Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 283129 times)


Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 4855
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1675 on: April 21, 2020, 02:25:37 pm »
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.

I've applied this particular version of the patch for 01.03.00.01 and, just to give others comfort, it all seems to be working as intended.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 
The following users thanked this post: TrickTronic, typoknig, sjm

Offline el_man

  • Contributor
  • Posts: 14
  • Country: bg
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1676 on: April 21, 2020, 03:31:22 pm »
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.

I've applied this particular version of the patch for 01.03.00.01 and, just to give others comfort, it all seems to be working as intended.

I can confirm this too!  :-+
 
The following users thanked this post: sjm

Offline sjm

  • Newbie
  • Posts: 4
  • Country: fi
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1677 on: April 21, 2020, 10:57:27 pm »
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.

I've applied this particular version of the patch for 01.03.00.01 and, just to give others comfort, it all seems to be working as intended.

Yes, I confirm that this worked for me too. Thanks a lot.

I find it a bit strange that the updated firmware seems to be available only on the Rigol NA site, not on intl or EU.

BR, -sjm
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 4855
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1678 on: April 21, 2020, 11:22:43 pm »
I find it a bit strange that the updated firmware seems to be available only on the Rigol NA site, not on intl or EU.

No, we've seen this before. New firmware goes up on one of the Rigol sites and the others don't seem to keep in step. It's anybody's guess as to which site the firmware will appear on first, there's been no particular pattern in the past.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline TrickTronic

  • Contributor
  • Posts: 13
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1679 on: April 22, 2020, 10:22:06 am »
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.


I've applied this particular version of the patch for 01.03.00.01 and, just to give others comfort, it all seems to be working as intended.

Thanks to all contributors: You've done great work, works smoothly on my MSO5074!  :popcorn:
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 105
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1680 on: April 22, 2020, 05:51:45 pm »
Did anyone ever try to run their own kernel on these things? That would be interesting as it would open up a nice list of tracing tools - like kprobes, ftrace and so on, which would be very helpful in reversing the scope hardware. The device drivers loaded into the kernel seem pretty simple from what I've seen.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1681 on: April 22, 2020, 07:17:24 pm »
Did anyone ever try to run their own kernel on these things?

I've run 1 or 2 homemade apps but a kernel ? ?   :scared:  That's big boys stuff...
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 105
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1682 on: April 22, 2020, 07:25:40 pm »
Did anyone ever try to run their own kernel on these things?

I've run 1 or 2 homemade apps but a kernel ? ?   :scared:  That's big boys stuff...

Depends on whether it's a stock kernel, or whether Rigol made a lot of modifications. I extracted the devicetree which tells the kernel what devices are living where on which bus, which is a good starting point. I have not received my scope (I ordered a MSO5072 yesterday). Can anyone with a scope check whether /proc/config.gz exists? Pretty unlikely, but you never know...

Looking at the Rigol kernel modules it seems like they tried to do everything in userspace, which would be good.
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 105
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1683 on: April 22, 2020, 07:32:41 pm »
Not sure whether it was already posted in the amount of thread pages, but attached is the devicetree file for the Linux kernel. What I can make out of this is:

I2C BUS @e0004000:

0x32: RTC
0x14: Touchscreen
0x1c: TMP421 temperature sensor
0x1d: TMP421
0x52: FRAM
0x1f: ADC #1 adc128d818 (knobs?)
0x35: ADC #2
0x37: ADC #3

Ignore it if that was already posted in this thread somewhere.
« Last Edit: April 22, 2020, 07:35:11 pm by dxl »
 
The following users thanked this post: ve2mrx
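
An address map like the one in the post above can be read mechanically from a decompiled device tree. The sketch below is an added example, not code from the thread or from the scope's firmware: the DTS fragment is constructed, the `example,*` compatible strings and the second bus are placeholders, and only the bus address, the I2C addresses and the TMP421 / adc128d818 names come from the post.

```python
import re
# Constructed sample in `dtc -I dtb -O dts` style. Bus address, I2C addresses
# and the TMP421 / adc128d818 parts follow the post; every "example,*" string
# and the whole second bus are placeholders, not values from the scope.
SAMPLE_DTS = r'''
/ {
    amba {
        i2c@e0004000 {
            reg = <0xe0004000 0x1000>;
            rtc@32 { compatible = "example,rtc"; reg = <0x32>; };
            touchscreen@14 { compatible = "example,touch"; reg = <0x14>; };
            temp@1c { compatible = "ti,tmp421"; reg = <0x1c>; };
            temp@1d { compatible = "ti,tmp421"; reg = <0x1d>; };
            fram@52 { compatible = "example,fram"; reg = <0x52>; };
            adc@1f { compatible = "ti,adc128d818"; reg = <0x1f>; };
            adc@35 { compatible = "example,adc"; reg = <0x35>; };
            adc@37 { compatible = "example,adc"; reg = <0x37>; };
        };
        i2c@e0005000 {
            eeprom@50 { compatible = "example,eeprom"; reg = <0x50>; };
        };
    };
};
'''

# One token per match: node open, node close, or "key = value;" property.
TOKEN = re.compile(
    r'(?P<open>(?:\w+:\s*)?(?P<name>[\w,.+/-]+)(?:@(?P<unit>[0-9a-fA-F]+))?\s*\{)'
    r'|(?P<close>\}\s*;)'
    r'|(?P<prop>(?P<key>[\w,#.-]+)\s*=\s*(?P<val>[^;]*);)')

def i2c_devices(dts, bus_unit):
    """Sorted (address, node name, first compatible) for children of i2c@<bus_unit>."""
    stack, found = [], []
    for m in TOKEN.finditer(dts):
        if m.group('open'):
            stack.append((m.group('name'), (m.group('unit') or '').lower(), {}))
        elif m.group('close') and stack:
            name, _, props = stack.pop()
            on_bus = stack and stack[-1][:2] == ('i2c', bus_unit)
            if on_bus and 'reg' in props:   # direct child of the wanted bus
                addr = int(re.search(r'<\s*(\w+)', props['reg']).group(1), 0)
                compat = re.findall(r'"([^"]*)"', props.get('compatible', '""'))
                found.append((addr, name, compat[0]))
        elif m.group('prop') and stack:
            stack[-1][2][m.group('key')] = m.group('val')
    return sorted(found)

for a, n, c in i2c_devices(SAMPLE_DTS, 'e0004000'): print(f'0x{a:02x} {n} {c}')
```

The parser only tracks node nesting and `key = value;` properties, which is enough for a bus listing; on a real device tree the `compatible` strings it prints are what to look up in the kernel's driver bindings.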

Offline thinkfat

  • Supporter
  • ****
  • Posts: 1073
  • Country: de
    • Matthias' Hackerstübchen
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1684 on: April 22, 2020, 07:52:28 pm »
The device tree reveals a lot and nothing at the same time. There's no interesting peripherals listed here, the really interesting stuff will be in the PL part of the Zynq-7000.
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 105
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1685 on: April 22, 2020, 07:57:40 pm »
The device tree reveals a lot and nothing at the same time. There's no interesting peripherals listed here, the really interesting stuff will be in the PL part of the Zynq-7000.

It's at least a starting point to know what drivers are used for the hardware in the kernel. Of course there might be drivers in the kernel that are not listed in the dt that are used by some platform code. One thing I can't find in the upstream kernel is the DPU driver. Which might be possible, as graphics processing might be different in a scope... I can't say about the PL part in the Zynq, I have no knowledge about Zynq FPGAs.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1686 on: April 22, 2020, 08:47:26 pm »
Depends on whether it's a stock kernel, or whether Rigol made a lot of modifications.

What is a "stock kernel" in a scope like this?  ???

Look here: https://gitlab.com/riglol/rigolee/
« Last Edit: April 22, 2020, 08:51:53 pm by tv84 »
 
The following users thanked this post: bitseeker

Offline sjm

  • Newbie
  • Posts: 4
  • Country: fi
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1687 on: April 22, 2020, 09:58:16 pm »
Can someone attach a screenshot of Bode plot function ;D

OK, let's see if this works... well I made a stupid 2x RC filter on a breadboard and after some trial and error with component values, I managed to make a nice bode plot.

BR, -sjm
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 105
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1688 on: April 23, 2020, 08:53:46 pm »
I received my MSO5072 today. It came with 01.01.04.04, upgraded to latest firmware, applied the patches. All worked fine. Applying the bpatch was even faster than receiving the free options from Rigol :-). I now modified /rigol/shell/start.sh to automatically start ssh, hope I find some time during the next week to solder the serial + JTAG port...

Many thanks to the people who made that upgrade possible!
 
The following users thanked this post: thm_w, el_man

Offline MartinMajewski

  • Newbie
  • Posts: 2
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1689 on: April 23, 2020, 10:53:09 pm »
Hi all,

I read through a lot of posts of this thread, but there are 68 pages now! On the last couple of pages, I saw that the MSO5000 is pretty easily hackable without a big brick-risk. I am now about to order an MSO5074 or an MSO5104. Both have nearly all software options enabled because of a special offer. The only thing locked is the frequency.

So what I am not sure still is, if the frequencies can also be unlocked with this hack. The 70 MHz Version is like 200 Euros (net) less, and I need the PLA2216, too. Should I spare myself the money and get the 70MHz and "hack" as soon as I need more bandwidth, or should I go with the 100MHz version "just in case"?

And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?

A status overview page would be really helpful on this topic for us noobs.


I really appreciate all your efforts! Stay safe!

Martin
 

Online stafil

  • Regular Contributor
  • *
  • Posts: 191
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1690 on: April 23, 2020, 10:58:20 pm »
Hi all,

I read through a lot of posts of this thread, but there are 68 pages now! On the last couple of pages, I saw that the MSO5000 is pretty easily hackable without a big brick-risk. I am now about to order an MSO5074 or an MSO5104. Both have nearly all software options enabled because of a special offer. The only thing locked is the frequency.

So what I am not sure still is, if the frequencies can also be unlocked with this hack. The 70 MHz Version is like 200 Euros (net) less, and I need the PLA2216, too. Should I spare myself the money and get the 70MHz and "hack" as soon as I need more bandwidth, or should I go with the 100MHz version "just in case"?

And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?

A status overview page would be really helpful on this topic for us noobs.


I really appreciate all your efforts! Stay safe!

Martin

MSO5074, the hack works like a charm

Also given the hack is so easy, you will have a hard time selling the 100Hz more than the 70Hz, so resale value is not as good for the 100Hz
 

Offline typoknig

  • Regular Contributor
  • *
  • Posts: 52
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1691 on: April 24, 2020, 12:46:11 am »
Hi all,

I read through a lot of posts of this thread, but there are 68 pages now! On the last couple of pages, I saw that the MSO5000 is pretty easily hackable without a big brick-risk. I am now about to order an MSO5074 or an MSO5104. Both have nearly all software options enabled because of a special offer. The only thing locked is the frequency.

So what I am not sure still is, if the frequencies can also be unlocked with this hack. The 70 MHz Version is like 200 Euros (net) less, and I need the PLA2216, too. Should I spare myself the money and get the 70MHz and "hack" as soon as I need more bandwidth, or should I go with the 100MHz version "just in case"?

And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?

A status overview page would be really helpful on this topic for us noobs.


I really appreciate all your efforts! Stay safe!

Martin

MSO5074, the hack works like a charm

Also given the hack is so easy, you will have a hard time selling the 100Hz more than the 70Hz, so resale value is not as good for the 100Hz

Another option that isn't enabled in the bundle is 200M memory. The 5074 is the best deal out of the MSO5000 line assuming you want 4 probes.
 
The following users thanked this post: Simon_RL

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 10808
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1692 on: April 24, 2020, 05:27:29 am »
Depends on whether it's a stock kernel, or whether Rigol made a lot of modifications.

What is a "stock kernel" in a scope like this?  ???

They run Linux on a commercial chip. It comes with a kernel as a starting point.

 

Offline maginnovision

  • Super Contributor
  • ***
  • Posts: 1710
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1693 on: April 24, 2020, 08:15:10 am »
Can someone attach a screenshot of Bode plot function ;D

 :P
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1694 on: April 24, 2020, 08:47:40 am »
They run Linux on a commercial chip. It comes with a kernel as a starting point.

It does but without specific patches and drivers we're far from having a scope. I think when Linus developed the thing he wasn't doing circuit analysis...
 

Offline mantis

  • Newbie
  • Posts: 1
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1695 on: April 24, 2020, 08:57:59 am »
Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.
Thank you!
Works perfect!
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1639
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1696 on: April 24, 2020, 09:02:02 am »
...And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?
I think you're wrong, I believe the hack makes it as though the MSO5xxx has all the hacked features and they continue through power cycling.
If at first you don't succeed, get a bigger hammer
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1697 on: April 24, 2020, 09:08:47 am »
...And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?
I think you're wrong, I believe the hack makes it as though the MSO5xxx has all the hacked features and they continue through power cycling.

Sure it does. The hack doesn't resist to a FW upgrade but it resists to reboots!  :)
 

Offline pipe2null

  • Regular Contributor
  • *
  • Posts: 105
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1698 on: April 24, 2020, 08:34:41 pm »
...
So what I am not sure still is, if the frequencies can also be unlocked with this hack. The 70 MHz Version is like 200 Euros (net) less, and I need the PLA2216, too. Should I spare myself the money and get the 70MHz and "hack" as soon as I need more bandwidth, or should I go with the 100MHz version "just in case"?
...

If you're going the cheap as possible route, I'd suggest NOT doing what I did:  I bought an MSO5072 last year on clearance (good thing) and hacked all features including the 2->4 channel upgrade (also good thing).  The 2 channel model only comes with 2 probes (less-good thing), which I knew prior to purchase but bought anyway since I had intended to buy a couple higher BW probes anyway (good thing, with max BW hack).  But I didn't consider the future resale of my scope and kinda wish I started out with the 4 channel 70MHz model instead since it comes with 4 probes.  When I eventually end up selling my scope, I'm NOT going to charge for hacked features, but leaving it as buyer's choice whether or not to undo hacks prior to shipping would help unload it (down the road a while), and having 4 probes to go with it would have been better.
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 111
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1699 on: April 25, 2020, 04:36:01 pm »
Did we already extract the u-boot image and environment? If so, is there an easy way to do this? Hints are very welcome.
 

