I GOT IT !!! I will make a how to in details in few minutes to you guys that are having problem as i did!!!
RC5KEY1: BCF38C.....
RC5KEY2: 44A3403....
XXTEAKEY: 50E3E8B8A71720...
PUBKEY: 0200840010001809
PRIVKEY: 04444000424137314533353943394136333435423731353741414432353035334236...
SERIAL: DS2D1....
RC5KEY1: 4155BFD82D429EA69B3EE7D7D59C8906
RC5KEY2: B9BC53D8B8CE6CE3594555AA89556543
XXTEAKEY: 86F4A0930BC7ED276B2D6C2CE293535F
PUBKEY: 00A0581020E5C012
PRIVKEY: 005BCEE4DD323E4E
SERIAL: DS2D154300287
RIGOL TECHNOLOGIES,DS2072A,DS2D154700708,020084001000E9BC3D59216F9F9A1DD30EFED1AE20F92000ABC495314FF8236E708F9A2C6E3F6E87D09019C79419FEA9E9F3862A12CA1DE90800819A17FCA12E500540003330313233345645645465333033374342323539363234343535354243343836453538424243353233314631353132443135383035353734463544413334
How to Hack your DS2000 series :
1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a fat 32 pendrive.
2 - Press the power on button on the front panel of the instrument. All of the buttons will light. At the same time press two or three times the Help key on the front panel. all buttons will unlight.
3- insert the USB stick into the front panel.
4- Wait for the end of the firmware update(may take 1 mins.... be patient)
5 - all of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive. Turn on agaion
6 - check the new firmware version , should be now 00.02.01
7 - Connect to USB cable to PC and open up Ultra Sigma Software ( you may need to install the NI-VISA full driver , google it and will find easy to download, from ni.com)
8 - On the Ultra Sigma software, click with the left button on your scope being listed, click on SCPI Panel Control, then click Send & Read button (*IDN? command should be already wrote on the SCPI COMMAND, if not, please write it ). It will bring back something like :
RIGOL TECHNOLOGIES,DS2072A,DS2D154700708,020084001000E9BC3D59216F9F9A1DD30EFED1AE20F92000ABC495314FF8236E708F9A2C6E3F6E87D09019C79419FEA9E9F3862A12CA1DE90800819A17FCA12E500540003330313233345645645465333033374342323539363234343535354243343836453538424243353233314631353132443135383035353734463544413334
9- Get from ( 020084 till the end) Copy and paste on HxD editor on the middle column ( which shows 02 00 84 00 10 00 E9 BC 3D 59 21 6F 9F 9A 1D D3..... so on )
10 - now, on the right side of the editor, just append your model serial number( DS2D1....... ) , no spaces, just append, and append more 00 after your model on the middle column.
11 - save the file on you hard drive , same folder as rigup exe, and open command prompt, go to the same folder as rigup and do : rigup ds2072a key.txt ( replace dS2072a for the model you have, and replace key.txt for the filename you saved.
Now it will show you the serials !!!
No credit for me other the explaning... The guys did here ALL the hard work, but their level where so higher on the understand that for us that just wants to hack the scope, we got a little bit lost right ?
okay it works however i did a dumb thing i installed the untested 300Mhz option how do you uninstall the 300Mhz options ?
Quick question about the current state of affairs.
DS1074Z and DS2072 ==> hack working for ages, based on common private key.
DS2072A ==> recently hacked, based on seperate key for each scope.
Correct?
okay it works however i did a dumb thing i installed the untested 300Mhz option how do you uninstall the 300Mhz options ?
okay it works however i did a dumb thing i installed the untested 300Mhz option how do you uninstall the 300Mhz options ?https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg375454/#msg375454
The two pictures say it all !!
okay it works however i did a dumb thing i installed the untested 300Mhz option how do you uninstall the 300Mhz options ?https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg375454/#msg375454
Does this work with the key values and serial you have posted here? I can't get it to work using these values. I just get this error message when typing rigup ds2072a key.txt after saving the hex file as key.txt:
Scanning 'key.txt' failed: No keys
I have attached the key.txt I generated with HxD for reference.
Code: [Select]$ rigup license your-keyfile.txt NSEH NSER NSEQ
rigup license - Version 0.1
H8LXHB8-QEXAC7W-ZJMN5KH-APD9CVM (NSEH = 0x1C087)
W2LAMX2-DBEFZCT-XSND62C-PG8JJVM (NSER = 0x1C08F)
5CAZKCC-2Z865FH-MQVBXUB-BDV8E8M (NSEQ = 0x1C097)
NSEH = All options
NSER = All options + 100 MHz
NSEQ = All options + 200 MHz
License-code for 300 MHz is unknown. Thought it could be NSFH but there are reports that it doesn't work.
If you're brave you could play with rigup and license-codes. You could use hex codes, too:Code: [Select]$ rigup license your-keyfile.txt 0x1C087 0x1C08F 0x1C097 0x1C0A7
rigup license - Version 0.1
H8LXHB8-QEXAC7W-ZJMN5KH-APD9CVM (NSEH = 0x1C087)
W2LAMX2-DBEFZCT-XSND62C-PG8JJVM (NSER = 0x1C08F)
5CAZKCC-2Z865FH-MQVBXUB-BDV8E8M (NSEQ = 0x1C097)
XYJ69WE-SBZABHL-69FYG4N-W6DH2VM (NSFH = 0x1C0A7)
okay it works however i did a dumb thing i installed the untested 300Mhz option how do you uninstall the 300Mhz options ?https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg375454/#msg375454
You should have given him the information I was given after all it was the same Question
THANKS
Rachael
https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc
No need for JTAG memory dumps anymore, just send *IDN? command and you'll get your license encryption keys in response (tested on my DS2072A that has just arrived).
3E3C0E435D39DB813C3CC643093CD6837C7C87C78D0CC3833D0101000000000100000000000000000000000000000000000000000000001E0000006400000000000000001100000012000002130000001400000015000000160000001700000018000000190002001A0000001B0004001C0000001D0000001E0000001F00000020000100
My Model number is: DS2A143101119What chances are there to patch a firmware so that it outputs the key and serial when you send it
"*IDN?". That would be good.
Done!
https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc
No need for JTAG memory dumps anymore, just send *IDN? command and you'll get your license encryption keys in response (tested on my DS2072A that has just arrived).
I'm sorry to bother you guys but it is not working with my rigol Ds2072(A?).
[...]
My Model number is: DS2A143101119