Hacking the Rigol MSO5000 series oscilloscopes

[rogersstuart]

Does the print function work for anyone? I upgraded to the latest firmware and applied a patch from a post that said it's supposed to stop the scope from "phoning home." Networking does work. I can access the scope through my browser. But when I try to print to my LaserJet the scope always says "Printer Busy."

[zzzox]

Hi

My scope : MSO5072   01.03.00.01   hw 01.01.000 2018.06.27 2020-05-18
Omgoleus files worked.All option is unlocked forever.
Simply local upgrade from flash drive.(Kingston Data Traveler 100 G3 32GB Fat32).

MSO5000 with all option is great  oscilloscope.

Thanks to Dave and everyone on the forum 

B.R.

[luky315]

I find still interesting that a lot of people are installing a script "from the internet" without any idea what this script is changing or how.

[tv84]

I find still interesting that a lot of people are installing a script "from the internet" without any idea what this script is changing or how.

See the definition here.

Did you create your own software? BTW, with tools "from the internet"?

[Cerebus]

I find still interesting that a lot of people are installing a script "from the internet" without any idea what this script is changing or how.

Many people are driving "cars from a garage" while being blissfully ignorant of the operation of internal combustion engines. Not everybody knows, or even wants to know, or is capable of knowing, the exact internal workings of everything they use. There are risks in that ignorance at all levels and there are opportunity costs in acquiring the knowledge to make any action relatively risk free. Between the two extreme states, people make trade-offs.

[nh90wxr]

After heavy struggling the last days I have got success at the end, but only when I re-installed the already available fw 00.01.03.00.01 into my MSO5074, which I freshly received in the cw 1/2021. The fw in the item with build date 2020-05-18 (e.g. missing sshd) did not accept the 1301 patch - see picture with error message. But re-installed fw with the same version number 00.01.03.00.01 as prerequisite , taken from rigolna.com with build date 2020-03-30, made the significant difference to my approach. I would like to thank all contributors and their effort for making this nice enhancement to my item happen. 

[PT_Dreamer]

Hi, just wanted to thank all the work put into this "tune".
I was able to shift some bits to the MSO7024 firmware and got all the "Forevers".
No overshoots, in fact it is shooting just fine as the attached image shows.
I wasn't able to use the patchFinder script (it didn't find the appropriate sections) so I used IDA and the previous posted patches to find the required modifications.
I also changed the bootscreen but had to use mtd3 instead of mtd7 (probably depends on the current shadow image being used).
It is a shame about all the OT though, an "Hide all the BS button" would make things much less painful.

Cheers,
José 

[luky315]

That's amazing, could you please share your work?

[PT_Dreamer]

That's amazing, could you please share your work?

What do you want me to share?
I'm attaching the IDA diff for the 00.01.02.00.05 appEntry, you can apply it with idadif.py script.

[ineedds]

I'm struggling now.
You have same model and F/W with my 5072.
If you could, let me know the hacking procedures you've done and files.

[tweini]

Hi

My scope : MSO5072   01.03.00.01   hw 01.01.000 2018.06.27 2020-05-18
Omgoleus files worked.All option is unlocked forever.
Simply local upgrade from flash drive.(Kingston Data Traveler 100 G3 32GB Fat32).
[...]

Your attachment "01_03_00_01.zip" is  according to the chesums for the march firmware and it differs from the file from Omgoleus.

Best Regards
tweini

[PT_Dreamer]

I'm struggling now.
You have same model and F/W with my 5072.
If you could, let me know the hacking procedures you've done and files.

What exactly are you struggling with?

[MoriDove]

Hi, is MSO5074 Hacking the same as MSO5072 ?

[Cerebus]

Hi, is MSO5074 Hacking the same as MSO5072 ?

Yes, they're the exact same scope, the 72 comes with all four physical channels but 2 are disabled in software.

[Commodore8888]

Hi, just wanted to thank all the work put into this "tune".
I was able to shift some bits to the MSO7024 firmware and got all the "Forevers".
No overshoots, in fact it is shooting just fine as the attached image shows.
I wasn't able to use the patchFinder script (it didn't find the appropriate sections) so I used IDA and the previous posted patches to find the required modifications.
I also changed the bootscreen but had to use mtd3 instead of mtd7 (probably depends on the current shadow image being used).
It is a shame about all the OT though, an "Hide all the BS button" would make things much less painful.

Cheers,
José

The DOOM tradition continues!

