Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1823156 times)


studio25

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #125 on: June 11, 2013, 07:57:22 pm »
Here are the current files. The old files have errors and should be deleted.

2160 min. trials, 250MHz bandwidth, 1ns time base

http://rapidshare.com/files/2386551592/Rigol%20DS2000%20trial%20hack.rar
 

Offline true

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #126 on: June 11, 2013, 09:36:30 pm »
Hell yeah, modchips for oscilloscopes. I'm not surprised at the lack of protections for this.

I recall you stating that patching the bandwidth would be overridden by the default value for the 'scope if the bandwidth limit was toggled in the menu. Is this still the case with this version, or will it use the modified value provided by the modchip?

Same with the timebase - can you change the timebase and return to 1ns?

Great work studio25. I'll try this out in a couple weeks =)
 

studio25

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #127 on: June 11, 2013, 09:53:43 pm »
Hell yeah, modchips for oscilloscopes. I'm not surprised at the lack of protections for this.

I recall you stating that patching the bandwidth would be overridden by the default value for the 'scope if the bandwidth limit was toggled in the menu. Is this still the case with this version, or will it use the modified value provided by the modchip?

Same with the timebase - can you change the timebase and return to 1ns?

Great work studio25. I'll try this out in a couple weeks =)

Once the bandwidth limit or the time base is adjusted, it is not possible to return to the patched values. A reboot must be done.
When you reboot, the values are changed in the FRAM. But it only works when under
"UTILITY" -> "System" -> "Power On" "Last" is selected.
 

Offline jirikv

  • Newbie
  • Posts: 4
  • Country: cz
Re: Sniffing the Rigol's internal I2C bus
« Reply #128 on: June 12, 2013, 01:04:24 am »
Hi,
I discovered extended system info on DG4062 arb gen.
Go to: Utility-System-Sys Info, then press first, third and fifth softbutton (6 blue/grey side buttons).
It's only for info.... :)
« Last Edit: June 12, 2013, 01:07:51 am by jirikv »
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #129 on: June 12, 2013, 02:59:39 am »
I've mirrored the new file at the same location as before: http://www.gotroot.ca/rigol/

Thanks again for your work studio25, this is great :D.
73 de VE7XEN
He/Him
 

Offline max-bit

  • Frequent Contributor
  • **
  • Posts: 667
  • Country: pl
Re: Sniffing the Rigol's internal I2C bus
« Reply #130 on: June 12, 2013, 04:53:06 am »
Has anyone tested this hack oscilloscope?
in terms of the rise time (JW Pulse Generator)
screenshots?
 

Offline Harvs

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #131 on: June 12, 2013, 05:02:56 am »
Thanks again studio25.

It would be great though if we could start adding a version number or date to the rar file name. 

It could start getting confusing as to what versions people are using.
 

Offline Harvs

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #132 on: June 13, 2013, 10:04:57 am »
Has anyone tested this hack oscilloscope?
in terms of the rise time (JW Pulse Generator)
screenshots?

I cobbled one together this evening out of parts I had lying around.  It's just using a 2N3904 transistor instead of the proper one, so I'm certainly not claiming anything about how good it is.

However, from the screen grabs below there is a difference pre and post mod.  I don't know what the actual peak voltage of the pulse is, so the rise times can't be used to calculate the BW.  If I get around to it I'll modify it to extend the pulse duration (using coax) and add an attenuator.
 

Offline nack

  • Regular Contributor
  • *
  • Posts: 75
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #133 on: June 13, 2013, 11:04:38 am »
Interesting! Keep an eye on this thread to make use of it once my DS2072 arrives.
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 346
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #134 on: June 15, 2013, 05:28:14 pm »
I built the ATtiny85 version today, and also tested the rise times. I got very optimistic rise times in the order of 600..800 pSec.
I used a Tektronix Type 284 pulser with a very short cable. This has a spec of 70 pSec rise time @200 mV.

Time base was set to the initial 1 nSec, and 250 MHz BW.

It made me suspicious since this rise time is not really possible with this scope. I did a further check with a 200MHz signal gen. It turns out that the actual timebase setting was 2nSec despite the fact that the setting was indicating 1nSec. All time measurements on screen are based on the 1nSec/div.

I made a new version of the ATtiny85 hack and set it to 2 nSec. This all was tested with the latest firmware 00.01.00.00.03 on a DS2072.

I now have a more realistic rise time of 1.4nSec. (0.33/1.4 = 235MHz)

So it seems that the DS2000 series can handle max 2 nSec.
A big thank you to Studio25 for his nice work.


