Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1572555 times)


Offline loaderr

  • Contributor
  • Posts: 6
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #4300 on: December 13, 2016, 09:47:17 am »
2twingy: check if your keys start with 0s and whether they have the proper length (should be 8 or 16 hexadecimal digits); if not, append 0 in front of the key, like 0x001234. Otherwise the fixed Rigup should just work for you.
 

Offline Twingy

  • Newbie
  • Posts: 3
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4301 on: December 13, 2016, 03:24:13 pm »
Hello loaderr, I've attached a copy of my output from rigup, do you see anything that looks out of the ordinary?  Thanks.
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 180
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4302 on: December 13, 2016, 05:50:18 pm »
Since public and private keys are the same across MSO-1000Z models, is there any way to calculate the XXTEA and RC5 keys from the serial number? I have the trial codes and am looking for a solution to solve these keys from the serial number and trial codes. Any suggestions?

 

Offline jckz82

  • Newbie
  • Posts: 1
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4303 on: December 20, 2016, 04:50:00 pm »
I'm in the same situation as Twingy.

- MSO1074Z bought in Dec 2016
- Software V04.03.SP2
- Board 2.1.4
- JTAG header absent from board
- Ran memory dump immediately after logo disappears (did three dumps with the same results)
- Used loaderr's fixed version of rigup

Generated licenses are invalid. 

Any files or information I can upload that would help solve this?
« Last Edit: December 20, 2016, 06:11:24 pm by jckz82 »
 

Offline Noize

  • Regular Contributor
  • *
  • Posts: 179
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4304 on: December 20, 2016, 06:07:56 pm »
I had success upgrading my mso1074z-s  8)

Software version 00.04.04
Board version 6.1.1


I compiled loaderr's version of rigup with VS 2013
Used a Chinese knockoff jtag dongle firmware: J-Link ARM V8 compiled 1 Dec 2009.    Hardware version: V8.00

Turned on the oscilloscope then plugged j-link into the computer
Started J-link commander from the command line>JLink.exe -speed 100

J-Link>connect
......
Device>arm9
.......
JTAGConf> (just press enter)

J-Link>h (press enter when license screen appears)

J-Link>speed 4600

J-Link>savebin mso1074z.bin 0x40000000 0x3FFFFFF

J-Link>g

Use Loaderr's file as per usual.

I bought my scope from Rigol 3 months ago with the latest firmware installed, the jtag header was still present.

Thank you to everyone who contributed  :clap: I am now able to continue electronics thank god! Ha
« Last Edit: December 21, 2016, 12:37:13 am by Noize »
 

Offline jlm1

  • Newbie
  • Posts: 2
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4305 on: January 01, 2017, 07:37:30 pm »
Result same as Twingy. Generated license invalid.
MSO1047Z-S
DS1ZDxxxxxxxxx (15 total chars)
Software 4.03.SP2
Board 6.1.4
JTAG header not populated. Note that cardboard box indicates manufacture date in July 2016.

First...
Memory dumped using Segger J-Link Pro. I used J-link commander, set the device to IMX28 (which selected ARM9), halted, and dumped using savebin.  I don't think it took much longer than five minutes.

Then...
Compiled Rigup in Visual Studio 2015 from the above posted modified source. It compiled without any issues, but then rigup scan crashed on a call to IsDigit(...) with a negative value. I debugged and figured out that VS was using signed char. It was necessary to add the /J flag to VS to force the compiler to use unsigned char. Then Rigup scan worked and found the correct serial number and possibly reasonable looking keys.

I generated DSAB (advanced trigger) license, entered it, and got invalid license.
--
If someone wants to double check my work and see if you get the same license codes from my memory dump, email me.  I would like to rule out a bug from compiling in visual studio.
---
Update: Another member generated keys with his compiled code and everything worked. So I was doing something wrong or my compiled rigup didn't work. So yes, rigup still works for Software 4.03.SP2, Board 6.1.4, without JTAG header.


« Last Edit: January 06, 2017, 07:29:51 pm by jlm1 »
 

Offline enry68

  • Contributor
  • Posts: 11
  • Country: it
Re: Sniffing the Rigol's internal I2C bus
« Reply #4306 on: January 03, 2017, 02:08:29 pm »
Hi guys.

How can I get the fabrication date of my Rigol 1054Z?

many thanks,
Enrico.
 

Offline jlm1

  • Newbie
  • Posts: 2
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4307 on: January 04, 2017, 04:47:20 am »
I think the date is on the calibration certificate
 

Offline Andrew8086

  • Contributor
  • Posts: 13
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4308 on: January 04, 2017, 10:52:38 am »
It is also coded into the serial number:

Manufacture date code in serial no.:
DS1ZA yy ww xxxxx
yy: 15=2013, 16=2014, 17=2015, 18=2016
ww: week no. in indicated year
 
The following users thanked this post: RoGeorge
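As an added example (not code from the thread or from any Rigol tool), here is a small Python parser for the serial-number date code Andrew8086 describes above. The year table is taken exactly as listed in the post; other year codes are reported as unknown rather than extrapolated, the unit field is allowed to be 5 or 6 digits because the thread mentions both 14- and 15-character serials, and the sample serials are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Year codes as listed in the thread (yy field -> calendar year).
# Only the codes the post gives are decoded; anything else is reported as unknown.
YEAR_CODES = {"15": 2013, "16": 2014, "17": 2015, "18": 2016}

# DS1Z<letter> prefix, two-digit year code, two-digit week number, unit digits.
# The thread shows DS1ZA and DS1ZD prefixes and 14- or 15-character serials,
# so the trailing unit field is accepted as 5 or 6 digits (assumption).
SERIAL_RE = re.compile(r"^(DS1Z[A-Z])(\d{2})(\d{2})(\d{5,6})$")


@dataclass
class SerialInfo:
    prefix: str
    year_code: str
    year: Optional[int]  # None when the code is not in the thread's table
    week: int
    unit: str


def parse_serial(serial: str) -> SerialInfo:
    """Split a DS1000Z-style serial into its fields and decode the build date."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        raise ValueError(f"not a DS1Z serial number: {serial!r}")
    prefix, yy, ww, unit = m.groups()
    week = int(ww)
    if not 1 <= week <= 53:
        raise ValueError(f"week field out of range: {ww}")
    return SerialInfo(prefix, yy, YEAR_CODES.get(yy), week, unit)


def manufacture_date(serial: str) -> str:
    """'week WW of YYYY', or a note when the year code is not in the table."""
    info = parse_serial(serial)
    if info.year is None:
        return f"week {info.week:02d} of unknown year (code {info.year_code})"
    return f"week {info.week:02d} of {info.year}"


if __name__ == "__main__":
    # Constructed sample serials, not real units.
    for s in ("DS1ZA182912345", "DS1ZD172345678", "DS1ZA1930123456"):
        print(s, "->", manufacture_date(s))
```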

Offline Teneyes

  • Frequent Contributor
  • **
  • Posts: 497
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4309 on: January 07, 2017, 07:04:46 am »
Manufacture date code in serial no.:
DS1ZA yy ww xxxxx
There was a time when there was a Hack to change the Serial Number  :)
IiIiIiIiIi  --  curiosity killed the cat but, satisfaction brought it back
 

Offline Noize

  • Regular Contributor
  • *
  • Posts: 179
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4310 on: January 07, 2017, 02:56:04 pm »
Quote from: jlm1 on January 01, 2017, 07:37:30 PM
Update: Another member generated keys with his compiled code and everything worked. So I was doing something wrong or my compiled rigup didn't work. So yes, rigup still works for Software 4.03.SP2, Board 6.1.4, without JTAG header.

It was actually loaderr's version from Reply #4308 compiled with VS2013, just to clarify.

The file I have attached was compiled on a windows 7 machine.
Use Rigol instead of rigup for the commands.





« Last Edit: January 07, 2017, 04:15:05 pm by Noize »
 

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #4311 on: January 11, 2017, 01:22:51 am »
Hi all,
I uploaded fixed rigup sources to https://www.dropbox.com/sh/1yrh8s90ityn90s/AAA6PXlJk9gGQwoDOwO6TDQua?dl=0, feel free to use.
There are still some bugs as psysc0rpi0n was unable to unlock so far so use cautiously :)
I did some investigation into how licenses are stored and it looks like they are just programmed to flash and never erased. On startup the FW scans all of them to decide which one to use. As long as rigup works there is no need to worry about trials.

Great work, thanks!

I have ported the build back to original POSIX build environment (just copied the new source into the old build directory), added some attribution for your work and bumped the version to 0.4.2, and packaged it up as rigup-0.4.2 and built a Linux x86_64 binary here.

I also decided to get MingW and try building for Windows. Seems to build with some warnings, but bails without outputting anything on the console. Not sure what that's about. I might spend a few minutes debugging, but it's not a platform I care about ;).

Edit: Build problem was -Wl,-dead_strip. Removing this linker option builds working Windows binaries. All builds now:

Linux x64 i686
Windows x64 i686
« Last Edit: January 11, 2017, 01:48:36 am by ve7xen »
73 de VE7XEN
He/Him
 
The following users thanked this post: Teneyes

Offline mikehs

  • Contributor
  • Posts: 7
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4312 on: January 26, 2017, 04:36:03 am »
SYSTem: OPTion:UNINSTall is deleting "All official options removed" or something like this.
But after some mem dumps I found 36 Hours Trial License Key ... key. Like for DP832
there is the same for DS1054Z too in here http://www.gotroot.ca/rigol/riglol/
And this is V for generating trial keys for DS1054Z
Option VSER is all options like DSER but 36 hours trial version.
So others can be

DS1000z device options:
first character: D = official, V = trial

DSAB - Advanced Triggers
DSAC - Decoders
DSAE - 24M Memory
DSAJ - Recorder
DSBA - 500uV Vertical
DSEA - 100MHz
DSFR - all options
DSER - all options - 500uV Vertical

Currently I have DS1000Z-00.04.04.00.07 firmware.
Now if I add official license, all options are official and after delete
all options continue trial time. (and mem dump is messier at key regions
like he is generating all separate trial keys but factory ones are there too. )

Sorry if this should have been clear after reading the last 10 pages...
I am just trying to understand if the www.gotroot.ca/rigol/riglol generated key still works for the newer DS1054Z?
software version: 00:04:04
board version: 0.1.4

I tried it, but no love.

Thanks for any help!
 

Offline mikehs

  • Contributor
  • Posts: 7
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4313 on: January 27, 2017, 12:17:17 am »
Sorry for bothering you all with that newbie Q. I got it working!

Turns out that you need to delete all the characters in the SN entry dialog before entering your SN.  I deleted up to the 'D' and that apparently does not work.
 

Offline FT952

  • Newbie
  • Posts: 2
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4314 on: January 29, 2017, 07:02:16 pm »
I bought a MSO2072A.
Software version 00.03.04.SP2
Hardware version 2.2

I read eevblog from 'Reply #3668' and tried 'Rigol USB' as well as 'Peter Dreisiebner.at - Rigol Bildschirmkopie'.
I dumped 13MB, 32MB and even 64MB (with Bildschirmkopie).
When I try to find the keys with rigup, I always get the message 'No keys'.   :-\

Even in the following replies I didn't find any solution.
I think I somewhere saw that MSO2072A would need a different kind of unlocking.

Any suggestions?
Thanks
R.
 

Offline FT952

  • Newbie
  • Posts: 2
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4315 on: January 31, 2017, 06:08:20 pm »
With some help, I used rigol 4.0 and entered the key in manually on the scope's key entry screen.
Usage of Bildschirmkopie didn't work.

Now it's a 2302A with all protocols enabled. :-+

Thanks for your great work and support guys!
Really well done.

Also in https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg1105561/#msg1105561 I found a solution like mine.

Best regards
R.
 

Offline Eric-H

  • Contributor
  • Posts: 26
  • Country: nl
DP711 unlock hires option
« Reply #4316 on: February 01, 2017, 03:44:36 pm »
I recently bought the Rigol DP711 power supply. Nice device (although the fan is a bit loud).

It has three options: HIRES, Trigger and timer. Does anyone know which device option codes (the four characters) and private key to use for the DP711 with the Riglol generator?
« Last Edit: February 01, 2017, 06:20:37 pm by Eric-H »
 

Offline Solder_Junkie

  • Regular Contributor
  • *
  • Posts: 82
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4317 on: February 23, 2017, 05:28:01 pm »
Now the later firmware for the DSA815 includes 10 Hz resolution, rendering the most useful hack obsolete, did anyone work out how to remove licence keys from an 815?
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: ca
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #4318 on: February 23, 2017, 06:15:26 pm »
Now the later firmware for the DSA815 includes 10 Hz resolution, rendering the most useful hack obsolete, did anyone work out how to remove licence keys from an 815?
No, we still do not know how to remove any previously installed option license.  But, it is not necessary to remove the license key.  The 10 Hz RBW will work fine now with, or without the license {option 3} activated.
« Last Edit: February 23, 2017, 06:17:07 pm by ted572 »
 

Offline Solder_Junkie

  • Regular Contributor
  • *
  • Posts: 82
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4319 on: February 23, 2017, 07:06:51 pm »
It would be nice to remove the licence keys in case it ever needs repair, the only hack that is useful to me is the 10Hz b/w one and that's now included.

No worries, I'll cross my fingers that it keeps working.
 

Offline Mike_H

  • Contributor
  • Posts: 7
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4320 on: March 08, 2017, 03:13:11 pm »
A quick post to say thank you to all the hard work that this thread represents.

After 3 days of reading and play, I was able to enable the options I wanted on my new to me 2302A.
For the record my firmware is 3.05

Thanks again!  :-+
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #4321 on: March 10, 2017, 01:02:01 am »
fun to see that this rigol hacking is still going on ;-) :-DD
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 
The following users thanked this post: Carrington, Orange

Offline Gennady

  • Newbie
  • Posts: 1
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4322 on: March 11, 2017, 11:48:04 am »
Hi all,
Who used a J-Link (J-Link V8 ARM USB-JTAG) to download a memory dump from an MSO1074Z? Please tell me the pinout connections. TCK, TMS, TDI, TDO are clear. But where do I connect TRST, VREF, SRST (which pins of the J-Link)?

Thanks for any help!
 

Offline Co6aka

  • Supporter
  • ****
  • Posts: 280
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4323 on: March 11, 2017, 03:23:25 pm »
fun to see that this rigol hacking is still going on ;-) :-DD

Reminds me of "i aM eLiTe!!!! gIvE mE wArEz D00dZ!!!!!!!!!!"  :-DD

Co6aka says, "BARK! and you have no idea how humans will respond."
 

Offline mightyzen

  • Contributor
  • Posts: 36
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #4324 on: April 01, 2017, 09:26:04 am »
Doing that since about a week or so, but the discovered TWI functions so far are slave mode, not master mode; a lot of stuff is happening via DMA transfers to/from the FPGA (assumption). They use VDK and threads, which makes reversing a pain in the ass: 8k subs, thousands of pointers... I'm slowly approaching the right subs. If anyone has IDA with the Blackfin CPU from Rigol homebrew, I'm happy to share my custom GEL loader and IDA DB.

I'm looking into the firmware for the past weeks or so to try and enable the 50 ohm option on a non-A DS2k model with v2 hardware. I would expect this to be a simple enough patch as long as I could find the handling of the SCPI "CHAN1:IMP FIFTY" command.

I'm just lost in those 8k of subs and simply fail to find the references to the "FIFTY" and "OMEG" strings. Could someone please point me in the right direction?
 