Agreed on hacking the 7k series. I did the same with one we have at work for "educational purposes" (but actually this time!) after cracking my own MSO5000 once seeing some work done by mabl. In my case this was right when the NSA had released Ghirdra. Works quite well especially considering it's free. I would think HexRays should be a little worried. I've thought about selling my 5k to get a 7k, if only for the logic head being easier to deal with than the 5k. That said, folks seem to have done a decent job reversing the 5k's logic head into something less silly than the factory offering!

Only beef I ran into is I had to manually make changes to the binary with okteta, as at the time Ghirdra had a bug where it wouldn't correctly apply memory offsets when repacking the binary with your changes. This may be fixed now, been a while since I looked.

Was a lot of fun and a great opportunity to knock rust off my reversing skillset I'd recommend trying it to anyone else in here. It's not a super difficult challenge if you know a little assembly and your way around IDA Pro or Ghidra. Mostly just pointer redirection and some changing of JMP instructions.

[nichrist]

Hi
I am thinking to upgrade my old LAB Oscilloscope (a Rigol DS1052E bought back in2009) and to buy a DSO5000. The idea is of course to buy a base model and hack for the full power. I am currently between MSO5074 and MSO5072. MSO5074 is 100euro more expensive, is it worth the extra money? Can I hack MSO5072 to 4 channels?
Thank you

[Noy]

Yes you can hack the MSO5072 to 4 channel.
But consider the price of 2 additional 350MHz passive probes.. So 100€ more for 5074 with 4 probes are worth the money. Except you have already 2 additional probes (350MHz)

[Cnoob]

Just like to thank every one involved in working out how to hack the mso5000.
I've just hack my mso5104 which arrived yesterday.

[Commodore8888]

Went to pop my Dec 2018 MSO5000 open to swap in a little higher volume fan and made a not so nice discovery....

The metal inserts Rigol used to provide threads for their screws, might end up being so friendly to the ABS plastic the scope is made of  This thing has lived its whole life on a bench too.

The bigger issue is if this starts, you may one day find your scope feet are now stuck.

Still have a year of warranty left, so maybe I can get a new front cover :/

[Ogawa Mitsuaki]

Everyone who is working hard.
I am always grateful for your help.

I also made 70-> 350!
I bought the other options.

The MSO5000 gets very hot.
I installed a 5V fan and filter on the back panel.
5V is taken from the front USB of the MSO5000, but even with the hacked MSO5000, there are no problems so far.
If there is a problem, I will supply it from a USB HUB.

The parts for mounting were created with a 3D printer and attached with double-sided adhesive tape. The probe holder was also created with a 3D printer.

[jeffjmr]

Oh that probe holder is just what I need to keep my rat’s nest of probe cables off my bench.

How did you attach it and can I buy one?

Jeff

[Ogawa Mitsuaki]

Thank you everyone!

I made it as a hobby, so I don't sell it.
I can provide data for 3D printing.
Download the file and print it in 3D.
Since it is divided into 3 parts, please bond the parts with a solvent-based adhesive after printing.
It can be used with only two parts, MSO500_Holder.stl and MSO500_L-ShapedConnection.stl.
Attach it to MSO5000 with double-sided adhesive tape.

Also, this is the place for MSO5000 hacks, so let's end this topic.

If there is a place with such a topic, we will cooperate as much as possible, so please make a place. Or please tell me the location.

Thank you.

*postscript:
I put the modified 3D data on the next page.
There are 3D data for left side installation and 3D data for right side installation dedicated to MSO5000.
There is also general-purpose 3D data.

[Kean]

If there is a place with such a topic, we will cooperate as much as possible, so please make a place. Or please tell me the location.

Nice work!  It looks like it should work with many brands of scopes & probes.

There is a thread for 3D printed parts, and although it is mainly for replacement parts, I think this fits in there as well.
https://www.eevblog.com/forum/testgear/replacement-knobs-feet-and-fittings-for-test-equipment/
Or you could create a post specifically for your design at https://www.eevblog.com/forum/3d-printing/

[Ogawa Mitsuaki]

I went to the place where I was taught, but it wasn't what I envisioned ...

The parts (L-ShapedConnection) have been redesigned with a general-purpose shape so that they can be used with various oscilloscopes.
However, there are loose corners on the sides of the oscilloscope.
When pasting with double-sided adhesive tape, adjust the thickness before pasting.

If there is no request, this is the end.

Thank you.

[TDA7056]

Thanks folks! I can confirm that procedure described in the post #1901 worked flawlessly for May 2020 build.