Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 272508 times)


Online tv84

  • Super Contributor
  • ***
  • Posts: 1315
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1575 on: March 04, 2020, 03:41:24 pm »
Just an additional 2 cents:

We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.
 

Online Sighound36

  • Regular Contributor
  • *
  • Posts: 203
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1576 on: March 04, 2020, 03:56:20 pm »
No issues at all with our 7000 updates and working 'upgrades', though as stated we have an internal network only, no outside connections.
Seeking quality measurement equipment at realistic cost with proper service backup. If you pay peanuts you employ monkeys.
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1577 on: March 04, 2020, 03:56:47 pm »
Just an additional 2 cents:

We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Thanks for the clarification, I just wanted to be sure that we identified & backed up all persistent data on the scope from all components, or at least the ones which store scope-specific data (FRAM, ...).
So GTP question is closed ;)
 

Offline the Goat

  • Newbie
  • Posts: 4
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1578 on: March 04, 2020, 05:41:52 pm »
We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Point of clarification: DEFCON means Defense Readiness Condition.  So you lower the DEFCON level when closer to danger, not elevate it. 8)
 

Online jemangedeslolos

  • Frequent Contributor
  • **
  • Posts: 256
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1579 on: March 04, 2020, 05:45:25 pm »
Here we learn every day  8)
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1315
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1580 on: March 04, 2020, 06:14:05 pm »
We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Point of clarification: DEFCON means Defense Readiness Condition.  So you lower the DEFCON level when closer to danger, not elevate it. 8)

 :-+  I was totally aware of it, although I wrote "level" when I meant "state" of alert. Thanks for the correction.
 

Online Sighound36

  • Regular Contributor
  • *
  • Posts: 203
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1581 on: March 04, 2020, 08:15:27 pm »
I thought that only meant defcon one was Tautech was on the prowl :-DD
Seeking quality measurement equipment at realistic cost with proper service backup. If you pay peanuts you employ monkeys.
 
The following users thanked this post: luma

Offline tautech

  • Super Contributor
  • ***
  • Posts: 18107
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1582 on: March 04, 2020, 08:18:50 pm »
I thought that only meant defcon one was Tautech was on the prowl :-DD
Who me ? Always !  >:D
Avid Rabid Hobbyist
 
The following users thanked this post: luma

Offline marshalljmp

  • Newbie
  • Posts: 2
  • Country: be
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1583 on: March 04, 2020, 10:56:34 pm »
https://www.temcom.com/instruments-presented-by-rigol-at-embedded-world-2020/

"As a further novelty, the BodePlot function has now been integrated in all MSO5000 series oscilloscopes as an addition to the existing standard application."

Can anybody confirm the Bodeplot function ?
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1465
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1584 on: March 04, 2020, 11:12:05 pm »
https://www.temcom.com/instruments-presented-by-rigol-at-embedded-world-2020/

"As a further novelty, the BodePlot function has now been integrated in all MSO5000 series oscilloscopes as an addition to the existing standard application."

Can anybody confirm the Bodeplot function ?
From the same source: Both series (MSO8000 and MSO5000) have been expanded with a 12-bit high resolution mode.
 

Online jemangedeslolos

  • Frequent Contributor
  • **
  • Posts: 256
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1585 on: March 05, 2020, 08:46:52 am »
and nothing for MSO7000  :rant:
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 10661
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1586 on: March 05, 2020, 09:37:08 am »
We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Point of clarification: DEFCON means Defense Readiness Condition.  So you lower the DEFCON level when closer to danger, not elevate it. 8)

DEFCON 1 is at the top of the list so you go upwards towards it.
 

Online Sighound36

  • Regular Contributor
  • *
  • Posts: 203
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1587 on: March 05, 2020, 09:47:09 am »
The bode plot is coming very, very soon by the end of the month for the 5000.

Along with some long standing bug fixes as well

The 7000 and 8000 will follow in the next month.

Not sure about the 12-bit high resolution mode though, as they all already have both high resolution and precision modes.
Seeking quality measurement equipment at realistic cost with proper service backup. If you pay peanuts you employ monkeys.
 
The following users thanked this post: jemangedeslolos

Offline the Goat

  • Newbie
  • Posts: 4
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1588 on: March 05, 2020, 01:27:55 pm »
We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Point of clarification: DEFCON means Defense Readiness Condition.  So you lower the DEFCON level when closer to danger, not elevate it. 8)

DEFCON 1 is at the top of the list so you go upwards towards it.

Ha ha!  You got me there.  :clap:
 

Offline piskers

  • Contributor
  • Posts: 11
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1589 on: March 05, 2020, 05:51:25 pm »
The scope doesn't have any mechanism to check if it's an "official" or "unofficial" license.

There is no way to be sure of that! There are plenty of possibilities they could use to detect if the firmware is modded. The easiest of which is to simply call the license checking function with an "unused/invalid" license ID that the user could not have a licence for. I don't want to overpanic, but remember we (at least I) don't even fully understand the structure of their firmware yet. Who is calling the license checking function and what's the context? How is the license file being read and certified? They seem to hide that stuff pretty well from a disassembler. I only found the license checking function back then because it checked the -fullopt flag in earlier versions. There are also plenty of places they could use to store whether a scope was hacked or not (not only the dedicated 8KiB FRAM IC): Zynq-7000 SoC/FPGA (eFuses), Kintex K7 FPGA (eFuses), Spartan-6 FPGA (eFuses). Let's not be foolish, I'm sure they also have some very clever software developers at Rigol and it would be easy for them to trick us!

I didn't put a lot of effort into reverse engineering the firmware (yet), maybe some of you did. Maybe you understand the whole system, if so I'm sorry.

P.S. I also found some instructions that look for a "magic" file on an inserted USB drive. More about that if I find some more time to dig into it.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1315
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1590 on: March 05, 2020, 06:40:34 pm »
The scope doesn't have any mechanism to check if it's an "official" or "unofficial" license.

There is no way to be sure of that! There are plenty of possibilities they could use to detect if the firmware is modded.

Re-read my phrase. I talked about licenses, not modded FW. ;)

"Some of you" group: CHECK!
 
The following users thanked this post: 2N3055

Offline piskers

  • Contributor
  • Posts: 11
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1591 on: March 05, 2020, 06:57:30 pm »
Well, but that's definitely not true because of the e-fuses:
BTW, with a full NAND backup you can reflash any of these MSOs from scratch as long as you have your bootloader healthy.

 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1315
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1592 on: March 05, 2020, 07:09:27 pm »
Well, but that's definitely not true because of the e-fuses:
BTW, with a full NAND backup you can reflash any of these MSOs from scratch as long as you have your bootloader healthy.

 :palm: Who talked about e-fuses? And changing e-fuses? Read carefully my words, as I and others (besides Rigol) have recreated the scope from scratch. I never said anything about creating perfect copycats...
« Last Edit: March 06, 2020, 10:45:48 am by tv84 »
 

Offline piskers

  • Contributor
  • Posts: 11
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1593 on: March 05, 2020, 07:22:37 pm »
You said you can reflash the devices from scratch, for example after a future firmware update when they try to detect modded firmwares. All I'm saying is that there are ways for Rigol in which this is not true and one could lose warranty forever. Once written, eFuses cannot be cleared again. There are many cases where manufacturers in the past used eFuses to prevent warranty service (Samsung Knox e.g.)
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 55
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1594 on: March 05, 2020, 08:30:54 pm »
They seem to hide that stuff pretty good from a disassembler.

They don't hide anything. It's just a C++ application which will always make the resulting assembly more irritating to follow than C, especially with the heavy use of QT5 which has many of its own types instead of using stl types.
« Last Edit: March 05, 2020, 08:37:06 pm by delfinom »
 

Offline skander36

  • Regular Contributor
  • *
  • Posts: 230
  • Country: ro
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1595 on: March 06, 2020, 07:49:41 am »
All I'm saying is that there are ways for Rigol in which this is not true and one could lose warranty forever. Once written, eFuses cannot be cleared again. There are many cases where manufacturers in the past used eFuses to prevent warranty service (Samsung Knox e.g.)

Yes, there are ways to do more than that, but no producer will do it. All important scope brands are hacked, but no one has taken such measures as far as I know... they act to improve FW to be hard to crack, but not like this.
One of the reasons for not reacting as you said is that the percentage of cracked-FW scopes is small relative to all sales.
The benefit is much bigger from observing us reporting bugs and other info for their scopes.

« Last Edit: March 06, 2020, 12:48:03 pm by skander36 »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1315
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1596 on: March 08, 2020, 04:42:07 pm »
I think I have already posted this somewhere but here it is again...
 
The following users thanked this post: KeBeNe, jemangedeslolos, NoisyBoy, core, serg_77, Sighound36, whatisthis

Offline peppy88

  • Contributor
  • Posts: 47
  • Country: ua
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1597 on: March 14, 2020, 04:45:51 pm »
1.02.00.02 patch

Before: 78d71292a1828ee597a341bd14797e18
After: 86d162a29297ae03af88a6d8f7c40247

Hi I am following this guide: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308

My MSO 5072 is already patched with the older 01.01.04.04 firmware and I already made a backup containing the memdump and backup folder.

Can someone please confirm if these are the correct steps to update to this:
1) Download Update from here https://int.rigol.com/Public/Uploads/uploadfile/files/ftp/DS/%E8%BD%AF%E5%9B%BA%E4%BB%B6/MSO5000(ARM)Update.rar
2) Unrar the files and copy the DS5000Update.GEL to blank usb (fat32)
3) Copy 01.02.00.02.bspatch.txt to usb and remove the .txt extension
4) Edit patch.txt file

file_to_patch=/rigol/appEntry
file_to_patch_md5sum=78d71292a1828ee597a341bd14797e18
patch_file=01.02.00.02.bspatch
after_patch_md5sum=86d162a29297ae03af88a6d8f7c40247

5) Save and copy to usb
6) Files on usb are
- DS5000Update.GEL
- 01.02.00.02.bspatch
- patch.txt
7) Attach the USB Drive back to the Scope, turn it on;
8) Wait for the screen shows that USB Drive was attached.
9) Press Utility/System/Help/Local upgrade
10) The screen will turn to white background and follow the instruction to press any keys.
11) After the upgrade process is finished, the scope will reboot.
12) Done! Enjoy!

Just want to confirm this is the correct procedure to minimize the chance of bricking.


Thanks
« Last Edit: March 14, 2020, 07:58:41 pm by peppy88 »
 
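The two md5 gates in the patch.txt above (check the target before patching, check the result after) as an added Python example; this is not code from the post, from the linked guide or from Rigol. It parses a patch.txt in the same key=value layout, refuses to patch when the target's md5 is not the expected base (e.g. the scope is on a different firmware than the patch was built for, or has already been patched), and refuses to keep the result when the post-patch md5 does not match. The image bytes, the toy (offset, bytes) patch format standing in for the real bspatch file, and the hashes computed from them are all constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the bytes of /rigol/appEntry; not a real Rigol binary.
BASE_IMAGE = b"STANDIN-APPENTRY-01.01.04.04" + bytes(range(64))

# Constructed toy patch format: (offset, replacement bytes) records. The real
# 01.02.00.02.bspatch is a bsdiff file; the toy format only serves the md5 gating.
Patch = List[Tuple[int, bytes]]
SAMPLE_PATCH: Patch = [(17, b"01.02.00.02"), (40, b"\xff\xfe")]

REQUIRED_KEYS = ("file_to_patch", "file_to_patch_md5sum",
                 "patch_file", "after_patch_md5sum")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_patch_txt(text: str) -> Dict[str, str]:
    """Parse key=value lines as in the post's patch.txt; blank lines are skipped."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed patch.txt line: {raw!r}")
        fields[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError(f"patch.txt is missing keys: {missing}")
    return fields


def apply_stand_in_patch(image: bytes, patch: Patch) -> bytes:
    """Apply the toy patch; bounds-checked so a bad record cannot write past the image."""
    buf = bytearray(image)
    for offset, chunk in patch:
        if offset < 0 or offset + len(chunk) > len(buf):
            raise ValueError(f"patch record at {offset} falls outside the image")
        buf[offset:offset + len(chunk)] = chunk
    return bytes(buf)


def guarded_patch(image: bytes, fields: Dict[str, str],
                  apply_fn: Callable[[bytes, Patch], bytes],
                  patch: Patch) -> Tuple[str, Optional[bytes]]:
    """Patch only if the image is the expected base, and keep the result only if
    it hashes to after_patch_md5sum. Returns (status, patched_image_or_None)."""
    before = md5_hex(image)
    if before != fields["file_to_patch_md5sum"].lower():
        return (f"refused: pre-patch md5 {before} != "
                f"{fields['file_to_patch_md5sum']}", None)
    patched = apply_fn(image, patch)
    after = md5_hex(patched)
    if after != fields["after_patch_md5sum"].lower():
        return (f"refused: post-patch md5 {after} != "
                f"{fields['after_patch_md5sum']}", None)
    return "ok", patched


PATCHED_IMAGE = apply_stand_in_patch(BASE_IMAGE, SAMPLE_PATCH)

# patch.txt in the same layout as the post, with hashes computed from the stand-in data.
SAMPLE_PATCH_TXT = (
    "file_to_patch=/rigol/appEntry\n"
    f"file_to_patch_md5sum={md5_hex(BASE_IMAGE)}\n"
    "patch_file=01.02.00.02.bspatch\n"
    f"after_patch_md5sum={md5_hex(PATCHED_IMAGE)}\n"
)

if __name__ == "__main__":
    fields = parse_patch_txt(SAMPLE_PATCH_TXT)
    # Correct base image: both gates pass.
    print(guarded_patch(BASE_IMAGE, fields, apply_stand_in_patch, SAMPLE_PATCH)[0])
    # Same patch run again on the already-patched image: stopped at the pre-check.
    print(guarded_patch(PATCHED_IMAGE, fields, apply_stand_in_patch, SAMPLE_PATCH)[0])
    # A patch that does not produce the expected bytes: stopped at the post-check.
    truncating = lambda img, p: apply_stand_in_patch(img, p)[:-1]
    print(guarded_patch(BASE_IMAGE, fields, truncating, SAMPLE_PATCH)[0])
```

The point of the pre-check is the one the post is asking about: the 1.02.00.02 patch only makes sense against the exact appEntry it was diffed from, so a scope on another firmware, or one that was already patched, fails the first md5 and nothing is written. The post-check catches a corrupted or wrong patch file before the result is trusted.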

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1598 on: March 14, 2020, 08:13:00 pm »
Well done!  Do you now get channel 3 coming on even if you have nothing attached to it when you press Auto (if you have a signal on channel 1)?  So far, this appears to be a major bug they introduced in the new firmware, but I don't know if this is affecting all scopes; mine has 1.00.00 hardware.

If that is the case with you as well, my personal recommendation is not to upgrade until they fix the Auto problem, unless you see something in the small fix list that you need.

No idea how the "in your face" Auto problem ever passed any QA test in Rigol.
 

Online Sighound36

  • Regular Contributor
  • *
  • Posts: 203
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1599 on: March 14, 2020, 08:17:43 pm »
The MSO 8000 does not suffer this channel 3 issue, NB.
Seeking quality measurement equipment at realistic cost with proper service backup. If you pay peanuts you employ monkeys.
 
The following users thanked this post: NoisyBoy
