Products > Test Equipment
Sniffing the Rigol's internal I2C bus
(1/899) > >>
andyturk:
Quick Links:

#2446: buergi's "information needed to memdump [a] DS2KA"


All the talk of Rigol hacks got me curious about what goes on inside my DS1102E's non-volatile RAM. There's a FM24CL04 chip on the main board and as a prelude to hacking some more expensive equipment, I thought I'd break out the soldering iron and turn my 1102E into a guinea pig:



A logic analyzer shows decodable activity on those lines. Here's (the first part) of what happens when I change the timebase from 20ms/div to 50ms/div:



I'm not sure how to decipher it yet, but since the horizontal timebase is restored on power-up, the I2C activity is probably how the mcu saves that particular piece of information.

Attached is a .zip with two logic analyzer (Saleae Logic16) dumps. The small one is when I changed the horiz timebase. The big one is what goes on when the scope boots up.

Does anyone have suggestions on a good way to decode this data? The Saleae app seems OK, but it's hard to see more than a few bytes on the screen at once. It'd be much nicer to get a text dump of reads/writes by address.

PS. I forgot to probe the two address pins on the FRAM chip while I had the case open.  :palm: I suspect they're wired to GND though. I.e., the FRAM will be responsive to addresses like 0b101000XX.
kfitch42:
Don't have a Salea, never used their software before...
I downloaded it, opened one of the files, clicked on the 'gear' next to I2C, clicked export... The format of the generated text file isn't spectacular (the formatting of the 'data' column is annoyingly inconsistent). But, thats nothing a few lines of python/perl couldn't fix
ve7xen:
Something like a Bus Pirate, or Arduino or whatever that has a hardware I2C interface. As I understand it, most of these USB analyzers rely on buffering and can't do 'realtime' decoding, or store enough samples to capture long or infrequent-ish events.

I would first get a full image of the FRAM, and then decode each change and map controls (e.g. vertical gain) to bytes in the memory. Hopefully you can build a map of what goes where, which will get you started on figuring out what values mean what. If the DS1102 firmware is similar to the DS2000 series, it will read the entire FRAM sequentially at boot.
andyturk:

--- Quote from: ve7xen on May 17, 2013, 05:10:33 pm ---Something like a Bus Pirate, or Arduino or whatever that has a hardware I2C interface. As I understand it, most of these USB analyzers rely on buffering and can't do 'realtime' decoding, or store enough samples to capture long or infrequent-ish events.

I would first get a full image of the FRAM, and then decode each change and map controls (e.g. vertical gain) to bytes in the memory. Hopefully you can build a map of what goes where, which will get you started on figuring out what values mean what. If the DS1102 firmware is similar to the DS2000 series, it will read the entire FRAM sequentially at boot.

--- End quote ---
I'll have a Bus Pirate sometime next week.

Just looking at the amount of stuff that goes by at boot, I'd guess that the 1102 is reading the entire FRAM too. Calculating a checksum, maybe?

Has someone done a similar experiment with the DS2000/4000? Ultimately, that's where I'm headed. But if I'm going to brick a scope, I'd rather it be a cheap one.  :P
ve7xen:

--- Quote from: andyturk on May 17, 2013, 06:35:26 pm ---I'll have a Bus Pirate sometime next week.

--- End quote ---
When I did this I had to dick around with custom (faster than the firmware lets you set) baud rates to get it to be fast enough during the long initial read. It did end up working well enough to capture the bootup though; a quick Python hack and I had a binary image file.



--- Quote from: andyturk on May 17, 2013, 06:35:26 pm ---Just looking at the amount of stuff that goes by at boot, I'd guess that the 1102 is reading the entire FRAM too. Calculating a checksum, maybe?
--- End quote ---
The DS2000 has a checksum. IIRC it was CRC32 in the last 4 bytes, but whatever it was it was trivial to find. So that's probably a good guess.


--- Quote ---Has someone done a similar experiment with the DS2000/4000? Ultimately, that's where I'm headed. But if I'm going to brick a scope, I'd rather it be a cheap one.  :P
--- End quote ---
I did, but I just used clip leads and didn't leave it permanently connected. Kept it on for long enough to capture an image but that's about it, I needed to use the scope :P.
Navigation
Message Index
Next page
There was an error while thanking
Thanking...

Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod