Sniffing the Rigol's internal I2C bus

[Daruosha]

What I'm concerned about is the possibility of a successful memory dump and keys extraction with the lastes published firmware. It seems i have to try it myself rather than relying on other experiences. Having all options worths loosing the warranty (i don't have the patience to peel off the warranty label properly), but loosing warranty and gaining nothing is not the best option i guess.

However, i think I'm going to take the risk and let it go as an experience.

In the men time I'd appreciate any suggestions and recommendations :-)

[TurboTom]

Peeling off the sticker really isn't troublesome at all if you gently heat it with a hair dryer or a reflow hot air blower at low low temperature setting (<100°C). This softens the glue of the sticker so much that wax paper (or whatever that stuff is called that nothing sticks to) more or less just slides underneath it. A job of a minute or so.

Cheers,
Tom

[Daruosha]

Guess what?!?!

I took apart the scope and found the JTAG pin headers on the main board were gone. Just 10 unpopulated solder pads DAMN

[qwertymodo]

It's not hard to solder on a standard 2x5x0.1" pin strip, or just get a press-fit header from Samtec.

Sent from my m8wl using Tapatalk

[Spinwing]

Guess what?!?!

I took apart the scope and found the JTAG pin headers on the main board were gone. Just 10 unpopulated solder pads DAMN

I just went through the process of unlocking everything on my MSO1104Z-S here, and I found the same thing when I opened it up. I ended up soldering in a header, but it does take a little bit of work since you have to fully disassemble the scope. And no point bothering to keep the warranty sticker after that

However the process worked fine. I used an Altera USB Blaster clone I got from eBay, wired it up according the JTAG pinouts specified here:

https://www.altera.com/content/dam/altera-www/global/en_US/pdfs/literature/ug/ug_usb_blstr.pdf

For reference, here are the USB blaster pin assignments for JTAG mode:

USB Blaster Pin	Signal
1	TCK
2	GND
3	TDO
4	VCC
5	TMS
6	N/C
7	N/C
8	N/C
9	TDI
10	GND

When I was hooking it up I just ignored any signals that aren't on that list.

I used OpenOCD 0.9.0 on Windows. My scope had firmware 4.03.SP2 installed, and I still had some time left on the feature trial licenses so I just halted the processor while the trial time remaining screen was showing and dumped the image.

I got bored after about an hour and wanted to see if I was getting anything, so I stopped the process with about 16MB dumped and used rigup 0.4.1 (the mso1000z version, no patches or anything applied). It found the keys and the generated license worked fine.

As a side note, I briefly tried building and running rigup using the bash shell support in Windows 10, but it faulted with a failed assertion that I didn't look into. Instead I built it in Visual Studio and it ran fine with just a couple of very minor tweaks to change a couple of POSIX specific calls.

[qwertymodo]

I used OpenOCD 0.9.0 on Windows. My scope had firmware 4.03.SP2 installed, and I still had some time left on the feature trial licenses so I just halted the processor while the trial time remaining screen was showing and dumped the image.

Glad to hear that worked for somebody else.  Looks like the timing of the dump really is (at least part of) the issue.  Not sure what that means for people whose trials have expired.  Maybe in that case, it might be possible to open the Options>Installed menu where it lists the trial options that have expired and try taking a dump while that dialog is displayed.  psysc0rpi0n, maybe can you try that?

[Daruosha]

No change.
Still the Error with the EmbeddedICE version and I can't halt the CPU.

I have the same problem and everything i did, couldn't figure it out.

What did you?

[Edinson]

In my case it was most likely a wiring problem.
As soon as I did like shown in reply #4248 it worked without any issues.
My adapter is an Olimex ARM-USB-OCD-H and I had an additional pin (#3 at both ends) connected.
Others in this forum have used an Altera as well as far as I have read, maybe one of these may share how they did it.

[Edinson]

Look at reply #4013

[Daruosha]

My JTAG adaptor is Altera USB blaster and I checked the wiring several times. I just left the SRST and TRSTS and ignored them, since my Altera blaster does't have those pins. Do you think that could be the issue?

[Daruosha]

I ordered an Olimex USB-OCD-H. Let see does that work or not.

On things i was wondering could cause connection problem was the way i connected the pin hearders. Since i didn't want to fully disassemble the scope, i put 2 rows of 5pin so called "military" headers on the scope pcb and put an IDC cable and put rather heavy thing on the idc connector to keep the pin headers straight on the PCB.  It sounds very stupid and rather idiotic, but i think the pin headers make a reasonable connection with pads. I couldn't find pres fit headers and i cannot think of any other solderless solution.

Any suggestions?

[qwertymodo]

That could work, but I'd never trust it for something that takes this long. I've done exactly that for reprogramming micros, and sometimes it'll take 2-3 tries, which isn't a big deal when the whole thing takes 10 seconds, but do you really want it to come loose 40 minutes in and have to start all over?

Here are Samtec's press-fit series, you can get the exact 2x5 header you need: https://www.samtec.com/products/pht

Sent from my m8wl using Tapatalk

[psysc0rpi0n]

I used OpenOCD 0.9.0 on Windows. My scope had firmware 4.03.SP2 installed, and I still had some time left on the feature trial licenses so I just halted the processor while the trial time remaining screen was showing and dumped the image.

Glad to hear that worked for somebody else.  Looks like the timing of the dump really is (at least part of) the issue.  Not sure what that means for people whose trials have expired.  Maybe in that case, it might be possible to open the Options>Installed menu where it lists the trial options that have expired and try taking a dump while that dialog is displayed.  psysc0rpi0n, maybe can you try that?

