Author Topic: Rigol DS1000Z - firmware patch & plugins  (Read 26315 times)


Offline konnor

  • Contributor
  • Posts: 43
  • Country: ru
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #75 on: April 20, 2018, 05:50:06 pm »
Mixed hardware/software info

Used interfaces:
I2C_0:    I2C NVRAM, 800h bytes (o-scope settings)
UART_0:   keyboard/LED
SPI_0:    8 bit bus xilinx<->cpu
SPI_2:    control bus (multiple chip select)
    CS0:  SPI NVRAM (loader + calibrate ("/sys/CalData.bin") + copy "/sys/OptionData.bin" + copy "/sys/OptionPara.bin" + other)
    CS1:  actel (CPLD). Commands (two byte):
        1,x - Select device for CS2
            x:
            0 - ADF4360 (3 byte/packet)
            1 - ADC control (3 byte/packet)
            2 - AD5207 x 2 (3 byte/packet, 20 bit)
            3 - frontend control (4 byte/packet)
            4 - Load Xilinx firmware
            6 - Load Altera firmware + DG settings load
            7 - ?? (total offline?)
        5,x -> ADC control (02 - reset bit, 01 - ? bit)
        6,0 -> 2 byte answer, second - low part of MB version
        7,0 -> 2 byte answer, second - high part of MB version
        8,0 -> 2 byte answer, low nibble of second - CPLD version.
        B,x -> Load Xilinx control (answer - status bits)
        D,x -> Load Altera/DG control
            commands B,D:
                x=0 - reset
                x=1 - no reset, start loading

    CS2:  common stream (see actel command 01)

Front End Control, 4 channels, 4 x SN74AHC595 (HC595):
0x01 - DC coupling (0 - AC), cosmo relay
0x02 - attenuator relay
0x04 - bandwidth bit 1
0x08 - bandwidth bit 2
0x10 - ?? (used only as 0x10000000)
0x20 - vertical offset bit 1
0x40 - Amp. select
0x80 - vertical offset bit 2
Separate bit:
0x10000000 - ? HC4053 on CH4?

Calibration circuit(?):
dac860 + HC4051 - controlled from xilinx registers C2/C3 (dac serial + mux)

DMA Channels:
0 - SPI_0
4 - NAND FLASH
         
CPU pin settings (pin no - as in datasheet):
Pin 1, SSP2_MOSI pin function selection: BANK2_PIN17 00= ssp2_cmd;
Pin 2, SSP0_DATA2 pin function selection: BANK2_PIN02 00= ssp0_d2;
Pin 4, SSP2_SS0 pin function selection: BANK2_PIN19 00= ssp2_d3; (SPI2/CS0?)

two variants:
Pin 6, SSP0_DATA6 pin function selection: BANK2_PIN06 11= GPIO. (SPI)
Pin 6, SSP0_DATA6 pin function selection: BANK2_PIN06 00= ssp0_d6;

Pin 7, SSP2_SS1 pin function selection: BANK2_PIN20 00= ssp2_d4; (SPI2/CS1?)
Pin 8, SAIF1_SDATA0 pin function selection: BANK3_PIN26 11= GPIO. (some gpio interrupt)
Pin 18, SSP2_SS2 pin function selection: BANK2_PIN21 00= ssp2_d5; (SPI2/CS2?)
Pin 26, AUART2_TX pin function selection: BANK3_PIN09 11= GPIO (USB-Device)
Pin 27, ENET0_RX_EN pin function selection: BANK4_PIN02 00= enet0_rx_en
Pin 29, ENET0_TX_EN pin function selection: BANK4_PIN06 00= enet0_tx_en
Pin 30, AUART0_RX pin function selection: BANK3_PIN00 00= auart0_rx;
Pin 34, SAIF0_LRCLK pin function selection: BANK3_PIN21 11= GPIO. (some for FPGA)
Pin 35, ENET0_TXD1 pin function selection: BANK4_PIN08 00= enet0_txd1;
Pin 37, ENET0_TXD0 pin function selection: BANK4_PIN07 00= enet0_txd0;
Pin 38, AUART0_TX pin function selection: BANK3_PIN01 00= auart0_tx;
Pin 39, ENET0_MDIO pin function selection: BANK4_PIN01 00= enet0_mdio
Pin 45, ENET0_RXD0 pin function selection: BANK4_PIN03 00= enet0_rxd0;
Pin 47, ENET0_RXD1 pin function selection: BANK4_PIN04 00= enet0_rxd1;
Pin 54, ENET0_MDC pin function selection: BANK4_PIN00 00= enet0_mdc
Pin 66, AUART0_RTS pin function selection: BANK3_PIN03 00= auart0_rts;
Pin 68, PWM2 pin function selection: BANK3_PIN18 11= GPIO (DG detect ?)
Pin 70, AUART0_CTS pin function selection: BANK3_PIN02 00= auart0_cts
Pin 81, AUART1_RX pin function selection: BANK3_PIN04 11= GPIO. (PXP)
Pin 82, AUART3_RTS pin function selection: BANK3_PIN15 00= auart3_rts;
Pin 84, PWM1 pin function selection: BANK3_PIN17 00= pwm_1; (beeper)
Pin 86, AUART3_TX pin function selection: BANK3_PIN13 00= auart3_tx;
Pin 90, AUART3_CTS pin function selection: BANK3_PIN14 00= auart3_cts;
Pin 98, AUART3_RX pin function selection: BANK3_PIN12 00= auart3_rx;
Pin 268, SSP0_SCK pin function selection: BANK2_PIN10 00= ssp0_sck;
Pin 270, SSP0_DATA0 pin function selection: BANK2_PIN00 00= ssp0_d0;
Pin 272, I2C0_SCL pin function selection: BANK3_PIN24 00= i2c0_scl;
Pin 274, SSP0_DATA3 pin function selection: BANK2_PIN03 00= ssp0_d3;
Pin 275, SSP0_DETECT pin function selection: BANK2_PIN09 00= ssp0_card_detect;
Pin 276, SSP0_CMD pin function selection: BANK2_PIN08 00= ssp0_cmd;
Pin 278, SSP0_DATA4 pin function selection: BANK2_PIN04 00= ssp0_d4;
Pin 280, SSP2_SCK pin function selection: BANK2_PIN16 00= ssp2_sck;
Pin 281, I2C0_SDA pin function selection: BANK3_PIN25 00= i2c0_sda;
Pin 282, SSP0_DATA7 pin function selection: BANK2_PIN07 00= ssp0_d7;
Pin 284, SSP0_DATA5 pin function selection: BANK2_PIN05 00= ssp0_d5;
Pin 288, SSP2_MISO pin function selection: BANK2_PIN18 00= ssp2_d0;
Pin 289, SSP0_DATA1 pin function selection: BANK2_PIN01 00= ssp0_d1;


Variables:
00007FF4 - dword flag "disable load settings"
00007FF8 - firmware version from loader
00007FFC - boot version

SPI NVRAM MAP:
00000-70000: Bootloader
70000-76000: Unused ?
76000-76008: LA/DG Calibr (?)
78000-79800: /sys/OptionData.bin
79800-7A000: /sys/OptionPara.bin
7A000-7C000: /sys/_SYS_REG_CFG_0417.cfg
7E000-7F800: /sys/CalData.bin
7F800-80000: part of /sys/CalData.bin
« Last Edit: April 28, 2018, 05:12:58 pm by konnor »
 
The following users thanked this post: Daruosha
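Added example (not konnor's plugin or rigolif code): a small Python tool that carves a full W25X40 dump into the regions of the SPI NVRAM map above, hashes each region so two backups can be compared part by part, and decodes one front-end HC595 control byte and the actel 6,0 / 7,0 / 8,0 version answers using the bit meanings from the post. The offsets, region names and bit assignments are taken from the post; the sample image is constructed in memory so the script runs without a real DS1KZ_NVRAM.BIN.

```python
"""Carve a W25X40 (SPI NVRAM) dump by the map in the post and decode the
front-end control byte and the CPLD/mainboard version replies.

Added example, not code from the thread. Offsets, region names and bit
meanings come from the post; the sample image is constructed here
(erased-flash fill with a tag at each region start) so it runs offline.
"""
from __future__ import annotations

import hashlib

# W25X40 is 4 Mbit, so a full dump is 0x80000 bytes.
NVRAM_SIZE = 0x80000

# SPI NVRAM map from the post: (start, end, label). The gaps the post does
# not name (76008-78000, 7C000-7E000) are left out here as well.
NVRAM_MAP = [
    (0x00000, 0x70000, "bootloader"),
    (0x70000, 0x76000, "unused?"),
    (0x76000, 0x76008, "LA/DG calibr (?)"),
    (0x78000, 0x79800, "/sys/OptionData.bin"),
    (0x79800, 0x7A000, "/sys/OptionPara.bin"),
    (0x7A000, 0x7C000, "/sys/_SYS_REG_CFG_0417.cfg"),
    (0x7E000, 0x7F800, "/sys/CalData.bin"),
    (0x7F800, 0x80000, "part of /sys/CalData.bin"),
]


def carve_nvram(image: bytes) -> dict[str, bytes]:
    """Split a full dump into the mapped regions.

    A truncated or oversized file is rejected instead of being carved at
    wrong offsets: a backup you cannot restore from is worse than none.
    """
    if len(image) != NVRAM_SIZE:
        raise ValueError(f"expected {NVRAM_SIZE:#x} bytes, got {len(image):#x}")
    return {label: image[start:end] for start, end, label in NVRAM_MAP}


def region_digests(image: bytes) -> dict[str, str]:
    """SHA-256 per region, so dumps taken before and after a calibration or
    an update can be compared region by region rather than as one blob."""
    return {label: hashlib.sha256(blob).hexdigest()
            for label, blob in carve_nvram(image).items()}


def decode_frontend(ctrl: int) -> dict[str, bool]:
    """Decode one HC595 front-end control byte with the bit list from the post."""
    if not 0 <= ctrl <= 0xFF:
        raise ValueError("one 8-bit HC595 byte expected")
    return {
        "dc_coupling":    bool(ctrl & 0x01),  # 0 = AC coupling (cosmo relay)
        "attenuator":     bool(ctrl & 0x02),  # attenuator relay
        "bandwidth_bit1": bool(ctrl & 0x04),
        "bandwidth_bit2": bool(ctrl & 0x08),
        "bit4_unknown":   bool(ctrl & 0x10),  # post: only seen as 0x10000000
        "offset_bit1":    bool(ctrl & 0x20),  # vertical offset bit 1
        "amp_select":     bool(ctrl & 0x40),
        "offset_bit2":    bool(ctrl & 0x80),  # vertical offset bit 2
    }


def decode_versions(reply6: bytes, reply7: bytes, reply8: bytes) -> tuple[int, int]:
    """Combine the two-byte answers to actel commands 6,0 / 7,0 / 8,0 into
    (mainboard_version, cpld_version): second byte of reply 6 is the low part
    of the MB version, of reply 7 the high part, and the low nibble of the
    second byte of reply 8 is the CPLD version."""
    for r in (reply6, reply7, reply8):
        if len(r) != 2:
            raise ValueError("each actel answer is two bytes")
    mb_version = (reply7[1] << 8) | reply6[1]
    cpld_version = reply8[1] & 0x0F
    return mb_version, cpld_version


def build_sample_image() -> bytes:
    """Constructed stand-in for DS1KZ_NVRAM.BIN: 0xFF erased-flash fill with
    the first 8 bytes of each region label written at the region start."""
    img = bytearray(b"\xff" * NVRAM_SIZE)
    for start, _end, label in NVRAM_MAP:
        img[start:start + 8] = label.encode("ascii")[:8].ljust(8, b"\x00")
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for label, digest in region_digests(sample).items():
        print(f"{label:28s} {digest[:16]}...")
    print(decode_frontend(0x43))
    print(decode_versions(b"\x00\x34", b"\x00\x12", b"\x00\xa7"))
```

Feed `carve_nvram` a real dump read with `open(path, "rb").read()`; the size check is deliberate, since a partial read of the W25X40 would otherwise carve the /sys files at the wrong offsets.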

Offline Adrian_Arg.

  • Frequent Contributor
  • **
  • Posts: 287
  • Country: ar
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #76 on: April 22, 2018, 06:34:55 pm »
3) rnage -> rnage (decoder: conf: range
I cannot locate this text error on my Rigol DS1054Z, nor that option?
 

Offline konnor

  • Contributor
  • Posts: 43
  • Country: ru
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #77 on: April 23, 2018, 09:44:48 am »
offset 0x202D00 in APP.out
This is an undocumented SCPI command.
 

Offline Adrian_Arg.

  • Frequent Contributor
  • **
  • Posts: 287
  • Country: ar
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #78 on: April 24, 2018, 12:55:13 pm »
OK, so it is a mistake that cannot be seen in the oscilloscope, I mean it is not in the menus of the team, as was the case of PLUSES, by pulses
 

Offline konnor

  • Contributor
  • Posts: 43
  • Country: ru
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #79 on: April 28, 2018, 04:04:09 am »
Changes:
1) Added a new plugin (plugin_backup, ld_backup.bat). It saves the contents of the two NVRAMs (i2c + spi W25X40) and several files from the system partition to a USB flash drive. The result can be used for recovery of the device or for some ;) operations with keys. It is highly desirable to use an empty USB flash drive or (at least) one not having a lot of files or directories.

2) Changes in rigolif. I analysed the network exchange with Wireshark and found strange behaviour: with some slight probability (<0.01%), the oscilloscope does not forward the response UDP block to the host computer. When the host issues a second request, the Rigol immediately sends back two blocks - the old one and the new one. Now the utility has a mechanism that takes this behaviour into account and does not bother the user with error messages.

3) Updated list of functions, some bat files for controlling the front-end, etc.
« Last Edit: April 28, 2018, 04:40:04 pm by konnor »
 
The following users thanked this post: dpavlin, tv84, Daruosha
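Added example (not rigolif code): the host-side handling pattern for the behaviour described in point 2 above, a reply that is occasionally not forwarded and then arrives together with the reply to the next request. The instrument side is simulated in-process with a deterministic "hold every N-th reply" rule so the run is reproducible; the framing (each reply tagged with the sequence number of the request it answers) is an assumption made for this example and is not something the post states about the real protocol.

```python
"""Request/reply handling that tolerates a UDP reply held back by the
instrument and delivered together with the next reply.

Added example, not rigolif code. The symptom handled is the one described in
the post (reply occasionally not forwarded; the next request returns the old
and the new block together). Transport and framing are constructed here:
replies are tagged with the sequence number of the request they answer,
which is an assumption about the protocol, not a fact from the post.
"""
from __future__ import annotations

from collections import deque


class HeldReplyScope:
    """Simulated instrument. Every `hold_every`-th reply is not forwarded at
    once; it is flushed ahead of the reply to the following request, which
    reproduces the 'two blocks come back' symptom deterministically."""

    def __init__(self, hold_every: int = 3) -> None:
        self.hold_every = hold_every
        self.count = 0
        self.held: list[tuple[int, bytes]] = []
        self.wire: deque[tuple[int, bytes]] = deque()   # datagrams headed to the host

    def send(self, seq: int, payload: bytes) -> None:
        self.count += 1
        reply = (seq, b"OK:" + payload)                  # constructed reply format
        self.wire.extend(self.held)                      # held block goes out first
        self.held.clear()
        if self.count % self.hold_every == 0:
            self.held.append(reply)                      # this one is withheld
        else:
            self.wire.append(reply)

    def recv(self) -> tuple[int, bytes] | None:
        return self.wire.popleft() if self.wire else None


class Client:
    """Host side: numbers every transmission, resends silently when no usable
    reply arrives, and drops any block whose tag is not the current one."""

    def __init__(self, scope: HeldReplyScope, retries: int = 2) -> None:
        self.scope = scope
        self.retries = retries
        self.seq = 0
        self.stats = {"retries": 0, "stale_dropped": 0}

    def query(self, payload: bytes) -> bytes:
        for _attempt in range(self.retries + 1):
            self.seq += 1
            self.scope.send(self.seq, payload)
            while (block := self.scope.recv()) is not None:
                tag, data = block
                if tag == self.seq:
                    return data
                self.stats["stale_dropped"] += 1         # late reply to an earlier send
            self.stats["retries"] += 1                   # nothing usable arrived: resend
        raise TimeoutError(f"no reply to {payload!r} after {self.retries} retries")


def run_session(n_queries: int = 6, hold_every: int = 3) -> dict[str, int]:
    """Issue n queries and return the client's counters. With the defaults the
    3rd and 6th replies are withheld, yet every query still gets its answer
    without any error being surfaced."""
    client = Client(HeldReplyScope(hold_every))
    for i in range(n_queries):
        payload = f"Q{i}".encode()                       # constructed payload
        answer = client.query(payload)
        if answer != b"OK:" + payload:
            raise RuntimeError(f"wrong answer for {payload!r}: {answer!r}")
    return client.stats


if __name__ == "__main__":
    print(run_session())          # {'retries': 2, 'stale_dropped': 2}
```

The two counters are the point: a stale block is silently discarded rather than reported as a protocol error, and a retry is only escalated to the user when the retry budget is exhausted (the `hold_every=1` case in the test, where every first reply is withheld and the client eventually raises).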

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: ee
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #80 on: April 28, 2018, 10:24:23 am »
There are many FunctionNames resolved  :-+
But... too many... for me. I can't fit them into IDA as my decompiled app doesn't have many of them
in such places. It says: can't rename, because this byte can't have a name (it is a tail byte).
What program do you use or how do I get different decompilation?
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1852
  • Country: pt
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #81 on: April 28, 2018, 10:46:20 am »
Changes:
1) Added a new plugin (plugin_backup, ld_backup.bat). It saves the contents of the two NVRAMs (i2c + spi W25X40) and several files from the system partition to a USB flash drive. The result can be used for recovery of the device or for some ;) operations with keys. It is highly desirable to use an empty USB flash drive or (at least) one not having a lot of files or directories.

I had started doing one but you beat me to it... :)

Please add also the copying of the GEL file in the NAND, since it may/usually contain the bootloader. That makes available the GELs with bootloaders that are not public.

Excellent work!

Everyone can brick their devices now...  :) The only thing missing is a tutorial to start from scratch with a fully erased device.
 

Offline konnor

  • Contributor
  • Posts: 43
  • Country: ru
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #82 on: April 28, 2018, 04:23:22 pm »
It says: can't rename, because this byte can't have a name (it is a tail byte).
What program do you use or how do I get different decompilation?
I'm using IDA.
It is possible that if there are examples, it would be easier for me to understand the problem.
 

Offline konnor

  • Contributor
  • Posts: 43
  • Country: ru
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #83 on: April 28, 2018, 04:39:15 pm »
Please add also the copying of the GEL file in the NAND, since it may/usually contain the bootloader. That makes available the GELs with bootloaders that are not public.
This does not make sense, since the bootloader must be in spi-nvram (the processor is loaded from there). You just need to cut off the tail of the DS1KZ_NVRAM.BIN.

Everyone can brick their devices now...  :) The only thing missing is a tutorial to start from scratch with a fully erased device.
It's simple ;D
1) Open device
2) Write a file DS1KZ_NVRAM.BIN to W25X40 (by jtag, by external programmer or any other method)
3) Insert USB Flash with gel and  power on

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: ee
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #84 on: April 28, 2018, 05:46:33 pm »
It says: can't rename, because this byte can't have a name (it is a tail byte).
What program do you use or how do I get different decompilation?
I'm using IDA.
It is possible that if there are examples, it would be easier for me to understand the problem.
I open the SparrowApp file in IDA, I don't choose any settings and it does its magic. Now there are
all functions and disassembly in IDA View-A.
I take your Func_full.lst and make an idc file from it with the replace command in Notepad. There is:
40000010 _task_block
400000e0 _sched_run_internal
400000f0 _CHECK_RUN_SCHEDULER
...

I replace (.*) (.*) with MakeName(0x\1, "\2" ); and get:
MakeName(0x40000010, "_task_block");
MakeName(0x400000e0, "_sched_run_internal");
MakeName(0x400000f0, "_CHECK_RUN_SCHEDULER");
...

After that I remove all with no names, so I get 6480 functions at this time
in the Func_full.idc file. Now I open it: File -> Script file... and most of the functions are renamed.
But I have a different disassembly view and not all addresses are functions... in 207 places.
 

Offline konnor

  • Contributor
  • Posts: 43
  • Country: ru
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #85 on: April 28, 2018, 06:02:39 pm »
The problem is that before the MakeName command it is necessary to remove the arrays that were created incorrectly.
In addition, you can use the MakeCode / MakeFunction functions.
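Added example (not a file from the thread): a generator that turns a Func_full.lst listing into an IDC script the way janekivi's Notepad replace does, but, following konnor's reply, it first undefines whatever item IDA created over the address (the "tail byte" case), then makes code and a function there, and only then applies the name. The listing format and the three addresses are the ones quoted above; the IDC calls MakeUnknown, MakeCode, MakeFunction and MakeName with DOUNK_SIMPLE and BADADDR are the legacy IDC API of IDA 6.x, and that they are still accepted by your IDA version is an assumption to check.

```python
"""Turn a Func_full.lst listing ('<hex addr> <name>' per line) into an IDC
script that clears any wrongly auto-created item at each address, makes code
and a function there, and then applies the name.

Added example, not from the thread. Listing format and the MakeName
replacement follow janekivi's post; undefining first and using
MakeCode / MakeFunction follows konnor's reply. The IDC calls are the legacy
IDA 6.x IDC API (an assumption for newer IDA versions).
"""
from __future__ import annotations

import re

# One listing line: hex address, whitespace, a symbol name. Lines without a
# name and '...' separators do not match and are skipped, which is what
# janekivi did by hand before loading the script.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{1,8})\s+(\S+)\s*$")


def parse_listing(text: str) -> list[tuple[int, str]]:
    """Return (address, name) pairs for every well-formed listing line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1), 16), m.group(2)))
    return entries


def _idc_string(name: str) -> str:
    """Quote a symbol as an IDC string literal."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def idc_statements(addr: int, name: str, fix_items: bool = True) -> list[str]:
    """IDC statements for one address.

    With fix_items, the item covering the address is undefined first (the
    'tail byte' case: the address sits inside an array IDA created), then
    code and a function are made so MakeName lands on a head byte.
    """
    ea = f"0x{addr:08x}"
    stmts = []
    if fix_items:
        stmts.append(f"MakeUnknown({ea}, 1, DOUNK_SIMPLE);")  # drop the covering item
        stmts.append(f"MakeCode({ea});")
        stmts.append(f"MakeFunction({ea}, BADADDR);")          # BADADDR: IDA finds the end
    stmts.append(f"MakeName({ea}, {_idc_string(name)});")
    return stmts


def build_idc(listing: str, fix_items: bool = True) -> str:
    """Whole IDC script, to be loaded with File -> Script file... in IDA."""
    body = []
    for addr, name in parse_listing(listing):
        body.extend("    " + s for s in idc_statements(addr, name, fix_items))
    return "#include <idc.idc>\n\nstatic main()\n{\n" + "\n".join(body) + "\n}\n"


# Constructed sample in the format of Func_full.lst: the first three lines are
# the ones quoted in the thread; the '...' line and the unnamed address are skipped.
SAMPLE_LISTING = """\
40000010 _task_block
400000e0 _sched_run_internal
400000f0 _CHECK_RUN_SCHEDULER
...
40000200
"""

if __name__ == "__main__":
    print(build_idc(SAMPLE_LISTING))
```

Run it as `python gen_idc.py > Func_full.idc` against the real listing; pass `fix_items=False` to reproduce janekivi's plain MakeName script for comparison.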
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1852
  • Country: pt
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #86 on: April 28, 2018, 08:58:37 pm »
This does not make sense, since the bootloader must be in spi-nvram (the processor is loaded from there). You just need to cut off the tail of the DS1KZ_NVRAM.BIN.

I know that the "booting" bootloader is in the SPI-NVRAM. But why cut and insert a bootloader in a GEL if I can get the full assembled GEL straight from the NAND with the bootloader inside...

Most of the files that you chose to copy from /SYS/ were also extractable from the DS1KZ_NVRAM.BIN.
« Last Edit: April 28, 2018, 09:23:16 pm by tv84 »
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: ee
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #87 on: April 29, 2018, 06:35:07 am »
You can't.
In the W25X40 the bootloader is at the beginning. It is there until you use a GEL update with a bootloader.
So far there is only one public version with 0.0.1.0 - Sparrow(Boot)update_00.04.00.00.00
Until you do a bootloader update you can get the old bootloader from the eeprom.
Now the NAND is 128MB. One part is 90,5MB Local DISK and another is 37,5MB /SYS (I think)?
In SYS are DS1000ZUpdate.GEL, all files from the GEL except the bootloader, and some system files,
as are visible in the pictures before where we made that SuperSecretRigolFlash.

Now you need konnor's patched firmware for his plugins. What happens if you update the GEL? :)
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1852
  • Country: pt
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #88 on: April 29, 2018, 12:16:56 pm »
You can't.
In the W25X40 the bootloader is at the beginning. It is there until you use a GEL update with a bootloader.
So far there is only one public version with 0.0.1.0 - Sparrow(Boot)update_00.04.00.00.00
Until you do a bootloader update you can get the old bootloader from the eeprom.
Now the NAND is 128MB. One part is 90,5MB Local DISK and another is 37,5MB /SYS (I think)?
In SYS are DS1000ZUpdate.GEL, all files from the GEL except the bootloader, and some system files,
as are visible in the pictures before where we made that SuperSecretRigolFlash.

Now you need konnor's patched firmware for his plugins. What happens if you update the GEL? :)

Didn't quite understand but...

I thought about it and, if a guy has konnor's patched GEL, then he won't have "an original" GEL with a possible bootloader.

So, for this reason, with this method the GEL download is irrelevant. Only an external download could solve it.

We'll have to get by with NVRAM extraction.

So when anyone extracts NVRAMs with bootloaders 1.1 or 1.3 please post them.
 

Offline konnor

  • Contributor
  • Posts: 43
  • Country: ru
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #89 on: April 29, 2018, 01:21:44 pm »
It is not difficult for me to make a copy of the gel file (attached).
But I do not understand how it can be applied. If the oscilloscope has an original gel, the plugin cannot be loaded. If patched, then why read it back from the oscilloscope? Just download it from the first page of this topic. ;)
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1852
  • Country: pt
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #90 on: April 29, 2018, 06:41:12 pm »
It is not difficult for me to make a copy of the gel file (attached).
But I do not understand how it can be applied. If the oscilloscope has an original gel, the plugin cannot be loaded. If patched, then why read it back from the oscilloscope? Just download it from the first page of this topic. ;)

I concluded that the GEL with your patch is not what I wanted (see my previous msg). But, BTW, the file that you attached can't be a GEL or it's a top-secret format.
 

Offline konnor

  • Contributor
  • Posts: 43
  • Country: ru
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #91 on: April 29, 2018, 07:07:43 pm »
I saw the message:
Please add also the copying of the GEL file in the NAND, since it may/usually contain the bootloader. That makes available the GELs with bootloaders that are not public.
I tried to explain that this function does not make sense.
But for me it's more difficult to argue than to compile a plugin that copies a gel file from nand. So I added the requested function, rebuilt the plugin and attached a special version of the plugin.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: ee
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #92 on: April 29, 2018, 08:01:33 pm »
You can't.
In the W25X40 the bootloader is at the beginning. It is there until you use a GEL update with a bootloader.
So far there is only one public version with 0.0.1.0 - Sparrow(Boot)update_00.04.00.00.00
Until you do a bootloader update you can get the old bootloader from the eeprom.
Now the NAND is 128MB. One part is 90,5MB Local DISK and another is 37,5MB /SYS (I think)?
In SYS are DS1000ZUpdate.GEL, all files from the GEL except the bootloader, and some system files,
as are visible in the pictures before where we made that SuperSecretRigolFlash.

Now you need konnor's patched firmware for his plugins. What happens if you update the GEL? :)
I continue from here...
What happens if you update the GEL? You need to update it to have the patched APP in the scope to use
konnor's plugins for making backups, for example. But then you overwrite DS1000ZUpdate.GEL
and all the files extracted from it. There is no more stock GEL to back up. Even if you make a GEL from
one file (SparrowApp), like I did, you overwrite the old GEL. You can see it in the /SYS directory image.
Mine is only 1.0 M long. So you have there the GEL you just uploaded...

But can a new bootloader be made? It boots and there is a menu which you select with the knob.
In the menu are SparrowApp, custom app (with plugins), Tetris, Snake, DOOM (I saw somewhere
a Linux version)...
 

Offline maximevince

  • Contributor
  • Posts: 8
  • Country: be
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #93 on: December 13, 2018, 11:03:20 am »
Hi Konnor et al.,

Sorry for necrobumping, but this seems the appropriate thread.

The custom firmware and plugin system looks really awesome.
Only downside to me seems that you still need to open up the oscilloscope and overwrite the firmware, in order to be able to use plugins.

I have long been thinking if it would be possible to exploit some part of the USB stack in the scope, to be able to create a plugin system.
That way it would be possible to load code into the RAM and execute this. This could contain a small loader which allows custom plugins, or even jumping to a Linux bootloader, or launching my port of DOOM for the Rigol :)

Do any of you have readable IDA disassemblies of the firmware, and an idea how the USB code works?
We could start looking for vulnerabilities in the USB stack to exploit these.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1852
  • Country: pt
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #94 on: December 13, 2018, 02:51:00 pm »
Only downside to me seems that you still need to open up the oscilloscope and overwrite the firmware, in order to be able to use plugins.

What do you mean "open up"? You don't need to open it in order to patch the FW.

User rhb is also investigating in the "booting from USB" area.
 
The following users thanked this post: maximevince

Offline MarkF

  • Super Contributor
  • ***
  • Posts: 1872
  • Country: us
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #95 on: December 13, 2018, 06:38:58 pm »
 :popcorn: 
 

Offline Stefan_Z

  • Newbie
  • Posts: 4
  • Country: de
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #96 on: January 03, 2019, 10:50:45 am »
Hello!
This is my 1st post, hope I am not intruding on this thread…

Does any of you have a list of all the SCPI commands the DS1000Z recognizes?
And I don't mean the programmer's guide, I mean from the disassembled firmware.

Because I noticed that some stuff is missing or undocumented:
#1 - Setting up USB file formats and triggering save (DS4000E series has :SAVE Commands). I guess Rigol left this out for some "protecting the upper price segment" reasons.
Maybe there is something the manual doesn't tell us…
#2 - The :LAN Commands (from the DS4000E manual) are such a case - they work fine on my DS1054Z, but the manual does not mention them.

 

Offline PeDre

  • Regular Contributor
  • *
  • Posts: 184
  • Country: at
    • Private Website
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #97 on: January 03, 2019, 01:21:42 pm »
Does any of you have a list of all the SCPI commands the DS1000Z recognizes?
And I don't mean the programmer's guide, I mean from the disassembled firmware.
« Last Edit: January 03, 2019, 01:28:58 pm by PeDre »
 
The following users thanked this post: BravoV, _Wim_, ebastler, bitseeker, Marcos, RoGeorge, simas1017, DC1MC, lfldp

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: ro
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #98 on: January 03, 2019, 07:45:00 pm »
Does any of you have a list of all the SCPI commands the DS1000Z recognizes?
And I don't mean the programmer's guide, I mean from the disassembled firmware.

Very useful, thank you.

I would like to send Beep/Bell and custom text messages using SCPI commands.  Couldn't find any commands to do that.  For a short beep (keypress beep style), it is possible to send a ':SYST:BEEP 1' as a workaround.

Is there any way to send a long beep (Error style beep)?
Is there any way to put a custom text message to the oscilloscope's screen, or at least to send a custom message ('Parameter Limited!' style)?
« Last Edit: January 03, 2019, 07:46:32 pm by RoGeorge »
 

Offline Stefan_Z

  • Newbie
  • Posts: 4
  • Country: de
Re: Rigol DS1000Z - firmware patch & plugins
« Reply #99 on: January 03, 2019, 09:10:58 pm »
Thanks a lot!
Look at all those hidden gems!

PS - is there a way to pass a string for the text input fields like the filename?
 

