Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1825061 times)

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #100 on: June 07, 2013, 08:47:25 pm »
update: when powercycling in 2ns mode, it comes back in 2ns mode, if u leave it then it won't let u back to 2ns
so that byte should be in FRAM somewhere then ... ;)

Did you know that you can enter the 2ns time base by loading a Settings file that has 2ns as the time base it was saved at?
« Last Edit: June 07, 2013, 08:49:30 pm by marmad »
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #101 on: June 07, 2013, 08:48:30 pm »
update: when powercycling in 2ns mode, it comes back in 2ns mode, if u leave it then it won't let u back to 2ns
so that byte should be in FRAM somewhere then ... ;)

Did you know that you could enter the 2ns time base by loading a Settings file that had 2ns as the time base it was saved at?


nope, but guess same issue when u leave 2ns mode, you cant get back ...
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

studio25

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #102 on: June 07, 2013, 09:08:08 pm »
Now I know the offset for the time base. More details in the source code.   ;D
« Last Edit: June 07, 2013, 09:10:54 pm by studio25 »
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #103 on: June 07, 2013, 09:22:04 pm »
500ps  8)
 

Offline tinhead

  • Super Contributor
  • ***
  • Posts: 1918
  • Country: 00
    • If you like my hacks, send me a donation
Re: Sniffing the Rigol's internal I2C bus
« Reply #104 on: June 07, 2013, 09:31:21 pm »
for tinhead 8051

ohh don't worry, i know MCS51 (8051) very well.

My comment was to what you posted before :

The MCU 8051RNL is a USB serial in/out controller; it is most likely the point where the SPI code is used.

and that was wrong because:

- chip with 8051RNL marking is chip KSZ8051RNL
- this is not MCU
- the "8051" in KSZ8051RNL name have nothing to do with MCS51 platform
- KSZ8051 is a single supply 10Base-T/100Base-TX Ethernet physical layer transceiver
- it does not have anything to do with USB or serial in/out

The USB serial in/out is made with Cypress FX2LP (CY7C68013A), which is the next part to the KSZ8051RNL on the PCB.
All i said was that the 8051 core in CY7C68013A is not directly accessible from and for DSO hardware.
I don't want to be human! I want to see gamma rays, I want to hear X-rays, and I want to smell dark matter ...
I want to reach out with something other than these prehensile paws and feel the solar wind of a supernova flowing over me.
 

Offline tinhead

  • Super Contributor
  • ***
  • Posts: 1918
  • Country: 00
    • If you like my hacks, send me a donation
Re: Sniffing the Rigol's internal I2C bus
« Reply #105 on: June 07, 2013, 09:33:49 pm »
Now I know the offset for the time base. More details in the source code.   ;D

awesome, and did you try to use even higher values for bandwidth (even if there is no string for menu) ?
 

studio25

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #106 on: June 07, 2013, 09:38:16 pm »
Now I know the offset for the time base. More details in the source code.   ;D

awesome, and did you try to use even higher values for bandwidth (even if there is no string for menu) ?

No, I have neither the equipment to check this nor do I think that the hardware can do more.
 

Offline Harvs

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #107 on: June 08, 2013, 12:49:01 pm »
Do you guys reckon a similar thing is possible with the new function generators? I wouldn't mind pairing a 60mhz function gen (unlocked to 160mhz) with a 70Mhz 2000 series scope (at 200mhz) :D

I've cracked open my DG4062 to have a crack at this.  It's got the same FRAM as the DS2000.  I haven't done a dump yet, but it only does a single large read on boot, then doesn't touch it at all.  So deciphering what's in it could be a challenge, if it's even the right place to be looking.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #108 on: June 08, 2013, 01:12:12 pm »
Do you guys reckon a similar thing is possible with the new function generators? I wouldn't mind pairing a 60mhz function gen (unlocked to 160mhz) with a 70Mhz 2000 series scope (at 200mhz) :D

I've cracked open my DG4062 to have a crack at this.  It's got the same FRAM as the DS2000.  I haven't done a dump yet, but it only does a single large read on boot, then doesn't touch it at all.  So deciphering what's in it could be a challenge, if it's even the right place to be looking.

can u share the FW file or at least 0x0 - 0x0FFF of it ? or comment on if my loader addr tool (posted earlier) gives some output.
the fw must be very similar - i see tons of code for DS4X features in my disassembly. so chances are they use the exact same FRAM mapping.

 

Offline Harvs

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #109 on: June 08, 2013, 01:35:43 pm »
I've cracked open my DG4062 to have a crack at this.  It's got the same FRAM as the DS2000.  I haven't done a dump yet, but it only does a single large read on boot, then doesn't touch it at all.  So deciphering what's in it could be a challenge, if it's even the right place to be looking.

can u share the FW file or at least 0x0 - 0x0FFF of it ? or comment on if my loader addr tool (posted earlier) gives some output.
the fw must be very similar - i see tons of code for DS4X features in my disassembly. so chances are they use the exact same FRAM mapping.

I've opened the DG4062 function gen, not the DS4xxx scope if that's what you were after?

BTW how do you actually get the firmware file?  Is there a way to read it back out?
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #110 on: June 08, 2013, 01:40:40 pm »
I've cracked open my DG4062 to have a crack at this.  It's got the same FRAM as the DS2000.  I haven't done a dump yet, but it only does a single large read on boot, then doesn't touch it at all.  So deciphering what's it in could be a challenge, if it's even the right place to be looking.

can u share the FW file or at least 0x0 - 0x0FFF of it ? or comment on if my loader addr tool (posted earlier) gives some output.
the fw must be very similar - i see tons of code for DS4X features in my disassembly. so chances are they use the exact same FRAM mapping.

I've opened the DG4062 function gen, not the DS4xxx scope if that's what you were after?

BTW how do you actually get the firmware file?  Is there a way to read it back out?

ah i misread that sorry, probably looking at assembly code for too long ;-)
for the DG i have firmware files - rigols content delivery system is not the best ;-) even if its not on the homepage you can still download stuff ... ;-) including internal vids ...  >:D

look for a 14pin header, as described earlier in my post - if its blackfin its there for sure - and get a $30 amontec jtag key tiny - that's pretty much all u need, besides a few pullup resistors. rest is uclinux-blackfin toolchain ... bfin-jtag as gdb proxy and gdb + your fav. frontend.

alternatively check my fw loader address tool - or get ldrviewer (free tool) + some offset  (check the source)
if that does something useful, you could use IDA pro + my custom GEL loader - let me know if you find a way.
im only looking after the license keys algos for the DS2k's at the moment ...
 

Offline Harvs

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #111 on: June 08, 2013, 01:48:12 pm »
look for a 14pin header, as described earlier in my post - if its blackfin its there for sure - and get a $30 amontec jtag key tiny - that's pretty much all u need, besides a few pullup resistors. rest is uclinux-blackfin toolchain ... bfin-jtag as gdb proxy and gdb + your fav. frontend.

alternatively check my fw loader address tool - or get ldrviewer (free tool) + some offset  (check the source)
if that does something useful, you could use IDA pro + my custom GEL loader - let me know if you find a way.
im only looking after the license keys algos for the DS2k's at the moment ...

Thanks.  Being a DS2072 owner I'm benefiting from all the work on that as well so I'm grateful!

The DG4k is based on the blackfin as well, and that header is there.  There's a lot of similarities with the insides of the DS2k scope at first look.
 

Offline andyturkTopic starter

  • Frequent Contributor
  • **
  • Posts: 895
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #112 on: June 08, 2013, 06:30:38 pm »
The DG4k is based on the blackfin as well, and that header is there.  There's a lot of similarities with the insides of the DS2k scope at first look.

Workin' on it...  (it's a DS4014):-/O
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13694
  • Country: gb
    • Mike's Electric Stuff
Re: Sniffing the Rigol's internal I2C bus
« Reply #113 on: June 08, 2013, 08:22:18 pm »
Do you guys reckon a similar thing is possible with the new function generators? I wouldn't mind pairing a 60mhz function gen (unlocked to 160mhz) with a 70Mhz 2000 series scope (at 200mhz) :D

I've cracked open my DG4062 to have a crack at this.  It's got the same FRAM as the DS2000.  I haven't done a dump yet, but it only does a single large read on boot, then doesn't touch it at all.  So deciphering what's it in could be a challenge, if it's even the right place to be looking.
I had a quick look at mine before I read this. Chip appeared to be a 24C16. Seems to read the chip at startup, then write 8 bytes to the start of each page, apparently same each startup (only 2 compared).
However I powered it up with the chip removed and it started up as normal...! Didn't check calibration or anything but serial no. was still there.

Code attached if anyone wants to compare

Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Harvs

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #114 on: June 09, 2013, 01:16:44 am »
Do you guys reckon a similar thing is possible with the new function generators? I wouldn't mind pairing a 60mhz function gen (unlocked to 160mhz) with a 70Mhz 2000 series scope (at 200mhz) :D

I've cracked open my DG4062 to have a crack at this.  It's got the same FRAM as the DS2000.  I haven't done a dump yet, but it only does a single large read on boot, then doesn't touch it at all.  So deciphering what's it in could be a challenge, if it's even the right place to be looking.
I had a quick look at mine before I read this. Chip appeared to be a 24C16. Seems to read the chip at startup, then write 8 bytes to the start of each page, apparently same each startup (only 2 compared).
However I powered it up with the chip removed and it started up as normal...! Didn't check calibration or anything but serial no. was still there.

Code attached if anyone wants to compare

Thanks Mike.  That's interesting about it still starting and having its serial #.

I think the firmware's got to be the next place to start.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #115 on: June 09, 2013, 06:00:25 am »
bfin has a unique chipid and they use that + a model prefix DSA2<.....>
 

Offline MrsR

  • Regular Contributor
  • *
  • Posts: 118
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #116 on: June 09, 2013, 03:32:28 pm »
SORRY TINHEAD, my mistake I looked at the wrong Data sheet although I did post the correct one.
We stock about 30,000 ICs and about 50 Data Sheets came up from the search parameters.
I will make sure I am quoting the right Data Sheet next time.

REGARDS
Rachael :-+
 

Offline ftransform

  • Frequent Contributor
  • **
  • Posts: 728
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #117 on: June 09, 2013, 09:56:44 pm »
how close is this?
 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #118 on: June 10, 2013, 08:14:20 am »
switching internal model type to DS2202 (0x1) allows 2ns Timebase (see attachment) - the settings are read in during boot (TWI i guess, but right sub()s still not found), and then the various strings/settings are applied - changing the model type has immediate effect ;-)

if somebody wants to check if some of those bytes are in the FRAM try to change em to something like:

RAM:E4DD1F                                         # 0x16=DS2072
RAM:E4DD1F                                         # 0x0= DS2102
RAM:E4DD1F                                         # 0x1= DS2202  (2ns timebase avail)
RAM:E4DD1F                                         # 0x2= DS????? (500ps timebase avail)

update: when powercycling in 2ns mode, it comes back in 2ns mode, if u leave it then it won't let u back to 2ns
so that byte should be in FRAM somewhere then ... ;)



I just checked the hex file that studio25 provided in a post on page 4 and the only place that I found the hex value 0x16 (for the ds2072) is at position 0x43c, so this is a possible area of attack.
I hope this helps

Torsten
 
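Mike's observation above (compare what the firmware writes to the EEPROM/FRAM on two boots) and Torsten's search for the 0x16 model byte are the same exercise: find which offsets change between boots and which stay put. The following is an added example, not code posted in the thread; the 16-byte page size is an assumption for a 24C16-class part and the two dumps are constructed stand-ins for real captures.

```python
# Added example (not from the thread): diff two EEPROM/FRAM dumps taken on
# successive boots and keep only offsets of a given byte value that did not
# change between them. Page size and the sample dumps are assumptions.
from typing import Dict, List, Tuple

PAGE_SIZE = 16    # assumed write-page size for a 24C16-class part
DUMP_SIZE = 2048  # 24C16 = 16 kbit = 2 KiB


def diff_dumps(a: bytes, b: bytes, page_size: int = PAGE_SIZE) -> Dict[int, List[int]]:
    """Offsets that differ between two same-length dumps, grouped by page."""
    if len(a) != len(b):
        raise ValueError("dumps must be the same length")
    changed: Dict[int, List[int]] = {}
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            changed.setdefault(off // page_size, []).append(off)
    return changed


def find_byte(dump: bytes, value: int) -> List[int]:
    """Every offset holding `value` (e.g. 0x16, the DS2072 model code named in the thread)."""
    return [off for off, b in enumerate(dump) if b == value]


def stable_candidates(boot1: bytes, boot2: bytes, value: int) -> List[int]:
    """Offsets holding `value` that are identical in both dumps: a static setting
    should not move between boots, so anything that changed is dropped as noise."""
    changed = {off for offs in diff_dumps(boot1, boot2).values() for off in offs}
    return [off for off in find_byte(boot2, value) if off not in changed]


def format_diff(a: bytes, b: bytes) -> List[str]:
    """One line per changed byte, e.g. 'page 0x01 @0x0010: 00 -> 01'."""
    return [f"page 0x{page:02x} @0x{off:04x}: {a[off]:02x} -> {b[off]:02x}"
            for page, offs in sorted(diff_dumps(a, b).items()) for off in offs]


def make_sample_dumps() -> Tuple[bytes, bytes]:
    """Constructed dumps standing in for two boot captures (not real device data)."""
    base = bytearray(DUMP_SIZE)
    base[0x43C] = 0x16               # candidate model byte at the offset reported in the thread
    base[0x100:0x108] = b"DSA2xxxx"  # constructed serial-like string
    boot1 = bytes(base)
    base[0x010] ^= 0x01              # a byte the firmware rewrites differently on each boot
    base[0x015] = 0x16               # a second 0x16 that only appears on the second boot
    return boot1, bytes(base)


if __name__ == "__main__":
    b1, b2 = make_sample_dumps()
    print("\n".join(format_diff(b1, b2)))
    print("stable 0x16 candidates:", [hex(o) for o in stable_candidates(b1, b2, 0x16)])
```

Run against two real dumps of equal length, the page grouping shows whether the per-boot writes really land at the start of each page as Mike saw, and the stable-candidate list is what a static model or option byte would have to be in.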

Ruben57

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #119 on: June 10, 2013, 10:53:08 am »
for the DG i have firmware files - rigols content delivery system is not the best ;-) even if its not on the homepage you can still download stuff ... ;-) including internal vids ...  >:D


I took a look and found all the training videos, sales tool kits and other files. However, I could only find one firmware file. It is for the DG4000 series (DG4000_FW_Update.zip).

It can be found via "113" if you know what I mean... >:D

Can you share where the other firmware files are located? :D

The DG4000 firmware zip contains the file DG4000Update.GEL, dated 20/3/2012. There doesn't seem to be a readily identifiable version number in it, other than version 1.2.3a. However, it appears as though it is a generic number as it also has a serial number of 543210.

I have a DG4162 and its details are:

Software: 00.01.07  (suspect there is more to it)
Hardware: 01.03
Keyboard: 04.01

I also have a DS4024 and its details are:

Software: 00.01.00.00.07
Hardware: 0.1.2.3
SPU: 03.00.06
WPU: 00.07.04
CCU: 01.40.05
MCU: 1.3

I can dump the contents of the FRAM if it helps. :)
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #120 on: June 10, 2013, 02:13:31 pm »
yeah, the chinese stuff is funny ;-)  >:D - cant remember the vals, but they had multiple root folders in the cms - so its not just changing the last value ;-)

i will start playing with DG firmware once i have bought a DS4162 - still busy with their ds2XXX license key brainfuck ...
 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #121 on: June 11, 2013, 08:56:47 am »
Hi all,

too bad that the license on the dsa815 is different than on the scopes as this is also something of interest.
The way I see it the serial number of the scope is in the key of the scope but in the spectrum analyzer it is not. This is backed up by the fact that when you buy a key from batronix for a scope they need the serial of the scope (as stated there), but on the keys for the dsa there is no mention of the serial number.

Just as an FYI the key format on the dsa815 is: FAQ83TF37A3Y8ST4RA********** if you want I can see if I can get a FRAM image from my dsa815, if needed

73 de DL5TOR
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #122 on: June 11, 2013, 09:17:02 am »
can u confirm the following features of the spectrum analyzer license key:

length ?
is it grouped in 4 chunks a 7 chars like the DS2X ? (1234567-1234567-1234567-1234567) ?
no letter I, no letter 0, no 0 (zero), no 1 (one) as input

the lic-functions that i have analyzed so far are 2 categories - kinda prepare the input license key by scrambling/cutting/shifting parts of it around,
they are depending on the length (28/0x1C). but the real deal which does recursive transformations on the key is not length dependent.
 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #123 on: June 11, 2013, 10:08:21 am »
length ?
is it grouped in 4 chunks a 7 chars like the DS2X ? (1234567-1234567-1234567-1234567) ?

Length is 28


no letter I, no letter 0, no 0 (zero), no 1 (one) as input

I do not see one

If you want, I can send you the key by mail. I also have a firmware file on hand if you need it
 

Ruben57

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #124 on: June 11, 2013, 01:14:38 pm »
yeah, the chinese stuff is funny ;-)  >:D - cant remember the vals, but they had multiple root folders in the cms - so its not just changing the last value ;-)


Yes, I see what you mean now... I was wondering what that was about.

I found two other firmware files with unusual file names (eg. "fileCA9NWMFE.zip") but they both contain the same version of DG4000 firmware.

Anyhow, not so interesting anymore so not going to waste anymore time there.  :) 
 

