Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 405678 times)


Offline omgoleus

  • Contributor
  • Posts: 13
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1900 on: November 26, 2020, 11:12:33 pm »
$ objdump ... file | sed ... | awk ... | whatever ... | c++filt

   c6958:       01 00 00 0a     beq     #4 <searchEventTable::sigCurrEventTime(int)+0x3650>
   c7210:       88 00 00 1a     bne     #544 <searchEventTable::sigCurrEventTime(int)+0x4124>
   c744c:       23 00 00 0a     beq     #140 <searchEventTable::sigCurrEventTime(int)+0x41cc>
  18c210:       b3 00 00 0a     beq     #716 <QList<menu_res::RDsoView*>::~QList()+0x104d8>
  18c22c:       1a 00 00 1a     bne     #104 <QList<menu_res::RDsoView*>::~QList()+0x10290>
  3997d0:       71 00 00 0a     beq     #452 <CIRQListener::sigHandler(int)+0x2dac>
  3997ec:       06 00 00 1a     bne     #24 <CIRQListener::sigHandler(int)+0x2c1c>
  44c6a4:       03 00 00 1a     bne     #12 <MemFile::~MemFile()+0x2344>
  44c6a8:       a9 ff ff eb     bl      #-348 <MemFile::~MemFile()+0x21e0>


I piped that same text into c++filt and it didn't do what you're showing. Looking at the documentation, as well as your example, it does not appear that there should be any special tricks or command line options needed; it should take this objdump text as input and spit out a demangled output.

Edit: I figured it out. Mac OS X comes with objdump from llvm and also c++filt that claims to be gnu. Neither of them work. However, if I install gnu binutils with homebrew, then the new gnu versions both work.  :wtf:

Also, the version of grep in Mac OS X has had a bug for ten years that hasn't been fixed: https://unix.stackexchange.com/questions/8892/trouble-with-grep-o-regex
yikes! careful if you're doing Unix development on a Mac!

Thanks!
« Last Edit: November 26, 2020, 11:35:21 pm by omgoleus »
 

Offline omgoleus

  • Contributor
  • Posts: 13
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1901 on: November 27, 2020, 08:09:36 am »
Woot, at the stroke of midnight the beast came to life!
This was my hand-edited appEntry running out of /tmp. I have to say, I was a little disappointed: when I did kill -9 of the appEntry process, nothing happened... It should be cool like in Tron when they shut down the Master Control Program...

The patch file and patch.txt for the May build of firmware 01.03.00.01 is attached. These are used with mabl's autopatcher. They are based on the version of the patch in this message from typoknig which includes the patch to disable phone-home.

Here's the contents of the patch.txt file:

Code:
file_to_patch=/rigol/appEntry
file_to_patch_md5sum=783a31ebdc0d4acb7b9dc244155ba1c6
patch_file=mayBuildPatch.bspatch
after_patch_md5sum=7e39040bfb086c666be3e7cc87dd73b0

I'm also attaching the final version of my shell script that uses objdump and diff to find the difference between the original and patched version of an older executable, and then figures out what file offsets need to be hex-edited in the newer executable to manually recreate the patch. Doing this in a shell script was way more complicated than doing it manually and in fact I made the patch and then went back and spent a full day making a shell script to recreate exactly what I did manually... but for me, this feels better than writing out step-by-step instructions. It only took so long because (repeating what I said before) the included version of various command line utilities on Mac... kind of suck...

If you want to use this script, be sure to read the comments carefully. I refer to gobjdump and gsed for the GNU versions; GNU would probably be the default versions if you're on Linux, so you'd have to fix that. Also I use associative arrays and the syntax is slightly different in zsh versus bash4, but I included both in comments. Also note that this script just finds the file offsets you need to edit; you have to do the editing yourself with a hex editor. I had to draw the line somewhere!

I'd like to thank the people in the last few days of messages who offered help... you can see who they are by scrolling back. I probably could have got it to work simply based on the info that already existed in the thread, but it would have taken a lot longer and involved a lot more trial and error and a lot more anxiety about flying blind and worrying that I was going to brick my scope. I especially want to observe, for the benefit of anyone else thinking about doing this from scratch, that the most useful piece of information was sb42 telling me the number of lines of diff to expect between patched and unpatched and clarifying my misunderstanding about diff between different versions. A close second was bmx and sb42 pointing me in the direction of objdump rather than a full reverse engineering tool.

Finally, mabl you were totally right that this was rewarding to figure out!

For completeness, here's the instructions for someone who just wants to patch:
1. In this message mabl posted the "auto patcher".
2. Download that and rename it to remove the .txt (Make sure you actually remove the .txt extension, don't be fooled by your stupid gui.)
3. Check the "About" menu on your scope to see what version and build of firmware you have. If you have a new scope as of the date of this message it probably has 01.03.00.01 with a build date of May. For that version/build you can use the patch file and patch.txt attached to this message. Otherwise you have to search.
4. Follow the instructions in mabl's message. You will know it works because the screen will turn white with text and give you some "hit any key" prompts.
5. If it doesn't get to that screen, it's probably because you're using too large of a flash drive or it's formatted wrong or the file still has a .txt extension.
6. If the black on white text tells you that it worked, it takes a pretty long time (1 minute) for anything else to happen. That's normal.
7. If it got that far but then the licenses don't show up, then you'll have to do some deeper troubleshooting.
8. If your scope becomes non-functional, try turning it off and then back on again. If that doesn't work, then you will have to use the "secret menu" and restore the firmware. This is not that hard, but you'll have to search through the thread if it comes to that.
9. At the present time the collective wisdom of this community seems to agree that it is impossible to permanently brick your scope. Restoring firmware via secret menu is the worst case scenario.
10. I think, maybe, you're supposed to use the scope's menus to run its auto-calibration routine once you've done the upgrade?

« Last Edit: November 27, 2020, 10:08:47 pm by omgoleus »
 
The following users thanked this post: thm_w, ebclr, Altemir, ve2mrx, TmaxElectronics, whatisthis, Elm, UA3MQJ, brunortt, dnhkng, toeeks, realswift

Offline calippo

  • Newbie
  • Posts: 3
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1902 on: November 27, 2020, 09:41:02 pm »
Hello guys, I know I am not the first and I won't be the last asking this... so try to understand.... probably some of you went already through the pain of reading this massive thread...  :scared:

Is there a comprehensive tutorial or sticky post that collects all steps to update the fw in order to unlock all the features of the MSO5074 I am planning to buy?

Again, my apologies to ask again, but due to the lack of a sticky post on page #1... it is quite hard to find where to start or a proper howto.  ^-^

Cheers mates and stay safe!
 

Offline omgoleus

  • Contributor
  • Posts: 13
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1903 on: November 27, 2020, 10:10:01 pm »
Hello guys, I know I am not the first and I won't be the last asking this... so try to understand.... probably some of you went already through the pain of reading this massive thread...  :scared:

Is there a comprehensive tutorial or sticky post that collects all steps to update the fw in order to unlock all the features of the MSO5074 I am planning to buy?

Again, my apologies to ask again, but due to the lack of a sticky post on page #1... it is quite hard to find where to start or a proper howto.  ^-^

Cheers mates and stay safe!

See my message above yours, I edited it to include everything you need.
 

Offline calippo

  • Newbie
  • Posts: 3
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1904 on: November 27, 2020, 10:14:18 pm »
For instance, this part, right?

Truly appreciated for the quick help. Thanks again! :)

Quote
For completeness, here's the instructions for someone who just wants to patch:
1. In this message mabl posted the "auto patcher".
2. Download that and rename it to remove the .txt (Make sure you actually remove the .txt extension, don't be fooled by your stupid gui.)
3. Check the "About" menu on your scope to see what version and build of firmware you have. If you have a new scope as of the date of this message it probably has 01.03.00.01 with a build date of May. For that version/build you can use the patch file and patch.txt attached to this message. Otherwise you have to search.
4. Follow the instructions in mabl's message. You will know it works because the screen will turn white with text and give you some "hit any key" prompts.
5. If it doesn't get to that screen, it's probably because you're using too large of a flash drive or it's formatted wrong or the file still has a .txt extension.
6. If the black on white text tells you that it worked, it takes a pretty long time (1 minute) for anything else to happen. That's normal.
7. If it got that far but then the licenses don't show up, then you'll have to do some deeper troubleshooting.
8. If your scope becomes non-functional, try turning it off and then back on again. If that doesn't work, then you will have to use the "secret menu" and restore the firmware. This is not that hard, but you'll have to search through the thread if it comes to that.
9. At the present time the collective wisdom of this community seems to agree that it is impossible to permanently brick your scope. Restoring firmware via secret menu is the worst case scenario.
10. I think, maybe, you're supposed to use the scope's menus to run its auto-calibration routine once you've done the upgrade?
 

Offline simogi

  • Contributor
  • Posts: 5
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1905 on: November 30, 2020, 09:18:58 pm »
Good evening,

Today my Rigol MSO5074-A arrived.

I tried so right away (if you can tell) to expand it.


So I used the files from your previous message, placed in the root of a 16GB FAT32-formatted USB key.

Inserted in the Rigol, the oscilloscope turns on without doing the self-update.

I go to the local update menu and it worked,

after a few presses of any key (indicated by the display anyway).

My firmware was version 01.03.00.01 from May.

I thank everyone for their help.

I would like to understand more, rather than just being a performer.

I hope you will let me, even if my questions may be considered simple for you.

Regards
« Last Edit: November 30, 2020, 09:24:07 pm by simogi »
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1906 on: December 05, 2020, 04:47:29 pm »
I'd be surprised if you got appEntry source. I did this for a Samsung TV some time ago, all I got was the Linux kernel I could have downloaded from the source webpage. None of their derivative works or things that used the Open Source libraries.

Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

Anyway, the request went through, and I got the sources. It was a painful experience. The first time, the archive was corrupted and could not be extracted, so a week went over that. I did get a new download (same archive, but the date inside was 2 days later, so for sure this was a new archive), and it worked. It was a 100 GiB VMware disk image :S Inside there was nothing useful. Just gcc and stuff to actually make the build work, I suppose. I never ran the VM, just mounted the disk image and extracted the juicy bits.

So first up is U-Boot, the bootloader used. The bootloader is involved when you do the SINGLE key press trick. I'm not convinced it is the correct version, as the fw4uboot.sh update script uses a function called 'showMessage' which I haven't found. Maybe it gets silently ignored? Could someone produce some screenshots with the 'SINGLE' key being in effect and the update messages when doing an update that way? I recall that when pushing SINGLE, you get a menu to the left of the right key-columns, right?

Anyway, I wrote a wiki page explaining the work and branches; best to refer to that page rather than talking too much about it here: wiki.

Secondly, the Linux kernel. I haven't done the work there yet, need a bit more time for that, but have started on it locally ;) There's a wiki too, but not filled with data yet. Linux kernel wiki.

Finally, I moved the previous 'firmware dumps' into a new location/name. Those are now rigol, sorry for breaking any links :(. The analysis wiki still lives there too.

Finally, I've started a new thread, as this one is being abused and really only is about 'help, unlock my rigol' nowadays :) so the focus on software development, reverse engineering etc. is now moved to here: Zynq 7000 based rigol software development (Need to get a permalink for that as I probably will change the title :p)
« Last Edit: December 05, 2020, 10:29:59 pm by oliv3r »
 
The following users thanked this post: thm_w, bmx, omgoleus

Online tv84

  • Super Contributor
  • ***
  • Posts: 2250
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1907 on: December 05, 2020, 06:07:28 pm »
Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

:clap: As we say in Portuguese: "quem não chora, não mama"

Edit:  |O Corrected the saying...
« Last Edit: December 06, 2020, 02:58:31 pm by tv84 »
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1725
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1908 on: December 06, 2020, 01:52:23 am »
Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

:clap: As we say in Portuguese: "quem não pede, não mama"
Hmmm, Google Translate gives that as... "who does not ask, does not breast"
If at first you don't succeed, get a bigger hammer
 

Offline S. Petrukhin

  • Super Contributor
  • ***
  • Posts: 1042
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1909 on: December 06, 2020, 09:15:11 pm »
Anyway, the request went through, and I got the sources.

Rigol kept its promises and opened the source code?  :)
And sorry for my English.
 

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 338
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1910 on: December 06, 2020, 11:00:26 pm »
No, that wasn't a promise. And it's not the full source code.
Only the stuff which is GPL based. They had to give it to him, otherwise the possibility for legal penalties would be opened up.
A work colleague did the same thing for the "Thermomix" ;-)
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1911 on: December 07, 2020, 08:36:06 am »
No, that wasn't a promise. And it's not the full source code.
Only the stuff which is GPL based. They had to give it to him, otherwise the possibility for legal penalties would be opened up.
A work colleague did the same thing for the "Thermomix" ;-)

If you go back in the long long history of this thread, it is indeed mentioned that we only have the U-Boot and kernel sources, as those are the most important part. So they kept their contractual promise.

Not sure if they ever promised to release 'appEntry' or anything, and that would have been so unexpected, it wasn't even on my radar :) But you never know.
 

Offline luky315

  • Regular Contributor
  • *
  • Posts: 144
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1912 on: December 10, 2020, 02:24:12 pm »
I have two small questions:
How are the .bspatch files created?
Is it possible to read the content of a .bspatch file in a human readable format or are they binary files?
 

Online Cerebus

  • Super Contributor
  • ***
  • Posts: 7646
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1913 on: December 10, 2020, 03:23:30 pm »
diff and patch are standard Unix utilities that respectively (1) figure out the differences between two text files and produce a [semi-]readable listing of the differences, sometimes called a patch file, and (2) take the difference output of diff and one of the original files as input and produce the other original file as output.

bsdiff and bspatch are analogous non-standard utilities for binary files, with bsdiff producing a binary patch file that can be used as input to bspatch. The contents of the output of bsdiff are binary and opaque. I don't know if anyone has produced a utility to print out the intentions of a binary patch file; it would probably be relatively trivial to do, reverse-engineering the source for bsdiff.

You can find the home page for bsdiff and bspatch here.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline luky315

  • Regular Contributor
  • *
  • Posts: 144
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1914 on: December 10, 2020, 03:36:11 pm »
It would be interesting what exactly will be changed by this patch and in a second step it would be interesting to write my own patch.
"unfortunately" I have bought a DS7014 and not a MSO5000 :-(
 

Online Cerebus

  • Super Contributor
  • ***
  • Posts: 7646
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1915 on: December 10, 2020, 03:55:02 pm »
I don't know if anyone has produced a utility to print out the intentions of a binary patch file; it would probably be relatively trivial to do, reverse-engineering the source for bsdiff.

I take that back. I had a quick search for a utility to print bspatch files and couldn't find one, so I thought I'd take my own advice and see if one could be run up quickly. So I grabbed the source for bsdiff. Yuck! For anyone who wants an example of how to take a short program (it's only 404 lines) and write it in such a bad style that it's incomprehensible, then take a look at the bsdiff source. Only comment things that are almost obvious, don't comment the things that are opaque, use single letter variable names, embed magic numbers in the code and so on; the list of coding sins is almost endless.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
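
The utility Cerebus is after above, as an added example (not code from the thread or from the bsdiff project): a Python reader for the BSDIFF40 format that lists each control triple (bytes to add from the diff block, bytes to copy from the extra block, seek in the old file) and applies the patch to an in-memory copy of the original, checking it against the before/after md5 values from a patch.txt before anything is written to a device. It assumes the 32-byte-header, three-bzip2-stream layout of bsdiff 4.x; the sample patch is constructed inline and is not a real Rigol patch.

```python
"""Reader and dry-run applier for the BSDIFF40 format used by bspatch.

Added example, not the bsdiff project's code. A .bspatch file is a 32-byte
header plus three bzip2 streams: control triples, a diff block, an extra block.
"""
import bz2
import hashlib

MAGIC = b"BSDIFF40"


def offtin(buf: bytes) -> int:
    """Decode bsdiff's 8-byte integer: little-endian magnitude, sign in bit 7 of the last byte."""
    value = int.from_bytes(buf[:7] + bytes([buf[7] & 0x7F]), "little")
    return -value if buf[7] & 0x80 else value


def offtout(value: int) -> bytes:
    """Inverse of offtin; only needed to build the constructed sample below."""
    mag = abs(value).to_bytes(8, "little")
    return mag[:7] + bytes([mag[7] | (0x80 if value < 0 else 0)])


def parse_bspatch(patch: bytes):
    """Return (new_size, [(add_len, copy_len, seek), ...], diff_block, extra_block)."""
    if patch[:8] != MAGIC:
        raise ValueError("not a BSDIFF40 file")
    ctrl_len, diff_len, new_size = (offtin(patch[8 + 8 * i:16 + 8 * i]) for i in range(3))
    ctrl = bz2.decompress(patch[32:32 + ctrl_len])
    diff = bz2.decompress(patch[32 + ctrl_len:32 + ctrl_len + diff_len])
    extra = bz2.decompress(patch[32 + ctrl_len + diff_len:])
    if len(ctrl) % 24:
        raise ValueError("control block is not a multiple of 24 bytes")
    triples = [tuple(offtin(ctrl[i + 8 * j:i + 8 * j + 8]) for j in range(3))
               for i in range(0, len(ctrl), 24)]
    return new_size, triples, diff, extra


def apply_bspatch(old: bytes, patch: bytes, old_md5=None, new_md5=None) -> bytes:
    """Rebuild the new file exactly as bspatch does; refuse a wrong-hash or wrong-size result."""
    if old_md5 and hashlib.md5(old).hexdigest() != old_md5:
        raise ValueError("original file does not match file_to_patch_md5sum")
    new_size, triples, diff, extra = parse_bspatch(patch)
    new = bytearray()
    oldpos = diffpos = extrapos = 0
    for add_len, copy_len, seek in triples:
        # 1. add_len bytes: old bytes plus diff bytes, byte-wise modulo 256
        if oldpos + add_len > len(old) or diffpos + add_len > len(diff):
            raise ValueError("patch reads past the end of the old file or diff block")
        new.extend((old[oldpos + i] + diff[diffpos + i]) & 0xFF for i in range(add_len))
        oldpos += add_len
        diffpos += add_len
        # 2. copy_len bytes verbatim from the extra block (data absent from the old file)
        new.extend(extra[extrapos:extrapos + copy_len])
        extrapos += copy_len
        # 3. move the read cursor in the old file; bsdiff allows negative seeks
        oldpos += seek
    if len(new) != new_size:
        raise ValueError(f"produced {len(new)} bytes, header says {new_size}")
    if new_md5 and hashlib.md5(new).hexdigest() != new_md5:
        raise ValueError("result does not match after_patch_md5sum")
    return bytes(new)


def make_bspatch(triples, diff: bytes, extra: bytes, new_size: int) -> bytes:
    """Assemble a BSDIFF40 file from precomputed blocks (used for the constructed sample)."""
    ctrl = b"".join(offtout(v) for t in triples for v in t)
    c, d, e = bz2.compress(ctrl), bz2.compress(diff), bz2.compress(extra)
    return MAGIC + offtout(len(c)) + offtout(len(d)) + offtout(new_size) + c + d + e


# Constructed sample (not a real Rigol patch): one byte rewritten, two bytes appended.
OLD = b"hello world"
SAMPLE_PATCH = make_bspatch([(len(OLD), 2, 0)],
                            bytes([0] * 6 + [224] + [0] * 4),  # 'w' + 224 mod 256 = 'W'
                            b"!!", len(OLD) + 2)
```

Listing `parse_bspatch(patch)[1]` for a real patch shows how many bytes of the original are touched and where the cursor jumps, which is the "expanded vision" bmx describes without yet looking at the bytes themselves.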
 

Offline bmx

  • Contributor
  • Posts: 22
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1916 on: December 11, 2020, 05:27:34 am »
That's not how it works. You don't learn from the bspatch file.
If you want to know what it's doing:
 1/ patch the old binary
 2/ compare by yourself old bin vs new bin (hexdiff, whatever)

It will show you the expanded vision of the bspatch, but still nonsense to people nonsensitive to binary.

So you can go one step below:
 convert each machine language keywords to assembly keywords or binary blob to organized structures
 then manually diff the files produced against the old and new binary.

or have a look at riglol gitlab repo.

--upd:
take a breath... dive (https://github.com/WerWolv/ImHex)

« Last Edit: December 11, 2020, 05:39:41 am by bmx »
 

Offline luky315

  • Regular Contributor
  • *
  • Posts: 144
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1917 on: December 11, 2020, 04:00:32 pm »
Just to be clear: The "old" way with (reactivating) SSH and -fullopt is definitively closed?
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2250
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1918 on: December 11, 2020, 04:24:16 pm »
Just to be clear: The "old" way with (reactivating) SSH and -fullopt is definitively closed?

If you use the "old" FW the way is open. If you use "newer" FWs, the way is definitely closed and you have to emulate that behavior.
 
The following users thanked this post: luky315

Offline Julian.Berk

  • Newbie
  • Posts: 2
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1919 on: December 16, 2020, 05:11:23 pm »
I've tried it but it gives this message. Any clue to what I'm doing wrong?
Using the files supplied by omgoleus.
« Last Edit: December 16, 2020, 05:13:35 pm by Julian.Berk »
 

Offline toeeks

  • Contributor
  • Posts: 6
  • Country: scotland
    • toeeks.eu
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1920 on: December 17, 2020, 09:56:06 am »
I can confirm that the instructions by omgoleus worked for me on a brand-new MSO5074 with the May 2020 firmware build. :-+

@Julian.Berk: Are you sure you've actually removed the .txt extension from your downloaded patch file and unzipped it first? Can you share a screenshot of the root directory of the USB drive?
« Last Edit: December 17, 2020, 10:21:50 am by toeeks »
 
The following users thanked this post: Julian.Berk

Offline Julian.Berk

  • Newbie
  • Posts: 2
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1921 on: December 17, 2020, 10:30:52 am »
@toeeks thanks a bunch. I was incorrectly unzipping the file but now it works!!!!
 

Offline carlitos49

  • Newbie
  • Posts: 3
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1922 on: December 19, 2020, 07:19:46 pm »
Hello, I have the MSO5074 (70MHz) which I purchased a little over one year ago and through this forum I was able to get all the options and features, 350MHz and all other options.  However they have now added a new Bode plotter feature with the latest firmware (V00.01.03.00.01 released on April of 2019). My currently installed version is V00.01.01.04.04.  I imagine that if I tried to update to the latest I would lose my previous hack and end up with a lot of missing features and options, but my real worry is: if you do an update to their latest firmware release, is there any way to go back to what I had (my hacked firmware)??? or will it totally lock me out?  Any answers or suggestions to this dilemma would be greatly appreciated.
Thank you so much!
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 1796
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1923 on: December 19, 2020, 11:02:53 pm »
Siglent owners don't have these problems.. ;)
Once the (generated) license keys are installed, they remain through every firmware update because of their nature, being "real" license keys.
I'm not up to date on what concerns the Rigol 5000, as I've changed to Siglent early this year.
So it's still a problem when updating to a newer firmware, all the hacks are gone?
There's no keygen available, generating "true" license keys?
« Last Edit: December 19, 2020, 11:42:15 pm by Martin72 »
 

Offline Sergey Astakhov

  • Contributor
  • Posts: 7
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1924 on: December 19, 2020, 11:39:51 pm »
my real worry is if you do an update to their latest firmware release, is there any way to go back to what I had (my hacked firmware)??? or will it totally lock me out?

Don't worry, the latest firmware can be hacked just like the old one. You just need to choose the correct patch file (it has its own for each firmware).

 

