Sniffing the Rigol's internal I2C bus

[McBryce]

Downgrading isn't possible.

McBryce.

[qwertymodo]

4.04.00.07 is the same as 4.04.SP1, that's just how it's displayed in the menu vs how the file is named in the download package. And looking at the site, that is the latest version.

Also, no downgrading.

Sent from my m8wl using Tapatalk

[psysc0rpi0n]

Ok, so as I have the 4.0.3.SP2, I hope to be able to successfully dump the memory and generate the correct keys!

And if I accomplish it successfully, can I later upgrade the firmware without loosing the licenses, Is that what you meant by "surviving the upgrade"?

[qwertymodo]

When you go to do the memory dump, try to halt the scope immediately after the Rigol logo disappears, that's what worked for me.

And yes, I upgraded my scope to 4.04 after installing the keys, and they're all still installed.

Sent from my m8wl using Tapatalk

[psysc0rpi0n]

When you go to do the memory dump, try to halt the scope immediately after the Rigol logo disappears, that's what worked for me.

And yes, I upgraded my scope to 4.04 after installing the keys, and they're all still installed.

Sent from my m8wl using Tapatalk

Ah yes, that was one other question I would like to ask about the correct timing to dump the memory...
When you guys say to halt the scope immediately after the Rigol logo disappears, I' not sure when does this happens! Is when I turn on the scope or do I need to do anything on the scope to make the logo appear and then disappear?

[qwertymodo]

It halts when you send the halt command to openocd. Basically, you turn on the scope, then start openocd, then you send commands to openocd (or if you set up an openocd.cfg file, it will execute the commands in the config file when you run it, so it's useful to put the halt command in the config file). You want to execute the halt command immediately after the logo disappears and the options menu appears, showing you how long you have left on the trial features.

My suspicion is that they added code that after it checks the status of the licenses, it clears the keys from memory, so if you let the scope sit idle for awhile, when you do the memory dump, you won't be able to generate licenses from it, but if you take the memory dump right away as soon as that screen comes up, it won't have run that cleanup code yet and the memory dump will be useable. That's just speculation on my part, but it seems like a reasonable enough theory.

Sent from my m8wl using Tapatalk

[psysc0rpi0n]

It halts when you send the halt command to openocd. Basically, you turn on the scope, then start openocd, then you send commands to openocd (or if you set up an openocd.cfg file, it will execute the commands in the config file when you run it, so it's useful to put the halt command in the config file). You want to execute the halt command immediately after the logo disappears and the options menu appears, showing you how long you have left on the trial features.

My suspicion is that they added code that after it checks the status of the licenses, it clears the keys from memory, so if you let the scope sit idle for awhile, when you do the memory dump, you won't be able to generate licenses from it, but if you take the memory dump right away as soon as that screen comes up, it won't have run that cleanup code yet and the memory dump will be useable. That's just speculation on my part, but it seems like a reasonable enough theory.

Sent from my m8wl using Tapatalk

Hum, something is worrying me now! You say that the right timing is when the logo goes away and the screen with the trial options left time comes up with the remaining time! But I think my scope is not showing that screen anymore because all the remaining time is already gone! So I have all those options already expired! I remember that screen appears on all boots but before the remaining times are out!

[qwertymodo]

That's probably still fine.  Another guy earlier in the thread was successful with his memory dump taken while the Rigol logo was still on screen, so the timing isn't super exact.  I tried doing it then, but wasn't successful, I probably tried too early.  In any case, it's probably going to be a matter of trial and error at this point, unless somebody can disassemble the firmware and determine exactly where to set a breakpoint.

[psysc0rpi0n]

That's probably still fine.  Another guy earlier in the thread was successful with his memory dump taken while the Rigol logo was still on screen, so the timing isn't super exact.  I tried doing it then, but wasn't successful, I probably tried too early.  In any case, it's probably going to be a matter of trial and error at this point, unless somebody can disassemble the firmware and determine exactly where to set a breakpoint.

Ok, I hope I can still be in the game!
I'm not sure if anyone besides McBryce was able to dump it. The guy you say had an MSO or a DSO? I have an MSO1104Z. I've not being paying attention to what exactly are the models of scopes that people have been successful dumping the memory.

I wouldn't mind to learn how to do the firmware disassemble but obviously it's not an easy job, so probably I'm useless to that purpose unless someone wants to work with me! I'm also feeling that the MSO series, namely the 1000 series, are not widely spread among users, so probably not many people having one!

[qwertymodo]

The guy I was referring to had the same model as me, MSO1074Z (not sure if his was -S or not), sorry I can't find the post. The DS1000 series doesn't require a memory dump, all you need is the serial number.

