Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1825559 times)


Offline DaBone_206

  • Newbie
  • Posts: 4
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4400 on: July 15, 2018, 08:46:07 pm »
Hello everybody,
I own a Rigol MSO1074Z-S. All attempts to hack it have failed so far :scared:.
System Information:
SW. V.: 00.04.04.SP3
Board Version: 6.1.1

I used all the rigup versions that are available, but none leads to success.
For example, with option 0x1C001, I always get the following license key: AQSNGP3-JGLNNNH-ZDW33MA-WEX59CM
For 2 years I have tried again and again to hack my Oszi, so far without success. What am I doing wrong?
I have attached my dump; maybe one gets another license key.
https://www.dropbox.com/s/5ct1bipb1pdexnc/mso1074z.bin?dl=1
« Last Edit: July 15, 2018, 08:48:05 pm by DaBone_206 »
 

Offline DaBone_206

  • Newbie
  • Posts: 4
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4401 on: July 16, 2018, 06:17:36 pm »
What do these strange characters mean in the hashing?
 

Offline djdanielb

  • Newbie
  • Posts: 4
  • Country: it
Re: Sniffing the Rigol's internal I2C bus
« Reply #4402 on: October 19, 2018, 08:56:12 am »
Hi all, I'm DjDaniel.

I've just bought a DP711 power
Is there some solution to activate the extra features ?

Thank you a lot
« Last Edit: October 24, 2018, 10:30:39 pm by djdanielb »
 

Offline entropie

  • Newbie
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4403 on: November 09, 2018, 07:36:33 am »
However if you had any problem, please let us know and we'd help.

hi there,
I own a Rigol MSO1074Z.

post #4400
1)-5) works fine for me,
i get a dump file from oszi (256mb)

6) there is a problem...
rigup-0.4.2-x86_64-win.exe scan fw.bin > keys.txt

gives me a "failed, No keys"

tried with many dumps, what is going wrong?

please help a newcomer ;)
thanx..............
« Last Edit: November 09, 2018, 07:46:05 am by entropie »
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2681
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4404 on: November 09, 2018, 07:45:14 am »
hi there,
I own a Rigol MSO1074Z.

#4400
1)-5) works fine for me,
i get a dump file from oszi (256mb)

6) there is a problem...
rigup-0.4.2-x86_64-win.exe scan fw.bin > keys.txt

gives me a "failed, No keys"

tried with many dumps, what is going wrong?

please help a newcomer ;)
thanx..............

Are you definitely using the MSO rigup? There's a specific version of rigup for the MSO that's different to the DSO version.

McBryce.
30 Years making cars more difficult to repair.
 

Offline entropie

  • Newbie
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4405 on: November 09, 2018, 07:56:59 am »
i used this :

You can extract the keys from the dump file with this tool as well:
http://gotroot.ca/rigol/rigup-0.4.2-x86_64-win.zip

« Last Edit: November 09, 2018, 08:05:04 am by entropie »
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2681
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4406 on: November 09, 2018, 09:23:29 am »
Use the MSO specific one he links to here:

5- Download the rigup tool from this URL: http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip . For this step I used my MacOS X machine and simply build the executable file from the source code by running this command in the same folder which the downloaded file has been extracted:

McBryce.
30 Years making cars more difficult to repair.
 
The following users thanked this post: entropie

Offline entropie

  • Newbie
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4407 on: November 09, 2018, 10:41:42 am »
ok,
got the keys :)

but now I am stuck here..........

If you have a generated file like this, bingo, you're almost done. The rest is generating the license keys. I assume generating the license codes are well documented and it's not required to mention it again here.

I can not find a working license generator.
please be patient with me.............. :palm:
 

Offline entropie

  • Newbie
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4408 on: November 09, 2018, 03:42:28 pm »
At this point I am very confused and can not continue.
All generated licenses do not work

for example:
9CL3SZS-EWH9JYW-RRNXMYP-4D5PMSM    (NSH9 = 0x1C0FF)
That should not be (CSHY = 0x1C0FF) ??

