| Products > Test Equipment |
| Sniffing the Rigol's internal I2C bus |
| << < (880/899) > >> |
| metalmanbaris:
--- Quote from: edgelog on March 19, 2018, 08:45:45 pm ---The MSO1000 and the DS1000 are not exactly the same. The rigup you should use is not the MSO one, but the DS one. There's a small difference in the string it's looking for in the memory dump. OTOH, if you used the wrong rigup, I would have expected it not to find any keys, and that's not your case, it seems. --- End quote --- Yes you're right but I got the result with the MSO (maybe it is because my DS is a PLUS version... maybe) But the keys generated with rigup license are invalid.... Do people managed to pull out the right KEYS for DS1104Z-Plus ? |
| edgelog:
--- Quote from: metalmanbaris on March 20, 2018, 08:04:21 pm ---Do people managed to pull out the right KEYS for DS1104Z-Plus ? --- End quote --- Good question. I really don't know if anyone did it with that specific version. |
| edgelog:
--- Quote from: metalmanbaris on March 20, 2018, 07:56:58 pm --- --- Quote from: edgelog on March 19, 2018, 08:49:04 pm ---Have you tried entering the codes by hand through the scope's own interface? --- End quote --- Yes I did...same error.. "invalidlicense" --- End quote --- Ok, one more thing to try. I have a vague recollection that someone had a problem entering the keys into rigup. Something with the fields not being really empty even though they look blank. Backspace first, or select all and delete, then enter the keys. I'm sorry my recollections aren't any sharper, but it's worth trying. |
| Daruosha:
With the help of new patched firmware developed by our forum member, @konnor, you can take the memory dump of MSO1000z series scopes and extract the keys from the dump, no JTAG adaptor or any hardware effort or taking the scope apart is required anymore. 1- Download the pathed firmware from the first post of the this thread: https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1467130/#msg1467130 . You have to download the two splited files, rename their extension to “rar” and extract the DS1000ZUpdate.GEL file out of the archive. 2- Copy the patched firmware file into a 4GB FAT32 formatted USB disk and put in to the scope,. After inserting the flash drive, scope prompts you to upgrade to firmware (into the same version if you have the latest version). 3- Once the patched firmware installation is done, connect your scope to your local network with an ethernet cable and make sure it's been connected and obtained an IP address. (if you don't have a DHCP server, you can manually assign a proper IP address from the menu). In order to make sure the scope is connected and reachable from your PC, try to ping its IP address and check the scope is responding. 4- For this step you need a windows machine, I used VirtualBox to host a new windows VM and run the utility. Download the required utility from this post: https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1478726/#msg1478726 and then extract it on your computer. Next from the “release” folder run the following command: rigolif.exe r -ffw.bin -l0x3FFFFFF -a0x40000000 this command dumps the memory contents of your scope in to a file named “fw.bin” During the memory dump process you may see a few errors, generally it's not a problem, but if in the next step you couldn't extract the keys, repeat the process from this step (step 4) again and continue. 5- Download the rigup tool from this URL: http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip . For this step I used my MacOS X machine and simply build the executable file from the source code by running this command in the same folder which the downloaded file has been extracted: make if you have a windows machine, you have to compile the file yourself (I don't know which compiler and which settings is required). You can extract the keys from the dump file with this tool as well: http://gotroot.ca/rigol/rigup-0.4.2-x86_64-win.zip (this is just extraction, to generate the license keys, you have to use the MSO1000z version of rigup). 6- Copy the fw.bin file (obtained from step 4) in to the same folder which you have extracted the rupup tool and run the following command: rigup-0.4.2-x86_64-win.exe scan fw.bin > keys.txt (of course you may need to modify the command, correct executable file name and paths and etc…) Once the command finishes, you can check the extracted keys with this command: type keys.txt You must have a file contains something like this: Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com RC5KEY1: 6CDBAC1CCE16B5048F2425237A8A0EF4 RC5KEY2: CFFED4830820DAA382AE39E5ACCDA639 XXTEAKEY: E141B9AE1AA4773F5CF9B5B9341DB788 PUBKEY: 005497018B62F230 PRIVKEY: 0099FC5DFBE778D0 SERIAL: DS1ZC182871920 If you have a generated file like this, bingo, you're almost done. The rest is generating the license keys. I assume generating the license codes are well documented and it's not required to mention it again here. However if you had any problem, please let us know and we'd help. |
| borisbees:
I bought a Rigol DP711 power supply recently and came across this thread while researching. It looks like no-one has published anything about this model yet, so I'm taking a shot. The DP711 uses a Winbond W25Q128FV (16MB) SPI flash chip to store its firmware and user settings. This chip supports Dual and Quad SPI, but it's hard-wired for standard SPI operation - HOLD/RESET, and WP (write protect) are directly connected to VCC. It's located on the digital board behind the screen, under the screen's flat-flex connector, and it's an easy-to-probe VSOP package. Initially I used a logic analyzer to watch reads and writes during startup and various operations, but I've recently dumped the whole flash contents via a microcontroller. Conveniently, the Winbond chip lets you issue a single read command for address 0x0 and proceed to clock out its entire memory. The DP711 doesn't appear to touch the flash when left idling on the main screen, but it has a fairly strong pull-up on the chip-select pin of the flash when idle. Connecting CS to ground through a 100 ohm resistor was enough to overcome this without issue for an extended period of time. I've only had a cursory look at the full firmware dump at this time. The rigup scan tool didn't find anything, so Rigol may have changed something in this model... One thing that stuck out like a sore thumb however was this: 000ce00a 00 00 00 00 00 31 32 33 34 35 36 00 00 00 01 05 |.....123456.....| It shouldn't have needed a logic analyzer to find, but that's the System -> Calibration screen password :palm: I'll post more once I've had a better look at the flash dump. |
| Navigation |
| Message Index |
| Next page |
| Previous page |