Sniffing the Rigol's internal I2C bus

[Circlotron]

Who here is going to be enterprising enough to produce a front panel RIGLOL sticker available to all of us with suitably hacked scopes?

[hematose]

I can confirm that using DSAE and other option codes on my MSO1074Z with this private key (trimmed the leading two zeros) does not work.

I'd be surprised if it was the option codes that were the problem though. The format seems to be pretty similar between the other scopes.

Maybe what is going on is that the LA functions are implemented as a special option so that there's another free bit that needs to be set to work with the MSO scopes?

[rmd79]

I think its fairly certain that the keys being generated by riglol are not going to work without some further changes somewhere.

Running './rigup info mso1074z-s.keys <key>" on a key that my scope accepts works and the key can be verified as OK.

Running the same command on a key generated by riglol (modified with the private key I found earlier) does not work, and my scope won't accept them either.  So, it looks like the keys can be verified but not created at the moment.

[ted572]

I posted the following new Rigol 2014 manuals:

  DP800 2014 Calibration Guide.pdf
is at >  https://www.eevblog.com/forum/testgear/rigol-dp832-firmware-updates-and-bug-list/msg512521/#msg512521

  DP800 Performance Verification Manual.pdf
is at >  http://beyondmeasure.rigoltech.com/acton/attachment/1579/f-050d/1/-/-/-/-/DP800%20Performance%20Verification%20Guide.pdf

  DSA800 Programming Guide PDF
ia at >  http://www.filedropper.com/dsa800programmingguidepdf

  DG4000 Calibration Guide.pdf
is at >  https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/msg512569/#msg512569

  DG4000 Performance Verification Guide.pdf
is at >  https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/msg512565/#msg512565

  DSA815 Service Guide.pdf
is at >  https://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg512514/#msg512514

  DSA815 Performance Verification Guide.pdf
is at >  https://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg512933/#msg512933   

  DSA815 10MHz Clock Frequency Adjustment.pdf (10MHz Frequency Standard)  Note: This procedure is not new.
is at >  https://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg512575/#msg512575

  DS2000 Performance Verification Guide.pdf:
is at >  http://beyondmeasure.rigoltech.com/acton/attachment/1579/f-04ce/1/-/-/-/-/DS2000%20Performance%20Verification%20Guide.pdf

[ted572]

Installing DSA815 Options on units with firmware 00.01.09.00.07 and with BOOT Loader 03.
.
Note:  This will NOT work with units supplied from Rigol with Pre-installed .09 FW and Boot Loader .04.

Go to >  https://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg513125/#msg513125

[Vtech]

Running the same command on a key generated by riglol (modified with the private key I found earlier) does not work, and my scope won't accept them either.  So, it looks like the keys can be verified but not created at the moment.

That is very odd. It is basically the same algorithm running in two ways - it encrypts the data when it creates the license key and it decrypts it when it runs the info command on a key. I think it must work. I mean when it produces the key using a set of data (serial number, option code and encryption keys) it has to be able to decrypt it using the same set of encryption keys. If it doesn't it means that something is messed up in riglol code.

[rmd79]

Yeah I thought it was odd as well.

I've attached some patches of the rigup-0.4 and riglol-20140717 code that I've been modifying.  Actually, the patches are not the code I've been working on, since thats a bit of a mess now, they are just the basics that would get anyone else to the same point I'm currently at.

So, with the patches you can use "rigup scan" to scan the MSO1000Z memory dump for the keys and generate the key file.  it should find the keys and also the serial number.  The riglol patch just adds the private key into riglol and makes riglol recognise the MSO1000Z serial number (which in my case begins with "DS1ZD", and I'm assuming they all do).

If there is someone here who wants to look further into this, I could provide the portion of my scope's memory dump containing the keys (or the whole thing), as well as the key file generated by "rigup scan", the valid license key that my scope accepts and that "rigup info" can verify as OK, and anything else you need.  Just PM me via the forum.

The point at where things may have gone wrong could be the code that breaks the public key and solves the private key.  I'm thinking that if "rigup info" can decode a valid key using the public key retrieved by "rigup scan", then it would make sense that if the code that calculates the private key is getting it wrong, riglol would not be able to produce a valid key.

I don't know how to go about verifying whether to not thats the case.

[ibraheem]

Hi! Amazing thread.. I read the first 50 pages or so for an insight, and tried searching through for an answer but I don't think it's been addressed.

Seems like there's a "new" DS1054Z model to the DS1000Z series, cheaper than the DS1074Z, has anyone used one and unlocked the DS1000Z range optional features?

[Strada916]

Ds1074z yes.  Find the riglol Web site in this thread. Enter serial number and option and pesto.

[ibraheem]

Ds1074z yes.  Find the riglol Web site in this thread. Enter serial number and option and pesto.

Yes I saw that, but I'm referring to the "new" DS1054Z (marketed as 50MHz):
http://www.rigol-uk.co.uk/Rigol-Digital-Oscilloscope-DS1054Z-p/ds1054z.htm#.VBcdkvldX_t

I would think it should work the same as the DS1074Z and the rest of the DS1000Z series () but would like to see if anyone has actually tried it?

[Strada916]

Since its new. Maybe not.

[leppie]

At over 100 pounds cheaper (perhaps translated to ~$150) the DS1054Z would be a real bargain if hackable. 

