Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1619576 times)

0 Members and 1 Guest are viewing this topic.

Offline sorin

  • Frequent Contributor
  • **
  • Posts: 272
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4450 on: April 13, 2020, 02:18:13 pm »
Where did you find 03_06_00_00 ?
The last version on Rigol website is 03.05.04.00.
Did the Oscilloscope arrived with 03.06.00.00 preinstalled?
 

Offline ossilampe

  • Newbie
  • Posts: 2
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4451 on: April 13, 2020, 02:37:53 pm »
Hello sorin

I bought the device for use approx. 650 € Unfortunately all decoders are locked and I have to be able to use them


here is the 00_03_06_00

http://gotroot.ca/rigol/
 

Offline bigboss59

  • Newbie
  • Posts: 4
  • Country: fr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4452 on: April 15, 2020, 07:47:52 pm »
Hello,

Is there any other method than the rigup one to unlock a DS1074Z plus ?
If not do you know if it will work with :
FW 4.04.SP4
board version 2.1.4

The last success I can found is in 2017 (lifeclock) with :
Software Version: 00.04.04.SP1
Board Version: 6.1.4

Best regards
 

Offline Gixy

  • Regular Contributor
  • *
  • Posts: 220
  • Country: fr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4453 on: April 16, 2020, 07:21:56 am »
I saw that this 00.03.06.00 release is available, but didn't install it as I could'nt find any release notes. The .zip file contains only the binary and nobody knows anything about this release.
 

Offline xyybob

  • Contributor
  • Posts: 7
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4454 on: May 08, 2020, 11:54:29 pm »
I've just got myself a DS1074Z Plus and try as I might I cannot get the 'hack' to work. I've read out the memory dump with a USB Blaster clone and scanned the dump for the keys etc. but rigup just seems to produce invalid licenses.

Software is 00.04.04.SP4
Board is 2.1.4
Rigup versions 0.1, 0.4, 0.4.2

The keys produced by the scan look fair enough and are consistent across versions of rigup so I have to assume they're ok.

Does anyone know if this still works?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2377
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #4455 on: May 09, 2020, 08:50:10 am »
Everything still works.
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1726
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4456 on: May 09, 2020, 08:53:09 am »
Everything still works.
Is the Riglol web page here still working properly? I heard a while back that some people had issues with it.
If at first you don't succeed, get a bigger hammer
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2377
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #4457 on: May 09, 2020, 08:54:28 am »
I read the host had made some corrections. It was in the webpages, not the algo in itself.
 
The following users thanked this post: Gandalf_Sr

Offline xyybob

  • Contributor
  • Posts: 7
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4458 on: May 09, 2020, 11:12:06 am »
Glad to hear it still works - however not for me so far!

Please could you point me to the specific version of rigup that does work. Bear in mind that its for the DS1074Z Plus and I understand that there may be different versions for MSO etc. As you can see in previous post I've tried a few but I think I'm missing something there.

Also, I've tried running it like this:

'rigup license <my_scanned_keys_file.txt> DSEA', (for the DS version)

and like this:

'rigup license <my_scanned_keys_file.txt> 0x1C080' (for the MSO version)

neither produced a valid response.

Please, If anyone could point out where I'm going wrong I'd be very grateful.

Thanks for helping me out
 

Offline xyybob

  • Contributor
  • Posts: 7
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4459 on: May 11, 2020, 11:21:14 am »
Sorry about this, very noob question - apologies in advance. How do I get the links inserted into these posts that go to previous replies in the thread (or other threads...) to work?

e.g. if I click on:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg432125/#msg432125
I get dumped back to the main list of topics!

Or alternatively, how do I decode the message number? e.g., in the link above 'msg432125', there aren't 432125 messages in the thread so how do I get to that message?
 

Online JDubU

  • Frequent Contributor
  • **
  • Posts: 366
  • Country: us
 
The following users thanked this post: xyybob

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1726
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4461 on: May 14, 2020, 02:14:11 pm »
Sorry about this, very noob question - apologies in advance. How do I get the links inserted into these posts that go to previous replies in the thread (or other threads...) to work?

e.g. if I click on:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg432125/#msg432125
I get dumped back to the main list of topics!

