Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1885449 times)


Offline elscode

  • Newbie
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3500 on: September 08, 2014, 11:38:36 am »
I have got the brand new version of dsa815. Downgrade to previous firmware version is not possible. Image is considered as invalid and upgrade process aborted  :-//
 

Offline radiogeek97

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3501 on: September 08, 2014, 11:50:23 am »
If this is actually the case, what is the last version of the FW where the "upgrades" will work?  The other question I have, and I am a total newbie: if I got an 815 with the latest "locked" FW, how would that work with the old software licenses for accessories etc.? For example, the Rigol SWR bridge kit comes with the hardware and a software key for $600 USD. If Rigol eliminated the "home upgrade" process by another FW revision, wouldn't they have to change all the old legacy software license keys?  If not, wouldn't the same KEYGEN software work?  What if I got a brand new up-to-date DSA815 from Rigol and bought a new Rigol VSWR bridge and software license off eBay, would the old software license be incompatible?   Just a few random newbie thoughts
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1729
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3502 on: September 08, 2014, 12:30:20 pm »
It seems that all the messing around with holo-stickers and JTAG may no longer be necessary...

Check out this thread https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/180/ where PeDre has shown that a memory dump can be done using a simple SCPI command over the USB or LAN ports using a free download utility.  That memory dump can then be applied to Rigup in the usual way.  This has been successfully done by at least 3 people so far.
If at first you don't succeed, get a bigger hammer
 

Offline radiogeek97

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3503 on: September 08, 2014, 03:48:04 pm »
Has anybody purchased a Rigol DSA815 with the latest FW and been able to use the Rigol key gen utility to upgrade their device successfully?
 

Offline pinkman

  • Regular Contributor
  • *
  • !
  • Posts: 61
Re: Sniffing the Rigol's internal I2C bus
« Reply #3504 on: September 08, 2014, 07:14:07 pm »
Has anybody purchased a Rigol DSA815 with the latest FW and been able to use the Rigol key gen utility to upgrade their device successfully?
As myself and another stated on page 236, no, it does not work.
 

Offline swanawood

  • Contributor
  • Posts: 16
Re: Sniffing the Rigol's internal I2C bus
« Reply #3505 on: September 09, 2014, 04:17:31 pm »
@pinkman
Did you try what was suggested by Gandalf_Sr on page 236?

Thanks
 

Offline radiogeek97

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3506 on: September 09, 2014, 04:21:50 pm »
Folks,
    I am totally ignorant when it comes to simple SCPI commands.  I have looked through the threads and haven't found any good explanation of how to initiate and run simple SCPI commands.  If anybody could point me in the right direction (as far as previous threads etc.), I will educate myself as much as possible so as not to be a burden on all of you who have been so helpful.

thanks in advance
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1729
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3507 on: September 09, 2014, 10:40:08 pm »
Folks,
    I am totally ignorant when it comes to simple SCPI commands.  I have looked through the threads and haven't found any good explanation of how to initiate and run simple SCPI commands.  If anybody could point me in the right direction (as far as previous threads etc.), I will educate myself as much as possible so as not to be a burden on all of you who have been so helpful.

thanks in advance
Follow the link in my post at the end of page 236 of this thread (previous page).  There's not much reading to do.
If at first you don't succeed, get a bigger hammer
 

Offline flatlander

  • Contributor
  • Posts: 16
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3508 on: September 10, 2014, 03:07:15 am »
I'm about to pull the trigger on a MSO-1074z and was wondering if anyone has tried the SCPI method to dump this scope's memory and then use 'rigup' to get the keys to unlock the optional features on this model.
« Last Edit: September 10, 2014, 06:05:23 am by flatlander »
 

Offline swanawood

  • Contributor
  • Posts: 16
Re: Sniffing the Rigol's internal I2C bus
« Reply #3509 on: September 10, 2014, 08:13:17 am »
It would be appreciated if radiogeek97 and pinkman gave it a try with the DSA-815 and reported back the result.

Personally I have no Rigol instrument to try with (willing to buy an 815TG), so I can't help directly.

Thanks
 

Offline radiogeek97

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3510 on: September 10, 2014, 11:33:55 am »
I will as soon as I get one  ;D

I am an idiot compared to some of the talent on here; however, I am savvy enough to follow directions once somebody has cracked the problem  :clap:    I "upgraded my Rigol 1052e" with directions provided to me by the fine posts on here.  I most certainly will post when I get my DSA815. I just need to figure out how the SCPI commands are inputted etc. before I commit my cash.

thanks
 

Offline sacherjj

  • Frequent Contributor
  • **
  • Posts: 993
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3511 on: September 10, 2014, 03:14:50 pm »
It would be appreciated if radiogeek97 and pinkman gave it a try with the DSA-815 and reported back the result.

Personally I have no Rigol instrument to try with (willing to buy an 815TG), so I can't help directly.

