Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1869809 times)

Offline dudarobe

  • Newbie
  • Posts: 3
Re: Sniffing the Rigol's internal I2C bus
« Reply #3675 on: November 21, 2014, 12:09:51 pm »
This has probably been asked a million times so sorry in advance. Can a new ds2072a be hacked to enable the extra options? And if so what are the most updated methods to doing so. I saw the riglol site a few pages back, do you just enter the generated key into the oscilloscope? Thanks  :)

Hello, 4 days ago I bought a new ds2072a at www.conrad.de, the hardware 2.0, without any problem after the procedure from post # 3705, after 3 minutes I was overjoyed oscilloscope with installed full options to 300MHz.
 

Edgar Amalyan

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #3676 on: November 22, 2014, 01:25:50 am »
Hello, 4 days ago I bought a new ds2072a at www.conrad.de, the hardware 2.0, without any problem after the procedure from post # 3705, after 3 minutes I was overjoyed oscilloscope with installed full options to 300MHz.

That's great, for around $800 with the free options I think the DS2072 is the scope to get. Have you tested 300MHz on the scope? Rigol says the scope can be unlocked up to 200MHz through the keys.
 

Offline Alexcn

  • Newbie
  • Posts: 1
Re: Sniffing the Rigol's internal I2C bus
« Reply #3677 on: November 26, 2014, 01:52:08 am »
Dear All

I would like to thank each of you that made this upgrade possible.

As a student having a DS2072A upgraded to 300MHz oscilloscope is something that makes me more motivated!

A few notes on my experience.

DS2072A bought in March
Windows 8.1
Original firmware 02.00 - I have to update to 03.01.04 (before I was unable to read the memory)
I have to use the 32M dump files (12M and 16M don't work)
I use LAN port (It doesn't work by USB)


All the best for all of you and for RIGOL!!
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 419
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3678 on: November 26, 2014, 03:05:23 pm »
My God
248 Pages

is this post still going

@ Edgar

Mate, if you're still having issues
i have exactly the same scope and i've upgraded it to 300MHz

YES .. IT WORKS

contact me directly
and as i've done for so many others
we can skype and i'll show you how to do it all

if you want to read it for yourself

LET ME SAVE YOU THE PAIN OF READING THIS ENTIRE UNCONTROLLABLE MONSTER OF A POST

I've created a summary of this post
SPECIFIC FOR THE DS 2072A

HERE YOU GO

https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/

IF YOU STILL HAVE ISSUES
PM me and i'll help you out
QUESTION EVERYTHING!!!
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 419
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3679 on: November 26, 2014, 03:08:44 pm »
Just so there's no confusion

The Rigol DS2072A Unlocks TO 300MHz   not 200

however, it's optional to go to 200, but, why would you
if you're unlocking features, unlock them all

it's 300MHz  and 56Mpts Memory Depth

TRUST ME
QUESTION EVERYTHING!!!
 

Edgar Amalyan

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #3680 on: November 27, 2014, 12:33:09 am »
Thanks for the info. I haven't purchased the DS2072 yet but will do so in a month. Anyway, your guide looks simple enough, will do the unlock and message you if I encounter problems.
« Last Edit: November 27, 2014, 12:14:49 pm by Edgar Amalyan »
 

Offline Eray

  • Newbie
  • Posts: 3
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #3681 on: November 29, 2014, 12:58:14 pm »
anyone, please don't leave me to read 248 pages of this thread and point to DSA815 hack stuff :)
 

Offline Lupini

  • Newbie
  • Posts: 2
Re: Sniffing the Rigol's internal I2C bus
« Reply #3682 on: December 01, 2014, 11:22:03 am »
Hello,

I'm very happy : my MSO2072A has become a MSO20302A  :-+

My version :

Before :

After :

Thanks all
 

Offline rednax

  • Newbie
  • Posts: 2
Re: Sniffing the Rigol's internal I2C bus
« Reply #3683 on: December 03, 2014, 01:05:30 pm »
Hi everyone,

Is there any progress in unlocking the MSO1104z?
 

Offline 0ff

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3684 on: December 03, 2014, 01:08:15 pm »
Hey rednax,

in fact rmd79 and myself are looking into it.
We've found a temporary unlock, i.e. jtag-based and not surviving reboots, but apart from that we're basically stepping through disassemblies hoping for a magic insight :D

If you'd like to join our efforts, just PM me :)

Regards
 

Offline Trax

  • Regular Contributor
  • *
  • Posts: 124
  • Country: at
Re: Sniffing the Rigol's internal I2C bus
« Reply #3685 on: December 06, 2014, 05:08:02 pm »
Hi everyone,

Is there any progress in unlocking the MSO1104z?

I would also be very interested in an option to unlock all features of a MSO1074z, it's essential for my decision if to buy one or not.

