Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1869662 times)


Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4225 on: October 15, 2016, 06:18:02 pm »
Quote
I haven't asked anyone to generate license keys. If anyone is kind enough to do that, I can provide a link to my memory dump!

Excellent!  :-+ Please prepare that link.
Ok, I reinstalled my raspi some time ago, but I can set this stuff up again. I'll get in touch with you tomorrow via PM...

Many thanks... The link is ready. Let me tell you that I was able to generate the keys but none was accepted by the scope! Not sure if this changes anything!
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4226 on: October 15, 2016, 10:14:48 pm »
I tried to generate license keys for psysc0rpi0n. Unfortunately they are not valid.  :-//
Is there anyone out there who was successful in generating these license keys with a recent MSO? Maybe someone would be so kind as to give it a try with psysc0rpi0n's dump?

Cheers
hammy

« Last Edit: October 15, 2016, 10:42:37 pm by hammy »
 

Offline qwertymodo

  • Contributor
  • Posts: 31
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4227 on: October 15, 2016, 10:32:19 pm »
The problem is likely with the dump itself. As I stated before, my suspicion is that they added code to clear the memory after verifying the installed keys, which is why the timing of the dump affects the results (you need to halt the scope after the keys are loaded but before they are cleared). If that is the case, it's not going to matter how many people try with the same dump, because the dump itself is no good.

Sent from my m8wl using Tapatalk

 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4228 on: October 16, 2016, 12:22:32 am »
Quote
The problem is likely with the dump itself. As I stated before, my suspicion is that they added code to clear the memory after verifying the installed keys, which is why the timing of the dump affects the results (you need to halt the scope after the keys are loaded but before they are cleared). If that is the case, it's not going to matter how many people try with the same dump, because the dump itself is no good.

Sent from my m8wl using Tapatalk
And is that timing known? The dump I have was taken right after the Rigol logo disappears... Was this the timing you talked about?
If I try to take the dump at any other time, the Rigol tool will find no keys...

Sent from my GT-I9505 using Tapatalk
« Last Edit: October 16, 2016, 12:24:59 am by psysc0rpi0n »
 

Offline qwertymodo

  • Contributor
  • Posts: 31
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4229 on: October 16, 2016, 01:21:04 am »
No, the timing is not known, and I'm only guessing about that even being how it works. Sorry.

Sent from my m8wl using Tapatalk

 

Offline Edinson

  • Contributor
  • Posts: 10
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4230 on: October 16, 2016, 11:33:49 am »
Hi,
I am struggling to get the memory dump of my DS1074Z Plus.
I am using an Olimex ARM-USB-OCD-H adapter with OpenOCD in a Win7 32-bit VM. I am not able to halt the CPU, as I get the following error message. Does anyone have an idea how to solve it?

Thanks in advance
Edi


Code:
C:\>c:\Rigol\openocd-0.9.0\bin\openocd.exe -f c:\Rigol\Olimex.cfg
Open On-Chip Debugger 0.8.0 (2014-04-28-08:39)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.sourceforge.net/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'jtag'
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain connect_deassert_srst
adapter_nsrst_delay: 100
jtag_ntrst_delay: 100
dcc downloads are enabled
adapter speed: 6000 kHz
Info : clock speed 6000 kHz
Info : JTAG tap: imx28.cpu tap/device found: 0x079264f3 (mfg: 0x279, part: 0x7926, ver: 0x0)
Info : Embedded ICE version 15
Error: unknown EmbeddedICE version (comms ctrl: 0xfffffffe)
Info : imx28.cpu: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection from 4444
Info : Halt timed out, wake up GDB.
Error: timed out while waiting for target halted
in procedure 'halt'

The Olimex.cfg file is:
Code:
source [find interface/ftdi/olimex-arm-usb-ocd-h.cfg]
source [find target/imx28.cfg]
adapter_khz 6000


 

Offline Strada916

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #4231 on: October 16, 2016, 11:36:33 am »
Edinson, I'm pretty sure you don't need to do a memory dump on the DS1074; just use the generator.

