Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 929966 times)


Offline ToThePub

  • Contributor
  • Posts: 28
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2350 on: January 11, 2023, 12:16:59 am »
That's because the patch literally patches the firmware. So whenever there is a new firmware, a new patch has to be created.
 

Offline mwb1100

  • Frequent Contributor
  • **
  • Posts: 529
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2351 on: January 11, 2023, 04:30:04 am »
That's because the patch literally patches the firmware. So whenever there is a new firmware, a new patch has to be created.

Has there ever been a post explaining what gets patched?  I've poked around, but there are literally more than 2000 posts in the thread.

I'm pretty sure the answer is no, and I can understand why.  But I figured I'd ask - just in case the info is out there.
 

Offline ToThePub

  • Contributor
  • Posts: 28
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2352 on: January 11, 2023, 04:44:37 am »
To massively oversimplify the process: you have to patch the firmware file (it's actually just software, but anyway, by patching the assembly code) so when the software internally says "is this scope licensed for 350MHz" the returned value is always "Yes". Likewise when the scope queries itself to say "Is this scope licensed for XXXX (feature/function)" the answer is "Yes".
If you know what you are doing, you can take the information that's already in this thread, compare the before and after patched file, and see what's changed.
 
The following users thanked this post: mwb1100

Offline faktorqm

  • Contributor
  • Posts: 25
  • Country: es
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2353 on: January 11, 2023, 10:22:12 am »
OK, successfully updated to the latest version. English menu, everything all right.

Regarding the patch: it does not work (as expected), because the md5 hash for the AppEntry file is 349b25b8653bbeb7849527425c2fca03 and the script waits for 8902f64eff40eff094af1dbeccfd461a, which is the md5 for the older version's AppEntry file.

Assuming that the patch does something like a sed command to add the -All option to the file, we would also need to recalculate the resulting md5. But if my assumption is not correct, it will not work xD.

Also I can confirm that both backup scripts work as expected with the new firmware.

Thanks to all for your efforts.
 

Online MegaVolt

  • Frequent Contributor
  • **
  • Posts: 917
  • Country: by
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2354 on: January 11, 2023, 10:24:44 am »
Files with different update dates have the same content. (MD5)

974b1cababda14c92d94d0077b8760eb *DS5000Update_17.10.2021.GEL
974b1cababda14c92d94d0077b8760eb *DS5000Update_18.10.2021.GEL
 

Offline faktorqm

  • Contributor
  • Posts: 25
  • Country: es
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2355 on: January 11, 2023, 11:29:02 am »
OK, so it will be as easy to modify the patch.txt with the new md5 but keeping the resulting md5 file as it is?
 

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 503
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2356 on: January 11, 2023, 10:03:38 pm »
I doubt it is a matter of simply modifying the checksum, you need a new bpatch file.  Hopefully someone will be kind enough to create one in the near future.
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6389
  • Country: ca
  • Non-expert
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2357 on: January 11, 2023, 10:13:45 pm »
OK, so it will be as easy to modify the patch.txt with the new md5 but keeping the resulting md5 file as it is?

MegaVolt was responding to your earlier post, mentioning multiple firmwares. The same MD5 means that the two files are identical, e.g. the same version.
Changing the patch.txt would work only if the "bpatch" step is the same, which it is unlikely to be. Someone has to go in and figure out that .bpatch.

Anyway the rigolcn link doesn't work for me, it looks like they pulled the download. Could you upload the v00.01.03.02.02 file somewhere?
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
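
The point made in the post above, that editing the expected MD5 in patch.txt is not enough because the binary patch was built against the old file, shown as an added example (not part of the original post and not the thread's patch script). It uses a toy per-byte delta as a stand-in for bsdiff/bspatch; the function names and sample byte strings are constructed for illustration.

```python
import hashlib


class PatchRejected(Exception):
    """Raised when a digest gate fails; no patched output is returned."""


def md5_hex(data: bytes) -> str:
    # MD5 is the digest the thread's script pins. It catches a wrong or
    # corrupted base file; it is not collision resistant.
    return hashlib.md5(data).hexdigest()


def make_delta(old: bytes, new: bytes) -> bytes:
    # Toy stand-in for bsdiff: per-byte difference mod 256, equal lengths only.
    if len(old) != len(new):
        raise ValueError("toy delta needs equal-length images")
    return bytes((n - o) & 0xFF for o, n in zip(old, new))


def apply_delta(base: bytes, delta: bytes) -> bytes:
    if len(base) != len(delta):
        raise ValueError("delta does not fit this base")
    return bytes((b + d) & 0xFF for b, d in zip(base, delta))


def guarded_patch(base, delta, expect_base_md5, expect_result_md5):
    # Gate 1: the delta is only meaningful against the exact base it was built from.
    if md5_hex(base) != expect_base_md5:
        raise PatchRejected("base digest mismatch")
    result = apply_delta(base, delta)
    # Gate 2: the output must be the image the patch author produced.
    if md5_hex(result) != expect_result_md5:
        raise PatchRejected("result digest mismatch")
    return result


# Constructed sample images (not real firmware content).
OLD_BASE = b"HDR1" + b"\x10\x20\x30\x40" * 4
OLD_TARGET = b"HDR1" + b"\x10\x20\x31\x40" * 4
NEW_BASE = b"HDR2" + b"\x40\x10\x20\x30" * 4
DELTA = make_delta(OLD_BASE, OLD_TARGET)


def demo():
    cases = {
        "matching base": (OLD_BASE, md5_hex(OLD_BASE)),
        "new base, old pin": (NEW_BASE, md5_hex(OLD_BASE)),
        "new base, pin edited": (NEW_BASE, md5_hex(NEW_BASE)),
    }
    outcomes = {}
    for name, (base, pin) in cases.items():
        try:
            guarded_patch(base, DELTA, pin, md5_hex(OLD_TARGET))
            outcomes[name] = "applied"
        except PatchRejected as exc:
            outcomes[name] = str(exc)
    return outcomes
```

With the pin edited to the new file's digest the first gate passes, but the old delta applied to the new base yields an image that fails the result check, so nothing is returned for writing.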
 

Online Martin72

  • Super Contributor
  • ***
  • Posts: 5841
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2358 on: January 11, 2023, 10:18:59 pm »
That's because the patch literally patches the firmware. So whenever there is a new firmware, a new patch has to be created.

You get the scope with all options except bandwidth and memory today. I remember I got the options from Rigol for free: enter the codes on the website, then get the generated licenses.
So the scope retains the options after a firmware upgrade - what's the problem with generating (hacking) license keys for bandwidth and memory?
Is there still no solution after 5yrs the scope is on the market?

Offline mwb1100

  • Frequent Contributor
  • **
  • Posts: 529
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2359 on: January 11, 2023, 11:05:59 pm »
Is there still no solution after 5yrs the scope is on the market?

The license key I was given for the MSO5000 bundle was 140 characters long as opposed to 28 characters for the DS1054z or 16 characters for the SDS1104X-E

I'm not a hash or crypto expert, so I don't know if this is an indication of how much effort would need to go into brute force cracking the key generator, but maybe it is?

Or if the key generators weren't brute forced, were they leaked and that didn't happen for the MSO5000?
« Last Edit: January 11, 2023, 11:08:05 pm by mwb1100 »
 

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 503
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2360 on: January 11, 2023, 11:09:12 pm »
I went to the US Rigol site, and it is just the same 03.00.03 version as it has been for the past year.  If they pulled it from the China site already and it is not available anywhere else, I wonder if they found some new issues with it.  I would recommend those who found their scope to operate satisfactorily wait until an update is available globally so you don't end up with the extra effort of downgrading to the previous version.
 
The following users thanked this post: Martin72

Offline mwb1100

  • Frequent Contributor
  • **
  • Posts: 529
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2361 on: January 11, 2023, 11:29:56 pm »
It's not uncommon for firmware updates to only be on some regional sites and not all of them - particularly early on. And Rigol seems to have an update release process that's more challenged than most (for example, the fact that the filename on the Rigol NA site for the MSO5000  01.03.00.03 update comes in a file named MSO5_FW_V1_1_4_4.zip).

Also, it seems that the 01.03.02.02 update is downloadable from Rigol's China support site, but not from that website's UI (at least it wasn't on Jan 9). You have to get it using the direct link.


I see the direct link goes 404 now...  An indication that people should probably not install it unless they are really OK with risk.
« Last Edit: January 11, 2023, 11:32:45 pm by mwb1100 »
 

Online Martin72

  • Super Contributor
  • ***
  • Posts: 5841
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2362 on: January 11, 2023, 11:37:10 pm »
I went to the US Rigol site, and it is just the same 03.00.03 version as it has been for the past year.  If they pulled it from the China site already and it is not available anywhere else, I wonder if they found some new issues with it.  I would recommend those who found their scope to operate satisfactorily wait until an update is available globally so you don't end up with the extra effort of downgrading to the previous version.

It is a little bit ago I had the scope, but if I remember it right, having a new firmware available only in China is some kind of beta status.
I wouldn't take this...
 
The following users thanked this post: NoisyBoy

Offline dhyddr

  • Newbie
  • Posts: 5
  • Country: cn
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2363 on: January 12, 2023, 02:04:13 am »
Chinese guy here.

The new MSO5000 FW from the Rigol China website, v00.01.03.02.02, is in trouble now.

Renaming the GEL file to DS5000update.GEL and using it to update the scope leaves it stuck on the Rigol logo.

Don't download that.

I contacted the Rigol TS team; they gave me a demo version of v00.01.03.02.02 that can be updated successfully.

I used bsdiff on the v00.01.03.02.02 appEntry against the older one to generate the bspatch. No success, still stuck on the Rigol logo.
 

Offline dhyddr

  • Newbie
  • Posts: 5
  • Country: cn
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2364 on: January 12, 2023, 03:22:07 am »
I can also use HxD to modify the scope's bandwidth to 350MHz

but I can't enable the all option

any post here?
 

Offline JCS666

  • Contributor
  • Posts: 18
  • Country: es
    • ea1dzl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2365 on: January 12, 2023, 08:31:14 am »
>>Anyway the rigolcn link doesn't work for me, it looks like they pulled the download. Could you upload the v00.01.03.02.02 file somewhere?<<

At the moment the new firmware is not public, only youtubers have this.
 

Offline markone

  • Frequent Contributor
  • **
  • Posts: 698
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2366 on: January 12, 2023, 12:10:44 pm »
I went to the US Rigol site, and it is just the same 03.00.03 version as it has been for the past year.  If they pulled it from the China site already and it is not available anywhere else, I wonder if they found some new issues with it.  I would recommend those who found their scope to operate satisfactorily wait until an update is available globally so you don't end up with the extra effort of downgrading to the previous version.

It is a little bit ago I had the scope, but if I remember it right, having a new firmware available only in China is some kind of beta status.
I wouldn't take this...

Martin, here things are a little different because the "direct" link to the FW update on the Chinese server that was published in this thread was not present in ANY Rigol support pages in the world, which is why I asked for an explanation some posts ago without receiving any answer; as a result I would never use that file.
 

Offline faktorqm

  • Contributor
  • Posts: 25
  • Country: es
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2367 on: January 12, 2023, 03:50:23 pm »
I installed it and did not have any problems. Also I saw a video (it is in spoken Spanish) with a guy installing it and working with it. I just renamed MSO5000 to DS5000 and it started working. For the time being, I will revert back and apply the patch and wait until this version (and the patch) become publicly available again.
 
The following users thanked this post: thm_w, mwb1100

Offline markone

  • Frequent Contributor
  • **
  • Posts: 698
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2368 on: January 12, 2023, 08:21:39 pm »
I installed it and did not have any problems. Also I saw a video (it is in spoken Spanish) with a guy installing it and working with it. I just renamed MSO5000 to DS5000 and it started working. For the time being, I will revert back and apply the patch and wait until this version (and the patch) become publicly available again.

I have a question: apart from the hack disruption, are there other negative aspects with this upgrade?
 

Offline JCS666

  • Contributor
  • Posts: 18
  • Country: es
    • ea1dzl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2369 on: January 12, 2023, 08:38:42 pm »
I installed it and did not have any problems. Also I saw a video (it is in spoken Spanish) with a guy installing it and working with it. I just renamed MSO5000 to DS5000 and it started working. For the time being, I will revert back and apply the patch and wait until this version (and the patch) become publicly available again.

I have a question: apart from the hack disruption, are there other negative aspects with this upgrade?

No.
 

Offline markone

  • Frequent Contributor
  • **
  • Posts: 698
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2370 on: January 12, 2023, 11:59:44 pm »
I installed it and did not have any problems. Also I saw a video (it is in spoken Spanish) with a guy installing it and working with it. I just renamed MSO5000 to DS5000 and it started working. For the time being, I will revert back and apply the patch and wait until this version (and the patch) become publicly available again.

I have a question: apart from the hack disruption, are there other negative aspects with this upgrade?

No.

Great  :-+.
 

Offline normi

  • Regular Contributor
  • *
  • Posts: 78
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2371 on: January 13, 2023, 12:59:46 am »
So that everyone is clear on this, all patch updates will erase the hack and will require the patch image to be modified.

The solution would be to create a license key generator which would be independent of the changes made by patching, no one has come forward with that solution most likely because someone eventually creates a hack for the new patch.

The Chinese patch could be a beta version, but Rigol releases the patches at different times in the various markets. I have received beta versions which had fixes that were only released 8 months after, and Rigol was confident that there were no issues with the beta. See a video in English from someone who tested it, the patch seems to be solely related to items required for the VNC feature to work.

 
 
The following users thanked this post: thm_w, eklein

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 503
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2372 on: January 13, 2023, 01:37:07 am »
If you take a careful look at the original download link for the new firmware,
https://supportcn.rigol.com/Public/Uploads/uploadfile/files/ftp/Firmware/MSO5000(ARM)Updatev00.01.03.02.02.zip

It is not the same link that you would download official firmware from the China Rigol website.  It appears to be a file located in the public upload directory of the support website.  My guess is it is a test firmware someone in Rigol uploaded to their support site, so the people they are working with can download it for testing, or to address a certain problem.  Someone noted the existence of this file and published the link, which Rigol subsequently took down (not uncommon for test firmware).

So while this version of the firmware does deliver some additional capabilities, it may be premature to treat this as a next version of the firmware update.  Depending on your intention, you may, or may not want to use it.  I noticed the original link was never brought up in the discussion, and I just want everyone to be aware of it.
 

Offline markone

  • Frequent Contributor
  • **
  • Posts: 698
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2373 on: January 13, 2023, 07:10:01 am »
If you take a careful look at the original download link for the new firmware,
https://supportcn.rigol.com/Public/Uploads/uploadfile/files/ftp/Firmware/MSO5000(ARM)Updatev00.01.03.02.02.zip

It is not the same link that you would download official firmware from the China Rigol website.  It appears to be a file located in the public upload directory of the support website.  My guess is it is a test firmware someone in Rigol uploaded to their support site, so the people they are working with can download it for testing, or to address a certain problem.  Someone noted the existence of this file and published the link, which Rigol subsequently took down (not uncommon for test firmware).

So while this version of the firmware does deliver some additional capabilities, it may be premature to treat this as a next version of the firmware update.  Depending on your intention, you may, or may not want to use it.  I noticed the original link was never brought up in the discussion, and I just want everyone to be aware of it.

This is exactly what I tried to explain a couple of times in my previous posts, just to clarify that in this case Rigol has no responsibility about that peculiar version.
 

Offline JCS666

  • Contributor
  • Posts: 18
  • Country: es
    • ea1dzl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2374 on: January 13, 2023, 09:39:13 am »
Extract of Release Notes.txt

v00.01.03.02.02 2023/01/04
   
    - Add shortcut button and VNC remote function
    - Waveform, cursor movement, gesture operation vertical and horizontal gear switching speed optimization
    - Cursor optimization: cursor jump optimization, ZOOM area and main time base cursor linkage, etc
    - The color of the CH4 waveform is modified, and the brightness of the waveform is improved
    - ZOOM mode optimization: mask color adjustment, switching speed, area movement optimization
    - SCPI instruction response speed optimization: reset, measurement, waveform read instruction response optimization
 
The following users thanked this post: kelemvor

