Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1831734 times)


Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Sniffing the Rigol's internal I2C bus
« Reply #3475 on: August 28, 2014, 09:23:17 pm »
Any news on the MSO1074Z-S? I am considering changing it into a DS2000. But there is a new firmware out there: 00.03.01. Will the known JTAG method work on this firmware?

Changing a 1000 series into a 2000 series scope? It is not possible. You can only enable specific features within each series. It is like wanting to change a Dacia into a Rolls-Royce :-)
 

Offline DocSnyder

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3476 on: August 28, 2014, 09:26:57 pm »
I meant taking it back to the dealer...
 

Offline elscode

  • Newbie
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3477 on: August 29, 2014, 08:48:55 pm »
Hello.

I just received my new DSA815-TG Rigol spectrum analyser.
Great device for the price.

I have tried to unlock options using the keygen, but the keys are considered invalid  :-//

Version of main board : 00.06
Version of RF FPGA Board : 00.05
Version of digital FPGA Board : 00.04
Version of Firmware : 00.01.09
Version of boot : 00.01.04

Using the web interface here : http://rigol.avotronics.co.uk/mirrors/riglol/ and here : http://riglol.3owl.com

gives me the same key as the one from the command line under Linux.

Is there any issue?

Thanks.
« Last Edit: August 29, 2014, 08:51:59 pm by elscode »
 

Offline pinkman

  • Regular Contributor
  • *
  • !
  • Posts: 61
Re: Sniffing the Rigol's internal I2C bus
« Reply #3478 on: August 29, 2014, 10:19:26 pm »
Hello.

I just received my new DSA815-TG Rigol spectrum analyser.
Great device for the price.

I have tried to unlock options using the keygen, but the keys are considered invalid  :-//

Version of main board : 00.06
Version of RF FPGA Board : 00.05
Version of digital FPGA Board : 00.04
Version of Firmware : 00.01.09
Version of boot : 00.01.04

Using the web interface here : http://rigol.avotronics.co.uk/mirrors/riglol/ and here : http://riglol.3owl.com

gives me the same key as the one from the command line under Linux.

Is there any issue?

Thanks.

I have also received a DSA815-TG today, my numbers are as follows:

Main board:  00.07
RF FPGA board: 0.05
Digital FPGA board: 0.04
Firmware: 00.01.09
Boot: 00.01.04

The private key (and keygen) for previous versions does not appear to work.

I was looking around, but it seems that no one has the private key for this version yet.  Can anyone confirm this is true?
 

Offline elscode

  • Newbie
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3479 on: August 29, 2014, 10:21:37 pm »
Thanks for your confirmation.
 

Offline navzptc

  • Contributor
  • Posts: 26
Re: Sniffing the Rigol's internal I2C bus
« Reply #3480 on: August 29, 2014, 10:31:46 pm »
Firmware 01.09 will not let you enter the codes for upgrade options.
Have you tried downgrading to 01.08, which does work on mine? Place the firmware on a USB stick which is known to work on your unit (try saving a screenshot to it to make sure it works with your DSA815), plug the stick in, switch on the unit and hold down the Preset button while booting up.
If it does boot into 01.08 then hopefully you can enter the options. Bear in mind it might not let you downgrade with the latest boot version, but it is worth a try.
 

Offline elscode

  • Newbie
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3481 on: August 29, 2014, 10:54:14 pm »
Update File Error!

That is what I get when trying to boot from a USB key containing the 00.01.08 firmware  :-//

(I have tried booting from a USB key with the 00.01.09 firmware, and flashing that firmware works fine. So I presume Rigol does not allow flashing a previous firmware version.  |O )
« Last Edit: August 29, 2014, 11:22:11 pm by elscode »
 

Offline sm5uiu

  • Newbie
  • Posts: 6
Re: Sniffing the Rigol's internal I2C bus
« Reply #3482 on: August 30, 2014, 07:12:58 pm »
Just bought a 2072A.
Used the DS2072A Unlocking Guide.
Installed firmware DS2000(DSP)update_00.02.01.00.03 (license keys dump).
The web based keygen does NOT work (even if I enter the priv key).
Rigup 0.4 keys work.
However! Unlocking over SCPI did not work - had to enter the keys manually directly on the scope (just got a timeout error).
However! The guide has the wrong unlock "id" - "NS8H - All Options + 300MHz". YOU SHOULD USE NS8N.
I installed all options.
Installed 200MHz.
And then finally figured out (found) the NS8N.
After unlocking, installed firmware DS2000-03_00_01_03.

Some say 5 minutes.. well I spent at least 3 hours.. (but it was worth it)

/Sam


 

Offline sm5uiu

  • Newbie
  • Posts: 6
Re: Sniffing the Rigol's internal I2C bus
« Reply #3483 on: August 30, 2014, 07:21:18 pm »
Just a note. I also bought an 815-TG.. and just used the web based keygen.. unlocked all options.

For that unlock I used 1.03C with the priv key (preinstalled) 80444DFECE903E

Entered generated keys directly on the spec ana.

