Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1619583 times)


Online TurboTom

  • Super Contributor
  • ***
  • Posts: 1098
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4375 on: August 20, 2017, 11:40:25 pm »
This chip appears to be an 8 bit microcontroller, MC9S08QD2, see the datasheet here: http://www.nxp.com/docs/en/data-sheet/MC9S08QD4.pdf.

Whether the 2k of memory that it contains is enough for calibration data is something I'd doubt. But it could well be involved in license management. Yet more probable is that it's used for something much more mundane, like generating a power good signal/reset circuitry, as it features four A/D channels. Food for thought...

Cheers,
Thomas
 

Offline LeoIt

  • Newbie
  • Posts: 4
  • Country: it
Re: Sniffing the Rigol's internal I2C bus
« Reply #4376 on: August 21, 2017, 07:58:12 pm »
Thank you very much TurboTom !

You are right, it should be an HCS08 micro; the power supply pins are quite strange, not much used (+3 and -4) and are compatible, also the strip connection to pin 1 - Reset and 2 - BKGD is connected to the strip (probably used to program or configure and.... single wire "debugging" ;-).....

I agree with you, its memory (2K Flash) is too small for DSA calibration data.....

Because its power supply seems separated from the main DSP and related chips, I think it will be used to power up the instruments....
I mean to make the fading blink of the ON/OFF button and to check its status to turn ON and OFF the entire system.

I hope, but am not sure, that it is not used as a sort of hardware key to identify each device.
Or used to store the MAC address and other unique information of the instrument (but for this they should use the U1105 FRAM .... ? ).

Thank you again for your help....

Bye...
 

Online TurboTom

  • Super Contributor
  • ***
  • Posts: 1098
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4377 on: August 22, 2017, 05:10:45 pm »
You're most probably right: The HCS08 variant appears to be part of several of Rigol's designs that feature the BlackFin processor as the digital core and a soft power button, see here the DS2000 (as per Dave's teardown photos, in the lower right corner, yet here it's the 4kB variant):
https://www.flickr.com/photos/eevblog/8022098878/in/album-72157631618295437

Similar situation for the DM3068, the DG4000 series and also the DS4000, yet in the latter Rigol uses a higher pin count / memory variant of the HCS08 series, the MC9S08JM60.

In contrast, the DS1000Z series doesn't seem to contain the HCS08 controller and this instrument features a "hard" power switch, so the usage of the controller for the soft power circuitry is very likely.

Cheers.
Thomas
« Last Edit: August 22, 2017, 05:13:03 pm by TurboTom »
 

Offline chevdor

  • Newbie
  • Posts: 1
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4378 on: August 23, 2017, 09:48:19 pm »
I have seen some questions several times (while searching myself) so I will try to provide a few facts based on my trials.

Using a Mac with an Olimex ARM-USB-OCD-H does work.
Just don't expect to see anything in /dev/cu*. That is OK.

My scope is a MSO1104Z-S. This is a recently purchased (2017-08) scope with the latest firmware (00.04.04.SP3).
The board shows version v01.04_20141024 on the PCB.

You guys probably saw the great video at: https://www.youtube.com/watch?time_continue=7&v=OvcGn_ScG5w
This video helps a lot if you take your time. Highly recommended. Yes, you will need to open your scope.

A little surprise though, the JTAG headers are no longer part of the board. You still have the holes and traces in the PCB but no header. Surprising but not really an issue.

Newcomers will probably miss the openocd config files. They are here:
https://raw.githubusercontent.com/arduino/OpenOCD/master/tcl/target/imx28.cfg
https://raw.githubusercontent.com/arduino/OpenOCD/master/tcl/interface/ftdi/olimex-arm-usb-ocd-h.cfg

Compiling rigup on a Mac is a breeze. Follow the guides.

You may get an error when running openocd:
Error: An adapter speed is not selected in the init script. Insert a call to adapter_khz or jtag_rclk to proceed.

No panic, you can add the following line as line 34 in imx28.cfg:

adapter_khz 5000

I did a few tests regarding the speed. Some failed, I am not sure whether it was due to the speed or the temperature.
I used a few fans during the process...

adapter_khz 1000 => works, just damn slow. Expect a dump in around 40-50 minutes. I did not wait...
adapter_khz 5000 => works. Around 10:30 minutes for the dump.
adapter_khz 8000 => failed me, the scope rebooted
adapter_khz 10000 => failed me, the scope rebooted

With adapter_khz 5000, the dump will take about 10:30 minutes. I got it to work 2/2 times with pins simply hanging around in the PCB holes... Do not shake your desk :-DD and make sure your fan does not move things around too much.

I did not apply the 0x1C080 (100 MHz) obviously.

Respect to the team who put that together.  :-+

Rigol plays it smart on that one as I am sure they are aware that they end up selling more of their 'hackable' scopes, thus making more $$$ than selling a few software options that are anyway harder to buy on their site than it is to find this thread!

A little warning though, you do need a few tools to get this to work:
- TX10 screwdriver
- 14mm flat wrench helps
- a fan is probably recommended
- a good lamp :)
- some stickers (not for the sticker, but for the waxed paper supporting them)
- clean headers (2x 5 pins). Those won't be soldered so clean them up or use new ones. Forget those 5-year-old headers you used 20 times...
- a few clean cables: if you start messy, chances of success will decrease...

Good luck

« Last Edit: August 30, 2017, 08:32:55 am by chevdor »
 

Offline El Viking

  • Newbie
  • Posts: 1
  • Country: fr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4379 on: September 02, 2017, 01:39:33 pm »
hi,

On an MSO1074Z, software version 00.04.04.SP1, board version 2.1.4, a very new scope, delivered this week. JTAG was not populated.
I use a PC on W10-64-pro.
I set up the Olimex ARM...H (some problems with the driver, solved with Zadig).
I use rigup w64 version 0.4.2 from
I dump memory with openocd 0.10.0

The first time I used rigup-0.4.2-x86_64-win.zip ==> good txt file, with good serial number, but the license number doesn't work ==> invalid licence
I made many dumps.... same txt file, same key...
The second time I tried with rigup-0.4.2-i686-win.zip ==> same txt file, but license key accepted by the scope...
Now the MSO is full option; I have already tested the RS232 decode, it runs correctly.

Many thankssss to the working team!!!!


 

Offline ironcurtain

  • Regular Contributor
  • *
  • Posts: 62
  • Country: es
Re: Sniffing the Rigol's internal I2C bus
« Reply #4380 on: November 08, 2017, 05:33:52 am »
I'm really considering getting a Rigol since I have to diagnose some RFI issues in some projects and it will come handy for lots of stuff down the line. I have IDA 6.X with the decompilers (did not pay for the last upgrade haha!) and can do reversing if needed.

What is the status of the hack right now? Is there a bandwidth upgrade from 70 to 100 or 100 to 200 as it used to be? How about options?
If I end up getting a Rigol I will likely buy off Batronix since I'm in Europe... so I'm limited to whatever they are shipping right now.

Luckily it seems you can downgrade FW since they don't use any sort of e-fuses...

Cheers!
 

Offline H.O

  • Frequent Contributor
  • **
  • Posts: 706
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4381 on: November 10, 2017, 04:28:39 pm »
"A Rigol" is pretty vague since they have at least 4 different series of scopes and DSO/MSO models in each series (except possibly the DS6000 series). If I'm not mistaken the unlock process is a bit different on different models. For some you might need to dump the firmware while on others all you need to do is generate an option key and install it.

I'm not up to speed on it all but if you specify which model you're considering someone might give you a better answer.

With that said, their Ultra Vision platform is >5 years old now and depending on your needs there might be other suitable options.
 

Offline wldshy

  • Contributor
  • Posts: 26
  • Country: cn
Re: Sniffing the Rigol's internal I2C bus
« Reply #4382 on: November 13, 2017, 02:00:36 pm »
hi,
I really want to know whether the new Rigol DS2000E/4000E series can be hacked. Especially the DS4014E is a very affordable choice, if only it can be hacked to 500MHz BW.
 

Offline ironcurtain

  • Regular Contributor
  • *
  • Posts: 62
  • Country: es
Re: Sniffing the Rigol's internal I2C bus
« Reply #4383 on: November 18, 2017, 03:02:11 am »
"A Rigol" is pretty vague since they have at least 4 different series of scopes and DSO/MSO models in each series (except possibly the DS6000 series). If I'm not mistaken the unlock process is a bit different on different models. For some you might need to dump the firmware while on others all you need to do is generate an option key and install it.

I'm not up to speed on it all but if you specify which model you're considering someone might give you a better answer.

With that said, their Ultra Vision platform is >5 years old now and depending on your needs there might be other suitable options.

Thanks a lot for responding. I should have been more specific:

- I would like at least 200MHz achievable bandwidth either through hacks or off the shelf. If I can score a DSO going higher than that through hacks, that would be great.
- Use will be debugging, looking at unknown signals from MCUs, diagnosing issues with resonators and some RF work, mostly repairs and such.
- I would love to have the ability to get FFTs and other math transformations. If it has a built-in decoder for signals... that would even be better!

I was looking at this Siglent unit:
https://www.batronix.com/shop/oscilloscopes/Siglent-SDS1202X+.html

But Rigol seems a lot more geared towards hobbyists, so I will definitely appreciate your suggestions.  Either way I have reverse engineering experience and got the necessary tools at hand including a (legitimate) pro licensed IDA with decompilers :)
 

Offline H.O

  • Frequent Contributor
  • **
  • Posts: 706
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4384 on: November 18, 2017, 12:50:03 pm »
FFT is not something I personally use but from what I understand Rigol isn't doing very well in that department (you can always export the data and perform the FFT on the PC if needed).

Since you're considering the Siglent SDS1202X I'm guessing 2 channels is "all you need"? If that's the case and 200MHz is "enough" then there's a lot to choose from but I'd personally put 4 channels way above good FFT functionality and I would not spend money on a built in function gen, I think it's better to have a separate unit. But that's me.

Take a look at the Siglent SDS1202X-E, and if you need four channels wait for the four channel version in that series (I hear Dave has one for teardown/review so it'll probably show up sooner than later).

I don't know about hacks on anything except Rigol and I don't know if the new DS2000E and DS4000E series are hackable and if so to what extent. All I can really say from personal experience is that the DS4000 series ARE (closed case) hackable to enable full bandwidth (500MHz) and all the options (which you get for free now anyway).

There are SO many considerations to make (which is shown again and again and again in all the "which scope is right for me" threads) but, as was said in another thread, if you want 4 channels and lots of bandwidth then a DS4014 probably STILL is a good option despite it being 5-6 years old now.

For a general purpose scope, today, I'd want the R&S RTB2000 and I probably would've gotten one if the bastards would have offered the introductory deal in Europe and not only in the US.

And at the lower end the upcoming 4 channel Siglent is going to be interesting, since you mention 200MHz that might just be the unit for you.

But comparing a $400-500 Siglent SDS1202X-E to a $2000 Rigol DS4000 or a $3000 RTB2004 (200MHz) isn't really "fair" from any perspective.
 
The following users thanked this post: egonotto

Offline sebastos08

  • Contributor
  • Posts: 9
  • Country: fr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4385 on: December 18, 2017, 01:16:23 pm »
Hi all,

any chance to receive a "riglol" item extension or any tips to crack my options for my new dl3021?

thanks in advance
 

Offline gantarone

  • Newbie
  • Posts: 3
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4386 on: January 03, 2018, 07:32:29 pm »
Hi,
Rigol DS1074Z Plus (S series)
Software Version 00.04.04.SP3
Board Version 6.1.4
I tried using JTAG but with no success.....
after the dump (with Segger J-Link) file size around 67,1MB
after command:
./rigup scan mio.bin > mio.txt
Scanning 'mio.bin' failed: No keys
Please Help!!!

 

Offline edgelog

  • Regular Contributor
  • *
  • Posts: 70
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4387 on: January 04, 2018, 05:57:34 am »
Hi,
Rigol DS1074Z Plus (S series)
Software Version 00.04.04.SP3
Board Version 6.1.4
I tried using JTAG but with no success.....
after the dump (with Segger J-Link) file size around 67,1MB
after command:
./rigup scan mio.bin > mio.txt
Scanning 'mio.bin' failed: No keys
Please Help!!!

I found that in my scope the code sequence was different. I thought that was just the MSO, but it's worth a try. Look for 0x02 0x00 0x84 0x00 0x10 0x00 with a hex editor.

See my description at:

https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg1191044/#msg1191044

 
The following users thanked this post: gantarone

Offline gantarone

  • Newbie
  • Posts: 3
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4388 on: January 04, 2018, 01:37:33 pm »
Thanks edgelog, I had already tried,
but I probably did not clean up the old compilation...
I tried again now and bamm, found the codes!!!! THANKS!!!!!
For now I can not try the codes, I have to wait 12h..... (too many tries)

I discovered 5 other codes in my dump!!!!,
using the simple command (on OSX, but I think it is the same on Linux):
strings -n 28 dump.bin >> dumpoutput.txt
you will find so much text (in dumpoutput.txt), but if you have patience you will find other codes without using rigup (two at the end of the file (dumpoutput.txt), the others in the middle)
I tried just one and in one shot enabled all the options except 100M bandwidth !!!!!! :-+ :-+ :-+ :-+

PS Thanks Again edgelog!!!!
« Last Edit: January 05, 2018, 12:20:53 pm by gantarone »
 

Offline gantarone

  • Newbie
  • Posts: 3
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4389 on: January 05, 2018, 10:28:21 am »
Thanks edgelog!!!
it works!!!
before
model: 1074z Plus S

Now:
all options plus 100MHz!!! and function generator ok!!! I have not tried MSO but it seems to work.
model: DS1104Z Plus
Software Version : 00.04.04.SP3
Board Version 6.1.4
 :) :) :) :) :) :) :) :)
 

Offline edgelog

  • Regular Contributor
  • *
  • Posts: 70
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4390 on: January 05, 2018, 05:00:40 pm »
Thanks edgelog!!!
it works!!!

Glad I could help!
 

Offline metalmanbaris

  • Newbie
  • Posts: 3
  • Country: tr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4391 on: March 19, 2018, 07:42:39 pm »

I know it has been asked a million times... I read all posts but I didn't find my answer ...

I have a DS1104Z Plus.. Version 04.04 SP3
I did the memory dump.. I scanned the keys..
But when I use the rigup and use the keys on the scope I got "invalid license key" error.

I used 0.4.1 and 0.4.2 of rigup   (Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com)

What am I doing wrong...? Isn't the DS1104Z Plus hackable.... Should I use a different rigup tool ?

Thanks
Baris (TA7W)



 
 

Offline edgelog

  • Regular Contributor
  • *
  • Posts: 70
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4392 on: March 19, 2018, 08:45:45 pm »

I have a DS1104Z Plus.. Version 04.04 SP3
I did the memory dump.. I scanned the keys..
But when I use the rigup and use the keys on the scope I got "invalid license key" error.

I used 0.4.1 and 0.4.2 of rigup   (Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com)

What am I doing wrong...? Isn't the DS1104Z Plus hackable.... Should I use a different rigup tool ?

The MSO1000 and the DS1000 are not exactly the same. The rigup you should use is not the MSO one, but the DS one. There's a small difference in the string it's looking for in the memory dump. OTOH, if you used the wrong rigup, I would have expected it not to find any keys, and that's not your case, it seems.
 

Offline edgelog

  • Regular Contributor
  • *
  • Posts: 70
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4393 on: March 19, 2018, 08:49:04 pm »
I have a DS1104Z Plus.. Version 04.04 SP3
I did the memory dump.. I scanned the keys..
But when I use the rigup and use the keys on the scope I got "invalid license key" error.

I also seem to have a vague memory of others with that problem if they cut/pasted the codes into the scope using the terminal interface. Some hidden characters got copied along. Have you tried entering the codes by hand through the scope's own interface?
 

Offline metalmanbaris

  • Newbie
  • Posts: 3
  • Country: tr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4394 on: March 20, 2018, 07:56:58 pm »
Have you tried entering the codes by hand through the scope's own interface?

Yes I did...same error.. "invalidlicense"

 

Offline metalmanbaris

  • Newbie
  • Posts: 3
  • Country: tr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4395 on: March 20, 2018, 08:04:21 pm »
The MSO1000 and the DS1000 are not exactly the same. The rigup you should use is not the MSO one, but the DS one. There's a small difference in the string it's looking for in the memory dump. OTOH, if you used the wrong rigup, I would have expected it not to find any keys, and that's not your case, it seems.
Yes you're right but I got the result with the MSO (maybe it is because my DS is a PLUS version... maybe)
But the keys generated with rigup license are invalid....

Did people manage to pull out the right KEYS for the DS1104Z-Plus?
 

Offline edgelog

  • Regular Contributor
  • *
  • Posts: 70
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4396 on: March 20, 2018, 08:46:12 pm »
Did people manage to pull out the right KEYS for the DS1104Z-Plus?

Good question. I really don't know if anyone did it with that specific version.
 

Offline edgelog

  • Regular Contributor
  • *
  • Posts: 70
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4397 on: March 20, 2018, 08:49:27 pm »
Have you tried entering the codes by hand through the scope's own interface?

Yes I did...same error.. "invalidlicense"

Ok, one more thing to try. I have a vague recollection that someone had a problem entering the keys into rigup. Something with the fields not being really empty even though they look blank. Backspace first, or select all and delete, then enter the keys.

I'm sorry my recollections aren't any sharper, but it's worth trying.
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 180
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4398 on: April 15, 2018, 06:07:27 am »
With the help of new patched firmware developed by our forum member, @konnor,  you can take the memory dump of MSO1000z series scopes and extract the keys from the dump, no JTAG adaptor or any hardware effort or taking the scope apart is required anymore.

1- Download the patched firmware from the first post of this thread:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1467130/#msg1467130
You have to download the two split files, rename their extension to "rar" and extract the DS1000ZUpdate.GEL file out of the archive.

2- Copy the patched firmware file onto a 4GB FAT32 formatted USB disk and put it into the scope. After inserting the flash drive, the scope prompts you to upgrade the firmware (to the same version if you already have the latest version).

3- Once the patched firmware installation is done, connect your scope to your local network with an ethernet cable and make sure it's been connected and obtained an IP address. (if you don't have a DHCP server, you can manually assign a proper IP address from the menu). In order to make sure the scope is connected and reachable from your PC, try to ping its IP address and check the scope is responding.

4- For this step you need a Windows machine; I used VirtualBox to host a new Windows VM and run the utility. Download the required utility from this post:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1478726/#msg1478726
and then extract it on your computer. Next from the “release” folder run the following command:

rigolif.exe r -ffw.bin -l0x3FFFFFF -a0x40000000

This command dumps the memory contents of your scope into a file named "fw.bin".
During the memory dump process you may see a few errors; generally it's not a problem, but if in the next step you couldn't extract the keys, repeat the process from this step (step 4) and continue.

5- Download the rigup tool from this URL: http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip . For this step I used my MacOS X machine and simply built the executable file from the source code by running this command in the same folder into which the downloaded file has been extracted:

make

If you have a Windows machine, you have to compile the file yourself (I don't know which compiler and which settings are required). You can extract the keys from the dump file with this tool as well:
http://gotroot.ca/rigol/rigup-0.4.2-x86_64-win.zip
(this is just extraction, to generate the license keys, you have to use the MSO1000z version of rigup).

6- Copy the fw.bin file (obtained from step 4) into the same folder into which you extracted the rigup tool and run the following command:

rigup-0.4.2-x86_64-win.exe scan fw.bin > keys.txt

(of course you may need to modify the command, correct executable file name and paths and etc…)

Once the command finishes, you can check the extracted keys with this command:

type keys.txt

You should have a file containing something like this:

        Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com

RC5KEY1:        6CDBAC1CCE16B5048F2425237A8A0EF4
RC5KEY2:        CFFED4830820DAA382AE39E5ACCDA639
XXTEAKEY:       E141B9AE1AA4773F5CF9B5B9341DB788
PUBKEY:         005497018B62F230
PRIVKEY:        0099FC5DFBE778D0
SERIAL:         DS1ZC182871920


If you have a generated file like this, bingo, you're almost done. The rest is generating the license keys. I assume generating the license codes is well documented and it's not required to mention it again here. However if you have any problem, please let us know and we'll help.
« Last Edit: May 26, 2018, 04:45:48 am by Daruosha »
 
The following users thanked this post: Cirkvito, DaveM

Offline borisbees

  • Newbie
  • Posts: 3
  • Country: 00
Sniffing the Rigol DP711's flash (may apply to DP712 too)
« Reply #4399 on: May 08, 2018, 04:47:25 am »
I bought a Rigol DP711 power supply recently and came across this thread while researching. It looks like no-one has published anything about this model yet, so I'm taking a shot.

The DP711 uses a Winbond W25Q128FV (16MB) SPI flash chip to store its firmware and user settings. This chip supports Dual and Quad SPI, but it's hard-wired for standard SPI operation - HOLD/RESET, and WP (write protect) are directly connected to VCC. It's located on the digital board behind the screen, under the screen's flat-flex connector, and it's an easy-to-probe VSOP package.

Initially I used a logic analyzer to watch reads and writes during startup and various operations, but I've recently dumped the whole flash contents via a microcontroller. Conveniently, the Winbond chip lets you issue a single read command for address 0x0 and proceed to clock out its entire memory. The DP711 doesn't appear to touch the flash when left idling on the main screen, but it has a fairly strong pull-up on the chip-select pin of the flash when idle. Connecting CS to ground through a 100 ohm resistor was enough to overcome this without issue for an extended period of time.

I've only had a cursory look at the full firmware dump at this time. The rigup scan tool didn't find anything, so Rigol may have changed something in this model... One thing that stuck out like a sore thumb however was this:


000ce00a  00 00 00 00 00 31 32 33  34 35 36 00 00 00 01 05  |.....123456.....|


It shouldn't have needed a logic analyzer to find, but that's the System -> Calibration screen password  :palm:

I'll post more once I've had a better look at the flash dump.
 
The following users thanked this post: Daruosha, djdanielb
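The DP711 finding above (a calibration password sitting in SPI flash as plain ASCII) is exactly what a firmware review should flag. As an added example, not code from this thread or from Rigol's firmware, the block below reconstructs that 16-byte region from the quoted hexdump line, shows the check such a layout implies, and contrasts it with a salted-hash record that a flash dump does not reveal. The string offset, the PBKDF2 parameters and the fixed salt are assumptions made for the demonstration.

```python
"""Plaintext secret in a flash image vs. a salted-hash record.

Added example: the flash region is constructed to match the hexdump line
quoted in the post above; the offset and hashing parameters are assumed.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the 16 bytes at 0x0ce00a in the quoted hexdump:
# five zero bytes, the ASCII password "123456", NUL padding, then 0x01 0x05.
FLASH_REGION_PLAIN = bytes.fromhex("0000000000313233343536000000" "0105")
PASSWORD_OFFSET = 5        # where the NUL-terminated string starts (assumed)
HASH_ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def read_plaintext_password(region: bytes, offset: int = PASSWORD_OFFSET) -> str:
    """Vulnerable layout: the secret is a NUL-terminated ASCII string, so a
    flash dump plus hexdump or `strings` reveals it directly."""
    end = region.index(b"\x00", offset)
    return region[offset:end].decode("ascii")


def check_plaintext(region: bytes, attempt: str) -> bool:
    """The firmware-side check this layout implies: a direct string compare."""
    return attempt == read_plaintext_password(region)


def store_hashed_password(password: str, salt: bytes = b"") -> bytes:
    """Hardened layout: 16-byte random salt || 32-byte PBKDF2-HMAC-SHA256.
    Reading the flash now yields no usable string without a brute-force search."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)
    return salt + digest


def check_hashed(region: bytes, attempt: str) -> bool:
    """Verify an attempt against the hardened record with a constant-time compare."""
    salt, stored = region[:16], region[16:]
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, HASH_ITERATIONS)
    return hmac.compare_digest(stored, digest)


def printable_runs(image: bytes, min_len: int = 4) -> list:
    """What a reviewer (or `strings -n`) sees: every ASCII run of min_len or more."""
    runs, cur = [], bytearray()
    for b in image:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode())
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode())
    return runs


if __name__ == "__main__":
    print("plaintext layout exposes:", printable_runs(FLASH_REGION_PLAIN))
    hardened = store_hashed_password("123456", salt=bytes(range(16)))
    print("hardened record printable runs:", printable_runs(hardened))
    print("plain check :", check_plaintext(FLASH_REGION_PLAIN, "123456"))
    print("hashed check:", check_hashed(hardened, "123456"),
          check_hashed(hardened, "654321"))
```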

