Sniffing the Rigol's internal I2C bus

[AndersAnd]

I guess I'm not following everything here, has a key been generated that works on an A model yet?

Look 4 posts above your own post: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg345144/#msg345144

[marmad]

To sum up:

There is no distinction between 'non-A' and 'A' firmware - Rigol has intended for the latest version to work on all models. So feel free to upgrade and downgrade at will - but, because of changes to FRAM, it's best to do it only with the bootloader - and after switching between the major versions (v.1 to v.2 - or - v.2 to v.1), it's best to hold in the left-menu F6 button on the first boot after loading - or the DSO can hang when switching between various menu items.

The new v.2 FW (unlike older versions) was written to work completely correctly with a 300MHz bandwidth (which is why the 1ns/div TB works fine), so you can be assured that if it's activated, it's working correctly - unless there is something the FW does with the LMH6518 chip specifically to inhibit it on non-A models.

The v.2 FW does NOT have a 200MHz bandwidth limit switch for the channels (as evidenced by the DS2000A User Manual) - so it's correct that the option does not appear in the menus.

As AndersAnd mentioned, there has yet to be a key found for the A-model - and as far as I know, no A-model owner has attempted to just downgrade to a v.1 firmware, run the keygen, and then upgrade back to v.2 (not sure why).

[A Hellene]

Also, does anyone know HOW the keyboard connects to the blackfin, what pins/registers/interface?

Though I do not suggest that the circuit is the same in both the designs, in DS1002 the LED indicators serial data comes from the Blackfin SPORT0 primary channel while the keypad/encoders serial data are fed into the SPORT0 secondary channel.

Here are (some of) the DS1002 schematics, including the Keypad/Indicators PCB.


-George

[iNoxxam]

Maybe some pins are dedicated to coding the model version (A or non-A). In that case, it may be used to make the software act as a non-A version. Should it work, would it not allow to use the keygen? After what, the correct model version could be reset to A and that's it...
I must be wrong somewhere but I can't see where.

[cybernet]

[My ds4k have the same strapping as in the picture and the scope reports extended HW version number: 0.1.2.3 (same access to extended info as on a ds2k).
This corresponds to the straps at the top "xx.xx" being 01.10 (1.2) and the strap field below being 011 (.3) .
Not sure if the singel "ch" strap is the first digit (0.), but it would not be surprising.
Makes me wonder if "ch" relates to the number of scope channels.
Someone with a two channel DS4000 might want to report what number they have.

not sure how to explain properly, but the model type string gen function does have a dedicated variable for channels, mso y/n, bandwidth - i would expect those to be the external inputs.
cant remember right now where those vars where coming from. i guess there is no way to map those to the BGA pins^h^h^h balls ? (xray anyone ?)
 

[A Hellene]

xray anyone?

An X-ray device or a hot-air rework station:




-George

[Dave Turner]

A little while ago it was reported that the 500uV range, whilst possible to enable, doesn't in fact work on the DS1000Z series. Has anything further been discovered about this, or has it been decided that it is a hardware limit?

[alank2]

A little while ago it was reported that the 500uV range, whilst possible to enable, doesn't in fact work on the DS1000Z series. Has anything further been discovered about this, or has it been decided that it is a hardware limit?

I reported it; when enabled even after doing a cal, it was not usable.  A disconnected channel would jump high or low off the screen.

[NikWing]

but according to recent finds, one should think that is matter of minutes if just someone do an jtag dump of an A serie..
I'm definately going for the A(with s), but 100 or 200... that's the question..

yeah, that's what I hope and the reason I ask
there shouldn't be a difference between 100 and 200, right? since it's software-lock
but I also read about unlocking it to 300, but the bw filter menu won't show that setting, it seems

I can help out with jtag data, if someone tells me exactly what to do (so that I won't fry anything or lose warranty, I don't want to lose 3 years, you know ^^)
I never worked with jtag interface before, but AFAIK we have an atmel one flying around at work and I can use that if needed

but at first I have to get the DSO, one of 2 shops says available next year, the other shop writes something about the 16th this month, but I got no reply yet ...


edit: by the way, if (quoting marmad:) "There is no distinction between 'non-A' and 'A' firmware", what about the S-models? Is the key/button, that enables the waveform generator on the S-model, hidden on the non-S-devices? if it is, what happens, if you trigger it by shorting the contact area on the PCB?