I ask for help, otherwise I send the oszi into hell ... >:D

please....... :scared:

« Last Edit: November 10, 2018, 08:22:16 am by entropie »
 

Offline entropie

  • Newbie
  • Posts: 5
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4409 on: November 10, 2018, 08:23:53 am »
finally...........

got it to work with the right software,
many thanks to all supporters....:clap:
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6212
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4410 on: November 10, 2018, 11:44:33 am »
got it to work with the right software,
many thanks to all supporters....:clap:

So, for the benefit of others who might read this later -- could you briefly summarize what you got wrong initially, and what constitutes "the right software"? Thanks!
 

Offline ab#FFFF

  • Newbie
  • Posts: 7
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4411 on: January 26, 2019, 06:13:21 am »
Can some1 please help me?

I have a MSO1104 scope and I tried to enable all features over LAN. Following Daruosha's procedure, I upgraded the scope, then I dumped the fw.bin (~260Megs) a few times, but for some reason the tool rig 0.4.1 is unable to find the keys (I compiled the tool under OSX with make clean/ make all). I tried the windows tool 0.4.2 but with the same result.
The keys.txt looks like this:

rigup scan - Version 0.4.1

        Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com

I'm wondering what is wrong? Can some1 help?
thanks,
-a
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4412 on: January 26, 2019, 06:22:09 am »
Can some1 please help me?

I have a MSO1104 scope and I tried to enable all features over LAN. Following Daruosha's procedure, I upgraded the scope, then I dumped the fw.bin (~260Megs) a few times, but for some reason the tool rig 0.4.1 is unable to find the keys (I compiled the tool under OSX with make clean/ make all). I tried the windows tool 0.4.2 but with the same result.
The keys.txt looks like this:

rigup scan - Version 0.4.1

        Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com

I'm wondering what is wrong? Can some1 help?
thanks,
-a

There's a bug in the rigup scan tool. I don't remember what the exact bug was and where it was, but I remember you can fix it easily in the source code and build it yourself. Contact me over PM and send me your dump file. I'll try to help you extract the keys.
 
The following users thanked this post: ab#FFFF

Offline ab#FFFF

  • Newbie
  • Posts: 7
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4413 on: January 26, 2019, 03:35:27 pm »
Thanks Daruosha for your help.

... the last step seems to be to generate the keys by running rigup (0.4.1) with license option then use the serials for activation:

rigup license keys.txt option (ex.: rigup license keys.txt 0x1C001)

option (list of hex values):
(CSAR = 0x1C001) Triggers
(CSAB = 0x1C002) Decoders
(CSA3 = 0x1C004) Mem-depth
(CSAJ = 0x1C008) Recorder
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.
(CS3A = 0x1C080) Bandwidth (100MHz)
(CSHY = 0x1C0FF) All
 

Offline ab#FFFF

  • Newbie
  • Posts: 7
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4414 on: January 26, 2019, 03:45:39 pm »
The rigup utility needs to be tweaked to work with some of the MSO1000Z for correct key extraction; so, before compiling rigup 0.4.1, check the posting below and modify utils.c accordingly if needed:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/msg1191044/#msg1191044

hope this helps,
-a
« Last Edit: January 27, 2019, 12:01:57 am by ab#FFFF »
 
The following users thanked this post: Daruosha

Offline sv1eia

  • Contributor
  • Posts: 14
  • Country: gr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4415 on: January 27, 2019, 12:34:13 pm »
With the help of new patched firmware developed by our forum member, @konnor,  you can take the memory dump of MSO1000z series scopes and extract the keys from the dump, no JTAG adaptor or any hardware effort or taking the scope apart is required anymore.

1- Download the patched firmware from the first post of this thread:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1467130/#msg1467130
You have to download the two split files, rename their extension to “rar” and extract the DS1000ZUpdate.GEL file out of the archive.

..

Hi,

My DS1104ZPlus has fw version 00.04.04.03.05 and the patched firmware is 00.04.04.03.02, so I think the instrument does not allow a downgrade, right?
How can we overcome this?

Or am I missing something?