Trax
 

Offline amor4ti

  • Newbie
  • Posts: 4
Re: Sniffing the Rigol's internal I2C bus
« Reply #3686 on: December 07, 2014, 05:51:36 pm »
Hi..

Any luck with hacking MSO1104Z & DG1000Z (memory option)?

Thanks
 

Offline remilton

  • Newbie
  • Posts: 5
Re: Sniffing the Rigol's internal I2C bus
« Reply #3687 on: December 09, 2014, 06:02:23 am »
I can confirm that Rigup 0.04 is not working for the latest batch of ds2072a scopes.  I received mine last week and received the 'upgrade unavailable' message on ver 3 firmware and ver 2 hardware.  I tried for 300mhz and 200mhz with no joy.  I think we are going to need a new keygen.

By the way, the page at http://gotroot.ca/rigol/riglol/ , what is that very long key it generates after you enter your serial, option, and private key and what are you supposed to do with it?
 

Offline 0ff

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3688 on: December 09, 2014, 10:41:24 pm »
To all you MSO1000Z Owners: It's done, we found what Rigol changed for the MSO1k and we patched rigup to generate working keys.

Usage: Well, get the file, compile the source, call rigup like this:
Code:
./rigup license mso1074z.txt 0x1C0FF
Note: The License option *must* be supplied as hex, these are valid values:
0x1C001 - TRIGGER
0x1C002 - DECODER
0x1C004 - MEM-DEPTH
0x1C008 - RECORDER
0x1C00F - All of the above

There are also these options, but they will modify your scope into a MSO1000Z. They are mostly untested and might harm your children.
0x1C010 -
0x1C020 -
0x1C040 -
0x1C080 -
0x1C0FF - all Options

Generate the mso1074z.txt like this:
Code:
./rigup scan YourDump.bin > mso1074z.txt
Note: You will need to open the scope to get a dump. I'm not going to change that, but if anyone of you would like to reverse the firmware signing process, there is a hidden DBGCMD that might provide useful as an entry point for custom SCPI logic.

I want to thank rmd79 for his continuing efforts as well as all original authors of the rigup tool! You guys are the one who deserve any credit!
Also, thanks to sptm14 for you keeping all the info from the public. This motivated me to actually walk through their code!

Best regards,
Fabian
 

Offline rmd79

  • Contributor
  • Posts: 18
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3689 on: December 09, 2014, 10:55:49 pm »

Great work :)

The only thing I had to do was edit the main "Makefile" and change:

Quote
LDFLAGS                 := -O2 -Wl,-dead_strip

back to the original line:

Quote
LDFLAGS                 := -O2 -Wl,--gc-sections -s

Otherwise when running rigup license I would get the command-line help screen and then a segfault.

Other than that issue, it's generating valid keys for my MSO1074Z-S.

Thanks heaps for your help,
Rob.
 

Offline 0ff

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3690 on: December 09, 2014, 10:59:39 pm »
Uh, sorry for that! I needed it to get rigup running on OS X.

Also as a general note: This is probably the most dirty version of rigup out there. I didn't take the time to clean things up, if anyone wants to do this, feel free!
Most important changes are probably in the charmaps, encode.c + decode.c + rmd79's patches.

Everything else was just me testing stuff.

I don't think it's worth the effort to make a single version of rigup, as this would need multiple checks on the model. But if you think otherwise: be my guest :)

Best regards,
Fabian
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5341
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3691 on: December 09, 2014, 11:10:53 pm »
Agreed, great work, I can confirm this worked on an MSO1074Z-S.
 

Offline BloodyCactus

  • Frequent Contributor
  • **
  • Posts: 482
  • Country: us
    • Kråketær
Re: Sniffing the Rigol's internal I2C bus
« Reply #3692 on: December 10, 2014, 12:23:30 am »
there is a hidden DBGCMD that might provide useful as an entry point for custom SCPI logic.

interesting that DBGCMD is still there in DG1032Z.. shame :FRE does not work tho :( I don't get the dbgcmd rx/tx outputs but maybe need to do some more poking around..

SCP Module Ver : 00.02.03.00.

hmm
-- Aussie living in the USA --
 

Offline 0ff

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3693 on: December 10, 2014, 04:50:13 pm »
Hey rednax, which kind of hack are you looking for?
The keygen should actually work for your MSO1104Z, too - with that you can enable all official options.
 

Offline rednax

  • Newbie
  • Posts: 2
Re: Sniffing the Rigol's internal I2C bus
« Reply #3694 on: December 10, 2014, 04:53:22 pm »
Hey rednax, which kind of hack are you looking for?
The keygen should actually work for your MSO1104Z, too - with that you can enable all official options.

