How To Get 50 More Zed From Your Rigol DS1054Z

[Chris] has been spending a lot of time in the wife’s sewing room lately, and things got pretty serious late last night as he hacked his shiny new Rigol DS1054Z to unlock the 1104Z capabilities lurking within.

The rumors are true, and ungoverning the software is as simple as looking up your serial number and knowing the right URL for generating a valid license. [Chris] ran into a dud site, but that’s the price of doing business in the shadowy parking garage basements of the interwebs. Once he knocked on the right door and uttered the secret word, however, he became the proud owner of 50MHz additional bandwidth, decoders for SPI, I²C, and RS-232, twice the storage depth, and all teh triggers that ship with the 1104Z.

Stick around for [Chris]’s video walk-through. Can’t rationalize the purchase even at the ridiculously low price point? Here’s one way to make it happen. You’ll laugh, you’ll cry, you’ll learn some French.

78 thoughts on “How To Get 50 More Zed From Your Rigol DS1054Z

    1. Folks…I’m a newbie — just got a 1054z as a nth birthday present to myself (where n is a too large number). I’m in early stage learning by going thru the 1052e learning videos on YouTube. Lesson 2. The 52e appears to have a nice digital filter feature. The 54z only has a 20MHz on/off? Have I got that right? Does the “upgrade” hack change that? thanks

      1. Looks like you have trouble finding the exact value of your age. Use the DS1054Z, it is a nice oscilloscope at a great price. Then do the hack at http://www.gotroot.ca/rigol/riglol/ (that is the hack that works, there is another one but it did not work for me) and use ONLY the DSFR code in the options, after you input your serial number. Forget about the privatekey field, you don’t need it AFAIK. Once done, you will have a 100mhz oscilloscope. THEN use one probe on your left index finger (Channel 1) and another probe on your right big toe (Channel 2). Wait 5 seconds and you will be able to read your correct age in Gigaherz. Do not invert finger / toe sides or you will be fried.

        Seriously, a great 100mhz (after modding it) oscilloscope for little money!

    1. Not really a “hack”, somebody just reverse engineered the algorithm Rigol uses to make the product keys from the serial number. Usually it’s a bunch of obfsucated crap with hashes and XOR, but easy enough to dig through with a debugger of some description. They can’t block it because it’s the same process they would be using.

      1. That’s not at all what happened.

        Rigol uses EC crypto for their keys. They are using the MIRACL library, so they didn’t do this in house. That’s already a sign it might be secure, right?

        Obviously it wasn’t. Rigol did not use proper starting values, making the keys very weak. It was trivial (milliseconds of compute time) to figure out the private key.

        Interestingly, Rigol hasn’t fixed this since it was discovered on an earlier model. Intentional?

        1. Probably intentional. They don’t have to give you warranty if you use a hack and you get a better oscope for your hobby. That’s free marketing in the hobby market! Companies would never do this anyway.

  1. OK, so they oscope text says it is an 1104Z, but did the bandwidth actually increase to 100MHz? It would have been interesting if he had captured a 100 MHz reference signal before and after his mod.

    BTW, I have a real Rigol 1104Z, and mine cost $0. It was my 50th birthday gift from my wife.

    1. Yes.

      He links in to the review Dave Jones did, and one of the things that Dave noted in that and a companion review where he maps the circuit is that the input bandwidth is limited by capacitors in the circuit that are controlled from the microcontroller.

      There was some discussion in a previous thread about cloning Tektronix application modules (the one that sparked the DMCA takedown notice from Tektronix) about the ethics of software hacking like this, with some people saying that they think a hack like this is stealing. Now, Chris used a software hack to get the functionality, but by cutting and remapping the traces coming from the chip (that is, a hardware hack) you could achieve the same outcome, at least in terms of getting the higher bandwidth.

      As Chris says in the video, it seems that Rigol have made it at least somewhat hacker friendly to do these kinds of things. I’m kind of in the same boat as him – I’ve always thought that feature unlocking a cheaper scope is akin to overclocking a cheaper GPU or (perhaps more accurately) messing with the tune on a engine control unit in a car to get those extra horsepower they want to charge you more for.

    1. Obviously it has been done before! He used a website from the “Even Skeezier parts of the intertutes”. The video you linked to was posted 25 days before this post. Not everyone lives on the “Even Skeezier parts of the intertutes” makes me think about what is “dripping” out of your computer or off of it. Did you google this hack before or after you saw this post?

  2. For those wondering, no, Rigol do not deliberately allow their scopes and other gear to be hacked in order to get more sales. They don’t like it, but they know they can’t stop it, and it’s the calculated risk they take when they decided on software performance restrictions. The number of scopes sold due to hackability is small-fry. They software limit the scope to reduce production and inventory cost and gain price leverage in various market segments. The vast majority of customers do not know about the hack, nor would they care if they did.

    1. I suspect they actually sell quite a few scopes that subsequently get upgraded by hobbyists – and if it weren’t so easy to upgrade, those hobbyists might go buy a different brand instead.

        1. I’m really looking forward to the day someone will legally challenge a manufacturer refusing to honor a warranty because a scope has been “upgraded”. In many countries, you can’t refuse a warranty just because you feel like it. You have to show the user did something wrong that could have caused the issue.
          Refusing to replace a failed LCD (for instance) because someone unlocked a bandwidth option really seems dodgy… and I’d like to see what happens if this is taken in court.

          1. In logic yes, in reality, no. Corporations in America don’t give a shit about anything moral, ethical, or humane, just money and greed. If they could squash a few people out of the money it takes to replace it or whatever, trust me, they will.

  3. I’d really like to see someone (Dave @eevblog?) do a full set of calibration tests on a hacked scope. I strongly suspect that the 50 & 70 MHz versions are a means of selling off the 100 MHz scopes that don’t pass the final QC tests. The front end is analog and parts tolerances are still an issue when you’re trying to keep the price down. The 70 MHz version being an attempt to squeeze a bit more out of the bottom line from units that are only slightly off spec.

    Software features are an entirely different matter. I don’t see why any of the vendors charge as much as they do for those other than they can. Eventually one of them will go all in for market share and unlock everything.

      1. Have you ever seen pictures of the *thing* that was Bob Pease’s desk/office/lab at Nat Semi? Go easy on [Dave @eevblog]. Clutter is the telltale sign of the presence of superior intelligence! The smartest people I know, to a one of them, have desks which are their own security systems by virtue of the sheer chaos atop, beside, and below them. Ask them to find absolutely anything within that chaos and they’ll hand it to you in seconds.

  4. Just got my new DS1054Z and did the hack directly after unboxing and … BÄM …it worked perfectly even from gotroot :-).
    Thanks a lot giving me a scope worth 1300€ paying 350€. If this is a marketing tool by Rigol I think they are going to become a market leader in the market for hobbyists in the future. And by the way I´m not ashemed doing this hack. Don´t believe that Rigol didn´t get their share. All they loose is the extra money but this will be overcompensated by the volume of scopes they sell. Just my 2 cents :-)

    1. What firmware did you have loaded in your scope before you started? What option from that site did you use? I see a default of AAAA, but I don’t see an entry for what that enables.

    1. I just powered up my DS1054Z for the first time and when I look at the installed options, it lists them all as “Trial” with about 32hrs left. Does that mean my scope is like a DS1104Z until Cinderella appears in 32hrs and then it reverts back to uninstalled options? Should I do the hack before or after the 32hrs are up? Will there be any difference in performance between what I have now (in the first 32hrs) and what I’ll have after the hack (after the 32hrs)?

      1. Thanx very much for the info. Two questions:
        (1) Before the hack, did the scope list the installed options as “Trial”? What did it show them as after the hack?
        (2) To what options does the code DSER correspond?

        Thanx again

        1. The DSER option unlocks all features EXCEPT the 500uV option which is / was buggy.
          From http://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg432125/#msg432125
          Search for icaro600
          Quote:
          —————————————————————————————————————————————————-
          icaro600:
          Re: Sniffing the Rigol’s internal I2C bus
          « Reply #3221 on: April 25, 2014, 04:33:31 AM »
          Use one of the On-Line Keygenerator (you want to use it for DS1000z) at* >
          RigLol keygen: http://riglol.3owl.com
          Canadian mirror: http://gotroot.ca/rigol/riglol/
          UK mirror: http://rigol.avotronics.co.uk/mirrors/riglol/

          Do NOT install 500uV Vertical Sensitivity, as it doesn’t work properly (buggy*). Therefore do NOT use ‘DSBA’ – 500uV Vertical, or ‘DSFR’ – all options.

