Hacking the Rigol MSO5000 series oscilloscopes

[tv84]

I'll try (BW:500MHz) as soon as possible .

  Why?

[qali.pro]

  Why?

Thank you for your work and the work of others people on this topic.

[BM61]

@ qali.pro
I haven’t take a screenshoot when the problematic trace display ,using the 20M BW Limit, occoured!

[qali.pro]

@ qali.pro
I haven’t take a screenshoot when the problematic trace display ,using the 20M BW Limit, occoured!

I am sure 20M BW Limit problem , Cause by Stock firmware (01.03.00.03) not from patch file.

To solve the problem, please follow these steps :

Self-calibration
Make sure that the oscilloscope has been warmed up or operating for more than 30 minutes before
performing self-calibration.
1. Disconnect all the input channels.
2. Press Utility > System > SelfCal, and the press Start to execute self-calibration. The
self-calibration lasts for about 45 minutes.
3. Restart the oscilloscope.
,,,,
best regards

[mabl]

If anybody is interested, the SCPI command changes between version 01_03_00_01 and 01_03_00_03 are as follows:

Code: [Select]

diff 01_03_00_01.txt  01_03_00_03.txt
637a638,643
> CALibration:INIT:ADC:DATa                  selfcal    72 -1 ('INTEGER',) ()
> CALibration:INIT:ADC:DATa?                 selfcal    72 -1 () ('INTEGER',)
> CALibration:INIT:ADC:TCMP                  selfcal    71 -1 ('INTEGER',) ()
> CALibration:INIT:ADC:TCMP?                 selfcal    71 -1 () ('INTEGER',)
> CALibration:INIT:ADC:TDMX                  selfcal    70 -1 ('INTEGER',) ()
> CALibration:INIT:ADC:TDMX?                 selfcal    70 -1 () ('INTEGER',)
652c658
< CALibration:SAVE                           selfcal     2 -1 (['CHDelay', 'DDELay', 'GGND', 'MLF', 'PRECision'],) ()
---
> CALibration:SAVE                           selfcal     2 -1 (['CHDelay', 'DDELay', 'GGND', 'MLF', 'PRECision', 'SER'],) ()
1748a1755,1762
> SYSTem:KEEP:ACQuire                        utility  12093 -1 (['AVERages', 'HRESolution', 'NORMal', 'PEAK'],) ()
> SYSTem:KEEP:ACQuire?                       utility  12093 -1 () (['AVER', 'HRES', 'NORM', 'PEAK'],)
> SYSTem:KEEP:AVERages                       utility  12092 -1 ('INTEGER',) ()
> SYSTem:KEEP:AVERages?                      utility  12092 -1 () ('INTEGER',)
> SYSTem:KEEP:BWLimit                        utility  12091 -1 (['100M', '10G', '150M', '1G', '200M', '20G', '20M', '250M', '25M', '2G', '300M', '350M', '4G', '500M', '50M', '5G', '600M', '70M', 'OFF'],) ()
> SYSTem:KEEP:BWLimit?                       utility  12091 -1 () (['100M', '10G', '150M', '1G', '200M', '20G', '20M', '250M', '25M', '2G', '300M', '350M', '4G', '500M', '50M', '5G', '600M', '70M', 'OFF'],)
> SYSTem:KEEP:IMPedance                      utility  12090 -1 ('BOOL',) ()
> SYSTem:KEEP:IMPedance?                     utility  12090 -1 () ('BOOL',)
1752,1753d1765
< SYSTem:KIMPedance                          utility  12090 -1 ('BOOL',) ()
< SYSTem:KIMPedance?                         utility  12090 -1 () ('BOOL',)

So mostly new commands related to calibration, and new SYSTem:KEEP commands. Maybe related to saving the current setup?

[mabl]

here is patch for F.W 01_03_00_03

have fun

Thanks :-) But are you sure this patch is good? My scope crashes when the licenses are queried over SCPI or the web interface.

[qali.pro]

Thanks :-) But are you sure this patch is good? My scope crashes when the licenses are queried over SCPI or the web interface.

