Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1823142 times)

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #175 on: June 22, 2013, 07:11:39 pm »
We all be burning in hell forever,


Jeesze what a lot of bullshit is on this forum.

You really don't understand any of it, do you?
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #176 on: June 22, 2013, 07:19:04 pm »
Quote
Jeesze what a lot of bullshit is on this forum.

 :-DD - kids and their supersecret "hack"

working on reversing the license key schema - 200+ subs done, but still way to go .. i have "crypto" vector initialization & three rounds (so far) of their code transformations implemented in a bunch of c files.
still missing the final verification, then - reversing the process (math brainfuck  |O) - slowly getting there ..

trigger options are possible by changing retvals from their verification subs (e.g. patch code via jtag)
Code:
set *0x59a24=0xb0f86018 (changes opcodes to R0=3 in 0x59A24)
one could patch the firmware file with this, given somebody bothers to find the CRC checks in the bootldr.
i found a lot of other stuff on the go, but first things first.

___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline mickpah

  • Regular Contributor
  • *
  • Posts: 148
  • Country: au
    • Yeti Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #177 on: June 23, 2013, 12:20:27 am »
OK, while we're on the off-topic of Rigol support. I bought my DS2072 soon after release in 2012. Emailed the local distributor I purchased it from in October 2012 for an update.
Result, I now receive email catalogues and promotions - not firmware. grrrrr

Questions

1. Whose arse do I kiss to get the update?
2. WTF should I have to kiss arse when if I have an Agilent product I just download it?
3. Is this the "support" we are jeopardising in this thread?

I am really considering buying a Rigol DP832 and/or an arb.
Rigol are only in there because the initial purchase bang per buck equation makes sense. If I factor support they lose. Leaving aside the trial renewal thing, the kind of "self help" happening on EEV forums makes up for Rigol's support apathy.
Marmad, you have done such a great job supporting their stuff, beta testing and writing software we can all use, but really there is another ethical issue here too. Rigol are offloading their responsibility and cost on to people like you. I really hope you are getting something out of this because they are profiting by your work.

This is only a semi-troll  :)
I am pissed about Rigol support but am not going to pop an aneurysm
 

Offline Stonent

  • Super Contributor
  • ***
  • Posts: 3824
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #178 on: June 23, 2013, 12:24:17 am »
Quote from: mickpah
OK, while we're on the off-topic of Rigol support. I bought my DS2072 soon after release in 2012. Emailed the local distributor I purchased it from in October 2012 for an update.
Result, I now receive email catalogues and promotions - not firmware. grrrrr

Questions

1. Whose arse do I kiss to get the update?
2. WTF should I have to kiss arse when if I have an Agilent product I just download it?
3. Is this the "support" we are jeopardising in this thread?

I am really considering buying a Rigol DP832 and/or an arb.
Rigol are only in there because the initial purchase bang per buck equation makes sense. If I factor support they lose. Leaving aside the trial renewal thing, the kind of "self help" happening on EEV forums makes up for Rigol's support apathy.
Marmad, you have done such a great job supporting their stuff, beta testing and writing software we can all use, but really there is another ethical issue here too. Rigol are offloading their responsibility and cost on to people like you. I really hope you are getting something out of this because they are profiting by your work.

This is only a semi-troll  :)
I am pissed about Rigol support but am not going to pop an aneurysm

I have a link here:
http://www.rigolna.com/products/digital-oscilloscopes/ds2000/ds2072/
That takes you here to a form:
http://www.rigolna.com/download/501G0000000TyNXIA0/

That's just for the standard firmware.

The larger the government, the smaller the citizen.
 

Offline mickpah

  • Regular Contributor
  • *
  • Posts: 148
  • Country: au
    • Yeti Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #179 on: June 23, 2013, 12:31:52 am »
Quote from: Stonent
Quote from: mickpah
OK, while we're on the off-topic of Rigol support. I bought my DS2072 soon after release in 2012. Emailed the local distributor I purchased it from in October 2012 for an update.
Result, I now receive email catalogues and promotions - not firmware. grrrrr

Questions

1. Whose arse do I kiss to get the update?
2. WTF should I have to kiss arse when if I have an Agilent product I just download it?
3. Is this the "support" we are jeopardising in this thread?

