Topic: Sniffing the Rigol's internal I2C bus

diyaudio
Re: Sniffing the Rigol's internal I2C bus
« Reply #2800 on: February 03, 2014, 01:57:16 am »
I GOT IT!!! I will make a detailed how-to in a few minutes for you guys who are having the same problem I did!!!
Please do, we will really appreciate it.
 

AndersAnd
« Reply #2801 on: February 03, 2014, 02:00:52 am »
RC5KEY1:  BCF38C.....   
RC5KEY2:  44A3403....     
XXTEAKEY: 50E3E8B8A71720...   
PUBKEY:   0200840010001809         
PRIVKEY:  04444000424137314533353943394136333435423731353741414432353035334236...   
SERIAL:   DS2D1....
I think your PUBKEY and PRIVKEY look wrong. Why are these not hexadecimal values?
I have tried to extract the values from one of the .bin memory dumps uploaded here using the "rigup scan" command and it generates a keyfile that looks like this:
RC5KEY1:        4155BFD82D429EA69B3EE7D7D59C8906
RC5KEY2:        B9BC53D8B8CE6CE3594555AA89556543
XXTEAKEY:       86F4A0930BC7ED276B2D6C2CE293535F
PUBKEY:         00A0581020E5C012
PRIVKEY:        005BCEE4DD323E4E
SERIAL:         DS2D154300287
 

tiagobaracho
« Reply #2802 on: February 03, 2014, 02:01:38 am »
How to hack your DS2000 series:

1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a FAT32 pendrive.
2 - Press the power-on button on the front panel of the instrument. All of the buttons will light up. At the same time, press the Help key on the front panel two or three times; all buttons will go dark.
3 - Insert the USB stick into the front panel.
4 - Wait for the end of the firmware update (may take 1 min.... be patient).
5 - All of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive. Turn it on again.
6 - Check the new firmware version, it should now be 00.02.01.
7 - Connect the USB cable to the PC and open up the Ultra Sigma software (you may need to install the full NI-VISA driver; google it and you will find it easy to download from ni.com).
8 - In the Ultra Sigma software, left-click on your scope in the list, click on SCPI Panel Control, then click the Send & Read button (the *IDN? command should already be written in the SCPI COMMAND field; if not, please type it). It will bring back something like:
RIGOL TECHNOLOGIES,DS2072A,DS2D154700708,020084001000E9BC3D59216F9F9A1DD30EFED1AE20F92000ABC495314FF8236E708F9A2C6E3F6E87D09019C79419FEA9E9F3862A12CA1DE90800819A17FCA12E500540003330313233345645645465333033374342323539363234343535354243343836453538424243353233314631353132443135383035353734463544413334
9 - Take the part from 020084 till the end, copy it and paste it into the HxD editor in the middle column (which then shows 02 00 84 00 10 00 E9 BC 3D 59 21 6F 9F 9A 1D D3 ..... and so on).
10 - Now, on the right side of the editor, just append your scope's serial number (DS2D1.......), no spaces, just append it, and then append some more 00 bytes after your serial in the middle column.
11 - Save the file on your hard drive, in the same folder as rigup.exe, open a command prompt, go to the rigup folder and run: rigup ds2072a key.txt (replace ds2072a with the model you have, and key.txt with the filename you saved).
Now it will show you the serials!!!

No credit for me other than the explaining... The guys here did ALL the hard work, but their level of understanding was so much higher than ours that those of us who just want to hack the scope got a little bit lost, right?
 

AndersAnd
« Reply #2803 on: February 03, 2014, 02:16:10 am »
RIGOL TECHNOLOGIES,DS2072A,DS2D154700708,020084001000E9BC3D59216F9F9A1DD30EFED1AE20F92000ABC495314FF8236E708F9A2C6E3F6E87D09019C79419FEA9E9F3862A12CA1DE90800819A17FCA12E500540003330313233345645645465333033374342323539363234343535354243343836453538424243353233314631353132443135383035353734463544413334
Does this work with the key values and serial you have posted here? I can't get it to work using these values. I just get this error message when typing rigup ds2072a key.txt after saving the hex file as key.txt:
Scanning 'key.txt' failed: No keys

I have attached the key.txt I generated with HxD for reference.
« Last Edit: February 03, 2014, 02:27:42 am by AndersAnd »
 

diyaudio
« Reply #2804 on: February 03, 2014, 02:20:05 am »
How to hack your DS2000 series:

1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a FAT32 pendrive.
2 - Press the power-on button on the front panel of the instrument. All of the buttons will light up. At the same time, press the Help key on the front panel two or three times; all buttons will go dark.
3 - Insert the USB stick into the front panel.
4 - Wait for the end of the firmware update (may take 1 min.... be patient).
5 - All of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive. Turn it on again.
6 - Check the new firmware version, it should now be 00.02.01.
7 - Connect the USB cable to the PC and open up the Ultra Sigma software (you may need to install the full NI-VISA driver; google it and you will find it easy to download from ni.com).
8 - In the Ultra Sigma software, left-click on your scope in the list, click on SCPI Panel Control, then click the Send & Read button (the *IDN? command should already be written in the SCPI COMMAND field; if not, please type it). It will bring back something like:
RIGOL TECHNOLOGIES,DS2072A,DS2D154700708,020084001000E9BC3D59216F9F9A1DD30EFED1AE20F92000ABC495314FF8236E708F9A2C6E3F6E87D09019C79419FEA9E9F3862A12CA1DE90800819A17FCA12E500540003330313233345645645465333033374342323539363234343535354243343836453538424243353233314631353132443135383035353734463544413334
9 - Take the part from 020084 till the end, copy it and paste it into the HxD editor in the middle column (which then shows 02 00 84 00 10 00 E9 BC 3D 59 21 6F 9F 9A 1D D3 ..... and so on).
10 - Now, on the right side of the editor, just append your scope's serial number (DS2D1.......), no spaces, just append it, and then append some more 00 bytes after your serial in the middle column.
11 - Save the file on your hard drive, in the same folder as rigup.exe, open a command prompt, go to the rigup folder and run: rigup ds2072a key.txt (replace ds2072a with the model you have, and key.txt with the filename you saved).
Now it will show you the serials!!!

No credit for me other than the explaining... The guys here did ALL the hard work, but their level of understanding was so much higher than ours that those of us who just want to hack the scope got a little bit lost, right?

Thanks dude, that worked. Don't forget that when using Windows 8 you need to run it from a command prompt as administrator; I had an issue when not running it as admin. Now for the moment of truth, try the keys... :)

 

mrflibble
« Reply #2805 on: February 03, 2014, 02:33:53 am »
Quick question about the current state of affairs.

DS1074Z and DS2072 ==> hack working for ages, based on common private key.

DS2072A ==> recently hacked, based on a separate key for each scope.

Correct?

Reason I ask .. I'm currently debating DS1074Z vs DS2072(A) and have just about decided in favor of the 1074Z. But whatever it becomes, always good to know what tools are available. ;)

Incidentally, when reading about some older hacks I noticed that one of those used USB-TMC on the front USB port. Does anyone know roughly what the capabilities of this USB port are? Is it just SCPI commands over USB, or some other stuff as well?
 

diyaudio
Okay, it works. However, I did a dumb thing: I installed the untested 300 MHz option. How do you uninstall the 300 MHz option?
 

AndersAnd
Okay, it works. However, I did a dumb thing: I installed the untested 300 MHz option. How do you uninstall the 300 MHz option?
https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg375454/#msg375454
 

AndersAnd
Quick question about the current state of affairs.

DS1074Z and DS2072 ==> hack working for ages, based on common private key.

DS2072A ==> recently hacked, based on seperate key for each scope.

Correct?
Correct.
 

diyaudio
Okay, it works. However, I did a dumb thing: I installed the untested 300 MHz option. How do you uninstall the 300 MHz option?
https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg375454/#msg375454

Thanks
:SYSTem:OPTion:UNINSTall

Syntax
:SYSTem:OPTion:UNINSTall

Description
Unload the option installed.

Works.
 

tiagobaracho
« Reply #2810 on: February 03, 2014, 02:57:03 am »
The two pictures say it all!!
I am so happy that you guys did it... you guys have just "transformed" a 70 MHz oscilloscope into a 200 MHz one.... That's in another price class..
Thanks very much once again!
 

diyaudio
Success! It's been a long night for me. I just wanted to give a very humble thank you to everyone who participated, especially to the ones who work in the silicon shadows: a really big thank you, I/we really appreciate this.

tiagobaracho
« Reply #2812 on: February 03, 2014, 03:11:50 am »
Just to keep it complete!

How to hack your DS2000 series:

Download the firmware: https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc
Download rigup: https://mega.co.nz/#!qAkUkTZB!XG12bUKhIz4CmQt6DbBnGRMvEe5AvUjEaBxi4R03tw8 or https://www.hightail.com/download/elNKUXV1dzg5bEJ2TzhUQw


1 - Copy the DS2000Update.GEL from the DS2000(DSP)update_00.02.01.00.03 (license keys dump) zip file to a FAT32 pendrive.
2 - Press the power-on button on the front panel of the instrument. All of the buttons will light up. At the same time, press the Help key on the front panel two or three times; all buttons will go dark.
3 - Insert the USB stick into the front panel.
4 - Wait for the end of the firmware update (may take more than 1 min.... be patient).
5 - All of the buttons on the front panel will be lit. Turn off the scope. Remove the pendrive. Turn it on again.
6 - Check the new firmware version, it should now be 00.02.01.
7 - Connect the USB cable to the PC and open up the Ultra Sigma software (you may need to install the full NI-VISA driver; google it and you will find it easy to download from ni.com).
8 - In the Ultra Sigma software, left-click on your scope in the list, click on SCPI Panel Control, then click the Send & Read button (the *IDN? command should already be written in the SCPI COMMAND field; if not, please type it). It will bring back something like:
RIGOL TECHNOLOGIES,DS2072A,DS2D154700708,020084001000E9BC3D59216F9F9A1DD30EFED1AE20F92000ABC495314FF8236E708F9A2C6E3F6E87D09019C79419FEA9E9F3862A12CA1DE90800819A17FCA12E500540003330313233345645645465333033374342323539363234343535354243343836453538424243353233314631353132443135383035353734463544413334
9 - Take the part from 020084 till the end, copy it and paste it into the HxD editor in the middle column (which then shows 02 00 84 00 10 00 E9 BC 3D 59 21 6F 9F 9A 1D D3 ..... and so on).
10 - Now, on the right side of the editor, just append your scope's serial number (DS2D1.......), no spaces, just append it, and then append some more 00 bytes after your serial in the middle column.
11 - Save the file on your hard drive, in the same folder as rigup.exe, open a command prompt, go to the rigup folder and run: rigup ds2072a key.txt (replace ds2072a with the model you have, and key.txt with the filename you saved).
Now it will show you the serials!!!

No credit for me other than the explaining... The guys here did ALL the hard work!
« Last Edit: February 03, 2014, 05:47:32 am by tiagobaracho »
 

Rigol-Friend
« Reply #2813 on: February 03, 2014, 03:27:56 am »
Hi everybody,

here is a small piece of info about the Rigol DSA815-TG:

After pressing the following keys
TRACE > TG > MARKER FCTN > MEAS SETUP > SYSTEM > PRINT SETUP > STORAGE

you will get a hidden menu called "Service" on the second page of the system menu. It is not permanent; after the next power-on it's hidden again.

In the next few days I will examine this new menu, maybe it's helpful. ???

Have a nice day
Rigol-Friend
My English is VERY poor, sorry. I learned it in school, more than 55 years ago.

But I'm a happy owner of a Rigol DSA815-TG with all options + DS2302 (was DS2072) + DG4202 (was DG4062)
Mega thanks to the developers of the key generator! Especially to CYBERNET with his brilliant brain!
 

cybermaus
« Reply #2814 on: February 03, 2014, 08:18:06 am »
The two pictures say it all!!

I sometimes see these thank-you pictures. I really wonder if the gurus and owners of this thread should not ask the rest of us to tone it down. I do appreciate the wonderful and unbelievable skill and effort, of course. And a thank-you note is in order.

But it's one thing for Rigol to dig through text to count the number of people using this. It is quite another to give them large screaming visuals they can then use in PowerPoint presentations to their managers. Too many hurrahs, and the firmware will close even more.
 

MrsR
« Reply #2815 on: February 03, 2014, 09:05:03 am »
Okay, it works. However, I did a dumb thing: I installed the untested 300 MHz option. How do you uninstall the 300 MHz option?
https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg375454/#msg375454

You should have given him the information I was given; after all, it was the same question.
THANKS
Rachael
 

zombie28
« Reply #2816 on: February 03, 2014, 10:40:39 am »
Does this work with the key values and serial you have posted here? I can't get it to work using these values. I just get this error message when typing rigup ds2072a key.txt after saving the hex file as key.txt:
Scanning 'key.txt' failed: No keys

I have attached the key.txt I generated with HxD for reference.

This file contains some invalid chars and is too short. Maybe the *IDN? response was distorted during transmission, or UltraSigma doesn't expect such a long string and sometimes fails to show it correctly? I don't know, it's just my speculation. However, the last data block, starting at offset 0x44, can be fixed manually, provided the rest of the file is correct. It should contain 64 ASCII-HEX digits, but it doesn't matter what data is there, because it's not used by the keygen for computations.
 
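The following is an added example, not code from the thread, from rigup or from its author. It automates steps 8 to 11 of the how-to posted above (the HxD work: take the fourth comma field of the *IDN? reply, hex-decode it, append the serial as ASCII, pad with 00 bytes) and applies zombie28's check from the post just above: the block at offset 0x44 should be 64 ASCII-HEX digits, and because the keygen does not use it, a damaged tail can be rewritten. The sample input is the *IDN? reply tiagobaracho posted, so the tool reproduces zombie28's diagnosis of it (too short, stray non-hex characters). The 0x44 + 64 layout and the "DS2A serial = non-A scope" reading both come from the posts above; the amount of zero padding after the serial and the upper-case-only hex check are assumptions of this example, not something rigup is known to require.

```python
"""Build and sanity-check a rigup key file from a patched DS2000A *IDN? reply.

Added example for the thread above; not rigup code.  Layout below 0x44 is
not interpreted here at all: rigup's own 'scan' does that.
"""
import string
import sys

HEADER_LEN = 0x44                 # from the thread: key material ends here
TAIL_LEN = 64                     # from the thread: 64 ASCII-HEX digits follow
EXPECTED_BLOB_LEN = HEADER_LEN + TAIL_LEN   # 132 bytes, i.e. 264 hex digits
ZERO_PAD = 16                     # assumption: how-to says "append more 00" without a count
UPPER_HEX = frozenset(b"0123456789ABCDEF")  # assumption: posted tail is upper-case only

# The *IDN? reply tiagobaracho posted in the thread (real data from the page).
SAMPLE_IDN = (
    "RIGOL TECHNOLOGIES,DS2072A,DS2D154700708,"
    "020084001000E9BC3D59216F9F9A1DD30EFED1AE20F92000ABC495314FF8236E"
    "708F9A2C6E3F6E87D09019C79419FEA9E9F3862A12CA1DE90800819A17FCA12E"
    "50054000333031323334564564546533303337434232353936323434"
    "3535354243343836453538424243353233314631353132443135383035353734463544413334"
)


def parse_idn(reply):
    """Split the reply into (model, serial, blob); blob is the 4th field hex-decoded."""
    fields = reply.strip().split(",")
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}")
    _vendor, model, serial, blob_hex = (f.strip() for f in fields)
    if len(blob_hex) % 2 or not all(c in string.hexdigits for c in blob_hex):
        raise ValueError("fourth field is not an even-length hex string")
    return model, serial, bytes.fromhex(blob_hex)


def tail_bad_chars(blob):
    """Characters in the block at 0x44 that are not upper-case ASCII hex digits."""
    return sorted(chr(b) for b in set(blob[HEADER_LEN:]) if b not in UPPER_HEX)


def diagnose(model, serial, blob):
    """Return human-readable problems; an empty list means the blob looks sane."""
    problems = []
    # Inference from the thread: the non-A scope posted had a DS2A... serial and
    # no keys to dump; the A-model serials posted start with DS2D.
    if not model.upper().endswith("A") or serial.upper().startswith("DS2A"):
        problems.append("looks like a non-A model: no keys to dump, use the riglol keygen instead")
    if len(blob) != EXPECTED_BLOB_LEN:
        problems.append(f"blob is {len(blob)} bytes, expected {EXPECTED_BLOB_LEN} "
                        f"(0x44 of key material + 64 ASCII-HEX digits)")
    bad = tail_bad_chars(blob)
    if bad:
        problems.append("non-hex characters in the trailing block: " + "".join(bad))
    return problems


def repair_tail(blob):
    """Replace the trailing block with 64 ASCII '0' digits.

    Per zombie28 the keygen does not use this block, so any content works as
    long as the key material before 0x44 arrived intact.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than 0x44 bytes: the key material itself is truncated")
    return blob[:HEADER_LEN] + b"0" * TAIL_LEN


def build_keyfile(blob, serial, pad=ZERO_PAD):
    """Mirror the HxD steps: raw blob, then the serial as ASCII, then 0x00 padding."""
    return blob + serial.encode("ascii") + b"\x00" * pad


def main(argv):
    reply = argv[1] if len(argv) > 1 else SAMPLE_IDN
    out = argv[2] if len(argv) > 2 else "key.txt"
    model, serial, blob = parse_idn(reply)
    for problem in diagnose(model, serial, blob):
        print("warning:", problem)
    if len(blob) != EXPECTED_BLOB_LEN or tail_bad_chars(blob):
        blob = repair_tail(blob)
        print("trailing block rewritten; check the result with 'rigup scan'")
    with open(out, "wb") as f:
        f.write(build_keyfile(blob, serial))
    print(f"wrote {out} for {model} serial {serial}; next: rigup {model.lower()} {out}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python mkkey.py "<pasted *IDN? reply>" key.txt` and feed the result to rigup as in step 11. On the posted reply it reports a 130-byte blob (two bytes short) and the characters T, V, d, e in the trailing block, which is exactly what zombie28 found in AndersAnd's file; the key material below 0x44 is left untouched, so if rigup still reports "No keys" after the repair, the damage is in the part this script deliberately does not try to fix.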

zombie28
$ rigup license your-keyfile.txt NSEH NSER NSEQ
rigup license - Version 0.1

H8LXHB8-QEXAC7W-ZJMN5KH-APD9CVM    (NSEH = 0x1C087)
W2LAMX2-DBEFZCT-XSND62C-PG8JJVM    (NSER = 0x1C08F)
5CAZKCC-2Z865FH-MQVBXUB-BDV8E8M    (NSEQ = 0x1C097)

NSEH = All options
NSER = All options + 100 MHz
NSEQ = All options + 200 MHz

The license code for 300 MHz is unknown. I thought it could be NSFH, but there are reports that it doesn't work.

If you're brave you could play with rigup and license codes. You can use hex codes, too:

$ rigup license your-keyfile.txt 0x1C087 0x1C08F 0x1C097 0x1C0A7
rigup license - Version 0.1

H8LXHB8-QEXAC7W-ZJMN5KH-APD9CVM    (NSEH = 0x1C087)
W2LAMX2-DBEFZCT-XSND62C-PG8JJVM    (NSER = 0x1C08F)
5CAZKCC-2Z865FH-MQVBXUB-BDV8E8M    (NSEQ = 0x1C097)
XYJ69WE-SBZABHL-69FYG4N-W6DH2VM    (NSFH = 0x1C0A7)


I didn't check it yet, but I think that 300 MHz + all options should be set by value of 0x1C0C7 (NS8H).
« Last Edit: February 03, 2014, 11:14:41 am by zombie28 »
 

johna
Hi,

1. Is using the DS2000 firmware on a DS2000A reversible? Can you just replace it with the original firmware later? Where do you get the original firmware? Is it possible to back up the firmware?
2. Is this firmware altered, or is it just the original non-A firmware?
3. Do you lose the trial options? Is it possible, after restoring the original DS2000A firmware, to still have the trial options?
4. I guess firmware updates are not an option when using the 00.02.01.00.03 from the non-A series.
 

diyaudio
Okay, it works. However, I did a dumb thing: I installed the untested 300 MHz option. How do you uninstall the 300 MHz option?
https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg375454/#msg375454

You should have given him the information I was given; after all, it was the same question.
THANKS
Rachael

I actually ended up using the Rigol command manual before I got the answer in the thread; we use the manuals when we become desperate :D
« Last Edit: February 03, 2014, 11:34:21 am by diyaudio »
 

hari
https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc

No need for JTAG memory dumps anymore, just send the *IDN? command and you'll get your license encryption keys in the response (tested on my DS2072A that has just arrived).
Zombie28, may I kindly ask you to provide an md5 or sha sum of your patched firmware file?

thank you very much,
hari
 

Spikee
I'm sorry to bother you guys, but it is not working with my Rigol DS2072(A?).
I think my key/memory dump is too long:

The dump part (Rigol DS2072):
3E3C0E435D39DB813C3CC643093CD6837C7C87C78D0CC3833D0101000000000100000000000000000000000000000000000000000000001E0000006400000000000000001100000012000002130000001400000015000000160000001700000018000000190002001A0000001B0004001C0000001D0000001E0000001F00000020000100
My model number is: DS2A143101119

Could anyone be so kind as to try / fix this for me?

Thanks!
(the IDN return count is 305, I tried several times)
« Last Edit: February 03, 2014, 05:15:21 pm by Spikee »
Freelance electronics design service, Small batch assembly, Firmware / WEB / APP development. In Shenzhen China
 

cepphus
What chances are there to patch a firmware so that it outputs the key and serial when you send it "*IDN?"? That would be good.

Done!

https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc

No need for JTAG memory dumps anymore, just send the *IDN? command and you'll get your license encryption keys in the response (tested on my DS2072A that has just arrived).

Amazing!
Now the JTAG adapter I ordered will show up way too late, as it seems. Or is there still interest from any of you superhackers in getting access to more memory dumps from 2072A scopes? If so, I'll be happy to share mine..
 

np

I didn't check it yet, but I think that 300 MHz + all options should be set by value of 0x1C0C7 (NS8H).

Thanks zombie28 for the IDA plugin ;)

I confirm, 0x1C0C7 is the right option for permanent 300 MHz + all options (screenshot). Timebase: 1 ns

Congratulations to all the team members who made that possible
 

zombie28
I'm sorry to bother you guys but it is not working with my rigol Ds2072(A?).
[...]
My Model number is: DS2A143101119

Apparently you have a non-A model, so there are no keys to dump in your scope. Just use the 'riglol' keygen.
 