CAPITAL LETTERS AND NO SPACES OR DASHES.

AAAB - Tracking Generator
(0001) DSA800-TG

AAAC - Advanced Measurement Kit
(0002) DSA800-AMK

AAAD - 10Hz RBW
(0003) Is it 10Hz RBW

AAAE - EMI/Quasi Peak
(0004) DSA800-EMI

AAAF - VSWR
(0005) DSA800-VSWR

/Sam
 

Offline jc101

  • Frequent Contributor
  • **
  • Posts: 622
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3484 on: August 30, 2014, 08:25:13 pm »
Just a note. I also bought an 815-TG.. and just used the web based keygen.. unlocked all options.

For that unlock I used 1.03C with the priv key (preinstalled) 80444DFECE903E

Entered generated keys directly on the spec ana.

CAPITAL LETTERS AND NO SPACES OR DASHES.

AAAB - Tracking Generator
(0001) DSA800-TG

AAAC - Advanced Measurement Kit
(0002) DSA800-AMK

AAAD - 10Hz RBW
(0003) Is it 10Hz RBW

AAAE - EMI/Quasi Peak
(0004) DSA800-EMI

AAAF - VSWR
(0005) DSA800-VSWR

/Sam

Was this with FW 1.09?
 

Offline elscode

  • Newbie
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3485 on: August 30, 2014, 09:26:10 pm »
Testing again with only CAPITAL LETTERS. But keys are not accepted  :-//
 

Offline pinkman

  • Regular Contributor
  • *
  • !
  • Posts: 61
Re: Sniffing the Rigol's internal I2C bus
« Reply #3486 on: August 31, 2014, 12:44:23 am »
Just a note. I also bought an 815-TG.. and just used the web based keygen.. unlocked all options.

For that unlock I used 1.03C with the priv key (preinstalled) 80444DFECE903E

Entered generated keys directly on the spec ana.

CAPITAL LETTERS AND NO SPACES OR DASHES.

AAAB - Tracking Generator
(0001) DSA800-TG

AAAC - Advanced Measurement Kit
(0002) DSA800-AMK

AAAD - 10Hz RBW
(0003) Is it 10Hz RBW

AAAE - EMI/Quasi Peak
(0004) DSA800-EMI

AAAF - VSWR
(0005) DSA800-VSWR

/Sam

Where did you buy it from?
 

Offline trunc71

  • Newbie
  • Posts: 7
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #3487 on: August 31, 2014, 08:29:47 am »
...
However! Unlocking over SCPI did not work - had to enter the keys manually directly on the scope (just got a timeout error).
However! The guide has the wrong unlock "id" - "NS8H - All Options + 300MHz". YOU SHOULD USE NS8N.

There is still a lot of mystery behind this process that is obviously not fully understood. I also had the problem that unlocking over SCPI didn't work at all on Win 64-bit, though I could connect to the DSO. On Win 32-bit there was no problem at all and the unlock code passed through. Also, NS8H worked for me, so I had no need to try NS8N. But others have described that they had to unlock in a two-step process by applying two different codes.

On the other hand this unlock procedure comes to an end anyway due to Rigol's FW 03 changes.
 

Offline DocSnyder

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3488 on: August 31, 2014, 09:52:57 am »
Again the MSO1074Z-S. Can anyone give a description of how the private key and the option keys for the DS1000Z were ever found? Maybe they have changed for the MSO.
« Last Edit: August 31, 2014, 10:43:54 am by DocSnyder »
 

Offline hematose

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus
« Reply #3489 on: August 31, 2014, 11:56:15 am »
Just want to echo DocSnyder's request. Is there a keydump firmware for the DS1000Z or was there some other way to get at the private key?
 

Offline 1.21gigawatts

  • Newbie
  • Posts: 7
Re: Sniffing the Rigol's internal I2C bus
« Reply #3490 on: September 01, 2014, 06:34:40 pm »
I have successfully upgraded an MSO2072A-S using an "Altera" bus blaster (which I already had from another project). No problems at all following the instructions in this thread and others. Yes, I got the warning about the fixed frequency, but it worked fine anyway.

One thing, though (and this has nothing to do with the upgrade): I'm having a hell of a time with Ultra Station downloading waveforms to the "-S" part of the instrument. It is recognized by Ultra Sigma (and I have edited the .ini file to apply Ultra Station to this scope). I can edit a wave form and download it, but the only thing that gets set is the frequency. The waveform never actually appears.

Any idea what's going on here? Any better place to ask?
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1729
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3491 on: September 02, 2014, 12:39:47 am »
I've just successfully 'upgraded' an MSO2072A to an MSO2302A.  I had to go the JTAG dump route because I have the MSO, not the DS.  My cheap 'Altera' USB Blaster didn't work, nor did a Bus Blaster from Dangerous Prototypes.  The device that worked was the Olimex ARM-USB-OCD from Sparkfun.

