| Sniffing the Rigol's internal I2C bus |
| Orange:
--- Quote from: smgvbest on September 30, 2015, 01:07:44 am ---
--- Quote from: Orange on September 29, 2015, 08:42:18 am ---
--- Quote from: smgvbest on September 29, 2015, 12:48:46 am ---
--- Quote from: MiataMuc on September 28, 2015, 07:00:47 pm ---pm
--- End quote ---
Thank you. This confirms to me that the keys for the DSA815 were found in another manner. The eye catchers are not there in your dump or mine with V1.14 and boot 1.04, which means to me they were found in another way.
--- End quote ---
On the DS2000 the change came when a new hardware revision was introduced. With new hardware on the DS2000A RIGOL also introduced customized encryption parameters for each unit. Perhaps they did the same on the DS815. I don't think the boot code plays a role here, apart from the fact that you cannot downgrade.

Have you tried scanning the dumps for license keys with 'rigup search [KEYFILE] DUMPFILE'?

BTW, on a DS2000A you need at least 32Meg to get results.
--- End quote ---
Yes I did, I also tried an 8MB dump on mine and neither found anything. I also tried dumping over SCPI the first 32Meg and it could not find anything either.
--- End quote ---

I scanned my DSA815 via dumping over SCPI, it is an early one.

Boot is 01.02
Version of main board is 00.04
Firmware is 1.09

I found 5 license keys in the lower part of the flash memory, basically the four I put in myself, and there was already one present, probably for the tracking gen.

Also I tried to find the known private key in the flash (32 meg) and did not find it. |
| smgvbest:
Yes, looking at a pre boot 1.04 I was able to find the same in even a 4Meg dump, but in mine at 1.04 a search turned up nothing at all. The eye catcher bytes seem to typically be there but not on the DSA's. I manually went through the 32Meg dump and saw nothing that looked familiar.

I do have one thought, and maybe something that's been tried before, but I was thinking if I went into the licensing screen and entered even a bad key it would maybe have deciphered bit strings in memory at that point, so I'm going to try that out next. |
| cybernet:
if u are after the bootloader for the DSA then i would assume that it is located at 0x2000 0000 in the Flash as a LDR stream. (that's how the DS2x does it)
0x2000 0004 contains the length of the LDR stream for the bootloader.

try to dump that and use a tool like ldrviewer to see if it actually contains a LDR stream. if so - i have a nice LDR loader for ida pro that i can share.

usually the bootldr (again DS2x knowledge) then loads yet another LDR which is the actual APP image.

dumping from 0x0 onwards is RAM - which gets overwritten by the bootloader with the APP image, so i doubt u get that data out with SCPI. best to use gdb, and break the boot process before the APP image gets executed.

from my old notes
--- Code: ---
BootMode (BMODE) is 0001b
The kernel boots from address 0x20000000 in asynchronous memory bank 0.
The first byte of the boot stream contains further instructions whether the memory is eight or 16 bits wide.

BootLoader takes care of:
bfin init (EBIU, PLL, PORTS, DMA, SPORT)
fpga init
lcd init and displaying ultravision & rigol logo
load the application image LDR from flash @0x20040000+0x4 (first 4 bytes contain length of LDR stream)
optionally firmware upgrade via DS2000Update.GEL
run bfin executable from RigolDsExe.ldr (you need to disable any interrupts quickly or it will crash)
--- End code --- |
| Macbeth:
--- Quote from: cybernet on October 10, 2015, 11:30:08 pm ---
try to dump that and use a tool like ldrviewer to see if it actually contains a LDR stream if so - i have a nice LDR loader for ida pro that i can share.
--- End quote ---

Hi cybernet,

Please share... anything about Rigol and Blackfin. I'm quickly learning about it as I just bricked my DM3058E doing a firmware downgrade using the Rigol method of a supplied file on a USB stick plugged into it. I've flashed these firmwares before and not had a problem, but this time Murphy got me :(

I've been reading up on the ADSP-BF531 documentation and the Rigol binary file appears to follow the LDR format, just prefixed with a null terminated RIGOL firmware ID string. An example is the previous DM3058 firmware available here.

I've got the 90 day trial of VisualDSP running and tried that LDRViewer application, but it doesn't seem to like the Rigol files even when I strip the header firmware string out and start on the 4 byte address, 4 byte count, and 2 byte flag immediately after it. But following the headers and blocks manually in a hex editor it seems ok.

Now, I have to re-flash using the JTAG port. I'm guessing the supplied rigol firmware minus the id string is probably ok. I only have an Altera USB blaster so had a look at the official tools and nearly had a heart attack at the prices :-DD - is it possible to flash with the USB blaster? I also noticed an Olimex ARM-USB-OCD tool that looks reasonably priced and supports debugging so would be worthwhile for me to have a go at reversing this thing and fixing bugs that Rigol are so slow to...

I've also got an, ahem, evaluation version of IDA Pro 6.6+SDK and found a Blackfin module but haven't had much luck getting it to work, it seems to be for an earlier version :(

Anyway, any help much appreciated ;)

Sorry to move off track from the DSA guys, but there is a lot of info here relevant to my DMM. Why do Rigol love the Blackfin DSP so much? It seems like total overkill for a simple DMM :-// Though I guess if they paid for all the licensed tools for their scopes and stuff... and their devs are used to it... maybe it makes sense? |
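
The file layout described in the post above (a null-terminated ID string, then blocks each headed by a 4-byte address, 4-byte count and 2-byte flag) can be sanity-checked by walking the headers programmatically instead of by hand in a hex editor. This is an added example, not code from the thread or from Rigol: the flag bit values are taken from Analog Devices' ADSP-BF53x boot-stream documentation and should be checked against the hardware reference, a single null byte with no padding before the first header is assumed, and the sample image is constructed.

```python
import struct

# Flag bits per Analog Devices' ADSP-BF53x boot-stream documentation
# (assumption: verify against the hardware reference for the exact part).
ZEROFILL, RESVECT, INIT, IGNORE, FINAL = 0x0001, 0x0002, 0x0008, 0x0010, 0x8000
HEADER = struct.Struct("<IIH")  # 4-byte address, 4-byte count, 2-byte flag

def strip_id_string(image):
    """Split off the null-terminated ID string that precedes the LDR stream."""
    end = image.find(b"\x00")
    if end < 0:
        raise ValueError("no null terminator found for the ID string")
    return image[:end].decode("ascii", "replace"), image[end + 1:]

def walk_ldr(stream, max_blocks=100_000):
    """Walk 10-byte block headers until FINAL; raise on a truncated stream."""
    blocks, off = [], 0
    while len(blocks) < max_blocks:
        if off + HEADER.size > len(stream):
            raise ValueError(f"header at offset {off:#x} runs past end of data")
        addr, count, flag = HEADER.unpack_from(stream, off)
        off += HEADER.size
        # A zero-fill block has no payload in the file: the loader clears
        # `count` bytes at `addr` itself.
        payload = 0 if flag & ZEROFILL else count
        if off + payload > len(stream):
            raise ValueError(f"block for {addr:#010x} claims {count} bytes, "
                             f"only {len(stream) - off} left")
        blocks.append({"addr": addr, "count": count, "flag": flag,
                       "file_off": off, "zerofill": bool(flag & ZEROFILL),
                       "init": bool(flag & INIT), "ignore": bool(flag & IGNORE)})
        off += payload
        if flag & FINAL:
            return blocks
    raise ValueError("no FINAL block found")

def build_sample():
    """Constructed sample: made-up ID string plus three blocks (not real firmware)."""
    body = HEADER.pack(0xFFA00000, 4, RESVECT) + b"\x11\x22\x33\x44"
    body += HEADER.pack(0xFF800000, 0x100, ZEROFILL)      # no payload follows
    body += HEADER.pack(0xFFA00010, 2, FINAL) + b"\xAA\xBB"
    return b"SAMPLE-FW-ID\x00" + body

if __name__ == "__main__":
    fw_id, stream = strip_id_string(build_sample())
    print("ID:", fw_id)
    for b in walk_ldr(stream):
        print(f"{b['addr']:#010x} count={b['count']:#x} "
              f"flag={b['flag']:#06x} payload@{b['file_off']:#x}")
```

A walk that ends on a FINAL block at or before the end of the data, with no length errors, is a quick consistency check on an image before it is written anywhere.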
| Asmyldof:
Hey Guys and Gals, I want to aware-nize you all of this post I made in chat: New Bootloaders for DG5 and DP800 Also, @smgvbest, once I have time again from the freelance assignment from hell (should be soon), as I am interested in hacking the DS815 myself as well, I could look into the rigup code, possibly confer about what I see and how that fits the "old dump" you have and how that might be adapted to the new one. |