Sniffing the Rigol's internal I2C bus
3s1d:
Hi

first of all I'd like to thank everyone here for their great work.

I have a small problem with my MSO1074Z. I dumped the 64M image using my PI and generated the license codes using the rigup-0.4.1 tool posted in #7323 (https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg565557/#msg565557). I had no errors during this process. I can confirm that the serial number in the TXT file (after the scan command) is the same as displayed by the device itself. I tried to enter the generated codes for 0x1C00F and 0x1C001, but had no luck. The MSO always responds: "Invalid license".

I was so frustrated that I pushed the apply-button a little bit too often. Now I have to wait at least 12h before I can continue.  |O

What did I do wrong? Is the firmware too old? My firmware version is 00.04.00. To which version should I upgrade? Do I have to redump the image again after the upgrade?

Many thanks in advance.
Juergen
3s1d:
Hi
I have upgraded to 00.04.02.SP4 and tried to reenter the already obtained codes. It still fails. Do I have to re-dump the binary again in order to get new(??) keys?

Regards
Juergen


PS: The scope is only a few hours old. The trial versions are still going. Could this be an issue?
3s1d:
Hi guys,

I figured it out... I initially compiled it on my OSX machine. As I switched to Ubuntu the keys changed and now everything works fine.

I so far only applied 0x1C00F and 0x1C080. Those are missing:
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.

As I understand 500uV is useless (see #3731), but what about the other 2? What are they for? Are they "harmful" (as noted here #3723)??

Regards,
Juergen
bigone5500:

--- Quote from: zombie28 on February 01, 2014, 08:10:30 pm ---
--- Quote from: poida_pie on January 29, 2014, 04:17:18 am ---What chances are there to patch a firmware so that it outputs the key and serial when you send it
"*IDN?". That would be good.

--- End quote ---

Done!

https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc

No need for JTAG memory dumps anymore, just send *IDN? command and you'll get your license encryption keys in response (tested on my DS2072A that has just arrived).

--- End quote ---

This file is no longer available. Can someone please direct me to the file?

Thanks.
phersus:
Hello Guys,

Just a message to report another MSO1074Z unlocked  :)

Thank you to all the people contributing with their knowledge, effort, time, energy ... It's good to know that sharing is a good path to success.

Special thanks to rmd79, 0ff, Hammy, Howardlong and the guys who discovered and shared the hack in the first place sptm14, Slappy_g and for sure all the others I'm forgetting ... sorry, the thread is very long and many have contributed.

For those interested this is how I did it:

- First I tried with an Olimex JTAG header but neither Windows (7 32-bits), nor MAC OS X (Yosemite), nor Linux recognised it.
- I decided to try with the Bus Pirate V3.6 (BP) from Dangerous Prototypes and this worked at the first try (I think I got a defective Olimex  :-//).
- I did the memory dump using Linux (only because I was doing something on that machine and decided to try the BP, but I think it would have worked with the Mac as well; I didn't try).
- I used openocd and the result was a binary file of 67108863 Bytes.
- I used the updated version of the rigup tool that takes the MSO1074Z into account and got the private key.
- I used the rigup tool again and generated the licenses.
- I used the SCPI commands to enter the licenses and voila !!

The only thing I can contribute with since I haven't seen it here, is the use of the BP (Bus Pirate), the rest is according to the information given in the forum, so here it goes:

If someone is interested this guide was really helpful in putting Bus Pirate to work with openocd (under linux):

http://cybermashup.com/2014/05/01/jtag-debugging-made-easy-with-bus-pirate-and-openocd/

First a little disclaimer: This interface is really slow, when the guys from Dangerous Prototypes say that this is a human speed tool they are not kidding, it took several hours (25+) to get the dump done.

The cabling was pretty straightforward:

Oscilloscope        BusPirate
TDO <------------> MISO (According to the label in the PCB, however when in JTAG mode it is TDO as it is supposed to be)
TCK <------------> CLK (Again in JTAG mode this is TCK)
TMS <------------> CS (Which is TMS in JTAG mode)
TDI <------------> MOSI (TDI in JTAG mode)
3.3V <-----------> 3.3V
GND  <-----------> GND

I didn't use the other pins.

The openocd command line:

user@system:/home/user#openocd -f mybuspirate.cfg

File: mybuspirate.cfg

--- Code: ---
source [find interface/buspirate.cfg]
source [find target/imx28.cfg]

buspirate_mode normal
buspirate_pullup 0
buspirate_speed fast
buspirate_port /dev/ttyUSB0

--- End code ---


/!\ The port where the Bus Pirate was detected in my computer was /dev/ttyUSB0, you must change the previous line according to whatever it is in your case!

Once the interface was reporting this:

Info : Buspirate Interface ready!
Info : This adapter does not support configurable speed
Info : JTAG tap: imx28.cpu tap/device found: 0x079264f3 (mfg: 0x279 part: 0x7926, ver: 0x0)
Info : Embedded ICE version 6
Info : imx28.cpu: hardware has two breakpoint/watchpoint units
Info : Accepting 'telnet' connection on tcp/4444

I did the telnet to tcp port 4444


--- Code: ---user@system:/home/user#telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x40000013 pc: 0x401e1104
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> dump_image mso1074z.bin 0x40000000 0x3FFFFFF
dumped 67108863 bytes in 91906.320312s (0.713 KiB/s)
target state: halted
target halted in ARM state due to debug-request, current mode: IRQ
cpsr: 0x40000092 pc: 0x001c17a0
MMU: enabled, D-Cache: enabled, I-Cache: enabled

--- End code ---

Then I ran the rigup tool with the dump file as parameter


--- Code: ---user@system:/home/user#./rigup scan mso1074z.bin > mso1074z.txt

--- End code ---

which generated the private key/public key/RC5 keys/Serial Number

Afterwards, with the latter file, I ran the rigup tool again to generate the licenses:


--- Code: ---user@system:/home/user#./rigup license mso1074z.txt 0x1C001

--- End code ---

or as Sandra suggested in her post "Reply #3765" page 252 of this thread

This is a summary of the found options as far as I know:

(CSAR = 0x1C001) TRIGGER             --> Applied
(CSAB = 0x1C002) DECODER             --> Applied
(CSA3 = 0x1C004) MEM-DEPTH           --> Applied
(CSAJ = 0x1C008) RECORDER            --> Applied
(CSAS = 0x1C010) DG                --> Not clear yet on what this option does
(CSRA = 0x1C020) 500uV             --> Reported not to work correctly
(CSBA = 0x1C040) Power Ana.          --> Not clear yet on what this option does
(CS3A = 0x1C080) Bandwidth (100MHz)  --> Applied
(CSHY = 0x1C0FF)                 --> Kind of APPLY ALL!

And finally to apply the generated licences the easiest way is to use the scope's SCPI interface:

Configure the LAN interface of the MSO1074Z:

--- Code: ---Utility —> IO Setting —> LAN Conf.

--- End code ---

You can connect the scope through a switch or back to back to your PC; in any case this is the setup:

[Oscilloscope] --- straight Cable -----[Switch] ------ straight Cable ------- [PC]
 or
[Oscilloscope] ------------- Crossed Cable ---------------- [PC]


--- Code: ---user@system:/home/user#telnet <Oscilloscope LAN IP Address> 5555

:SYSTem:OPTion:INSTall <The Activation Code WITHOUT the dashes or spaces>

--- End code ---

I hope this will help someone. I tried to complete it with some information that was spread over several posts; if you want to see some pictures, go to Sandra's post, which has some very useful ones (notably for the Oscilloscope JTAG interface).

Cheers,
Gus
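
The option codes listed in the posts above share the prefix 0x1C000 and differ only in the low byte, where each listed feature sits on its own bit. The following added example (not code from the thread or from the rigup tool) decodes a code into feature names and reports which features a set of applied codes leaves out; reading the low byte as a bitmask is an assumption inferred from the table, and the function names are hypothetical.

```python
# Added example; not code from the thread or from rigup.
# Assumption (inferred from the option table in the post): every option
# code is 0x1C000 plus a one-byte bitmask, one bit per feature.
OPTION_BASE = 0x1C000
OPTION_MASK = 0xFF
OPTION_BITS = {
    0x01: "TRIGGER",
    0x02: "DECODER",
    0x04: "MEM-DEPTH",
    0x08: "RECORDER",
    0x10: "DG",
    0x20: "500uV",
    0x40: "Power Ana.",
    0x80: "Bandwidth (100MHz)",
}


def decode_option(code):
    """Return the feature names selected by a single option code."""
    if (code & ~OPTION_MASK) != OPTION_BASE:
        raise ValueError(f"0x{code:X}: prefix is not 0x{OPTION_BASE:X}")
    bits = code & OPTION_MASK
    if bits == 0:
        raise ValueError(f"0x{code:X}: no feature bit set")
    return [name for bit, name in OPTION_BITS.items() if bits & bit]


def coverage(applied_codes):
    """Merge several applied codes.

    Returns (combined_code, enabled_names, missing_names).
    """
    mask = 0
    for code in applied_codes:
        decode_option(code)  # validates prefix and feature bits
        mask |= code & OPTION_MASK
    enabled = [n for b, n in OPTION_BITS.items() if mask & b]
    missing = [n for b, n in OPTION_BITS.items() if not mask & b]
    return OPTION_BASE | mask, enabled, missing


if __name__ == "__main__":
    # Codes quoted in the thread: 0x1C00F and 0x1C080 were applied.
    combined, enabled, missing = coverage([0x1C00F, 0x1C080])
    print(f"combined code: 0x{combined:X}")
    print("enabled:", ", ".join(enabled))
    print("missing:", ", ".join(missing))
```

For the two codes 3s1d reports applying, the missing list matches the three options named in that post (DG, 500uV, Power Ana.).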