Author Topic: Rigol MSO2000 series hacking  (Read 112793 times)


Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #50 on: August 16, 2014, 10:21:37 pm »
Success! Happily running @ 200 MHz with all options.

I'll consider bumping up to 300 if I ever feel I really need it, but I have seen conflicting reports here of decreased accuracy on all signals with that option turned on.

Sent from my SM-N900T using Tapatalk

Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5549
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #51 on: August 16, 2014, 10:30:26 pm »
Do the 16 Digital channels work as well after your modification?

 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #52 on: August 16, 2014, 11:30:47 pm »
Glad you got yours working, Slappy; I may have to revert to the Windoze option.

So my first attempt failed because I added an extra 'f' to the upper address '0x07fffffff' so I aborted

Then I left it running on pass 2 while I went for dinner; I came back and it seems there was an error.

Trying again but this time I didn't get the error saying that I was stuck at 12000000 for the USB blaster.

When I specify ~/xyzzy.bin for the file should I expect that file to be in the bin directory?
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #53 on: August 17, 2014, 03:47:08 am »
gentlemen,

I have a version of RIGOL
1 how to make a memory dump?
2 how and when to use "rigup" ??
3 how to make the file "HEX" in the photo above?
4 how to generate the keys?
Thank you
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #54 on: August 17, 2014, 07:43:33 am »
Quote
When I specify ~/xyzzy.bin for the file should I expect that file to be in the bin directory?

~ means in Linux your home directory: /home/userNameOfLoggedUser
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #55 on: August 17, 2014, 07:47:50 am »
Quote
1 how to make a memory dump?
2 how and when to use "rigup" ??
3 how to make the file "HEX" in the photo above?
4 how to generate the keys?

1. Open the scope, connect JTAG ... described in this thread and also other threads here. According to your scope's version, it is the only working way now.
2. Rigup is used on the memory dump obtained in the step 1
3. I do not understand, do you mean hex file = the memory dump ?
4. Keys are generated via rigup-0.4 tool
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #56 on: August 17, 2014, 10:22:18 am »
OK, so far I have not generated a .bin file at all, at least I can't find a file that has the xxxxx.bin name I asked for with 'dump binary memory', I've researched Ubuntu and found how to see hidden files.

I was using blackfin-toolchain-2014R1_45-RC2.i386.tar.bz2 and now I'm going to try blackfin-toolchain-2013R1_45-RC1.i386.tar.bz2

Using the 2014 version, the dump happened but, at the end, I got a message saying 'Reply contains invalid hex digit 116' and then it goes back to the (gdb) prompt

I'm also going to make sure the scope is running.  If this doesn't work, I'll switch to a different computer.

Any suggestions are welcome.
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #57 on: August 17, 2014, 11:44:45 am »
I have the Ubuntu Netbook dump running but I got the error at the stage of testing the memory using '(gdb) info dump' which replied that it could not parse XML because that feature was not included at compile time.  I'll leave that dump running but suspect it will be the same as the previous ones.

PLANB...
I'm trying to follow in Slappy's footsteps, I downloaded urJTAG, managed to install on my Windows 7-64 system (you have to run the install as Admin), but then got an error every time I tried to run it with my el-cheapo 'Altera' USB Blaster from eBay saying it couldn't find the libusb0.dll driver - I believe I've just solved that issue

I downloaded libusb-win32 from here http://sourceforge.net/projects/libusb-win32/files/libusb-win32-releases/1.2.6.0/ . I used libusb-win32-bin-1.2.6.0.zip

Next I unpacked the libusb-win32-bin-1.2.6.0 folder to C:/Temp and then opened the bin folder and installed install-filter-win.exe (I think)

Next I ran the inf-wizard.exe file while my USB Blaster was plugged in, it found and created an inf file and then offered to install it, I accepted.

Now I can run 'JTAG Shell' from start and interact with the command prompts.

This is a great resource http://sourceforge.net/p/libusb-win32/wiki/Home/
« Last Edit: August 17, 2014, 12:18:57 pm by Gandalf_Sr »
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #58 on: August 17, 2014, 02:00:54 pm »
Getting frustrated  :o

I can't get urJTAG to see my USB Blaster so that has got nowhere so far.

And my Netbook keeps giving me the 'Reply contains invalid hex digit 116' error after a 2 hour dump.

I found a post by 0xPIT on page 232 of the MEGA thread https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/3465/ which says that he's solved this problem but I struggled to follow his instructions;

I have a weird dump running but here's what I did...
everything as per the normal instructions on P165 of the mega thread up to

Quote
# cd opt/uClinux-45/bfin-uclinux/bin
# ./bfin-uclinux-gdb
(gdb) target remote :2000
Remote debugging using :2000
0xffa0142e in ?? ()
(gdb)

Then I used his 'set debug remote 1' and 'set remotelogfile /tmp/log' commands which gave no errors and were accepted (I think) because the (gdb) prompt returned?

Then I started a dump normally using 'dump binary memory ~/myfilename.bin   0x00000000 0x07FFFFFF' and now there's zillions of characters flying across my (gdb) screen - presumably all being put into a log file somewhere!

According to 0xPIT, the dump will end with the same 116 error but all the data that's returned will be in the log file.  What I'm not clear about is how to find, open, and run the awk commands against that file so as to only keep the lines that begin with +r $ as per his instructions...

Quote
I then awk'd the logfile to include only lines starting with +r $ and then removed this string using vi (:%s/^r\ +$//g)
Now I used xxd -p -r to convert the hexdump to binary and ran rigup on it, which worked fine.

Can anyone clarify what I have to do once this dump is finished?  Is  '+r $' the actual text that starts off a line that's returned data?  and that last bit looks like Greek to me!
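
The log-based recovery quoted above, as an added example that is not part of the original posts: it pairs each memory-read request in a gdb remote log with its reply, checks the packet checksum, and rebuilds the bytes. It assumes the log marks gdb's writes with a leading `w ` and reads with a leading `r `, and that replies are standard GDB remote protocol packets (`$payload#checksum`, optionally run-length encoded); the function names and the sample log are constructed for illustration.

```python
import binascii
import re

# One remote-protocol packet as it appears in the log: $<payload>#<2 hex digits>
PACKET = re.compile(r"\$([^#$]*)#([0-9a-fA-F]{2})")
HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")


def rle_expand(payload):
    """Undo run-length encoding: 'X*n' means X plus ord(n)-29 more copies of X."""
    out, i = "", 0
    while i < len(payload):
        if payload[i] == "*" and out and i + 1 < len(payload):
            out += out[-1] * (ord(payload[i + 1]) - 29)
            i += 2
        else:
            out += payload[i]
            i += 1
    return out


def recover_memory(log_lines):
    """Rebuild memory from replies to 'm' requests; returns (data, skipped)."""
    data, skipped, pending = bytearray(), [], ""
    for lineno, line in enumerate(log_lines, 1):
        kind, _, body = line.rstrip("\r\n").partition(" ")
        packets = PACKET.findall(body)
        if kind == "w" and packets:
            pending = packets[-1][0]  # the request gdb sent most recently
        if kind != "r":
            continue
        for payload, cksum in packets:
            request, pending = pending, ""
            if not re.fullmatch(r"m[0-9a-fA-F]+,[0-9a-fA-F]+", request):
                continue  # reply to something other than a memory read
            want = int(request.split(",")[1], 16)
            text = rle_expand(payload)
            if sum(payload.encode("latin-1")) % 256 != int(cksum, 16):
                skipped.append((lineno, "bad checksum"))
            elif not HEX.fullmatch(text) or len(text) != 2 * want:
                skipped.append((lineno, "not %d hex bytes: %r" % (want, text[:16])))
            else:
                data += binascii.unhexlify(text)
    return bytes(data), skipped


# Constructed sample log (not captured from a scope). The last reply contains
# a 't', ASCII 116, the kind of character gdb rejects as an invalid hex digit.
SAMPLE_LOG = """\
w $g#67
r +$00000000#80
w +$m0,4#fd
r +$deadbeef#20
w +$m4,4#01
r +$0* 0* #f4
w +$m8,4#05
r +$0000t000#c4
"""

if __name__ == "__main__":
    blob, problems = recover_memory(SAMPLE_LOG.splitlines())
    print(blob.hex(), problems)
```

Every skipped reply leaves a hole, so the output is shorter than the requested address range and later offsets shift; re-read the affected range rather than trusting a file with skipped entries.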
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #59 on: August 17, 2014, 06:26:22 pm »
Now I'm getting pissed off >:(

The latest dump using my Ubuntu Netbook finished but I can't find any log file.

My urJTAG install on my Win 7-64 laptop can't see the USB-Blaster so that option hasn't worked so far

Considering what to try next...

1. Run up my Raspberry PI and follow the instructions here http://sourceforge.net/p/urjtag/discussion/682993/thread/d31f1840/
2. Download a different Linux image and boot one of my PCs from it and try that
3. Solve my issues on the Netbook - e.g. find the missing log file
4. Solve the issue where urJTAG can't see the USB Blaster

Beer O'Clock  :o
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #60 on: August 17, 2014, 07:03:41 pm »
Quote
Now I'm getting pissed off >:(

Considering what to try next...

3. Solve my issues on the Netbook - e.g. find the missing log file

Log file must be somewhere in the file system. Which linux command have you used ?
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #61 on: August 17, 2014, 08:08:17 pm »
Quote
Log file must be somewhere in the file system. Which linux command have you used ?

Thanks for chipping in PepeK, I found a log file but it had 386 bytes in it.

Now I have been pursuing the urJTAG option, I fought with the driver for the 'Altera' USB Blaster and got urJTAG to connect to it, then when I asked for frequency of 5000000, it told me that the Blaster was fixed at 12000000 and detect didn't find the BF device, just timeout errors.

If I don't get a better suggestion by tomorrow morning, I think I'll order the $70 Olimex FT2xxx device and hope that works like it did for Slappy. Or are there any other FT2232-based recommendations from anyone?
« Last Edit: August 17, 2014, 10:35:05 pm by Gandalf_Sr »
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #62 on: August 18, 2014, 12:22:48 am »
Quote
Do the 16 Digital channels work as well after your modification?

They work perfectly!

Sent from my SM-N900T using Tapatalk

Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #63 on: August 18, 2014, 12:25:46 am »
Quote
Log file must be somewhere in the file system. Which linux command have you used ?

Thanks for chipping in PepeK, I found a log file but it had 386 bytes in it.

Now I have been pursuing the urJTAG option, I fought with the driver for the 'Altera' USB Blaster and got urJTAG to connect to it, then when I asked for frequency of 5000000, it told me that the Blaster was fixed at 12000000 and detect didn't find the BF device, just timeout errors.

If I don't get a better suggestion by tomorrow morning, I think I'll order the $70 Olimex FT2xxx device and hope that works like it did for Slappy. Or are there any other FT2232-based recommendations from anyone?

I strongly recommend the olimex device from sparkfun. $70, but it works.

Also, I ended up using the winusb driver and the bfin-toolchain in win 7 x64. UrJTAG was creating "weird"  dumps.

Sent from my SM-N900T using Tapatalk
« Last Edit: August 18, 2014, 12:27:57 am by Slappy_g »
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #64 on: August 18, 2014, 12:45:59 am »
Quote
gentlemen,

I have a version of RIGOL
1 how to make a memory dump?
2 how and when to use "rigup" ??
3 how to make the file "HEX" in the photo above?
4 how to generate the keys?
Thank you

I'm guessing from some of your phrasing that English is not your first language. I noticed that you have asked several repeated questions in this thread even though answers have been given.

I would suggest following the steps I listed, then using the forum search with the keywords: JTAG, ds2072a. This will answer your questions, I believe.

Also, it looks like you have the signal generator option, based on your picture. I'm not sure if that model works or not.

Sent from my SM-N900T using Tapatalk
« Last Edit: August 18, 2014, 12:49:01 am by Slappy_g »
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #65 on: August 18, 2014, 11:17:56 am »
Quote
...Also, I ended up using the winusb driver and the bfin-toolchain in win 7 x64. UrJTAG was creating "weird"  dumps...

Thanks, am I right in saying that bfin-toolchain runs in a command prompt under Windows?

It's interesting but this whole debacle has led me to read more about JTAG than I ever would have done unless I had a project on it.  It's interesting that all the manufacturers, Atmel, Actel, TI, etc. etc. all have different interface boards to talk JTAG.  It seems that the FTDI FT2232 device will probably end up being adopted by all as it's so well integrated with windows wrt drivers etc.
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #66 on: August 18, 2014, 12:02:03 pm »
Quote
Thanks, am I right in saying that bfin-toolchain runs in a command prompt under Windows?

It's interesting but this whole debacle has led me to read more about JTAG than I ever would have done unless I had a project on it.  It's interesting that all the manufacturers, Atmel, Actel, TI, etc. etc. all have different interface boards to talk JTAG.  It seems that the FTDI FT2232 device will probably end up being adopted by all as it's so well integrated with windows wrt drivers etc.

So, yes, I did just do it in Windows.

Sent from my SM-N900T using Tapatalk

Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #67 on: August 18, 2014, 04:13:24 pm »
Quote
Thanks, am I right in saying that bfin-toolchain runs in a command prompt under Windows?

So, yes, I did just do it in Windows.

Sent from my SM-N900T using Tapatalk

Hmmm, makes me wonder if I just downloaded blackfin into Windows, it would run with my 'Altera' USB Blaster?  I know you used the Sparkfun debugger based on the FT2232 - I have one on order - but I'm going to dig deeper into the bfin option.

Thanks
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #68 on: August 18, 2014, 04:27:15 pm »
Quote
...I strongly recommend the olimex device from sparkfun. $70, but it works.

Also, I ended up using the winusb driver and the bfin-toolchain in win 7 x64. UrJTAG was creating "weird"  dumps.

Sent from my SM-N900T using Tapatalk

Slappy, please can you give a few more details on how you downloaded and ran bfin under Windows?  I get the idea of having a background service running, this is what I was trying  to do in Ubuntu, but:

What files did you download?
What commands did you issue?

Thanks in advance.
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #69 on: August 19, 2014, 02:31:47 am »
OK, as requested by Gandalf_Sr, here is my detailed step-by-step guide to my *working* hack on the MSO2072A.   :-+

I am NOT going to detail general Windows tasks.  If you don't know it, Google is your friend.  Please keep general Windows questions to other threads.

  • PREREQUISITE 1: Windows 7 64-bit.  If using UAC, you MUST run the command prompt as administrator.
  • PREREQUISITE 2: Download the 32-bit Blackfin toolchain 2014R1 from here: http://sourceforge.net/projects/adi-toolchain/files/2014R1/2014R1_45-RC2/blackfin-toolchain-win32-2014R1_45.exe/download
  • PREREQUISITE 3: This is tricky.  Get your JTAG adapter and drivers installed.  Being loaded with disposable income  8), I used the Olimex from Sparkfun - $71 of goodness: https://www.sparkfun.com/products/7834.
  • PREREQUISITE 4: Figure out how to hook up the circuit to the JTAG header using pull-up resistors, etc.  This is WAY beyond the scope of this post.
  • Install the drivers for the JTAG adapter as attached - there are instructions on Sparkfun and Olimex's sites.  This is left as an exercise for the reader.
  • I then installed the WinUSB driver for the first Olimex device in the list using the handy Zadig driver installer from here: http://zadig.akeo.ie/
  • Install the Blackfin toolchain on a folder on your desktop and go to that directory, and then into the subfolder elf\bin
  • Open 2 command prompts as administrator in this folder.  Yes, two.
  • In command prompt 1, run the following: bfin-gdbproxy.exe --debug bfin --frequency=5000000
  • [Make sure that the frequency is 5 million, not 500,000]
  • If you followed so far, you should get a message stating that the gdbproxy is waiting on port 2000.  This is basically an intermediary program that will allow the special bfin version of the Gnu Debugger (GDB) to "speak JTAG" - it's like talking dirty to the chip, but better!
  • Keep window 1 open, Trebek, you scurvy bastard!   (Saturday Night Live reference, there)
  • In command prompt 2, run bfin-elf-gdb.exe with no parameters.  You must run THIS version of GDB.
  • For the next 2 lines, type these commands at the (gdb) prompt:
  •    target remote :2000
  •    info mem
  • If it worked, you should see a list of 8 regions (from 0-7).  If it didn't work, you suck, or your drivers suck.  Fix that, then CTRL-C both command prompts and relaunch the proxy then GDB until you get success.
  • Now, as the two girls one cup people said, we will begin the dump.  OK, that was gross.  The command follows and will take a LONG time.  Watch the gdbproxy window for periodic messages.
  • dump binary memory ds2k_00_sdram.bin 0x00000000 0x07FFFFFF
  • When done, type quit to exit GDB.
  • Kill both command prompts.  ...WITH FIRE!
  • Your dump file will be in the same folder as the executables (the subdirectory of the Bfin-toolchain install)
  • Move that file to where you have rigup.exe
  • Run: rigup.exe scan ds2k_00_sdram.bin
  • You should get your private keys.  If you get a keys not found message like I did, make sure your scope is in RUN mode and has an active trace then re-dump the SRAM.
  • Now, prepare your champagne glass and run this:
  • rigup.exe DS2072A ds2k_00_sdram.bin
  • Enter your keys into the scope however the hell you want, and send a bottle of tequila my way, if you like.  ;)

Whew!  It's late and I feel goofy, so you'll have to deal with my terrible humor in there.  To me, the toughest part was matching up the JTAG pinouts and opening the case without breaking the sticker, in that order.  The drivers part was pissy, but once figured out, no big deal.  For the record, do NOT bother with urJTAG.
« Last Edit: August 19, 2014, 02:52:17 am by Slappy_g »
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #70 on: August 19, 2014, 11:03:46 am »
Slappy, you are GOD-LIKE!  I now see that it's possible that my issue is that I missed the WinUSB driver step from zadig...  can you explain to us mere mortals what that does?
 
The following users thanked this post: Slappy_g

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #71 on: August 19, 2014, 08:37:48 pm »
Quote
Slappy, you are GOD-LIKE!  I now see that it's possible that my issue is that I missed the WinUSB driver step from zadig...  can you explain to us mere mortals what that does?

Thanks! The tool just does a targeted driver reinstall for a given device. Since there are so many driver models, using this to pick is much easier.

Just remember to run it as admin.

Sent from my SM-N900T using Tapatalk

Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline milek22

  • Contributor
  • Posts: 27
  • Country: pl
Re: Rigol MSO2000 series hacking
« Reply #72 on: August 20, 2014, 01:46:12 am »
Great job Slappy_g. Thanks.
1 Can you do ALTERA USB?
2. On Cybernet's diagram the pins are: TMS / TCLK / TRST / SRST / TDI / TDO / GND / V3.3.
3. Please, what are the ALTERA counterparts of the OLIMEX pins?

4 Do I need to buy OLIMEX to do it?
5 Can it be Win 7 32bit?

Does pin TCLK correspond to ALTERA pin 1?
Where to give UTST3,3V in ALTERA - pin 4 or 7?
Thank you very much.
« Last Edit: August 20, 2014, 02:29:27 am by milek22 »
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Rigol MSO2000 series hacking
« Reply #73 on: August 20, 2014, 07:14:41 am »
@Milek :

If you search / check the long thread "sniffing internal Rigol I2c bus", there are nice photos showing how to connect the JTAG to the scope. Approx at page 168 - try it.
I hope my JTAG adapter arrives in the next two weeks and I will post exact info here.

BTW : do you use Google translator ?
 

Offline Gandalf_Sr

  • Frequent Contributor
  • **
  • Posts: 745
  • Country: us
Re: Rigol MSO2000 series hacking
« Reply #74 on: August 20, 2014, 11:19:45 am »
@Milek

Check out the diagram in post#2433 on this page https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/2433

I will warn you that I used an 'Altera' USB Blaster from eBay.  It connected to the JTAG using the diagram in post#2433 - it seemed to work at first but it always finished with the error 116 problem.

I haven't tried it yet but apparently, if, at the (gdb) prompt, you type 'set remotetimeout 10' just before you issue the memory dump command, it works.  I may try that tonight.

Google 'gdb commands' to see all the possible commands explained.
 

