Sniffing the Rigol's internal I2C bus

[Trax]

I found oen guid from ike how to remove this damn waranty stickers,
are there any more or other methods?
He used a waxy paper to slide it under the sticker very very gently.
can this be simplifyed may be got air and if so how hot?

[smgvbest]

I used my Rework Gun set to 200c at about 6-8in and kept it moving plus some backing paper for a cdrom label and it was off in a few minutes.  the heat really made it easy.  previously I just used the paper and it was more stressfull and took 10minutes

[Trax]

I have one of those, thats a good idea the temp info is the important part, 200°C sounds good

[ted572]

There is new Firmware for the DS2000/DS2000A here -> https://www.eevblog.com/forum/testgear/first-impressions-and-review-of-the-rigol-ds2072-ds2000-series-dso/msg698800/#msg698800

[ted572]

I have one of those, thats a good idea the temp info is the important part, 200°C sounds good

Re. Reply #3995 and #3996 above:  I would suggest simply using a Hair Dryer.  With the Hot Air of a Soldering/Rework Tool putting out 200° C (Ouch) you have the potential for doing some serious damage to the label and/or plastic case if you aren't VERY, VERY careful.

[smgvbest]

I have one of those, thats a good idea the temp info is the important part, 200°C sounds good

Re. Reply #3995 and #3996 above:  I would suggest simply using a Hair Dryer.  With the Hot Air of a Soldering/Rework Tool putting out 200° C (Ouch) you have the potential for doing some serious damage to the label and/or plastic case if you aren't VERY, VERY careful.

That's why 6-8 inches and keep it moving.  plus I would hope anyone using a rework station knows how you use one,  just like it intended use
Drop it down if you want it closer to hair dryer temp,  mine will go to 90C that's still about 60F above a hair dryer

[TopLoser]

That's why 6-8 inches and keep it moving.

 

[McBryce]

I used a hair dryer on the last device I "liberated" and even with that I thought the plastic got very hot. The label peeled off almost by itself though

McBryce.

[smgvbest]

That's why 6-8 inches and keep it moving.

 

Glad you got a laugh out of if

I should also note I had the airflow way down,  case cut warm not hot and label came up really easy

[dadler]

I think some innuendo was intended.

[smgvbest]

we play it nice and try to ignore things and the room falls apart   

[jrmymllr]

To all you MSO1000Z Owners: It's done, we found what Rigol changed for the MSO1k and we patched rigup to generate working keys.

Another successful hack here on a MSO1104Z.  I used a JTAG interface I had from a Luminary Micro (now TI) ARM eval board.  The dump took around 56 minutes as I didn't try anything to speed it up, but I got rigup compiled under Ubuntu during that time.  No problems at all.  I just couldn't telnet to it like someone has suggested, so entering the keys were a bit tedious. 

While I had the scope open I noticed the cover on the metal can was not all the way down on one corner because a tab was stuck inside instead of on the outside, so I fixed that.  One other suggestion for anyone doing this:  Be careful of the power button.  Mine got scratched slightly (very slightly, hard to see even if you know it), so take care when pulling it apart and reassembling.  The switch goes through a hole in sheet metal, so the edges are sharp.

I also removed the sticker using a heat gun and label backing.  Very slick.  I won't bother reapplying, but am keeping it stuck on label backing just in case.

Thanks also to those (especially smgvbest) for pictures and exact instructions, and of course those who came up with the hack.

I don't know how some of you figure this stuff out.  I develop embedded systems, but reverse engineering crypto seems difficult to me.  At any rate, thanks a bunch.

[Trax]

has anyone used the "bus pirate" to dump the scope?

[pierre288]

Hi all,
Anyone have experience using rigup on a MSO1000z
at the latest firmware version 00.04.03 (June 2015) ..

Mine was originally at 00.04.01 SP2
I Updated it to 00.04.03 prior to try rigup-mso1000z.
Options do not install...

Could it be that latest version has modifications voiding rigup ?
Any hints ?

