| Sniffing the Rigol's internal I2C bus |
3s1d:

Hi

first of all I'd like to thank everyone here for their great work.

I have a small problem with my MSO1074Z. I dumped the 64M image using my PI and generated the license codes using the rigup-0.4.1 tool posted in #7323 (https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg565557/#msg565557). I had no errors during this process. I can confirm that the serial number in the TXT file (after the scan command) is the same as displayed by the device itself.

I tried to enter the generated codes for 0x1C00F and 0x1C001, but had no luck. The MSO always responds: "Invalid license". I was so frustrated that I pushed the apply-button a little bit too often. Now I have to wait at least 12h before I can continue. |O

What did I do wrong? Is the firmware too old? My firmware version is 00.04.00. To which version should I upgrade? Do I have to redump the image again after the upgrade?

Many thanks in advance.

Juergen
3s1d:

Hi

I have upgraded to 00.04.02.SP4 and tried to re-enter the already obtained codes. It still fails. Do I have to re-dump the binary again in order to get new(??) keys?

Regards
Juergen

PS: The scope is only a few hours old. The trial versions are still going. Could this be an issue?
3s1d:

Hi guys,

I figured it out... I initially compiled it on my OSX machine. As I switched to Ubuntu the keys changed and now everything works fine.

I so far only applied 0x1C00F and 0x1C080. Those are missing:

(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.

As I understand 500uV is useless (see #3731), but what about the other 2? What are they for? Are they "harmful" (as noted here #3723)??

Regards,
Juergen
bigone5500:

--- Quote from: zombie28 on February 01, 2014, 08:10:30 pm ---
--- Quote from: poida_pie on January 29, 2014, 04:17:18 am ---
What chances are there to patch a firmware so that it outputs the key and serial when you send it "*IDN?". That would be good.
--- End quote ---

Done! https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc

No need for JTAG memory dumps anymore, just send *IDN? command and you'll get your license encryption keys in response (tested on my DS2072A that has just arrived).
--- End quote ---

This file is no longer available. Can someone please direct me to the file? Thanks.
phersus:

Hello Guys,

Just a message to report another MSO1074Z unlocked :)

Thank you to all the people contributing with their knowledge, effort, time, energy ... It's good to know that sharing is a good path to success.

Special thanks to rmd79, 0ff, Hammy, Howardlong and the guys who discovered and shared the hack in the first place sptm14, Slappy_g and for sure all the others I'm forgetting ... sorry, the thread is very long and many have contributed.

For those interested this is how I did it:

- First I tried with an Olimex JTAG header but neither Windows (7 32-bits), nor MAC OS X (Yosemite), nor Linux recognised it.
- I decided to try with the Bus Pirate V3.6 (BP) from Dangerous Prototypes and this worked at the first try (I think I got a defective Olimex :-//).
- I did the memory dump using Linux (only because I was doing something in that machine and decided to try the BP, but I think it would have worked with the MAC as well, I didn't try).
- I used openocd and the result was a binary file of 67108863 Bytes.
- I used the updated version of the rigup tool that takes into account the MSO1074Z and got the private key.
- I used the rigup tool again and generated the licenses.
- I used the SCPI commands to enter the licenses and voila !!

The only thing I can contribute with, since I haven't seen it here, is the use of the BP (Bus Pirate); the rest is according to the information given in the forum, so here it goes:

If someone is interested, this guide was really helpful in putting Bus Pirate to work with openocd (under linux):
http://cybermashup.com/2014/05/01/jtag-debugging-made-easy-with-bus-pirate-and-openocd/

First a little disclaimer: This interface is really slow, when the guys from Dangerous Prototypes say that this is a human speed tool they are not kidding, it took several hours (25+) to get the dump done.

The cabling was pretty straightforward:

Oscilloscope       BusPirate
TDO  <------------> MISO (According to the label in the PCB, however when in JTAG mode it is TDO as it is supposed to be)
TCK  <------------> CLK  (Again in JTAG mode this is TCK)
TMS  <------------> CS   (Which is TMS in JTAG mode)
TDI  <------------> MOSI (TDI in JTAG mode)
3.3V <------------> 3.3V
GND  <------------> GND

I didn't use the other pins.

The openocd command line:

user@system:/home/user#openocd -f mybuspirate.cfg

File: mybuspirate.cfg

--- Code: ---
source [find interface/buspirate.cfg]
source [find target/imx28.cfg]
buspirate_mode normal
buspirate_pullup 0
buspirate_speed fast
buspirate_port /dev/ttyUSB0
--- End code ---

/!\ The port where the Bus Pirate was detected in my computer was /dev/ttyUSB0, you must change the previous line according to whatever it is in your case!

Once the interface was reporting this:

Info : Buspirate Interface ready!
Info : This adapter does not support configurable speed
Info : JTAG tap: imx28.cpu tap/device found: 0x079264f3 (mfg: 0x279 part: 0x7926, ver: 0x0)
Info : Embedded ICE version 6
Info : imx28.cpu: hardware has two breakpoint/watchpoint units
Info : Accepting 'telnet' connection on tcp/4444

I did the telnet to tcp port 4444:

--- Code: ---
user@system:/home/user#telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x40000013 pc: 0x401e1104
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> dump_image mso1074z.bin 0x40000000 0x3FFFFFF
dumped 67108863 bytes in 91906.320312s (0.713 KiB/s)
target state: halted
target halted in ARM state due to debug-request, current mode: IRQ
cpsr: 0x40000092 pc: 0x001c17a0
MMU: enabled, D-Cache: enabled, I-Cache: enabled
--- End code ---

Then I ran the rigup tool with the dump file as parameter

--- Code: ---
user@system:/home/user#./rigup scan mso1074z.bin > mso1074z.txt
--- End code ---

which generated the private key/public key/RC5 keys/Serial Number.

Afterwards, with the latter file I ran the rigup tool again to generate the licenses:

--- Code: ---
user@system:/home/user#./rigup license mso1074z.txt 0x1C001
--- End code ---

or as Sandra suggested in her post "Reply #3765" page 252 of this thread

This is a summary of the found options as far as I know:

(CSAR = 0x1C001) TRIGGER --> Applied
(CSAB = 0x1C002) DECODER --> Applied
(CSA3 = 0x1C004) MEM-DEPTH --> Applied
(CSAJ = 0x1C008) RECORDER --> Applied
(CSAS = 0x1C010) DG --> Not clear yet on what this option does
(CSRA = 0x1C020) 500uV --> Reported not to work correctly
(CSBA = 0x1C040) Power Ana. --> Not clear yet on what this option does
(CS3A = 0x1C080) Bandwidth (100MHz) --> Applied
(CSHY = 0x1C0FF) --> Kind of APPLY ALL!

And finally, to apply the generated licences the easiest way is to use the scope's SCPI interface:

Configure the LAN interface of the MSO1074Z:

--- Code: ---
Utility —> IO Setting —> LAN Conf.
--- End code ---

You can connect the scope through a switch or back to back to your PC; in any case this is the setup:

[Oscilloscope] --- straight Cable -----[Switch] ------ straight Cable ------- [PC]
or
[Oscilloscope] ------------- Crossed Cable ---------------- [PC]

--- Code: ---
user@system:/home/user#telnet <Oscilloscope LAN IP Address> 5555
:SYSTem:OPTion:INSTall <The Activation Code WITHOUT the dashes or spaces>
--- End code ---

I hope this will help someone. I tried to complete it with some information that was spread over several posts; if you want to see some pictures go to Sandra's post, which has some very useful ones (notably for the Oscilloscope JTAG interface).

Cheers,
Gus