Edit: $399 at tequipment!!! Even cheaper http://www.tequipment.net/Rigol/DS1054Z/Digital-Oscilloscopes/

[ibraheem]

At over 100 pounds cheaper (perhaps translated to ~$150) the DS1054Z would be a real bargain if hackable. 

Edit: $399 at tequipment!!! Even cheaper http://www.tequipment.net/Rigol/DS1054Z/Digital-Oscilloscopes/

Yup I think it's worth a punt, going to put in an order and see what happens. This will be my first oscilloscope!

[Gandalf_Sr]

At over 100 pounds cheaper (perhaps translated to ~$150) the DS1054Z would be a real bargain if hackable. 

Edit: $399 at tequipment!!! Even cheaper http://www.tequipment.net/Rigol/DS1054Z/Digital-Oscilloscopes/

Don't forget that you can get 6% discount using the EEV Blog code.

[leppie]

I just ordered one too Even if not hackable, the features will complement my old 200MHz TDS well. 

[Jog]

Hello together,

sorry I am absolutly new but I hope I get help here. I bought a new DS2072a and try to "update" it into a ds2302a with all options, but without any success.

a) the firmware is 00.03. sp1 (from delievery on) so I can't downgrade into the 00.02. for the windows based upgrade (*IDN? with all info) = I became only the SN in 13! not 14 digits and nothing else.
b) rigkey under linux can only generate a key with a 14 digit SN (if I add a 0 at the end, it dosn't help and also the option DSA9) will not accepted due to his lenght and that because it fits?!

I work now since 2 days on a possibility and see no further possibilities 

For every hints I'm very thankeful!

many thanks if anybody can help!

[Mark_O]

At over 100 pounds cheaper (perhaps translated to ~$150) the DS1054Z would be a real bargain if hackable. 

Edit: $399 at tequipment!!! Even cheaper http://www.tequipment.net/Rigol/DS1054Z/Digital-Oscilloscopes/

A 4-channel scope, especially with the performance of the 1000z-series, is really mind-boggling at that price-point!  That becomes a no-brainer for those on a limited budget, looking for whatever they can find at a low price... unless they're sure they'll never need more than 2-channels, and are strapped for very dinero.

[poorchava]

Hi, I'm thinking about purchasing DS1054 or DS1074 and obviously "upgrading" it. I am aware of the Riglol tool, but it needs a private key. I went through all the posts in this topic, but all this is greatly confusing.

In the end: what are the missing steps for upgrading the scope in the sequence below?

-upgrade FW to latest version
-read serial of the device
-get private key
-input serial and desired options into Riglol tool
-enjoy!

Does getting the private key still involve taking scope apart and dumping memory? I haven't seen any post that would say otherwise, but I just wanted to make sure.

[frenky]

1. Type in your unit's Serial Number.
2. Type in DSER for all options without the 500µV. This Option may not be in the Keygen's list, but it will work!
3. Do NOT enter anything for 'Privatekey', it will be inserted automatically for you (based on the DS1000z).
4. Press [GENERATE], and record the resulting Option Code.
5. When you are done enter the Option Code manually in the DS1000z using a single string without using any 'dash' (-) using Rigol's Procedure for activating the Trial Options in the D1000z.

https://www.eevblog.com/forum/testgear/is-rigol-ds1074z-hackable-to-increase-bandwidth-to-100/msg499411/#msg499411

[PepeK]

Hello together,

sorry I am absolutly new but I hope I get help here. I bought a new DS2072a and try to "update" it into a ds2302a with all options, but without any success.

a) the firmware is 00.03. sp1 (from delievery on) so I can't downgrade into the 00.02. for the windows based upgrade (*IDN? with all info) = I became only the SN in 13! not 14 digits and nothing else.
b) rigkey under linux can only generate a key with a 14 digit SN (if I add a 0 at the end, it dosn't help and also the option DSA9) will not accepted due to his lenght and that because it fits?!

I work now since 2 days on a possibility and see no further possibilities 

For every hints I'm very thankeful!

many thanks if anybody can help!

Read this : https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/?topicseen

[exciler]

Hi!

Just got a DS1054Z yesterday from Batronix (in Germany) for 299 EUR (excl. Tax). Numbers are working
So I think it is very good value for the money, highly recommend it.

[Magnum]

Hi!

Just got a DS1054Z yesterday from Batronix (in Germany) for 299 EUR (excl. Tax). Numbers are working
So I think it is very good value for the money, highly recommend it.

I ordered one from Batronix, too. Which firmware version do you have on yours?

[poorchava]

So it's upgradeable to 100MHz?

[exciler]

So it's upgradeable to 100MHz?

At least it accepts the code, haven´t tested a 100 MHz signal yet.

Hi!

Just got a DS1054Z yesterday from Batronix (in Germany) for 299 EUR (excl. Tax). Numbers are working
So I think it is very good value for the money, highly recommend it.

I ordered one from Batronix, too. Which firmware version do you have on yours?

Need to check that tomorrow, but as the DS1054Z is pretty new, I do not expect any difference.

[ibraheem]

Brilliant! I should be receiving mine tomorrow so will post up results.

Based on the past few posts I'm under the impression the code to use is still DSER (i.e. it's still not a good idea to install the 500uV option?)