Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1851194 times)


Offline tiagobaracho

  • Regular Contributor
  • *
  • Posts: 66
Re: Sniffing the Rigol's internal I2C bus
« Reply #2775 on: February 02, 2014, 06:24:17 pm »
Me too.. I can't download..... Please send it to www.yousendit.com, it works great
I am just waiting for it to be able to free my scope! lol >:D
 

Offline Pehtoori

  • Contributor
  • Posts: 21
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #2776 on: February 02, 2014, 06:52:32 pm »
Me too.. I can't download..... Please send it to www.yousendit.com, it works great
I am just waiting for it to be able to free my scope! lol >:D

Try again now, should be up

if not:
https://www.hightail.com/download/elNKUXV1dzg5bEJ2TzhUQw
 

Offline tiagobaracho

  • Regular Contributor
  • *
  • Posts: 66
Re: Sniffing the Rigol's internal I2C bus
« Reply #2777 on: February 02, 2014, 07:10:38 pm »
Me too.. I can't download..... Please send it to www.yousendit.com, it works great
I am just waiting for it to be able to free my scope! lol >:D

Try again now, should be up

if not:
https://www.hightail.com/download/elNKUXV1dzg5bEJ2TzhUQw

yesssssssssssss I got it now !!!!
Please check if I am right..
All I need to do is:
1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a FAT32 pendrive.
2 - Press the power on button on the front panel of the instrument. All of the buttons will light. At the same time press two or three times the Help key on the front panel. All buttons will unlight.
3 - Insert the USB stick into the front panel.
4 - Wait for the end of the firmware update.
5 - All of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive.
6 - Check the new firmware version.
7 - Connect the USB cable to the PC and open up the Ultra Sigma software.
8 - Send the *IDN? command and get the keys back.
9 - Write the keys to the HxD editor and get the final serial and input on the DS2072A.

Is that right? If I understood correctly..
Thanks
 

Offline np

  • Newbie
  • Posts: 3
Re: Sniffing the Rigol's internal I2C bus
« Reply #2778 on: February 02, 2014, 07:24:42 pm »
You can use either my first firmware patch (https://mega.co.nz/#!FFk10SCY!UuWPXyqZwmca00pa2clOth1ryh1Z-AAgJg2yibfoUw0) with old keygen (riglol.3owl.com) or my newest patch from the post above with the new tirulerbach's keygen (if he decides to publish it).

Decided: https://mega.co.nz/#!qAkUkTZB!XG12bUKhIz4CmQt6DbBnGRMvEe5AvUjEaBxi4R03tw8  ;)


Just another generator that I quickly wrote (a bit ugly) as I received my DS2072A yesterday :) (before catching this message of course)

https://mega.co.nz/#!AcB11JAK!cHpnLrRwE2xJwz-ryTE6-zCXEgfmqlPEMj6AbaBzNmc


Usage : ./riglol-np DSHH 'RIGOL TECHNOLOGIES,DS2072A,DS2D123456789,020084001000........'

This should work as I can verify signed keys based on zombie28 code.


@zombie28, it will be cool if you can share the boot trick (magic buttons tricks),  and how to boot from the network (inject ldr  / kernel) and other stuff like compiled blackfin IDA plugin.

Riglol+


 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #2779 on: February 02, 2014, 08:02:28 pm »
Usage : ./riglol-np DSHH 'RIGOL TECHNOLOGIES,DS2072A,DS2D123456789,020084001000........'

Don't use DSHH option code with the new DS2kA keygen! This code is valid only for non-A models or firmware patched to use non-A license codes on DS2kA scopes. Take a look at tirulerbach's keygen for valid option codes.
« Last Edit: February 02, 2014, 08:08:19 pm by zombie28 »
 

Offline ju1ce

  • Regular Contributor
  • *
  • Posts: 96
  • Country: fi
Re: Sniffing the Rigol's internal I2C bus
« Reply #2780 on: February 02, 2014, 08:19:54 pm »
yesssssssssssss I got it now !!!!
Please check if I am right..
All I need to do is:
1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a FAT32 pendrive.
2 - Press the power on button on the front panel of the instrument. All of the buttons will light. At the same time press two or three times the Help key on the front panel. All buttons will unlight.
3 - Insert the USB stick into the front panel.
4 - Wait for the end of the firmware update.
5 - All of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive.
6 - Check the new firmware version.
7 - Connect the USB cable to the PC and open up the Ultra Sigma software.
8 - Send the *IDN? command and get the keys back.
9 - Write the keys to the HxD editor and get the final serial and input on the DS2072A.

