Author Topic: Hacking the Rigol MSO5000 series oscilloscopes (Read 930139 times)

reztek · « **Reply #2525 on:** April 20, 2023, 07:27:25 pm »

Quote from: ken830 on April 19, 2023, 10:48:40 am

Okay... I've gotten as far as extracting the appEntry from the V00.01.03.03.00 GEL file.

It's got an MD5 checksum of AD018912E3D9BA19809EB3A44B63FEA0

But I don't know what to edit. Are people just patching the appEntry back to the previously patched appEntry or something?? I'm still trying to read through the whole thread.

EDIT: After a lot more reading, I found that back in 2020, omgoleus pretty much went through the same thought process and asked the same questions that I have and I'm asking today. I even started down the path of disassembling appEntry. omgoleus did write a nifty script to do partially automate the comparison process of the previously-patched appEntry. I'll attempt to try this later... it's 4:30am and I have to wake up for an 8am daily stand-up meeting for my day job soon.

Would you mind sharing the process/tools used to unpack the scope`s firmware?

ken830 · « **Reply #2526 on:** April 20, 2023, 10:59:50 pm »

Quote from: reztek on April 20, 2023, 07:27:25 pm

Quote from: ken830 on April 19, 2023, 10:48:40 am
Okay... I've gotten as far as extracting the appEntry from the V00.01.03.03.00 GEL file.

It's got an MD5 checksum of AD018912E3D9BA19809EB3A44B63FEA0

But I don't know what to edit. Are people just patching the appEntry back to the previously patched appEntry or something?? I'm still trying to read through the whole thread.

EDIT: After a lot more reading, I found that back in 2020, omgoleus pretty much went through the same thought process and asked the same questions that I have and I'm asking today. I even started down the path of disassembling appEntry. omgoleus did write a nifty script to do partially automate the comparison process of the previously-patched appEntry. I'll attempt to try this later... it's 4:30am and I have to wake up for an 8am daily stand-up meeting for my day job soon.

Would you mind sharing the process/tools used to unpack the scope`s firmware?

The GEL is a TAR, and inside of that, is a GZIP (app.img.gz), and inside of that is app.img, which is a UBI image... I used UBI Reader (https://github.com/jrspruitt/ubi_reader) to extract the files. Took a little bit of work to get it to work in my Ubuntu WSL on my Windows10 machine.

Tabovl · « **Reply #2527 on:** April 29, 2023, 09:39:20 am »

I found a nice blog where there is a detailed analysis of the update files, their modification and recompilation. The procedure for unlocking restrictions is not described here, but I believe that it can still help.

https://mensi.ch/blog/articles/playing-around-with-the-rigol-mso5074

tcottle · « **Reply #2528 on:** May 09, 2023, 04:25:57 pm »

Quote from: NoisyBoy on April 11, 2023, 03:09:19 pm

The link shows it is again their public file upload site in China, not their official firmware site. I would highly recommend folks to wait for official firmware to show up in their home country before doing upgrade. For two reasons, so you can get support from Rigol if the upgrade goes south. Second, I would never download firmware from a dubious site in China, let alone running it.

This happened once with the existing firmware 01.03.02.02, when it showed up in the exact same site, then disappeared, then it showed up on the official download site weeks later. I would wait.

01.03.03.00 is available on the MSO5000 downloads page https://www.rigolna.com/products/digital-oscilloscopes/mso5000/
but on the support/firmware page still shows 01.03.02.02 ...

eutectique · « **Reply #2529 on:** May 09, 2023, 10:37:44 pm »

For the record, GEL files from supportcn.rigol.com and rigolna.com web sites have the same SHA256 hash:

Code: [Select]

> sha256sum cn/DS5000\(ARM\)Update\ v00.01.03.03.00/DS5000Update.GEL na/DS5000\(ARM\)Update\ v00.01.03.03.00/DS5000Update.GEL 
f89cdf7816b0467e6ebe46d4f5da1cf0a95fffd93b83a245911026520d66b794  cn/DS5000(ARM)Update v00.01.03.03.00/DS5000Update.GEL
f89cdf7816b0467e6ebe46d4f5da1cf0a95fffd93b83a245911026520d66b794  na/DS5000(ARM)Update v00.01.03.03.00/DS5000Update.GEL

