
Sniffing the Rigol's internal I2C bus


cybernet:
Currently no time to play with the new firmware, but what would be good to know is:

does a fully (DSAZ..) unlocked DS2000 (official fw) keep its features on upgrade to the latest fw?
does it "enable" the CAN? (if DSAZ was used) - my guess is no, as it's only evaluated and written to NV during key apply.
is downgrading possible or not (on old DS2000s)? (after the latest fw was flashed) - I didn't see downgrade checks in the old bootldr.

There are no plaintext keys anymore in the code - and the GEL format slightly changed (the last block has an invalid CRC, but it's only 64 bytes and thus ignored by the bootldr update, as far as I can tell).
Anyhow, I will probably flash it over the xmas holidays - and see what I can find.

The pros are:
* the bootldr on the DS2000 has no crypto stuff. I suspect the 64 bytes at the end could be a 512-bit signing key for the FW for newer bootloaders.
* the "old" bootldr doesn't use the DS2000Update.GEL to update the bootldr itself; that's done via another filename. So they have a hard time rolling out secure updates to the old devices' bootldrs (imho!)
   that basically means whatever they throw at the old devices can be modified, reassembled into a GEL and flashed.
   that goes for model string, type and CAN bus options
* I still saw MIRACL function calls in there, but the structure of the key checks has changed, so it could take some time to find out what they've done.

Somebody with JTAG should dump the new bootldr to check if they've gone for signatures.
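The point behind "modified, reassembled into a GEL and flashed" is that a per-block CRC is an integrity check against accidental corruption, not an authentication check: anyone who changes a block can recompute its CRC. The toy container below is an added example (not Rigol's GEL format, whose layout this thread does not describe) showing the difference. It uses a hypothetical block layout (`MAGIC | length | payload | CRC-32`), a hypothetical key `DEMO_KEY`, and an HMAC-SHA512 tag as a stand-in for a signature because the Python standard library has no public-key signing; the tag is 64 bytes, the same size as the unexplained trailer mentioned above. `old_check` models a loader that verifies CRCs and ignores trailing bytes; `new_check` also verifies the tag; `tamper` is the "edit the model string and recompute the CRC" step.

```python
"""Toy firmware container: per-block CRC-32 plus an optional 64-byte
trailing authentication tag. Hypothetical layout constructed for this
example; it is NOT Rigol's GEL format."""
import binascii
import hashlib
import hmac
import struct

MAGIC = b"BLK!"          # hypothetical block marker
TAG_LEN = 64             # HMAC-SHA512 output, 64 bytes
DEMO_KEY = b"demo-key-not-a-real-vendor-key"   # hypothetical key, illustration only


def crc32(data: bytes) -> int:
    return binascii.crc32(data) & 0xFFFFFFFF


def pack_block(payload: bytes) -> bytes:
    """MAGIC | u32 length | payload | u32 CRC-32(payload)."""
    return (MAGIC + struct.pack(">I", len(payload)) + payload
            + struct.pack(">I", crc32(payload)))


def parse_blocks(image: bytes):
    """Return (blocks, leftover). blocks = [(offset, payload, crc_ok)];
    leftover = bytes after the last well-formed block (ignored by old_check)."""
    blocks, off = [], 0
    while image[off:off + 4] == MAGIC and off + 8 <= len(image):
        (n,) = struct.unpack(">I", image[off + 4:off + 8])
        start, end = off + 8, off + 8 + n + 4
        if end > len(image):
            break
        payload = image[start:start + n]
        (stored,) = struct.unpack(">I", image[start + n:end])
        blocks.append((off, payload, stored == crc32(payload)))
        off = end
    return blocks, image[off:]


def build_image(payloads, key=None) -> bytes:
    """Concatenate blocks; with a key, append a MAC over the whole body."""
    body = b"".join(pack_block(p) for p in payloads)
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha512).digest()


def old_check(image: bytes) -> bool:
    """Integrity-only loader: every block CRC must match, trailer ignored."""
    blocks, _ = parse_blocks(image)
    return bool(blocks) and all(ok for _, _, ok in blocks)


def new_check(image: bytes, key: bytes) -> bool:
    """Authenticated loader: CRCs must match AND the 64-byte trailer must be
    the MAC of everything before it (constant-time comparison)."""
    if len(image) <= TAG_LEN or not old_check(image):
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha512).digest()
    return hmac.compare_digest(tag, expected)


def tamper(image: bytes, index: int, new_payload: bytes) -> bytes:
    """Replace block `index`, recompute its CRC, keep all other bytes
    (including any trailer) exactly as they were."""
    blocks, leftover = parse_blocks(image)
    payloads = [p for _, p, _ in blocks]
    payloads[index] = new_payload
    return b"".join(pack_block(p) for p in payloads) + leftover


if __name__ == "__main__":
    # Constructed sample: block 0 = model string, block 1 = fake code bytes.
    genuine = build_image([b"DS2072", b"\x90" * 32], DEMO_KEY)
    forged = tamper(genuine, 0, b"DS2302")
    print("genuine: old", old_check(genuine), "new", new_check(genuine, DEMO_KEY))
    print("forged : old", old_check(forged), "new", new_check(forged, DEMO_KEY))
```

The forged image passes the CRC-only loader and fails the authenticated one. One caveat a real design has to address: an HMAC key stored in the bootloader is a shared secret, so anyone who can dump the bootloader (the JTAG dump suggested above) can recompute valid tags. A public-key signature keeps only the verifying key on the device, which is why a 64-byte trailer would be more useful to the vendor as a signature than as a key.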

marmad:

--- Quote from: cybernet on December 09, 2013, 12:45:13 am ---does a fully (DSAZ..) unlocked DS2000 (official fw) keep its features on upgrade to the latest fw?
--- End quote ---

Mine does (with official options key). Member g***! upgraded - then used the keygen to unlock his DSO while running v.2.


--- Quote ---does it "enable" the CAN? (if DSAZ was used) - my guess is no, as it's only evaluated and written to NV during key apply.
--- End quote ---

No one that's upgraded has reported seeing the CAN option appear - perhaps g***! can report if it showed up after entering the code when already running v.2.


--- Quote ---is downgrading possible or not (on old DS2000s)? (after the latest fw was flashed) - I didn't see downgrade checks in the old bootldr.
--- End quote ---

I've done it many times already - upgrading and downgrading. It works fine as long as you hold in Left-F6 (to clear FRAM) during the first boot after going from v.1 to v.2 or vice-versa.

alank2:

--- Quote from: cybernet on December 09, 2013, 12:45:13 am ---Somebody with JTAG should dump the new bootldr to check if they've gone for signatures.

--- End quote ---

Has someone dumped the old bootldr yet so it can be analyzed? Any link to this?

marmad:

--- Quote from: cybernet on December 09, 2013, 12:45:13 am ---does it "enable" the CAN? (if DSAZ was used) - my guess is no, as it's only evaluated and written to NV during key apply.

--- End quote ---

I scoured for information, but there is no actual evidence that the CAN option is (or ever will be) available for non-A models except this line of text at Tequipment, "CAN trigger and decode for DS2000 and DS2000A" - but that text is nowhere else to be found online (and likely a mistake).

In fact, the part number (CAN-DS2000A) tends to indicate that it is, in fact, an A-model only option.

fcab100:

--- Quote from: cybernet on December 09, 2013, 12:45:13 am ---Currently no time to play with the new firmware, but what would be good to know is:

does a fully (DSAZ..) unlocked DS2000 (official fw) keep its features on upgrade to the latest fw?
does it "enable" the CAN? (if DSAZ was used) - my guess is no, as it's only evaluated and written to NV during key apply.
is downgrading possible or not (on old DS2000s)? (after the latest fw was flashed) - I didn't see downgrade checks in the old bootldr.

There are no plaintext keys anymore in the code - and the GEL format slightly changed (the last block has an invalid CRC, but it's only 64 bytes and thus ignored by the bootldr update, as far as I can tell).
Anyhow, I will probably flash it over the xmas holidays - and see what I can find.

The pros are:
* the bootldr on the DS2000 has no crypto stuff. I suspect the 64 bytes at the end could be a 512-bit signing key for the FW for newer bootloaders.
* the "old" bootldr doesn't use the DS2000Update.GEL to update the bootldr itself; that's done via another filename. So they have a hard time rolling out secure updates to the old devices' bootldrs (imho!)
   that basically means whatever they throw at the old devices can be modified, reassembled into a GEL and flashed.
   that goes for model string, type and CAN bus options
* I still saw MIRACL function calls in there, but the structure of the key checks has changed, so it could take some time to find out what they've done.

Somebody with JTAG should dump the new bootldr to check if they've gone for signatures.

--- End quote ---


cybernet, I went straight from your DS2302 hack fw to the most recent fw (I have a DS2072 scope). The DS2302 name stuck, but not 300MHz; only 20MHz & 100MHz are there. I was, however, able to use the keygen to install all options and uninstall them at will. Now that I think about it, no CAN decoding or 50ohm terminator.

I got my DS2072 about 2.5 weeks ago; it's Version 2.0 hardware.

Thanks to everyone for your great work so far with hacking this scope.


EDIT:

I do have 1ns TB. With channel 2 on, it does not seem to have that weird offset anymore.

