Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1537260 times)

0 Members and 1 Guest are viewing this topic.

Offline farzadb82

  • Contributor
  • Posts: 12
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3575 on: October 03, 2014, 04:15:42 pm »
Quote
After factory reset (multipress left gray button #6 multiple during booting) and retry to enter generated keys...

Is there a secret 'reset' button like this for the DS1000Z ?

Unfortunately, there's nothing "officially" documented, that I was able to find. I attempted the procedure above, but had no success.

I tried the above and it reset all the options and went back to Chinese (seems just like "Storage->Default" but it resets the language as well).

Luckily it starts up in a state where it says "Language" on the menu...easy to go to a different language.

I tried the procedure on my MSO1000Z and ended up with a constant beeping noise (as if I'd pressed the button too many times), but no reset. It's possible that I did something incorrectly. I'll give it another shot tonight after work.
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 2108
Re: Sniffing the Rigol's internal I2C bus
« Reply #3576 on: October 03, 2014, 05:37:51 pm »
I tried the procedure on my MSO1000Z and ended up with a constant beeping noise (as if I'd pressed the button too many times), but no reset. It's possible that I did something incorrectly. I'll give it another shot tonight after work.

It is the 5th gray button on the left (not the bottom gray button).  When you press it during power on it will beep a couple of times until the Rigol screen comes up.  Keep pressing it.  You'll know it worked when you see Chinese!
 

Offline Gallymimus

  • Regular Contributor
  • *
  • Posts: 177
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3577 on: October 03, 2014, 05:59:49 pm »
DS4000 series Bandwidth (model type) Option Codes.

For those who have an interest in the DS4000, I have found the option codes for selecting the bandwidth .
This also sets the model type.

For example the code FAB9 will select 500Mhz, (DS405x), with all Decoders enabled.

The attached file contains all the details.

There are also two un-documented, possibly future, options called "Power Analysis" and "MA".

The option codes have been tested with firmware ver 00.02.00.00.04 and ver 00.02.01.00.03.

This was tested and is confirmed working BTW.  You can eliminate the need for Mr Krabs modified firmware and stick with stock stock firmware.  Bandwidth was NOT tested, but time base and system info look correct for 500MHz
 

Offline cap4096

  • Contributor
  • Posts: 7
Re: Sniffing the Rigol's internal I2C bus
« Reply #3578 on: October 04, 2014, 11:09:23 pm »
DS4000 series Bandwidth (model type) Option Codes.

For those who have an interest in the DS4000, I have found the option codes for selecting the bandwidth .
This also sets the model type.

For example the code FAB9 will select 500Mhz, (DS405x), with all Decoders enabled.

The attached file contains all the details.

There are also two un-documented, possibly future, options called "Power Analysis" and "MA".

The option codes have been tested with firmware ver 00.02.00.00.04 and ver 00.02.01.00.03.


I have a question: Does this work on a Rigol MSO4014?

/Cap4096

 

Offline seronday

  • Regular Contributor
  • *
  • Posts: 61
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3579 on: October 04, 2014, 11:58:17 pm »
If it is using one of the Firmware versions mentioned, then , Yes.

Try it and report back.
 

Offline cap4096

  • Contributor
  • Posts: 7
Re: Sniffing the Rigol's internal I2C bus
« Reply #3580 on: October 05, 2014, 12:41:23 am »
If it is using one of the Firmware versions mentioned, then , Yes.

Try it and report back.

Well I have to order it before trying :-) I will probably do that on monday.
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 405
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #3581 on: October 08, 2014, 12:20:46 pm »
 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 568
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #3582 on: October 08, 2014, 05:30:11 pm »
Ultra Power Analyzer software for the DS2000, DS4000, and MSO4000 series O'Scopes:
Yes the Software is available, and it looks like there may be a Key to enable it with the dso. Has anyone seen any codes in the firmware???
The "Power Analysis" option is listed in "DS4000 Option Codes.pdf" uploaded to this topic by seronday just a few days ago: https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg523679/#msg523679
 

Online Howardlong

  • Super Contributor
  • ***
  • Posts: 4978
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3583 on: October 15, 2014, 06:36:54 pm »
I tried the procedure on my MSO1000Z and ended up with a constant beeping noise (as if I'd pressed the button too many times), but no reset. It's possible that I did something incorrectly. I'll give it another shot tonight after work.