Is that right? If I understood correctly..
Thanks

Yup, you got it.
 

Offline at2

  • Contributor
  • Posts: 18
Re: Sniffing the Rigol's internal I2C bus
« Reply #2781 on: February 02, 2014, 09:10:54 pm »
Hi zombie 28,
after receiving the long string by sending *IDN? of the encryption free made DS2072A I tried to put this
string into the HxD editor.
But which is the final serial?
I also tried the rigup keygenerator with the so received string from the DS2072A but I always receive the message "no keys in there".
Did I miss something, or did I send the wrong string to the keygenerator?

at2
 

Offline diyaudio

  • Frequent Contributor
  • **
  • !
  • Posts: 683
  • Country: za
Re: Sniffing the Rigol's internal I2C bus
« Reply #2782 on: February 02, 2014, 09:21:09 pm »
yesssssssssssss I got it now !!!!
Please check if I am right..
All I need to do is:
1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a FAT32 pendrive.
2 - Press the power on button on the front panel of the instrument. All of the buttons will light. At the same time press two or three times the Help key on the front panel. All buttons will unlight.
3 - Insert the USB stick into the front panel.
4 - Wait for the end of the firmware update.
5 - All of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive.
6 - Check the new firmware version.
7 - Connect the USB cable to the PC and open up the Ultra Sigma software.
8 - Send the *IDN? command and get the keys back.
9 - Write the keys to the HxD editor and get the final serial and input on the DS2072A.

Is that right? If I understood correctly..
Thanks

Yup, you got it.

Fail for me, I'm using Windows 8 x64 and Ultra Sigma crashes every time! And I didn't even get to install the updated firmware. The label on the CD says for DS2000A V01.02
I'VE GOT SOFTWARE VERSION 00.02.00, is this a Windows 8 x64 thing ???

Gosh, I'm trying to download the latest Ultra Sigma version, it is downloading so slooow from the Rigol server!


 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #2783 on: February 02, 2014, 09:25:18 pm »
@zombie28, it will be cool if you can share the boot trick (magic buttons tricks),  and how to boot from the network (inject ldr  / kernel) and other stuff like compiled blackfin IDA plugin.

I attached IDA blackfin plugin, but I don't know anything about the rest - it's cybernet's domain.
 

Offline tiagobaracho

  • Regular Contributor
  • *
  • Posts: 66
Re: Sniffing the Rigol's internal I2C bus
« Reply #2784 on: February 02, 2014, 09:32:18 pm »
On the rigup readme it says: "2.) Once you got a memory dump of your scope, use the tool "rigup" to create a list of suitable licenses. Example: rigup ds2072a memory_dump.bin"
How do I do this memory dump?
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #2785 on: February 02, 2014, 09:34:43 pm »
Hi zombie 28,
after receiving the long string by sending *IDN? of the encryption free made DS2072A I tried to put this
string into the HxD editor.
But which is the final serial?
I also tried the rigup keygenerator with the so received string from the DS2072A but I always receive the message "no keys in there".
Did I miss something, or did I send the wrong string to the keygenerator?

at2

You need to append your scope's serial number and terminate it with 0 in HxD editor.
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #2786 on: February 02, 2014, 09:39:09 pm »
On the rigup readme it says: "2.) Once you got a memory dump of your scope, use the tool "rigup" to create a list of suitable licenses. Example: rigup ds2072a memory_dump.bin"
How do I do this memory dump?

The answer is here: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg380144/#msg380144
 

Offline at2

  • Contributor
  • Posts: 18
Re: Sniffing the Rigol's internal I2C bus
« Reply #2787 on: February 02, 2014, 09:54:43 pm »
Hi zombie28,

I did as you wrote: "you need to append your scope's serial number and terminate it with 0 in HxD editor".

But it comes the same answer, that there will be no keys there inside.
What did I do wrong? I copied the whole string beginning with "Rigol.." and put it into the HxD editor with appending the SN and 0.
I did only the numbers following the text string "Rigol..." but I think this would be wrong.

Thank you for your excellent work for encrypting the DS2000A and for your assistance help.

at2
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #2788 on: February 02, 2014, 10:06:04 pm »
I did as you wrote: "you need to append your scope's serial number and terminate it with 0 in HxD editor".

But it comes the same answer, that there will be no keys there inside.
What did I do wrong? I copied the whole string beginning with "Rigol.." and put it into the HxD editor with appending the SN and 0.
I did only the numbers following the text string "Rigol..." but I think this would be wrong.

