Sniffing the Rigol's internal I2C bus
s1ic3r:
Yet another successful MSO1104Z all options magically turned official hack, I'll take maybe about 4% of the credit. Thank-You, Thank-You, Thank-You for all the hours of work everyone put into this project, you guys enabled a 70+ year old that can't remember what he had for breakfast to (eventually, with the help of a voltage divider, lol) get some extra functionality out of my scope.

Turns out for some of us it really is rocket science!

Thanks Again

EDIT for a recap, wall of text.


equipment:        mso1104z
firmware:          00.04.04.SP4
board version:   6.1.1

openocd-0.10.0   
OpenOCD for Windows: https://freddiechopin.info/en/download/category/4-openocd
 
rigup-0.4.1-mso1000z
thanks to ve7xen for hosting rigup tool from here: https://gotroot.ca/rigol/

For a step by step check out smgvbest's excellent post here.

Resources

Main Thread
https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/msg233647/#msg233647
Specific Steps
https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/msg569236/#msg569236
Related Thread
https://www.eevblog.com/forum/testgear/you-can_t-unlock-a-mso1000z-series-scope-without-a-memory-dump-and-other-lessons/msg772022/#msg772022
Related Thread
https://www.eevblog.com/forum/testgear/mso1104z-hackingpossible/msg862468/#msg862468

Commands are as follows:

C:\openocd-0.8.0\bin-x64\openocd-x64-0.8.0.exe -d1 -f C:\openocd-0.8.0\scripts\interface\ftdi\olimex-arm-usb-ocd-h.cfg -f C:\openocd-0.8.0\scripts\target\imx28.cfg

dump_image your_filename_here.bin 0x40000000 0x3FFFFFF

If you have no build tools in Ubuntu then sudo apt-get install build-essential

./rigup scan mso1074z.bin > mso1074z.txt

./rigup license mso1074z.txt 0x1C0xx

I elected to do the memory dump using Windows, so after getting my hands on a Segger J-Link I sat down to get to it.
I used the pinout from most excellent video for reference,


and right at the get-go I noticed that the debugger I was using outputs 5v to the target, while the scope's JTAG header takes an input of 3.3v. What I ended up doing was soldering together 3ea 1/4 W 1k resistors into a voltage divider. Worked perfectly. I will say at this point that that was the only modification in this project that didn't come directly from the resources above and someone else's hard work and know-how. Thanks guys and girls!

Anyone else using the J-Link device will need to edit the jlink.cfg file in the scripts/interface folder in OpenOCD with "adapter_khz 4000", just like that (without quotes). I also installed JLink Commander with the intention of making use of the included driver for Windows, well that didn't work so I used Zadig to replace the Segger driver with WinUSB, after a few false starts the thing was recognized by the Windows command line at 4000 kHz, which translates to about 15 or 20 min for the dump to complete. Now I will say I saw where someone else used "adapter_khz 10000" but I'm pretty sure I read somewhere the default speed was adapter_khz 4000 so I went with that. Again, I used the list of commands on the page with the above video, edit as necessary, and thanks to #ElectronicsCreators

Now I'll regress a bit and mention that I've never actually read "Sniffing the Rigol's internal I2C bus" from start to finish, but spent a goodly amount of time cherry picking what I figured was appropriate for what I was trying to accomplish. That didn't work so well. Anyhow, after getting 2-blocked time and again (read generating valid looking codes), after editing this file or that file, that fail to install, I finally decided I needed to bite the bullet and start on page 1 and just keep reading until something made sense. That happened on page 47.

The first change to the rigup (0.4.1-mso1000z is what I used) code that was suggested (commented in the file) for mso devices was in rigup-0.4.1-mso1047/src/utils.c as follows, line 241 I believe,

EDIT-
Found this post that indicates for the mso1104z at least this edit is dependent on firmware and/or board version. The firmware on my mso1104z is 00.04.04.SP4 and the edit I made is opposite from the edit required by his scope.

Just for clarity, this MSO1104Z with firmware 00.04.04.SP1 uses the sequence 0x02 0x00 0x84 0x00 0x10 0x00.
Fix: if you download the rigup-0.4.1-mso1000z.zip from gotroot.ca, open utils.c, in the function ScanKeys() uncomment the first static const and comment out the second, so it looks like this afterwards:
EDIT/


--- Code: ---
KeyData* ScanKeys(const void *data, size_t datasize)
{
  /*
    Offset Data
      0 02 00 84 00 10 00
      For mso1074z-s, use: 01 00 84 00 10 00
      6 <16 bytes of XXTEAKey>
     22 20 00
     24 <16 bytes of RC5Key1>
     40 <16 bytes of RC5Key2>
     56 08 00
     58 <8 bytes of bit-shuffled ECC public key>
     66 40 00
     68 <64 bytes of some ASCII-HEX data>
    132 <END>
  */

  const unsigned int sequenceSize = 6 + 16 + 2 + 2*16 + 2 + 8 + 2 + 64;
  //static const uint8_t seq_1_ref[] = {0x02, 0x00, 0x84, 0x00, 0x10, 0x00};
  static const uint8_t seq_1_ref[] = {0x01, 0x00, 0x84, 0x00, 0x10, 0x00};

--- End code ---

the above is after the edit:

this line was commented out:
//static const uint8_t seq_1_ref[] = {0x02, 0x00, 0x84, 0x00, 0x10, 0x00};

this line was uncommented in:
static const uint8_t seq_1_ref[] = {0x01, 0x00, 0x84, 0x00, 0x10, 0x00};

the second change was made in Makefile, line 7 or so:

from this:


--- Code: ---
LDFLAGS       := -O2 -Wl,-dead_strip


--- End code ---

to this:


--- Code: ---
LDFLAGS                := -O2 -Wl,--gc-sections -s


--- End code ---


OK, after making the edits, compiling the code and doing a ./rigup scan mso1047x.bin > mso1047.txt, I saw that the serial # on the txt file was not the same as my scope. At this point I got it into my head that until rigup generated a txt file that matched the serial # of the scope, the software wouldn't be able to come up with the correct option codes. I didn't figure out what a dumb assumption that was until I got to page 47, specifically a link to this thread,

You can't unlock a MSO1000Z series scope without a memory dump and other lessons

more specifically, this:


--- Quote ---
5. You don't need to modify rigup if you have a serial number beginning with DS1ZC

Looking at the source code of the patched rigup tool (rigup-0.4.1-mso1000z.zip), I thought it only worked for oscilloscopes with serial numbers beginning with DS1ZD. In utils.c, there's this following line:

  if ( serialNumber[4]!='D' && serialNumber[3]!='Z' && serialNumber[2]!='1' &&
  serialNumber[1]!='S' && serialNumber[0]!='D' )

  This got me concerned as my scope's serial number began with DS1ZC. Turns out this if statement never evaluates true (set a breakpoint, never hit during debug).
--- End quote ---
 
So I'm thinking to myself, it can't be as easy as editing the mso1047x.txt file with the correct ser #, could it?

Turns out it could be that easy.

Tried it and almost loaded my pants when the license code generated from:

./rigup license mso1074z.txt 0x1C0FF

enabling all options,

successfully installed!

Thanks Again
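
The serial-number check quoted in the post above, as an added example (not part of the original thread or the rigup source): it shows why a chain of `!=` tests joined with `&&` almost never fires, next to a prefix comparison that rejects on any mismatch. The function names, the assumed intent ("only DS1ZD passes") and the sample serial numbers are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The condition exactly as quoted in the post: every term must be true,
   so it fires only when ALL five leading characters are wrong.
   Caller must pass at least 5 characters (the quoted line has no length check). */
bool rejects_as_quoted(const char *sn)
{
    return sn[4] != 'D' && sn[3] != 'Z' && sn[2] != '1' &&
           sn[1] != 'S' && sn[0] != 'D';
}

/* Assumed intent (hypothetical, not rigup code): reject unless the serial
   starts with the literal prefix "DS1ZD", i.e. ANY single mismatch rejects. */
bool rejects_on_any_mismatch(const char *sn)
{
    return strncmp(sn, "DS1ZD", 5) != 0;
}

int main(void)
{
    /* Constructed sample serial numbers, not real devices. */
    static const char *samples[] = {
        "DS1ZD000000001", "DS1ZC000000002", "DS1XD000000003", "XXXXX000000004",
    };
    puts("serial           as_quoted  any_mismatch");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %-10d %d\n", samples[i],
               rejects_as_quoted(samples[i]),
               rejects_on_any_mismatch(samples[i]));
    return 0;
}
```

By De Morgan's law, "not equal to the whole prefix" is an OR of the per-character mismatches, which is why the `&&` form lets a DS1ZC serial through.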

colabri:

--- Quote from: rteodor on February 20, 2022, 08:08:28 pm ---
I want to do a backup before updating a buggy firmware on a bit different oscilloscope. Only the dump from the first bank came out properly (https://www.eevblog.com/forum/testgear/old-firmware-for-siglent-based-axiomet-oscilloscope/msg4020166/#msg4020166).

I tried to switch to the second bank with your steps. Fortunately nothing bad happened but unfortunately there was no switch.

It may be that the registers are different and right now I have no idea on how to figure them out.
Can you detail a bit on how you figured out the bank switching ?

--- End quote ---

Bank switching is rather specific to the individual hardware. There's a chance devices from the same vendor use the same (or a similar) method, but between vendors it's rather unlikely.

I had to reverse engineer the Rigol firmware to figure out how the bank switching works on the DSA815. Was the first time I did something like this and took me a couple of weeks (!). Only worth it for learning how to work with Ghidra.
kimouser6471:

--- Quote from: up8051 on January 07, 2021, 05:25:02 pm ---What is the latest firmware version for DS2072 (non-A).

At Rigol page there are only for DS2000A, is the same for non-A version?

--- End quote ---
FW 3.6 same DS2072A