Sniffing the Rigol's internal I2C bus

[Loeti]

Does anyone here know if the same upgrade codes are used for DS1000Z and MSO1000Z units? Would Riglol work for MSO1000Z?

Hello,

I got my MSO1104Z-S today. Even if the Rigol order codes for the options are the same for the DS1000Z and MSO1000Z series,
unfortunately Riglol doesn't work for the MSO1000Z at the moment. The firmware version of the MSO1000Z is also V04.00,
but there must be something different. Different private key, different option code or something like this. I've tried some other
option codes like "MSAB" instead of "DSAB", or "DSBB" or "DSHB" like other models use but I haven't succeeded yet.

Michael

[trunc71]

My DS2072A will arrive this week and of course I'll give it a try to unlock the added value. The description of the unlock process with the patched firmware 00.02.01.00.03 is pretty straightforward but I have one question left.

On the server http://www.gotroot.ca/rigol/ are three different rigup versions. They have version numbers 0.1, 0.2 and 0.4. Which version is the correct one to upload the binary key file ? The latest which is 0.4 or 0.1 which is the one mentioned in the document "DS2072A Unlocking Guide" on the same server ?

My thanks to all contributors who have spent that much time to look into all this.

Mike

[AintBigAintClever]

0.4 should do nicely.
If for some reason your scope rejects the 300MHz+all features code, try creating NS8N and NSEH codes and applying both, as per this post.

[trunc71]

OK, thanks. Seems that I'm well prepared now. I'll give it a try tomorrow.

[trunc71]

In the meantime I have successfully unlocked all options of my DS2072A. 

However it was not that easy as I thought. On my 64-bit Windows 7 none of the keys created with rigup worked. The DS did not respond at all when sending the final key. No error message or whatever. Nevertheless I've seen some messages with similar experience in the forum before. Therefore, I switched to a 32-bit Virtual machine and tadaaa it worked immediately. No idea what's wrong with my 64.bit OS. Finally, I installed the latest firmware and all licenses are still there.

[conte_vlad]

great 

I ask: what did not worked on 64 version? rigup or else ultra sigma that send serials?

[trunc71]

I cannot say what exactly didn't work on 64-bit. Rigup has created the keys and I tried to send them with ultra sigma and later with Telnet. In both cases I got no response from the DS2072A and the trial licenses were still active. I also tried the update tool which has been programmed by madcrow when I remember correctly. I this case I saw the congratulation screen of the update tool but when I checked the installed licenses I saw the trial ones, only.

On 32-bit I tried the manual procedure first and it worked. Interestingly, the keys created by rigup are exactly the same on both windows versions. It must be another problem, maybe something is wrong with the bus communication. I don't know.

[conte_vlad]

thanks for answer 

it seems rigup, as you said, works same as the keys are same, may be some comunication problems with 64 version.  I will do some test, I am afraid to open the unit  but I will do

[mrflibble]

I ask: what did not worked on 64 version? rigup or else ultra sigma that send serials?

Probably the 64-bit windows version. IIRC the used crypto library had some 32 vs 64-bit issues (on linux as well). So if the windows binary has not been compiled with the correct flags that would indeed cause a mismatch between generated keys on 32-bit vs 64-bit platform.

So when in doubt using a 32-bit VM is a good workaround as already noted.

[trunc71]

If that is really the case then I'd expect different keys on both systems. But they are identical what makes perfect sense to me. I have also created the keys with different rigup versions. Also identical. Therefore, when finally transmitting the key to the DOS, the unit cannot know on which system the key was created. But on 64-bit W7 I got no response at all from the DOS whereas on 32-bit I saw the progress bar etc. immediately. I may be completely wrong but at the moment I doubt that the issue has to do with the key calculation.

[AintBigAintClever]

My keys were successfully applied using Ultra Sigma in Win7 64-bit, sounds like you had an issue with either drivers or the Ultra Sigma install. Well done getting it done anyway. 

[trunc71]

That's what I first thought because I know that many people have successfully used W7 64-bit. But others didn't. In my case Ultra Sigma was able to communicate with the DOS and has read out the keys correctly with the *IDN? command. This worked for both 32- and 64-bit without problems. The :SYSTem:OPTion:INSTall command only worked on 32-bit for me. I don't know whether this is due to a driver problem but I do think that this is some kind of a communication problem that arises under not yet known circumstances.

[Alex_Ismagilov]

Hi all,
I'm very happy about upgrading my DS2202A-S to DS2302A-S+AllOptions.
Greetings from Russia

Greatest THANKS for guys who make it possible!

Some details:
Used this guide: http://gotroot.ca/rigol/D2072A%20Unlocking%20Guide.pdf
The wizard "DS2000A Upgrade Utility" - does not work. Can't see after flashing fw.

My device: DS2202A-S
Now DS2302A-S with all options

Serial: DS2E15xxxxxx
Software version: 00.02.01.00.03
Hardware version: 1.2.2.0.2

Thanks: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg409142/#msg409142
NSFH - ? all option and NO CHANGE bandwidth
NS8Q - ? all option and 300mhz

Alex.

[sethur]

Hi *,

I got an DS1074Z-S, but non of the generated keys worked for me. 

Unfortunately Rigol added a 12h timer when several wrong keys have been entered.

