Author Topic: Rigol MSO2000 series hacking  (Read 112807 times)


Offline AntiCat

  • Contributor
  • Posts: 12
Re: Rigol MSO2000 series hacking
« Reply #25 on: August 14, 2014, 06:17:06 pm »
Not sure where you are on the planet (or even if you ARE on the planet) but Tequipment.net web site says they have 23 in stock and you can get 6% discount by using the code EEVBLOG6 giving a final price of $1,164.66 with free shipping.  I have ordered other stuff from them in the past and they are good to deal with.

I'm from Switzerland so it is an additional 130$ for shipping and 200$ for import taxes. This is approximately the same as the local distributor. At this price range I prefer to have a point of contact nearby. However your suggestion is very tempting..
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #26 on: August 15, 2014, 03:44:33 am »
gentlemen,
I have a question:
1 - Now I was left with 1720 min. Trial Version.
2 - As time runs out Trial Version is no longer possible for a JTAG or upgrade done by the official Version ???
Thank you.
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #27 on: August 15, 2014, 06:55:08 am »
gentlemen,
As time runs out Trial Version is no longer possible for a JTAG or upgrade done by the official Version ???
Thank you.

You can enter a code to have some special features at any time, during a trial period or after it expires. It does not matter if the code is bought officially or created with the rigol hack tool based on data obtained via a JTAG memory dump.
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #28 on: August 16, 2014, 02:28:14 am »
OK guys - had the scope for a bit (MSO 2072A, latest SW, HW 2.02), and got it opened up today since my Olimex OCD-ARM-JTAG arrived from Sparkfun.

I'm running into an issue on Win 7 x64, even when running this from a command prompt as admin.  Any ideas?  Unplugging/replugging and reinstalling drivers does not seem to help.  I do have a functioning COM11: port for the debugger device.

Code:
GO!:>bfin-gdbproxy.exe --debug bfin --frequency=500000

Remote proxy for GDB, v0.7.2, Copyright (C) 1999 Quality Quorum Inc.
MSP430 adaption Copyright (C) 2002 Chris Liechti and Steve Underwood
Blackfin adaption Copyright (C) 2008 Analog Devices, Inc.

GDBproxy comes with ABSOLUTELY NO WARRANTY; for details
use `--warranty' option. This is Open Source software. You are
welcome to redistribute it under certain conditions. Use the
'--copying' option for details.

debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
error: Couldn't connect to suitable USB device.
error:     bfin: cable initialization failed
debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
error: Couldn't connect to suitable USB device.
error:     bfin: cable initialization failed
^C
GO!:>
« Last Edit: August 16, 2014, 03:11:45 am by Slappy_g »
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #29 on: August 16, 2014, 03:53:11 am »
Replying to myself...

I am trying this option now - hope it's helpful to people:

  • Download urJTAG (from http://urjtag.org/)
  • Install it... (I recommend NOT running installer as admin and putting it somewhere within your user profile directory - if you don't know what that means, use Google)
  • Launch the JTAG Shell icon it puts in your start menu - handy!
  • Type these commands:
      cable arm-usb-ocd
      frequency 5000000
      detect
      initbus bf526_ezkit
      readmem 0x00000000 0x001FFFFF output.dmp
  • Hope and pray that it works - since it's midnight here, I'm hoping I didn't do something stupid so far.
  • Also, I recommend pointing a nice strong fan at the device while you're dumping the RAM, as the FPGAs get HOT!
« Last Edit: August 16, 2014, 04:19:09 am by Slappy_g »
 

Online MattSR

  • Regular Contributor
  • *
  • Posts: 93
  • Country: au
Re: Rigol MSO2000 series hacking
« Reply #30 on: August 16, 2014, 10:24:04 am »
Awesome work guys! I think I'll buy the MSO2702A now instead of the DSO2702A
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #31 on: August 16, 2014, 12:54:16 pm »
OK, so I saw Slappy_g's post and thought I'd try his route using Windows rather than Linux.

I downloaded urJTAG vn 10 but it wouldn't install in Windows 7, 64 bit, but then it did when I right clicked and ran as admin.

My problem is that windows can't find a driver for my el-cheapo eBay 'Altera' USB Blaster, it sees it but there's a yellow triangle in system devices and it says the driver isn't loaded.

Any ideas?


 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
Re: Rigol MSO2000 series hacking
« Reply #32 on: August 16, 2014, 01:06:01 pm »

<snip>
Also, I recommend pointing a nice strong fan at the device while you're dumping the RAM, as the FPGAs get HOT!


When I did the JTAG dump I routed the JTAG cables out of the corner of the shielding and temporarily put the rear shielding back on so that it would be cooled in the normal way.

It will be interesting to see if you can get it to work in Windows with urJTAG.
Is there any reason you are only dumping to 0x001FFFFF?

@Gandalf_Sr
You can download a Windows driver from the Altera website which should work OK with the clone USB blaster.
 

Offline Mark_O

  • Frequent Contributor
  • **
  • Posts: 937
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #33 on: August 16, 2014, 01:09:19 pm »
My problem is that windows can't find a driver for my el-cheapo eBay 'Altera' USB Blaster, it sees it but there's a yellow triangle in system devices and it says the driver isn't loaded.

Any ideas?

If you didn't get one of the little mini-CDs with the device, the actual Altera drivers here may work for you...

http://www.altera.com/download/drivers/dri-index.html
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #34 on: August 16, 2014, 01:26:27 pm »

It will be interesting to see if you can get it to work in Windows with urJTAG.
Is there any reason you are only dumping to 0x001FFFFF?

Yeah, the reason was that I was sleep deprived. I started the proper range after I realized that and promptly fell asleep on my keyboard. I'm about to go and see if it worked.

Sent from my SM-N900T using Tapatalk

 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #35 on: August 16, 2014, 01:59:41 pm »
Thanks guys, the el-cheapo USB Blaster came with instructions in Chinese but no drivers.  It looks like I may have to download a free version of Quartus to get the drivers  :(
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #36 on: August 16, 2014, 04:40:06 pm »
Aside from Windows deciding to take half an hour downloading updates, I did manage to get drivers installed for the 'Altera' USB Blaster.

I installed urJTAG but when I try to run the shell I get an error window telling me that libusb0.dll is missing from my system.  Any suggestions?
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #37 on: August 16, 2014, 06:07:35 pm »
So, rigup is reporting that it can't find any keys in my memory dump...


Any ideas?

 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #38 on: August 16, 2014, 06:16:13 pm »
I gave up on Windoze and ran up my tiny little Dell Netbook powered by an Intel Atom processor.

That netbook came with XP but it was so slow that I wiped Windows and installed Ubuntu, mainly cos there's a version for the Dell Netbook.

Following the instructions on the MEGA thread did not appear to go completely smoothly - the install of blackfin went OK but the following issues occurred:

1. The command to set the speed to 5000000 didn't work, the system responded that the speed of the USB Blaster was locked at 12000000 (12 MHz)

2. when I did the part where you test GDB by issuing the info mem command at the (GDB) prompt, it gave me the following message...

Warning: Can not parse XML memory map; XML support was disabled at compile time
There are no memory regions defined

Anyway, I pressed on and started the 'dump binary memory' and it seems to be running, the server window shows what appear to be block reads and I'm up to 02D0XXXX after 47 minutes - my simple math suggests that it will take just over 2 hours to complete.

Watch this space....
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #39 on: August 16, 2014, 06:17:23 pm »
So, rigup is reporting that it can't find any keys in my memory dump...


Any ideas?

Sent from my SM-N900T using Tapatalk
Bummer  :(

Do you have the right dump?
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #40 on: August 16, 2014, 06:59:02 pm »
Bummer  :(

Do you have the right dump?

I do. Definitely has good data in it, as I checked with a hex editor. I used the model number ds2072a when running rigup, as it doesn't accept the MSO model numbers.

Is there a step I'm missing here?

 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #41 on: August 16, 2014, 07:17:14 pm »
Bummer  :(

Do you have the right dump?

I do. Definitely has good data in it, as I checked with a hex editor. I used the model number ds2072a when running rigup, as it doesn't accept the MSO model numbers.

Is there a step I'm missing here?

Sent from my SM-N900T using Tapatalk
I don't think you've missed a step, Marcel has said that he used Linux cos he'd heard of people having problems in Windoze, I am up to 06A0XXXX of 07FFFFFF so I should know fairly soon if it's worked for me.  Do you have access to a Linux machine?
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #42 on: August 16, 2014, 07:19:22 pm »
There is a user from France, MarcelM, reporting success on MSO 2072 A, SW 3.0.SP1 and HW 2.2 using JTAG. It is a bit difficult to find the exact post here but he has done nothing special, simply connected JTAG and used rigol.exe.
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #43 on: August 16, 2014, 07:23:28 pm »
It is not necessary to have a Linux machine. I am waiting for my JTAG adapter to be delivered and during this time I arranged a USB key with a bootable Ubuntu (look for "universal-usb-installer" and "ubuntu 14.0.1 desktop i386" or "x64").
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #44 on: August 16, 2014, 07:33:30 pm »
Excellent idea...  Trying now.

UPDATE: So, that string does not appear to be in the dump file anywhere...  The file is exactly 128MB in size, and appears to contain lots of identifiable strings including my serial number and the entire contents of the HTML help system.

It doesn't make sense that it would be a "corrupted" dump if I'm seeing real, readable data, but I guess I'm not sure what I'm supposed to see.  Is there a different way to try the dump?  I ended up switching to the WinUSB driver and using the bfin-gdbproxy and bfin-elf-gdb approach.



Can you find the hex pattern "020084001000" in your dump file, as in the rigup utils.c file?

KeyData* ScanKeys(const void *data, size_t datasize)
{
  /*
    Offset   Data
      0      02 00 84 00 10 00
      6      <16 bytes of XXTEAKey>
     22      20 00
     24      <16 bytes of RC5Key1>
     40      <16 bytes of RC5Key2>
     56      08 00
     58      <8 bytes of bit-shuffled ECC public key>
     66      40 00
     68      <64 bytes of some ASCII-HEX data>
    132      <END>
  */

I used rigup 0.4: "rigup ds2072a ds2k_00_sdram.bin"

Peter
« Last Edit: August 16, 2014, 07:40:56 pm by Slappy_g »
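The layout quoted in this post has four fixed marker fields, so a dump can be checked for a structurally complete key block without reading the key bytes, which separates "pattern absent" from "pattern present but damaged or cut off". The following is an added example, not part of the thread and not rigup's own code; the function names and the synthetic sample buffer are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define BLOCK_LEN 132 /* total length per the quoted layout comment */
/* Fixed marker bytes and their offsets, taken from the layout quoted above. */
static const struct { size_t off, len; unsigned char b[6]; } MARKS[] = {
    { 0, 6, {0x02, 0x00, 0x84, 0x00, 0x10, 0x00}},
    {22, 2, {0x20, 0x00}}, {56, 2, {0x08, 0x00}}, {66, 2, {0x40, 0x00}},
};
#define NMARKS (sizeof MARKS / sizeof MARKS[0])

/* 1 if every marker matches and bytes 68..131 are all ASCII hex digits. */
static int block_is_complete(const unsigned char *p) {
    for (size_t m = 0; m < NMARKS; m++)
        if (memcmp(p + MARKS[m].off, MARKS[m].b, MARKS[m].len) != 0)
            return 0;
    for (size_t i = 68; i < BLOCK_LEN; i++)
        if (!isxdigit(p[i])) return 0;
    return 1;
}

/* Offset of the first complete block, or -1. *header_hits counts every
   occurrence of the 6-byte header, whether or not a full block follows. */
long find_key_block(const unsigned char *d, size_t n, size_t *header_hits) {
    long found = -1;
    *header_hits = 0;
    for (size_t i = 0; i + MARKS[0].len <= n; i++) {
        if (memcmp(d + i, MARKS[0].b, MARKS[0].len) != 0) continue;
        ++*header_hits;
        if (found < 0 && i + BLOCK_LEN <= n && block_is_complete(d + i))
            found = (long)i;
    }
    return found;
}

/* Constructed sample: 0xFF filler, one synthetic block, 0xAA placeholder keys. */
void build_sample(unsigned char *d, size_t n, size_t at, int intact) {
    memset(d, 0xFF, n);
    memset(d + at, 0xAA, 68);
    memset(d + at + 68, intact ? 'A' : 0x00, 64);
    for (size_t m = 0; m < NMARKS; m++)
        memcpy(d + at + MARKS[m].off, MARKS[m].b, MARKS[m].len);
}

int main(void) {
    unsigned char dump[512]; size_t hits;
    build_sample(dump, sizeof dump, 200, 1);
    printf("block at %ld\n", find_key_block(dump, sizeof dump, &hits));
}
```

A result of -1 with zero header hits means the pattern is absent from the dump; -1 with one or more hits means the header is there but the rest of the structure is not intact.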
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #45 on: August 16, 2014, 08:06:39 pm »
Below is the advanced system information before I made the dump. Is your system information different?

Peter

OK, so I enabled advanced info (Trigger Menu, Menu7, Menu6, Menu7, Utility all pressed in quick succession).

Now, I see the same thing you do...

SW: 00.03.00.01.03
HW: 1.1.2.2.0
« Last Edit: August 16, 2014, 08:11:19 pm by Slappy_g »
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #46 on: August 16, 2014, 08:09:20 pm »
Below is the advanced system information

How do you access that detailed info ? I can invoke only a simplified version of that popup window.
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #47 on: August 16, 2014, 08:10:03 pm »
Below is the advanced system information

How do you access that detailed info ? I can invoke only a simplified version of that popup window.

About to edit my previous response.  Look above in 2 minutes.
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #48 on: August 16, 2014, 08:20:07 pm »
Thank you, Pedre, I see also the extended system info now. All versions are exactly the same as yours.
So, as there are reports about successful hacking of exactly the same model of the scope, there should be some JTAG adapter / toolchain problem if the hack does not work.
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
OK, how's this for WEIRD?!
« Reply #49 on: August 16, 2014, 09:12:37 pm »
OK, so I just re-ran the SDRAM dump - exactly the same way as before.  Same output file size, same gdbproxy messages, etc.

And, go figure, there's the key!  Now, the thing I did which was different than before was that I made sure the scope was in RUN mode.  Last dump I did, I had the scope in STOP mode, so not sure if that had an impact, but it sure seems to have worked!

Now, I'm going to try to use the DS2072A model name to generate the licenses...
 