          1. Type in your unit’s Serial Number.
          2. Type in DSER* for all options without the 500µV. This Option may not be in the Keygen’s list, but it will work!
          3. Do NOT enter anything for ‘Privatekey’, it will be inserted automatically for you (based on the DS1000z).
          4. Press [GENERATE], and record the resulting Option Code.
          5. When you are done enter the Option Code manually in the DS1000z using a single string without using any ‘dash’ (-) using Rigol’s Procedure for activating the Trial Options in the D1000z. As I recall the procedure is available on Rigol’s Web Site under DS1000z.
          ————————————————————————————————————————————————————
          Only the Canadian mirror:
          http://gotroot.ca/rigol/riglol/
          is working.
          Downloading the source code will give you a set of .exe one for Windows to be run from a CMD prompt:
          ————————————————————————————————————————————————————-
          D:\Rigol DS1054Z>riglol.exe
          Riglol 1.03d

          Usage: riglol.exe
          serial number of device (D…………)
          device options, 4 characters, see below
          private key (optional)

          DP832 starting from v1.09 device options:
          first character: F = official, B = trial
          F3PT – Accuracy
          F6PT – Analyzer and Monitor
          F6LT – LAN
          FALT – RS232
          FLLT – Trigger

          DP832 up to v1.06 device options:
          first character: M = official, 5 = trial
          MWSS – Trigger
          MWTB – Accuracy
          MWTC – LAN and RS232
          MWTE – Analyzer and Monitor

          DS1000z device options:
          DSAB – Advanced Triggers
          DSAC – Decoders
          DSAE – 24M Memory
          DSAJ – Recorder
          DSBA – 500uV Vertical

          DS2000 device options:
          first character: D = official, V = trial
          DSAB – Advanced Triggers
          DSAC – Decoders
          DSAE – 56M Memory
          DSAJ – 100MHz
          DSAS – 200MHz
          DSAZ – all options

          DS4000 device options:
          first character: D = official, V = trial
          DSHB – RS232 Decoder
          DSHC – SPI Decoder
          DSHE – I2C Decoder
          DSHJ – CAN Decode
          DSHS – FlexRay Decoder
          DSH9 – all options

          DSA815 device options:
          first character: A = official, S = trial
          AAAB – Tracking Generator
          AAAC – Advnced Measurement Kit
          AAAD – 10Hz RBW
          AAAE – EMI/Quasi Peak
          AAAF – VSWR

          MAKE SURE YOUR FIRMWARE IS UP TO DATE BEFORE APPLYING ANY KEYS

          D:\Users\PoulAgertoft\Dropbox\Downloads\Rigol DS1054Z>riglol.exe DS1ZA171912343
          DSER
          RDJ9JBB-N3SWWUS-QQAER8Z-ZUPTRTA
          ————————————————————————————————————————————————————–
          I did the DSER, which is not mentioned on the DS1000z device options on the website or in rigol.exe,
          my DS1054Z, SW 00.04.03, it worked like a charm the first time :)
          Hope this helps.

  5. No problem!
    I have been a bit disappointed for the RF interferences at 125MHz and more, also with the original 50MHz bandwidth.
    Uhmm… It should be not so tricky avoiding a -40dBfs interference for an experienced company. I can not think they are not able to solve that problem.
    A cheap instrument can not be as good as more expensive instruments of the same company… I wouldn’t be astonished if they made something to add noise, making the DS1000 series worse than more expensive series!
    It would be a few pF capacitor, or a wire protruding as an antenna or a tin drop… :-)

  6. I was able to successfully apply the “fix” to my 2015 production 1054Z. However, for some reason i wasn’t able to do it first time – i have restarted the device and regenerated the key (even though i have found out it is exactly the same like the first one, no mistakes) and this time i was able to unlock.

