Author Topic: Rigol MSO2000 series hacking  (Read 112760 times)

0 Members and 1 Guest are viewing this topic.

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #125 on: August 27, 2014, 01:20:58 am »
On the 32 Bit Win 7 laptop it at least finds the Olimex adapter. and appears to connect to it as the LED changes from green to red and it tells me its using the libftdi driver!

Mine is not the H version adaptor.

I get the TDO stuck low error message irrespective of whether its connected to the DSO or not.

As much as it sounds like the default help desk answer...  try rebooting.  Failing that, check to ensure that you are running the command prompts as administrator.  If the title bar does not say "Administrator: Command Prompt" explicitly, then you are not.  That can often be a problem, as low-level port I/O can be flaky without elevation of rights.
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Bukurat

  • Regular Contributor
  • *
  • Posts: 65
  • Country: au
Re: Rigol MSO2000 series hacking
« Reply #126 on: August 27, 2014, 02:51:19 am »
It's dumping as I write.

I redid all the cabling from the ARM-USB-OCD adaptor, this time leaving the supplied cable off and connecting directly to the pins on the adaptor.

For anyone using Windows, turn your Virus scanner off before running the programs. Avast insists on deep scanning anything it doesn't know about and this stuffs up the timing.

Edit.

All done!
« Last Edit: August 27, 2014, 05:50:56 am by Bukurat »
 

Offline navzptc

  • Contributor
  • Posts: 26
Re: Rigol MSO2000 series hacking
« Reply #127 on: August 27, 2014, 10:53:32 am »
Quote
Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, to read to 0x01FFFFFF to dump SRAM contents takes 5m 36s (Just timed it!), which works out to 22.5m approximately for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run on getting it all set up - Looks like the 'H' version is a lot quicker then  :-+

Andy
 

Online Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #128 on: August 27, 2014, 11:11:23 am »
Quote
Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, to read to 0x01FFFFFF to dump SRAM contents takes 5m 36s (Just timed it!), which works out to 22.5m approximately for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run on getting it all set up - Looks like the 'H' version is a lot quicker then  :-+

Andy
So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF am I right?
 

Offline navzptc

  • Contributor
  • Posts: 26
Re: Rigol MSO2000 series hacking
« Reply #129 on: August 27, 2014, 11:22:48 am »
Quote
Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, to read to 0x01FFFFFF to dump SRAM contents takes 5m 36s (Just timed it!), which works out to 22.5m approximately for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run on getting it all set up - Looks like the 'H' version is a lot quicker then  :-+

Andy
So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF am I right?

I'm using my JTAG on my DSA815-TG to try and recover my lost calibration data, and only read to 0x01FFFFFF - The DSA only has 32MB SRAM and I believe that the DSO memory map is also the same and that there is no need to go to 0x07FFFFFF.

Andy
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #130 on: August 27, 2014, 02:25:12 pm »
So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF am I right?

The "rigup.exe" tool is searching for some (as I remember 8 bytes long) binary pattern in the memory dump file. This signals that private key section follows. If those people who have done hack successfully post here which address is it in their dump file, we can narrow the address range for a dump (and make it faster).
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #131 on: August 28, 2014, 03:11:36 am »
So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF am I right?

The "rigup.exe" tool is searching for some (as I remember 8 bytes long) binary pattern in the memory dump file. This signals that private key section follows. If those people who have done hack successfully post here which address is it in their dump file, we can narrow the address range for a dump (and make it faster).

Here's my contribution.  I have highlighted the semaphore bits that mark the start of the key block.  I have blacked out the rest, since I don't trust all you slackers...   :-DD

So the base address you could start the dump, would be 01B5E000, and capture through 01B5EFFF.  Boy, I wish I had known that.  Would have saved me HOURS.
« Last Edit: August 28, 2014, 03:13:41 am by Slappy_g »
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Gixy

  • Regular Contributor
  • *
  • Posts: 192
  • Country: fr
Re: Rigol MSO2000 series hacking
« Reply #132 on: August 28, 2014, 07:33:59 am »
Thx Slappy_g,
Does that means that the item #19 of your step by step procedure should be updated?
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #133 on: August 28, 2014, 07:46:37 am »
If you are only doing a partial memory dump you will need to use a range that includes the serial number as well as the keys.
On my scope the serial number is at  00EBA382 and the keys are at 01B5EC08 so I would suggest a dump range of 00EBA000 to 01B60000.
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #134 on: August 28, 2014, 11:41:46 am »
Thx Slappy_g,
Does that means that the item #19 of your step by step procedure should be updated?

Basically, yes, I could update the instructions, but I want to wait until we have confirmation from more people on their memory location.

