DSDS2XX2A ----- HW 2.0 ----- NOT HACKABLE ----- Can buy NEW ----- See Reply #1275
If he couldn't get it to work on his DP832 either then I'm guessing he is just using the keygen incorrectly. Not necessarily, but likely. We'll see as more DS2000A units arrive.
Yea. Exactly. Only fooled around for 10 minutes. And only used input directly on the scope. And it was late (very). Chance for error? Well over 50% I reckon.
No time to pick this up right now, but FWIW the firmware version on my 832 is 00.01.06, in case anyone has any ideas in the meantime.
I have not checked which firmware versions the keygen is reported to work with. (or if there is extended system info anywhere)
Give it another try today and let us know. If you have any questions about how to generate the keys just pm me with the serial of the scope and I'll message you the keys.
Just out of curiosity, where are the steps for generating keys? I remember seeing something about elliptical encryption, but not any step by step stuff.
Well, if you're only interested in generating these Rigol keys, then there is a command line utility to do that for you. However, if you are trying to learn the math behind the technology, I'd recommend you Google it.
apelly you're our only hope... ;-)
some findings on the DS4000, sorry no revolution, just gathering background info.
poking around in the latest DS4000 GEL files I find this:
seg000:00332EC0 CA B1 BC E4 A3 BA 00 00 4F 70 74 69 6F 6E 20 4E -¦+õú¦..Option N
seg000:00332ED0 61 6D 65 3A 00 00 00 00 4F 70 74 69 6F 6E 20 54 ame:....Option T
seg000:00332EE0 79 70 65 3A 00 00 00 00 54 69 6D 65 20 4C 65 66 ype:....Time Lef
seg000:00332EF0 74 3A 00 00 6E B8 16 00 70 B8 16 00 6E B8 16 00 t:..n©.p©.n©.
seg000:00332F00 6E B8 16 00 66 B8 16 00 66 B8 16 00 66 B8 16 00 n©.f©.f©.f©.
seg000:00332F10 6E B8 16 00 06 01 5A AD 68 B6 FA 00 1C 00 00 00 n©.Z¡h·....
seg000:00332F20 66 B8 16 00 06 00 2F AD 84 B6 FA 00 4C 00 00 00 f©../¡ä·.L...
seg000:00332F30 00 00 00 00 6E B8 16 00 4F 66 66 63 69 61 6C 20 ....n©.Offcial
seg000:00332F40 56 65 72 73 69 6F 6E 00 F8 B9 16 00 AC BA 16 00 Version.°¦.¼¦.
seg000:00332F50 A0 BB 16 00 68 BC 16 00 52 53 32 33 32 BD E2 C2 á+.h+.RS232¢Ô-
seg000:00332F60 EB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Ù...............
seg000:00332F70 00 00 00 00 00 00 53 50 49 BD E2 C2 EB 00 00 00 ......SPI¢Ô-Ù...
seg000:00332F80 06 01 22 AD D0 B6 FA 00 14 00 00 00 00 00 00 00 "¡ð·.¶.......
seg000:00332F90 06 00 0B AD E4 B6 FA 00 08 00 00 00 00 00 00 00 .¡õ·........
seg000:00332FA0 49 32 43 BD E2 C2 EB 00 06 01 1E AD EC B6 FA 00 I2C¢Ô-Ù.¡ý·.
seg000:00332FB0 14 00 00 00 00 00 00 00 06 00 EA AD 00 B7 FA 00 ¶........Û¡.À·.
seg000:00332FC0 0C 00 00 00 00 00 00 00 00 00 43 41 4E BD E2 C2 .........CAN¢Ô-
seg000:00332FD0 EB 00 00 00 06 01 FF AD 0C B7 FA 00 14 00 00 00 Ù... ¡À·.¶...
seg000:00332FE0 00 00 00 00 06 00 EE AD 20 B7 FA 00 28 00 00 00 .....¯¡ À·.(...
seg000:00332FF0 00 00 00 00 46 6C 65 78 52 61 79 BD E2 C2 EB 00 ....FlexRay¢Ô-Ù.
seg000:00333000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
seg000:00333010 00 00 35 30 30 4D B4 F8 BF ED 00 00 06 01 BB AD ..500M¦°+Ý..+¡
seg000:00333020 48 B7 FA 00 14 00 00 00 00 00 00 00 06 00 92 AD HÀ·.¶........Æ¡
seg000:00333030 5C B7 FA 00 28 00 00 00 00 00 00 00 33 35 30 4D \À·.(.......350M
seg000:00333040 B4 F8 BF ED 00 00 00 00 00 00 00 00 00 00 00 00 ¦°+Ý............
seg000:00333050 00 00 00 00 00 00 00 00 00 00 32 30 30 4D B4 F8 ..........200M¦°
seg000:00333060 BF ED 00 00 06 01 77 AD 84 B7 FA 00 14 00 00 00 +Ý..w¡äÀ·.¶...
seg000:00333070 00 00 00 00 06 00 72 AD 98 B7 FA 00 0C 00 00 00 .....r¡ÿÀ·....
seg000:00333080 00 00 00 00 B5 E7 D4 B4 B7 D6 CE F6 00 00 00 00 ....ÁþȦÀÍ+÷....
seg000:00333090 06 01 57 AD A4 B7 FA 00 14 00 00 00 00 00 00 00 W¡ñÀ·.¶.......
seg000:003330A0 06 00 1B AD B8 B7 FA 00 44 01 00 00 00 00 00 00 .¡©À·.D......
seg000:003330B0 52 53 32 33 32 20 44 65 63 6F 64 65 00 00 00 00 RS232 Decode....
seg000:003330C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 50 ..............SP
seg000:003330D0 49 20 44 65 63 6F 64 65 00 00 00 00 00 00 00 00 I Decode........
seg000:003330E0 00 00 00 00 00 00 00 00 00 00 00 00 49 32 43 20 ............I2C
seg000:003330F0 44 65 63 6F 64 65 00 00 00 00 00 00 00 00 00 00 Decode..........
seg000:00333100 00 00 00 00 00 00 00 00 00 00 43 41 4E 20 44 65 ..........CAN De
seg000:00333110 63 6F 64 65 00 00 00 00 00 00 00 00 00 00 00 00 code............
seg000:00333120 00 00 00 00 00 00 00 00 46 6C 65 78 52 61 79 20 ........FlexRay
seg000:00333130 44 65 63 6F 64 65 00 00 00 00 00 00 00 00 00 00 Decode..........
seg000:00333140 00 00 00 00 00 00 42 61 6E 64 77 69 64 74 68 20 ......Bandwidth
seg000:00333150 35 30 30 4D 00 00 00 00 00 00 00 00 00 00 00 00 500M............
seg000:00333160 00 00 00 00 42 61 6E 64 77 69 64 74 68 20 33 35 ....Bandwidth 35
seg000:00333170 30 4D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0M..............
seg000:00333180 00 00 42 61 6E 64 77 69 64 74 68 20 32 30 30 4D ..Bandwidth 200M
seg000:00333190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
seg000:003331A0 50 6F 77 65 72 20 41 6E 61 6C 79 73 69 73 00 00 Power Analysis..
seg000:003331B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
seg000:003331C0 49 6E 73 74 61 6C 6C 65 64 20 4F 70 74 69 6F 6E Installed Option
seg000:003331D0 73 00 00 00 04 C2 16 00 08 C2 16 00 04 C2 16 00 s...-.-.-.
I wonder if the options screen on models above DS4014 says the option is enabled or if the model number just enables the right bandwidth.
On the DS4014 only the options that are enabled gets printed, the bandwidth line does not show up.
Looks like they prepared for Bandwidth set as an option, and there is also a possible new option "Power Analysis" that I do not remember hearing about.
*
In case someone wonders: I can confirm that removing the options with :system:option:uninstall worked and it could be set again without problems (serial number stays and so on)
*
I tested several variants of the keys based on what Uup documented without finding anything new.
It still feels like the BW and new Power Analysis options should be just another Serial (the Rigol help file uses this name for the key we enter. When I first found it I thought it referred to setting the serial number of the unit).
*
I find 4 Xilinx bitstreams in the GEL file, the header info is consistent with the devices all being the same (ID string 02 86 E0 93 = XC5VLX30) where the LX30 is the smallest Virtex 5 device.
The use of Virtex 5 circuits explains the larger heat sinks compared to the DS2000; Virtex 5 are 65nm devices optimized for speed, speed and more speed (never mind the power consumption and leakage).
Spartan 6 on the other hand are "45 nm process optimized for cost and low power", so assuming we are not running close to the max frequency the Spartan should run cooler.
There are 5 FPGAs in the DS4000, so one pair should be getting the same config file, my guess is on the pair closest to the ADCs with the trace memory.
*
In Connor Wolf's teardown there is a lasered circuit just next to the Blackfin. If I look closely on mine I can faintly see the logo "Actel"; if I compare the wiring around this circuit it closely resembles the Actel that can be seen in Dave's DS2000 teardown between the coin battery and the Flash, referred to as glue logic.
In a block diagram I would expect this circuit to sit between the Blackfin bus and the rest of the system, it also could be that it is in charge of configuring the FPGAs since it looks to be directly linked to the Flash.
Nearby is the same programming connector, board version setting resistors, and in both cases the Flash is close to it. I would not be surprised if this circuit's config were the exact same in both models.
*
The fan is this one: Delta AFB1212L
It is the lowest rpm version in the AFB series, seems it should be possible to find a replacement that gets nearly the same flow and pressure with less noise, expecting a possible replacement in the mail tomorrow.
Actually I am a bit surprised the fan is so noisy when the datasheet says it should be 32dBA max at 1900rpm, subjectively it feels like it is over 40dBA.
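Added example (mine, not from this thread or from Rigol): a small Python helper that rebuilds bytes from IDA-style dump rows like the GEL excerpt above and walks the option-name table. The 30-byte stride is my reading of the offsets in that dump (RS232 Decode at 0x3330B0, SPI Decode at 0x3330CE, I2C Decode at 0x3330EC); the sample rows are constructed to match that layout.

```python
import re
from typing import List, Tuple

# One IDA-style dump row: "seg000:<addr> <16 hex bytes> <ascii column>" (ascii column ignored)
DUMP_ROW = re.compile(r"^seg000:([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s+){15}[0-9A-Fa-f]{2})")

# Constructed sample: five rows in the same layout as the GEL excerpt, covering the
# RS232/SPI/I2C decode entries of the option-name table.
SAMPLE_DUMP = """\
seg000:003330B0 52 53 32 33 32 20 44 65 63 6F 64 65 00 00 00 00 RS232 Decode....
seg000:003330C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 50 ..............SP
seg000:003330D0 49 20 44 65 63 6F 64 65 00 00 00 00 00 00 00 00 I Decode........
seg000:003330E0 00 00 00 00 00 00 00 00 00 00 00 00 49 32 43 20 ............I2C
seg000:003330F0 44 65 63 6F 64 65 00 00 00 00 00 00 00 00 00 00 Decode..........
"""


def parse_dump(text: str) -> Tuple[int, bytes]:
    """Rebuild a contiguous blob from dump rows; returns (base_address, blob).
    Rows must be consecutive 16-byte rows; a gap or overlap raises ValueError."""
    base = None
    blob = bytearray()
    for line in text.splitlines():
        m = DUMP_ROW.match(line.strip())
        if not m:
            continue  # skip anything that is not a dump row
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(blob):
            raise ValueError(f"non-contiguous row at {addr:#010x}")
        blob += bytes.fromhex(m.group(2).replace(" ", ""))
    if base is None:
        raise ValueError("no dump rows found")
    return base, bytes(blob)


def extract_string_table(base: int, blob: bytes, start: int, stride: int = 30) -> List[Tuple[int, str]]:
    """Walk NUL-padded fixed-width entries from address `start` until the blob
    ends or an entry is empty; returns [(address, name), ...]."""
    entries = []
    off = start - base
    while 0 <= off < len(blob):
        raw = blob[off:off + stride].split(b"\x00", 1)[0]
        if not raw:
            break
        entries.append((base + off, raw.decode("ascii")))
        off += stride
    return entries


def list_options(text: str, start: int) -> List[Tuple[int, str]]:
    base, blob = parse_dump(text)
    return extract_string_table(base, blob, start)
```

Pointing `list_options` at 0x3331BE in the full excerpt would return "Installed Options" the same way; the assumption is only that every entry keeps the 30-byte spacing.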
Just out of curiosity, where are the steps for generating keys? I remember seeing something about elliptical encryption, but not any step by step stuff.
Well, if you're only interested in generating these Rigol keys, then there is a command line utility to do that for you. However, if you are trying to learn the math behind the technology, I'd recommend you Google it.
I'd actually read through the elliptical cryptography stuff, but I was curious about locating the private keys and the basic stuff. I'm sure I read it somewhere in the 86 pages of the thread, but I have a short memory...
I wonder if the options screen on models above DS4014 says the option is enabled or if the model number just enables the right bandwidth.
FWIW, if I were going to code this firmware up, I would embed enabling of tiered features in the model number... Or perhaps in a separate semaphore field -- "tier" -- and then let the unit set the model number and tier-enabled features from it... Because if I was going to sell an "upgrade" then it would include a license key and a new sticker/badge/label/whatever for the face of the instrument.
So... Has anyone figured out where the model number is stored, and perhaps how to change it? I thought there was someone whose DS4000-series lost its mind/memory and "upgraded" itself to a higher tier model...? (Or... have I been eating waaay too many doggie-biscuits?)
No, that happened. right here:
https://www.eevblog.com/forum/reviews/rigol-ds4014-decided-it-would-be-more-fun-to-be-a-ds4054/
I hesitate to post this in case I look like a prat later, but I'm pretty confident now that Rigol have changed their private key for the DS2000A.
I've tried a couple of different keygens, all giving the same key, copied and pasted into and... no worky.
I still haven't compared the firmware version of my DP832 to a known working version. If I do have a later version I might try downgrading. It would seem unlikely that they would change their private key on a current product though.
Did you send the key without the dashes if using scpi?
It will definitely work for the DP832 (at least). Try entering the code manually with the keypad on the device (as opposed to the remote commands from a computer).
We need something like this (fpga bitcoins miner):
Hahaha, what a douche-bag! I had a bitcoin miner programmed into my DE0-Nano board a while back, and it hashed out keys at 1/100th of the pace of my NVidia (CUDA-enabled) GPU. This guy just wasted a fortune on FPGA dev boards, as well as a room; and he's probably a virgin.
Has Butterfly-Labs ever shipped their ASIC bitcoin miners?
Well, I have to recognize that about this subject (bitcoins) I know little.
The previous picture I got from here:
http://www.joeydevilla.com/wordpress/wp-content/uploads/2013/04/bitcoin-fpga-mining-rig.jpg-.jpg
From what you say you are an expert on the subject. How much money do you get per day? I read that up to 130USD.
Not an expert; not even close. However, I can assure you that the setup you showed below is not generating $130USD/day. Perhaps $20, but this number decreases each day, since bitcoins become more difficult to mine over time. I'm not saying his set-up won't pay for itself in time, just that he shouldn't give up his day job.
No, that happened. right here...
Well... From the second photo in that thread... The model number doesn't match the badge...
So it looks to me like the model number (or tier/whatever) is set in a semaphore, which got changed/set/cleared... Which means it's held in some kind of FLASH/EEPROM... Which means it should be hackable.
Seems that what we need are dumps from two or more different models to compare the NV content.
Any luck?
No. But I haven't had time to fool around much.
I thought I'd try some of the lesser keys for the 2072 in case they just disabled the model hack.
Still no idea about the 832. You say the keys will definitely work yet this has not been my experience so far. I have tried direct entry and entry via scpi. Only tried direct entry once though and user error is quite likely this way I think.
Also, I haven't gone back to re-read the beginning of the thread, but I don't recall any specifics of how the private keys were originally discovered. If they have changed, and were chosen well, it seems unlikely they will be rediscovered quickly.
I have worked in software design and development for many years, so I am quite confident I am not doing anything stupid, but experience tells me I cannot rule it out 100%.
I will re-post this reply in the main thread in case it prompts any responses.
I hesitate to post this in case I look like a prat later, but I'm pretty confident now that Rigol have changed their private key for the DS2000A.
I've tried a couple of different keygens, all giving the same key, copied and pasted into and... no worky.
I still haven't compared the firmware version of my DP832 to a known working version. If I do have a later version I might try downgrading. It would seem unlikely that they would change their private key on a current product though.
Yes. I do look like a prat. The keygen for the 832 is fine.
Any ideas why the scpi commands wouldn't work? No idea what I was trying before. The commands I just tried now were clearly not recognised. Direct entry on the device worked fine while awake and sober.
So the 832 seems to accept the keys, but the 2072A won't, huh?
apelly, don't be too hard on yourself. I learn a lot of stuff, nearly everything, by making mistakes.
Try it again, manually, on the DS2072A. When sober
Did that earlier. Also tried lesser keys. No joy.
Just rereading the first thousand or so posts in this thread for clues about the ECC keys. It starts to get interesting somewhere around post 400. There are some tips there about cracking tools. Looks like the firmware will be needed though and I don't have the gear to extract it. Also rediscovered LLLLLLL-RLGLLDS-DSA9LLL-LLLLLLL in cybernet's post. I'll give that a go later.
The way I see it is that the private key is different. "All" that is needed is a FW dump via JTAG and gdb; the rest should be simple (as seen on the other devices).
so if someone can do a dump i am confident to help with the rest
73 de DL5TOR
Torsten