Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1857290 times)


Offline Gallymimus

  • Regular Contributor
  • *
  • Posts: 178
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #1550 on: November 27, 2013, 08:40:58 pm »


Thanks for this cybernet.  I've asked a friend who has a ds4000 to check it out (He might be too afraid to try it though  :-[
« Last Edit: November 27, 2013, 09:41:15 pm by Gallymimus »
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #1551 on: November 27, 2013, 09:36:08 pm »
is that a known menu on the DS2000 ?
« Last Edit: November 27, 2013, 09:51:44 pm by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 572
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #1552 on: November 27, 2013, 09:44:53 pm »
is that a known menu on the DS2000 ?
Not sure if it is for DS2000, but cosmos mentioned very similar [Project screen #1, Project screen #2 and Project screen #3] for DS4000 earlier in this topic:
Found something for the DS4000 that was new to me.

The key sequence for getting extended version info also open other stuff.
to enter and exit : Trig menu -> edge. then in one quick sequence  F7 + F6 + F7 + Utility

EDIT: (Clarification)
to enter and exit :
Trig menu -> edge.
then in one quick sequence  [MENU7_R] + [MENU6_R] + [MENU7_R] + [Utility]
(from marmad's post earlier in thread)
/EDIT

Now I have:
extended version info under Utility -> system -> System info 
extended power info under Utility -> system -> SelftestInfo
a new sub menu under Utility(2) (second screen) called Project
under project there is now

screen #1:
Screentest
Key test
AuxTest
Gain1
Gain2
-
-

screen #2:
-
EqualCal
DealyCal
-
-
Resumecal

screen #3:
Probecal
Factory
-
-
-
-
-
return


I wonder if there might be even more interesting menus to be activated like this ... how did people find the unlocking key sequence in the first place?
« Last Edit: November 27, 2013, 09:50:04 pm by AndersAnd »
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #1553 on: November 27, 2013, 09:47:03 pm »
is that a known menu on the DS2000 ?

Yes - sub-menus of the hidden Utility Menu.
 

Offline cosmos

  • Regular Contributor
  • *
  • Posts: 110
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #1554 on: November 27, 2013, 09:50:47 pm »
One DS4014 volunteer stepping up ...
That worked very well, thank you very much.    :-+  :-+

I now have TB 2ns and 1ns.
Model number did not change.
I kept all the options I had entered earlier (riglol generated).

The fastest FPGA signal (Spartan 6, normal output drive) that I could find in a hurry was reading as 1.9 to 2.1ns rise and fall time before (DS4014) and are now around 1.24ns ...

This is with a 1GHz 1k probe into 50ohm input, the FPGA signal has no GND close by so GND is from the probe lead folded into a 5cm lead and it then does a detour on the PCB as well..

I have seen sub 1ns numbers as fall time but that was with significant undershoot and seemed dependent on the horizontal position so I do not trust it.
I think 1.24ns might be as fast as the standard IO driver in the FPGA can go.
I need to find myself a better test signal or an RF generator.

This looks very good so far.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #1555 on: November 27, 2013, 09:54:19 pm »
is that a known menu on the DS2000 ?

Yes - sub-menus of the hidden Utility Menu.

seems like that flag is an enabler for a lot of stuff ...  >:D
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #1556 on: November 27, 2013, 09:55:58 pm »
One DS4014 volunteer stepping up ...
That worked very well, thank you very much.    :-+  :-+

np, do you also see BW limit options raised for CH1-??? ? like it happened on the DS2000. (if the DS4k has such a setting)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline cosmos

  • Regular Contributor
  • *
  • Posts: 110
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #1557 on: November 27, 2013, 10:11:11 pm »
yes BW options are now: OFF, 20M, 100M, 200M

selecting 100M I get about the same rise and fall as I had before (~2ns).
selecting 200M I get around 1.5ns
selecting OFF I get mostly 1.28ns rise and 1.16ns fall (for the others it's also like that with slightly lower numbers for fall time)
If I measure with cursors I get the same results (knowing that the IO is driven from 2.5V rails I can set the 10% and 90% referred to that)

 

Offline Rigol-Friend

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #1558 on: November 27, 2013, 10:23:41 pm »
Cybernet:

The second bottle of champagne is waiting for you.    :clap:
My english is VERY poor, sorry. I learned in school, about more than 55 years ago.

But I'm a happy owner of Rigol DSA815-TG with all options + DS2302 (was DS2072) + DG4202 (was DG4062)
Mega thanks to the developers of the key-generator ! Especially to CYBERNET with his brilliant brain !
 

Offline Avotronics

  • Regular Contributor
  • *
  • Posts: 58
  • Country: gb
    • Rigol Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #1559 on: November 27, 2013, 10:33:53 pm »
Hello,

I got a brand new unmodified DS2202A. So I would like to help to enhance the situation...  :-DD

I don't have mature experience in hacking this sort of stuff. How can I help you guys? Are there any pointers how to create a memory dump from this beast? Where to send the dump?  :-//

Please don't hesitate do contact me with your requests...  :-+

cool, can u request a firmware update with your distributor (even if there is none they might send u a current)  ? getting a .GEL file would be nice - other options, see the DG4000 thread - on how to do a JTAG memory dump.

Cyberdude, if it's not too much trouble, can you create an MD5 checksum of any firmwares you modify please?
I'm dumping them on http://rigol.avotronics.co.uk and it would be a good idea to have this. Thank AndersAnd for the idea....  :-DD
Why would you buy something ready made when you can make it yourself with half the features for twice the money!
 

Offline cosmos

  • Regular Contributor
  • *
  • Posts: 110
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #1560 on: November 27, 2013, 10:38:40 pm »
DS4k:
Found a better ground point where I can use a 1cm spring and now I get rise and fall times in the 800-900ps range.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #1561 on: November 27, 2013, 10:41:06 pm »
by using a decent os, you can do that with ... (for whatever reason ;-)
md5sum <file>


btw - by enabling the project menu - you also enable the :DBGCMD:STAT? RX|TX|CLR|Q|PARSE SCPI commands
i suspect there is more to that than the debug outputs ... something like reading/writing memory would rock ! ;-)



./dbgstat.py 10.146.248.190
(u16HostFetchErr = 0),(u16FifoLenErr = 0),(u32NoDataCnt = 24),(u32WaitDataCnt = 17),(u16FmtDataErr = 0),(u16FmtTypeErr = 0),(u16StateMachineErr = 0),(u16DeadLockCnt = 0),(u16SysFmtErr = 0),(u16AddrAccessErr = 0),(u32TotalTxByte = 7361),(u32CurTxByte = 124)
(u16InteruptCnt = 0),(u16WInQCnt = 0),(u16RxDataCnt = 0),(u16ProCnt = 48),(u16IBFullCnt = 0),
(u16InvalidCharacter = 0),(u16KeywordNotFound = 2),(u16CmdNotFound = 0),(u16TooManyKeyword = 0),(u16LastKeywordOmitted = 0),(u16CmdSNErr = 0),(u16InvalidCallBackFunc = 0),(u16CmdExcuteErr = 0),
(u16NoFreeNode = 0),(u16QIsFull = 0),(u16QIsEmpty = 0),(u16RxBufOverflow = 0),(u16RxDataPtrNull = 0),(u16RxDataLenErr = 0),
« Last Edit: November 27, 2013, 10:44:30 pm by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline Avotronics

  • Regular Contributor
  • *
  • Posts: 58
  • Country: gb
    • Rigol Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #1562 on: November 27, 2013, 10:43:53 pm »
by using a decent os, you can do that with ... (for whatever reason ;-)

md5sum <file>

Yup, I can produce one no problem, but I figured it should be created on the host system before it got shipped around the net. If you think not, I'll create one.  :-//
Why would you buy something ready made when you can make it yourself with half the features for twice the money!
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #1563 on: November 27, 2013, 10:47:45 pm »
Yup, I can produce one no problem, but I figured it should be created on the host system before it got shipped around the net. If you think not, I'll create one.  :-//

what's the point in an md5 sum ? if there are checksums in 2 levels all over the GEL file ? try to change a byte and flash it ... won't happen ;)
same with what's the point of a website providing an md5 sum on their homepage together with the download link ? - 1 more step for somebody that replaces a download with something evil to tamper with ?
imho completely useless except maybe for a backup software ... ;)
« Last Edit: November 27, 2013, 10:50:24 pm by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline Avotronics

  • Regular Contributor
  • *
  • Posts: 58
  • Country: gb
    • Rigol Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #1564 on: November 27, 2013, 10:54:30 pm »
Yup, I can produce one no problem, but I figured it should be created on the host system before it got shipped around the net. If you think not, I'll create one.  :-//

what's the point in an md5 sum ? if there are checksums in 2 levels all over the GEL file ? try to change a byte and flash it ... won't happen ;)
same with what's the point of a website providing an md5 sum on their homepage together with the download link ? - 1 more step for somebody that replaces a download with something evil to tamper with ?
imho completely useless except maybe for a backup software ... ;)

I see your point. I'm not familiar enough with the concept, but I guess the idea is to make sure that the file one downloads to one's computer has not been damaged in transit? I guess if this ain't possible in this instance, the MD5 is useless yes.

As you also pointed out, you can't flash any modern commercial device without it running checksum validation before flash. So I guess it is pointless... I told you to blame AndersAnd  :-DD
Why would you buy something ready made when you can make it yourself with half the features for twice the money!
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Sniffing the Rigol's internal I2C bus
« Reply #1565 on: November 27, 2013, 11:20:06 pm »
DS4k:
Found a better ground point where I can use a 1cm spring and now I get rise and fall times in the 800-900ps range.
Probably the real rise time can reach ~ 650ps (maybe even less).  :)

More fun (make one): http://people.osmocom.org/tnt/hw/pulse_gen/
« Last Edit: November 27, 2013, 11:38:05 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 399
  • Country: us
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #1566 on: November 27, 2013, 11:52:42 pm »
Re. cybernet's method for converting a DS2062 to DS2302:

  1. Is there anyway to retain the original Serial Number, or to re-insert it later?

  2. Is it possible to return to DS2062, or D2202 if we find a significant issue with DS2302 in the future?

Thank you very much CYBERNET for all of your fantastic tools you have come up with and shared, and for all the very generous help you have provided.
 

Offline clifford

  • Regular Contributor
  • *
  • Posts: 64
  • Country: at
    • www.clifford.at
Re: Sniffing the Rigol's internal I2C bus
« Reply #1567 on: November 28, 2013, 12:08:14 am »
I see your point. I'm not familiar enough with the concept, but I guess the idea is to make sure that the file one downloads to one's computer has not been damaged in transit? I guess if this ain't possible in this instance, the MD5 is useless yes.

Usually the idea would rather be to make sure that no one has tampered with the file and you are indeed downloading what the original poster uploaded.

But for this purpose at least something like sha256 would be more suited than md5. (Afaik there is still no practical preimage attack on md5, but nevertheless it is not really considered a secure cryptographic hash anymore. But then SHA-2 was developed by NSA, so..)
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #1568 on: November 28, 2013, 12:15:19 am »
if i tamper with the file, i tamper with the website that displays the md5/sha/<otherhash> too -> e.g. useless
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline Avotronics

  • Regular Contributor
  • *
  • Posts: 58
  • Country: gb
    • Rigol Hacks
Sniffing the Rigol's internal I2C bus
« Reply #1569 on: November 28, 2013, 12:38:46 am »

if i tamper with the file, i tamper with the website that displays the md5/sha/<otherhash> too -> e.g. useless

Not if the hash wasn't available to the tamperererererrrr tamperorrr temperer, what the hell is word lol.

I guess the hash could be stored in another location or auto mailed to the downloader.

I think this isn't useful here, I agree.

Where it is useful is when you're dealing with open source and public contributor servers etc.
But as you say, if the hash is accessible too then it's all bollocks.
Why would you buy something ready made when you can make it yourself with half the features for twice the money!
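Added example (my own code, not anything posted in this thread) illustrating the disagreement above between cybernet, Avotronics and clifford: a hash published beside the download only catches transit corruption, while a hash obtained from a channel the publisher's attacker does not control also catches a swapped file. The firmware bytes below are constructed stand-ins, not a real .GEL image.

```python
"""Co-located vs. out-of-band download hashes (added example)."""
import hashlib
import hmac

# Constructed stand-in for the firmware image as originally uploaded.
ORIGINAL_FILE = b"DS4000Update.GEL constructed sample contents v1\n"
# Constructed stand-in for a replacement file an attacker serves instead.
TAMPERED_FILE = b"DS4000Update.GEL constructed sample contents v1 + extra\n"


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data using any hashlib algorithm name (md5, sha256, ...)."""
    return hashlib.new(algo, data).hexdigest()


def verify(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Compare the computed digest with the expected one in constant time."""
    return hmac.compare_digest(digest(data, algo), expected_hex.lower())


def colocated_hash_scenario(tamper: bool) -> bool:
    """Hash published on the same page as the download (cybernet's point).

    Whoever can replace the file can also replace the published hash, so
    the check passes whether or not the file was swapped."""
    served_file = TAMPERED_FILE if tamper else ORIGINAL_FILE
    published_hash = digest(served_file)  # re-published alongside the swap
    return verify(served_file, published_hash)


def out_of_band_hash_scenario(tamper: bool) -> bool:
    """Hash obtained independently (Avotronics' 'another location' idea).

    The reference digest was recorded from the original upload through a
    channel the download server does not control, so a swapped file fails."""
    reference_hash = digest(ORIGINAL_FILE)  # captured independently
    served_file = TAMPERED_FILE if tamper else ORIGINAL_FILE
    return verify(served_file, reference_hash)


def transit_corruption_detected(algo: str = "md5") -> bool:
    """Even MD5 catches accidental damage in transit (a single flipped bit);
    that is the only guarantee a co-located hash actually provides."""
    reference_hash = digest(ORIGINAL_FILE, algo)
    corrupted = bytearray(ORIGINAL_FILE)
    corrupted[10] ^= 0x01  # simulate one bit flipped during download
    return not verify(bytes(corrupted), reference_hash, algo)
```

Run the three scenario functions with `tamper=True` to see which check notices the swap: only the out-of-band reference does.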
 

Offline jboard146

  • Contributor
  • Posts: 38
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #1570 on: November 28, 2013, 02:29:36 am »
cybernet awesome! It does work!

I don't have anything here to generate signals to measure up to 500MHz, but on initial look it is somewhere near it.

The sine wave in is 200MHz at 1Vpp. I'm getting ~1.62dB drop at 200MHz. 8)
The response is flat to about 170MHz. It just starts to drop off from there.

It is still showing DS4014, but so what.

Between this hack and the decoder options hack I've got a $8-9k scope.
« Last Edit: November 28, 2013, 02:45:07 am by jboard146 »
 

Offline Uup

  • Regular Contributor
  • *
  • Posts: 84
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #1571 on: November 28, 2013, 04:04:46 am »
i think Uup did extensive testing on the option codes, but i think it's worth a shot to repeat that with a little bruteforce given the following facts:

there are 8 different options that can be enabled (0-4 = the known ones) 5,6,7 = are bandwidth upgrades (so the bandwidth code should be the 3 bits left to the known codes ... *guessworkhere*)

i can see code that uses the 12 LSB bits of the option code, and does "something" with it - there are code references that then go on to change the model type (=bandwidth change), but without proper BSS setup its not possible to figure it out anymore.
Just probing the individual 5,6,7th bits might not be enough, it could be a "combination" that's needed.

what i would do if i had a DS4k:

use the RLGLLDS keyformat - and bruteforce the remaining possible bits <B>

     A       B       C       D
   54321   54321   54321   54321

   10000   000BB   BBBBB   x0000   FlexRay Decode or alternate option
   10000   000BB   BBBBB   0x000   CAN Decode or alternate option
   10000   000BB   BBBBB   00x00   I2C Decode or alternate option
   10000   000BB   BBBBB   000x0   SPI Decode or alternate option
   10000   000BB   BBBBB   0000x   RS232 Decode or alternate option
i guess you could do it with python via LXI easily within a reasonable timeframe

I'm quite sure that I had already tried those combinations. However, just in case I missed something, I tried the ones you indicated above again. No change and my DS4024 just responds with a 'Licence invalid - re-enter licence' reply.

I just noticed that you posted a modified firmware, will give that a try now. Awesome work! Thanks Cybernet!

Also, I have the calibration values from my DG4162. I'll start typing them in and PM them to you.
 

Offline Co6aka

  • Supporter
  • ****
  • Posts: 299
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #1572 on: November 28, 2013, 05:03:28 am »
Exactly how long is a DS4000 firmware update supposed to take? My 4014 has been at it for about a half hour now.  :-// The activity LED on my USB stick is still blinking away, and the "CH 1" button is illuminated green, the "SINGLE" button is illuminated amber, and the "RUN/STOP" button is illuminated red. What now?
Co6aka says, "BARK! and you have no idea how humans will respond."
 

Offline Uup

  • Regular Contributor
  • *
  • Posts: 84
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #1573 on: November 28, 2013, 05:39:07 am »
Exactly how long is a DS4000 firmware update supposed to take? My 4014 has been at it for about a half hour now.  :-// The activity LED on my USB stick is still blinking away, and the "CH 1" button is illuminated green, the "SINGLE" button is illuminated amber, and the "RUN/STOP" button is illuminated red. What now?

It should only take a few minutes at most. I think it took my DS4024 about 3 minutes.

Try the following:

Update via boot-up, not via the GUI.

Make sure the name of the GEL file is "DS4000Update.GEL"

Re-format the USB stick and copy the GEL file back.

If it still isn't working then try a different USB stick.


 

Offline Co6aka

  • Supporter
  • ****
  • Posts: 299
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #1574 on: November 28, 2013, 05:45:42 am »
Was updating via bootup... Apparently, although my USB stick is visible and browsable on the DS, the bootup updater is allergic to my USB stick. As per Rigol's recommendations I used a <4GB stick. Also tried reformatting it, etc. The scope just doesn't like that stick.  SO, I used a newer 16GB stick and it just now finished. For future reference, I'm guessing that the red RUN/STOP means there was an error with the bootup updater.
Co6aka says, "BARK! and you have no idea how humans will respond."
 