Put the string starting with '02008400...' as binary data, ie. 0x02, 0x00, 0x84, 0x00 and so on, then append your scope's serial number 'DS2D....' as plain ASCII text and then append 0x00 byte.
« Last Edit: February 02, 2014, 10:18:18 pm by zombie28 »
 

Offline diyaudio

  • Frequent Contributor
  • **
  • !
  • Posts: 683
  • Country: za
Re: Sniffing the Rigol's internal I2C bus
« Reply #2789 on: February 02, 2014, 10:27:57 pm »
Still no luck, can anyone please let me know what OS system they are using and why this software keeps crashing on me. :face palm:
« Last Edit: February 02, 2014, 10:58:39 pm by diyaudio »
 

Offline at2

  • Contributor
  • Posts: 18
Re: Sniffing the Rigol's internal I2C bus
« Reply #2790 on: February 02, 2014, 10:52:32 pm »
Hello zombie 28,
I did your helpful assistance but no luck. Yes, perhaps I'm not so familiar with it. But I did your advice:

"Put the string starting with '02008400...' as binary data, ie. 0x02, 0x00, 0x84, 0x00 and so on, then append your scope's serial number 'DS2D....' as plain ASCII text and then append 0x00 byte."

a) Rigup is running under DOS, so this cannot be the problem.
b) I did the parameters for HxD by: 16, DOS/IBM-ASCII, hex

Is it all right up to this point?

at2
 

Offline tirulerbach

  • Contributor
  • Posts: 33
Re: Sniffing the Rigol's internal I2C bus
« Reply #2791 on: February 02, 2014, 11:01:29 pm »
No need for playing with hex editors. You can use keyfiles with rigup, too. They are simple textfiles:

Code:
RC5KEY1:        88359067012Exxxxxxxxxxxxxxxxxxx
RC5KEY2:        3D44CD4EC48Fxxxxxxxxxxxxxxxxxxx
XXTEAKEY:       95F6CC12864Axxxxxxxxxxxxxxxxxxx
PUBKEY:         006CE7F7xxxxxxxx
PRIVKEY:        008ABBC4xxxxxxxx
SERIAL:         DS2D154xxxxxx

and then:

Code:
$ rigup license your-keyfile.txt NSEH NSER NSEQ
rigup license - Version 0.1

H8LXHB8-QEXAC7W-ZJMN5KH-APD9CVM    (NSEH = 0x1C087)
W2LAMX2-DBEFZCT-XSND62C-PG8JJVM    (NSER = 0x1C08F)
5CAZKCC-2Z865FH-MQVBXUB-BDV8E8M    (NSEQ = 0x1C097)

NSEH = All options
NSER = All options + 100 MHz
NSEQ = All options + 200 MHz

License-code for 300 MHz is unknown. Thought it could be NSFH but there are reports that it doesn't work.

If you're brave you could play with rigup and license-codes. You could use hex codes, too:

Code:
$ rigup license your-keyfile.txt 0x1C087 0x1C08F 0x1C097 0x1C0A7
rigup license - Version 0.1

H8LXHB8-QEXAC7W-ZJMN5KH-APD9CVM    (NSEH = 0x1C087)
W2LAMX2-DBEFZCT-XSND62C-PG8JJVM    (NSER = 0x1C08F)
5CAZKCC-2Z865FH-MQVBXUB-BDV8E8M    (NSEQ = 0x1C097)
XYJ69WE-SBZABHL-69FYG4N-W6DH2VM    (NSFH = 0x1C0A7)

I didn't try zombie28's patched firmware. So maybe somebody posts an example of what the output looks like and maybe I expand rigup to play nice with zombie28's code...
 

Offline diyaudio

  • Frequent Contributor
  • **
  • !
  • Posts: 683
  • Country: za
Re: Sniffing the Rigol's internal I2C bus
« Reply #2792 on: February 03, 2014, 12:01:30 am »
No need for playing with hex editors. You can use keyfiles with rigup, too. They are simple textfiles:

Code:
RC5KEY1:        88359067012Exxxxxxxxxxxxxxxxxxx
RC5KEY2:        3D44CD4EC48Fxxxxxxxxxxxxxxxxxxx
XXTEAKEY:       95F6CC12864Axxxxxxxxxxxxxxxxxxx
PUBKEY:         006CE7F7xxxxxxxx
PRIVKEY:        008ABBC4xxxxxxxx
SERIAL:         DS2D154xxxxxx

and then:

Code:
$ rigup license your-keyfile.txt NSEH NSER NSEQ
rigup license - Version 0.1

H8LXHB8-QEXAC7W-ZJMN5KH-APD9CVM    (NSEH = 0x1C087)
W2LAMX2-DBEFZCT-XSND62C-PG8JJVM    (NSER = 0x1C08F)
5CAZKCC-2Z865FH-MQVBXUB-BDV8E8M    (NSEQ = 0x1C097)

NSEH = All options
NSER = All options + 100 MHz
NSEQ = All options + 200 MHz

License-code for 300 MHz is unknown. Thought it could be NSFH but there are reports that it doesn't work.

