Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 917763 times)

Offline calippo

  • Newbie
  • Posts: 3
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1900 on: November 27, 2020, 10:14:18 pm »
For instance, this part, right?

Truly appreciated for the quick help. Thanks again! :)

Quote
For completeness, here's the instructions for someone who just wants to patch:
1. In this message mabl posted the "auto patcher".
2. Download that and rename it to remove the .txt (Make sure you actually remove the .txt extension, don't be fooled by your stupid gui.)
3. Check the "About" menu on your scope to see what version and build of firmware you have. If you have a new scope as of the date of this message it probably has 01.03.00.01 with a build date of May. For that version/build you can use the patch file and patch.txt attached to this message. Otherwise you have to search.
4. Follow the instructions in mabl's message. You will know it works because the screen will turn white with text and give you some "hit any key" prompts.
5. If it doesn't get to that screen, it's probably because you're using too large of a flash drive or it's formatted wrong or the file still has a .txt extension.
6. If the black on white text tells you that it worked, it takes a pretty long time (1 minute) for anything else to happen. That's normal.
7. If it got that far but then the licenses don't show up, then you'll have to do some deeper troubleshooting.
8. If your scope becomes non-functional try turning it off and then back on again. If that doesn't work, then you will have to use the "secret menu" and restore the firmware. This is not that hard, but you'll have to search through the thread if it comes to that.
9. At the present time the collective wisdom of this community seems to agree that it is impossible to permanently brick your scope. Restoring firmware via secret menu is the worst case scenario.
10. I think, maybe, you're supposed to use the scope's menus to run its auto-calibration routine once you've done the upgrade?
 

Offline simogi

  • Newbie
  • Posts: 5
  • Country: it
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1901 on: November 30, 2020, 09:18:58 pm »
Good evening,

Today my Rigol MSO5074-A arrived.

I tried so right away (if you can tell) to expand it.


So I used your previous mail files, placed in the root of a 16GB FAT32-formatted USB key.

Inserted in the Rigol, the oscilloscope turns on without doing the self-update.

I went to a local update menu and it worked, after a few presses of any key (indicated by the display, anyway).

My firmware was version 01.03.00.01 from May.

I thank everyone for their help.

I would like to understand more, than being a performer.

I hope you will let me, even if my questions may be considered simple for you.

Regards
« Last Edit: November 30, 2020, 09:24:07 pm by simogi »
 
The following users thanked this post: tutecnicocarlos

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1902 on: December 05, 2020, 04:47:29 pm »
I'd be surprised if you got appEntry source. I did this for a Samsung TV some time ago, all I got was the Linux kernel I could have downloaded from the source webpage. None of their derivative works or things that used the Open Source libraries.

Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

Anyway, the request went through, and I got the sources. It was a painful experience. The first time, the archive was corrupted and could not be extracted, so a week went over that. I did get a new download (same archive, but the date inside was 2 days later, so for sure this was a new archive), and it worked. It was a 100 GiB VMware disk image :S Inside there was nothing useful. Just gcc and stuff to actually make the build work I suppose. I never ran the VM, just mounted the disk image and extracted the juicy bits.

So first up, is U-Boot, the bootloader used. The bootloader is involved when you do the SINGLE key press trick. I'm not convinced it is the correct version, as the fw4uboot.sh update script uses a function called 'showMessage' which I haven't found. Maybe it gets silently ignored? Could someone produce some screenshots with the 'SINGLE' key being in effect and the update messages when doing an update via that way? I recall that when pushing SINGLE, you get a menu to the left of the right key-columns, right?

Anyway, I wrote a wiki page explaining the work and branches, best to refer to that page rather than talking too much about it here: wiki.

Secondly, the Linux kernel. I haven't done the work there yet, need a bit more time for that, but have started on it locally ;) There's a wiki too, but not filled with data yet. Linux kernel wiki.

Finally, I moved the previous 'firmware dumps' into a new location/name. Those are now rigol, sorry for breaking any links :(. The analysis wiki still lives there too.

Finally, I've started a new thread, as this one is being abused and really only is about 'help, unlock my rigol' nowadays :) so focus on software development, reverse engineering etc. is now moved to here: Zynq 7000 based rigol software development (Need to get a permalink for that as I probably will change the title :p)
« Last Edit: December 05, 2020, 10:29:59 pm by oliv3r »
 
The following users thanked this post: thm_w, bmx, omgoleus, tutecnicocarlos

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1903 on: December 05, 2020, 06:07:28 pm »
Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

:clap: As we say in Portuguese: "quem não chora, não mama"

Edit:  |O Corrected the saying...
« Last Edit: December 06, 2020, 02:58:31 pm by tv84 »
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1729
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1904 on: December 06, 2020, 01:52:23 am »
Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

:clap: As we say in Portuguese: "quem não pede, não mama"
Hmmm, Google Translate gives that as... "who does not ask, does not breast"
If at first you don't succeed, get a bigger hammer
 

Offline S. Petrukhin

  • Super Contributor
  • ***
  • Posts: 1144
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1905 on: December 06, 2020, 09:15:11 pm »
Anyway, the request went through, and I got the sources.

Rigol kept its promises and opened the source code?  :)
And sorry for my English.
 

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1906 on: December 06, 2020, 11:00:26 pm »
No, that wasn't a promise. And it's not the full source code.
Only the stuff which is GPL based. They had to give it to him, otherwise the possibility of legal penalties would be opened up.
A work colleague did the same thing for the "Thermomix" ;-)
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1907 on: December 07, 2020, 08:36:06 am »
No, that wasn't a promise. And it's not the full source code.
Only the stuff which is GPL based. They had to give it to him, otherwise the possibility of legal penalties would be opened up.
A work colleague did the same thing for the "Thermomix" ;-)

If you go back in the long long history of this thread, it is indeed mentioned that we only have the u-boot and kernel sources as those are the most important part. So they kept their contractual promise.

Not sure if they ever promised to release 'appEntry' or anything, and that would have been so unexpected, it wasn't even on my radar :) But you never know.

Offline luky315

  • Regular Contributor
  • *
  • Posts: 226
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1908 on: December 10, 2020, 02:24:12 pm »
I have two small questions:
How are the .bspatch files created?
Is it possible to read the content of a .bspatch file in a human readable format or are they binary files?
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1909 on: December 10, 2020, 03:23:30 pm »
diff and patch are standard unix utilities that respectively (1) figure out the differences between two text files and produce a [semi-]readable listing of the differences sometimes called a patch file (2) take the difference output of diff and one of the original files as input and produces the other original file as output.

bsdiff and bspatch are analogous non-standard utilities for binary files, with bsdiff producing a binary patch file that can be used as input to bspatch. The contents of the output of bsdiff are binary and opaque. I don't know if anyone has produced a utility to print out the intentions of a binary patch file; it would probably be relatively trivial to do, reverse-engineering the source for bsdiff.

You can find the home page for bsdiff and bspatch here.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
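
The patch container discussed in the post above can be walked without applying it. The following is an added example, not code from this thread or from the bsdiff project: it assumes the .bspatch file uses the classic BSDIFF40 layout written by bsdiff 4.x (the thread does not confirm this), and `describe_patch` and `make_sample_patch` are names made up here. It lists which ranges of the output file would differ from the input.

```python
import bz2

MAGIC = b"BSDIFF40"  # assumed container: classic bsdiff 4.x layout

def offtin(buf):
    """Decode bsdiff's 8-byte little-endian sign-magnitude integer."""
    value = int.from_bytes(buf, "little")
    magnitude = value & ((1 << 63) - 1)
    return -magnitude if value >> 63 else magnitude

def offtout(n):
    """Encode an integer the same way (only needed to build the sample)."""
    return (abs(n) | ((1 << 63) if n < 0 else 0)).to_bytes(8, "little")

def describe_patch(patch):
    """Return (new_size, regions); each region is (kind, new_offset, length)."""
    if patch[:8] != MAGIC:
        raise ValueError("not a BSDIFF40 patch")
    ctrl_len, diff_len, new_size = (offtin(patch[i:i + 8]) for i in (8, 16, 24))
    if min(ctrl_len, diff_len, new_size) < 0:
        raise ValueError("negative length in header")
    # Header is followed by three bzip2 streams: control, diff, extra.
    ctrl = bz2.decompress(patch[32:32 + ctrl_len])
    diff = bz2.decompress(patch[32 + ctrl_len:32 + ctrl_len + diff_len])
    regions, new_pos, diff_pos = [], 0, 0
    for i in range(0, len(ctrl) - 23, 24):
        # add: bytes of old+diff; copy: bytes taken from extra; seek: move in old
        add, copy, _seek = (offtin(ctrl[i + j:i + j + 8]) for j in (0, 8, 16))
        if (add < 0 or copy < 0 or diff_pos + add > len(diff)
                or new_pos + add + copy > new_size):
            raise ValueError("corrupt control tuple")
        start = None
        for k in range(add + 1):  # one extra step flushes a run ending at add
            changed = k < add and diff[diff_pos + k] != 0
            if changed and start is None:
                start = k
            elif not changed and start is not None:
                regions.append(("modified", new_pos + start, k - start))
                start = None
        new_pos, diff_pos = new_pos + add, diff_pos + add
        if copy:
            regions.append(("inserted", new_pos, copy))
            new_pos += copy
    return new_size, regions

def make_sample_patch():
    """Constructed sample: old b"ABCDEFGH" -> new b"ABXDEFGH!!"."""
    ctrl = offtout(8) + offtout(2) + offtout(0)
    diff = bytes([0, 0, ord("X") - ord("C"), 0, 0, 0, 0, 0])
    blocks = [bz2.compress(ctrl), bz2.compress(diff), bz2.compress(b"!!")]
    sizes = offtout(len(blocks[0])) + offtout(len(blocks[1])) + offtout(10)
    return MAGIC + sizes + b"".join(blocks)

if __name__ == "__main__":
    print(describe_patch(make_sample_patch()))
```

A "modified" region only says that the new byte equals the old byte plus a non-zero delta, so the old file is still needed to see the actual values.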
 

Offline luky315

  • Regular Contributor
  • *
  • Posts: 226
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1910 on: December 10, 2020, 03:36:11 pm »
It would be interesting what exactly will be changed by this patch and in a second step it would be interesting to write my own patch.
"unfortunately" I have bought a DS7014 and not a MSO5000 :-(
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1911 on: December 10, 2020, 03:55:02 pm »
I don't know if anyone has produced a utility to print out the intentions of a binary patch file; it would probably be relatively trivial to do, reverse-engineering the source for bsdiff.

I take that back. I had a quick search for a utility to print bspatch files and couldn't find one, so I thought I'd take my own advice and see if one could be run up quickly. So I grabbed the source for bsdiff. Yuck! For anyone who wants an example of how to take a short program (it's only 404 lines) and write it in such a bad style that it's incomprehensible, then take a look at the bsdiff source. Only comment things that are almost obvious, don't comment the things that are opaque, use single letter variable names, embed magic numbers in the code and so on, the list of coding sins is almost endless.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline bmx

  • Contributor
  • Posts: 30
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1912 on: December 11, 2020, 05:27:34 am »
That's not how it works. You don't learn from the bspatch file.
If you want to know what it's doing:
 1/ patch the old binary
 2/ compare by yourself old bin vs new bin (hexdiff, whatever)

It will show you the expanded vision of the bspatch, but still nonsense to people nonsensitive to binary.

So you can go one step below:
 convert each machine language keywords to assembly keywords or binary blob to organized structures
 then manually diff the files produced against the old and new binary.

or have a look at riglol gitlab repo.

--upd:
take a breath... dive (https://github.com/WerWolv/ImHex)

« Last Edit: December 11, 2020, 05:39:41 am by bmx »
 

Offline luky315

  • Regular Contributor
  • *
  • Posts: 226
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1913 on: December 11, 2020, 04:00:32 pm »
Just to be clear: The "old" way with (reactivating) SSH and -fullopt is definitively closed?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1914 on: December 11, 2020, 04:24:16 pm »
Just to be clear: The "old" way with (reactivating) SSH and -fullopt is definitively closed?

If you use the "old" FW the way is open. If you use "newer" FWs, the way is definitely closed and you have to emulate that behavior.
 
The following users thanked this post: luky315

Offline Julian.Berk

  • Newbie
  • Posts: 4
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1915 on: December 16, 2020, 05:11:23 pm »
I've tried it but it gives this message. Any clue to what I'm doing wrong?
Using the files supplied by omgoleus
« Last Edit: December 16, 2020, 05:13:35 pm by Julian.Berk »
 

Offline toeeks

  • Newbie
  • Posts: 6
  • Country: scotland
    • toeeks.eu
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1916 on: December 17, 2020, 09:56:06 am »
I can confirm that the instructions by omgoleus worked for me on a brand-new MSO5074 with the May 2020 firmware build. :-+

@Julian.Berk: Are you sure you've actually removed the .txt extension from your downloaded patch file and unzipped it first? Can you share a screenshot of the root directory of the USB drive?
« Last Edit: December 17, 2020, 10:21:50 am by toeeks »
 
The following users thanked this post: Julian.Berk

Offline Julian.Berk

  • Newbie
  • Posts: 4
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1917 on: December 17, 2020, 10:30:52 am »
@toeeks thanks a bunch. I was incorrectly unzipping the file but now it works!!!!
 

Offline carlitos49

  • Newbie
  • Posts: 4
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1918 on: December 19, 2020, 07:19:46 pm »
Hello, I have the MSO5074 (70MHz) which I purchased a little over one year ago and through this forum I was able to get all the options and features, 350MHz and all other options.  However they have now added a new Bode plotter feature with the latest firmware (V00.01.03.00.01 released on April of 2019). My current installed version is V00.01.01.04.04.  I imagine that if I tried to update to the latest I would lose my previous hack and end up with a lot of missing features and options but my real worry is if you do an update to their latest firmware release, is there any way to go back to what I had (my hacked firmware)??? or will it totally lock me out?  Any answers or suggestions to this dilemma would be greatly appreciated.
Thank you so much!
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 5782
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1919 on: December 19, 2020, 11:02:53 pm »
Siglent owners don't have these problems.. ;)
Once the (generated) license keys are installed, they remain through every firmware update because of their nature, being "real" license keys.
I'm not up to date as far as the Rigol 5000 is concerned, as I've changed to Siglent early in this year.
So it's still a problem when updating to a newer firmware, all the hacks are gone ?
There's no keygen available, generating "true" license keys ?
« Last Edit: December 19, 2020, 11:42:15 pm by Martin72 »
 

Offline Sergey Astakhov

  • Contributor
  • Posts: 10
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1920 on: December 19, 2020, 11:39:51 pm »
my real worry is if you do an update to their latest firmware release, is there any way to go back to what I had (my hacked firmware)??? or will it totally lock me out?

Don't worry, the latest firmware can be hacked just like the old one. You just need to choose the correct patch file (it has its own for each firmware).

 

Offline Sergey Astakhov

  • Contributor
  • Posts: 10
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1921 on: December 19, 2020, 11:42:35 pm »
So it's still a problem when updating to a newer firmware, all the hacks are gone ?
There's no keygen available, generating "true" license keys ?

Yep, still no keygen, only by patching.
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 5782
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1922 on: December 19, 2020, 11:57:27 pm »
Hm-Hm....
I've owned the Rigol over a year, bought it in Nov. 2018.
And had a close conversation with the Rigol support in that time.
Finally they thanked me for it by giving me the full options license key for free.. 8)
This key and what it does I've sent to a member here.
And it doesn't have an impact on the hacking thing here since ?
Interesting...


Offline x-tro

  • Newbie
  • Posts: 1
  • Country: pl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1923 on: December 20, 2020, 08:44:45 am »
Guys, outstanding work!

I have MSO5104 with MSO5000(ARM)Update v00.01.03.00.01 with 2020-03-30 build. Does anyone have patch for this or maybe somebody can share May update with me ?

ps.
March MSO5000(ARM)Update v00.01.03.00.01 GEL MD5: C85C5F4A64A8C9D435B589835225D527
March appEntry MD5: 2EFA4605B83BF1AF48BF6736BFAE3255

best regards
X-Tro
 

Offline omgoleus

  • Contributor
  • Posts: 14
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1924 on: December 29, 2020, 06:47:08 am »
Hello, I have the MSO5074 (70MHz) which I purchased a little over one year ago and through this forum I was able to get all the options and features, 350MHz and all other options.  However they have now added a new Bode plotter feature with the latest firmware (V00.01.03.00.01 released on April of 2019). My current installed version is V00.01.01.04.04.  I imagine that if I tried to update to the latest I would lose my previous hack and end up with a lot of missing features and options but my real worry is if you do an update to their latest firmware release, is there any way to go back to what I had (my hacked firmware)??? or will it totally lock me out?  Any answers or suggestions to this dilemma would be greatly appreciated.
Thank you so much!

Go ahead and update to the newest firmware from April 2019, and then install the patch as per the instructions that have worked out over the course of this thread. If you go back about 20 messages from here, my message has a summary of what others worked out, which is focused strictly on the newest version. Then you will have the bode plotting and the unlock!

The procedure is easy enough, you will just need to download the firmware onto a USB key to update, and then erase that and put the patcher and patch file on the USB key to patch. Thanks to mabl and others it’s really very smooth.

 