Hi mabl,

Thank you so much for your hard work and other contributors work .
Dose Issue came from original F.W or from patch F.W ?
I'm now testing LA and decoder .
I'll test SCPI today and  post my result .

[qali.pro]

Thank you mabl .

MSO5000 webcontrol (WEB Application) InstrumentUtilities page  call options.cgi to load Instrument License and Options and causes freeze screen.
/rigol/webcontrol/cgi-bin/options.cgi

SCPI it's work fine.

Patch appEntry causes freeze when you invoke options.cgi

I'll try fix this problem as soon as possible.

This is a diff between Orginal and Patch appEntry

Code: [Select]

2c2
< appEntry:     file format elf32-littlearm
---
> appEntry2:     file format elf32-littlearm
142769c142769
*<    c8498: 0a000001 beq c84a4 <_ZN16searchEventTable16sigCurrEventTimeEi@@Base+0x3650>
---
>    c8498: e1a00000 nop ; (mov r0, r0)
143327c143327
<    c8d50: 1a000088 bne c8f78 <_ZN16searchEventTable16sigCurrEventTimeEi@@Base+0x4124>
---
>    c8d50: ea000088 b c8f78 <_ZN16searchEventTable16sigCurrEventTimeEi@@Base+0x4124>
143470c143470
<    c8f8c: 0a000023 beq c9020 <_ZN16searchEventTable16sigCurrEventTimeEi@@Base+0x41cc>
---
>    c8f8c: e1a00000 nop ; (mov r0, r0)
345451c345451
<   18e1f0: 0a0000b3 beq 18e4c4 <_ZN5QListIPN8menu_res8RDsoViewEED1Ev@@Base+0x104d8>
---
>   18e1f0: e1a00000 nop ; (mov r0, r0)
345458c345458
<   18e20c: 1a00001a bne 18e27c <_ZN5QListIPN8menu_res8RDsoViewEED1Ev@@Base+0x10290>
---
>   18e20c: e1a00000 nop ; (mov r0, r0)
886012c886012
<   39db6c: 0a000000 beq 39db74 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2bb8>
---
>   39db6c: ea000000 b 39db74 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2bb8>
886018c886018
<   39db84: 0a000071 beq 39dd50 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2d94>
---
>   39db84: e1a00000 nop ; (mov r0, r0)
886025c886025
<   39dba0: 1a000006 bne 39dbc0 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2c04>
---
>   39dba0: e1a00000 nop ; (mov r0, r0)
886147c886147
<   39dd88: 0a00000d beq 39ddc4 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2e08>
---
>   39dd88: eb00000d bl 39ddc4 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2e08>
886274c886274
<   39df84: 1afffee5 bne 39db20 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2b64>
---
>   39df84: eafffee5 b 39db20 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2b64>
1074304,1074305c1074304,1074305
<   45594c: 1a000003 bne 455960 <_ZN7MemFileD1Ev@@Base+0x244c>
<   455950: ebffffa9 bl 4557fc <_ZN7MemFileD1Ev@@Base+0x22e8>
---
>   45594c: e1a00000 nop ; (mov r0, r0)
>   455950: e3a00001 mov r0, #1
1074312c1074312
<   45596c: ebffffa8 bl 455814 <_ZN7MemFileD1Ev@@Base+0x2300>
---
>   45596c: e1a00000 nop ; (mov r0, r0)




,,,,
Best regards

[TomManaged]

Hi everyone.

I nearly bought the MSO5204. Now I changed my mind and I'm about to buy an MSO5074 instead. Is there anything special to consider with regard to patch compatibility?
Is the firmware and required "patch" the same for MSO5072 and MSO5074, or are there differences or special considerations?

I am totaly new to this topic and the thread seems to be very long .
So i hope someone can give me a quick reply to help me out so i can buy the scope and get into topic deeper.

[normi]

Hi everyone.

I nearly bought the MSO5204. Now I changed my mind and I'm about to buy an MSO5074 instead. Is there anything special to consider with regard to patch compatibility?
Is the firmware and required "patch" the same for MSO5072 and MSO5074, or are there differences or special considerations?