Hi 0ff,

I just didn't notice the latest developments! Great work guys!
(I deleted my previous post)
 

Offline Trax

  • Regular Contributor
  • *
  • Posts: 124
  • Country: at
Re: Sniffing the Rigol's internal I2C bus
« Reply #3695 on: December 10, 2014, 06:54:59 pm »
To all you MSO1000Z Owners: It's done, we found what Rigol changed for the MSO1k and we patched rigup to generate working keys.

Usage: Well, get the file, compile the source, call rigup like this:
Code:
./rigup license mso1074z.txt 0x1C0FF
Note: The License option *must* be supplied as hex, these are valid values:
0x1C001 - TRIGGER
0x1C002 - DECODER
0x1C004 - MEM-DEPTH
0x1C008 - RECORDER
0x1C00F - All of the above

There are also these options, but they will modify your scope into a MSO1000Z. They are mostly untested and might harm your children.
0x1C010 -
0x1C020 -
0x1C040 -
0x1C080 -
0x1C0FF - all Options

Generate the mso1074z.txt like this:
Code:
./rigup scan YourDump.bin > mso1074z.txt
Note: You will need to open the scope to get a dump. I'm not going to change that, but if anyone of you would like to reverse the firmware signing process, there is a hidden DBGCMD that might provide useful as an entry point for custom SCPI logic.

I want to thank rmd79 for his continuing efforts as well as all original authors of the rigup tool! You guys are the one who deserve any credit!
Also, thanks to sptm14 for you keeping all the info from the public. This motivated me to actually walk through their code!

Best regards,
Fabian

wow so just to clarify this with this tool I can unlock all features of a MSO1074z scope if I buy one for Xmas? is that right?
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5341
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3696 on: December 10, 2014, 07:10:48 pm »
FWIW here is what I understand to be the list of options:

(CSAR = 0x1C001) Triggers
(CSAB = 0x1C002) Decoders
(CSA3 = 0x1C004) Mem-depth
(CSAJ = 0x1C008) Recorder
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.
(CS3A = 0x1C080) Bandwidth (100MHz)
(CSHY = 0x1C0FF) All

I don't know what "DG" or "Power Ana" is.

As with the DS1000Z series, 500uV doesn't work properly. Here is my understanding. On ch2, 3, 4 was tried, the traces for those channels went off the top of the screen and they couldn't be retrieved without dropping back to 1mV/div. Ch1 worked at 500uV on the example I am aware of but had about -400uV of DC offset. A self calibration was run, but it made no difference.

The bandwidth on this example before applying the CS3A 100MHz option, measured with an HP 8656B 50 ohm terminated RF signal generator, was 91MHz and after it was 141MHz.
 
The following users thanked this post: atcurtis

Offline msraya

  • Supporter
  • ****
  • Posts: 107
  • Country: es
  • EA7EE
Re: Sniffing the Rigol's internal I2C bus
« Reply #3697 on: December 10, 2014, 07:35:23 pm »
Hello!

Good work and thank you to share knowledge!  :-+

I have in the lab a ICEbear Blackfin JTAG debugger (http://www.section5.ch/icebear) that I have never used :-// .
Do you think it is possible to use this tool to dump the memory?
Someone use it for that purpose?

Regards
Manuel
« Last Edit: December 10, 2014, 07:50:13 pm by msraya »
 

Offline 0ff

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3698 on: December 10, 2014, 07:40:10 pm »
Hey Manuel,

that depends on your scope.
My MSO1074z is not built around a blackfin, but rather the freescale iMX28.
It's really only important to have an adapter that's compatible with openOCD, that's all that matters.

Oh and Howard: Thanks for your input with completing the license codes, this is just awesome :)

Regards
 

Offline swanawood

  • Contributor
  • Posts: 16
Re: Sniffing the Rigol's internal I2C bus
« Reply #3699 on: December 10, 2014, 09:27:57 pm »
Hi folks!

My new DS1054Z has just arrived; I am trying to dump mem via SCPI command (windoz).
I got no success:

with Rigol Bildschirmkopie LAN When I send(&receive) the dump command:
:SYST:UTIL:READ? 1,33554432

I get the error "There was an error when sending the SCPI command."
Other commands via Bildschirmkopie work (for example ":SYSTem:LANGuage?" gives "ENG")


With the netcat via command prompt (192.168.200.22 is the rigol IP address):

echo :SYST:UTIL:READ? 1,33554432 | ncat -i 1 192.168.200.22 5555 > memory.dump

the file is created but inside there is "command error"

My versions:
sw ver: 00.04.02.SP3
board ver: 0.1.1


Any idea? Does someone have the same versions and is able to dump?


p.s.
Anyway I succeeded in installing options via caroot k**gen, but I would like to be able to dump memory.

Thanks
 

