Hacking the Rigol MSO5000 series oscilloscopes

[NoisyBoy]

The link shows it is again their public file upload site in China, not their official firmware site.  I would highly recommend folks to wait for official firmware to show up in their home country before doing upgrade.  For two reasons, so you can get support  from Rigol if the upgrade goes south.  Second, I would never download firmware from a dubious site in China, let alone running it.

This happened once with the existing firmware 01.03.02.02, when it showed up in the exact same site, then disappeared, then it showed up on the official download site weeks later. I would wait.

[skander36]

It seem to be a legit location.
Firmware work very well after upgrade.
Anyone remember how to generate bspatch file?

[tv84]

It seem to be a legit location.

Sure it is. Can't understand why people find it more trustful to use a forum patched FW than to use the Rigol's official FW, just because it's on a chinese server/domain... 

[hve]

I didn't think about it, I ordered 5072.
But I would like to buy 1:10 probes on the 500MHz
https://aliexpress.ru/item/1005004828373989.html?

Hi Andrey

These 1:10 probes have indeed a bigger bandwidth than the original 350MHz Rigol ones.
But they seem are also a tiny bit more noisy

[Felo2023]

Succesful upgrade here! Thanks!

[skander36]

Succesful upgrade here! Thanks!

Did you mean upgrade with patching?

[mironex]

How does it look now patching for this version: Firmware v00.01.03.03.00?
Thank you.

[Ede]

Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

Hi!  The link is no longer working, who has this information on the link?

I just tried the link above. There are two files for download. A word document and a file with the patched firmware.
I checked for viruses, all clear. Now I am reading the word document. I didn't patch it until now.

Update: I just did the firmware upgrade and patch according to above. It all works. Now I have the newest firmware and all options.
Thanks a lot to everybody!

[skander36]

This is for previous fw. version.
Every new version need a proper bspatch file created just for that version.

[Andrey_Ak]

Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

Hi!  The link is no longer working, who has this information on the link?

I just tried the link above. There are two files for download. A word document and a file with the patched firmware.
I checked for viruses, all clear. Now I am reading the word document. I didn't patch it until now.

Update: I just did the firmware upgrade and patch according to above. It all works. Now I have the newest firmware and all options.
Thanks a lot to everybody!

This link does not work, does not open..
https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

you can email me admin@tis.kz

I will be deeply grateful

[mopra]

I have RIGOL mso 5072, updated to 5074. But I noticed that some options in the menu are still not available. What can be wrong? Firmware 00,01,03,00,03

these options are not enabled.

can you tell me how to turn it on.

[skander36]

I think they are only informative. I don't remember to see them anytime active.
CH SampleRate is changing while the sample rate vary. Also the rest of them while you increase Horizontal scale.
Maybe if you attach original logic probe interface, I don't know.

[ken830]

Fairly new here. Obviously, lujji was able to read through this thread and create a patch for the previous fw version even before owning the scope, so I started to read too... I'm only up to mid-2019 when the ideal of using a patch file surfaced after SSH was removed by Rigol... Surely, there's got to be a better way to summarize the knowledge of this thread and how to create patch files without having to read the entire history, right?

[Andrey_Ak]

I asked a friend from Canada to download files from the link:
https://www.mediafire.com/folder/zh1uiu3umgoai/Documents
Now I have these files. Apparently this hosting does not work in our country.

Also, I got the MSO5072 the other day, firmware
in the device is: 00.01.03.02.02





I noticed that the fan is very quiet, much quieter than in the DS1054Z,
I really did not like it, since it is quiet, it means cooling is worse.


In the instructions, from the link above, I understood that you can unlock
all the options of the device with firmware 00.01.03.02.02 ?

Will SSH work with this firmware 00.01.03.02.02?

For the firmware 00.01.03.03.00 there is no hacking yet?
Is there a chance that SSH will not work with it?

[OliverHB]

Just switched my MSO5074 off. I can confirm that SSH works after applying the SSH enabler from faktorqm.

