
Sniffing the Rigol's internal I2C bus


3s1d:
Hi

first of all I'd like to thank everyone here for their great work.

I have a small problem with my MSO1074Z. I dumped the 64M image using my PI and generated the license codes using the rigup-0.4.1 tool posted in #7323 (https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg565557/#msg565557). I had no errors during this process. I can confirm that the serial number in the TXT file (after the scan command) is the same as displayed by the device itself. I tried to enter the generated codes for 0x1C00F and 0x1C001, but had no luck. The MSO always responds: "Invalid license".

I was so frustrated that I pushed the apply-button a little bit too often. Now I have to wait at least 12h before I can continue.  |O

What did I do wrong? Is the firmware too old? My firmware version is 00.04.00. To which version should I upgrade? Do I have to redump the image again after the upgrade?

Many thanks in advance.
Juergen

3s1d:
Hi
I have upgraded to 00.04.02.SP4 and tried to reenter the already obtained codes. It still fails. Do I have to re-dump the binary again in order to get new(??) keys?

Regards
Juergen


PS: The scope is only a few hours old. The trial versions are still going. Could this be an issue?

3s1d:
Hi guys,

I figured it out... I initially compiled it on my OSX machine. As I switched to Ubuntu the keys changed and now everything works fine.

I so far only applied 0x1C00F and 0x1C080. Those are missing:
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.

As I understand 500uV is useless (see #3731), but what about the other 2? What are they for? Are they "harmful" (as noted here #3723)??

Regards,
Juergen

bigone5500:

--- Quote from: zombie28 on February 01, 2014, 08:10:30 pm ---
--- Quote from: poida_pie on January 29, 2014, 04:17:18 am ---What chances are there to patch a firmware so that it outputs the key and serial when you send it "*IDN?". That would be good.

--- End quote ---

Done!

https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc

No need for JTAG memory dumps anymore, just send *IDN? command and you'll get your license encryption keys in response (tested on my DS2072A that has just arrived).

--- End quote ---

This file is no longer available. Can someone please direct me to the file?

Thanks.

phersus:
Hello Guys,

Just a message to report another MSO1074Z unlocked  :)

Thank you to all the people contributing with their knowledge, effort, time, energy ... It's good to know that sharing is a good path to success.

Special thanks to rmd79, 0ff, Hammy, Howardlong and the guys who discovered and shared the hack in the first place sptm14, Slappy_g and for sure all the others I'm forgetting ... sorry, the thread is very long and many have contributed.

For those interested this is how I did it:

- First I tried with an Olimex JTAG header but neither Windows (7 32-bits), nor MAC OS X (Yosemite), nor Linux recognised it.
- I decided to try with the Bus Pirate V3.6 (BP) from Dangerous Prototypes and this worked at the first try (I think I got a defective Olimex  :-//).
- I did the memory dump using Linux (only because I was doing something in that machine and decided to try the BP, but I think it would have worked with the MAC as well, I didn't try).
- I used openocd and the result was a binary file of 67108863 Bytes.
- I used the updated version of the rigup tool that takes into account the MSO1074Z to get the private key
- I used the rigup tool again to generate the licenses
- I used the SCPI commands to enter the licenses and voila !!

The only thing I can contribute with since I haven't seen it here, is the use of the BP (Bus Pirate), the rest is according to the information given in the forum, so here it goes:

If someone is interested this guide was really helpful in putting Bus Pirate to work with openocd (under linux):

http://cybermashup.com/2014/05/01/jtag-debugging-made-easy-with-bus-pirate-and-openocd/

First a little disclaimer: This interface is really slow, when the guys from Dangerous Prototypes say that this is a human speed tool they are not kidding, it took several hours (25+) to get the dump done.

The cabling was pretty straightforward:

Oscilloscope        BusPirate
TDO <------------> MISO (According to the label in the PCB, however when in JTAG mode it is TDO as it is supposed to be)
TCK <------------> CLK (Again in JTAG mode this is TCK)
TMS <------------> CS (Which is TMS in JTAG mode)
TDI <------------> MOSI (TDI in JTAG mode)
3.3V <-----------> 3.3V
GND  <-----------> GND

I didn't use the other pins.

The openocd command line:

user@system:/home/user#openocd -f mybuspirate.cfg

File: mybuspirate.cfg

--- Code: ---
source [find interface/buspirate.cfg]
source [find target/imx28.cfg]

buspirate_mode normal
buspirate_pullup 0
buspirate_speed fast
buspirate_port /dev/ttyUSB0

--- End code ---


/!\ The port where the Bus Pirate was detected in my computer was /dev/ttyUSB0, you must change the previous line according to whatever it is in your case!

Once the interface was reporting this:

Info : Buspirate Interface ready!
Info : This adapter does not support configurable speed
Info : JTAG tap: imx28.cpu tap/device found: 0x079264f3 (mfg: 0x279 part: 0x7926, ver: 0x0)
Info : Embedded ICE version 6
Info : imx28.cpu: hardware has two breakpoint/watchpoint units
Info : Accepting 'telnet' connection on tcp/4444

I did the telnet to tcp port 4444


--- Code: ---user@system:/home/user#telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x40000013 pc: 0x401e1104
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> dump_image mso1074z.bin 0x40000000 0x3FFFFFF
dumped 67108863 bytes in 91906.320312s (0.713 KiB/s)
target state: halted
target halted in ARM state due to debug-request, current mode: IRQ
cpsr: 0x40000092 pc: 0x001c17a0
MMU: enabled, D-Cache: enabled, I-Cache: enabled

--- End code ---

Then I ran the rigup tool with the dump file as parameter


--- Code: ---user@system:/home/user#./rigup scan mso1074z.bin > mso1074z.txt

--- End code ---

which generated the private key/public key/RC5 keys/Serial Number

Afterwards, with the latter file, I ran the rigup tool again to generate the licenses:


--- Code: ---user@system:/home/user#./rigup license mso1074z.txt 0x1C001

--- End code ---

or as Sandra suggested in her post "Reply #3765" page 252 of this thread

This is a summary of the found options as far as I know:

(CSAR = 0x1C001) TRIGGER             --> Applied
(CSAB = 0x1C002) DECODER             --> Applied
(CSA3 = 0x1C004) MEM-DEPTH           --> Applied
(CSAJ = 0x1C008) RECORDER            --> Applied
(CSAS = 0x1C010) DG                  --> Not clear yet on what this option does
(CSRA = 0x1C020) 500uV               --> Reported not to work correctly
(CSBA = 0x1C040) Power Ana.          --> Not clear yet on what this option does
(CS3A = 0x1C080) Bandwidth (100MHz)  --> Applied
(CSHY = 0x1C0FF)                     --> Kind of APPLY ALL!

And finally to apply the generated licences the easiest way is to use the scope's SCPI interface:

Configure the LAN interface of the MSO1074Z:

--- Code: ---Utility —> IO Setting —> LAN Conf.

--- End code ---

You can connect the scope through a switch or back to back to your PC; in any case, this is the setup:

[Oscilloscope] --- straight Cable -----[Switch] ------ straight Cable ------- [PC]
 or
[Oscilloscope] ------------- Crossed Cable ---------------- [PC]


--- Code: ---user@system:/home/user#telnet <Oscilloscope LAN IP Address> 5555

:SYSTem:OPTion:INSTall <The Activation Code WITHOUT the dashes or spaces>

--- End code ---

I hope this will help someone. I tried to complete it with some information that was spread across several posts; if you want to see some pictures, go to Sandra's post, which has some very useful ones (notably for the Oscilloscope JTAG interface).

Cheers,
Gus