I didn't checked this thread for a few days... I'll try it right away!


Edited;
Ok, the generated keys were the same as the previous attempts so they were a no go! I halted the scope with the board of the installed option on the screen but no good!

[Daruosha]

Let's assume I have the codes for 2000 minutes trial license keys. Can I uninstall them when it's close to expiration and re-install them (with SCPI commands of course)?
Is there anyway to completely factory reset the scope?

[manu]

DS4000 series Bandwidth (model type) Option Codes.

For those who have an interest in the DS4000, I have found the option codes for selecting the bandwidth .
This also sets the model type.

For example the code FAB9 will select 500Mhz, (DS405x), with all Decoders enabled.

The attached file contains all the details.

There are also two un-documented, possibly future, options called "Power Analysis" and "MA".

The option codes have been tested with firmware ver 00.02.00.00.04 and ver 00.02.01.00.03.

*EDIT*
 Attached updated PDF document to include the option selection codes for LIN and 1553B decode.
Also included are two possible future options,  Power Analysis and I2S decode.
Power Analysis has been listed for some time, but the I2S decode is relatively recent.
The original un-documented "MA" option has become the 1553B decode option.

Hello,

I successfully added decoders option to my MSO4024.
soft ver 00.02.03.00.03
hard ver 0.1.3.1
The 4-letter parameter to add decoders permanently: BAA9 (RS232, SPI, I2C, CAN, FlexRay, LIN decoders)

[tom66]

I'm curious. When you buy a licence key from Rigol (or a distributor) you just provide them with your serial number, right? Does Rigol also know the private key of every scope, or is it just different for the MSO series?

[Daruosha]

Yes, all they need is the serial number of the device.

[Fungus]

I'm curious. When you buy a licence key from Rigol (or a distributor) you just provide them with your serial number, right?

Right.

Does Rigol also know the private key of every scope

They could easily generate keys at the factory and store them in a database keyed to the serial number.

Or maybe the private key is simply derived in some way from the serial number (using a private Rigol key).

Does anybody know how the dealers generate the keys? I think Rigol doesn't generate them directly so the dealers must have software to generate keys. Do they have to go to a special Rigol website or something? Anybody know?

[BravoV]

Does Rigol also know the private key of every scope

They could easily generate keys at the factory and store them in a database keyed to the serial number.

Or maybe the private key is simply derived in some way from the serial number (using a private Rigol key).

Does anybody know how the dealers generate the keys? I think Rigol doesn't generate them directly so the dealers must have software to generate keys. Do they have to go to a special Rigol website or something? Anybody know?

Once you purchased the option, Rigol or dealers will send you Software License Certificate with an initial product key (not for keying into the scope though , and then you will need to point your browser to -> http://int.rigol.com/CustomerService/ProductRight , then you key in the "product key" provided in the certificate AND your scope's serial number to generate the real key for user to enable it at the scope.

The most important fact , the generated key is NOT identical from the one generated by riglol. 

[fab13]

hi I can not see option install on mine DS 2102A  what i am doing wrong ?

I can only see System info , but no detail , can some one help ?

thx

[RebornGeek]

Thanks for the great posts. 

I've used a couple of the license-key-generator sites (http://gotroot.ca/rigol/riglol/) and used the key on my 1074S Scope.  Keep getting invalid license.

So:

1. Does this hack still work?  Seems that maybe Rigol has caught on.
2. Should the license key change?  I keep getting the same key trying different website, clearing my cache, etc.

Many thanks for any help.
RebornGeek

[manu]

Thanks for the great posts. 

I've used a couple of the license-key-generator sites (http://gotroot.ca/rigol/riglol/) and used the key on my 1074S Scope.  Keep getting invalid license.

So:

1. Does this hack still work?  Seems that maybe Rigol has caught on.

I tried with a ds1054z this week-end to activate:
- advanced triggers: DSAB
- decoders: DSAC
- 24M memory: DSAE
- recorder: DSAJ
Use your scope serial number to generate the license key(s).

[cypcyp]

Hello, i received my DS1074-S-Z a few days ago with the free DECODER-Option. The official application of that option via Rigol website went fine. But unfortunately the keys generated by riglol_1.03d for the advanced trigger failed, now i'm locked out for the 12 hrs period every time i enter a wrong key.

Do you have any idea why the keygen doesn't work? Sysinfo says DS1074Z Plus Firmware 00.04.03.SP2 Board Version 6.1.1.
Were other attempts successful on that model? Or am i too stupid to understand the procedure?
I enter my serial Nr, the Option-select DSAB, the private key is generated by the keygen and then dial in the 4*7 char key.

 

[Daruosha]

Hello, i received my DS1074-S-Z a few days ago with the free DECODER-Option. The official application of that option via Rigol website went fine. But unfortunately the keys generated by riglol_1.03d for the advanced trigger failed, now i'm locked out for the 12 hrs period every time i enter a wrong key.

Do you have any idea why the keygen doesn't work? Sysinfo says DS1074Z Plus Firmware 00.04.03.SP2 Board Version 6.1.1.
Were other attempts successful on that model? Or am i too stupid to understand the procedure?
I enter my serial Nr, the Option-select DSAB, the private key is generated by the keygen and then dial in the 4*7 char key.

Have you tried to generate the keys on a different browser or even a different machine?

[MarkF]

Let's assume I have the codes for 2000 minutes trial license keys. Can I uninstall them when it's close to expiration and re-install them (with SCPI commands of course)?
Is there anyway to completely factory reset the scope?

Maybe someone else can verify this. But, there are NO codes for the trial licenses.