Author Topic: Rigol MSO2000 series hacking  (Read 161405 times)


Offline Slappy_g (Topic starter)

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #125 on: August 27, 2014, 01:20:58 am »
On the 32-bit Win 7 laptop it at least finds the Olimex adapter, and it appears to connect to it, as the LED changes from green to red and it tells me it's using the libftdi driver!

Mine is not the H version adaptor.

I get the TDO stuck low error message irrespective of whether it's connected to the DSO or not.

As much as it sounds like the default help desk answer...  try rebooting.  Failing that, check to ensure that you are running the command prompts as administrator.  If the title bar does not say "Administrator: Command Prompt" explicitly, then you are not.  That can often be a problem, as low-level port I/O can be flaky without elevation of rights.
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Bukurat

  • Regular Contributor
  • *
  • Posts: 65
  • Country: au
Re: Rigol MSO2000 series hacking
« Reply #126 on: August 27, 2014, 02:51:19 am »
It's dumping as I write.

I redid all the cabling from the ARM-USB-OCD adaptor, this time leaving the supplied cable off and connecting directly to the pins on the adaptor.

For anyone using Windows, turn your virus scanner off before running the programs. Avast insists on deep scanning anything it doesn't know about, and this stuffs up the timing.

Edit.

All done!
« Last Edit: August 27, 2014, 05:50:56 am by Bukurat »
 

Offline navzptc

  • Contributor
  • Posts: 26
Re: Rigol MSO2000 series hacking
« Reply #127 on: August 27, 2014, 10:53:32 am »
Quote
Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, reading to 0x01FFFFFF to dump the SRAM contents takes 5m 36s (just timed it!), which works out to approximately 22.5m for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run getting it all set up. Looks like the 'H' version is a lot quicker, then  :-+

Andy
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1729
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #128 on: August 27, 2014, 11:11:23 am »
Quote
Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, reading to 0x01FFFFFF to dump the SRAM contents takes 5m 36s (just timed it!), which works out to approximately 22.5m for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run getting it all set up. Looks like the 'H' version is a lot quicker, then  :-+

Andy
So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF, am I right?
If at first you don't succeed, get a bigger hammer
 

Offline navzptc

  • Contributor
  • Posts: 26
Re: Rigol MSO2000 series hacking
« Reply #129 on: August 27, 2014, 11:22:48 am »
Quote
Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, reading to 0x01FFFFFF to dump the SRAM contents takes 5m 36s (just timed it!), which works out to approximately 22.5m for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run getting it all set up. Looks like the 'H' version is a lot quicker, then  :-+

Andy
So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF, am I right?

I'm using my JTAG on my DSA815-TG to try and recover my lost calibration data, and only read to 0x01FFFFFF. The DSA only has 32 MB of SRAM, and I believe that the DSO memory map is the same and that there is no need to go to 0x07FFFFFF.

Andy
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #130 on: August 27, 2014, 02:25:12 pm »
So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF, am I right?

The "rigup.exe" tool searches for a certain (as I remember, 8-byte-long) binary pattern in the memory dump file. This signals that the private key section follows. If those people who have done the hack successfully post here which address it is at in their dump file, we can narrow the address range for a dump (and make it faster).
 

Offline Slappy_g (Topic starter)

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #131 on: August 28, 2014, 03:11:36 am »
So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF, am I right?

The "rigup.exe" tool searches for a certain (as I remember, 8-byte-long) binary pattern in the memory dump file. This signals that the private key section follows. If those people who have done the hack successfully post here which address it is at in their dump file, we can narrow the address range for a dump (and make it faster).

Here's my contribution.  I have highlighted the semaphore bits that mark the start of the key block.  I have blacked out the rest, since I don't trust all you slackers...   :-DD

So the base address at which you could start the dump would be 01B5E000, capturing through 01B5EFFF.  Boy, I wish I had known that.  Would have saved me HOURS.
« Last Edit: August 28, 2014, 03:13:41 am by Slappy_g »
 

Online Gixy

  • Regular Contributor
  • *
  • Posts: 232
  • Country: fr
Re: Rigol MSO2000 series hacking
« Reply #132 on: August 28, 2014, 07:33:59 am »
Thx Slappy_g,
Does that mean that item #19 of your step-by-step procedure should be updated?
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #133 on: August 28, 2014, 07:46:37 am »
If you are only doing a partial memory dump you will need to use a range that includes the serial number as well as the keys.
On my scope the serial number is at 00EBA382 and the keys are at 01B5EC08, so I would suggest a dump range of 00EBA000 to 01B60000.
 

Offline Slappy_g (Topic starter)

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #134 on: August 28, 2014, 11:41:46 am »
Thx Slappy_g,
Does that mean that item #19 of your step-by-step procedure should be updated?

Basically, yes, I could update the instructions, but I want to wait until we have confirmation from more people on their memory location.

For now, the instructions are safer as-is.
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1729
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #135 on: August 28, 2014, 12:18:29 pm »
Cool!  I have the Olimex widget in my hands now. Unfortunately, it's my wife's birthday and I suspect I'll be unable to creep off into my mancave tonight to do the dump deed :-\ but I feel the end of my epic 'War and Peace' saga of trying to get this done is in sight.
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #136 on: August 28, 2014, 01:44:50 pm »
HELP
Please, urgent help.
It seems that it sees the USB BLASTER.
Below, see PHOTO.
I plugged the ALTERA USB BLASTER into JTAG - SCOPE.
>> What do I do now?
>> Type "bfin-gdbproxy.exe --debug bfin --frequency = 5000000" ???
Then start bfin-elf-gdb.exe
then what?
day...
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #137 on: August 28, 2014, 02:02:50 pm »
@Milek
Open another command window in the same directory (leave the existing command window open).
Type the following in the new command window:

bfin-uclinux-gdb (you will need to replace this with the Windows GDB name)
target remote :2000
dump binary memory ds2k_00_sdram.bin   0x00EBA000  0x01B60000
« Last Edit: August 28, 2014, 02:14:09 pm by Macman »
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #138 on: August 28, 2014, 02:24:11 pm »

new command window: bfin-uclinux-gdb
Do I run a second window, "bfin-proxy"?
When I type "bfin-gdbproxy.exe --debug bfin --frequency = 5000000", in what window?
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #139 on: August 28, 2014, 02:33:27 pm »
@Milek,

I thought you had already got the proxy running because of the screen shot you posted.

You need 2 command windows open in the directory where the blackfin toolchain binary files are.
In the first window you type the proxy command line you mentioned.

Then in the second command window you type the lines in the previous post. You may need to change the name of the GDB program to match the file names you have in the bin directory. Look at a list of file names in the directory; it should be obvious.

<edit>
Just as a tip.
An easy way to open a command window in a specific directory is to hold down the shift key and right click on the directory then select 'Open command window here'
« Last Edit: August 28, 2014, 02:58:59 pm by Macman »
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #140 on: August 28, 2014, 03:06:53 pm »
When I open a second window, "bfin-gdbproxy.exe" writes "failed usb cable".
In any window, you cannot write anything???
What's going on?
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #141 on: August 28, 2014, 03:15:53 pm »
Can you post a screen shot of the command windows you have open?
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #142 on: August 28, 2014, 03:53:43 pm »
@Milek

If you have the cable connected correctly and you still can't get the bfin-gdbproxy to work, it could be that the Blackfin toolchain is not compatible with the Altera driver. If you can't get the bfin-gdbproxy to work, there is no point in going on to start gdb in the other window.

I never tried doing the dump in Windows, because all the successful reports I saw were done using Linux and I didn't want the hassle of trying untested things in Windows.

If it is still not working I guess you have 2 choices, purchase the Olimex adapter or use Linux with your existing altera blaster clone.
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #143 on: August 28, 2014, 04:13:58 pm »
I have a dump of the proxy
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #144 on: August 28, 2014, 04:16:58 pm »
It looks like it is outputting the help screen because you have typed the parameters incorrectly.
Press Ctrl-C and shut down the command window. Open the command window again and try again.

edit
I just noticed in the line in your previous post you had 'frequency = 5000000' this should be 'frequency=5000000' i.e. without the spaces.
« Last Edit: August 28, 2014, 04:24:41 pm by Macman »
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #145 on: August 28, 2014, 05:05:14 pm »
You're right mate. Thanks a lot. Now I think it is ok?
See photo and text
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #146 on: August 28, 2014, 05:15:22 pm »
OK Looks good so far. Leave this command window open and open a second command window and type the GDB line I gave a few posts back.
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #147 on: August 28, 2014, 05:25:31 pm »
Give me an example, OK? What name do I replace in Windows? I'm afraid a little bit and I want to type correctly.
If so, do I have to enter a string with a space?
bfin-uclinux-gdb target remote: 2000 binary memory dump ds2k_00_sdram.bin 0x00EBA000 0x01B60000
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #148 on: August 28, 2014, 05:34:49 pm »
In the command window just type:
bfin-uclinux-gdb
Then type the following 2 lines:

target remote :2000
dump binary memory ds2k_00_sdram.bin   0x00EBA000  0x01B60000

Note the ':' is next to the 2000
Don't worry if it is the wrong program name; it just will not work. If it rejects it, just tell me the directory path you opened the command window in and I will give you the correct name.
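Several posts in this thread hit the same failure modes: a proxy that reports TDO stuck low, a dump that silently produces nothing useful, or a range typed wrongly so the file is not the size anyone expected. The script below is an added example, not code from the thread or from the Blackfin toolchain, that checks a dump file after the fact. It assumes that GDB's `dump binary memory FILE START END` writes END - START bytes (the end address is exclusive), and that a JTAG read which fails without an error tends to come back as a constant fill (all 0x00 or all 0xFF) rather than real memory contents. The sample buffers at the bottom are constructed; the throughput figure is the 5m 36s for a 32 MiB read quoted earlier in the thread.

```python
"""Sanity-check a memory dump written by GDB's `dump binary memory`.

Added example, not code from the thread or from the Blackfin toolchain.
Assumptions: GDB's `dump binary memory FILE START END` writes END - START
bytes (END is exclusive); a JTAG read that fails silently (a stuck TDO
line, a flaky driver) tends to yield a constant fill such as all 0x00 or
all 0xFF rather than an error. The sample dumps below are constructed.
"""
import math
from collections import Counter


def expected_dump_size(start: int, end: int) -> int:
    """Bytes GDB writes for `dump binary memory FILE start end` (end exclusive)."""
    if end <= start:
        raise ValueError("start address must be lower than end address")
    return end - start


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant fill, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_dump(data: bytes, start: int, end: int) -> dict:
    """Report whether `data` is a plausible dump of the range [start, end)."""
    expected = expected_dump_size(start, end)
    distinct = set(data)
    report = {
        "expected_size": expected,
        "actual_size": len(data),
        "size_ok": len(data) == expected,
        "entropy_bits_per_byte": round(byte_entropy(data), 3),
    }
    if not report["size_ok"]:
        report["verdict"] = "size mismatch: dump was cut short or the wrong range was given"
    elif len(distinct) == 1:
        # A real SDRAM image has code, strings and tables; a single repeated
        # byte means the probe returned nothing useful, not that RAM is blank.
        report["verdict"] = "degenerate: constant 0x%02X fill, JTAG read probably failed" % data[0]
    else:
        report["verdict"] = "plausible"
    return report


def estimate_seconds(nbytes: int, measured_bytes: int, measured_seconds: float) -> float:
    """Scale a timed dump to another size, assuming the transfer rate stays constant."""
    return nbytes * measured_seconds / measured_bytes


if __name__ == "__main__":
    # Range suggested in the thread: serial number through the key block.
    size = expected_dump_size(0x00EBA000, 0x01B60000)
    print("expected file size: %d bytes (0x%X)" % (size, size))
    # Reported timing: 32 MiB (up to 0x01FFFFFF) in 5 min 36 s on the H adapter.
    print("estimated time at that rate: %.0f s" % estimate_seconds(size, 0x02000000, 336))
    good = bytes(range(256))        # constructed: varied content
    stuck = b"\x00" * 256           # constructed: what a stuck data line looks like
    short = bytes(range(200))       # constructed: dump interrupted early
    for name, blob in (("good", good), ("stuck", stuck), ("short", short)):
        print(name, check_dump(blob, 0x1000, 0x1100)["verdict"])
```

To use it on a real file, read the file with `open(path, "rb").read()` and pass the same two addresses you typed into GDB; a size mismatch means the dump did not finish or the range was mistyped, and a constant fill means the adapter, driver or cabling needs attention before the dump is worth anything.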
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #149 on: August 28, 2014, 05:38:06 pm »
Once the dump starts, leave the first command window alone; it will continuously output debug messages as the dump progresses. The second command window (the one you are typing the commands into now) will not show any further output until the dump is complete, which I would expect to take around 20 minutes.
 

