Author Topic: Rigol MSO2000 series hacking  (Read 160629 times)


Slappy_g (Topic starter)
Re: Rigol MSO2000 series hacking
« Reply #175 on: September 03, 2014, 11:03:03 am »
@AntiCat
As to firmware, say what?! There's a new one out? Hmm....

I could be wrong.
http://beyondmeasure.rigoltech.com/acton/form/1579/0012:d-0001/1/index.htm?id=0012
Shows DS/MSO2000/A/-S: 00.03.01

Latest I saw on this Board was DS/MSO2000/A/-S: 00.03.00 SP1

Unfortunately, I think that is the same thing. It's the difference in how it is displayed internally versus on the about screen.

Sent from my SM-N900T using Tapatalk

Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

navzptc
Re: Rigol MSO2000 series hacking
« Reply #176 on: September 03, 2014, 09:15:36 pm »
Having had to help a friend out trying to get his Olimex JTAG working, and following on from Slappy_g's excellent write-up, I thought I would also post the information here on how to set up the Olimex reader with Win 7 64-bit - I am sure this will also be the same for 32-bit.

Drivers used are the ARM-USB-OCD-H-Drivers I posted a few pages back - Presume they would also work on non 'H' version.

Any reference to Capturexx is the screen shot that goes with the write up.

1. Right, here we go – attach the Olimex JTAG reader to a USB port; hopefully you will hear the beep and 2 'other devices' will have appeared in Device Manager.

2. Right click the first ‘other device’ (Olimex) – update driver software – browse my computer for driver software – enter location in window (browse button to find directory) then ‘next’ – Capture2

3. Choose the ‘Install this driver software anyway’ option – Capture3

4. Success, it has installed the driver for USB Serial Converter A – Capture4

5. Repeat steps 2~4 for the remaining ‘other device’ and USB Serial Converter B is installed – Capture5

6. You should now have 2 new ‘other devices’ (USB Serial Ports) – (if not, press the rescan icon on the icon bar at the top of Device Manager) AND USB Serial Converters A & B under USB Controllers – Capture6

7. Right click the first ‘other device’ (USB Serial Port) – update driver software – browse my computer for driver software – enter location in window (browse button to find directory) then ‘next’ – Capture7

8. Once again ‘Install this driver software anyway’ – Capture8

9. We now have a new USB Serial Port (COM12 in MY case) under Ports – Capture9

10. Repeat the above for the remaining ‘other device’ (USB Serial Port) – Capture10

11. So far, so good :) – we should now have 2 new USB Serial Ports and 2 new USB Serial Converters A & B – Capture11

12. Now load Zadig – choose Olimex (Interface 0) and press the replace driver button – Capture12 & 13 (see Slappy_g's post on page 5)

13. Device Manager should now have changed to 1 USB Serial Port (COM13 in MY case), USB Serial Converter B and Olimex (Interface 0) – Capture14

14. Now the fun starts!! Connect the Olimex to the DSO and switch the DSO on – open up your Blackfin ‘bin’ folder, open up 2 command windows (shift/right click) in the ‘bin’ folder, and in the first command window type: bfin-gdbproxy.exe --debug bfin --frequency=5000000 – Capture15

15. Hopefully it will work and show as per the image.

16. If we do get this far, in the second command window type: bfin-elf-gdb.exe THEN target remote :2000 THEN info mem – Capture16

17. By now I hope you are cheering :-+

18. Then type in the second command window: dump binary memory <filename>.bin 0x00000000 0x01FFFFFF – use a name of your choice for <filename>

Andy
 

DocSnyder
Re: Rigol MSO2000 series hacking
« Reply #177 on: September 07, 2014, 10:13:05 am »
Hello Peter,

That sounds very interesting. Can you describe it a bit further? How did you copy those parts together? Maybe this is the most elegant way ever.

Thanks
 

Gandalf_Sr
Re: Rigol MSO2000 series hacking
« Reply #178 on: September 07, 2014, 10:37:00 am »
@navzptc

Thanks for the write up on adding the drivers.  I used the driver set that Slappy_g linked to at the end of his big list of instructions.  I don't know why but my dump.bin file ended up in the C:\Windows\SysWOW64 directory, not in the same folder as the bfin.exe files.

This link http://www.samlogic.net/articles/32-64-bit-windows-folder-x86-syswow64.htm explains the SysWOW64 thing.
If at first you don't succeed, get a bigger hammer
 

Gandalf_Sr
Re: Rigol MSO2000 series hacking
« Reply #179 on: September 07, 2014, 10:45:14 am »
@PeDre

Interesting.  How do you connect to the DS2072A?  Is it using LAN or USB?  Where do you get the SCPI utility?  This could be a much simpler route to get the memory dump if you don't need to take the back off the scope, buy a JTAG system, and make an interface cable.
If at first you don't succeed, get a bigger hammer
 

DocSnyder
Re: Rigol MSO2000 series hacking
« Reply #180 on: September 07, 2014, 11:10:27 am »
Peter, what is the name of this tool you used to get the answers of the scope saved?

Thanks
 

Gandalf_Sr
Re: Rigol MSO2000 series hacking
« Reply #181 on: September 07, 2014, 11:15:42 am »
Also, Slappy_g has a much smaller memory range to dump so it's possible that a single :SYST:UTIL:READ? LLLLLLLLL,HHHHHHHHH command will grab the license key data if we come up with the right numbers.  If you google "SCPI Rigol" you'll get hits for how to do this, looks like you can connect using USB or LAN but I'm not sure what the best tool is - PeDre?
If at first you don't succeed, get a bigger hammer
 

AntiCat
Re: Rigol MSO2000 series hacking
« Reply #182 on: September 07, 2014, 01:08:47 pm »
:SYST:UTIL:READ? 1,1048576

 :-DD is the only comment I can come up with. Great discovery!!!  :-DD

 

DocSnyder
Re: Rigol MSO2000 series hacking
« Reply #183 on: September 07, 2014, 01:12:55 pm »
Now I have to wait for my MSO2072A to arrive. If this works, the Olimex ARM USB I recently bought is useless. @Peter: Great tool. I mean the main purpose of it.
 

HiassofT
Re: Rigol MSO2000 series hacking
« Reply #184 on: September 07, 2014, 01:33:07 pm »
You can read the memory of the MSO2072A with a SCPI command.
Here, each in 1 MB increments up to 32 MB:

:SYST:UTIL:READ? 1,1048576
Thanks a lot for sharing this information!

It looks like the READ? command also accepts ranges larger than 1 MB, so with :SYST:UTIL:READ? 1,33554432 you can read a 32 MB memory block with a single command - and don't need to merge all the chunks.

IMO the easiest way to issue SCPI commands is to use netcat (for example "ncat" from nmap.org or the openbsd "nc" on Linux) - just connect to TCP port 5555.

With ncat from nmap.org you can get a 32MB dump with this one-liner (tested on Linux and Windows XP):

Code:
echo :SYST:UTIL:READ? 1,33554432 | ncat -i 1 IP-ADDRESS-OF-SCOPE 5555 > memory.dump
so long,

Hias
 

centon1
Re: Rigol MSO2000 series hacking
« Reply #185 on: September 07, 2014, 05:52:51 pm »
WooHoo!

I was just about to tackle the JTAG route using a $6.00 eBay USB Blaster and was getting ready to slip the warranty seal when I read Peter's post.

Well, twenty minutes later, without lifting the seal and without opening the case, my mso2072a now reports as an mso2202a. Yippee!

I would just like to thank PeDre, Slappy_g, Gandalf_Sr and others for their efforts, expertise and tenacity. Your selflessness in sharing information and knowledge makes this a better forum and a better 'blue marble' in which to participate daily.

This not so young noob truly thanks you.

Have a great one. Cheers
« Last Edit: September 07, 2014, 05:54:57 pm by centon1 »
 

conte_vlad
Re: Rigol MSO2000 series hacking
« Reply #186 on: September 07, 2014, 06:15:53 pm »
It is my program for the screenshots, but can also send SCPI commands.

http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/

For the LAN connection no driver or installation is necessary.

Peter

 :-+ :-+ :-+

thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,
thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,
thanks,thanks,thanks,thanks,thanks,thanks,thanks  :-DD

All updated on the MSO, but no way for 200 and 300 MHz; I will investigate more.
« Last Edit: September 08, 2014, 12:08:14 am by conte_vlad »
 

WesleyK
Re: Rigol MSO2000 series hacking
« Reply #187 on: September 07, 2014, 06:54:40 pm »
Woah, great work! Just unlocked all options + 200 MHz in <30 minutes. I used these posts:

Rigol Bildschirmkopie:
https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg508936/#msg508936

Config file for SCPI
https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg508969/#msg508969
Use this file to overwrite the one in your "resources" folder in Rigol Bildschirmkopie. Thanks to Pedre for the application + config file.

SCPI command:
:SYST:UTIL:READ? 1,33554432
to get a 32MB dump without the need to merge any files.

I then used Rigup as described earlier in this thread by Slappy_G to get my serial codes. Inputting the serial key was the hardest part :P with the not-that-great multi-purpose rotary encoder. Took me a few minutes, but it's now reporting as a MSO2202A with all options installed.
Thanks again :)
« Last Edit: September 07, 2014, 07:03:08 pm by WesleyK »
 

ulrik
Re: Rigol MSO2000 series hacking
« Reply #188 on: September 07, 2014, 07:21:21 pm »
Well done Peter!  :clap:  Well done to all in this thread who made really great contributions!  :-+

:SYST:UTIL:READ? seems to be an undocumented SCPI command, isn't it? At least I couldn't find it in Rigol's programmer's handbook - Hmmm - I can imagine why... ::)
Is more known about other SYST:UTIL commands? Have some other undocumented SCPI commands been discovered yet?

Is it possible to send a batch of SCPI commands (a macro?) with Peter's software?
---
all circuits lead to ROM
 

mscreations
Re: Rigol MSO2000 series hacking
« Reply #189 on: September 07, 2014, 07:37:15 pm »
Nicely done!

I have verified that you can quickly get a dump using the SCPI method. Run the program below (it's in German? but it's easy enough to figure out what you need to do.) In the opening screen, click on select and find your device on the LAN. Then choose Device and SCPI-Command. Run the following SCPI command (tested on MSO2072A) ":SYST:UTIL:READ? 15441920, 13262848". These numbers correspond to the 0x00EBA000 and 0x01B60000 addresses from slappy_g. By shortening the memory dump, this takes a minute at most to do the dump.

After it finishes, click Save and save it in the same directory as rigup. Then just run "rigup ds2072a filename.dump.scpi" replacing filename.dump.scpi with the appropriate filename.


It is my program for the screenshots, but can also send SCPI commands.

http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/

For the LAN connection no driver or installation is necessary.

Peter
 

Slappy_g (Topic starter)
Re: Rigol MSO2000 series hacking
« Reply #190 on: September 07, 2014, 08:30:33 pm »
@Pedre:

Excellent find! I'll update my instructions tonight!

Sent from my SM-N900T using Tapatalk

Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

conte_vlad
Re: Rigol MSO2000 series hacking
« Reply #191 on: September 08, 2014, 12:22:44 am »
 :-+

all done, MSO2102A all option +300MHz. Great job :clap:
 

HiassofT
Re: Rigol MSO2000 series hacking
« Reply #192 on: September 08, 2014, 09:23:49 am »
:SYST:UTIL:READ? seems to be an undocumented SCPI command, isn't it? At least I couldn't find it in Rigol's programmer's handbook - Hmmm - I can imagine why... ::)
Is more known about other SYST:UTIL commands? Have some other undocumented SCPI commands been discovered yet?
The SCPI command table seems to be located at around 0x00F0EC00. You can read it with ":SYST:UTIL:READ? 15789057,20000".

:SYST:HVER? seems to report the hardware version - 2.2

WRITe might be the complement to READ?. LOCK, UNLock, ERASe and FLASh might be for accessing the flash - but as I have no intentions of bricking my scope I haven't played with them. Not sure what QSET might be for.

BTW: I did a full 128MB dump (took some 4 minutes using netcat) and it looks like there's nothing interesting above 32MB.

so long,

Hias
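The thread works out the READ? arguments by hand (the 15441920, 13262848 pair in mscreations' post is slappy_g's 0x00EBA000..0x01B60000 range expressed as a decimal start offset and byte count), and the post above lists the other :SYST:UTIL mnemonics found in the command table. The Python below is an added example, not code from any poster and not Rigol's: a small SCPI command parser that normalises mnemonics to SCPI short form (SYSTem -> SYST, UNLock -> UNL), flags commands in the undocumented SYST:UTIL subsystem, decodes the address range a READ?/WRITe request covers, and runs over a constructed log of the kind a lab network monitor could capture on the scope's TCP port 5555. The sample log lines, all function names, and the assumption that the two arguments are a decimal start offset and a decimal length are mine.

```python
"""Flag undocumented :SYST:UTIL memory-access SCPI commands in a traffic log.

Added example for this thread (not any poster's code).  Assumes one SCPI
command per line, as sent to the scope's TCP port 5555, and that READ?/WRITe
take "<start>,<length>" in decimal, as the thread's own arithmetic implies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# :SYST:UTIL mnemonics named in the thread, in SCPI short form.  Only READ?
# was confirmed to dump memory; the rest were merely seen in the command table.
UNDOCUMENTED_UTIL = {"READ", "WRIT", "LOCK", "UNL", "ERAS", "FLAS", "QSET"}
VOWELS = set("AEIOU")


def short_form(mnemonic: str) -> str:
    """Standard SCPI short form: first four letters, or first three when the
    mnemonic is longer than four letters and the fourth is a vowel.
    A trailing numeric suffix (CHAN1) is preserved."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", mnemonic)
    if not m:
        raise ValueError(f"not a SCPI mnemonic: {mnemonic!r}")
    letters, digits = m.group(1).upper(), m.group(2)
    short = letters[:4]
    if len(letters) > 4 and short[3] in VOWELS:
        short = short[:3]
    return short + digits


@dataclass
class ScpiCommand:
    raw: str
    subsystem: str      # e.g. "SYST:UTIL" ("" for *IDN? style common commands)
    command: str        # e.g. "READ"
    query: bool         # trailing '?' present
    args: List[str]     # comma-separated arguments, whitespace stripped

    @property
    def undocumented_util(self) -> bool:
        return self.subsystem == "SYST:UTIL" and self.command in UNDOCUMENTED_UTIL

    def memory_range(self) -> Optional[Tuple[int, int]]:
        """[start, end) bytes covered by a READ?/WRITe with start,length args."""
        if self.command in ("READ", "WRIT") and len(self.args) == 2:
            try:
                start, length = (int(a) for a in self.args)
            except ValueError:
                return None
            return start, start + length
        return None


def parse_scpi(line: str) -> Optional[ScpiCommand]:
    """Parse one command line; None for blank or non-SCPI lines."""
    m = re.match(r"^\s*(\*?[A-Za-z0-9:]+)(\?)?\s*(.*?)\s*$", line)
    if not m:
        return None
    head, q, argstr = m.groups()
    if head.startswith("*"):                    # IEEE-488.2 common command
        subsystem, command = "", head.upper()
    else:
        parts = [short_form(p) for p in head.strip(":").split(":") if p]
        if not parts:
            return None
        subsystem, command = ":".join(parts[:-1]), parts[-1]
    args = [a.strip() for a in argstr.split(",")] if argstr else []
    return ScpiCommand(line, subsystem, command, bool(q), args)


def scan_log(lines: List[str]) -> List[ScpiCommand]:
    """Return only the commands that touch the undocumented SYST:UTIL subsystem."""
    flagged = []
    for line in lines:
        cmd = parse_scpi(line)
        if cmd and cmd.undocumented_util:
            flagged.append(cmd)
    return flagged


def describe(cmd: ScpiCommand) -> str:
    """One review line per flagged command, with the decoded byte range."""
    rng = cmd.memory_range()
    text = f"{cmd.raw.strip()} -> {cmd.subsystem}:{cmd.command}"
    if rng:
        text += f" bytes 0x{rng[0]:08X}..0x{rng[1]:08X}"
    return text


# Constructed sample traffic: three lines from the thread, three benign ones.
SAMPLE_LOG = """\
*IDN?
:SYST:UTIL:READ? 1,33554432
:SYST:UTIL:READ? 15441920, 13262848
:SYST:HVER?
:SYSTem:UTILity:WRITe 0,4
:CHAN1:SCAL 1
""".splitlines()

if __name__ == "__main__":
    for cmd in scan_log(SAMPLE_LOG):
        print(describe(cmd))
```

Run as-is it prints the three SYST:UTIL lines from the sample, the second of them decoded back to 0x00EBA000..0x01B60000; feeding it real captured lines instead of `SAMPLE_LOG` is the only change needed. Flagging is keyed on the subsystem rather than on READ? alone so that the long-form spellings and the WRITe/ERASe/FLASh variants the post mentions are caught too.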
 

Gandalf_Sr
Re: Rigol MSO2000 series hacking
« Reply #193 on: September 08, 2014, 09:39:04 am »
And I thought SCPI was a bush kangaroo! 

What would I know? They don't have kangaroos here in Somalia.

Well done PeDre for finding an awesome back door into the Rigol system.

Now I'm considering making a piece of techno-art comprising of 2 x 'Altera' USB Blasters, 1 x Bus Blaster, an Olimex ARM-USB-OCD, 2 x JTAG adapters, 3 x invoices for online purchases, and a voucher for 2 wasted weeks of my life, any ideas anyone?  :palm:

For those who think I've lost it, this was meant to be humorous.
If at first you don't succeed, get a bigger hammer
 

PepeK
Re: Rigol MSO2000 series hacking
« Reply #194 on: September 08, 2014, 10:06:15 am »
The Rigol products are unbelievably hacker-friendly. I cannot imagine any reason for implementing a feature which accepts commands for reading the internal RAM's content. They block something (like the possibility to downgrade a firmware) but there is still a big backdoor. Why?
 

conte_vlad
Re: Rigol MSO2000 series hacking
« Reply #195 on: September 08, 2014, 10:48:47 am »
Why? Perhaps because of a big market of low-entry customers who see a great opportunity to pay less and have more; professionals have the official version anyway, and the top models are often out of a hobbyist's budget, so if they can choose, the choice goes to free-upgradable items.

Meanwhile... I am looking for an update also for my DG1032Z... if someone has any idea O0
 

pascal_sweden
Re: Rigol MSO2000 series hacking
« Reply #196 on: September 08, 2014, 05:21:34 pm »
This is the most convenient hacking approach ever! That deserves several Belgian beers :)

With this new finding, I really wonder why people are still opening up their Rigol scopes as of today.
There is still an active thread here on this forum where they use the conventional "open up your scope" way, with the title "Sniffing the Rigol's internal I2C bus".
Should we inform these guys about the new approach? =)
« Last Edit: September 08, 2014, 05:24:56 pm by pascal_sweden »
 

Gandalf_Sr
Re: Rigol MSO2000 series hacking
« Reply #197 on: September 08, 2014, 06:58:24 pm »
This is the most convenient hacking approach ever! That deserves several Belgian beers :)

With this new finding, I really wonder why people are still opening up their Rigol scopes as of today.
There is still an active thread here on this forum where they use the conventional "open up your scope" way, with the title "Sniffing the Rigol's internal I2C bus".
Should we inform these guys about the new approach? =)

I already did :D
If at first you don't succeed, get a bigger hammer
 

PepeK
Re: Rigol MSO2000 series hacking
« Reply #198 on: September 08, 2014, 07:13:24 pm »
I can confirm, the command ":SYST:UTIL:READ? 15441920, 13262848" works perfectly on my MSO2072A. The scope is connected via LAN cable.
SW 3.0.SP1
HW 2.2
The rigup.exe tool generates keys in milliseconds.
 

PepeK
Re: Rigol MSO2000 series hacking
« Reply #199 on: September 08, 2014, 07:49:38 pm »
The scope is unlocked now for all options and 200 MHz bandwidth. Thanks to everybody.
BTW : I entered the unlock code manually via the scope's rotary encoder, it was not possible to send it as a SCPI command.
 

