Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1467816 times)


Offline borisbees

  • Newbie
  • Posts: 3
  • Country: 00
Sniffing the Rigol DP711's flash (may apply to DP712 too)
« Reply #4400 on: May 08, 2018, 04:47:25 am »
I bought a Rigol DP711 power supply recently and came across this thread while researching. It looks like no one has published anything about this model yet, so I'm taking a shot.

The DP711 uses a Winbond W25Q128FV (16MB) SPI flash chip to store its firmware and user settings. This chip supports Dual and Quad SPI, but it's hard-wired for standard SPI operation - HOLD/RESET and WP (write protect) are directly connected to VCC. It's located on the digital board behind the screen, under the screen's flat-flex connector, and it's an easy-to-probe VSOP package.

Initially I used a logic analyzer to watch reads and writes during startup and various operations, but I've recently dumped the whole flash contents via a microcontroller. Conveniently, the Winbond chip lets you issue a single read command for address 0x0 and proceed to clock out its entire memory. The DP711 doesn't appear to touch the flash when left idling on the main screen, but it has a fairly strong pull-up on the chip-select pin of the flash when idle. Connecting CS to ground through a 100 ohm resistor was enough to overcome this without issue for an extended period of time.

I've only had a cursory look at the full firmware dump at this time. The rigup scan tool didn't find anything, so Rigol may have changed something in this model... One thing that stuck out like a sore thumb however was this:


000ce00a  00 00 00 00 00 31 32 33  34 35 36 00 00 00 01 05  |.....123456.....|


It shouldn't have needed a logic analyzer to find, but that's the System -> Calibration screen password  :palm:

I'll post more once I've had a better look at the flash dump.
 
The following users thanked this post: Daruosha, djdanielb
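
A worked example of the two things described in the post above, added here and not code from borisbees' post: framing the W25Q128FV's standard 0x03 READ command (one command at address 0, then keep clocking), and scanning a linear dump for cleartext, NUL-delimited strings so that a value like the calibration password shows up from the image alone. The sample image, its offsets and the strings placed in it are constructed for the demonstration; a real 16 MB dump would be read from a file instead.

```python
"""Scan a raw SPI-flash dump for cleartext secrets.

Added example, not code from the forum post. Assumptions: the dump is a
linear image of the W25Q128FV read out from address 0 with the standard
0x03 READ command; the sample image, its offsets and the strings placed
in it are constructed here for the demonstration.
"""
import re
import sys

FLASH_SIZE = 16 * 1024 * 1024  # W25Q128FV: 128 Mbit = 16 MiB


def w25q_read_command(addr: int) -> bytes:
    """Command frame for the standard SPI READ (0x03): opcode + 24-bit address.

    Once these four bytes have been shifted out, the chip keeps returning
    consecutive bytes for as long as CS stays low and SCK keeps running,
    which is why one command at address 0 clocks out the whole array.
    """
    if not 0 <= addr < FLASH_SIZE:
        raise ValueError(f"address 0x{addr:x} is outside the 16 MiB array")
    return bytes([0x03]) + addr.to_bytes(3, "big")


def hexdump_line(data: bytes, offset: int) -> str:
    """Sixteen bytes from `offset` in `hexdump -C` layout: offset, 8+8 hex, ASCII."""
    chunk = data[offset:offset + 16]
    left = " ".join(f"{b:02x}" for b in chunk[:8])
    right = " ".join(f"{b:02x}" for b in chunk[8:])
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return f"{offset:08x}  {left:<23}  {right:<23}  |{text}|"


def find_c_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for NUL-terminated runs of printable ASCII.

    This is what `strings -n` reports, with the offsets kept so that each
    hit can be located in the image again.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def find_numeric_passwords(data: bytes, min_len: int = 4, max_len: int = 12):
    """NUL-delimited all-digit strings: short PIN-like values stored in cleartext.

    Requiring a NUL on both sides filters out digits that are merely part of
    a longer string (a version number, a model name) or of binary data.
    """
    pattern = re.compile(rb"(?<=\x00)[0-9]{%d,%d}(?=\x00)" % (min_len, max_len))
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def report(data: bytes, hits, context: int = 5):
    """One hexdump line per hit, starting a few bytes before it, as in the post."""
    return [hexdump_line(data, max(off - context, 0)) for off, _ in hits]


def build_sample_image() -> bytes:
    """Constructed stand-in for the real dump (values and offsets are made up)."""
    img = bytearray(b"\xff" * 0x400)                      # erased flash reads 0xFF
    img[0x100:0x10a] = b"DP711\x00\x00\x00\x00\x00"       # a NUL-terminated name
    img[0x200:0x210] = b"\x00\x00\x00\x00\x00123456\x00\x00\x00\x01\x05"  # PIN-like record
    img[0x300:0x310] = bytes(range(0x30, 0x40))           # digits with no NUL around them
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print("READ from 0:", w25q_read_command(0).hex())
    for off, s in find_c_strings(data):
        print(f"string   0x{off:06x}: {s!r}")
    for line in report(data, find_numeric_passwords(data)):
        print("numeric ", line)
```

Running it with a dump path as the only argument scans that file instead of the constructed image; the digit run at 0x300 in the sample is deliberately not NUL-delimited and is ignored by both finders, which is the filter that keeps version numbers and binary data out of the candidate list.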

Offline DaBone_206

  • Newbie
  • Posts: 4
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4401 on: July 15, 2018, 08:46:07 pm »
Hello everybody,
I own a Rigol MSO1074Z-S. All attempts to hack it have failed so far  :scared:.
System Information:
SW. V.: 00.04.04.SP3
Board Version: 6.1.1

I used all the rigup versions that are available, but none leads to success.
For example, with option 0x1C001, I always get the following license key: AQSNGP3-JGLNNNH-ZDW33MA-WEX59CM
For two years I have tried again and again to hack my scope, so far without success. What am I doing wrong?
I have attached my dump; maybe someone gets another license key.
https://www.dropbox.com/s/5ct1bipb1pdexnc/mso1074z.bin?dl=1
« Last Edit: July 15, 2018, 08:48:05 pm by DaBone_206 »
 

Offline DaBone_206

  • Newbie
  • Posts: 4
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4402 on: July 16, 2018, 06:17:36 pm »
What do these strange characters in the hashing mean?
 

Offline djdanielb

  • Newbie
  • Posts: 4
  • Country: it
Re: Sniffing the Rigol's internal I2C bus
« Reply #4403 on: October 19, 2018, 08:56:12 am »
Hi all, I'm DjDaniel.

I've just bought a DP711 power
Is there a way to activate the extra features?

Thank you a lot
« Last Edit: October 24, 2018, 10:30:39 pm by djdanielb »
 

Offline entropie

  • Contributor
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4404 on: November 09, 2018, 07:36:33 am »
However if you had any problem, please let us know and we'd help.

Hi there,
I own a Rigol MSO1074Z.

Post #4400
Steps 1)-5) work fine for me;
I get a dump file from the scope (256 MB).

6) There is a problem...
rigup-0.4.2-x86_64-win.exe scan fw.bin > keys.txt

gives me "failed, No keys".

Tried with many dumps; what is going wrong?

Please help a newcomer ;)
Thanks..............
« Last Edit: November 09, 2018, 07:46:05 am by entropie »
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 1315
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4405 on: November 09, 2018, 07:45:14 am »
Hi there,
I own a Rigol MSO1074Z.

 #4400
Steps 1)-5) work fine for me;
I get a dump file from the scope (256 MB).

6) There is a problem...
rigup-0.4.2-x86_64-win.exe scan fw.bin > keys.txt

gives me "failed, No keys".

Tried with many dumps; what is going wrong?

Please help a newcomer ;)
Thanks..............

Are you definitely using the MSO rigup? There's a specific version of rigup for the MSO that's different to the DSO version.

McBryce.
 

Offline entropie

  • Contributor
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4406 on: November 09, 2018, 07:56:59 am »
I used this:

You can extract the keys from the dump file with this tool as well:
http://gotroot.ca/rigol/rigup-0.4.2-x86_64-win.zip

« Last Edit: November 09, 2018, 08:05:04 am by entropie »
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 1315
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4407 on: November 09, 2018, 09:23:29 am »
Use the MSO specific one he links to here:

5- Download the rigup tool from this URL: http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip . For this step I used my MacOS X machine and simply built the executable file from the source code by running this command in the same folder into which the downloaded file had been extracted:

McBryce.
 
The following users thanked this post: entropie

Offline entropie

  • Contributor
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4408 on: November 09, 2018, 10:41:42 am »
OK,
got the keys :)

But now I'm stuck here..........

If you have a generated file like this, bingo, you're almost done. The rest is generating the license keys. I assume generating the license codes are well documented and it's not required to mention it again here.

I cannot find a working license generator.
Please be patient with me.............. :palm:
 

Offline entropie

  • Contributor
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4409 on: November 09, 2018, 03:42:28 pm »
At this point I am very confused and cannot continue.
None of the generated licenses work.

For example:
9CL3SZS-EWH9JYW-RRNXMYP-4D5PMSM    (NSH9 = 0x1C0FF)
Shouldn't that be (CSHY = 0x1C0FF)??

I ask for help, otherwise I'll send the scope to hell ... >:D

please....... :scared:

« Last Edit: November 10, 2018, 08:22:16 am by entropie »
 

Offline entropie

  • Contributor
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4410 on: November 10, 2018, 08:23:53 am »
Finally...........

Got it to work with the right software;
many thanks to all supporters....:clap:
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 2994
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4411 on: November 10, 2018, 11:44:33 am »
Got it to work with the right software;
many thanks to all supporters....:clap:

So, for the benefit of others who might read this later -- could you briefly summarize what you got wrong initially, and what constitutes "the right software"? Thanks!
 

Offline ab#FFFF

  • Newbie
  • Posts: 3
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4412 on: January 26, 2019, 06:13:21 am »
Can someone please help me?

I have an MSO1104 scope and I tried to enable all features over LAN. Following Daruosha's procedure, I upgraded the scope, then dumped the fw.bin (~260 MB) a few times, but for some reason the rigup 0.4.1 tool is unable to find the keys (I compiled the tool under OS X with make clean / make all). I tried the Windows tool 0.4.2 but with the same result.
The keys.txt looks like this:

rigup scan - Version 0.4.1

        Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com

I'm wondering what is wrong? Can someone help?
thanks,
-a
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 168
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4413 on: January 26, 2019, 06:22:09 am »
Can someone please help me?

I have an MSO1104 scope and I tried to enable all features over LAN. Following Daruosha's procedure, I upgraded the scope, then dumped the fw.bin (~260 MB) a few times, but for some reason the rigup 0.4.1 tool is unable to find the keys (I compiled the tool under OS X with make clean / make all). I tried the Windows tool 0.4.2 but with the same result.
The keys.txt looks like this:

rigup scan - Version 0.4.1

        Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com

I'm wondering what is wrong? Can someone help?
thanks,
-a

There's a bug in the rigup scan tool. I don't remember what the exact bug was or where it was, but I remember you can fix it easily in the source code and build it yourself. Contact me over PM and send me your dump file. I'll try to help you extract the keys.
 
The following users thanked this post: ab#FFFF

Offline ab#FFFF

  • Newbie
  • Posts: 3
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4414 on: January 26, 2019, 03:35:27 pm »
Thanks Daruosha for your help.

... the last step seems to be to generate the keys by running rigup (0.4.1) with license option then use the serials for activation:

rigup license keys.txt option (ex.: rigup license keys.txt 0x1C001)

option (list of hex values):
(CSAR = 0x1C001) Triggers
(CSAB = 0x1C002) Decoders
(CSA3 = 0x1C004) Mem-depth
(CSAJ = 0x1C008) Recorder
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.
(CS3A = 0x1C080) Bandwidth (100MHz)
(CSHY = 0x1C0FF) All
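
An added example (not from the post above, nor from rigup itself) for composing and decoding the option value passed to `rigup license`. It assumes, from the values listed in the post, that a code is the fixed base 0x1C000 plus one low bit per feature, so 0x1C0FF is simply all eight bits set; the four-letter codes (CSAR, ...) are not modelled, because the page gives no rule for them.

```python
"""Compose, validate and decode rigup option codes.

Added example, not code from the post or from rigup. Assumption (inferred
from the values listed in the post): an option code is the base 0x1C000
with one low bit per feature, and 0x1C0FF is all eight bits set. The
four-letter codes (CSAR, CSHY, ...) are not modelled here.
"""
OPTION_BASE = 0x1C000
OPTION_MASK = 0xFF  # the eight feature bits

# Feature names as listed in the post, one bit each (inferred layout).
FEATURE_BITS = {
    "Triggers": 0x01,
    "Decoders": 0x02,
    "Mem-depth": 0x04,
    "Recorder": 0x08,
    "DG": 0x10,
    "500uV": 0x20,
    "Power Ana.": 0x40,
    "Bandwidth (100MHz)": 0x80,
}


def compose_option(*features: str) -> int:
    """Build the option code for a set of features, e.g. ("Triggers", "Mem-depth")."""
    bits = 0
    for name in features:
        if name not in FEATURE_BITS:
            raise KeyError(f"unknown feature {name!r}")
        bits |= FEATURE_BITS[name]
    return OPTION_BASE | bits


def decode_option(code: int) -> list:
    """Return the feature names a code enables; reject codes off the 0x1C000 base."""
    if code & ~OPTION_MASK != OPTION_BASE:
        raise ValueError(f"0x{code:X} does not carry the 0x1C000 base")
    bits = code & OPTION_MASK
    return [name for name, bit in FEATURE_BITS.items() if bits & bit]


def is_all_features(code: int) -> bool:
    """True for the 'All' code, 0x1C0FF (every feature bit set)."""
    return code == OPTION_BASE | OPTION_MASK


if __name__ == "__main__":
    for code in (0x1C001, 0x1C005, 0x1C0FF):
        print(f"0x{code:X}: {decode_option(code)}  all={is_all_features(code)}")
```

`compose_option("Triggers", "Mem-depth")` gives 0x1C005, and `decode_option` on that value lists exactly those two features; a code whose upper bits are not 0x1C000 is rejected rather than silently decoded, which catches a mistyped value before it is fed to `rigup license`.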
 

Offline ab#FFFF

  • Newbie
  • Posts: 3
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4415 on: January 26, 2019, 03:45:39 pm »
The rigup utility needs to be tweaked to work with some MSO1000Z units for correct key extraction; so, before compiling rigup 0.4.1, check the posting below and modify utils.c accordingly if needed:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/msg1191044/#msg1191044

Hope this helps,
-a
« Last Edit: January 27, 2019, 12:01:57 am by ab#FFFF »
 
The following users thanked this post: Daruosha

Offline sv1eia

  • Contributor
  • Posts: 14
  • Country: gr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4416 on: January 27, 2019, 12:34:13 pm »
With the help of new patched firmware developed by our forum member, @konnor,  you can take the memory dump of MSO1000z series scopes and extract the keys from the dump, no JTAG adaptor or any hardware effort or taking the scope apart is required anymore.

1- Download the patched firmware from the first post of this thread:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1467130/#msg1467130
You have to download the two split files, rename their extension to “rar” and extract the DS1000ZUpdate.GEL file out of the archive.

..

Hi,

My DS1104ZPlus has fw version 00.04.04.03.05 and the patched firmware is 00.04.04.03.02, so I think the instrument does not allow a downgrade, right?
How can we overcome this?

Or am I missing something?

 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 168
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4417 on: January 27, 2019, 01:00:11 pm »
With the help of new patched firmware developed by our forum member, @konnor,  you can take the memory dump of MSO1000z series scopes and extract the keys from the dump, no JTAG adaptor or any hardware effort or taking the scope apart is required anymore.

1- Download the patched firmware from the first post of this thread:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1467130/#msg1467130
You have to download the two split files, rename their extension to “rar” and extract the DS1000ZUpdate.GEL file out of the archive.

..

Hi,

My DS1104ZPlus has fw version 00.04.04.03.05 and the patched firmware is 00.04.04.03.02, so I think the instrument does not allow a downgrade, right?
How can we overcome this?

Or am I missing something?

You can change the patched firmware version code and its CRC value to match the new version number. The details are all in a separate topic about Rigol .GEL file reverse engineering.


 

Offline sv1eia

  • Contributor
  • Posts: 14
  • Country: gr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4418 on: January 27, 2019, 01:15:48 pm »

You can change the patched firmware version code and its CRC value to match the new version number. The details are all in a separate topic about Rigol .GEL file reverse engineering.


Thanks, but it is pretty difficult for me to figure out how to do that without any other info.
Any link? Or even the topic's name?

Even so, IMHO, if that is the only solution, then there is indeed a major problem if we want to move on with konnor's solution.
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 168
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4419 on: January 27, 2019, 01:25:12 pm »

You can change the patched firmware version code and its CRC value to match the new version number. The details are all in a separate topic about Rigol .GEL file reverse engineering.


Thanks, but it is pretty difficult for me to figure out how to do that without any other info.
Any link? Or even the topic's name?

Even so, IMHO, if that is the only solution, then there is indeed a major problem if we want to move on with konnor's solution.

You can find the details here:
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/

However I'll try to patch the latest version with konnor's stuff and post it on the same thread.
 

Offline sv1eia

  • Contributor
  • Posts: 14
  • Country: gr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4420 on: January 27, 2019, 01:29:26 pm »

However I'll try to patch the latest version with konnor's stuff and post it on the same thread.

That's nice; this will certainly help many.
 

Offline N2tl

  • Newbie
  • Posts: 4
Re: Sniffing the Rigol's internal I2C bus
« Reply #4421 on: July 17, 2019, 01:50:25 am »
I don’t think the DS2000 (non-A version) has hardware support for 50-ohm termination, does it?
« Last Edit: July 17, 2019, 01:57:51 am by N2tl »
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 366
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4422 on: July 17, 2019, 02:27:48 am »
I don’t think the DS2000 (non-A version) has hardware support for 50-ohm termination, does it?
You are correct, there isn't any 50 ohm termination capability in the DS2000 (non A).
 

Online JDubU

  • Regular Contributor
  • *
  • Posts: 235
Re: Sniffing the Rigol's internal I2C bus
« Reply #4423 on: July 17, 2019, 05:33:49 am »
Actually, there was a brief overlap in hardware versions between the DS2000 and DS2000A.  DS2000 started with hardware v1.xx but transitioned to hardware v2.xx just before the DS2000A was announced.  DS2000A only uses v2.xx hardware.  The relay controlled 50 ohm input terminator is implemented on hardware v2.xx but only the DS2000A allows it to be enabled from the front panel.  It can be enabled on a DS2000 (that has v2.xx hardware) only via SCPI command.
« Last Edit: July 17, 2019, 05:43:42 am by JDubU »
 

