Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 901355 times)

spanakop and 9 Guests are viewing this topic.

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #375 on: December 27, 2018, 03:35:44 pm »
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!

Can you replace /etc/passwd?

I'll leave that to tv84 and oliv3r. It's encypted and probably can't be transferred to another scope.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #376 on: December 27, 2018, 03:47:00 pm »
Here's version 00.01.01.02.03. You could put it on a thumb drive and try to downgrade. But maybe someone else would like to try something with 1.2.4 first.

P.S.: Upload will be finished in about 10 minutes.
thank you! will try and report

It most probably won't let you downgrade. That should be where the USB vendor disk comes into play.

Let's first try to reset the password and then we'll deal with the downgrade thing. It would be interesting to recover the new GEL that should be inside that scope. Working on it.
« Last Edit: December 27, 2018, 03:50:58 pm by tv84 »
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #377 on: December 27, 2018, 03:51:58 pm »
Can we patch the update script so that it thinks that it is at least the same version?
« Last Edit: December 27, 2018, 03:54:18 pm by FireBird »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #378 on: December 27, 2018, 03:57:00 pm »
I'll leave that to tv84 and oliv3r. It's encypted and probably can't be transferred to another scope.

Nah, it's just a hash of the word "root".

Can you post the contents of your new "/etc/passwd"? Maybe we can crack it.

« Last Edit: December 27, 2018, 03:59:47 pm by Fungus »
 

Offline Commodore8888

  • Contributor
  • Posts: 32
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #379 on: December 27, 2018, 06:03:48 pm »
Got an update from Tequip....updated Jan 31 ship date (site says 15 in stock  |O )

When it DOES show up....eventually lol....I'm treating this as a hobby project of hacking first (that happens to spit out a nice scope at the end). Edit:: Called. Stock system error. Should go out Friday or early next week.

Nearly guaranteed to have the "fixed" firmware with a no longer obvious root password. Guess we can safely assume that wasn't intentional  ::).

~Let the fun begin!~
« Last Edit: December 27, 2018, 07:05:51 pm by Commodore8888 »
Mike D
 

Offline justanothername

  • Regular Contributor
  • *
  • Posts: 143
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #380 on: December 27, 2018, 06:05:44 pm »
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
 

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6447
  • Country: hr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #381 on: December 27, 2018, 06:46:30 pm »
Just took a look at current user manual for MSO5000 and compared it to the old mso/ds7000 manual. In a new MSO5000 manual, you can apply math on math !!
You can have previous math channels as sources. In initial DS7000 manual that wasn't the case.
It is implemented pretty much very similar to how R&S did it in 2000/3000....
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #382 on: December 27, 2018, 06:51:30 pm »
Can we patch the update script so that it thinks that it is at least the same version?
It took a bit longer but let’s see if we can fool that little bastard. :) If I didn't mess things up, here’s a file that should change the environment to make the scope think that it has the older firmware installed and that this is a installation of the same version.

After you’ve downloaded the file, rename it to “DS5000Update.GEL” before you put it on the thumb drive. Good luck!
 

Offline Swap_File

  • Newbie
  • Posts: 6
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #383 on: December 27, 2018, 07:02:06 pm »
Got an update from Tequip....updated Jan 31 ship date (site says 15 in stock  |O )

I just got done talking with someone from Tequipment, there was a mix up on the updated ship date and all the back ordered scopes (or my one at least :P) is supposed to be going out early next week.
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #384 on: December 27, 2018, 07:45:00 pm »
Distributor of rigol 'suggested' they ahve received instructions from rigol that they need to upgrade any exisiting units they have before they ship, and that they should be contacting customers who have already got theirs to arrange an upgrade.

Since my distirbutor ( whos siting on mine, pending pickup  has already been paid for this one, he contacted me to ask if i wanted it upgraded.  ( smart cookie ).

Read between the lines. Rigol does not want these being hacked. 
On a quest to find increasingly complicated ways to blink things
 

Offline orion242

  • Supporter
  • ****
  • Posts: 746
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #385 on: December 27, 2018, 08:40:42 pm »
Hmm.  Maybe we should refuse delivery...sorry return to sender.  lol.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #386 on: December 27, 2018, 08:46:53 pm »
Read between the lines. Rigol does not want these being hacked.