For now, the instructions are safer as-is.
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Online Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #135 on: August 28, 2014, 12:18:29 pm »
Cool!  I have the Olimex widget in my hands now, unfortunately, it's my wife's birthday and I suspect I'll be unable to creep off into my mancave tonight to do  the dump deed :-\ but I feel the end of my epic 'War and Peace' saga of trying to get this done is in sight.
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #136 on: August 28, 2014, 01:44:50 pm »
HELP
Please urgent help.
It seems that he sees the USB BLASTER
Ponirzej see PHOTO
I plugged ALTERA USB BLASTER JTAG - SCOPE.
>> What do I do now?
>> Type "bfin-gdbproxy.exe --debug bfin --frequency = 5000000" ???
Then start - bfin-elf-gdb.exe
then what?
day...
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #137 on: August 28, 2014, 02:02:50 pm »
@Milek
Open another command window in the same directory (leave the existing command window open).
Type the following in the new command window:

bfin-uclinux-gdb (you will need to replace this with the Windows GDB name)
target remote :2000
dump binary memory ds2k_00_sdram.bin   0x00EBA000  0x01B60000
« Last Edit: August 28, 2014, 02:14:09 pm by Macman »
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #138 on: August 28, 2014, 02:24:11 pm »

new command window: bfin-uclinux-gdb
I run a second window "bfin-proxy?
when I type "bfin-gdbproxy.exe --debug bfin --frequency = 5000000" and what window?
























 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #139 on: August 28, 2014, 02:33:27 pm »
@Milek,

I thought you had already got the proxy running because of the screen shot you posted.

You need 2 command windows open in the directory where the blackfin toolchain binary files are.
In the first window you type the proxy command line you mentioned.

Then in the second command window you type the lines in the previous post. You may need to change the name of the GDB program to match the file names you have in the bin directory. Look at a list of file mnames in the directory, it should be obvious.

<edit>
Just as a tip.
An easy way to open a command window in a specific directory is to hold down the shift key and right click on the directory then select 'Open command window here'
« Last Edit: August 28, 2014, 02:58:59 pm by Macman »
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #140 on: August 28, 2014, 03:06:53 pm »
how to open a second window "bfin-gdbproxy.exe" it writes falided usb cable,
In any window, you can not write anything ???
What's going on?
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #141 on: August 28, 2014, 03:15:53 pm »
Can you post a screen shot of the command windows you have open?
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #142 on: August 28, 2014, 03:53:43 pm »
@Milek

If you have the cable connected correctly and you still can't get the bfin-gdbproxy to work it could be that the Blackfin tool chain is not compatable with the altera driver. If you can't get the bfin-gdbproxy to work there is no point in going on to start gdb in the other window.

I never tried in doing the Dump in Windows because all the sucessful reports I saw were done using Linux and I did't want the hassle of trying untested things in Windows.

If it is still not working I guess you have 2 choices, purchase the Olimex adapter or use Linux with your existing altera blaster clone.
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #143 on: August 28, 2014, 04:13:58 pm »
I have a dump of the proxy
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #144 on: August 28, 2014, 04:16:58 pm »
It looks like it is outputting the help screen because you have typed the parameters incorrectly.
press control C and shutdown the command window. Open the command window again and try again.

edit
I just noticed in the line in your previous post you had 'frequency = 5000000' this should be 'frequency=5000000' i.e. without the spaces.
« Last Edit: August 28, 2014, 04:24:41 pm by Macman »
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #145 on: August 28, 2014, 05:05:14 pm »
You're right mate. Thanks a lot. Now I think it is ok?
See photo and text
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #146 on: August 28, 2014, 05:15:22 pm »
OK Looks good so far. Leave this command window open and open a second command window and type the GDB line I gave a few posts back.
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #147 on: August 28, 2014, 05:25:31 pm »
Give me an example ok? what name do I replace windows? I'm afraid a little bit and I want to type correctly.
if so i have to enter a string with a space?
bfin-uclinux-gdb target remote: 2000 binary memory dump ds2k_00_sdram.bin 0x00EBA000 0x01B60000
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #148 on: August 28, 2014, 05:34:49 pm »
In the command window just type:
bfin-uclinux-gdb
Then type the following 2 lines:

target remote :2000
dump binary memory ds2k_00_sdram.bin   0x00EBA000  0x01B60000

Note the ':' is next to the 2000
Don't worry if it is the wrong program name it just will not work. If it rejects just tell be the directory path you opened the command window in and I will give you the correct name.
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #149 on: August 28, 2014, 05:38:06 pm »
Once the dump starts leave the first command window will continuously output debug messages as the dump progresses. The second command window (the one you are typing the commands in to now will not show any further output until the dump is complete, which I would expect to take around 20 minutes.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf