Saleae Logic 16 clone not working with newest software

[sarah90]

I'm using a clone of the Logic 16 from Saleae. It was working fine with the official software from saleae up till version 1.1.18. Now they have released the 1.1.19 and 1.1.20 beta releases and things fall apart.

With the new software the device is still recognized as the real thing, but capturing data fails as no data is received over the usb interface. Saleae mentions in their blog that they found a way to block the logic16 clones.

However, soon after the 1.1.19 and 20 betas, the chinese began to release an updated model that is compatible with the latest software. Eg: http://www.ebay.com/itm/181455112504 and http://item.taobao.com/item.htm?id=37493618604

Given the fact that it was fixed within a couple of weeks after the software was released, one would expect the fix is easy.

Does anyone have details and knows how the older clones can be fixed?

[pickit2]

have you tried reverting back to version 1.1.18
the last time the fix was to replace the eeprom and to fit a diode.

have you noted the price hike for the clone Logic 16?
with a high postage cost it is, close to 40% of what Saleae are asking.

[sarah90]

Reverting to 1.1.18 is ok. Nothings gets killed by the new software. And it will continue to work with sigrok I think.

However the gui from saleae is better than anything I have found so far. Hope a cure will be found soon.

Lowest price for the new units I have found on ali was 55 usd including shipping. I paid 40 usd or so for mine.

[pickit2]

I see the ebay seller (above link) says they are supplied with 1.1.15 and you can update from saleae site, so there is no guarantee it has been fixed.

[sarah90]

I see the ebay seller (above link) says they are supplied with 1.1.15 and you can update from saleae site, so there is no guarantee it has been fixed.

But he also explicitly says "Support the official latest version 1.1.19, compatible with all the software versions from 1.1.15 to 1.1.20.". So I would expect it to work with the lastest beta.

But yeah there are no guarantees with this clone stuff. I'm wondering if many people are using these clones. I found only a single reference from someone having the same problems (here: https://www.frozentux.net/2014/06/saleae16-logic16-100m-16-channel-logic-analyzer/) 

[Gallymimu]

give those poor saleae guys a break.  It isn't that expensive they deserve some money for that product!

Let's stick to ripping off Rigol!

[trc13]

From the Saleae blog http://blog.saleae.com/

We’re taking a short break from new features to complete release-critical features – specifically improving the reliability of the firmware & FPGA designs, implementing the anti-clone features, and fixing critical device related bugs.

It seems like they are taking an initiative against clones moving forward. From what I've heard it's based on some sort of dynamic firmware update when the software is launched and from that they can tell if it is a clone or not.

[sarah90]

It seems like they are taking an initiative against clones moving forward. From what I've heard it's based on some sort of dynamic firmware update when the software is launched and from that they can tell if it is a clone or not.

Thanks and very interesting. Do you have more details on this firmware update mechanism? I'm thinking of doing some reversing on the latest software to gain some understanding of their protection mechanism and your info could help a lot.

There are also  some "magic" bytes in the eeprom of the device that are probably part of the protection scheme. If anyone has a device that is working with 1.1.19/20 and is willing to share these bytes, I can provide the details to get these bytes out of the device in a non destructive way.

[trc13]

I will see if I can find the posts where I read about the firmware checks a month or so ago. That may help lead you to more useful information.

Here is a snip from the July 3rd post from the Saleae blog.

Security / Clones
Regarding security, we’re taking it pretty seriously this time around.  Logic has been cloned, and there’s not much we can do about that, but we expect to be able to protect Logic16 and all the new products from cloning from here on out.  Mark reads the forum posts by our various friends in Asia who have successfully cloned Logic16; it’s very interesting and kind of a weird experience reading about how your product was cloned, I can assure you.  In the case of Logic16 we've developed a weird sense of respect for our advisories, and have learned a lot about how they see the world – and can imagine how if raised in similar circumstances, we would probably do the same thing and feel just fine about it.   All that said, we don’t expect that Logic16 clones will be able to work with any new versions of our software.

I do own a legitimate Logic-16, so if there is any information you could use from that, USBlyzer dump of program startup etc. let me know.

[sarah90]

I do own a legitimate Logic-16, so if there is any information you could use from that, USBlyzer dump of program startup etc. let me know.

Great. An USB dump of the program start with a short acquisition run would help a lot! USBlyzer (or wireshark) would be excellent. I think I can get the eeprom information from that. If not I'll send you details to dump the eeprom directly.

[trc13]

Using USBlyzer I was able to capture the init sequence from a cold (idle) state and it seems to remove itself and re-enumerate.

I also did a capture of it in the awake state (led glow) by launching the application again and did a quick (10ms) data acquisition and an application shutdown. I paused several seconds in between each step to make it easier to distinguish the different operations in the logs.

I sent a link to the log files in a PM.

No private shares here - post the info here in the thread for everyone to see, or use

[sarah90]

Using USBlyzer I was able to capture the init sequence from a cold (idle) state and it seems to remove itself and re-enumerate.

This is indeed the normal behaviour. The two main chips in the logic16 contain no firmware when plugged in. The software first downloads the firmware for the Cypress FX2LP high speed usb chip which leads to the re-enumeration. Then the software downloads the bitstream to the Xilinx FPGA and is now ready for sampling data. I suspect the "magic" happens in the second fpga phase.

[trc13]

That is probably why when I opened it up I couldn't find an EEPROM to probe with my logic 8 or get a raw dump from.

Let me know if you need a capture of it re-enumerating, I think I can do that with USBlyzer.

[sarah90]

That is probably why when I opened it up I couldn't find an EEPROM to probe with my logic 8 or get a raw dump from.

Let me know if you need a capture of it re-enumerating, I think I can do that with USBlyzer.

Thanks a lot for your support and I may get back to you on that, but currently I am a bit out of ideas how to crack this.

There is a small 2kbit (256 bytes) i2c eeprom in the logic16. On the original logic16 it is hardly visible as such as it is in a sot23 package (U7 marked with B2TH). It is a microchip 24AA02. On my clone it is a compatible one from atmel in so8 package.

This eeprom contains the vid/pid for the fx2 chip and some magic data (8+16 bytes) that is used by saleae to unlock the fpga. I'm pretty sure I was able to get the relevant bytes from the usb trace. I tried these in my clone device and it stopped working altogether (even in 1.1.15 and 18) with the same message as in the new software ("not able to keep up with the rate"). This leads me to believe that the magic data is locked to a device specific id that is unique to every spartan 3a device. There are some notes on the xilinx website about this mechanism.

This technique is quite secure because you can hide your key algorithm in the fpga bitstream which is pretty impossible to hack. Afaik at least. However the chinese have been able to hack it.

I'm really intrigued how they have done that and what they have done to get it working again with the latest software.

Saleae is about to release a non-beta version shortly and I'm wondering if that still works with the newest clones.

[yahoo]

Why not support the creators and not the thieves especially when it comes to so small OEM company with so good and useful product. If they cannot survive it will come back to all of us 

[tigrou]

Why not support the creators and not the thieves especially when it comes to so small OEM company with so good and useful product. If they cannot survive it will come back to all of us 

Especially since the price is affordable given the quality.
I bought it 3 years ago.

[towlerg]

FWIW both Saleae and Usbee used the size and format of EEPROM to detect clones on their first devices.

[CocaCola]

FWIW both Saleae and Usbee used the size and format of EEPROM to detect clones on their first devices.

If that is the case then simply cloning and swapping out the EEPROM for the same one used on the original should fix the issue...  There are only so many ways you can implement clone detection in a 'legacy' devices that didn't have a protection scheme built in to start with and checking for brand specific info/ID or a unique format quirk on the EEPROM you used that differs from the EEPROMs used on the bootlegs sure is novel...

Read the attached for more details...

[LabVIEWguru]

Why not support the creators and not the thieves especially when it comes to so small OEM company with so good and useful product. If they cannot survive it will come back to all of us 

yahoo - I looked up some of your previous posts. Since you are quick to moralize about this, I guess you'll be contacting some folks to make restitution for your "contributions?"

Just because a person wants to hack or expand the capabilities of a piece of hardware or software they own does not make them a "thief."

[CocaCola]

Why not support the creators and not the thieves especially when it comes to so small OEM company with so good and useful product. If they cannot survive it will come back to all of us 

If that is the way your moral compass points, why are you a member of this forum?

As LabVIEWguru hinted, there is some real hypocracy to be found in your previous postings to this forum...

"Oho!" said the pot to the kettle;
"You are dirty and ugly and black!
Sure no one would think you were metal,
Except when you're given a crack."

"Not so! not so!" kettle said to the pot;
"'Tis your own dirty image you see;
For I am so clean – without blemish or blot –
That your blackness is mirrored in me."

[yahoo]

yahoo - I looked up some of your previous posts. Since you are quick to moralize about this, I guess you'll be contacting some folks to make restitution for your "contributions?"

Just because a person wants to hack or expand the capabilities of a piece of hardware or software they own does not make them a "thief."

Under a "thief" I don't mean someone doing whatever he wants with the products he bought. I mean the people from Asia who steal products and replicate them for a fraction of the OEM price to get easy money.

We all change and move on during our life. So do I. It was time most of the products were not affordable at all for me and I did many things that I'm not so proud. Now I try to support at least the smaller companies with good products which I use for business. You can do whatever you feel is good for you. I don't mind. It was just my opinion.

[sarah90]

If that is the case then simply cloning and swapping out the EEPROM for the same one used on the original should fix the issue...  There are only so many ways you can implement clone detection in a 'legacy' devices that didn't have a protection scheme built in to start with and checking for brand specific info/ID or a unique format quirk on the EEPROM you used that differs from the EEPROMs used on the bootlegs sure is novel...

Read the attached for more details...

Thanks, but I don't think it is possible to distinguish the Microchip 24AA02 from the Atmel 24C02N on the i2c interface. They are compatible both in protocol and size. With the logic 8 the eeprom was 16 bytes while the clones were 16k bytes. The latter probably being cheaper 

The fx2lp on the clone has another footprint than the original. Don't know if that can be detected. Nevertheless I'm pretty sure the protection lies within the xilinx fpga matched to the content of the eeprom.

[yahoo]

Thanks, but I don't think it is possible to distinguish the Microchip 24AA02 from the Atmel 24C02N on the i2c interface. They are compatible both in protocol and size.

Most of the time it is true but in this particular case these two chips are not fully compatible and it is very easy to verify if it is Atmel or Microchip. From the spec we can see that Atmel 24C02N has about 5ms write time and for Microchip 24AA02 it is only 2ms. So write a byte or a page and after about 3ms try to address the chip. According to the received or missed acknowledge you will know which chip is connected. There are so many ways to verify the behavior of the chip out of the spec but they always can be detected easily by scanning the protocol. I also think it is not the case here and in Logic 16 they are using verification of the eeprom signature inside the FPGA by its unique ID. It's secure enough.

[Mozo1971]

I also use a Salea 8 and 16 channel clone. I use the 1.1.15 software release. It´s stable and has a good performance under Windows 7. So i can´t understand why it´s important to use a newer version?
By the way, the release notes for the newer "beta" releases something about "not stable" and critical of some installations.

[towlerg]

There are a lot of extra analysers and also new features and I suspect bug fixes. Check out the revision history.

So what harm if it is unstable (which it is not), you can always revert to 1.1.15, or have both versions installed.

George