Too late. We have a ton of info now.

 

Offline quix

  • Newbie
  • Posts: 6
  • Country: ch
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #387 on: December 27, 2018, 09:26:42 pm »
Can we patch the update script so that it thinks that it is at least the same version?
It took a bit longer but let’s see if we can fool that little bastard. :) If I didn't mess things up, here’s a file that should change the environment to make the scope think that it has the older firmware installed and that this is a installation of the same version.

After you’ve downloaded the file, rename it to “DS5000Update.GEL” before you put it on the thumb drive. Good luck!
Wow! that was quick and WORKING!! i can login now
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #388 on: December 27, 2018, 09:45:43 pm »
You just flashed 1.2.3... No use.
During my tests, the firmware were flashed into the app A space (mtd3, 4, 5 and 6). Dumping mtds 7 to 10 might provide the new f/w.
 

Online Martin72

  • Super Contributor
  • ***
  • Posts: 5670
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #389 on: December 27, 2018, 09:46:25 pm »
New Firmware ?
But official there´s no update avaible(rigolna, rigol eu)

Offline quix

  • Newbie
  • Posts: 6
  • Country: ch
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #390 on: December 27, 2018, 09:48:49 pm »
But, nonetheless. Tell us what you see in the /user/download/
empty
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #391 on: December 27, 2018, 09:56:46 pm »
New Firmware ?
It has a higher version number but we do not know if the login lock out is the only change.
 

Online Martin72

  • Super Contributor
  • ***
  • Posts: 5670
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #392 on: December 27, 2018, 10:10:42 pm »
By the way, it seems on the rigol HK site you could download the former version.

Relase Note :

Quote
[Supported Model]    All the MSO5000 Series Digital Oscilloscopes
[Latest Revision Date]  2018/10/15

[Updated Contents]
--------------------

v00.01.01.02.03  2018/10/15

     - Release the production version

edit:

http://www.rigol.com/File/ProductSoftWare/20181017/DS5000(ARM)Update.rar
« Last Edit: December 27, 2018, 10:19:33 pm by Martin72 »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #393 on: December 27, 2018, 11:23:25 pm »
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #394 on: December 27, 2018, 11:39:16 pm »
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
That is an encrypted password.  Unix/Linux does not decrypt passwords in /etc/passwd, it only encrypts user typed password using the same key and compares it to the string stored in /etc/passwd
 

Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 4694
  • Country: au
  • Question Everything... Except This Statement
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #395 on: December 27, 2018, 11:45:46 pm »
I think he was asking for someone to have a go at cracking it as it seems like a very small hash.

Its not something stupid like root as the password?
 

Offline quix

  • Newbie
  • Posts: 6
  • Country: ch
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #396 on: December 28, 2018, 01:31:19 am »
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
20 minutes with hashcat on a radeon hd7900 -> Rigol201  :-DD

for those interested. researching this took longer then 20mins ;-) linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. i copied the hash part into a file (rigol.hash) and here's the command i used for hashcat:
Code: [Select]
hashcat64.exe -a 3 -m 1500 rigol.hash
« Last Edit: December 28, 2018, 01:39:22 am by quix »
 

Offline djnz

  • Regular Contributor
  • *
  • Posts: 179
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #397 on: December 28, 2018, 05:28:48 am »
Have you guys thought of a way to side-load an authorized_keys file into .ssh if rigol decides to change the password again?
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #398 on: December 28, 2018, 07:46:34 am »
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!

Can you replace /etc/passwd?
The password is stored in the ramdisk, which is part of the FIT image, so while you can change it, it is never saved to disk. Also even if we changed it, the hash of the initrd wouldn't mach of the FIT image anymore, so we'd have to update as well. Not impossible, not trivial either.

What is rather easy is modify the start.sh script once in, to change/wipe the password after startup :) the start.sh is part of the app partition, which is a regular r/w mounted filesystem.

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #399 on: December 28, 2018, 07:49:03 am »
Can we patch the update script so that it thinks that it is at least the same version?
I would assume so; we can re-crypt it with cfger I believe and they can't/shouldn't change the keys easily, as they'd want the 'new' keys to still be accepted by old scopes


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf