Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1619677 times)


Offline Jacobs

  • Newbie
  • Posts: 1
Re: Sniffing the Rigol's internal I2C bus
« Reply #3825 on: February 05, 2015, 08:04:53 pm »
Hi guys!

I have an idea to solve the license problem in the new DSA815. Has somebody tried to change the S/N in a DSA815? If earlier devices can work correctly with firmware 00.01.09 and installed licences, I suppose that the key to "upgrading" a DSA815 is the S/N. I read on the forum that the date of production is coded in the S/N. Firmware 00.01.09 probably uses this coded date to verify the installed licences. Does somebody know a way to change the S/N?
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: ca
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #3826 on: February 05, 2015, 08:18:58 pm »
Quote from: Jacobs
Hi guys!

I have an idea to solve the license problem in the new DSA815. Has somebody tried to change the S/N in a DSA815? If earlier devices can work correctly with firmware 00.01.09 and installed licences, I suppose that the key to "upgrading" a DSA815 is the S/N. I read on the forum that the date of production is coded in the S/N. Firmware 00.01.09 probably uses this coded date to verify the installed licences. Does somebody know a way to change the S/N?

I suggest NOT changing the S/N.  It won't help, and you would be sorry!

Edit:  It is the BootLoader .04 that was supplied with the new factory DSA815's with Firmware .09 and .12 that is the problem.  If the BootLoader can be changed back to version .03 (or .02) then you will be able to downgrade to an earlier Firmware version.  Then use the Riglol 1.03c or 1.03d Keygen to add the Options in the DSA.  And finally upgrade to Firmware .12 to get all the new features.  BTW BootLoader .03 was incorporated with Firmware .06.  Or, wait for someone to possibly develop a new Riglol Keygen to work with the current version of .12 Firmware.
« Last Edit: February 05, 2015, 09:56:40 pm by ted572 »
 

Offline SteveyG

  • Supporter
  • ****
  • Posts: 921
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3827 on: February 08, 2015, 01:06:50 pm »
Another happy MSO1074Z user :) Thanks to rmd79 and 0ff!. I documented my steps here:

YouTube Channel: https://www.youtube.com/user/sdgelectronics/
Use code: “SDG5” to get 5% off JBC Equipment at Kaisertech
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2229
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #3828 on: February 12, 2015, 04:02:35 pm »
Hi,
    first post here on the eevblog. First off, really great work guys (and gal), and nice video Stevey. Took a while to read all 258 pages of this thread, but I've still got a few questions:

I've been asked to "liberate" the features on an MSO1074Z-S for someone. It seems that the hack for this is still a "work in progress". I don't fancy trying to remove the warranty seal from this guy's scope. Is it just a matter of time before the key has been found so that this scope can be hacked with Riglol like the other scopes, or is there some factor that means it will always require a RAM dump to get the license info?
If it will always require a RAM dump: I don't have an Olimex, but I do have a Chinese clone Xilinx USB Blaster USB-JTAG. This one I think: http://www.ebay.de/itm/171008779562 . Does anyone know if this will work with OpenOCD / imx28? Or will I have to buy an Olimex for this?

Thanks
McBryce.
 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 572
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #3829 on: February 13, 2015, 01:33:50 pm »

Here's part of the source code in riglol.c (source code can be downloaded at the bottom of http://riglol.3owl.com)

I don't know who wrote/maintains this code, but I found a small bug that I want to report.
There is a line which may or may not function as desired depending on the compiler.
Here is my simple fix:
Code: [Select]
--- riglol_orig.c 2015-02-03 12:53:18.659248144 -0800
+++ riglol.c 2015-02-03 12:54:16.283267920 -0800
@@ -141,7 +141,7 @@
 char * strtoupper(char *str) {
     char *newstr, *p;
     p = newstr = (char*) strdup((char*)str);
-    while ((*p++ = toupper(*p)));
+    while (*p = toupper(*p)) { p++; }
     return newstr;
 }
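Review bot: the replacement loop `while (*p = toupper(*p)) { p++; }` still passes a plain `char` to `toupper()`, which takes an `int` and is only defined for values representable as `unsigned char` (or EOF); on a platform where `char` is signed, any byte >= 0x80 in the input is undefined behaviour, so it should read `toupper((unsigned char)*p)`. The change itself is correct: the original `(*p++ = toupper(*p))` both modifies `p` and reads `*p` with no sequence point in between, so which element the result lands in was compiler-dependent, which matches the "may or may not function depending on the compiler" symptom. Two smaller points on the same lines: keep the double parentheses around the assignment-as-condition, as the original had, so `-Wparentheses` stays quiet, and `strdup()` two lines up can return NULL, which the loop then dereferences unchecked.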

studio25 wrote/maintains this code and hosts it at 3owl. So try PM'ing your modifications to him.

The two other Riglol sites hosted by other members are just mirrors of studio25's Riglol site at 3owl:

Original made by studio25: http://riglol.3owl.com
Canadian mirror hosted by ve7xen: http://gotroot.ca/rigol/riglol/
UK mirror hosted by Avotronics: http://rigol.avotronics.co.uk/mirrors/riglol/
 

Offline SteveyG

  • Supporter
  • ****
  • Posts: 921
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3830 on: February 13, 2015, 10:31:03 pm »
Quote from: McBryce
Hi,
    first post here on the eevblog. First off, really great work guys (and gal), and nice video Stevey. Took a while to read all 258 pages of this thread, but I've still got a few questions:

I've been asked to "liberate" the features on an MSO1074Z-S for someone. It seems that the hack for this is still a "work in progress". I don't fancy trying to remove the warranty seal from this guy's scope. Is it just a matter of time before the key has been found so that this scope can be hacked with Riglol like the other scopes, or is there some factor that means it will always require a RAM dump to get the license info?
If it will always require a RAM dump: I don't have an Olimex, but I do have a Chinese clone Xilinx USB Blaster USB-JTAG. This one I think: http://www.ebay.de/itm/171008779562 . Does anyone know if this will work with OpenOCD / imx28? Or will I have to buy an Olimex for this?

Thanks
McBryce.

Hi,

Essentially the JTAG interface has to be compatible with the ARM processor and with openocd.

This should work, although you'd have to wait for shipping http://www.ebay.de/itm/JLINK-J-LINK-V8-Emulator-ARM-4-74B-MDK5-0-PRTR5V0U4D-JTAG-Interface-Auto-Update-/271596747000
YouTube Channel: https://www.youtube.com/user/sdgelectronics/
Use code: “SDG5” to get 5% off JBC Equipment at Kaisertech
 

Offline metRo_

  • Regular Contributor
  • *
  • Posts: 90
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #3831 on: February 18, 2015, 01:41:34 pm »
Quote from: McBryce
If it will always require a RAM dump: I don't have an Olimex, but I do have a Chinese clone Xilinx USB Blaster USB-JTAG. This one I think: http://www.ebay.de/itm/171008779562 . Does anyone know if this will work with OpenOCD / imx28? Or will I have to buy an Olimex for this?
USB Blaster should work.

To unlock the 1054Z I can use the website with the keygen, can't I? Is it possible to reverse the process if for some reason I need to send it in for warranty?
 

Offline aveekbh

  • Regular Contributor
  • *
  • Posts: 62
  • Country: in
Re: Sniffing the Rigol's internal I2C bus
« Reply #3832 on: February 18, 2015, 04:24:50 pm »
Quote from: metRo_
Is it possible to reverse the process if for some reason I need to send it in for warranty?
I believe you can uninstall all the options by issuing the SCPI command :SYSTem:OPTion:UNINSTall over LXI or USBTMC.

 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 623
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #3833 on: February 18, 2015, 06:04:06 pm »
Quote from: metRo_
Quote from: McBryce
If it will always require a RAM dump: I don't have an Olimex, but I do have a Chinese clone Xilinx USB Blaster USB-JTAG. This one I think: http://www.ebay.de/itm/171008779562 . Does anyone know if this will work with OpenOCD / imx28? Or will I have to buy an Olimex for this?
USB Blaster should work.

To unlock the 1054Z I can use the website with the keygen, can't I? Is it possible to reverse the process if for some reason I need to send it in for warranty?

I thought the DS1000Z did not need to dump memory.  Only the MSO1000Z's needed that.
I would try using the site or rigup first before doing a dump.  No sense in opening it up if you do not have to.
Sandra
(Yes, I am a Woman :p )
 

Offline Zandor

  • Contributor
  • Posts: 8
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3834 on: February 18, 2015, 08:28:54 pm »
Quote from: smgvbest
Quote from: metRo_
Quote from: McBryce
If it will always require a RAM dump: I don't have an Olimex, but I do have a Chinese clone Xilinx USB Blaster USB-JTAG. This one I think: http://www.ebay.de/itm/171008779562 . Does anyone know if this will work with OpenOCD / imx28? Or will I have to buy an Olimex for this?
USB Blaster should work.

To unlock the 1054Z I can use the website with the keygen, can't I? Is it possible to reverse the process if for some reason I need to send it in for warranty?

I thought the DS1000Z did not need to dump memory.  Only the MSO1000Z's needed that.
I would try using the site or rigup first before doing a dump.  No sense in opening it up if you do not have to.

Correct, the 1054Z does not need to be opened up.  Just use the website or download the executable and run it on your system.

I have heard you should run it several times if using the website as it sometimes has problems giving a correct key.  Run it until you get the same key several times.
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2229
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #3835 on: February 19, 2015, 10:45:03 am »
In my case it's an MSO. However, the owner hasn't made up his mind yet whether he wants to risk messing with the warranty seal. In the meantime, I've noticed that eBay has been purged of all dodgy Chinese Segger devices (including the one that SteveyG linked to). If he does decide to go ahead with the "liberation" I'll try my Xilinx JTAG programmer first.

McBryce.
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 623
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #3836 on: February 22, 2015, 07:44:31 am »
Quote from: McBryce
In my case it's an MSO. However, the owner hasn't made up his mind yet whether he wants to risk messing with the warranty seal. In the meantime, I've noticed that eBay has been purged of all dodgy Chinese Segger devices (including the one that SteveyG linked to). If he does decide to go ahead with the "liberation" I'll try my Xilinx JTAG programmer first.

McBryce.

You can remove the warranty sticker without voiding it.  Check it out here if you have not seen it

I did my MSO1074Z-S and it's actually pretty easy to do.  I have an old Amontec JTAG-Key I use, based on the FTDI 2232 which a lot are based on now, and it works great.  As long as OpenOCD supports it you should be fine, so instead of buying one you might get OpenOCD and see which ones it supports, then get one it supports.  I know OpenOCD supports some of the Xilinx ones so just check yours is supported.

Sandra
(Yes, I am a Woman :p )
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2229
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #3837 on: February 22, 2015, 12:06:46 pm »
Yes you can, but it's not 100% guaranteed that you manage it. Even watching the video, you only get one chance and if it goes wrong then... I'm not sure I want to offer this service, especially as the owner isn't all that confident/happy with the prospect either.
I've also checked and the Xilinx JTAG I have isn't compatible with OpenOCD (yet). So it looks like the guy is just going to have to buy the licenses if he wants the functions, or live without them (as it's supposed to be done anyway) :)

McBryce.
 

Offline SteveyG

  • Supporter
  • ****
  • Posts: 921
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3838 on: February 22, 2015, 12:23:42 pm »
I wonder if there are some warranty stickers on eBay that match those used on the Rigol  :-//
YouTube Channel: https://www.youtube.com/user/sdgelectronics/
Use code: “SDG5” to get 5% off JBC Equipment at Kaisertech
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 623
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #3839 on: February 23, 2015, 06:21:36 am »
Haven't seen a match yet
Sandra
(Yes, I am a Woman :p )
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5128
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3840 on: February 23, 2015, 09:08:50 am »
While I understand the reticence to fiddle with the warranty sticker, I agree with smgvbest, it's not actually that hard, probably the most important skill you need is patience, maybe ten minutes of your time the first time you do it, although once you've done one subsequent efforts seem quicker. The first one I did was on the MSO1074Z-S, and I must've tackled half a dozen others since watching Mike's vid. I used to just cut them, assuming that they really were tamper-proof.

Maybe try it with something that's already out of warranty first?
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 623
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #3841 on: February 24, 2015, 01:14:53 am »
I also did it on my MSO1074Z-S like Howardlong did and while it was nerve-wracking the first time, now it's not bad at all.
I realize the OP is doing this for someone else and that adds to the stress, but if he wants it done it really is not a big deal.  Patience is key.  If you think you're pushing too fast you probably are.  It took me maybe 10-15 minutes with, as Dave says, tongue at the right angle, but it came off fine.  Used some additional slick paper and taped it back just like he does in the video and it just works.

If the guy asking to do it wants it done personally now after doing it I'd say don't worry about it.
Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 623
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #3842 on: February 27, 2015, 12:30:23 am »
Quote from: smgvbest
I also did it on my MSO1074Z-S like Howardlong did and while it was nerve-wracking the first time, now it's not bad at all.

Ladies First  :)
Already went, who's next??
Sandra
(Yes, I am a Woman :p )
 

Offline dkozel

  • Regular Contributor
  • *
  • Posts: 116
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3843 on: March 03, 2015, 09:20:04 am »
Hello,

My DS2072 is currently bricked and not booting. I'd like to try reflashing the firmware and do have an OpenOCD JTAG device. Cybernet, you seem to be the guru of this, could you (or anyone else  :)) share any gotchas around flashing the bootloader/firmware?

Thanks!

Please forgive the poor choice of title, it's not inaccurate, but is likely misleading.
https://www.eevblog.com/forum/testgear/rigol-ds2074-no-longer-boots-after-fixing-broken-heatsink-clip/
 

Offline NortliW

  • Contributor
  • Posts: 18
Re: Sniffing the Rigol's internal I2C bus
« Reply #3844 on: March 03, 2015, 11:49:50 pm »
Any Riglol progress on the DSA-1030? Would like it with some options......TNX.
 

Offline ytsejam

  • Contributor
  • Posts: 16
Re: Sniffing the Rigol's internal I2C bus
« Reply #3845 on: March 07, 2015, 05:09:21 am »
Has anyone successfully dumped the flash content of DSA815 ?
Just got a tiny progress, hope to see if anyone can share their finding?

I tried to dump the BF526's async banks (0x20000000 ~ 0x203FFFFF) with the bfin toolchain and an ARM-USB-OCD-H cable,
however I found that the dump files are inconsistent, results are not the same.
(Tried on both DSA815s, with bootloader 1.03 and 1.04)

Since TopJTAG was mentioned previously, I decided to give it a try.
The flash chip on the DSA815 is a Spansion S29GL064N90TFI04 (TSOP48 package, 8MB parallel NOR flash, CFI compliant).
I used Segger J-LINK v9 as the JTAG cable.
I managed to figure out the setting for TopJTAG Flash Programmer:

------------------------------
1. BSDL for BF526 is attached.
2. Data bus is 16-bit wide with 16-bit maximum capable data
3. Signal pins:

CE = AMS0, active = low
OE = AOE  , active = low
WE = AWE , active = low


A0 ~ A18 = ADDR1 ~ ADDR19
(A21 ~ A19 seem to be hardcoded as 110 or controlled by other device, FPGA?)

D0 ~ D15 = DATA0 ~ DATA15

4. Static pins

No static pins defined.

-------------------------------

With the above setting, I was able to dump 1MB flash content.

My intention was to dump the flash content of a DSA815 with bootloader 1.03 and restore it on my DSA815 with bootloader 1.04.
I was able to dump 1MB binary files from each.

However when I tried to restore the dump from 1.03 to my 1.04 DSA815, the program and verification process was completed successfully.
But when I rebooted my DSA815, the bootloader remains 1.04 and everything is unchanged. (WP# was hardcoded at VIH, maybe there is some dynamic write protections?)

I was confused by the design.
The BF526 supports up to 4 async banks, each with a 1MB address range. That will only be able to provide 4 MB of address space in total.
However, they use an 8 MB flash. Is the rest of the space used by the FPGA?

Also, as I mentioned, if A21 ~ A19 are hard coded with 110, the BF526 will only be able to access 1MB of flash space in this case.
And the size of DSA800_UpdateFile.sys (firmware) is nearly 2.x MB. I believe that A21 ~ A19 must be connected to the BF526 in some way.
Or it won't be able to program the whole content of the firmware update into the flash chip.

According to past experience, usually flash will maintain multiple copies of firmware (I've seen the case with 4 copies), and the content will be checked during boot. Maybe I just updated one of them?

Appreciate if anyone with similar experience can share your finding.

UPDATE
The setup profile for TopJTAG Flash Programmer is attached. Remove the suffix .txt before use.
The BSDL file needs to be placed in the same folder as the setup profile.
« Last Edit: March 08, 2015, 11:09:30 am by ytsejam »
 
The following users thanked this post: colabri

Offline ytsejam

  • Contributor
  • Posts: 16
Re: Sniffing the Rigol's internal I2C bus
« Reply #3846 on: March 07, 2015, 04:28:01 pm »
UPDATE: the above method actually works.

Previously, I tried to program my DSA815 (bootloader 01.04, FW 01.09, RF FPGA FW 00.05, Digital FPGA FW 00.04) with the flash dump from another DSA815 (bootloader 01.03, FW 01.07, RF FPGA FW 00.05, Digital FPGA FW 00.04). I didn't notice any change.

Next, I tried to upgrade my DSA815 to FW 01.12, after upgrade, the sysinfo shows: bootloader 01.04, FW 01.12, RF FPGA FW 00.05, Digital FPGA FW 00.05
Then I programmed the flash with the dump file from the old DSA815. Once I rebooted my DSA815, the bootloader prompted something like "Factory Boot".
Which means the bootloader cannot boot into the firmware on the flash. Obviously, this is because the bootloader is not able to recognise part of the code on the flash. I think this is due to a Digital FPGA FW version mismatch. I guess the portion I wrote into the flash was the Digital FPGA FW.

The factory boot mode can be recovered by pressing PRESET to load a FW version 01.12.

Though no immediate success, this might give me a clue that if I can dump the correct portion of the flash, I should be able to "restore" the bootloader back to 01.03.
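The two posts above describe pulling 1 MB of the S29GL064N through the BF526's boundary scan, getting inconsistent reads over the bfin toolchain, and writing one unit's image onto another without knowing which region holds the bootloader. The script below is an added example (mine, not ytsejam's and not Rigol's) of the offline checks worth running on such dumps before programming anything back: whether repeated reads of the same chip agree, which byte ranges differ between two units, where version-like strings sit, and whether the image carries duplicated blocks (the multiple-copies layout the first post speculates about). The 64 KB images it works on are constructed inline and are not real DSA815 flash contents; the address mapping uses only what the post states (AMS0 as chip enable, flash A0..A18 on BF526 ADDR1..ADDR19, bank 0 at 0x20000000 with 1 MB per bank). Function names are mine.

```python
"""Offline sanity checks for parallel-NOR dumps (added example, not from the
thread). SAMPLE_A / SAMPLE_B are constructed images, not Rigol flash data."""
import hashlib
from typing import Dict, List, Tuple

# From the post: BF526 async bank 0 (AMS0 = chip enable) sits at 0x20000000,
# 1 MB per bank. Flash A0..A18 are on BF526 ADDR1..ADDR19 with a 16-bit data
# bus, so a byte offset into a bank-0 dump is just CPU address minus the base.
BANK0_BASE = 0x20000000
BANK_SIZE = 0x100000


def dump_offset_to_bf526_addr(offset: int) -> int:
    """Map an offset in a bank-0 dump to the byte address the BF526 sees."""
    if not 0 <= offset < BANK_SIZE:
        raise ValueError("offset outside a single 1 MB async bank")
    return BANK0_BASE + offset


def bf526_addr_to_flash_word(addr: int) -> int:
    """Flash word address (what A0..A18 carry): byte address >> 1, because
    flash A0 is wired to BF526 ADDR1, not ADDR0."""
    return (addr - BANK0_BASE) >> 1


def is_stable(dumps: List[bytes]) -> bool:
    """True when repeated reads of the same chip are byte-identical. The
    first post saw differing dumps; such a dump must not be written back."""
    return all(d == dumps[0] for d in dumps[1:])


def diff_regions(a: bytes, b: bytes, block: int = 4096) -> List[Tuple[int, int]]:
    """Block-granular [(start, end), ...] ranges (end exclusive) where two
    same-length dumps differ; adjacent differing blocks are coalesced."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length: %d vs %d" % (len(a), len(b)))
    regions: List[Tuple[int, int]] = []
    for off in range(0, len(a), block):
        if a[off:off + block] != b[off:off + block]:
            end = min(off + block, len(a))
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)   # extend previous range
            else:
                regions.append((off, end))
    return regions


def find_repeated_blocks(data: bytes, block: int = 65536) -> Dict[str, List[int]]:
    """Hash each block and report those whose content occurs more than once
    (candidate redundant firmware copies). Erased NOR reads 0xFF; fully
    blank blocks are ignored so they do not show up as 'copies'."""
    seen: Dict[str, List[int]] = {}
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        if chunk == b"\xff" * len(chunk):
            continue
        seen.setdefault(hashlib.sha256(chunk).hexdigest(), []).append(off)
    return {h: offs for h, offs in seen.items() if len(offs) > 1}


def find_version_strings(data: bytes, needle: bytes = b"00.01.") -> List[int]:
    """Offsets of version-like ASCII such as '00.01.04', to locate the
    bootloader region versus the application image before touching either."""
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def build_sample(boot_ver: bytes) -> bytes:
    """Constructed 64 KB image: a 16 KB 'bootloader' block carrying a version
    string, a 16 KB 'firmware' block stored twice, the remainder erased."""
    boot = (b"BOOT " + boot_ver).ljust(16384, b"\x00")
    fw = bytes((i * 7 + 3) & 0xFF for i in range(16384))
    return (boot + fw + fw).ljust(65536, b"\xff")


SAMPLE_A = build_sample(b"00.01.03")   # stands in for the 1.03 unit's dump
SAMPLE_B = build_sample(b"00.01.04")   # stands in for the 1.04 unit's dump

if __name__ == "__main__":
    print("stable:", is_stable([SAMPLE_A, SAMPLE_A]))
    for s, e in diff_regions(SAMPLE_A, SAMPLE_B):
        print("differs: dump 0x%06x-0x%06x -> BF526 0x%08x (flash word 0x%05x)"
              % (s, e, dump_offset_to_bf526_addr(s),
                 bf526_addr_to_flash_word(dump_offset_to_bf526_addr(s))))
    print("repeated blocks:", find_repeated_blocks(SAMPLE_A, block=16384))
    print("version strings at:", find_version_strings(SAMPLE_A))
```

On real dumps, replace SAMPLE_A / SAMPLE_B with `open(path, "rb").read()` and read the chip at least twice first: `is_stable()` returning False means the JTAG read path itself is unreliable, and no conclusion drawn from that image (let alone a write-back) is safe. Where `diff_regions()` and `find_version_strings()` point at the same blocks is the region to study before programming, and a non-empty `find_repeated_blocks()` result is the hint that a write which "verified OK" may have landed in a copy the bootloader never consults.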
 

Offline guiasse

  • Contributor
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3847 on: March 16, 2015, 11:24:23 am »
Hello,
I'm trapped on a firmware 1.12 / boot 1.04. There is no way to downgrade firmware.
Does anybody have a way to do that ?
Best regards,
 

Offline N8AUM

  • Regular Contributor
  • *
  • Posts: 131
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3848 on: March 17, 2015, 06:45:52 am »
Quote from: guiasse
Hello,
I'm trapped on a firmware 1.12 / boot 1.04. There is no way to downgrade firmware.
Does anybody have a way to do that ?
Best regards,

I wonder how many of us are in the same boat ?
 

Offline guiasse

  • Contributor
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3849 on: March 17, 2015, 07:12:41 am »
If I'm right the only way for the moment is to use a PIC over the FRAM to reset the trial time at each boot.
Did somebody try that with the last release?
 

