EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: Spork Schivago on December 24, 2015, 09:08:58 pm

Title: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 24, 2015, 09:08:58 pm
Hello,

I'm sorry if this has been asked before and I'm not sure if this is the proper sub-forum to ask in. If it's not, I apologize and maybe a moderator could move the post. I have a Rigol 832 Programmable Power Supply. It's been absolutely wonderful. I found the keygen a long time ago to upgrade the unit. One of the upgrades no longer works. I can't remember which one but I remember reading that if I upgraded the firmware, the one option would be removed. I wanted to know if that ever got fixed? I can try and find out what option it was that was disabled by the firmware upgrade if needed. I can't seem to find the forum anymore with the keygen. I thought it was here on EEVBlog.

Anyway, on to my main question.   The DP832A has a multi-colour option for the main screen.   You know, where you can have more than one colour displayed at the same time.   I was curious if there was any way to get this on the original DP832?   I'd like to keep the classic UI if at all possible.   Does anyone know if what I want is doable and if so, how I'd go about doing it?   Thank you.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on December 24, 2015, 10:04:57 pm
TBH, even the DP832A "classic" version of the DP832 screen Rigol was forced to include with its 3 colours isn't as nice as the cheaper DP832, at least to most of us. The 'A' does have colour coded buttons and front panel stuff but really all anyone is interested in are the features not the fluff.

One thing the classic DP832 has is when the output is switched off the V and A all go to 0.000 while the DP832A classic just blanks.

I would personally like Rigol to keep the voltmeter switched on much like my HP6632B does it rather than display blank or hard coded 0.000
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 25, 2015, 12:09:50 am
I thought the screens were the same. That the screen in my DP832 is the same screen that's in the DP832A. I thought it was just firmware or something along that route that makes it so I can only display one colour, more or less, on the screen at one time. Am I wrong in this assumption?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: nidlaX on December 25, 2015, 02:00:06 am
Dump the firmware, disassemble it, add color coding.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 25, 2015, 03:01:08 am
It doesn't have any security bits set or anything?   I guess I could always just download the firmware from their website and go from there.   Thanks.   Has this been done before?   It'd be nice if there was some sort of how-to to follow.   Perhaps I could download the firmware for the DP832A and use that as a reference.   Thanks for the information.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: analogNewbie on December 25, 2015, 11:36:09 am
Of course you can download the firmware from the Rigol site. However, you don't know the file format of the firmware file.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 25, 2015, 06:03:22 pm
Right. I don't know the file format of the firmware. If they're using something like a PIC though, I should be able to load the bin file I'd think in MPLAB X to get the disassembled version. I'm still really new to all of this hardware stuff. I'm trying to learn but there's a lot to learn! I really appreciate all the help that people provide when I have questions though. Merry Christmas!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on December 25, 2015, 07:33:55 pm
Most Rigol stuff I've encountered is Blackfin DSP, certainly not PIC  :-DD. The Blackfin will usually have a LDR format firmware.

Here's something on Rigol .GEL files: https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/120/
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 26, 2015, 12:15:53 am
Thank you so much!   Unfortunately, because I'm so new at the hardware stuff, I only have limited experience with PICs.   I really appreciate this information though.   It's pointing me in the right direction, thank you!!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 28, 2015, 12:26:31 am
Just got a quick question.   My understanding is that the hardware in the DP832 and the hardware in the DP832A are identical.   Does anyone know if this is true?   If it is, I'm guessing the DP832A firmware must check something like the serial number to see if the unit is a DP832 or a DP832A.   If the serial number isn't within a certain range, maybe the DP832A firmware would refuse to install on the DP832.   Am I right in these assumptions or are there physical differences between the two units?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 30, 2015, 02:38:46 am
I've watched the teardown video for the Rigol DP832.   It does appear to be the same hardware as the DP832A.   When looking for a firmware, I could only find one file for the DP832 and the DP832A.   Therefore, I'm left to assume the DP832 and the DP832A use the exact same firmware.   So chances are good the firmware just checks something like serial number to see if it should enable the multicoloured screen and all the available options or if it should turn the options off and show the one coloured screen.

I've been looking at the firmware in a hex editor and looking at the various Blackfin datasheets.   I don't think these files are for a Blackfin.   I noticed with the link that was posted for the Rigol scopes, they show the model number of the scope right at the beginning of the .GEL files.   We don't get that with these firmware files.

When I run the Linux file command on the files though, the bootloader .GEL file shows: hp200 (68010) BSD.     I wonder if that's a Motorola 68010 processor in there or if maybe file is mistaken.  I know when I look at the application firmware, not the bootloader, I see a pattern every so often (more near the endish).   00h through whatever xxh in a row.   First one is at offset 8c and goes to offset 011c.   It goes 00h - 90h.   Second one starts at 06608c and goes to offset 0660cb.    It's 00h - 3Fh but it goes 00 01 02 03 04 05 06 07 08 09 0A 0B 1A FD AE F0 10 11 12 13...    There's a whole bunch of them like that.    I figure maybe the .GEL file is kind of like an archive or something and these mark the start or end of a file or something?   In the middles, there's a whole bunch that don't count very high and they have a little bit of data (maybe 40h bytes or so) before the next set starts.
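
One way to find the counting runs described in the post above across a whole image rather than by eye in a hex editor (an added example, not part of the original post or thread). The sample image is constructed: it places ramps at the offsets the post reports, with 0xFF filler as an assumption, and `Ramp`, `find_ramps` and `build_sample` are names made up here.

```python
"""Locate ascending byte ramps (00 01 02 ...) in a firmware image."""
from dataclasses import dataclass, field


@dataclass
class Ramp:
    start: int                  # file offset of the 0x00 byte that opens the ramp
    length: int                 # bytes covered; the ramp counts 00 .. length-1
    mismatches: list = field(default_factory=list)  # (offset, expected, found)

    @property
    def end(self):
        """Offset of the last byte of the ramp (inclusive)."""
        return self.start + self.length - 1


def find_ramps(data, min_len=16, max_gap=4):
    """Return every run where data[start + j] == j for j = 0, 1, 2, ...

    Up to max_gap consecutive bytes may deviate from the count, so a ramp
    with a few substituted bytes is reported once, with the substitutions
    listed, instead of being split in two. Ramps never wrap past 0xFF.
    """
    ramps, i, n = [], 0, len(data)
    while i < n:
        if data[i] != 0x00:          # a ramp can only start on a zero byte
            i += 1
            continue
        last_good, gap, bad = 0, 0, []
        for j in range(1, min(256, n - i)):
            found = data[i + j]
            if found == j:
                last_good, gap = j, 0
                continue
            gap += 1
            if gap > max_gap:        # too many deviations in a row: ramp is over
                break
            bad.append((i + j, j, found))
        length = last_good + 1
        if length >= min_len:
            # Deviations after the last matching byte are not part of the ramp.
            bad = [m for m in bad if m[0] < i + length]
            ramps.append(Ramp(i, length, bad))
            i += length
        else:
            i += 1
    return ramps


def build_sample():
    """Constructed test image, not real firmware (0xFF filler is an assumption)."""
    img = bytearray(b"\xff" * 0x066100)
    # First ramp from the post: 00h..90h at offsets 0x8c..0x11c.
    img[0x8C:0x8C + 0x91] = bytes(range(0x91))
    # Second ramp: 00h..3Fh at 0x06608c..0x0660cb, with 0C..0F replaced.
    second = bytearray(range(0x40))
    second[0x0C:0x10] = bytes([0x1A, 0xFD, 0xAE, 0xF0])
    img[0x06608C:0x06608C + 0x40] = second
    # One of the short ramps "in the middle" (offset chosen arbitrarily).
    img[0x030000:0x030008] = bytes(range(8))
    return bytes(img)


if __name__ == "__main__":
    for r in find_ramps(build_sample()):
        print(f"0x{r.start:06x}-0x{r.end:06x}  00..{r.length - 1:02X}  "
              f"{len(r.mismatches)} substituted byte(s)")
        for off, want, got in r.mismatches:
            print(f"    0x{off:06x}: expected {want:02X}, found {got:02X}")
```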
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Stupid Beard on December 30, 2015, 03:29:51 am
> When I run the Linux file command on the files though, the bootloader .GEL file shows: hp200 (68010) BSD. I wonder if that's a Motorola 68010 processor in there or if maybe file is mistaken.

Have you tried binwalk (http://binwalk.org/)?

Edit: The GEL file will be an archive of some sort. There is firmware for at least the main CPU, the analog boards, and probably assorted other things like FPGAs.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 30, 2015, 03:58:16 am
Thanks! I have not tried binwalk but I will give that a shot tomorrow. I figured one of the two .GEL files was an archive. The bootloader one though I figured wasn't an archive but just code for whatever CPU was in there. I might be wrong on that though. I was hoping to find a way to extract the files from at least one of the .GEL files. Figured that'd be good progress.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on December 30, 2015, 07:23:21 pm
Looking at one of Dave's early teardown photos (https://www.flickr.com/photos/eevblog/9604565765/in/album-72157635251122253/) it's using a Freescale (now known as NXP) i.MX283 ARM9 core Applications Processor (http://www.nxp.com/products/microcontrollers-and-processors/arm-processors/i.mx-applications-processors-based-on-arm-cores/i.mx28-processors/multimedia-applications-processors-high-performance-low-power-arm9-core:i.MX283)

ETA: The 10 pin header is most likely its JTAG port ;)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 30, 2015, 10:35:46 pm
> Looking at one of Dave's early teardown photos (https://www.flickr.com/photos/eevblog/9604565765/in/album-72157635251122253/) it's using a Freescale (now known as NXP) i.MX283 ARM9 core Applications Processor (http://www.nxp.com/products/microcontrollers-and-processors/arm-processors/i.mx-applications-processors-based-on-arm-cores/i.mx28-processors/multimedia-applications-processors-high-performance-low-power-arm9-core:i.MX283)
>
> ETA: The 10 pin header is most likely its JTAG port ;)

Thank you for this information!   Are you 100% sure on the processor there?   The teardown video I saw that I believe Dave posted had the CPU but it was etched off with a laser or something.  Some of the font was still visible.   A user commented saying the CPU was made by Silicon Image and that he recognized the font.   Just curious as to whether you're certain it's the Freescale MX283 ARM9 or if it's just an educated guess.   Either way, it'll get me pointed in the right direction.

I don't really have much experience with JTAG stuff.   I JTAGGED a video game console once.   I wonder if there's a way for me to tell for certain if it's a JTAG port or not and what the pinouts are.   Thanks for all the help!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on December 31, 2015, 11:50:38 am
I posted Dave's photo and it's clear as day. You have the supporting RAM and flash chips next to it, crystal and JTAG header. The LCD flatflex cable is there and the PCB is labelled DP800_DigitalBoard...  :-//

The IC that had its ID removed was something else entirely.

The JTAG pinout will most likely be the standard 10 pin ARM layout. Buzz out the VCC and GNDs to make sure.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 31, 2015, 07:00:35 pm
> I posted Dave's photo and it's clear as day. You have the supporting RAM and flash chips next to it, crystal and JTAG header. The LCD flatflex cable is there and the PCB is labelled DP800_DigitalBoard...  :-//
>
> The IC that had its ID removed was something else entirely.
>
> The JTAG pinout will most likely be the standard 10 pin ARM layout. Buzz out the VCC and GNDs to make sure.

You're awesome!   Thank you!   For some reason, I missed the link of the photo you posted!     What does buzz out mean?   I really appreciate all the help on this!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on December 31, 2015, 08:24:08 pm
Buzz out = continuity test on your DMM. Are you sure you are up to this? It is not an easy job. All the dumping the firmware using JTAG and stuff is the easy bit. Reverse engineering the code is another matter!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on December 31, 2015, 08:35:19 pm
Oh, you want to use something like OpenOCD (http://www.openocd.net/) and also UrJTAG (http://urjtag.org/).

You might find your linux distro has them available by apt-get for easy installation.

Of course you need a supported hardware adapter as well. I have an Olimex USB-OCD that I got for £20 on ebay. I also have a dirt cheap USB Blaster which I think is good enough for dumping code, but not so much for ARM debugging.

Well, happy new year and good luck  :-+
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 31, 2015, 10:45:48 pm
> Buzz out = continuity test on your DMM. Are you sure you are up to this? It is not an easy job. All the dumping the firmware using JTAG and stuff is the easy bit. Reverse engineering the code is another matter!

I want to try Macbeth.   I know I don't understand everything and will probably fail miserably but I love learning and I really want to try very hard.   I look at it like this, worst case, I fail but I will still learn something in the process.   I used to be pretty good at writing code, back in the day.   I was a system programmer and worked for a corporation called Deposit Computer Services, Inc until 2005 or so.   My ability to write code is a bit rusty.   I got a few good books on C now though.   C Programming - A Modern Approach - 2nd Edition by K.N. King and then I have the Red Dragon Book (AKA, Compilers - Principles, Techniques and Tools).  Thanks for all the help though.   I greatly appreciate how everyone's been so helpful and understanding.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Stupid Beard on December 31, 2015, 11:32:58 pm
> > Buzz out = continuity test on your DMM. Are you sure you are up to this? It is not an easy job. All the dumping the firmware using JTAG and stuff is the easy bit. Reverse engineering the code is another matter!
>
> I want to try Macbeth. I know I don't understand everything and will probably fail miserably but I love learning and I really want to try very hard. I look at it like this, worst case, I fail but I will still learn something in the process. I used to be pretty good at writing code, back in the day. I was a system programmer and worked for a corporation called Deposit Computer Services, Inc until 2005 or so. My ability to write code is a bit rusty. I got a few good books on C now though. C Programming - A Modern Approach - 2nd Edition by K.N. King and then I have the Red Dragon Book (AKA, Compilers - Principles, Techniques and Tools). Thanks for all the help though. I greatly appreciate how everyone's been so helpful and understanding.

For reverse engineering programming knowledge helps (a lot), but it's only a small part of the skillset required. You don't need to be able to write code so much as to read assembly language and relate what you're reading to what the C/C++/whatever compiler spits out. You also need a good disassembler and at least some knowledge of the CPU.

If you have no experience in it, you should be able to find a lot of information and tutorials online. It doesn't really matter what processor or languages they're for. I'd suggest starting by disassembling test programs for your desktop computer. Processors and compilers all work in more or less the same way so skills gained on one are usually easily related to others, and it will be a lot easier to try things out and see what's going on with your computer than an embedded thing.

Good luck, it's a pretty large can of worms that you are opening ;)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 31, 2015, 11:40:15 pm
> Oh, you want to use something like OpenOCD (http://www.openocd.net/) and also UrJTAG (http://urjtag.org/).
>
> You might find your linux distro has them available by apt-get for easy installation.
>
> Of course you need a supported hardware adapter as well. I have an Olimex USB-OCD that I got for £20 on ebay. I also have a dirt cheap USB Blaster which I think is good enough for dumping code, but not so much for ARM debugging.
>
> Well, happy new year and good luck  :-+

I was thinking of going for something like this:

https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/

I'm sure these questions are pretty basic for you but what's the USB Blaster for? From what I've read, they're for Altera devices. For programming, debugging and emulation. Anyway, for the USB Blaster, do you think this would be a nice one?

https://www.buyaltera.com/PartDetail?partId=5638362

It's the Altera USB Blaster II
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 31, 2015, 11:52:01 pm
> > > Buzz out = continuity test on your DMM. Are you sure you are up to this? It is not an easy job. All the dumping the firmware using JTAG and stuff is the easy bit. Reverse engineering the code is another matter!
> >
> > I want to try Macbeth. I know I don't understand everything and will probably fail miserably but I love learning and I really want to try very hard. I look at it like this, worst case, I fail but I will still learn something in the process. I used to be pretty good at writing code, back in the day. I was a system programmer and worked for a corporation called Deposit Computer Services, Inc until 2005 or so. My ability to write code is a bit rusty. I got a few good books on C now though. C Programming - A Modern Approach - 2nd Edition by K.N. King and then I have the Red Dragon Book (AKA, Compilers - Principles, Techniques and Tools). Thanks for all the help though. I greatly appreciate how everyone's been so helpful and understanding.
>
> For reverse engineering programming knowledge helps (a lot), but it's only a small part of the skillset required. You don't need to be able to write code so much as to read assembly language and relate what you're reading to what the C/C++/whatever compiler spits out. You also need a good disassembler and at least some knowledge of the CPU.
>
> If you have no experience in it, you should be able to find a lot of information and tutorials online. It doesn't really matter what processor or languages they're for. I'd suggest starting by disassembling test programs for your desktop computer. Processors and compilers all work in more or less the same way so skills gained on one are usually easily related to others, and it will be a lot easier to try things out and see what's going on with your computer than an embedded thing.
>
> Good luck, it's a pretty large can of worms that you are opening ;)

Thank you for the information.   I know a little bit.   I know I need a way to disassemble the firmware once I dump it using the JTAG stuff.   I need a disassembler that can understand the i.MX283 ARM927EJ-S instruction set.  I know I need to learn this instruction set but I figure it probably wouldn't be a crazy hard thing to learn.  I used to have this little MP3 type player called an Archos and that had an ARM processor of one sort or another inside it.   I didn't think it was that hard learning the assembly for it but it was an older ARM processor.  I know with the PICs I've been playing with, the instruction sets are small.   The PIC I'm playing with now (PIC16F628A) only has something like 54 instructions.    I figured everything would be done in assembly.   Once my wife is done fixing this tablet in the work room, I'll fire up my Linux box and install OpenOCD.   Hopefully there's some sort of emulator out there where I can play with the ARM9 code on my machine and compile some test programs and fire up GDB (or whatever equivalent the ARM9 toolchain comes with) to play around with them.

The hardware, for me, is the hardest part.   I just started learning how to make circuit boards and don't have much experience in that area at all!   I made a device that counts in binary (up and down) when you press a button!   It lights up LEDs to show the binary number.   I've written code most of my life and I've played with assembly on and off.   After the Marine Corps, something happened to my brain and things got a bit messed up.   Had to take a break for a bit but I'm ready to learn everything I can now.

I think it's going to be fun once I get the hardware to dump the firmware directly.   I shouldn't have to worry about the GEL files then.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Stupid Beard on December 31, 2015, 11:55:42 pm
qemu (http://wiki.qemu.org/Main_Page) is the usual emulator. There should be packages in whatever linux distro you use.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 01, 2016, 08:15:27 pm
So I ordered the ARM-USB-OCD-H made by Olimex.   I also ordered a 20-pin to 10-pin adapter from them.   I reread what I wrote the other night and wanted to clarify right now.  I didn't mean to down play how hard the software part of this was going to be.   I know once I get the firmware, it's going to take a very long time for me to analyze it and figure out what exactly everything does.   What I was trying to convey is I believe I understand the software part of this project and know what exactly needs to be done, whereas with the hardware, I'm a bit confused.   I don't really understand what the USB Blaster's for if I have the JTAG device from Olimex.   Does it just allow me to do in-circuit debugging or something?  Once I get my ARM-USB-OCD-H device, I'll rip apart the power supply and buzz those pins in the picture.   They're the ten pins above the CPU and to the right a little, near the edge of the board, right?   Thanks!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on January 01, 2016, 08:26:26 pm
You don't need the USB Blaster. I only mentioned it as it costs next to nothing and you mentioned you had used JTAG before and it's a popular (for Altera) dongle and could (possibly) at least be used with urJTAG to dump the flash.

If you get the Olimex that should be all you need.

Also something called Hex-Rays IDA is apparently very useful and appears to support reverse engineering this processor. It can be very expensive though ;) Which reminds me I have a demo version I need to learn how to use. I've got a PDF manual for it somewhere.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 01, 2016, 10:15:39 pm
> You don't need the USB Blaster. I only mentioned it as it costs next to nothing and you mentioned you had used JTAG before and it's a popular (for Altera) dongle and could (possibly) at least be used with urJTAG to dump the flash.
>
> If you get the Olimex that should be all you need.
>
> Also something called Hex-Rays IDA is apparently very useful and appears to support reverse engineering this processor. It can be very expensive though ;) Which reminds me I have a demo version I need to learn how to use. I've got a PDF manual for it somewhere.

Thank you Macbeth! I ordered the Olimex ARM-USB-OCD-H adapter with the ARM-JTAG-20-10 adapter (which allows me to plug the ARM-USB-OCD-H adapter into an ARM 10-pin mini-JTAG connector). All I did before was solder some wires to an Xbox 360 to JTAG it. I was following some how-to.

So, I've been studying the datasheet for this ARM processor a bit.   I had some questions.   I see in the datasheet, there's a DEBUG signal (B9 on the BGA chip for this processor).   The datasheet says:
Code:
This pin is used for JTAG interface.
DEBUG=0: JTAG interface works for boundary scan.
DEBUG=1: JTAG interface works for ARM debugging.

Would I need to set this pin HIGH, LOW or just leave it as it is?   I don't really know what boundary scans are.   I also see there's some security for this chip, which I didn't find surprising.   But I see in the datasheet:
Code:
Security features:
— Read-only unique ID for Digital Rights Management (DRM) algorithms
— Secure boot using 128-bit AES hardware decryption
— SHA-1 and SHA256 hashing hardware
— High assurance boot (HAB4)

Does this mean that when I hook up the JTAG unit and try dumping the firmware using OpenOCD, the firmware might be encrypted? I've also been reading up how to dump firmware using OpenOCD. I know some smart people found a way to dump the firmware on a device that uses an ARM processor. Some security bits were set that prevented read access to protected memory. Only instructions in protected memory could read the data from protected memory. However, it was fairly easy for the people to bypass this by loading an address in one of the registers, stepping through the code in protected memory and then checking the values of the registers until one changed. They were able to find a LOAD instruction and that's all they needed in order to dump the firmware. They even provided a nice Ruby script that would connect to OpenOCD and dump the firmware for you.

I mean, it'd have to be modified for different processors but I was thinking maybe I'd have to do something like that.   I've been studying the datasheet but I don't really see how I'm supposed to tell how big the firmware is and where it'd be located in memory.   It's definitely a learning experience, I'll say that much!    I also have an old router that might have a JTAG port.   Perhaps I could play with that to get a little experience.   If I ruin the router, no big deal.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on January 01, 2016, 11:39:50 pm
Dave has a great vid on JTAG boundary scan. You will probably want BSDL files for your processor and flash etc.

I have to admit I have only got as far as dumping and programming firmware on my Rigol DM3058, which happens to be in unencrypted Blackfin LDR format (most Rigol stuff seems to be Analog Devices Blackfin DSP). I had to learn all this just to recover my DMM which had bricked itself after I used some obscure Rigol software not compatible with my firmware version, the alternative would have been sending it back under warranty but that would have cost me shipping and took weeks and is very, very boring. I learned how to extract LDR+data from the firmware and reflash in the weekend.

My own goal is to reverse engineer this firmware just for the hell of it and fix the bugs Rigol are too lazy to bother with and perhaps make the meter do what I want. But that's on the backburner now.

For all the ARM stuff - I don't have a clue, sorry!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on January 01, 2016, 11:49:43 pm
Oh for the size of the flash - just lookup the Hynix partnumber. There must be a memory map in the datasheet. I haven't checked for your ARM, but for Blackfin it's 0x20000000 and is easy to read with urJTAG when you set it up to read the flash chip (probably via BSDL behind the scenes).

If the flash is encrypted then yes you will need to use the hack you have found. Very interesting! My ARM experience is Raspberry Pi's only I'm afraid with none of this JTAG stuff  :scared:
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 02, 2016, 12:16:33 am
Thanks for all the help Macbeth! Hopefully when my Olimex device comes, I'll find it's not very hard at all. If it does turn out to be encrypted though, I might not be able to go any further at all. I'll look into the various things you mentioned in the meantime. Like the memory map and size of the Hynix firmware. It'd be nice if I could get an unencrypted copy of the firmware. Maybe I could even figure out the format of the .GEL files.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 04, 2016, 09:12:27 pm
I just wanted to update you guys. I got the ARM-USB-OCD-H JTAG device coming but I don't think it's going to help. I've been reading up on the security of the i.MX283 processor in the Rigol DP832. From what I've read (http://cache.nxp.com/files/32bit/doc/app_note/AN4555.pdf?fpsp=1&WT_TYPE=Application%20Notes&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation&fileExt=.pdf) it seems that the bootloader gets signed and if the code changes but the signature doesn't match, then it'll refuse to start. It seems the packages on the FLASH might be signed as well. They use some elftosb program to sign them or something. If I'm not mistaken (and I very well can be, I don't really understand the whole encryption stuff very well), even if I could extract the bootloader and flash contents, I won't be able to change them at all.

I wonder how the person who wrote the keygen for the DP832 managed to figure out how to successfully write it.   Did they somehow manage to extract the firmware or information from the flash chip on there?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: apelly on January 04, 2016, 09:51:29 pm
It was a while ago now, but if you read the first few hundred posts in the sniffing the rigol bus thread there is a lot of useful stuff posted by cybernet. The thread degenerates into noobs asking for help after a while, but the beginning is very cool. I think that's the one where the certificate signing stuff for the dg4000 was discovered too, but there is another thread for hacking the dg4000 which also contains interesting information.

Good luck!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 04, 2016, 10:16:51 pm
> It was a while ago now, but if you read the first few hundred posts in the sniffing the rigol bus thread there is a lot of useful stuff posted by cybernet. The thread degenerates into noobs asking for help after a while, but the beginning is very cool. I think that's the one where the certificate signing stuff for the dg4000 was discovered too, but there is another thread for hacking the dg4000 which also contains interesting information.
>
> Good luck!

Thank you!   I'll search the forums for the topic you're talking about here.   I've seen people talk about sniffing buses before.   Maybe I should invest in some equipment so I can do that too.   Sounds really cool.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 04, 2016, 10:30:19 pm
Is this the forum that you're talking about? https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/

Seems to be about the Rigol DS1102E.   Perhaps I can still learn a lot from it though.   I don't have a logic analyzer.   I'd love to purchase one but I'm not certain if I want a benchtop model or a portable one.   I kind of like some of the portable ones I've seen on the net (the ones that hook up to a PC via USB).   Just not sure if they're as good and if they are, which ones to get.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: apelly on January 05, 2016, 02:20:54 am
That's the one. It's a long time since I read the first post. You're right, but it's about the ds2000 and other rigol products too. It's worth your time to read it. Really.

Can't find the other one right now, but it'll be referred to in the i2c thread for sure.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 05, 2016, 03:42:01 am
> That's the one. It's a long time since I read the first post. You're right, but it's about the ds2000 and other rigol products too. It's worth your time to read it. Really.
>
> Can't find the other one right now, but it'll be referred to in the i2c thread for sure.

Thank you.   I've already started reading the thread.   I've searched through it as well, looking for keywords like DP832.   I see a user claims he was able to disassemble the firmware somehow in order to modify the Riglol program to generate proper keys for the newer firmwares.    I wonder if he actually disassembled it and if so, how did he manage to get a copy?   Right now, I don't think there's any known ways to decode / decrypt / whatever the .GEL files.  It'd be nice if I could figure out how they did it.   I've also been reading up on OpenOCD and trying to figure out how to actually try to do the various things I want to do once I get my JTAG device in the mail.

From what I've seen, I'm going to need to know the flash segment address (this might be the wrong word here) in order to read the flash to a .hex / .bin file.   I'm going to need to figure out what the RAM segment is in order to do a memory dump.   I was expecting these addresses to be in the datasheet for the i.MX283 but I didn't find them there.   I continued to look in the various documents on NXP's website for the i.MX283 and found the memory map layout in the i.MX28 Applications Processor Reference Manual ( http://cache.nxp.com/files/32bit/doc/data_sheet/IMX28CEC.pdf?fpsp=1&WT_TYPE=Data%20Sheets&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation&fileExt=.pdf ) on page 135 of 2733!   However, I'm not sure which ones I need.   I see stuff like On-Chip RAM, On-Chip RAM alias, External Memory, On-Chip ROM, etc.   Don't see anything for flash like I do with some of the other datasheets out there.

I also wanted to say though that I'm extremely thankful for all the help everyone here on EEVBlog has provided to me.   I know most of the users here are experts in the electronic world and I know I don't know very much at all.   But everyone's been extremely supportive in trying to help me accomplish what I want to do and answer all the dumb questions I have!   Thank you guys.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 07, 2016, 09:40:43 pm
So I'm waiting for my ARM-USB-OCD-H JTAGGING device to come.   I learn that OpenOCD doesn't support the NAND flash controller on the i.MX28 processors.   This is disappointing.   I also want to say I remember reading something in the programming reference guide that the NAND works in parallel mode.   From reading stuff on the internet, from what I can tell, I will not be able to use one of those clips that you just put over the NAND chip and read and write to it directly, in circuit, while the device is on (like the E3 Flasher for the PS3 for example).   I think getting this NAND dump is going to be a bit harder than I originally was hoping for.

Anyway, I went back to looking at the GEL files.   I see patterns but can't really make sense out of them.   I've tried bit shifting them, doing bitwise manipulation on them (AND, OR, XOR) but I can't seem to get anything useful out of it.   Maybe you guys can make some sense out of it and see something that I just don't?   For example, the first 32 bytes of code, I see a pattern...

Code: [Select]
28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83     /* Notice here, starting at offset 5, we have 78. If we count up in hex though, we get:
                    78 79 7A 7B 7C 7D 7E 7F...                           See how 78, 7C, 7D, and 7F line up? */

83 84 86 87 27 89 8A 8B 28 CA 8E 8F A8 81 31 78      /* We see this again...
          86 87 88 89 8A 8B 8C 8D 8E 8F...                           86, 87, 89, 8A, 8B, 8E and 8F line up. */


Now, if I create a table, the pattern becomes a bit more clear.
Code: [Select]
     x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF x0 x1 x2 x3
   ---------------------------------------------------
7x | 28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83 | 83
8x | 83 84 86 87 27 89 8A 8B 28 CA 8E 8F A8 81 31 78 | 93
9x | AC 85 35 7C B0 89 39 80 B4 8D 3D 84 B8 91 41 88 | A3
Ax | A4 A5 A6 A7 BC 99 49 90 C0 9D 4D 94 A8 EB BA B3 | B3
Bx | 30 F1 BE B7 34 F5 C2 BB 38 F9 C6 BF 3C FD CA C3 | C3
Cx | 40 01 CE C7 20 EB D2                            | D3
Cx |                      CB CC CD CE CF D0 D1 D2 D3 | D3 (continued)
Dx | D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF E0 E1 E2 E3 | E3
Ex | E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF F0 F1 F2 F3 | F3
Fx | F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF 00 01 02 03 | 03
0x | 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 | 13
1x | 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 | 23
2x | 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 | 33
3x | 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 | 43
4x | 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 | 53
5x | 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 62 63 | 63
6x | 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 | 73
7x | 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 80 81 82 83 | 83
8x | 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 90          | 93

That's the first 285 bytes.   Starting at offset 57h, it starts counting up, in a row, from CBh to FFh then 00h to 90h.   I use that to create the numbers before and after the |'s.    Maybe we're supposed to remove the numbers that match up?   I'll give an example.   First row, we see the 7x that I added, so the numbers to remove will start with a 7.   Then, the little grid above us tells us what the last number in the row has to be in order for us to remove it.   So, we look at:
Code: [Select]
     x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF x0 x1 x2 x3
   ---------------------------------------------------
7x | 28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83 | 83

The first number, 28, does it start with a 7?   Nope, move on.   Does 23 start with a 7?  Nope, move on....we keep going to get to 78 at offset 05h.   Does that start with a 7?  Yup.  We look up to see what number it has to end in.   In this case, an 8.  Does it end in an 8?  Yup.  Remove it.   On to the next ones.   We remove 7C, 7D, 7F, 82 and 83.    So maybe the first lines in the .GEL file are really
Code: [Select]
28 23 10 00 B9 FB BB D0 20 BE

You see, I thought I was onto something there for a second, but I can't make sense out of 0x28 0x23 0x10 0x00 0xB9 0xFB 0xBB 0xD0 0x20 0XBE.    Maybe someone smarter than me could see something that I'm missing here?   Thanks!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: dadler on January 07, 2016, 09:46:27 pm
Maybe you will find this useful:

http://www.gotroot.ca/rigol/degel-0.1.tar.gz
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 08, 2016, 01:06:36 am
Maybe you will find this useful:

http://www.gotroot.ca/rigol/degel-0.1.tar.gz

Thank you for the link but that doesn't really work with the DP832's for one reason or another.   For example, that degel program looks for a header which doesn't seem to be here, at least not like in the other .GEL files.   The ones I've seen (like DG10x2Update.gel) start with RIGOL:DG1:UPDATE FILE ALL

I've tried to figure out how to get RIGOL from the hex values in the DP832's software update.gel file.   It starts with 0x28 0x23 0x10.   If you XOR 0x7A to 0x28, you get 0x52 (R).   If you XOR 0x6A to 0x23 you get 0x49 (I).   I thought I had a pattern there.   XOR the first offset by 0x7A to get R, XOR the second offset by 0x6A to get I, but to get G for the third offset, you need to XOR it (0x10) by 0x57.   No pattern there :(
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 08, 2016, 01:16:14 am
I mean I saw a little pattern there.   These are the bytes in hex in the Update file...and the values I have to XOR them with to get RIGOL

Code: [Select]
Bytes   XOR Value     Output (in ASCII)
0x28    0x7A              R
0x23    0x6A              I
0x10    0x57              G
0x00    0x4F              O
0x78    0x34              L

See a bit of a pattern there?    The XOR's most significant value starts at 7 and counts down by a whole number each time.   7, 6, 5, 4, 3.    Just can't figure out the last numbers there.   I can't see the pattern, A, A, 7, F, 4...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on January 08, 2016, 01:26:33 am
LOL. Before all this crypto key stuff I used to encrypt files with XOR. Just because I may use a plaintext password as the cipher didn't mean I wouldn't keep re-xor encrypting that password byte by byte as I went...

and this was on the BBC Micro back in the '80s!

However the old ones are the best. Good to see XOR is still used  ;)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 08, 2016, 01:51:32 am
LOL. Before all this crypto key stuff I used to encrypt files with XOR. Just because I may use a plaintext password as the cipher didn't mean I wouldn't keep re-xor encrypting that password byte by byte as I went...

and this was on the BBC Micro back in the '80s!

However the old ones are the best. Good to see XOR is still used  ;)
Well, I don't know if my XOR results are just coincidence or not.   Doesn't seem to work so well after RIGOL.  Or maybe the header's changed a bit.  If I could find a pattern for the least significant digits (7A, 6A, 57, 4F, 34) I'd be certain there was something to this.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on January 08, 2016, 02:14:38 am
Perhaps there is no "Rigol" header, and the firmware is exactly in the format the MX28 expects?

I know when I had to recover my bricked Rigol DM3058 only the start of the flash firmware was a RIGOL string, everything after that was in Blackfin LDR format as I found by reading the datasheet (or tome!). So I stripped that out and JTAG uploaded the rest verbatim to flash and all was well.

Perhaps there is no "Rigol" header and this firmware is purely in the MX28 format? You may be chasing a red herring.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 08, 2016, 02:28:20 am
Perhaps there is no "Rigol" header, and the firmware is exactly in the format the MX28 expects?

I know when I had to recover my bricked Rigol DM3058 only the start of the flash firmware was a RIGOL string, everything after that was in Blackfin LDR format as I found by reading the datasheet (or tome!). So I stripped that out and JTAG uploaded the rest verbatim to flash and all was well.

Perhaps there is no "Rigol" header and this firmware is purely in the MX28 format? You may be chasing a red herring.

I thought that myself but I don't think that's the case.   That was my original assumption Macbeth.   But I dunno, I was looking at the datasheet and trying to analyze the Bootloader .GEL file and the bits just don't seem to match up.   Some of the unused bits are set, some aren't.   Some conflict.  There's also the whole table thing.   At the very start of the .GEL file, if you compare x offset to 73 + x, a lot of them will match.    There's giant sections where the Software .GEL file will show stuff like 0xCBh to 0xFFh and then go to 0x00h to 0x90h.   The 73 + x rule always matches with those weird sections.    Like if you start at the first sector (sector 0), there's a 0x28 there.   The table thing I discovered would be 0x74 at that place.   The next value in the firmware is 0x23.   The table would be 0x75...if you go all the way up to where 0xCB is in the .GEL file, when the run starts, the table thing holds true.  It'll equal 0xCB.   This holds true for the whole .GEL file.   It'd be weird for some sort of processor I'd think to have instructions like that.  Like the whole file is filled with 0x74 through 0xFF then it just repeats, 0x00 through 0xFF.   There's some real data some places, other places it's just the pattern showing through.

I assumed (and might be wrong here) that the Software.GEL file actually holds NAND data.   Someone dumped their NAND by removing the physical chip from the system and hooking it up to some NAND reader.   He showed a screenshot of the first few bytes in there.   They don't look anything like the .GEL file.   You can see stuff like DP830   DP831    DP832, etc.   When I look for strings in the GEL file, I find none.   Absolutely none.   I'd think I'd see at least something there.

Thanks for the help though!   Much appreciated.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 08, 2016, 03:21:16 am
The statistics are real weird as well, which makes me think it's some sort of archive.   It's wavey.   I used HxD and clicked the Statistics button and it shows a bar graph of each value in the file, from 00h to FFh.   It shows how frequent the value is found.   And there's definitely a pattern there!   For example, there's about equal numbers of 1A's as there are 2A's as there are 3A's.   But the #A's aren't as frequent as something like 9h, 19h, 29h, which are all just about equally as prevalent.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on September 18, 2016, 05:23:05 am
Hi DP832 users,

my first post here on the forum.
It's been a while since the last post on this topic, but I'll give it a go.

I had a look at the GEL file from DP800(Software)Update(Normal)_00.01.13.00.01 and found some interesting stuff:

Start at the first byte of the file and subtract 0x74, at the second byte subtract 0x75, at the third byte 0x76, and so on...
When you reach 0xFF the next byte gets 0x00 (nothing, really) subtracted, and again and again...

If the entire file is processed like this, it reveals some interesting stuff further into the file. Don't know what the exact meaning of those is, however.

Here is a short C-program I used to do this:
Code: [Select]
// rewrite Rigol DP800 GEL file
#include <stdio.h>
#include <stdlib.h>

#define OFFS 116 // Offset at start of File (0x74)

// Main
int main ( int argc, char *argv[] )
{
    FILE *infile;
    FILE *outfile;

    if(argc < 2)
    {
        printf("Usage : %s [input]\n", *argv);
        return EXIT_FAILURE;
    }

    // Open input file
    infile = fopen(argv[1], "rb");
    if(infile != NULL)
        printf("File found\n");
    else
    {
        printf("Error while opening!\n");
        return EXIT_FAILURE;
    }

    // Open output file
    outfile = fopen("DP800Update_descrambled_GEL.txt", "wb");
    if(outfile == NULL)
    {
        printf("Error while creating output file!\n");
        fclose(infile);
        return EXIT_FAILURE;
    }

    int ch; // current read char
    int i = 0; // counter

    while ((ch = fgetc(infile)) != EOF) // read until EOF
    {
        ch = ((ch + 512 - i - OFFS) % 256); // subtract offset; +512 keeps the value non-negative
        fputc(ch, outfile); // write new byte
        i = ((i + 1) % 256); // increment counter, wraps after 0xFF
    }
    fclose(infile);
    fclose(outfile);
    printf("done!\n");

    return EXIT_SUCCESS;
}

Hopefully this helps somewhere.

Cheers,

Volki
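
Added example, not part of any post in this thread: the running-counter subtraction described above as C buffer functions, with its inverse for a round-trip check and a routine that recovers the counter start from the scrambled bytes alone, which is why this scheme is obfuscation rather than encryption. The function names and the 512-byte test image are assumptions made for the example; the 16 header bytes are the ones quoted earlier in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GEL_START 0x74u /* counter value at file offset 0 (from the thread) */

/* First 16 bytes of the scrambled update file as quoted in the thread. */
static const uint8_t THREAD_HEAD[16] = {
    0x28, 0x23, 0x10, 0x00, 0x78, 0xB9, 0xFB, 0xBB,
    0x7C, 0x7D, 0xD0, 0x7F, 0x20, 0xBE, 0x82, 0x83
};

/* Key byte at a file offset: an 8-bit counter that wraps from 0xFF to 0x00. */
uint8_t gel_key(uint8_t start, size_t offset)
{
    return (uint8_t)(start + (uint8_t)offset);
}

/* Descramble len bytes in place; buf[0] sits at file_offset in the file. */
void gel_descramble(uint8_t *buf, size_t len, size_t file_offset, uint8_t start)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(buf[i] - gel_key(start, file_offset + i));
}

/* Exact inverse of gel_descramble, used here for the round-trip check. */
void gel_scramble(uint8_t *buf, size_t len, size_t file_offset, uint8_t start)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(buf[i] + gel_key(start, file_offset + i));
}

/*
 * Recover the counter start without being told it. Where the plaintext is
 * zero-filled, the scrambled byte equals the key, so the file shows runs of
 * bytes that each increase by one (mod 256). Every run of at least min_run
 * bytes votes for the start value it implies, weighted by its length.
 * buf must begin at file offset 0. Returns -1 if no run qualifies.
 * Assumption: padding is 0x00; a region filled with another constant would
 * vote for a shifted value, which is why the longest total wins.
 */
int gel_recover_start(const uint8_t *buf, size_t len, size_t min_run)
{
    size_t votes[256] = {0};
    size_t run_pos = 0;

    for (size_t i = 1; i <= len; i++) {
        if (i < len && (uint8_t)(buf[i] - buf[i - 1]) == 1)
            continue; /* run still going */
        size_t run_len = i - run_pos;
        if (run_len >= min_run)
            votes[(uint8_t)(buf[run_pos] - (uint8_t)run_pos)] += run_len;
        run_pos = i;
    }

    int best = -1;
    size_t best_votes = 0;
    for (int k = 0; k < 256; k++) {
        if (votes[k] > best_votes) {
            best_votes = votes[k];
            best = k;
        }
    }
    return best;
}

int main(void)
{
    /* Descramble the quoted header bytes with the start value from the thread. */
    uint8_t head[16];
    memcpy(head, THREAD_HEAD, sizeof head);
    gel_descramble(head, sizeof head, 0, GEL_START);
    for (size_t i = 0; i < sizeof head; i++)
        printf("%02X ", head[i]);
    printf("\n");

    /* Even the two short incrementing pairs in those 16 bytes leak the start. */
    printf("start from quoted bytes: 0x%02X\n",
           (unsigned)gel_recover_start(THREAD_HEAD, sizeof THREAD_HEAD, 2));

    /* Constructed image: 4 header bytes, zero padding, one model string,
     * scrambled with a different start value to show the recovery is general. */
    uint8_t img[512] = {0};
    memcpy(img, "\xB4\xAE\x9A\x89", 4);
    memcpy(img + 300, "DP832", 5);
    gel_scramble(img, sizeof img, 0, 0x10);
    printf("start from constructed image: 0x%02X\n",
           (unsigned)gel_recover_start(img, sizeof img, 16));
    return 0;
}
```

Because the key depends only on the file offset, the transform gives no integrity protection either: any byte can be edited in place by recomputing the key for its offset.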
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 18, 2016, 06:07:53 pm
Hello Volki,

We're in the process of having a baby in the near future and I'm trying to redo the baby's room (put down hardwood floor).  I don't have a lot of free time right now, but after you run the encrypted firmware through your program, what do the first couple bytes of the file look like?   A lot of the Rigol stuff seem to start with the model of the device, like DP800, for instance.   Thanks.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on September 18, 2016, 10:33:38 pm
Hi,

just confirmed that this same thing works with DP800(Software)Update(Normal)_00.01.14.00.03 firmware as well.

The first bytes of the files don't make much sense. No DP800 or anything (at least I didn't see it).

Here are the first 512 bytes of 00.01.13.00.01:
Code: [Select]
B4 AE 9A 89 00 40 A0 A1 00 00 52 00 58 3D 00 00
FF FF 00 00 9F 00 00 00 54 3D 00 00 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
00 00 00 00 14 F0 9F E5 14 F0 9F E5 B0 3A 08 00
34 3C 08 00 34 3C 08 00 34 3C 08 00 34 3C 08 00
34 3C 08 00 40 01 08 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 C0 9F E5
1C FF 2F E1 35 11 08 00 00 C0 9F E5 1C FF 2F E1
F1 03 08 00 00 C0 9F E5 1C FF 2F E1 71 11 08 00
00 C0 9F E5 1C FF 2F E1 E5 02 08 00 08 B4 02 4B
9C 46 08 BC 60 47 C0 46 38 2A 08 00 04 E0 4E E2
0F 40 2D E9 04 D0 4D E2 00 80 A0 E3 FF 90 E0 E3
FE 9C C9 E3 00 A0 99 E5 0A 80 B0 E1 93 B0 E0 E3
FC BC CB E3 55 00 A0 E3 00 00 8B E5 08 00 18 E3
30 00 00 0A 24 E9 9F E5 00 C0 DE E5 C8 34 9F E5
04 20 D3 E5 02 00 5C E1 02 00 00 3A 0C 19 9F E5
00 90 A0 E3 00 90 C1 E5 CB A0 E0 E3 F2 AC CA E3
40 BA A0 E3 00 B0 8A E5 01 00 A0 E3 D2 FF FF EB
E8 08 9F E5 00 E0 D0 E5 8E C0 B0 E1 88 34 9F E5
03 20 9C E0 BC 13 D2 E1 01 96 B0 E1 FB A0 E0 E3
F9 AC CA E3 00 90 8A E5 01 00 A0 E3 C6 FF FF EB

And here for 00.01.14.00.03:
Code: [Select]
B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 B5 06 48
00 68 40 07 40 0F 00 06 00 0E 07 28 00 D3 00 20
00 06 00 0E 08 BC 18 47 20 0D FF FF 10 B5 04 00
20 78 A1 78 00 06 00 0E 01 28 00 D1 2A E1 0F D3
03 28 00 D1 66 E3 00 D2 64 E2 05 28 01 D1 00 F0
E1 FC 01 D2 00 F0 4C FC 06 28 01 D1 00 F0 5A FD
02 20 60 70 09 06 09 0E 01 29 6A D1 01 20 E0 70
02 20 20 71 02 20 60 71 02 20 A0 71 80 20 20 81
40 20 60 81 B0 20 C0 00 20 82 90 20 C0 00 60 82
A0 20 C0 00 E0 82 06 20 20 76 04 20 60 76 BA 48
A0 87 BA 48 E0 87 44 20 B7 49 21 52 46 20 B7 49
21 52 62 79 04 20 42 43 00 21 B4 20 40 00 20 18
00 F0 9E FF 62 79 04 20 42 43 FF 21 C2 20 40 00
20 18 00 F0 95 FF A2 79 04 20 42 43 00 21 BC 20
40 00 20 18 00 F0 8C FF A2 79 04 20 42 43 FF 21

Cheers,

Volki
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 19, 2016, 05:19:58 am
You mention some interesting stuff further in the file.   What type of interesting stuff is further in the file?   Is it plain text ASCII?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: dav on September 19, 2016, 10:51:07 am
@Spork Schivago:
There is some text; take a look yourself with a hex editor.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on September 19, 2016, 11:49:31 am
There are a lot of bitmaps in RGB565, one after the other, in different sizes. Some parts that look like code in between.
Some html/xml and javascript (with some "~" every 128 bytes),
Some filenames with a hint to "E:\MQX\Freescale MQX 3.7 ARM9 imx287evk_rev2\Freescale MQX 3.7 ARM9 imx287evk",
Some strings seem to be model numbers (namely DP831A, DP832A, DP821A, DP811A, DP812A, DP813A, DP841A, DP831, DP832, DP821, DP811, DP812, DP813, DP841)

So far I could not identify a structure of it all.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 19, 2016, 05:55:11 pm
Thank you guys so much!

So, from the sounds of it, Volki successfully decrypted the firmware update.   Do you guys think that's safe to assume?   There was some program I ran across a while back...a program made for Rigol .GEL files.   It could extract the files or something.   I wonder if that program would work now with the decrypted DP832 firmware...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 19, 2016, 06:38:53 pm
I don't know a lot about flash or anything, but looking through the descrambled GEL file, at offset: 3091B5, I see:
Code: [Select]
<link hEref
I know with HTML, that should be
Code: [Select]
<link href

Maybe that E in there has something to do with the flash, like where that bit of code gets written to...or maybe there's a little more to descrambling this file, or maybe it's compressed somehow.   What do you guys think?

Further down the file, the www's aren't right.   Like at offset: 3092A6 and 309304
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on September 19, 2016, 09:35:00 pm
These inconsistencies in plain xml '<hEref' appear in regular intervals, i.e. like every 128 bytes (find '~' mostly) inside a logical block, that's why I think it's part of a bigger package. I'm not really experienced in this.

Other things I observed are a lot of bitmaps in RGB565. If you see the descrambled file as a bitstream, run it through a raw pixel viewer and adjust the width correctly, you see a lot of bitmaps. The first one looks like a clock face, then comes more unidentified data and then a whole collection of more bitmaps. For example, I also found the 'middle balls' of the normal view in DP8xxA models.
Other bitmaps are the LXI logo, RIGOL logo, all in diverse colours. Haven't got any at hand to attach atm.
But these bitmaps do not have a header of some sort. They are just next to each other.
However, I didn't find a section with indexes and size information of the single bitmaps, yet. So, these might be part of a bigger package again.
So I keep on searching for some kind of index table.
I couldn't make any sense of the first 256 or so bytes in the file, yet.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on September 19, 2016, 09:50:28 pm
Excellent hacking! It seems a lot of work to get multicolour but the journey is far more interesting than the goal!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 19, 2016, 10:03:12 pm
These inconsistencies in plain xml '<hEref' appear in regular intervals, i.e. like every 128 bytes (find '~' mostly) inside a logical block, that's why I think it's part of a bigger package. I'm not really experienced in this.
I noticed the same pattern.   Also, with the www's, the ones that have the messed up text, almost all of them start with a y with a ' over it.   And then there's a w and a lot have the ~.   Like http://y(with the ' over it)w~.   I saw one that had a capital Z instead of the ~ (or maybe instead of the funky y).

Other things I observed are a lot of bitmaps in RGB565. If you see the descrambled file as a bitstream, run it through a raw pixel viewer and adjust the width correctly, you see a lot of bitmaps. The first one looks like a clock face, then comes more unidentified data and then a whole collection of more bitmaps. For example, I also found the 'middle balls' of the normal view in DP8xxA models.
Other bitmaps are the LXI logo, RIGOL logo, all in diverse colours. Haven't got any at hand to attach atm.
But these bitmaps do not have a header of some sort. They are just next to each other.
However, I didn't find a section with indexes and size information of the single bitmaps, yet. So, these might be part of a bigger package again.
So I keep on searching for some kind of index table.
I couldn't make any sense of the first 256 or so bytes in the file, yet.

You know more about bitmaps than I do.   I too couldn't find an index but I think there has to be one somewheres.   Perhaps in the first 256 bytes or so.   I'm wondering if the first few bytes of the file get decrypted / descrambled differently.

If I were to take a guess, I'd bet the file header for this firmware update might not be too much different than some of the other Rigol firmwares.   Perhaps that could help?   I was reading for the DSxxxx's that Rigol makes, if I understand them correctly, the index for the files is in the beginning of the update file.   I know when I worked as a programmer for Deposit Computer Services, Inc, whenever we got a new customer, I'd find the source code from another customer that wanted something similar and I'd just modify the code a little bit to make it fit, rather than writing the whole thing from scratch.   I bet Rigol's programmers do the same.   The header might not be too much different from the headers in their other files.   Just properly decrypting it, there might be more to it than the 75, 76, 77, etc thing.

I cannot seem to find any termination strings that might separate one file from another.   I think an index has to be used.   Something with offset, filelength and filename and probably some sort of checksum.   Also, somewheres, I almost remember finding the ends of the various Rigol DP832 firmwares had something special about them, like it was all the same values, the last 500 and some bytes or something.   I thought I posted about that somewhere here, in this thread.   Maybe there's a footer.

You did great work though and got much further than I did.   I had given up on this.   Thank you!!!!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on September 30, 2016, 11:27:00 am
I've compared the current (00.01.14.00.01) GEL file that was de-scrambled as before, with an older version (00.01.09.00.01). Here is what they look like:

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78


The (00.01.09.00.01) version is not scrambled and misses the first 4 Bytes: B4 AE 9A 89. From there on, the structure aligns pretty good. Only a few bytes are different, either addresses or length information...

I looked through the bitmaps I could find in (00.01.14.00.03) and made a collection of them here.
Furthermore I could find a lot of 1 bit per pixel character sets with all sorts of special characters. Amongst them are also the 7-segment numbers in different sizes for the main display. Haven't indexed those, though.

Still looking at it and not getting an idea what the overall structure could be. Any more ideas? Any disassemblers?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on September 30, 2016, 11:43:23 am
I cannot seem to find any termination strings that might separate one file from another.   I think an index has to be used.   Something with offset, filelength and filename and probably some sort of checksum.   Also, somewheres, I almost remember finding the ends of the various Rigol DP832 firmwares had something special about them, like it was all the same values, the last 500 and some bytes or something.   I thought I posted about that somewhere here, in this thread.   Maybe there's a footer.

Some bitmaps in the file can be found in different colors (for the different DP800 variants). They are directly adjacent to each other in the code. But sometimes they are also separated by 2 bytes: 00 00. Didn't find a reason for that and why it is only sometimes...

The different variants can be found in location 0x2F172C:
Code: [Select]
44 50 38 33 31 41 00 00 44 50 38 33 32 41 00 00  |  DP831A..DP832A..
44 50 38 32 31 41 00 00 44 50 38 31 31 41 00 00  |  DP821A..DP811A..
44 50 38 31 32 41 00 00 44 50 38 31 33 41 00 00  |  DP812A..DP813A..
44 50 38 34 31 41 00 00 44 50 38 33 31 00 00 00  |  DP841A..DP831...
44 50 38 33 32 00 00 00 44 50 38 32 31 00 00 00  |  DP832...DP821...
44 50 38 31 31 00 00 00 44 50 38 31 32 00 00 00  |  DP811...DP812...
44 50 38 31 33 00 00 00 44 50 38 34 31 00 00 00  |  DP813...DP841...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on September 30, 2016, 05:44:29 pm
Could this be a lookup table for model numbers that are pre-programmed in the devices flash area along with serial number and calibration, etc?

Would it be as simple as changing byte 0x2F1771 from 00 to 41 'A' and perhaps byte 0x2F1739 from 41 to 00 for consistency but also just in case a simple checksum is used?

Nah, that seems too easy  :-DD
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 30, 2016, 06:46:43 pm
Could this be a lookup table for model numbers that are pre-programmed in the devices flash area along with serial number and calibration, etc?

Would it be as simple as changing byte 0x2F1771 from 00 to 41 'A' and perhaps byte 0x2F1739 from 41 to 00 for consistency but also just in case a simple checksum is used?

Nah, that seems too easy  :-DD
I too found the variants at 0x2F172C but I think there has to be a checksum that would prevent the firmware from being loaded.   Someone with more time than me right now could try a simple test.   Turn on their power supply, find a text string in some menu.   Search the descrambled file for this string and make sure it's only found once in the file.   Then just change a letter.   Flash the firmware and see if it's changed in the menu.

If there's some sort of checksum, I'd imagine the power supply would refuse to accept the firmware.   Another thing would be to make sure you can flash the same version firmware that's already installed on the machine.

For example, if your DP832 has firmware 00.01.14.00.01, make sure you can flash a normal version of firmware 00.01.14.00.01.    Otherwise, we could have issues.   Let's say someone's running firmware 00.01.09.00.01 and they flash a modified version of 00.01.14.00.01.   Then they go to undo their changes and try flashing 00.01.14.00.01 again.   The machine might refuse the firmware saying it's already up-to-date.   That could greatly reduce someone's chances to finding a multi-coloured option for the DP832's.   They might only have a couple chances at it.

Can someone upload the source code to re-scramble the files?   I wonder what would happen if someone removed those first 4 bytes in the descrambled file and try flashing it, descrambled like....maybe those first four say the file's encrypted or something?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on September 30, 2016, 07:02:50 pm
Ok, I didn't rescramble the file but modified my original 1.14 using the same '74 offset' formula.

So I changed

2F1379 from EE to AD
2F1771 from E5 to 5C

Reflashed using USB and the help button at the '...' ellipses, it didn't spit back any errors and appeared to accept the file, flashed ok and asked me to power off and on.

Unfortunately it hasn't made the blindest difference  (at least that I have found so far. Perhaps a SCPI command or the webserver will report back the wrong model?) :-DD
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 30, 2016, 07:16:15 pm
I've compared the current (00.01.14.00.01) GEL file that was de-scrambled as before, with an older version (00.01.09.00.01). Here is what they look like:

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78


The (00.01.09.00.01) version is not scrambled and misses the first 4 Bytes: B4 AE 9A 89. From there on, the structure aligns pretty good. Only a few bytes are different, either addresses or length information...

I looked through the bitmaps I could find in (00.01.14.00.03) and made a collection of them here.
Furthermore I could find a lot of 1 bit per pixel character sets with all sorts of special characters. Amongst them are also the 7-segment numbers in different sizes for the main display. Haven't indexed those, though.

Still looking at it and not getting an idea what the overall structure could be. Any more ideas? Any disassemblers?

The bottom of 00.01.09.00.01 seems to repeat itself a bit, but the bottom of the newer version doesn't.


Maybe the 9F E5's are some sort of terminator though?

Or maybe the four bytes there, like 18 F0 9F E5 are offsets?

There's gotta be some version string somewheres here.   I'd really think this is some sort of header.   I'd think it'd contain the version string, size of the file, etc.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 30, 2016, 07:18:38 pm
Ok, I didn't rescramble the file but modified my original 1.14 using the same '74 offset' formula.

So I changed

2F1379 from EE to AD
2F1771 from E5 to 5C

Reflashed using USB and the help button at the '...' ellipses, it didn't spit back any errors and appeared to accept the file, flashed ok and asked me to power off and on.

Unfortunately it hasn't made the blindest difference  (at least that I have found so far. Perhaps a SCPI command or the webserver will report back the wrong model?) :-DD

You can flash the same version firmware over and over again?   Perhaps you'd like to go into the menu, find some text string, and do what I suggested earlier?   Just change the text a little and see if it makes any difference.   I wouldn't try modifying the webpage stuff at all, but the actual text string in one of the menus....if that's successful, then we can assume perhaps there's no checksums at all?   That'd be great news....
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 30, 2016, 08:17:50 pm
I keep on trying to upload 00.01.14.00.03 in a zip file and it looks like it goes, but my posts don't get posted here for some reason.   Not sure where they're going.   But after I post, it takes me to this Start new message page, as if I'm trying to PM someone.   I don't see why I cannot upload the zip file.   It's 9,244KB in size.   Any ideas?    I thought with closer firmware numbers, there wouldn't be so many changes and maybe it'd be easier to figure out the stuff, like the header of the file, etc.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on September 30, 2016, 08:25:32 pm
Ok, I chose to change the installed options text at 277BC0 from ":Official" to ":Hacked!" so the encoded bytes are

5E 6D 87 8A 93 8E B8 4C 2C

Reflashed and unfortunately the options still showed as ":Official" so perhaps it is ignoring the upgrade? I then tried the "Update analog board 1 & 2" step just in case but no luck.

So I downgraded using official 1.13 - that installed and reported version correctly.

I then re-installed my hacked 1.14 which gave all indication of installing ok, but the Sys Info still showed 1.13 and of course my hack did not work.

I then installed proper 1.14 which installed ok, and now Sys Info does show 1.14.

So I give up. That's it for tonight!  ;)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on September 30, 2016, 08:55:48 pm
Ok, I chose to change the installed options text at 277BC0 from ":Official" to ":Hacked!" so the encoded bytes are

5E 6D 87 8A 93 8E B8 4C 2C

Reflashed and unfortunately the options still showed as ":Official" so perhaps it is ignoring the upgrade? I then tried the "Update analog board 1 & 2" step just in case but no luck.

So I downgraded using official 1.13 - that installed and reported version correctly.

I then re-installed my hacked 1.14 which gave all indication of installing ok, but the Sys Info still showed 1.13 and of course my hack did not work.

I then installed proper 1.14 which installed ok, and now Sys Info does show 1.14.

So I give up. That's it for tonight!  ;)

Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on September 30, 2016, 09:34:11 pm
Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

Yep!

Quote
It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!

Spork, the first attempt I simply swapped the bytes for 'DP832\0' and 'DP832A' (but re-encoded using the offset 0x74 algorithm, purely using http://www.hexedit.com/ and manually with its calculator). This is on the original 1.14 file, not the decoded one.

Though the PSU appeared to accept it and reported "Upgrade successful!" it made no difference. I did choose to swap the bytes instead of just changing 1 byte because I guessed there may be a checksum and simple checksum algo's will still work if bytes are just swapped.

So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on September 30, 2016, 10:56:50 pm
So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
At least that's good news that you can flash over and over again, as it seems.
Might be worth trying changes in all the different parts of the software now: changing bitmaps, changing HTML code, etc. See which changes are accepted until it breaks.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on October 01, 2016, 01:02:46 am
Maybe an interesting find and a pointer in the right direction (pun intended  ^-^):

In the header of (00.01.14.00.03) we find:
000000: B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
000010: FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
000020: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
000030: 00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
000040: 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
000050: 7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The addresses 0x00A03D and 0x009C3D and surrounding looks like this:
003D80: 52 55 D5 00 00 00 00 00 00 00 00 00 00 00 00 00
003D90: 77 77 F7 00 FA FA FA 00 FA FA FA 00 00 00 00 00  <-- This is address 0x3D9C from the header
003DA0: A5 00 00 00 00 00 55 55 55 55 00 00 64 00 00 00  <-- This address is 0x3DA0 from the header
003DB0: 01 00 01 00 01 00 00 00 00 40 AB 61 00 00 00 00
003DC0: A1 6D 33 00 FF FF 00 00 9F 00 00 00 52 49 47 4F  <-- RIGO
003DD0: 4C 4C 00 00 00 00 00 00 00 00 00 00 18 F0 9F E5  <-- L
003DE0: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
003DF0: FF FF FF FF 18 F0 9F E5 18 F0 9F E5 DC E8 26 40
003E00: 38 1D 06 40 70 1D 06 40 A8 1D 06 40 E0 1D 06 40
003E10: FF FF FF FF 50 1E 06 40 90 1E 06 40 01 01 00 00
003E20: 40 00 00 00 00 33 6D 40 00 00 00 00 F0 41 2D E9
003E30: 00 60 B0 E1 00 70 A0 E3 9C 0E 9F E5 D7 80 D0 E1
003E40: 08 00 B0 E1 00 0C A0 E1 40 0C B0 E1 80 12 80 E0
003E50: 88 0E 9F E5 01 02 90 E0 00 10 A0 E3 0C 12 C0 E5
003E60: 06 00 B0 E1 00 08 A0 E1 20 08 B0 E1 02 10 A0 E3
003E70: 4C 1D 81 E3 01 00 50 E1 10 00 00 0A 12 10 A0 E3


Notice the "RIGOL" string at 0x003DCC and the recurring 18F09FE5 pattern from the header.

A similar thing seems to happen in 1.09 GEL file and 1.13 GEL files.
Maybe worth looking into this one, as this might be an address reference.

Bytes 55 55 55 55 are some sort of a marker. It does not look like a valid armv5 instruction. However the uint32 that end with some sort of Ex (E0, E1, E3, E5, E9) might be some code bits.

I guess I have to figure out how http://www.hexedit.com/ can be used effectively now.  ;)
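Reading the header bytes in the post above as little-endian 32-bit words makes their structure visible: 18 F0 9F E5 is the word 0xE59FF018, the ARM encoding of LDR PC, [PC, #0x18], and eight such slots in a row is the layout of an ARM exception vector table, with the handler addresses stored in the words that follow. This is an added example, not code from any poster in the thread; the function names are hypothetical and the only input is the header dump quoted above.

```python
import struct

# First 0x60 bytes of the descrambled 00.01.14.00.03 file, copied from the dump above.
HEADER = bytes.fromhex(
    "B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00"
    "FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5"
    "18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5"
    "00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00"
    "7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00"
    "7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00"
)

# Order of the eight ARM exception vectors.
VECTOR_NAMES = ["reset", "undefined", "swi", "prefetch_abort",
                "data_abort", "reserved", "irq", "fiq"]


def words_le(data, start=0):
    """Return the little-endian 32-bit words of data, beginning at byte `start`."""
    count = (len(data) - start) // 4
    return list(struct.unpack_from("<%dI" % count, data, start))


def decode_ldr_pc(word):
    """Return imm12 if word encodes ARM 'LDR PC, [PC, #imm12]', else None."""
    if word & 0xFFFFF000 == 0xE59FF000:
        return word & 0xFFF
    return None


def find_vector_table(data):
    """Return the first offset where 8 consecutive words look like a vector table.

    Heuristic (an assumption of this example): the first slot and at least 7 of
    the 8 slots are 'LDR PC, [PC, #imm]'; the reserved slot is allowed to differ.
    """
    for off in range(0, len(data) - 32 + 1, 4):
        slots = struct.unpack_from("<8I", data, off)
        hits = sum(decode_ldr_pc(w) is not None for w in slots)
        if decode_ldr_pc(slots[0]) is not None and hits >= 7:
            return off
    return None


def resolve_handlers(data, table_off):
    """Map each vector name to the handler address held in its literal slot.

    In ARM state PC reads as the instruction address + 8, so the literal for
    vector k lives at table_off + 4*k + 8 + imm12. The load is PC-relative,
    so file offsets work without knowing where the image is loaded.
    """
    handlers = {}
    for k, name in enumerate(VECTOR_NAMES):
        (word,) = struct.unpack_from("<I", data, table_off + 4 * k)
        imm = decode_ldr_pc(word)
        if imm is None:
            continue  # e.g. the reserved slot, which is 00 00 00 00 here
        literal_off = table_off + 4 * k + 8 + imm
        if literal_off + 4 > len(data):
            continue  # literal lies outside the bytes we have
        (addr,) = struct.unpack_from("<I", data, literal_off)
        handlers[name] = addr
    return handlers


if __name__ == "__main__":
    # Words after the 4-byte prefix B4 AE 9A 89; A0 3D 00 00 reads as 0x00003DA0.
    print(["0x%08X" % w for w in words_le(HEADER, 4)[:6]])
    table = find_vector_table(HEADER)
    print("vector table at file offset 0x%X" % table)
    for name, addr in resolve_handlers(HEADER, table).items():
        print("%-15s -> 0x%08X" % (name, addr))
```
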
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 01:14:36 am
Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

Yep!

Quote
It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!
...I did choose to swap the bytes instead of just changing 1 byte because I guessed there may be a checksum and simple checksum algo's will still work if bytes are just swapped....

What do you consider to be a simple checksum algorithm?   I figured they were probably using something like SHA1 or SHA256.   With those types of algorithms, byte swapping will change the checksum.   MD5 has a lot more collisions than originally thought and I don't think any good coder would use MD5 checksums, but I guess they could.   There's open source programs that implement SHA type checksums so it wouldn't be hard for a programmer to implement the more secure types.

I don't mean to argue with you or anything.   I'm just a bit confused.   If I understand everything correctly, byte swapping would change the checksum if an SHA type algorithm was used, right?   Is SHA not considered simple?   Thanks for sharing what you did and your thinking behind it.   I really appreciate all the help people have provided on trying to get this working.   It seems I'm not the only one interested in making this multi-coloured option work.

I really want to get a collection of the different versions of firmware for the DP832 / DP832A.   Anything under 1.09 isn't encrypted?   If anyone can send me links to the rest of the versions, after our baby is born, I might have some down time and might be able to play more with this.
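Whether a two-byte swap gets past a checksum, the question raised above, depends on the algorithm and can be tested directly. This added example (not code from any poster or from Rigol) applies the swap described in the thread, an 'A' at low offset 0x39 exchanged with a 0x00 at 0x71, to a constructed 256-byte image and lists which integrity checks return the same value afterwards; the image contents, function names and the set of checks are assumptions, and nothing here says which check, if any, the DP832 uses.

```python
import hashlib
import zlib


def sum8(data):
    """Additive checksum: sum of all bytes, modulo 256."""
    return sum(data) & 0xFF


def sum32(data):
    """Additive checksum: sum of all bytes, modulo 2**32."""
    return sum(data) & 0xFFFFFFFF


def xor8(data):
    """XOR of all bytes."""
    x = 0
    for b in data:
        x ^= b
    return x


def fletcher16(data):
    """Fletcher-16: the second running sum makes the result position dependent."""
    s1 = s2 = 0
    for b in data:
        s1 = (s1 + b) % 255
        s2 = (s2 + s1) % 255
    return (s2 << 8) | s1


CHECKS = {
    "sum8": sum8,
    "sum32": sum32,
    "xor8": xor8,
    "fletcher16": fletcher16,
    "crc32": lambda d: zlib.crc32(d) & 0xFFFFFFFF,
    "sha256": lambda d: hashlib.sha256(d).hexdigest(),
}


def build_image():
    """Constructed sample image holding the two model strings from the thread."""
    img = bytearray((i * 7 + 3) & 0xFF for i in range(256))  # arbitrary filler
    img[0x34:0x3A] = b"DP832A"      # the 'A' lands at 0x39
    img[0x6C:0x72] = b"DP832\x00"   # the 0x00 lands at 0x71
    return img


def swap_bytes(image, i, j):
    """Return a copy of image with the bytes at i and j exchanged."""
    out = bytearray(image)
    out[i], out[j] = out[j], out[i]
    return out


def unchanged_checks(original, modified):
    """Names of the checks that give the same value for both images."""
    return sorted(
        name for name, fn in CHECKS.items()
        if fn(bytes(original)) == fn(bytes(modified))
    )


if __name__ == "__main__":
    image = build_image()
    swapped = swap_bytes(image, 0x39, 0x71)
    print("unchanged after swap:", unchanged_checks(image, swapped))

    one_byte = bytearray(image)
    one_byte[0x71] = 0x41  # change a single byte instead of swapping
    print("unchanged after one-byte edit:", unchanged_checks(image, one_byte))
```

Sums and XOR ignore byte order, so only those survive the swap; Fletcher-16, CRC-32 and SHA-256 all change, and every check changes for the single-byte edit.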
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 01:18:51 am
So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
At least that's good news that you can flash over and over again, as it seems.
Might be worth trying changes in all the different parts of the software now: changing bitmaps, changing HTML code, etc. See which changes are accepted until it breaks.

So far, if I understand Macbeth correctly, all changes are ignored.   It would be worth trying changes though.   We should start working on trying to figure out the checksum routine.   I'll open a hex editor on the decrypted firmware.   If I remember correctly though, different versions of the firmware had some similarities at the end of them.   Maybe that was some sort of checksum?    I know some of the firmware I played with, the header had a checksum, the different parts had checksums, etc.

For example, the header might have a checksum (perhaps that end bit after all those 00's?)   Then maybe the flash section, after all the websites or something, there might be some checksum there.   Then at the end, there might be one for the entire size of the file, etc.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 01:23:51 am
Maybe an interesting find and a pointer in the right direction (pun intended  ^-^):

In the header of (00.01.14.00.03) we find:
000000: B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
000010: FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
000020: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
000030: 00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
000040: 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
000050: 7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The addresses 0x00A03D and 0x009C3D and surrounding looks like this:
003D80: 52 55 D5 00 00 00 00 00 00 00 00 00 00 00 00 00
003D90: 77 77 F7 00 FA FA FA 00 FA FA FA 00 00 00 00 00  <-- This is address 0x3D9C from the header
003DA0: A5 00 00 00 00 00 55 55 55 55 00 00 64 00 00 00  <-- This address is 0x3DA0 from the header
003DB0: 01 00 01 00 01 00 00 00 00 40 AB 61 00 00 00 00
003DC0: A1 6D 33 00 FF FF 00 00 9F 00 00 00 52 49 47 4F  <-- RIGO
003DD0: 4C 4C 00 00 00 00 00 00 00 00 00 00 18 F0 9F E5  <-- L
003DE0: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
003DF0: FF FF FF FF 18 F0 9F E5 18 F0 9F E5 DC E8 26 40
003E00: 38 1D 06 40 70 1D 06 40 A8 1D 06 40 E0 1D 06 40
003E10: FF FF FF FF 50 1E 06 40 90 1E 06 40 01 01 00 00
003E20: 40 00 00 00 00 33 6D 40 00 00 00 00 F0 41 2D E9
003E30: 00 60 B0 E1 00 70 A0 E3 9C 0E 9F E5 D7 80 D0 E1
003E40: 08 00 B0 E1 00 0C A0 E1 40 0C B0 E1 80 12 80 E0
003E50: 88 0E 9F E5 01 02 90 E0 00 10 A0 E3 0C 12 C0 E5
003E60: 06 00 B0 E1 00 08 A0 E1 20 08 B0 E1 02 10 A0 E3
003E70: 4C 1D 81 E3 01 00 50 E1 10 00 00 0A 12 10 A0 E3


Notice the "RIGOL" string at 0x003DCC and the recurring 18F09FE5 pattern from the header.

A similar thing seems to happen in 1.09 GEL file and 1.13 GEL files.
Maybe worth looking into this one, as this might be an address reference.

Bytes 55 55 55 55 are some sort of a marker. It does not look like a valid armv5 instruction. However the uint32 that end with some sort of Ex (E0, E1, E3, E5, E9) might be some code bits.

I guess I have to figure out how http://www.hexedit.com/ can be used effectively now.  ;)

When you say This is address 0x3D9C from the header, you mean from offset 0, right?   You haven't found where the header actually ends yet, have you?   That'd be nice.   Regardless, I too thought maybe there were some addresses in the beginning there but just didn't have time to explore it yet.   In the 1.09 firmware, I thought maybe the 18 F0 9F E5 was an address somewhere.   You guys are making great progress!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: stj on October 01, 2016, 01:41:18 am
a slight change of subject - only slight.

maybe you should try to find out how the code determines the model.
does it identify the model when you change the firmware, and flash the appropriate files,
or does it install everything and then determine which files to use every time it's powered up?

does it have an eeprom?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 02:09:03 am
a slight change of subject - only slight.

maybe you should try to find out how the code determines the model.
does it identify the model when you change the firmware, and flash the appropriate files,
or does it install everything and then determine which files to use every time it's powered up?

does it have an eeprom?

This could be hard to find out.   Last time I tried dumping the flash, OpenOCD didn't fully support this processor.   At the time, the flash wasn't supported, so there was no way to dump it.   I figured (just a straight up guess) that the firmware is the same on the DP832 and the DP832A.   Just at startup, there's some sort of serial number check.   I figured it's kinda like the unlock codes.   You got the right code, it unlocks the features.   You got the right serial number, it'll enable the multi-coloured screen.   That was just my guess though.


At offset 310, you can see what appears to be more addresses.   Memory pointers or something?   Perhaps file sizes or parts of the index?   I don't know, but there's definitely some sort of pattern, in the 1.14.00.03 descrambled file at least.

I don't know where they start so the beginning of these bytes might actually be the end of one address and the beginning of the second, but I see stuff like:
Code: [Select]
00 00 21 21 54 D0 20 40      <-- starts at offset 315h
00 01 21 21 54 FF 20 A2
30 01 21 21 54 D1 20 40
00 01 21 21 54 FF 20 A4
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 02:35:18 am
What do you guys make of offset 0x30A69B?   We're still missing something on the decryption or this file is somehow compressed, but I don't think it's compressed.   There's too much text.   Text compresses real easy like.

I see a comment:
Code: [Select]
//window.alert("oh yeah!\nö ~SOng is a pig!");

oh yeah!   then a new line.    But the funky o with two dots over it, the squiggly ~, stuff like that I don't think's right.   There's a lot of ý's where there shouldn't be.   Maybe if we could work on getting a bit cleaner descrambling program, we'd see things a bit differently?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 04:49:24 am
What's the bootloader code look like unscrambled?   I have searched through the file looking for some sort of table.   I've found html files, css files, etc.   But there's very few file names.   I found a couple, here's their offsets:
Code: [Select]
Offset 002E8FF8: /images/nav_1_0.jpg
Offset 00285CEC: /DP800A_NetworkSettings.html
Offset 00285D0C: /DP800A_setting_pswrong.html
Offset 002BA170: /RG1000NetworkSettings.css
Offset 002BA18C: /DP800A_NetworkStatus.html
Offset 002BA1C4: /DP800A_WelcomePage.html
Offset 002BAAC4: /RG1000WelcomePage.css
Offset 002BAADC: /DP800A_Security.html
Offset 002BAAF4: /DP800A_successful.html
Offset 002BAB0C: /images/logo_DP800.jpg
Offset 002E8FA8: /RG1000Security.css
Offset 002E8FBC: /DP800A_Help.html
Offset 002E8FD0: /images/logo.jpg
Offset 002E8FE4: /images/nav_1.jpg
Offset 002E8FF8: /images/nav_1_0.jpg
Offset 002E900C: /images/nav_2.jpg
Offset 002E9020: /images/nav_2_0.jpg
Offset 002E9034: /images/nav_3.jpg
Offset 002E9048: /images/nav_3_0.jpg

There were more, but I got tired.   I tried finding how those names were related to the data and I couldn't find anything.    For example, I thought there'd be a good chance the /images/logo.jpg file would exist.    So, I searched for hex values like 2E8FD0   and D08F2E.  I found D08F2E at offset: 21A7D4

I found a bunch of other addresses in that area and tried going to what they said, and they took me places, some of them seem to line up and I thought I found the table, but then some of them didn't.   I give up for the night and I'm going to bed.   Maybe someone else can figure it out though.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: stj on October 01, 2016, 05:03:44 am
What do you guys make of offset 0x30A69B?   We're still missing something on the decryption or this file is somehow compressed, but I don't think it's compressed.   There's too much text.   Text compresses real easy like.

I see a comment:
Code: [Select]
//window.alert("oh yeah!\nö ~SOng is a pig!");

oh yeah!   then a new line.    But the funky o with two dots over it, the squiggly ~, stuff like that I don't think's right.   There's a lot of ý's where there shouldn't be.   Maybe if we could work on getting a bit cleaner descrambling program, we'd see things a bit differently?

"nö ~SOng" - is a font issue - use something else to view it such as UTF-8
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 04:01:55 pm
What do you guys make of offset 0x30A69B?   We're still missing something on the decryption or this file is somehow compressed, but I don't think it's compressed.   There's too much text.   Text compresses real easy like.

I see a comment:
Code: [Select]
//window.alert("oh yeah!\nö ~SOng is a pig!");

oh yeah!   then a new line.    But the funky o with two dots over it, the squiggly ~, stuff like that I don't think's right.   There's a lot of ý's where there shouldn't be.   Maybe if we could work on getting a bit cleaner descrambling program, we'd see things a bit differently?

"nö ~SOng" - is a font issue - use something else to view it such as UTF-8

I have tried UTF-8 but it doesn't seem to make a difference.   Are you sure that's an issue?   There's some strings like:
Code: [Select]
http://ýw~.w3.org/TR/html4/loose.dtd

That's at offset 0x00309133

I'm using HxD and right now have the character set set to ANSI.  I change it to the various different options and none show www.   So, with it set to ANSI, I copy the text, then I open notepad.   I paste the text.   I go to File -> Save As and I set it to UTF-8.   I reopen the text, it's the same.   I paste the text again, now that Notepad is in UTF-8 mode, still the same.   Is there a better hex editor?   I like how HxD can do the various checksums (even custom ones), I like how I can set how many bytes to group together and how many bytes to display per row....It's still lacking though and I don't think it's going to be updated any time soon.

It'd be nice to be able to see the bytes in something besides hex, for instance...Being able to set the encoding to UTF-8 would be nice.   Being able to do a side-by-side comparison of different windows would be nice.   Kinda like how Volkimel displayed the differences between the firmwares, with the underlines and stuff like that.   Any suggestions on a better hex editor for Windows?

I got a little bit of time today.   I want to download the source to Volkimel's program, setup a compiler, make an executable.   I'd like to add some simple command line switches or write a second program that reencrypts the firmware.   If anyone has already done this and just wants to share the source code, I'd greatly appreciate it.   I haven't written a C program for the PC in a long time and it'll take me a bit to walk through the code.   I was looking at the C program Volkimel wrote and I don't fully understand it yet.   That's an issue.   I used to be a C programmer and got paid for writing code.   I shouldn't have trouble understanding this!   It's just been so long.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on October 01, 2016, 05:45:30 pm
In Windows, Notepad++ is the choice..
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on October 01, 2016, 07:18:41 pm
Spork,

I just wrote a simpler version in Python and added a -r command line option for re-scrambling. :-+

No need for C compilers and .exe files ;) Install Python 2.7 if you don't have it already, and yes Notepad++ is what I use in Windows.

Code: [Select]
# DP800 file descrambler

import argparse

parser = argparse.ArgumentParser(description='Descramble a Rigol DP800 .GEL file')
parser.add_argument('-r', '--rescramble', action='store_true', help='convert back to original format')
parser.add_argument('infile', help='input filename')
parser.add_argument('outfile', help='output filename')
args = parser.parse_args()

# Read the whole file; the with-block closes it on exit.
with open(args.infile, 'rb') as infile:
    buf = bytearray(infile.read())

# Rolling value applied to each byte: starts at 116 (0x74) and wraps after 255.
offset = 116

for i in range(len(buf)):
    if args.rescramble:
        # Re-scramble: add the rolling offset, modulo 256.
        b = buf[i] + offset
        if b > 255: b -= 256
    else:
        # Descramble: subtract the rolling offset, modulo 256.
        b = buf[i] - offset
        if b < 0: b += 256

    buf[i] = b
    offset += 1
    if offset > 255: offset = 0

with open(args.outfile, 'wb') as outfile:
    outfile.write(buf)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 08:17:37 pm
Macbeth, thanks for the Python script.   I'm a bit of a C fan personally and I might just use your Python script to rewrite the C code to process it.   Not that there's anything wrong with Python.   It's a very nice language and everything.

So, Notepad++, I've heard of this, but it's an actual hex editor that can do everything that I'm looking for?   If it's the program I'm thinking of, it's been around for a very long time, when I was in high school.   Back then, I remember it just being a fancy text editor...I'll check it out.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on October 01, 2016, 09:36:37 pm
Python... nice!... this is my first attempt at a Python script from scratch and I'll have you know it was a serious PITA! Tabs vs spaces fighting each other ! :-DD

Yeah, good old 'C' is my ultimate fallback and what I use for microcontrollers, short of pure assembler, but all the fashionable kids are doing it in Python, and to be fair interpreted stuff is nicer/easier to play with.

Notepad++ is a text editor with programmers in mind. My Windows Hex editor is free from www.hexedit.com (http://www.hexedit.com), I've not tried HxD. I will give it a shot...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 01, 2016, 10:51:45 pm
Python... nice!... this is my first attempt at a Python script from scratch and I'll have you know it was a serious PITA! Tabs vs spaces fighting each other ! :-DD

Yeah, good old 'C' is my ultimate fallback and what I use for microcontrollers, short of pure assembler, but all the fashionable kids are doing it in Python, and to be fair interpreted stuff is nicer/easier to play with.

Notepad++ is a text editor with programmers in mind. My Windows Hex editor is free from www.hexedit.com (http://www.hexedit.com), I've not tried HxD. I will give it a shot...

Yeah, I have to agree about the Python.   I've seen a lot about it recently and started learning it from the free MIT courses.   For an interpreted language, it's not too shabby.    I'm slowly getting into PICs.   I just don't have enough free time and too many projects.    C is my favourite, even for the PICs although assembly might be a little more efficient (for microcontrollers I mean).   For being a high level language, the C compilers I generally use seem to be pretty optimized.   My all time favourite is the GNU C compiler.

So Notepad++ isn't what I'm looking for.   I'm looking for a better hex editor for Windows.  I'll check out hex edit.   HxD is free as well.   It was promising but I think it's dead now.   The checksum features are nice though.   It can calculate all the way up to SHA-512.  You can pick just one, or certain ones, or all of them, you can have it use custom checksums, you can have it run a checksum on the whole file or just the selection.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on October 02, 2016, 12:51:30 am
Spork,

I just wrote a simpler version in Python and added a -r command line option for re-scrambling. :-+

No need for C compilers and .exe files ;) Install Python 2.7 if you don't have it already, and yes Notepad++ is what I use in Windows.

Very nice, Macbeth. Thanks.
Being a microcontroller programmer by trade, it was easier for me to just get a quick C console .exe together. Just because, I knew what I was doing and I was excited to see this pattern.
But Python is of course a nice language for this kind of work. I didn't have Python installed on the machine I'm doing this with.

I was looking more into the structure of the GEL file, again. Haven't tried any reflashing my DP832, yet. It's still happily running on 00.01.13.00.01 with all options.

Now, simply put "18 F0 9F E5" into Google and see what comes out: A few websites suggest it is the vector table of an ARMv5 architecture, leaving the correct space at 0x00000014 and doing the correct stuff at the few vectors.
So, when disassembling this, we could figure out where the reset vector branches, make it our main() and disassemble from there. That's a task for someone who knows what he's doing. :)

So far, I only took it as indication that we have to concentrate on the few bytes before the first "18 F0 9F E5". I would guess that's the header then.

For 1.14 it looks like this:
0x000000: B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
0x000010: FF FF 00 00 9F 00 00 00 9C 3D 00 00


In this bit of hex code there are "A0 3D 00 00", followed by "FF FF 00 00", and "9C 3D 00 00". If you read these backwards (different endianness, I'm always getting confused, which is which) these are addresses or offsets that point close to another structure like the header:

Again, in 1.14 it is here:
0x003D9C: 00 00 00 00 A5 00 00 00 00 00 55 55 55 55 00 00
0x003DAC: 64 00 00 00 01 00 01 00 01 00 00 00 00 40 AB 61
0x003DBC: 00 00 00 00 A1 6D 33 00 FF FF 00 00 9F 00 00 00
0x003DCC: 52 49 47 4F 4C 4C 00 00 00 00 00 00 00 00 00 00

The GEL file continues with "18 F0 9F E5" again, so I guess the structure is done after these 64 bytes.

Like in the first 28 Bytes at 0x000000 there seems to be another address or offset before the "FF FF 00 00", again here. It is "A1 6D 33 00".
If you take this as another offset to 0x003DDC (where the ARM Vector table starts) and jump to location (0x003DDC + 0x336DA1 = 0x33AB7D), you are exactly 64 Bytes from the end of the GEL file.

The last 64 Bytes in 1.14 look like this:
33AB7D: 9F 00 00 00 68 FC 5A AA 5F 2A A7 CF CF BC 40 37 <-- maybe checksums here?
33AB8D: 1C 20 81 2A 66 8F D4 A9 90 24 05 00 90 24 05 00  <-- repeating pattern starts here...
33AB9D: 90 24 05 00 90 24 05 00 90 24 05 00 90 24 05 00
33ABAD: 90 24 05 00 90 24 05 00 90 24 05 00 91 24 05 00  <-- ...except for one more bit in the last "91"

There is also the "9F 00 00 00" again.

Softwares 1.13 and 1.14 have the same structure.

The same thing is happening in the 1.09 software that did not have the scrambling and did not have the mystical "B4 AE 9A 89" in the beginning.
The last 64 Bytes of 1.09 look like this:
3233C5: 9F 00 00 00 46 4E 7D 13 0B 73 66 35 70 07 E4 93 <-- maybe checksums here?
3233D5: 84 BC F8 1B E9 F5 3C 2F D7 FF 04 00 D7 FF 04 00  <-- repeating pattern starts here...
3233E5: D7 FF 04 00 D7 FF 04 00 D7 FF 04 00 D7 FF 04 00
3233F5: D7 FF 04 00 D7 FF 04 00 D7 FF 04 00 DE FF 04 00  <-- ...except for two bits in the last "DE" (one on, one off)


Maybe the few bytes after "9F 00 00 00" and before the repeating pattern are finally checksums of different blocks. I didn't check on them.

I'm just thinking out loud here, to what I find.

So Notepad++ isn't what I'm looking for.   I'm looking for a better hex editor for Windows.  I'll check out hex edit.   HxD is free as well.   It was promising but I think it's dead now.   The checksum features are nice though.   It can calculate all the way up to SHA-512.  You can pick just one, or certain ones, or all of them, you can have it use custom checksums, you can have it run a checksum on the whole file or just the selection.

I also use all of those tools. They are really helpful. The HEX plugin for my version of NP++ has some issues when copy and pasting HEX code, though, so I don't rely on it.
I couldn't figure out how to copy a block of HEX bytes including their addresses. So far I do a lot of manual editing and trying not to get confused after that. :)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 02, 2016, 02:24:56 am
I noticed the repeating pattern at the end there as well.   I was trying to figure out the checksum and was trying to figure out what to run the checksum algorithms against (I couldn't figure out exactly where to stop).   I tried a few beginnings.   I tried without the first 4 bytes and without the first 128 bytes and without the first 256 bytes and 512 bytes, etc.

I'm either going to install Python or write the C program to rescramble the firmware and I'll try flashing on my machine.   I want to try a few things.   Because we can downgrade, I wanted to try removing those first four bytes and flashing an unscrambled, unedited file.   I wonder if the bits say something, like this is a compressed file, etc.   It could also maybe be the size of the file?

I really want to start flashing my unit but every time I sit down on the PC to start writing the program to rescramble the firmware, I get distracted.   Now my wife wants to watch a movie.   You and Macbeth know a lot more about microcontrollers than I do.   I don't know what a vector table is, for example.

Macbeth, you're certain the modified firmware didn't take?   For example, not trying to change a version number or anything, just maybe some HTML or something, going from a lower firmware to a modified higher firmware, checking the version number, and it's still the lower version, right?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: whatchitfoool on October 17, 2016, 08:27:31 am
Anyone have an update on the state of the project?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 17, 2016, 06:50:03 pm
I believe the firmware files might have been successfully decoded.   We know at least some of them have been.   I think we might still be missing some of the decryption scheme but maybe not.   We haven't been able to actually update the device using a modified firmware image though.   We're thinking maybe there's some sort of checksum routine in the firmware file.

At this point, I think it's best to try and figure out the format of the firmware file, but that can take a bit of work.   Someone with experience with the processor used in these power supplies might be beneficial.

Our baby came Saturday, October 15th, at 7:40AM.   Chloe Lee Swarthout, weighing 8 lbs, 12.7 ounces, being 20 3/4" long.   She's healthy.   My wife had some complications during the pregnancy and was delivering from 11:45PM Friday until 7:40AM Saturday.   The midwife had to leave early on and came back around 5:30am and yelled at the nurse and kicked her out.   The baby was in the wrong position and she said she shouldn't have let Jess go that long pushing.   She should have known that baby wasn't coming out.   So, she had Jess lay down on her side and sleep for an hour and a half or so.   At 7:20AM, she brought a new nurse in and tried again.   20 minutes later, the baby was here!

Jess was coming in and out of during the delivery.  Her blood pressure was really low and I don't think she remembers most of it, so that's good.   But we just got home today from the hospital and are slowly adjusting to be new parents!   I probably won't be on for a bit to answer questions though.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on October 17, 2016, 09:08:50 pm
I wish mother and baby well! You need a bracing glass of something or other too  :-+

Don't be too hard on the nurses, everything is amplified in these situations, and let's not forget that only a few decades ago it was normal for a 1 in 10 chance complete loss of life of mother, baby, or both during childbirth.  :scared:

This is one reason I am glad for the NHS in the UK and utterly bewildered at the "green" Guardianistas who decide to "give birth naturally" with feckin' "doolahs" or whatever these mystics are called  :palm: Yeah that birthing pool of natural yoghurt is great until the complications happen!  :-D
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on October 17, 2016, 11:31:23 pm
....   But we just got home today from the hospital and are slowly adjusting to be new parents!   I probably won't be on for a bit to answer questions though...

Wish your wife speedy recovery and for baby to be healthy and to bring joy to the family.. All the best and congrats!!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on October 18, 2016, 01:12:59 am
I wish mother and baby well! You need a bracing glass of something or other too  :-+

Don't be too hard on the nurses, everything is amplified in these situations, and lets not forget that only a few decades ago it was normal for a 1 in 10 chance complete loss of life of mother, baby, or both during childbirth....

I've been looking at it as at least my wife and baby are okay and that it could have been much worse, you know?   Although Jess is hurting, she'll recover with time.   It could take up to a month but at least she's still here, you know?  And the baby is healthy as well.   That's great.

Also, the midwife left because of an emergency.   So if she had stayed, maybe someone wouldn't have made it?   I guess in the end, we're just thankful everything worked itself out.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Dwaine on December 31, 2016, 12:02:36 pm
Did anyone get any further ahead decoding the file structure?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on December 31, 2016, 01:36:16 pm
Did anyone get any further ahead decoding the file structure?
Not as far as I know. As there is no license code for this, I assume this can only be done by either hacking and installing an existing firmware update package or by changing the files on the internal flash.
It does not look like this will happen in the near future.

Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on December 31, 2016, 05:51:25 pm
Did anyone get any further ahead decoding the file structure?

There were people who claimed to have dumped the firmware directly from the flash on this unit.   I've contacted all the people I could find who said they were able to dump it, to see if they'd provide me with a copy, but I never got a response.   I went out and bought a JTAG device, just to find out OpenOCD didn't support the flash with this CPU, so I wasn't able to dump it myself.   That was a while back.   Maybe now they do support the flash with this CPU?   The CPU, if I remember correctly, has some fancy security features.   I want to say there was something about making it really hard to read the flash, something with encryption, I dunno.

Anyway, if we could get a copy of the flash on the drive, maybe we'd have better luck decrypting the firmware .GEL files?   It almost seems like the decryption program that the one person wrote isn't quite right.   If you look through a "decrypted" .GEL file, you'll see stuff like ht~1p:// instead of http:// (that's just an example, I don't think it's ht~1p://, I just don't remember what they look like).   I was thinking maybe there's a little bit more to decrypting the files, but I could be wrong.   I just thought that was wrong.   That we should be seeing those strings as http.

I think there's some sort of checksum in the firmware that tells if the firmware's been modified or not.   I think that would be the next step, finding where the checksum is and figuring out how it's calculated.   It might be impossible, I dunno.   There could be multiple checksums.   There might be one for each section and then one for the entire file.   At the very end of the files for the different firmware versions, I found similar bytes.   I thought maybe that was some sort of checksum.

There's probably some table of contents, something that says where the files are located and how many bytes are in each file.  I couldn't really find anything in the .GEL file.   Perhaps this information is in another file?   I dunno.   There's gotta be a way to say this is the start of one file, this is the end of this file, either a special character or some sort of table.   That's something that'd need to be done.   Usually files on flash have filenames, right?   Or isn't that always the case?   I have limited experience with flash.   I've been looking at it more like a hard drive with some sort of filesystem.   Maybe it's not like that at all though?   If it is, there should be filenames somewheres as well.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: toxuin on January 09, 2017, 08:36:10 pm
Looking at the unscrambled file with binwalk shows there are many LZMA-compressed chunks – could this be packaged firmwares for various chips on board? But sadly, extraction is not possible because of damaged archive.
I suspect it has something to do with the infamous ht~p:/ bug – as it damages strings it damages the compressed structures. Unscrambling has to have more to it.

I've taken a look at gotroot's keygen and it has a dp832 private key – not sure if we need it or not, but might be useful. Apart from that there is a lot of wicked crypto stuff that must come (at least an idea how to do it) from a disassembled binary, no doubt.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 10, 2017, 01:47:42 am
My wife had a baby and I don't have a lot of free time anymore.   But this is great news.   We should look at how often that ~ appears.   If I remember correctly, it was x number of bytes into the file.   For example, every 74th byte, there'd be a ~, which made me start thinking maybe the code to decrypt was 100% right, but maybe it wouldn't need much to fix at all.    ~ is ASCII 126 decimal or 7E hex.    t is 116 decimal or 74 hex.   It's only 10 digits off.

I wanted to write the decryption / encryption program in C but lost the free time.   I'll try to find it again and maybe we can try stepping through this one more time.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: smithnerd on January 27, 2017, 06:40:54 am
Looking at the unscrambled file with binwalk shows there are many LZMA-compressed chunks – could this be packaged firmwares for various chips on board? But sadly, extraction is not possible because of damaged archive.
I suspect it has something to do with the infamous ht~p:/ bug – as it damages strings it damages the compressed structures. Unscrambling has to have more to it.

I believe those extra bytes ('~' etc) are an artefact of the html files being encoded in a TFS filesystem, within the firmware executable. I've seen it before in the DS1054Z firmware.

Binwalk is a handy tool, but you often get false positives for LZMA because the header is so simple. You need to examine each one to check how plausible it is as LZMA stream data, and bear in mind that in the DS1054Z GEL files, they are using a non-standard LZMA implementation - what should be a 64-bit uncompressed size field is a pair of 32-bit values representing compressed/uncompressed sizes.

I had a quick scroll through a hexdump of the DP800 firmware, and I see some good long chunks of properly aligned ARM code. It looks correctly decoded to me.
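
The check smithnerd describes, sketched as an added Python example (not code from this thread or from Rigol): it reads a candidate 13-byte LZMA header both as a standard .lzma header and as the two-32-bit-sizes layout described above, then trial-decodes the stream before believing the signature hit. The field order (compressed size first), the size caps and the sample data are assumptions or constructed for the example.

```python
import lzma
import struct

MAX_PLAUSIBLE = 64 * 1024 * 1024   # assumed cap on dictionary/unpacked size (heuristic)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # standard .lzma marker for "size not stored"


def parse_header(buf, off):
    """Return the 13 header bytes at `off` as fields, or None if impossible."""
    if off + 13 > len(buf):
        return None
    props, dict_size = struct.unpack_from("<BI", buf, off)
    if props >= 9 * 5 * 5:          # the lc/lp/pb encoding tops out at 224
        return None
    # Heuristic: common encoders write power-of-two dictionary sizes.
    if dict_size < 4096 or dict_size > MAX_PLAUSIBLE or dict_size & (dict_size - 1):
        return None
    size64, = struct.unpack_from("<Q", buf, off + 5)
    comp32, uncomp32 = struct.unpack_from("<II", buf, off + 5)
    return {
        "filter": {"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                   "lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45},
        "size64": size64, "comp32": comp32, "uncomp32": uncomp32,
    }


def trial_decode(buf, start, comp_len, out_len, filt):
    """Decode the raw LZMA1 stream; return output only if it matches the header."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[filt])
    limit = MAX_PLAUSIBLE if out_len is None else out_len  # bound the output
    try:
        out = dec.decompress(buf[start:start + comp_len], max_length=limit)
    except lzma.LZMAError:
        return None
    if out_len is None:             # size unknown: require the end marker
        return out if dec.eof else None
    return out if len(out) == out_len else None


def classify(buf, off):
    """Return ('standard' | 'variant', data) for a plausible hit, else None."""
    hdr = parse_header(buf, off)
    if hdr is None:
        return None
    start = off + 13
    remaining = len(buf) - start
    # Standard reading: one 64-bit uncompressed size, or the "unknown" marker.
    if hdr["size64"] == UNKNOWN_SIZE or 0 < hdr["size64"] <= MAX_PLAUSIBLE:
        out_len = None if hdr["size64"] == UNKNOWN_SIZE else hdr["size64"]
        out = trial_decode(buf, start, remaining, out_len, hdr["filter"])
        if out is not None:
            return "standard", out
    # Variant reading (assumed order): 32-bit compressed, 32-bit uncompressed.
    if 0 < hdr["comp32"] <= remaining and 0 < hdr["uncomp32"] <= MAX_PLAUSIBLE:
        out = trial_decode(buf, start, hdr["comp32"], hdr["uncomp32"],
                           hdr["filter"])
        if out is not None:
            return "variant", out
    return None


def build_samples():
    """Constructed data: a standard .lzma blob, the same stream behind a
    variant header, and a signature-like false positive."""
    plain = b"<html>constructed sample page</html>\n" * 32
    alone = lzma.compress(plain, format=lzma.FORMAT_ALONE)
    stream = alone[13:]
    variant = alone[:5] + struct.pack("<II", len(stream), len(plain)) + stream
    noise = bytes.fromhex("5D 00 00 80 00 13 37 C0 DE AA 55 00 FF") + bytes(32)
    return plain, alone, variant, noise


if __name__ == "__main__":
    plain, alone, variant, noise = build_samples()
    for name, blob in (("alone", alone), ("variant", variant), ("noise", noise)):
        hit = classify(blob, 0)
        print(name, "->", hit[0] if hit else "rejected")
```

A hit that decodes without error is still only plausible, not proven: a range decoder will happily produce output from many garbage inputs, so look at the decoded bytes as well.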
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on January 28, 2017, 01:46:28 am
Then that means we're back to trying to figure out what type of checksum routine / signature they're using.   I thought I remember seeing the same bytes at the end of two different versions of the encrypted firmware that I thought might have been some sort of signature or checksum routine.   That was a long time ago though.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ollihd on March 30, 2017, 07:46:21 pm
Any updates on this?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 02, 2017, 10:08:30 pm
I've compared the current (00.01.14.00.01) GEL file that was de-scrambled as before, with an older version (00.01.09.00.01). Here is what they look like:

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78


The (00.01.09.00.01) version is not scrambled and misses the first 4 Bytes: B4 AE 9A 89. From there on, the structure aligns pretty good. Only a few bytes are different, either addresses or length information...

I looked through the bitmaps I could find in (00.01.14.00.03) and made a collection of them here.
Furthermore I could find a lot of 1 bit per pixel character sets with all sorts of special characters. Amongst them are also the 7-segment numbers in different sizes for the main display. Haven't indexed those, though.

Still looking at it and not getting an idea what the overall structure could be. Any more ideas? Any disassemblers?

I wonder what would happen if you removed the B4 AE 9A 89 in the 00.01.14.00.03 file and did a byte-swap somewheres.   Maybe those 4 bytes are some sort of flags....
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on January 19, 2018, 11:15:49 pm
Does anyone have the previous DP800 firmware versions available? I would like to give a try at decoding something...

1.11, 1.13, 1.14 here (all seem to use bootloader 1.09) https://mega.nz/#F!6dll0ZCS!KwD7sHGZLU3D7Kr8u03ifA (https://mega.nz/#F!6dll0ZCS!KwD7sHGZLU3D7Kr8u03ifA)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on January 19, 2018, 11:59:25 pm
Here is my quick parsing of the DP800 v00.01.14.00.03 GELs:

Code: [Select]
DP800(Software)Update(Normal)_00.01.14.00.03:
Offset     Checksum???                 Block Size    Type
00000004 - 00 40 81 40 | 00 00 52 00 | A0 3D 00 00 | FF FF 00 00 | 9F 00 00 00  (block header)
  00000018 - 9C 3D 00 00 (size of the block that follows)
  [0000001C - 00003DB7] ARM code (little-endian) Loading address = 0x00080000

00003DB8 - 00 40 AB 61 | 00 00 00 00 | A1 6D 33 00 | FF FF 00 00 | 9F 00 00 00  (block header)
  00003DCC - ("RIGOLL" string)
  [00003DDC - 0033AB6C] ARM code (little-endian) Loading address = 0x3FFFFFB4

0033AB6D - 00 90 00 00 | 14 02 00 00 | 3C 00 00 00 | 14 FF 00 00 | 9F 00 00 00  (block header)
  [0033AB81 - 0033ABBC] Looks like it contains a 20-byte hash (or something encrypted...)

------------------------------------------------------------------------------------------------

DP800(Software)Update(Bootloader)_01.09:
Offset     Checksum???                 Block Size    Type
00000000 - 00 C8 33 27 | 00 00 00 00 | 20 0E 04 00 | 31 00 00 00 | 9F 00 00 00  (block header)

         ***  Header  ***
00000014          Header SHA-1: 31D47AF0F62F94737E737D3D9F4184DBACC44DAD  [00000028-00000073]  HASH OK
00000028           Signature 1: STMP  MAGIC OK
0000002C        Format Version: 1.1
0000002E                 Flags: 0x0000
00000030            Image Size: 00040E20
00000034   1st Boot Tag Offset: 000000A4
00000038   1st Boot Section ID:
0000003C     # Encryption Keys: 1
0000003E  Key Dictionary Start: 00000084
00000040           Header Size: 00000060
00000042     # Section Headers: 1
00000044   Section Header Size: 16 bytes
00000046        Random Padding: 0xC0B2
00000048           Signature 2: sgtl  (Sigmatel?)
0000004C         Creation Time: 26-03-2014 15:19:10
00000054       Product Version: 999.999.999
00000060     Component Version: 999.999.999
0000006C             Drive Tag: 0x0000
0000006E        Random Padding: 0xEFD4BC0FAC83
         ***  Sections Table  ***
00000074   ID:      | Ofs: 000000B4 | Len: 00040D60 | Flg: 00000001 - ROM_SECTION_BOOTABLE
         ***  Key Dictionary  ***
00000084  OTP Key0 Hash: 9A78EED8ABA28234DA5C39E00B28942E  CBC-MAC_AES OK
         ***  Session Key (decrypted)  ***
00000094  Key: 7B686FA69EF90D53A53CDCDE074B6E44  (using OTP Key0)
         ***  Sections (decrypted)  ***
000000A4  TAG  | 0001 | Sect ID:      | Len: 00040D60 | Flg: 00000001 - ROM_SECTION_BOOTABLE
000000B4  LOAD | 0000 | Adr: 00000000 | Len: 00000040 | CRC: BAF6AF35  CRC OK
00000104  LOAD | 0000 | Adr: 00000400 | Len: 00004D14 | CRC: 8A1A8B63  CRC OK
00004E34  FILL | 0000 | Adr: 00018000 | Len: 00001960 | Ptn: 00000000
00004E44  LOAD | 0000 | Adr: 00008000 | Len: 00000020 | CRC: 1809D243  CRC OK
00004E74  CALL | 0001 | Adr: 00008000 | Len: 00000000 | Arg: 00000000
00004E84  LOAD | 0000 | Adr: 00000000 | Len: 00000040 | CRC: E853D834  CRC OK
00004ED4  LOAD | 0000 | Adr: 41000000 | Len: 0003BEB4 | CRC: FE3E32E7  CRC OK
00040DA4  FILL | 0000 | Adr: 41300000 | Len: 00001900 | Ptn: 00000000
00040DB4  FILL | 0000 | Adr: 41301900 | Len: 00002404 | Ptn: 00000000
00040DC4  FILL | 0000 | Adr: 41700000 | Len: 004C4B40 | Ptn: 00000000
00040DD4  LOAD | 0000 | Adr: 00008000 | Len: 00000020 | CRC: 7846C59D  CRC OK
00040E04  JUMP | 0001 | Adr: 00008000 | Len: 00000000 | Arg: 00000000
         ***  File SHA-1 Hash (decrypted)  ***
00040E14  File SHA-1: 8A2D9884D7A265264E43E719A1BE297DFB784EF9  [00000014-00040E13]  HASH OK

I think that the 1st 4 bytes of an encoded .GEL indicate the filetype/encoding (28 23 10 00) and shouldn't be decoded.

So I use only (C#):
Code: [Select]
            for (int i1 = 0x04, mask = 0x78; i1 < buffer.Length; i1++, mask++)
                buffer[i1] += (byte)(256 - mask);
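
The layout worked out in volkimel's and tv84's posts above, as an added Python example (not code from the thread): it descrambles everything after the first four bytes with the rolling mask starting at 0x78, then walks the 20-byte little-endian block headers by their size field. The field names, the helper names and the miniature sample image are assumptions or constructed for the example; the CRC field is only reported because the thread does not give its algorithm.

```python
import struct

MAGIC_LEN = 4        # leading bytes left untouched (28 23 10 00 per the post)
START_MASK = 0x78    # mask for the byte at offset 4, then +1 per byte mod 256
# Macbeth's script starts at 0x74 from byte 0, so it also descrambles the
# magic: 28 23 10 00 becomes the B4 AE 9A 89 seen in the dumps above.
HEADER = struct.Struct("<BBHIIII")  # 20-byte block header, little-endian


def descramble(data):
    """Subtract the rolling mask (mod 256) from every byte after the magic."""
    out = bytearray(data)
    for i in range(MAGIC_LEN, len(out)):
        out[i] = (out[i] - (START_MASK + i - MAGIC_LEN)) & 0xFF
    return bytes(out)


def scramble(data):
    """Inverse of descramble(): add the rolling mask back."""
    out = bytearray(data)
    for i in range(MAGIC_LEN, len(out)):
        out[i] = (out[i] + (START_MASK + i - MAGIC_LEN)) & 0xFF
    return bytes(out)


def parse_header(image, pos):
    """Decode one block header; 'next' is where the following header starts."""
    mask, flags, crc16, word1, size, word2, word3 = HEADER.unpack_from(image, pos)
    body = pos + HEADER.size
    return {"offset": pos, "mask": mask, "flags": flags, "crc16": crc16,
            "size": size, "body": body, "next": body + size}


def walk_blocks(image, start):
    """Follow size fields from `start` to EOF, refusing blocks that overrun."""
    blocks, pos = [], start
    while pos < len(image):
        if pos + HEADER.size > len(image):
            raise ValueError("truncated header at 0x%X" % pos)
        hdr = parse_header(image, pos)
        if hdr["next"] > len(image):
            raise ValueError("block at 0x%X runs past end of file" % pos)
        blocks.append(hdr)
        pos = hdr["next"]
    return blocks


def build_sample():
    """Constructed miniature image in the posted layout (not real firmware)."""
    code = b"\x18\xF0\x9F\xE5" * 8
    body1 = struct.pack("<I", len(code)) + code          # inner size word + code
    body2 = b"RIGOLL".ljust(16, b"\0") + code * 2        # 16-byte tag + code
    body3 = bytes(0x3C)                                  # the 0x3C-byte block
    image = bytes.fromhex("28231000")
    for flags, body in ((0x40, body1), (0x40, body2), (0x90, body3)):
        # CRC field is a placeholder 0: the algorithm is not given on the page.
        image += HEADER.pack(0x00, flags, 0x0000, 0, len(body), 0xFFFF, 0x9F)
        image += body
    return image


if __name__ == "__main__":
    scrambled = scramble(build_sample())
    for blk in walk_blocks(descramble(scrambled), MAGIC_LEN):
        print("header 0x%06X  flags %02X  body 0x%06X  size 0x%X"
              % (blk["offset"], blk["flags"], blk["body"], blk["size"]))
```

Fed the first 1.14 header bytes from the post at offset 4, `parse_header` puts the next header at 0x3DB8, matching the parse above.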
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on January 20, 2018, 09:05:46 pm
Parsing of versions:  (thank you to dav and ted572 for sending them)

00.01.03.00.02
00.01.05.00.00
00.01.06.00.00
00.01.08.00.02
00.01.09.00.01
00.01.10.00.03
00.01.11.00.00
00.01.13.00.01
00.01.14.00.03

Conclusions so far:
- 1st byte in the 1st block header is used to decode the file.
- 2nd byte is a flag byte with these meanings:
   X------- last block
   -X------ block has CRC
   ---X---- FRAM block (1 = saves to FRAM; 0 = saves to FLASH)
   ----X--- bootloader block
   -----X-- no block contents ?

- 2nd word in block headers is a CRC16 of the block.
- Special focus on the contents of the block with size=0x3C bytes (that is directly saved in the FRAM).
- if you look the final words in the 0x3C block, it seems to increment with each version. Maybe it's directly related to the firmware version/release date.

Code: [Select]
DP800(Software)Update(Normal)_00.01.03.00.02

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002EEF09 | 00000000 | 00000000
00000014  Block #1: [00000014-002EEF1C]

002EEF1D  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 00000000 | 00000000
002EEF31  Hash/Encrypt ??:  3FF75ED5D6F06206F304DBD9BAA1A75E7459FC21
002EEF45  UInt32    (???):  0004B180 0004B180 0004B180 0004B180 0004B180
002EEF59  UInt32    (???):  0004B180 0004B180 0004B180 0004B180 0004B189
002EEF31  Block #2: [002EEF31-002EEF6C]

002EEF6D  Header - Mask: 00 | Flags: 00 | 0000 | 00520000 | Size: 00002384 | 00000000 | 00000000
002EEF81  Block Size: 00002384
002EEF91  Block #3: [002EEF91-002F1304]

002F1305  Header - Mask: 00 | Flags: 94 | 0000 | 00000000 | Size: 00000010 | 0000FFFF | 00000000
002F1319  EOF - No Block contents!
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.05.00.00

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002F6391 | 0000FFFF | 00000000
00000014  Block #1: [00000014-002F63A4]

002F63A5  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
002F63B9  Hash/Encrypt ??:  D5B2A1A71C6EBB7944B17F03AB122FF162031E59
002F63CD  UInt32    (???):  0004BD28 0004BD28 0004BD28 0004BD28 0004BD28
002F63E1  UInt32    (???):  0004BD28 0004BD28 0004BD28 0004BD28 0004BD29
002F63B9  Block #2: [002F63B9-002F63F4]

002F63F5  Header - Mask: 00 | Flags: 00 | 0000 | 00520000 | Size: 000024E4 | 0000FFFF | 00000000
002F6409  Block Size: 000024E4
002F6419  Block #3: [002F6419-002F88EC]

002F88ED  Header - Mask: 00 | Flags: 94 | 0000 | 00000000 | Size: 00000010 | 0000FFFF | 00000000
002F8901  EOF - No Block contents!
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.06.00.00

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002F7661 | 0000FFFF | 00000000
00000014  Block #1: [00000014-002F7674]

002F7675  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
002F7689  Hash/Encrypt ??:  42A86549B434F4D06827669679D7F06A6CBC505B
002F769D  UInt32    (???):  0004BF09 0004BF09 0004BF09 0004BF09 0004BF09
002F76B1  UInt32    (???):  0004BF09 0004BF09 0004BF09 0004BF09 0004BF10
002F7689  Block #2: [002F7689-002F76C4]

002F76C5  Header - Mask: 00 | Flags: 80 | 0000 | 00520000 | Size: 00002698 | 0000FFFF | 00000000
002F76D9  Block Size: 00002698
002F76E9  Block #3: [002F76E9-002F9D70]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.08.00.02

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 00308A9D | 0000FFFF | 00000000
00000014  Block #1: [00000014-00308AB0]

00308AB1  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
00308AC5  Hash/Encrypt ??:  CB1F0C46AC83A6E18455705ED7EFD0C07C83E23E
00308AD9  UInt32    (???):  0004DAA9 0004DAA9 0004DAA9 0004DAA9 0004DAA9
00308AED  UInt32    (???):  0004DAA9 0004DAA9 0004DAA9 0004DAA9 0004DAAC
00308AC5  Block #2: [00308AC5-00308B00]

00308B01  Header - Mask: 00 | Flags: 80 | 0000 | 00520000 | Size: 00003520 | 0000FFFF | 00000000
00308B15  Block Size: 00003520
00308B25  Block #3: [00308B25-0030C034]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.09.00.01

00000000  Header - Mask: 00 | Flags: 40 | 08CE | 00520000 | Size: 00003520 | 0000FFFF | 0000009F
00000014  Block Size: 00003520
00000024  Block #1: [00000024-00003533]

00003534  Header - Mask: 00 | Flags: 40 | 301D | 00000000 | Size: 0031FE6D | 0000FFFF | 0000009F
00003548  String1: RIGOLL
00003558  Block #2: [00003558-003233B4]

003233B5  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
003233C9  Hash/Encrypt ??:  464E7D130B7366357007E49384BCF81BE9F53C2F
003233DD  UInt32    (???):  0004FFD7 0004FFD7 0004FFD7 0004FFD7 0004FFD7
003233F1  UInt32    (???):  0004FFD7 0004FFD7 0004FFD7 0004FFD7 0004FFDE
003233C9  Block #3: [003233C9-00323404]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.10.00.03

00000004  Header - Mask: 00 | Flags: 40 | E89F | 00520000 | Size: 00003694 | 0000FFFF | 0000009F
00000018  Block Size: 00003690
0000001C  Block #1: [0000001C-000036AB]

000036AC  Header - Mask: 00 | Flags: 40 | 5732 | 00000000 | Size: 0031DA25 | 0000FFFF | 0000009F
000036C0  String1: RIGOLL
000036D0  Block #2: [000036D0-003210E4]

003210E5  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
003210F9  Hash/Encrypt ??:  FC3999DF41FAC462946CE1BDC6E069E74D523C9C
0032110D  UInt32    (???):  0004FC36 0004FC36 0004FC36 0004FC36 0004FC36
00321121  UInt32    (???):  0004FC36 0004FC36 0004FC36 0004FC36 0004FC3F
003210F9  Block #3: [003210F9-00321134]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.11.00.00

00000004  Header - Mask: 00 | Flags: 40 | E89F | 00520000 | Size: 00003694 | 0000FFFF | 0000009F
00000018  Block Size: 00003690
0000001C  Block #1: [0000001C-000036AB]

000036AC  Header - Mask: 00 | Flags: 40 | DC62 | 00000000 | Size: 00322285 | 0000FFFF | 0000009F
000036C0  String1: RIGOLL
000036D0  Block #2: [000036D0-00325944]

00325945  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
00325959  Hash/Encrypt ??:  A92B0C1660C0424D48D19499AE7BF4C70F647AA4
0032596D  UInt32    (???):  00050373 00050373 00050373 00050373 00050373
00325981  UInt32    (???):  00050373 00050373 00050373 00050373 0005037A
00325959  Block #3: [00325959-00325994]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.13.00.01

00000004  Header - Mask: 00 | Flags: 40 | A1A0 | 00520000 | Size: 00003D58 | 0000FFFF | 0000009F
00000018  Block Size: 00003D54
0000001C  Block #1: [0000001C-00003D6F]

00003D70  Header - Mask: 00 | Flags: 40 | 2D14 | 00000000 | Size: 00335605 | 0000FFFF | 0000009F
00003D84  String1: RIGOLL
00003D94  Block #2: [00003D94-00339388]

00339389  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
0033939D  Hash/Encrypt ??:  8A968039CF72794BA2BB2762B0708CBD822456D1
003393B1  UInt32    (???):  00052233 00052233 00052233 00052233 00052233
003393C5  UInt32    (???):  00052233 00052233 00052233 00052233 0005223A
0033939D  Block #3: [0033939D-003393D8]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.14.00.03

00000004  Header - Mask: 00 | Flags: 40 | 4081 | 00520000 | Size: 00003DA0 | 0000FFFF | 0000009F
00000018  Block Size: 00003D9C
0000001C  Block #1: [0000001C-00003DB7]

00003DB8  Header - Mask: 00 | Flags: 40 | 61AB | 00000000 | Size: 00336DA1 | 0000FFFF | 0000009F
00003DCC  String1: RIGOLL
00003DDC  Block #2: [00003DDC-0033AB6C]

0033AB6D  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
0033AB81  Hash/Encrypt ??:  68FC5AAA5F2AA7CFCFBC40371C20812A668FD4A9
0033AB95  UInt32    (???):  00052490 00052490 00052490 00052490 00052490
0033ABA9  UInt32    (???):  00052490 00052490 00052490 00052490 00052491
0033AB81  Block #3: [0033AB81-0033ABBC]
*****************************************************************************************
DP800(Software)Update(Bootloader)_01.06

00000000  Header - Mask: 00 | Flags: C8 | 8E34 | 00000000 | Size: 00040C70 | 000000B3 | 0000009F
00000014  Block #1: [00000014-00040C83]
*****************************************************************************************
DP800(Software)Update(Bootloader)_01.09

00000000  Header - Mask: 00 | Flags: C8 | 2733 | 00000000 | Size: 00040E20 | 00000031 | 0000009F
00000014  Block #1: [00000014-00040E33]


If anyone has the FW versions that are not listed here please repost or send me a pm:
00.01.01.02.04
00.01.02.00.03
00.01.04.00.02

Edit: 2/1/2020 Fill some "flag" explanations
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on February 13, 2018, 01:23:20 am
Parsing of versions:  (thank you to dav and ted572 for sending them)

00.01.03.00.02
00.01.05.00.00
00.01.06.00.00
00.01.08.00.02
00.01.09.00.01
00.01.10.00.03
00.01.11.00.00
00.01.13.00.01
00.01.14.00.03

Conclusions so far:
- 1st byte in the 1st block header is used to decode the file.
- 2nd byte is a flag byte with these meanings:
   X------- last block
   -X------ normal block ?
   ---X---- special block 0x3C
   ----X--- bootloader block
   -----X-- no block contents ?

- 2nd word in block headers seems to be a CRC/checksum.
- Special focus on the contents of the block with size=0x3C bytes.
- If you look at the final words in the 0x3C block, they seem to increment with each version. Maybe it's directly related to the firmware version/release date.

If anyone has the FW versions that are not listed here please repost or send me a pm:
00.01.01.02.04
00.01.02.00.03
00.01.04.00.02

Wow, you've made some real progress here!   Can you please share the source code you're using to parse the files?   The one that shows stuff like:

Code: [Select]
DP800(Software)Update(Bootloader)_01.06

00000000  Header - Mask: 00 | Flags: C8 | 8E34 | 00000000 | Size: 00040C70 | 000000B3 | 0000009F
00000014  Block #1: [00000014-00040C83]

Unfortunately, I think C# is mainly for Windows, although I guess there's a Mono C# compiler.   But if you're okay with sharing the code, maybe I could convert it to normal C real quick like and repost for Linux users?

I had made a collection of the various firmwares that I found for the unit.   I will check on my Linux box and see if the ones you requested are there or not.

I had given up on this project because we had a daughter and that kind of changed priorities a lot.   I am very impressed with the work that the community has done, including your work.   You guys are amazing and discovered stuff I would never have discovered.

That's what I love about forums.   It's a place for society to come together and work on stuff together.   I might not think of something, but you may.   Or vice-versa.   And together, we might be able to solve some pretty interesting problems.

Now I don't know a lot about cryptology, but for the bootloader code....the SHA-1 for the header, that's just a SHA-1 checksum of the contents, right?   It's not anything to deal with signing, is it?    Because my understanding is that brute-forcing an SHA-1 private key is not going to happen anytime soon, and I'm really hoping they're not signed with a private key.

But I did notice, as I mentioned on previous pages somewheres, that the last x amount of bytes in the firmware files match, and I thought perhaps that was some sort of signature, but I probably was wrong.
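
The block layout worked out in the conclusions and dumps above (a 0x14-byte header, the flag bits, and the 0x3C block holding a 20-byte field plus ten UInt32 values), as an added Python example; it is not tv84's C# parser or anyone's code from this thread. It assumes an already descrambled image, little-endian fields, and made-up names `unk1`..`unk3` for the fields the dumps leave unnamed; the sample image is constructed so that the 20-byte field is a plain SHA-1 of the first block, which on real files is still the open question.

```python
import hashlib
import struct
from dataclasses import dataclass

HEADER = struct.Struct("<BBHIIII")  # ASSUMPTION: little-endian; 0x14 bytes in total
SPECIAL_LEN = 0x3C                  # 20-byte hash-like field + ten UInt32 values

# Flag bits from the conclusions list; entries marked "?" are guesses there as well.
FLAG_BITS = {
    0x80: "last block",
    0x40: "normal block?",
    0x10: "special block 0x3C",
    0x08: "bootloader block",
    0x04: "no block contents?",
}


@dataclass
class Block:
    offset: int      # file offset of this block's header
    mask: int        # 1st byte
    flags: int       # 2nd byte
    checksum: int    # "2nd word", suspected CRC/checksum
    unk1: int        # hypothetical name (0x00000214 / 0x00520000 in the dumps)
    size: int
    unk2: int        # hypothetical name
    unk3: int        # hypothetical name
    payload: bytes

    def flag_names(self):
        return [name for bit, name in FLAG_BITS.items() if self.flags & bit]


def walk_blocks(image, start=0):
    """Follow header -> payload -> next header until the 'last block' flag.

    start=0 matches the older dumps; the 00.01.10 and later dumps begin at 4.
    """
    blocks, pos = [], start
    while True:
        if pos + HEADER.size > len(image):
            raise ValueError(f"truncated header at {pos:#x}")
        mask, flags, csum, unk1, size, unk2, unk3 = HEADER.unpack_from(image, pos)
        body = pos + HEADER.size
        # A header flagged "no block contents" carries a size but no payload.
        end = body if flags & 0x04 else body + size
        if end > len(image):
            raise ValueError(f"block at {pos:#x} claims {size:#x} bytes past end of file")
        blocks.append(Block(pos, mask, flags, csum, unk1, size, unk2, unk3,
                            image[body:end]))
        if flags & 0x80 or end == len(image):
            return blocks
        pos = end


def parse_special(payload):
    """Split the 0x3C block into its 20-byte field and ten UInt32 values."""
    if len(payload) != SPECIAL_LEN:
        raise ValueError(f"expected {SPECIAL_LEN:#x} bytes, got {len(payload):#x}")
    return payload[:20], struct.unpack_from("<10I", payload, 20)


def sha1_matches(field, candidate):
    """Hypothesis test: is the 20-byte field an unkeyed SHA-1 of `candidate`?"""
    return hashlib.sha1(candidate).digest() == field


def build_sample():
    """Constructed image shaped like the 00.01.03.00.02 dump (sizes shrunk)."""
    body = bytes(range(64))                    # stand-in for the firmware block
    words = [0x1000] * 9 + [0x1009]            # nine equal values, last one differs
    special = hashlib.sha1(body).digest() + struct.pack("<10I", *words)
    image = HEADER.pack(0x00, 0x00, 0, 0, len(body), 0, 0) + body
    image += HEADER.pack(0x00, 0x10, 0, 0x214, len(special), 0, 0) + special
    image += HEADER.pack(0x00, 0x94, 0, 0, 0x10, 0xFFFF, 0)   # EOF header, no payload
    return image, body


if __name__ == "__main__":
    image, _ = build_sample()
    blocks = walk_blocks(image)
    for n, b in enumerate(blocks, 1):
        print(f"{b.offset:08X}  Block #{n}: flags={b.flags:02X} {b.flag_names()} "
              f"size={b.size:08X}")
    field, words = parse_special(blocks[1].payload)
    print("20-byte field:", field.hex().upper())
    print("UInt32 values:", " ".join(f"{w:08X}" for w in words))
    print("plain SHA-1 of block #1?", sha1_matches(field, blocks[0].payload))
```

On a real descrambled file, a `False` from `sha1_matches` for every block only rules out an unkeyed SHA-1 over that exact byte range; it does not say what the field is.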
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 01, 2018, 04:42:12 am
Who needed the memory dump again and could they please provide me with the directions?   I got so caught up with my life (daughter, wife, trying to start a new legal business, earning money to pay for all the software / hardware we need to stay legal, etc) that I totally forgot all about it!

But I do have a Rigol DP832 that I'll be more than happy to provide the memory dump, if they just provide the directions on how to do so.

Thanks!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 04, 2019, 09:56:12 pm
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: toxuin on April 04, 2019, 09:58:19 pm
Whoa, that's a breakthrough!

I would appreciate a write-up on how you came up with this, if that's not too much work. This sounds awesome!

PS. Is this trick reversible?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 04, 2019, 10:07:59 pm
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

tossu,  :clap: :clap: :clap:

I don't know what you did but that sounds interesting!!!

Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 04, 2019, 10:24:03 pm
I'd be happy to do a write-up! I expected hardly anyone to be interested in this hack anymore. Just give me some time.

I just tested that the hack can be reversed by setting the model back to DP832.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 04, 2019, 10:27:33 pm
How about DP831 ?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 04, 2019, 10:47:05 pm
How about DP831 ?

I'd try setting the model to DP831A. I don't have a DP831 to test with, but DP831A is a recognized string constant. I don't see why it shouldn't work.

Edit: Pictures of my hacked DP832
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 04, 2019, 10:58:28 pm
How about DP831 ?

I'd try setting the model to DP831A. I don't have a DP831 to test with, but DP831A is a recognized string constant. I don't see why it shouldn't work.
Thanks!
I'll give it a go and report back..
Title: Re: Need help hacking DP832 for multicolour option.
Post by: PTR_1275 on April 04, 2019, 11:18:04 pm
So changing it to the coloured display doesn’t give you that horrible triangular split display?? (The one with the circle in the middle and the settings top left, top right and bottom middle) Personally that screen layout is the reason I avoided the 832a...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 04, 2019, 11:21:53 pm
So changing it to the coloured display doesn’t give you that horrible triangular split display?? (The one with the circle in the middle and the settings top left, top right and bottom middle) Personally that screen layout is the reason I avoided the 832a...

It does, but DP832A has a DP832-like colorful display mode as an alternative.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on April 04, 2019, 11:52:15 pm
Fantastic hacking work!

Even though I prefer the plain '7 segment font' DP832 display over the DP832A anyway, I wonder if the random reboots that DP832 owners suffer from for absolutely no rhyme or reason will vanish when software converting to a DP832A, like there was some sick fuck that deliberately sabotaged these PSU's by software methods only? Much like the scum involved in HP inkjet printers and cartridges malarky?  :wtf:
Title: Re: Need help hacking DP832 for multicolour option.
Post by: CustomEngineerer on April 05, 2019, 03:22:22 am
Worked for me, thanks!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: jasonbrent on April 05, 2019, 05:14:15 am
Well, this just moved the 832 back up on my list of potential adds. Good work!

-j
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on April 05, 2019, 06:36:25 am
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

Very nice finding, thank you!  :-+

In the beginning, the difference between DP832 and DP832A used to be that the "A" variant came with all the features unlocked from the factory, and a new weird and multicolour display scheme.

With the latest firmware, are the differences between DP832 and DP832A still the same?  Was there any new functionality added in the meantime to the DP832A only?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on April 05, 2019, 09:17:58 am
 :-+ DP811 -> DP811A works a treat!

I like the "proper" fonts so much more than the simulated 7-Segment digits that even are shown dimmed when "off" (what a stupid idea).
Kudos to you @tossu and thank you very much for sharing!

Cheers,
Thomas
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on April 05, 2019, 09:27:44 am
Thank you Tossu!

@all: do I really still need Ultrasigma to send SCPI commands or is there a smaller tool around? I remember Ultrasigma being huge and if possible I would like to avoid installing it just for this hack. Though if there is no way around, I would do a backup->install->hack->restore to get rid of it quickly. Thanks.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on April 05, 2019, 09:39:22 am
Under Windows, you can just telnet to the Power Supply (provided you're using an ethernet connection):

Figure out its IP address

Start a console (cmd)

telnet [IP_Address] 5555

Now just enter (or copy&paste) the SCPI command -- voila.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on April 05, 2019, 09:43:48 am
Thanks. I will try it right away!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on April 05, 2019, 10:17:11 am
Mmmmh - not working.  Should I get a feedback from the DP832? I am able to open telnet. Any entered character is shown as a space on the screen; after entering the string manually (or copy/paste) nothing happens (I am pressing ENTER after entering the string). There is no visible feedback from the power supply. Is this correct?
Rebooting then changes nothing - shows still DP832 in system info screen.
I tried an old 1GB USB stick and formatted with 16Kbyte blocks. I will now try another USB stick (4 GByte and 64KByte blocks) and as I do not have the latest firmware installed, I will try this too.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on April 05, 2019, 10:40:59 am
I also didn't get a response from the power supply via telnet when I did so. It may be worth trying another command that will return a value, like for example:

:SYSTem:VERSion?

This should return "1999.0" (SCPI version on the device). If this works and you're sending the correct command, you should really check the USB drive you're using. I was successful with a quite old 8GB thumb drive labeled "Verbatim" that I also use for firmware updates. But I followed @tossu's instructions to format it and then only copy the provided file on it. Worked for both my DP832 and DP811.

Good luck,
Thomas
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on April 05, 2019, 10:55:31 am
Thanks Tom,
I was running firmware 1.04 :wtf:. Yeah pretty old but as everything was working fine, there was no need. As a firmware update to 1.11 did solve the problem above, anybody should check his/her version first and then do an update if needed. I will now update to 1.14 (1.11 was, according to Rigol, a needed step in between).
Title: Re: Need help hacking DP832 for multicolour option.
Post by: rfspezi on April 05, 2019, 11:34:01 am
Are you using the Ultra Sigma Software from Rigol to send the SCPI command?
I tried to download that software several times from the Rigol homepage, however it takes ages and finally is corrupt.  :-\
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on April 05, 2019, 11:56:29 am
No I used telnet as Tom mentioned above.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: rfspezi on April 05, 2019, 12:10:56 pm
No I used telnet as Tom mentioned above.

Thank you!
Hack works :)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: jancumps on April 05, 2019, 12:11:40 pm
You need to run Ultra Sigma to load the drivers. I haven’t tried pure TCP/IP to send SCPI, I can give that a try ...

Ah, already confirmed.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: rfspezi on April 05, 2019, 12:26:19 pm
PS. Is this trick reversible?

Good question :)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on April 05, 2019, 12:32:40 pm
PS. Is this trick reversible?

Good question :)

@tossu already confirmed that: https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2320566/#msg2320566
Title: Re: Need help hacking DP832 for multicolour option.
Post by: rfspezi on April 05, 2019, 12:36:41 pm
PS. Is this trick reversible?

Good question :)

@tossu already confirmed that: https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2320566/#msg2320566

Thanks!
Can confirm it's working.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: _Wim_ on April 05, 2019, 12:37:16 pm
I would appreciate a write-up on how you came up with this, if that's not too much work.

@Tossu, first of all great work!  :-+

I also would appreciate some write-up on how you came to this, because this method is maybe applicable to other Rigol gear as well. I tried to use this on my DG1032Z (upgrade to DG1062Z) but after I send the SCPI-command the communication locked up (does not respond to *IDN? any longer) and had to reboot.

On my DP832 it worked flawlessly.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 05, 2019, 12:39:51 pm
Copied file to FAT formatted empty USB stick, telnet to 5555 port and pasted:

:PROJ:SET MODEL,DP831A

Enter and reboot. Worked perfectly.
Thanks!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: CustomEngineerer on April 05, 2019, 12:45:18 pm
I also didn't get a response from the power supply via telnet when I did so. It may be worth trying another command that will return a value, like for example:

:SYSTem:VERSion?

This should return "1999.0" (SCPI version on the device). If this works and you're sending the correct command, you should really check the USB drive you're using. I was successful with a quite old 8GB thumb drive labeled "Verbatim" that I also use for firmware updates. But I followed @tossu's instructions to format it and then only copy the provided file on it. Worked for both my DP832 and DP811.

Good luck,
Thomas

I also had issues with the first USB drive I tried. Formatted and copied the file onto it, stuck in back of DP832, connected with telnet, but when I would send the SCPI command, the screen on the DP832 would show something like "Incorrect command". I switched to an older 512MB verbatim USB drive, formatted, and this time when I sent the SCPI command I'm pretty sure the DP832 didn't show any indication it had worked (no message on the screen or beep), until I rebooted it. Once it was rebooted though I was able to change the display mode to the DP832A ones.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: PA0PBZ on April 05, 2019, 06:12:58 pm
Thanks @tossu, that was brilliant!  :-+
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 05, 2019, 08:28:47 pm
A DP800 should reply OK if the :PROJ:SET MODEL,DP832A command was successful. It does that, if the command is sent from the USB interface. If it is sent from the LAN interface, it won't reply anything or accept new commands until the connection is closed.

:PROJ:SET is probably not meant to be used from LAN, and it might be crashing the server process.

I tried to use this on my DG1032Z (upgrade to DG1062Z) but after I send the SCPI-command the communication locked up (does not respond to *IDN? any longer) and had to reboot.

On my DP832 it worked flawlessly.

It might be working on DP800 by coincidence. Did you try to use the USB interface?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on April 05, 2019, 10:56:29 pm
WOW, way nicer display, easier to read (DP832A/Classic).  :-+
https://www.albinoblacksheep.com/flash/thankyou

Tried the upgrade with a 4GB AData USB.  Worked flawlessly.

The upgrade from DP832 to DP832A is reversible, can be set as you like at any time as long as the USB drive is plugged in.  Did it by LAN.  No OK response to the change model SCPI command, but it worked. 

DP832
(https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/?action=dlattach;attach=697248;image)

DP832A
(https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/?action=dlattach;attach=697254;image)

To be honest, I didn't expect the color display to make such a big difference, yet it does.  And the digits are not 7 segments any more, much easier to read now.  Very nice surprise.
 :D

After changing the model and powering it off/on again, pressed the 'Display' button then clicked the 'Disp Mode' button until 'Disp Mode: Classic' is selected, then pressed the 'Display' button again, and that's it.

DP832A
(https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/?action=dlattach;attach=697260;image)

DP832A
(https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/?action=dlattach;attach=697266;image)

Now, to upgrade to the latest firmware, too, what is the latest available for DP800, and how do I interrogate for the installed firmware version, please?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: maginnovision on April 05, 2019, 11:51:04 pm
Now you all need to change the channel on LEDs to match the screens.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on April 06, 2019, 01:08:45 am
No need to change the LEDs.  A simple highlight with marker will be enough.

It happened to me in the past to power up other channel than the intended one, so coloring the buttons and the banana plugs might not be a bad idea.

About the firmware update, the latest versions are:
- bootloader 01.09
- software 00.01.14.00.03
downloaded today from https://www.rigolna.com/products/dc-power-loads/dp800/

When asked for credentials, enter whatever.

To see the installed firmware details press 'Utility' -> 'Sys Info' -> 'M1' -> 'M3' -> 'M2'
Where M1...M5 are the buttons under the screen.

(https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/?action=dlattach;attach=697362;image)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: PeDre on April 06, 2019, 05:51:43 am
There is a newer firmware v00.01.16.00.02:
http://www.rigol.com/Support/SoftDownload/3
http://www.rigol.com/File/ModelSoftWare/20190328/DP800(ARM)update.rar

Peter
Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 06, 2019, 08:43:33 am
There is a newer firmware v00.01.16.00.02:
http://www.rigol.com/Support/SoftDownload/3
http://www.rigol.com/File/ModelSoftWare/20190328/DP800(ARM)update.rar

Peter

Does anybody know what's been changed in the latest firmware version? And can anybody verify that it works with the hack tossu released?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on April 06, 2019, 08:59:11 am
On both of my PSUs (DP832 and DP811), F/W 01.16.00.02 was installed prior to applying @tossu's patch via LAN. Worked without any problem.

Obviously, installing the new firmware after applying the patch will have to work because it's supposed to work on "official" DP800A devices as well. And it pretty much seems the patch turns a non-A instrument into an "A"-version without any (technical) difference to an official one (...maybe someone may start a business by offering the "Hello Kitty" bezels (https://www.eevblog.com/forum/testgear/new-rigol-dc-psu_s/msg179369/#msg179369) for upgrade...)  :-DD
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on April 06, 2019, 10:17:37 am
I just upgraded the firmware to DP800 00.01.16.00.02 2019-03-28 (for a DP832 transformed yesterday into DP832A using tossu hack - thanks again, great finding).

The new firmware seems to be working fine, except the DNS address in the LAN settings (mine are set to manual LAN settings).  After a power off/on cycle, the DNS will always point to 88.218.37.64  :-//

Code: [Select]
!!!!! For Firmware DP800 00.01.16.00.02 2019-03-28 the DNS address seems hardcoded to 88.218.37.64 !!!!!
========================================================================================================
IP address 88.218.37.64 location
Country:Spain
Region:Madrid
City:Madrid
Longitude:-3.7026
Latitude:40.4165
Time Zone:Europe/Madrid
Postal Code:28050


IP Whois Information For 88.218.37.64
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '88.218.36.0 - 88.218.39.255'

% Abuse contact for '88.218.36.0 - 88.218.39.255' is '@airbnb.com'

inetnum: 88.218.36.0 - 88.218.39.255
netname: IE-AIRBNB-20181214
country: IE
org: ORG-AU44-RIPE
admin-c: ARA114-RIPE
tech-c: MA19860-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: ie-airbnb-1-mnt
created: 2018-12-14T12:50:04Z
last-modified: 2018-12-14T12:50:04Z
source: RIPE

organisation: ORG-AU44-RIPE
org-name: AIRBNB IRELAND ULC
org-type: LIR
address: The Watermarque Building South Lotts Road, Ringsend
address: 4
address: Dublin
address: IRELAND
admin-c: ARA114-RIPE
tech-c: MA19860-RIPE
abuse-c: AR38143-RIPE
mnt-ref: ie-airbnb-1-mnt
mnt-by: RIPE-NCC-HM-MNT
mnt-by: ie-airbnb-1-mnt
created: 2016-10-31T08:25:02Z
last-modified: 2017-05-08T12:17:29Z
source: RIPE # Filtered
phone: +14157280000

person: Eoin Hession
address: The Watermarque Building South Lotts Road, Ringsend
address: 4
address: Dublin
address: IRELAND
phone: +14157280000
nic-hdl: ARA114-RIPE
mnt-by: ie-airbnb-1-mnt
created: 2016-10-31T08:25:01Z
last-modified: 2016-11-22T21:48:25Z
source: RIPE

person: Eric Lee
address: 888 Brannan Street, San Francisco, CA 94114
phone: +14087506453
nic-hdl: MA19860-RIPE
mnt-by: ie-airbnb-1-mnt
created: 2016-11-22T21:54:00Z
last-modified: 2018-12-14T09:08:49Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.93.2 (BLAARKOP)

Anybody else having problems setting the DNS address in the DP800 LAN settings, please?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tautech on April 06, 2019, 10:21:19 am
Oh dear, seems you're also in Spain, Ireland and San Fran.   :clap:
Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 06, 2019, 10:47:56 am
Oh dear, seems you're also in Spain, Ireland and San Fran.   :clap:

I've never heard of this before. Care to explain?  :)

I successfully hacked my DP832 and turned it into a DP832A. I didn't bother updating the firmware, so I'm still at 01.14. However, one quirk I found was that the USB stick has to be connected after the PSU has booted. It's not visible if the USB stick is plugged in when the PSU is turned off.

The PSU never gave me a response on the screen, even though the hack was applied. However, when I returned to the main screen (without rebooting) I noticed the negative value of CH3. Somehow a minus sign has snuck in there. When I rebooted I was greeted with a colorful DP832A screen. The minus sign was gone.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tautech on April 06, 2019, 10:57:38 am
Oh dear, seems you're also in Spain, Ireland and San Fran.   :clap:

I've never heard of this before. Care to explain?  :)
Study the code in RoGeorge's post.  ;)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on April 06, 2019, 12:54:03 pm
Oh dear, seems you're also in Spain, Ireland and San Fran.   :clap:

I've never heard of this before. Care to explain?  :)
Study the code in RoGeorge's post.  ;)

That's no code, it's the result of a 'whois 88.218.37.64' search.  Each routable IPv4 is stored in IANA (Internet Assigned Numbers Authority) database, together with some public information about the owner of the routable IP.

For whatever reason, my DP800 disregards my manual setting for the DNS address, and instead it always shows the 88.218.37.64 as a DNS, which seems to be some computer from Madrid.  The company that has that computer with the IP 88.218.37.64 is 'Airbnb Ireland' from Dublin, and so on.

A DNS is used when a computer (in this case my DP832) wants to contact some other internet address by name.  Changing the DNS or enforcing a DNS other than the desired one can be the sign of a security breach.  I hope this is just a bug, and not a security threat.

Anybody with the latest FW and manual IP care to check the DP832 settings please? (to check press 'Utility' -> 'IO Config' -> 'LAN')
Do you have the DNS set to 88.218.37.64 after a power cycle, like this?

(https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/?action=dlattach;attach=697698;image)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 06, 2019, 02:50:31 pm
Anybody with the latest FW and manual IP care to check the DP832 settings please? (to check press 'Utility' -> 'IO Config' -> 'LAN')
Do you have the DNS set to 88.218.37.64 after a power cycle, like this?

I upgraded my DP832 to 1.16, and it is doing the same thing. The DNS is set to 88.218.37.64 when a "LAN connected" notification is shown. However, the value I've set is restored if I go back to the DNS settings. I noticed FW 1.14 changes the DNS as well, but it sets it to 0.0.0.0.

I took a quick look at a DG1032Z firmware I found somewhere. I think it's version 1.06. It has a very similar check for the same magic value at sector 0x78EC.

Could someone eager to hack (or brick) their DG1032Z send these commands to it, preferably via USB, and post the results here? The keyfile.bin I made for DP832 should work.
Code: [Select]
:PROJ:STAT MCALTIMES,QUERY
*IDN?
:PROJ:STAT MODEL,DG1062Z
*IDN?

The first command is just a sanity check. It should print CH1 = <some number>, CH2 = <some number>.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on April 06, 2019, 03:40:14 pm
No DG1032Z here.

Tried it on a DG4102 instead, over LAN, and ':PROJ:STAT MCALTIMES,QUERY' doesn't seem to be recognized.  There is no reply over LAN, and the generator's screen shortly displays the message "Error generated by remote interface command!", which is the same message as the one displayed for any unrecognized SCPI command.  After that, *IDN? is working just fine.

Also tried ':PROJ:STAT MODEL,DG4162' with the same result.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on April 06, 2019, 04:24:01 pm
Tried it on DG4102 again, this time over USB, and the results are the same:  no SCPI response, only an error message displayed on the DG4102 screen as it would be an unrecognized command, "Error generated by remote interface command!".

Code: [Select]
~$ echo "*IDN?" > /dev/usbtmc1; cat /dev/usbtmc1
Rigol Technologies,DG4102,DG4E17xxxxxx3,00.01.12
cat: /dev/usbtmc1: Connection timed out
~$ echo ":PROJ:STAT MCALTIMES,QUERY" > /dev/usbtmc1; cat /dev/usbtmc1
cat: /dev/usbtmc1: Connection timed out
~$ echo "*IDN?" > /dev/usbtmc1; cat /dev/usbtmc1
Rigol Technologies,DG4102,DG4E17xxxxxx3,00.01.12
cat: /dev/usbtmc1: Connection timed out
~$ echo ":PROJ:STAT MODEL,DG4162" > /dev/usbtmc1; cat /dev/usbtmc1
cat: /dev/usbtmc1: Connection timed out
~$ echo "*IDN?" > /dev/usbtmc1; cat /dev/usbtmc1
Rigol Technologies,DG4102,DG4E17xxxxxx3,00.01.12
cat: /dev/usbtmc1: Connection timed out

~$ #power cycled the DG4102 here

~$ echo "*IDN?" > /dev/usbtmc1; cat /dev/usbtmc1
Rigol Technologies,DG4102,DG4E17xxxxxx3,00.01.12
cat: /dev/usbtmc1: Connection timed out
~$

USB drive formatted FAT32, then copied only the 'keyfile.bin', plugged in the DG4102 at all times.  When it was plugged in the first time, the USB drive was recognized just fine by the generator.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 06, 2019, 05:57:42 pm
Tried it on DG4102 again, this time over USB, and the results are the same:  no SCPI response, only an error message displayed on the DG4102 screen as it would be an unrecognized command, "Error generated by remote interface command!".

That is to be expected if hidden commands are not enabled by whatever switch DG4102 is using.

I'm afraid my hack can't easily be modified for the DG4000 series. Doesn't it have a Blackfin CPU like most of the older Rigol products? If it does, it has to use a different RTOS also. I'm using Ghidra which can't disassemble Blackfin code, and reverse engineering parts of the OS would take significant amount of time anyway. Although, if they are using the same kind of manufacturing process for the DG4000 series, it would probably be enough to get the magic value and sector from the application code.

I was able to decode the command table of DG4000 firmware. It has a :PROJ:STAT command and some promising strings like MODEL and SN.

Title: Re: Need help hacking DP832 for multicolour option.
Post by: rfspezi on April 06, 2019, 07:03:33 pm
In my opinion, the colours are not very well chosen concerning the combination of RGB pixel appearance to the human eye.
They appear too uneven in brightness when deactivated.

The combination I'd love to see is the font of the DP832A mode but other colours - even monochrome as in the DP832 mode would be ok.
Maybe the RGB values can be found and replaced in the binary.  ^-^
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 06, 2019, 07:48:36 pm
The combination I'd love to see is the font of the DP832A mode but other colours - even monochrome as in the DP832 mode would be ok.
Maybe the RGB values can be found and replaced in the binary.  ^-^

I'm quite sure the color values can be found. The problem is that the firmware seems to be checksummed or signed. Earlier in this thread a simple string replacement of model names was tried, and the modified firmware would not be flashed. Even the checksum for flashing could probably be figured out, but if the bootloader has another check, your PSU might become bricked. Does anyone know if the firmware is flashed by the bootloader or the main firmware itself? It might be done by the bootloader based on the upgrade instructions.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 06, 2019, 07:58:08 pm
tossu, I think it's the bootloader since the .GEL reference only appears in BL.

From my code analysis you discovered the USB_vendor_disk string that must be present in order for the commands to  change MODEL and/or SN to work, right?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 06, 2019, 08:43:05 pm
From my code analysis you discovered the USB_vendor_disk string that must be present in order for the commands to  change MODEL and/or SN to work, right?

What's a USB_vendor_disk? I don't recognize that identifier. The only usb vendor disk thing I could find with Google was a reference in the MSO5000 hacking thread. I'm not at all familiar with that.

But yes, I discovered the value that must be present on a USB drive. Finding the value was easy. I spent more time than I'd like to admit decompiling the firmware before I took a look at MQX RTOS sources and found out that the value had to be on a USB drive.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 06, 2019, 08:50:51 pm
There is another specimen of USB_vendor_disk that is recognized by other Rigol equipments. It possesses a specific XXTEA encrypted sector.

You've discovered a simpler one used on other equipment models. That was a big reversing job since the code is not obvious at all (I've just looked into it)!

Now, let's try and see which other models recognize this USB_disk.

Again, great job!


Edit: Just by looking at the .GEL file types, I would say that this method works, at least, for all

DP800 , DL3000 and DG1000(Z)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: WhichEnt2 on April 06, 2019, 09:16:16 pm
Could someone eager to hack (or brick) their DG1032Z send these commands to it, preferably via USB, and post the results here? The keyfile.bin I made for DP832 should work.
Would like to check it on DG1022Z as soon as it arrives.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 06, 2019, 09:20:01 pm
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

Tossu and TV84, I cannot thank you guys enough for your help with this project, along with everyone else who provided insight and tried helping in hacking this!    This was something I wanted for a very long time and just found out today that it was finally hacked!   THANK YOU GUYS SOOOOOO MUCH!!!!!!!!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 06, 2019, 09:29:09 pm
In my opinion, the colors are not very well chosen concerning the combination of RGB pixel appearance to the human eye.
They appear too uneven in brightness when deactivated.

The combination I'd love to see is the font of the DP832A mode but other colors - even monochrome as in the DP832 mode would be ok.
Maybe the RGB values can be found and replaced in the binary.  ^-^

THIS! As much as I like the DP832A font it would probably take some time to get used to the new yellow, purple and blue colors. A firmware hack with a different palette would be fantastic. What colors would you guys prefer to have instead? IMO plain white for all three channels would be nice  8)

Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on April 06, 2019, 09:58:45 pm
Actually, the choice of the color palette like it's been on the "non-A-configuration" but with the fonts / layout of the "A-classic" would be my favorite. Anyway, I'm happy the way it is right now.  :)


P.S. I've also been playing around with my DG4102 and the prepared USB disk. Same result as @RoGeorge. Also somewhat strange behavior of the LXI interface via telnet but that's probably the result of the completely different underlying hardware (BlackFin) compared to the DP800 series (i.MX28 processor).
Title: Re: Need help hacking DP832 for multicolour option.
Post by: rfspezi on April 06, 2019, 10:07:55 pm
What colors would you guys prefer to have instead? IMO plain white for all three channels would be nice  8)

White would be my favourite too.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 06, 2019, 11:02:04 pm
P.S. I've also been playing around with my DG4102 and the prepared USB disk. Same result as @RoGeorge. Also somewhat strange behavior of the LXI interface via telnet but that's probably the result of the completely different underlying hardware (BlackFin) compared to the DP800 series (i.MX28 processor).

Tom, I've got no indication that this might work on that BF machine. But, maybe there is a similar one...  ;)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 06, 2019, 11:08:05 pm
Just confirmed that the DL3000 is exactly as the DP800  (the disk sector is also 0x58E0). And same byte sequence.

Can anyone try a DL3000 to DL3000A conversion?

Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 06, 2019, 11:15:29 pm
Just confirmed that the DL3000 is exactly as the DP800  (the disk sector is also 0x58E0). And same byte sequence.

Can anyone try a DL3000 to DL3000A conversion?

There is a DL3000 at work which is rarely used. I may try applying the hack on Monday. Same procedure and SCPI command as on the DP832?
Should I update to the latest firmware version before applying the hack? And is there a real chance of bricking it?

EDIT:
It seems like a stock DL3021 can't use the LAN port without buying an upgrade. Is it possible to apply the SCPI command using RS-232?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 07, 2019, 01:40:18 am
OK, I promised a write-up of my hacking process earlier. I've left out some things I did if they didn't end up anywhere, but feel free to skip the first part still. It's night already and I'm tired and writing in English. Not much can be expected. I finally got to it so here it comes!

Preliminary work

I started with a firmware version 1.14 descrambled with the method previously discovered in this thread. The first thing to do was of course to run binwalk and strings on it. Binwalk found a lot of ARM instructions and the entropy plot seemed sensible. I read the list of strings carefully and found some interesting: MODEL, FACTORYON, FACTORYOFF, MANUFACTUREON, MANUFACTUREOFF. They looked a lot like SCPI commands.

I tried a lot of plausible combinations like :SYSTEM:FACTORYON programmatically. I got just a bunch of false results because the SCPI server crashes easily and starts to do weird things.

I wanted to disassemble the firmware, and luckily the loading address had already been figured out. Search for references to those interesting string constants found something. One function, instead of its normal thing, sets a variable to 1 if parameter FACTORYON is passed to it while some condition is true. The function usually takes ON, 1, OFF or 0 as a parameter. The DP800 programming manual lists only a few of those. I tried all of them but those returned errors. That was very much expected. Following function calls for the condition would just find more and more complex code with indirect references.

At this point, I figured out I had been living under a rock, and there's a new decompiler called Ghidra. I wanted to try it so I redid all of my previous work with it. It didn't take much time at all, but neither did it help me any further. I started to look for other commands. I found one which can set a MODEL or SN, but it checks for the same condition before it does anything.

A dump of RAM would've helped me a lot, and there was a command for it. To use it, I had to get its name. The names were stored in a tree-like structure which had to be parsed. By chance I came across a simple Perl script for printing DS1054Z command structure. I quickly rewrote it in Python and had a list of commands on the first try. I modified it to print command IDs and conditional parts properly. The command list is attached if you want to have a look.

Now I could start dumping the memory with command :PROJect:MEMOry:READ?. Figuring out its parameters was easy with the help of a decompiler. The first kilobyte of the flash could be read with :PROJ:MEMO:READ? FLASH,0,1024 and it was sensible. To test it I dumped the flash. There was just the firmware I already had. Luckily the command could also read RAM by changing the first parameter. I tried to read the RAM but the output made no sense. I read the decompiled source again and was sure I was using the command right. Instead, the command either had a placeholder implementation or was missing a call to atoi. It read from the address of the second parameter instead of the numeric value and would just echo back the parameters. I had to do more static analysis without a memory dump.

Decompilation and a hack

The offset and the loading address of the firmware are known thanks to previous efforts in this thread. The array of pointers to command handlers is easy to find. Just find one handler with a known string and follow the cross references. Names of the commands are stored in another large structure which can be parsed with a script made for DS1054Z. It has pointers to all the command names and is easily found with xrefs.

The command handler which can change the model references strings MODEL and SN. The former is long enough to be found with any string search. The handler calls a function which does the USB drive check. Unless it returns zero, the handler does nothing and returns an error. A pointer to the command can be found by following xrefs back to the command handler array. Based on its index, name :PROJect:SET can be found from the command name structure.

The USB drive check function has many arbitrary values. By calling a second function, it does a memcpy-like operation of 8 bytes from 0x58E0 to an array in the stack and compares those against hard coded constants. The second function has a pattern which looks very much like "allocate, read something, memcpy, free". At least the vectorized memcpy is easy to recognize.

The function which does the reading is unfortunately the most difficult to understand. It uses a lot of pointers and arbitrary values. It also has a slightly different style to it. This hints that it might be a part of an OS driver. Strings reveal that the firmware contains version 3.7 of MQX RTOS. Its sources are available, and they contain symbolic values for some of the immediate values used in the function. One, MFS_READ_FAULT, is used only in three places. One of those is function MFS_Read_device_sector. Its source matches the decompiler output perfectly. The last thing to do with the code is go back and get the 8 byte value from the disassembly. Some mental math has to be done to get endianness right.

When the value is written to the start of sector 0x58E0 of a USB drive, the command :PROJect:SET will work. I took the easy route and did the file copy trick. Mainly because I didn't bother to check if a valid file system is required or if it's sector 0x58E0 of the drive or a partition or something.

Afterthoughts

I think it took me three or four evenings of messing around with my DP832 in total. Most of it was spent trying to dump the memory and trying some things I've left out. It didn't help that I had never read ARM assembly or used Ghidra before. I think Ghidra is an excellent tool and in some ways better than a, um, free version of another interactive disassembler.

I've decompiled some of the other commands. The unit can be set to some factory mode with command :SYST:BEEP FACTORYON if the magic USB drive is inserted. In that mode the model can be set with :SYST:LOCK DP832A$, but I don't think it enables anything else. :DIGItal:IO commands seemed somewhat interesting by their name, but they don't seem to be doing anything.

The :PROJ:SET command should return OK but crashes the command line if it's sent via LAN. I think it's safer to test it via USB on other Rigol models. However, on DP832 it seems to be working quite well.
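
An added example, not tossu's code or anything attached to the thread: a Python audit of a raw removable-media image for the 8-byte value and sector 0x58E0 quoted above, which also lists where pattern-filled sectors actually landed so that the hit-or-miss nature of the file copy trick is visible. The 512-byte sector size, counting sectors from the start of the image (the write-up leaves drive versus partition open), the function names and the in-memory sample images are assumptions.

```python
import io

# Values quoted in the thread for the DP800 series.
MAGIC = bytes.fromhex("80DF201090206280")
CHECK_SECTOR = 0x58E0
SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


def sector_has_magic(dev, sector=CHECK_SECTOR, base_sector=0):
    """True if the sector starts with MAGIC.

    base_sector is a hypothetical knob for images where the sector number
    would be relative to a partition rather than to the whole drive.
    """
    dev.seek((base_sector + sector) * SECTOR_SIZE)
    return dev.read(len(MAGIC)) == MAGIC


def magic_runs(dev, chunk_sectors=2048):
    """Return inclusive (first, last) runs of sectors that begin with MAGIC."""
    runs, start, sector = [], None, 0
    dev.seek(0)
    while True:
        chunk = dev.read(chunk_sectors * SECTOR_SIZE)
        if not chunk:
            break
        for off in range(0, len(chunk), SECTOR_SIZE):
            hit = chunk[off:off + len(MAGIC)] == MAGIC
            if hit and start is None:
                start = sector
            elif not hit and start is not None:
                runs.append((start, sector - 1))
                start = None
            sector += 1
    if start is not None:
        runs.append((start, sector - 1))
    return runs


def audit(dev):
    """Summarise whether the image would satisfy the sector check."""
    runs = magic_runs(dev)
    return {
        "check_passes": sector_has_magic(dev),
        "pattern_present": bool(runs),
        "runs": runs,
    }


def build_image(total_sectors, file_start_sector, file_bytes, lead_in=0):
    """Constructed sample: zeroed image with one pattern-filled extent.

    lead_in prepends that many zero bytes to the extent, which models a
    pattern that is not aligned to the start of a sector.
    """
    img = bytearray(total_sectors * SECTOR_SIZE)
    payload = bytes(lead_in) + MAGIC * (file_bytes // len(MAGIC))
    off = file_start_sector * SECTOR_SIZE
    img[off:off + len(payload)] = payload
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    MIB = 1024 * 1024
    samples = {
        # Extent is large enough to cover sector 0x58E0, sector aligned.
        "large aligned file": build_image(32768, 600, 12 * MIB),
        # Pattern is on the media but ends long before sector 0x58E0.
        "small aligned file": build_image(32768, 600, 4 * MIB),
        # Pattern shifted by 4 bytes: no sector starts with the value.
        "misaligned pattern": build_image(32768, 600, 12 * MIB, lead_in=4),
    }
    for name, dev in samples.items():
        print(name, audit(dev))
```

For real media, pass a file object opened in binary mode on a raw image of the drive instead of one of the constructed samples.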
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 07, 2019, 02:15:07 am
There is another specimen of USB_vendor_disk that is recognized by other Rigol equipments. It possesses a specific XXTEA encrypted sector.

You've discovered a simpler one used on other equipment models. That was a big reversing job since the code is not obvious at all (I've just looked into it)!

It seems you got the hang of my hack pretty quickly before any explanation. I assume you figured it out completely as you were able to check it for other models. Did the magic values help? What's the other specimen? Could you tell how you thought I did it? I haven't really read other Rigol hacking threads so I might be asking some stupid questions. If that's the case, please point me in the right direction.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: WhichEnt2 on April 07, 2019, 07:29:16 am
tossu, how do you look into DG1000Z firmware? I tried the python version of descrambler, but output is a complete mess, not anything readable in strings output at all.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ealex on April 07, 2019, 07:37:46 am
thanks for the hack.

quick hint for linux users: if you connect it via USB it will be detected as a usbtmcX device:
Code: [Select]
[38355.860413] usb 5-1.2: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 80, changing to 10
[38355.860415] usb 5-1.2: config 1 interface 0 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 64
[38355.860417] usb 5-1.2: config 1 interface 0 altsetting 0 bulk endpoint 0x3 has invalid maxpacket 64
[38355.861908] usb 5-1.2: New USB device found, idVendor=1ab1, idProduct=0e11, bcdDevice= 0.02
[38355.861909] usb 5-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[38355.861910] usb 5-1.2: Product: DP800 Serials
[38355.861912] usb 5-1.2: Manufacturer: Rigol Technologies.
[38355.861913] usb 5-1.2: SerialNumber: DP8C163953058
[38355.939460] usbcore: registered new interface driver usbtmc

it's a simple char device -> you can use echo and cat to access it:
Code: [Select]
# echo ":SYSTem:VERSion?" > /dev/usbtmc3
# cat /dev/usbtmc3
1999.0
^C^C^C^C
# echo ":PROJ:SET MODEL,DP832A" > /dev/usbtmc3

it works with a FAT16 partition on a newer USB stick - just make it the first partition on the stick
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 07, 2019, 10:13:33 am
It seems you got the hang of my hack pretty quickly before any explanation. I assume you figured it out completely as you were able to check it for other models. Did the magic values help? What's the other specimen? Could you tell how you thought I did it? I haven't really read other Rigol hacking threads so I might be asking some stupid questions. If that's the case, please point me in the right direction.

You took advantage of my parsings but you deserve full credit for this discovery!  :clap:  (the main reason of my parsings is to allow the kind of work you did)

In the meantime, the method has been confirmed to work on DG1000Z (as expected, even with a different sector). Of course, I was only able to somewhat understand what you did based on the magic values that you published. Even after your explanation it is not something very easy to recreate without diving into the MQX toolchain.

The other specimen can be used, for example, in the DS1054Z and also in the MSO5000/7000 (it's for ARM only)

You can have a taste of it, here:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1473517/#msg1473517

Based on known Rigol's way of doing things, it was not hard to figure out what you had accomplished (even if you were not fully aware at the time). Without previous knowledge of Rigol hacks it's even more amazing!

Even the "brute-force" method of the file in the disk is poetry.  BTW , it wouldn't work in the other specimen because the sector is one of the disk reserved sectors.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 07, 2019, 10:37:03 am

In the meantime, the method has been confirmed to work on DG1000Z (as expected, even with a different sector).


Does DG1000Z work with same magic sector as DP800 or it is another one.. Syntax for a model command is the same I presume?
Thks!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 07, 2019, 10:40:19 am

In the meantime, the method has been confirmed to work on DG1000Z (as expected, even with a different sector).


Does DG1000Z work with same magic sector as DP800 or it is another one.. Syntax for a model command is the same I presume?
Thks!

It's a different sector but tossu file works also with that sector. Syntax should be the same.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 07, 2019, 10:53:48 am
Would this sort of hack work on the Rigol DG1022 (non Z) as well? I have a DG1022 on my bench and would love to turn it into a DG1022A.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 07, 2019, 11:17:13 am
Would this sort of hack work on the Rigol DG1022 (non Z) as well? I have a DG1022 on my bench and would love to turn it into a DG1022A.

The FW is the same, right?  If so, I think it would but you are all on your own. I've done no tests since I don't have the equipment.

The test done was DG1022Z -> DG1062Z.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 07, 2019, 11:18:18 am
DG1000Z doesn't work over telnet.. It hangs the AWG completely (not responsive to buttons)..
Will try over USB, installing UltraSigma..
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 07, 2019, 11:25:55 am
Over USB on the first try all went well.. Even got OK\n response..
Reboot and it works..

And now only Arb16M   ::)

@tossu  premium work kudos.. thanks a bunch
and as always thanks to tv84..
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 07, 2019, 12:19:41 pm
tossu, how do you look into DG1000Z firmware? I tried the python version of descrambler, but output is a complete mess, not anything readable in strings output at all.

It uses the same scrambling algorithm but a different starting value. I took advantage of the fact that firmwares usually have long strings of zeroes and those make distinctive patterns of increasing numbers. If the right value of just one byte is known, the offset can be calculated.

The FW is the same, right?  If so, I think it would but you are all on your own. I've done no tests since I don't have the equipment.

DG1022 is the old, DS1052E era function generator. I don't think it's going to work.
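
The observation in the post above, that a run of zeroes in the plaintext comes out as a run of increasing numbers and so gives away the starting value, shown on a toy scrambler. This is an added example, not part of the original posts: the XOR-with-counter scheme, the `TOYFW` image and all function names are assumptions for illustration and are not Rigol's algorithm; the keyed keystream is there only to show the same image without the pattern.

```python
import hashlib
from typing import Optional, Tuple


def counter_scramble(data: bytes, start: int) -> bytes:
    """Toy scheme (an assumption, not Rigol's): XOR byte i with (start + i) mod 256.
    XOR makes it self-inverse, so the same call descrambles."""
    return bytes(b ^ ((start + i) & 0xFF) for i, b in enumerate(data))


def keyed_stream_scramble(data: bytes, key: bytes) -> bytes:
    """Contrast case: XOR with a keystream of SHA-256(key || block counter).
    Hides the pattern; it still provides no integrity protection."""
    out = bytearray()
    for off in range(0, len(data), 32):
        stream = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[off:off + 32], stream))
    return bytes(out)


def longest_counting_run(blob: bytes) -> Tuple[int, int]:
    """(offset, length) of the longest run where each byte is the previous + 1 mod 256."""
    if not blob:
        return 0, 0
    best_off, best_len, run_off = 0, 1, 0
    for i in range(1, len(blob)):
        if blob[i] != (blob[i - 1] + 1) & 0xFF:
            run_off = i                      # pattern broken, a new run starts here
        if i - run_off + 1 > best_len:
            best_off, best_len = run_off, i - run_off + 1
    return best_off, best_len


def recover_start(blob: bytes, min_run: int = 64) -> Optional[int]:
    """If a long counting run exists, assume it is scrambled zero padding.
    There blob[off] == (start + off) mod 256, so one known byte fixes the start."""
    off, length = longest_counting_run(blob)
    if length < min_run:
        return None
    return (blob[off] - off) & 0xFF


def constructed_filler(n: int, label: bytes) -> bytes:
    """Deterministic stand-in for code/data bytes (constructed, not real firmware)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + bytes([i])).digest()
        i += 1
    return out[:n]


def build_constructed_image() -> bytes:
    """Constructed sample: header, pseudo code, 512 bytes of zero padding, pseudo data."""
    return (b"TOYFW\x01" + constructed_filler(250, b"code")
            + bytes(512) + constructed_filler(100, b"data"))


if __name__ == "__main__":
    image = build_constructed_image()

    weak = counter_scramble(image, 0xA7)
    off, length = longest_counting_run(weak)
    start = recover_start(weak)
    print(f"counter scheme: run of {length} at offset {off}, start value {start:#04x}")
    print("descrambled header:", counter_scramble(weak, start)[:5])

    strong = keyed_stream_scramble(image, b"constructed-secret")
    print("keyed keystream: longest run", longest_counting_run(strong)[1],
          "-> start recovered:", recover_start(strong))
```
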
Title: Re: Need help hacking DP832 for multicolour option.
Post by: mleyden on April 07, 2019, 12:37:20 pm
DG1022Z -> DG1062Z successful over LAN (using same USB stick that did my DP832 -> DP832A upgrade):

>telnet 192.168.1.XXX 5555
*IDN?
Rigol Technologies,DG1022Z,DG1ZA183______,03.01.12
:PROJ:STAT MODEL,DG1062Z
*IDN?
Rigol Technologies,DG1062Z,DG1ZA183______,03.01.12


Thanks!
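
A monitoring-side check built on the session quoted above: it replays a captured SCPI transcript, pairs each `*IDN?` with its reply, and reports when the model reported for a serial number changes between queries or disagrees with the asset inventory. This is an added example, not part of the original post; the inventory dictionary, the finding names and the function names are assumptions, and the transcript is the exchange from the post with its masked serial kept as posted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Identity:
    manufacturer: str
    model: str
    serial: str
    firmware: str


def parse_idn(line: str) -> Optional[Identity]:
    """Parse a four-field *IDN? reply: manufacturer,model,serial,firmware."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4 or not all(parts):
        return None
    return Identity(*parts)


def is_command(line: str) -> bool:
    """SCPI commands in the transcript start with '*' (common) or ':' (subsystem)."""
    return line.startswith(("*", ":"))


def audit_session(lines: List[str], inventory: Dict[str, str]) -> List[dict]:
    """Walk a transcript and return findings about instrument identity.

    inventory maps serial number -> model recorded at purchase (assumed to exist).
    """
    findings: List[dict] = []
    last_seen: Dict[str, Identity] = {}   # serial -> identity from the previous *IDN?
    pending: List[str] = []               # commands sent since the last identity reply
    awaiting_idn = False

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if is_command(line):
            awaiting_idn = line.upper() == "*IDN?"
            if not awaiting_idn:
                pending.append(line)
            continue
        if not awaiting_idn:
            continue                      # reply to some other command, e.g. "OK"
        awaiting_idn = False

        ident = parse_idn(line)
        if ident is None:
            findings.append({"kind": "unparsable_idn", "line": line})
            continue

        expected = inventory.get(ident.serial)
        if expected is None:
            findings.append({"kind": "unknown_serial", "serial": ident.serial})
        elif expected != ident.model:
            findings.append({"kind": "inventory_mismatch", "serial": ident.serial,
                             "expected": expected, "reported": ident.model})

        prev = last_seen.get(ident.serial)
        if prev is not None and prev.model != ident.model:
            findings.append({"kind": "model_changed_in_session",
                             "serial": ident.serial,
                             "before": prev.model, "after": ident.model,
                             "firmware_changed": prev.firmware != ident.firmware,
                             "commands_between": list(pending)})
        last_seen[ident.serial] = ident
        pending.clear()
    return findings


# Transcript lines as quoted in the post above (serial masked by the poster).
SESSION = [
    "*IDN?",
    "Rigol Technologies,DG1022Z,DG1ZA183______,03.01.12",
    ":PROJ:STAT MODEL,DG1062Z",
    "*IDN?",
    "Rigol Technologies,DG1062Z,DG1ZA183______,03.01.12",
]
# Constructed inventory record: what the asset register says this serial is.
INVENTORY = {"DG1ZA183______": "DG1022Z"}

if __name__ == "__main__":
    for finding in audit_session(SESSION, INVENTORY):
        print(finding)
```
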
Title: Re: Need help hacking DP832 for multicolour option.
Post by: CustomEngineerer on April 07, 2019, 12:44:07 pm
DG1000Z doesn't work over telnet.. It hangs the AWG completely (not responsive to buttons)..
Will try over USB, installing UltraSigma..

Maybe stupid question, but going to ask anyways. At least on the DP832, once you connect (or maybe once you send the first command) over telnet, the power supply locks out the buttons on the front panel. If you want to resume controlling the power supply from the front panel, you have to hit the back button first, which takes it out of remote command mode. Is it possible the DG1000Z is the same?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: WhichEnt2 on April 07, 2019, 12:47:10 pm
DG1022Z -> DG1062Z successful over LAN (using same USB stick that did my DP832 -> DP832A upgrade):
Did you perform a full range sweep to check whether it is somewhat flat on the extended range?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 07, 2019, 12:59:42 pm
DG1000Z doesn't work over telnet.. It hangs the AWG completely (not responsive to buttons)..
Will try over USB, installing UltraSigma..

Maybe stupid question, but going to ask anyways. At least on the DP832, once you connect (or maybe once you send the first command) over telnet, the power supply locks out the buttons on the front panel. If you want to resume controlling the power supply from the front panel, you have to hit the back button first, which takes it out of remote command mode. Is it possible the DG1000Z is the same?
No it is not in remote mode. It blocks both on telnet connection (no response after command) and instrument non responsive... Can't press local to get it back. Reboot needed.

It is a 2016 instrument, maybe something is downlevel.. DG1022Zs are new ones, maybe they have a new boot/OS portion...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 07, 2019, 01:17:46 pm
DG1022Z -> DG1062Z successful over LAN (using same USB stick that did my DP832 -> DP832A upgrade):
Did you perform a full range sweep to check whether it is somewhat flat on the extended range?
My DG1032Z is pretty much dead flat to 60 MHz
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 07, 2019, 08:44:15 pm
In my opinion, the colors are not very well chosen concerning the combination of RGB pixel appearance to the human eye.
They appear too uneven in brightness when deactivated.

The combination I'd love to see is the font of the DP832A mode but other colors - even monochrome as in the DP832 mode would be ok.
Maybe the RGB values can be found and replaced in the binary.  ^-^

THIS! As much as I like the DP832A font it would probably take some time to get used to the new yellow, purple and blue colors. A firmware hack with a different palette would be fantastic. What colors would you guys prefer to have instead? IMO plain white for all three channels would be nice  8)

A hack might not be needed.   It might be a good idea for someone to contact Rigol, someone who owns an official DP832A, to ask if they could implement the change?   Perhaps if enough people ask quick like, they might implement it for current DP832A users, and with this hack, it'd allow the palette change.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 07, 2019, 09:21:46 pm
Over USB on the first try all went well.. Even got OK\n response..
Reboot and it works..

And now only Arb16M   ::)

@tossu  premium work kudos.. thanks a bunch
and as always thanks to tv84..

I don't understand.   How do you perform the hack over USB?   Isn't the USB port needed for the magic thumb drive?   Thanks!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 07, 2019, 09:23:11 pm
tossu, how do you look into DG1000Z firmware? I tried the python version of descrambler, but output is a complete mess, not anything readable in strings output at all.

It uses the same scrambling algorithm but a different starting value. I took advantage of the fact that firmwares usually have long strings of zeroes and those make distinctive patterns of increasing numbers. If the right value of just one byte is known, the offset can be calculated.

The FW is the same, right?  If so, I think it would but you are all on your own. I've done no tests since I don't have the equipment.

DG1022 is the old, DS1052E era function generator. I don't think it's going to work.

I always wondered how you figured out that starting value!!!!   That is smart, and good to know!   I wouldn't have thought of that.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 07, 2019, 10:01:56 pm
I don't understand.   How do you perform the hack over USB?   Isn't the USB port needed for the magic thumb drive?   Thanks!

Devices this hack applies to have two USB ports.

While comparing DP800 and DG1000Z firmwares, I found a string 586E719859AF6C obfuscated in the DG1000Z firmware. I think the corresponding string for DP800 is 5EC2D25AE85124. Those look very much like some encryption keys. Google finds one result for the DP800 string in the Rigol's I2C bus thread, but the DG1000Z one might be a new one. Maybe it can be used for something.

Title: Re: Need help hacking DP832 for multicolour option.
Post by: msquared on April 08, 2019, 12:31:33 am
First I just want to give a HUGE THANK YOU to tossu. What an awesome way to "upgrade" a device.

So far I'm 3 for 3.
DP832 to DP832A all options enabled
DL3021 to DL3021A all options enabled
DG1032Z to DG1062Z still missing memory upgrade but output is flat out to 60MHz

All three were done over telnet using the same USB stick. It took me all of about 15 minutes to "upgrade" all 3 devices.

Thanks again.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 08, 2019, 12:37:04 am
This is far-fetched but there is code in the DG1000 firmware that sets a 16M memory related flag if the serial of the unit is "DG1ZA000000000". Command :PROJ:STAT SN,DG1ZA000000000 should be able to change the serial. I have no idea when that function is run but maybe it's worth a try.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: msquared on April 08, 2019, 03:46:54 am
That worked. The option is listed as "Trial" but I don't see a timer so maybe it'll last forever.

Thanks again!

Btw. If anyone is wondering it does require the "Special Key" to work.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 08, 2019, 10:20:19 am
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 08, 2019, 03:03:26 pm
I think the corresponding string for DP800 is 5EC2D25AE85124.

That's the ECC public key of the DP832. Did you find any relation of that with the USB disk string?

With the public key 586E719859AF6C  you might upgrade riglol and generate the official license for Arb16M.

Then, it's just:

:LICense:INSTall 1234567890123456789012345678
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 08, 2019, 07:16:09 pm
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Are there any known hacks for the DL3000 series that allow LAN interface, or some other way to apply the hack without having to purchase any of the keys?   Just curious.   I couldn't find any, if they do exist.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 08, 2019, 08:07:30 pm
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default, the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Are there any known hacks for the DL3000 series that allow LAN interface, or some other way to apply the hack without having to purchase any of the keys?   Just curious.   I couldn't find any if they do exist.

Not that I'm aware of. But applying this hack does turn it into a DL3021A. And the A model has all options enabled, LAN too.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on April 08, 2019, 08:46:29 pm
...still doesn't make the load any better...  :P

https://www.eevblog.com/forum/testgear/new-rigol-dc-load-d3000-series/msg1327086/#msg1327086

P.S. Interesting anyway that the hack is possible. Probably with a little hardware upgrade (some opamps and a few IRFP250's) a conversion to a DL3031A should also be within reach. So if you're sure you need a load only for high, slowly changing currents, this may be a good opportunity...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 08, 2019, 09:08:22 pm
...still doesn't make the load any better...  :P

https://www.eevblog.com/forum/testgear/new-rigol-dc-load-d3000-series/msg1327086/#msg1327086

P.S. Interesting anyway that the hack is possible. Probably with a little hardware upgrade (some opamps and a few IRFP250's) a conversion to a DL3031A should also be within reach. So if you're sure you need a load only for high, slowly changing currents, this may be a good opportunity...

Whoa, I didn't know it was THAT terrible! I know the GUI is rather annoying (I'm still scratching my head every time I want to go to the main screen since there is no obvious back button) but this basically makes it useless for small loads. At work, we use it to stress test DC/DC converters and switchmode power supplies. So for this application, it's not really an issue. However, if I'd buy myself a DC load I would definitely get something more versatile than this.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 08, 2019, 09:19:54 pm
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default, the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Are there any known hacks for the DL3000 series that allow LAN interface, or some other way to apply the hack without having to purchase any of the keys?   Just curious.   I couldn't find any if they do exist.

Not that I'm aware of. But applying this hack does turn it into a DL3021A. And the A model has all options enabled, LAN too.
Yeah, but to apply the hack, don't you at least need the LAN option active?   Or is the RS232 active without the need for a paid Option?   Thanks!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: hansibull on April 08, 2019, 09:24:09 pm
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default, the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Are there any known hacks for the DL3000 series that allow LAN interface, or some other way to apply the hack without having to purchase any of the keys?   Just curious.   I couldn't find any if they do exist.

Not that I'm aware of. But applying this hack does turn it into a DL3021A. And the A model has all options enabled, LAN too.
Yeah, but to apply the hack, don't you at least need the LAN option active?   Or is the RS232 active without the need for a paid Option?   Thanks!

The RS232 interface can be used on a stock DL3021. However, I did have to make myself a crossed gender changer because I didn't have a female-female DB9 cable.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 09, 2019, 04:43:59 pm
Did anybody ever buy MEM-DG1000Z Memory Option (16Meg AWG upgrade)  for DG1000Z?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on April 09, 2019, 05:13:12 pm
just a short note for those who are "upgrading" to a DP832A. I had a very old firmware revision (1.04) on my DP832. With this old firmware, the hack was not working. I then updated to 1.16 (first 1.11. then 1.16) and then the hack worked.
However, somewhere during this process my DP832 lost all the calibration, thus a complete re-calibration (Edit: can be done by yourself, see here: https://www.eevblog.com/forum/testgear/rigol-dp832-firmware-updates-and-bug-list/) was needed. Though this calibration procedure takes a while, so make sure you have enough time in case this happens to you too.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 09, 2019, 05:45:20 pm
My DP831 was 1.14 and kept calibration going to 1.16
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on April 09, 2019, 08:48:31 pm
just a short note for those who are "upgrading" to a DP832A. I had a very old firmware revision (1.04) on my DP832. With this old firmware, the hack was not working. I then updated to 1.16 (first 1.11. then 1.16) and then the hack worked.
However, somewhere during this process my DP832 lost all the calibration, thus a complete re-calibration was needed. This takes a while, so make sure you have enough time in case this happens to you too.

Mine didn't lose the calibration when upgraded from DP832 to DP832A, but the firmware was already at 1.14.

Couldn't find the info in the DP800 User Manual, it says to contact Rigol.
What is the password and the procedure for DP800 manual calibration, please?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on April 09, 2019, 09:06:10 pm
just a short note for those who are "upgrading" to a DP832A. I had a very old firmware revision (1.04) on my DP832. With this old firmware, the hack was not working. I then updated to 1.16 (first 1.11. then 1.16) and then the hack worked.
However, somewhere during this process my DP832 lost all the calibration, thus a complete re-calibration was needed. This takes a while, so make sure you have enough time in case this happens to you too.

Mine didn't lose the calibration when upgraded from DP832 to DP832, but the firmware was already at 1.14.

Couldn't find the info in the DP800 User Manual, it says to contact Rigol.
What is the password and the procedure for DP800 manual calibration, please?


2012
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on April 09, 2019, 09:16:31 pm
Quote
Couldn't find the info in the DP800 User Manual, it says to contact Rigol.
What is the password and the procedure for DP800 manual calibration, please?
I added a link in my post above. See at the first page of the link, there are links to the calibration procedure.  The automatic calibration by a python script (if you have a SCPI/LXI ready-DMM available) is using the password "11111"; for the manual calibration "2012" will be the correct one.
Though I tried the manual calibration first and was annoyed quickly about the long and pesky procedure. I then used the python script posted several times here in the forum (e.g. see link above). Instead of manually reading and entering the numbers for two hours I decided to dig into the python stuff (which took longer than 2 hours ... but I learned something new by this, so it was worth it).
Title: Re: Need help hacking DP832 for multicolour option.
Post by: _Wim_ on April 10, 2019, 03:54:50 pm
I took a quick look at a DG1032Z firmware I found somewhere. I think it's version 1.06. It has a very similar check for the same magic value at sector 0x78EC.

Could someone eager to hack (or brick) their DG1032Z send these commands to it, preferably via USB, and post the results here? The keyfile.bin I made for DP832 should work.

:PROJ:STAT MCALTIMES,QUERY
*IDN?
:PROJ:STAT MODEL,DG1062Z
*IDN?

I can do this, but only next week.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 10, 2019, 05:10:46 pm
I think it's better to not mess with:

:PROJ:STAT MCALTIMES,QUERY

Just do the:

:PROJ:STAT MODEL,DG1062Z

And you'll have a new model!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: _Wim_ on April 10, 2019, 07:18:55 pm
I think it's better to not mess with:

:PROJ:STAT MCALTIMES,QUERY

Just do the:

:PROJ:STAT MODEL,DG1062Z

And you'll have a new model!

Thanks. I will give this a try when I am back at home.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: stj on April 10, 2019, 08:27:58 pm
has anybody tried this on the scopes?

on the ds1000z series, it may be useful in the future to switch it to the MSO variant.
also, although i'm not sure, it was the case that Riglol didn't work on the 2000 and 4000 series.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on April 10, 2019, 08:38:51 pm
I doubt that the hack will work on DS/MSO 2000 and 4000 platforms since these are based on Blackfin DSPs (just like the DG4000) and not the iMX SOCs that are used in the machines that are apparently/proven to be hackable with the described approach. Yet, turning the DS1000Z into an MSO may appear attractive to some, especially since there is this parallel thread approaching a "DIY" probe adapter for the MSO1000Z and MSO5000 platforms.

Cheers,
Thomas
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 10, 2019, 10:09:51 pm
has anybody tried this on the scopes?

on the ds1000z series, it may be useful in the future to switch it to the MSO variant.
also, although i'm not sure, it was the case that Riglol didn't work on the 2000 and 4000 series.

It's almost guaranteed that you can convert a DS1000Z into a MSO but, in the end, you need the additional HW.

They use the same FW, although each one uses a different licensing scheme/functions. But both methods are present in the FW.

Of course you would have to flash a key_block into the DS in order for it to behave as a MSO. Remember all the "rigup machines" take their private keys from a block that's in their flash.

As the DS doesn't have that block, you would have to create it besides "changing model".

It could be that the simple insertion of the key_block (in the flash) is the trigger to a model change!

Title: Re: Need help hacking DP832 for multicolour option.
Post by: Spork Schivago on April 12, 2019, 01:36:44 pm
Out of curiosity, what does the :PROJ:STAT MCALTIMES,QUERY command do?   I searched the net and all I could find was something from this thread on page 7 that has been edited or is missing for some other reason.   Google Cache was no help.

Does it query calibration times?   What's the M for I wonder?  Also, why would that command be a bad idea to run?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: WhichEnt2 on April 12, 2019, 01:52:30 pm
I searched the net and all I could find was something from this thread on page 7 that has been edited or is missing for some other reason.   Google Cache was no help.
I bet it's the last post on page 6, which has been moved from page 7 by someone deleting a post somewhere in the thread.
Compare its contents: cat: /dev/usbtmc1: Connection timed out ~$ echo ":PROJ:STAT MCALTIMES,QUERY" vs https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2324442/#msg2324442
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on April 12, 2019, 02:39:46 pm
Out of curiosity, what does the :PROJ:STAT MCALTIMES,QUERY command do?   I searched the net and all I could find was something from this thread on page 7 that has been edited or is missing for some other reason.   Google Cache was no help.

Does it query calibration times?   What's the M for I wonder?  Also, why would that command be a bad idea to run?

It just prints the values of two variables. I'd guess it's counting how many times a manual calibration is done. I don't see why running the command would break anything but it would be completely unnecessary. People had problems upgrading their DG1000Z's, so I wanted to see if the :PROJ:STAT command would work at all. That post was by no means intended to be a guide.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: WhichEnt2 on April 15, 2019, 04:29:21 pm
With the public key 586E719859AF6C  you might upgrade riglol and generate the official license for Arb16M.
Doesn't it require additional research for obtaining option code(s) from firmware?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on April 15, 2019, 05:07:57 pm
Doesn't it require additional research for obtaining option code(s) from firmware?

Arb16M option code is JBNE.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: WhichEnt2 on May 01, 2019, 01:45:21 pm
With the public key 586E719859AF6C  you might upgrade riglol and generate the official license for Arb16M.
Looks like this task is not just too straight and involves recovering private key from a public key.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: BLF Lexel on May 02, 2019, 07:11:02 am
I got the problem getting a connection with my DP811

I can ping it at 192.168.178.22 but when I use Telnet on port 5555 I get no connection

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\system32>ping 192.168.178.22

Ping wird ausgeführt für 192.168.178.22 mit 32 Bytes Daten:
Antwort von 192.168.178.22: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.178.22: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.178.22: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.178.22: Bytes=32 Zeit<1ms TTL=64

Ping-Statistik für 192.168.178.22:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

C:\Windows\system32>telnet 192.168.178.22 5555
Verbindungsaufbau zu 192.168.178.22...Es konnte keine Verbindung mit dem Host he
rgestellt werden, auf Port 5555: Verbindungsfehler
Title: Re: Need help hacking DP832 for multicolour option.
Post by: BLF Lexel on May 02, 2019, 08:30:54 am
I get no connection
I also installed IVI and tried USB
Title: Re: Need help hacking DP832 for multicolour option.
Post by: PA0PBZ on May 02, 2019, 08:38:29 am
I think the interfaces are optional for the DP811, same as DP832?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Pinkus on May 02, 2019, 08:51:34 am
Quote
I think the interfaces are optional for the DP811, same as DP832?
Exactly what I thought: did you enable the options before (especially Rigol DP8-INTERFACE)?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: BLF Lexel on May 02, 2019, 11:17:19 am
just RS232 is unofficial with Riglol rest is enabled
Title: Re: Need help hacking DP832 for multicolour option.
Post by: BLF Lexel on May 09, 2019, 12:58:31 pm
I revived a very old PC in basement and now got my
DP811
DP832
and new DG1022Z
fully upgraded

seems my network did not like Telnet at all
Title: Re: Need help hacking DP832 for multicolour option.
Post by: volkimel on May 15, 2019, 12:05:20 pm
That's wonderful news! :-+
Thanks a lot for putting in the effort and sharing it, tossu!
I had almost given up on this, because the last bit of disassembly skills are missing!
And now, after a while not looking at it, huge progress was made!

Of course I had to try it out and it worked a treat. Got a DP832A with all options now!  :)

Used a rather old SanDisk Cruzer mini 512MB USB stick and connected with PuTTY via LAN. Really, really simple!

The software on my DP832 was and is still 00.01.13.00.01. This will change now as well.
Thanks to everyone who spent time and effort on this topic!

Cheers!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Smokey on May 21, 2019, 02:05:38 am
...I wonder if the random reboots that DP832 owners suffer from for absolutely no rhyme or reason will vanish when software converting to a DP832A...

I had the random reboot problem and sent the thing in for repair.  They replaced boards, so I'd doubt it's purely a software issue that you can fix like this.  Bummer.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: starec on May 24, 2019, 11:40:24 am
With the public key 586E719859AF6C  you might upgrade riglol and generate the official license for Arb16M.
Doesn't it require additional research for obtaining option code(s) from firmware?

i've calculated the private key for you: 7412E98108CAB0
but it isn't so straight to generate license using riglol because of slightly modified algorithms used in DG1000Z

Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on May 24, 2019, 03:49:44 pm
slightly modified algorithms used in DG1000Z

= riglol 1.03d
Title: Re: Need help hacking DP832 for multicolour option.
Post by: starec on May 24, 2019, 04:33:22 pm
= riglol 1.03d
Ok, this one is almost working. You need, however, to change some things:
B32 alphabet - ascii_map[] = "MNBVCXZASDFGHJKLPUYTREWQ23456789"
and arrays in fn format_license_dp832_109 as follows
    const int map1[] = {3, 0xE, 0x13, 9, 0x1A, 5, 7, 0x11, 0xC, 0x18, 6, 0x16};
    const int map2[] = {4, 0xB, 0x10, 0x17, 0, 8, 0x14, 0x1B, 2, 0xD, 0xF, 0x15};
    const int map3[] = {1, 0xA, 0x12, 0x19};
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Trident900fi on May 26, 2019, 09:41:00 am
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depends on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
It will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That's all  :D

Title: Re: Need help hacking DP832 for multicolour option.
Post by: Wintel on May 26, 2019, 07:29:44 pm
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depends on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
It will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That's all  :D

Can hack the DC Load DL3021 to DL3031A?  Like the DG811 to DG992?

Title: Re: Need help hacking DP832 for multicolour option.
Post by: Trident900fi on May 26, 2019, 10:11:25 pm
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depends on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
It will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That's all  :D

Can hack the DC Load DL3021 to DL3031A?  Like the DG811 to DG992?
No, it's not possible, it's not the same hardware inside...
Maybe, if you add the missing components  ;)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: joad on June 01, 2019, 06:13:59 pm
Where do I find the script for extracting all SCPI commands like on the DP 800 "dp800_all_commands.txt"?

I'm looking for SCPI commands for calibrating the DL3000.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on June 06, 2019, 07:52:53 pm
Where do I find the script for extracting all SCPI commands like on the DP 800 "dp800_all_commands.txt"?

I'm looking for SCPI commands for calibrating the DL3000.

There is no fully automated script unless someone else has made one.

Here is a list of commands I have extracted from some version of the DL3000 firmware. There seems to be a bunch of calibration related commands. I hope you will find those useful.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 07, 2019, 03:11:26 pm
This isn't working for me, I tried 2 different USB drives, formatted FAT32 with just the xxx.bin file on them and my gear says it sees a USB drive.

I am directly connected by LAN and can see my DP832 and DG1022Z in RigolBildschirmkopie after search, I can select them then connect to with the SCPI Command terminal, issue the *IDN? command to them and see the expected response when I hit [Send & Receive] but when I try to send :PROJ:SET MODEL,DP832A/DG1062Z, in both cases I get a response of...

"There was an error when sending the SCPI command" and after that, the device I just tried to send the :PROJ:SET MODEL,XXXX command to is not seen in RigolBildschirmkopie after search until I cycle power.

I tried using telnet via an admin-level windows powershell (Win 10) but that hangs after I type "telnet 10.0.0.xxx 5555".

Any ideas?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: PeDre on June 07, 2019, 03:21:31 pm
"There was an error when sending the SCPI command" and after that, the device I just tried to send the :PROJ:SET MODEL,XXXX command to is not seen in RigolBildschirmkopie after search until I cycle power.

This error is displayed if the device does not confirm that it has received the command. Unfortunately the Rigol devices do not comply with the VXI (LAN) and USBTMC standard.
In this case the command was sent correctly.

Peter
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 07, 2019, 03:41:21 pm
"There was an error when sending the SCPI command" and after that, the device I just tried to send the :PROJ:SET MODEL,XXXX command to is not seen in RigolBildschirmkopie after search until I cycle power.

This error is displayed if the device does not confirm that it has received the command. Unfortunately the Rigol devices do not comply with the VXI (LAN) and USBTMC standard.
In this case the command was sent correctly.

Peter
Thanks for the reply but the device is not changed to the new model?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on June 07, 2019, 03:49:36 pm
Any ideas?

Try linux to send the command.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: _Wim_ on June 07, 2019, 03:56:58 pm
Thanks for the reply but the device is not changed to the new model?

For the DG1062, the command is :PROJ:STAT MODEL,DG1062Z  (not SET, but maybe both work). I seem to remember I had to put a space between model and the modelnumber :PROJ:STAT MODEL, DG1062Z
Title: Re: Need help hacking DP832 for multicolour option.
Post by: _Wim_ on June 07, 2019, 04:00:32 pm
Any ideas?

Are you sure you can see the contents of the USB key from the Rigol device? You can try to save a file to the key first to ensure you can correctly read the USB key (the Rigol devices are very picky about the USB keys)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 07, 2019, 04:45:20 pm
Any ideas?

Are you sure you can see the contents of the USB key from the Rigol device? You can try to save a file to the key first to ensure you can correctly read the USB key (the Rigol devices are very picky about the USB keys)
I tried to save a file to the USB drive on the DP832 and it worked just fine.
I tried the :PROJ:STAT MODEL, DG1062Z command via RigolBildschirmkopie and it gave the same error.

I might have suspected firmware upgrade differences but it seems unlikely I'd get the same issue on both if device itself were the problem and the DG1022Z and the DP832 are pretty recently updated (not quite the latest).

Maybe it's the USB drive.  Is there some way I can check that the keyfile.bin file is in the correct location?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 07, 2019, 05:00:42 pm
When I send :PROJ:STAT MODEL, DG1062Z to the DG1022Z it (briefly) says on the DG1022Z screen
"error generated by remote interface command"
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 07, 2019, 05:04:18 pm
Any ideas?

Try linux to send the command.
I'm running up my (old) Ubuntu 16.04 laptop up, what do I need to run to get to the place where I can send a SCPI command to the Rigols?  I'm not a Linux person.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on June 07, 2019, 05:06:00 pm
Any ideas?

Try linux to send the command.
I'm running up my (old) Ubuntu 16.04 laptop up, what do I need to run to get to the place where I can send a SCPI command to the Rigols?  I'm not a Linux person.

You telnet to 10.0.0.xxx 5555 and write the command directly.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 07, 2019, 05:22:34 pm
I get into Ubuntu terminal with Ctl-Alt-T and get to a command prompt, it didn't recognize telnet

So I tried sudo apt-get install xinetd telnetd and it prompted me for password then it says...

"Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?"

As I said, I'm not a Linux person

[EDIT] I got past that, I was able to run sudo apt-get install -y xinetd telnetd

and it seemed to work but now I can't get telnet to run when I try to...

telnet 10.0.0.128:5555 I get

"could not resolve 10.0.0.128:5555: name or service not known"

I tried rebooting
Title: Re: Need help hacking DP832 for multicolour option.
Post by: smithnerd on June 08, 2019, 04:24:10 am
Replace the colon with a space:

Code:
telnet 10.0.0.128 5555
host:port is a common convention for many UNIX tools, but not telnet (it is ancient).
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on June 08, 2019, 08:48:41 am
host:port is a common convention for many UNIX tools, but not telnet (it is ancient).

My bad!  |O   (addicted to automatic logins...)


Assuming that the IP of your DG is 10.0.0.128, do:

"nmap -p- 10.0.0.128" in the linux prompt
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 08, 2019, 02:16:49 pm
OK, so I can telnet to the DP832 from Linux.

nmap -p- 10.0.0.128 gives the following open ports... 80,111,617,618,619,555 all /tcp and the line for 5555 is...

5555/tcp open  freeciv

I can "telnet 10.0.0.128 5555" and get a message saying "connected to 10.0.0.128"

I can issue *IDN? and get the expected response but when I issue the command ":PROJ:SET MODEL,DP832A" the screen of the DP832 flashes up a box saying "remote command incorrect" and there's no response on the telnet terminal.

Tried 2 different USB drives (still may be the issue) and I tried putting the USB drive(s) in before and after boot up.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 08, 2019, 02:21:39 pm
Trying the DG1022Z I can telnet to it and issue the ":PROJ:STAT MODEL,DG1062Z" command but again, the screen pops up with an "error generated by remote interface command" pop up message
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 08, 2019, 02:40:14 pm
OK, all issues solved!

The problem was the USB drive; I tried a 3rd drive, an old Verbatim 2GByte drive - I don't know if this was a cause of my problems but when I formatted the other 2 drives from Windows 10 Explorer, the allocation unit size was set to 4096 and when I formatted the Verbatim, I changed it to "Default Allocation Size" and gave the drive a volume label of "Rigol"; then I copied the single keyfile.bin file to it.

I plugged it in while the equipment was still running and went through all the previous steps in Ubuntu terminal and this time I got no error messages on the PSU or AWG and no response on the telnet terminal after issuing the :PROJ:SET/STAT commands but the *IDN? command revealed that the changes had been successfully applied, in the case of the DP832(A), it needed a reboot before it would respond.

I used the :PROJ:STAT to do the DG1022Z and :PROJ:SET to do the DP832, no space was needed after the comma e.g.
:PROJ:STAT MODEL,DG1062Z works fine

Thanks for all the help guys :D
Title: Re: Need help hacking DP832 for multicolour option.
Post by: bd139 on June 08, 2019, 11:00:50 pm
Confirmed another DG1022Z upgraded to DG1062Z

(https://imgur.com/YcvgMak.jpg)

(https://imgur.com/3rNLUeL.jpg)

Hardware is definitely ok. Flat response to 60MHz. Couldn't get USB stick to work properly to start with. Used diskpart to create a 2Gb partition at the start of the USB disk and formatted it FAT32 quick, then added keyfile.bin. Telnet did SFA other than throw errors. Assumed it was windows' telnet client being crap so I knocked up a small C# program to send the command:

Code:
using System;
using System.IO;
using System.Net.Sockets;

class Program
{
    static void Main(string[] args)
    {
        using (var client = new TcpClient("192.168.178.31", 5555))
        using (var networkStream = client.GetStream())
        using (var writer = new StreamWriter(networkStream))
        using (var reader = new StreamReader(networkStream))
        {
            writer.AutoFlush = true;
            writer.Write(":PROJ:STAT MODEL,DG1062Z\n");
            Console.WriteLine(reader.ReadLine());
        }
    }
}

Bingo! Big thanks to the reverse engineers  :-+
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 1anX on June 09, 2019, 12:13:39 am
Can you please detail how to use the C program to hack the DG1022Z.
I have a DG1022Z unit that I would love to run at 60MHz.
Just need a sequence of (simple) steps I can follow to get there. Any help much appreciated!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: FuzzyOtter on June 09, 2019, 04:13:12 am
Long time listener, first time caller. Massive thanks to tossu for sharing his efforts here and helping the rest of us. I bought myself a DP832 some time ago and while it's been a fantastic bench supply, I was annoyed that it lacked the multi-colour display abilities of its big brother. Your discovery is exactly what I was hoping for! I was able to apply the change quickly and easily. It's a relatively minor quality of life improvement, but it has made the power supply feel complete!

I wanted to share a few notes for others just in case anyone gets snagged up:


Thank you again!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 09, 2019, 12:01:25 pm
Can you please detail how to use the C program to hack the DG1022Z.
I have a DG1022Z unit that I would love to run at 60MHz.
Just need a sequence of (simple) steps I can follow to get there. Any help much appreciated!
What forms of computer do you own?  There are only 2 'challenges':

1. Get an (old) USB stick formatted correctly
2. Get some form of telnet communicating with your DG1022Z via LAN (or maybe USB).

You can Google telnet and find all sorts of options - windows 10 command prompt worked for me after adding telnet to windows but it's sort of clunky as there are no success messages after typing telnet <IP_address> 5555 (e.g. 10.0.0.123 5555) you just see a blank screen but, once you have telneted to your DG1022Z, try the *IDN? command and you should see a line of information returned like...

Rigol Technologies,DG1022Z,DG1ZAxxxxxxxxx,03.01.12

If you get this far, all you have to do is create and plug in the correctly formatted USB stick to the front of your DG1022Z and issue the command...

:PROJ:STAT MODEL,DG1062Z

If you're successful, you will get no response over telnet and there will be no messages on the screen of the DG1022Z.
If you see an "error generated by remote interface command" briefly popping up on the DG1022Z screen, then you probably have an issue with your USB drive.

How to create the USB stick and how to telnet are covered in multiple places in this thread.

One thing I've noticed is that saved configurations through the store>browser menu won't load after upgrade with an 'incorrect format' message.  You have to recreate and resave over the old stored info and then it works so some may want to take pictures of your saved configs.
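
Added example, not part of the thread or any poster's code: a lab-inventory check built on the *IDN? reply format quoted above (vendor,model,serial,firmware) and the raw SCPI socket on port 5555, which accepts commands without authentication. It flags instruments whose reported model or serial no longer matches the asset record. Function names, hosts, serial numbers and the DP832 firmware string are constructed for illustration.

```python
"""Compare *IDN? replies from bench instruments with an asset inventory."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    vendor: str
    model: str
    serial: str
    firmware: str


def parse_idn(reply):
    """Split a '*IDN?' reply of the form vendor,model,serial,firmware."""
    fields = [f.strip() for f in reply.strip().split(",")]
    if len(fields) != 4 or not all(fields):
        raise ValueError(f"unexpected *IDN? reply: {reply!r}")
    return Identity(*fields)


def query_idn(host, port=5555, timeout=2.0):
    """Send *IDN? over the raw SCPI socket and return one reply line.

    The thread notes these instruments stay silent after some commands,
    so every read is bounded by a timeout instead of blocking forever.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"*IDN?\n")
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = sock.recv(256)  # raises a timeout error if the device is silent
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", errors="replace")


def collect(hosts):
    """Query every host; unreachable or silent instruments map to None."""
    replies = {}
    for host in hosts:
        try:
            replies[host] = query_idn(host) or None
        except OSError:  # refused, unreachable or timed out
            replies[host] = None
    return replies


def audit(inventory, replies):
    """Return (host, finding) tuples for every deviation from the inventory.

    inventory: host -> (expected_model, expected_serial)
    replies:   host -> raw *IDN? reply, or None when nothing came back
    """
    findings = []
    for host, (model, serial) in sorted(inventory.items()):
        raw = replies.get(host)
        if raw is None:
            findings.append((host, "no-reply"))
            continue
        try:
            ident = parse_idn(raw)
        except ValueError:
            findings.append((host, "malformed-reply"))
            continue
        if ident.serial != serial:
            findings.append((host, "serial-mismatch"))
        elif ident.model != model:
            findings.append((host, f"model-changed:{model}->{ident.model}"))
    # Anything answering on the SCPI port that the inventory does not list.
    for host in sorted(set(replies) - set(inventory)):
        findings.append((host, "unknown-instrument"))
    return findings


# Constructed sample data: hosts, serials and DP832 firmware are made up.
SAMPLE_INVENTORY = {
    "10.0.0.123": ("DG1022Z", "DG1ZA000000001"),
    "10.0.0.128": ("DP832", "DP8C000000002"),
    "10.0.0.130": ("DL3021", "DL3A000000003"),
}
SAMPLE_REPLIES = {
    "10.0.0.123": "Rigol Technologies,DG1062Z,DG1ZA000000001,03.01.12\r\n",
    "10.0.0.128": "Rigol Technologies,DP832,DP8C000000002,00.01.16\n",
    "10.0.0.130": None,
    "10.0.0.140": "Rigol Technologies,DP832A,DP8C000000009,00.01.16\n",
}

if __name__ == "__main__":
    # Offline run on the constructed replies; use collect(SAMPLE_INVENTORY)
    # instead of SAMPLE_REPLIES to poll real instruments on the bench LAN.
    for host, finding in audit(SAMPLE_INVENTORY, SAMPLE_REPLIES):
        print(host, finding)
```

Keeping bench instruments on an isolated network segment limits who can reach port 5555 in the first place; the audit only reports drift after the fact.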
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 1anX on June 10, 2019, 06:53:11 am
I have win 10 PCs but could run Linux off a USB mem stick if needed.
Thanks for the info, I will give it a try!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 10, 2019, 09:43:56 am
I have win 10 PCs but could run Linux off a USB mem stick if needed.
Thanks for the info, I will give it a try!
I tried Windows and Ubuntu but, in the end, the issue was the thumb drive and I eventually made it all work using telnet from a command prompt in Win 10 with telnet service added.  As I already said; if you can telnet and get a response to *IDN? but then see "error generated by remote interface command" popping up briefly when you try to send the :PROJ:STAT MODEL,DG1062Z command, then the issue is with the USB drive - a recent comment says the drive has to be formatted in FAT but mine was FAT32.

Good luck
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on June 10, 2019, 05:56:44 pm
Preparing the USB drive is, indeed, quite a persnickety process. The file won't end up in the right sector if the partition is too large.

To make that easier, I made a disk image that can be written directly to any USB drive with a dd-like utility. On Windows I like to use Win32 Disk Imager.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: bson on June 11, 2019, 03:57:03 am
Neat hack, and the fonts are a huge improvement over the faux 7-segment ones!  :-+
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 1anX on June 11, 2019, 05:50:13 am
Thank you all so much!
My DG1022Z now running full speed as a DG1062Z.
Simply sent the command :PROJ:STAT MODEL,DG1062Z through Rigol's Ultra Sigma software, connected thru USB.
Used USB and Ultra Sigma to hack my DP832 to DP832A without a hitch! Don't really know if the colour display is a step forward or backward  :)
It's certainly made the display more customisable and that's gotta be a good thing.

Probably pushing my luck but has anyone had success unlocking the 16Mb ARB memory?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 12, 2019, 12:28:27 am
I didn't think I'd like it but the 'Pie chart' screen is my favorite now.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on June 14, 2019, 12:10:35 am
Probably pushing my luck but has anyone had success unlocking the 16Mb ARB memory?

Yes. There are two ways to do it, both of which are described in this thread. I think changing the serial is the easier one.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 1anX on June 14, 2019, 03:24:10 am
Probably pushing my luck but has anyone had success unlocking the 16Mb ARB memory?

Yes. There are two ways to do it, both of which are described in this thread. I think changing the serial is the easier one.
I had help from an advanced forum member and now have the 16Mb arb enabled.
It's amazing what is possible when a group of EEV members put their collective minds together!
There is no way I could have ever hacked my Rigol instruments without the hard work being done by this community, thank you!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: HDR on June 25, 2019, 01:55:44 pm
Does anyone know if you can upgrade a DSA815-TG to a DSA832-TG?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on June 25, 2019, 10:42:13 pm
Does anyone know if you can upgrade a DSA815-TG to a DSA832-TG?

No way, different hardware! Compare the weights of the instruments in the specs, this already tells everything. The higher-spec'd DSA8XX units feature a much more modular design, like the Siglent SSA3000 series.

Cheers,
Thomas
Title: Re: Need help hacking DP832 for multicolour option.
Post by: HDR on June 26, 2019, 10:37:55 am
Thank you!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: aristarchus on June 27, 2019, 05:46:03 pm
Probably pushing my luck but has anyone had success unlocking the 16Mb ARB memory?

Yes. There are two ways to do it, both of which are described in this thread. I think changing the serial is the easier one.
I had help from an advanced forum member and now have the 16Mb arb enabled.
It's amazing what is possible when a group of EEV members put their collective minds together!
There is no way I could have ever hacked my Rigol instruments without the hard work being done by this community, thank you!


Any chance to have this? It would be awesome!

A
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 1anX on June 28, 2019, 06:49:28 am
To unlock/enable the 16Mb arb memory you need to use a license key along with this text file as shown on the Rigol website https://rigol.desk.com/customer/en/portal/articles/2283691-how-do-i-activate-the-dg1000z-memory-upgrade-
Perhaps someone can offer a method of creating a license key from your serial number?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 28, 2019, 08:43:47 am
To unlock/enable the 16Mb arb memory you need to use a license key along with this text file as shown on the Rigol website https://rigol.desk.com/customer/en/portal/articles/2283691-how-do-i-activate-the-dg1000z-memory-upgrade-
Perhaps someone can offer a method of creating a license key from your serial number?
Page 151 of the Rigol User Guide also offers this method of applying option license strings to the DG1000Z series...

2) Install the option by sending SCPI commands
Open the remote control window and send the following option installation commands by referring to “Remote Control”. :LICense:SET <license> or :LICense:INSTall <license> Wherein, <license> is the option license (note that the hyphens should be omitted).
For example,

:LICense:INSTall SM9KD3YPMWNP2AQMST8J5H592EQT (that license string is shown in the manual, you will need the right one for your AWG)

If the option is successfully installed, the prompt message informing you that the option installation succeeds will be displayed; otherwise, the corresponding error message will be displayed.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: aristarchus on June 28, 2019, 11:13:36 am
Thanks for any help.

What I actually did is tried to modify according to starec's findings and hints.
Now I need the 4 digit option code that should be used.
Anyone knows?


A
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 1anX on June 28, 2019, 11:59:14 pm
Thanks for any help.

What I actually did is tried to modify according to starec's findings and hints.
Now I need the 4 digit option code that should be used.
Anyone knows?

A

If you read thru the thread you will find it listed!
options:          JBNE  (0x6D422)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: starec on June 29, 2019, 07:34:32 am
I've sent the PM for you - anyway
there are two options:
JBNE - for permanent license
JNNE - for temporary(timed) license
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 07, 2019, 06:45:06 pm
When I first got a Rigol DM3058E (Bench-Top DMM) several years ago I would get 6 1/2 digit voltage measurement data when I queried it via USB from my PC using MS Excel.  The PC's 6 1/2 digits went away later with a firmware change and haven't been seen since.

I understand that the DM3058 and DM3058E both have a LCD Display capable of displaying the 6 1/2 digits. And if this is valid, could a DM3058E/DM3058 possibly be hacked into a DM3068 'close enough' to also display 6 1/2 digits?

I'm asking on this thread because this seems to be where you real sharp software/firmware guys are hanging out.

PS  Thank you so very much for putting color into my DP832.
By the way I sent the SCPI command via USB using EEVblogger 'PeDre' Messinstrumente (Measuring instruments - program for data transfer and control) which is very easy and fast.  Here is a English link to 'Messinstrumente' (Measuring instruments - program for data transfer and control) ->  https://translate.google.com/translate?hl=en&sl=de&u=http://peter.dreisiebner.at/messinstrumente/index.htm

Edit: Added that I used 'Messinstrumente' to send SCPI command for DP832/A
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Macbeth on July 09, 2019, 12:15:24 am
When I first got a Rigol DM3058E (Bench-Top DMM) several years ago I would get 6 1/2 digit voltage measurement data when I queried it via USB from my PC using MS Excel.  The PC's 6 1/2 digits went away later with a firmware change and haven't been seen since.

In your Excel VBA code you can change the reading mode to CMDSET AGILENT instead of CMDSET RIGOL. This will even give you 8 1/2 digits for free!  :-+ With two caveats... The first of which is you will have to filter out some garbage from the SCPI READ? results, a bug I reported nearly half a decade ago to RIGOL (https://www.eevblog.com/forum/testgear/rigol-dm3058-agilent-scpi-mode-bug-(possibly-affects-dm3068-too)/), and still not fixed. The second is most of those extra digits are just noise anyway.

Quote
I understand that the DM3058 and DM3058E both have a LCD Display capable of displaying the 6 1/2 digits. And if this is valid, could a DM3058E/DM3058 possibly be hacked into a DM3068 'close enough' to also display 6 1/2 digits?

The DM3068 is an entirely different beast to the DM3058 despite the outward appearances. The least of which it uses an LM399 for 7V ref instead of the MAX6325 2.5V ref used in the DM3058.

There is no software hack to switch a 3058 to a 3068, they are completely different hardware and firmware.

(However the firmware for the 3058 is unencrypted and quite hackable for those so inclined.)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 09, 2019, 06:09:06 pm
When I first got a Rigol DM3058E (Bench-Top DMM) several years ago I would get 6 1/2 digit voltage measurement data when I queried it via USB from my PC using MS Excel.  The PC's 6 1/2 digits went away later with a firmware change and haven't been seen since.

I understand that the DM3058 and DM3058E both have a LCD Display capable of displaying the 6 1/2 digits. And if this is valid, could a DM3058E/DM3058 possibly be hacked into a DM3068 'close enough' to also display 6 1/2 digits?

The DM3068 is an entirely different beast to the DM3058 despite the outward appearances. The least of which it uses an LM399 for 7V ref instead of the MAX6325 2.5V ref used in the DM3058.

There is no software hack to switch a 3058 to a 3068, they are completely different hardware and firmware.

(However the firmware for the 3058 is unencrypted and quite hackable for those so inclined.)

When Rigol NA was located in Ohio one of the Support Specialists there told me that the DM3058 and DM3058E DMMs were calibrated on the same Test Fixture as the DM3068, and that he understood that the sixth digit I saw on the MS Excel work sheet was indeed valid.  Although of course I couldn't expect the same accuracy as the DM3068. No problem with this, although if the DM3058/E firmware isn't encrypted, that gives me hope that we may be possibly able to get another digit to be displayed (for 6 1/2 digits).  That indeed would in itself be very nice.

Do you have any thoughts on the possibility of at least being able to get a 6 1/2 Display capability on the DM3058/3058E?  I'm only asking for your opinion.  And thank you for your initial reply to me, as I certainly understand the difference between the DM3058/E and DM3068 much better now.    Cheers, Ted
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on July 09, 2019, 07:11:18 pm
I included here the list of DM3058 / DM3068 SCPI commands based on the latest .LDR.  The FW has 3 separate SCPI command blocks.

https://www.eevblog.com/forum/testgear/lists-of-rigol-scpi-commands/msg2460030/#msg2460030

I think there are commands that allow a model change.

What's the output of?

:SYSTem:TYPE?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 09, 2019, 07:30:42 pm
I included here the list of DM3058 / DM3068 SCPI commands based on the latest .LDR.  The FW has 3 separate SCPI command blocks.

https://www.eevblog.com/forum/testgear/lists-of-rigol-scpi-commands/msg2460030/#msg2460030

I think there are commands that allow a model change.

What's the output of?

:SYSTem:TYPE?
Hello TV84:  The output is -> DM3058E        Thanks, Ted
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on July 09, 2019, 07:34:25 pm
Hello TV84:  The output is -> DM3058E        Thanks, Ted

Hi Ted, what's the difference between the E and non-E versions?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 09, 2019, 07:52:25 pm
TV84:

RE: Hi Ted, what's the difference between the E and non-E versions?
DM3058 and DM3058E are both 5 1/2 digit Bench-Top DMMs, but the DM3058E does not have GPIB or Ethernet (10/100Mbit LAN) that the DM3058 does have.  That is the only difference that I know of.

I was hoping that the DM3058 and DM3068 were similar other than the 5 1/2 vs. 6 1/2 digits, but    Macbeth pointed out that they are not similar.    Thanks for your help, Ted
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 10, 2019, 01:25:04 am
I included here the list of DM3058 / DM3068 SCPI commands based on the latest .LDR.  The FW has 3 separate SCPI command blocks.

https://www.eevblog.com/forum/testgear/lists-of-rigol-scpi-commands/msg2460030/#msg2460030

I think there are commands that allow a model change.
Hello TV84:  I couldn't find anything for changing the model type/name.  Although thank you for the suggestion to look in your SCPI command list.  I scanned the files manually, and performed automatic file searches.   Ted

Edit: Of course I could try using :SYSTem:TYPE DM3068    As this would be the natural command, and we know :SYSTem:TYPE? works to find the Model Type.  It seems like it may be low risk? ?   But I don't want to brick my unit.

Edit 2: I used  :SYSTem:TYPE DM3068 plus various combinations of the command structure and nothing worked to do anything.  The plus side is that all is still OK with my DM3058E. So no 6 1/2 digits for it, but it's not bricked either.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: mike47203 on July 10, 2019, 01:56:48 am
So, I am trying to enable the 16m option on my newly upgraded DG1022Z using what starec and tv84 mentioned here, but I am not having any luck. It seems I haven't successfully modified riglol1.03d to make it work. I changed the private key and the character maps, but generated key is still incorrect. I am sure I am missing something. Any help would be appreciated.

I attached a diff file of how I changed riglol.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: starec on July 10, 2019, 11:09:14 am
Ok, 1-2 weeks ago I've modified riglol 1.03d for DG1000Z generation/calculation

Here is the full source code:
Code:
char version[]             = "Riglol 1.03d";
char DP832_private_key[]   = "5C393C30FACCF4"; //publ: 0x5EC2D25AE85124
char DS2000_private_key[]  = "8EEBD4D04C3771"; //publ: 0x8445B2BE29E5C7
char DSA815_private_key[]  = "80444DFECE903E"; //publ: 0x691213692D18FA
char DS1000Z_private_key[] = "6F1106DDA994DA"; //publ: 0x58E9F183B924BB
char DG1000Z_private_key[] = "7412E98108CAB0"; //publ: 0x586E719859AF6C

static char* ascii_map;
static const char ascii_map_dg[] = "MNBVCXZASDFGHJKLPUYTREWQ23456789";
static const char ascii_map_[] = "23456789ASDFGHJKLPUYTREWQMNBVCXZ";

char no_private_key[]      = "";

/*
** sign the secret message (serial + opts) with the private key
*/
void ecssign(char *serial, char *options, char *privk, char *lic1, char *lic2) {
    char prime1[]  = "AEBF94CEE3E707";
    char prime2[]  = "AEBF94D5C6AA71";
    char curve_a[] = "2982";
    char curve_b[] = "3408";
    char point1[]  = "7A3E808599A525";
    char point2[]  = "28BE7FAFD2A052";
    int k_offset = 0; // optionally change ecssign starting offset (changes lic1; makes different licenses)
    mirsys(800, 16)->IOBASE = 16;

    sha sha1;
    shs_init(&sha1);

    char *ptr = serial;
    while(*ptr) shs_process(&sha1, *ptr++);
    ptr = options;
    while(*ptr) shs_process(&sha1, *ptr++);

    char h[20];
    shs_hash(&sha1, h);
    big hash = mirvar(0);
    bytes_to_big(20, h, hash);

    big a = mirvar(0);
    instr(a, curve_a);
    big b = mirvar(0);
    instr(b, curve_b);
    big p = mirvar(0);
    instr(p, prime1);
    big q = mirvar(0);
    instr(q, prime2);
    big Gx = mirvar(0);
    instr(Gx, point1);
    big Gy = mirvar(0);
    instr(Gy, point2);
    big d = mirvar(0);
    instr(d, privk);
    big k = mirvar(0);
    big r = mirvar(0);
    big s = mirvar(0);
    big k1 = mirvar(0);
    big zero = mirvar(0);

    big f1 = mirvar(17);
    big f2 = mirvar(53);
    big f3 = mirvar(905461);
    big f4 = mirvar(60291817);

    incr(k, k_offset, k);
    epoint *G = epoint_init();
    epoint *kG = epoint_init();
    ecurve_init(a, b, p, MR_PROJECTIVE);
    epoint_set(Gx, Gy, 0, G);

    for(;;) {
        incr(k, 1, k);

        if(divisible(k, f1) || divisible(k, f2) || divisible(k, f3) || divisible(k, f4))
            continue;

        ecurve_mult(k, G, kG);
        epoint_get(kG, r, r);
        divide(r, q, q);

        if(mr_compare(r, zero) == 0)
            continue;

        xgcd(k, q, k1, k1, k1);
        mad(d, r, hash, q, q, s);
        mad(s, k1, k1, q, q, s);

        if(!divisible(s, f1) && !divisible(s, f2) && !divisible(s, f3) && !divisible(s, f4))
            break;
    }

    cotstr(r, lic1);
    cotstr(s, lic2);
}

/*
** convert string to uppercase chars
*/
char *strtoupper(char *str) {
    char *p;
    for (p=str; *p; p++)
        *p = toupper(*p);
    return str;
}

/*
** prepend a char to a string
*/
char *prepend(char *c, char *str) {
    int i;

    for (i = strlen(str); i >= 0; i--) {
        str[i + 1] = str[i];
    }

    str[0] = *c;
    return c;
}

/*
** convert hex-ascii-string to rigol license format
*/
void map_hex_to_rigol(char *io) {
    unsigned long long b = 0;
    int i = 0;
    char map[] = {
        'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
        'J', 'K', 'L', 'M', 'N', 'P', 'Q', 'R',
        'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
        '2', '3', '4', '5', '6', '7', '8', '9'
    };

    /* hex2dez */
    while (io[i] != '\0') {
        if (io[i] >= '0' && io[i] <= '9') {
            b = b * 16 + io[i] - '0';
        } else if (io[i] >= 'A' && io[i] <= 'F') {
            b = b * 16 + io[i] - 'A' + 10;
        } else if (io[i] >= 'a' && io[i] <= 'f') {
            b = b * 16 + io[i] - 'a' + 10;
        }
        i++;
    }

    for (i = 3; ; i--) {
        io[i] = map[b & 0x1F];
        if (i == 0) break;
        b >>= 5;
    }

    io[4] = '\0';
}

char *get_version() {
  char *v;

  v=version;
  return v;
}

void show_help(char *cmd) {
    printf("%s\n", get_version());
    printf("\n");
    printf("Usage: %s <sn> <opts> <privkey>\n", cmd);
    printf("  <sn>       serial number of device (D............)\n");
    printf("  <opts>     device options, 4 characters, see below\n");
    printf("  <privkey>  private key (optional)\n");
    printf("\n");
    printf("DP832 starting from v1.09 device options:\n");
    printf("  first character:  F = official, B = trial\n");
    printf("  F3PT - Accuracy\n");
    printf("  F6PT - Analyzer and Monitor\n");
    printf("  F6LT - LAN\n");
    printf("  FALT - RS232\n");
    printf("  FLLT - Trigger\n");
    printf("\n");
    printf("DP832 up to v1.06 device options:\n");
    printf("  first character:  M = official, 5 = trial\n");
    printf("  MWSS - Trigger\n");
    printf("  MWTB - Accuracy\n");
    printf("  MWTC - LAN and RS232\n");
    printf("  MWTE - Analyzer and Monitor\n");
    printf("\n");
    printf("DS1000z device options:\n");
    printf("  DSAB - Advanced Triggers\n");
    printf("  DSAC - Decoders\n");
    printf("  DSAE - 24M Memory\n");
    printf("  DSAJ - Recorder\n");
    printf("  DSBA - 500uV Vertical\n");
    printf("\n");
    printf("DG1000z device options:\n");
    printf("  JBNE - 16M Memory\n");
    printf("\n");
    printf("DS2000 device options:\n");
    printf("  first character:  D = official, V = trial\n");
    printf("  DSAB - Advanced Triggers\n");
    printf("  DSAC - Decoders\n");
    printf("  DSAE - 56M Memory\n");
    printf("  DSAJ - 100MHz\n");
    printf("  DSAS - 200MHz\n");
    printf("  DSAZ - all options\n");
    printf("\n");
    printf("DS4000 device options:\n");
    printf("  first character:  D = official, V = trial\n");
    printf("  DSHB - RS232 Decoder\n");
    printf("  DSHC - SPI Decoder\n");
    printf("  DSHE - I2C Decoder\n");
    printf("  DSHJ - CAN Decode\n");
    printf("  DSHS - FlexRay Decoder\n");
    printf("  DSH9 - all options\n");
    printf("\n");
    printf("DSA815 device options:\n");
    printf("  first character:  A = official, S = trial\n");
    printf("  AAAB - Tracking Generator\n");
    printf("  AAAC - Advnced Measurement Kit\n");
    printf("  AAAD - 10Hz RBW\n");
    printf("  AAAE - EMI/Quasi Peak\n");
    printf("  AAAF - VSWR\n");
    printf("\n");
    printf("MAKE SURE YOUR FIRMWARE IS UP TO DATE BEFORE APPLYING ANY KEYS\n");
}

static int ascii_to_bin(char c)
{
    int i;

    for (i = 0; i < 0x20; i++)
        if (ascii_map[i] == c)
            break;
    return i;
}

static char *options_4to5(const char *opt4, char *opt5)
{
    int map[] = { 0, 3, 2, 1 };
    int i, opt = 0;

    for (i = 0; i < 4; i++)
        opt = (opt << 5) | ascii_to_bin(opt4[map[i]]);
    for (i = 0; i < 5; i++) {
        opt5[i] = ascii_map[opt & 0x0F];
        opt >>= 4;
    }
    opt5[i] = 0;
    return opt5;
}

static void format_license_dp832_109(char *lic1_code, char *lic2_code,
                                     char *options, char *licence, int isDG)
{
    const int map1dp[] = { 4, 11, 16, 23, 0, 24, 6, 22, 8, 20, 18, 25 };
    const int map2dp[] = { 3, 14, 19, 9, 26, 5, 1, 10, 12, 13, 15, 21 };
    const int map3dp[] = { 2, 7, 17, 27 };

    const int map1dg[] = {3, 0xE, 0x13, 9, 0x1A, 5, 7, 0x11, 0xC, 0x18, 6, 0x16};
    const int map2dg[] = {4, 0xB, 0x10, 0x17, 0, 8, 0x14, 0x1B, 2, 0xD, 0xF, 0x15};
    const int map3dg[] = {1, 0xA, 0x12, 0x19};

    const int *map1 = isDG?map1dg:map1dp;
    const int *map2 = isDG?map2dg:map2dp;
    const int *map3 = isDG?map3dg:map3dp;
    unsigned long long k;
    int i;

    k = strtoll(lic1_code, NULL, 16);
    for (i = 0; k < (1ULL << 51); i++)
        k = (k << 4) | 0;
    k = (k << 4) | i;
    for (i = 0; i < 12; i++) {
        licence[map1[i]] = ascii_map[k & 0x1F];
        k >>= 5;
    }

    k = strtoll(lic2_code, NULL, 16);
    for (i = 0; k < (1ULL << 51); i++)
        k = (k << 4) | 5;
    k = (k << 4) | i;
    for (i = 0; i < 12; i++) {
        licence[map2[i]] = ascii_map[k & 0x1F];
        k >>= 5;
    }

    if (isDG) {
        int map[] = { 0, 3, 2, 1 };
        char *opt = strdup(options);
        for (i = 0; i < 4; i++)
            opt[i] = options[map[i]];
        for (i = 0; i < 4; i++)
            licence[map3[i]] = opt[3 - i];
        free(opt);
    }
    else
        for (i = 0; i < 4; i++)
            licence[map3[i]] = options[i];

    licence[28] = 0;
}

static void format_license_classic(char *lic1_code, char *lic2_code,
                                   char *options, char *licence)
{
    char *lic_all, *chunk, *temp;
    int i, j;

    /* fix missing zeroes */
    while (strlen(lic1_code) < 14) {
        prepend("0", lic1_code);
    }
    while (strlen(lic2_code) < 14) {
        prepend("0", lic2_code);
    }

    /* combine lic1 and lic2 */
    lic_all = (char*)calloc(128, 1);
    temp = (char*)calloc(128, 1);
    chunk = (char*)calloc(6, 1);
    strcpy(lic_all, lic1_code);
    strcat(lic_all, "0");
    strcat(lic_all, lic2_code);
    strcat(lic_all, "0");

    /* generate serial */
    i=0;
    while (i < strlen(lic_all)) {
        memcpy(chunk, lic_all + i, 5);
        map_hex_to_rigol(chunk);
        strcat(temp, chunk);
        i = i + 5;
    }

    /* add options and "-" */
    j = 0;
    for(i = 0; i <= strlen(temp); ) {
       switch(j) {
         case 1:  licence[j] = options[0];  break;
         case 7:  licence[j] = '-';         break;
         case 10: licence[j] = options[1];  break;
         case 15: licence[j] = '-';         break;
         case 19: licence[j] = options[2];  break;
         case 23: licence[j] = '-';         break;
         case 28: licence[j] = options[3];  break;
         default: licence[j] = temp[i];
                  i++;
       }
       j++;
    }
    licence[j] = '\0';

    /* clean up */
    free(lic_all);
    free(chunk);
    free(temp);
}

char *make_licence(char *serial, char *options, char* priv_key)
{
    char options_buffer[8], *opts = options;
    char *lic1_code, *lic2_code, *lic_all;
    char *chunk, *temp, *licence;
    int i, j;

    /* convert string to uppercase chars */
    strtoupper(serial);
    strtoupper(options);
    strtoupper(priv_key);

    int isDG = strncmp(serial, "DG1", 3)?0:1;
    /* convert options string format for DP832 with firmware >= 1.09 or for DG1000Z*/
    if ((!strncmp(serial, "DP8", 3) && options[0] != 'M' && options[0] != '5') || isDG)
        opts = options_4to5(options, options_buffer);

    /* sign the message */
    lic1_code = (char*)calloc(64, 1);
    lic2_code = (char*)calloc(64, 1);
    ecssign(serial, opts, priv_key, lic1_code, lic2_code);

    /* format licence string */
    licence = (char*)calloc(128, 1);
    if ((!strncmp(serial, "DP8", 3) && *options != 'M' && *options != '5') || isDG)
        format_license_dp832_109(lic1_code, lic2_code, options, licence, isDG);
    else
        format_license_classic(lic1_code, lic2_code, options, licence);

    /* clean up */
    free(lic1_code);
    free(lic2_code);

    return licence;
}

char *select_priv_key(char *serial) {
    char *priv_key;

    strtoupper(serial);
    if      (!strncmp(serial, "DS1", 3)) priv_key = DS1000Z_private_key;
    else if (!strncmp(serial, "DS2", 3)) priv_key = DS2000_private_key;
    else if (!strncmp(serial, "DS4", 3)) priv_key = DS2000_private_key;
    else if (!strncmp(serial, "DSA", 3)) priv_key = DSA815_private_key;
    else if (!strncmp(serial, "DP8", 3)) priv_key = DP832_private_key;
    else if (!strncmp(serial, "DG1", 3)) priv_key = DG1000Z_private_key;
    else                                 priv_key = no_private_key;

    return priv_key;
}

int main(int argc, char *argv[]) {
    char *serial, *options, *priv_key, *licence;

    /* parse input */
    if (!((argc == 3 || argc == 4))) {
        show_help(argv[0]);
        exit(1);
    }
    serial = argv[1];
    options = argv[2];

    ascii_map = strncmp(serial, "DG1", 3)?(char*)ascii_map_:(char*)ascii_map_dg;

    if (argc == 4) priv_key = argv[3];
    else {
        priv_key = select_priv_key(serial);
        if (strlen(priv_key) == 0) {
            show_help(argv[0]);
            printf("\nERROR: UNKNOW DEVICE WITHOUT PRIVATKEY\n");
            exit(1);
        }
    }

    if (strlen(priv_key) != 14) {
        show_help(argv[0]);
        printf("\nERROR: INVALID PRIVATE KEY LENGTH\n");
        exit(1);
    }
    if (strlen(serial) < 13) {
        show_help(argv[0]);
        printf("\nERROR: INVALID SERIAL LENGTH\n");
        exit(1);
    }
    if (strlen(options) != 4) {
        show_help(argv[0]);
        printf("\nERROR: INVALID OPTIONS LENGTH\n");
        exit(1);
    }

    licence = make_licence(serial, options, priv_key);
    printf("%s\n", licence);
    free(licence);
}

Edit: I've added the missing line to the function ecssign
Title: Re: Need help hacking DP832 for multicolour option.
Post by: firstcolle on July 10, 2019, 07:30:20 pm
Many many thanks!!!
DP832 hacked to DP832A
DG1022z hacked to DG1062z

I only miss the 16M option, I can't find the procedure in the thread.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on July 10, 2019, 08:44:28 pm
Edit: Of course I could try using :SYSTem:TYPE DM3068    As this would be the natural command, and we know :SYSTem:TYPE? works to find the Model Type.  It seems like it may be low risk? ?   But I don't want to brick my unit.

Edit 2: I used  :SYSTem:TYPE DM3068 plus various combinations of the command structure and nothing worked to do anything.  The plus side is that all is still OK with my DM3058E. So no 6 1/2 digits for it, but it's not bricked either.

:) "I won't brick it..." 5 sec later "Let's do it.."

Well, I think any of those special "set" commands (as always) only work with a vendor USB disk inserted.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on July 10, 2019, 08:45:44 pm
I only miss the 16M option, I can't find the procedure in the thread.

The procedure is in the previous msg (to yours)!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 10, 2019, 10:59:55 pm
Edit: Of course I could try using :SYSTem:TYPE DM3068    As this would be the natural command, and we know :SYSTem:TYPE? works to find the Model Type.  It seems like it may be low risk? ?   But I don't want to brick my unit.

Edit 2: I used  :SYSTem:TYPE DM3068 plus various combinations of the command structure and nothing worked to do anything.  The plus side is that all is still OK with my DM3058E. So no 6 1/2 digits for it, but it's not bricked either.

:) "I won't brick it..." 5 sec later "Let's do it.."

Well, I think any of those special "set" commands (as always) only work with a vendor USB disk inserted.
Hello TV84:  Ok, I'm ready to do it, but what should I use for a 'Vendor USB Disk'?  Can I get one at Walmart, or Amazon?  Hi Hi, Ted
PS  : BTW Hi Hi is similar to Ha Ha.

Edit:  I'm not worried about bricking it as the DM3058 and E version firmware are the same package.  Whereas the DM3068 is apparently different(?).  Although I just noticed that the DM3058/E and DM3068 LDR firmware files are the same size.  So that is interesting, maybe at one time the DM3058 was also going to be used for the DM3068 hardware platform.  Anyway I'm looking forward to going ahead on changing the Model Name, although I don't necessarily have high expectations.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 11, 2019, 12:30:48 am
I added color coded labels to my DM832 as part of its conversion to a DM832A.  Unfortunately I used the camera's Flash that ended up washing out the colors, although the actual label colors are quite well matched to those of the LCD's Classic Display.

Edit:  New replacement photo.  I added Color to the three Channel selection buttons.  Had to use Flash again because the ambient lighting wasn't sufficient.

Last Edit: Added information about Using Sharpie Permanent Color Markers for adding LCD matching colors.

The colors are from Sharpie Permanent Color Markers (fine tip). You will have to go to where they have a huge selection of different color markers, or otherwise get a large (qty 24) assortment package that you can select your particular colors from (confirm that your colors are included). The DC Output labels can be numbered using Dry-Transfer Decals. I had some old miscellaneous VHF Tape labels that simplified things for me.

My channel Button colors, and DC Output number label colors match the LCD display colors very well. You do have to coat the Buttons several times over a couple of days to get the markers to stain the buttons sufficiently, and the results look great. They will basically be permanent, although you can use a solvent on them to lighten the color if required as you go along. You can use gasoline as a solvent (Suggestion! Stay away from open flames). Gasoline will not affect the number label on the buttons, and it is also safe to use on the front panel's surface.  You may prefer using a less volatile solvent, but this works well for me. 
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on July 11, 2019, 12:47:42 am
Hello TV84:  Ok, I'm ready to do it, but what should I use for a 'Vendor USB Disk'?  Can I get one at Walmart, or Amazon?  Hi Hi, Ted
You make it yourself, it's just a USB drive formatted in a particular way with a specific file on it.  Use any old or new USB drive and follow the instructions in this post (https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2475702/#msg2475702) which is all of 1 page back.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on July 11, 2019, 12:51:18 am
I added color coded labels to my DM832 as part of its conversion to a DM832A.  Unfortunately I used the camera's Flash that ended up washing out the colors, although the actual label colors are quite well matched to those of the LCD's Classic Display.
Sweet! Where did you get those labels from?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 11, 2019, 02:21:10 am
I added color coded labels to my DM832 as part of its conversion to a DM832A.  Unfortunately I used the camera's Flash that ended up washing out the colors, although the actual label colors are quite well matched to those of the LCD's Classic Display.
Sweet! Where did you get those labels from?
Hello Gandalf:  For information on how I added Labels and Color to my PD832 to DP832A conversion Front Panel please see ->    https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2540175/#msg2540175

Thanks for the info on the USB Image file that you provided a path to for me.  It hasn't helped, but I don't know if the USB Disk Image is the problem.  Or if it is just that the hack for the DM3058E doesn't do anything, which I kind of expected before (that it wouldn't work).  I have to play with this some more, and also see if I can reformat (low level of course) the USB drive back to its original 256 GB.  Right now its total capacity is at about 31 MB.  So the image must have been 31 MB, although the size of the image file itself was around 16.4 MB.  I know that this is what happens when you transfer a disk image file to a USB drive, so I'm not concerned.  But as I said I don't know if the image process worked properly yet.

Thanks for your assistance, Ted

Edit: Added Link for information about using Sharpie Permanent Color Markers for adding LCD matching colors, etc, and nothing requires disassembly.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on July 11, 2019, 09:30:50 am
@ted572
You're welcome.  If the USB drive reads and has a single file on it then it's almost certainly good and not the reason things aren't working for you.  Mine worked in a DG1022Z and DP832.  If you issue the model command via telnet and get a message like "unrecognized command" on the screen of the device you're trying to upgrade but do get responses to *IDN? then it's probably a bad USB drive - maybe one that the device doesn't like for some reason.  However, a drive you created from the disk image is more likely to work than one you created yourself by formatting and copying the file to the drive.

I don't know if it's possible to upgrade a DM3058E using the USB method, has anyone else done that?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on July 11, 2019, 10:41:20 am
The DM3068 DMM's digital circuitry is built around an Analog Devices Blackfin DSP, I assume it's a similar situation with the DM3058(E). It appears that only Rigol's more recent gear that's based on the Freescale/NXP i.MX or Texas Instrument Sitara ARM Core SOCs can be accessed via the "Magic Stick" method. So your attempts to "talk to" your DM3058E may be futile...  :(
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 11, 2019, 12:29:36 pm
Thank you Gandalf and Tom for your comments.  Yes I believe that the USB SCPI commands aren't going to change this to a DM3068.  I never had high expectations for it, but I wanted to give it a shot.  The DM3058 firmware would need to be modified to do the job of getting 6 1/2 digit display, and that is beyond my capability.

Side note: I send the Rigol SCPI commands via USB using 'Messinstrumente' (Measuring instruments - program for data transfer and control) which is very easy and always works for me.  You enter the SCPI command in the command window and then press Send/Receive.  The command goes out and a second later you see the results as received data.  A good test to see that all is working OK is to send *IDN?, and you should see a reply (Receive Data) with your Model Number and S/N.  Other commands may reply with something like 'Command Executed OK'.  If the command is invalid the program will simply time out 'without a reply', or 'Invalid Command', etc. in 3 - 6 seconds.

I just wondered why I didn't read about anyone else using this for the DP832 to DP832A Mod?  There is a USB type B connector on the back of the unit for this, in addition to the USB type A connector for the USB drive.  It seemed to me that everyone was using LAN or RS232 when the USB is so easy.

Rigol Ultra Sigma would also work for sending USB SCPI commands, but at the expense of adding about 500 GB to your computer, and not being able to uninstall it ALL without manually searching for left over Files and Registry entries.  Even using the more complete Uninstallers such as 'Revo Uninstaller', they won't catch everything, as there will still be well over ten items that won't be automatically cleaned out.

PS:  'Messinstrumente' is a portable program that doesn't get installed on your computer.  You can simply run it from a USB drive, the Desk Top, etc.

Edit: By request, here is an English link to 'Messinstrumente' (Measuring instruments - program for data transfer and control) ->  https://translate.google.com/translate?hl=en&sl=de&u=http://peter.dreisiebner.at/messinstrumente/index.htm
Title: Re: Need help hacking DP832 for multicolour option.
Post by: das_strobel on July 11, 2019, 12:51:25 pm
OK, 1-2 weeks ago I've modified riglol 1.03d for DG1000Z generation/calculation.

Here is the full source code:
...

I tried to make use of this code. I downloaded the sources from http://gotroot.ca/rigol/riglol/ and replaced the original riglol.c with your code. It didn't compile at first, because all the #includes were missing. I added them and it compiled. But still no cigar. The compiled executable runs in general (putting out the help text etc.) but if I try to generate the 16MB option key it just hangs without any message. I can kill the program with Ctrl-C, though.

I did all that using Ubuntu 18.04 running in the native Linux environment on Win10.

Any idea?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: firstcolle on July 11, 2019, 02:24:23 pm
I tried to compile with a C compiler but it gives me some errors..
Which compiler should I use?

I only miss the 16M option, I can't find the procedure in the thread.

The procedure is in the previous msg (to yours)!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on July 11, 2019, 05:56:06 pm
I tried to compile with a C compiler but it gives me some errors..
Which compiler should I use?

That's a tricky question because the riglol / rigup source codes have some bugs (in terms of buffer overruns, unallocated pointers, 32 bits vs 64 bits compilation, etc...). Most guys that are able to compile them do some corrections in order to accomplish it.

If all was good, any compiler should work.

For riglol try compilation in 32 bits or 64 bits, to start.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: mike47203 on July 12, 2019, 12:34:36 am
Starec;

Thanks so much for the code you posted for the modified riglol. I was able to make that work. I did find that one line was missing that caused the program to hang. In the ecssign function at line 41 in your post "instr(a, curve_a)" is missing. Once I added that, it worked perfectly. Much appreciated.

It seems that may be the problem other people were having. If you diff the posted code against the original riglol.c it is apparent what needs to be changed. I had no trouble compiling and running in Linux. Can't say if it works for any other platform.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: das_strobel on July 12, 2019, 09:45:04 am
It seems that may be the problem other people were having. If you diff the posted code against the original riglol.c it is apparent what needs to be changed. I had no trouble compiling and running in Linux. Can't say if it works for any other platform.

Thanks, mike47203! This did the trick also for me. I changed the line, compiled again on my Ubuntu on WSL on Win10, and voila the program runs and the generated key works. 8) :-+ :-+ :-+
Title: Re: Need help hacking DP832 for multicolour option.
Post by: starec on July 13, 2019, 07:30:31 am
In the ecssign function at line 41 in your post "instr(a, curve_a)" is missing. Once I added that, it worked perfectly. Much appreciated.
Yes indeed,
I wrote my own application in Windows and it was all in there. This copied code was from the riglol source itself. I only added my changes and did not check the remaining code, so I didn't notice the missing line - my fault. However, as tv84 has noted, the riglol source codes have some bugs. I'd added (at least) releasing of acquired memory in the fn ecssign as follows:
Code:
mirkill(a);
mirkill(b);
mirkill(p);
mirkill(q);
mirkill(Gx);
mirkill(Gy);
mirkill(d);
mirkill(k);
mirkill(r);
mirkill(s);
mirkill(k1);
mirkill(zero);
mirkill(f1);
mirkill(f2);
mirkill(f3);
mirkill(f4);
mirkill(hash);
epoint_free(G);
epoint_free(kG);
mirexit();
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on July 13, 2019, 08:28:30 am
I'd added (at least) releasing of acquired memory in the fn ecssign as follows

Yep, even this simple thing is missing...  When one runs a single time, it's less important, but if we start reusing, etc, etc all types of weird things start to happen.

Of course the way mem is allocated and the var types/casts are the biggest problem.

riglol is more polished, rigup is much worse. Nonetheless the authors deserve all the credits for creating those tools.
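Added example (not part of the thread and not riglol's own code): two of the bug classes mentioned above, shown as bounds-checked helpers. In the posted source, prepend() shifts a string one byte to the right without knowing the buffer size, and ascii_to_bin() returns 0x20 for a character that is not in the alphabet, which the caller then ORs into the packed value. The function names and the sample alphabet below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample alphabet (RFC 4648 base32), used only for this example. */
static const char SAMPLE_ALPHABET[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

/*
 * Left-pad the NUL-terminated string in buf with '0' up to `width` characters.
 * cap is the full size of buf in bytes, terminator included.
 * Returns 0 on success, -1 if buf is unterminated or the result would not fit.
 * On failure buf is left unchanged; nothing outside buf[0..cap-1] is touched.
 */
int pad_hex_left(char *buf, size_t cap, size_t width)
{
    const char *end;
    size_t len, pad;

    if (buf == NULL || cap == 0)
        return -1;
    end = memchr(buf, '\0', cap);          /* bounded strlen */
    if (end == NULL)
        return -1;                          /* no terminator inside buf */
    len = (size_t)(end - buf);
    if (len >= width)
        return 0;                           /* already wide enough */
    if (width >= cap)
        return -1;                          /* width + terminator would overflow */
    pad = width - len;
    memmove(buf + pad, buf, len + 1);       /* shift text and terminator once */
    memset(buf, '0', pad);
    return 0;
}

/* Index of c in alphabet, or -1 when c is not a member (never an in-band value). */
int alphabet_index(const char *alphabet, char c)
{
    const char *p;

    if (alphabet == NULL || c == '\0')      /* strchr would match the terminator */
        return -1;
    p = strchr(alphabet, c);
    return p ? (int)(p - alphabet) : -1;
}

/*
 * Pack n 5-bit symbols into a fixed-width 64-bit value, most significant first.
 * Rejects unknown symbols, short input and anything that cannot fit in 64 bits.
 * *out is written only on success.
 */
int pack_symbols(const char *alphabet, const char *sym, size_t n, uint64_t *out)
{
    uint64_t v = 0;
    size_t i;

    if (alphabet == NULL || sym == NULL || out == NULL)
        return -1;
    if (strlen(alphabet) != 32 || n > 12)   /* 12 * 5 = 60 bits */
        return -1;
    for (i = 0; i < n; i++) {
        int idx = alphabet_index(alphabet, sym[i]);
        if (idx < 0)
            return -1;                      /* also stops at an early terminator */
        v = (v << 5) | (uint64_t)idx;
    }
    *out = v;
    return 0;
}

int main(void)
{
    char roomy[16] = "1A2B";                /* constructed inputs */
    char tight[8]  = "1A2B";
    uint64_t v = 0;
    int rc;

    rc = pad_hex_left(roomy, sizeof roomy, 14);
    printf("16-byte buffer: rc=%d text=%s\n", rc, roomy);
    rc = pad_hex_left(tight, sizeof tight, 14);
    printf("8-byte buffer:  rc=%d text=%s\n", rc, tight);
    rc = pack_symbols(SAMPLE_ALPHABET, "BA", 2, &v);
    printf("pack \"BA\": rc=%d value=%llu\n", rc, (unsigned long long)v);
    rc = pack_symbols(SAMPLE_ALPHABET, "B!", 2, &v);
    printf("pack \"B!\": rc=%d\n", rc);
    return 0;
}
```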
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Marc M. on July 13, 2019, 10:38:07 pm
... The USB drive must be formatted as FAT, not FAT32 or exFAT. On...

For some reason this isn't always the case.  I just grabbed a brand new 8Gb pre-formatted FAT32 card (older SanDisk HC1), stuck the file on it and powered the supply up with the USB adapter plugged in.  I connected to a Windows laptop with UltraSigma installed and sent IDN to confirm the connection, then issued the :PROJ.... command.  I think it spit out an error but I saw an OK at the bottom so I went ahead and power cycled the supply.  It came up in not-so glorious color.  Arrggh, the pale color palette of grey, white, and light blues is terrible, but I do like the 3 color classic main display. 

Aesthetics aside, I had to jump thru some hoops before I got the above result.  I bought an early supply with the original hardware and firmware (1.04 maybe?) on it.  When I tried it on that firmware it flipped me off with an error.  I remembered there was an issue with newer firmware and hacked options which was not reversible so I never bothered to update it.  Since this hack changes it to an A model, all options are turned on automatically so any risk to previously hacked options won't matter.  I updated the boot loader, then the firmware, and finally the analogs with the latest revision I found somewhere on Rigol's site.  After that was complete, I reconnected, issued the PROJ command and it worked without a problem.  So SD cards are just hit/miss as I violated both the 2 to 4 gig limit and the no FAT32 rules. YMWV but I'd try whatever card you have at hand.

On my already way too long, I'll be dead long before half of it gets done To Do list, I plan on pulling the front panel off and changing out the green LEDs behind the channel enable buttons to reflect the channel color to help differentiate them (at least while they're turned on). Anyone happen to know what size they are?  I voided my warranty long ago dealing with the overheating regulator issue, and I've probably had it longer than 3 years anyway.  Rigol could make a killing selling replacement 832A buttons!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on July 13, 2019, 11:41:31 pm
Changing the LEDs to match the channel colors is a great idea.  I found that my drive that was formatted to FAT worked so I think that FAT32 is not absolutely essential.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on July 14, 2019, 09:03:56 am
These equipments use Linux filesystems so all 3 FAT types should work when we are reading/writing files.

The only limitation is that some Rigol equipments do some USB vendor disk verification (when one wants to do the "upgrades") with direct disk access functions and those should match a specific FAT type or may end up in unpredictable results.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Marc M. on July 14, 2019, 04:18:57 pm
A special thanks again to everybody in the EEVBlog Community who contributed to all the reverse engineering efforts within the Rigol product range which allowed me to maximize the potential of my DSA815, DS2072, and now DP832.  My only regret was buying a DG4162 instead of a 4062  :palm:.  You guys rock!

I said screw it, stayed up late and swapped out the LED's which were 0806's.  I didn't have any in purple, so I stuck a red one in for now.  Got some purple and some hopefully yellower yellow LEDs heading this way from China.  All I can say is Wow! what a difference.  I was worried the replacements wouldn't be bright enough but I was wrong, they are quite a bit brighter than the stock green ones.  I'm so happy with the results, one of these days I'm going to pull my Rigol DS2072 apart and replace the front panel LEDs on that because the green ones on that are barely visible.

I was also surprised to see provisions for a set of 4th channel buttons both on the PCB and the molding in the front case.  I had sniffed around looking for a photo of the front keyboard to determine the LED size ahead of time but couldn't find one.  Dave didn't pull the front board when he did his teardown either so here's a shot of mine for the curious.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 1anX on July 16, 2019, 10:41:22 am
Marc M where are you getting your smd 0806 leds from?
Looks great with the coloured leds and if cheap from China I think I will do the same to mine just for fun!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 16, 2019, 11:06:28 am
DP800 Firmware 16 (re. DP832/A, etc.) initial 00.01.16.00.00 was a Beta version, although the current version 00.01.16.00.02 (2019-1-31) is an official released version.

Edit: Added applicable improvements.
     
    Support for USB-GPIB
    Fixed *OPT? command
    Fixed cursor settings
    Fixed LAN Library (network stability)
    Other. . . .
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Marc M. on July 16, 2019, 01:48:53 pm
... where are you getting your smd 0806 leds from?...
I can't say for sure, had them for several years.  My guess is either Fleabay or AliExpress, I think I just bought an assortment of 5 colors for stock.  The purpler red and hopefully yellower yellow LEDs I ordered for this are coming from Fleabay.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: JDubU on July 16, 2019, 04:56:24 pm
Is the LED source voltage high enough to put a red and blue led in series for channel 3?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: HDR on July 17, 2019, 08:02:42 am
Does anyone know if you can upgrade a DSA815-TG to a DSA832-TG?

No way, different hardware! Compare the weights of the instruments in the specs, this already tells everything. The higher-spec'd DSA8XX units feature a much more modular design, like the Siglent SSA3000 series.

Cheers,
Thomas

OK, I just ordered the Rigol DSA832E-TG. Do you think I can upgrade it to DSA832-TG or even DSA875-TG? The weight of them seems to be equal.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: 2N3055 on July 17, 2019, 09:24:28 am
Does anyone know if you can upgrade a DSA815-TG to a DSA832-TG?

No way, different hardware! Compare the weights of the instruments in the specs, this already tells everything. The higher-spec'd DSA8XX units feature a much more modular design, like the Siglent SSA3000 series.

Cheers,
Thomas

Ok, I just ordered the Rigol DSA832E-TG. Do you think I can upgrade it to DSA832-TG or even DSA875-TG? The weight of them seems to be equal.

No and no.
Different hardware. Sorry.

Best regards,
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 17, 2019, 10:38:15 am
i just ordered the Rigol DSA832E-TG. Do you think I can upgrade it to DSA832-TG or even DSA875-TG?
No, you will NOT be able to upgrade it to either other model, although you have made an excellent economical choice.  You won't regret your choice in the future!  The DSA832E is an excellent product, and the differences between it and the DSA832 (non E) are insignificant for normal/most Spectrum Analyzer applications, especially as a hobbyist.  Congratulations, and enjoy your new instrument!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: HDR on July 17, 2019, 10:57:24 am
Thank you!
I also think that it is absolutely sufficient for my projects. But in Germany we say "Haben ist besser als brauchen." (To have is better than to need)  ;D
Title: Re: Need help hacking DP832 for multicolour option.
Post by: ted572 on July 17, 2019, 11:34:42 am
Thank you!
I also think that it is absolutely sufficient for my projects. But in Germany we say "Haben ist besser als brauchen." (To have is better than to need)  ;D
Dann schäme dich, denn anscheinend hast du eine der goldenen Regeln deiner Nation gebrochen. Vielleicht sollten Sie umkehren, Ihre Bestellung stornieren und einen RSA3000 / 5000 kaufen. Hi Hi

Title: Re: Need help hacking DP832 for multicolour option.
Post by: 1anX on July 20, 2019, 01:14:07 am
Thank you!
I also think that it is absolutely sufficient for my projects. But in Germany we say "Haben ist besser als brauchen." (To have is better than to need)  ;D
Dann schäme dich, denn anscheinend hast du eine der goldenen Regeln deiner Nation gebrochen. Vielleicht sollten Sie umkehren, Ihre Bestellung stornieren und einen RSA3000 / 5000 kaufen. Hi Hi

I wondered what was said so did the translate to english thing.

"Then be ashamed, because apparently you have broken one of the golden rules of your nation. Maybe you should reverse, cancel your order and buy a RSA3000 / 5000. Hi Hi"
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Vaiti on July 31, 2019, 06:09:54 am
Quick Guide
Flash the rigol-key.img from the attached zipfile to a USB drive using your preferred disk imaging software. (dd/Win32 Disk Imager)

Power on the device, and insert the thumbdrive

Send the SCPI command to change the model number:

--For the DP800 series--
Code: [Select]
:PROJ:SET MODEL,DP832A
--For the DG1000Z series--
Code: [Select]
:PROJ:STAT MODEL,DG1062Z
You can then unlock the Arb16Mb option with this command as well; it will show as trial, but will never expire. (This sets your serial number to DG1ZA000000000; you can revert this by replacing the string with the serial found on the back of your unit, if you have need.)
Code: [Select]
:PROJ:STAT SN,DG1ZA000000000
--For the DL3000 series--
Code: [Select]
:PROJ:SET MODEL,DL3021A
Reboot the device and you should be done.

Rigol's Ultra Sigma and the IVI drivers it provides have always been very flaky for me, so I used Messinstrumente with Zadig USB drivers

http://peter.dreisiebner.at/messinstrumente/Messinstrumente_2019-06-14.zip
https://zadig.akeo.ie/downloads/

I wanted to make a quick recap as this thread has gotten pretty long and it actually took me awhile to sort out some of the details and find the original posts that had the relevant information.
I also had trouble with Rigol's Ultra Sigma when trying to issue the SCPI commands, and ted572 (Thank you!) had made a suggestion to use Messinstrumente, and that worked immediately with no issue after installing the Zadig USB driver for the device.

I'm including the rigol-key.zip with this post for ease of download, but credit must go to tossu
https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2475702/#msg2475702

A huge thank you to volkimel, tv84, tossu for making this hack happen.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: maxpayne on August 01, 2019, 05:59:23 pm
This didn't work for me!

I am getting message "Remote command is incorrect"

Am I doing anything wrong ?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tossu on August 01, 2019, 06:43:23 pm
I am getting message "Remote command is incorrect"

Am I doing anything wrong ?

Most probably, your USB drive is not set up properly. Make sure you insert the drive after the PSU has booted. If you prepared the drive using the old method Vaiti described, try using the disk image I made later: https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2475702/#msg2475702
Title: Re: Need help hacking DP832 for multicolour option.
Post by: maxpayne on August 01, 2019, 06:44:31 pm
I partitioned a 16GB drive to 4096MB, full formatted it with FAT32 and then copied the keyfile.bin
Title: Re: Need help hacking DP832 for multicolour option.
Post by: maxpayne on August 01, 2019, 06:55:08 pm
I am getting message "Remote command is incorrect"

Am I doing anything wrong ?

Most probably, your USB drive is not set up properly. Make sure you insert the drive after the PSU has booted. If you prepared the drive using the old method Vaiti described, try using the disk image I made later: https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2475702/#msg2475702

Thanks Tossu. the disk image method worked and I am greeted with a color display !!

Needs to be FAT I believe, not FAT32, I'll edit my post to make that more clear. I actually thought I should have put more emphasis on that when I wrote it

FAT32 worked as well in my case :)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: maxpayne on August 01, 2019, 07:14:01 pm
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depend on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
He will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That all  :D

Can hack the DC Load DL3021 to DL3031A?  Like the DG811 to DG992?

Can't the DL3021 hack be done when connected via USB, the same way as the DP832?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: aristarchus on August 01, 2019, 07:34:34 pm
I partitioned a 16GB drive to 4096MB, full formatted it with FAT32 and then copied the keyfile.bin

Read again tossu's message, "You can format a drive as FAT "..

Anyway, the trick is to have the 'magic' sector written with the proper value, give it a try with some other usb sticks.

/PS
LoL for the time it took me to write this, it was already answered and done.. :-))
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on August 01, 2019, 08:39:21 pm
Yes, and for the DG800 / DG900 with a slightly different "Magic Stick" (https://www.eevblog.com/forum/testgear/new-rigol-16-bit-function-generators-dg800900-series/msg2420391/#msg2420391)  ;)

Cheers,
Thomas
Title: Re: Need help hacking DP832 for multicolour option.
Post by: maxpayne on August 02, 2019, 03:42:38 am
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depend on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
He will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That all  :D

Can hack the DC Load DL3021 to DL3031A?  Like the DG811 to DG992?

Can't the DL3021 hack be done when connected via USB, the same way as the DP832?

I just tested with USB. Though the command was successful, I saw OK message, it does not work and my load model remains the same i.e. DL3021.

Perhaps I have to use the serial /RS232 interface.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: LdkE on August 02, 2019, 06:42:02 am
Quick Guide
Flash the rigol-key.img from the attached zipfile to a USB drive using your preferred disk imaging software. (dd/Win32 Disk Imager)

Power on the device, and insert the thumbdrive

Send the SCPI command to change the model number:

For the DP800 series
Code: [Select]
:PROJ:SET MODEL,DP832A
For the DG1000Z series
Code: [Select]
:PROJ:STAT MODEL,DG1062Z
For the DL3000 series
Code: [Select]
:PROJ:SET MODEL,DL3021A
Reboot the device and you should be done.

Rigol's Ultra Sigma and the IVI drivers it provides have always been very flaky for me, so I used Messinstrumente with Zadig USB drivers

http://peter.dreisiebner.at/messinstrumente/Messinstrumente_2019-06-14.zip
https://zadig.akeo.ie/downloads/

I wanted to make a quick recap as this thread has gotten pretty long and it actually took me awhile to sort out some of the details and find the original posts that had the relevant information.
I also had trouble with Rigol's Ultra Sigma when trying to issue the SCPI commands, and ted572 (Thank you!) had made a suggestion to use Messinstrumente, and that worked immediately with no issue after installing the Zadig USB driver for the device.

I'm including the rigol-key.zip with this post for ease of download, but credit must go to tossu
https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2475702/#msg2475702

A huge thank you to volkimel, tv84, tossu for making this hack happen.

Followed Vaiti's quick guide, after connecting my DP832 with the PC via USB cable I installed the zadic driver on my PC, started Messinstrumente and shot the command over - BAM - it worked like a charm for me  :clap: :clap: :clap:

 :-+ :-+ :-+ Biggest thanks to volkimel, tv84, tossu and Vaiti for the hack and posting a quick guide that not everybody has to dig through the whole thread  :-+ :-+ :-+
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Vaiti on August 03, 2019, 06:00:54 pm
I said screw it, stayed up late and swapped out the LED's which were 0806's.

0806 denotes 0.8x0.6 millimeters correct? If so, are you sure they aren't 0805's? Those are more readily available on eBay and Aliexpress, the 0806's seem to be non-existent.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tautech on August 03, 2019, 08:53:04 pm
I said screw it, stayed up late and swapped out the LED's which were 0806's.

0806 denotes 0.8x0.6 millimeters correct? If so, are you sure they aren't 0805's? Those are more readily available on eBay and Aliexpress, the 0806's seem to be non-existent.
I'd guess from below it's a typo of an imperial size:

(https://images0.cnblogs.com/blog/268182/201308/30130002-0f4a03e9a34146baaf43989806a36dec.png)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: JDubU on August 04, 2019, 01:20:41 pm
I said screw it, stayed up late and swapped out the LED's which were 0806's.

0806 denotes 0.8x0.6 millimeters correct? If so, are you sure they aren't 0805's? Those are more readily available on eBay and Aliexpress, the 0806's seem to be non-existent.

Here is a Digikey search of 0806 LED's:
https://www.digikey.com/products/en/optoelectronics/led-lighting-white/124?k=led+0806&k=&pkeyword=led+0806&sv=0&pv16=3364&pv16=3790&sf=1&FV=ffe0007c&quantity=&ColumnSort=0&page=1&pageSize=25

They are 0806 imperial sized SMD packages -- 0.080" L x 0.065" W (2.04mm x 1.64mm)



Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on August 30, 2019, 01:28:20 pm
I ordered and received 0805 LEDs of suitable colors, I will report back on how well they fit but I am expecting them to work just fine.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: CCB on September 05, 2019, 09:23:16 am
Just wanted to add that I've upgraded to latest firmware v00.01.16.00.02  2019-1-31 and it kept the options enabled. I had to check the manual to change the language back to English.

Also changed to DP832A and it's fantastic the new font and colours are great. Thank you sooo much!  :) :) :-+



Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on September 05, 2019, 09:57:32 am
Just wanted to add that I've upgraded to latest firmware v00.01.16.00.02  2019-1-31 and it kept the options enabled. I had to check the manual to change the language back to English.

Also changed to DP832A and it's fantastic the new font and colours are great. Thank you sooo much!  :) :) :-+
Does anyone have any info on what's different between the latest version and mine, which is v00.01.14.00.03?  Is there any effect on calibration when making the upgrade?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Vaiti on September 05, 2019, 10:40:34 am
Calibration should remain the same.

Rigol DP800 Changelog:
-Update of this version-

v00.01.16.00.02   2019-1-31
     
     - Add the support for USB-GPIB
     - Fixed the bug of command "*OPT?"
     - Fixed the bug of cursor settings(Before:set the current firstly, then change the voltage , the cursor is always on the highest digit.)
     - Replacement of LAN Interface Library to solve the problem of network instability.


-Historical Versions and Updates-

v00.01.15.00.02   2017-05-25
     
     - Private version,not public

v00.01.14.00.03   2015-03-10

     - Modify the bug of OVP&OCP
     - Add new models
     - Update help Information

v00.01.13.00.01   2014-11-18

     - Modify the bug of UI display
     - Replacement of USB Device Library to solve the problem of unstable USB Device communication
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on September 05, 2019, 02:17:49 pm
I downloaded the new firmware but the instructions are garbled...

1. Copy .gel file to the root of USB flash
2. Insert USB flash into DP800 (make sure the USB flash can be recognized by DP800). Power on DP800, press and hold HELP button until the update started.
3. Move USB flash after update is finished, then press these button in turn: HELP¡úHELP£¬¡úM4¡úM2¡úM1 (update analog board 1), ¡úM4¡úM2¡úM2 (update analog board 2)
4. Reboot DP800 after all the update finished and check the new version (Utility->system info->M1-M3-M2)

Can anyone help to decipher what line 3 means?

[EDIT] Never mind, I figured it out - ignore all the crap above, here's what worked for me...
1. Copy .gel file to the root of USB flash (I had to have a FAT32 formatted drive and the .gel file was the only file on the drive, you may do better than me)
2. Switch on the DP832(A) and immediately press [Help] button while first 3 ... is displayed, it now says "please insert drive with new firmware"
3. Plug in USB drive and (if it's a good drive) progress bar moves with download and update messages (only took about 30 seconds in total)
4. PSU reboots automatically but now all the menus are in Chinese
5. Press [Utility] > Language (M4) and then select 'English'
6. Check firmware revision by [Utility] > SysInfo and then, while the 3 lines of info are displayed, M1, M3, M2 (the buttons under the display numbered L to R)

The only problem I've found is that the stored settings don't work, it says they are the wrong format. You have to redo all the saved settings files.

That's it
Title: Re: Need help hacking DP832 for multicolour option.
Post by: marshalljmp on September 13, 2019, 03:41:22 pm
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depend on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
He will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That all  :D

Can hack the DC Load DL3021 to DL3031A?  Like the DG811 to DG992?

Can't the DL3021 hack be done when connected via USB, the same way as the DP832?

I just tested with USB. Though the command was successful, I saw OK message, it does not work and my load model remains the same i.e. DL3021.

Perhaps I have to use the serial /RS232 interface.

Just converted my DL3021 to a DL3021A with USB, no problems at all. Send the command and I got a color screen immediately .
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Trident900fi on November 10, 2019, 07:01:47 pm
Usually the USB port is not activated on the DL3021, that's why I gave the procedure to follow in RS232...
Once converted to DL3021A, the USB port is automatically enabled.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: dekagon on November 13, 2019, 09:35:27 am
I want to try to unlock the Arb16M option of my DG1022Z (the option fix to convert it to a DG1062Z was already successful).

The online version of Riglol (1.03d) does not have the capability to create such key :(

Is there another possibility to generate an ARB16M option key for my DG1062Z (aka DG1022Z)?
After intensive search I found no working solution in this thread or forum...

Thanks in advance

Chris
Title: Re: Need help hacking DP832 for multicolour option.
Post by: dekagon on November 14, 2019, 01:07:07 pm
F.Y.I.:

I installed the MinGWgcc compiler package and compiled the windows version from the modified riglol.c code from user @starec (earlier post on page 12).

After inserting some missed #include statements at the beginning of the codefile and trying to compile the sources all is going without failures.  :D
I was able after that to generate an option key for the ARB16M option for DG1022Z.
The installation could be done either with copying the serial number and the option key into a license.txt file as described under
https://rigol.desk.com/customer/en/portal/articles/2283691-how-do-i-activate-the-dg1000z-memory-upgrade-

or alternatively via SCPI/Telnet session to IP-address port 5555 and the command  :LICense:INSTall <Riglol license key output>

After all everything is quite perfect now  8)

Many thanks to all the users who made this work possible!

Chris
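Added example (not from any poster in this thread): a lab-side audit that scans a captured SCPI session log for the commands named in the posts above (:PROJ:SET, :PROJ:STAT, :LICense:INSTall) and for an instrument whose *IDN? model string changes between queries. The log format, addresses, serial number and function names are constructed for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "lineno client kind detail")

# Headers taken from the posts above, in SCPI mixed-case notation:
# the capitals are the short form, the whole word is the long form.
WATCHED = {
    "PROJ:SET": "identity-change",
    "PROJ:STAT": "identity-change",
    "LICense:INSTall": "license-install",
}

# Constructed log format: <time> <client> <dir> <instrument> <payload>
# dir is ">" for a command sent, "<" for the instrument's reply.
LINE = re.compile(r"^(\S+)\s+(\S+)\s+([<>])\s+(\S+)\s+(.*)$")


def mnemonic_forms(spec):
    """Return the two spellings SCPI accepts for one mnemonic (short, long)."""
    short = "".join(ch for ch in spec if not ch.islower())
    return {short.upper(), spec.upper()}


def classify(command):
    """Return the finding kind for a single SCPI command, or None."""
    parts = command.strip().split(None, 1)
    if not parts:
        return None
    # Header is everything before the first space; matching is case-insensitive.
    got = parts[0].lstrip(":").upper().split(":")
    for spec, kind in WATCHED.items():
        want = spec.split(":")
        if len(got) == len(want) and all(
                g in mnemonic_forms(w) for g, w in zip(got, want)):
            return kind
    return None


def audit(lines):
    """Scan log lines and return a list of Finding tuples."""
    findings = []
    awaiting_idn = set()   # instruments that were just sent *IDN?
    last_model = {}        # instrument -> model field of its last *IDN? reply
    for lineno, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        _, client, direction, inst, payload = m.groups()
        if direction == ">":
            # A compound message carries several commands separated by ';'.
            # Each one is treated as a root-level command here; relative
            # paths inside a compound message are not resolved.
            for cmd in payload.split(";"):
                if cmd.strip().upper() == "*IDN?":
                    awaiting_idn.add(inst)
                kind = classify(cmd)
                if kind:
                    findings.append(Finding(lineno, client, kind, cmd.strip()))
        elif inst in awaiting_idn:
            awaiting_idn.discard(inst)
            # IEEE 488.2 *IDN? reply: manufacturer,model,serial,firmware
            fields = [f.strip() for f in payload.split(",")]
            if len(fields) == 4:
                prev, model = last_model.get(inst), fields[1]
                if prev and prev != model:
                    findings.append(
                        Finding(lineno, client, "model-drift", f"{prev} -> {model}"))
                last_model[inst] = model
    return findings


# Constructed sample log (documentation addresses, placeholder serial and key).
SAMPLE_LOG = """\
2019-08-01T18:40:02 192.0.2.10 > 192.0.2.40:5555 *IDN?
2019-08-01T18:40:02 192.0.2.10 < 192.0.2.40:5555 RIGOL TECHNOLOGIES,DP832,DP8X000000000,00.01.16.00.02
2019-08-01T18:41:15 192.0.2.10 > 192.0.2.40:5555 :PROJ:SET MODEL,DP832A
2019-08-01T18:44:30 192.0.2.10 > 192.0.2.40:5555 *IDN?
2019-08-01T18:44:30 192.0.2.10 < 192.0.2.40:5555 RIGOL TECHNOLOGIES,DP832A,DP8X000000000,00.01.16.00.02
2019-08-01T18:50:00 192.0.2.11 > 192.0.2.41:5555 *OPT?;:lic:inst <KEY-PLACEHOLDER>
2019-08-01T18:50:05 192.0.2.11 > 192.0.2.41:5555 *OPT?
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.lineno}: {f.kind:16} from {f.client}: {f.detail}")
```

The model-drift check works without having seen the command itself, so it also catches a change made over USB or RS232 as long as the instrument is later queried on the logged link.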
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Volchenok82 on November 14, 2019, 02:32:34 pm
Hello everyone!  :)

 I was interested in this topic, since I, too, am a “happy” owner of Rigol devices without additional options installed ... Undoubtedly, there are knowledgeable people who have been able to activate the options they need ... Tell me, please, was someone adding the three options through Riglol, or in another simple way, in the DP700 series power supplies - or is this basically impossible?

  If the number of hacked devices via Riglol has expanded (DG1000Z is a prime example!), then what prevents from adding the missing models to the online version of Riglol at http://gotroot.ca/rigol/riglol/ ?

I think that many novice users, such as myself (who have not yet mastered writing programs) will be very grateful to you for this!   ;)

Sorry for the clumsy English ...


Pavel
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Trident900fi on November 17, 2019, 11:49:22 am
Hello guys!  :)

Has anyone of you tried to upgrade a DMM Rigol DM3058E to DM3058 or, better, DM3068?

Looks like it's the same principle as other Rigol devices  :D
Title: Re: Need help hacking DP832 for multicolour option.
Post by: WhichEnt2 on November 17, 2019, 01:29:54 pm
You'd have to change the hardware to do that. They have different refs at least.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Trident900fi on November 17, 2019, 02:41:19 pm
You'd have to change the hardware to do that. They have different refs at least.

Yes it's right. The goal was only to get the better resolution and the higher sampling rate...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: azemati on February 16, 2020, 07:11:29 pm
Hi dear friend
Can you please guide me in hacking Spectrum Analyzer Model DSA832E-TG?
I need EMI-DSA800
EMI Filter & Quasi-Peak Detector Kit

AMK-DSA800
Advanced Measurement Kit

PA-DSA832
Preamplifier option, 100kHz to 3.2GHz (only for DSA832, DSA832E, DSA832E-TG, or DSA832-TG)

Please advise me
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Houseman on February 21, 2020, 02:40:39 pm
Ok, 1-2 weeks ago I've modified riglol 1.03d for DG1000Z generation/calculation

here is a full source code:
Code: [Select]
char version[]             = "Riglol 1.03d";
char DP832_private_key[]   = "5C393C30FACCF4"; //publ: 0x5EC2D25AE85124
char DS2000_private_key[]  = "8EEBD4D04C3771"; //publ: 0x8445B2BE29E5C7
char DSA815_private_key[]  = "80444DFECE903E"; //publ: 0x691213692D18FA
char DS1000Z_private_key[] = "6F1106DDA994DA"; //publ: 0x58E9F183B924BB
char DG1000Z_private_key[] = "7412E98108CAB0"; //publ: 0x586E719859AF6C

static char* ascii_map;
static const char ascii_map_dg[] = "MNBVCXZASDFGHJKLPUYTREWQ23456789";
static const char ascii_map_[] = "23456789ASDFGHJKLPUYTREWQMNBVCXZ";

char no_private_key[]      = "";

/*
** sign the secret message (serial + opts) with the private key
*/
void ecssign(char *serial, char *options, char *privk, char *lic1, char *lic2) {
    char prime1[]  = "AEBF94CEE3E707";
    char prime2[]  = "AEBF94D5C6AA71";
    char curve_a[] = "2982";
    char curve_b[] = "3408";
    char point1[]  = "7A3E808599A525";
    char point2[]  = "28BE7FAFD2A052";
    int k_offset = 0; // optionally change ecssign starting offset (changes lic1; makes different licenses)
    mirsys(800, 16)->IOBASE = 16;

    sha sha1;
    shs_init(&sha1);

    char *ptr = serial;
    while(*ptr) shs_process(&sha1, *ptr++);
    ptr = options;
    while(*ptr) shs_process(&sha1, *ptr++);

    char h[20];
    shs_hash(&sha1, h);
    big hash = mirvar(0);
    bytes_to_big(20, h, hash);

    big a = mirvar(0);
    instr(a, curve_a);
    big b = mirvar(0);
    instr(b, curve_b);
    big p = mirvar(0);
    instr(p, prime1);
    big q = mirvar(0);
    instr(q, prime2);
    big Gx = mirvar(0);
    instr(Gx, point1);
    big Gy = mirvar(0);
    instr(Gy, point2);
    big d = mirvar(0);
    instr(d, privk);
    big k = mirvar(0);
    big r = mirvar(0);
    big s = mirvar(0);
    big k1 = mirvar(0);
    big zero = mirvar(0);

    big f1 = mirvar(17);
    big f2 = mirvar(53);
    big f3 = mirvar(905461);
    big f4 = mirvar(60291817);

    incr(k, k_offset, k);
    epoint *G = epoint_init();
    epoint *kG = epoint_init();
    ecurve_init(a, b, p, MR_PROJECTIVE);
    epoint_set(Gx, Gy, 0, G);

    for(;;) {
        incr(k, 1, k);

        if(divisible(k, f1) || divisible(k, f2) || divisible(k, f3) || divisible(k, f4))
            continue;

        ecurve_mult(k, G, kG);
        epoint_get(kG, r, r);
        divide(r, q, q);

        if(mr_compare(r, zero) == 0)
            continue;

        xgcd(k, q, k1, k1, k1);
        mad(d, r, hash, q, q, s);
        mad(s, k1, k1, q, q, s);

        if(!divisible(s, f1) && !divisible(s, f2) && !divisible(s, f3) && !divisible(s, f4))
            break;
    }

    cotstr(r, lic1);
    cotstr(s, lic2);
}

/*
** convert string to uppercase chars
*/
char *strtoupper(char *str) {
    char *p;
    for (p=str; *p; p++)
        *p = toupper(*p);
    return str;
}

/*
** prepend a char to a string
*/
char *prepend(char *c, char *str) {
    int i;

    for (i = strlen(str); i >= 0; i--) {
        str[i + 1] = str[i];
    }

    str[0] = *c;
    return c;
}

/*
** convert hex-ascii-string to rigol license format
*/
void map_hex_to_rigol(char *io) {
    unsigned long long b = 0;
    int i = 0;
    char map[] = {
        'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
        'J', 'K', 'L', 'M', 'N', 'P', 'Q', 'R',
        'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
        '2', '3', '4', '5', '6', '7', '8', '9'
    };

    /* hex2dez */
    while (io[i] != '\0') {
        if (io[i] >= '0' && io[i] <= '9') {
            b = b * 16 + io[i] - '0';
        } else if (io[i] >= 'A' && io[i] <= 'F') {
            b = b * 16 + io[i] - 'A' + 10;
        } else if (io[i] >= 'a' && io[i] <= 'f') {
            b = b * 16 + io[i] - 'a' + 10;
        }
        i++;
    }

    for (i = 3; ; i--) {
        io[i] = map[b & 0x1F];
        if (i == 0) break;
        b >>= 5;
    }

    io[4] = '\0';
}

char *get_version() {
  char *v;

  v=version;
  return v;
}

void show_help(char *cmd) {
    printf("%s\n", get_version());
    printf("\n");
    printf("Usage: %s <sn> <opts> <privkey>\n", cmd);
    printf("  <sn>       serial number of device (D............)\n");
    printf("  <opts>     device options, 4 characters, see below\n");
    printf("  <privkey>  private key (optional)\n");
    printf("\n");
    printf("DP832 starting from v1.09 device options:\n");
    printf("  first character:  F = official, B = trial\n");
    printf("  F3PT - Accuracy\n");
    printf("  F6PT - Analyzer and Monitor\n");
    printf("  F6LT - LAN\n");
    printf("  FALT - RS232\n");
    printf("  FLLT - Trigger\n");
    printf("\n");
    printf("DP832 up to v1.06 device options:\n");
    printf("  first character:  M = official, 5 = trial\n");
    printf("  MWSS - Trigger\n");
    printf("  MWTB - Accuracy\n");
    printf("  MWTC - LAN and RS232\n");
    printf("  MWTE - Analyzer and Monitor\n");
    printf("\n");
    printf("DS1000z device options:\n");
    printf("  DSAB - Advanced Triggers\n");
    printf("  DSAC - Decoders\n");
    printf("  DSAE - 24M Memory\n");
    printf("  DSAJ - Recorder\n");
    printf("  DSBA - 500uV Vertical\n");
    printf("\n");
    printf("DG1000z device options:\n");
    printf("  JBNE - 16M Memory\n");
    printf("\n");
    printf("DS2000 device options:\n");
    printf("  first character:  D = official, V = trial\n");
    printf("  DSAB - Advanced Triggers\n");
    printf("  DSAC - Decoders\n");
    printf("  DSAE - 56M Memory\n");
    printf("  DSAJ - 100MHz\n");
    printf("  DSAS - 200MHz\n");
    printf("  DSAZ - all options\n");
    printf("\n");
    printf("DS4000 device options:\n");
    printf("  first character:  D = official, V = trial\n");
    printf("  DSHB - RS232 Decoder\n");
    printf("  DSHC - SPI Decoder\n");
    printf("  DSHE - I2C Decoder\n");
    printf("  DSHJ - CAN Decode\n");
    printf("  DSHS - FlexRay Decoder\n");
    printf("  DSH9 - all options\n");
    printf("\n");
    printf("DSA815 device options:\n");
    printf("  first character:  A = official, S = trial\n");
    printf("  AAAB - Tracking Generator\n");
    printf("  AAAC - Advnced Measurement Kit\n");
    printf("  AAAD - 10Hz RBW\n");
    printf("  AAAE - EMI/Quasi Peak\n");
    printf("  AAAF - VSWR\n");
    printf("\n");
    printf("MAKE SURE YOUR FIRMWARE IS UP TO DATE BEFORE APPLYING ANY KEYS\n");
}

static int ascii_to_bin(char c)
{
    int i;

    for (i = 0; i < 0x20; i++)
        if (ascii_map[i] == c)
            break;
    return i;
}

static char *options_4to5(const char *opt4, char *opt5)
{
    int map[] = { 0, 3, 2, 1 };
    int i, opt = 0;

    for (i = 0; i < 4; i++)
        opt = (opt << 5) | ascii_to_bin(opt4[map[i]]);
    for (i = 0; i < 5; i++) {
        opt5[i] = ascii_map[opt & 0x0F];
        opt >>= 4;
    }
    opt5[i] = 0;
    return opt5;
}

static void format_license_dp832_109(char *lic1_code, char *lic2_code,
                                     char *options, char *licence, int isDG)
{
    const int map1dp[] = { 4, 11, 16, 23, 0, 24, 6, 22, 8, 20, 18, 25 };
    const int map2dp[] = { 3, 14, 19, 9, 26, 5, 1, 10, 12, 13, 15, 21 };
    const int map3dp[] = { 2, 7, 17, 27 };

    const int map1dg[] = {3, 0xE, 0x13, 9, 0x1A, 5, 7, 0x11, 0xC, 0x18, 6, 0x16};
    const int map2dg[] = {4, 0xB, 0x10, 0x17, 0, 8, 0x14, 0x1B, 2, 0xD, 0xF, 0x15};
    const int map3dg[] = {1, 0xA, 0x12, 0x19};

    const int *map1 = isDG?map1dg:map1dp;
    const int *map2 = isDG?map2dg:map2dp;
    const int *map3 = isDG?map3dg:map3dp;
    unsigned long long k;
    int i;

    k = strtoll(lic1_code, NULL, 16);
    for (i = 0; k < (1ULL << 51); i++)
        k = (k << 4) | 0;
    k = (k << 4) | i;
    for (i = 0; i < 12; i++) {
        licence[map1[i]] = ascii_map[k & 0x1F];
        k >>= 5;
    }

    k = strtoll(lic2_code, NULL, 16);
    for (i = 0; k < (1ULL << 51); i++)
        k = (k << 4) | 5;
    k = (k << 4) | i;
    for (i = 0; i < 12; i++) {
        licence[map2[i]] = ascii_map[k & 0x1F];
        k >>= 5;
    }

    if (isDG) {
        int map[] = { 0, 3, 2, 1 };
        char *opt = strdup(options);
        for (i = 0; i < 4; i++)
            opt[i] = options[map[i]];
        for (i = 0; i < 4; i++)
            licence[map3[i]] = opt[3 - i];
        free(opt);
    }
    else
        for (i = 0; i < 4; i++)
            licence[map3[i]] = options[i];

    licence[28] = 0;
}

static void format_license_classic(char *lic1_code, char *lic2_code,
                                   char *options, char *licence)
{
    char *lic_all, *chunk, *temp;
    int i, j;

    /* fix missing zeroes */
    while (strlen(lic1_code) < 14) {
        prepend("0", lic1_code);
    }
    while (strlen(lic2_code) < 14) {
        prepend("0", lic2_code);
    }

    /* combine lic1 and lic2 */
    lic_all = (char*)calloc(128, 1);
    temp = (char*)calloc(128, 1);
    chunk = (char*)calloc(6, 1);
    strcpy(lic_all, lic1_code);
    strcat(lic_all, "0");
    strcat(lic_all, lic2_code);
    strcat(lic_all, "0");

    /* generate serial */
    i=0;
    while (i < strlen(lic_all)) {
        memcpy(chunk, lic_all + i, 5);
        map_hex_to_rigol(chunk);
        strcat(temp, chunk);
        i = i + 5;
    }

    /* add options and "-" */
    j = 0;
    for(i = 0; i <= strlen(temp); ) {
       switch(j) {
         case 1:  licence[j] = options[0];  break;
         case 7:  licence[j] = '-';         break;
         case 10: licence[j] = options[1];  break;
         case 15: licence[j] = '-';         break;
         case 19: licence[j] = options[2];  break;
         case 23: licence[j] = '-';         break;
         case 28: licence[j] = options[3];  break;
         default: licence[j] = temp[i];
                  i++;
       }
       j++;
    }
    licence[j] = '\0';

    /* clean up */
    free(lic_all);
    free(chunk);
    free(temp);
}

char *make_licence(char *serial, char *options, char* priv_key)
{
    char options_buffer[8], *opts = options;
    char *lic1_code, *lic2_code, *lic_all;
    char *chunk, *temp, *licence;
    int i, j;

    /* convert string to uppercase chars */
    strtoupper(serial);
    strtoupper(options);
    strtoupper(priv_key);

    int isDG = strncmp(serial, "DG1", 3)?0:1;
    /* convert options string format for DP832 with firmware >= 1.09 or for DG1000Z*/
    if ((!strncmp(serial, "DP8", 3) && options[0] != 'M' && options[0] != '5') || isDG)
        opts = options_4to5(options, options_buffer);

    /* sign the message */
    lic1_code = (char*)calloc(64, 1);
    lic2_code = (char*)calloc(64, 1);
    ecssign(serial, opts, priv_key, lic1_code, lic2_code);

    /* format licence string */
    licence = (char*)calloc(128, 1);
    if ((!strncmp(serial, "DP8", 3) && *options != 'M' && *options != '5') || isDG)
        format_license_dp832_109(lic1_code, lic2_code, options, licence, isDG);
    else
        format_license_classic(lic1_code, lic2_code, options, licence);

    /* clean up */
    free(lic1_code);
    free(lic2_code);

    return licence;
}

char *select_priv_key(char *serial) {
    char *priv_key;

    strtoupper(serial);
    if      (!strncmp(serial, "DS1", 3)) priv_key = DS1000Z_private_key;
    else if (!strncmp(serial, "DS2", 3)) priv_key = DS2000_private_key;
    else if (!strncmp(serial, "DS4", 3)) priv_key = DS2000_private_key;
    else if (!strncmp(serial, "DSA", 3)) priv_key = DSA815_private_key;
    else if (!strncmp(serial, "DP8", 3)) priv_key = DP832_private_key;
    else if (!strncmp(serial, "DG1", 3)) priv_key = DG1000Z_private_key;
    else                                 priv_key = no_private_key;

    return priv_key;
}

int main(int argc, char *argv[0]) {
    char *serial, *options, *priv_key, *licence;

    /* parse input */
    if (!((argc == 3 || argc == 4))) {
        show_help(argv[0]);
        exit(1);
    }
    serial = argv[1];
    options = argv[2];

    ascii_map = strncmp(serial, "DG1", 3)?(char*)ascii_map_:(char*)ascii_map_dg;

    if (argc == 4) priv_key = argv[3];
    else {
        priv_key = select_priv_key(serial);
        if (strlen(priv_key) == 0) {
            show_help(argv[0]);
            printf("\nERROR: UNKNOW DEVICE WITHOUT PRIVATKEY\n");
            exit(1);
        }
    }

    if (strlen(priv_key) != 14) {
        show_help(argv[0]);
        printf("\nERROR: INVALID PRIVATE KEY LENGTH\n");
        exit(1);
    }
    if (strlen(serial) < 13) {
        show_help(argv[0]);
        printf("\nERROR: INVALID SERIAL LENGTH\n");
        exit(1);
    }
    if (strlen(options) != 4) {
        show_help(argv[0]);
        printf("\nERROR: INVALID OPTIONS LENGTH\n");
        exit(1);
    }

    licence = make_licence(serial, options, priv_key);
    printf("%s\n", licence);
    free(licence);
}

Edit: I've added the missing line to the function ecssign


Hi. Thank You for the code.
I have successfully compiled the code with the .c you provided and it runs showing the help guide, but once I use it with my serial number and the JBNE option (with or without the private key) the exe crashes with a segmentation fault 11.
Any hints?
Regards
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on February 21, 2020, 03:11:19 pm
Any hints?

riglol code has plenty of var definition problems, memory leaks and non-deallocated structures. If you don't do an overall verification of the whole code, you must have some luck in choosing the compiler and 32/64 bit architecture.

Overcoming those problems is the skill that one needs in order to earn a generated lic. :)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Houseman on February 21, 2020, 10:10:19 pm
Got it! I understand. Thank You. Managing to compile the whole code and get the bin was already a long way...
Will walk anyway forward. Regards
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Houseman on February 22, 2020, 02:43:38 pm
THANKS MAN.
I have now an OFFICIAL license... (CHINGLISH)
Does it still show to your device?

Regards

Any hints?

riglol code has plenty of var definition problems, memory leaks and non-deallocated structures. If you don't do an overall verification of the whole code, you must have some luck in choosing the compiler and 32/64 bit architecture.

Overcoming those problems is the skill that one needs in order to earn a generated lic. :)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Houseman on February 22, 2020, 10:56:47 pm
First of all, thanks for the great-huge work.
Have a DG1022Z riglol.upgraded to a 1062Z
Works like a charm
HOWEVER.
The Ultrastation Software recognizes the unit as 1062Z but you can only draw waveforms less than 20MHz..
Attached the screenshot.
Any hints??

Thank You.
 

Anybody with the latest FW and manual IP care to check the DP832 settings please? (to check press 'Utility' -> 'IO Config' -> 'LAN')
Do you have the DNS set to 88.218.37.64 after a power cycle, like this?

I upgraded my DP832 to 1.16, and it is doing the same thing. The DNS is set to 88.218.37.64 when a "LAN connected" notification is shown. However, the value I've set is restored if I go back to the DNS settings. I noticed FW 1.14 changes the DNS as well, but it sets it to 0.0.0.0.

I took a quick look at a DG1032Z firmware I found somewhere. I think it's version 1.06. It has a very similar check for the same magic value at sector 0x78EC.

Could someone eager to hack (or brick) their DG1032Z send these commands to it, preferably via USB, and post the results here? The keyfile.bin I made for DP832 should work.
Code:
:PROJ:STAT MCALTIMES,QUERY
*IDN?
:PROJ:STAT MODEL,DG1062Z
*IDN?

The first command is just a sanity check. It should print CH1 = <some number>, CH2 = <some number>.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: _Wim_ on February 23, 2020, 06:20:07 am
The Ultrastation Software recognizes the unit as 1062Z but you can only draw waveforms less than 20MHz..

This is normal, see extract of datasheet below.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on May 26, 2020, 08:58:53 am
I'm trying to get this to run on Win10 64 with mingw64 and LinuxMint64 (on VM).
I get a "segmentation fault (core dump)" error message when executing on Linux.
On Windows the riglol.exe just hangs and I get the typical MS warning when something's not responding.

I've tried both the 1.03d (unchanged) from the gotroot archive as well as the code attached by starec on July 10/ 2019 (including the definitions of the gotroot 1.03d .c file)

The miracl library compiles fine on both configurations (on windows I've used the mingw.bat and on linux the bash linux64 script).
The executable also compiles ok and runs normally when executed giving me the command options and usage.

It's when I put a serial number and a licence 4 digit code that the program fails (so when it actually needs to do something).

I've troubleshot enough to find out that the problem probably lies in the ecurve function call but I'm not sure.
I've put the program to print something from various parts of the code and that's where it loses it.

Many people have successfully compiled and run this so I don't know if there's any needed "skill" at play here as tv84 implied; it's maybe something trivial that's system specific or just an omission of sorts on my part.

Any tips would be greatly appreciated as I'm really curious what I might be doing wrong.
Thanks:)


EDIT: I was able to run the program after I've compiled the miracl library and the riglol.c in 32bit.
I should've tried it a lot sooner I guess; still curious what's wrong with 64bit though..
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on May 30, 2020, 03:14:43 pm
Is there any way to set the DP832 to be DP832A while keeping the 7-segment display as is?
I only need to try the hi-res option to be honest and kind of like the 7-segment display better than the smooth fonts..
So would it be better just to enter the riglol code for "accuracy" instead of performing the model change?
Only reason I considered the model change is that it's reversible.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on May 30, 2020, 04:55:08 pm
You can not have DP832A with 7 segments font, but you can unlock the high resolution option (or any other, or all options) for the DP832, without turning the instrument into a DP832A.  Unlocking the options is different from the method used here.  Search for "Riglol" to find the key generator.

As a side note, the 7 segments font is very hard to read when compared with the fonts of DP832A.  I used to think those 7 segments digits were cool, but the DP832A normal font is so much easier to read that I wouldn't want to go back to seven segments font, ever!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on May 30, 2020, 06:03:44 pm
I'll check both options when my replacement DP832 arrives (I've had a bit of adventure getting a defective unit so I'm in the process of getting a replacement).

I could first try changing the model to DP832A to check the smooth font color screen, if I decide to keep the "A" version I would effectively have a "new" screen and only the high-res option enabled but not the LAN and RS232, correct?

I would then need to unlock the other options within the riglol generator right?

BTW what is the accuracy option "MWTB" for the DP832A?
Isn't this default to all "A" units?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on May 30, 2020, 06:38:32 pm
AFAIK DP832A have all the options enabled by default, including LAN and RS232, so no matter what options were installed before on a DP832, when you turn it into DP832A it will also unlock all the options.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: tv84 on May 30, 2020, 06:50:03 pm
AFAIK DP832A have all the options enabled by default, including LAN and RS232, so no matter what options were installed before on a DP832, when you turn it into DP832A it will also unlock all the options.

You're correct!  :-+
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on May 30, 2020, 07:01:43 pm
I know the fonts are nicer on the DP832A but it does have a display mode that looks like the single-color display on the DP832 (you can choose the single color on the DP832) but, on the DP832A, the 3 sections are color-coded to each supply plus the fonts are cleaner.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: PA0PBZ on May 30, 2020, 07:19:10 pm
I use this setting:

(https://pbs.twimg.com/media/ENyCIBtX0AEuur1.jpg)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on May 30, 2020, 07:59:01 pm
Okay you've convinced me. ^-^
So no Riglol at all with this unit..
Just a model change and we're done. (all the options plus the clearer screen)
I know it's been said before but since the DP832 doesn't come with the LAN I guess the SCPI command is to be executed via the UltraSigma software, yes?

If so I need to be on a Windows PC to do it.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: RoGeorge on May 30, 2020, 08:24:04 pm
No.  All the hardware is present in all units.  DP832 or DP832A are identical in hardware no matter what options they had at the buying moment.  You will have both LAN and RS232, and LXI and everything, and in either case you won't need ultra sigma anyway.  Nobody uses that.   ;D

The only difference between a DP832 and DP832A is the front panel that is painted in many colors for the DP832A version.

You'll have everything possible like it would be with the most expensive DP832A.

Stop worrying and in the meantime read the user manual and the programming manual, or even better before the manuals (if you plan to control the power source remotely) search online for introductory info about the SCPI standard.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on May 30, 2020, 08:30:00 pm
No, I mean in order to initially get my DP832 to change to the "A" model wouldn't I need to connect it w/USB in order to send the command?

Since it won't come with the LAN option enabled I can't just insert the USB drive, connect it to my LAN and nc or telnet the command into it..

Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on May 30, 2020, 08:35:40 pm
You can use Riglol to add LAN to a DP832 and then Telnet to it via LAN to do the model change.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on May 30, 2020, 08:39:38 pm
True, but I was thinking in terms of keeping all changes reversible just in case.
It's very nice that you can essentially enjoy all the extra features of the "A" variant without losing your warranty.
But I could always try the USB method and the UltraSigma software for just once.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on May 30, 2020, 10:11:25 pm
You can change it back to a DP832 and then issue a SCPI command to remove all options.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on May 30, 2020, 10:12:24 pm
Oh, I didn't know that.
Great! Thanks :)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: jcfoto on June 02, 2020, 09:25:50 am
Hello.
Thanks to the guys who did fantastic work. My new devices, bought in spring 2020, are better with your research:      :clap:
DP832 -> DP832A - new colors but also (a must!) better defined (mV and mA)
*IDN? -> RIGOL TECHNOLOGIES,DP832,DP8Cxxxxxxxxxxxx,00.01.16

DG1022Z -> DG1062Z - Sine frequency max = 60MHz (seen with scope) and memory up to 16 MB in no limit trial mode.
*IDN? -> Rigol Technologies,DG1022Z,DG1ZAxxxxxxxxxxxxx,03.01.12

One note for DG: square waveforms aren't particularly correct at frequencies above 1MHz (transitions are curved!!!). Sine at 60MHz very correct.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 02, 2020, 10:03:43 am
Zut alors jcfoto, c'est fantastique! Bonne chance.

translation...
Damn jcfoto, that's fantastic! Good luck.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on June 02, 2020, 11:21:24 am

One note for DG: square waveforms aren't particularly correct at frequencies above 1MHz (transitions are curved!!!). Sine at 60MHz very correct.

I've noticed that as well on my DG1022z; one would think that "upgrading" it to dg1062z would also scale upwards how the square responds for frequencies > 1MHz but it hasn't changed much.
The relationship should be linear since the square is a sum anyways so essentially doubling the BW would also double the limit of a nice square output.
If it was 1meg before, now it should be at least double that.

I've not tested a "before" and "after" to be sure but I too think that square is the same.

With the 25MHz limit an acceptable square output of around 1MHz maybe be expected since a square inherently consists of infinite harmonics to start with and technically *any* BW is not enough to represent it but it's weird that changing the upper BW limit didn't improve the square output much (enough to be noticeable at least)..

EDIT:
I've had a problem (user error probably) after upgrading so for anyone experiencing the same it might be of help.
The peak to peak value was not consistent all the way up to 60MHz.
I had to revert to factory settings in order to have a proper voltage output all the way up to the limit.
But that did not improve the square I think.
Then again, the scope also has a BW limit so..
I'd need to change the model back to 1022 and take a diff measurement of some sort to at least have a reference point.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: PA0PBZ on June 02, 2020, 11:40:14 am
The specification for all the DG10* models say "Square: 1 μHz to 25 MHz" so I would not expect anything to change.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on June 02, 2020, 11:41:46 am
Yes..
So it's only a higher freq sin the only difference between these models..
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 02, 2020, 01:30:00 pm
On my DG1062Z, the square wave output is only a square wave at 10 MHz and then the rise fall times are pretty long (11 nS), by the time it gets to 25MHz, it's pretty much a sine wave.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: jcfoto on June 09, 2020, 03:57:53 pm
I made two recent "print screens" on my DS2202E scope (full options!) from the upgraded DG:
Sine 59MHz -> Very little frequency and voltage modulation. It's correct. 5vcc
Square 15MHz -> Very ... funny square signal, isn't it? Correct up to 5MHz. 5vcc
For high frequency square signals, I use µ controllers (more efficient).

On the attached "print screen", scales and samples of the scope may be readable.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: PA0PBZ on June 09, 2020, 05:11:56 pm
15, 25 and 50MHz square from an upgraded DG4062 on a MSOX3054:

Title: Re: Need help hacking DP832 for multicolour option.
Post by: edgelog on June 10, 2020, 11:49:38 am
Just an observation which slightly worries me.

After updating the DP832 from firmware 00.01.16.00.00 to 00.01.16.00.02 I also configured the analog boards by doing the HELP-HELP-M4-M2-M1 and HELP-HELP-M4-M2-M2. Interestingly, the analog version went down a tick after that.

Before upgrading, the analog version was 03.02.05.03.02.05, but after the upgrade it was 03.02.04.03.02.04. It irks me a little bit.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on June 10, 2020, 01:10:58 pm
I also configured the analog boards by doing the HELP-HELP-M4-M2-M1 and HELP-HELP-M4-M2-M2.

Sorry but what's this?
This configuring of the analog boards I mean.. Where did you find this key-pattern?
Is it mentioned in the manual?
I have a problem with my DP832 so it couldn't hurt to try it.

About your problem:
Could you try to downgrade the firmware and then redo the above?

Title: Re: Need help hacking DP832 for multicolour option.
Post by: edgelog on June 10, 2020, 01:15:40 pm
I also configured the analog boards by doing the HELP-HELP-M4-M2-M1 and HELP-HELP-M4-M2-M2.

Sorry but what's this?
This configuring of the analog boards I mean.. Where did you find this key-pattern?
Is it mentioned in the manual?
I have a problem with my DP832 so it couldn't hurt to try it.

About your problem:
Could you try to downgrade the firmware and then redo the above?

You’ll find this key sequence in earlier messages, but I think I’ve seen it in older release notes as well.

I’m not really having a problem, just a little bit confounded by the version numbers, so I’m not going to downgrade again. Not unless I run into some problem down the road.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Fabse on June 20, 2020, 07:34:23 am
Hey guys,
can someone pls post the whole compilable source code for the 16M option? I am no coder and I tried my best, but I cannot get this thing to compile. I would really appreciate any help :)
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on June 20, 2020, 09:12:21 am
What operating system are you using?
I could send you a Linux compiled executable.
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Fabse on June 20, 2020, 09:32:13 am
Hello belzrebuth,
a linux executable would be perfect. I guess that's all I need :)
Thank you very much!
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on June 20, 2020, 10:22:14 am
Hello belzrebuth,
a linux executable would be perfect. I guess that's all I need :)
Thank you very much!

Here you are!
Title: Re: Need help hacking DP831
Post by: czecht on June 22, 2020, 02:43:05 am
I have DP831 and I like to hack it to all updates. Where can I find the information?
Can I just use the DP832 - are they hardware wise the same or not?
Thank you guys!
Tony
Title: Re: Need help hacking DP831
Post by: Gandalf_Sr on June 22, 2020, 10:16:15 am
I have DP831 and I like to hack it to all updates. Where can I find the information?
Can I just use the DP832 - are they hardware wise the same or not?
Thank you guys!
Tony
DP831 and DP832 are different hardware but clearly the DP832 is based on the DP831.  I don't know for sure but I bet that the 'magic' USB stick will allow you to turn a DP831 into a DP831A but not a DP832(A).
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on June 22, 2020, 04:18:55 pm
It works for the DP811 so there's no reason why it shouldn't work with the DP831 which is much closer design-wise to the DP832 than the DP811...
Title: Re: Need help hacking DP832 for multicolour option.
Post by: Gandalf_Sr on June 22, 2020, 08:03:44 pm
It works for the DP811 so there's no reason why it shouldn't work with the DP831 which is much closer design-wise to the DP832 than the DP811...
What works?
Title: Re: Need help hacking DP832 for multicolour option.
Post by: belzrebuth on June 22, 2020, 09:53:39 pm
I think he means the model change command..
Title: Re: Need help hacking DP832 for multicolour option.
Post by: TurboTom on June 22, 2020, 09:55:12 pm
I used the "Magic Stick" to modify both my DP811 and my DP832 to the "A" version, so I haven't any doubt that it will as well work on the DP831 (to turn it into a DP831A that is). Maybe my previous post was a little confusing...  ;)