I had no problems with keys on my 815TG, but not sure if firmware has changed.  I've had it about 6 months.  We purchased the features I needed for work, but I unlocked some features I wanted to play with.
 

Offline radiogeek97

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3512 on: September 10, 2014, 04:54:09 pm »
Sacherjj,
   I am in the same boat, getting one for work with a LEGIT VSWR from Rigol, but would like to play with a few more options like the EMI.   I contacted a few vendors like Tequipment and they have no way of knowing what FW version they will ship out, most likely the latest due to their high turnover  :palm: 
   I'm hoping somebody can do a step-by-step how-to for the DSA815 with the latest FW version, as I am not up to speed on hacking, although I can apply and follow directions.    Thanks again to all on here
 

Offline sacherjj

  • Frequent Contributor
  • **
  • Posts: 993
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3513 on: September 10, 2014, 07:02:46 pm »
Sacherjj,
   I am in the same boat, getting one for work with a LEGIT VSWR from Rigol, but would like to play with a few more options like the EMI.   I contacted a few vendors like Tequipment and they have no way of knowing what FW version they will ship out, most likely the latest due to their high turnover  :palm: 
   I'm hoping somebody can do a step-by-step how-to for the DSA815 with the latest FW version, as I am not up to speed on hacking, although I can apply and follow directions.    Thanks again to all on here

If you are already getting it, then get it.  Go to the various web hosted key gens and try.  I see it as an added bonus, but it wouldn't have stopped us getting the equipment in the first place.
 

Offline radiogeek97

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3514 on: September 10, 2014, 08:46:48 pm »
Oh no, definitely already got the quote. Just waiting on getting a P.O.  :-DMM
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3515 on: September 11, 2014, 04:07:48 pm »

Flatlander (and everyone else interested in the MSO1000Z series)..

Today I dumped the RAM from my MSO1074Z-S using an Olimex ARM-USB-OCD-H adapter and a JTAG cable I made using the information provided by sptm14.

I ran the "rigup" tool on the memory dump but it didn't find any keys.  However, I then went and manually searched for variations of what rigup was searching for, and found a section of the memory dump that seems to almost exactly match what rigup wants to see in order to extract the keys and resolve the private key.

In the rigup-0.4.zip, /src/ directory, there is a file called utils.c, which contains a function called ScanKeys().  It searches for the following pattern in the memory dump:

(hex):

02 00 84 00 10 00

I changed it to:

01 00 84 00 10 00

and then re-compiled and ran it on my memory dump, then I got this:

root@kali03:/home/rdavidson/rigup-0.4# ./rigup scan /root/mso1074z-s_64M_RAM.bin
rigup scan - Version 0.4

RC5KEY1:        057C2FCEFAD84E75AF393F05A13F8690
RC5KEY2:        23E24CFCA6FA196C89F3A9706BDA3689
XXTEAKEY:       D4AD754E348E9D2BF3C161517AE2CB04
PUBKEY:         005497018B62F230
PRIVKEY:        0099FC5DFBE778D0

I also ran "rigup search /root/mso1074z-s_64M_RAM.bin".  It spat out 6 keys, one of which looks obviously wrong/invalid, but I tried one of the more reasonable-looking keys on my scope and got a message saying the key has already been used.  So, I believe I have 1 valid key (which might be a trial key, since my scope still has about 33 hours of its trial period left and I haven't purchased any upgrades, or maybe it's a feature key for the Sig Gen or LA.  No idea!).

The key below, VZ2RCVM... is the key that rigup was able to find in my memory dump, and that the scope says has already been used.  This info below, I believe, is rigup validating the key, using the key info above:

root@kali03:/home/rdavidson/rigup-0.4# ./rigup info mso1074z-s.keys VZ2RCVM-ZK8ZY4L-_______-_______
rigup info - Version 0.4

License:        VZ2RCVM-ZK8ZY4L-_______-_______    (V2MP = 0x9ED6D)
Signature 1:    0000000000000000
Signature 2:    0000000000000000
Padding 1:      00000000A0EF87DE
Padding 2:      00000000743732CE
Verify:         Ok

All of the other keys it found do not verify (and I haven't tried inputting them into my scope yet, to see if they work there).

FYI: My MSO1074Z-S runs firmware version 00.04.01.SP2.  In the memory dump, the keys appear to be located at hex address 0x00E063AC.

I have not had any luck generating keys to unlock the features in the scope yet.

If anyone wants to give me a hand or has any ideas, let me know.  I'm not giving up yet, but it's 2am here and I'm off to bed.
 

Offline conte_vlad

  • Contributor
  • Posts: 16
Re: Sniffing the Rigol's internal I2C bus
« Reply #3516 on: September 11, 2014, 04:33:10 pm »
I apologize if I missed something, but it seems you are using, from what I understood, the procedure written for the DS/MSO2000 on the DS/MSO1000, and I am not sure it is correct.