Sent from my SM-G925I using Tapatalk
The Bone, the Off-White, the Ivory or the Beige?
 

Offline Edinson

  • Contributor
  • Posts: 10
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4232 on: October 16, 2016, 11:58:51 am »
It's the Plus version with the MSO option, so I guess I need to do the memory dump.
I tried the keygen before; it didn't work.
 

Offline Strada916

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #4233 on: October 16, 2016, 12:03:30 pm »
Ok soz

Sent from my SM-G925I using Tapatalk

The Bone, the Off-White, the Ivory or the Beige?
 

Offline Edinson

  • Contributor
  • Posts: 10
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4234 on: October 16, 2016, 01:18:51 pm »
I tried with OCD 0.8 and 0.9 and different config files for the adapter (exchanging the configs of OCD 0.8 and 0.9 as well). Drivers were installed using Zadig. Nothing worked.  :(
 

Offline Edinson

  • Contributor
  • Posts: 10
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4235 on: October 16, 2016, 03:50:53 pm »
Peter, thank you for your support.

The connection is basically the same as mine. I had additionally connected the SRS: Scope 6 - Olimex 15.
I will change it according to your setup and retry.

Edi
 

Offline Edinson

  • Contributor
  • Posts: 10
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4236 on: October 16, 2016, 04:34:24 pm »
No change.
Still the error with the EmbeddedICE version, and I can't halt the CPU.
 

Offline Edinson

  • Contributor
  • Posts: 10
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4237 on: October 16, 2016, 08:30:25 pm »
Finally I got it. It was probably a connection problem.   |O
I did it exactly as shown in PeDre's picture... and it worked. Thank you PeDre for sharing.

I halted when the logo disappeared and did the dump.
Then I generated the keys with the compiled windows version of rigup (post #4113). Thank you Neuro

And now I have an unlocked DS1074Z-Plus.

Edi
 
The following users thanked this post: Neuro

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4238 on: October 16, 2016, 10:47:11 pm »
Quote
Finally I got it. It was probably a connection problem.   |O
I did it exactly as shown in PeDre's picture... and it worked. Thank you PeDre for sharing.

I halted when the logo disappeared and did the dump.
Then I generated the keys with the compiled windows version of rigup (post #4113). Thank you Neuro

And now I have an unlocked DS1074Z-Plus.

Edi

Nice one! Lucky guy! I didn't have such luck! My Rigol's still locked!
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4239 on: October 17, 2016, 10:29:33 am »
I'm sure my question has been answered somewhere, but I cannot find it. My USB Blaster in JTAG mode has TCK, TDO, TDI, TMS, Vcc and GND, but apparently the JTAG port on the scope has more pins, like SRST and a few more? Anyone kind enough to help me with the wiring?

(I really need to read a bit about JTAG, stupid questions)
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4240 on: October 17, 2016, 10:35:03 am »
Quote
I'm sure my question has been answered somewhere, but I cannot find it. My USB Blaster in JTAG mode has TCK, TDO, TDI, TMS, Vcc and GND, but apparently the JTAG port on the scope has more pins, like SRST and a few more? Anyone kind enough to help me with the wiring?

(I really need to read a bit about JTAG, stupid questions)

Page 150 of this thread! I think that is what you need!

You might also need to see this link if you ever need to match pin names in case they are named differently.
« Last Edit: October 17, 2016, 10:40:38 am by psysc0rpi0n »
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 27324
  • Country: nl
    • NCT Developments
Re: Sniffing the Rigol's internal I2C bus
« Reply #4241 on: October 17, 2016, 07:33:06 pm »
Just out of curiosity: what is different about the MSO1000Z which makes it difficult to hack? Can't it be upgraded using a license key? If it can be upgraded using a license key then I guess someone needs to figure out what Rigol has changed in their key generation algorithm.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16853
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4242 on: October 17, 2016, 08:10:58 pm »
Can the "soft" items (eg. advanced triggers) be upgraded with a keygen and entering a code on the front panel?