It is the 5th gray button on the left (not the bottom gray button).  When you press it during power on it will beep a couple of times until the Rigol screen comes up.  Keep pressing it.  You'll know it worked when you see Chinese!

I confirm that this works, but you need to start pressing the 5th grey button on the left within a few milliseconds after you switch on.

(To change language from Chinese, press the Utility button -> select Language).
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3584 on: October 17, 2014, 12:09:04 am »
Hello,

Could someone please post a key file (without the serial number is fine) generated with "rigup scan ..." from a memory dump of a DS1000Z series scope?

I've tried searching the forum and with Google but haven't had any luck.

Thanks.
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3585 on: October 17, 2014, 01:15:26 am »
Search within eevblog.
https://www.eevblog.com/forum/testgear/ds1000z-serie-unlocking/msg491026/#msg491026

The info I'm looking for doesn't seem to be there.

I'm looking for the DS1000Z equivalent of the key file, so the following info:

RC5KEY1:        ...
RC5KEY2:        ...
XXTEAKEY:       ...
PUBKEY:         ...
PRIVKEY:        ...
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3586 on: October 17, 2014, 02:57:56 am »
Is this search it. maybe not private (scroll)
https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg362575/#msg362575

Thats basically what I'm looking for, except for the DS1000Z series (the code you linked to looks like its for the DS2000 series).
 

Offline sptm14a

  • Contributor
  • Posts: 7
DS and MSO1000Z option codes
« Reply #3587 on: October 17, 2014, 04:50:09 am »
Here is a list of all 8 option codes for DS/MSO1000Z (firmware 00.04.01.SP2):

CSAR Triggers
CSAB Decoders
CSA3 Memory Depth
CSAJ Recorder
CSRA 500uV Vertical
CSAS ?
CSBA ?
CS3A ?

These are "official" options. "Trial" options start with "V", i.e. VSAR == Triggers trial

Plugging these into current versions of rigup/riglol won't work because Rigol slightly changed license validation/generation algorithm and character translation tables. I updated the algorithm to make it work for me, but but I'd rather not release it untested.


 

Offline farzadb82

  • Contributor
  • Posts: 12
  • Country: us
Re: DS and MSO1000Z option codes
« Reply #3588 on: October 17, 2014, 01:29:39 pm »
Here is a list of all 8 option codes for DS/MSO1000Z (firmware 00.04.01.SP2):

CSAR Triggers
CSAB Decoders
CSA3 Memory Depth
CSAJ Recorder
CSRA 500uV Vertical
CSAS ?
CSBA ?
CS3A ?

These are "official" options. "Trial" options start with "V", i.e. VSAR == Triggers trial

Plugging these into current versions of rigup/riglol won't work because Rigol slightly changed license validation/generation algorithm and character translation tables. I updated the algorithm to make it work for me, but but I'd rather not release it untested.

Thank you for passing along this info.

I have the MSO1000Z device and have been (unsuccessfully) trying to work out the new algorithm. I'd love to help test any changes that you may have or alternatively, if you could pass on more details on the algorithm changes, I'd be happy to integrate them into the keygen tools.
 

Offline NZST205

  • Contributor
  • Posts: 19
Re: Sniffing the Rigol's internal I2C bus
« Reply #3589 on: October 19, 2014, 06:07:33 pm »
Can anyone please help me by advising what format I should be saving the SCPI dump in, should it be ASCII, byte-8bit, byte-16bit or byte-32bit. As ASCII it creates a small (about 200Kb, the other formats create files 300-500+Mb, another is the 28-32 Mb range mentioned.

When I rigup any of the the file it says no keys. perhaps I need to hit the Advanced Tab in Current Return Value screen or something as not matter what file I save they are either 8 or 16 kb, not the 32 Mb file I am expecting. I have tried the scan with both 1,133554432 and 1544190,13262848.

Scope is a DS2072A with 03.01.00.04 and HW 1.02.0.2 Manufactured August 2014.
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Sniffing the Rigol's internal I2C bus
« Reply #3590 on: October 19, 2014, 08:34:41 pm »
There's only four choices.  Try them all. 

It might be mentioned somewhere... Have you read the entire thread?  I know it's very long, but there's like ts of knowledge in it for someone willing to take the time.
 

Offline NZST205

  • Contributor
  • Posts: 19
Re: Sniffing the Rigol's internal I2C bus
« Reply #3591 on: October 19, 2014, 08:42:12 pm »
Yep, been through it twice, and even downloaded this an other related threads and did a txt search but nothing that says what sort of format the file should be in or if the advanced tab is relevant.
 

