Sniffing the Rigol's internal I2C bus

battlefield:
Ok so I'm getting myself a JTAG cable but it's not listed on that page. Mine is Olimex ARM-USB-OCD, now can someone please tell me if it will work or not?

Pehtoori:

--- Quote from: tirulerbach on January 11, 2014, 12:41:32 pm ---
--- Quote from: Pehtoori on January 11, 2014, 12:05:39 pm ---This is one reason why it's hard to get those dumps! Not really good instructions for the noobs (like me).

--- End quote ---
That's life. No pain no gain.

--- End quote ---

If you know me, you would not say that  >:D I'm sick, in constant pain and can't work because of it. But np you don't know me.

But you miss the point, what I mean is that many people have written instructions on parts of the process, but there is no complete process collected in one place. Would be much easier to point people to that document than write answers over and over again.

Reduce pain, get more gain.  O0


--- Quote ---It's your chance to improve the situation: Start a tutorial, you already learned some pieces!

--- End quote ---

Waiting for my scope and JTAG-adapter from customs. If I can make the dump and I have energy (sickness eating it) I will do this.

buergi:
Hey,
as it took me many hours to gather all the information needed to memdump my DS2KA I'd like to give a short summary to lower the pain for the gain. So here we go.

First of all the principles. Rigol implemented a lot of features in the scopes that are artificially restricted to work only for a 4000 minute trial period. After that time you have the opportunity to re-enable them forever by purchasing license keys from Rigol. These license keys are bound to each specific device via its serial number.

License verification mechanism

Thanks to zombie28's great work, the way the signature verification works has been reconstructed.
To give you a short overview I'll roughly summarize the mechanism in the following; for all the details check out zombie28's code.
The license key contains the desired options as well as a signature. With this signature the manufacturer signs that the scope with the serial number the license key was generated for is allowed to use the options. The following diagram depicts the process (I dropped some details for simplicity). For details about ECDSA I recommend kakaroto's blog post.


To verify the signature the scope needs the following information, which thus needs to be stored in its memory:

* two RC5 keys to decrypt the signature
* XXTEA key to encrypt the serial and option codes with
* ECC parameters: a, b, p, N, G
* the scope's public key

For generating signatures we furthermore need the private key, which is not stored in the memory.
Usually the whole sense of public-key crypto algorithms is that you cannot calculate the private from the public key (besides brute force of course). I'm not sure how, but it seems tirulerbach has his tricks: his ecc-smash tool seems to generate the key in milliseconds.

So tirulerbach can now generate valid license codes for us, BUT unfortunately the RC5, XXTEA and public keys differ between the devices. It is currently not known if there is some hidden scheme between the different devices. That's why currently we have to provide memory dumps to tirulerbach (and to zombie28?). But how to get them?

Memory dumping

Fortunately Rigol has integrated a fully functional JTAG debug port on the Blackfin BF526 which is responsible for all the crypto stuff. So all we need to do is to connect to it and grab the dump. However not all of us are JTAG lords and a big question mark hovers over the heads of a lot of us :D So here comes a step by step guide:

Requirements

* DS2000A scope with any firmware (you don't need to downgrade!). I use a DS2072A with HW 2.0, SW 00.02.00
* Torx T10 screw driver
* A compatible JTAG adapter
Actually all of them should work, however some are faster and some are slower. The following are known to work:

* Amontec JTAGKey (Tiny) used by cybernet
* Altera USB-Blaster JTAG used by granz
* Olimex ARM-USB-OCD used by tirulerbach (SDRAM dump: 15min)
* OpenMoko Debug Board v3 used by me (SDRAM dump: 60min)
* A Linux or Windows computer
* A 3.9k and a 10k resistor
* Some wire (preferably jumper wires)
* A breadboard or a soldering iron
I'm one of those nerds who owns an OpenMoko phone including debug board and never knew what to do with it; now the time has come to brush the dust off my good old OpenMoko Debug Board v3. It includes an FT2232-compatible JTAG interface with the usual ARM 20-pin connector.


Step by Step Guide

* 1. Void if broken: Try removing the 'warranty void if broken' sticker as shown in the attached image. The metal layer of the sticker peels off extremely easily, so be careful, and if it nevertheless breaks don't worry and read this.
* 2. Open up the beast: There are 4 T10 screws, two at the bottom and two behind the handle.
* 3. Unmount the shield: There are 8 T10 screws, 4 at the top, 4 at the bottom. Moreover you have to remove the nut around the BNC connector before pulling off the shield.
* 4. Find the JTAG connector: it is a 2x7 pin header with pin 3 missing.
* 5. Wiring: Now comes the slightly more complicated part: use the jumper wires, breadboard and the resistors and connect the JTAG port to your adapter.

I feel that this step demands some further clarification. The image shows the connector on the board, the missing pin is marked with an X. You have to connect TMS, TCLK, TRST, SRST, TDI, TDO and GND to your JTAG adapter; check its datasheet for its pinout (most of them have an ARM 20-pin connector). Ignore the confusing pin UTST, I guess cybernet used it just to probe the voltage. The two pull-up resistors have to be added externally. I used a breadboard for the wiring, check out the attached image. And one last point: the 3.3V on pin 1 is not an output, you need to provide it. However, there are multiple pins where you can steal this voltage. I used the 4-pin connector on the opposite side of the PCB labeled VCC.

* 6. Download and install the bfin toolchain: Download here. For Linux you can choose either blackfin-toolchain or blackfin-toolchain-elf, it doesn't matter. I used Linux and blackfin-toolchain-2013R1_45-RC1.x86_64.tar.bz2, unpack with tar xjf blackfin-toolchain-2013R1_45-RC1.x86_64.tar.bz2
* 7. Power up your scope: Switch on your scope, and wait a moment until it's running.
* 8. Start the gdbproxy: Open a command line, cd to the bin directory and execute bfin-gdbproxy like the following.
If errors occur try lowering the frequency or unplug/replug your JTAG adapter.
--- Code: ---# cd opt/uClinux-45/bfin-uclinux/bin
# sudo ./bfin-gdbproxy --debug bfin --frequency=5000000
Found USB cable: USB-JTAG-RS232
Connected to libftdi driver.
IR length: 5
Chain length: 1
Device Id: 00100010011111100100000011001011 (0x227E40CB)
  Manufacturer: Analog Devices, Inc. (0x0CB)
  Part(0):      BF526 (0x27E4)
  Stepping:     2
  Filename:     ./../share/urjtag/analog/bf527/bf527
warning: USB-JTAG-RS232: untested cable, set wait_clocks to 30
warning:   bfin: no board selected, BF526 is detected
notice:    bfin: jc: waiting on TCP port 2001
notice:    bfin: jc:  (you must connect GDB before using jtag console)
notice:    bfin-gdbproxy: waiting on TCP port 2000

--- End code ---


* 9. Test GDB: Keep the bfin-gdbproxy running in the background and open a second command line window, cd into the directory and launch gdb like below.
The manual of the BF526 describes the meaning of the different memory regions on pages 115 and 116.
--- Code: ---# cd opt/uClinux-45/bfin-uclinux/bin
# ./bfin-uclinux-gdb
(gdb) target remote :2000
Remote debugging using :2000
0xffa0142e in ?? ()
(gdb) info mem
Using memory regions provided by the target.
Num Enb Low Addr   High Addr  Attrs
0   y   0x20000000 0x20400000 rw nocache
1   y   0xef000000 0xef008000 ro nocache
2   y   0xff800000 0xff804000 rw nocache
3   y   0xff804000 0xff808000 rw nocache
4   y   0xff900000 0xff904000 rw nocache
5   y   0xff904000 0xff908000 rw nocache
6   y   0xffa00000 0xffa0c000 rw nocache
7   y   0xffa10000 0xffa14000 rw nocache
8   y   0xffb00000 0xffb01000 rw nocache
9   y   0xffc00000 0xffe00000 rw nocache
10  y   0xffe00000 0x100000000 rw nocache

--- End code ---


* 10. Dump the memory
The part of the memory that contains the keys is the SDRAM (0x00000000 0x07FFFFFF). To dump it hack the following command into gdb.
dump binary memory ~/ds2k_00_sdram.bin   0x00000000 0x08000000
Depending on your JTAG adapter this might take you 15min or even some hours. With my adapter it took roughly an hour. You can check the progress in the gdbproxy terminal window: when started with --debug it outputs the address range of the dumped blocks.

If you want to dump all regions at once, use the GDB script below (only tested on Linux). Save the code below as memdump.gdb and run
./bfin-uclinux-gdb --batch --command=~/memdump.gdb
--- Code: ---# memdump.gdb: dump every region of the BF526 memory map in one go.
# gdb's "dump binary memory FILE START END" writes END - START bytes, i.e. END is
# exclusive, so every END below is the first address past the region (the same
# convention as the High Addr column of "info mem").
target remote :2000
# 128 MiB SDRAM: the running firmware and the keys live here
dump binary memory ~/ds2k_00_sdram.bin   0x00000000 0x08000000
# asynchronous memory banks 0-3, 1 MiB each
dump binary memory ~/ds2k_01_abank0.bin  0x20000000 0x20100000
dump binary memory ~/ds2k_02_abank1.bin  0x20100000 0x20200000
dump binary memory ~/ds2k_03_abank2.bin  0x20200000 0x20300000
dump binary memory ~/ds2k_04_abank3.bin  0x20300000 0x20400000
# on-chip boot ROM
dump binary memory ~/ds2k_05_boot.bin    0xEF000000 0xEF008000
# L1 data banks A and B, SRAM and SRAM/cache halves
dump binary memory ~/ds2k_06_dbankA.bin  0xFF800000 0xFF804000
dump binary memory ~/ds2k_07_dbankAc.bin 0xFF804000 0xFF808000
dump binary memory ~/ds2k_08_dbankB.bin  0xFF900000 0xFF904000
dump binary memory ~/ds2k_09_dbankBc.bin 0xFF904000 0xFF908000
# L1 instruction banks A, B and C
dump binary memory ~/ds2k_10_ibankA.bin  0xFFA00000 0xFFA08000
dump binary memory ~/ds2k_11_ibankB.bin  0xFFA08000 0xFFA0C000
dump binary memory ~/ds2k_12_ibankC.bin  0xFFA10000 0xFFA14000
# L1 scratchpad
dump binary memory ~/ds2k_13_scratch.bin 0xFFB00000 0xFFB01000

--- End code ---


* 11. YEAAH, you made it: Now zip it, e.g.
tar cJf ds2k_memdump.tar.xz ~/ds2k*
upload it to some one-click hoster and send the link to tirulerbach.
If you are nice to tirulerbach he'll send you a bunch of license keys which you can enter either directly on the scope via Utility>Options>Setup>Editor ON or using
SCPI :SYSTem:OPTion:INSTall <keyhere>

Hope this guide helped you and you will all diligently commit your memory dumps.
Good luck, have fun with your scopes and happy hacking.

Changelog
2014-01-11 Initial post
2014-01-12 Inline attached images. Add some additional clarifications based on comments. Add list of working JTAG adapters.
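A check worth doing before step 11, as an added example that is not part of buergi's post: gdb's "dump binary memory FILE START END" writes END - START bytes, so every region file has a fixed expected size, and a JTAG read that stalled part way usually leaves a short file or a long run of identical bytes. The script below verifies the sizes against the region list from memdump.gdb, flags stuck-bus content, looks for an ASCII string such as the scope's serial in the SDRAM image (the assumption being that the running firmware keeps it in RAM), and prints SHA-256 hashes you can ship with the archive. The region names and bounds follow memdump.gdb (exclusive ends, as in the High Addr column of "info mem"); the 99% stuck-bus threshold and the sample serial "DS2A-EXAMPLE-0001" are my own constructed values.

```python
"""Sanity checks on the region files written by memdump.gdb before packing them.
Added example; region names and bounds follow the script, the thresholds and the
sample serial below are assumptions."""
import hashlib
import os
from collections import Counter

# (start, end) with end exclusive: gdb writes end - start bytes per region.
REGIONS = {
    "ds2k_00_sdram.bin":   (0x00000000, 0x08000000),
    "ds2k_01_abank0.bin":  (0x20000000, 0x20100000),
    "ds2k_02_abank1.bin":  (0x20100000, 0x20200000),
    "ds2k_03_abank2.bin":  (0x20200000, 0x20300000),
    "ds2k_04_abank3.bin":  (0x20300000, 0x20400000),
    "ds2k_05_boot.bin":    (0xEF000000, 0xEF008000),
    "ds2k_06_dbankA.bin":  (0xFF800000, 0xFF804000),
    "ds2k_07_dbankAc.bin": (0xFF804000, 0xFF808000),
    "ds2k_08_dbankB.bin":  (0xFF900000, 0xFF904000),
    "ds2k_09_dbankBc.bin": (0xFF904000, 0xFF908000),
    "ds2k_10_ibankA.bin":  (0xFFA00000, 0xFFA08000),
    "ds2k_11_ibankB.bin":  (0xFFA08000, 0xFFA0C000),
    "ds2k_12_ibankC.bin":  (0xFFA10000, 0xFFA14000),
    "ds2k_13_scratch.bin": (0xFFB00000, 0xFFB01000),
}


def expected_size(lo, hi):
    """Bytes gdb writes for "dump binary memory FILE lo hi" (hi exclusive)."""
    return hi - lo


def check_sizes(directory, regions=REGIONS):
    """Map each region file to 'ok', 'missing', or 'short/long: got X of Y'."""
    result = {}
    for name, (lo, hi) in regions.items():
        path = os.path.join(directory, name)
        want = expected_size(lo, hi)
        if not os.path.exists(path):
            result[name] = "missing"
            continue
        got = os.path.getsize(path)
        if got == want:
            result[name] = "ok"
        else:
            kind = "short" if got < want else "long"
            result[name] = f"{kind}: got {got} of {want}"
    return result


def constant_fraction(blob):
    """Fraction taken by the most common byte value. Close to 1.0 means the
    adapter returned a stuck bus (all 0x00 or 0xFF), not real memory content."""
    if not blob:
        return 1.0
    (_, count), = Counter(blob).most_common(1)
    return count / len(blob)


def find_ascii(blob, needle):
    """All offsets at which an ASCII string (e.g. the serial number) occurs."""
    needle = needle.encode("ascii")
    offsets, pos = [], blob.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(needle, pos + 1)
    return offsets


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def report(directory, serial, regions=REGIONS, stuck_threshold=0.99):
    """Print one line per region; return True only if every region is complete."""
    sizes = check_sizes(directory, regions)
    for name, status in sizes.items():
        line = f"{name:22s} {status}"
        if status == "ok":
            path = os.path.join(directory, name)
            with open(path, "rb") as f:
                blob = f.read()
            cf = constant_fraction(blob)
            if cf > stuck_threshold:
                line += f"  WARNING: {cf:.1%} identical bytes, read may be stuck"
            if name.endswith("sdram.bin"):
                hits = find_ascii(blob, serial)
                line += "  serial at " + str([hex(o) for o in hits]) if hits else "  serial NOT found"
            line += "  sha256=" + sha256_file(path)
        print(line)
    return all(v == "ok" for v in sizes.values())


if __name__ == "__main__":
    # Constructed demo: a tiny "SDRAM" holding the serial and a boot image one byte short.
    import tempfile
    demo = {"demo_sdram.bin": (0x0, 0x40), "demo_boot.bin": (0x0, 0x20)}
    tmp = tempfile.mkdtemp()
    serial = "DS2A-EXAMPLE-0001"
    with open(os.path.join(tmp, "demo_sdram.bin"), "wb") as f:
        f.write(b"\x00" * 0x10 + serial.encode() + b"\xff" * (0x30 - len(serial)))
    with open(os.path.join(tmp, "demo_boot.bin"), "wb") as f:
        f.write(b"\xff" * 0x1f)
    report(tmp, serial, demo)
```

Run it as `python3 checkdump.py` from the directory holding the ds2k_*.bin files after replacing the demo block with `report(".", "<your serial>")`; a "short" or "missing" line means the dump has to be repeated before it is worth uploading.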

tirulerbach:
Thank you buergi for your tutorial  :-+


--- Quote from: buergi on January 11, 2014, 03:59:55 pm ---For generating signatures we furthermore need the Private key which is not stored in the memory.
Usually the whole sense of public-key crypto algorithms is that you cannot calculate the private from the public key (besides brute force of course). I'm not sure how but it seems tirulerbach has it's tricks: his ecc-smash tool seems to generate the key in milliseconds.
--- End quote ---
To be precise, it takes about 70ms on my machine...  :-DD

But that's not the point. I only searched the internet and ripped some tools together. In the meantime, my license generator evolved and is ready. Now it goes to beta test to selected people...  8)

For an appetizer look at the screenshot. Total running time is about 300ms...   O0
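To make the mechanism buergi sketches above concrete (a signature checked by ECDSA over a curve given by a, b, p, N, G against the scope's stored public key, and a private key needed to produce new license keys), here is an added example in Python. It is my illustration, not zombie28's reconstruction, not tirulerbach's ecc-smash and not the scope's real parameters: the curve y^2 = x^3 + 2x + 2 over F_17 with group order 19, the sample serial and option strings, and the SHA-256 digest that stands in for the RC5 and XXTEA steps are all assumptions. The last function is textbook baby-step giant-step, which recovers the private key from the public key in about sqrt(N) curve operations; the page does not say how ecc-smash does it, this only shows why a small group order makes the "milliseconds" figure unsurprising.

```python
"""Toy model of a serial-bound ECDSA license check. Added example; the curve,
the digest step and the sample strings are assumptions, not the Rigol scheme."""
import hashlib
import math

# Assumed toy curve: y^2 = x^3 + A*x + B over F_P, prime group order N, generator G.
A, B, P = 2, 2, 17
N = 19
G = (5, 1)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition (Python 3.8+ for pow(x, -1, m))."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def license_digest(serial, options):
    """Stand-in for the XXTEA step: bind the signed value to serial + options.
    SHA-256 mod N is an assumption; the scope's real transform is not modelled."""
    h = hashlib.sha256(f"{serial}|{options}".encode()).digest()
    return int.from_bytes(h, "big") % N


def ecdsa_sign(priv, z, k):
    """Plain ECDSA: r = (kG).x mod N, s = k^-1 (z + r*priv) mod N.
    k must be secret and never reused; it is a parameter only for reproducibility."""
    x, _ = ec_mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return (r, s)


def ecdsa_verify(pub, z, sig):
    """What the scope does with its stored public key and curve parameters."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def issue_license(priv, serial, options):
    """Key generator side: derive k from the secret and the message (a simplified
    RFC 6979 flavour, assumed here) and sign the digest."""
    z = license_digest(serial, options)
    for ctr in range(1000):
        seed = hashlib.sha256(f"{priv}:{z}:{ctr}".encode()).digest()
        k = 1 + int.from_bytes(seed, "big") % (N - 1)
        try:
            return ecdsa_sign(priv, z, k)
        except ValueError:
            continue
    raise RuntimeError("no usable nonce")


def check_license(pub, serial, options, sig):
    """Scope side: recompute the digest for this serial and verify."""
    return ecdsa_verify(pub, license_digest(serial, options), sig)


def recover_private_key(pub):
    """Baby-step giant-step for d with pub = d*G: O(sqrt(N)) work, instant when N
    is tiny. The page does not state the real curve size; this is the textbook
    reason key recovery can be cheap, not a claim about the scope."""
    m = math.isqrt(N) + 1
    baby, pt = {}, INF
    for j in range(m):            # baby steps: j*G for 0 <= j < m
        baby[pt] = j
        pt = ec_add(pt, G)
    giant = ec_mul(m, G)          # m*G (never INF here because N is prime > m)
    neg_giant = (giant[0], (-giant[1]) % P)
    gamma = pub
    for i in range(m):            # giant steps: pub - i*m*G
        if gamma in baby:
            return (i * m + baby[gamma]) % N
        gamma = ec_add(gamma, neg_giant)
    return None


if __name__ == "__main__":
    d = 4                                   # manufacturer's secret (assumed)
    Q = ec_mul(d, G)                        # what the scope stores: (3, 1)
    serial, options = "DS2A-EXAMPLE-0001", "EXAMPLE-OPTION"   # constructed values
    sig = issue_license(d, serial, options)
    print("scope accepts own serial:", check_license(Q, serial, options, sig))
    print("same key, other serial:  ", check_license(Q, "DS2A-EXAMPLE-0002", options, sig))
    print("private key from public: ", recover_private_key(Q))
```

The point of the last call is that the security of the whole scheme rests on N, not on the RC5/XXTEA wrapping: with the toy N = 19, `recover_private_key` needs five baby steps and at most five giant steps, and the same algorithm scales as sqrt(N), so "milliseconds" is what you get for any curve far below the usual 256-bit sizes.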

marmad:

--- Quote from: buergi on January 11, 2014, 03:59:55 pm ---Hey,
as it took me many hours to gather all the information needed to memdump my DS2KA I'd like to give a short summary to lower the pain for the gain. So here we go.

--- End quote ---

Nice summary. andyturk (the OP) should copy and paste a link to this post in the first post of the thread.