    I have stumbled on similar reports of people not being able to unlock with 1st try so if yours decides to throw away the coding the first time – just make sure you put all the numbers right, restart and retry. Most probably it is going to work

    1. I’m about to buy a ds1054z. Did you use the gotroot.ca link to generate your code? It looks like it is the only page still up. The YouTube video I saw stated the code from that website didn’t work?

  7. Yep, this still works. Got mine today and got it to work right out of the box, no FW upgrading or anything. Did it when the features were still under “Trial”, didn’t seem to matter.

    I downloaded the binaries and used those rather than the web interface (paranoid).

    Website: http://www.gotroot.ca/rigol/riglol/
    Model: DS1054z
    FW: 00.04.03.SP2
    Board: 0.1.1
    Code: DSER

    Now identifies as DS1104Z.

  8. Still works!

    My DS1054Z came today with firmware 00.04.03 and board 0.1.1. Upgraded to latest firmware and then used DSER option code. Now identifies as DS1104Z with all options.

    Analog bandwidth of my model is approx. 125MHz@-3dB.

  9. Works fine.

    My unit came with fw 00.04.03 board 0.1.1. Updated to 00.04.03.SP2 and used DSER option code.
    Now identifies as DS1104Z with all options.

    Analog bandwidth of my unit is approx. 125MHz@-3dB.

  10. Still works!

    My DS1054Z came today with firmware 00.04.03 and board 0.1.1. Upgraded to latest firmware and then used DSER option code. Now identifies as DS1104Z with all options.

    Analog bandwidth of my unit is approx. 125MHz@-3dB.

  11. I finally got around (and the courage) to try this hack…worked like a charm. I used the code DSER (all options but the 500uV). I tested and saved .jpg files of a 5V 20MHz clock before and after the hack (using x10 probe). Before the hack, the risetime for the clock was measured by the ‘scope as 2.50ns; after the hack, the same clock was measured by the scope as 2.20ns so I know the physical bandwidth did increase and it’s not the ‘scope just reporting an increased bandwidth. I then went on and update to the latest firmware and again, no problems.

  12. Just got a DS1074Z Plus, SV 00.04.03, BV 2.1.1; codes do not work anymore. Tried a couple just to be sure. Also took a break and came back and tried it again, re-entering serial number. It says “Invalid License”.

  13. Tried this on my (new!) DS1054Z bought just a few weeks ago. Firmware version is 4.03.SP2. Had a couple of false starts either due to finger trouble or duff sites. The original site used by Chris has disappeared and the mirror didn’t seem to work but I found the original site on the internet archive at https://web.archive.org/web/20131215225141/http://riglol.3owl.com/ and it worked just fine using the DSER option.
    The scope now has all the options and reports itself as a DS1104Z. It came with all of the options licensed as ‘trial’ versions for a limited time evaluation but they are now licensed as ‘official’ with no time limit. Great result. A DS1104Z-Plus would have cost more than double and I have no need for the upgradeability to logic analyser etc. capabilities (I use a Saleae).

  14. Tried a number of RigloL keygen sites. NONE work. Locked out for 12 hours. Will try once more. If unsuccessful, I am going to conclude that it doesn’t work now. Computers don’t just work sometimes.. this is quite ridiculous if you think about it. Some have success, others don’t, really?

  15. I am planning to purchase a Rigol DS1054Z very soon, and am considering the hack to upgrade it. However, before I do, I was wondering if there was any risk to doing it; could I enter an incorrect key by accident and brick the scope?

  16. Delighted and relieved to confirm that this worked on my brand new (delivered today!) DS1054Z, software 00.04.04 SP1, board version 0.1.4

    I downloaded the zip file from http://www.gotroot.ca/rigol/riglol/ (see link and end of that page) and ran the Linux version found in the /bin/linux directory, using option code DSFR (everything), and didn’t provide the optional private key.
    Executable binaries for OSX and Windows are also provided.

    Entered the resulting code into the ‘scope and all options are now available, showing as “Official” with no “left-time”.
    The model number displayed on-screen is now DS1104Z.
    All options and model number are retained through a power-cycle.

    W00t!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s