Though, the .zip files differ in size.

core · « **Reply #2530 on:** May 10, 2023, 12:03:48 pm »

FW 01.03.03.00 also avalable at https://www.rigol.eu/En/Index/listView/catid/28/tp/6/cat/7/xl/24

sha256sum is the same as the others :
f89cdf7816b0467e6ebe46d4f5da1cf0a95fffd93b83a245911026520d66b794 DS5000Update.GEL

core · « **Reply #2531 on:** May 10, 2023, 01:17:43 pm »

Everything was fine here too.

I will use my previous upgrade post, updated for v00.01.03.00.03 -> v00.01.03.03.00.

Steps I've followed :

1. Backup everything just in case (optional but recommended)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356
- get and unzip the first script file, put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade
- wait until 100%, then turn off/on
- repeat for the second script

2. Install the official firmware v00.01.03.03.00; I have used the above link from rigol.eu
- get the official firmware and unzip
- same steps like above, with the firmware file of course

3. Hack
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4821650/#msg4821650
- get and unzip the file 01_03_03_00.zip and put the three files on USB stick
- same steps like above
- there will be some messages on the screen. You will be asked to press a key, two times. At the end the oscilloscope will reboot, just wait.
- all the options will be activated

4. Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on

Thanks everybody !

oldjackbob · « **Reply #2532 on:** May 11, 2023, 12:27:04 pm »

Is there a change log for v00.01.03.03.00?

Or, put another way, why should I upgrade?

TIA,

Mark

skander36 · « **Reply #2533 on:** May 11, 2023, 12:45:27 pm »

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4808120/#msg4808120

ultranalog · « **Reply #2534 on:** May 11, 2023, 02:20:42 pm »

I was a few versions behind, but the VNC server is truly a game changer for me. It is so much faster than the HTTP interface. This will be great for working with customers or recording video without HDMI grabbers.

core · « **Reply #2535 on:** May 11, 2023, 05:21:19 pm »

Indeed, the VNC server is very fast, the screen update and also the commands response.
The menu is changed, and there is an additional operator in Math, AX+B.
Also, the touch screen response seems to be faster.
Regarding the CH4 colour, I'm not sure that it's a significant changes.

The attached pictures are from VNC.

core · « **Reply #2536 on:** May 11, 2023, 05:26:03 pm »

I cannot attach more than one picture, I will try one by one.

core · « **Reply #2537 on:** May 11, 2023, 05:26:40 pm »

And the third.

Tabovl · « **Reply #2538 on:** May 11, 2023, 06:50:11 pm »

I tried to update FW 00.01.03.03.00 according to the given method:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4856702/#msg4856702

All options are unlocked, SSH unlocking works in the same way as for previous versions.

olfrei · « **Reply #2539 on:** May 14, 2023, 02:18:48 pm »

People, help

all three files are in the root of usb stick. Tried to apply 2GB -32GB USB Sticks. Firmware version 01_03_03_00

skander36 · « **Reply #2540 on:** May 14, 2023, 08:03:22 pm »

Check for hidden characters in the name of the file (patch.txt).

rpro · « **Reply #2541 on:** May 15, 2023, 10:15:53 am »

Make sure you unzip the zip file first and copy the contained 3 files unzipped. (Do not copy these files by dragging from a zipped folder view of the zip file contents).

sjm · « **Reply #2542 on:** May 20, 2023, 08:01:22 am »

Yes, I also confirm success in upgrading to FW 00.01.03.03.00 and applying the patch/hack.

codesurfer · « **Reply #2543 on:** May 21, 2023, 11:29:33 am »

Many thanks to all who have given their time and energy to make this patch/hack!