If you're brave you could play with rigup and license-codes. You could use hex codes, too:

Code:
$ rigup license your-keyfile.txt 0x1C087 0x1C08F 0x1C097 0x1C0A7
rigup license - Version 0.1

H8LXHB8-QEXAC7W-ZJMN5KH-APD9CVM    (NSEH = 0x1C087)
W2LAMX2-DBEFZCT-XSND62C-PG8JJVM    (NSER = 0x1C08F)
5CAZKCC-2Z865FH-MQVBXUB-BDV8E8M    (NSEQ = 0x1C097)
XYJ69WE-SBZABHL-69FYG4N-W6DH2VM    (NSFH = 0x1C0A7)

I didn't try zombie28's patched firmware. So maybe somebody posts an example of what the output looks like and maybe I expand rigup to play nice with zombie28's code...

The DS2000Update.GEL help says:
Quote
Rigol "DS2000(DSP)update_00.02.01.00.03" firmware modified
to return license encryption keys after sending *IDN? SCPI
command. The keys file is returned instead of "the software
version of the instrument" in the following hex format:

02 00
84 00
10 00 <16 bytes of XXTEAKey>
20 00 <2x16 bytes of RC5Key1 and RC5Key2>
08 00 <8 bytes of bit-shuffled ECC public key>
40 00 <64 bytes of ASCII-HEX verification data>

Note: Use this firmware in DS2000A oscilloscopes only!



the keygen works like this
Quote
rigup - License generator for the Rigol DS2000_A series scopes
==============================================================

Use at your own risk!

1.) You need a memory dump from the scope you wish to upgrade. Read the
    forums how to achieve this.

    Important: ***Read***, not asking the same questions all the time.
    There are all necessary information. No pain, no gain! Just learn
    for your own benefit!

2.) Once you got a memory dump of your scope, use the tool "rigup" to
    create a list of suitable licenses. Example:

        rigup ds2072a memory_dump.bin

    Replace 'ds2072a' with your model number.

3.) Choose a license from the generated list and enter the 28 characters
    in your scope.

4.) Have fun and report success or failure to the forum!


This means we cannot use the patched firmware as you have shown with the rigup keyfile, the format of the patched firmware is not in the same keyfile format.. right? So we must use the hex editor.
 
Quote
I expand rigup to play nice with zombie28's code...

Please do, so it becomes easier
« Last Edit: February 03, 2014, 12:04:39 am by diyaudio »
 

Offline tirulerbach

  • Contributor
  • Posts: 33
Re: Sniffing the Rigol's internal I2C bus
« Reply #2793 on: February 03, 2014, 12:10:46 am »
This means we cannot use the patched firmware as you have shown with the rigup keyfile, the format of the patched firmware is not in the same keyfile format.. right? So we must use the hex editor.

Ahh.. Ok. So somebody should send me some "patched firmware keyfiles" and we will see...
 

Offline diyaudio

  • Frequent Contributor
  • **
  • !
  • Posts: 683
  • Country: za
Re: Sniffing the Rigol's internal I2C bus
« Reply #2794 on: February 03, 2014, 12:16:19 am »
yesssssssssssss I got it now !!!!
Please check if I am right..
All I need to do is:
1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a FAT32 pendrive.
2 - Press the power on button on the front panel of the instrument. All of the buttons will light. At the same time press two or three times the Help key on the front panel. All buttons will unlight.
3 - Insert the USB stick into the front panel.
4 - Wait for the end of the firmware update.
5 - All of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive.
6 - Check the new firmware version.
7 - Connect the USB cable to the PC and open up the Ultra Sigma software.
8 - Send the *IDN? command and get the keys back.
9 - Write the keys to the HxD editor and get the final serial and input on the DS2072A.

Is that right? If I understood correctly..
Thanks

Yup, you got it.

Fail for me, I'm using Windows 8 x64 and Ultra Sigma crashes every time! And I didn't even get to install the updated firmware. The label on the CD says for DS2000A V01.02
I'VE GOT SOFTWARE VERSION 00.02.00, is this a Windows 8 x64 thing ???

Gosh, I'm trying to download the latest Ultra Sigma version, it is downloading so slooow from the Rigol server!



