Sniffing the Rigol's internal I2C bus

[Rigol-Friend]

Gaijin:

THANKS A LOT, very good !       

[neslekkim]

Hi,

please, can anybody give me the SCPI commands for switching the input impedance to 50 ohms and back to 1 Megaohms of the DS2072?

:CHAN1:IMP OMEG
:CHAN1:IMP FIFTY

Does it exist an cheatsheet for such commands?

[gaijin]

There is a programming guide that lists the SCPI commands.
It's in a pdf on the cd that comes with the scope
or it's here:
rigol.com/download/Oversea/DS/Programming_guide/DS2000_ProgrammingGuide_EN.pdf
It doesn't list the option to change the input impedance, the guide made before the ds2000A.

[neslekkim]

yes, I downloaded the version for 2000A, but it's 648 pages long, an cheatsheet could be an compilation of the most usefull stuff..
this thread is way to long to find the nifty pieces now, i have tried a couple of times to go through it.

[fcab100]

No 50Ohm option here with DSHH. It's still gray out.

wonder What 0x1C020 actually does

ds2072 hw 2

[Teneyes]

@Cybernet   Great Work, 2 cases of Radler for you!      
Could the CAN decoding feature be in the GEL also??

Yes He CAN!!!
Fricking Amazing Cybernet  Great Work,
3 more cases of Radler for you!      

Of coarse, Rigol will be offering Cybernet a contract to Encrypt the next Firmware

[Marchello]

Now i have DS2302! (in his youth he was a DS2072)

Thanks Cybernet!

[cybernet]

@Cybernet   Great Work, 2 cases of Radler for you!      
Could the CAN decoding feature be in the GEL also??

Yes He CAN!!!
Fricking Amazing Cybernet  Great Work,
3 more cases of Radler for you!      

Of coarse, Rigol will be offering Cybernet a contract to Encrypt the next Firmware

that goes to zombie28 because he noticed the obsfuscation of keys - the rest was just stupid function name mapping from one version to another and following the trails to the option codes.
i already saw the difference between ds2000a and ds2000 - same keys are used, but the inital epoint_set functionn uses (x,x,0,g) instead of (x,y,0,g) as arguments - doesnt make a difference in the rikey.c,
so im not sure whats going on (my math skills again ...  ) - jtag dump from a ds2000a would be useful.

[A Hellene]

Kudos, people!

This is what team-work can do!
These are the benefits of the 'us' mentality versus the 'I' mentality!
Kudos to every individual who has been involved in this project!
Also, shame to every one of them for temping me to throw some more cash in to that market (which is killing our market)!

Let me throw my two cents in, by treating the thread with some food for thought:

There is an Actel ProASIC3 FPGA on board, hardwired to a twenty-slot ten-resistors network. This resistor network probably constitutes some kind of a revision number word, with each resistor pulling up or down a certain data line if the data word is ten-bits long, or leaving that line tri-stated also if the data word is twenty-bits long. This data word is --most probably-- read by the aforementioned FPGA and reported to the main processor.

This might not be easily spotted in the firmware disassembly listings because that data word is not read by the processor's I/O ports directly, but by the FPGA I/Os and reported via some (DMA, most likely) channel data burst, since the specific FPGA in question seems to be some kind of external memory manger accessing the Spansion FLASH boot and data storage memory chip.

Though I have not yet seen what's inside the DS2000 firmware (nor do I own a DS2000 unit in order to investigate it any further) I would consider the possibility of the FW actively reading that hardware jumpers revision word existing on the PCB in order to decide whether it should enable certain functions (like the 50 Ohm one, for example) or not.

If this is true, it could make it possible for the end user to be reverting their hardware on demand between the various revisions (i.e. non-A/A/AS or whatever) by just modifying the PCB revision number word jumpers (by adding in or by removing the jumper-resisrors that correspond to the data word bits).


-George

[cosmos]

There is an Actel ProASIC3 FPGA on board, hard wired to a twenty-slot ten-resistors network. This resistor network probably constitutes some kind of a revision number word, with each resistor pulling up or down a certain data line if the data word is ten-bits long, or leaving that line tri-stated also if the data word is twenty-bits long. This data word is --most probably-- read by the aforementioned FPGA and reported to the main processor.

In the ds4k these straps are marked, and they correspond to the reported extended revision number.
Changing the straps had no immediate effect on the BW in a ds4k.
It appears that the proASIC is the same or nearly the same s in the ds2k.

[PA0PBZ]

No 50Ohm option here with DSHH. It's still gray out.

wonder What 0x1C020 actually does

ds2072 hw 2

If the DS2000A series has the 50 Ohm as standard, it would not make sense to have an option code for that.

[zombie28]

i already saw the difference between ds2000a and ds2000 - same keys are used, but the inital epoint_set functionn uses (x,x,0,g) instead of (x,y,0,g) as arguments - doesnt make a difference in the rikey.c,
so im not sure whats going on (my math skills again ...  ) - jtag dump from a ds2000a would be useful.

For a given elliptic curve and a given value of x, there are at most two values of y that match this curve (let's call them y0 and y1). So to define some point on the curve you need to provide either both coordinates (x, y) or a value of x and a single bit (0 or 1) telling which value of y you chose. In the latter case the actual value of y will be computed by epoint_set function (it's called point decompression). When you call epoint_set(x,x,0,g), then you will get g = (x,y0), when you call epoint_set(x,x,1,g), then you will get g = (x,y1), and when you call epoint_set(x,y,0,g), then you will get g = (x,y), but y must be either y0 or y1 to match the curve.

[A Hellene]

In the ds4k these straps are marked, and they correspond to the reported extended revision number.

Thank you for the information. Does the DS4k line have any hardware revisions (other than the basic one) with extended functionality, like the DS2kA and DS2kAS for example?

It appears that the proASIC is the same or nearly the same s in the ds2k.

In the DS1002 line, the corresponding stage is the Lattice MachXO CPLD (which I called a LUT because it is not exactly a CPLD or an FPGA, but something in between).


-George

[Maurizio]

thetooth that is the same as the latest non A firmware, so either Rigol gave you the wrong firmware or they are going to use the same firmware for both the A and non A scopes.  Probably they gave you the wrong one though as your scope shows something newer - I wouldn't load it!

Also, it isn't a rar but a zip you've attached.

yeah i gathered, also funnily enough the rigol rep sent me the image as a jpg file with instructions to rename it since he seemed to think it would be eaten.

I sent an email back to ask if they were sure this was for the A version so might see something new after all.


That sure did take a few attempts, i think the threshold is about 500ms lel

As reference, if it helps, these are the long infos from my brand new ds2102A just arrived last week.
All infos are the same of the picture of Thetooth except of the model name.
Only my 2 cents.

Maurizio

[AndersAnd]

In the ds4k these straps are marked, and they correspond to the reported extended revision number.

Thank you for the information. Does the DS4k line have any hardware revisions (other than the basic one) with extended functionality, like the DS2kA and DS2kAS for example?

There's both a DS4000 and a MSO4000 HW version. MSO4000 is just a DS4000 with buil-in 16-bit logic analyzer.

[A Hellene]

There's both a DS4000 and a MSO4000 HW version. MSO4000 is just a DS4000 with buil-in 16-bit logic analyzer.

Thank you. I suppose that both of these lines share the same PCB, since this way cuts the development and production costs dramatically.


-George

[AndersAnd]

There's both a DS4000 and a MSO4000 HW version. MSO4000 is just a DS4000 with buil-in 16-bit logic analyzer.

Thank you. I suppose that both of these lines share the same PCB, since this way cuts the development and production costs dramatically.


-George

Yes I believe it's the same PCB, just with or without the extra LA components being mounted, and maybe a jumper to tell if it's a DS or MSO version.

[A Hellene]

This is exactly what my previous thought was based on.


-George

[NikWing]

hey all

I've just started reading this thread from the beginning. You're really great, wow
Thanks to everyone who contributed

I'm going to order a DS2102A-S later today or tomorrow, and after reading a bit here I just want to be really sure not to do something wrong.
So please tell me, if I order the 100 MHz DSO, will it be possible to unlock it to 300 MHz?
Despite it has the generator inside, it should be possible to find a way to unlock the other features?

That would really help me.
I also pondered just getting a 2102A without the generator and get a stand-alone device later. But since the A-S versions have one built-in (although it's just 25 MHz), it wouldn't take up extra space etc ...
That's why I'm still not sure if I do the right thing ^^;

Thanks!

[cosmos]

In the ds4k these straps are marked, and they correspond to the reported extended revision number.

Thank you for the information. Does the DS4k line have any hardware revisions (other than the basic one) with extended functionality, like the DS2kA and DS2kAS for example?

It appears that the proASIC is the same or nearly the same s in the ds2k.

In the DS1002 line, the corresponding stage is the Lattice MachXO CPLD (which I called a LUT because it is not exactly a CPLD or an FPGA, but something in between).


-George

My ds4k have the same strapping as in the picture and the scope reports extended HW version number: 0.1.2.3 (same access to extended info as on a ds2k).
This corresponds to the straps at the top "xx.xx" being 01.10 (1.2) and the strap field below being 011 (.3) .
Not sure if the singel "ch" strap is the first digit (0.), but it would not be surprising.
Makes me wonder if "ch" relates to the number of scope channels.
Someone with a two channel DS4000 might want to report what number they have.

The LA on MSO4000 looks to be plugged into a connector (not mounted in DS4000) next to the lone (display handling?) FPGA near the Blackfin.
There is a cut out in the PCB with mechanical supports for the probe connector on the front.
Presumably there is a LA board in between with some FPGA on it.
 
EDIT. 
Got info from DS4012 owner,  he have HW version number: 1.1.1.3 
so that looks like it confirms that first digit is 4ch/2ch indication. as the "ch" note on the PCB also suggested.

[AndersAnd]

I'm going to order a DS2102A-S later today or tomorrow, and after reading a bit here I just want to be really sure not to do something wrong.
So please tell me, if I order the 100 MHz DSO, will it be possible to unlock it to 300 MHz?

No, the A versions has not been hacked yet.

[A Hellene]

Not sure if the singel "ch" strap is the first digit (0.), but it would not be surprising.
Makes me wonder if "ch" relates to the number of scope channels.

*grin*

The LA on MSO4000 looks to be plugged into a connector (not mounted in DS4000) next to the lone (display handling?) FPGA near the Blackfin.
There is a cut out in the PCB with mechanical supports for the probe connector on the front.
Presumably there is a LA board in between with some FPGA on it.

It seems to be the same design strategy to the older DS1002E/DS1002D models line, which share the same exactly PCB that has headers to carry the 'optional' logic analyzer add-on board the D models include. There are two slightly different firmware update versions though, one for the E model and one for the D one, since there are no HW revision selection switches (the populated/unpopulated resistors network) on board.


-George

[neslekkim]

I'm going to order a DS2102A-S later today or tomorrow, and after reading a bit here I just want to be really sure not to do something wrong.
So please tell me, if I order the 100 MHz DSO, will it be possible to unlock it to 300 MHz?

No, the A versions has not been hacked yet.

but according to recent finds, one should think that is matter of minutes if just someone do an jtag dump of an A serie..
I'm definately going for the A(with s), but 100 or 200... that's the question..

[Carrington]

Cybernet has done it, again! *ole* 

Now I'm very busy and I can't test anything (check the BW for example).

Anyway. How is the new table?

Code table: Use DSAx for a official key, and use VSAx for a trial key.

x  200, 100, Mem, Dec, Trig

A   none
B   ==   ==   ==   ==   on
C   ==   ==   ==   on   ==
D   ==   ==   ==   on   on
E   ==   ==   on   ==   ==
F   ==   ==   on   ==   on
G   ==   ==   on   on   ==
H   ==   ==   on   on   on

Note: keys A..H wont change the model, only ADD an option.

2102:

J   ==   on   ==   ==   ==   
K   ==   on   ==   ==   on
L   ==   on   ==   on   ==
M   ==   on   ==   on   on
N   ==   on   on   ==   ==
P   ==   on   on   ==   on
Q   ==   on   on   on   ==
R   ==   on   on   on   on   <-  All 2102

2202:

S   on   ==   ==   ==   ==   
T   on   ==   ==   ==   on
U   on   ==   ==   on   ==
V   on   ==   ==   on   on
W   on   ==   on   ==   ==
X   on   ==   on   ==   on
Y   on   ==   on   on   ==
Z   on   ==   on   on   on   <-  All 2202

DONT USE BELOW Not recommended, as activates 2102 and also 2202:

2   on   on   ==   ==   ==
3   on   on   ==   ==   on
4   on   on   ==   on   ==
5   on   on   ==   on   on
6   on   on   on   ==   ==
7   on   on   on   ==   on
8   on   on   on   on   ==
9   on   on   on   on   on

[alank2]

I guess I'm not following everything here, has a key been generated that works on an A model yet?

Also, does anyone know HOW the keyboard connects to the blackfin, what pins/registers/interface?