Or alternatively, how do I decode the message number? e.g., in the link above 'msg432125', there aren't 432125 messages in the thread so how do I get to that message?
Find the message that you want to link to on any given page and click on the bold heading; that message will move to the top of your browser window and you will see a URL in your browser that ends in #msg43215.  Highlight and copy that whole URL.

You can just paste the URL into your message but there's a cleaner way:
1. With a previously copied URL in the clipboard, write the text you want to use as the link and then highlight using the cursor
2. Click the 'Insert Hyperlink' button (the one under italics); now you'll see {url=}text you highighted{/url} (I've used curly rather than square brackets so I can show you the method)
3. Position your cursor immediately after the '=' sign and paste in your URL.
4. Hit [Preview] to check that it looks OK.

You can also type in the URL codes in square brackets to achieve the same effect but I think it's easier to use the button.
If at first you don't succeed, get a bigger hammer
 
The following users thanked this post: xyybob

Offline xyybob

  • Contributor
  • Posts: 7
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4462 on: May 14, 2020, 08:15:20 pm »
Sorry, but I was trying to click on existing links in previous messages, not trying to add links in. I was getting nowhere with it and I didn't notice the typos.

However, thanks for the help - much appreciated!

EDIT:
This was the particular message that I was referring to:
https://www.eevblog.com/forum/testgear/ds1000z-serie-unlocking/msg491026/#msg491026
« Last Edit: May 14, 2020, 08:22:26 pm by xyybob »
 

Offline Dolence

  • Newbie
  • Posts: 4
  • Country: br
Re: Sniffing the Rigol's internal I2C bus
« Reply #4463 on: September 11, 2020, 05:57:21 pm »
Just got a DS1074Z PLUS (not S version) for myself. After much reading I have some questions.

1) The modified fw method described by the user Daruosha would apply to this unit? Reading some more I understood it's for DS and Plus is actually an MSO. I gues DS1074Z PPLUS is actually an MSO1074Z, is it right?
2) If not, would an Atmel JTAG ICE MKII or XLINX Platform Cable USB JTAG work for jtag dumping?
3) It's still doable?
« Last Edit: September 11, 2020, 07:26:56 pm by Dolence »
 

Offline Dolence

  • Newbie
  • Posts: 4
  • Country: br
Re: Sniffing the Rigol's internal I2C bus
« Reply #4464 on: September 16, 2020, 03:43:15 pm »
Is this topic dead?
 

Offline PeDre

  • Regular Contributor
  • *
  • Posts: 237
  • Country: at
    • Private Website
 
The following users thanked this post: Dolence

Offline Dolence

  • Newbie
  • Posts: 4
  • Country: br
Re: Sniffing the Rigol's internal I2C bus
« Reply #4466 on: September 16, 2020, 06:03:19 pm »
Mine come with packages unlocked from factory(no time restriction). Is there any benefit from this? Like upgrade from 70mhz to 100mhz?
 

Offline xyybob

  • Contributor
  • Posts: 7
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4467 on: October 28, 2020, 03:47:15 pm »
I have worked with members of this site to try to unlock the DS1074Zplus but not been able to do it. Looks like it can't be done!
 

Offline S. Petrukhin

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4468 on: November 02, 2020, 12:16:09 am »
Hold on... In one of the topics here, a person asked for the source codes of Rigol scope based on the GPL license...  :)
And sorry for my English.
 

Offline joezilla86

  • Newbie
  • Posts: 2
Re: Sniffing the Rigol's internal I2C bus
« Reply #4469 on: December 07, 2020, 05:14:48 pm »
I have worked with members of this site to try to unlock the DS1074Zplus but not been able to do it. Looks like it can't be done!

Sure, it can. You have to use rigup, not riglol.