Sent from my m8wl using Tapatalk

[psysc0rpi0n]

The guy I was referring to had the same model as me, MSO1074Z (not sure if his was -S or not), sorry I can't find the post. The DS1000 series doesn't require a memory dump, all you need is the serial number.

Sent from my m8wl using Tapatalk

Yeah, hope I can do the same for the MSO1104Z. I think the only guy that has the same model has me was McBryce but I think he used an earlier version of the firmware than the one I have!

[McBryce]

Yup mine is an MSO1104Z-S and had a much older Firmware installed when I did the memory dump. I didn't have to worry about getting the timing correct.

McBryce.

[psysc0rpi0n]

Yup mine is an MSO1104Z-S and had a much older Firmware installed when I did the memory dump. I didn't have to worry about getting the timing correct.

McBryce.

McBryce, these 2 models, MSO1104Z and MSO1104Z-S, are probably not the case that they are precisely the same, regarding hardware, but one of them has firmware limitation, right?

[McBryce]

The "S" has an additional PCB as far as I can remember from Daves teardown. The Firmware is the same for all DSO1xxx and MSO1xxx as far as I know.

McBryce.

[qwertymodo]

Correct, there is an additional hardware board inside the -S model for the signal generator DAC hardware, but they are running the same firmware.

[ted572]

There is NEW Firmware available now for the MSO/DS1000Z Oscilloscopes
FW Version: 00.04.04.01.01
Released: 2016/09/14
 o  Added support for the multi-inteface of LXI
 o  Fixed bugs with Auto-Measurement functions

http://int.rigol.com/File/ProductSoftWare/20160914/DS1000Z(ARM)update.rar

[psysc0rpi0n]

Just for curiosity...

Will I get anything from the scope's JTAG port if I connect there a Logic Analyser?

[psysc0rpi0n]

Ok, but the Logic Analyser won't be able to pick up anything there?

Sent from my GT-I9505 using Tapatalk

[qwertymodo]

If you mean that you want to connect a logic analyzer to sniff the JTAG port, sure you could do that, but what would be the point?  All you would see is a logic analyzer dump of the JTAG activity.

[psysc0rpi0n]

If you mean that you want to connect a logic analyzer to sniff the JTAG port, sure you could do that, but what would be the point?  All you would see is a logic analyzer dump of the JTAG activity.

Yes, that's it! Well, I know I'll only get a bunch of 0's and 1's of maybe different frequencies... It was just for the fun! But I'm not sure how should I configure the Logic Analyser! Like what sample rate to choose and how many samples to collect, and that kind of stuff!

[qwertymodo]

That depends entirely on how fast you set your JTAG dongle to communicate.  You need the LA to be set to at least twice as fast as the JTAG bit rate, ideally more like 4-8x, and then number of samples really comes down to the memory limitations and how much data you want to sift through.

[psysc0rpi0n]

That depends entirely on how fast you set your JTAG dongle to communicate.  You need the LA to be set to at least twice as fast as the JTAG bit rate, ideally more like 4-8x, and then number of samples really comes down to the memory limitations and how much data you want to sift through.

And how do I know JTAG speed? Where do I set it?

[qwertymodo]

There's an openocd command for setting the speed.

[psysc0rpi0n]

There's an openocd command for setting the speed.

But can I use my Logic Analyser to set the speed of JTAG or if I use J_Link/OpenOCD and run it, will it detect the JTAG and be able to set the speed? Sorry, I'm just starting with this! It's the first time I deal with JTAG!

I have some doubts about how to connect the LA to the JTAG header.
I have this clone of Saleae Logic:
http://www.ebay.co.uk/itm/USB-saleae-Logic-Analyzer-Device-Set-USB-Cable-24MHz-8CH-24MHz-MCU-ARM-FPGA-/141694353386

It has 8 channels plus 2 GNDs.
I connected it like this:

Channel 0 --- TCK
Channel 1 --- TMS
Channel 2 --- TDI
Channel 3 --- TRST
Channel 4 --- 3V3/VREF (probably not needed)
Channel 5 --- TDO
Channel 6 --- SRST
Channel 7 --- Not Connected
Channel 8 --- GND
Channel 9 --- GND

But in the software, the SRST is not detected as the others are with the name of each pin. I'm not sure if it's normal...
Here is a picture of Saleae Logic Software:

[qwertymodo]

The logic analyser won't control anything, it's just a passive listener, you need a jtag dongle compatible with openocd, which will control the actual jtag communication.

Sent from my m8wl using Tapatalk