I am totaly new to this topic and the thread seems to be very long .
So i hope someone can give me a quick reply to help me out so i can buy the scope and get into topic deeper.

The software is the same, the patch will enable all 4 channels on the MSO5072. The difference in cost between MSO5072 and 5074 is the cost of the 2 probes, plus you get the warranty to cover all 4 channels. This is why most persons buy the 5074 vs the 5072.

[TomManaged]

The software is the same, the patch will enable all 4 channels on the MSO5072. The difference in cost between MSO5072 and 5074 is the cost of the 2 probes, plus you get the warranty to cover all 4 channels. This is why most persons buy the 5074 vs the 5072.

Thanks. Yes that was my intention, to get 2 additional 350MHz probes. Good to hear that there is only one software and patch for all family members of the MSO5000 line.

[imoko]

Hi all,

I'm absolutly new to this forum and to oszis. I bought a MSO5072 because
I work with it at my student job and really like the controlling.

I just found this great forum and its huge informations, so I first wanted to ask if
my device with the following software informations can be hacked and if
somebody can give me some tips and information where to start?

I have following data read out of mine:
Firmware:     0A.01.03.00.01
Hardware:    01.01.000
Boot:            2018.06.27
Build:            2021-05-04 15:50:32

Thanks for any help.

[ziDot]

Hi all,

I'm absolutly new to this forum and to oszis. I bought a MSO5072 because
I work with it at my student job and really like the controlling.

I just found this great forum and its huge informations, so I first wanted to ask if
my device with the following software informations can be hacked and if
somebody can give me some tips and information where to start?

I have following data read out of mine:
Firmware:     0A.01.03.00.01
Hardware:    01.01.000
Boot:            2018.06.27
Build:            2021-05-04 15:50:32

Thanks for any help.

My actions step-by-step with same device and firmware:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3829616/#msg3829616

[qali.pro]

Hello,

Dont patch yet more testing is needed.
New Patch and workaround options.cgi  crashes MSO 
Problem is in 0x0039da74 Function 
For all the issues new and old Patch
----------------------
There is a new issue in this patch (no decode option) old patch  decode is fine>
----------------------
The patch file has been deleted for further testing and should be release soon 
,,,,
Best regards

[qali.pro]

Sharing SCPI testing tool might help someone.
First install Python3 and pip3 ,
And install pyvisa ,

Code: [Select]

pip install pyvisa-py
Change IP variable to your MSO IP (SCPIcmd.py)


Example in Command line :

Code: [Select]

python3  SCPIcmd.py -p ':SYSTem:MODules?' 
Result:

Code: [Select]

python3 SCPIcmd.py -p ':SYSTem:MODules?'
1,1,0,0,0


[qali.pro]

Hello everybody,




I apologize to everyone for the previous problems.
Here is a new patch for real fix all previous problems (finish tested it's working perfectly well for me).


FW:01_03_00_03
Build: 2021-10-18

1. Backup everything (optional)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356
- get and unzip the first script file, put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade
- wait until 100%, then turn off/on
- repeat for the second script

2. Install the official F.W v00.01.03.00.03 2021/10/18
- get the official firmware and unzip

https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-f24095b5-cc11-4e8d-8df9-d2bfdffd5efc/0/-/-/-/-/MSO5_FW_V1_1_4_4.zip

-  Put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade

3. Patch the F.W

- Download (attachment below) and unzip the file Patch.zip and put the three files on USB stick, then Utility/Help/Local upgrade


4. Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on



Most asked questions :
1- Dose this patch still work?
Yes, only on F.W v00.01.03.00.03 2021/10/18.
2- Can you undo the patch with the factory reset ?
Yes , download official firmware and put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade it will be factory reset.

Have, Fun 

" alt="" class="bbc_img" />
" alt="" class="bbc_img" />
" alt="" class="bbc_img" />
" alt="" class="bbc_img" />

[RobbiTobi]

I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore. 
Do I am missing something?