Update :
Done some more testing by changing the BW settings from 0x04 to 0x05; the result is that the scope shows no BW any longer in the menu, but stays at the 250MHz setting.

Attached are the 1nSec screen shots of a 200 MHz signal. There is a difference in single or dual mode. Single mode seems to be OK.
For the moment I'll keep it 2nSec. Still not bad for a 70MHz model  :)

Perhaps RIGOL can fix this bug for us  ;)

- Orange
« Last Edit: June 16, 2013, 06:48:15 am by Orange »
 

Offline BlueLaser

  • Contributor
  • Posts: 17
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #135 on: June 17, 2013, 09:10:56 pm »
So just to clarify, this works on all firmware versions?  Also, has Rigol taken down their firmware download section for the ds2000 series?
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 346
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #136 on: June 18, 2013, 07:38:40 am »
So just to clarify, this works on all firmware versions?  Also, has Rigol taken down their firmware download section for the ds2000 series?
I only tested it with 00.1.00.00.03 firmware, but I have no reason to believe it should not work with older versions. Download firmware for the DS2000 ?
I wished Rigol had that...
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 346
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #137 on: June 20, 2013, 01:56:54 pm »
Some photos of the ATtiny85 placed on the FRAM
 

Offline jamesb

  • Regular Contributor
  • *
  • Posts: 54
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #138 on: June 20, 2013, 03:46:29 pm »
That is just awesome!! :) :)

I bet when Rigol sees this they will be fuming. Almost pin-for-pin!!
 

Offline van-c

  • Regular Contributor
  • *
  • Posts: 69
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #139 on: June 20, 2013, 03:49:34 pm »
Some photos of the ATtiny85 placed on the FRAM
That really gets right to the heart of the matter.  Does your ATtiny85 code patch the FRAM every time the DS2000 boots up?

--Van
« Last Edit: June 20, 2013, 03:51:05 pm by van-c »
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 346
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #140 on: June 20, 2013, 04:24:15 pm »
Some photos of the ATtiny85 placed on the FRAM
That really gets right to the heart of the matter.  Does your ATtiny85 code patch the FRAM every time the DS2000 boots up?

--Van
Yes it does; if you power-up the scope, it writes the patched values.
For sure Rigol does not like this, but it's all in the game  :)

 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #141 on: June 20, 2013, 05:13:12 pm »
Yes it does; if you power-up the scope, it writes the patched values.
For sure Rigol does not like this, but it's all in the game  :)

Unfortunately, there's possible downsides to public posting of hacking techniques: longer times between FW updates - and more convoluted (and perhaps buggy) code - or measures (e.g. eliminating trials altogether) to try to prevent it.

I'm not saying I'm against hacking - just trying to be realistic.
 

Offline jamesb

  • Regular Contributor
  • *
  • Posts: 54
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #142 on: June 20, 2013, 05:22:44 pm »
Unfortunately, there's possible downsides to public posting of hacking techniques: longer times between FW updates - and more convoluted (and perhaps buggy) code - or measures (e.g. eliminating trials altogether) to try to prevent it.

I'm not saying I'm against hacking - just trying to be realistic.

That is a very good point - I just hope that Rigol does not burn their user-base as a result of their very poor implementation (ie. hackability).

I could see trial licenses being completely null in the upcoming FW as a result of efforts such as this. Then again, being able to swap back to an older FW for extra functionality may be a functional reality. Then there is the whole FW hacking effort.
 

Offline manticore00

  • Regular Contributor
  • *
  • Posts: 52
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #143 on: June 20, 2013, 05:57:51 pm »
Rigol's response is probably going to depend a lot on who they sell each SKU to and how cunning their business strategy is...

If the DS2102 and DS2202 aren't big sellers to hobbyists but rather are being used by small shops and other places/people that would be more concerned about maintaining their warranty then they may see that these hacks don't cause cannibalization of the DS2102 and DS2202 sales. Rather the availability of this hack may actually boost sales of DS2072 among folks who were on the fence about buying a new scope but never would've paid for the DS2102 or DS2202 anyway.

My hope is that these hacks don't hit their bottom line enough to warrant them spending the money to significantly address them and instead they turn a blind eye in favor of the added user community enthusiasm and potential for increased DS2072 sales volume... Yes Siglent and Owon's scopes aren't as good but they're significantly cheaper and the thought of this hack might be enough for someone to agree to pony up the extra cash for a Rigol instead of buying a cheaper competitor...
Aut viam inveniam aut faciam
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 346
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #144 on: June 20, 2013, 06:47:33 pm »
Yes it does; if you power-up the scope, it writes the patched values.
For sure Rigol does not like this, but it's all in the game  :)

Unfortunately, there's possible downsides to public posting of hacking techniques: longer times between FW updates - and more convoluted (and perhaps buggy) code - or measures (e.g. eliminating trials altogether) to try to prevent it.