I'm in a similar boat to xyybob. I have a DS1104Z Plus, I've done the memory dump using konnor's firmware, I've scanned the bin file and generated a keys.txt, but all of the license codes I generate say they are invalid. Someone up above said there's something you need to change in rigup prior to compiling, but I must be missing where to do that. I didn't compile rigup anyway, I used http://gotroot.ca/rigol/rigup-0.4-mso1000z-with-bins.zip which was the which was the version most recently posted on the site.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2377
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #4470 on: December 09, 2020, 01:13:12 pm »
XMAS 2020 GIFT to the whole RIGUP community    :D

There is a bug in the rigup source code that makes certain scopes to not accept the licenses generated by any rigup version.

(I know this is pretty old stuff but the error is there... has always been.)

The option licenses are based on a hash of a string that has this format:  SERIAL_NUM + OPTION_CODE + XXTEA_KEY

The problem is with the XXTEA_KEY. Certain XXTEA keys contain NULL bytes. Current rigup source code always concatenates the 16 bytes of the XXTEA but that is wrong!

All 00s should be removed from the hash buffer when adding the XXTEA key (and the hash buffer size adjusted accordingly).

All those who have problems licensing, MS1000Z+, etc. please check your XXTEA keys (to see if you have 00s) and you'll be able to verify this.

Now it's up to rigup hosts to correct the available software versions.
 
The following users thanked this post: egonotto, geo999, coromonadalix, DaBone_206

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1237
  • Country: pt
    • VMA's Satellite Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #4471 on: December 10, 2020, 07:59:27 am »
 :-+

Offline joezilla86

  • Newbie
  • Posts: 2
Re: Sniffing the Rigol's internal I2C bus
« Reply #4472 on: December 12, 2020, 08:36:01 pm »
Thanks tv84 for your help! My XXTEA_KEY did have an occurrence of a 00 and was generating invalid keys until tv84 took a look and was able to get me a valid unlock key.
 

Offline KK1L

  • Contributor
  • Posts: 17
  • Country: us
    • KK1L
Re: Sniffing the Rigol's internal I2C bus
« Reply #4473 on: December 21, 2020, 03:44:39 pm »
Just got a DS1074Z PLUS (not S version) for myself. After much reading I have some questions.

1) The modified fw method described by the user Daruosha would apply to this unit? Reading some more I understood it's for DS and Plus is actually an MSO. I gues DS1074Z PPLUS is actually an MSO1074Z, is it right?

Yes. The MSO1074Z comes with the logic probes included. The DS1074Z Plus does not. Only difference is the branding.


73 es God Bless de KK1L, Ron <><
 

Offline KK1L

  • Contributor
  • Posts: 17
  • Country: us
    • KK1L
Re: Sniffing the Rigol's internal I2C bus
« Reply #4474 on: January 05, 2021, 10:55:10 pm »
I have been trying to get a memory dump of my DS1074Z-S Plus through the JTAG port having given up getting a back level firmware loaded to access via SCPI on the LAN. I hesitate to ask here, but I am at my wits end. I have learned a great deal about OCD, JTAG access, etc in the many days I have dedicated to this endeavor. And am grateful for the all the great information especially on EEVBLOG which has allowed me to make the progress I have.

Using SiSpeed dongle with FT2232 with TMS/TCK/TDI/TDO and RST. RST is connected to SRST on the 1074Z. There is only the one reset signal, so I have to soft reset the TAP.
I seem have the interface signals defined correctly (finally!) as I can reset the scope with a reset command, and jtag arp_init comes back clean.
My problem is that I eventually get a timeout error "waiting for SYSCOMP & DBGACK". I have gotten as large as a 2MB file or so, and as small as 8k. Driving me nuts.

> jtag init
> halt
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x20000013 pc: 0x4003957c
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> dump_image mso1074z.bin 0x40000000 0x3FFFFFF
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 4


I have been trying a variety of adapter speeds, delay and timing configurations, TDO clocking edge rise/fall, etc. I do not rely on a reset command between tries. I will power cycle both the dongle and the 1074Z.

Is there a clue someone might have for me? Happy to share more detail about what I have tried.

Thanks!

73 es God Bless, KK1L Ron <><
 
73 es God Bless de KK1L, Ron <><
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf