Sniffing the Rigol's internal I2C bus

[MrKrabs]

Hey cybernet,

I was reverse engineering your reverse engineering , trying to port your DS4000 firmware hack which is version 00.02.00.00.04 to the latest version 00.02.01.00.03.

I was able to find the 2 magic bytes to modify (0x4899 into 0x2060) in the new firmware and then recalculated the CRC for section 00.

Then I updated the firmware on my DS4014 with my patched firmware. The update worked fine (I know because I had a 00.01.xx firmware), BUT it didn't enable the BW options neither gave me 1ns TB option.

I then went back to your 00.02.00.00.04 firmware and confirmed it enabled the BW options & 1ns TB, so I know it works on my DS4K.

Do you have any idea what the deal is with the latest DS4K firmware? I found the 0x4899 byte at 0x128a3c. It at least matched the nearby bytes almost perfectly when comparing with your firmware.

There's a big chance, of course, I was just changing the wrong bytes

Here's a diff of the hexdumps:

Code: [Select]

$ diff DS4000Update.00.02.01.00.03.orig.GEL.hex DS4000Update.00.02.01.00.03.modified.GEL.hex
4c4
< 00000030  32 62 77 f0 00 00 00 00  00 00 04 20 01 00 00 00  |2bw........ ....|
---
> 00000030  5d 10 2a 87 00 00 00 00  00 00 04 20 01 00 00 00  |].*........ ....|
75940c75940
< 00128a30  00 e8 00 00 09 e1 2d 0d  49 e1 e7 00 48 99 01 e8  |......-.I...H...|
---
> 00128a30  00 e8 00 00 09 e1 2d 0d  49 e1 e7 00 20 60 01 e8  |......-.I... `..|

Cheers!

[AndersAnd]

Note: This utility only works with firmware version 00.01.01.00.02.  If you need a copy of this firmware version, see Marmad's post (Reply #2) in this thread: https://www.eevblog.com/forum/testgear/first-impressions-and-review-of-the-rigol-ds2072-ds2000-series-dso/

Nice work.

The same FW 00.01.01.00.02 can also be downloaded here: http://rigol.avotronics.co.uk/ds2000-series/

Nice summary. andyturk (the OP) should copy and paste a link to this post in the first post of the thread.

Good idea. Done.

@andyturk (the OP) maybe you should also add a link to Marc M's SNMODFIX utility in the OP too, to make it easier to find.

[Altemir]

MrKrabs
BW options on DS4000?  Can you upload screenshots of this options and photo of your DSO? You has got 500MHz on 100MHz DS4014??? 

[marmad]

MrKrabs
BW options on DS4000?  Can you upload screenshots of this options and photo of your DSO? You has got 500MHz on 100MHz DS4014??? 

It's not actually an "option" - but yes, changing the model number internally on a DS4000 (and all - at least for the initial HW versions - of the other Rigol products in the DS/DG families) changes the bandwidth and/or enabled options. cybernet made a modified FW GEL file for the DS4000 (using FW v.02.00.00.04) which, when loaded, changes the model number - and thus the bandwidth.

[Altemir]

It's not actually an "option" - but yes, changing the model number internally on a DS4000 (and all - at least for the initial HW releases - of the other Rigol products in the DS/DG families) changes the bandwidth and/or enabled options. cybernet made a modified FW GEL file for the DS4000 (using FW v.02.00.00.04) which, when loaded, changes the model number - and thus the bandwidth.

If I had a custom firmware for the MSO4024, I would be able to measure the frequency response of up to 2GHz.

[AndersAnd]

cybernet made a modified FW GEL file for the DS4000 (using FW v.02.00.00.04) which, when loaded, changes the model number - and thus the bandwidth.

The DL link for cybernet's custom DS4000/MSO4000 firmware posted here doesn't work anymore though.

download, rename to DS4000Update.GEL -> http://www.filedropper.com/ds405xupdate

Can anyone upload it again, maybe here: https://mega.co.nz

[cosmos]

made a modified FW GEL file for the DS4000 (using FW v.02.00.00.04) which, when loaded, changes the model number - and thus the bandwidth.

The DL link for cybernet's custom firmware posted here doesn't work anymore though.

download, rename to DS4000Update.GEL -> http://www.filedropper.com/ds405xupdate

Can anyone upload it again, maybe here: https://mega.co.nz

http://wikisend.com/download/134080/DS405XUpdate.zip

[AndersAnd]

Thanks cosmos

If I had a custom firmware for the MSO4024, I would be able to measure the frequency response of up to 2GHz.

1) Just download cybernet's custom 00.02.00.00.04 based DS4000/MSO4000 FW [Filename DS405XUpdate_00.02.00.00.04.zip] here: http://rigol.avotronics.co.uk/msods4000-series/

2) Then follow the cybernet's instructions posted here.

[marmad]

1) Just download cybernet's custom 00.02.00.00.04 based DS4000/MSO4000 FW from the link cosmos just provided: http://wikisend.com/download/134080/DS405XUpdate.zip

2) Then follow the cybernet's instructions posted here.

Has this been confirmed to work on an MSO4000?

Unless it has, I don't think I'd risk changing my MSO model number into a DS model number.

EDIT: I just saw that in cybernet's original post he mentions that it will leave the 'MSO' part of the number intact - but have there been any MSO users that have used it yet?

[Avotronics]

Can I have confirmed please:

Is the DS405XUpdate only for DS405X models or all DS4000.
I'm not reading the whole thread, I just need to know where to put it on my rigol site.

Thanks

[neslekkim]

2) Then follow the cybernet's instructions posted here.

There the geltool is mentioned again, where do one find that?

[marmad]

Is the DS405XUpdate only for DS405X models or all DS4000.
I'm not reading the whole thread, I just need to know where to put it on my rigol site.

According to cybernet's post, any DS4/MSO4 - changing only the digit of the model number (0x4 = 500mhz) which specifies bandwidth (but no guarantees).

[Avotronics]

Is the DS405XUpdate only for DS405X models or all DS4000.
I'm not reading the whole thread, I just need to know where to put it on my rigol site.

According to cybernet's post, any DS4/MSO4 - changing only the digit of the model number (0x4 = 500mhz) which specifies bandwidth (but no guarantees).

Thanks

[Avotronics]

Cybernet's modded firmware can be found here permanently.
Sorry, direct linking isn't available.

http://rigol.avotronics.co.uk/msods4000-series/

[AndersAnd]

Has this been confirmed to work on an MSO4000?

Can't remember if anyone has tested it on an MSO4000, but I'm pretty sure it does work as DS and MSO models use the same firmware.
cybernet also wrote it works with both DS4000 and MSO4000 and also both 2 and 4 channel models:

this sets model type 0x4 = 500mhz
(whatever channel#, whatever MSO y/n it leaves that intact)

[AndersAnd]

Cybernet's modded firmware can be found here permanently.
Sorry, direct linking isn't available.

http://rigol.avotronics.co.uk/msods4000-series/

Thanks.
You should probably host Marc M's snmodfix.zip and guide for DS2000 S/N restoration too.
And also the JTAG memory dump guide posted earlier.

[marmad]

cybernet also wrote it works with both DS4000 and MSO4000 and also both 2 and 4 channel models:

Not quite: cybernet wrote:

anyhow no guarantees for anything like always  ...

You might just mention that when steering people towards something which, as far as I know, is untested on an MSO4. If it goes wrong it can be a costly and/or time-consuming problem to fix - not for you - but for the person you steered.

[marmad]

I have received feedback from the Swedish distributor that the DS2072 which is on sales (special offer as DS2072A replaces the old model) is in fact HW version 2.

Is it worth to buy the HW version 2? Or is the A version even better?

As I recommended to you in another thread which you started, unless you want an S-model (with the AWG) - if you can get the non-A HW v.2 model, IMO, that's what you should get. The hardware is the same - and you'll be able to upgrade to any new firmware while keeping all of your unpaid-for options. OTOH, the A-model owners MAY need some new hacking with every new version of FW released to avoid losing their options.

[MrKrabs]

2) Then follow the cybernet's instructions posted here.

There the geltool is mentioned again, where do one find that?

cybernet hasn't released it (yet?). I modified the firmware by hand

[MrKrabs]

Can I have confirmed please:

Is the DS405XUpdate only for DS405X models or all DS4000.
I'm not reading the whole thread, I just need to know where to put it on my rigol site.

Thanks

Please upload this one too:

http://www.wikisend.com/download/436838/DS4000update_00.02.01.00.03.zip (original firmware, latest version)

[Altemir]

Please upload this one too:

http://www.wikisend.com/download/436838/DS4000update_00.02.01.00.03.zip (original firmware, latest version)

I have putted it version to first post of topic Rigol MSO4000 and DS4000. Tests, bugs, firmware, questions, etc...

[zombie28]

One of the forum members tested my DS2k 00.02.01.00.03 firmware patch and reported that it works fine, ie. allows to use the old keygen with A scopes without any problems. This patch is a temporary solution for those who cannot or don't want to do memory dumps (at least until it's possible via USB). Of course extracting keys from memory is still preferred method, because license codes created this way should work even with future official firmware releases.

So, enjoy 
https://mega.co.nz/#!FFk10SCY!UuWPXyqZwmca00pa2clOth1ryh1Z-AAgJg2yibfoUw0

[AndersAnd]

One of the forum members tested my DS2k 00.02.01.00.03 firmware patch and reported that it works fine, ie. allows to use the old keygen with A scopes without any problems.

Nice. And the 50 ohm input option still works?

[alank2]

One of the forum members tested my DS2k 00.02.01.00.03 firmware patch and reported that it works fine, ie. allows to use the old keygen with A scopes without any problems.

Out of curiosity (don't have an A scope myself), what happens if you load the custom firmware, use a non-A key, then upgrade to stock firmware?  Do the options stay?

[zombie28]

One of the forum members tested my DS2k 00.02.01.00.03 firmware patch and reported that it works fine, ie. allows to use the old keygen with A scopes without any problems.

Nice. And the 50 ohm input option still works?

Here is quote from his mail:

I did this to verify your patched firmware:

-- Used SYSTEM:UNINSTALL to remove all my current options that I got using tirulerbach's rigup keygen (verified back to trial versions etc.)
-- Flashed your patched GEL
-- Installed DSHH key from riglol 1.03c

50 Ohm option + serial etc. are all intact.  I have 2ns