I originally ran into issues because I was using the wrong patch for my current FW version, but once I caught that it worked like a charm!!!

supertrabuco · « **Reply #2544 on:** May 21, 2023, 08:03:15 pm »

Hello, hack working very well, thanks to all colleagues who have helped has to work and be so easy to do ..... I have to admit that I was a little nervous until I saw it running again

, Greetings

HellKern · « **Reply #2545 on:** May 22, 2023, 04:24:47 pm »

Thank You! Worked as a charm on my new MSO5074, also thanks to @mosafet for label files(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4735574/#msg4735574), it fits very nice

Varz · « **Reply #2546 on:** May 30, 2023, 09:02:24 am »

Hello to all!

I became the owner of Rigol MSO5074
Firmware: 0A.01.03.00.01
Hardware: 01.01.000
Boot: 2018.06.27
Build: 2021-05-04 15:50:32

I made a backup in three different ways

Method №1 - Through SSH
Opened an SSH channel in the oscilloscope
described here #878
Now you can connect a PC to the oscilloscope via LAN
this feature remains until the oscilloscope is rebooted

To connect, you need to install the PuTTY program on your PC
Used the commands:
Create a backup (copy all files, including licenses)

Code: [Select]

mkdir /media/sda1/calib_backup
cp -v /rigol/data/* /media/sda1/calib_backup
sync

Copy Calibration (Calibration files only)

Code: [Select]

cp -v /media/sda1/calib_backup/*.hex /rigol/data/
sync

calib_backup folder will appear on the USB drive (27 files) - size 2Mb
//*********************************
Method №2
The method is described here #1384
The process lasts 60 seconds.
folder and file will appear on the USB stick:
- backup folder (28 files) - size 2MB
- memdump file - size 469 762 048 bytes
//*********************************
Method №3 - NAND
The method is described here #1384
The process lasts 04m. 19 sec. (259 sec.)
The following files will appear on the USB drive:
- file mtd0_Env.bin - size 262 144 bytes
- file mtd1_DATA.bin - size 67 108 867 bytes
- file mtd10_App2.bin - size 104 857 600 bytes
- file mtd11_Reserved.bin - size 70 254 592 bytes
- file mtd12_User.bin - size 628 621 312 bytes
- file mtd2_Bmp.bin - size 4 194 304 bytes
- file mtd3_Bmp1.bin - size 4 194 304 bytes
- file mtd4_Bit1.bin - size 8 388 608 bytes
- file mtd5_Sys1.bin - size 35 554 432 bytes
- file mtd6_App1.bin - size 104 857 600 bytes
- file mtd7_Bmp2.bin - size 4 194 304 bytes
- file mtd8_Bit2.bin - size 8 388 608 bytes
- file mtd9_Sys2.bin - size 33 554 432 bytes
Total capacity 1,047,296,000 bytes (1 GB)
//*********************************

We see that the result of work in each method is different

which method is the most correct?

How can I restore the oscilloscope based on the files from each method?

Thank you!

tv84 · « **Reply #2547 on:** May 30, 2023, 09:20:14 pm »

Quote from: Varz on May 30, 2023, 09:02:24 am

How can I restore the oscilloscope based on the files from each method?

Since you are not able to see the differences between the different procedures/backups, it's better to not attempt any restore yourself.

You should attempt restore as a last resort and, then, ask a friend to do it for you.

bmx · « **Reply #2548 on:** May 31, 2023, 04:21:17 am »

or do not attemp the backup yourself anyway, that's very dangerous. Please at least delete the post so no people will overwrite their cal data by doing a '' backup ''

Varz · « **Reply #2549 on:** May 31, 2023, 04:59:50 am »

Quote from: tv84 on May 30, 2023, 09:20:14 pm

Since you are not able to see the differences between the different procedures/backups, it's better to not attempt any restore yourself.
You should attempt restore as a last resort and, then, ask a friend to do it for you.

The circle is closed
A friend advised to read this forum, the forum sent back to a friend

I am asking as a last resort
why make backups in three different ways if you can't use them?


EEVblog Main Site	EEVblog on Youtube	EEVblog on Twitter	EEVblog on Facebook	EEVblog on Odysee

Author Topic: Hacking the Rigol MSO5000 series oscilloscopes (Read 930139 times)

Share me