Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1869639 times)


Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4275 on: November 18, 2016, 06:38:00 pm »
I have the codes :-) will confirm it soon myself  ;)
 

Offline cypcyp

  • Newbie
  • Posts: 2
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4276 on: November 18, 2016, 06:47:23 pm »
Thanks for answering. Unfortunately both hints - other browser, other machine - give me the same "wrong" key I already had tried.
 

Online MarkF

  • Super Contributor
  • ***
  • Posts: 2589
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4277 on: November 18, 2016, 11:25:31 pm »
I have the codes :-) will confirm it soon myself  ;)
I would be interested in what you have and how Rigol implemented it.
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4278 on: November 18, 2016, 11:56:58 pm »
I have the codes :-) will confirm it soon myself  ;)
I would be interested in what you have and how Rigol implemented it.

All I have is the trial license keys for my MSO1104z (all options excluding bandwidth upgrade and 500uV resolution) which Rigol kindly sent me as some sort of student bonus. I entered the keys through SCPI commands into the scope and they added 36 more hours to the remaining trial time. I wondered, since the scope has no RTC and no permanent license storage (not sure about this one yet), whether I can uninstall and then re-install the same trial licenses and achieve 36-hour trial cycles forever.

RIGOL please don't read this post :D
 

Offline loaderr

  • Newbie
  • Posts: 6
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #4279 on: November 21, 2016, 09:00:58 am »
Hi all,
I'm trying to unlock MSO1074Z with expired trial license with no luck so far.
A while ago quertymodo had a theory that keys get locked some time after the logo disappears, which sounds credible to me.
If someone still has a correct dump, could you please try to compare the relevant info from it (136 bytes starting at "01 00 84 00 10 00") with an unsuccessful dump, or just some other dump made later, to prove the theory?
Thanks.
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4280 on: November 21, 2016, 08:21:02 pm »
Hi all,
I'm trying to unlock MSO1074Z with expired trial license with no luck so far.
A while ago quertymodo had a theory that keys get locked some time after the logo disappears, which sounds credible to me.
If someone still has a correct dump, could you please try to compare the relevant info from it (136 bytes starting at "01 00 84 00 10 00") with an unsuccessful dump, or just some other dump made later, to prove the theory?
Thanks.

What do you mean by "unsuccessful dump"? A dump that generated keys, but whose keys didn't work? I can provide such a dump, but I cannot provide a successful one where keys have been generated and worked!
 

Offline loaderr

  • Newbie
  • Posts: 6
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #4281 on: November 22, 2016, 11:22:00 am »
That's exactly what I meant! A dump that generates a license which doesn't pass validation. If we compare it with one that generates a correct license, then we will know if the problem is in the scrambled keys or something else. But we need 2 from the same device. I have the same problem - I have a "bad" one but no good one. We need to wait for the guys who were able to unlock their devices.
 

Offline Iakabos

  • Newbie
  • Posts: 1
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4282 on: November 22, 2016, 11:09:11 pm »
Has anyone tried messing around with the new dg1022z function generator yet to see if it's possible to unlock other options? It does have the option to purchase increased memory depth, which leads me to believe it's made similarly to their other products with frequency limited by software. I would be very interested if 60MHz could be unlocked, as the 25MHz model sells for $360 and the 60MHz sells for $860.
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4283 on: November 24, 2016, 08:32:58 am »
That's exactly what I meant! A dump that generates a license which doesn't pass validation. If we compare it with one that generates a correct license, then we will know if the problem is in the scrambled keys or something else. But we need 2 from the same device. I have the same problem - I have a "bad" one but no good one. We need to wait for the guys who were able to unlock their devices.

Ah ok... that's not my case! I can only dump memory and generate "bad keys"!
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4284 on: November 25, 2016, 03:13:40 pm »
Ok, I just got a new licence key (trial) for the scope. Should I do anything before/after/between applying the key and making a new dump file of my scope's memory? Someone said to try to compare the memory dumps of someone with working and non-working licence keys! I have now the possibility of having the options with Trial time again, make a new dump and try to generate new keys!
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4285 on: November 25, 2016, 08:05:18 pm »
Looks like I'm not lucky! I tried the memory dump twice right after the Rigol logo disappears and the Options screen shows up, but the generated keys are the same as before!
 

Offline loaderr

  • Newbie
  • Posts: 6
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #4286 on: November 26, 2016, 08:13:54 am »
Yes, I found the same. FYI the trial license is stored in memory starting at 0x43ee0058; you can dump it if JTAG is still connected (small dump of 64Kb). Then run for some time and dump again - somewhere there should be a counter that expires the trial license. If we can roll it back, the trial will never expire :)

What I found so far is that the option string is not decoded properly for some reason, and on top of that the public key is not decoded properly as well - trying to figure out why. Rigup does a number of strange things that look suspicious. If someone with knowledge of why things were done in such a way can contact me, it would be really helpful.

In the meantime you can do a simple test - run rigup info with your trial license and see if it passes or fails - also check if the options string is correct.
 

Offline loaderr

  • Newbie
  • Posts: 6
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #4287 on: November 27, 2016, 10:21:38 am »
Good news guys - I was finally able to unlock my 1074.  :)
I can confirm that there are no good or bad images - all are good, but there is a subtle bug in rigup (actually it's a bug in the FW :) ) that leads to incorrect hash calculation - if you are unlucky. If your XXTEAKEY ends in a couple or more zeros you will hit this bug for sure. Tested on 04.03.SP2.
I fixed rigup; anyone who needs the sources, please email me.

Big thanks to original developers of rigup - they probably spent many days creating it. It took me the whole weekend together with IDA and debugger to figure out why it doesn't work - Rigol FW is bloody convoluted.
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4288 on: November 27, 2016, 11:00:08 am »
Good news guys - I was finally able to unlock my 1074.  :)
I can confirm that there are no good or bad images - all are good, but there is a subtle bug in rigup (actually it's a bug in the FW :) ) that leads to incorrect hash calculation - if you are unlucky. If your XXTEAKEY ends in a couple or more zeros you will hit this bug for sure. Tested on 04.03.SP2.
I fixed rigup; anyone who needs the sources, please email me.

Big thanks to original developers of rigup - they probably spent many days creating it. It took me the whole weekend together with IDA and debugger to figure out why it doesn't work - Rigol FW is bloody convoluted.

My XXTEAKEY ends in 000... So I'm affected by it, no? Is that rigup fix going to work for the MSO1000 series?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Sniffing the Rigol's internal I2C bus
« Reply #4289 on: November 27, 2016, 01:17:24 pm »
I have made some memory dumps from a DS1045Z when updating firmware and entering keys.
In my case most of the stuff is drifting randomly in memory. At the end are licenses and keys and
the serial, which are always there. Somewhere I found 5 licenses; the last was my DSER. They can
be trial licenses from the factory. All said "License is already used" when I was trying to enter them.
So, they can't be entered again without deleting them from the eeprom...
 

Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4290 on: November 27, 2016, 04:48:18 pm »
I have made some memory dumps from a DS1045Z when updating firmware and entering keys.
In my case most of the stuff is drifting randomly in memory. At the end are licenses and keys and
the serial, which are always there. Somewhere I found 5 licenses; the last was my DSER. They can
be trial licenses from the factory. All said "License is already used" when I was trying to enter them.
So, they can't be entered again without deleting them from the eeprom...

Have you tried to uninstall the trial keys with the SYSTem: OPTion:INSTall command?

BTW, you can generate the keys simply by using the famous rigol keygen, no JTAG dump hassles.

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Sniffing the Rigol's internal I2C bus
« Reply #4291 on: November 27, 2016, 07:50:52 pm »
:) I don't have problems with that. I try other things actually.
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/
But there was talk about using trial keys.
Uninstall doesn't delete trial keys, as I see from the dump. After uninstalling your
generated key there is a "Trial is over" text after every option too.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Sniffing the Rigol's internal I2C bus
« Reply #4292 on: November 28, 2016, 04:59:56 pm »
SYSTem: OPTion:UNINSTall is deleting, with "All official options removed" or something like this.
But after some mem dumps I found a 36 Hours Trial License Key ... key. Like for the DP832,
there is the same for the DS1054Z too, in here http://www.gotroot.ca/rigol/riglol/
And V is for generating trial keys for the DS1054Z.
Option VSER is all options like DSER, but the 36-hour trial version.
So the others can be:

DS1000z device options:
first character: D = official, V = trial

DSAB - Advanced Triggers
DSAC - Decoders
DSAE - 24M Memory
DSAJ - Recorder
DSBA - 500uV Vertical
DSEA - 100MHz
DSFR - all options
DSER - all options - 500uV Vertical

Currently I have DS1000Z-00.04.04.00.07 firmware.
Now if I add an official license, all options are official, and after deleting it
all options continue the trial time. (And the mem dump is messier at the key regions,
like it is generating all separate trial keys, but the factory ones are there too.)
 

Offline loaderr

  • Newbie
  • Posts: 6
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #4293 on: November 28, 2016, 11:57:55 pm »
Hi all,
I uploaded fixed rigup sources to https://www.dropbox.com/sh/1yrh8s90ityn90s/AAA6PXlJk9gGQwoDOwO6TDQua?dl=0, feel free to use.
There are still some bugs as psysc0rpi0n was unable to unlock so far so use cautiously :)
I did some investigation into how licenses are stored and it looks like they are just programmed to flash and never erased. On startup the FW scans all of them to decide which one to use. As long as rigup works there is no need to worry about trials.
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4294 on: November 30, 2016, 10:36:38 am »
Hi all,
I uploaded fixed rigup sources to https://www.dropbox.com/sh/1yrh8s90ityn90s/AAA6PXlJk9gGQwoDOwO6TDQua?dl=0, feel free to use.
There are still some bugs as psysc0rpi0n was unable to unlock so far so use cautiously :)
I did some investigation into how licenses are stored and it looks like they are just programmed to flash and never erased. On startup the FW scans all of them to decide which one to use. As long as rigup works there is no need to worry about trials.

Thanks for sharing the semi-fixed rigol tool. Though I still have the MEM DEPTH locked! So, could you explain to us all how to generate the correct keys? I have tried your tool but I could not generate correct keys, but somehow you achieved it!

It would be nice to know with some detail the steps you took to generate the keys using your semi-fixed version of rigup!

Cheers
Psy
 

Offline Smokey

  • Super Contributor
  • ***
  • Posts: 2691
  • Country: us
  • Not An Expert
Re: Sniffing the Rigol's internal I2C bus
« Reply #4295 on: December 01, 2016, 12:15:51 am »
Curious why the DP831 power supply wasn't worked on here.  Are the keys actually implemented differently?
 

Offline Twingy

  • Newbie
  • Posts: 3
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4296 on: December 08, 2016, 06:21:39 am »
Downloaded the 64MB image from the MSO1074Z using an Olimex JTAG USB-OCD-H. Generated the license file using rigup scan; the serial number is correct from the JTAG image, and the other licenses including the tea key look valid. Attempted to generate a triggers key (CSAR=0x1C001) from the license file using rigup license. "Invalid license!" for the generated key. Tried 0x1C002, invalid license as well. Tried the updated rigup source from loaderr and it generates the same keys, nothing different. Firmware is 00.04.03.SP2 BOARD 2.1.4. Any help is appreciated.
 

Offline Twingy

  • Newbie
  • Posts: 3
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4297 on: December 10, 2016, 03:58:32 pm »
Another short update. I changed the adapter_khz from 400 kHz to 3000 (3 MHz), but the transfer speed off the mso1074 still appears to be limited to 25kB/sec, for a ~45 min transfer period. I performed all of the same steps using this new .bin image file and get the same results, so I'm fairly certain the bin file is valid.

Additional Notes: On my mso1074z the jtag male header is missing.  Rather than try to solder on the header by removing the board/voiding the warranty etc, I used a male header and light force so as to avoid modifying the hardware in any way.  I also use rubber gloves to avoid getting finger prints all over the internals.
 

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6981
  • Country: hr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4298 on: December 10, 2016, 04:39:12 pm »
Curious why the DP831 power supply wasn't worked on here.  Are the keys actually implemented differently?

For the 831 you just generate keys for the 832, put in your serial and go.. Worked fine on my 831... I also made changes to one of the members' DP832 python calibration scripts to work with the DP831 and DM3068..
 

Offline Smokey

  • Super Contributor
  • ***
  • Posts: 2691
  • Country: us
  • Not An Expert
Re: Sniffing the Rigol's internal I2C bus
« Reply #4299 on: December 11, 2016, 01:43:26 am »
Curious why the DP831 power supply wasn't worked on here.  Are the keys actually implemented differently?

For the 831 you just generate keys for the 832, put in your serial and go.. Worked fine on my 831... I also made changes to one of the members' DP832 python calibration scripts to work with the DP831 and DM3068..

Sweet.  Good to know.  I didn't see that actually stated anywhere before.  Thanks!
 