Follow Slappy_g's instructions and you will prevail.
If at first you don't succeed, get a bigger hammer
 

Offline pinkman

  • Regular Contributor
  • *
  • !
  • Posts: 61
Re: Sniffing the Rigol's internal I2C bus
« Reply #3492 on: September 02, 2014, 09:27:47 pm »
Thanks to anyone who can give me advice:

Since I have one of the new DSA815-TG's with the new boot loader/firmware, it sounds like I need to buy a JTAG interface and get busy dumping my memory to hopefully find a new private key.  Is this correct?  I am definitely capable of doing this.  I just would like someone to advise me whether this should help or if Rigol has found some way to make the memory dump useless.  I assume that I'll void my warranty by breaking the silver seals, so I only want to do that if it is necessary :)
 

Offline Bukurat

  • Regular Contributor
  • *
  • Posts: 65
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3493 on: September 03, 2014, 12:35:45 am »
Thanks to anyone who can give me advice:

  I assume that I'll void my warranty by breaking the silver seals, so I only want to do that if it is necessary :)

It's possible to remove the seal without damage if you are careful. There are YouTube how-to videos referenced somewhere earlier in these threads.
 

Offline sptm14

  • Newbie
  • Posts: 1
Re: Sniffing the Rigol's internal I2C bus
« Reply #3494 on: September 03, 2014, 04:49:23 am »
Again the MSO1074Z-S. Can anyone give a description of how the private key and the option keys for the DS1000Z were ever found? Maybe they have changed for the MSO.

I don't have time to dig for the algorithm or public key, but enabling all options on the MSO1074Z is actually quite easy. All you need to do is patch one function: get_opt_trial_state() must return 0x03. Thank you Rigol for the debug info in the firmware, the totally insecure board configuration, and the soldered-in JTAG header.

In OpenOCD for firmware version 04.00, just issue these two commands:

mww 0x40223FF4 0xE3A00003
mww 0x40223FF8 0xE12fff1e

(this translates to mov r0,0x03; bx lr)

Unfortunately, you cannot permanently flash the image back until somebody writes a flash driver for the i.MX28 processor. The current version of OpenOCD does not have one. I have not tried patching a firmware update image and flashing it through the update process; considering how insecure the device is, it might work.

 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3495 on: September 03, 2014, 08:08:59 am »
Thanks for the info sptm14,

I opened my MSO1074Z-S today to see what the situation was regarding possible candidates for JTAG headers.

I have a 6-pin header and two 10-pin headers on the board.  My guess based on the PCB traces is that the 10-pin header nearest to the Hynix RAM is probably the JTAG header, and my hope is that this header follows the usual 10-pin ARM JTAG pinout (I haven't poked around at it yet).

Are you able to confirm if my assumptions are correct?

I've attached a photo from inside my scope for reference.
 

Offline sptm14a

  • Newbie
  • Posts: 7
Re: Sniffing the Rigol's internal I2C bus
« Reply #3496 on: September 03, 2014, 07:42:46 pm »

Are you able to confirm if my assumptions are correct?


Yes, the 10-pin header next to the Hynix DRAM chip is the JTAG you need (there are several JTAG interfaces on the board).
The pinout is not standard ARM; here it is, left to right as shown in your picture:

top row: tck,tms,tdi,trst,3.3v
bottom row: XXX,tdo,srst,gnd,gnd
« Last Edit: September 03, 2014, 07:52:36 pm by sptm14a »
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3497 on: September 04, 2014, 01:02:28 am »
top row: tck,tms,tdi,trst,3.3v
bottom row: XXX,tdo,srst,gnd,gnd

Thanks for this, really appreciated.  I've got some JTAG adaptors on the way so hopefully I'll be able to play with this really soon :)
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3498 on: September 05, 2014, 01:13:29 pm »
Thanks for this, really appreciated.  I've got some JTAG adaptors on the way so hopefully I'll be able to play with this really soon :)

Well, I tried the first JTAG adaptor without success (but also no smoke, so that's always nice).  I bought a cheap ST-Link v2 JTAG/SWD dongle, but no luck with that so far.  I'm completely new to JTAG, so I'm not really sure what I'm doing.

I tried to get OpenOCD v0.8.0 working with the ST-Link adaptor connected to the scope.  I made a short cable to convert the standard 20-pin ARM connector to the 10 pin one in the scope, but all I've been able to get OpenOCD to do so far is reset the scope when it tries to connect.  I played around with the reset_config options a little but still had the same results.  OpenOCD can detect the ~3.3v from the scope, so the dongle appears to at least partially work.

I've got an Olimex ARM-USB-OCD-H adaptor on its way, so maybe I'll have better luck with that.  The more I've been reading to try to solve the various problems I've run into so far, the more it's becoming clear that the ST-Link adaptors are a little bit "special" (not in a good way).
 

Offline radiogeek97

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3499 on: September 08, 2014, 11:06:52 am »
About to pull the trigger on a DSA815-TG, probably from TEquipment, BUT I saw a post by "pinkman" in this thread that made reference to a new boot loader/firmware that may have locked out the "upgrade process" to turn on options.  Is this true?   If so, could an owner downgrade the FW and then "activate the options"?   Any advice would, as always, be welcomed.
 
