Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 1108446 times)


Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2825 on: April 17, 2024, 10:28:42 pm »
It shows that I have 9 remaining attempts, I can not reinstall the old keys, maybe because I have overwritten the FRAM with the option -r, which was a huge mistake.

Can someone please help me please, I'm stuck and I really do not know what to do now.

Thanks a lot, Best Regards, Seppeltronics

P.S.

Code:

C:\Program Files\Python312>python C:\mPro\rigol_kg2.py 192.168.178.21
╒════════╤══════════╤═════════════════════════════════════════════════════╕
│ Code   │ Status   │ Description                                         │
╞════════╪══════════╪═════════════════════════════════════════════════════╡
│ BW1T2  │ ----     │ 100MHz to 200MHz Bandwidth Upgrade Option           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ BW1T3  │ ----     │ 100MHz to 350MHz Bandwidth Upgrade Option           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ 2RL    │ ----     │ 200Mpts Deep Memory Option                          │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ COMP   │ ----     │ Computer Serial Triggering and Analysis(RS232/UART) │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ EMBD   │ ----     │ Embedded Serial Triggering and Analysis(IIC, SPI)   │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AUTO   │ ----     │ Automotive Serial Triggering and Analysis(CAN/LIN)  │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ FLEX   │ ----     │ FlexRay Serial Triggering and Analysis              │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AUDIO  │ ----     │ Audio Serial Triggering and Analysis(I2S)           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AERO   │ ----     │ MIL-STD 1553 Serial Triggering and Analysis         │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ DG     │ ----     │ Dual Channel WaveGen 25 MHz AWG                     │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ PWR    │ ----     │ Integrated Power Analysis                           │
╘════════╧══════════╧═════════════════════════════════════════════════════╛
Model: MSO5104
Serial: MS5Axxxxxxx
Version: 00.01.03.03.00
MAC: xxxxxxxxxxxx

/rigol/tools/fram is OK!

╒════════╤══════════╤═════════════════════════════════════════════════════╕
│ Code   │ Status   │ Description                                         │
╞════════╪══════════╪═════════════════════════════════════════════════════╡
│ BW1T2  │ ----     │ 100MHz to 200MHz Bandwidth Upgrade Option           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ BW1T3  │ ----     │ 100MHz to 350MHz Bandwidth Upgrade Option           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ 2RL    │ ----     │ 200Mpts Deep Memory Option                          │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ COMP   │ ----     │ Computer Serial Triggering and Analysis(RS232/UART) │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ EMBD   │ ----     │ Embedded Serial Triggering and Analysis(IIC, SPI)   │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AUTO   │ ----     │ Automotive Serial Triggering and Analysis(CAN/LIN)  │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ FLEX   │ ----     │ FlexRay Serial Triggering and Analysis              │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AUDIO  │ ----     │ Audio Serial Triggering and Analysis(I2S)           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AERO   │ ----     │ MIL-STD 1553 Serial Triggering and Analysis         │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ DG     │ ----     │ Dual Channel WaveGen 25 MHz AWG                     │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ PWR    │ ----     │ Integrated Power Analysis                           │
╘════════╧══════════╧═════════════════════════════════════════════════════╛


Hi mate, Seriously if you're having that much trouble,  Just do the method that i offered you and you'll be ready to go and
all upgraded, As i said, NO ONE has ever (with my help) not successfully upgraded.
Just follow that link i gave you in my previous post
Download the zip file
Download video #2
if you have any questions let me know, But there really are only 3 steps to it

1. Backup
2. Upgrade to version 1.3.3.0
3. Patch the firmware

if you're already on 1.3.3.0 you can just do step 3 (Copy the 3 files to USB stick) in your scope , run the LOCAL UPGRADE
and you'll be fine.
QUESTION EVERYTHING!!!
 

Offline reztek

  • Newbie
  • Posts: 7
  • Country: br
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2826 on: April 18, 2024, 08:52:46 pm »
Quote
It shows that I have 9 remaining attempts, I can not reinstall the old keys, maybe because I have overwritten the FRAM with the option -r, which was a huge mistake.

Can someone please help me please, I'm stuck and I really do not know what to do now.

Thanks a lot, Best Regards, Seppeltronics

Was having the same problem. In my case, I had to set up a static IP on the scope and on the PC and connected both directly (no switch or router in between) and after that the script ran flawlessly.
 

Offline thorstormlord

  • Contributor
  • Posts: 26
  • Country: gr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2827 on: April 18, 2024, 09:04:56 pm »
I'll just post here that I did the static IP thing on my scope and the script still didn't work for me. The other method with the local upgrades works fine though, so if the script doesn't like your setup you can do the local upgrades as a fallback.
\m/ Heavy Metal is the Law. \m/
 
The following users thanked this post: BTO

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2828 on: April 18, 2024, 11:53:20 pm »
Quote
It shows that I have 9 remaining attempts, I can not reinstall the old keys, maybe because I have overwritten the FRAM with the option -r, which was a huge mistake.

Can someone please help me please, I'm stuck and I really do not know what to do now.

Thanks a lot, Best Regards, Seppeltronics

Was having the same problem. In my case, I had to set up a static IP on the scope and on the PC and connected both directly (no switch or router in between) and after that the script ran flawlessly.

Hi Reztek
Mate, don't give yourself a headache ok
Seppeltronics literally had the same problem you just did and was up shit creek and knee deep in trouble

SEPPELTRONICS IS SAVED AND UPDATED AND ALL OPTIONS UNLOCKED


Go to this link
https://www.eevblog.com/forum/testgear/post-hacking-rigol-mso5000-post-hacking-tutorial-deep-dive/

download the .zip upgrade file
download video #2

But in summary,
Just download the files and run through the steps 1 by 1, since Seppeltronics, Thorstormlord and many many others before you
have done the same thing and been successful, i don't see why it won't work for you either.
if you have trouble let me know, but i imagine you're going to come back in the next post and say , thanks very much it worked.

so go do that and then come back and tell us how happy you are   LOL
QUESTION EVERYTHING!!!
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2829 on: April 18, 2024, 11:54:41 pm »
I'll just post here that I did the static IP thing on my scope and the script still didn't work for me. The other method with the local upgrades works fine though, so if the script doesn't like your setup you can do the local upgrades as a fallback.
Exactly, Seppeltronics had the same problem; he's now upgraded through the local upgrade successfully
QUESTION EVERYTHING!!!
 
The following users thanked this post: seppeltronics

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2830 on: April 19, 2024, 12:02:41 am »
I'll just post here that I did the static IP thing on my scope and the script still didn't work for me. The other method with the local upgrades works fine though, so if the script doesn't like your setup you can do the local upgrades as a fallback.

I'm curious though, and, You've done DrMephisto's method.
it seems like it would be a good path to take considering that we don't need to do further patches. However, mate. in your opinion...
Why do you think it's not working for so many ?
You said
Quote
the script doesn't like your setup
However, if it's a method that works , it shouldn't matter what the script likes or not.
I've really been thinking about this and if it works for say 1 in every 10 people then it's not worth the risk is it .

Even if i try it as i suggested, and let's say it works for me, that's still not a high probability that it'll work for someone else.
Unless i could do something like prove for the next 10 people in a row (as a min.) with a video demo that it works, then ok.
but i think at this point it's just less headache to get to the next update and then patch at that point.

if however a better solution exists at that point, then.. Cool
but for now, i think the local upgrade option is the one that works the best, but i am curious why the other way doesn't work with a high
success rate.
QUESTION EVERYTHING!!!
 

Offline seppeltronics

  • Contributor
  • Posts: 19
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2831 on: April 19, 2024, 09:44:31 am »
Hello Reztek,

could you please share more details, how exactly did you do it?

- OS and version
- Type of network card
- IP addresses
- Call of the Script
- Log/Output of the script
-...

Thank you very much.

Best Regards, Seppeltronics
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2832 on: April 19, 2024, 10:14:01 am »
Try to uninstall all options first, wait for reboot, then install with regen private key flag.

I tried as described, first uninstalled and after reboot I installed with regen private key. Tried it several times but the oscilloscope only replies with "remaining attempts" as described by zauberpilz, now only 2 attempts left. What am I doing wrong? Could you please help?

Hey mate, Just wondering, How are you going with unlocking the scope.
Have you tried the method that i stated ?
You can keep persisting the method that you're doing or
You can do the method that i've put forward that we know works.

Just making sure everyone is up to date
QUESTION EVERYTHING!!!
 

Offline seppeltronics

  • Contributor
  • Posts: 19
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2833 on: April 19, 2024, 07:13:40 pm »
Zauberpilz and I had a call, as I understood it, he did not use the "01.03.03.00". Maybe that causes it?

What I also noticed in the script, line 405, whatever that means?
Code:
'version': '1.0'
And I also wondered if it works for models like my MSO5104?
« Last Edit: April 19, 2024, 09:30:33 pm by seppeltronics »
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2834 on: April 20, 2024, 01:30:54 am »
Zauberpilz and I had a call, as I understood it, he did not use the "01.03.03.00". Maybe that causes it?

What I also noticed in the script, line 405, whatever that means?
Code:
'version': '1.0'
And I also wondered if it works for models like my MSO5104?
Interesting....
QUESTION EVERYTHING!!!
 

Offline zauberpilz

  • Newbie
  • Posts: 6
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2835 on: April 21, 2024, 02:30:34 am »
I would guess version 1 of the keygen?
 

Offline zauberpilz

  • Newbie
  • Posts: 6
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2836 on: April 21, 2024, 02:31:57 am »
Since I am apparently the only user who was able to activate an MSO5000 100% with the keygen, albeit with minor initial problems, I will write here exactly what ultimately led to success for me.

First I installed the penultimate firmware (00.01.03.02.02) so that a fresh, unedited device is available. I then deactivated the already activated BND option using the keygen (rigol_kg2.py -d ip_addr) and restarted the device. Then I installed a new private key with the keygen (rigol_kg2.py -r ip_addr) and reinstalled the firmware a second time. This was probably unnecessary, but since I did it, I'll write it. After the firmware was reinstalled, I ran the keygen along with the IP address and everything was activated. To test whether the activations are permanent, I installed the latest firmware. And yes, all the options were still marked “forever.” Writing the private key to the device with -r creates a file called priv.pem on the computer. If I understand correctly, it contains the original key for the device. So keep it safe! So far I don't know of a way to write it back into the device. But that should be doable. And if you want to shorten your search for a compatible USB stick, then format your USB sticks with the Rufus tool and not with Windows! Since I always pre-format my USB sticks with this, ALL devices I connect them to recognize them without even a small problem. And to avoid problems when installing the firmware, simply reset the MSO to factory settings beforehand and everything will work wonderfully as it should. I hope this helps someone here.
« Last Edit: April 21, 2024, 02:37:25 am by zauberpilz »
 
The following users thanked this post: thm_w, Protegimus, wullie

Offline zauberpilz

  • Newbie
  • Posts: 6
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2837 on: April 21, 2024, 02:48:20 am »
There is someone else who did it.

reztek

I would have been surprised if it had only worked for me.
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2838 on: April 21, 2024, 08:56:37 am »
There is someone else who did it.

reztek

I would have been surprised if it had only worked for me.
Firstly thanks for your post on how you did it successfully.

Secondly -  Do we know why the success rate is so low for activation via this method ? it seems strange that only a handful or less have done
it successfully, I've personally had approx 100 odd people approach me for a solution who said they tried it that way and failed. I'm really
trying to understand why the success rate of it is so low ...... Any Ideas   I'm literally reading through all the posts of the hacks since
the 1052E (which i've already done) and the DS2000A (which i've already completed) and i'm now reading the MSO5000 path of which i have completed 10 pages of... i think 50 something

Thus far i have concluded that DS1052E merely had a Shared key, it was easy, one key for all.
DS2000A Use Symmetrical encryption so when the algorithm was obtained we could generate an unlock key (or.. Unlock options)
but of course everyone chose the option to unlock all. Using this method legitimately unlocked and licenced the scope

it would seem that for MSO5000 Rigol implemented Asymmetrical encryption, simply put, there is a secret key that is held at Rigol's end
that we don't have access to and for this reason we were not able to licence it and it was widely agreed (at least up to the first 10 pages, which gets us to 2018 i think it was) by those that are doing the hacking primarily that "Patching the software" would be the most viable solution.

so that's all fair and good, then dr Mephisto came up with this method of licencing the scope.
Now, here is the part i don't get . if it's a method that works

1.  Why are we being told "if it works" this will happen etc etc

2. Why is there such a low success rate.  (Perhaps people are not doing it right, Perhaps it's a touch and go method.)  who knows.

any idea why this happens ?



QUESTION EVERYTHING!!!
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3263
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2839 on: April 21, 2024, 10:39:19 am »
If I understand correctly, it contains the original key for the device. So keep it safe!

No, that file is the private key that was used to generate your licenses.

You can keep it but it's a bit irrelevant. Since you have the script you can re-generate a new priv key and a pack of new lics anytime.

The file that you should keep is the original Key.data, just in case.
 
The following users thanked this post: Protegimus, wullie
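
Added example, not part of the thread and not code from rigol_kg2.py: BTO's point about asymmetric licensing and tv84's note that a regenerated private key can sign a new pack of licenses both come down to where the verifier gets its public key. The sketch contrasts a verifier that trusts whatever key sits in rewritable storage with one that checks that key against a fingerprint pinned in read-only firmware. Assumptions: toy textbook RSA on fixed Mersenne primes (insecure, illustration only), a hypothetical `Device` class, a constructed serial and a made-up `serial:option` license message.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def toy_keypair(p, q):
    """Textbook RSA from two known primes. Toy only: no padding, tiny modulus."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def fingerprint(pub):
    """SHA-256 over a fixed text encoding of the public key."""
    return hashlib.sha256(f"{pub[0]:x}:{pub[1]:x}".encode()).hexdigest()


class Device:
    """Hypothetical instrument model; not the real firmware's logic."""

    def __init__(self, serial, vendor_pub):
        self.serial = serial
        self.key_store = vendor_pub               # rewritable storage
        self.pinned_fp = fingerprint(vendor_pub)  # assumed read-only firmware
        self.events = []                          # tamper log for operators

    def license_message(self, option):
        return f"{self.serial}:{option}".encode()  # assumed message format

    def accept_naive(self, option, sig):
        # Trusts whatever key is currently in rewritable storage.
        return verify(self.key_store, self.license_message(option), sig)

    def accept_pinned(self, option, sig):
        # Fail closed and record an event if the stored key is not the pinned one.
        if fingerprint(self.key_store) != self.pinned_fp:
            self.events.append(f"trust anchor mismatch while checking {option}")
            return False
        return verify(self.key_store, self.license_message(option), sig)


def demo():
    vendor_pub, vendor_priv = toy_keypair(2**61 - 1, 2**89 - 1)
    other_pub, other_priv = toy_keypair(2**107 - 1, 2**127 - 1)
    dev = Device("CONSTRUCTED-SERIAL-0001", vendor_pub)  # constructed sample
    msg = dev.license_message("OPT-A")
    vendor_sig = sign(vendor_priv, msg)
    other_sig = sign(other_priv, msg)

    results = {
        "vendor_license_before_swap": (
            dev.accept_naive("OPT-A", vendor_sig),
            dev.accept_pinned("OPT-A", vendor_sig),
        )
    }

    # The stored verification key is overwritten with a different public key.
    dev.key_store = other_pub

    results["replacement_license_after_swap"] = (
        dev.accept_naive("OPT-A", other_sig),
        dev.accept_pinned("OPT-A", other_sig),
    )
    results["vendor_license_after_swap"] = (
        dev.accept_naive("OPT-A", vendor_sig),
        dev.accept_pinned("OPT-A", vendor_sig),
    )
    results["tamper_detected"] = bool(dev.events)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each tuple is (naive verifier, pinned verifier). The signature scheme is only as strong as the storage holding the verification key, which is why the pinned check runs before any signature is evaluated.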

Offline smas

  • Newbie
  • Posts: 2
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2840 on: April 21, 2024, 05:09:26 pm »
Hi,

I was able to successfully unlock all options on MSO5074 by using the Python script rigol_kg2.py posted earlier on this forum by DrMefistO. I used the following procedure based on the experience of zauberpilz:

First, because the scope already had the patched firmware v00.01.03.03.00, I reverted it to the stock firmware v00.01.03.02.02 by using a usb stick and the factory menu (pressing SINGLE on reboot and selecting "Upgrade Firmware"). After that, I rebooted while pressing SINGLE and also did "Restore Defaults" from the same menu. After these steps, I verified in the scope (Util->Sys->Help->About and Opt List) that the firmware version became v00.01.03.02.02 and that all options were inactive.

Next, I connected the scope by a network cable to a WiFi router. I did not setup a static IP on the scope, it was assigned by the router automatically with DHCP. I checked what was the assigned IP address (192.168.1.82 in this example) and wrote it down. Next, I ran the rigol_kg2.py script on a linux laptop connected through WiFi to the same router. First, to check the network connection, I ran

Code:
$ python rigol_kg2.py -i 192.168.1.82
which returned a table of scope options (all were off), the scope's model, serial number, firmware version, etc. All looked as expected. This confirmed that the network setup was OK.

Next, I did

Code:
$ python rigol_kg2.py -r 192.168.1.82
This command first printed the same info table as the previous one, and after that

Code:
/rigol/tools/fram is OK!

Reading CFRAM...
100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 8192/8192 [00:21<00:00, 378.05it/s]
Reading CFRAM done.

Applying new CFRAM...
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 8192/8192 [03:39<00:00, 37.30it/s]
New CFRAM applied.

Key.data backup created.
New Key.data applied.

After that it printed a lot of lines like these:

Code:
Activating: 2RL [MSO5000-2RL@ ...]... unavailable.
Activating: 4CH [MSO5000-4CH@ ...]... not activated.
Activating: 5RL [MSO5000-5RL@...]... unavailable.
Activating: AERO [MSO5000-AERO@...]... not activated.


Note the "unavailable", "not activated", etc. Also after that it again printed an option table with all options off. Nevertheless, I continued, rebooted the scope while pressing SINGLE button and reinstalled THE SAME STOCK FIRMWARE v00.01.02.02 again using the factory menu.

After that, when the scope booted, I checked its assigned IP address, and confirmed that it was the same. Then, to check connection, I issued the command

Code:
$ python rigol_kg2.py -i 192.168.1.82
and got the info table with all the same information (all options disabled). After that I did

Code:
$ python rigol_kg2.py 192.168.1.82
This command first printed the same info table, and then

Code:
/rigol/tools/fram is OK!

Activating: 2RL [MSO5000-2RL@...
Activating: 4CH [MSO5000-4CH@...
Activating: 5RL [MSO5000-5RL@...
Activating: AERO [MSO5000-AERO@...


and more lines like this, after which I FINALLY SAW

Code:
╒════════╤══════════╤═════════════════════════════════════════════════════╕
│ Code   │ Status   │ Description                                         │
╞════════╪══════════╪═════════════════════════════════════════════════════╡
│ 2RL    │ Forever  │ 200Mpts Deep Memory Option                          │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ COMP   │ Forever  │ Computer Serial Triggering and Analysis(RS232/UART) │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ EMBD   │ Forever  │ Embedded Serial Triggering and Analysis(IIC, SPI)   │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AUTO   │ Forever  │ Automotive Serial Triggering and Analysis(CAN/LIN)  │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ FLEX   │ Forever  │ FlexRay Serial Triggering and Analysis              │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AUDIO  │ Forever  │ Audio Serial Triggering and Analysis(I2S)           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AERO   │ Forever  │ MIL-STD 1553 Serial Triggering and Analysis         │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ DG     │ Forever  │ Dual Channel WaveGen 25 MHz AWG                     │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ PWR    │ Forever  │ Integrated Power Analysis                           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ BW07T3 │ Forever  │ 70MHz to 350MHz Bandwidth Upgrade Option            │
╘════════╧══════════╧═════════════════════════════════════════════════════╛


After that I confirmed in the scope that all options were enabled. Next, I proceeded with upgrading to the stock firmware v00.01.03.03.00 using the local upgrade option from the scope menu, which went flawlessly. After upgrade finished I confirmed that all options were still active and I did the scope calibration as usual.

Hope this helps!
« Last Edit: April 22, 2024, 03:05:31 pm by smas »
 
The following users thanked this post: apulanta, Kean, core, Jaz, JCS666, wullie

Offline bulba99

  • Contributor
  • Posts: 44
  • Country: pl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2841 on: April 22, 2024, 02:32:28 pm »
@smas
are you sure you installed firmware v00.01.02.02 ?

Thank you for the guide.
 

Offline smas

  • Newbie
  • Posts: 2
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2842 on: April 22, 2024, 02:58:33 pm »
Hi bulba99,

Oops, I see that I made a misprint in the version number! I will fix the post.

The first thing I did, I downgraded the firmware from v00.01.03.03.00 (patched) to v00.01.03.02.02 (unpatched). The main reason to do that was to replicate the situation described by zauberpilz. Additionally, I wanted to certify that all options will remain activated after an upgrade from v00.01.03.02.02 to v00.01.03.03.00.
« Last Edit: April 22, 2024, 03:03:50 pm by smas »
 
The following users thanked this post: bulba99, JCS666

Offline seppeltronics

  • Contributor
  • Posts: 19
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2843 on: April 22, 2024, 07:01:50 pm »
Hello,

how do I downgrade to the older version and how do I get it? I'm not sure my backup worked. Is it possible with the official menu of the scope and how do I find the older version, is it available somewhere?

What does the press of the "Single Button" at the startup do? Is there a manual/tutorial on this?

Thanks a lot, best Regards, Seppeltronics.
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6722
  • Country: ca
  • Non-expert
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2844 on: April 22, 2024, 11:05:23 pm »
What does the press of the "Single Button" at the startup do? Is there a manual/tutorial on this?

Try it and you'll see. Pressing single brings you to the bootloader which allows upgrade/downgrade of the firmware and reset to factory defaults.
Normally you can only upgrade in the regular scope app.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline seppeltronics

  • Contributor
  • Posts: 19
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2845 on: April 23, 2024, 07:52:12 am »
Is the Version 01.03.02.02 that was used successfully available somewhere to download?

@BTO, if you have the 01.03.02.02, could you provide that on your Mega drive please?

Thanks a lot, Seppeltronics
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2846 on: April 23, 2024, 10:49:41 am »
Is the Version 01.03.02.02 that was used successfully available somewhere to download?

@BTO, if you have the 01.03.02.02, could you provide that on your Mega drive please?

Thanks a lot, Seppeltronics
Ask and you shall receive....

LINK TO VERSION 01.03.02.02   AND  01.03.03.00
https://mega.nz/folder/A8cEgQRI#5FSoMrCurJi71T7VkRPgYQ
QUESTION EVERYTHING!!!
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2847 on: April 24, 2024, 02:40:42 am »
What does the press of the "Single Button" at the startup do? Is there a manual/tutorial on this?

Try it and you'll see. Pressing single brings you to the bootloader which allows upgrade/downgrade of the firmware and reset to factory defaults.
Normally you can only upgrade in the regular scope app.

I'm planning on getting to the bottom of why people are having so much difficulty getting through this process so..

Question : I have no problem getting into the Pre Boot menu and to the options of Default and Firmware upgrade.
Although i see 2 issues arising here

1. A lot of people are saying that DEFAULT takes you back to the original firmware version and locks all the unlocked options, that's not actually true. I did it last night.
   Default just (seems to) Take your scope back to default settings, so if you had a custom setup file as i do, it changes the settings back to default settings

2. AS FOR THE DOWNGRADE...
Firmware upgrade doesn't actually downgrade the scope, I read from a forum user to first run DEFAULT (and i did) and then to load 1.3.2.2 onto usb then run the firmware upgrade from the preboot menu
(and i did) it failed  I have tried 3 different 1.3.2.2 files on the forum and they all fail

Note : My scope is on 1.3.3.0  with all options unlocked with the Patch

ANY IDEAS

So if we break this up into stages (AND I'D LOVE TO HEAR FROM DR MEPHISTO)
Stage 1 - Getting into the Pre Boot Menu  .. Piece of cake - DONE
Stage 2 - Getting my scope down from 1.3.3.0 to either 1.3.2.2  or if needed 1.3.0.3  ,  Not able to do that yet

ANY IDEAS
QUESTION EVERYTHING!!!
 

Offline BTO

  • Frequent Contributor
  • **
  • Posts: 424
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2848 on: April 24, 2024, 01:44:16 pm »
Is the Version 01.03.02.02 that was used successfully available somewhere to download?

@BTO, if you have the 01.03.02.02, could you provide that on your Mega drive please?

Thanks a lot, Seppeltronics
Ask and you shall receive....

LINK TO VERSION 01.03.02.02   AND  01.03.03.00
https://mega.nz/folder/A8cEgQRI#5FSoMrCurJi71T7VkRPgYQ

Quick update to this post of mine

Update 1 - I have deleted my last post as I no longer require the 1.3.2.2 upgrade file. I have worked out the problem.

Update 2 - The 1.3.2.2 GEL file at the link I have supplied is 100% good, verified and working.

My scope until today was on Version 1.3.3.0, upgraded VIA PATCH and all options unlocked.
I can confirm that I downgraded (using the file at the link) from 1.3.3.0 to 1.3.2.2.

- After the downgrade of firmware version - I LOST ALL THE OPTIONS
- The firmware version did reflect that I was now on 1.3.2.2

I tested this 5 times over and I can confirm that even when you downgrade (as you would logically conclude) you can absolutely upgrade back again and re-patch if need be.


THE PROCEDURE TO FOLLOW IS AS FOLLOWS (it's pretty simple)
I am also going to put a video at the same location as the link I have supplied for the GEL file.


1. ACCESSING THE PRE-BOOT MENU (what some have called "The Hidden Menu")
In the Pre-Boot Menu you get 2 options:
UPGRADE FIRMWARE
RESTORE DEFAULTS

To get to this point:
1. Start with the scope OFF
2. Turn the scope ON and immediately and REPEATEDLY press the "SINGLE" button (say approx 2 presses per second). You don't need to be highly accurate, just not too slow.

2. DOWNGRADING TO 1.3.2.2

1. Download the file from my link here
https://mega.nz/folder/A8cEgQRI#5FSoMrCurJi71T7VkRPgYQ

2. Get the file, extract it and put ONLY THE .GEL FILE in the root of a USB stick (formatted FAT32)
3. Follow the procedure in point 1  BUT SELECT "RESTORE DEFAULTS" (It's not necessary, but.. Be on the safe side)
4. Turn off your scope after step 3 has completed
5. Follow the procedure in point 1  BUT SELECT "UPGRADE FIRMWARE"
IF IT FAILS - All the lights will flash and the bottom of the screen (within 10 seconds) will say "Upgrade failed, Please check file" (I would check that you extracted it and I would try another USB)
IF IT SUCCEEDS - The bottom of the screen will say "Upgrading please waitting" (no, that's not a spelling error, that's what it actually says), then it will say ... Successful.
Wait 10 seconds then... restart the scope.
6. After this, restart the scope and you'll see that your options have disappeared and that your scope version is now 1.3.2.2

Only catch is.. you cannot downgrade the version from the Local Upgrade option within the O/S; it must be done from the Pre-Boot Environment.

Let me know if you have any issues.
Beyond that, I'm going to try to get this Dr Mefisto method working and make a video for it. At least we now know we can try the method without fear of not being able to re-patch again.
QUESTION EVERYTHING!!!
 

Offline Jaz

  • Newbie
  • Posts: 1
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2849 on: April 24, 2024, 03:32:47 pm »
I confirm, rigol_kg2.py script works well.
« Last Edit: April 24, 2024, 03:34:43 pm by Jaz »
 