I then ripped up the case and read out the W25X40B flash, tried another wrong key and re-read the flash again to find out where the 12h timer is located.
It seems to be a 32bit timer at location 0x78007.

The trail keys start at 0x78027.
Removing them from flash and reentering would give another trail period, I think...

Maybe someone out there has some interest and knowledge on hacking this?

Greets,
sethur

[PepeK]

Do I understand it properly that if DS 2072 A or MSO 2072 A has a hardware version 2.2 it is not possible to downgrade using an USB stick ? (and it works only for HW revision 2.0 ? )
Is the only working way opening the scope and dumping a memory with some JTAG tool as described in this forum ?

[AndersAnd]

It would be nice if the persons handling http://gotroot.ca/rigol/riglol/ and http://riglol.3owl.com/ could update their online version.

I have http://riglol.3owl.com/ updatet. Thank you for your work.

Great work! I have updated my mirror at http://gotroot.ca/rigol/ . The old version also remains for posterity.

Avotronics's UK mirror has been updated too.

Original made by studio25: http://riglol.3owl.com
Canadian mirror hosted by ve7xen: http://gotroot.ca/rigol/riglol/
UK mirror hosted by Avotronics: http://rigol.avotronics.co.uk/mirrors/riglol/

[0xPIT]

Hi,

I'm new to the forum, thanks for your great work.

So I've got a new 2072A and I am currently trying to dump the beast,
I soldered a cable for my USB Blaster and started Dumping according to
post #2433, the Bfin is recognized nicely.

Dumping seems to work, but when it's finished, gdb spits out

Code: [Select]

dump binary memory ~/sdram.bin 0x00000000 0x07FFFFFF
Ignoring packet error, continuing...
Reply contains invalid hex digit 116

and even as the process takes hours and I can see gdbproxy's debug out
to iterate over the address space, no file is written.

I've already increased gdb's remotetimeout without any change.

As the BF-Toolchain was not available for Mac and did not compile on first try,
I used a current Ubuntu on my old Atom Netbook to do the dump.

Update:
Now also tried with same '116' problem on my MacBook Pro in a Ubuntu 14.04 VirtualBox.
I've even tried several toolchains and gdbproxy/gdb combinations

Update 2 (solved using workaround):
I managed to extract a dump and generate Keys using this workaround:
in gdb, I used
    set debug remote 1
and
    set remotelogfile /tmp/log

Then I started a new dump, which failed at the end with the stated '116' error, but all responses from the Blackfin were logged as ascii hexdump in the logfile.

I then awk'd the logfile to include only lines starting with +r $ and then removed this string using vi (:%s/^r\ +$//g)
Now I used xxd -p -r to convert the hexdump to binary and ran rigup on it, which worked fine.


Greetings,
  - pit

[asgard20032]

Im about to buy a DS1074z or a MSO1074z (maybe the -s variant), but I want to know if anyone here successfully hacked the MSO one/

[AndersAnd]

Im about to buy a DS1074z or a MSO1074z (maybe the -s variant), but I want to know if anyone here successfully hacked the MSO one/

Same firmware. Makes no difference if it's DSO or MSO, or even S variant.

[asgard20032]

Its because of that I ask :

Does anyone here know if the same upgrade codes are used for DS1000Z and MSO1000Z units? Would Riglol work for MSO1000Z?

Hello,

I got my MSO1104Z-S today. Even if the Rigol order codes for the options are the same for the DS1000Z and MSO1000Z series,
unfortunately Riglol doesn't work for the MSO1000Z at the moment. The firmware version of the MSO1000Z is also V04.00,
but there must be something different. Different private key, different option code or something like this. I've tried some other
option codes like "MSAB" instead of "DSAB", or "DSBB" or "DSHB" like other models use but I haven't succeeded yet.

Michael

[PedroDaGr8]

Im about to buy a DS1074z or a MSO1074z (maybe the -s variant), but I want to know if anyone here successfully hacked the MSO one/

The search button and/or reading this thread would give you the answer.

[asgard20032]

Im about to buy a DS1074z or a MSO1074z (maybe the -s variant), but I want to know if anyone here successfully hacked the MSO one/

The search button and/or reading this thread would give you the answer.

I read over 100 page on this thread, used the search on MSO1074z and MSO1000z, without more result than what I quoted and what we are talking since the last 3 post.

[miguelvp]

https://www.eevblog.com/forum/testgear/rigol-ds1074z-oscillosope/msg434605/#msg434605

utility:
http://riglol.3owl.com/

within utility you will find the following.

DS1000z device options:
DSAB - Advanced Triggers
DSAC - Decoders
DSAE - 24M Memory
DSAJ - Recorder
DSBA - 500uV Vertical
DSEA - 100MHz
DSFR - all options

But I have no idea about the MSO1074z then again you mentioned the DS1074z as well.

Edit: took me under 2 minutes (maybe even under 1 minute) to find it with the search button.

[asgard20032]

I know for the DS1074z... im asking about MSO1074z

[Loeti]

I tried it with a DS1104Z-S, serial no. starting with "DS1ZB" -> works.
MSO1104Z-S, serial no. starting with "DS1ZD" -> doesn't work.

Maybe they have changed the algorithm or at least the private key and provided downward compatibility for the first DS1000Z scopes with "DS1ZB" serials.

Michael