Offline Helder22

  • Contributor
  • Posts: 22
Re: Sniffing the Rigol's internal I2C bus
« Reply #3592 on: October 19, 2014, 09:09:19 pm »
Ok, so I tried unlocking my new MSO2072A (3.00 SP1, HV 2.2, SN DS2F1629*****) using the DS2000A Upgrade Utility, but that did not work, So now I guess I'm gonna have to use the JTAG memory dump method. I really didn't want to because I'm afraid of messing something up permanently, but I as far as I've seen there are currently no alternatives.
I've already read most of this HUGE thread, and I guess I can say I understand the basic logic of it all, but the specifics are a bit over my head.
 
So now I have to order a JTAG adapter (and wait weeks for it to arrive). Is there any difference which one I get? I'm not really looking for the cheapest one, but one that would make the process simpler and therefore reducing the chances of me bricking my beloved new scope.
« Last Edit: October 19, 2014, 09:12:23 pm by Helder22 »
 

Offline navzptc

  • Contributor
  • Posts: 26
Re: Sniffing the Rigol's internal I2C bus
« Reply #3593 on: October 19, 2014, 11:04:13 pm »
Have a look at this forum, especially around message no. 189  ::)

You may find something to your advantage!

https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg506553/#msg506553
 

Offline Helder22

  • Contributor
  • Posts: 22
Re: Sniffing the Rigol's internal I2C bus
« Reply #3594 on: October 20, 2014, 12:28:04 am »
Oh my, I think it worked! Thanks navzptc (and everyone else)!
I have a 32,768KB scpi file now!

 
« Last Edit: October 20, 2014, 12:33:09 am by Helder22 »
 

Offline Helder22

  • Contributor
  • Posts: 22
Re: Sniffing the Rigol's internal I2C bus
« Reply #3595 on: October 20, 2014, 02:40:38 am »
Unlocked!
Thanks to everyone who did all the real work in order to make this possible!
« Last Edit: October 20, 2014, 02:42:19 am by Helder22 »
 

Offline NZST205

  • Contributor
  • Posts: 19
Re: Sniffing the Rigol's internal I2C bus
« Reply #3596 on: October 22, 2014, 07:58:08 am »
Have a look at this forum, especially around message no. 189  ::)

You may find something to your advantage!

https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg506553/#msg506553

I can't seem to find what format to save the SCPI file in (of the 4 options). ASCII creates a 15kb file and the three byte formats saves files all over 200 MBs. Perhaps as I am running Windows 7 Ultimate un Parallels it may be mucking things up. Can anyone please provide me with some guidance ?
 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 568
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #3597 on: October 22, 2014, 08:52:28 am »
Have a look at this forum, especially around message no. 189  ::)

You may find something to your advantage!

https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg506553/#msg506553

I can't seem to find what format to save the SCPI file in (of the 4 options). ASCII creates a 15kb file and the three byte formats saves files all over 200 MBs. Perhaps as I am running Windows 7 Ultimate un Parallels it may be mucking things up. Can anyone please provide me with some guidance ?
Probably better to ask in the topic where SCPI memory dump is discussed in detail, to keep the information about this method in one place: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg508898/#msg508898
« Last Edit: October 22, 2014, 09:02:27 am by AndersAnd »
 

Offline akisnas

  • Contributor
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3598 on: October 25, 2014, 09:50:28 am »
http://pastebin.com/ghYHnCfT
It would not have happened without:
The jtag firmware dump from DL5TOR
ecc help from some guy
Coding by Cybernet
Testing by Marc M.
I find it very selfless to release all your work for everyone to freely use. Good on all of you  :clap: :-+

Very nice job guys, I'd like to ask you about this link http://pastebin.com/ghYHnCfT it's an old & not working, is there anybody can help to find the files, or to help to unlock the options & 10 Hz RBW for a DSA815TG?
Best Regards
« Last Edit: October 25, 2014, 09:54:45 am by akisnas »
 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 568
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #3599 on: October 25, 2014, 10:33:29 am »
or to help to unlock the options & 10 Hz RBW for a DSA815TG?
Use the online Riglol keygen.

Original: http://riglol.3owl.com
Canadian mirror: http://gotroot.ca/rigol/riglol/
UK mirror: http://rigol.avotronics.co.uk/mirrors/riglol/
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf