Sniffing the Rigol's internal I2C bus

[cybernet]

Hello,

I got a brand new unmodified DS2202_A_. So I would like to help to enhance the situation... 

I don't have mature experience in hacking this sort of stuff. How can I help you guys? Are there any pointers how to create a memory dump from this beast? Where to send the dump? 

Please don't hesitate do contact me with your requests... 

cool, can u request a firmware update with your distributor (even if there is none they might send u a current)  ? getting a .GEL file would be nize - other options, see the DG4000 thread - on howto do an JTAG memory dump.

[AndersAnd]

I got a brand new unmodified DS2202_A_. So I would like to help to enhance the situation... 

I don't have mature experience in hacking this sort of stuff. How can I help you guys? Are there any pointers how to create a memory dump from this beast? Where to send the dump? 

Please don't hesitate do contact me with your requests... 

cool, can u request a firmware update with your distributor (even if there is none they might send u a current)  ? getting a .GEL file would be nize - other options, see the DG4000 thread - on howto do an JTAG memory dump.

I saw you mentioned you were going to write a how-to guide for Rigol JTAG memory dumps here Cybernet: https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/msg298338/#msg298338
Did you ever get around to writing one?

[tirulerbach]

cool, can u request a firmware update with your distributor (even if there is none they might send u a current)  ? getting a .GEL file would be nize - other options, see the DG4000 thread - on howto do an JTAG memory dump.

i'm sorry, but because of different reasons, currently this is not an option...  (please, don't ask...) maybe in a few days to weeks this is possible... 

[tirulerbach]

as requested, the detailed system informations:

[ZeroAviation]

Hello,

I got a brand new unmodified DS2202_A_. So I would like to help to enhance the situation... 

I don't have mature experience in hacking this sort of stuff. How can I help you guys? Are there any pointers how to create a memory dump from this beast? Where to send the dump? 

Please don't hesitate do contact me with your requests... 

Where'd you get it?

Same question! Where did you get it?

CAN is the only thing holding me back on getting the 2000 series.

[Avotronics]

HI
anyone tried entering a key after their DO832 has had the thermal retrofit ?
The job sheet shows new firmware 1.08 was installed as well.
I'm not having much luck. but not sure I'm doing it correctly either, not that there much I can for wrong other than a typo.
getting a sinking feeling Rigol have changed the key algorithm

Rigol has changed the DP832 keys.

How it works:
1 Download firmware at http://www.riglol.3owl.com/firmware/DP832.rar
2 Downgrade firmware to 01.06.00
3 Generate Key on riglol.3owl.com
4 Install the keys
5 Upgrade firmware to 01.08.00

I've mirrored the firmware(s) at http://rigol.avotronics.co.uk
For some reason I'm having trouble mirroring subdirectories at 3owl but I'm using a workaround for now.

So the mirror link is http://rigol.avotronics.co.uk/riglol/firmware/DP832.rar
Maybe add a link to the firmware page/file on this front page: http://www.riglol.3owl.com and add a note about not upgrading to 01.08.00 before entering keys.

Can't do anything about riglol or gotroots pages, but I've updated http://rigol.avotronics.co.uk to be more informative. Bit basic as I'm struggling with stupid ipad till tomorrow/Wednesday. You'd better check it for wrongness, wasn't sure if those instructions were just for dp832.

[Mark_O]

I got a brand new unmodified DS2202_A_. So I would like to help to enhance the situation... 

I don't have mature experience in hacking this sort of stuff. How can I help you guys? Are there any pointers how to create a memory dump from this beast? Where to send the dump? 

Please don't hesitate do contact me with your requests... 

cool, can u request a firmware update with your distributor (even if there is none they might send u a current)  ? getting a .GEL file would be nize -

I see the software version has changed to 2 as well.  It would be interesting to see the detailed SysInfo screen, for all the section Versions information.

If you can get ahold of a GEL file for your current software level, then you could try a downgrade to ver1.1.0.2 (may not allow it), run the previous hack, then upgrade back to v2.

[Mark_O]

as requested, the detailed system informations:

Hey!  Where'd that come from?     Thanks.

[apelly]

I see the software version has changed to 2 as well.  It would be interesting to see the detailed SysInfo screen, for all the section Versions information.

There's a pic of my 2072a info earlier in the thread too, if you want to compare.

[tsmith35]

Comparing the two...

tirulerbach's info:
Model: DS2202A
Serial: DS2D.....
Software version: 00.02.00.00.04
Hardware version: 1.0.2.0.2
FPGA version -
SPU: 03.01.09
WPU: 00.07.01
CCU: 12.29.00
MCU: 02.13

apelly's info:
Model: DS2072A
Serial: DS2D15340.....
Software version: 00.02.00.00.04
Hardware version: 1.0.2.0.0
FPGA version -
SPU: 03.01.09
WPU: 00.07.01
CCU: 12.29.00
MCU: 02.13

[cybernet]

here we go - custom DS2000 firmware, based on FW 00.01.01.00.02 (imho latest)
tricked into believing its a 350Mhz model, thus enabling 200M BW limit & 1ns timebase.
i also tried 500Mhz, while this allows 500ps TB, it does not make a difference on screen (probably hitting some hardware limit)
the only thing i dont like is that the model type should be changed too as it still says DS2202.
i also tried options de-install/install - worked fine.


to the best of my knowledge the change does not affect the bootloader, its only a modification of the application payload, so i consider
it safe to play with - there is always the possibility to flash back a standard version. i killed it several times during testing, no problem whatsoever (just flash back another version)

nevertheless - no guarantees  whatsoever if u want to try this ! - no whining if something breaks !

CHG3_RILOL.GEL - > http://www.sendspace.com/file/ybkx21
download, rename to "DS2000Update.GEL" -> put on USB stick -> install via bootldr method (power on + HELP)

Code: [Select]

./geltool -c -f CUSTOM/ASM/CHG4/CHG4_RILOL.GEL

model: DS2202
version: 00.01.01.00.02
bitmask: 0x7
num_of_sections: 0x12


section: #00: CRC:568EAD3C ADDR:20040000 LEN:0037D7DC [VALID CRC]
section: #01: CRC:5A3AC3C3 ADDR:20000000 LEN:0017CCA8 [VALID CRC]
section: #02: CRC:52C1A46B ADDR:20000000 LEN:00010F60 [VALID CRC]
section: #03: CRC:3F65CE51 ADDR:20020000 LEN:000322F6 [VALID CRC]
section: #04: CRC:CD2A7325 ADDR:200D6000 LEN:0000245A [VALID CRC]
section: #05: CRC:4CAC7870 ADDR:200C8000 LEN:00007FB4 [VALID CRC]
section: #06: CRC:454D5A80 ADDR:200F0000 LEN:000663F4 [VALID CRC]
section: #07: CRC:BCB8589E ADDR:20120000 LEN:00001D54 [VALID CRC]
section: #08: CRC:885A8C98 ADDR:20000000 LEN:0006DC62 [VALID CRC]
section: #09: CRC:B7481D18 ADDR:20040000 LEN:000032D8 [VALID CRC]
section: #10: CRC:D2B695F5 ADDR:20000000 LEN:00000B64 [VALID CRC]
section: #11: CRC:3F1C1BCC ADDR:20000C00 LEN:0003C598 [VALID CRC]
section: #12: CRC:1AF2DF9D ADDR:201E4C00 LEN:00000118 [VALID CRC]
section: #13: CRC:550735A2 ADDR:2003D400 LEN:00009010 [VALID CRC]
section: #14: CRC:5161CEE1 ADDR:201FD800 LEN:00001661 [VALID CRC]
section: #15: CRC:4B530B40 ADDR:20045000 LEN:000BB808 [VALID CRC]
section: #16: CRC:52C4EDFB ADDR:20100000 LEN:00046EF0 [VALID CRC]
section: #17: CRC:00000000 ADDR:20122800 LEN:00000000 [VALID CRC]


[mtdoc]

Holy S#%t!   

[Co6aka]

But... Where's the Star Trek screensaver...? 

Oh man, I have good-ol-days hacking envy... 



Any clues yet as to what 'n where the model/type byte/word gets built up from?  The model number perhaps, or...?

[poida_pie]

We need someone here with a fast rise time step signal to load this modified f/w of cybernet's and show us the differences in b/w.
I would load it if I had a decent step signal of about 1ns or a bit less. The fastest I have access to is the trigger out from my DS2072
which seems to be about 1.5ns risetime.

[Abdu]

@ cybernet
Rise time = 0.35/BW
then
rise time (BW=200 MHz) = 1.75 ns (for DS2202 =1.8 ns)
rise time (BW=70 MHz) = 5 ns        (for DS2072 =5 ns)

this means the rise time of that the pulse generator is 5ns or the oscilloscope is 70 MHz.

[mtdoc]

True enough about not drawing any conclusions about actual BW based on the RT  of the displayed pulse - and the need to be tested with a very fast risetime pulse ( or high enough frequency function generator to find the 3 dB limit).  But still, the abilty to change the timebase, BW limit, etc at will is a commendable achievement and (I think) means the only limitation now is the hardware. Way to go cybernet! 

[Harvs]

A quick "qualitative" assessment from me.

The first overlay of the new firmware vs 200MHz hack, Red trace is the new firmware.  I guess you could argue there's some difference, but it's not conclusive.  Probably the signal being feed in doesn't have a high enough rise time.  I'm seeing around 1.5ns.

What is interesting though, is the second overlay, which is with the 200MHz limit applied.  There is an obvious drop in bandwidth compared to the "200MHz" firmware version without limits applied.

[AndersAnd]

CHG3_RILOL.GEL - > http://www.sendspace.com/file/ybkx21
download, rename to "DS2000Update.GEL" -> put on USB stick -> install via bootldr method (power on + HELP)

Code: [Select]

./geltool -c -f CUSTOM/ASM/CHG4/CHG4_RILOL.GEL

model: DS2202
version: 00.01.01.00.02
bitmask: 0x7
num_of_sections: 0x12


section: #00: CRC:568EAD3C ADDR:20040000 LEN:0037D7DC [VALID CRC]
section: #01: CRC:5A3AC3C3 ADDR:20000000 LEN:0017CCA8 [VALID CRC]
section: #02: CRC:52C1A46B ADDR:20000000 LEN:00010F60 [VALID CRC]
section: #03: CRC:3F65CE51 ADDR:20020000 LEN:000322F6 [VALID CRC]
section: #04: CRC:CD2A7325 ADDR:200D6000 LEN:0000245A [VALID CRC]
section: #05: CRC:4CAC7870 ADDR:200C8000 LEN:00007FB4 [VALID CRC]
section: #06: CRC:454D5A80 ADDR:200F0000 LEN:000663F4 [VALID CRC]
section: #07: CRC:BCB8589E ADDR:20120000 LEN:00001D54 [VALID CRC]
section: #08: CRC:885A8C98 ADDR:20000000 LEN:0006DC62 [VALID CRC]
section: #09: CRC:B7481D18 ADDR:20040000 LEN:000032D8 [VALID CRC]
section: #10: CRC:D2B695F5 ADDR:20000000 LEN:00000B64 [VALID CRC]
section: #11: CRC:3F1C1BCC ADDR:20000C00 LEN:0003C598 [VALID CRC]
section: #12: CRC:1AF2DF9D ADDR:201E4C00 LEN:00000118 [VALID CRC]
section: #13: CRC:550735A2 ADDR:2003D400 LEN:00009010 [VALID CRC]
section: #14: CRC:5161CEE1 ADDR:201FD800 LEN:00001661 [VALID CRC]
section: #15: CRC:4B530B40 ADDR:20045000 LEN:000BB808 [VALID CRC]
section: #16: CRC:52C4EDFB ADDR:20100000 LEN:00046EF0 [VALID CRC]
section: #17: CRC:00000000 ADDR:20122800 LEN:00000000 [VALID CRC]


Great work. 
I noticed the uploaded filename is CHG3_RILOL.GEL, but the code section below it says CUSTOM/ASM/CHG4/CHG4_RILOL.GEL
Is the code section for a different file than the uploaded one?

[Orange]

Just tried the modified firmware, and have to report that this is not OK.

The system behaves OK in 1 channel mode, rise time is 1.3 nS.... > It measures also correctly in 1 and 2 nS TB setting

In two channel mode (1nS TB), the trigger point shifts about 4 divisions, and measures rise time wrong as 730 pS....

In both modes (1 or 2 ch) there is no significant increase in rise time

This is basically the same behavior as I reported 4 months ago, while we were still playing with the FRAM...... 


Measured with Tek 284 pulser

[Mark_O]

The first overlay of the new firmware vs 200MHz hack, Red trace is the new firmware.  I guess you could argue there's some difference, but it's not conclusive.

I'd say not.  The variance is too small.

What is interesting though, is the second overlay, which is with the 200MHz limit applied.  There is an obvious drop in bandwidth compared to the "200MHz" firmware version without limits applied.

There is an obvious drop.  However, the unit with the 200 MHz hack actually has a BW closer to 230 MHz, with no way to engage filters at 200 MHz.  What you've shown is consistent with a 230/200 difference.  Not 350/200 difference.  To know for sure though (where the limiting factor is), you'd need a source pulse with <1 nS rise time.

[cybernet]

thx for playing with this (it was 6AM .. so i left it at the screenshots) - from the postings above i take:

1. it only changes the TB (to 1ns) but not the bandwidth limit (no 350Mhz).
2. channel 2 is offset - didnt try, but will - maybe a cal helps with that
    2. actually with 500ps TB what u describe happens on CH1 too. (visual resolution of TB is 1ns, and trigger jumps)
3. yes i pasted the wrong log-file, its CHG4 (500mhz) attempt - same principle however
4. testing was DG4202 with 50Mhz Square + Pulse - got nothing faster.

what i changed is what is read from the FRAM during boot - e.g. the function returns a static 0x2 (=DS2302) - but that seems to affect only TB.
there is a strtol based MHZ value to string function which sets other stuff, could be thats what changes the BW filter - will try that one next and post a CHG?_RIGLOL.GEL when its ready.

[olsenn]

Do you have a DSA815-TG or other spectrum analyzer with tracking generator? If so, you could enable the TG at zero-span and turn up the frequency until you reach the calculated -3db point on the DS2000.

[Carrington]

@ cybernet

Note: Probe used Agilent 10073D (500MHz).
Using a 1K probe the BW must be closer to the real oscilloscope BW.

Set BW to 200MHz:



Set BW no limit:

[AndersAnd]

@ cybernet

Note: Probe used Agilent 10073D (500MHz).

So it does change the BW to 350 MHz after all?
What signal did you measure it with and what's it's true rise time? (If you know it).
Have you measured the test signal on an even higher frequency scope?

Using the 10%-90% rise time to frequency conversion formula for Gaussian-response oscilloscopes:
Source:
Agilent Application Note 1420
Understanding Oscilloscope Frequency Response and Its Effect on Rise-Time Accuracy
http://cp.literature.agilent.com/litweb/pdf/5988-8008EN.pdf

0.35 / 1.500 ns = 233.3 MHz

0.35 / 1.120 ns = 312.5 MHz

Also a lot of overshoot in 350 MHz mode that you can't see with 200 MHz BW limit because it's filtered out.

@ cybernet
Rise time = 0.35/BW
then
rise time (BW=200 MHz) = 1.75 ns (for DS2202 =1.8 ns)
rise time (BW=70 MHz) = 5 ns        (for DS2072 =5 ns)

this means the rise time of that the pulse generator is 5ns or the oscilloscope is 70 MHz.

[Carrington]

What signal did you measure it with and what's it's true rise time?

Altera cyclone II output.
  - Real oscilloscope BW ~ 900ps.
  - Altera signal rise time ?

Only give me more time to do more tests. (Lunchtime here)