Thanks

[jrmymllr]

Hi all,
Anyone have experience using rigup on a MSO1000z
at the latest firmware version 00.04.03 (June 2015) ..

Mine was originally at 00.04.01 SP2
I Updated it to 00.04.03 prior to try rigup-mso1000z.
Options do not install...

Could it be that latest version has modifications voiding rigup ?
Any hints ?

Thanks

I don't have 00.04.03, but rather have 00.04.02.SP4 and that worked fine.  This probably doesn't help you much but who knows. 

BTW how did you get new F/W, did you have to request from Rigol or is there there a direct download?

[MarkF]

The upgraded firmware for a DS1Z (00.04.03.SP1) can be found here DS1Z firmware.  Rigol has not been updating the zip filename.  See the directory name inside.

[smgvbest]

Hi all,
Anyone have experience using rigup on a MSO1000z
at the latest firmware version 00.04.03 (June 2015) ..

Mine was originally at 00.04.01 SP2
I Updated it to 00.04.03 prior to try rigup-mso1000z.
Options do not install...

Could it be that latest version has modifications voiding rigup ?
Any hints ?

Thanks

Is this the one you used
http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip
Just making sure you use the correct one.
there's another one on the site and it does not work
this one once you compile it worked fine but I did not upgrade mine before testing

[jrmymllr]

The upgraded firmware for a DS1Z (00.04.03.SP1) can be found here DS1Z firmware.  Rigol has not been updating the zip filename.  See the directory name inside.

Any idea what this one fixes?  There doesn't seem to be release notes so probably who knows....

[MarkF]

The upgraded firmware for a DS1Z (00.04.03.SP1) can be found here DS1Z firmware.  Rigol has not been updating the zip filename.  See the directory name inside.

Any idea what this one fixes?  There doesn't seem to be release notes so probably who knows....

Release Notes here.

[Trax]

Simple question but:
When you got your scope how long have you waited before installing the hacked options?
In order to test if its running ok, etc...

And what happens if the scope would fail and be in need of repair while having hacked options? I guess as long as it boots the options could be simply removed before sending it in, but what if the scope wouldn't boot at all?

[Trax]

Oscilloscope        BusPirate
TDO <------------> MISO (According to the label in the PCB, however when in JTAG mode it is TDO as it is supposed to be)
TCK <------------> CLK (Again in JTAG mode this is TCK)
TMS <------------> CS (Which is TMS in JTAG mode)
TDI <------------> MOSI (TDI in JTAG mode)
3.3V <-----------> 3.3V
GND  <-----------> GND

why is it needed to connect the 3.3v line? shouldn't booth devices have their own 3.3v?

[Karel]

Simple question but:
When you got your scope how long have you waited before installing the hacked options?
In order to test if its running ok, etc...

One day.

And what happens if the scope would fail and be in need of repair while having hacked options? I guess as long as it boots the options could be simply removed before sending it in, but what if the scope wouldn't boot at all?

I don't understand the question. What is the relation between entering a bunch of codes  and a warranty claim?
Maybe in the states this is illegal but where I come from it's completely fine.

[Trax]

I don't understand the question. What is the relation between entering a bunch of codes  and a warranty claim?
Maybe in the states this is illegal but where I come from it's completely fine.

The question is what would Rigol do if you send in a scope for repair where you installed options that ware not bought from them, a.k.a. hacked.

Would they repair it? Imho they would know that the scope was opened as to hack it a memory dump is needed.

Or would they do something to disable the options permanently, setting/breaking some jumper, burning an eFuse or writing to some read only memory, etc...

[Karel]

Would they repair it? Imho they would know that the scope was opened as to hack it a memory dump is needed.

I see what you mean. Yes, opening is risky. I didn't open it. I just entered the codes on the screen.

[Trax]

Would they repair it? Imho they would know that the scope was opened as to hack it a memory dump is needed.

I see what you mean. Yes, opening is risky. I didn't open it. I just entered the codes on the screen.

Yea, I have the MSO and this requiters the memory dump over J-Tag...