I am really considering buying a Rigol DP832 and/or an arb.
Rigol are only in there because the initial purchase bang per buck equation makes sense. If I factor support they lose. Leaving aside the trial renewal thing, the kind of "self help" happening on EEV forums makes up for Rigol's support apathy.
Marmad, you have done such a great job supporting their stuff, beta testing and writing software we can all use, but really there is another ethical issue here too. Rigol are offloading their responsibility and cost on to people like you. I really hope you are getting something out of this because they are profiting by your work.

This is only a semi-troll  :)
I am pissed about Rigol support but am not going to pop an aneurysm

I have a link here:
http://www.rigolna.com/products/digital-oscilloscopes/ds2000/ds2072/
That takes you here to a form:
http://www.rigolna.com/download/501G0000000TyNXIA0/

That's just for the standard firmware.

my point exactly, this is the support for the US, can't even register for the site as I am resident in New South Wales / Australia. There is not even an option for "other"
I guess I could put in a dummy address, but really why the hell should I have to go through so much hassle ?

 

Offline UberSteve

  • Contributor
  • Posts: 21
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #180 on: June 23, 2013, 02:41:33 am »
I just got my DS2072 and now it's fully potted!  :-DD

Must be heavy!  :-DD

You're kidding right...  :phew:
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #181 on: June 23, 2013, 03:16:24 am »
Quote from: mickpah
OK, while we're on the off-topic of Rigol support. I bought my DS2072 soon after release in 2012. Emailed the local distributor I purchased it from in October 2012 for an update.
Result, I now receive email catalogues and promotions - not firmware. grrrrr

Well, your dealer should be able to provide you with FW updates - that seems to be Rigol's preferred route of distribution (yeah, I know, a pain in the ass) - and we all just pass it around among ourselves. Anyway, I got my last copy from Dave here (who got it from his dealer) - if you still don't have a copy of FW 01.00.00.03, send me an email and I'll send it to you.

Quote
3. Is this the "support" we are jeopardising in this thread?

No, Rigol's support generally sucks - no doubt about it - although they begin to make small baby steps: they've actually started listening to our bug reports/FW complaints and responding with fixes. OTOH, they've made huge improvements in the design, build quality, and workmanship of their instruments in the last 2 years - so hopefully some of that movement will be shifted towards support at some point. But I'm just hoping to get them to still implement a few more sorely missing features in future versions of the FW.
 

Offline bluesmoke

  • Contributor
  • Posts: 24
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #182 on: June 23, 2013, 07:15:18 am »
Quote
I just got my DS2072 and now it's fully potted!  :-DD

I was joking... I'm still waiting for mine.. shipping date has been moved from the June 21st to the 26th... I don't hold out much hope.
I just want to get my mitts on one!

 

Offline jsykes

  • Contributor
  • Posts: 31
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #183 on: June 23, 2013, 07:42:56 am »
In other words, Blue smoke was just blowing smoke. :)
I would hate to see them start potting. That news is a relief. I remember back in the day, when they did that with the old C band satellite descramblers in the US and the hackers just carefully chipped away the potting.
 

Offline jedreg

  • Contributor
  • Posts: 11
Re: Sniffing the Rigol's internal I2C bus
« Reply #184 on: June 26, 2013, 12:59:40 pm »
I did it again, I got another Rigol - DS2102 replacing DS1052E. BW of the first one was enhanced first day of arrival, purchase decision on the new one was also influenced by this forum. Guys, your work is impressive! I am not going to apply any hardware hack soon though, 3y warranty is valuable for me, but I cannot wait for software ways of enhancements!

cheers,
andy.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #185 on: June 28, 2013, 08:24:56 am »
small goody discovered.
seems to enable a test mode - full features (+100M/200M Bandwidth) - but vanishes on power cycling.
I have no information about any effects on already installed keys - so use at your own risk

LLLLLLL-RLGLLDS-DSARLLL-LLLLLLL

enjoy  >:D
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline mickpah

  • Regular Contributor
  • *
  • Posts: 148
  • Country: au
    • Yeti Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #186 on: June 28, 2013, 08:43:39 am »
Quote from: cybernet
small goody discovered.
seems to enable a test mode - full features (+100M/200M Bandwidth) - but vanishes on power cycling.
I have no information about any effects on already installed keys - so use at your own risk