I'm not saying I'm against hacking - just trying to be realistic.
Oh I see I forgot to post the 2nSec hex file for the ATtiny85 ;D
 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: Sniffing the Rigol's internal I2C bus
« Reply #145 on: June 20, 2013, 07:05:21 pm »
Oh I see I forgot to post the 2nSec hex file for the ATtiny85 ;D

Thanks, forwarding this to a friend who just bought a DS2072.  >:D

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #146 on: June 20, 2013, 07:08:23 pm »
I could see trial licenses being completely null in the upcoming FW as a result of efforts such as this. Then again, being able to swap back to an older FW for extra functionality may be a functional reality. Then there is the whole FW hacking effort.

Unfortunately because of this, Rigol might remove downgradeability at some point (as they did in the DS1000E series).

If the DS2102 and DS2202 aren't big sellers to hobbyists but rather are being used by small shops and other places/people that would be more concerned about maintaining their warranty then they may see that these hacks don't cause cannibalization of the DS2102 and DS2202 sales.

There are many people among the user base here that own DS2102s or DS2202s, so I'm not sure that's the reality.

Quote
My hope is that these hacks don't hit their bottom line enough to warrant them spending the money to significantly address them and instead they turn a blind eye in favor of the added user community enthusiasm and potential for increased DS2072 sales volume... Yes Siglent and Owon's scopes aren't as good but they're significantly cheaper and the thought of this hack might be enough for someone to agree to pony up the extra cash for a Rigol instead of buying a cheaper competitor...

As evidenced by the hack of the DS1000E series, it's unlikely Rigol will turn a blind eye to this. I suspect that hack made them a lot more money than this one will - and they still battled against it (as mentioned above).

As I mentioned in my video - and Dave has mentioned in his - this isn't a question of the DS2000 just being a better - but more expensive - DSO than the cheapest ones. They are WORLDS APART - in the build quality, shielding, UI, features, etc, etc.  I've had four different DSO's in the last 2 years and the DS2000 feels like a low-cost professional instrument - where the others feel like a cheap substitute for something serious.

Oh I see I forgot to post the 2nSec hex file for the ATtiny85 ;D

I guess that was a joke? Oh, yes, nevermind, I just noticed the flag.  :)
« Last Edit: June 20, 2013, 07:11:49 pm by marmad »
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #147 on: June 20, 2013, 07:44:13 pm »
 :blah: downgrading firmware is something they can't prevent with their current firmware architecture, with jtag i can flash whatever i like and without changing the PCB they can't get rid of jtag.
There is already ppl going for the DS4k with the same approach. With the .GEL file reversed, a simple custom bootloader is no big deal - and everybody could install it, then firing/loading whatever is presented via USB. (=don't care about OTP or lockbox, if they ever go this route, which i doubt given the R&D necessary for such a change )

lastly, even the guys with a DS2102 or DS2202 will benefit from a "keygen" - and again thx to jtag and some mathbrainfu*k, only a matter of time - and rigol can't do anything about it without screwing their existing userbase. and from the looks of it at the moment, the key schema is not only used in the DS2k ;-)

 



___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #148 on: June 20, 2013, 08:46:39 pm »
:blah: downgrading firmware is something they can't prevent with their current firmware architecture, with jtag i can flash whatever i like and without changing the PCB they can't get rid of jtag.
There is already ppl going for the DS4k with the same approach. With the .GEL file reversed, a simple custom bootloader is no big deal - and everybody could install it, then firing/loading whatever is presented via USB. (=don't care about OTP or lockbox, if they ever go this route, which i doubt given the R&D necessary for such a change )

lastly, even the guys with a DS2102 or DS2202 will benefit from a "keygen" - and again thx to jtag and some mathbrainfu*k, only a matter of time - and rigol can't do anything about it without screwing their existing userbase. and from the looks of it at the moment, the key schema is not only used in the DS2k ;-)

Yes, none of this will have any effect on anything Rigol does in the future  ::)
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #149 on: June 20, 2013, 08:49:45 pm »
Yes, none of this will have any effect on anything Rigol does in the future  ::)

well i hope it does, more fun next time ;-)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