[AndersAnd]

but I also read about unlocking it to 300, but the bw filter menu won't show that setting, it seems

It's not supposed to. BW limit filters in scopes are low pass filters you can activate to reduce the full BW of the scope. Without BW limit activated, you get the full specified BW of the scope so there should be no 300 MHz option on a 300 MHz model, just like there's no 200 MHz option on a 200 MHz model or a 100 MHz option on a 100 MHz model. You'll only see selected BW options below the scopes full BW.

[NikWing]

@AndersAnd: ahh, thank you, I misunderstood that then
so if a 100 MHz DSO is unlocked to 300, 200/100 and 20 should appear?

[neslekkim]

but I also read about unlocking it to 300, but the bw filter menu won't show that setting, it seems

It's not supposed to. BW limit filters in scopes are low pass filters you can activate to reduce the full BW of the scope. Without BW limit activated, you get the full specified BW of the scope so there should be no 300 MHz option on a 300 MHz model, just like there's no 200 MHz option on a 200 MHz model or a 100 MHz option on a 100 MHz model. You'll only see selected BW options below the scopes full BW.

Yeah, but I thougt the issue is that if you get an 2072, hack it to be an 2302, do you then get 100 and 200 as options in that list?

[AndersAnd]

@AndersAnd: ahh, thank you, I misunderstood that then
so if a 100 MHz DSO is unlocked to 300, 200/100 and 20 should appear?

There's no 200 MHz option on either DS2202A or DS2302A. Only 100 MHz and 20 MHz will appear on these.
On both DS2072A and DS2102A only 20 MHz will appear.
Th 200 MHz BW limit will option will appear on non-A models with an old FW modded to DS2302. (A scope model that has never been released, so 200 MHz BW limit has never been an official option).

This has already been mentioned a couple of times recently in this topic:

Works fine with ds2072 (non a) and hardware 2.0.

Model: DS2302
SW: 00.02.01.00.03
HW: 1.0.2.0.2
FPGA: SPU 03.01.09 / WPU 00.07.01 / CCU 12.29.00 / MCU 02.12

Note:
Need uninstall the old key with ultra sigma.
Option: DSHH + rigen 2b1
Protocol analysis CAN: ok
300MHz BW: ok
BW limit: OFF - 20M - 100M

If the bandwidth is 300MHz, shouldn't the BW limit menu options be:   OFF - 20MHz - 100MHz - 200MHz?
Is the bandwidth actually still 200MHZ and not 300MHz?

Never mind...
The DS2000A User's Guide, page 2-3 says:

"Enable bandwidth limit and limit the bandwidth to 20 MHz or 100 MHz (only applicable to 200 MHz and 300 MHz oscilloscopes), the high frequency components that exceed 20 MHz or 100 MHz are attenuated."

The v.2 FW does NOT have a 200MHz bandwidth limit switch for the channels (as evidenced by the DS2000A User Manual) - so it's correct that the option does not appear in the menus.

[flolic]

Yeah, but I thougt the issue is that if you get an 2072, hack it to be an 2302, do you then get 100 and 200 as options in that list?

My hacked 2072 (latest firmware and cybernet's latest license codes) has this options: OFF/20M/100M

[Dave Turner]

Alank2 - yes it was your post that I recalled. As a matter of note I discovered that the limit appears to be 800uV. It is below that that the trace either bottoms or tops out.

[marmad]

This has already been mentioned a couple of times recently in this topic:

Yes, this thread has turned into a beast which is constantly eating it's own tail ;^)

Perhaps an image will put the question to bed:

[alank2]

Any idea why they dropped the 200M bandwidth limit?

[JDubU]

To sum up:

There is no distinction between 'non-A' and 'A' firmware - Rigol has intended for the latest version to work on all models. So feel free to upgrade and downgrade at will - but, because of changes to FRAM, it's best to do it only with the bootloader - and after switching between the major versions (v.1 to v.2 - or - v.2 to v.1), it's best to hold in the left-menu F6 button on the first boot after loading - or the DSO can hang when switching between various menu items.

The new v.2 FW (unlike older versions) was written to work completely correctly with a 300MHz bandwidth (which is why the 1ns/div TB works fine), so you can be assured that if it's activated, it's working correctly - unless there is something the FW does with the LMH6518 chip specifically to inhibit it on non-A models.

The v.2 FW does NOT have a 200MHz bandwidth limit switch for the channels (as evidenced by the DS2000A User Manual) - so it's correct that the option does not appear in the menus.

As AndersAnd mentioned, there has yet to be a key found for the A-model - and as far as I know, no A-model owner has attempted to just downgrade to a v.1 firmware, run the keygen, and then upgrade back to v.2 (not sure why).