Okay, I got the key using *IDN?. Luckily I have a spare notebook with Windows 7 x64. :)
 

Offline at2

  • Contributor
  • Posts: 18
Re: Sniffing the Rigol's internal I2C bus
« Reply #2795 on: February 03, 2014, 12:36:42 am »
So after all trying and erroring:

rigup.exe license dump.bin DSEZ (or something else?)

After enter, the rigup.exe crashes down.

Now, I don't know further.

Perhaps any idea?

at2
 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 572
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #2796 on: February 03, 2014, 01:09:51 am »
rigup.exe license dump.bin DSEZ (or something else?)
Something else! DSEZ is for non-A models. Use  NSEH, NSER or NSEQ as mentioned above.
But you don't have to type any 4-letter code at all.
Just type "rigup ds2072a memory_dump.bin" [replace ds2072a with your specific model name: ds2072a, ds2102a, ds2202a or ds2302a to only generate the codes relevant for your model].
Then it will generate for both NSEH, NSER, NSEQ and NSFH. But NSFH for 300 MHz doesn't seem to be the correct code, so use NSEQ for "All options + 200 MHz".

NSEH = All options
NSER = All options + 100 MHz
NSEQ = All options + 200 MHz

License-code for 300 MHz is unknown. Thought it could be NSFH but there are reports that it doesn't work.
« Last Edit: February 03, 2014, 01:20:45 am by AndersAnd »
 

Offline diyaudio

  • Frequent Contributor
  • **
  • !
  • Posts: 683
  • Country: za
Re: Sniffing the Rigol's internal I2C bus
« Reply #2797 on: February 03, 2014, 01:35:12 am »
yesssssssssssss I got it now !!!!
Please check if I am right..
All I need to do is:
1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a FAT32 pendrive.
2 - Press the power on button on the front panel of the instrument. All of the buttons will light. At the same time press two or three times the Help key on the front panel. All buttons will unlight.
3 - Insert the USB stick into the front panel.
4 - Wait for the end of the firmware update.
5 - All of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive.
6 - Check the new firmware version.
7 - Connect the USB cable to the PC and open up the Ultra Sigma software.
8 - Send the *IDN? command and get the keys back.
9 - Write the keys to the HxD editor and get the final serial and input on the DS2072A.

Is that right? If I understood correctly..
Thanks

Yup, you got it.

Quote
9 - write the keys to the HxD editor and get the final serial and input on the DS2072a
I'm stuck here, I've extracted the various addresses explained here

02 00
84 00
10 00 <16 bytes of XXTEAKey>
20 00 <2x16 bytes of RC5Key1 and RC5Key2>
08 00 <8 bytes of bit-shuffled ECC public key>
40 00 <64 bytes of ASCII-HEX verification data>

Note: Use this firmware in DS2000A oscilloscopes only!

RC5KEY1:  BCF38C.....   
RC5KEY2:  44A3403....     
XXTEAKEY: 50E3E8B8A71720...   
PUBKEY:   0200840010001809         
PRIVKEY:  04444000424137314533353943394136333435423731353741414432353035334236...   
SERIAL:   DS2D1....

when I map it as above and execute I get this.

rigup license final.txt NSEH NSER NSEQ
rigup license - Version 0.1

Error parsing line: 'RC5KEY1:  BCF38CB....
'
Loading keyfile 'final.txt' failed.

Uhmm, now I'm officially stuck :(
 


 
 

Offline tiagobaracho

  • Regular Contributor
  • *
  • Posts: 66
Re: Sniffing the Rigol's internal I2C bus
« Reply #2798 on: February 03, 2014, 01:44:59 am »
I GOT IT !!! I will make a detailed how-to in a few minutes for you guys that are having problems as I did!!!
 

Offline idpromnut

  • Supporter
  • ****
  • Posts: 613
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #2799 on: February 03, 2014, 01:51:13 am »
First of all, thank you zombie28 & tirulerbach for your work!  And now, some feedback:

I tried all three codes that were generated (minus NSFH) on a DS2072A:

NSEH: works a beauty.

NSER: seemed to work (i.e. all options enabled, + 100 MHz option + model was not DS2102A) but no 1ns timebase (still at 5ns minimum sweep). I decided to uninstall all the options and after that the 2ns, 1ns and 500ps (uhhh) timebases became available (also the model was reset to DS2072A). I reinstalled the NSER license and the 2ns, 1ns, and 500ps timebases disappear and all the options are enabled again and the model is back to DS2102A.

NSEQ: key was not taken by the scope at all (and no non-bandwidth options were enabled), said that No Licenses were available.
 