LLLLLLL-RLGLLDS-DSARLLL-LLLLLLL

enjoy  >:D

simply awesome ;D
Pretty good bet it will be gone in the next update, but that may actually mean they release one - of course they will need to make it attractive to upgrade now. win all round I'd say
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #187 on: June 28, 2013, 08:51:28 am »
well maybe its some factory-test thingy that they use ... and i only tried it for FW v.00.01.00.05

LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL

should also work (this enables all 5 possible features (bitmask 0x1F))

if somebody owns a DS4/6 - let me know if it works there too.
and let me know if it works on other fw versions as i will stay on 01.00.05 for a while.

-

while it enables 100M/200M official versions, it does *NOT* allow <5ns TB on the 2072 ... so maybe its not implemented fully in 01.00.05.
changing the model type in memory will allow to go down to 500ps however ...
can someone with the right equipment check if 100M/200M BW is actually working ?
« Last Edit: June 28, 2013, 08:55:22 am by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #188 on: June 28, 2013, 09:13:04 am »
Awesome work. For me:

a) Confirmed -3dB bandwidth is ~230MHz on my DS2072 with code enabled (just a quick check, not an accurate measurement, it is certainly > 200MHz though)
b) Timebase 2ns works for me

I used the R code, and because of the note about it being removed after power off I did some fiddling in the options menu to see if I could get it to save the state (just trying invalid codes, refreshing everything etc.).

While the option disappears from the options page, the 100MHz filter still appears in CH settings and can be switched on/off, 2ns timebase still works, and I confirm at least 200MHz bandwidth after reboot and changing channel settings. 56M memory option and decoders are disabled. I didn't notice if the advanced triggers were there, but they are not now.

I am on 1.00.00.03.
« Last Edit: June 28, 2013, 09:14:52 am by ve7xen »
73 de VE7XEN
He/Him
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #189 on: June 28, 2013, 09:18:26 am »
Quote from: ve7xen
Awesome work. For me:

a) Confirmed -3dB bandwidth is ~230MHz on my DS2072 with code enabled (just a quick check, not an accurate measurement, it is certainly > 200MHz though)
b) Timebase 2ns works for me

I used the R code, and because of the note about it being removed after power off I did some fiddling in the options menu to see if I could get it to save the state (just trying invalid codes, refreshing everything etc.).

While the option disappears from the options page, the 100MHz filter still appears in CH settings and can be switched on/off, 2ns timebase still works, and I confirm at least 200MHz bandwidth after reboot and changing channel settings. 56M memory option and decoders are disabled. I didn't notice if the advanced triggers were there, but they are not now.

I am on 1.00.00.03.

thx for reporting back  :-+
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: Sniffing the Rigol's internal I2C bus
« Reply #190 on: June 28, 2013, 09:39:46 am »
Thanks Cybernet !

This whole thread's posts saved offline, just in case.  >:D

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #191 on: June 28, 2013, 10:41:28 am »

Quote
Tested in FW 05, you get the options but NOT the bandwidth, not with the 9 nor the R version of the key.
Tested on a DS 2072

with not the BW i assume u mean the BW limit setting ? (20M) ? because ve7xen tested it for >200MHZ at -3db. (see above)
BW limiter is probably a model specific setting, and it does not change the model type to a DS2202 - which at least in FW 05 doesnt seem possible without a modified FW itself. anyone fancies some CRC cracking ? i can do the necessary bfin code ;-)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #192 on: June 28, 2013, 10:52:09 am »
Quote from: ve7xen
Awesome work. For me:

a) Confirmed -3dB bandwidth is ~230MHz on my DS2072 with code enabled (just a quick check, not an accurate measurement, it is certainly > 200MHz though)
b) Timebase 2ns works for me

I used the R code, and because of the note about it being removed after power off I did some fiddling in the options menu to see if I could get it to save the state (just trying invalid codes, refreshing everything etc.).

While the option disappears from the options page, the 100MHz filter still appears in CH settings and can be switched on/off, 2ns timebase still works, and I confirm at least 200MHz bandwidth after reboot and changing channel settings. 56M memory option and decoders are disabled. I didn't notice if the advanced triggers were there, but they are not now.

