Sniffing the Rigol's internal I2C bus
rmd79:

Flatlander (and everyone else interested in the MSO1000Z series)..

Today I dumped the RAM from my MSO1074Z-S using an Olimex ARM-USB-OCD-H adapter and a JTAG cable I made using the information provided by sptm14.

I ran the "rigup" tool on the memory dump but it didn't find any keys.  However, I then went and manually searched for variations of what rigup was searching for, and found a section of the memory dump that seems to almost exactly match what rigup wants to see in order to extract the keys and resolve the private key.

In the rigup-0.4.zip, /src/ directory, there is a file called utils.c, which contains a function called ScanKeys().  It searches for the following pattern in the memory dump:

(hex):

02 00 84 00 10 00

I changed it to:

01 00 84 00 10 00

and then re-compiled and ran it on my memory dump, then I got this:

root@kali03:/home/rdavidson/rigup-0.4# ./rigup scan /root/mso1074z-s_64M_RAM.bin
rigup scan - Version 0.4

RC5KEY1:        057C2FCEFAD84E75AF393F05A13F8690
RC5KEY2:        23E24CFCA6FA196C89F3A9706BDA3689
XXTEAKEY:       D4AD754E348E9D2BF3C161517AE2CB04
PUBKEY:         005497018B62F230
PRIVKEY:        0099FC5DFBE778D0

I also ran "rigup search /root/mso1074z-s_64M_RAM.bin".  It spat out 6 keys, one of which looks obviously wrong/invalid, but I tried one of the more reasonable looking keys on my scope and got a message saying the key has already been used.  So, I believe I have 1 valid key (which might be a trial key, since my scope still has about 33 hours of its trial period left and I haven't purchased any upgrades, or maybe it's a feature key for the Sig Gen or LA.  No idea!).

The key below, VZ2RCVM... is the key that rigup was able to find in my memory dump, and that the scope says has already been used.  This info below, I believe, is rigup validating the key, using the key info above:

root@kali03:/home/rdavidson/rigup-0.4# ./rigup info mso1074z-s.keys VZ2RCVM-ZK8ZY4L-_______-_______
rigup info - Version 0.4

License:        VZ2RCVM-ZK8ZY4L-_______-_______    (V2MP = 0x9ED6D)
Signature 1:    0000000000000000
Signature 2:    0000000000000000
Padding 1:      00000000A0EF87DE
Padding 2:      00000000743732CE
Verify:         Ok

All of the other keys it found do not verify (and I haven't tried inputting them into my scope yet, to see if they work there).

FYI: My MSO1074Z-S runs firmware version 00.04.01.SP2.  In the memory dump, the keys appear to be located at hex address 0x00E063AC.

I have not had any luck generating keys to unlock the features in the scope yet.

If anyone wants to give me a hand or has any ideas, let me know.  I'm not giving up yet, but it's 2am here and I'm off to bed.
conte_vlad:
I apologize if I missed something, but it seems you are using, from what I understood, the procedure written for the DS-MSO2000 on the DS-MSO1000, and I am not sure it is correct.

Go there

http://www.gotroot.ca/rigol/riglol/

Fill the field with your requested detail, read the section for DS1000, and try. I don't have the MSO1000 and never used it, but try.... O0
rmd79:

Hello conte_vlad,

I'm using a very similar procedure to the others, basically trying to go the route of dumping the memory, getting the keys and then generating licence keys.  There is nothing new about that, but I'm hoping that I've found the private key for the MSO1000Z series and that now I just need to find the 4-character feature codes.

I don't fully understand your post, the link is to a file on your hard drive.  If you are trying to ask me to try using the DS1000Z key generation feature in Riglol, then I can already tell you that it doesn't work with the MSO1000Z series.  I tried that before going the JTAG route.
conte_vlad:
sorry, I corrected the link... :phew:
rmd79:

--- Quote from: conte_vlad on September 11, 2014, 05:15:50 pm ---sorry, I corrected the link... :phew:

--- End quote ---

Hello conte_vlad,

I've tried Riglol, but it doesn't produce valid license keys for my MSO1074Z-S.  After I opened up my MSO for the first time and saw that the board was labelled as DS1000Z main board, I tried the Riglol tool, but no luck.  I'm fairly sure that I've read somewhere in this massive thread that the Riglol tool can't produce valid keys for the MSO1000Z series yet, so it's no surprise that it didn't work.