 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4416 on: January 27, 2019, 01:00:11 pm »
With the help of new patched firmware developed by our forum member, @konnor,  you can take the memory dump of MSO1000z series scopes and extract the keys from the dump, no JTAG adaptor or any hardware effort or taking the scope apart is required anymore.

1- Download the patched firmware from the first post of this thread:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1467130/#msg1467130
You have to download the two split files, rename their extension to “rar” and extract the DS1000ZUpdate.GEL file out of the archive.

..

Hi,

My DS1104ZPlus has fw version 00.04.04.03.05 and the patched firmware is 00.04.04.03.02, so I think the instrument does not allow a downgrade, right?
How can we overcome this?

Or am I missing something?

You can change the patched firmware version code and its CRC value to match the new version number. The details are all in a separate topic about Rigol .GEL file reverse engineering.


 

Offline sv1eia

  • Contributor
  • Posts: 14
  • Country: gr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4417 on: January 27, 2019, 01:15:48 pm »

You can change the patched firmware version code and its CRC value to match the new version number. The details are all in a separate topic about Rigol .GEL file reverse engineering.


Thanks but that is pretty much difficult for me to figure out how to do it without any other info.
Any link? or even the topic's name?

Even though, IMHO if that is the only solution, then there is indeed a major problem if we want to move on with konnor's solution.
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4418 on: January 27, 2019, 01:25:12 pm »

You can change the patched firmware version code and its CRC value to match the new version number. The details are all in a separate topic about Rigol .GEL file reverse engineering.


Thanks but that is pretty much difficult for me to figure out how to do it without any other info.
Any link? or even the topic's name?

Even though, IMHO if that is the only solution, then there is indeed a major problem if we want to move on with konnor's solution.

You can find the details here:
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/

However I'll try to patch the latest version with konnor's stuff and post it on the same thread.
 

Offline sv1eia

  • Contributor
  • Posts: 14
  • Country: gr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4419 on: January 27, 2019, 01:29:26 pm »

However I'll try to patch the latest version with konnor's stuff and post it on the same thread.

That's nice, this will certainly help many.
 

Offline N2tl

  • Newbie
  • Posts: 4
Re: Sniffing the Rigol's internal I2C bus
« Reply #4420 on: July 17, 2019, 01:50:25 am »
I don’t think the DS2000 (non-A version) has hardware support for 50-ohm termination, does it?
« Last Edit: July 17, 2019, 01:57:51 am by N2tl »
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 399
  • Country: us
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #4421 on: July 17, 2019, 02:27:48 am »
I don’t think the DS2000 (non-A version) has hardware support for 50-ohm termination, does it?
You are correct, there isn't any 50 ohm termination capability in the DS2000 (non A).
 

Offline JDubU

  • Frequent Contributor
  • **
  • Posts: 438
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4422 on: July 17, 2019, 05:33:49 am »
Actually, there was a brief overlap in hardware versions between the DS2000 and DS2000A.  DS2000 started with hardware v1.xx but transitioned to hardware v2.xx just before the DS2000A was announced.  DS2000A only uses v2.xx hardware.  The relay controlled 50 ohm input terminator is implemented on hardware v2.xx but only the DS2000A allows it to be enabled from the front panel.  It can be enabled on a DS2000 (that has v2.xx hardware) only via SCPI command.
« Last Edit: July 17, 2019, 05:43:42 am by JDubU »
 

Offline RetroDan™

  • Contributor
  • Posts: 15
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4423 on: February 27, 2020, 03:06:28 am »
Successfully hacked my MSO1074Z-S.  If I upgrade the firmware to the most recent, will I lose my hacks?
(**A new 3rd Edition** companion is in preparation, expected publication 4Q15: “Learning the Art of Electronics — A Hands-on Approach”)
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2681
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4424 on: February 27, 2020, 07:26:21 am »
Successfully hacked my MSO1074Z-S.  If I upgrade the firmware to the most recent, will I lose my hacks?

I can't say 100% for the MSO1074Z-S, but for other devices including my MSO-1104-Z the hacks are still there after several FW updates.

McBryce.
30 Years making cars more difficult to repair.
 