I am on 1.00.00.03.

interesting, on FW 05, i only have 20M BW limit, and 5ns TB - seems like FW 03 is actually making use of it ... talk about "mature code" releases ;-)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

studio25

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #193 on: June 28, 2013, 11:26:41 am »
Great work!

I have done the following:
- Update to FW 03
- Enter code LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL
- Downgrade to FW 05

Now 20Mhz, 100Mhz and OFF is available in the menu. Also, can I use the 2ns time base.
I see no difference to a DS2202.
Even after rebooting.

A big thank you to cybernet
« Last Edit: June 28, 2013, 11:30:00 am by studio25 »
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #194 on: June 28, 2013, 11:31:04 am »
Quote from: studio25
Great work!

I have done the following:
- Update to FW 03
- Enter code LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL
- Downgrade to FW 05

Now 20Mhz, 100Mhz and OFF is available in the menu. Even after rebooting.

A big thank you to cybernet

could u investigate the FRAM side of things a bit ? especially if u see  "9C007" or "9C01F" somewhere - and what happens when u change that to a "1C007" or "1C01F" ... the 1C is the permanent code, the 9C denotes a temp key ;-) i think u get the idea ...
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #195 on: June 28, 2013, 11:50:30 am »
Quote from: studio25
I have done the following:
- Update to FW 03
- Enter code LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL
- Downgrade to FW 05

Now 20Mhz, 100Mhz and OFF is available in the menu. Also, can I use the 2ns time base.
I see no difference to a DS2202.
Even after rebooting.

A big thank you to cybernet

Very interesting. One thing to consider - it would be worthwhile to discover a key to change the model numbers BACK to original numbers (2072 or 2102), since this could clearly be used as an indicator for voided warranty.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #196 on: June 28, 2013, 12:02:54 pm »
Quote from: marmad
Quote from: studio25
I have done the following:
- Update to FW 03
- Enter code LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL
- Downgrade to FW 05

Now 20Mhz, 100Mhz and OFF is available in the menu. Also, can I use the 2ns time base.
I see no difference to a DS2202.
Even after rebooting.

A big thank you to cybernet

Very interesting. One thing to consider - it would be worthwhile to discover a key to change the model numbers BACK to original numbers (2072 or 2102), since this could clearly be used as an indicator for voided warranty.

try DSAA as magic bytes as that will have none of the option bits set, which might revert it ;-)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #197 on: June 28, 2013, 12:05:06 pm »
Quote from: marmad
Quote from: studio25
I have done the following:
- Update to FW 03
- Enter code LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL
- Downgrade to FW 05

Now 20Mhz, 100Mhz and OFF is available in the menu. Also, can I use the 2ns time base.
I see no difference to a DS2202.
Even after rebooting.

A big thank you to cybernet

Very interesting. One thing to consider - it would be worthwhile to discover a key to change the model numbers BACK to original numbers (2072 or 2102), since this could clearly be used as an indicator for voided warranty.


Quote
YES it can be deleted..., just tried, do:  uninstall

can u try DSAA too ? (its hours until im at my scope again .. and im curious ;-)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 2183
Re: Sniffing the Rigol's internal I2C bus
« Reply #198 on: June 28, 2013, 12:24:38 pm »
Quote from: studio25
- Update to FW 03
- Enter code LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL
- Downgrade to FW 05

Why do you say downgrade to FW 05 from FW 03 - would that be upgrade?

Is there somewhere that details the FW release versions and also has them available for download?
« Last Edit: July 09, 2013, 07:17:56 pm by alank2 »
 

Offline orbiter

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: gb
  • -0 Resistance is Futile
Re: Sniffing the Rigol's internal I2C bus
« Reply #199 on: June 28, 2013, 12:27:56 pm »
Quote from: alank2
Quote from: studio25
- Update to FW 03
- Enter code LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL
- Downgrade to FW 05

Why do you say downgrade to FW 05 from FW 03 - would that be upgrade?

Is there somewhere that details the FW release versions and also has them available for download?


FW 05 came out first, then a subsequent version was released.. FW 03

I have never seen any details on Rigol's site etc to do with FW releases.
 