 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5341
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4243 on: October 17, 2016, 08:45:46 pm »
Quote
Just out of curiosity: what is different about the MSO1000Z which makes it difficult to hack? Can't it be upgraded using a license key? If it can be upgraded using a license key then I guess someone needs to figure out what Rigol has changed in their key generation algorithm.

Pretty much. There's a change to the algorithm/key stuff in the MSO, and as I understand it no one with the right skills (and the scope) has had that most valuable of assets, enough time, to invest to come up with a less intrusive method. When I did it as a script monkey guinea pig some time ago, it took about half a day, but we didn't have it quite so well documented back then.
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4244 on: October 18, 2016, 02:52:44 pm »
Quote
I'm sure my question has been answered somewhere, but I cannot find it. My USB Blaster in JTAG mode has TCK, TDO, TDI, TMS, Vcc and GND, but apparently the JTAG port on the scope has more pins, like SRST and a few more? Anyone kind enough to help me with the wiring?

(I really need to read a bit about JTAG, stupid questions)

Page 150 of this thread! I think that is what you need!

You might also need to see this link if you ever need to match pin names in case they are named differently.
Any news about your situation? Did you manage to make a successful dump and generate keys?
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4245 on: October 18, 2016, 05:30:31 pm »
Quote
I'm sure my question has been answered somewhere, but I cannot find it. My USB Blaster in JTAG mode has TCK, TDO, TDI, TMS, Vcc and GND, but apparently the JTAG port on the scope has more pins, like SRST and a few more? Anyone kind enough to help me with the wiring?

(I really need to read a bit about JTAG, stupid questions)

Page 150 of this thread! I think that is what you need!

You might also need to see this link if you ever need to match pin names in case they are named differently.
Any news about your situation? Did you manage to make a successful dump and generate keys?
I'm able to make the memory dump and generate the keys, but the scope rejects all of the generated keys...

Sent from my GT-I9505 using Tapatalk

 

Offline carl_lab

  • Frequent Contributor
  • **
  • Posts: 418
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4246 on: October 20, 2016, 01:23:17 pm »
I'm going to buy a new MSO, 4/16 channels, ~100 MHz, in the next few months.
The Rigol MSO1074Z or MSO1104Z fit my specs very closely...

So has anyone got these models with the current firmware revision successfully hacked?

I'm still hoping someone will write a working keygen for the MSO models to activate upgrades without the need for a JTAG adaptor and opening the case...

@Edinson
Have you thought about upgrading your DS1074Z-Plus to an MSO?
I'm not sure whether the LA probe has an active head or is just a flat cable?

Who is the importer for Rigol in Germany?
Batronix?
Do they sell used demo models?
 
« Last Edit: October 20, 2016, 04:24:38 pm by carl_lab »
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6446
  • Country: ro
Re: Sniffing the Rigol's internal I2C bus
« Reply #4247 on: October 20, 2016, 04:59:04 pm »
This post is just to easily follow the subject.

Offline Edinson

  • Contributor
  • Posts: 10
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4248 on: October 20, 2016, 07:32:44 pm »
Quote
@Edinson
Have you thought about upgrading your DS1074Z-Plus to an MSO?
I'm not sure whether the LA probe has an active head or is just a flat cable?

I am considering it and wanted to have this option. The LA probe is, from my understanding, the same as for the MSOs. My DS1074Z-Plus has firmware version 04.03.SP2.
 

Offline carl_lab

  • Frequent Contributor
  • **
  • Posts: 418
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4249 on: October 21, 2016, 10:32:52 am »
Quote
@Edinson
Have you thought about upgrading your DS1074Z-Plus to an MSO?
I'm not sure whether the LA probe has an active head or is just a flat cable?

I am considering it and wanted to have this option. The LA probe is, from my understanding, the same as for the MSOs. My DS1074Z-Plus has firmware version 04.03.SP2.
The LA probe kit + MSO license is a little bit expensive (about 300€ incl. VAT).
The price difference between the MSO and the DS-Plus is about 170€, which is why I'll probably go for the MSO.
I think hacking this feature only makes sense if you can get a cheap probe set.


« Last Edit: October 21, 2016, 11:44:54 am by carl_lab »
 