Go there

http://www.gotroot.ca/rigol/riglol/

fill in the fields with your requested details, read the section for the DS1000, and try. I don't have the MSO1000 and never used it, but try.... O0
« Last Edit: September 11, 2014, 05:15:25 pm by conte_vlad »
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3517 on: September 11, 2014, 04:51:18 pm »

Hello conte_vlad,

I'm using a very similar procedure to the others, basically trying to go the route of dumping the memory, getting the keys and then generating licence keys.  There is nothing new about that, but I'm hoping that I've found the private key for the MSO1000Z series and that now I just need to find the 4-character feature codes.

I don't fully understand your post; the link is to a file on your hard drive.  If you are trying to ask me to try using the DS1000Z key generation feature in Riglol, then I can already tell you that it doesn't work with the MSO1000Z series.  I tried that before going the JTAG route.
 

Offline conte_vlad

  • Contributor
  • Posts: 16
Re: Sniffing the Rigol's internal I2C bus
« Reply #3518 on: September 11, 2014, 05:15:50 pm »
sorry, I corrected the link... :phew:
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3519 on: September 11, 2014, 05:27:32 pm »
sorry, I corrected the link... :phew:

Hello conte_vlad,

I've tried Riglol, but it doesn't produce valid license keys for my MSO1074Z-S.  After I opened up my MSO for the first time and saw that the board was labelled as a DS1000Z main board, I tried the Riglol tool, but no luck.  I'm fairly sure that I've read somewhere in this massive thread that the Riglol tool can't produce valid keys for the MSO1000Z series yet, so it's no surprise that it didn't work.
 

Offline hematose

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus
« Reply #3520 on: September 12, 2014, 02:18:06 am »
rmd,

Thank you very much for taking this important step! The fact that you got one key that didn't error suggests that we really do have the private key now.

I'll try and go back to take a look at the 4-character codes for the other scopes.

Looking forward to hearing more!
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3521 on: September 12, 2014, 02:45:34 am »
Looking forward to hearing more!

Thanks,

I'm still working on this; I have a couple of concerns at the moment.  Those are:

1. Both the PUBKEY and PRIVKEY start with 0x00, which I find odd.  It might be perfectly fine/normal, but I'm not sure yet.  Looks like that's normal based on other posts.

2. The PRIVKEY is 16 characters long, but the web version of Riglol only seems to accept 14-character private keys.  Seems normal; I guess we drop the 0x00 from the beginning of the key.

3. The serial number of my MSO1074Z-S is 14 characters long; the serials of the DS2 series seem to be 13 characters long (going by what I see in the code).

FWIW, I'm working with the rigup-0.4.zip codebase and the riglol that it contains, not the web version.  I'm just noting some issues here that I've come across so far, kind of in the hope that someone can chime in on them and maybe help out a little.

I'm also considering purchasing a license for my scope just to see if I can find the option code and maybe validate that the private key is correct.  The reason I have some concerns is that I can't get Riglol to re-produce this license key:

VZ2RCVM-ZK8ZY4L-_______-_______    (V2MP = 0x9ED6D)

I would have thought that if everything was working correctly, I could run something like:

./rigup riglol DS1ZDxxxxxxxxx V2MP

and then get the same license key as above, however the key that it generates is completely different.

EDIT: I should mention that I've added what I think may be the private key for the MSO1000Z series into my copy of rigup/riglol; otherwise the above would just error out.

« Last Edit: September 12, 2014, 04:05:29 am by rmd79 »
 

Offline Vtech

  • Regular Contributor
  • *
  • Posts: 58
  • Country: pl
Re: Sniffing the Rigol's internal I2C bus
« Reply #3522 on: September 12, 2014, 06:40:23 am »
Hi rmd79,

You won't be able to generate the same license key as the original Rigol key. The key generation algorithm uses a seed number (k_offset in the riglol code). The riglol code sets this number to 0, but genuine Rigol licenses seem to be using true random numbers. Two valid licenses for the same option and serial number can have totally different values.

Buying a license also wouldn't help, because Rigol doesn't give option codes. They give you a 16-character code that you have to enter on their website along with the serial number of your unit, and in response you get the license key.

Hope this helps
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3523 on: September 12, 2014, 07:21:41 am »
Hi Vtech,

Thanks for the info :)
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3524 on: September 12, 2014, 12:04:51 pm »
Vtech,

I forgot to mention, the reason I was thinking about buying an official license for an option in my scope was because I think I might be able to deduce the option code by running the official key through the rigup "info" command, which I've previously done with the official trial key in my scope.  The info command verified the key as OK and also spat out what looks like an option code (V2MP).

So I was thinking I might be able to get a non-trial option code that way, and maybe work from there.
 
