Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1898853 times)


Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4200 on: September 23, 2016, 08:33:32 pm »
The logic analyser won't control anything, it's just a passive listener, you need a jtag dongle compatible with openocd, which will control the actual jtag communication.

Sent from my m8wl using Tapatalk

Yes, I understood that since the other post, where you said the only thing I could see with the LA was a dump of the JTAG port activity. And that's exactly what I was trying to see, but I'm not sure how the setup should be done in the Saleae Logic software to be able to pick up the JTAG port activity...
 

Offline qwertymodo

  • Contributor
  • Posts: 31
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4201 on: September 23, 2016, 10:58:54 pm »
You don't need to connect SRST, that's for resetting the host system.  The logic analyzer just needs TRST to reset the internal JTAG state machine.
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4202 on: September 24, 2016, 01:08:40 am »
What about TDI and TDO?

Sent from my GT-I9505 using Tapatalk

 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4203 on: September 25, 2016, 01:37:48 am »
Looks like I managed to use an Arduino to get some info from the JTAG of my scope!

I'm not sure if I can do anything else, but using a library available here I managed to pick up some bits of info, using "minicom" or the serial monitor of Arduino:

At boot time, I try to interrogate the JTAG interface to find all the connected devices (chips). It lists their built-in identification codes, which take the form of 32 bits in four groups, and I get this:

03c93279  [0000 0011110010010011 00100111100 1]

The groups are, from most to least significant bit: 4-bit product version (0), 16-bit product code (3c93), 11-bit manufacturer code (279), and one bit that is always 1 for thaumaturgic reasons.

After the boot, if I interrogate the JTAG interface again, I get different results:

079264f3  [0000 0111100100100110 01001111001 1]

Does this mean that there are at least 2 memories being used by the scope?


Edited:
I need to make a correction...
No matter what, the first time I interrogate the JTAG interface, I get the 03c93279 code, and the second time I interrogate it, I get 079264f3. Then if I try again, I always get the 079264f3 code.
« Last Edit: September 25, 2016, 01:43:56 am by psysc0rpi0n »
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 778
Re: Sniffing the Rigol's internal I2C bus
« Reply #4204 on: September 27, 2016, 09:21:26 am »
Hello
If someone can read the SPI flash 25x40 of the DP832A, I can try to turn my 832 into an 832A, because the firmware is the same.
Another option is a full cloning of the SPI flash + NAND flash from an 832A to manually program into an 832.
I know the above is quite old, but did rsivan or somebody else try this?
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4205 on: September 30, 2016, 05:24:41 pm »
Is anything special needed to connect the J-Link device to the PC? (I'm using Debian Jessie.) I can't get the J-Link software to connect with the device.

After connecting the device to the USB port, if I start the software only with "./JLinkEXE" I get this error:

Code:
SEGGER J-Link Commander V6.10a (Compiled Sep 19 2016 20:08:32)
DLL version V6.10a, compiled Sep 19 2016 20:08:23

Connecting to J-Link via USB...FAILED: Can not connect to J-Link via USB.

If I use sudo prior to the launch I get this error:

Code:
SEGGER J-Link Commander V6.10a (Compiled Sep 19 2016 20:08:32)
DLL version V6.10a, compiled Sep 19 2016 20:08:23

Connecting to J-Link via USB...

*** J-Link V6.10a Error ***
The connected emulator can not be used with this software.

Reason:
"Broken. No longer used"
*** J-Link V6.10a Error ***

FAILED: Can not connect to J-Link via USB.

What is wrong?
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2707
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4206 on: September 30, 2016, 07:44:14 pm »
The first error is due to the user permissions being set wrong for USB. Not sure about the second sudo error. Do you have a Windows PC that you could try?

McBryce.
30 Years making cars more difficult to repair.
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4207 on: September 30, 2016, 08:57:03 pm »
I'm now checking and redoing the wiring, but I have a question about the pinout of the J-Link device. I'm following the J-Link site to plug in some wires, but I'm used to seeing the following around the internet:

TCK, TMS, TDI, TRST, TDO and SRST

The J-Link site has:
TDI, TMS, TCK, RTCK, TDO and RESET.

I'm wondering which one, RTCK or RESET, matches the SRST...
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4208 on: September 30, 2016, 09:20:51 pm »
Ok, I got it...

SRST is RESET I guess...

Anyway, I issued the following command:

Code:
sudo openocd -d1  -f  interface/jlink.cfg -c "transport select jtag" -c "adapter_khz 6000" -f board/imx28evk.cfg -l ~/openocd_log
and the first time I got this:
Code:
Open On-Chip Debugger 0.9.0 (2016-09-30-19:43)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
Error: Invalid command argument
new_level option value ('l') is not valid

jtag
adapter speed: 6000 kHz
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain connect_deassert_srst
adapter_nsrst_delay: 100
jtag_ntrst_delay: 100
dcc downloads are enabled
imx28evk_init
Info : J-Link ARM V8 compiled Nov 28 2014 13:44:46
Info : J-Link caps 0xb9ff7bbf
Info : J-Link hw version 80000
Info : J-Link hw type J-Link
Info : J-Link max mem block 9224
Info : J-Link configuration
Info : USB-Address: 0x0
Info : Kickstart power on JTAG-pin 19: 0xffffffff
Info : Vref = 3.448 TCK = 1 TDI = 1 TDO = 0 TMS = 1 SRST = 1 TRST = 1
Info : J-Link JTAG Interface ready
Info : clock speed 6000 kHz
Info : JTAG tap: imx28.cpu tap/device found: 0x079264f3 (mfg: 0x279, part: 0x7926, ver: 0x0)
Info : Embedded ICE version 6
Info : imx28.cpu: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection on tcp/4444


I mistyped -dl instead of -d1... Then I did the telnet connection and it worked!

Then I tried the connection again, but added a new option to save the output log of OpenOCD, like this:

Code:
sudo openocd -d1  -f  interface/jlink.cfg -c "transport select jtag" -c "adapter_khz 6000" -f board/imx28evk.cfg -l ~/openocd_log
and I got this:

Code:
Open On-Chip Debugger 0.9.0 (2016-09-30-19:43)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
debug_level: 1

I hope this is OK...

Now I'm going for the telnet connection again...

But before that I want to ask another question:
What I'm doing is just a memory dump, right? Is this in any way dangerous to the scope? Can I brick the scope?
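As an added example (not code from the thread), here is a small decoder for the IDCODE format described in reply #4203, using the IEEE 1149.1 bit positions that OpenOCD also applied when it printed mfg/part/ver in reply #4208; the two captured words from the thread are used as sample input. It also checks whether one capture is the other shifted by a single bit, the usual sign of a TDO sample taken one clock off.

```python
# Added example, not from the thread: decode a 32-bit JTAG IDCODE into its
# IEEE 1149.1 fields and compare two captures for a one-bit alignment slip.

def decode_idcode(word: int) -> dict:
    """Split a 32-bit IDCODE into version, part number, manufacturer, marker bit.

    Bit layout (MSB first): [31:28] version, [27:12] part number,
    [11:1] JEDEC manufacturer code, [0] always 1 (a BYPASS register shifts
    out a 0 here, which is how a reader tells the two apart).
    """
    if word < 0 or word > 0xFFFFFFFF:
        raise ValueError("IDCODE must be a 32-bit value")
    mfg = (word >> 1) & 0x7FF
    return {
        "version": (word >> 28) & 0xF,
        "part": (word >> 12) & 0xFFFF,
        "mfg": mfg,
        # JEP106: upper 4 bits = count of 0x7F continuation codes (bank - 1),
        # lower 7 bits = the identity code within that bank.
        "mfg_bank": (mfg >> 7) + 1,
        "mfg_id": mfg & 0x7F,
        "valid": (word & 1) == 1,
    }


def shifted_by_one_bit(a: int, b: int) -> bool:
    """True if the two captures differ only by a one-bit shift of the TDO stream."""
    return ((a >> 1) & 0x7FFFFFFF) == b or ((b >> 1) & 0x7FFFFFFF) == a


# Constructed sample input: the two words quoted in reply #4203.
CAPTURES = {"first": 0x03C93279, "later": 0x079264F3}

if __name__ == "__main__":
    for name, word in CAPTURES.items():
        f = decode_idcode(word)
        print(f"{name}: 0x{word:08x} ver={f['version']} part=0x{f['part']:04x} "
              f"mfg=0x{f['mfg']:03x} (bank {f['mfg_bank']}, id 0x{f['mfg_id']:02x}) "
              f"valid={f['valid']}")
    print("one-bit shift between captures:",
          shifted_by_one_bit(CAPTURES["first"], CAPTURES["later"]))
```

The "later" word decodes to exactly the mfg/part/ver triple OpenOCD reported, and the "first" word is that same word shifted right by one bit.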
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4209 on: September 30, 2016, 09:47:36 pm »
I tried to halt the scope a few seconds after powering it up, while the Rigol logo is still on the screen, but I always get "time out"...
When I issue the "reset" command I get this:

Code:
Error: IR capture error at bit 4, saw 0x21 not 0x...3
Warn : Bypassing JTAG setup events due to errors
Warn : ThumbEE -- incomplete support
Error: cp15 read operation timed out
in procedure 'reset'
in procedure 'ocd_bouncer'
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4210 on: October 01, 2016, 12:59:45 am »
Well, I was able to do the memory dump and generate the license keys, but none was valid, until I was banned from installing licenses for 12 hours! And I did 2 memory dumps. The first one didn't find any keys!
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2707
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4211 on: October 01, 2016, 09:45:49 am »
And you're definitely using the MSO version of riglol not the standard version?

McBryce.

Sent from my Motorola DynaTEC 8000X using Tapatalk.

30 Years making cars more difficult to repair.
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4212 on: October 01, 2016, 09:55:12 am »
And you're definitely using the MSO version of riglol not the standard version?

McBryce.

Sent from my Motorola DynaTEC 8000X using Tapatalk.

Yes, I used this one:
http://www.gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip

There are patches in the same folder but I don't know if I should use them or even how to apply them.
http://www.gotroot.ca/rigol/mso1000z-patches.zip
« Last Edit: October 01, 2016, 09:57:45 am by psysc0rpi0n »
 

Offline qwertymodo

  • Contributor
  • Posts: 31
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4213 on: October 02, 2016, 12:59:29 am »
I was successful using rigup-0.4.1-mso1000z exactly as it was provided in that package (no patches), using a memory dump taken immediately after the Rigol logo disappeared and the options dialog appeared on screen, using option code 0x1C0DF for a single license to unlock everything except the non-functional 5uV option (so you only have to type in one code). Give that a try.

Sent from my m8wl using Tapatalk
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4214 on: October 02, 2016, 02:17:30 am »
I was successful using rigup-0.4.1-mso1000z exactly as it was provided in that package (no patches), using a memory dump taken immediately after the Rigol logo disappeared and the options dialog appeared on screen, using option code 0x1C0DF for a single license to unlock everything except the non-functional 5uV option (so you only have to type in one code). Give that a try.

Sent from my m8wl using Tapatalk

Ok, but when I power on my scope I no longer see the options window, because the trial time is already over, so I'm not sure when I should issue the halt! But I'll try that hex code with rigup!
 

Offline qwertymodo

  • Contributor
  • Posts: 31
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4215 on: October 02, 2016, 02:21:21 am »
Just do it right after the Rigol logo disappears.

Sent from my m8wl using Tapatalk

 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4216 on: October 02, 2016, 02:25:36 am »
Just do it right after the Rigol logo disappears.

Sent from my m8wl using Tapatalk

Ok. In the meantime, I generated a license key for that code, but it didn't work either! Now, for each wrong key entered, I get blocked for 12 hours!

Tomorrow I'll try to do that dump right after the logo disappears! Today it's already too late! My dump takes about 30 minutes. It's 67MB at about 47KB/s. I set the speed to 6MHz, but it's as slow as this!
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4217 on: October 02, 2016, 03:09:49 pm »
I have tried once more but no good... The memory dump is successful but the keys are invalid! I think my hope has now ended!
 

Online Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4218 on: October 15, 2016, 05:25:27 pm »
I've bought a new MSO1104Z and, silly me, upgraded to the latest version immediately when I got home.

I have no experience with JTAG yet and ordered a knock-off Altera USB Blaster to follow the memory dump instructions. However, I'm not sure that, with the new version, extraction of private keys from the memory dump will be successful at all.

psysc0rpi0n, do you have any news?
« Last Edit: October 15, 2016, 05:27:27 pm by Daruosha »
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #4219 on: October 15, 2016, 05:52:54 pm »
I see you are based in Sweden. Did you buy from InstrumentCenter AB?
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4220 on: October 15, 2016, 05:55:22 pm »
The memory dump is successful but the keys are invalid! I think my hope has now ended!

Did you double-check the other side? Is your compiled binary from rigup-0.4.1-mso1000z (http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip) ok?
Did you also try the provided binary?

I created my keys in December 2014 and I compiled the binary on my RasPi running Raspbian. My firmware version was 00.04.01.SP2.

What I read here is that qwertymodo was able to create the keys. Maybe something in your procedure is not working the right way. If you are sure about the dump, please check the other end of your workchain, aka the binary you compiled.

Good luck!
« Last Edit: October 15, 2016, 05:57:09 pm by hammy »
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4221 on: October 15, 2016, 05:59:09 pm »
The memory dump is successful but the keys are invalid! I think my hope has now ended!

Did you double-check the other side? Is your compiled binary from rigup-0.4.1-mso1000z (http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip) ok?
Did you also try the provided binary?

I created my keys in December 2014 and I compiled the binary on my RasPi running Raspbian. My firmware version was 00.04.01.SP2.

What I read here is that qwertymodo was able to create the keys. Maybe something in your procedure is not working the right way. If you are sure about the dump, please check the other end of your workchain, aka the binary you compiled.

Good luck!

What can I do to check if the binary is correctly compiled? I think I didn't need to compile anything. The binary was ready-to-use, I guess!

The binary link for 64-bit is not working... Or rather, the file can't be extracted... It returns an error!
« Last Edit: October 15, 2016, 06:04:40 pm by psysc0rpi0n »
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4222 on: October 15, 2016, 06:04:52 pm »
I think I didn't need to compile anything. The binary was ready-to-use, I guess!

Ok, I see. This means you used the provided binary for the key generation, right?

Did you ask someone, maybe qwertymodo, to generate your keys? Obviously he was able to generate the license keys.

If you transfer your dump to another person who already generated working license-keys, maybe this person could generate your license keys as well.

Can you provide your dump via a download link?
« Last Edit: October 15, 2016, 06:07:30 pm by hammy »
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 328
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4223 on: October 15, 2016, 06:07:38 pm »
I think I didn't need to compile anything. The binary was ready-to-use, I guess!

Ok, I see. This means you used the provided binary for the key generation, right?

Did you ask someone, maybe qwertymodo, to generate your keys? Obviously he was able to generate the license keys.

If you transfer your dump to another person who already generated working license-keys, maybe this person could generate your license keys as well.

Can you provide your dump via a download link?

I haven't asked anyone to generate license keys. If anyone is kind enough to do that, I can provide a link to my memory dump!
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4224 on: October 15, 2016, 06:13:16 pm »
I haven't asked anyone to generate license keys. If anyone is kind enough to do that, I can provide a link to my memory dump!

Excellent! :-+ Please prepare that link.
Ok, I reinstalled my RasPi some time ago, but I can set up this stuff again. I'll get in touch with you tomorrow via PM...
 

