Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 381216 times)


Offline imo

  • Super Contributor
  • ***
  • Posts: 2657
  • Country: li
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #900 on: March 06, 2019, 06:26:04 pm »
Is this great effort somehow applicable to the DS7000 as well??
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1900
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #901 on: March 06, 2019, 06:38:58 pm »
Is this great effort somehow applicable to the DS7000 as well??

Google says:

"Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory..."

From earlier in this thread.
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #902 on: March 06, 2019, 07:13:31 pm »
"Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory..."

I'm pretty sure the sshd hack would also work on these scopes, once they have ssh disabled. Patching them should also not be an issue. I looked already, but could not find a GEL of the DS7000...
 
The following users thanked this post: imo, NoisyBoy

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 406
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #903 on: March 06, 2019, 07:28:10 pm »
Hey mabl and other members,

Thanks for all the great information shared, one question I have is for whatever reason if I need to back out the patch to restore to official firmware state, is there a tested process to do that? Is it just to reapply the official update, or is there more?

I read the serial number could be lost after the patch, if I restore to official firmware state, then is the serial number restored? 

Thanks in advance for your help.
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #904 on: March 06, 2019, 07:32:45 pm »
I read the serial number could be lost after the patch, if I restore to official firmware state, then is the serial number restored? 
Serial number is saved in /rigol/data together with the calibration data. Once you lose that, you lose it, I think.

If I have is for whatever reason if I need to back out the patch to restore to official firmware state, is there a tested process to do that? Is it just to reapply the official update, or is there more?

Either manually copy back appEntry over ssh, or flash the original firmware. I'm not sure if there is a patch against same-version flashing though. Could potentially be patched out, though.
 
The following users thanked this post: NoisyBoy

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1900
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #905 on: March 06, 2019, 07:36:53 pm »
Secret menu allows installing any version, even previous ones.
 

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 406
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #906 on: March 06, 2019, 07:37:02 pm »
It would be really nice if in the same process, the script also provides an option to backup the calibration data, and optionally the entire scope data to the USB. 

Then followed by another option to restore calibration data only, or the entire scope data before the patch.

This will allow flexibility for a full rollback in case something went wrong in the patch process.

I know that is a lot of extra work in scripting, but as a solution architect for 30 years, such capability has always been invaluable when disaster strikes on numerous upgrades I have been involved in.  Sorry if it is too much to ask  ;D as I am not a developer.

Thanks in advance for all the great work done by the members of this wonderful community.

Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.

I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I'm sure a new thread can be started for that so that people can endlessly post "Does this still work?"
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #907 on: March 06, 2019, 11:21:06 pm »
Using the matching antique toolchain https://github.com/qiupq/Xilinx-Compile-Tools-Sourcery-CodeBench, I now have bspatch, lua and an adapted version of fbpad running on my scope.

This is rather convenient, since now we can output info messages onto the screen while being able to use a "proper" programming language (instead of /bin/ash)  :scared:
« Last Edit: March 06, 2019, 11:31:06 pm by mabl »
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #908 on: March 07, 2019, 12:30:59 am »
Dear all, I have prepared a generic launcher, which will run another script on the flash drive, called run.sh. From this environment, one has access to bspatch and lua. The output of the script will be redirected to a virtual terminal on the framebuffer. So you will be able to see the output of the script. I envision that additional lua code will enable reading the keys of the oscilloscope, such that one can interact and say select which type of patch one wants.

I have attached an example which just outputs text from inside lua to this file. It's not spectacular, but it gives one a place to start working without generating the binaries etc.
 
The following users thanked this post: Shodge

Offline jackbob

  • Regular Contributor
  • *
  • Posts: 180
  • Country: us
    • My YouTube Channel
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #909 on: March 07, 2019, 04:20:43 am »
I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I don't think the hack is completely finished, there are still so many bugs even in the latest firmware that a new firmware release is bound to come out and may need to be re-hacked.

However, I did receive my 5074 today and it was as easy as downloading the file and inserting into the scope. It took about 45 minutes of reading through posts though. I purchased this scope over a month ago and it has been on back order. When I purchased the scope and checked the forum, the hack was as simple as SSH and editing a line in the start file. After reading through tons of off topic posts and stories I found the solution, at least as of now.

All I did to unlock the scope was
a) download and copy the file onto my FAT32 formatted USB drive.
I got the file from this post https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282
(I also had to rename the file to DS5000Update.GEL)

b) plug the flash drive into the scope and run a local upgrade

c) enjoy the unlocked scope

I did not bother backing up the calibration data as my scope came with firmware version 01.01.04.04 and had a messed up calibration out of the box consistent with how others have described the calibration with the new firmware.
 
The following users thanked this post: NoisyBoy

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 406
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #910 on: March 07, 2019, 05:23:13 am »
That is the same procedure that I plan to follow.  Just curious, did you lose your license file after the patch update? 


I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I don't think the hack is completely finished, there are still so many bugs even in the latest firmware that a new firmware release is bound to come out and may need to be re-hacked.

However, I did receive my 5074 today and it was as easy as downloading the file and inserting into the scope. It took about 45 minutes of reading through posts though. I purchased this scope over a month ago and it has been on back order. When I purchased the scope and checked the forum, the hack was as simple as SSH and editing a line in the start file. After reading through tons of off topic posts and stories I found the solution, at least as of now.

All I did to unlock the scope was
a) download and copy the file onto my FAT32 formatted USB drive.
I got the file from this post https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282
(I also had to rename the file to DS5000Update.GEL)

b) plug the flash drive into the scope and run a local upgrade

c) enjoy the unlocked scope

I did not bother backing up the calibration data as my scope came with firmware version 01.01.04.04 and had a messed up calibration out of the box consistent with how others have described the calibration with the new firmware.
 

Offline jackbob

  • Regular Contributor
  • *
  • Posts: 180
  • Country: us
    • My YouTube Channel
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #911 on: March 07, 2019, 05:48:42 am »
I did lose my license files but that doesn't bother me. I suppose if you are concerned with warranty issues you could copy them over before upgrading the firmware and restore them with an official firmware version if needed. I really doubt Rigol would refuse to work on a hacked scope. I have heard of DS1054z's coming from Rigol pre-hacked. They know what they are doing and rely on forums like this for sales. They wouldn't want a thread with the topic "Rigol refuses to service hacked scope" that would kill sales. Although Rigol's warranty service is a whole other topic.
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #912 on: March 07, 2019, 07:29:05 am »
Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.
Not wanting to toot my own horn much, but we have a wiki already :) (well not on the eevblog wiki, which we could also do) but https://gitlab.com/riglol/rigolee/ has an extensive README already on some of the things, and there's also a wiki (which lacks all the hacking details so far) https://gitlab.com/riglol/rigolee/wikis/home
 
The following users thanked this post: thm_w, tcottle, luma

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #913 on: March 07, 2019, 07:31:34 am »
It would be really nice if in the same process, the script also provides an option to backup the calibration data, and optionally the entire scope data to the USB. 

Then followed by another option to restore calibration data only, or the entire scope data before the patch.

This will allow flexibility for a full rollback in case something went wrong in the patch process.

I know that is a lot of extra work in scripting, but as a solution architect for 30 years, such capability has always been invaluable when disaster strikes on numerous upgrades I have been involved in.  Sorry if it is too much to ask  ;D as I am not a developer.

Thanks in advance for all the great work done by the members of this wonderful community.

Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.

I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I'm sure a new thread can be started for that so that people can endlessly post "Does this still work?"

https://gitlab.com/riglol/rigolee/blob/MSO5000/target/data_backup.sh this script backs your cal data etc up. If you generate a GEL file with it using GEL Packer, you have an 'update' that does a backup.

I'll create a few gel files and upload them for general consumption soon-ish.
 
The following users thanked this post: NoisyBoy

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #914 on: March 07, 2019, 08:18:33 am »
Secret menu allows installing any version, even previous ones.

I did not manage to enter that secret menu using the SINGLE key. It might only work for scopes with a more recent boot loader? :-//
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #915 on: March 07, 2019, 08:20:44 am »
Initially it did not work for me the first time either.
Keep pressing "SINGLE" key at the same time as you Power On.
You should see two options at the top right corner.
 
The following users thanked this post: mabl

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #916 on: March 07, 2019, 08:22:55 am »
Initially it did not work for me the first time either.
Keep pressing "SINGLE" key at the same time as you Power On.
You should see two options at the top right corner.
Worked first try! Thank you!


I'm not familiar with uboot, more with barebox.
What is boot from Gold-Finger? Is it a common uboot command or Rigol specific?

Not sure, but there is a header called GoldFinger on the scope's PCB.

EDIT: I just realized we could play the same trick again and use the secret u-boot menu to execute arbitrary u-boot commands with a fake update. Interesting  :popcorn:
EDIT2: That actually works. Nice! We can definitely unbrick any scope and even clone scopes if we liked. Very nice.
« Last Edit: March 07, 2019, 09:06:42 am by mabl »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2115
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #917 on: March 07, 2019, 11:05:28 am »
EDIT2: That actually works. Nice! We can definitely unbrick any scope and even clone scopes if we liked. Very nice.

We can make a similar replica but not a full clone...
 

Offline imo

  • Super Contributor
  • ***
  • Posts: 2657
  • Country: li
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #918 on: March 07, 2019, 11:46:09 am »
Not sure, but there is a header called GoldFinger on the scope's PCB.
The GoldFinger enables the 10bit ADCs  :-DD
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2115
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #919 on: March 07, 2019, 11:57:51 am »
GoldenEye enables 12-bit...  :-DD
 
The following users thanked this post: imo

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #920 on: March 07, 2019, 12:21:07 pm »

So ... the 'scope keeps a copy of the factory-installed firmware somewhere, and you can restore it by pressing a button at startup?

That's awesome if true. It means hacking new firmwares is risk-free.

No. It just restores default scope settings.

The method here seems to be setting the uboot variable bootparam to 0x44454654, this is then checked by /rigol/checkboot (returns 2 if set, 0 if not, 1 on failure to read); called from /rigol/shell/start.sh. If 2 was returned, it sets the -nonv flag for appEntry.

Note, this flag will also be set on u-boot secret menu firmware downgrade. So backup your calibration files.
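
The boot-flag check described in the post above, modelled as an added shell example together with a verified backup of the data directory. This is not Rigol's code or the linked data_backup.sh; the function names, archive file names and the USB destination are assumptions, and only 0x44454654, the 2/0/1 return codes and /rigol/data come from the thread.

```shell
#!/bin/sh
# Added example: models the described check, it does not call /rigol/checkboot.

DEFT_MAGIC=0x44454654   # bootparam value from the thread, ASCII "DEFT"

# Stand-in for the decision /rigol/checkboot is described as making.
# $1 = bootparam value read from the u-boot environment ("" = read failed).
model_checkboot() {
    case "$1" in
        "")            return 1 ;;   # failure to read
        "$DEFT_MAGIC") return 2 ;;   # defaults requested, start.sh adds -nonv
        *)             return 0 ;;   # normal boot
    esac
}

# Archive a data directory and record its SHA-256 next to the archive.
# $1 = source dir (on the scope: /rigol/data)
# $2 = destination dir (assumption: a mounted USB stick)
backup_data() {
    mkdir -p "$2" || return 1
    tar -C "$1" -cf "$2/data.tar" . || return 1
    ( cd "$2" && sha256sum data.tar > data.tar.sha256 )
}

# Succeeds only if the archive matches its recorded hash and still lists cleanly.
verify_backup() {
    [ -f "$1/data.tar.sha256" ] || return 1
    ( cd "$1" && sha256sum -c data.tar.sha256 >/dev/null 2>&1 ) || return 1
    tar -tf "$1/data.tar" >/dev/null 2>&1
}

# Pre-flight: what would the next boot do, and is a good backup in place?
# $1 = bootparam value, $2 = backup dir
# Prints: normal | unreadable | nonv-with-backup | nonv-NO-BACKUP
preflight() {
    rc=0
    model_checkboot "$1" || rc=$?
    case "$rc" in
        0) echo normal ;;
        1) echo unreadable ;;
        2) if verify_backup "$2"; then echo nonv-with-backup
           else echo nonv-NO-BACKUP; fi ;;
    esac
}
```

Restoring is the reverse `tar -xf` into the data directory, done only after `verify_backup` succeeds.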
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 4547
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #921 on: March 07, 2019, 12:24:33 pm »
The method here seems to be setting the uboot variable bootparam to 0x44454654

AKA "DEFT" as in default  :-+
Keyboard error: Press F1 to continue.
 
The following users thanked this post: mabl

Online tv84

  • Super Contributor
  • ***
  • Posts: 2115
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #922 on: March 07, 2019, 12:26:57 pm »
There is one important thing that you should remember:

Every time there is a flash to the NAND, the system switches between NAND Area-A and NAND Area-B. So, the 2 last flashes are always present in the NAND.  (look at my NAND map, some msgs earlier)

And one can even force it to switch from one to the other, manually.
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #923 on: March 07, 2019, 12:30:46 pm »
True, I have yet to try out switching the boot system. But /rigol/data only exists once, doesn't it?
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 59
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #924 on: March 07, 2019, 01:53:42 pm »
But /rigol/data only exists once, doesn't it?
Yepp.
 

