| Sniffing the Rigol's internal I2C bus |
| jmccorison:
Dave92F1, thanks for a great post on unlocking the DS2072A. Some observations about it. I first performed the unlock on firmware 00.03.00.SP1 and it worked like a champ. I missed step 11 as it was so similar to step 12, so you are correct that step 11 doesn't need to be performed. I then upgraded to firmware 00.03.03.01 and the previous unlock was still in effect. When I check installed options, all options show as "official version" except for MEM_DEPTH, which still shows as trial. I can live with that. When I installed the new key, the RigolBildschirmkopie.exe tool displayed an error: "There was an error when sending the SCPI command." However, it still performed the desired action. |
| Pacif13r:
Hi all, I recently got myself a DS2072A over the 1000Z with the plan of doing the hack to add bandwidth and features. I chose to go down the route of a JTAG memory dump to minimize my chances of doing damage. To this end I got myself an Olimex ARM-USB-OCD-H and made up a cable.

As everyone has acknowledged, this topic is a monster and a half to follow, with myriad sub-topics having sprung up. Luckily I chanced upon beurgi's #2431 summary of what had been learned. Following those instructions I've got as far as trying to get a memdump...

This has been problematic as rigup is unable to find keys, so I've looked at the dump files and I'm certainly not getting anything like what I would have expected (without knowing what to expect in this scope's RAM). I've confirmed my results are odd by locating some dumps for the DS2072A which people have uploaded and having a look at these.

Everything appears to work, but the resulting dump is around 130MB and looks to be 98% full of long runs of FF bytes and then long runs of 00 bytes, with the very occasional and sporadic exceptions, which tend to be limited to a repeated and limited selection of bytes.

First image is that it seems to start off ok for a couple of dozen bytes and then...

Second image is a randomly selected island of non FF/00 bytes.

I'm using Ubuntu x64 in a VMware host on my Win7 x64 laptop, but I guess I'd think that if that were a factor I wouldn't be able to get as far as I do.

Model: DS2072A
Serial: DS2D16535XXXX
SW Ver: 00.03.03.SP1
HW Ver: 2.0

--- Code: ---
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=x86_64-unknown-linux-gnu --target=bfin-uclinux".
(gdb) target remote :2000
Remote debugging using :2000
0x00000000 in ?? ()
(gdb) info mem
Using memory regions provided by the target.
Num Enb Low Addr   High Addr   Attrs
0   y   0x20000000 0x20400000  rw nocache
1   y   0xef000000 0xef008000  ro nocache
2   y   0xff800000 0xff804000  rw nocache
3   y   0xff804000 0xff808000  rw nocache
4   y   0xff900000 0xff904000  rw nocache
5   y   0xff904000 0xff908000  rw nocache
6   y   0xffa00000 0xffa0c000  rw nocache
7   y   0xffa10000 0xffa14000  rw nocache
8   y   0xffb00000 0xffb01000  rw nocache
9   y   0xffc00000 0xffe00000  rw nocache
10  y   0xffe00000 0x100000000 rw nocache
(gdb) dump binary memory ~/electronics/ds2k_00_sdram.bin 0x00000000 0x07FFFFFF
--- End code ---

Any thoughts gratefully appreciated if anyone has come across this before? :-//

Thanks,
Justin |
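One way to quantify the symptom described in the post above (a dump that is mostly 0xFF/0x00 runs with small islands of other bytes), added here as an example and not part of the original post or of any tool named in the thread. The window size, the entropy threshold and the sample bytes are assumptions constructed for illustration.

```python
import math
from collections import Counter

WINDOW = 4096  # bytes per analysis window (assumed value, not from the thread)

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 is constant, 8.0 is uniform."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    """Label one window as fill, repetitive pattern, or plausible data."""
    if block.count(0xFF) == len(block):
        return "fill_ff"
    if block.count(0x00) == len(block):
        return "fill_00"
    # Assumed threshold: fewer than about 4 equally likely byte values.
    return "repetitive" if entropy(block) < 2.0 else "data"

def profile_dump(data: bytes, window: int = WINDOW):
    """Return (fill_fraction, islands); an island is (offset, length, kind)."""
    if not data:
        raise ValueError("empty dump")
    labels = [classify(data[i:i + window]) for i in range(0, len(data), window)]
    fill = sum(l.startswith("fill") for l in labels) / len(labels)
    islands, start = [], None
    for idx, label in enumerate(labels + ["fill_ff"]):  # sentinel ends a trailing run
        if not label.startswith("fill"):
            if start is None:
                start = idx
        elif start is not None:
            kind = "data" if "data" in labels[start:idx] else "repetitive"
            islands.append((start * window, (idx - start) * window, kind))
            start = None
    return fill, islands

def constructed_sample() -> bytes:
    """Constructed bytes, not a real scope dump: 90% fill plus two islands."""
    pattern = b"\xaa\x55" * (WINDOW // 2)         # two-value repeating island
    varied = bytes(range(256)) * (WINDOW // 256)  # stand-in for real content
    return (b"\xff" * WINDOW * 6 + pattern + b"\x00" * WINDOW * 8
            + varied + b"\xff" * WINDOW * 4)

if __name__ == "__main__":
    fill, islands = profile_dump(constructed_sample())
    print(f"fill windows: {fill:.0%}")
    for offset, length, kind in islands:
        print(f"  island at 0x{offset:08x}, {length} bytes, {kind}")
```

A very high fill fraction with only "repetitive" islands suggests the reads are not returning real memory contents; islands labelled "data" are where to look first.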
| CustomEngineerer:
While opening up your scope so you can hook up JTAG shouldn't be too terribly risky, it's still far more risky than just hooking up a network or USB cable to the ports on the outside of the case. There should be no reason to need to open up the scope at all. When I first tried the hack I was having a hard time getting a full dump. I can't remember which SCPI program I was using at the time (probably UltraSigma), but once I switched over to using Bildschirmkopie to get the dump it worked first time. And it has also worked several times since, when I lost the original memory dump and generated keys and wanted to try playing around with other options. |
| Pacif13r:
--- Quote from: CustomEngineerer on April 03, 2015, 06:53:47 am ---
While opening up your scope so you can hook up JTAG shouldn't be too terribly risky, it's still far more risky than just hooking up a network or USB cable to the ports on the outside of the case. There should be no reason to need to open up the scope at all. When I first tried the hack I was having a hard time getting a full dump. I can't remember which SCPI program I was using at the time (probably UltraSigma), but once I switched over to using Bildschirmkopie to get the dump it worked first time. And it has also worked several times since, when I lost the original memory dump and generated keys and wanted to try playing around with other options.
--- End quote ---

Thanks, I was under the impression that this required a custom firmware flash? I've enjoyed a couple of bricking experiences over the years so I'm super wary with high ticket items... ::) Still, if there are no horror stories with the technique on here, perhaps I should reconsider given my lack of JTAG success, unless someone has some insight to share on my problem. |
| CustomEngineerer:
There is no longer a need for the custom firmware flash. The current way works with the latest firmware. I believe it was first reported around Aug - Sept 2014. Sorry, I don't remember exactly where the steps are in this thread (they are also listed in plenty of other threads; there was a much more recent thread on hacking the Rigol scopes from, I think, Feb 2015). I would go back in this thread to Aug 2014 and go forward from there, or try to find one of the more recently created threads.

1) Use RigolBildschirmkopie program to issue SCPI command to have scope dump memory. My memory dump was only the first 32MB.
2) Use rigup program on dump from step 1 to generate the key codes.
3) Use RigolBildschirmkopie/UltraSigma or any SCPI program to send the key code to the scope. You can also manually add the key code through the scope's interface just like you would if you had purchased an upgrade from Rigol.

That's it, no opening scope, no flashing custom firmware, no need to downgrade firmware. Once you get it, the whole process takes less than 5 minutes. |