Here is something a bit odd.
I just upgraded the firmware on my DS2072 from 00.01.01.00.02 (was preinstalled on delivery) to 00.02.01.00.03 using the methods recommended by Marmad.

Extended system info:

Before:
Model: DS2072
SW: 00.01.01.00.02
HW: 1.0.2.0.0
FPGA version:
                   SPU  03.01.05
                   WPU  00.06.05
                   CCU  12.29.00
                   MCU  00.05

After:
Model: DS2072
SW: 00.02.01.00.03
HW: 1.0.2.0.1
FPGA version:
                   SPU  03.01.09
                   WPU  00.07.01
                   CCU  12.29.00
                   MCU  00.05


Note the changes in bold.
The HW version incremented and the MCU version did not change to MCU 02.12!

Any ideas why this is different than what others are seeing?

[neslekkim]

Maybe I confused myself with this and the earlier talk about the LMH6518, I thought that one was not beeing changed on the hacked models, or is that something else or ?

[marmad]

Any idea why they dropped the 200M bandwidth limit?

Well, they didn't really drop it, per se, since it was never actually officially implemented in any firmware release (just an unused feature) - but perhaps they decided not to finally use it because, if serondays BW-limit chart is accurate:

the 100MHz limit gives you a -3dB BW of ~130MHz
the 200MHz limit gives you a -3dB BW of ~185MHz

...so only a ~55MHz difference between the settings.

[JDubU]

Maybe I confused myself with this and the earlier talk about the LMH6518, I thought that one was not beeing changed on the hacked models, or is that something else or ?

The LMH6518 is the input amplifier IC that can receive commands from the firmware to change both input attenuation and bandwidth.  What commands are available to be sent to this chip by the user interface/firmware is the subject of the hacking efforts.

[cosmos]

Storing serial number etc:
There is the Actel ProASIC flash based FPGA.
The A3P030 (and the rest of the family) have a small (1024 bits) flash based memory area "FlashROM" that can be accessed both from JTAG and userspace.

cut from Actel document: http://www.microsemi.com/document-portal/doc_download/130889-proasic3-fpga-fabric-user-s-guide
************
The  FlashROM  content  can  be  changed  independently  of  the  FPGA  core  content.  It  can  be  easily
accessed and programmed via JTAG, depending on the security settings of the device. The SmartGen
core generator enables each region to be independently updated (described in the "Programming and
Accessing FlashROM" section on page 124). This enables you to change the FlashROM content on a
per-part basis while keeping some regions "constant" for all parts. These features allow the FlashROM to
be used in diverse system applications. Consider the following possible uses of FlashROM:
•    Internet protocol (IP) addressing (wireless or fixed)
•    System calibration settings
•    Restoring configuration after unpredictable system power-down
•    Device serialization and/or inventory control
•    Subscription-based business models (e.g., set-top boxes)
•    Secure key storage
•    Asset management tracking
•    Date stamping
•    Version management
************

The security settings seems to refer to 128b AES encryption ... but the AES part is missing from the low end devices that Rigol uses.

Both ds4k and ds2k have the same proASIC and it is tasked with reading the board version number too...
would not be so strange if they put the serial number and maybe model number too in there?
Just next to it is a JTAG connector (not the same as used for Xilinx or Blackfin) so it will be easy to find for the person that programs the model type and puts the sticker on...

[neslekkim]

Maybe I confused myself with this and the earlier talk about the LMH6518, I thought that one was not beeing changed on the hacked models, or is that something else or ?

The LMH6518 is the input amplifier IC that can receive commands from the firmware to change both input attenuation and bandwidth.  What commands are available to be sent to this chip by the user interface/firmware is the subject of the hacking efforts.

Ok, so this chip behaves, and is controlled exactly same on all models, so one doesnt need to worry about this one to be handled differently through the 2072 - 2302 models?
If so, that makes it easy to chose which model to buy at least..
The price difference between the 2072a-s and 2202a-s is $940 here, and the $358 between the 2072a-s and the 2102a-s..  (in Norway)

[cybernet]

thx cosmos - will see if i find code for it.

[thetooth]

Just a thought but since theres so much information around and mostly spread across this forum thread i think its time a lot of the facts are consolidated in same way.

Unless someones already done it i can host a wiki on one of my jap based VPS's, has 2TB/month bandwidth thats mostly unused. I'm not in a position to manage it full time though so if you feel like taking it on send a pm with your email or some form of contact and i'll set you up as an admin.

I can also mirror the keygen since its mostly javascript correct? Then eventually setup a firmware archive of sorts...