Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1870098 times)

Offline jouyang3

  • Newbie
  • Posts: 2
Re: Sniffing the Rigol's internal I2C bus
« Reply #3900 on: May 24, 2015, 11:52:57 pm »
Hello guys, does anyone know how I should connect to the Blackfin JTAG via an Altera USB-Blaster? (I am hacking a DS2072A with the v3 kernel.) I have connected to the board following the description from Analog's and Altera's datasheets, yet bfin-debug complains about the device not being found. The TRST and SRST pins are not present on the USB-Blaster; are they required to get a memory dump? One last thing: do I have to use the external circuit to make the signal recognizable through USB? If so, can anyone provide me with the schematics? (The image for the connection in the previous post is no longer valid.) Thank you everyone! Have a nice day!
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #3901 on: May 25, 2015, 03:32:06 pm »
Why are people still opening up their scopes and doing all sorts of tricks with JTAG to hack their scope, while you can simply send SCPI commands to enable all the options for free?

https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/msg559767/#msg559767

Or does that SCPI hack not work on all Rigol models? Which models work? Which models don't work?
Does it still work in the newer firmware versions?
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3902 on: May 25, 2015, 05:26:06 pm »
Simple: some people are curious about how things really work inside, maybe just to get a better understanding of how it's done, or maybe because they want to do their own custom firmware for whatever they think they can add to the scope that is not there.

Maybe as simple as being able to play pong on it :)
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #3903 on: May 25, 2015, 07:20:54 pm »
Isn't the scope protected with a secure bootloader?

Usually the firmware contains an RBL part and a DBL part: Resident Boot Loader and Dynamic Boot Loader.

The RBL part is stored in the One-Time-Programmable (OTP) area of the flash and cannot be changed.
It only accepts secure (signed) boot images in the DBL part, to prevent unauthorized software from being installed on the device.

This is at least how we did it in Motorola STB products :)
 

Offline jouyang3

  • Newbie
  • Posts: 2
Re: Sniffing the Rigol's internal I2C bus
« Reply #3904 on: May 25, 2015, 10:54:37 pm »
Why are people still opening up their scopes and doing all sorts of tricks with JTAG to hack their scope, while you can simply send SCPI commands to enable all the options for free?

https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/msg559767/#msg559767

Or does that SCPI hack not work on all Rigol models? Which models work? Which models don't work?
Does it still work in the newer firmware versions?

The SCPI hack works. But I just want to see how people actually did it with JTag + USB Blaster. I think this will help me understand the interface better.
 

Offline dadler

  • Supporter
  • ****
  • Posts: 851
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3905 on: May 26, 2015, 12:00:23 am »
Why are people still opening up their scopes and doing all sorts of tricks with JTAG to hack their scope, while you can simply send SCPI commands to enable all the options for free?

https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/msg559767/#msg559767

Or does that SCPI hack not work on all Rigol models? Which models work? Which models don't work?
Does it still work in the newer firmware versions?

As far as I know, the only option right now with the DSA815 is pulling the write protect pin on the FRAM chip high to extend the trials indefinitely. The newer bootloader disallows installation of older firmware, and nobody has cracked the newer firmware yet.
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #3906 on: May 27, 2015, 12:08:59 pm »
Why are people still opening up their scopes and doing all sorts of tricks with JTAG to hack their scope, while you can simply send SCPI commands to enable all the options for free?

https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/msg559767/#msg559767

Or does that SCPI hack not work on all Rigol models? Which models work? Which models don't work?
Does it still work in the newer firmware versions?

It varies by product. The DS1000Z/MSO1000Z don't support the SCPI reads, for example. And while the DS1000Z do work with gen software, the MSO you have to open to dump the memory to get the gen to work. So it's an 'it depends' on the product as to why some are using JTAG. Plus, if you want to enjoy and have some fun, there's nothing like opening your own up.
Sandra
(Yes, I am a Woman :p )
 

Offline BloodyCactus

  • Frequent Contributor
  • **
  • Posts: 482
  • Country: us
    • Kråketær
Re: Sniffing the Rigol's internal I2C bus
« Reply #3907 on: May 28, 2015, 05:53:16 pm »
the 1032Z AWG does not support dumping the memory over SCPI read command either.
-- Aussie living in the USA --
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #3908 on: May 29, 2015, 12:24:05 pm »
On the website of the tool Rigol Bildschirmkopie LAN/USB it says MSO1104Z:
http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/#screenshot

Users have been able to use the program with the following devices:

    DSA815 - LAN/USB
    DSA1030A - LAN/?
    DS1074Z-S - LAN/USB
    DS1104Z-S - LAN/USB
    DS2202 - LAN/USB
    DS4054 - LAN/?
    MSO1104Z - ?/USB
    MSO2072A - LAN/USB
    MSO2302A - LAN/USB
    MSO4024 - LAN/?
    DM3068 - -/USB


Does that mean that for MSO1104Z in particular it works and not for MSO1074Z?
Or does it mean that it works for all MSO1000 series, but only via USB and not via LAN?

 

Offline shrek

  • Newbie
  • Posts: 4
Re: Sniffing the Rigol's internal I2C bus
« Reply #3909 on: May 29, 2015, 01:01:13 pm »
Has anyone tried to hack the DP832's ANALOG board? Any luck with JTAG and full memory dump of the controller?
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #3910 on: May 29, 2015, 01:27:43 pm »
Some people wrote a few entries earlier in this forum post that DS1000Z and MSO1000Z series don't support SCPI commands to read out memory, and that this is the reason why you need to open up your scope and use JTAG to read out the memory.

Apparently you don't need memory dump for DS1000Z series, as it will work with Riglol and serial number.

But for MSO1000Z series you need memory dump, and there is where JTAG comes into picture, as SCPI does not work.

Would be nice to really get this confirmed? I really hope SCPI works on both DS1000Z and MSO1000Z series.
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #3911 on: May 29, 2015, 03:25:28 pm »
So this confirms that the Bildschirm tool does not work on DS1000Z and MSO1000Z scopes?
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3912 on: May 29, 2015, 03:51:13 pm »
Would be nice to really get this confirmed? I really hope SCPI works on both DS1000Z and MSO1000Z series.

Here are the SCPI commands of the firmware 00.04.02.SP4 (DS1074Z-S). I have not found any commands for reading the memory.

Peter

Strange no one looks for the programming manual:

http://www.batronix.com/pdf/Rigol/ProgrammingGuide/MSO1000Z_DS1000Z_ProgrammingGuide_EN.pdf

You are looking for WAVeform:DATA? (lowercase optional WAV:DATA? will work as well)
but you need to set things up first

Also there are ways to talk to the Rigol without the NI-VISA library.

Same thing for the DS2000 but that one doesn't support telnet access but the DS/MSO1000Z series does.

Programming manual for the DS2000 if your google fu is not strong enough
http://www.tequipment.net/assets/1/26/Documents/Rigol/DS2072/ds2072_doc_5.pdf


But if you mean the actual programming memory then no dice as far as I know.

 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6676
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #3913 on: May 29, 2015, 03:59:03 pm »
So this confirms that the Bildschirm tool does not work on DS1000Z and MSO1000Z scopes?

You mean this tool? http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/

Why would the SCPI command list imply that it does not work? On his web page, the author of the Bildschirmkopie software explicitly confirms that it works for the DS1000Z as well as the MSO1000Z, both via LAN and USB.
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #3914 on: May 29, 2015, 04:22:43 pm »
So if I get it right: DS1000Z and MSO1000Z can be hacked through Bildschirmkopie tool after all, and there is no need to open up the scope and use JTAG. The people who open up their scope and use JTAG, just like to do it the hard way.
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #3915 on: May 29, 2015, 05:50:36 pm »
Okay, I think that I get it. You can use the tool to issue SCPI commands to the scope in general.
This works for all Rigol scopes, including the DS1000Z and MSO1000Z series. However the SCPI command in particular which you need to hack the scope is the memory read SCPI command, and this command in particular is not implemented in the DS1000Z and MSO1000Z SCPI command set.

Still the tool is useful for the DS1000Z and MSO1000Z series, for other actions, like making a screen capture of the displayed waveform, etc.
 

Offline d6diesel

  • Newbie
  • Posts: 1
Re: Sniffing the Rigol's internal I2C bus
« Reply #3916 on: May 31, 2015, 02:35:22 pm »
It seems Dave92F1 has provided a superb method while we all stand on the shoulders of giants (Peter, rigup).

Dave's method:

YET ANOTHER HACK SUMMARY

I had all options + 300 MHz on my DS2072A, then I upgraded to the latest firmware, and lost all the hacks. It took me some time to figure out how to get them back.

This is my summary (should work for a new out-of-the-box DS2072A as well):

1 - Download & unzip the latest "Rigol Bildschirmkopie LAN/USB" from http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/

2 - Connect scope to LAN.

3 - Run the RigolBildschirmkopie.exe, click Device>Select>Search>Select.

4 - Do Device>SCPI-Command, then  Send & receive ":SYST:UTIL:READ? 1,33554432".
 
     Wait a long time (~5 to 10 min) for it to complete.
     
     Click Save, save it as "memoryDump.scpi" (save this file for future use!!)

5 - Download and unzip Rigup 0.4 (or later) from http://gotroot.ca/rigol/.

6 - Open a command window where you unzipped Rigup 0.4, copy memoryDump.scpi into the same folder.

7 - In the command window do: "rigup ds2072a memoryDump.scpi"

      This will produce an output something like:

rigup ds2072a - Version 0.4

Serial number: DSxxxxx

NSEH:  JPJQLFK-G3QNRLU-WFFFZMD-xxxxxxx    All options, no bandwidth upgrade
NSER:  8NXBL2U-JE2LZL7-9NEN5XK-xxxxxxx   All options, bandwidth 100 MHz
NSEQ:  R939MMG-NR63H25-9H993PX-xxxxxxx    All options, bandwidth 200 MHz
NS8H:  G2YRFYX-D589HNR-4K8YW3H-xxxxxxx    All options, bandwidth 300 MHz

8 - rigup scan MyKeys memoryDump.scpi

This will write your keys to the file "MyKeys".

9 - rigup license MyKeys NS8N

This produces an output something like:

5P89ZX7-LYMCTCS-P4PQ792-xxxxxxx   (NS8N = 0x1C0C3)

10 - Run RigolBildschirmkopie.exe again, click Device>Select>Search>Select (again).

11 - Click Device>SCPI-Command, then send & receive:
       :SYSTem:OPTion:INSTall <key to the right of NSEQ in step 7>

       The key (from step 7) MUST have the dashes removed.

       For example:
       :SYSTem:OPTion:INSTall R939MMGNR63H259H993PXxxxxxxx
       
At this point you should have all options + 200 MHz.

12 - Click Device>SCPI-Command, then send & receive:

       :SYSTem:OPTion:INSTall <key from step 9>

       Again, the key must have all dashes removed.

       For example:
       :SYSTem:OPTion:INSTall 5P89ZX7LYMCTCSP4PQ792xxxxxxx

That's it; you should have 300 MHz + all options now.

Maybe you can skip step 11 - I haven't tried it that way.

If you mess up, no problem. Just send ":SYSTem:OPTion:UNINSTall" and start over.


Only minor tweaks I can add are:

   Step 2: Connect to LAN so the scope can obtain an IP address and be recognized on your ethernet.

   Step 4: Do Device>SCPI-Command, then Send & receive ":SYST:UTIL:READ? 1,33554432". Remove the first colon so that it now reads: Do Device>SCPI-Command, then Send & receive "SYST:UTIL:READ? 1,33554432". Make sure there is a space after the question mark.

   Step 6: After the command window is open, use the DOS command "CD" to change the directory until you are in the correct one.

   Step 11: Do this step just as he notes. He suggests an option to leave it out, but others did not get a complete install unless they did step 11 and then step 12.


Minor tweaks really from this newbie.  Can't say enough about the knowledge brought together at the eevblog.  As Dave Jones would say : AWESOME !!
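
A defender's view of the commands discussed in this thread, as an added example that is not part of any post here nor of the rigup or Bildschirmkopie tools: a sketch that flags memory-read and option-install SCPI commands in a captured command log, accepting short and long mnemonic forms and an optional leading colon. The log format, the addresses and the key placeholder are constructed, and treating the last READ? argument as a byte count is an assumption.

```python
import re

# Headers as written in this thread. Upper-case letters of a SCPI mnemonic are
# its short form, the whole word its long form. UTIL and READ appear on the
# page only in short form, so no long form is assumed for them.
WATCHLIST = {
    "SYSTem:UTIL:READ?": "memory-read",
    "SYSTem:OPTion:INSTall": "option-install",
    "SYSTem:OPTion:UNINSTall": "option-uninstall",
}

def header_regex(pattern):
    """Compile a SCPI header pattern into a regex for its short or long form."""
    query = pattern.endswith("?")
    parts = []
    for word in pattern.rstrip("?").split(":"):
        short = "".join(c for c in word if c.isupper())
        parts.append(f"(?:{re.escape(word)}|{re.escape(short)})")
    body = ":".join(parts) + (r"\?" if query else "")
    # The leading colon is optional; the header must end at a space or at EOL.
    return re.compile(rf":?{body}(?=\s|$)", re.IGNORECASE)

RULES = [(header_regex(p), label) for p, label in WATCHLIST.items()]

def classify(command):
    """Return (label, detail) for a watched command, or None otherwise."""
    cmd = command.strip()
    for rx, label in RULES:
        m = rx.match(cmd)
        if not m:
            continue
        args = cmd[m.end():].strip()
        detail = ""
        if label == "memory-read":
            # Assumption: the last numeric argument is a length in bytes.
            nums = [int(a) for a in args.split(",") if a.strip().isdigit()]
            detail = f"{nums[-1] // 2**20} MiB requested" if nums else "no length"
        elif label == "option-install":
            detail = f"key of {len(args)} chars (redacted)"  # never log the key
        return label, detail
    return None

def scan_log(lines):
    """Return (timestamp, source, label, detail) for each watched command."""
    hits = []
    for line in lines:
        ts, src, payload = line.split(" ", 2)
        for command in payload.split(";"):  # compound SCPI messages
            verdict = classify(command)
            if verdict:
                hits.append((ts, src, *verdict))
    return hits

# Constructed sample log: "<timestamp> <source> <SCPI message>".
SAMPLE_LOG = [
    "2015-06-01T10:00:05 192.0.2.10 WAV:DATA?",
    "2015-06-01T10:02:11 192.0.2.77 SYST:UTIL:READ? 1,33554432",
    "2015-06-01T10:15:40 192.0.2.77 :SYSTem:OPTion:INSTall " + "X" * 28,
    "2015-06-01T10:16:02 192.0.2.77 *IDN?;:syst:opt:uninst",
]
```

Calling `scan_log(SAMPLE_LOG)` returns one tuple per watched command and ignores the waveform and identification queries.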
     
 

Offline Ivan

  • Newbie
  • Posts: 3
Re: Sniffing the Rigol's internal I2C bus
« Reply #3917 on: June 01, 2015, 05:53:34 pm »
Hello.
1) I have a problem with MSO1104Z.
2) I updated the program to 4.3 from the site.
3) I downloaded memory with 0x40000000 to 0x43ffffff
4) I downloaded rigup-0.4.1-mso1000z.zip archive from the site http://gotroot.ca/rigol/
and make all near Ubuntu.
5) rigup scan gave out RC5KEY1 etc. SERIAL - coincided with my number.
6) rigup license gave out with 0x1C001 and 0x1C010 and 0x1C0FF keys and any doesn't approach.

It isn't sure, but during copying of jtag the oscilloscope blocked input of the password for 12 hours.

There can be in it a reason of failure and it is necessary to copy memory anew?

Memory 3 hours by means of ULINK were copied.

Please help to generate keys. The packed dump of memory is only 5 Mb.
 

Offline BloodyCactus

  • Frequent Contributor
  • **
  • Posts: 482
  • Country: us
    • Kråketær
Re: Sniffing the Rigol's internal I2C bus
« Reply #3918 on: June 01, 2015, 07:39:32 pm »
Would be nice to really get this confirmed? I really hope SCPI works on both DS1000Z and MSO1000Z series.

Here are the SCPI commands of the firmware 00.04.02.SP4 (DS1074Z-S). I have not found any commands for reading the memory.

Peter

Strange no one looks for the programming manual:

http://www.batronix.com/pdf/Rigol/ProgrammingGuide/MSO1000Z_DS1000Z_ProgrammingGuide_EN.pdf

You are looking for WAVeform:DATA? (lowercase optional WAV:DATA? will work as well)
but you need to set things up first

That's because we're not talking about SCPI commands to get waveform data, but the commands to read the system memory and basically do a raw dump of its internals.
-- Aussie living in the USA --
 

Offline Ivan

  • Newbie
  • Posts: 3
Re: Sniffing the Rigol's internal I2C bus
« Reply #3919 on: June 01, 2015, 08:08:27 pm »

That's because we're not talking about SCPI commands to get waveform data, but the commands to read the system memory and basically do a raw dump of its internals.

100% - not work. MS1104z isn't present the response on: SYST:UTIL:READ?



But I found out that it is possible to prolong a trial till 62 o'clock for all options rigup license 0x9C001 ... 0x9C004  as 0x1C001 doesn't work for me.
 

Offline Ivan

  • Newbie
  • Posts: 3
Re: Sniffing the Rigol's internal I2C bus
« Reply #3920 on: June 01, 2015, 09:18:06 pm »
Hey!! 
My MSO1074Z-S got now all options Official!!  8)

I managed to discover the problem..
In the new version of rigup, When I use "rigup serial keys.txt MSZ..." to update the serial number, it solves the problem.... 
Then some of preinstalled licenses with rigup search test Ok. Previously they test Fail.

Then I regenerate the licenses and now they test also Ok with "rigup info" command..  Previously they test Fail.
Also I update the firmware after apply licenses and no problem.

Thank You All, specially to users smgvbest for her tutorial at page 252 and to rmd79 for the rigup application.
Regards
Manuel

At whom every time password different.
These actions help. 0x1C0FF works.

And experiences with license 0x9C001 - 0x9C00F add time of 36 hours on one and then 0x9C00F together.

Limit trial of time of 100 hours.

Thanks to all creators of the rigup program.

Hi from Belarus.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3921 on: June 01, 2015, 09:55:10 pm »
Would be nice to really get this confirmed? I really hope SCPI works on both DS1000Z and MSO1000Z series.

Here are the SCPI commands of the firmware 00.04.02.SP4 (DS1074Z-S). I have not found any commands for reading the memory.

Peter

Strange no one looks for the programming manual:

http://www.batronix.com/pdf/Rigol/ProgrammingGuide/MSO1000Z_DS1000Z_ProgrammingGuide_EN.pdf

You are looking for WAVeform:DATA? (lowercase optional WAV:DATA? will work as well)
but you need to set things up first

That's because we're not talking about SCPI commands to get waveform data, but the commands to read the system memory and basically do a raw dump of its internals.

I also said:

But if you mean the actual programming memory then no dice as far as I know.

at the end.

Edit: But thanks for the clarification.
« Last Edit: June 01, 2015, 09:59:03 pm by miguelvp »
 

Offline pierre288

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus...PSE help with MSO1074z
« Reply #3922 on: June 04, 2015, 07:39:26 pm »
Hi,

sorry to ask as I presume answer is somewhere within this fabulous thread (thanks for your hard work).
but I need help to solve my problem with MSO1074z-S...
I tried many permutation using rigup without success..

Original firmware was 0.4.1 and I upgraded it to latest 0.4.3...both versions give same results.
I used a Segger J-tag interface to get a memory dump file (address 0x40000000, 3ffffff bytes).
Running rigup 0.4 I scan, I consistently get following error:
     Scanning "memorydump.bin" file failed: No keys

with rigup serial I was able to produce a serial number file.
with rigup search I produced a keyfile (at least I think).
I then merged both text files into a new keyfile.
I then tried to run rigup license...
I get set of license numbers (??) generated but if I repeat this, different numbers are always produced..!!???
I tried two of these numbers which MSO did not accept and madly locked out for 12 hours each time.

At last I retried rigup scan but same results (No keys error)
info does not work either.

What do I do wrong ?
Is there a standard format to produce a compatible blank keyfile.txt file ?
I see no place where to enter model number...is it required and how to do it ?
...need help

thanks
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2700
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #3923 on: June 04, 2015, 08:03:34 pm »
There's a patched version of rigup for the MSOs. Are you using the right one?

McBryce.
30 Years making cars more difficult to repair.
 

Offline pierre288

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus
« Reply #3924 on: June 04, 2015, 08:57:52 pm »
Hi McBryce,

you got a point there...
I'm using regular 0.4 version.
I noticed there is another version (rigup-0.4.1-mso1000z) you probably refer to;
the only problem is this does not include executable file and I don't have required setup to compile it to run under Windows' Command session.

Anyone has the executable file ?

thanks
pierre
 