[dreamcat4]

this why people keeps saying 'all bugs are fixed now' on the firmware

 

its these type of thing which Dave was complaining about in his initial review. when it first came out. i have been hoping for a re-review. like an update bug hunt with the newest firmware. but it has not happen yet?

but you would think so. given how many people have bought this scope. there are not others competing much close to it in the raw price / performance. once you figure out the per $ dollar value (per mhz / per msps / per channel). what with all the extra features like the signal gen, spectrum analyzer etc. included too

[qali.pro]

I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore. 
Do I am missing something?

Hi RobbiTobi,
Is problem come from a patch or original F.W?

[RobbiTobi]

I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore. 
Do I am missing something?

Hi RobbiTobi,
Is problem come from a patch or original F.W?

The device has been upgraded with patch.
But can not tell whether it is a FW bug or patch - i.m.h.o. presumingly a FW issue.

[normi]

Does this patch also block the calling home to Rigol, or does it just enable the license.

I would suggest persons test the new FW before they patch it to see if the FW has any bugs, if we don't test the FW then it will be difficult to report a bug to Rigol. I think there is a general resistance to report issues to support and therefore a number of issues don't get resolved or included in firmware fix. I see the Siglent guys report issues to Tautech instead of calling Siglent support, so this may be related to persons fearing support will discover they have hacked the scope. The manufactures are fully aware the scopes  are hacked, if they made them un-hackable they would lose a lot of business.

Some bugs may take years to be reported as scopes have so many options that many people never use all of them and so bugs go undiscovered.

[imoko]

Hello everybody,



I apologize to everyone for the previous problems.
Here is a new patch for real fix all previous problems (finish tested it's working perfectly well for me).


FW:01_03_00_03
Build: 2021-10-18

(Attachment Link) " alt="" class="bbc_img" />
(Attachment Link) " alt="" class="bbc_img" />
(Attachment Link) " alt="" class="bbc_img" />
(Attachment Link) " alt="" class="bbc_img" />

Hi quali.pro,

thanks for all your effort and congrats 

"zidot" already showed me how to patch my actual firmware.
Can you tell me if you would recommend to update my firmware to yours
(if this is possible?) and afterwards patch it or should I stay and patch it as it is?

I have following data read out of mine:
Firmware:     0A.01.03.00.01
Hardware:    01.01.000
Boot:            2018.06.27
Build:            2021-05-04 15:50:32

Thanks in advance.

[imoko]

Does this patch also block the calling home to Rigol, or does it just enable the license.

I would suggest persons test the new FW before they patch it to see if the FW has any bugs, if we don't test the FW then it will be difficult to report a bug to Rigol. I think there is a general resistance to report issues to support and therefore a number of issues don't get resolved or included in firmware fix. I see the Siglent guys report issues to Tautech instead of calling Siglent support, so this may be related to persons fearing support will discover they have hacked the scope. The manufactures are fully aware the scopes  are hacked, if they made them un-hackable they would lose a lot of business.

Some bugs may take years to be reported as scopes have so many options that many people never use all of them and so bugs go undiscovered.

Hi normi,

I have still a non patched version and can test some features if you tell me what
to do?

regards

[ultranalog]

I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore. 
Do I am missing something?

I noticed this last week.

I got out of it without pressing default, but don't know exactly how I did it. Probably disabled recording and re-enabled it.

[normi]

Does this patch also block the calling home to Rigol, or does it just enable the license.

I would suggest persons test the new FW before they patch it to see if the FW has any bugs, if we don't test the FW then it will be difficult to report a bug to Rigol. I think there is a general resistance to report issues to support and therefore a number of issues don't get resolved or included in firmware fix. I see the Siglent guys report issues to Tautech instead of calling Siglent support, so this may be related to persons fearing support will discover they have hacked the scope. The manufactures are fully aware the scopes  are hacked, if they made them un-hackable they would lose a lot of business.

Some bugs may take years to be reported as scopes have so many options that many people never use all of them and so bugs go undiscovered.

Hi normi,

I have still a non patched version and can test some features if you tell me what
to do?

regards

You could test RobbiTobi's problem and see if it exist without the hack.

I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore. 
Do I am missing something?