Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1614336 times)


Online up8051

  • Regular Contributor
  • *
  • Posts: 171
  • Country: pl
Re: Sniffing the Rigol's internal I2C bus
« Reply #4475 on: January 07, 2021, 05:25:02 pm »
What is the latest firmware version for the DS2072 (non-A)?

On the Rigol page there are only ones for the DS2000A; is it the same for the non-A version?
 

Offline geo999

  • Contributor
  • Posts: 10
  • Country: ro
Re: Sniffing the Rigol's internal I2C bus
« Reply #4476 on: January 12, 2021, 04:29:22 pm »
Hi guys,

I got myself a DSO1074Z-plus thinking the upgrade to 100 MHz is as easy as for the DS1054Z.
After entering the wrong serial codes a few times I ended up on this page reading tens of pages.

I also did a :SYSTem:OPTion:UNINSTall such that now I'm left without any option that came preinstalled.

In the end the Rigol seal lasted less than 4 hours after it came into my possession :).

I hooked up the Olimex-JTAG/OpenOCD and did a dump of the memory.
I double checked that the dump is correct by doing a second dump and comparing md5sums.
The dump was done after the scope completed booting - ready to work.

Now for the fun part:
I tried different rigup versions with different results, none of them providing valid keys.


rigup-0.4.zip:

    scan:
        RC5KEY1:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        RC5KEY2:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        XXTEAKEY:      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        PUBKEY:         xxxxxxxxxxxxxxxx
        PRIVKEY:        xxxxxxxxxxxxxxxx
    --> SERIAL: this line is not present in the output of the scan command,
    even though I can find the serial in the dump with grep.

    The search command crashes with a segfault.
    After a little debugging it turns out that this is due to the SERIAL line missing from the scan output.
    After manually adding the SERIAL line entry with the serial from the label on the back of the scope, the output of the search command is:
   
        6 lines with serial numbers all failed
        xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx                        Failed.

rigup-0.4.1-mso1000z.zip:
    failed: No keys

rigup-0.4.2.zip:
    failed: No keys
   

rig-up from https://www.dropbox.com/sh/1yrh8s90ityn90s/AAA6PXlJk9gGQwoDOwO6TDQua?dl=0,
    failed: No keys

DS1074Z plus
00.04.04.SP4
00.04.04.04.03
Board: 2.1.4

labels on the board:
DS1000Z_MAINBRD_V01.04_20141024
Hardware Version: V[654][32].[10]
SP Version: [987]

A firmware update attempt says that it's already at the same version.
   
Question is: what am I doing wrong here?
- do I need to do a dump at a different stage?
- do I need a different rigup tool version?

later edit:
the serial number starts with: DS1ZC
rigup, compiled on Linux x86-64

thank you

« Last Edit: January 12, 2021, 05:52:50 pm by geo999 »
 
The following users thanked this post: KK1L

Offline KK1L

  • Contributor
  • Posts: 17
  • Country: us
    • KK1L
Re: Sniffing the Rigol's internal I2C bus
« Reply #4477 on: January 14, 2021, 08:58:42 pm »
Hi GEO999,

I would not be surprised if Rigol support wouldn't send you the code to open up the options they now ship with these rigs. It is worth a shot! Tech Support under "Support" on rigolna.com...worked for me!

You have gotten further than me with the memory dump. I think I am going to have to buy an ARM-ready debugger (like the Olimex) to get past my timeout issue. There is a post maybe in this quite expansive thread where there were a pair of leading zeroes in the keys which needed to be removed. I do not recall if this was automatically handled in rigup.

https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/msg3361424/#msg3361424 
73 es God Bless de KK1L, Ron <><
 

Offline KK1L

  • Contributor
  • Posts: 17
  • Country: us
    • KK1L
Re: Sniffing the Rigol's internal I2C bus
« Reply #4478 on: March 05, 2021, 02:52:22 pm »
Some success, but ultimately a failure still :(

I had reported on trouble using the SiSpeed debugger. I ended up buying an Olimex ARM-USB-TINY-H. It is great and worked well the first time...6MHz, 1MHz, whatever. Far superior to the SiSpeed in this application.

That being said...despite getting a clean 64k memory dump I have been unsuccessful finding keys in the file....until!

So it is not exactly true that the DS1074Z-Plus is the same as an MSO1074Z. The signature to find the keys in the binary dump file is the SAME as the DS1074Z. So you need to run the unmodified rigup code to pull out the keys! MSO1000Z look for "01 00 84 00 10 00". DS1000Z look for "02 00 84 00 10 00".

Bottom line is the 1074Z-Plus is a hybrid of sorts. You must use JTAG to pull the memory file, but must use the DS1000 family rigup to pull the keys out!
I used version 0.4 from http://gotroot.ca/rigol...specifically rigup-0.4.zip. However the serial number is in the format of the MSO, so rigup will not extract the serial from the DS1074Z-S Plus. You need to add that with the "serial" option of rigup.

Code:
./rigup scan keyfile.txt ds1074z-plus.bin
./rigup serial keyfile.txt <your serial number>
./rigup license keyfile.txt DSEA 0x1c0ff 0x1c080
You can direct the output of the license generation to a file if you like.

1st keyfile looks like this:
RC5KEY1:        72A369AC1CzipitydodaB9E27EAF0513
RC5KEY2:        582A21C677zipitydodaA302642B08E8
XXTEAKEY:       D07D6B66E6zipitydodaAA551326D9DE
PUBKEY:         005zipitydoda230
PRIVKEY:        009zipitydoda8D0

2nd keyfile looks like this:
RC5KEY1:        72A369AC1CzipitydodaB9E27EAF0513
RC5KEY2:        582A21C677zipitydodaA302642B08E8
XXTEAKEY:       D07D6B66E6zipitydodaAA551326D9DE
PUBKEY:         005zipitydoda230
PRIVKEY:        009zipitydoda8D0
SERIAL:         DS1ZD21xxxxxxx

Okay, so great. Now I have the key file. The bummer is no matter how I generate a license code it will not unlock 100MHz on my DS1074Z-S Plus.
I tried rigup with options DSEA (DS version) and 0x1c080 (MSO version). I tried riglol for grins with the extracted private code. I tried substituting the 16 nibble sequences I found in the memory dump binary just before the serial number into the private key and trying the above again. All no joy.

When I first purchased the scope on clearance from Rigol they gave me the code to unlock the options, and I asked about paying for an upgrade to 100MHz. The rep told me it could not be upgraded. Maybe he really meant it.

I was going to modify the rigup code to work for the DS Plus version, but since the keys don't work anyway it would be pointless. If someone has a clue for me, I will give it a shot.

DS1074Z plus
00.04.04.SP4
00.04.04.04.03
Board: 6.1.4

Board markings look suspiciously like BS...
Hardware Version: [654][32].[10]
SP Version [987]


P.S. At least I am loving my encoder knob upgrade :) !
« Last Edit: March 05, 2021, 04:11:55 pm by KK1L »
73 es God Bless de KK1L, Ron <><
 
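The two keyfile problems described in the last few posts (rigup segfaulting on a scan output that has no SERIAL line, and the need to add that line by hand with the "serial" option) can be caught before any tool consumes the file. The following validator is an added example and is not code from rigup or from either poster; the field names and hex-digit lengths come from the keyfiles shown above, the sample keyfile values are constructed placeholders, and the assumption that a serial is plain upper-case alphanumerics is mine.

```python
import re

# Field names and hex-digit lengths as they appear in the rigup keyfiles
# shown in this thread: 32 hex digits for the three cipher keys, 16 for
# PUBKEY/PRIVKEY.  SERIAL is plain text, not hex.
EXPECTED_HEX_LEN = {
    "RC5KEY1": 32,
    "RC5KEY2": 32,
    "XXTEAKEY": 32,
    "PUBKEY": 16,
    "PRIVKEY": 16,
}
REQUIRED = tuple(EXPECTED_HEX_LEN) + ("SERIAL",)

# One "NAME:   value" line; the amount of padding after the colon varies.
LINE_RE = re.compile(r"^\s*([A-Z0-9]+):\s*(\S+)\s*$")

# Constructed sample (placeholder values, not keys from any real scope):
# this is what a scan output without a SERIAL line looks like.
SAMPLE_NO_SERIAL = """\
RC5KEY1:        0123456789ABCDEF0123456789ABCDEF
RC5KEY2:        FEDCBA9876543210FEDCBA9876543210
XXTEAKEY:       00112233445566778899AABBCCDDEEFF
PUBKEY:         0011223344556677
PRIVKEY:        8899AABBCCDDEEFF
"""


def parse_keyfile(text):
    """Parse 'NAME: value' lines into a dict; blank lines are ignored."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'NAME: value' line: {line!r}")
        name, value = m.groups()
        if name in fields:
            raise ValueError(f"line {lineno}: duplicate field {name}")
        fields[name] = value
    return fields


def validate_keyfile(fields):
    """Return a list of problems; an empty list means every field is present and well-formed."""
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing {name}")
    for name, n in EXPECTED_HEX_LEN.items():
        value = fields.get(name)
        if value is None:
            continue
        if len(value) != n or not re.fullmatch(r"[0-9A-Fa-f]+", value):
            problems.append(f"{name}: expected {n} hex digits, got {value!r}")
    serial = fields.get("SERIAL")
    # Assumption: serials are upper-case letters and digits only.
    if serial is not None and not re.fullmatch(r"[A-Z0-9]+", serial):
        problems.append(f"SERIAL: unexpected characters in {serial!r}")
    return problems


def add_serial(text, serial):
    """Append a SERIAL line (what 'rigup serial' does) unless one is already there."""
    if "SERIAL" in parse_keyfile(text):
        raise ValueError("keyfile already has a SERIAL line")
    return text.rstrip("\n") + f"\nSERIAL:         {serial}\n"


if __name__ == "__main__":
    before = validate_keyfile(parse_keyfile(SAMPLE_NO_SERIAL))
    print("before:", before or "ok")
    fixed = add_serial(SAMPLE_NO_SERIAL, "DS1ZC000000000")  # placeholder serial
    print("after: ", validate_keyfile(parse_keyfile(fixed)) or "ok")
```

Running the validator on a scan output first turns the segfault geo999 saw into a plain "missing SERIAL" message, and a wrong-length or non-hex key (for example one with the stray leading zeroes KK1L mentions) is reported by name instead of silently producing a bad license.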

Offline KK1L

  • Contributor
  • Posts: 17
  • Country: us
    • KK1L
Re: Sniffing the Rigol's internal I2C bus
« Reply #4479 on: March 06, 2021, 02:45:13 am »
Ok folks with help and some hints from a friendly PM from tv84 the issue is sorted.

The bottom line is the rigup versions from gotroot.ca do not work. I tried all of them (windows exe). The one below does. Funky output for the "search" option when including the dump file, but shows the "ok." for the known good license in my memory dump. It creates the correct unlock code!

http://i-hobby.org/blog/Electronics/60.html

Be sure of the option code used. 0x1C0DF is what I used to open all up except 500uV.

(CSAR = 0x1C001) Triggers
(CSAB = 0x1C002) Decoders
(CSA3 = 0x1C004) Mem-depth
(CSAJ = 0x1C008) Recorder
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.
(CS3A = 0x1C080) Bandwidth (100MHz)
(CSHY = 0x1C0FF) All
(CSGY = 0x1C0DF) All except 500uV

I should have noticed it before, but there is a bit set for each option. You should be able to mix and match. I did an :uninst, then :inst 0x1C0DF and got all but 500uV. Sweet.

« Last Edit: March 06, 2021, 04:37:14 am by KK1L »
73 es God Bless de KK1L, Ron <><
 
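The option table above is a plain bit field: each option is one bit in the low byte of the 0x1C0xx code, which is why 0x1C0FF is everything and 0x1C0DF is everything except the 0x20 (500uV) bit. The helper below is an added example, not part of rigup or anything a poster wrote; it only encodes the table as given (the four-letter names are carried along as labels) so you can check what a given code would enable before using it, and report which options a scope's current code lacks.

```python
# Option bits from the table in the post above.  Each option is one bit in
# the low byte of the 0x1C0xx option code; 0x1C000 is the common prefix.
# The four-letter codes (CSAR, CSAB, ...) are kept only as labels.
OPTION_PREFIX = 0x1C000
OPTION_BITS = {
    "Triggers":           (0x01, "CSAR"),
    "Decoders":           (0x02, "CSAB"),
    "Mem-depth":          (0x04, "CSA3"),
    "Recorder":           (0x08, "CSAJ"),
    "DG":                 (0x10, "CSAS"),
    "500uV":              (0x20, "CSRA"),
    "Power Ana.":         (0x40, "CSBA"),
    "Bandwidth (100MHz)": (0x80, "CS3A"),
}
ALL_BITS = 0xFF


def compose(names):
    """Option code that enables exactly the named options (KeyError on an unknown name)."""
    code = OPTION_PREFIX
    for name in names:
        code |= OPTION_BITS[name][0]
    return code


def all_except(names):
    """Option code for every option except the named ones, e.g. all_except(["500uV"])."""
    mask = ALL_BITS
    for name in names:
        mask &= ~OPTION_BITS[name][0] & ALL_BITS
    return OPTION_PREFIX | mask


def decode(code):
    """List the options a code enables; reject anything outside the 0x1C0xx range."""
    if code & ~ALL_BITS != OPTION_PREFIX:
        raise ValueError(f"{code:#x} is not a 0x1C0xx option code")
    return [name for name, (bit, _) in OPTION_BITS.items() if code & bit]


def missing_from(installed_code, wanted_code):
    """Options that wanted_code enables but installed_code does not."""
    installed = set(decode(installed_code))
    return [name for name in decode(wanted_code) if name not in installed]


if __name__ == "__main__":
    for code in (0x1C0FF, 0x1C0DF, 0x1C080):
        print(f"{code:#07x}: {', '.join(decode(code))}")
    print("0x1C0DF lacks:", missing_from(0x1C0DF, 0x1C0FF))
```

The range check in decode() matters in practice: a typo in the prefix (say 0x1D0DF) is rejected instead of being silently interpreted as a valid option set.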

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 3202
  • Country: ro
Re: Sniffing the Rigol's internal I2C bus
« Reply #4480 on: March 06, 2021, 10:07:12 am »
Why not enable the 500uV/div, too?

It won't hurt the scope.  After enabling all the options run a self calibration (from the oscilloscope's menu Utility -> Self-Cal).  And if you decide you don't like the 500uV option, all the options can be removed with the SCPI command ":SYSTem:OPTion:UNINSTall", then re-installed with only the options you like, as many times as you want. (The codes don't change; you can use the SCPI command ":SYSTem:OPTion:INSTall <license>".)

Just FYI, the 500uV/div works very well in my former DS1054Z.
Some are saying that in their DS1000Z the trace is out of screen after Self-Cal, or something, and therefore religiously advocate that no one should ever dare to enable the 500uV, because "problems", and "useless".   :-//

I found the 500uV/div range very useful when using the oscilloscope as a synchronous detector or as a lock-in amplifier, to measure very small synchronous and repetitive signals, with the oscilloscope's Acquire mode set to (trace) Average mode.

Any internal noise of the DS1054Z (and the DS1000Z is indeed very noisy in its analog front end) doesn't matter when the scope is in Average mode.  Noise averages to zero, so any asynchronous noise (either from the internals of the DS1000Z or from the device under test) will fade out and only the measured signal will remain, with a crisp clean trace on the display.
 
The following users thanked this post: KK1L

Offline KK1L

  • Contributor
  • Posts: 17
  • Country: us
    • KK1L
Re: Sniffing the Rigol's internal I2C bus
« Reply #4481 on: March 06, 2021, 03:25:16 pm »
Thanks. I have disabled it based on comments of others. Averaging works in many applications to let the true signal show itself.

Yes you are totally correct that it is super easy to enable or disable features via SCPI commands. You can do it with a single :INST command if you formulate the option code correctly. I will put it back to give it a whirl....why not :)

By the way what is the Power Ana. option?
« Last Edit: March 06, 2021, 06:47:21 pm by KK1L »
73 es God Bless de KK1L, Ron <><
 

Offline colabri

  • Newbie
  • Posts: 1
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4482 on: May 12, 2021, 12:53:44 pm »
With the above setting, I was able to dump 1MB flash content.

I was confused by the design.
The BF526 supports up to 4 async banks, each with 1 MB of address space. That will only provide 4 MB of address space in total.
However, they use an 8 MB flash. Is the rest of the space used by the FPGA?

Also, as I mentioned, if A21 ~ A19 are hard coded with 110, BF526 will only be able to access 1MB flash space in this case.
And the size of DSA800_UpdateFile.sys (firmware) is nearly 2.x MB. I believe that A21 ~ A19 must be connected to the BF526 in some way.
Or it won't be able to program the whole content of the firmware update into the flash chip.

Thanks for the information. Since Rigol doesn't provide a built-in backup function and has disabled reading the flash via SCPI I had to resort to reading it via JTAG. Took me a while to figure out the bank switching method but it was an interesting exercise.

There's some component (the ASIC perhaps?) mapped to async mem bank 3, with the relevant functionality starting at offset 0x200 bytes / 0x100 half-words (bus width is 16 bit). For reading flash content via JTAG, the following sequence is sufficient:
  • write 0x0000 to address 0x20300202 (only needed once)
  • write bank number (0x0000 .. 0x0003) to address 0x20300206
  • write 0x0001 to address 0x20300204

E.g. with urjtag (using a BusBlaster for this example):
Code:
cable KT-LINK pid=0x6010 vid=0x0403 interface=0
frequency 10000000
detect
initbus bf52x
poke 0x20300202 0
poke 0x20300206 0
poke 0x20300204 1
readmem 0x20000000 0x00100000 rigol_dsa815-flash-bank_0.img
poke 0x20300206 1
poke 0x20300204 1
readmem 0x20000000 0x00100000 rigol_dsa815-flash-bank_1.img
poke 0x20300206 2
poke 0x20300204 1
readmem 0x20000000 0x00100000 rigol_dsa815-flash-bank_2.img
poke 0x20300206 3
poke 0x20300204 1
readmem 0x20000000 0x00100000 rigol_dsa815-flash-bank_3.img

I wasn't able to send commands to the flash (which is also why urjtag cannot auto-detect the flash); my guess is that the same component that's handling the bank switching is keeping WE# high by default. The firmware does a lot more writes to async mem bank 3; I haven't tried figuring out which one enables "write" access to the flash.

HTH.
 
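Once the four bank images from a sequence like the urjtag script above are on disk, the same failure modes show up again and again in this thread: a read that is all zeroes because the scan chain or target power was wrong, a bank that never got selected, or two dump passes that do not match (geo999 compared md5sums of two dumps for exactly this reason). The script below is an added example, not part of urjtag or of any poster's tooling; it checks each 1 MB bank image, compares two dump passes by SHA-256 (chosen instead of md5 here), and stitches the banks into one image. The sample bank data is constructed in-memory stand-in data, not a real dump.

```python
import hashlib
import sys

BANK_SIZE = 0x100000   # 1 MB per async bank, as in the readmem lines above
NUM_BANKS = 4          # banks 0..3 selected via the 0x20300206 write


def check_bank(data, bank):
    """Return a list of problems with one bank image (empty list = looks sane)."""
    problems = []
    if len(data) != BANK_SIZE:
        problems.append(f"bank {bank}: size {len(data):#x}, expected {BANK_SIZE:#x}")
    if data and data.count(0x00) == len(data):
        problems.append(f"bank {bank}: all zeroes (scan chain or target power problem?)")
    elif data and data.count(0xFF) == len(data):
        problems.append(f"bank {bank}: all 0xFF (erased or unselected bank?)")
    return problems


def digest(data):
    """Hex SHA-256 of an image; used instead of md5sum for comparing dump passes."""
    return hashlib.sha256(data).hexdigest()


def compare_passes(pass1, pass2):
    """Indices of banks whose contents differ between two dump runs."""
    if len(pass1) != len(pass2):
        raise ValueError("dump passes have different bank counts")
    return [i for i, (a, b) in enumerate(zip(pass1, pass2)) if digest(a) != digest(b)]


def stitch(banks):
    """Concatenate banks 0..3 into one image, refusing to do so if any bank looks wrong."""
    if len(banks) != NUM_BANKS:
        raise ValueError(f"expected {NUM_BANKS} banks, got {len(banks)}")
    problems = [p for i, b in enumerate(banks) for p in check_bank(b, i)]
    if problems:
        raise ValueError("; ".join(problems))
    return b"".join(banks)


def make_sample_banks():
    """Constructed stand-in data (not a real dump): a different byte ramp per bank."""
    return [bytes((i + b) & 0xFF for i in range(256)) * (BANK_SIZE // 256)
            for b in range(NUM_BANKS)]


if __name__ == "__main__":
    # Usage: python3 check_dump.py rigol_dsa815-flash-bank_0.img ... rigol_dsa815-flash-bank_3.img
    banks = [open(path, "rb").read() for path in sys.argv[1:]] or make_sample_banks()
    for i, b in enumerate(banks):
        for problem in check_bank(b, i):
            print("warning:", problem)
    image = stitch(banks)
    print(f"{len(image):#x} bytes, sha256 {digest(image)}")
```

Run it twice, once per dump pass, and feed both lists to compare_passes() to get the bank numbers that disagree rather than just a yes/no from diffing two checksums; that tells you which bank to re-read.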

Offline davorin

  • Supporter
  • ****
  • Posts: 847
  • Country: ch
Re: Sniffing the Rigol's internal I2C bus
« Reply #4483 on: May 25, 2021, 10:21:57 am »
Good afternoon (o;

Just received my DS1074Z Plus today....and after powering up and listing the options I see that all options show as version "Official"....

So does this mean there isn't anything left I can unlock on this scope?
Or what options are left for this scope to add? Only the 100MHz bandwidth?


thanks in advance
richard
 

Online hammy

  • Supporter
  • ****
  • Posts: 453
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4484 on: May 25, 2021, 08:42:01 pm »
Or what options are left for this scope to add? Only the 100MHz bandwidth?

Exactly. That's the only option missing.
 

Offline davorin

  • Supporter
  • ****
  • Posts: 847
  • Country: ch
Re: Sniffing the Rigol's internal I2C bus
« Reply #4485 on: May 26, 2021, 10:11:13 am »
Hmm..no luck with J-Link and openocd on Debian Linux:

Code:
me@blender:~/develop/openocd$ sudo openocd -d1  -f  interface/jlink.cfg -c "transport select jtag" -c "adapter speed 6000" -f target/imx28.cfg
Open On-Chip Debugger 0.11.0+dev-00179-g4e872a797-dirty (2021-05-26-11:07)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
debug_level: 1

jtag
adapter speed: 6000 kHz

dcc downloads are enabled

Error: JTAG scan chain interrogation failed: all zeroes
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: imx28.cpu: IR capture error; saw 0x00 not 0x01
Warn : Bypassing JTAG setup events due to errors
Error: unknown EmbeddedICE version (comms ctrl: 0x00000000)

 

Offline davorin

  • Supporter
  • ****
  • Posts: 847
  • Country: ch
Re: Sniffing the Rigol's internal I2C bus
« Reply #4486 on: May 26, 2021, 11:35:50 am »
Stupid me (o;

J-Link IO buffers are powered from the Vtarget pin ;-)

Okay..memory dumped...modified src/utils.c for the MSO key search and removed the LD option in the Makefile, as on Debian 10.9 it would always core dump (o;

Installing license via SCPI didn't work...but on the scope it did ;-)

Had to use the serial number returned from the *IDN? SCPI command....now I got before and after without a power cycle:

Code:
IDN?
RIGOL TECHNOLOGIES,DS1074Z Plus,DS1ZC223303310,00.04.04.SP4
*IDN?
RIGOL TECHNOLOGIES,DS1104Z Plus,DS1ZC223303310,00.04.04.SP4

« Last Edit: May 26, 2021, 12:22:05 pm by davorin »
 

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 884
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #4487 on: June 14, 2021, 09:28:20 pm »
Ok folks with help and some hints from a friendly PM from tv84 the issue is sorted.

The bottom line is the rigup versions from gotroot.ca do not work. I tried all of them (windows exe). The one below does. Funky output for the "search" option when including the dump file, but shows the "ok." for the known good license in my memory dump. It creates the correct unlock code!

http://i-hobby.org/blog/Electronics/60.html

Be sure of the option code used. 0x1C0DF is what I used to open all up except 500uV.

(CSAR = 0x1C001) Triggers
(CSAB = 0x1C002) Decoders
(CSA3 = 0x1C004) Mem-depth
(CSAJ = 0x1C008) Recorder
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.
(CS3A = 0x1C080) Bandwidth (100MHz)
(CSHY = 0x1C0FF) All
(CSGY = 0x1C0DF) All except 500uV

I should have noticed it before, but there is a bit set for each option. You should be able to mix and match. I did an :uninst, then :inst 0x1C0DF and got all but 500uV. Sweet.

Edit: I have reviewed the source code in the i-Hobby zipfile and concluded there isn't any substantive difference (just some standard-C-to-Windows-isms and the like), so either the provided binary doesn't match the source, or there is something wrong/different between the two builds.

Would you be willing to PM me your dumpfile/serial and the working output? I would like to investigate.

In the meantime, I have added the i-Hobby zipfile to the gotroot.ca archive.
« Last Edit: June 14, 2021, 09:48:11 pm by ve7xen »
73 de VE7XEN
He/Him
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2353
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #4488 on: June 15, 2021, 08:01:58 am »
I've said this in the past: due to its evolution history, rigup has some coding problems (possibility of buffer overflows, vars not properly freed up, some var assignments, etc, etc) that require a complete revision of the code. Due to its age and potential targets, it seems that it is not an appealing task.

Due to these deficiencies one needs to have "some luck" with the compiling setup (OS, architecture, compiler, etc.) and the running environment.
 
The following users thanked this post: egonotto