[albedo]

Hello to all . I am new to this forum and honestly it has been very complicated to find information on a specific subtopic in hundreds of posts . I think something should be done about this, maybe synthesize all the really useful info and create a software style manual or documentation 

[thm_w]

Fairly new here. Obviously, lujji was able to read through this thread and create a patch for the previous fw version even before owning the scope, so I started to read too... I'm only up to mid-2019 when the ideal of using a patch file surfaced after SSH was removed by Rigol... Surely, there's got to be a better way to summarize the knowledge of this thread and how to create patch files without having to read the entire history, right?

You can click Print in the top right, and ctrl-f to find posts, here are some examples:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3339974/#msg3339974
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3341214/#msg3341214 (same page, keep reading down)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3577757/#msg3577757

[faktorqm]

Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

Hi faktorqm,

Great work done sorting it out and do such a detailed explanation.
Just one question to clarify from the guide at the beginning:

"Have an ethernet network wire to connect it directly to your computer. "

Do you connect ethernet cable to the oscilloscope through router or the connection was done directly - from oscilloscope to PC? If it is direct connection to PC without router, did you use LAN crossover cable or LAN straight through cable?

Thanks!

Hi! it's the same. it's just for practical purposes, I mean, if you connect it to a switch or router and it did not work, you will not know if the problem is the router, the switch, or the cable. Just for clarification, always is better to avoid failure points. At networking level, it's transparent.

[ken830]

Okay... I've gotten as far as extracting the appEntry from the V00.01.03.03.00 GEL file.

It's got an MD5 checksum of AD018912E3D9BA19809EB3A44B63FEA0

But I don't know what to edit. Are people just patching the appEntry back to the previously patched appEntry or something?? I'm still trying to read through the whole thread.

EDIT: After a lot more reading, I found that back in 2020, omgoleus pretty much went through the same thought process and asked the same questions that I have and I'm asking today. I even started down the path of disassembling appEntry. omgoleus did write a nifty script to do partially automate the comparison process of the previously-patched appEntry. I'll attempt to try this later... it's 4:30am and I have to wake up for an 8am daily stand-up meeting for my day job soon.

[trixy]

You can't use the old bspatch with the latest firmware because one of the functions moved. Try this one.

This is the same as the old patch except modified for the 00.01.03.03.00 firmware.

I don't know why you guys are using the hard method like objdump to figure out patches when there is Ghidra.

-----------------------------------

Edited for clarity.

[ken830]

Thanks.

I did start to go down the path with Ghidra, but I didn't know which specific changes needed to be made. I'm definitely not trying the hard way. I just haven't gotten through the entire thread yet to find the most recent, easiest way, I guess.

[trixy]

I did start to go down the path with Ghidra, but I didn't know which specific changes needed to be made. I'm definitely not trying the hard way. I just haven't gotten through the entire thread yet to find the most recent, easiest way, I guess.

For a quick start you can add both an original binary and a patched binary to a project. Fully analyze both then close and save one of them. Then in the open CodeBrowser go to Tools --> Program Differences and select the other binary. Then you can step through the differences and code using the blue arrows.

[reztek]

You can't use the old bspatch with the latest firmware because one of the functions moved. Try this one. Be warned I have not tried it myself so if someone that knows what they are doing (ie. you can recover) can verify first that would be great.

I don't know why you guys are using the hard method like objdump to figure out patches when there is Ghidra.

-----------------------------------

Tried the patch here. Seems to work OK, will report back if/when something changes, but so far everything good.

[trixy]

Tried the patch here. Seems to work OK, will report back if/when something changes, but so far everything good.

I finally had a chance to try it myself and I can also confirm it seems to work fine.

[ken830]

Tried the patch here. Seems to work OK, will report back if/when something changes, but so far everything good.

I finally had a chance to try it myself and I can also confirm it seems to work fine.

I just patched mine and it works! Thanks!! Now I will slowly go through the analysis with Ghidra and try to work out the process for myself thanks to your help!