Is this great effort somehow applicable to the DS7000 as well??
Google says:
"Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory..."
From earlier in this thread.
I'm pretty sure the sshd hack would also work on these scopes, once they have ssh disabled. Patching them should also not be an issue. I looked already, but could not find a GEL of the DS7000...
Hey mabl and other members,
Thanks for all the great information shared. One question I have: if for whatever reason I need to back out the patch to restore to official firmware state, is there a tested process to do that? Is it just to reapply the official update, or is there more?
I read the serial number could be lost after the patch, if I restore to official firmware state, then is the serial number restored?
Thanks in advance for your help.
I read the serial number could be lost after the patch, if I restore to official firmware state, then is the serial number restored?
Serial number is saved in /rigol/data together with the calibration data. Once you lose that, you lose it, I think.
One question I have: if for whatever reason I need to back out the patch to restore to official firmware state, is there a tested process to do that? Is it just to reapply the official update, or is there more?
Either manually copy back appEntry over ssh, or flash the original firmware. I'm not sure if there is a patch against same-version flashing though. Could potentially be patched out, though.
Secret menu allows installing any version, even previous ones.
It would be really nice if in the same process, the script also provides an option to backup the calibration data, and optionally the entire scope data to the USB.
Then followed by another option to restore calibration data only, or the entire scope data before the patch.
This will allow flexibility for a full rollback in case something went wrong in the patch process.
I know that is a lot of extra work in scripting, but as a solution architect for 30 years, such capability has always been invaluable when disaster strikes on numerous upgrades I have been involved in. Sorry if it is too much to ask as I am not a developer.
Thanks in advance for all the great work done by the members of this wonderful community.
Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing? The forum is great, but finding the right bits now has got kind of hard.
Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.
I don't think the hack is finished yet.
When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".
I'm sure a new thread can be started for that so that people can endlessly post "Does this still work?"
Using the matching antique toolchain https://github.com/qiupq/Xilinx-Compile-Tools-Sourcery-CodeBench, I now have bspatch, lua and an adapted version of fbpad running on my scope.
This is rather convenient, since now we can output info messages onto the screen while being able to use a "proper" programming language (instead of /bin/ash).
Dear all, I have prepared a generic launcher, which will run another script on the flash drive, called run.sh. From this environment, one has access to bspatch and lua. The output of the script will be redirected to a virtual terminal on the framebuffer, so you will be able to see the output of the script. I envision that additional lua code will enable reading the keys of the oscilloscope, such that one can interact and, say, select which type of patch one wants.
I have attached an example which just outputs text from inside lua to this file. It's not spectacular, but it gives one a place to start working without generating the binaries etc.
I don't think the hack is finished yet.
When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".
I don't think the hack is completely finished, there are still so many bugs even in the latest firmware that a new firmware release is bound to come out and may need to be re-hacked.
However, I did receive my 5074 today and it was as easy as downloading the file and inserting into the scope. It took about 45 minutes of reading through posts though. I purchased this scope over a month ago and it has been on back order. When I purchased the scope and checked the forum, the hack was as simple as SSH and editing a line in the start file. After reading through tons of off topic posts and stories I found the solution, at least as of now.
All I did to unlock the scope was
a) download and copy the file onto my fat32 formatted usb drive.
I got the file from this post https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282
(I also had to rename the file to DS5000Update.GEL)
b) plug the flash drive into the scope and run a local upgrade
c) enjoy the unlocked scope
I did not bother backing up the calibration data as my scope came with firmware version 01.01.04.04 and had a messed up calibration out of the box consistent with how others have described the calibration with the new firmware.
That is the same procedure that I plan to follow. Just curious, did you lose your license file after the patch update?
I did lose my license files but that doesn't bother me. I suppose if you are concerned with warranty issues you could copy them over before upgrading the firmware and restore them with an official firmware version if needed. I really doubt Rigol would refuse to work on a hacked scope. I have heard of DS1054z's coming from Rigol pre-hacked. They know what they are doing and rely on forums like this for sales. They wouldn't want a thread with the topic "Rigol refuses to service hacked scope" that would kill sales. Although Rigol's warranty service is a whole other topic.
Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing? The forum is great, but finding the right bits now has got kind of hard.
Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.
Not wanting to toot my own horn much, but we have a wiki already (well not on the eevblog wiki, which we could also do) but https://gitlab.com/riglol/rigolee/firmware/ has an extensive README already on some of the things, and there's also a wiki (which lacks all the hacking details so far): https://gitlab.com/riglol/rigolee/firmware/-/wikis/home
https://gitlab.com/riglol/rigolee/blob/MSO5000/target/data_backup.sh this script backs your cal data etc up. If you generate a GEL file with it using GEL Packer, you have an 'update' that does a backup.
I'll create a few gel files and upload them for general consumption soon-ish.
Secret menu allows installing any version, even previous ones.
I did not manage to enter that secret menu using the SINGLE key. It might only work for scopes with more recent boot loader?
Initially it did not work for me the first time either.
Keep pressing "SINGLE" key at the same time as you Power On.
You should see two options at the top right corner.
Worked first try! Thank you!
I'm not familiar with uboot, more with barebox.
What is boot from Gold-Finger? Is it a common uboot command or Rigol specific?
Not sure, but there is a header called GoldFinger on the scope's PCB.
EDIT: I just realized we could play the same trick again and use the secret u-boot menu to execute arbitrary u-boot commands with a fake update. Interesting.
EDIT2: That actually works. Nice! We can definitely unbrick any scope and even clone scopes if we liked. Very nice.
We can make a similar replica but not a full clone...
Not sure, but there is a header called GoldFinger on the scope's PCB.
The GoldFinger enables the 10bit ADCs
GoldenEye enables 12-bit...
So ... the 'scope keeps a copy of the factory-installed firmware somewhere, and you can restore it by pressing a button at startup?
That's awesome if true. It means hacking new firmwares is risk-free.
No. It just restores default scope settings.
The method here seems to be setting the uboot variable bootparam to 0x44454654, this is then checked by /rigol/checkboot (returns 2 if set, 0 if not, 1 on failure to read); called from /rigol/shell/start.sh. If 2 was returned, it sets the -nonv flag for appEntry.
Note, this flag will also be set on u-boot secret menu firmware downgrade. So back up your calibration files.
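Added example, not from the thread and not the rigolee project's data_backup.sh: one way to archive a directory such as /rigol/data with a per-file SHA-256 manifest and confirm the archive is intact before flashing anything. The function names and the destination path are hypothetical, and it assumes tar, find, sha256sum and mktemp are available where it runs.

```shell
#!/bin/sh
# Added example (not from the thread): back up a directory such as /rigol/data
# with a per-file SHA-256 manifest, then verify the archive before flashing.
# Assumes tar, find, sha256sum and mktemp are available where it runs.

# backup_data SRC DEST_DIR: writes DEST_DIR/data-backup-<stamp>.tar plus
# a .sha256 manifest next to it, and prints the archive path.
backup_data() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    archive="$dest/data-backup-$(date +%Y%m%d-%H%M%S).tar"
    # Hash every file relative to SRC so the manifest is location-independent.
    ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$archive.sha256" || return 1
    tar -cf "$archive" -C "$src" . || return 1
    sync    # flush to the USB stick before it is pulled
    echo "$archive"
}

# verify_backup ARCHIVE: unpacks into a scratch directory and checks every
# file against the manifest. Returns 0 only if all hashes match.
verify_backup() {
    archive=$1
    dir=$(cd "$(dirname "$archive")" && pwd) || return 1
    manifest="$dir/$(basename "$archive").sha256"
    [ -s "$manifest" ] || return 1
    tmp=$(mktemp -d) || return 1
    if tar -xf "$archive" -C "$tmp" 2>/dev/null &&
       ( cd "$tmp" && sha256sum -c "$manifest" ) >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage (paths are placeholders):
#   a=$(backup_data /rigol/data /path/to/usb/backup) && verify_backup "$a"
```

Keeping a second copy of the archive and manifest off the USB stick guards against the stick itself failing.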
There is one thing important that you should remember:
Every time there is a flash to the NAND, the system switches between NAND Area-A and NAND Area-B. So, the 2 last flashes are always present in the NAND. (look at my NAND map, some msgs earlier)
And one can even force it to switch from one to the other, manually.
True, I have yet to try out switching the boot system. But /rigol/data only exists once, doesn't it?
Thanks to everyone who's worked on hacking this scope! Been a long time lurker on this forum and this is my first post.
Got my MSO5074 scope yesterday from Lambdaphoto and had it hacked in ~30mins. Super simple!
Interestingly when you use the web interface the options list shows many with the demo time.
Cheers again!