EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: Agne on December 02, 2018, 04:19:19 pm

Title: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 02, 2018, 04:19:19 pm
TL;DR This thread is only for hacking of the Rigol 5000 oscilloscope. I own a Rigol 5000 series oscilloscope and have tried the old (Rigol 1000z & 2000A series) trick of dumping the RAM using SCPI commands, but unfortunately this does not appear to work on the 5000 series. Next step is trying the JTAG memory dumping method.

------------------------------------------------------------------------------------------------------------------
Since the previous thread about the Rigol 5000 series oscilloscope has been completely derailed from discussing the Rigol 5000 to arguing about A and B brands and if Lecroy and Tektronix are still A brands etc, I would like to start this new thread dedicated to hacking of the 5000 series.

To keep this thread clear from what made the previous thread unusable from a Rigol 5000 hacker's perspective I would like to set some simple rules for it.

* This thread is only for hacking the Rigol 5000 series oscilloscope
* If you would like to discuss other things such as if you should buy the 5000 series or what is an A or B brand then please post that in a different thread.
-----------------------------------------------------------------------------------------------------------------------

With that over with, let's discuss what hacking progress has been made so far.
I have tried on my 5000 series scope the SCPI memory dump command that was successfully used on the Rigol 1000z and 2000A series oscilloscopes. Unfortunately the command does not work on the 5000 series. When using the memory dump command with Netcat on my mac I get no reply from the scope and when using RigolBildschirmkopie I get “there was an error when sending the SCPI comand”. To verify that SCPI was working I tried the *IDN? , :SYSTEM:TIME? and the SYSTEM:DATE? commands and they worked without issue.

Rigol appears to have either removed or changed the name of the SCPI command used to dump the memory on the older scopes. At this point I think using  JTAG to dump the memory is our best bet. I will post an update when I know more.
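A probe of the kind described in the post above, added here as an example and not code from the thread: it sends a few SCPI queries over raw TCP and tells a reply apart from silence (a connection that is accepted but never answered, which is what the memory-dump attempt looked like) by using a receive timeout instead of hanging. Port 5555 for raw SCPI, the mock instrument, its identification string and its serial number are assumptions constructed so the code runs offline; the name of the memory-dump query used on the older scopes is not on this page and is deliberately not guessed here.

```python
"""Probe an instrument's SCPI-over-TCP interface and report, per query,
whether it answered or stayed silent.  Added example, not from the thread.
The mock instrument at the bottom is constructed so this runs offline."""
import socket
import threading
from typing import Dict, List, Optional

SCPI_PORT = 5555  # assumption: raw SCPI port on Rigol scopes; not stated on the page


def scpi_query(host: str, port: int, command: str, timeout: float = 2.0) -> Optional[str]:
    """Send one SCPI command and return its reply line.

    Returns None when the instrument accepted the connection but sent nothing
    before `timeout` (or closed without answering).  A refused connection still
    raises, so "SCPI is down" and "this query is unknown" stay distinguishable.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(command.encode("ascii") + b"\n")
        buf = b""
        try:
            while not buf.endswith(b"\n"):
                chunk = sock.recv(4096)
                if not chunk:          # peer closed the connection
                    break
                buf += chunk
        except socket.timeout:
            return None
    reply = buf.decode("ascii", "replace").strip()
    return reply or None


def probe(host: str, port: int, commands: List[str], timeout: float = 2.0) -> Dict[str, Optional[str]]:
    """Run every query in turn; the value is the reply, or None for silence."""
    return {cmd: scpi_query(host, port, cmd, timeout) for cmd in commands}


# --- constructed mock instrument -------------------------------------------
# Answers the standard queries and, like the real 5000 series in the post,
# says nothing at all to anything it does not recognise.
MOCK_REPLIES = {
    "*IDN?": "RIGOL TECHNOLOGIES,MSO5074,MS5A000000000,00.01.00",  # constructed
    ":SYSTEM:TIME?": "12:15:08",
    ":SYSTEM:DATE?": "2018-11-10",
}


def start_mock_scpi_server() -> int:
    """Start the mock on 127.0.0.1 and return the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                cmd = conn.recv(4096).decode("ascii", "replace").strip().upper()
                reply = MOCK_REPLIES.get(cmd)
                if reply is not None:
                    conn.sendall(reply.encode("ascii") + b"\n")
                else:
                    conn.recv(1)   # stay silent until the client gives up

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_scpi_server()   # for a real unit use (scope_ip, SCPI_PORT)
    results = probe("127.0.0.1", port, ["*IDN?", ":SYSTEM:DATE?", ":FOO:BAR?"], 0.5)
    for cmd, reply in results.items():
        print(f"{cmd:16} -> {reply if reply is not None else '<no reply>'}")
```

The point of the None return is triage: a query that comes back None while *IDN? still answers on the same port means the instrument dropped that query, not that the link is dead, which is the distinction the post draws between the working *IDN? / :SYSTEM:TIME? checks and the silent dump command.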
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 02, 2018, 08:31:44 pm
I have now opened my Rigol 5000 series scope and looked for possible JTAG connectors. There appears to be spaces for two JTAG connectors on the board, one for the Zynq FPGA and one for the Spartan FPGA.

Unfortunately Rigol have not mounted the pin headers for the JTAG on the PCB.
This reduces their BOM cost by a few cents and makes connecting a JTAG programmer to the board more difficult.

I have attached below some images showing the inside of the scope and I have highlighted the possible location for the JTAG connectors. The connector that I am most interested in is small 9 pin one because it looks like the JTAG connector used to dump the memory on the Rigol 1000Z and 2000A series oscilloscopes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 02, 2018, 09:09:37 pm
I'd look at the unmarked 14 pin connector to the right.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 02, 2018, 11:25:59 pm
After looking for a simple solution to the problem of not having pin headers mounted on the JTAG connectors and not wanting to completely disassemble the scope to permanently solder in pin headers I found solderless press fit pin headers. I have ordered some and my hope is that I can push them in partially, just enough to make good contact while still being able to remove them when done.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 03, 2018, 07:35:34 am
I wouldn't use press-fit connectors. You'll need to put way too much force on the board which might damage it. Ceramic capacitors don't like being bent. Just take it apart and solder a connector in.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 03, 2018, 07:59:07 am
I wouldn't use press-fit connectors. You'll need to put way too much force on the board which might damage it. Ceramic capacitors don't like being bent. Just take it apart and solder a connector in.

Agreed, solder a normal header in.

Or you could use pogo pins, but you'd need to find a way to maintain pressure on the pins.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 09:12:46 am
If you don't want to solder headers in, get a long pin header - 10mm or more, then bend alternate pins. It can then be inserted such that the bent pins exert pressure on the sides of the holes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 09:21:24 am
If you don't want to solder headers in, get a long pin header - 10mm or more, then bend alternate pins. It can then be inserted such that the bent pins exert pressure on the sides of the holes.

If you get square pins they might exert enough pressure to make contact all by themselves.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 09:23:30 am
If you don't want to solder headers in, get a long pin header - 10mm or more, then bend alternate pins. It can then be inserted such that the bent pins exert pressure on the sides of the holes.

If you get square pins they might exert enough pressure to make contact all by themselves.
You need bent pins so each pin is independently sprung.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 03, 2018, 09:42:20 am
is the upgrade licence file encrypted?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: glenenglish on December 03, 2018, 10:01:39 am
How about I buy a 70 also and buy the upgrade to 100 in the same breath? That should be useful.
I'll have mine in 2 weeks or so... am a Xilinx man...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 10:12:27 am
is the upgrade licence file encrypted?

In the programming guide it shows this example of installing a license key:

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=586757;image)

The key's definitely a lot longer than a key for a DS1054Z.  :popcorn:

Does anybody have a license file? Can you look at it and see if the contents look like that?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 10:34:59 am
is the upgrade licence file encrypted?

In the programming guide it shows this example of installing a license key:

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=586757;image)

The key's definitely a lot longer than a key for a DS1054Z.  :popcorn:

Does anybody have a license file? Can you look at it and see if the contents look like that?
Pretty sure Dave mentioned he had one
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EEVblog on December 03, 2018, 10:46:10 am
is the upgrade licence file encrypted?

The license file is a single line of text as shown above.
"DS5000-2RL@" followed by 128 bytes of key data
Where 2RL seems to be the license type code
My license file didn't work though.
They need your serial number to generate the key.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2018, 12:27:55 pm
(128 bytes => 1024 bits)

It seems to me that we will be seeing asymmetric crypto  >:( . I think the MSO7000 will be the same.

As such, there won't be any licenses soon and the solution could be SW patches.

If the FW is signed, that is another ballgame (HW patch...  ::) ). 

Nonetheless, waiting for the memdump...  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 03, 2018, 12:52:42 pm
is the upgrade licence file encrypted?

The license file is a single line of text as shown above.
"DS5000-2RL@" followed by 128 bytes of key data
Where 2RL seems to be the license type code

Then it seems the hex string is a 1024-bit digital signature of the license code.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 01:06:53 pm
Then it seems the hex string is a 1024-bit digital signature of the license code.

Most likely the license type+the serial number.

If somebody can find the hash code in the ROM then it's easy to make a key generator.

The bad news would be if it's a 1024-bit signature of the license type+serial number+a secret salt value that's written to the flash memory at the same time as the serial number.

It would mean you need to get the salt value out and that might only be possible by opening it up and using JTAG.

Fingers crossed that they didn't do that.

If this thing runs Linux then step (1) would be to get access to the file system and dump all the files. See if there's anything interesting in there.

Step (2) would be to dump all the files before/after installing an option and see what changes.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 01:40:44 pm
Can anybody post all the RS232 logging messages from a bootup? Maybe there's useful info in there.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TNorthover on December 03, 2018, 03:04:58 pm
Most likely the license type+the serial number.

If somebody can find the hash code in the ROM then it's easy to make a key generator.

If it's an actual 1024-bit signature rather than a simple hash or something (as the size suggests) then no-one is going to be generating them any time soon. You also need Rigol's private key.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2018, 03:05:44 pm
Fungus,

With asym crypto involved and the boot signed, there's no salt reading or flash dumps that can help.

The most one can do is obtain the public key. But that is useless to create new software.

Let's wait for the next steps.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 04:38:38 pm
If I wanted to make a product like this with good security, I'd include a random number stored in the device as part of the production process, with a factory database of this number versus serial number, and use that rather than the serial no. for authenticating/decrypting license keys, so the actual serial number bears no useable relationship to the license key.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 03, 2018, 04:41:00 pm
Didn't the distributor generate the key though? I assume that means no asym crypto or the key isn't that safe.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 04:57:10 pm
Didn't the distributor generate the key though? I assume that means no asym crypto or the key isn't that safe.

They generate them on the Rigol web site.

Rigol could have a private key on there.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 03, 2018, 05:03:49 pm
Didn't the distributor generate the key though? I assume that means no asym crypto or the key isn't that safe.

They generate them on the Rigol web site.

Rigol could have a private key on there.


Oh right. The internet. I forgot about the internet.  :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 05:04:46 pm
Dave posted the boot output in another thread (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1954405/#msg1954405).

Code:
U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)

I2C:   ready
Memory: ECC disabled
DRAM:  448 MiB
DPU:   20170604
NAND:  OnDie ECC supported, 1024 MiB
zynq-In:    serial
zynq-Out:   serial
zynq-Err:   serial
Net:   Gem.e000b000
BootParam=0x0
Hit any key to stop autoboot:  0

NAND read: device 0 offset 0x4900000, size 0x3591fd
þ
NAND read: device 0 offset 0x4900000, size 0x8
 8 bytes read: OK

NAND read: device 0 offset 0x4500000, size 0x12c008
 1228808 bytes read: OK
Loading logo, x=310,y=247,width=404,height=89

NAND read: device 0 offset 0x5100000, size 0xd8ebf0
 14216176 bytes read: OK
 ## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Kerstrel Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x030000f8
     Data Size:    3302448 Bytes = 3.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00100000
     Entry Point:  0x00100000
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK
 ## Loading ramdisk from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  kerstrel-Update-Ramdisk
     Type:         RAMDisk Image
     Compression:  gzip compressed
     Data Start:   0x03328c5c
     Data Size:    10901113 Bytes = 10.4 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    sha1
     Hash value:   55bdcbebccba845da403130143793ee0135e53a1
   Verifying Hash Integrity ... sha1+ OK
 ## Loading fdt from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x0332661c
     Data Size:    9597 Bytes = 9.4 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   da2d17ba0d5a71b5897deec4cb026014f3132185
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x332661c
   Loading Kernel Image ... OK
   Loading Ramdisk to 1b099000, end 1bafe679 ... OK
   Loading Device Tree to 1b093000, end 1b09857c ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 3.12.0-xilinx (rigolee@Jim) (gcc version 4.8.1 (Sourcery CodeBench Lite 2013.11-53) ) #43 SMP PREEMPT Sat Jul 28 12:14:01 CST 2018
CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: Xilinx Zynq Platform, model: Xilinx Zynq
Memory policy: Data cache writealloc
PERCPU: Embedded 8 pages/cpu @c09f1000 s8384 r8192 d16192 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 113792
Kernel command line: console=ttyPS0,115200 no_console_suspend, root=/dev/ram rw
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 437416K/458752K available (4197K kernel code, 255K rwdata, 1716K rodata, 176K init, 179K bss, 21336K reserved, 0K highmem)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xdc800000 - 0xff000000   ( 552 MB)
    lowmem  : 0xc0000000 - 0xdc000000   ( 448 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc05ce880   (5915 kB)
      .init : 0xc05cf000 - 0xc05fb0c0   ( 177 kB)
      .data : 0xc05fc000 - 0xc063bd78   ( 256 kB)
       .bss : 0xc063bd84 - 0xc06689a4   ( 180 kB)
Preemptible hierarchical RCU implementation.
        Dump stacks of tasks blocking RCU-preempt GP.
        RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
NR_IRQS:16 nr_irqs:16 16
ps7-slcr mapped to dc802000
Zynq clock init
sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
Console: colour dummy device 80x30
Calibrating delay loop... 1725.23 BogoMIPS (lpj=8626176)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0xc03fa6b8 - 0xc03fa710
L310 cache controller enabled
l2x0: 8 ways, CACHE_ID 0x410000c8, AUX_CTRL 0x72360000, Cache size: 512 kB
CPU1: Booted secondary processor
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
gpio->base_addr is:0xdc84e000
The gpio irq num is:52
zynq_gpio e000a000.ps7-gpio: gpio at 0xe000a000 mapped to 0xdc84e000
hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
hw-breakpoint: maximum watchpoint size is 4 bytes.
zynq_ocm f800c000.ps7-ocmc: ZYNQ OCM pool: 256 KiB @ 0xdc880000
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
NET: Registered protocol family 2
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 10644K (db099000 - dbafe000)
hw perfevents: enabled with ARMv7 Cortex-A9 PMU driver, 7 counters available
NTFS driver 2.1.30 [Flags: R/W].
msgmni has been set to 875
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
DPU:Map vRam to 0xdca00000
DPU:Map iReg to 0xdcc00000
DPU:Ver=0x20170711
dma-pl330 f8003000.ps7-dma: unable to set the seg size
dma-pl330 f8003000.ps7-dma: Loaded driver for PL330 DMAC-2364208
dma-pl330 f8003000.ps7-dma:     DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
e0000000.serial: ttyPS0 at MMIO 0xe0000000 (irq = 59, base_baud = 6249999) is a xuartps
console [ttyPS0] enabled
xuartps e0001000.serial: failed to get alias id, errno -19
e0001000.serial: ttyPS1 at MMIO 0xe0001000 (irq = 82, base_baud = 6249999) is a xuartps
brd: module loaded
loop: module loaded
xspips e0006000.ps7-spi: master is unqueued, this is deprecated
xspips e0006000.ps7-spi: at 0xE0006000 mapped to 0xDC858000, irq=58
libphy: XEMACPS mii bus: probed
xemacps e000b000.ps7-ethernet: pdev->id -1, baseaddr 0xe000b000, irq 54
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
xusbps-ehci xusbps-ehci.1: Xilinx PS USB EHCI Host Controller
xusbps-ehci xusbps-ehci.1: new USB bus registered, assigned bus number 1
xusbps-ehci xusbps-ehci.1: irq 76, io mem 0x00000000
xusbps-ehci xusbps-ehci.1: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-rx8010sj 0-0032: Update timer was detected
rtc-rx8010sj 0-0032: rtc core: registered rtc-rx8010sj as rtc0
input: Goodix-TS as /devices/virtual/input/input0
xi2cps e0004000.ps7-i2c: 90 kHz mmio e0004000 irq 57
zynq-edac f8006000.ps7-ddrc: ecc not enabled
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
ONFI param page 0 valid
ONFI flash detected
NAND device: Manufacturer ID: 0x2c, Chip ID: 0xd3 (Micron MT29F8G08ADADAH4), 1024MiB, page size: 2048, OOB size: 64
Bad block table found at page 524224, version 0x01
Bad block table found at page 524160, version 0x01
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
TCP: cubic registered
NET: Registered protocol family 17
Registering SWP/SWPB emulation handler
rtc-rx8010sj 0-0032: setting system clock to 2018-11-10 12:15:08 UTC (1541852108)
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 176K (c05cf000 - c05fb000)
Starting rcS...
++ Mounting filesystem
++ Setting up mdev
++ Starting ftp daemon
rcS Complete
<root@rigol>rpcbind: cannot create socket for udp6
rpcbind: cannot create socket for tcp6
2018-11-10 12:15:21: (log.c.166) server started
7 2048 16 2 "/dev/fb0"
Mount user space to:/user
default setting by user set
Rigol Device gadget: Rigol Device ready
usbcore: registered new interface driver usbtmc


I don't know anything about that world, does anybody know if Xilinx do a complete secure boot process?

(and can you tell if they're using it from that output?)
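What the boot log above says about the flash layout, as an added example that is not code from the thread: it pairs the U-Boot "NAND read" lines with the MTD partition table the kernel prints later, so each pre-kernel read is attributed to a named partition, and it lists any flash ranges that no partition covers. The log excerpt embedded below is copied from the post; nothing beyond it is assumed.

```python
"""Attribute U-Boot's raw NAND reads to the kernel's MTD partition table and
report uncovered flash ranges.  Added example; the excerpt below is copied
from the boot log in the post."""
import re
from typing import List, NamedTuple, Optional, Tuple

BOOT_LOG_EXCERPT = """\
NAND read: device 0 offset 0x4900000, size 0x3591fd
NAND read: device 0 offset 0x4900000, size 0x8
NAND read: device 0 offset 0x4500000, size 0x12c008
NAND read: device 0 offset 0x5100000, size 0xd8ebf0
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
"""

MTD_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"$')
READ_RE = re.compile(r"^NAND read: device (\d+) offset 0x([0-9a-f]+), size 0x([0-9a-f]+)$")


class Partition(NamedTuple):
    name: str
    start: int
    end: int      # exclusive


class NandRead(NamedTuple):
    offset: int
    size: int
    partition: Optional[str]   # None when the read lands outside every partition
    fits: bool                 # False when the read runs past the partition end


def parse_partitions(log: str) -> List[Partition]:
    parts = []
    for line in log.splitlines():
        m = MTD_RE.match(line.strip())
        if m:
            parts.append(Partition(m[3], int(m[1], 16), int(m[2], 16)))
    return sorted(parts, key=lambda p: p.start)


def locate(parts: List[Partition], offset: int) -> Optional[Partition]:
    return next((p for p in parts if p.start <= offset < p.end), None)


def attribute_reads(log: str) -> List[NandRead]:
    parts = parse_partitions(log)
    reads = []
    for line in log.splitlines():
        m = READ_RE.match(line.strip())
        if not m:
            continue
        offset, size = int(m[2], 16), int(m[3], 16)
        p = locate(parts, offset)
        reads.append(NandRead(offset, size, p.name if p else None,
                              bool(p) and offset + size <= p.end))
    return reads


def uncovered_ranges(log: str, flash_size: Optional[int] = None) -> List[Tuple[int, int]]:
    """Gaps between consecutive partitions (plus a tail gap if flash_size is given)."""
    parts = parse_partitions(log)
    gaps, cursor = [], 0
    for p in parts:
        if p.start > cursor:
            gaps.append((cursor, p.start))
        cursor = max(cursor, p.end)
    if flash_size is not None and cursor < flash_size:
        gaps.append((cursor, flash_size))
    return gaps


if __name__ == "__main__":
    for r in attribute_reads(BOOT_LOG_EXCERPT):
        print(f"read 0x{r.offset:08x} +0x{r.size:07x} -> {r.partition} (fits={r.fits})")
    for lo, hi in uncovered_ranges(BOOT_LOG_EXCERPT, flash_size=1024 << 20):
        print(f"no partition covers 0x{lo:08x}-0x{hi:08x}")
```

Run against the log as posted, the four reads land in Bit1, Bit1, Bmp1 and Sys1 (the "1" half of a duplicated Bit/Sys/App/Bmp set), all within their partition bounds, and the only range the table leaves unnamed is 0x40000 to 0x100000 between "Env" and "DATA"; the last partition ends at exactly the 1024 MiB the NAND driver reported, so there is no tail gap.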

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 03, 2018, 05:42:12 pm
If I wanted to make a product like this with good security, I'd include a random number stored in the device as part of the production process, with a factory database of this number versus serial number, and use that rather than the serial no. for authenticating/decrypting license keys, so the actual serial number bears no useable relationship to the license key.
But that wouldn't stop patching the binaries just like the older Agilent DSO6000 / DSO7000 scopes. I don't think the licensing system is very complicated because it just costs time with very little return.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lukier on December 03, 2018, 05:47:30 pm
Dave posted the boot output in another thread (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1954405/#msg1954405).

Code:
## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Kerstrel Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x030000f8
     Data Size:    3302448 Bytes = 3.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00100000
     Entry Point:  0x00100000
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK

Yup, looks like secure boot process, FIT images instead of straight kernel/initrd/dtb, SHA1 signatures. Smart.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 03, 2018, 05:53:08 pm
If I didn't miss something, I can see 128 hex characters, which should give only 512-bits. That should make it much easier.  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 03, 2018, 06:29:03 pm
If I wanted to make a product like this with good security, I'd include a random number stored in the device as part of the production process, with a factory database of this number versus serial number, and use that rather than the serial no. for authenticating/decrypting license keys, so the actual serial number bears no useable relationship to the license key.

That just becomes obscurity rather than security. The serial number is just a look up, so they know which public key to use to encrypt the data with. If you were able to find the public key, you can't do much useful with it. I'm picking you want to target the Zynq as it's what's running Linux. It's certainly got secure boot

If implemented properly, this is hard.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 06:48:59 pm
If I wanted to make a product like this with good security, I'd include a random number stored in the device as part of the production process, with a factory database of this number versus serial number, and use that rather than the serial no. for authenticating/decrypting license keys, so the actual serial number bears no useable relationship to the license key.

That just becomes obscurity rather than security. The serial number is just a look up, so they know which public key to use to encrypt the data with. If you were able to find the public key, you can't do much useful with it. I'm picking you want to target the Zynq as it's what's running Linux. It's certainly got secure boot



It would prevent a keygen - AIUI the previous riglol hack duplicates Rigol's process for generating a license from the serial number. If the scope's internal process used a key derived from Rigol's serial->key database, then it would not be possible to generate compatible license keys.
Of course there are plenty of other hack avenues, but with a more expensive scope, people will be less likely to want to do anything potentially warranty-voiding.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: imo on December 03, 2018, 06:56:23 pm
Hackers of all lands unite!  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TNorthover on December 03, 2018, 08:26:39 pm
Quote
That just becomes obscurity rather than security. The serial number is just a look up, so they know which public key to use to encrypt the data with. If you were able to find the public key, you can't do much useful with it. I'm picking you want to target the Zynq as it's what's running Linux. It's certainly got secure boot



It would prevent a keygen - AIUI the previous riglol hack duplicates Rigol's process for generating a license from the serial number. If the scope's internal process used a key derived from Rigol's serial->key database, then it would not be possible to generate compatible license keys.

Except that the scope needs to know something about this super-secret key to verify they used the correct one at generation time. At best it's just another public/private layer which doesn't help.

And generating a secure license key is really not the hard part of this problem in the first place. There are a few pitfalls, but realistically just cryptographically signing the serial+feature with an off the shelf algorithm is likely impossible to duplicate. Rigol would hold the private key, and there'd be nothing we could do to replace or discover it.

The hard part is securing the entire boot chain to guarantee all running code has been signed by Rigol (to prevent people bypassing the license checks entirely). Mobile phones have been contending with that problem for the last decade, with limited success. I doubt Rigol will do any better, but on the other hand there are multiple orders of magnitude more people attacking phones so maybe they'll do just well enough.
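The scheme the last few posts argue about, worked through as an added example (this is not Rigol's scheme and not code from the thread): a licence string in the "DS5000-2RL@<hex>" shape Dave described is parsed, and its blob is checked as a signature over model, option code and serial number. The issuer holds the private key; the device holds only the public key, so dumping the device's flash or RAM gives you the verifier and nothing that issues licences, which is TNorthover's point. The message layout (model-option:serial), the serial numbers and the use of textbook RSA without padding are assumptions made to keep the block self-contained; the parser itself handles any MODEL-OPT@HEX string and reports the blob's bit length, which also settles the 512-versus-1024-bit question from earlier in the thread.

```python
"""Parse a 'MODEL-OPT@HEX' licence string and show the trust split of a
signature-based scheme: the device holds only a public key, the issuer the
private key.  Added example, not Rigol's scheme.  Textbook RSA without padding
is used only to keep the illustration self-contained; use a real library and
proper padding for anything that matters."""
import hashlib
import random
import re
from math import gcd
from typing import Dict, Tuple

LICENSE_RE = re.compile(r"^([A-Z0-9]+)-([A-Z0-9]+)@([0-9A-Fa-f]+)$")


def parse_license(text: str) -> Dict[str, object]:
    """Split 'DS5000-2RL@<hex>' into model, option code and the raw blob.

    The bit count settles the 512-vs-1024 question: 128 hex digits are 64
    bytes (512 bits); 128 bytes would be 256 hex digits (1024 bits)."""
    m = LICENSE_RE.match(text.strip())
    if not m:
        raise ValueError("expected MODEL-OPT@HEX")
    blob = bytes.fromhex(m[3])
    return {"model": m[1], "option": m[2], "blob": blob, "bits": len(blob) * 8}


# --- toy RSA -----------------------------------------------------------------
def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                     # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:   # top two bits set so p*q has exactly 2*bits bits
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits: int, rng: random.Random) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, d) private, (n, e) public); n has exactly `bits` bits."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, pow(e, -1, phi)), (p * q, e)


def _digest(model: str, option: str, serial: str) -> int:
    # Assumed message layout: what one licence binds together.
    msg = f"{model}-{option}:{serial}".encode("ascii")
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def issue_license(priv: Tuple[int, int], model: str, option: str, serial: str) -> str:
    """Issuer side (needs the private key): sign model+option+serial."""
    n, d = priv
    sig = pow(_digest(model, option, serial), d, n)
    return f"{model}-{option}@{sig.to_bytes((n.bit_length() + 7) // 8, 'big').hex().upper()}"


def device_accepts(pub: Tuple[int, int], license_text: str, my_serial: str) -> bool:
    """Device side (public key only): dumping this code yields no way to issue keys."""
    n, e = pub
    lic = parse_license(license_text)
    sig = int.from_bytes(lic["blob"], "big")
    return sig < n and pow(sig, e, n) == _digest(lic["model"], lic["option"], my_serial)
```

With a 512-bit modulus the signature is 64 bytes, which prints as exactly the 128 hex characters FireBird counted; a 1024-bit modulus would double that. Re-using a licence on a unit with a different serial, or editing the option code, fails verification because the serial and option are inside the signed message rather than merely next to it.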
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2018, 08:40:23 pm
Let's not be paranoid. The only thing that could stop (meaning: make it sufficiently difficult) an attack is activating secure boot. All other things are within reach.

@lukier, SHA1 is a hash algorithm, not a digital signing algo! The fact that the NAND blocks are hashed doesn't mean much.

I don't think we have reached the secure boot point but, if we did, this is an electronics community forum so, something like this:
How to Break Secure Boot on FPGA SoCs through Malicious Hardware (https://eprint.iacr.org/2017/625.pdf) would be possible with the right guys... 
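The distinction tv84 draws, and Fungus's earlier question of whether the boot output shows secure boot, can be checked mechanically. The following is an added example, not code from the thread: it parses U-Boot's FIT load messages and classifies each subimage as hash-only (an integrity check anyone can recompute) or signed. The first sample is copied from the boot log posted above; the second is constructed from U-Boot's verified-boot output format ("Sign algo:" lines and a "sha1,rsa2048:keyname+" token on the verification line) and was not observed on any Rigol unit, so treat that shape as an assumption about U-Boot, not a finding about the scope.

```python
"""Classify U-Boot FIT verification output: integrity hash only vs. signature.
Added example, not from the thread.  The first sample is copied from the boot
log posted earlier; the second is constructed from U-Boot's verified-boot
output format for an RSA-signed subimage and was not observed on any Rigol."""
import re
from typing import Dict, List, NamedTuple

RIGOL_FIT_EXCERPT = """\
 ## Loading kernel from FIT Image at 03000000 ...
   Trying 'kernel@1' kernel subimage
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK
 ## Loading ramdisk from FIT Image at 03000000 ...
   Trying 'ramdisk@1' ramdisk subimage
     Hash algo:    sha1
     Hash value:   55bdcbebccba845da403130143793ee0135e53a1
   Verifying Hash Integrity ... sha1+ OK
 ## Loading fdt from FIT Image at 03000000 ...
   Trying 'fdt@1' fdt subimage
     Hash algo:    sha1
     Hash value:   da2d17ba0d5a71b5897deec4cb026014f3132185
   Verifying Hash Integrity ... sha1+ OK
"""

# Constructed: what the same section looks like when the subimage carries an
# RSA signature (U-Boot verified-boot format; an assumption, not a Rigol log).
SIGNED_FIT_SAMPLE = """\
 ## Loading kernel from FIT Image at 03000000 ...
   Trying 'kernel@1' kernel subimage
     Sign algo:    sha1,rsa2048:dev
     Sign value:   0123456789abcdef
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1,rsa2048:dev+ sha1+ OK
"""

LOAD_RE = re.compile(r"##\s+Loading (\w+) from FIT Image")
FIELD_RE = re.compile(r"^\s*(Hash algo|Sign algo):\s*(\S+)")
VERIFY_RE = re.compile(r"Verifying Hash Integrity \.\.\. (.*)$")


class FitCheck(NamedTuple):
    image: str
    hash_algos: List[str]
    sign_algos: List[str]
    verify_line: str

    @property
    def signed(self) -> bool:
        # A signature shows up either as a "Sign algo" field or as a
        # "<hash>,<sigalg>:<keyname>+" token on the verification line.
        return bool(self.sign_algos) or "," in self.verify_line

    @property
    def verified_ok(self) -> bool:
        return self.verify_line.endswith("OK")


def parse_fit_checks(log: str) -> List[FitCheck]:
    checks: List[FitCheck] = []
    cur = None
    for line in log.splitlines():
        m = LOAD_RE.search(line)
        if m:
            cur = FitCheck(m[1], [], [], "")
            checks.append(cur)
            continue
        if cur is None:
            continue
        f = FIELD_RE.match(line)
        if f:
            (cur.hash_algos if f[1] == "Hash algo" else cur.sign_algos).append(f[2])
            continue
        v = VERIFY_RE.search(line)
        if v:
            checks[-1] = cur = cur._replace(verify_line=v[1].strip())
    return checks


def summarize(log: str) -> Dict[str, str]:
    """image -> 'signed' / 'hash-only' / 'unverified'."""
    out = {}
    for c in parse_fit_checks(log):
        out[c.image] = ("unverified" if not c.verified_ok
                        else "signed" if c.signed else "hash-only")
    return out


if __name__ == "__main__":
    print("posted log:      ", summarize(RIGOL_FIT_EXCERPT))
    print("constructed sample:", summarize(SIGNED_FIT_SAMPLE))
```

On the posted log every subimage comes out hash-only: a SHA-1 over the data, which protects against a corrupt NAND read but not against someone who rewrites the data and the hash together. Note also what this log cannot show: on Zynq-7000 the BootROM's RSA authentication of the FSBL and the later U-Boot stage happens before U-Boot prints anything, so a clean U-Boot console transcript neither confirms nor rules out that hardware secure boot is enabled.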

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 03, 2018, 08:46:57 pm
Some fun info:
"How to Break Secure Boot on FPGA SoCs through Malicious Hardware"
https://eprint.iacr.org/2017/625.pdf
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lukier on December 03, 2018, 09:14:44 pm
@lukier, SHA1 is an hash algorithm, not a digital signing algo! The fact that the NAND blocks are hashed doesn't mean much.

Sure, but if they bother to load via FIT then it is very likely that secure boot is enabled, this u-boot is signed and there is a chain of crypto there.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 03, 2018, 10:12:18 pm
I feel reasonably confident that they would have used secure boot.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2018, 10:20:10 pm
I feel reasonably confident that they would have used secure boot.

I don't. If that was the case, we would be seeing something like the attached pic.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: glenenglish on December 03, 2018, 10:21:01 pm
There are also a couple of fixed numbers in the system.
The ZYNQ and the Spartan 6 have a DNA number.

I use it to generate MAC addresses in my gear.

Bitstream reverse engineering is "Non trivial"...

If the JTAG pins are available, and the external clocks are stopped, that might be of use.

This is this manufacturer's 2nd go at this, so they probably have hardened it up.

The other thing is, they might be using  PARTIAL RECONFIGURATION in the FPGA. Would make sense for different bandwidths as the filter structures are quite different for really high bandwidths. Although if it were me, I'd probably leave the filter structures the same for all bandwidths and just change the taps, which could be loaded on the fly, or initialized at load time as initialized block rams. lots of options..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 03, 2018, 11:16:02 pm
I got some firmware from some undisclosed "Address" in the interwebs, please don't ask for binaries and don't tell :)

I can brief you on some interesting snippets I found after mounting UBIFS mount points and whatnot from the firmware, please notice which binaries are stripped of symbols:

Code:
tools $ file *
axi:       ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
axi_GP0:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
beeper:    ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
cfger:     ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, stripped                 <——— !!!
checkAXI:  ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
checkboot: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
dpuTest:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
fram:      ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
socket:    ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, stripped                <——— !!!
spi2cpld:  ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
spi2dev:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
spi2k7:    ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
spi2pll:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
ssd2543:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
touch:     ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped

Our encrypted targets, which might eventually give access to custom firmware flashing are: fw4linux.sh and fw4boot.sh. You read right, they are encrypted shell scripts.

But how do we decrypt them? Seems like cfger does play a role early in the boot process (and also later on in "application selection"):

Code: [Select]
############################################
 #fetch system information from bootloader
 ############################################
$TOOLS/cfger -i /tmp/sysinfo.txt

Also cfger gets fed by some NAND data, also early in the boot process we can see this:

Code: [Select]
#Read Nand Block 0 data
nanddump -s 0 -l 0x40000 -f /tmp/env.bin /dev/mtd0

So if someone can get such a dump (from the lucky ones having the real device already on their benches), it will inform my analysis. I know this information is rather fragmented and incomplete, but I'm still putting the pieces together and have more juicy bits for future posts.

The application side is fairly huge (21MB), so I'm currently dissecting it section by section, fishing out the interesting regions. It might take some time but we'll get there.

I had a ton of fun last weekend so far and I'll keep digging in the near future, stay tuned ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 03, 2018, 11:38:14 pm
Thank you to all that provided feedback on the press fit pin headers. As a result of your feedback I am looking at alternative connector solutions.

While waiting for my new JTAG programmer to arrive I have been looking at alternative ways of hacking the oscilloscope. I decided to perform a port scan using Nmap to see if Rigol have left any vulnerable ports open. Results of the scan are below.

Code: [Select]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-03 23:44 W. Europe Standard Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:44
Completed NSE at 23:44, 0.00s elapsed
Initiating NSE at 23:44
Completed NSE at 23:44, 0.00s elapsed
Initiating ARP Ping Scan at 23:44
Scanning 192.168.2.134 [1 port]
Completed ARP Ping Scan at 23:44, 0.66s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:44
Completed Parallel DNS resolution of 1 host. at 23:44, 5.51s elapsed
Initiating SYN Stealth Scan at 23:44
Scanning RIGOL_MS5A********* (192.168.2.134) [1000 ports]
Discovered open port 80/tcp on 192.168.2.134
Discovered open port 111/tcp on 192.168.2.134
Discovered open port 22/tcp on 192.168.2.134
Discovered open port 21/tcp on 192.168.2.134
Discovered open port 5555/tcp on 192.168.2.134
Completed SYN Stealth Scan at 23:44, 0.59s elapsed (1000 total ports)
Initiating Service scan at 23:44
Scanning 5 services on RIGOL_MS5A********* (192.168.2.134)
Completed Service scan at 23:46, 151.31s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against RIGOL_MS5A********* (192.168.2.134)
NSE: Script scanning 192.168.2.134.
Initiating NSE at 23:46
Completed NSE at 23:46, 0.58s elapsed
Initiating NSE at 23:46
Completed NSE at 23:46, 1.04s elapsed
Nmap scan report for RIGOL_MS5A********* (192.168.2.134)
Host is up (0.0025s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      BusyBox ftpd (D-Link DCS-932L IP-Cam camera)
22/tcp   open  ssh      OpenSSH 6.0 (protocol 2.0)
| ssh-hostkey:
|   1024 dc:eb:8b:b2:55:43:48:10:0c:7b:49:70:74:**:**:** (DSA)
|   2048 e4:02:cd:a8:fd:c7:68:54:f4:26:49:0a:50:**:**:** (RSA)
|_  256 6f:c4:43:18:a3:95:f1:88:4f:f1:73:28:39:**:**:** (ECDSA)
80/tcp   open  http     lighttpd 1.4.33
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.33
|_http-title: 400 - Bad Request
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   395183  1            873/udp
|   395183  1            877/tcp
|   395184  1            873/udp
|   395184  1            877/tcp
|   395185  1            873/udp
|_  395185  1            877/tcp
5555/tcp open  freeciv?
MAC Address: **:**:**:**:**:** (Rigol Technologies)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.015 days (since Mon Dec 03 23:25:16 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Device: webcam; CPE: cpe:/h:dlink:dcs-932l

TRACEROUTE
HOP RTT     ADDRESS
1   2.52 ms RIGOL_MS5A******** (192.168.2.134)

NSE: Script Post-scanning.
Initiating NSE at 23:46
Completed NSE at 23:46, 0.00s elapsed
Initiating NSE at 23:46
Completed NSE at 23:46, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.92 seconds
           Raw packets sent: 1026 (46.790KB) | Rcvd: 1016 (41.042KB)

Rigol have left the SSH interface open. I can connect to it but unfortunately I do not yet have the root password. Does anyone know of any root passwords that Rigol have used on their scopes in the past?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 12:41:33 am
I got some firmware from some undisclosed "Address" in the interwebs, please don't ask for binaries and don't tell :)

I can brief you on some interesting snippets I found after mounting UBIFS mount points and whatnot from the firmware, please notice which binaries are stripped of symbols:

Does the firmware file also contain the hashed root password in the /etc/passwd or /etc/shadow files? If the files are in the firmware could you post them?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 04, 2018, 12:49:34 am
Yep: root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 04, 2018, 01:40:00 am
Cue John the Ripper.

BTW, any other user IDs in case they prevent direct root login? (Guess you could also check that if you have the filesystem.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 04, 2018, 03:08:08 am
Nope, there's only root under /etc/passwd and the sshd_config is all commented out except for the "UsePrivilegeSeparation no" directive. Shadow is empty.

Code: [Select]
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

[0x00000000]> cat /root/etc/passwd
root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh

[0x00000000]> cat /root/etc/shadow
[0x00000000]> cat /root/etc/ssh_config
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 04, 2018, 05:03:45 am
I'm trying to work out who the 'newbie' accounts are. Language comparisons are very interesting. brainstorm started out well, but is quickly slipping back to their natural writing style.
All good and fun, until you start selling PCBs.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Dwaine on December 04, 2018, 05:04:25 am
 :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: glenenglish on December 04, 2018, 06:47:38 am
The TAP access on the FPGA is fairly extensive. once the processor is stopped (but DRAM refresh allowed to run) that will enable loading an alternative bitstream for the PL, (while maintaining PS coherence) ... which would permit access via AXI transfers into the memory space .....and  rather personal inspection of memory, trace, all sorts of things, useful if you know something about  linux internals. I guess that would start with trapping where you fail when entering the incorrect feature code.

-glen
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 04, 2018, 07:59:27 am
@lukier, SHA1 is an hash algorithm, not a digital signing algo! The fact that the NAND blocks are hashed doesn't mean much.

Yep. It's probably just checking for file corruption, nothing to do with security/secrecy.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 04, 2018, 08:05:40 am
Yep: root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh ;)

I searched google for that string and got many hits, including this page: http://xilinx.wikidot.com/zynq-rootfs (http://xilinx.wikidot.com/zynq-rootfs)

Could it be a default password?  :popcorn:

Cue John the Ripper.

No need.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lukier on December 04, 2018, 08:24:54 am
This all sounds so lame it must be intentional  :-DD Even pricing-wise the base 70 MHz model is more expensive than Keysight DSOX1000. Hackability as a marketing feature :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 04, 2018, 08:36:59 am

 root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh ;)

user: root
pass: root
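To check the claim above yourself without reaching for a cracker, here is an added example that is not part of anyone's post in this thread: a standard-library reimplementation of md5crypt, the "$1$" scheme used by that /etc/passwd line, run against a small wordlist. The passwd line is the one posted from the firmware; the wordlist is constructed here for the demonstration.

```python
"""Verify the firmware's /etc/passwd hash against a short wordlist.

Added example, not the forum's code. '$1$' hashes are md5crypt (the FreeBSD/glibc
scheme), reimplemented on hashlib so it runs offline without john or crypt(3).
"""
import hashlib

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """crypt(3)'s 6-bits-per-character encoding, least significant bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt, magic=b"$1$"):
    """Return b'$1$<salt>$<hash>' for password/salt (both bytes), as crypt(3) would."""
    salt = salt[:8]                                  # crypt(3) uses at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for i in range(len(password), 0, -16):
        ctx.update(alt[:min(16, i)])
    i = len(password)
    while i:                                         # the odd bit-walk over the password length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                            # 1000 rounds of stretching
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return magic + salt + b"$" + enc


def parse_passwd_line(line):
    """Return (user, salt, hash field) from a passwd line; only '$1$' entries are handled."""
    user, field = line.split(":")[:2]
    if not field.startswith("$1$"):
        raise ValueError("not an md5crypt hash: " + field)
    return user, field.split("$")[2], field


def guess_password(line, candidates):
    """Return the first candidate whose md5crypt hash matches the line, or None."""
    _, salt, field = parse_passwd_line(line)
    for cand in candidates:
        if md5crypt(cand.encode(), salt.encode()) == field.encode():
            return cand
    return None


# The root entry exactly as posted from the MSO5000 firmware; the wordlist is made up here.
ROOT_LINE = "root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh"
SMALL_WORDLIST = ["rigol", "admin", "password", "123456", "root"]

if __name__ == "__main__":
    print(guess_password(ROOT_LINE, SMALL_WORDLIST))
```

The same routine, given the real wordlists, is all a cracker does for "$1$" hashes; the thread's point stands that no cracking was needed once the hash turned up in a public Xilinx rootfs page.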



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 10:27:11 am
This all sounds so lame it must be intentional  :-DD Even pricing-wise the base 70 MHz model is more expensive than Keysight DSOX1000. Hackability as a marketing feature :D

I wouldn't be surprised! That's where EEVBLOG does a wonderful (and totally free) job for these manufacturers.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lukier on December 04, 2018, 10:35:10 am
I wouldn't be surprised! That's where EEVBLOG does a wonderful (and totally free) job for these manufacturers.

:)

To be honest at first I wanted to pull the trigger on this Rigol, but the logic probe wasn't in stock anywhere (Batterfly/Batronix et al) and also I was worried the FW is crap, which we now know from Dave's video it is.

So without the hack I would end up with the most overpriced 70 MHz scope with crappy FW and even with the hack it would be crappy, probably even more bugs in the unlocked functionalities. Also lack of 50 Ohm kind of put me off.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 03:30:39 pm
Crosschecking with brainstorm "special" information, those who want a flavor of the MSO5000 files can look at this msg (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803).

They shouldn't be much different.  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 04, 2018, 03:52:35 pm
Don't take Rigol for SuperSmart. 3 years ago my looking into the DS2000 revealed they are SuperDumb. Look up my "Project Yaigol" post for details. Stealing from each other and blind copying without understanding how it is supposed to work seems to be the norm in that "industry".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 04, 2018, 03:54:21 pm
Yada Yada... Look up my "Project Yaigol" post for details.

Oh, FFS. 

(https://i.pinimg.com/originals/20/5e/d1/205ed1d14618ca22a3471215c818cb82.jpg)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 05:31:50 pm

 root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh ;)

user: root
pass: root

I can now confirm that the super secret password for the Rigol 5000 series oscilloscope is: root

With an open SSH interface and the password for the root account getting access to the file system became very easy.

Code: [Select]
login as: root
root@192.168.2.134's password:
<root@rigol>cd /
<root@rigol>df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                31.0M     21.9M      9.1M  71% /
devtmpfs                213.6M         0    213.6M   0% /dev
none                    100.0M    284.0K     99.7M   0% /tmp
/dev/ubi6_0              85.1M     69.6M     15.6M  82% /rigol
/dev/ubi1_0              37.2M    276.0K     35.0M   1% /rigol/data
/dev/ubi12_0            516.6M     67.3M    444.6M  13% /user
<root@rigol>ls
bin         home        lost+found  proc        sys         usr
checkapp    lib         media       rigol       tmp         var
dev         licenses    mnt         root        ubifs-util
etc         linuxrc     opt         sbin        user
<root@rigol>
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 06:08:14 pm
I have now extracted the 66.7 MB firmware.gel file from the oscilloscope.


Can you get me a memdump?  /dev/mem

I will try to dump the memory
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 06:48:13 pm
I think I am going to need some help with the RAM dump since Linux has made copying the RAM more difficult in newer versions.

For those playing along at home, the scope reports the Linux version as "3.12.0-xilinx".

Any suggestions how to dump the RAM over SSH?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 06:54:19 pm
I think I am going to need some help with the RAM dump since Linux has made copying the RAM more difficult in newer versions.

For those playing along at home, the scope reports the Linux version as "3.12.0-xilinx".

Any suggestions how to dump the RAM over SSH?

Can't you insert the USB drive and execute "cp /dev/mem" to the USB drive? Don't worry if it gives you an error as long as it copies something "big".

BTW, what is the FW version of your scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 07:08:08 pm
I completely forgot that the scope had a USB port. How nice of Rigol to give us an open SSH interface, simple password and a convenient USB port. It is almost like they have rolled out the red carpet for us.

The scope reports FW version 00.01.01.02.03
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 04, 2018, 07:22:31 pm
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 07:39:16 pm
With a little bit of work I got a 448 MB memory dump
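As an added example of one way to take such a dump over SSH (this is not Agne's procedure, which the post does not detail): a chunked copy from /dev/mem that records refused regions instead of stopping at the first error, since a kernel built with CONFIG_STRICT_DEVMEM rejects reads of some physical ranges and a plain cp aborts there. The base address is a parameter because the thread gives the dump size but not the physical RAM base; the self-test runs against a constructed file standing in for /dev/mem.

```python
"""Chunked copy of a /dev/mem-style device that survives refused regions.

Added example, not the poster's method. Reads fixed-size chunks with pread(), zero-fills
any chunk the kernel refuses (EPERM/EFAULT/EIO) or any short read, and so keeps file
offsets equal to physical offsets. start/length are assumptions the caller supplies.
"""
import os
import tempfile


def dump_memory(dev, out_path, start, length, chunk=1 << 20):
    """Copy [start, start+length) from dev to out_path; return [(offset, errno), ...] of refused chunks."""
    failed = []
    fd = os.open(dev, os.O_RDONLY)
    try:
        with open(out_path, "wb") as out:
            off, end = start, start + length
            while off < end:
                want = min(chunk, end - off)
                try:
                    data = os.pread(fd, want, off)
                except OSError as exc:              # refused region: note it and keep going
                    failed.append((off, exc.errno))
                    data = b""
                if len(data) < want:                # short read or failure: pad to keep alignment
                    data += b"\0" * (want - len(data))
                out.write(data)
                off += want
    finally:
        os.close(fd)
    return failed


def selftest():
    """Exercise dump_memory on a constructed 3 KiB file; returns (size, head_ok, tail_ok, failed)."""
    pattern = bytes(range(256)) * 12                # 3072 bytes of known content
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "fake_mem"), os.path.join(tmp, "mem.bin")
        with open(src, "wb") as f:
            f.write(pattern)
        failed = dump_memory(src, dst, start=1024, length=4096, chunk=512)
        with open(dst, "rb") as f:
            out = f.read()
    # reads past the end of the fake device come back short and are zero-filled
    return len(out), out[:2048] == pattern[1024:3072], out[2048:] == b"\0" * 2048, failed


if __name__ == "__main__":
    import sys
    # e.g. python3 memdump.py /dev/mem /mnt/usb/mem.bin 0x0 $((448 << 20))   (base address is your call)
    print(dump_memory(sys.argv[1], sys.argv[2], int(sys.argv[3], 0), int(sys.argv[4], 0)))
```

Run it on the scope with the output path on the mounted USB stick, and inspect the returned list: every entry is a 1 MiB window the kernel would not hand over, which is also a quick way to see what the kernel's /dev/mem policy actually allows on this build.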
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 07:40:53 pm
I completely forgot that the scope had a USB port.

It's the problem with this advanced equipment that should only be connected to the internet! It also has a USB interface... beware SEC Consult!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 04, 2018, 08:40:13 pm
I completely forgot that the scope had a USB port.

It's the problem with this advanced equipment that should only be connected to the internet! It also has a USB interface... beware SEC Consult!

LOL. Yeah another one security risk that will end the world... |O :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 04, 2018, 08:41:42 pm
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.

Why? A large part of their business is built on hacking.

I bet sales of the DS1054Z paid for a lot of the development of that ASIC.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 04, 2018, 10:02:11 pm
Indeed, there are a ton of similarities with that post against what I did a few days ago, thanks for sharing @tv84 :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 04, 2018, 10:06:37 pm
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.
Why are you surprised? According to Dave a lot of functionality needs at least some attention. Securing things usually is last on the list. Get the product out first. Rigol can always choose to plug holes in later firmware releases if necessary.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 10:11:18 pm
Indeed, there are a ton of similarities with that post against what I did a few days ago, thanks for sharing @tv84 :)

So, cfger is indeed the encryptor/decryptor of the shell scripts. It uses AES encryption.

<root@rigol>./cfger -h
 -r name:read the value of name
 -i file:read model,version,date to file
 -c name value: compare bwtween the value of name with value
 -s name value: set the value of name
 -t file: remove the all zero of the file
 -d input output: decrypt the input to output by aes
 -e input output: crypt the input to output by aes
 -h : show this help information

Enjoy:   :popcorn:
Code: [Select]
.data:000196D4 AES_KEY         DCD 0xFECFD8BA          ; DATA XREF: sub_B174+34o
.data:000196D8 dword_196D8     DCD 0xC4B5AABB
.data:000196DC dword_196DC     DCD 0xBFD4D8C3
.data:000196E0 dword_196E0     DCD 0xDDBEFDCA
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 01:33:07 am
Any idea why scripts are encrypted? I'm assuming that they have to be decrypted before they are executed?

Indeed, there are a ton of similarities with that post against what I did a few days ago, thanks for sharing @tv84 :)

So, cfger is indeed the encryptor/decryptor of the shell scripts. It uses AES encryption.

<root@rigol>./cfger -h
 -r name:read the value of name
 -i file:read model,version,date to file
 -c name value: compare bwtween the value of name with value
 -s name value: set the value of name
 -t file: remove the all zero of the file
 -d input output: decrypt the input to output by aes
 -e input output: crypt the input to output by aes
 -h : show this help information

Enjoy:   :popcorn:
Code: [Select]
.data:000196D4 AES_KEY         DCD 0xFECFD8BA          ; DATA XREF: sub_B174+34o
.data:000196D8 dword_196D8     DCD 0xC4B5AABB
.data:000196DC dword_196DC     DCD 0xBFD4D8C3
.data:000196E0 dword_196E0     DCD 0xDDBEFDCA
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 05, 2018, 07:50:07 am
Here are the 2 scripts decrypted with AES-CBC.

AES_KEY: BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD
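The key string above is simply the four DCD words from the listing read as little-endian bytes, which is why 0xFECFD8BA turns into BA D8 CF FE and so on. The following is an added example, not tv84's tool or anything from the Rigol firmware: it recovers the key from the posted listing and decrypts AES-128-CBC on the Python standard library alone, so it runs offline. The IV and padding are not stated in the thread; a zero IV and PKCS#7 padding (what openssl enc would use) are assumptions here, and the FIPS-197 test vector is used to check the cipher itself.

```python
"""Recover the cfger AES key from the IDA listing and decrypt AES-128-CBC in pure Python.
Added example, not the forum's or Rigol's code. Assumptions: AES-128, CBC mode, zero IV
(the thread gives the key but not the IV) and PKCS#7 padding."""
import re
import struct


def _make_sbox():
    """Build the AES S-box from GF(2^8) inverses plus the affine map (no 256-entry table to mistype)."""
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF     # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                                              # q /= 3, so q == 1/p
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _xtime(a):
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF

def _gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each, in state (column-major) order."""
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                                             # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _inv_round(s, round_key, mix):
    """One inverse round on a flat 16-byte state (byte i sits at row i % 4, column i // 4)."""
    s = [s[(i % 4) + 4 * ((i // 4 - i % 4) % 4)] for i in range(16)]  # InvShiftRows
    s = [INV_SBOX[b] ^ k for b, k in zip(s, round_key)]                # InvSubBytes + AddRoundKey
    if not mix:
        return s
    out = []
    for c in range(4):                                                 # InvMixColumns
        a = s[4 * c:4 * c + 4]
        for row in ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14)):
            out.append(_gmul(a[0], row[0]) ^ _gmul(a[1], row[1]) ^ _gmul(a[2], row[2]) ^ _gmul(a[3], row[3]))
    return out

def aes128_decrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, 0, -1):
        s = _inv_round(s, rk[rnd], mix=True)
    return bytes(_inv_round(s, rk[0], mix=False))

def aes128_cbc_decrypt(key, data, iv=bytes(16)):
    """CBC-decrypt data; strip PKCS#7 padding when it is well formed, otherwise return raw bytes."""
    if len(data) % 16 or len(key) != 16:
        raise ValueError("need a 16-byte key and whole 16-byte blocks")
    out, prev = bytearray(), iv
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(aes128_decrypt_block(key, blk), prev))
        prev = blk
    pad = out[-1] if out else 0
    if 1 <= pad <= 16 and out[-pad:] == bytes([pad]) * pad:
        del out[-pad:]
    return bytes(out)

def key_from_dcd_listing(listing):
    """Join the 'DCD 0x...' words in .data order; ARM is little-endian, so each word is byte-reversed."""
    words = [int(w, 16) for w in re.findall(r"DCD\s+0x([0-9A-Fa-f]{1,8})", listing)]
    return struct.pack("<%dI" % len(words), *words)

# The four words exactly as they appear in the posted listing (label AES_KEY in cfger's .data).
CFGER_LISTING = """
.data:000196D4 AES_KEY         DCD 0xFECFD8BA          ; DATA XREF: sub_B174+34o
.data:000196D8 dword_196D8     DCD 0xC4B5AABB
.data:000196DC dword_196DC     DCD 0xBFD4D8C3
.data:000196E0 dword_196E0     DCD 0xDDBEFDCA
"""
CFGER_KEY = key_from_dcd_listing(CFGER_LISTING)   # == bytes.fromhex("BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD")
```

To try it on the encrypted scripts, feed the raw bytes of fw4linux.sh (or fw4boot.sh) to aes128_cbc_decrypt(CFGER_KEY, data); if the result is not readable shell, the IV assumption is the first thing to revisit (only the first 16 bytes of plaintext depend on it in CBC, so a garbled first block with clean text after it points straight at a non-zero IV).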
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 07:57:04 am
What would be interesting to know, is if the AES_KEY is the same for all machines, or if each one is unique.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 05, 2018, 08:01:01 am
Here are the 2 scripts decrypted with AES-CBC.

AES_KEY: BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD

 :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 09:30:35 am
I'm curious as to why Rigol went to the effort of encrypting these scripts, but then left the AES key 'lying around'.   That is odd.
Looking at these scripts, they essentially just check that some files are valid (checking a CRC) and then copy them to an appropriate place. It's useful perhaps to know where the files are copied to, but I'm wondering if there's anything else to learn from that...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EEVblog on December 05, 2018, 09:51:11 am
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.
Why? A large part of their business is built on hacking.
I bet sales of the DS1054Z paid for a lot of the development of that ASIC.

Majority of income comes from sales of units to education and large organisations don't care about the hack.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 05, 2018, 03:19:45 pm
So if someone can get such a dump (from the lucky ones having the real device already on their benches), it will inform my analysis. I know this information is rather fragmented and incomplete, but I'm still putting the pieces together and have more juicy bits for future posts.

Attached is the contents of the 256 kB file env.bin. (It starts with a CRC32, the file attached, and the rest is 0x00...)

What would be interesting to know, is if the AES_KEY is the same for all machines, or if each one is unique.

It's the same since it's embedded in the cfger app. You can see the decrypted_scripts of the DS7000 using the same key in my updated DS7000 msg.


BTW, interesting that the memdump contains these references:

200MHz to 350MHz Bandwidth Upgrade Option
200MHz to 500MHz Bandwidth Upgrade Option
350MHz to 500MHz Bandwidth Upgrade Option
600MHz to 1GHz Bandwidth Upgrade Option
600MHz to 2GHz Bandwidth Upgrade Option
1GHz to 2GHz Bandwidth Upgrade Option
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 07:06:07 pm
I received an unsolicited private message last night. It was from a user with NO posts, and just registered yesterday. I'm sure they are reading the thread. Their GitHub profile suggests they are in China, but who knows. I checked the GitHub repo, and I couldn't find anything relevant. Anyone else get this message?

Hello, I have cracked the MSO5074 into the 350MHz model version, and I will publish it to my github (http://github.com/__deleted__ (http://github.com/__deleted__)) once all options are unlocked. But I did a wrong thing: I erased my scope's option FRAM. So if you have bought an MSO5074, I can upgrade its bandwidth, and I want a FRAM dump from your scope to reverse the option part for this scope. Thanks!

You can contact me by this mail:  deleted@gmail.com
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 05, 2018, 07:32:07 pm
I received an unsolicited private message last night. It was from a user with NO posts, and just registered yesterday. I'm sure they are reading the thread. Their GitHub profile suggests they are in China, but who knows. I checked the GitHub repo, and I couldn't find anything relevant. Anyone else get this message?

Hello, I have cracked the MSO5074 into the 350MHz model version, and I will publish it to my github (http://github.com/__deleted__ (http://github.com/__deleted__)) once all options are unlocked. But I did a wrong thing: I erased my scope's option FRAM. So if you have bought an MSO5074, I can upgrade its bandwidth, and I want a FRAM dump from your scope to reverse the option part for this scope. Thanks!

You can contact me by this mail:  deleted@gmail.com

Did you contact him? Did the github have anything relevant?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 07:46:12 pm
The GitHub repo didn't appear to have anything relevant in it, no, and no, I've not contacted him.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Carrington on December 05, 2018, 08:35:07 pm
LOL ... What a funny and weird situation.  :)
Title: Unconfirmed 'cracking' of Rigol 5000
Post by: mrpackethead on December 06, 2018, 07:14:59 am
An unconfirmed claim of cracking the MSO5000 has been made by a Chinese student.

Quote
"Well, I have patched the firmware, let it jump out of the license verify procedure. But I can't make it public until next year March. Because Rigol has sold less than about 300 units now.

In fact I'm working on my friend's scope and I haven't ordered yet (lack of money... I'm just an undergraduate). I wonder if I make it public prematurely, maybe they will fix it and it can't be cracked anymore.

Btw, there's no keygen for the 5000 series oscilloscope because it can't be realized. The only way to crack it is to patch the firmware.

The details of cracking this scope I will
publish to my github when my scope is successfully cracked."

Sadly he does not want to provide the info; I think he is worried that Rigol will patch the issue before he has collected enough money to buy his own. If he was able to crack it, I'm sure that others will be able to do it as well, pretty quickly. If he wants the 'claim to fame' of being the guy who cracked it, he will need to publish it before anyone else does, I guess. Though it seems he just wants the 350 MHz scope for the 70 MHz price.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EEVblog on December 06, 2018, 12:54:23 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 06, 2018, 01:00:54 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

I guess this mark the beginning of gigantic pages ahead for this thread.  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 06, 2018, 01:09:28 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

Rigol is now one firmware update away from completely owning the non-pro 'scope market?  :popcorn:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 06, 2018, 06:11:17 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

If they aren't anonymous who was it? Or are they planning on sharing later?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 06, 2018, 07:19:31 pm
The problem with claims is that they are just claims until there is something to substantiate them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JPortici on December 06, 2018, 07:38:46 pm
so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 06, 2018, 07:40:46 pm
The problem with claims is that they are just claims until there is something to substantiate them.

From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 06, 2018, 07:41:42 pm
If the scopes can do 1 GHz and are reasonably flat I'd consider adding a 50 ohm termination internally on one channel. It would be permanently 50 ohms but could perform well. Pretty easy to power an HP 1152a active probe externally.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on December 06, 2018, 07:43:20 pm
so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?
Quite possibly, we've seen this happen before.  ::)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Monkeh on December 06, 2018, 07:44:32 pm
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.
Why are you surprised? According to Dave a lot of functionality needs at least some attention. Securing things usually is last on the list. Get the product out first. Rigol can always choose to plug holes in later firmware releases if necessary.

Which is a bass ackwards way of developing and shipping an appliance with a network connection no matter how you look at it.

so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?
Quite possibly, we've seen this happen before.  ::)

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on December 06, 2018, 08:31:59 pm
so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?
Quite possibly, we've seen this happen before.  ::)

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?
Ok so you missed the member being banned for daring to question the capabilities of the forum's favorite DSO.
Go have a look in the Supporters lounge for links that can point you to those events.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 06, 2018, 08:34:35 pm
Gentlemen, please discuss this in the generic MSO5000 thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 06, 2018, 09:30:18 pm
Gentlemen, please discuss this in the generic MSO5000 thread.

And leave moderation to the moderators. That's their job.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 06, 2018, 09:33:54 pm
The problem with claims is that they are just claims until there is something to substantiate them.

From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?

But we have not 'seen' anything other than claims. 

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 06, 2018, 09:38:14 pm
The problem with claims is that they are just claims until there is something to substantiate them.
From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?
Even at a low price having 1GHz of bandwidth without real 50 Ohm inputs is going to be a problem. Then again the same hack may work on the MSO7000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on December 06, 2018, 09:49:12 pm
Which is a bass ackwards way of developing and shipping an appliance with a network connection no matter how you look at it.

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?
It's always the same people singing the same song, isn't it?  ::)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Carrington on December 06, 2018, 09:54:20 pm
Obviously I'm not going to say who they are ...
I wonder if Banksy has anything to do with all this.  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 06, 2018, 10:49:33 pm
We actually plan to release it after the RIGOL fix their bugs...

I can not believe you're refusing to release the hack method.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 06, 2018, 10:50:13 pm
Screen shots are one thing. However, until a method is published and is verified independently it's unconfirmed. The first party to publish it will be able to 'claim' it. It seems there are several parties all claiming to have done it so far. I would guess it's only going to be a matter of days before the first hacks are published.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 06, 2018, 11:17:23 pm
We actually plan to release it after the RIGOL fix their bugs...

I can not believe you're refusing to release the hack method.
Maybe better to wait till the firmware has improved, so there's a hack for a better FW in case future versions get locked down more effectively.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TurboTom on December 06, 2018, 11:28:05 pm
Hope the firmware update also addresses the font of the hardware frequency counter...I almost had to throw up. If not, the hack will have to fix this...  ::)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 07, 2018, 12:16:43 am
We actually plan to release it after the RIGOL fix their bugs...
Which means... NEVER  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 12:40:02 am
rgwan,

Your group is not the only one who has claimed to have hacked the scope. Others have already made the same claims. The methodology for hacking it is to find where the firmware checks the features, and just return true. The fact that you posted it first really doesn't make much difference; someone will have.

You can assume that multiple Rigol dealers have read this, and that this information is already in the hands of Rigol. What Rigol chooses to do will be interesting. They historically have not made any attempts to stop so-called hacking. They may see it as a way to actually improve their sales. It's entirely possible that the architecture was designed so it could be hacked.

You're saying it was hacked to 350 MHz; however, it seems that Hanxiao was saying 1 GHz? Is that correct?

Even if this thread was removed, it's still the internet and it's gone. You can't make it go away.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 12:42:18 am
Here are their screen shots of a 100MHz square wave and the FFT
Obviously I'm not going to say who they are, but they are sending me something (not related to this) for a video, and went, "oh, BTW, we hacked the MSO5000". It was a friend on their design team who cracked it. They seem legit.

Could you reveal if they are a different team from the china team?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on December 07, 2018, 12:46:37 am
OK, I admit it.... I am the anonymous who patched Hanxiao's oscilloscope... Yesterday we made a successful crack to unlock all options and 350 MHz bandwidth.

So... it is a pity to make this thing public early... I have to order one now and create a repository to publish our cracking procedure...

I request that this topic be hidden in this forum; if RIGOL sees this thread, there will be no cracking at all! I recommend not discussing this topic until half a year has passed...
Taking things off the internet isn't really a thing that exists. It's out here, for better or worse.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 01:01:57 am
rgwan,

Your group is not the only one who has claimed to have hacked the scope. Others have already made the same claims. The methodology for hacking it is to find where the firmware checks the features, and just return true. The fact that you posted it first really doesn't make much difference; someone will have.

You can assume that multiple Rigol dealers have read this, and that this information is already in the hands of Rigol. What Rigol chooses to do will be interesting. They historically have not made any attempts to stop so-called hacking. They may see it as a way to actually improve their sales. It's entirely possible that the architecture was designed so it could be hacked.

You're saying it was hacked to 350 MHz; however, it seems that Hanxiao was saying 1 GHz? Is that correct?

Even if this thread was removed, it's still the internet and it's gone. You can't make it go away.

First, no... I did not make any statement on its analog bandwidth. The test is based on all licenses on an MSO5074 unit.
Second, the effort put into hacking is much harder than you thought. They did a fairly good job on license protection (but not on the system as a whole).
I wish to see posts from other teams that reach this far :P

Right now, all you've got is an unverified claim of a hack. Just like the other teams. Nobody can verify anybody's claims because nobody can independently test it.

Sorry, I've confused you with the other team, who it seems have achieved 1 GHz bandwidth.

And from what it seems, the hack is not that hard.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 01:05:44 am
Is that MSA24xxxxx number, the one ending 00001, the serial number?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 07, 2018, 01:15:44 am
Is that MSA24xxxxx number, the one ending 00001, the serial number?

Yes. Fake or goofy.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 07, 2018, 01:26:49 am
I recommend not discussing this topic until half a year has passed...

Are you on a 6-month contract?   ::)

This story is stranger than the licensing protection!  :-DD
BTW, I think it's safe to say that Dave's pics have the same S/N...   

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=590110;image)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 07, 2018, 01:43:04 am
rgwan,

Your group is not the only one who has claimed to have hacked the scope. Others have already made the same claims. The methodology for hacking it is to find where the firmware checks the features, and just return true. The fact that you posted it first really doesn't make much difference; someone will have.

You can assume that multiple Rigol dealers have read this, and that this information is already in the hands of Rigol. What Rigol chooses to do will be interesting. They historically have not made any attempts to stop so-called hacking. They may see it as a way to actually improve their sales. It's entirely possible that the architecture was designed so it could be hacked.

You're saying it was hacked to 350 MHz; however, it seems that Hanxiao was saying 1 GHz? Is that correct?

Even if this thread was removed, it's still the internet and it's gone. You can't make it go away.

Rigol has made some attempts to stop hacking. They changed the DSA815 spectrum analyzer keys so that the online tools no longer worked. If they went to the effort to create a reasonable license key system it seems odd they would leave ssh wide open. I have been on the fence trying to decide if they kind of want the 5000 hacked. In this case I think ssh being enabled was some sort of mistake and that we can expect it to be removed in a future release.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: vowstar on December 07, 2018, 02:36:26 am
:)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EEVblog on December 07, 2018, 03:10:56 am
I request that this topic be hidden in this forum; if RIGOL sees this thread, there will be no cracking at all! I recommend not discussing this topic until half a year has passed...

Sorry but we don't hide threads here.
I'll happily remove the images I got, but I'm not going to remove anyone else's images or posts, they'll have to do that themselves.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 03:47:21 am
Once again, I would like to recommend the administrator in this forum hide this thread. It is too dangerous. And Rigol's new 1000Z-S series seems like it can't be unlocked any more. I don't want to see this happen again.

Rigol's distributors have read this thread, I know that for a fact. I would be very surprised if some Rigol people have not read it as well.

It would not surprise me if, in fact, Rigol is deliberately seeding this thread with bits of information to bolster interest, and potentially boost sales.

It's an interesting serial number. Did you get the first one?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 03:56:07 am
I request that this topic be hidden in this forum; if RIGOL sees this thread, there will be no cracking at all! I recommend not discussing this topic until half a year has passed...

Sorry but we don't hide threads here.
I'll happily remove the images I got, but I'm not going to remove anyone else's images or posts, they'll have to do that themselves.

Seems team Rigol (rgwan and friends) have come and deleted their pics..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 07, 2018, 04:17:29 am
No one is going to wait my friend, life is too short. Magic things happened on this forum before, they will happen again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Hanxiao on December 07, 2018, 05:10:12 am
For those who are working hard to make this happen: we appreciate the work done by all the people who are taking their time to make this cheap and powerful instrument available to everybody.
However, we have to recognize that the amount of work needed to make progress on cracking will rise exponentially as RIGOL fixes each of the bugs we use to crack it. When we are talking about benefiting the community as a whole, we not only need to consider how soon we could get the joy but, more importantly, how many people will benefit from it. We acknowledge all the efforts; however, releasing the crack now is more like killing the goose that laid the golden eggs, which sabotages the interests of the whole community.

If you already own one, that is great; now the firmware is patchable and we are able to get everything working. But based on our prediction, the number of MSO5000 series units on the market is just in the hundreds, so let's wait for the others. Aside from the factory lead time, there are still tons of bugs inside the current firmware, from FFT leakage to various bugs in the LA.

Thanks to RIGOL for providing this relatively cheap instrument with such high performance.


8256485683450c0341861cd090fab646
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: vowstar on December 07, 2018, 05:19:17 am
Also, thanks to RIGOL for providing this relatively cheap instrument with such high performance.


8256485683450c0341861cd090fab646 YOU UNDERSTAND
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 07, 2018, 05:25:58 am
I feel like it is the right time for a sockpuppet account check.

Edit: How come you new hacker guys f..ked up so badly with the S/N ...001?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 07, 2018, 05:35:27 am
Also, thanks to RIGOL for providing this relatively cheap instrument with such high performance.


8256485683450c0341861cd090fab646 YOU UNDERSTAND

I think we all understand where you guys are coming from but even beyond hacking for other people to get use of it there is the aspect of just being able to do it. I am personally less interested in the scope as a piece of hardware as I already have something in the class. My interest is simply in seeing how much work it is this time. If I knew a hack were out and available I probably wouldn't buy one at all but knowing that even if it is hacked as of now it's a secret makes it even more interesting to me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 07, 2018, 05:38:34 am
so does this mean that we're going to have another big wave of scopes where no complaints are allowed whiny complaints seem childish because shut up they're cheap and hackable and nobody's forcing you to use one?

FTFY.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 07, 2018, 05:49:41 am
The point is you can NOT realistically expect this internet crowd here to hold hand in hand singing the song ...

"Just wait ... wait .. till Rigol fix their firmware ...
Rigol is blind not knowing this thread ...
once they fixed it, we will release the hack...
and all will be living happily ever after ..."

... NOT.

Back to pure technical discussion please, and refrain from politics, intrigue tactics, etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 07, 2018, 05:54:13 am
The other way to look at it is: If this is hackable then the bean counters at Rigol will see the sales figures of the base model and think, "Why would we try to stop that?"

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 06:06:37 am
The other way to look at it is: If this is hackable then the bean counters at Rigol will see the sales figures of the base model and think, "Why would we try to stop that?"

My gut feeling is that our new guests on this forum are actually from Rigol and are just doing some marketing to drum up some interest. If that is the case, then it's a new spin on what the PCB fabs were doing for a while. :-)

I know of two groups, one in the US and one in Europe, who are both working on this, and one of them will post a hack as soon as they have it sorted; there are a few other users who are tinkering as well. I don't have a scope yet (I get it in Jan), and when I do, I'll be keen to see how the hacks work, but if I use the features, I'll just be doing the boring thing and paying for it (because that's the right thing to do).

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: imo on December 07, 2018, 07:55:08 am
Sure - Rigol, distributors, competitors, customers, hackers - all may read and contribute to this thread. You cannot avoid that. It makes no sense to elaborate on who is who here. Let us wait for some real results we can test.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 08:02:34 am
30A989AFC82C0A21139573591DE4E5FF37994F7D1506A9ACF2B5997005C2649F

Without any evidence of a hack, the people claiming it are losing face ( 丢脸 ) very quickly.     
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 07, 2018, 08:24:24 am
30A989AFC82C0A21139573591DE4E5FF37994F7D1506A9ACF2B5997005C2649F

Without any evidence of a hack, the people claiming it are losing face ( 丢脸 ) very quickly.   

Yes, it's been, what, a whole 12 hours now?

I agree that if you're not going to publish then just keep your mouth shut but they might just be in bed or something.

I don't have a scope yet (I get it in Jan), and when I do, I'll be keen to see how the hacks work, but if I use the features, I'll just be doing the boring thing and paying for it (because that's the right thing to do).

If you're going to spend that much you should probably buy the R&S, not Rigol.  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 07, 2018, 11:21:55 am
Did you notice what seemed to be the build date of the firmware (top right of the screen)? December 6... very strange... maybe it was someone from Rigol or a rogue employee.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 07, 2018, 11:34:09 am
That's the current hour/date in the scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: timgiles on December 07, 2018, 11:46:07 am
Well anyone who has watched the latest episode of SouthPark can see there are some on this forum that have lost the ability to have patience - too much getting used to amazon next day ordering!

Let those working on it work. Rigol will do or not do, now and in the future. If they change their approach to all firmware, perhaps other workarounds will be found. Perhaps Rigol really is seeing this as a chance to capture several market slices: business with paid-for licences, and home hackers. We know it costs the same whether it has a 200 MHz, 1 GHz (?) or 70 MHz label on it, so it can only be good for Rigol. Business and universities are unlikely to hack.

Time will tell.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 07, 2018, 11:53:23 am
That's the current hour/date in the scope.

No, it said ‘Build date’ on the photo
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 07, 2018, 12:10:58 pm
That's the current hour/date in the scope.

No, it said ‘Build date’ on the photo

:) Good point.

But I went to the "wayback machine" to have a look at the images from Dave's and the Chinese pics, and they all have consecutive hours.

The "build" is the time when the "screen dump" was built.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: glenenglish on December 08, 2018, 07:56:29 pm
If indeed Rigol pursue the market this way, and they monitor these forums, then in the interests of getting these sort of "Expandable" products, I suggest readers posting here to be nice with their comments.

I have bought a 100 MHz version, waiting on delivery. I'd like them and the local rep to make some decent margin on this scope. I think having an entry at the low price of the 70 MHz scope that is "Expandable" is cannibalizing their market; IMO they don't really have to go that cheap, unless they really have the cost right down to peanuts. In the west we might think 3x to 4x cost is about the minimum sell price for pro gear, but these guys often work on maybe 1.2 to 1.5x and it is just a numbers game.

Rigol's competition  are responsible for bringing high performance low cost scopes from all the A class manufacturers. It's the reason I support AMD with their Ryzen , and have all my systems here now Ryzen. (even though I can afford any processor I want) - they are responsible for holding Intel to account and providing some innovation in that market segment.
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 08, 2018, 08:44:14 pm
If indeed Rigol pursue the market this way, and they monitor these forums...

They've been doing it that way for quite a while:

https://www.youtube.com/watch?v=LnhXfVYWYXE (https://www.youtube.com/watch?v=LnhXfVYWYXE)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 08, 2018, 08:51:36 pm
One question: If this thing runs Linux and has a shell account then can it run batch files, etc?

What's installed in the system? Is there a C compiler?

Can you upload executable files and get it to do new things that way?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 08, 2018, 09:30:06 pm
One question: If this thing runs Linux and has a shell account then can it run batch files, etc?

What's installed in the system? Is there a C compiler?

Can you upload executable files and get it to do new things that way?
Forum member RHB has a long-term plan for something like that. A lot of scopes run on the Zynq platform nowadays, so except for the ADCs and display size many oscilloscopes are practically identical. Don't get excited yet, because writing firmware for an oscilloscope is a massive task, but once there is a core feature set it shouldn't be hard to port it to different hardware platforms.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 09, 2018, 09:39:27 pm
So "hypothetically" if a hack existed that took a 70 MHz model to 350, what would the preference here be? Share it? Hide it? Wait six months?

Another party (not the rgwan lot) has claimed they have enabled 350 and has said it's reasonably trivial. They are unsure of what to do. It's entirely for educational purposes only, and if you need 350 MHz then you should buy the license. This is however a very interesting thing if you are interested in the security of embedded systems.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 10, 2018, 06:42:50 am
Well, that's really strange. They said that it is trivial. So, how about you ask them why they don't choose to release it now?

Btw, you have said that you're interested in embedded system security, so why don't you analyze the firmware yourself? The process of analysing is more fun than the answer. So, don't wait for our answer anymore. Try to find your own! LOL
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 10, 2018, 08:31:58 am
Well, that's really strange. They said that it is trivial. So, how about you ask them why they don't choose to release it now?

Btw, you have said that you're interested in embedded system security, so why don't you analyze the firmware yourself? The process of analysing is more fun than the answer. So, don't wait for our answer anymore. Try to find your own! LOL

They may have done something different than you from the sounds of it. No mention of unlocking the rest of the options just the bandwidth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 10, 2018, 09:13:48 am
Walking through the firmware behind the devices can be an interesting way to spend a rainy afternoon. I never would have assumed my Siglent was full of unicorns and pikachus.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 10, 2018, 09:46:09 am
The Christmas gift for all Rigol fans out here:

Go to /rigol/shell/start.sh

and add the "-fullopt" to the command line that executes appEntry (before the &).

PS: And it's not a hack. It's a feature!
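An added example, not part of this thread or of any poster's work: a small POSIX shell audit of a launcher script like the one named above, written from the defender's side. It records a SHA-256 baseline from a known-good copy and flags any argument passed to appEntry that is not on an expected list, so a modified start.sh stands out in a routine integrity check rather than only in the option menu. The two sample launchers, the baseline value and the empty expected-argument list are constructed for this example; the real expected arguments would be recorded from a pristine firmware image.

```shell
#!/bin/sh
# Added example (not from this thread or any poster): a defender-side audit of a
# launcher script of the kind named above. It checks two things:
#   1. the file's SHA-256 still matches a baseline recorded from a known-good copy;
#   2. the appEntry invocation carries no argument outside an expected list.
# The sample scripts below are constructed for this example; the real expected
# argument list would be recorded from a pristine firmware image.

# Arguments the launcher is expected to pass to appEntry (constructed baseline:
# the pristine sample passes none, so the list is empty).
EXPECTED_ARGS=""

# Print the arguments passed to appEntry in the given script, one per line.
# The trailing '&' (background operator) and the command path are stripped.
app_entry_args() {
    grep -E '(^|[[:space:]/])appEntry([[:space:]]|$)' "$1" \
        | sed -e 's/[[:space:]]*&[[:space:]]*$//' -e 's/^.*appEntry[[:space:]]*//' \
        | tr -s '[:space:]' '\n' \
        | sed '/^$/d'
}

# Return 0 if every appEntry argument is on the expected list, 1 otherwise;
# unexpected arguments are reported on stdout for the operator or a log.
check_app_entry_args() {
    rc=0
    for arg in $(app_entry_args "$1"); do
        case " $EXPECTED_ARGS " in
            *" $arg "*) ;;
            *) echo "unexpected argument to appEntry: $arg"; rc=1 ;;
        esac
    done
    return $rc
}

# SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's hash equals the recorded baseline, 1 otherwise.
check_baseline_hash() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Write two constructed sample launchers into a temp directory and print its path:
# a pristine copy, and one carrying the extra flag discussed in the thread.
make_sample_scripts() {
    sample_dir=$(mktemp -d)
    printf '#!/bin/sh\ncd /rigol/shell\n./appEntry &\n' > "$sample_dir/start_pristine.sh"
    printf '#!/bin/sh\ncd /rigol/shell\n./appEntry -fullopt &\n' > "$sample_dir/start_modified.sh"
    echo "$sample_dir"
}

# Audit both samples against a baseline taken from the pristine one.
audit_demo() {
    dir=$(make_sample_scripts)
    baseline=$(file_sha256 "$dir/start_pristine.sh")
    for f in "$dir"/start_*.sh; do
        if check_baseline_hash "$f" "$baseline" && check_app_entry_args "$f"; then
            echo "$(basename "$f"): OK"
        else
            echo "$(basename "$f"): MODIFIED"
        fi
    done
    rm -rf "$dir"
}

audit_demo
```

The hash check catches any edit at all; the argument check is the targeted one, and it also names what changed, which is what you want in a log line. Running it from a cron job or at boot against a baseline stored outside the writable filesystem is the usual way to turn this into a tamper alarm.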
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 10, 2018, 09:51:06 am
Do these things come with a text editor? Vim?  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 02:19:48 pm
The Christmas gift for all Rigol fans out here:

Go to /rigol/shell/start.sh

and add the "-fullopt" to the command line that executes appEntry (before the &).

PS: And it's not a hack. It's a feature!

How odd! That was remarkably easy to do...

No change to the 'Option list' but lots of options are now enabled...

Nice to have the 2 sig gens working, that's easy to test.
200M memory depth works
Power analysis is available

I'd be interested to know what the bandwidth was now... Off to find a decent signal generator under my desk...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 10, 2018, 02:48:25 pm
How odd! That was remarkably easy to do...

Disappointed? You wanted more of a fight...?  :popcorn:

If the bandwidth has changed to 350 MHz then nobody else is going to be selling oscilloscopes to hobbyists in the next few years.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobBarter on December 10, 2018, 03:30:36 pm
Would be interested to find out if this also turns a 2 channel into 4 channel.  I assume the same technique would work on a MSO7000?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: commongrounder on December 10, 2018, 03:37:16 pm
Would be interested to find out if this also turns a 2 channel into 4 channel.  I assume the same technique would work on a MSO7000?
Was also thinking the same thing, although, for the US$99.00 difference, you get the two additional 350 MHz probes. That’s assuming they perform well for the price.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 03:40:55 pm
Can’t say if it turns a 2 channel into a 4 channel, mine is the 5074. I paid the extra 90 euros for a 4 channel as that way I got warranty on all 4 channels and an extra couple of probes. I would imagine it enables 4 channels though, can’t see why it wouldn’t.

Anybody with  a 7000 series can give it a go, it’s a very simple process.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: commongrounder on December 10, 2018, 03:45:08 pm
Can’t say if it turns a 2 channel into a 4 channel, mine is the 5074. I paid the extra 90 euros for a 4 channel as that way I got warranty on all 4 channels and an extra couple of probes. I would imagine it enables 4 channels though, can’t see why it wouldn’t.

Anybody with  a 7000 series can give it a go, it’s a very simple process.
I don’t think there are any two-channel 7000 series scopes. The base model is the 7014 four channel.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 03:50:35 pm
The software options were of more interest, and the AWGs. Plus the extra bandwidth of course.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 05:07:09 pm
Ok, all I can find is a crappy 160MHz generator.

Two screen captures attached, one before 'enhancement', one after.  Note that the fastest timebase has changed from 5ns/div to 1ns/div - that must be a clue something is going on! Signal voltage shows less attenuation after 'enhancement'.

Also note the appearance of the 2 sig gen buttons on the bottom of the screen.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 10, 2018, 05:15:12 pm
The Christmas gift for all Rigol fans out here:

Go to /rigol/shell/start.sh

and add the "-fullopt" to the command line that executes appEntry (before the &).

PS: And it's not a hack. It's a feature!
Does the license screen show the options as PERMANENT or maybe it is a 30-day demo activation?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 05:18:35 pm
The Christmas gift for all Rigol fans out here:

Go to /rigol/shell/start.sh

and add the "-fullopt" to the command line that executes appEntry (before the &).

PS: And it's not a hack. It's a feature!
Does the license screen show the options as PERMANENT or maybe it is a 30-day demo activation?

On the scope I played with there was no change to the list of displayed options. Things like the AWG's and power analysis are shown as not enabled - BUT they work.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 10, 2018, 05:21:35 pm
Does the license screen show the options as PERMANENT or maybe it is a 30-day demo activation?

It's a feature so, I think, it's independent from the license scheme. But TopLoser may provide a license menu printscreen.

If I understood correctly, the 4CH option is not activated.

BTW, what is the BND option? Was it activated?

Things like the AWG's and power analysis are shown as not enabled - BUT they work.

If that's the case, then probably all is activated...   Can someone test each of the Options to see if they are active?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 05:28:57 pm
Does the license screen show the options as PERMANENT or maybe it is a 30-day demo activation?

It's a feature so, I think, it's independent from the license scheme. But TopLoser may provide a license menu printscreen.

If I understood correctly, the 4CH option is not activated.

BTW, what is the BND option? Was it activated?

Things like the AWG's and power analysis are shown as not enabled - BUT they work.

If that's the case, then probably all is activated...   Can someone test each of the Options to see if they are active?

All that I tested is activated. The BND option is the 'Option Bundle'.

Options screen is absolutely unchanged, shows same as out of the box.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: casinada on December 10, 2018, 05:35:20 pm
Does it activate all the digital decoding options?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 10, 2018, 05:35:25 pm
All that I tested is activated.

Then I think all is active completely independent from what the license menu says.

I think the options are based on the type of equipment (MSO, DS, DS5000, DS7000, etc).

So, in the DS7000 you might imagine what options the "-fullopt" will enable...

Code: [Select]
00    "BW1T2"           DS7000
01    "BW1T3"           DS7000
02    "BW1T5"           DS7000
03    "BW2T3"           DS7000
04    "BW2T5"           DS7000
05    "BW3T5"           DS7000
06    "MSO"
07    "2RL"    MSO5000  DS7000
08    "5RL"             DS7000
09    "BND"    = COMP + EMBD + AUTO + FLEX + AUDIO + AERO + PWR + AWG
10    "COMP"   MSO5000  DS7000
11    "EMBD"   MSO5000  DS7000
12    "AUTO"   MSO5000  DS7000
13    "FLEX"   MSO5000  DS7000
14    "AUDIO"  MSO5000  DS7000
15    "SENSOR"
16    "AERO"   MSO5000  DS7000
17    "ARINC"
18    "AWG"    MSO5000
19    "JITTER"
20    "MASK"
21    "PWR"    MSO5000  DS7000
22    "DVM"
23    "CTR"
24    "EDK"
25    "4CH"
26    "BW07T1" MSO5000
27    "BW07T2" MSO5000
28    "BW07T3" MSO5000
29    "BW07T5"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 10, 2018, 07:06:47 pm
We have an interesting situation here now, and it will tell us what rigols intention is.

If they move to close this 'feature', then we could surmise that they don't want to allow people to hack their scopes;
If they don't, then you can assume that they are deliberately doing this.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: imo on December 10, 2018, 07:31:20 pm
That is an intention, sure. That is a clever way to dump and not be subject to anti-dumping.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thesgoat on December 11, 2018, 06:32:07 am
Can’t say if it turns a 2 channel into a 4 channel, mine is the 5074. I paid the extra 90 euros for a 4 channel as that way I got warranty on all 4 channels and an extra couple of probes. I would imagine it enables 4 channels though, can’t see why it wouldn’t.

Anybody with  a 7000 series can give it a go, it’s a very simple process.
I don’t think there are any two-channel 7000 series scopes. The base model is the 7014 four channel.

Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 11, 2018, 06:46:01 am
How odd! That was remarkably easy to do...

Disappointed? You wanted more of a fight...?  :popcorn:


To be honest, yes, I'm quite disappointed as this hack is so easy that is not even funny.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 11, 2018, 06:54:30 am
Team China apparently took a different approach and patched the firmware.

I'm not sure why but I am thinking that I read rumours of this thing running up to 1GHz. Was I just dreaming?

EDIT. No, Dave posted that someone has claimed it's running up to 1GHz. That is a bit of a different level of post.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 11, 2018, 06:57:56 am
Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory...

Any chance to see the verification of 500 MHz bandwidth ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 11, 2018, 07:07:16 am
Well that's really strange. They said that it is trivial. So, how about you ask them for the reason why they don't choose to release it now?

Btw, you have said that you're interested in embedded system security, why don't you analyze the firmware yourself? The process of analysing is more fun than the answer. So, don't just wait for our answer anymore. Try to find your own! LOL

Simply just wanting to make sure that posting it here was ok. And once that was ok, well, just 3 hours later their answer was posted. It also works on the 7000 series. Sadly rgwan, if you did hack it first, you'll never get remembered as the guy who did it. That honor goes to tv84 who published a hack first. Now your hack may have been different. My suspicion is that you patched the firmware? This would be a different approach and potentially quite interesting as well, if you'd like to share it and save face ( 留面子 )





Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 11, 2018, 07:56:19 am
Has anyone got hands on a MSO pod yet - that would be the obvious next thing to investigate
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobBarter on December 11, 2018, 08:39:54 am
To keep Rigol happy, if it wasn't for this hack I would not be considering a Rigol as my next scope, more likely RTB2000 or RTM3000 (discounted the Keysight now) but with gritted teeth due to the ridiculous option pricing. Now firmly back in my option list (just can't decide if 5000 or 7000).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 11, 2018, 09:16:05 am
If the "hack" worked after 1 or two more patches I'd definitely go 7000 over 5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JPortici on December 11, 2018, 09:17:17 am
To keep Rigol happy, if it wasn't for this hack I would not be considering a Rigol as my next scope, more likely RTB2000 or RTM3000 (discounted the Keysight now) but with gritted teeth due to the ridiculous option pricing. Now firmly back in my option list (just can't decide if 5000 or 7000).
You were considering a scope with a 10bit ADC, now you are considering a scope that at the max amplification will be a 5-6 bit scope (1mV/div is 5mV/div digitally zoomed!), then look at how the decode and search are implemented.
Having options for free is tempting, but consider everything :) (maybe you don't care at all about small signals, or looking at data lines in a certain way)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MrW0lf on December 11, 2018, 10:21:59 am
you were considering a scope with a 10bit adc, now you are considering a scope that at the max amplification will be a 5-6 bit scope

Are you trying to steal the christmas? It is well established that cheap and hackable renders all other "nuances" irrelevant... :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 11, 2018, 11:10:06 am
Some people are able to recognize that they actually spend most of their time in 1 or 2 volts/div and that presence/absence of a uV range is therefore moot.

Raw bandwidth, number of channels, etc.? That never goes out of fashion.

If you need uV and massive DC offset ability then that's fine, buy a 'scope that can do it. Just don't waste your life hating on 'scopes that don't do it. Lots of people genuinely don't need it.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobBarter on December 11, 2018, 11:13:24 am
£970 vs £2500 (incl. the 50% PK1 pack) is quite persuasive but I appreciate that the R&S is the next level up.  And that comparison doesn't cover bandwidth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 11, 2018, 11:20:20 am
£970 vs £2500 (incl. the 50% PK1 pack) is quite persuasive but I appreciate that the R&S is the next level up.  And that comparison doesn't cover bandwidth.

Yep. The next step up from this is now a huge difference in price. You'll pay dearly for those little extras.

(a bit like the next step up from the DS1054Z was huge until that Siglent came along)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 11, 2018, 11:25:59 am
£970 vs £2500 (incl. the 50% PK1 pack) is quite persuasive but I appreciate that the R&S is the next level up.  And that comparison doesn't cover bandwidth.
Yep. The next step up from this is now a huge difference in price. You'll pay dearly for those little extras.
I wouldn't call protocol decoding which is actually working a 'little extra' if you need this kind of functionality. It is kind of like buying a car without windscreen wipers. If it never rains that will be OK but if you drive through rain regularly then such a car will become useless real quick.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 11, 2018, 11:45:58 am
I wouldn't call protocol decoding which is actually working a 'little extra' if you need this kind of functionality.

It's very easy to not buy one of these if those are your needs.

It is kind of like buying a car without windscreen wipers. If it never rains that will be OK but if you drive through rain regularly then such a car will become useless real quick.

No it isn't. It's more like buying a car that can't fit a sofa in the back - useless if you're a removal man but fine for most people.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MrW0lf on December 11, 2018, 11:49:35 am
Lots of people genuinely don't need it.

Most people actually do not need new scope at all, but then suddenly something black with pink ring around female connector surfaces... Pretty dirty (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1954405/#msg1954405) move!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 11, 2018, 12:20:51 pm
Note that channel 3 costs extra.  :popcorn:

(who says Rigol doesn't understand marketing?)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 11, 2018, 03:33:29 pm
Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory...

Could you upload a pic of your licensing menu? Just for comparison with 5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pascal_sweden on December 11, 2018, 04:14:49 pm
Lots of people genuinely don't need it.

Most people actually do not need new scope at all, but then suddenly something black with pink ring around female connector surfaces... Pretty dirty (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1954405/#msg1954405) move!

Channel 3 = Input channel or Pay-TV channel? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jnz on December 11, 2018, 06:05:12 pm
If they patch the bugs, and don't fully close the hacking options, I'll replace both my older Teks with them without blinking.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 11, 2018, 06:35:39 pm
Channel 3 = Input channel or Pay-TV channel? :)

Pay-per-Use
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 11, 2018, 06:40:13 pm
If they patch the bugs, and don't fully close the hacking options, I'll replace both my older Teks with them without blinking.

I sort of go the same way. IF they fix the bugs, I'll buy one for my garage replacing a fluke scopemeter.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 12, 2018, 05:24:38 pm
Any news on whether the hack upgrades the bandwidth?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 12, 2018, 05:29:27 pm
Any news on whether the hack upgrades the bandwidth?

Above someone showed the amplitude increased on a 160MHz sine after applying option so it seems like it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 12, 2018, 09:26:16 pm
Do you mean if it upgrades it past 350Mhz.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bson on December 13, 2018, 12:03:39 am
Nope, there's only root under /etc/passwd and the sshd_config is all commented out except the UsePrivilegeSeparation no directive. Shadow is empty.
They don't seem to have disabled key based authentication, so it might be possible to drop a public key into ~root/.ssh/authorized_keys and use that to circumvent the password check for ssh. Assuming you can write to ~root/.ssh.

Edit: oh, nvm I see now the secret password wasn't much of a secret. :) But this might be useful to keep in mind when dealing with other systems where you can write to ~root/.ssh but don't have the password to login.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 13, 2018, 01:14:50 pm
-“It appears Rigol’s engineers are designing their products to capitalize on the hacker’s proclivity to buy their tools to get the ‘free’ upgrade. This, of course, sounds just slightly insane, but no one seems to mind.”

It’s just an old marketing trick.

Suppose you want people to buy your products over a competitor’s. You add some bells and whistles to your product to offer more value and differentiate yourself on the market, but that also increases the price slightly and people don’t really need the extra features, so they won’t choose your product over simpler and cheaper competing products.

What then? Well, you pretend that the extra features are really really expensive high tech by locking them out and selling a “professional” version at many times the price. Then you let it slip that the features can be hacked into use on the “cheaper” models.     I am quite confident that the first 'claim' of the hack ( though unverified ) was exactly this. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 13, 2018, 02:43:46 pm
It’s just an old marketing trick.

Siglent has been using PRO_MODE all these years... Which is precisely the same thing.

I am quite confident that the first 'claim' of the hack ( though unverified ) was exactly this.

Don't agree. I believe it was a true "hack" and it came up, when it did, only because its authors had ruined the FRAM mem and were looking for someone who could provide a copy in exchange. If it were not for that detail, we would know about it only in a few months' time.

And, in no place I saw evidence that they were aware of the built-in feature.

Of course, having equipment with a special S/N didn't help the cause...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 13, 2018, 02:51:15 pm
Wish Dave will do a video on hacking this new Rigol, and do the verification on the hack, like he did a while ago on the DS1052E.  :P

https://youtu.be/LnhXfVYWYXE
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 13, 2018, 02:54:47 pm
verification on the hack

It's a built-in feature. Not a hack!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 13, 2018, 02:58:05 pm
verification on the hack

It's a built-in feature. Not a hack!

Oh, ok, I stand corrected, actually this is even better, just apply the "fix" then verify if enabled features  are working, especially the bandwidth increase.  >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 13, 2018, 03:33:37 pm
-“It appears Rigol’s engineers are designing their products to capitalize on the hacker’s proclivity to buy their tools to get the ‘free’ upgrade. This, of course, sounds just slightly insane, but no one seems to mind.”

Write my words on the wall: no conspiracy marketing tricks here, all of this is just because the Chinese do not know any better than copy each other without understanding how the code they copy works. I predict we will continue to see stupid things like this one for the years ahead.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 13, 2018, 05:32:42 pm
Broad brush generalisations about one race's abilities are just that. Generalisations.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on December 13, 2018, 06:01:46 pm
Write my words on the wall: no conspiracy marketing tricks here, all of this is just because the Chinese do not know any better than copy each other without understanding how the code they copy works. I predict we will continue to see stupid things like this one for the years ahead.
I sense too much xenophobia in this post...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 13, 2018, 06:05:04 pm
Write my words on the wall: no conspiracy marketing tricks here, all of this is just because the Chinese do not know any better than copy each other without understanding how the code they copy works. I predict we will continue to see stupid things like this one for the years ahead.
I sense too much xenophobia in this post...

I don't think he's afraid of the Chinese, that's ridiculous. That's a horribly stupid word people started overusing. He's just racist against the Chinese.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on December 13, 2018, 06:18:07 pm
I don't think he's afraid of the Chinese, that's ridiculous. That's a horribly stupid word people started overusing. He's just racist against the Chinese.
No it is absolutely not ridiculous. But this is OT in this thread (and perhaps even on this forum altogether).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 13, 2018, 10:00:17 pm
Broad brush generalisations about one race's abilities are just that. Generalisations.
It is not about race but about how a country is being run. The Chinese educational system for example suppresses critical and out-of-the-box thinking. Basically killing any creativity needed to come up with a novel product.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 14, 2018, 11:11:58 am
The Chinese educational system for example suppresses critical and out-of-the-box thinking.

With 100% success rate, right?

(and I'm not sure the educational system in many other countries actively promotes critical thinking - look at the percentage of people in 'developed' countries who believe homeopathy works or that gods are real things).
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 14, 2018, 01:40:29 pm
The Chinese educational system for example suppresses critical and out-of-the-box thinking. Basically killing any creativity needed to come up with a novel product.

Most educational systems in fact do this, it's not just a Chinese thing. Fortunately out of the population there are always a few free minded individuals who say "MEH to that" and go and be creative anyway. An above average number seem to lurk around here though.  :)

Some interesting inventions that the Chinese were responsible for include:

Paper, movable type printing, gunpowder, the compass, alcohol, clocks, tea production, silk, umbrellas, iron smelting, bronze, kites, growing food in rows, toothbrushes, and paper money.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: The Doktor on December 14, 2018, 02:01:52 pm
Some interesting inventions that the Chinese were responsible for include:

Paper, movable type printing, gunpowder, the compass, alcohol, clocks, tea production, silk, umbrellas, iron smelting, bronze, kites, growing food in rows, toothbrushes, and paper money.

So nothing of any real value?  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 14, 2018, 02:03:42 pm
Certainly not in this thread. Take it elsewhere please?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 14, 2018, 02:53:26 pm
I think it's helpful in the background information for working out why Rigol have released a product in the way they have. Understanding the motivation often will provide clues about implementation of a solution.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 14, 2018, 03:35:38 pm
Paper, movable type printing, gunpowder, the compass, alcohol, clocks, tea production, silk, umbrellas, iron smelting, bronze, kites, growing food in rows, toothbrushes, and paper money.
:palm: The Egyptians built pyramids long before that. Look at them today. Roman empire: same story. You have to look at the more recent history to see why the Chinese need to catch up so much when it comes to engineering and producing a good product.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 14, 2018, 04:06:52 pm
Certainly not in this thread. Take it elsewhere please?

+1

C'mon guys, please, this is a technical thread, please take your hate on Rigol's product and also the xenophobic stuff  :palm: out of here, again, please.

Also for the Rigol competing parties, you know who you are, even if you keep pretending to be casual end users, it isn't nice to keep bashing this product in this particular "technical" discussion if you don't have any interest in it.

Totally understand you feel really threatened by this Rigol's move, that probably may affect your sales on Rigol competing brand scope that you're selling, again, this is not the right place.

"Constantly" bashing this product and Rigol brand ? Please, again pretty please, vent it here at the official Dave's video blog thread ..

 -> EEVblog #1146 - New Low Cost Rigol MSO5000 Oscilloscope (https://www.eevblog.com/forum/blog/new-rigol-scope/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 14, 2018, 04:31:22 pm
Rigol needs to recover the $$$ from the custom ASIC R&D and using them in as many models as possible makes a lot of sense
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 14, 2018, 05:43:15 pm
I think it's helpful in the background information for working out why Rigol have released a product in the way they have.

Simple: They've been allowing hacks for many years now and know the economics, numbers and demographics of the people doing it.

They know it makes business sense to sell oscilloscopes that way.

ie. They'd rather sell one of these to hacker and make $100 than watch that same hacker buy a Siglent.

PS: What would be the BOM on one of these? I bet they still make a couple of hundred bucks even if they sell one for $999.

(and most people will  pay $999 for a "four channel" model just to get four decent probes)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 14, 2018, 10:56:44 pm
Rigol needs to recover the $$$ from the custom ASIC R&D and using them in as many models as possible makes a lot of sense

Indeed, the FW has references and looks like it can be used for:

DS/MSO5000, DS/MSO7000, DS/MSO8000 and DS/MSO9000

The app can even be called with the parameter -ds8000 but I have no feedback on what are the consequences besides slightly changing the Info Version menu. If anyone discovers that, please share.

(https://i.ibb.co/ZgyNQ2h/Rigol-MSO5000-ds8000-fullopt.jpg)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 14, 2018, 11:06:28 pm
Is the same firmware used on the 5000 and 7000 models or do we need to wait for a 5000 version update to know that?

Keysight 2000 and 3000 series used same firmware so I guess it’s possible?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 14, 2018, 11:22:18 pm
Interesting times ahead... Rigol seem to have their future planned round this chipset so frequent updates should be assured.

I’m hoping to get access to a 3 GHz signal generator soon, have the ‘fully featured’ 5074 sweep it with the enabled AFG and see what the response is.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on December 15, 2018, 12:08:53 am
Confirming the rather funny ssh root/root situation.

Couple DS7000s we got at work today. Walked right in. SCP'd some nice screen saver images over while I was in there. Being they're work machines, I didn't want to run right into using --fullopt. Instead, prolly spend Monday picking through what that touches.

Eyeballing a DS5000 right now. Dim screen reports have me a little worried though. It's a different screen than the 7k, so can't use it for reference (which, in person, is fairly decent screen wise).

Those BW strcpy's are a little funny. 4G.....Rigol seems pretty optimistic in the future it seems :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 15, 2018, 08:52:23 am
Couple DS7000s we got at work today. Walked right in. SCP'd some nice screen saver images over while I was in there. Being they're work machines, I didn't want to run right into using --fullopt. Instead, prolly spend Monday picking through what that touches.

You don't need to make any change. Just get in, kill the app and launch it with the parameter. It's "safe", it's a feature.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 15, 2018, 10:46:32 am

The root/root is the default user/pass that Xilinx use in their Linux distributions. It appears Rigol didn't bother to change it.


Confirming the rather funny ssh root/root situation.

Couple DS7000s we got at work today. Walked right in. SCP'd some nice screen saver images over while I was in there. Being they're work machines, I didn't want to run right into using --fullopt. Instead, prolly spend Monday picking through what that touches.

Eyeballing a DS5000 right now. Dim screen reports have me a little worried though. It's a different screen than the 7k, so can't use it for reference (which, in person, is fairly decent screen wise).

Those BW strcpy's are a little funny. 4G.....Rigol seems pretty optimistic in the future it seems :P
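The conditions bson reported a few posts up (a lone root account, an empty shadow, an sshd_config left entirely at its defaults with key authentication still on) and the unchanged root/root default discussed here are exactly what a firmware review should catch before a device ships. The script below is an added example written for this thread, not code from Rigol or from any poster: it audits an extracted root filesystem offline for those conditions, running on constructed sample trees; the Linux path layout and the OpenSSH compiled-in defaults it uses are assumptions noted in the comments.

```shell
#!/bin/sh
# Offline audit of an extracted embedded-Linux root filesystem for the
# conditions described in the thread: a lone root account, an empty
# /etc/shadow (so no password hash at all), an sshd_config that leaves every
# default in force, and whatever sits in ~root/.ssh/authorized_keys.
# All sample files are constructed for the demo, not taken from a device;
# the Linux paths and the sshd defaults are assumptions noted below.

# Print accounts that can log in but have no password hash anywhere. With the
# "x" placeholder in passwd the hash must come from shadow, so an empty
# shadow file leaves every such account without one.
weak_password_accounts() {
    awk -F: -v shadowfile="$1/etc/shadow" '
        BEGIN {
            while ((getline line < shadowfile) > 0) {
                split(line, f, ":"); hash_of[f[1]] = f[2]
            }
            close(shadowfile)
        }
        $7 ~ /(nologin|false)$/ { next }            # cannot log in anyway
        {
            hash = ($2 == "x") ? hash_of[$1] : $2
            # "!" and "*" mean locked; an empty string means no password set.
            if (hash == "") print $1
        }' "$1/etc/passwd"
}

# Print the value sshd applies for a directive: the first uncommented
# occurrence wins, otherwise the compiled-in default supplied by the caller.
# Usage: sshd_effective <rootfs> <Directive> <default-if-unset>
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }' "$1/etc/ssh/sshd_config"
}

# Count usable entries in root's authorized_keys (0 if the file is absent).
authorized_key_count() {
    f="$1/root/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f"
}

# Human-readable summary of the three checks.
audit_rootfs() {
    r="$1"
    echo "== $r =="
    weak="$(weak_password_accounts "$r")"
    echo "login accounts with no password: ${weak:-none}"
    # Assumed defaults: PermitRootLogin was "yes" before OpenSSH 7.0 and
    # "prohibit-password" from 7.0 on; the other two default to "yes".
    for pair in "PermitRootLogin yes" "PubkeyAuthentication yes" \
                "UsePrivilegeSeparation yes"; do
        set -- $pair
        echo "sshd $1 in effect: $(sshd_effective "$r" "$1" "$2")"
    done
    echo "root authorized_keys entries: $(authorized_key_count "$r")"
}

# Constructed tree mirroring the thread's description of the scope image.
make_weak_rootfs() {
    mkdir -p "$1/etc/ssh" "$1/root/.ssh"
    echo 'root:x:0:0:root:/root:/bin/sh' > "$1/etc/passwd"
    : > "$1/etc/shadow"                           # empty, as reported
    cat > "$1/etc/ssh/sshd_config" <<'EOF'
# every directive commented out, i.e. left at its default
#Port 22
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
UsePrivilegeSeparation no
EOF
}

# Constructed tree showing what the same checks report after hardening.
make_hardened_rootfs() {
    make_weak_rootfs "$1"
    echo 'root:!:19000:0:99999:7:::' > "$1/etc/shadow"   # password locked
    cat > "$1/etc/ssh/sshd_config" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
UsePrivilegeSeparation sandbox
EOF
    # Placeholder key material, constructed for the demo; not a real key.
    printf '# ops laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER ops@host\n' \
        > "$1/root/.ssh/authorized_keys"
}

WEAK_ROOT="$(mktemp -d)";     make_weak_rootfs "$WEAK_ROOT"
HARDENED_ROOT="$(mktemp -d)"; make_hardened_rootfs "$HARDENED_ROOT"
audit_rootfs "$WEAK_ROOT"
audit_rootfs "$HARDENED_ROOT"
```

Point the three check functions at a real extracted image root instead of the constructed trees to audit a firmware update before it goes onto a device; the sshd defaults should be replaced with those of the OpenSSH version actually shipped.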
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: martin.hoeer on December 16, 2018, 09:42:10 pm
@TV84

Please let me know where to enter /rigol/shell/start.sh and the other stuff. I tried UltraSigma and PuTTY but was not successful.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 16, 2018, 10:30:05 pm
I downloaded PUTTY and connected to the IP address that my MSO5000 displayed on the interface info page. Use SSH on default port 22.

Enter the ‘root’, ‘root’ as username and password.

Usual linux ‘cd /rigol/shell’ command to get to the correct directory

Then ‘vi start.sh’ to edit the file

Google VI to find out how to edit the file, it’s not that bad.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: orion242 on December 17, 2018, 01:59:52 am
Somewhat of a disappointment.  Was hoping to hear the long story on breaking this guy.

Now with info at hand, I'm left wondering do I go MSO7x or MSO5x.  I had the original 1054 and when the 'Z' came out, quickly swapped out.  So 5x or 7x has me ready to again upgrade in the Rigol path.  Would be nice to see Dave address current state of things.

Sells scopes, IMO.   I may not need it at the hobby level, but I want it at the price....  Bigger screens, big plus alone.  Should be able to get a few bucks for what I have currently.  Its an interesting path to market.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MrW0lf on December 17, 2018, 09:53:05 am
Now with info at hand, I'm left wondering do I go MSO7x or MSO5x.

Note that 7 has just as slow FFT as 5 looking at random demo videos. Far slower than Zynq based or PC scopes. At the price point they sell 5 it is more or less understandable but for 7 a bit weird. Dunno if it can be made better with firmware tweaks or processing power is just not there.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 17, 2018, 10:51:52 am
The GEL file format for this iteration may be different from previous versions ( https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg982910/#msg982910 ). The python scripts that were used previously don't seem to make much sense.

Anyone got any tips. 


C:\Users\OEM\Downloads>python unpack.py rigolfirmware\firmware.gel.tar
instrument series:      fw4linux.sh
firmware version:
updateType:     0x00000000
found 0 files

writing /header  (40 bytes)

original filesize:      70021120
bytes processed:        40

C:\Users\OEM\Downloads>

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: martin.hoeer on December 17, 2018, 02:03:12 pm
@TopLoser

Thank you for your description. With Putty, I can successfully connect to my MSO5104. It answers the command *IDN? correctly. But I have not been able to gain 'root' access to proceed with the other steps. Can you help me?

Thank you.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on December 17, 2018, 02:08:05 pm
@TopLoser

Thank you for your description. With Putty, I can successfully connect to my MSO5104. It answers the command *IDN? correctly. But I have not been able to gain 'root' access to proceed with the other steps. Can you help me?

Thank you.

Martin

Are you connecting with SSH on port 22?  Sounds like you may be using port 5555.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 17, 2018, 02:33:23 pm
Thank you for your description. With Putty, I can successfully connect to my MSO5104. It answers the command *IDN? correctly.

You're on the wrong port. That's not command shell access, it's SCPI access.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 17, 2018, 03:59:57 pm
Yes, use SSH on port 22.

Missed that info out as my scope is 5000 miles away at the moment. I’ve updated the post I made.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: riccardo.pittini on December 17, 2018, 05:52:11 pm
Has someone tried to verify if the "upgrade" enables also the other two channels on the MSO5XX2?  ^-^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: martin.hoeer on December 17, 2018, 05:53:07 pm
Guys,

thank you for your speedy replies.

With  Putty set to SSH and port 22, I get the reply 'login as:'.
When I enter 'admin', I get the following request: 'admin@'IP address of my scope' password:'.
When I enter 'rigol' I get the reply 'Access denied.'

I thought this was the standard user name and password to be used.

I appreciate your patience with me and look forward to your replies.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: darthcloud on December 17, 2018, 05:54:09 pm
Come on read the thread..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 17, 2018, 05:58:23 pm
when it says login as:   use root
when it asks for password:  use root

 

Guys,

thank you for your speedy replies.

With  Putty set to SSH and port 22, I get the reply 'login as:'.
When I enter 'admin', I get the following request: 'admin@'IP address of my scope' password:'.
When I enter 'rigol' I get the reply 'Access denied.'

I thought this was the standard user name and password to be used.

I appreciate your patience with me and look forward to your replies.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 17, 2018, 06:24:25 pm
Has someone tried to verify if the "upgrade" enables also the other two channels on the MSO5XX2?  ^-^

No they haven’t, but tv84 thinks it won’t.  I’m not sure it’s worth saving 90 euros to find out the hard way. Buy the 4 channel model and you get 2 extra 350MHz probes and a warranty that covers all 4 channels.

But it would be interesting to have somebody verify it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: imo on December 17, 2018, 07:10:40 pm
when it says login as:   use root
when it asks for password:  use root
when it says "login as" use: root
when it asks for "password" use: root
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 17, 2018, 07:59:38 pm
when it says login as:   use root
when it asks for password:  use root
when it says "login as" use: root
when it asks for "password" use: root

Dunno why, seeing this thread title with the word "hacking" and reading these replies, made me chuckle.  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 17, 2018, 08:23:15 pm
when it says login as:   use root
when it asks for password:  use root
when it says "login as" use: root
when it asks for "password" use: root

Dunno why, seeing this thread title with the word "hacking" and reading these replies, made me chuckle.  :-DD

Yes, for now it should be titled "Logging into the MSO5000", no real hacking going on, yet...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 17, 2018, 08:59:52 pm
I’m not sure it’s worth saving 90 euros to find out the hard way. Buy the 4 channel model and you get 2 extra 350MHz probes and a warranty that covers all 4 channels.

I'm sure that's what Rigol was thinking when they planned this - get an extra 100 bucks out of everybody (I'm sure their probes don't cost even 10 bucks to manufacture).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on December 17, 2018, 11:24:42 pm
Confirmed on a MSO7k. Removed with no apparent ill effects. Being slightly more legal and taking the "free decodes package" thing Rigol is doing right now since it's not mine, and I'd rather not get wrapped up in a debacle of enterprise machines with "grey zone" licenses. Good to know this DOES work though, even if it's hilariously easy and involved no true hacking. I would think that's what Rigol is banking on. Enterprise won't do it (much), but hobbyists will make a run on every tech store they can for ones to hack up.

Sadly, the MSO5074 I ordered from TEquip wasn't quite as in stock as I may have been led to believe (or one of you buggers gigged me in the few hours between the quote and hitting buy  |O :palm: ). Ah well, working for uncle sam has taught me extreme patience :P

I am a little concerned about all this "MSO5k is dim" stuff though. The DS7k screen I can say is rather nice, enough so my boss, who has a rather 'spense MDO4k, has made jokes of swapping them when I'm not looking. Here's hoping Rigol didn't go mega cheap on the panel. A crappy display would color the entire experience.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 17, 2018, 11:50:55 pm
I am a little concerned about all this "MSO5k is dim" stuff though.
It looks like everybody wants a more challenging hack... Make the LCD LED backlight adjustable, it might be an interesting hack project
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Dwaine on December 18, 2018, 12:41:32 am
I had the same thought about the LCD screen.  It's great that their scope can be hacked.  Too bad you can't see the wiggly lines.  Question is....  How did that get out of the door like that?   Someone at Rigol must have said to themselves "Geezzz that display is kinda dark is it not?"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 18, 2018, 08:25:48 am
I had the same thought about the LCD screen.  It's great that their scope can be hacked.  Too bad you can't see the wiggly lines.  Question is....  How did that get out of the door like that?   Someone at Rigol must have said to themselves "Geezzz that display is kinda dark is it not?"

Think how noisy the fans are, someone at Rigol must have said to themselves "Geezzz that fan is kinda noisy is it not?"

But yeah, should be easy to mod. Maybe just change a resistor.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 18, 2018, 08:32:04 am
How many people who are complaining about the screen being dim have actually seen one?

The one I’ve got seems just fine, I wouldn’t have made any comment about it at all. Some of the buttons are a bit too small and ‘squishy’ for my liking but the screen is fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 18, 2018, 10:46:28 am
Hi,

The display is not too dark:

https://www.eevblog.com/forum/blog/new-rigol-scope/440/
(post #440)

Increase the grid intensity a little bit and it looks alright.
Not the brightest thing but alright, otherwise you can plug in an external display via the HDMI port.
Or a beamer... ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 18, 2018, 10:56:50 am
Hi,

The display is not too dark:

https://www.eevblog.com/forum/blog/new-rigol-scope/440/
(post #440)

ie. This one: https://www.eevblog.com/forum/blog/new-rigol-scope/msg2047141/#msg2047141

(https://s15.directupload.net/images/181217/rdizjnmz.jpg)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on December 19, 2018, 12:57:23 am
Hmm, doesn't seem too bad!

Sort of hard to tell with all the different exposures :P But next to a Lecroy gives some reference.

So long as it's usable outside (maaaybe not direct sunlight though). If it's anything like a less glossy DS7k, it'll be fine.

Then we'll get to see side by side at the lab how they compare....soon....ish....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on December 19, 2018, 01:07:23 am
Hmm, doesn't seem too bad!

Sort of hard to tell with all the different exposures :P But next to a Lecroy gives some reference.
LeCroy WS3000 = Siglent SDS3000.......now quite old model, both versions updated to X versions with faster WFMS and greater mem depth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 20, 2018, 06:48:20 am
eevblog is famous. Again. 

https://hackaday.com/2018/12/19/rigol-mso5000-hacked-features-unlocked/

In other news, most distributors of Rigol are out of stock of the MSO5074.   :-) what a surprise.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 20, 2018, 04:33:06 pm
Yep,

Only the 200 and 350MHz models are in stock, e.g. at Batronix.
With all options "for free" you can save a little bit more and buy the 5072 instead of the 5074.
I think Rigol won't care about this, schools and other public institutions won't buy the cheapest and hack it.
If they need 200MHz they'll buy it.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 20, 2018, 04:40:43 pm
With all options "for free" you can save a little bit more and buy the 5072 instead of the 5074.

...if you've got some spare 350MHz probes for the other two channels.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JDubU on December 20, 2018, 05:59:48 pm
...if you've got some spare 350MHz probes for the other two channels.

The difference in cost between the 5074 and the 5072 is about the same as the cost of the two extra Rigol PVP2350 probes ($90 vs $94 USD).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Harjit on December 20, 2018, 06:03:16 pm
The Siglent SDS1104X-E seems sufficient for my needs. Any reason to buy the Rigol MSO5074 and then unlock features?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 20, 2018, 06:17:25 pm
The Siglent SDS1104X-E seems sufficient for my needs. Any reason to buy the Rigol MSO5074 and then unlock features?

More bandwidth? More memory? Built-in signal generator?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Romain on December 20, 2018, 06:20:10 pm
With all options "for free" you can save a little bit more and buy the 5072 instead of the 5074.
Is that guaranteed?
Here in the UK the 5074 is about 130 USD more expensive than the 5072. Would love to have confirmation that the "upgrade" works for 2ch to 4ch!  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 06:22:18 pm
Only the 200 and 350MHz models are in stock, e.g. at Batronix.

With all options "for free" you can save a little bit more and buy the 5072 instead of the 5074.

Telonic in the UK have plenty of the 5074 in stock.

Has anybody confirmed that you can enable the extra 2 channels of a 5072 with the 'feature'? If not then you have to spend a lot more than 90 euro at a later date to enable them if you want them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 08:02:33 pm
Ok... time to get the thread back on the topic of hacking...

Couple of x-rays of the MSO pod. It's not just a fancy bit of wire, it is active and has ICs in it at the probe end. Doesn't look like it's 'intelligent' active like the R&S one which had a PIC in it if I remember correctly.

Anybody fancy guessing what these 8 (identical I assume) ICs might be? Or do I have to get all medieval on it, no screws or clips unfortunately...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:11:45 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 08:13:43 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 20, 2018, 08:14:08 pm
Quote
Is that guaranteed?

It was just my thought because of "all options free" - if the bandwidth is up to 350MHz, the memory up to 200M.....why shouldn't the 2 channels be unlocked as well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:15:34 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.

LMH7322 matches the package - hard to see if the pinouts are right from the x-ray
http://www.ti.com/lit/ds/symlink/lmh7322.pdf
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:17:23 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.
ADCMP567 has 32 pins , x-ray shows 24
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 08:19:37 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.
ADCMP567 has 32 pins , x-ray shows 24

I can't count, sorry.

Closer x-ray attached. I can get closer and tweak settings if it helps.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:24:59 pm
As there's no processor or eeprom in there, the functionality is likely to be enabled by a pullup or pulldown on the connector - shouldn't be hard to find with some poking around with a 100R resistor to avoid smoke.
Power outs should be easy to find.
If you get the digital menus working, you can then tweak thresholds and see which pin(s) set this.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:28:25 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.
ADCMP567 has 32 pins , x-ray shows 24

I Can't count, sorry.

Closer xray attached. I can get closer and tweak settings if it help.
All the pinouts I can see are consistent with LMH7322
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 08:29:29 pm
Functionality is enabled in the scope even without it plugged in, just hit the LA button and you get all the options available.

Looks like it's an easy enough design to knock together for cheap then, if anybody can be arsed.

I'll have another look at what's holding the case together, it's not responded to force so far.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on December 20, 2018, 10:41:17 pm
Is it simple enough to DIY the logic analyzer header? A few hundred bucks from RIGOL otherwise!  :o
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tinhead on December 20, 2018, 11:03:27 pm
The Christmas gift for all Rigol fans out here:
...
PS: And it's not an hack. It's a feature!

Great, I have read this thread a bit, but overlooked your post, and a day later ordered the SDS1204X-E instead of the Rigol (due to 4 vs 2 channels).
Anyway, will do it as an Easter gift ^^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 21, 2018, 07:36:20 am
Quote
Is that guaranteed?

It was just my thought because of "all options free" - if the bandwidth is up to 350MHz, the memory up to 200M.....why shouldn't the 2 channels be unlocked as well.

All,

The best way is for someone to test on a 2ch scope. My feeling is that all is defined by the S/N.

So, if you change it to MSO or to 4ch the fullopt probably will enable the corresponding features.

I can't test this theory but I may be able to patch something for anyone who is willing to try. PM me.

PS: this includes transforming a 5000 into a 7000 and beyond...  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 21, 2018, 11:16:16 am
Anybody fancy guessing what these 8 (identical I assume) IC's might be? Or do I have to get all medieval on it, no screws or clips unfortunately...

Normally they're comparators with selectable references for all the different voltages in the menu:

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=601918;image)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 21, 2018, 11:18:19 am
I concur with mikeselectricstuff about the https://www.ti.com/lit/ds/symlink/lmh7322.pdf, good catch!... not entirely sure on the shorted latch pins though (LEA, (not LEA) and VCCOA) since not all QFN footprints have the 3 "shorted" legs on the same pins; perhaps some of the parts have different orientations on the board? Other intended functions or just routed differently on the PCB?

I also wonder if TopLoser could get some of the values of the passives by probing the pins of the probe and get some cap/resistance values out of it so that we can compare it with the typical applications on the aforementioned datasheet?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 21, 2018, 11:20:16 am
For the people wondering about the MSO5072 being "upgradeable" to 4ch via the magic flag... all that needs to be said is: yep ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: madmac on December 21, 2018, 11:52:52 am
Had a quick look at the 50 way logic connector while having coffee

0V     X    X    D7P
D7N    X    X    D6P
D6N    X    X    D15P
D15N   X    X    D14P
D14N   X    X    D0V

0V     X    X    D5P
D5N    X    X    D4P
D4N    X    X    D13P
D13N   X    X    D12P
D12N   X    X    0V

0V     X    X    D3P
D3N    X    X    D2P
D2N    X    X    D11P
D11N   X    X    D10P
D10N   X    X    0V

0V     X    X    D1P
D1N    X    X    D0P
D0N    X    X    D9P
D9N    X    X    D8P
D8N    X    X    0V

4V0    X    X    0V
4V0    X    X    2V4
D0-7V  X    X    D8-15 VREF   10:1 INPUT  +/- 1V5
-2V5   X    X    0V
0V     X    X    DETECT  LOW FOR PROBE ATTACHED


Input range is +/- 15 volts.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: madmac on December 21, 2018, 11:54:47 am
Should have added: the top of the table is the power on/off side, and each row reads  lower pin  X   X  upper pin.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 21, 2018, 11:57:01 am
Had a quick look at the 50 way logic connector while having coffee

...
D0-7V X    X    D8-15 VREF   10:1 INPUT  +/- 1V5
...


If the reference voltages come from the 'scope then that makes it a lot easier.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on December 21, 2018, 05:41:13 pm
For the people wondering about the MSO5072 being "upgradeable" to 4ch via the magic flag... all that needs to be said is: yep ;)

Started to see the 4 chan out of stock in Canada, I suspect the 2 channel will follow suit now.

Genius marketing move. I'm not even in the market for a scope and I'm considering one...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 21, 2018, 06:13:12 pm
Anybody who thinks the hackers are getting something for free has it all ass-backwards.

The hackers are paying the regular price, it's all the businesses and educational institutions that are paying extra.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 21, 2018, 06:43:44 pm
Quote from: Fungus
The hackers are paying the regular price, it's all the businesses and educational institutions that are paying extra.

I'm not so sure. Let's wait until the real hacking begins.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 21, 2018, 07:08:37 pm
Quote from: Fungus
The hackers are paying the regular price, it's all the businesses and educational institutions that are paying extra.

I'm not so sure. Let's wait until the real hacking begins.

OK, maybe not all.  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 21, 2018, 07:36:54 pm
The hackers are paying the regular price, it's all the businesses and educational institutions that are paying extra.
I'm pretty sure sane businesses and educational institutes are going to wait until the hobbyists bought enough units so Rigol finishes the firmware. It also depends on whether Rigol blocks the extremely simple workaround (it isn't even a hack) to enable all features in a future firmware update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on December 21, 2018, 07:48:38 pm
I feel like removing the firmware hack would tank potential hobbyist sales? This might not be much, but again, in a world where hobbyists aren't buying the high end features, and institutions are, it's just icing on the cake to attract that market.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 21, 2018, 07:55:18 pm
I feel like removing the firmware hack would tank potential hobbyist sales? This might not be much, but again, in a world where hobbyists aren't buying the high end features, and institutions are, it's just icing on the cake to attract that market.
When I read the posts in the test equipment section I get the feeling there are quite a few hobbyists out there who spend several $k on a single piece of test equipment. This market isn't big but it does seem to exist.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 21, 2018, 07:59:18 pm
Simply removing the feature is not a show stopper. We now know it can be done.  :popcorn:

What I would like to know is: how similar is the HW in the 5000 and 7000 models? Can someone please elaborate?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 21, 2018, 08:12:54 pm
I guess Rigol and its big distributors are watching the market, observing and going to conclude whether the next move will be to lock or keep it open.

For sure they will at least get the free marketing and accurately gather the market reaction at this price level.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 22, 2018, 04:59:25 pm
I guess Rigol and its big distributors are watching the market, observing and going to conclude whether the next move will be to lock or keep it open.

They've had ten years to make that decision before launching this one.

I'm guessing DS1054Z sales already showed the economics work just fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 22, 2018, 11:03:41 pm
I am between two chairs…

Buying the option bundle, which costs about 700€ incl. tax, doesn't worry me.
The memory upgrade.... I'm not interested in - 100M standard is more than enough.
But the bandwidth upgrades..
The price is killing me as an owner of a 5074.
Buying the options but hacking the bandwidth, this is, in my mind, weird… ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 22, 2018, 11:10:37 pm
Maybe an ‘extended trial’ would be an acceptable option for you  ;)

Bear in mind that Rigol will offer a ‘free option bundle’ for these scopes at some time in the future. That would make you pretty upset if you paid for the bundle already...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 23, 2018, 10:21:52 am
I am between two chairs…

Buying the option bundle, which costs about 700€ incl. tax, doesn't worry me.
The memory upgrade.... I'm not interested in - 100M standard is more than enough.
But the bandwidth upgrades..
The price is killing me as an owner of a 5074.
Buying the options but hacking the bandwidth, this is, in my mind, weird… ;)

Don't understand your dilemma.  ??? The fullopt provides max BW and options simultaneously. If you have extra cash, go for the 7000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 23, 2018, 11:43:02 am
I am between two chairs…

Buying the option bundle, which costs about 700€ incl. tax, doesn't worry me.
The memory upgrade.... I'm not interested in - 100M standard is more than enough.
But the bandwidth upgrades..
The price is killing me as an owner of a 5074.
Buying the options but hacking the bandwidth, this is, in my mind, weird… ;)
I don't get it. You bought this for private use didn't you? If yes, then hack it and be done with it.

I also understand that you aren't very happy with the current state of the firmware. Don't make the mistake I made in trusting that firmware issues will be fixed soon. If you are going to spend more cash then buy a scope which works out of the box right now. When I was in your situation I didn't listen to this advice and I wish I had. I ended up buying a different scope and the cheaper Chinese scope turned out to be a total waste of money.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 23, 2018, 01:49:22 pm
Hey all,

I'm very curious about the inside of these (both the 5k and 7k) and am curious if some of you can post further details other than the bootlog Dave has already posted earlier.

I'm particularly interested in the output of

Code:
dmesg
cat /proc/cpuinfo
lspci
lsusb
df
cat /proc/mtd

Are the first things I can think of. Furthermore, in one of the MSO7000 videos, Dave mentioned that the TX UART wasn't working, but in a MSO5000 video he was sending commands to the shell (he typed things like help which printed the BusyBox help screen, for example). I don't think at that point the root password was yet known, so I am thinking this was done over the serial TX line. So can someone confirm/deny that the TX works normally as expected on both MSOs?

Fear not, this is not a thread derailment :) I am curious as, while we have found how to start the application with all options enabled, the actual keys are not changed, and thus a firmware upgrade can quite happily drop the option. We best be prepared for that, right? So in my opinion the scope is not yet hacked and there's still some work left for us.

Finally, what's with the secrecy of the GEL files for the scopes? Before forking over quite a substantial amount and then bricking it, I'm thinking of getting a Zynq development board and seeing if I can 'install' the firmware onto it. As such, I'd need the actual GEL file (the more versions of the different scopes, the better). So is anybody able to share any GEL file they have gotten yet? Meanwhile I'll try to request a firmware file from Rigol the good old manual way.
Turns out, when going to https://www.rigol.eu/products/digital-oscilloscopes/7000/ the file is right there in the download section ...

Still, if anybody has other versions, beta or whatnot for the 5k and 7k it may still help with further analysis.

Thanks for listening :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 23, 2018, 01:58:52 pm
No derailment. That's precisely the goal of this thread.

I can get you the 5000 GEL.

You can always look at this msg:

https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 23, 2018, 02:21:46 pm

I'm particularly interested in the output of

Code:
dmesg
cat /proc/cpuinfo
lspci
lsusb
df
cat /proc/mtd


Code:
<root@rigol>dmesg
CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: Xilinx Zynq Platform, model: Xilinx Zynq
Memory policy: Data cache writealloc
On node 0 totalpages: 114688
free_area_init_node: node 0, pgdat c0631c80, node_mem_map c0669000
  Normal zone: 896 pages used for memmap
  Normal zone: 0 pages reserved
  Normal zone: 114688 pages, LIFO batch:31
PERCPU: Embedded 8 pages/cpu @c09f1000 s8384 r8192 d16192 u32768
pcpu-alloc: s8384 r8192 d16192 u32768 alloc=8*4096
pcpu-alloc: [0] 0 [0] 1
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 113792
Kernel command line: console=ttyPS0,115200 no_console_suspend, root=/dev/ram rw
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 437416K/458752K available (4197K kernel code, 255K rwdata, 1716K rodata, 176K init, 179K bss, 21336K reserved, 0K highmem)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xdc800000 - 0xff000000   ( 552 MB)
    lowmem  : 0xc0000000 - 0xdc000000   ( 448 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc05ce880   (5915 kB)
      .init : 0xc05cf000 - 0xc05fb0c0   ( 177 kB)
      .data : 0xc05fc000 - 0xc063bd78   ( 256 kB)
       .bss : 0xc063bd84 - 0xc06689a4   ( 180 kB)
Preemptible hierarchical RCU implementation.
        Dump stacks of tasks blocking RCU-preempt GP.
        RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
NR_IRQS:16 nr_irqs:16 16
ps7-slcr mapped to dc802000
Zynq clock init
sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
Console: colour dummy device 80x30
Calibrating delay loop... 1725.23 BogoMIPS (lpj=8626176)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0xc03fa6b8 - 0xc03fa710
L310 cache controller enabled
l2x0: 8 ways, CACHE_ID 0x410000c8, AUX_CTRL 0x72360000, Cache size: 512 kB
CPU1: Booted secondary processor
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
gpio->base_addr is:0xdc84e000
The gpio irq num is:52
zynq_gpio e000a000.ps7-gpio: gpio at 0xe000a000 mapped to 0xdc84e000
hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
hw-breakpoint: maximum watchpoint size is 4 bytes.
zynq_ocm f800c000.ps7-ocmc: ZYNQ OCM pool: 256 KiB @ 0xdc880000
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
NET: Registered protocol family 2
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
PCI: CLS 0 bytes, default 64
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 10644K (db099000 - dbafe000)
hw perfevents: enabled with ARMv7 Cortex-A9 PMU driver, 7 counters available
NTFS driver 2.1.30 [Flags: R/W].
msgmni has been set to 875
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
DPU:Map vRam to 0xdca00000
DPU:Map iReg to 0xdcc00000
DPU:Ver=0x20170711
dma-pl330 f8003000.ps7-dma: unable to set the seg size
dma-pl330 f8003000.ps7-dma: Loaded driver for PL330 DMAC-2364208
dma-pl330 f8003000.ps7-dma:     DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
e0000000.serial: ttyPS0 at MMIO 0xe0000000 (irq = 59, base_baud = 6249999) is a xuartps
console [ttyPS0] enabled
xuartps e0001000.serial: failed to get alias id, errno -19
e0001000.serial: ttyPS1 at MMIO 0xe0001000 (irq = 82, base_baud = 6249999) is a xuartps
brd: module loaded
loop: module loaded
xspips e0006000.ps7-spi: master is unqueued, this is deprecated
xspips e0006000.ps7-spi: at 0xE0006000 mapped to 0xDC858000, irq=58
libphy: XEMACPS mii bus: probed
xemacps e000b000.ps7-ethernet: pdev->id -1, baseaddr 0xe000b000, irq 54
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
xusbps-ehci xusbps-ehci.1: Xilinx PS USB EHCI Host Controller
xusbps-ehci xusbps-ehci.1: new USB bus registered, assigned bus number 1
xusbps-ehci xusbps-ehci.1: irq 76, io mem 0x00000000
xusbps-ehci xusbps-ehci.1: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-rx8010sj 0-0032: Update timer was detected
rtc-rx8010sj 0-0032: rtc core: registered rtc-rx8010sj as rtc0
input: Goodix-TS as /devices/virtual/input/input0
xi2cps e0004000.ps7-i2c: 90 kHz mmio e0004000 irq 57
zynq-edac f8006000.ps7-ddrc: ecc not enabled
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
ONFI param page 0 valid
ONFI flash detected
NAND device: Manufacturer ID: 0x2c, Chip ID: 0xd3 (Micron MT29F8G08ADADAH4), 1024MiB, page size: 2048, OOB size: 64
Bad block table found at page 524224, version 0x01
Bad block table found at page 524160, version 0x01
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
TCP: cubic registered
NET: Registered protocol family 17
Registering SWP/SWPB emulation handler
rtc-rx8010sj 0-0032: setting system clock to 2018-12-23 22:14:55 UTC (1545603295)
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 176K (c05cf000 - c05fb000)
UBI: attaching mtd6 to ubi6
UBI: scanning is finished
UBI warning: print_rsvd_warning: cannot reserve enough PEBs for bad PEB handling, reserved 19, need 160
UBI: attached mtd6 (name "App1", size 100 MiB) to ubi6
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 800, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 137759694
UBI: available PEBs: 0, total reserved PEBs: 800, PEBs reserved for bad PEB handling: 19
UBI: background thread "ubi_bgt6d" started, PID 655
UBIFS: background thread "ubifs_bgt6_0" started, PID 658
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 6, volume 0, name "app"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 97263616 bytes (92 MiB, 766 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
UBIFS: reserved for root: 0 bytes (0 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 29D18BC9-40D5-47EB-8093-D75BB394A334, small LPT model
UBI: attaching mtd1 to ubi1
UBI: scanning is finished
UBI: attached mtd1 (name "DATA", size 64 MiB) to ubi1
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 512, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 1383059050
UBI: available PEBs: 0, total reserved PEBs: 512, PEBs reserved for bad PEB handling: 160
UBI: background thread "ubi_bgt1d" started, PID 687
UBIFS: background thread "ubifs_bgt1_0" started, PID 691
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 1, volume 0, name "DATA"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 42917888 bytes (40 MiB, 338 LEBs), journal size 2158592 bytes (2 MiB, 17 LEBs)
UBIFS: reserved for root: 2027117 bytes (1979 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 678F0810-83AE-49F3-AD8C-BB561AFDEDBD, small LPT model
UBI: attaching mtd12 to ubi12
UBI: scanning is finished
UBI: attached mtd12 (name "User", size 600 MiB) to ubi12
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 4796, bad PEBs: 4, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 1737885595
UBI: available PEBs: 0, total reserved PEBs: 4796, PEBs reserved for bad PEB handling: 156
UBI: background thread "ubi_bgt12d" started, PID 728
UBIFS: background thread "ubifs_bgt12_0" started, PID 732
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 12, volume 0, name "USER"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 586502144 bytes (559 MiB, 4619 LEBs), journal size 29331456 bytes (27 MiB, 231 LEBs)
UBIFS: reserved for root: 4952683 bytes (4836 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 7C7DEB0E-5611-4D11-9900-4290138ACF6B, small LPT model
xemacps e000b000.ps7-ethernet: Set clk to 24999999 Hz
xemacps e000b000.ps7-ethernet: link up (100/FULL)
Rigol Device gadget: Rigol Device ready
usbcore: registered new interface driver usbtmc
<root@rigol>cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 0 (v7l)
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc09
CPU revision    : 0

processor       : 1
model name      : ARMv7 Processor rev 0 (v7l)
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc09
CPU revision    : 0

Hardware        : Xilinx Zynq Platform
Revision        : 0000
Serial          : 0000000000000000
<root@rigol>lspci
<root@rigol>lsusb
Bus 001 Device 001: ID 1d6b:0002
<root@rigol>df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                31729     22410      9319  71% /
devtmpfs                218708         0    218708   0% /dev
none                    102400       284    102116   0% /tmp
/dev/ubi6_0              87160     71224     15936  82% /rigol
/dev/ubi1_0              38072       256     35836   1% /rigol/data
/dev/ubi12_0            529048       408    523804   0% /user
<root@rigol>cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00020000 "Env"
mtd1: 04000000 00020000 "DATA"
mtd2: 00400000 00020000 "Bmp"
mtd3: 00400000 00020000 "Bmp1"
mtd4: 00800000 00020000 "Bit1"
mtd5: 02000000 00020000 "Sys1"
mtd6: 06400000 00020000 "App1"
mtd7: 00400000 00020000 "Bmp2"
mtd8: 00800000 00020000 "Bit2"
mtd9: 02000000 00020000 "Sys2"
mtd10: 06400000 00020000 "App2"
mtd11: 04300000 00020000 "Reserved"
mtd12: 25800000 00020000 "User"
<root@rigol>

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 23, 2018, 07:17:44 pm

I don't get it. You bought this for private use, didn't you? If yes, then hack it and be done with it.

I also understand that you aren't very happy with the current state of the firmware. Don't make the mistake I made in trusting that firmware issues will be fixed soon. If you are going to spend more cash, then buy a scope which works out of the box right now. When I was in your situation I didn't listen to this advice and I wish I had. I ended up buying a different scope and the cheaper Chinese scope ended up being a total waste of money.


You're right.
Two times…
It's for private use only, so why am I afraid? Maybe because I've never done this before, except hacking my 1054Z, which was easy enough for me to do.

Quote
Don't make the mistake I made in trusting firmware issues will be fixed soon.


There are two models I'd like to have: the R&S RTM 2/3000 series or a DSO 3000 from Keysight.

Serial decoding will become more important for me, so I would also have to buy the options.
And then comes the MSO5000 along…
Not bad at all; "only" the firmware must be fixed on various points, and this is my hope, instead of spending an enormous amount of money on the above-mentioned scopes.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 23, 2018, 07:36:43 pm
Another option is to lower the requirements a little bit. In the end I bought a scope from GW Instek which just works. The highest bandwidth model of the MSO2000E version will still set you back around 2000 euro so it is not particularly cheap. OTOH it does have a few features the other oscilloscopes don't have: input filtering and you can change the decoding settings afterwards. There isn't such a thing as a perfect oscilloscope.

The hackability of the Rigol scopes may seem like a lot of fun and getting things 'for free' but in the end that doesn't help you if the features don't work the way you need them to work. Let alone if you are going to pay for the options.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 23, 2018, 08:22:00 pm
Another option is to lower the requirements a little bit. In the end I bought a scope from GW Instek which just works. The highest bandwidth model of the MSO2000E version will still set you back around 2000 euro so it is not particularly cheap. OTOH it does have a few features the other oscilloscopes don't have: input filtering and you can change the decoding settings afterwards. There isn't such a thing as a perfect oscilloscope.

The hackability of the Rigol scopes may seem like a lot of fun and getting things 'for free' but in the end that doesn't help you if the features don't work the way you need them to work. Let alone if you are going to pay for the options.

C'mon, this is a purely technical thread, not just a general discussion about this scope, yet you still keep pushing and pushing GW Instek here while constantly bashing Rigol. You sound really desperate, don't you?

How's your GW Instek sales achievement this 2018? Wish it's beyond the committed target.  :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 23, 2018, 09:06:26 pm
Another option is to lower the requirements a little bit. In the end I bought a scope from GW Instek which just works. The highest bandwidth model of the MSO2000E version will still set you back around 2000 euro so it is not particularly cheap. OTOH it does have a few features the other oscilloscopes don't have: input filtering and you can change the decoding settings afterwards. There isn't such a thing as a perfect oscilloscope.

The hackability of the Rigol scopes may seem like a lot of fun and getting things 'for free' but in the end that doesn't help you if the features don't work the way you need them to work. Let alone if you are going to pay for the options.

C'mon, this is a purely technical thread, not just a general discussion about this scope, yet you still keep pushing and pushing GW Instek here while constantly bashing Rigol. You sound really desperate, don't you?
You've got it all wrong. Martin72 is on exactly the same path I was a couple of years ago. Looking for a good oscilloscope which does a lot except breaking the bank. As I wrote before: I wish I had listened to the advice I was given on this forum back then. And I also like to share what has been my solution in the end. I can't help it if that doesn't sit right with you but the facts are the facts.

BTW: I have nothing to gain by pushing any brand. I'm just a demanding test equipment user sharing what works for me and what doesn't.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 23, 2018, 09:15:12 pm
It’s a good answer nctnico but it’s the same one you post in every thread about every scope on sale!

Can we try and keep the clutter out of this thread please, otherwise we end up with 500 pages of off-topic posts.

Can the 3 wise men stay away please  ;) You know who you are!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 23, 2018, 09:55:50 pm
Back to Topic...

Unfortunately I left my Rigol at work; nevertheless I want to try out the "hack" when I get it back.
Hacking the Rigol 1054Z was easy, even for a noob like me.
This time it won't be, I guess.
I have just done measurements all these years; I don't have experience with network things... :palm:  :-\
A little help is required to get the bee on the flower...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 23, 2018, 10:13:14 pm
A little talk about the consequences of the "feature" is acceptable, but we should do our best to keep this at the tech level.

BTW, if anyone could post true bandwidth sweeps, with/without fullopt, would be great.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 23, 2018, 10:20:25 pm
Is there already a description somewhere of how to modify the boot logo? If not, I can provide one.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 23, 2018, 10:20:36 pm
It’s stupidly easy... (even I did it)

Download and install PuTTY on your PC
On your scope find its IP address by UTILITY, IO, LAN
Run PuTTY and connect using that IP address and SSH with port 22
Log in as ‘root’, password ‘root’
Enter ‘cd /rigol/shell’
Enter ‘vi start.sh’

Change line 82 to read:
‘/rigol/appEntry  $PowerOn -run -fullopt &’

Google vi commands to find out how to insert text into the file
Basically press ‘i’ to enter edit mode then move cursor, insert text and then ESC to exit edit mode.

Save the file and quit ‘:wq’

Reboot.
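The same edit done programmatically, as an added example that is neither TopLoser's nor Rigol's code: it finds the launch line by its content ("/rigol/appEntry ... &", the form the post shows) instead of trusting that it is always line 82, is safe to run twice, and keeps an untouched .orig copy for rollback. It assumes (my assumption, not the post's) that start.sh has been copied off the scope with scp over the same root/root SSH login the post describes, is patched on a PC, and is copied back before the reboot; the sample start.sh content below is constructed, only the appEntry line is taken from the post. Worth remembering while doing this: that root/root SSH login is open to anyone on the same LAN as the scope.

```python
import re
import shutil
from pathlib import Path

# Constructed stand-in for /rigol/shell/start.sh so the example runs offline;
# only the appEntry launch line is taken from the post (assumed to end in "&").
SAMPLE_START_SH = """#!/bin/sh
# (the real script's other lines are not reproduced here)
/rigol/appEntry  $PowerOn -run &
"""

# Launch line: "/rigol/appEntry ... &", with everything before the "&" captured.
APPENTRY_RE = re.compile(r"^(/rigol/appEntry\b.*?)\s*&\s*$")


def add_fullopt(text):
    """Return text with ' -fullopt' added to the appEntry launch line.
    Idempotent: a line that already carries -fullopt is left alone.
    Raises ValueError unless exactly one launch line is present."""
    out, hits = [], 0
    for line in text.splitlines(keepends=True):
        m = APPENTRY_RE.match(line.rstrip("\r\n"))
        if m:
            hits += 1
            if "-fullopt" not in line:
                line = f"{m.group(1)} -fullopt &\n"
        out.append(line)
    if hits != 1:
        raise ValueError(f"expected exactly one appEntry launch line, found {hits}")
    return "".join(out)


def patch_file(path):
    """Patch a local copy of start.sh in place, keeping an untouched .orig
    backup (made only on the first run) for rollback. Returns the launch line
    as it now reads, so it can be eyeballed before the file goes back."""
    path = Path(path)
    backup = path.with_name(path.name + ".orig")
    if not backup.exists():
        shutil.copy2(path, backup)
    patched = add_fullopt(path.read_text())
    path.write_text(patched)
    return next(l for l in patched.splitlines() if l.startswith("/rigol/appEntry"))


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp()) / "start.sh"
    work.write_text(SAMPLE_START_SH)
    print(patch_file(work))  # /rigol/appEntry  $PowerOn -run -fullopt &
    print(patch_file(work))  # second run: unchanged, .orig still pristine
```

After copying the patched file back, diff it against the .orig copy before rebooting; the only difference should be the one launch line.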
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 23, 2018, 10:26:09 pm
You've got it all wrong. Martin72 is on exactly the same path I was a couple of years ago. Looking for a good oscilloscope which does a lot except breaking the bank. As I wrote before: I wish I had listened to the advice I was given on this forum back then. And I also like to share what has been my solution in the end. I can't help it if that doesn't sit right with you but the facts are the facts.

BTW: I have nothing to gain by pushing any brand. I'm just a demanding test equipment user sharing what works for me and what doesn't.

Problem: You never see anything positive in anything made by Rigol. Ever. You're not seeing that you get a four-channel, 250 MHz 'scope with siggen. It's a damn useful tool for diagnosing circuits even if some niggling little feature (or even three!) isn't perfectly to your liking. For $999? It's a steal.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 23, 2018, 11:03:33 pm
In 2015, I brought a DS1054Z to work.
Now we have four DS1054Zs for our development team; nuff said about Rigol.


Quote
It’s stupidly easy... (even I did it)


Thanks for your explanation in your post  :)


Quote
BTW, if anyone could post true bandwidth sweeps, with/without fullopt, would be great.


I'm working on it.
Full mem/function generator wouldn't be a problem, power analysis too.
But bandwidth.....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sparky on December 23, 2018, 11:42:29 pm
@nctnico, @Fungus

Just as this thread was getting itself back on track (thanks to TopLoser for the nice x-ray images of the MSO pod!) it has again plunged into irrelevance -- speculation over the marketing tactics of some Chinese test equipment manufacturers!?!?  I even read something about Egyptians and pyramids some pages back!  WTH?  Seriously guys, it's as simple as this: this thread is not the right place.  Stop it -- for the remainder of this thread.  Please, for all of us!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Frex on December 24, 2018, 07:40:28 am
Hello all,

I already have a MSO2072A hacked with full bandwidth and features, and very happy with.
Anyway, I have looked at the newest 5000 and 7000 series and they seem great...
Even if a 7000 is a little out of budget with the MSO option  ;D
It's great news to see there is a hack for the 5000.

What I would like to know now is whether anybody has done a bandwidth measurement after the hack
to check it (using an avalanche pulse generator).
Many thanks,

Frex
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 09:49:55 am
MSO5000 FW v01.01.02.03 (https://cld.pt/dl/download/7d02db7b-5669-43ba-a3d3-0636fc04753d/Firmware_01.01.02.03.GEL.tar)

(link will expire after 24h)

Thanks for that! This is the original GEL, as in the version that comes shipped on the scopes yeah? Do you have this for the 7000 as well? For that I only have 00.01.01.07.01 so far ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 09:55:37 am

I'm particularly interested in the output of

Code:
dmesg
cat /proc/cpuinfo
lspci
lsusb
df
cat /proc/mtd




Quote
(dmesg, /proc/cpuinfo, lspci, lsusb, df and /proc/mtd output, as posted above)

Many thanks for that. Sadly, this _still_ does not show me which Zynq they are using. I think someone mentioned somewhere that it's a 7020; at least we know it's a dual-core. So that leaves out a few of them, and we know it runs at about 800 MHz based on the bogomips.

Also newly learned is that the 'DATA' partition holds /rigol/data, which I think is where keys and calibration data is stored.

Someone also mentioned somewhere we have a 16Mb eeprom for configuration data. I think it's mostly u-boot (haven't found that in the NAND list yet) and _maybe_ some often changing data.

They also mirror their system data, to ensure safe upgrades.

Has anybody been able to 'interrupt' u-boot yet with the any-key press? Normally if you press it a few times (space works great) just before the message appears (keyboard buffer and all that) it should pick it up, IF the tx is not disabled ... But I guess very few have it opened and a debug header connected other than Dave ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 24, 2018, 10:05:35 am
What do you do with this gel file? I can untar it, and get four .img.gz files, plus the encrypted shell scripts. Further untarring and I get some .img files..
What do you do with those?


MSO5000 FW v01.01.02.03 (https://cld.pt/dl/download/7d02db7b-5669-43ba-a3d3-0636fc04753d/Firmware_01.01.02.03.GEL.tar)

(link will expire after 24h)

Thanks for that! This is the original GEL, as in the version that comes shipped on the scopes yeah? Do you have this for the 7000 as well? For that I only have 00.01.01.07.01 so far ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 10:10:58 am
Many thanks for that. Sadly, this _still_ does not show me which zynq they are using. I think someone mentioned somewhere that it's a 7020, at least we know it's a dual-core. So that leaves out a few of them and we know it runs about 800 MHz based on the bogomips.

You can see the Zynq model in my DS7000 FPGAs parsing. (see the DS7000 thread (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803))

I assume the Zynq is the same (7015). But I can parse the 5000 .bit file and verify that for you.

The 5000 .GEL version is the one that is currently being shipped.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 10:14:21 am
What do you do with those?

Massage them a bit (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803)...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 10:25:17 am
Many thanks for that. Sadly, this _still_ does not show me which zynq they are using. I think someone mentioned somewhere that it's a 7020, at least we know it's a dual-core. So that leaves out a few of them and we know it runs about 800 MHz based on the bogomips.

You can see the Zynq model in my DS7000 FPGAs parsing. (see the DS7000 thread (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803))

I assume the Zynq is the same (7015). But I can parse the 5000 .bit file and verify that for you.

Ah see that's where I saw it (lots of threads about the 5k and 7k). With the similarities between the two platforms, the OP statement about this being only about the 5k should be redacted to be about 5k and 7k. Having the information in one thread is always easier :) I believe we have 3 threads now with information scattered...

But thanks. The 7010, 7015 and 7020 are similar enough that any dev board with these chips should be accurate enough. I think it's mostly CPU speed and maybe FPGA gate count that's different, so I guess they couldn't fit their bitstream into the 7010 and went one up ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 10:33:08 am
What do you do with this gel file? I can untar it, and get four .img.gz files, plus the encrypted shell scripts. Further untarring and I get some .img files..
What do you do with those?


MSO5000 FW v01.01.02.03 (https://cld.pt/dl/download/7d02db7b-5669-43ba-a3d3-0636fc04753d/Firmware_01.01.02.03.GEL.tar)

(link will expire after 24h)

Thanks for that! This is the original GEL, as in the version that comes shipped on the scopes yeah? Do you have this for the 7000 as well? For that I only have 00.01.01.07.01 so far ...

Well mostly compare between the different versions, as for the image files, they are regular linux filesystem images.

So the system.img file is a FIT image that you can extract the kernel and initrd from. The kernel shouldn't be important, as we should be getting the sources from RIGOL on request (GPLv2). The initrd is interesting as that is the 'boot OS'. I'm not sure yet if this is their entire rootfs (likely) or just their first stage OS (which then in turn mounts the correct disks to continue booting). But since the other image is the 'app' image, my guess is that it's the actual rootfs.

The final file in the system.img file is the fdt, flattened device tree, which contains the system configuration, such as all the various busses, gpios, LEDs etc etc etc. Think ACPI tables for ARM if anything.

As for the app.img, well that contains the UI only as far as I can tell. It's based off of qt5, so replacing the shipped qt5 libraries with unstripped libraries may be an interesting thing to do (if they are stripped even), making gdb work a little easier if we'd want to gdb their main application.

The two script files are interesting, as it actually shows two potential upgrade paths. One is from within linux, the other from within u-boot. My guess is that if the upgrade fails via linux, if you have the usb stick with GEL inserted during boot, u-boot will parse the update file and perform the update. Why they did this I am not sure yet.

Furthermore, having the images allows us to install them onto a zynq dev board (which can be had for about 100 USD), reducing the bricking risk of the scope immensely. There is one way you can brick it, it seems: if one would wipe the 'env' partition, then we'd have an environment-less u-boot and without serial access, we don't know what the u-boot fallback would be.

Of course, the final goal is to blink a few LEDs on the scope :D (and to RE the keys of course, where more information is always better)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 10:33:48 am
Ah see that's where I saw it (lots of threads about the 5k and 7k). With the similarities between the two platforms, the OP statement about this being only about the 5k should be redacted to be about 5k and 7k. Having the information in one thread is always easier :) I believe we have 3 threads now with information scattered...

Makes some sense since they are so similar (or "too much similar"...). I'll ask OP to change the thread name.

BTW, what is the 3rd thread?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 10:38:42 am
Ah see that's where I saw it (lots of threads about the 5k and 7k). With the similarities between the two platforms, the OP statement about this being only about the 5k should be redacted to be about 5k and 7k. Having the information in one thread is always easier :) I believe we have 3 threads now with information scattered...

Makes some sense since they are so similar (or "too much similar"...). I'll ask OP to change the thread name.

BTW, what is the 3rd thread?

You are right, it is only 2; I thought there was the 7000 'hacking-ish' thread and the original thread from Dave about the new scope. I stand corrected :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 10:42:33 am
The two script files are interesting, as it actually shows two potential upgrade paths. One is from within linux, the other from within u-boot. My guess is that if the upgrade fails via linux, if you have the usb stick with GEL inserted during boot, u-boot will parse the update file and perform the update. Why they did this I am not sure yet.

The scope accepts the usual ultra-special Rigol vendor USB flash drive (with the special boot sector).

Don't know yet what that allows but...  ;)

Tell me what zynq dev board do you have in mind for 100USD?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: A Hellene on December 24, 2018, 11:00:03 am
I am sorry for the following request, regarding DS1000Z in a thread about MSO5000... I am also sorry if that has already been answered and I have missed it.

The problem I face is that I have updated DS1000Z firmware to the buggy (and revoked) 04.04.03.05, which mangles long memory data while navigating through it; so I would like to downgrade to the last good known firmware version (04.04.03.02) or even to an older one I may have.

I remember having read in the past that DS1000Z firmware downgrade is a matter of writing a special signature on the flash drive that carries the downgrade firmware. Is there any chance I can have that special signature or any other help to downgrade the DS1000Z firmware, please?

-George
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 11:17:54 am
I remember having read in the past that DS1000Z firmware downgrade is a matter of writing a special signature on the flash drive that carries the downgrade firmware. Is there any chance I can have that special signature or any other help to downgrade the DS1000Z firmware, please?

George,

Don't hijack with such an OT. It's better to send a PM. Contact janekivi as he may be able to help. I think you have 2 ways: using the special Rigol USB vendor disk and patching the version number in the previous FW. I think Janekivi can help with both. I would have to do some development to replicate it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 24, 2018, 11:33:24 am
Re. logo screen: as there wasn’t any reply, I guess there isn’t such information available yet. Or nobody is interested. :) Anyway…

First of all, you need to create a picture with your preferred image editing program with a maximum size of 1024 x 600 (full screen) and save it as a bitmap. I’ve programmed and uploaded (http://firebird.tms-taps.net/Rigol/MSO5000Logo.zip) a little Windows conversion tool that converts pictures (.bmp, .png or .jpg) to the .hex logo format and also the other way around. If you don’t trust my exe or want to create a conversion tool for a different system, here’s the format of the logo file:

LE dword  imageWidth;
LE dword  imageHeight;
LE word pixel[imageWidth * imageHeight];

The pixel format is rrrr rggg gggb bbbb;

After the .hex file has been created, copy it to a thumb drive and connect the drive to the scope. Open putty or any other ssh terminal and log in to the MSO (port 22, root/root, you know ;) ). First verify that the thumb drive has been mounted to /media/sda1:

Code:
<root@rigol> mount

rootfs on / type rootfs (rw)
/dev/root on / type ext2 (rw,relatime,errors=continue)
devtmpfs on /dev type devtmpfs (rw,relatime,size=218708k,nr_inodes=54677,mode=755)
none on /proc type proc (rw,relatime)
none on /sys type sysfs (rw,relatime)
none on /tmp type tmpfs (rw,relatime,size=102400k)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/ubi6_0 on /rigol type ubifs (rw,relatime)
/dev/ubi1_0 on /rigol/data type ubifs (rw,sync,relatime)
/dev/ubi12_0 on /user type ubifs (rw,sync,relatime)
>>> /dev/sda1 on /media/sda1 type vfat (rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=936,iocharset=utf8,shortname=mixed,errors=remount-ro)

If this is the first time you’re doing this, backup the original Rigol logo:
Code:
<root@rigol> dd if=/dev/mtd7 of=/media/sda1/logo_orig.hex

8192+0 records in
8192+0 records out
4194304 bytes (4.0MB) copied, 1.070000 seconds, 3.7MB/s

Now install your logo. Of course you need to enter the file name of your own logo, and it is case sensitive:

Code:
<root@rigol> flash_eraseall /dev/mtd7

Erasing 128 Kibyte @ 400000 - 100% complete.

<root@rigol> nandwrite -p /dev/mtd7 /media/sda1/Logo_FireBird.hex

Writing at 0x00000000
Writing at 0x00020000
Writing at 0x00040000
Writing at 0x00060000
Writing at 0x00080000
Writing at 0x000a0000
Writing at 0x000c0000
Writing at 0x000e0000
Writing at 0x00100000
Writing at 0x00120000

Reboot and have fun. :)
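The .hex layout FireBird lays out above (two little-endian dwords, then one RGB565 word per pixel), as an added Python example that is neither FireBird's converter nor Rigol code: it encodes constructed pixel rows into that layout, decodes either a .hex file or a raw dd dump of mtd7 (tolerating the 0xFF erase-state padding a partition dump carries), and checks the result against the 4 MiB Bmp partition size from /proc/mtd before anything is written with nandwrite. The 1024 x 600 limit is from the post; the bit replication used when widening the 5/6-bit channels back to 8 bits is this example's own choice. The pixel data is constructed inline, so it runs offline.

```python
"""Encode/decode the MSO5000 boot-logo .hex format (added example, not Rigol's or FireBird's code)."""
import struct

MAX_WIDTH, MAX_HEIGHT = 1024, 600      # full-screen logo, as stated in the post
BMP_PARTITION_SIZE = 0x400000          # mtd7 "Bmp2" size from /proc/mtd (4 MiB)
HEADER = struct.Struct("<II")          # LE dword imageWidth, LE dword imageHeight


def rgb888_to_rgb565(r, g, b):
    """Pack 8-bit RGB into one 'rrrr rggg gggb bbbb' word."""
    return ((r >> 3) << 11) | ((g >> 2) << 5) | (b >> 3)


def rgb565_to_rgb888(word):
    """Unpack a 5-6-5 word; low bits are filled by bit replication (this example's choice)."""
    r, g, b = (word >> 11) & 0x1F, (word >> 5) & 0x3F, word & 0x1F
    return ((r << 3) | (r >> 2), (g << 2) | (g >> 4), (b << 3) | (b >> 2))


def encode_logo(rows):
    """rows: list of rows of (r, g, b) tuples -> bytes in the .hex layout (raw binary despite the name)."""
    height = len(rows)
    width = len(rows[0]) if rows else 0
    if not (0 < width <= MAX_WIDTH and 0 < height <= MAX_HEIGHT):
        raise ValueError(f"logo must be 1..{MAX_WIDTH} x 1..{MAX_HEIGHT} pixels, got {width}x{height}")
    if any(len(row) != width for row in rows):
        raise ValueError("all rows must have the same width")
    words = [rgb888_to_rgb565(*px) for row in rows for px in row]
    return HEADER.pack(width, height) + struct.pack(f"<{len(words)}H", *words)


def decode_logo(data):
    """Parse a .hex file or a raw mtd7 dump (dd of /dev/mtd7 carries 0xFF erase-state padding)."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 8-byte header")
    width, height = HEADER.unpack_from(data, 0)
    if not (0 < width <= MAX_WIDTH and 0 < height <= MAX_HEIGHT):
        raise ValueError(f"implausible dimensions {width}x{height}: not a logo image?")
    need = HEADER.size + width * height * 2
    if len(data) < need:
        raise ValueError(f"truncated: need {need} bytes, have {len(data)}")
    words = struct.unpack_from(f"<{width * height}H", data, HEADER.size)
    rows = [[rgb565_to_rgb888(w) for w in words[y * width:(y + 1) * width]]
            for y in range(height)]
    return width, height, rows


def fits_partition(blob):
    """Pre-flight check before flash_eraseall/nandwrite: the image must fit the 4 MiB Bmp partition."""
    return len(blob) <= BMP_PARTITION_SIZE


if __name__ == "__main__":
    # Constructed 2x2 sample: red, green / blue, white.
    sample = [[(255, 0, 0), (0, 255, 0)], [(0, 0, 255), (255, 255, 255)]]
    blob = encode_logo(sample)
    w, h, back = decode_logo(blob)
    print(f"{w}x{h}, {len(blob)} bytes, round-trip ok: {back == sample}, fits: {fits_partition(blob)}")
```

A full-screen 1024 x 600 logo comes to 8 + 1,228,800 bytes, which is consistent with the ten 128 KiB erase blocks nandwrite reports in the post. Running decode_logo over the logo_orig.hex backup before overwriting the partition is a cheap way to confirm the backup actually parses.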

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: A Hellene on December 24, 2018, 11:39:00 am
George,

Don't hijack with such an OT. It's better to send a PM. Contact janekivi as he may be able to help. I think you have 2 ways: using the special Rigol USB vendor disk and patching the version number in the previous FW. I think Janekivi can help with both. I would have to do some development to replicate it.

Thank you for the reply.
Once more, I am sorry for the off-topic; yet, reading about MSO5000 hacking reminded me of my DS1000Z issue...


-George
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 11:47:00 am
Re. logo screen: as there wasn’t any reply, I guess there isn’t such information available yet. Or nobody is interested. :) Anyway…

People are shy... :)  Keep those contributions! If everyone does a bit, it costs less.

What about MTD3? What is the BMP there?

BTW, dump both original BMP from the NAND and attach them here (as .PNGs). People like to look at some images.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 24, 2018, 11:53:14 am
Rigol is talking in their update script about app A and B. All app A blocks are empty.

Code:
dev:    size   erasesize  name
mtd0:  00040000 00020000 "Env"          ; Environment as a NULL terminated list and a dword at the beginning
mtd1:  04000000 00020000 "DATA"         ; UBI FS -> /rigol/data
mtd2:  00400000 00020000 "Bmp"          ; unused FF
mtd3:  00400000 00020000 "Bmp1"         ; App A unused FF
mtd4:  00800000 00020000 "Bit1"         ; App A unused FF
mtd5:  02000000 00020000 "Sys1"         ; App A unused FF
mtd6:  06400000 00020000 "App1"         ; App A unused FF
mtd7:  00400000 00020000 "Bmp2"         ; App B Boot Logo        <- logo.hex
mtd8:  00800000 00020000 "Bit2"         ; App B Zynq Bitstream   <- zynq.bit
mtd9:  02000000 00020000 "Sys2"         ; App B Linux Kernel     <- system.img
mtd10: 06400000 00020000 "App2"         ; App B UBI FS -> /rigol <- app.img
mtd11: 04300000 00020000 "Reserved"     ; unused FF
mtd12: 25800000 00020000 "User"         ; UBI FS -> /user
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 24, 2018, 11:54:33 am
BTW, dump both original BMP from the NAND and attach them here (as .PNGs). People like to look at some images.

Yep, might be handy someday, when someone yells ... "I want the original logo back, where can I find one ..."  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 12:07:20 pm
Yep, might be handy someday, when someone yells ... "I want the original logo back, where can I find one ..."  :-DD

Better yet: "I would love to have my brick with the original logo, please help!!"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 12:10:53 pm
Rigol is talking in their update script about app A and B. All app A blocks are empty.

Interesting... We can have 2 different environments loaded in the machine...

Anyone with 7000 can check if it's the same scheme?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 24, 2018, 01:32:58 pm
What do you do with this gel file? I can untar it, and get four .img.gz files, plus the encrypted shell scripts. Further untarring and I get some .img files..
What do you do with those?


MSO5000 FW v01.01.02.03 (https://cld.pt/dl/download/7d02db7b-5669-43ba-a3d3-0636fc04753d/Firmware_01.01.02.03.GEL.tar)

(link will expire after 24h)

Thanks for that! This is the original GEL, as in the version that comes shipped on the scopes yeah? Do you have this for the 7000 as well? For that I only have 00.01.01.07.01 so far ...

Well mostly compare between the different versions, as for the image files, they are regular linux filesystem images.
.....

Thanks for the background information. It's really helpful. I have a very generic Debian VM on my laptop. Am I able to mount these images somehow, so I can start to have a poke around?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 02:00:37 pm
The two script files are interesting, as it actually shows two potential upgrade paths. One is from within linux, the other from within u-boot. My guess is that if the upgrade fails via linux, if you have the usb stick with GEL inserted during boot, u-boot will parse the update file and perform the update. Why they did this I am not sure yet.

The scope accepts the usual ultra-special Rigol vendor USB flash drive (with the special boot sector).

Don't know yet what that allows but...  ;)

Tell me what zynq dev board do you have in mind for 100USD?
I'm curious about this special 'vendor' usb stick. Is it something we can obtain/download/create?
I guess dumping the environment from /dev/mtd0 (and attaching it here) yields us all the scripts etc, if anybody could be so kind :)

As for the zynq dev board, there's the mini Zed for 89 USD, but it is a 7007s (single core) so I feel too far from the scope. The Pynq however looks promising with a 7020; there seem to be a few flavors however, like https://nl.farnell.com/tul-corporation/1m4-m000127000/dev-kit-32bit-arm-cortex-a9-mpu/dp/2913031?st=pynq for example is only 101 Euro. But then I can't buy privately at farnell. So will have to do some more digging, but even so; it still sounds very reasonable :)

I find pricing for these boards can vary, not sure why. (Same board, different sites, double the price). If I find a nice vendor where I can buy stuff, I'll post a link
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 02:01:50 pm
Re. logo screen: as there wasn’t any reply, I guess there isn’t such information available yet. Or nobody is interested. :) Anyway…

People are shy... :)  Keep those contributions! If everyone does a bit, it costs less.

What about MTD3? What is the BMP there?
That's probably u-boot's splash screen. I'd be surprised if it is initially different from the other two, to keep a 'smooth' logo experience.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 02:04:38 pm
Rigol is talking in their update script about app A and B. All app A blocks are empty.

Code:
dev:    size   erasesize  name
mtd0:  00040000 00020000 "Env"          ; Environment as a NULL terminated list and a dword at the beginning
Standard u-boot environment created from a text file and 'compiled' with mkimage. The dword in front is the header.
Code:
mtd1:  04000000 00020000 "DATA"         ; UBI FS -> /rigol/data
As I mentioned earlier, probably configuration data and the like
Code:
mtd2:  00400000 00020000 "Bmp"          ; unused FF
Hmm strange that it is unused, I would have expected the logo for u-boot to use.
Code:
mtd3:  00400000 00020000 "Bmp1"         ; App A unused FF
mtd4:  00800000 00020000 "Bit1"         ; App A unused FF
mtd5:  02000000 00020000 "Sys1"         ; App A unused FF
mtd6:  06400000 00020000 "App1"         ; App A unused FF
This will be populated the first time an update is performed, the update script updates the 'backup', and boots from that next time.
Code:
mtd7:  00400000 00020000 "Bmp2"         ; App B Boot Logo        <- logo.hex
mtd8:  00800000 00020000 "Bit2"         ; App B Zynq Bitstream   <- zynq.bit
mtd9:  02000000 00020000 "Sys2"         ; App B Linux Kernel     <- system.img
mtd10: 06400000 00020000 "App2"         ; App B UBI FS -> /rigol <- app.img
mtd11: 04300000 00020000 "Reserved"     ; unused FF
mtd12: 25800000 00020000 "User"         ; UBI FS -> /user
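The 'Env' partition layout described above (a dword in front of a NUL-terminated KEY=VALUE list, as produced by U-Boot's mkenvimage/mkimage tooling) and the env.bin to env.cmd decompilation that comes up later in the thread, as an added Python example that is not from the thread or from Rigol: the leading dword is U-Boot's CRC32 over the rest of the partition, so a dump pulled with nanddump or cat can be integrity-checked before anyone trusts or edits it, and the parsed variables can be rendered back as env.cmd text. ENV_SIZE is the mtd0 size from /proc/mtd; the variable names in the demo are taken from the env.cmd listing in the thread; the redundant-environment flag byte handling is an assumption about a layout this scope does not appear to use, included only so a CRC mismatch is explained rather than silently ignored.

```python
"""Parse and build a U-Boot environment image like the one in the MSO5000 'Env' partition.

Added example, not Rigol's tooling. Layout (U-Boot's env_t): a little-endian CRC32
dword over the rest of the partition, then NUL-separated KEY=VALUE entries ended by a
double NUL, zero-padded to the partition size.
"""
import struct
import zlib

ENV_SIZE = 0x40000   # mtd0 "Env" = 256 KiB; nanddump -s 0 -l 0x40000 reads exactly this


def build_env(variables, size=ENV_SIZE):
    """mkenvimage-style image: CRC32 header + NUL list + double NUL, zero padded to `size`."""
    payload = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    if len(payload) > size - 4:
        raise ValueError(f"environment needs {len(payload)} bytes, partition holds {size - 4}")
    payload = payload.ljust(size - 4, b"\0")
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) + payload


def _split_entries(payload):
    """Split the NUL-separated list (up to the double NUL) into a dict."""
    end = payload.find(b"\0\0")
    body = payload if end < 0 else payload[:end + 1]
    variables = {}
    for entry in body.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            variables[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return variables


def parse_env(image, size=ENV_SIZE):
    """Return (layout, variables). layout is 'plain' or 'redundant' when the CRC matches,
    else None (truncated, corrupt, or not an env); variables are then a best-effort parse
    of the plain layout so a damaged dump can still be inspected."""
    if len(image) < size:
        raise ValueError(f"dump is {len(image)} bytes, expected at least {size:#x}")
    stored_crc, = struct.unpack_from("<I", image, 0)
    payload = image[4:size]
    if (zlib.crc32(payload) & 0xFFFFFFFF) == stored_crc:
        return "plain", _split_entries(payload)
    # Redundant-env layout (one flag byte after the CRC): an assumption about a layout
    # this scope does not appear to use; checked so a mismatch has an explanation.
    flagged = image[5:size]
    if (zlib.crc32(flagged) & 0xFFFFFFFF) == stored_crc:
        return "redundant", _split_entries(flagged)
    return None, _split_entries(payload)


def to_env_cmd(variables):
    """Render as the KEY=VALUE text (one per line, sorted) the thread calls env.cmd."""
    return "".join(f"{k}={v}\n" for k, v in sorted(variables.items()))


if __name__ == "__main__":
    # Constructed image; names/values follow the env.cmd listing posted in the thread.
    img = build_env({"backpart": "B", "baudrate": "115200", "bootdelay": "1",
                     "ethact": "Gem.e000b000"})
    layout, env = parse_env(img)
    print(layout)
    print(to_env_cmd(env), end="")
```

Note that a stored environment only holds the variables that were saved; U-Boot's built-in defaults are not in the partition, which matches the "a little light on the details" observation later in the thread. The CRC is stored in the CPU's byte order, so it is little-endian on the Zynq.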
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 02:11:17 pm
I'm curious about this special 'vendor' usb stick. Is it something we can obtain/download/create?
I guess dumping the environment from /dev/mtd0 (and attaching it here) yields us all the scripts etc, if anybody could be so kind :)

It can be created, sure. I'll rewind a little my efforts with the DS1054Z and then I'll tell you how to create a vendor disk.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TillMundy on December 24, 2018, 03:45:00 pm
I have tested out the bandwidth with the MSO5000 "hack". I have attached some photos below. The amplitude of my signal generator is not linear so be wary of the changes in amplitude between images.
On the topic of screen brightness; At first when I opened the scope I thought it seemed dim. After using it for a day I didn't notice or care. Then I had to do some other measurements using two scopes. I put my Siglent SDS1104 next to it and boy is there a difference. The Siglent's small display is incredibly bright and clear. On the MSO5000 it is not only a dim screen but also bad diffusion of the back lights. All the edges of the MSO5000 are brighter than the rest of the display. I think they may have reduced the back-light brightness to reduce this effect. Comparing the display to a DSA815 the MSO5000 is still much dimmer and lower resolution.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 04:02:42 pm
and boy is there a difference. The Siglent's small display is incredibly bright and clear. On the MSO5000 it is not only a dim screen but also bad diffusion of the back lights. All the edges of the MSO5000 are brighter than the rest of the display. I think they may have reduced the back-light brightness to reduce this effect. Comparing the display to a DSA815 the MSO5000 is still much dimmer and lower resolution.

Once we know how the backlight is connected to linux, we can see if they purposely lowered the brightness. Since this is a device that is intended to be in use for years to come (10 years is not super unreasonable, considering I had my DS1052 for about 10 years now and would still have it if I didn't sell it because I wanted the MSO5000 :))

Given that, it could very well be that Rigol actually did a lifetime analysis (I know we did at our work) taking LED degradation into account when in use 24/7 and have set the brightness to 50% or something. Or, it's just shit :) we don't know yet.

You can always check /sys/class/led to see if there's a backlight there, or do a `find /sys -iname '*backlight*'` to see if the backlight is controllable. I'll dig into the decompiled device tree soon and see if I can find something.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 24, 2018, 05:01:43 pm
Is all options != 350 MHz?  It almost seems like it’s 500 MHz ?

I had seen rumors of making it run at 1 GHz?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 24, 2018, 05:19:32 pm

Has anybody been able to 'interrupt' u-boot yet with the any-key press? Normally if you press it a few times (space works great) just before the message appears (keyboard buffer and all that) it should pick it up, IF the tx is not disabled ... But I guess very few have it opened and a debug header connected other than Dave ...

Yes you can halt the boot process

Code:
[12/24 17:12:56.0]
[12/24 17:12:56.0]U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)
[12/24 17:12:56.0]
[12/24 17:12:56.0]I2C:   ready
[12/24 17:12:56.0]Memory: ECC disabled
[12/24 17:12:56.0]DRAM:  448 MiB
[12/24 17:12:56.1]DPU:   20170604
[12/24 17:12:56.1]NAND:  OnDie ECC supported, 1024 MiB
[12/24 17:12:57.1]zynq-In:    serial
[12/24 17:12:57.1]zynq-Out:   serial
[12/24 17:12:57.1]zynq-Err:   serial
[12/24 17:12:57.1]Net:   Gem.e000b000
[12/24 17:12:57.1]BootParam=0x0
[12/24 17:12:57.1]Hit any key to stop autoboot:  0
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)
[12/24 17:12:57.1]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.3](
[12/24 17:12:57.3]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.3]rigol-uboot>
[12/24 17:12:57.3]  aesTest base bdinfo beeper boot bootd bootm bootp bootz checkGTP checkVer
[12/24 17:12:57.3]  clk cmp coninfo cp cpldver crc32 dcache ...
[12/24 17:12:57.3]rigol-uboot>

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TillMundy on December 24, 2018, 05:28:02 pm
Is all options != 350 MHz?  It almost seems like it’s 500 MHz ?

I had seen rumors of making it run at 1 GHz?
Some features stop working after 350 MHz. For example the counter option does not work after 350 MHz. Also the frequency measurement gets iffy after 500 MHz. It will show the correct frequency 50% of the time.

It will measure and show waveforms at 1 GHz but the quality is poor and I would not consider this "hack" to unlock a 1 GHz scope.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tinhead on December 24, 2018, 05:51:20 pm

It will measure and show waveforms at 1 GHz but the quality is poor and I would not consider this "hack" to unlock a 1 GHz scope.


ehm, on your picture, you do sample with 2 GSa/s, I thought it could get up to 8 GSa/s?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 24, 2018, 06:03:03 pm

It will measure and show waveforms at 1 GHz but the quality is poor and I would not consider this "hack" to unlock a 1 GHz scope.


ehm, on your picture, you do sample with 2 GSa/s, I thought it could get up to 8 GSa/s?

Only at the 500MHz.

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=604624;image)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TillMundy on December 24, 2018, 06:45:13 pm
Sorry I was just on the wrong time scale.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 07:00:31 pm

Has anybody been able to 'interrupt' u-boot yet with the any-key press? Normally if you press it a few times (space works great) just before the message appears (keyboard buffer and all that) it should pick it up, IF the tx is not disabled ... But I guess very few have it opened and a debug header connected other than Dave ...

Yes you can halt the boot process

Code:
[12/24 17:12:56.0]
[12/24 17:12:56.0]U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)
[12/24 17:12:56.0]
[12/24 17:12:56.0]I2C:   ready
[12/24 17:12:56.0]Memory: ECC disabled
[12/24 17:12:56.0]DRAM:  448 MiB
[12/24 17:12:56.1]DPU:   20170604
[12/24 17:12:56.1]NAND:  OnDie ECC supported, 1024 MiB
[12/24 17:12:57.1]zynq-In:    serial
[12/24 17:12:57.1]zynq-Out:   serial
[12/24 17:12:57.1]zynq-Err:   serial
[12/24 17:12:57.1]Net:   Gem.e000b000
[12/24 17:12:57.1]BootParam=0x0
[12/24 17:12:57.1]Hit any key to stop autoboot:  0
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)
[12/24 17:12:57.1]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.3](
[12/24 17:12:57.3]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.3]rigol-uboot>
[12/24 17:12:57.3]  aesTest base bdinfo beeper boot bootd bootm bootp bootz checkGTP checkVer
[12/24 17:12:57.3]  clk cmp coninfo cp cpldver crc32 dcache ...
[12/24 17:12:57.3]rigol-uboot>
That is awesome :) While they can still fix this trivially (by editing the environment and disabling it) I was afraid that TX would not work. I guess Dave just made a booboo somewhere where it did not work (in the video). Probably tried too late. (One of those things that needs an edit in the video with a text overlay saying it does work.)

But if the u-boot allows tftp or USB access (which I think it does) we can boot from tftp or via USB images.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 07:16:38 pm
If someone could be so kind as to get me a mtd0 dump, I can poke there a little.
cat /dev/mtd0 > /tmp/mtd0.dump
Not sure if this is 'the way' to do nanddumps though I think if it's an mtd we can just do this.
(or directly to USB) would be great; while at it, compare it to /tmp/env.bin; Rigol seems to be saving the env there every boot, so if they are different and you could get me both files, that'd be even better :)

(rigol dumps their nand like this: nanddump -s 0 -l 0x40000 -f /tmp/env.bin /dev/mtd0 )

I'm quite certain that the content of these files should be identical (except maybe some padding at the end).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 07:22:24 pm
If someone could be so kind as to get me a mtd0 dump, I can poke there a little.

By your command.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 07:31:41 pm
From what I can gather so far, the buildroot base is identical for both firmware images (5000 and 7000 I have so far).

I have not dug too deep yet into the filesystem, just some early poking around, but I'm quite sure that the major differences will be if device = 5000 ... if device = 7000 ... kind of logic.

heck, the keyword 'flamingo' (MSO7000) lights up like a christmas tree when grepping in the extracted image filesystem, where kerstrel (MSO5000) can't be found anywhere.

The update (which is newer of course) for the MSO7000 did have a few changes. startEntry is now called flamingo_console. There is a new script called 'bw.sh' that opens/closes 20 MHz bandwidth to something over SPI.

So it could be that these are separately developed binaries, only name changes or .. just a bit messy development ...

We'll know more in a few updates when they synchronize their update files. Until then, every update is worth poking around in :)

Comparing kernels between the two, I found so far that they are built from the exact same source, but the touchscreen drivers seem to differ:
Code:
-TOUCHSCREEN_Goodix_TS y
 TOUCHSCREEN_SSD2543 n -> y
The MSO5000 has the SSD2543 touchscreen, and I think the MSO7000 has a Goodix ts.

So because of that, for now, the firmwares are unique between the two and they can't be interchanged. But who knows, the app may very well run on either scope. E.g. what happens if we run flamingo_console on an MSO5000; (safer is to try the other way around of course). Will that yield us an MSO7000 in an MSO5000 box >: ) For those playing along at home, remember to add extra cooling when trying that :p
Title: GPL Violations?
Post by: oliv3r on December 24, 2018, 07:37:08 pm
I do have a worry ...
I cannot seem to find anything GPL related to Rigol. There is https://github.com/rigol but that seems all very much work in progress/abandoned.

So far, I see that:

They used buildroot to compile their OS -> GPLv2+
(and they have a -dirty tree, meaning uncommitted changes, so the hash may not point to anything public)
They use u-boot -> GPLv2+
They use Linux -> GPLv2+
They use busybox -> GPLv2

They've added some drivers from later kernels (app/drivers) which are NOT their own (strings shows they are GPL licensed)

CUPS is actually not virally licensed anymore, but I doubt they compiled it themselves ... it may not be part of buildroot and so they just compiled it from source is my guess

some dbus stuff
some other libs and stuff

So clearly, currently they could be violating the GPL. While I don't think it's important yet to start bugging them about it (I doubt they have (m)any changes from upstream and the only code they wrote is in flamingo_console/appEntry) I am curious how they will deal with this ... I think this is their first-ish Linux offering ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on December 24, 2018, 08:41:40 pm
But thanks. The 7010, 7015 and 7020 are similar enough that any dev board with these chips should be accurate enough. I think it's mostly CPU speed and maybe FPGA gate count that's different, so I guess they couldn't fit their bitstream into the 7010 and went one up ...
Not exactly. 7015 is fundamentally different from 10/20 in that its fabric has 4 MGTs (GTPs) which support up to 6.6 Gbps per channel. I suspect they use these transceivers to talk to their ASICs.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 25, 2018, 11:47:01 am
If someone could be so kind as to get me a mtd0 dump, I can poke there a little.

By your command.

Super thanks! So the positive is that apparently their default data contains tftp boot/NFS mounts. So during dev they probably were booting over the network, and so can we :)

Sadly, their stored environment is a little light on the details, it's missing quite a few environment variables. I think they manually generated their initial 'stored' environment which supplements their built-in environment. So we probably need that as well.

So yet another request to get some more data. In the u-boot console, the output of 'printenv' would be great. While in the u-boot console, I'm curious about 'sf probe' as well, it should list the SPI flash that's used to boot the device from. If that returns something useful, we can read (and dump) the spi flash via u-boot!

Not sure if we can dump the spi flash content to file, but tftp is easy. We do need to know the details of the flash-chip (size) but then it's
sf read 0x4900000 0 <size of flash>
tftp 0x4900000 spiflash.dump <size of flash>

(that does assume a working tftp setup, e.g. proper ip's etc)

To return the fruits of your labor however, here's the decompiled env.bin into env.cmd
Code: [Select]
backpart=B
baudrate=115200
bootdelay=1
bootver=2018.06.27
ethact=Gem.e000b000
ethaddr=00:0a:35:00:01:2a
gatewayip=172.16.3.1
ipaddr=172.16.3.254
modeboot=qspiboot
nandboot=loadzynq;ledoff;run bootlogo; nand read 0x3000000 0x1100000 0x1000000;bootm 0x3000000
netmask=255.255.255.0
nfsboot=nfs 0x3000000 172.16.3.38:/home/rigolee/workspace/nfs/system.img && bootm 0x3000000
serverip=172.16.3.252
stderr=serial
stdin=serial
stdout=serial
update=if tar 0x4000000 0x2000000 fw4uboot.sh; then  aesTest 0x2000000 ${temp_file_size} 0x2100000if exec 0x2100000; then echo update success!; else echo update failed!; fi;else echo can not find update shell!;fi;
upnet=nfs 0x4000000 172.16.3.38:/home/rigolee/workspace/nfs/FlamingoUpdate.GEL && run update
usbboot=if usb start; then echo Copying Linux from USB to RAM... && fatload usb 0 0x3000000 uImage && fatload usb 0 0x2A00000 devicetree.dtb && fatload usb 0 0x2000000 uramdisk.gz && bootm 0x3000000 0x2000000 0x2A00000; fi;
usbupdate=upgradeFromUSB
vendor=RIGOL TECHNOLOGIES
nandbootA=checkGTP;loadzynq 0x4900000;ledoff;loadlogo 0x4500000;nand read 0x3000000 0x5100000 0xd8ebf0;bootm 0x3000000
nandbootB=checkGTP;loadzynq 0xd900000;ledoff;loadlogo 0xd500000;nand read 0x3000000 0xe100000 0xd8ebf0;bootm 0x3000000
bootlogo=loadlogo 0xd500000
builddate=2018-10-11 16:45:53
softver=00.01.01.02.03
bootpart=B
bootcmd=if run nandbootB; then echo 'ok'; else setenv bootpart A;save;run nandbootA; fi

Note that the ordering is not alphabetical. U-Boot itself always saves the environment alphabetically (or printenv does at least) so it's likely that the out-of-order entries are entries rigol 'adds' to the end of the file.

I wonder if that mac address is unique or identical for all devices. MAC's shouldn't be stored in envs (u-boot will export them to the env of course).
Furthermore, there are a few commands that are interesting (aesTest for example) which of course is a wrapper around the u-boot zynq-only aes command. But where is it stored? (Hopefully in the aforementioned printenv) otherwise, it's part of the GPL sources, and then, we have to start pressing Rigol to share them as per GPL.

Also I'm not sure yet if they have a distr_bootcmd as part of their printenv. Otherwise the env entry will be bootcmd, which will boot from either of the nand-flashes.

Why that matters is because that way we cannot 'break into' the boot sequence externally. E.g. the USB stick won't be accessed as it will boot from NAND first. And while changing the environment is trivial; it's invasive :( Booting noninvasively from USB is of course much cooler :) But for that we need the full printenv (and potentially their u-boot compiled version).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 25, 2018, 12:03:22 pm
The two script files are interesting, as it actually shows two potential upgrade paths. One is from within linux, the other from within u-boot. My guess is that if the upgrade fails via linux, if you have the usb stick with GEL inserted during boot, u-boot will parse the update file and perform the update. Why they did this I am not sure yet.

The scope accepts the usual ultra-special Rigol vendor USB flashdrive (with the special boot sector).

Don't know yet what that allows but...  ;)

Tell me what zynq dev board do you have in mind for 100USD?
<snip>
I find pricing for these boards can vary, not sure why. (Same board, different sites, double the price). If I find a nice vendor where I can buy stuff, I'll post a link

I was going to come back on that, it turns out, xilinx has a site which lists tons of boards.
https://www.xilinx.com/products/boards-and-kits/device-family/nav-zynq-7000.html (https://www.xilinx.com/products/boards-and-kits/device-family/nav-zynq-7000.html)

You have to sort prices from high to low and start at about page 3; as there is a lot of 'contact vendor for price' that gets listed first otherwise.

The cheapest is 69 USD, but that's a single-core zynq-7007s. But for 75 USD we can start with a nice 7010 dual-core; https://www.xilinx.com/products/boards-and-kits/1-pcz4k3.html (https://www.xilinx.com/products/boards-and-kits/1-pcz4k3.html) though as noted by asmi
Not exactly. 7015 is fundamentally different from 10/20 in that its fabric has 4 MGTs (GTPs) which support up to 6.6 Gbps per channel. I suspect they use these transceivers to talk to their ASICs.

So I went digging into that a little; the low-budget parts (single and dual cores up to and including the 7020) are the same, albeit with GPIO and FPGA size differences, with indeed the 7012s and 7015 having the 4 MGTs, which I agree is probably how they are talking to their ASIC. So ideally, we should find a 7015 based board, even if just to get the identical SoC.

The main reason to get a zynq based board is to avoid bricking the device; but if we can extract the SPI flash rom; worst case, we need to jtag back the SPI flash; the rest of the software is fully recoverable, though the /rigol/data (/dev/mtd1) partition will be critical to backup (calibration data, serial number etc are likely stored there).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 25, 2018, 01:41:01 pm
I wonder if that mac address is unique or identical for all devices.
I have the same MAC in my environment but 00:0a:35 is a Xilinx MAC and I haven't captured it during a normal boot. During normal operation, the packets have Rigol MACs (00:19:af).
Title: Re: GPL Violations?
Post by: bitwelder on December 26, 2018, 08:30:03 am
So clearly, currently they could be violating the GPL. While I don't think it's important yet to start bugging them about it (I doubt they have (m)any changes from upstream and the only code they wrote is in flamingo_console/appEntry) I am curious how they will deal with this ... I think this is their first-ish Linux offering ...
Just for starters, does the 'scope come with the usual leaflet (or pages at the end of the manual) about notes on GPL licensed components and how to request the source code?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Karel on December 26, 2018, 10:26:17 am
They only have to provide the sourcecode (of the GPL'ed parts) if they modified it.
Maybe they use unmodified GPL'ed software.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 11:12:51 am
They only have to provide the sourcecode (of the GPL'ed parts) if they modified it.
Maybe they use unmodified GPL'ed software.

They modified it :) trust me. Not sure yet about u-boot (as I wasn't able to dig into that), but they very likely changed the default environment (visible with printenv) which is a code change; so it starts there. Also they added the 'localversion=RIGOLEE' so that's a modification in itself. Granted, these are modifications that don't matter so I hope they left it at that.

Then they modified the linux kernel (they modified the xilinxfb driver, and at the least added a compatible devDPU). They added a devIRQ (probably because their ancient kernel didn't support /sys/class/gpio properly). They backported some other drivers (/rigol/app/drivers), some of which they are not the copyright holders of.

I'm not familiar enough with buildroot to know what they changed there, but I doubt they left it unchanged (as they'd need to commit their own changes for the whole build-system that they need); so it's very likely it is modified.

Then of course we have some userspace tools; but I do agree they probably didn't touch these (busybox, cups, oprofile).

As for their own application; yes, that is their own and they can do with it as they wish of course :)

Now what I'd be interested in is the HDL that runs in the zynq. Not to RE or even to analyze, but to improve and replace. The video bit comes to mind. As they are using a QT stack, the video drivers are actually part of QT (linuxfb) so those are changes that are even in the realm of possibilities. But I think you need partial reconfiguration of the FPGA for that, and need to know _what_ to partially reconfigure, so you need at least some information on the bitstream blob I reckon.

TL;DR
They could have the written offer for the code, but barring that, they would be in violation. Also, for both (us and them) it would be just so much easier to just push the repo's in question to somewhere public and be done with it.

Just for starters, does the 'scope come with the usual leaflet (or pages at the end of the manual) about notes on GPL licensed components and how to request the source code?
Anybody who has the box and manuals already took a peek with regards to a software offer? I do know it must be somewhere on the scope, as there is /license/ on the device with the licenses of some of the parts in it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 11:49:52 am
Dump of MSO5074 NAND for anybody that's interested...

https://www.dropbox.com/s/zb9ay97a0df00cb/Rigol%20MSO5074%20NAND.zip?dl=0 (https://www.dropbox.com/s/zb9ay97a0df00cb/Rigol%20MSO5074%20NAND.zip?dl=0)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 12:05:12 pm
Anybody who has the box and manuals already took a peek with regards to a software offer? I do know it must be somewhere on the scope, as there is /license/ on the device with the licenses of some of the parts in it.

No mention on the box or in any of the documents that came with it, nothing on the outside of the scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 12:26:53 pm
Dump of MSO5074 NAND for anybody that's interested...

https://www.dropbox.com/s/zb9ay97a0df00cb/Rigol%20MSO5074%20NAND.zip?dl=0 (https://www.dropbox.com/s/zb9ay97a0df00cb/Rigol%20MSO5074%20NAND.zip?dl=0)

While this is super appreciated! I think you should at least remove mtd1 from there, as that contains scope specific parameters is my guess (If not, it's okay, I think it is mapped to /rigol/data if you want to check), such as serial numbers and licenses.

EDIT Yes this does indeed contain your license keys, MAC address and other info, so do please remove mtd1 from the download. I am grateful for it as it allows me to poke more into the firmware's inner workings, so thanks for that :)

Now all we need is a way to dump the u-boot binary from the SPI flash and I have everything to replicate a scope :p
So if we can get the output of 'sf probe' we know u-boot can talk to it, and if so, we can use sf read to read it into memory. Getting it from memory into a file (without TFTP) I don't know yet ... So if anyone is willing to do this via serial console and u-boot, I can figure out if/how it's possible (TFTP, maybe xmodem?); worst case, we just do a md (memory dump) and capture the output of the serial line and write a simple script to convert the memory dump back into code.

Which then would be:
Code: [Select]
sf probe
sf read 0x4900000 0 <size of flash> (assuming it's 16 Mbit, sf probe prints it; that will be 0x1000000)
md 0x4900000 0x1000000
because the serial console is quite slow, that will run for a few minutes, so logging of the serial output is required. (When using screen for example you can make it log everything into a file. Not sure if putty has that capability but https://www.viktorious.nl/2013/01/14/putty-log-all-session-output/ (https://www.viktorious.nl/2013/01/14/putty-log-all-session-output/) seems to suggest it does.)

While here, also do a printenv :)

I have ordered the MYIR z-turn lite 7010 so we'll see when it arrives here. Not too bad for 95 Euros (I got the GPIO breakout board). Probably will take 6 weeks to get here though :(
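A converter for the md-capture route sketched above, as an added example that is not from this thread or from any Rigol tool: it rebuilds a binary image from a logged serial session, repacks each printed 32-bit word little-endian (the byte order the ARM CPU read it in), skips prompt echo and line noise, and reports any address ranges that never made it into the log. Both sample sessions are constructed, not captured from a scope.

```python
import re
import struct
from typing import Dict, List, Tuple

# One U-Boot "md" line: 8-digit address, colon, one to four 32-bit words,
# then an ASCII column that is ignored. Only the default .l (32-bit) width is handled.
MD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8}):((?:\s[0-9a-fA-F]{8}){1,4})")


def parse_md_log(text: str) -> Tuple[int, bytes, List[Tuple[int, int]]]:
    """Return (base_address, image, missing_ranges) recovered from a logged md session.

    Lines that are not md output (prompt echo, banner, garbage) are skipped.
    Each word is re-packed little-endian because md prints the value the CPU
    read, not the byte order in memory (assumption: little-endian ARM target).
    Bytes not covered by any line are filled with 0xFF, like erased flash,
    and reported as [start, end) ranges so the dump can be re-run for them.
    """
    chunks: Dict[int, bytes] = {}
    for line in text.splitlines():
        m = MD_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        data = b"".join(struct.pack("<I", int(w, 16)) for w in m.group(2).split())
        if addr in chunks and chunks[addr] != data:
            raise ValueError(f"conflicting data for {addr:#010x}; re-run the dump")
        chunks[addr] = data
    if not chunks:
        raise ValueError("no md output found in log")
    base = min(chunks)
    end = max(a + len(d) for a, d in chunks.items())
    image = bytearray(b"\xff" * (end - base))
    seen = bytearray(end - base)
    for a, d in chunks.items():
        image[a - base:a - base + len(d)] = d
        seen[a - base:a - base + len(d)] = b"\x01" * len(d)
    missing: List[Tuple[int, int]] = []
    i = 0
    while i < len(seen):
        if seen[i]:
            i += 1
            continue
        start = i
        while i < len(seen) and not seen[i]:
            i += 1
        missing.append((base + start, base + i))
    return base, bytes(image), missing


def convert_log(log_path: str, out_path: str) -> List[Tuple[int, int]]:
    """Read a terminal log, write the recovered image, return the gaps found."""
    with open(log_path, "r", errors="replace") as f:
        base, image, missing = parse_md_log(f.read())
    with open(out_path, "wb") as f:
        f.write(image)
    print(f"wrote {len(image):#x} bytes from {base:#010x}; {len(missing)} gap(s)")
    return missing


# Constructed sample of a logged session (the ASCII column shows the byte order).
SAMPLE_LOG = (
    "rigol-uboot>md 0x4900000 0xc\n"
    "04900000: 6f422d55 3220746f 2e383130 00003630    U-Boot 2018.06..\n"
    "04900010: ffffffff 0373b093 deadbeef 00000000    .......s........\n"
    "04900020: 00000001 00000002 00000003 00000004    ................\n"
    "rigol-uboot>\n"
)
# The same constructed session with the middle line lost in transit.
SAMPLE_LOG_WITH_GAP = SAMPLE_LOG.replace(
    "04900010: ffffffff 0373b093 deadbeef 00000000    .......s........\n", "")
```

Note that md's count argument is in objects (32-bit words for the default .l width), so compare the byte length the converter reports against the flash size printed by sf probe before trusting the image.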
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 12:30:13 pm

While this is super appreciated! I think you should at least remove mtd1 from there, as that contains scope specific parameters is my guess (If not, it's okay, I think it is mapped to /rigol/data if you want to check), such as serial numbers and licenses.

This scope is a sacrificial lamb off to slaughter, warranty is already void and I suspect it will suffer all sorts of abuse before it finally dies...

Bring it on!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 26, 2018, 12:37:25 pm
I have ordered the MYIR z-turn lite 7010 so we'll see when it arrives here. Not too bad for 95 Euros (I got the GPIO breakout board). Probably will take 6 weeks to get here though :(

I also bought the 7020... :)

Do you read PMs?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 01:40:29 pm

So if we can get the output of 'sf probe' we know u-boot can talk to it, and if so, we can use sf read to read it into memory.

While here, also do a printenv :)


Ok... breaking into u-boot is a right pain so far. There is the 'Hit any key' message but the countdown timer starts at zero so no time to hit a key. I tried holding SPACE down continuously during the boot process and never managed to break in.

But... if I spew a stream of data at the scope during boot I can break in...

rigol-uboot>sf probe
zynq_qspi_setup_slave: No QSPI device detected based on MIO settings
SF: Failed to set up slave
Failed to initialize SPI flash at 0:0

rigol-uboot>printenv
Invalid input(hxh)

Not very promising so far...


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 01:50:39 pm
I have ordered the MYIR z-turn lite 7010 so we'll see when it arrives here. Not too bad for 95 Euros (I got the GPIO breakout board). Probably will take 6 weeks to get here though :(

I also bought the 7020... :)

Do you read PMs?
I do now :D

what do you mean 'also' :p the z-turn lite? I don't think that exists in a 7020 flavor :p Which board did you order? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 01:59:21 pm

So if we can get the output of 'sf probe' we know u-boot can talk to it, and if so, we can use sf read to read it into memory.

While here, also do a printenv :)


Ok... breaking into u-boot is a right pain so far. There is the 'Hit any key' message but the countdown timer starts at zero so no time to hit a key. I tried holding SPACE down continuously during the boot process and never managed to break in.

But... if I spew a stream of data at the scope during boot I can break in...

rigol-uboot>sf probe
zynq_qspi_setup_slave: No QSPI device detected based on MIO settings
SF: Failed to set up slave
Failed to initialize SPI flash at 0:0

rigol-uboot>printenv
Invalid input(hxh)

Not very promising so far...

Huh? hxh is weird, it's almost as if it doesn't like your command ... you can always do a 'help' to see if the command is different; I recall that in very old u-boots it may be 'env print' for example. If you do not mind editing your environment, you can very easily increase the timeout :)

from the u-boot console, you can do
Code: [Select]
rigol-uboot> setenv bootdelay 2
for example, followed by either a `saveenv` or just `save`<enter>. These days it is saveenv, but I see Rigol use save instead in the scripts (to modify the bootpart parameter).
Code: [Select]
rigol-uboot> save

Alternatively, you can do all this from linux (which we learned from the fw4linux.sh script :)
This requires /tmp/env.bin to be available (which it always is, as several scripts extract it using "nanddump -s 0 -l 0x40000 -f /tmp/env.bin /dev/mtd0" via rc.S). So double check if the file exists:
Code: [Select]
ls -laF /tmp/env.bin
and then modify the env :)
Code: [Select]
/rigol/tools/cfger -s "bootdelay 2"
flash_eraseall /dev/mtd0
nandwrite -p /dev/mtd0 /tmp/env.bin

edit: clarified changing bootdelay from the u-boot shell
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 02:02:31 pm
Help? Been there done that....

rigol-uboot>bollocks
Unknown command 'bollocks' - try 'help'
rigol-uboot>help
Invalid input(hxh)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 02:06:39 pm
Ok....
rigol-uboot>setenv bootdelay=3 save
 ## Error: illegal character '='in variable name "bootdelay=3"

Leave out the '=' and no error messages (or otherwise)
rigol-uboot>setenv bootdelay 3 save

Scared to have to reboot and see if it worked!


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 02:18:52 pm
I'm sorry I wasn't clear, but they are two commands
so
Code: [Select]
setenv bootdelay 3
followed by
Code: [Select]
save
without the save, nothing happens. You basically just set the bootdelay variable to read '3 save' and after a reboot it's gone (reset, without the save)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 02:24:14 pm
I'm sorry I wasn't clear, but they are two commands
so
Code: [Select]
setenv bootdelay 3
followed by
Code: [Select]
save
without the save, nothing happens. You basically just set the bootdelay variable to read '3 save' and after a reboot it's gone (reset, without the save)

Ok cool... well it made no difference so I tried the Linux way:

Code: [Select]
/rigol/tools/cfger -s "bootdelay 5"
flash_eraseall /dev/mtd0
nandwrite -p /dev/mtd0 /tmp/env.bin

That made no difference either, countdown is still instantaneous.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 02:29:06 pm
Help? Been there done that....

rigol-uboot>bollocks
Unknown command 'bollocks' - try 'help'
rigol-uboot>help
Invalid input(hxh)

LOL they removed the 'help' command to make the binary smaller (or remove it to please the user lol)

ok, so then i'll just have to get the info from an older u-boot manual.
until now, i had to do all this from memory :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 26, 2018, 05:22:47 pm
Would it be possible to hack it so it boots faster?

I mean, what's it doing for a whole minute? That's an eternity.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 05:28:35 pm
Help? Been there done that....

rigol-uboot>bollocks
Unknown command 'bollocks' - try 'help'
rigol-uboot>help
Invalid input(hxh)

LOL they removed the 'help' command to make the binary smaller (or remove it to please the user lol)

ok, so then i'll just have to get the info from an older u-boot manual.
until now, i had to do all this from memory :p

I just went through a list of 'standard' uboot commands and quite a few work as expected. BDINFO and VERSION churn out some info, but HELP and PRINTENV are very much absent.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 26, 2018, 07:17:41 pm
So, the zynq.bit parsing is below:

Code: [Select]
00000000 - FFFFFFFF             Padding
00000004 - FFFFFFFF             Padding
00000008 - FFFFFFFF             Padding
0000000C - FFFFFFFF             Padding
00000010 - FFFFFFFF             Padding
00000014 - FFFFFFFF             Padding
00000018 - FFFFFFFF             Padding
0000001C - FFFFFFFF             Padding
00000020 - 000000BB             Bus width auto detect, word 1
00000024 - 11220044             Bus width auto detect, word 2
00000028 - FFFFFFFF             Padding
0000002C - FFFFFFFF             Padding
00000030 - AA995566             Sync Word (BPI/SPI Mode)
00000034 - 20000000             T1 - 00000000  NOP      (1x)
00000038 - 30022001 00000000    T1 W 00000001  TIMER
00000040 - 30020001 00000000    T1 W 00000001  WBSTAR
00000048 - 30008001 00000000    T1 W 00000001  CMD      NULL - No Operation
00000050 - 20000000             T1 - 00000000  NOP      (1x)
00000054 - 30008001 00000007    T1 W 00000001  CMD      RCRC - Reset CRC
0000005C - 20000000             T1 - 00000000  NOP      (2x)
00000064 - 30026001 00000000    T1 W 00000001  FALL_EDGE
0000006C - 30012001 02003FE5    T1 W 00000001  COR0
00000074 - 3001C001 00000000    T1 W 00000001  COR1
0000007C - 30018001 0373B093    T1 W 00000001  IDCODE
00000084 - 30008001 00000009    T1 W 00000001  CMD      SWITCH - Switch CCLK Frequency
0000008C - 20000000             T1 - 00000000  NOP      (1x)
00000090 - 3000C001 00000401    T1 W 00000001  MASK
00000098 - 3000A001 00000501    T1 W 00000001  CTL0
000000A0 - 3000C001 00000000    T1 W 00000001  MASK
000000A8 - 30030001 00000000    T1 W 00000001  CTL1
000000B0 - 20000000             T1 - 00000000  NOP      (8x)
000000D0 - 30002001 00000000    T1 W 00000001  FAR
000000D8 - 30008001 00000001    T1 W 00000001  CMD      WCFG - Write Config Data
000000E0 - 20000000             T1 - 00000000  NOP      (1x)
000000E4 - 30004000             T1 W 00000000  FDRI
000000E8 - 500D621C             T2 W 000D621C
00358964 - 20000000             T1 - 00000000  NOP      (2x)
0035896C - 30008001 0000000A    T1 W 00000001  CMD      GRESTORE - Pulse GRESTORE Signal
00358974 - 20000000             T1 - 00000000  NOP      (1x)
00358978 - 30008001 00000003    T1 W 00000001  CMD      DGHIGH/LFRM - Last Frame Write
00358980 - 20000000             T1 - 00000000  NOP      (100x)
00358B10 - 30008001 00000005    T1 W 00000001  CMD      START - Begin Startup Sequence
00358B18 - 20000000             T1 - 00000000  NOP      (1x)
00358B1C - 30002001 03BE0000    T1 W 00000001  FAR
00358B24 - 3000C001 00000501    T1 W 00000001  MASK
00358B2C - 3000A001 00000501    T1 W 00000001  CTL0
00358B34 - 30000001 E3AD7EA5    T1 W 00000001  CRC
00358B3C - 20000000             T1 - 00000000  NOP      (2x)
00358B44 - 30008001 0000000D    T1 W 00000001  CMD      DESYNC - Reset DALIGN Signal
00358B4C - 20000000             T1 - 00000000  NOP      (400x)

The IDCODE = 0373B093 corresponds to the Xilinx Zynq-7015. The same as in the DS7000.

The decrypted scripts (CORRECTED) are attached. In order to correctly decrypt them, we must set the IV = AES_KEY.

Code: [Select]
<root@rigol>./cfger -h
 -r name:read the value of name
 -i file:read model,version,date to file
 -c name value: compare bwtween the value of name with value
 -s name value: set the value of name
 -t file: remove the all zero of the file
 -d input output: decrypt the input to output by aes
 -e input output: crypt the input to output by aes
 -h : show this help information

The file /tmp/env.bin is protected by a CRC-32 (ISO-HDLC) in its first 4 bytes. cfger tests this CRC before doing anything.

PS: To those who already downloaded the scripts, sorry. Must download again.
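Decoding the packets in the listing above by hand is tedious; the parser below is an added example (not tv84's tool and not Xilinx code) that walks the type-1/type-2 configuration packets after the sync word as UG470 lays them out, names registers and CMD codes, and reports the IDCODE. The sample bitstream is constructed from the header words in the listing plus a four-word FDRI payload; the IDCODE table holds the 7015 value from the listing and the 7010/7020 values from Xilinx documentation, nothing else.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SYNC = b"\xAA\x99\x55\x66"  # 7-series sync word, as at offset 0x30 in the listing
# Type-1 register addresses (UG470); anything not listed prints as REG_<n>.
REGS = {0: "CRC", 1: "FAR", 2: "FDRI", 3: "FDRO", 4: "CMD", 5: "CTL0", 6: "MASK",
        7: "STAT", 8: "LOUT", 9: "COR0", 10: "MFWR", 11: "CBC", 12: "IDCODE",
        13: "AXSS", 14: "COR1", 16: "WBSTAR", 17: "TIMER", 22: "BOOTSTS",
        24: "CTL1", 31: "BSPI"}
# CMD register opcodes (UG470).
CMDS = {0: "NULL", 1: "WCFG", 2: "MFW", 3: "DGHIGH/LFRM", 4: "RCFG", 5: "START",
        6: "RCAP", 7: "RCRC", 8: "AGHIGH", 9: "SWITCH", 10: "GRESTORE",
        11: "SHUTDOWN", 12: "GCAPTURE", 13: "DESYNC", 15: "IPROG", 16: "CRCC",
        17: "LTIMER", 18: "BSPI_READ", 19: "FALL_EDGE"}
# IDCODEs with the 4-bit revision field masked off.
IDCODES = {0x03722093: "XC7Z010", 0x0373B093: "XC7Z015", 0x03727093: "XC7Z020"}


@dataclass
class Packet:
    offset: int            # byte offset of the packet header in the blob
    kind: int              # 1 or 2
    opcode: int            # 0 NOP, 1 read, 2 write
    reg: Optional[int]     # type 2 inherits the address of the preceding type-1 header
    count: int             # number of 32-bit data words following the header
    value: Optional[int]   # the data word, kept only for single-word packets


def parse_packets(blob: bytes) -> List[Packet]:
    """Decode configuration packets from the sync word onward (big-endian words)."""
    start = blob.find(SYNC)
    if start < 0:
        raise ValueError("sync word 0xAA995566 not found")
    pos, last_reg, packets = start + len(SYNC), None, []
    while pos + 4 <= len(blob):
        (hdr,) = struct.unpack_from(">I", blob, pos)
        kind = hdr >> 29
        if kind == 1:
            opcode, reg, count = (hdr >> 27) & 3, (hdr >> 13) & 0x3FFF, hdr & 0x7FF
            last_reg = reg
        elif kind == 2:
            opcode, reg, count = (hdr >> 27) & 3, last_reg, hdr & 0x7FFFFFF
        else:
            break  # not a packet header (e.g. trailing 0xFFFFFFFF padding): stop
        if pos + 4 + 4 * count > len(blob):
            raise ValueError(f"packet at {pos:#x} runs past end of data (truncated?)")
        value = struct.unpack_from(">I", blob, pos + 4)[0] if count == 1 else None
        packets.append(Packet(pos, kind, opcode, reg, count, value))
        pos += 4 + 4 * count
    return packets


def describe(p: Packet) -> str:
    """One human-readable line per packet, in the spirit of the listing above."""
    if p.kind == 1 and p.opcode == 0:
        return f"{p.offset:08X} T1 NOP"
    op = {1: "R", 2: "W"}.get(p.opcode, "?")
    name = REGS.get(p.reg, f"REG_{p.reg}")
    line = f"{p.offset:08X} T{p.kind} {op} {name} words={p.count}"
    if p.value is not None:
        line += f" = {p.value:08X}"
        if name == "CMD":
            line += " " + CMDS.get(p.value, "UNKNOWN")
        elif name == "IDCODE":
            line += " " + IDCODES.get(p.value & 0x0FFFFFFF, "unknown device")
    return line


def idcode(blob: bytes) -> Optional[int]:
    """Return the value written to the IDCODE register, or None if absent."""
    for p in parse_packets(blob):
        if p.kind == 1 and p.opcode == 2 and p.reg == 12 and p.value is not None:
            return p.value
    return None


def device_name(blob: bytes) -> Optional[str]:
    code = idcode(blob)
    return None if code is None else IDCODES.get(code & 0x0FFFFFFF, f"unknown ({code:08X})")


def _words(*ws: int) -> bytes:
    return b"".join(struct.pack(">I", w) for w in ws)


# Constructed sample: the header words from the listing, a 4-word FDRI payload, DESYNC.
SAMPLE_BITSTREAM = _words(
    *([0xFFFFFFFF] * 8), 0x000000BB, 0x11220044, 0xFFFFFFFF, 0xFFFFFFFF, 0xAA995566,
    0x20000000,
    0x30022001, 0x00000000,   # TIMER
    0x30020001, 0x00000000,   # WBSTAR
    0x30008001, 0x00000000,   # CMD NULL
    0x20000000,
    0x30008001, 0x00000007,   # CMD RCRC
    0x20000000, 0x20000000,
    0x30026001, 0x00000000,   # register 19
    0x30012001, 0x02003FE5,   # COR0
    0x3001C001, 0x00000000,   # COR1
    0x30018001, 0x0373B093,   # IDCODE
    0x30008001, 0x00000001,   # CMD WCFG
    0x30004000, 0x50000004,   # FDRI, then a type-2 header with 4 data words
    0x11111111, 0x22222222, 0x33333333, 0x44444444,
    0x30008001, 0x0000000D,   # CMD DESYNC
    0x20000000, 0x20000000,
)
```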
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: photon on December 26, 2018, 09:27:49 pm
For the record, this scope is not being hacked. It is currently open as Rigol currently wishes. Change the title from "Hacking" to "EEVblog Promoting". Nothing is free.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 09:33:33 pm
I'm sorry I wasn't clear, but they are two commands
so
Code: [Select]
setenv bootdelay 3
followed by
Code: [Select]
save
without the save, nothing happens. You basically just set the bootdelay variable to read '3 save' and after a reboot it's gone (reset, without the save)

Ok cool... well it made no difference so I tried the Linux way:

Code: [Select]
/rigol/tools/cfger -s "bootdelay 5"
flash_eraseall /dev/mtd0
nandwrite -p /dev/mtd0 /tmp/env.bin

That made no difference either, countdown is still instantaneous.

Hmm, I doubt cfgver is checking anything in that file, like filtering bootdelay, so it could be, that they removed it from the binary.

In any case, we _can_ get in if needed, so that's a win. I am curious what, next time you're in u-boot, "echo $bootdelay" will say. It should yield the 5 you saved; if not, we did something wrong with the cfgver tool (or whatever it was, I forget)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 09:34:53 pm
Would it be possible to hack it so it boots faster?

I mean, what's it doing for a whole minute? That's an eternity.

At some point, I do see a few 'useless' things that can be sped up if done in parallel (some tasks in the scripts say cost 8s for example)

That said, they are using a QT stack on a relatively slow CPU, so that won't go much faster, and any init the application (the GUI) does, well we can't speed that up without the source code :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 09:39:02 pm
Help? Been there done that....

rigol-uboot>bollocks
Unknown command 'bollocks' - try 'help'
rigol-uboot>help
Invalid input(hxh)
LOL they removed the 'help' command to make the binary smaller (or remove it to please the user lol)

ok, so then i'll just have to get the info from an older u-boot manual.
until now, i had to do all this from memory :p

I just went through a list of 'standard' uboot commands and quite a few work as expected. BDINFO and VERSION churn out some info, but HELP and PRINTENV are very much absent.

It's just bizarre that they disabled printenv ... or help. It may be that in old u-boot versions it was a subcommand of 'env', so 'env print', but even so ... it just makes our job a little harder, not impossible :) The first thing I need to do is cook up a new dtb that exposes the SPI flash memory to linux :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 09:45:43 pm
So, the zynq.bit parsing is below:

Code: [Select]
00000000 - FFFFFFFF             Padding
00000004 - FFFFFFFF             Padding
00000008 - FFFFFFFF             Padding
0000000C - FFFFFFFF             Padding
00000010 - FFFFFFFF             Padding
00000014 - FFFFFFFF             Padding
00000018 - FFFFFFFF             Padding
0000001C - FFFFFFFF             Padding
00000020 - 000000BB             Bus width auto detect, word 1
00000024 - 11220044             Bus width auto detect, word 2
00000028 - FFFFFFFF             Padding
0000002C - FFFFFFFF             Padding
00000030 - AA995566             Sync Word (BPI/SPI Mode)
00000034 - 20000000             T1 - 00000000  NOP      (1x)
00000038 - 30022001 00000000    T1 W 00000001  TIMER
00000040 - 30020001 00000000    T1 W 00000001  WBSTAR
00000048 - 30008001 00000000    T1 W 00000001  CMD      NULL - No Operation
00000050 - 20000000             T1 - 00000000  NOP      (1x)
00000054 - 30008001 00000007    T1 W 00000001  CMD      RCRC - Reset CRC
0000005C - 20000000             T1 - 00000000  NOP      (2x)
00000064 - 30026001 00000000    T1 W 00000001  FALL_EDGE
0000006C - 30012001 02003FE5    T1 W 00000001  COR0
00000074 - 3001C001 00000000    T1 W 00000001  COR1
0000007C - 30018001 0373B093    T1 W 00000001  IDCODE
00000084 - 30008001 00000009    T1 W 00000001  CMD      SWITCH - Switch CCLK Frequency
0000008C - 20000000             T1 - 00000000  NOP      (1x)
00000090 - 3000C001 00000401    T1 W 00000001  MASK
00000098 - 3000A001 00000501    T1 W 00000001  CTL0
000000A0 - 3000C001 00000000    T1 W 00000001  MASK
000000A8 - 30030001 00000000    T1 W 00000001  CTL1
000000B0 - 20000000             T1 - 00000000  NOP      (8x)
000000D0 - 30002001 00000000    T1 W 00000001  FAR
000000D8 - 30008001 00000001    T1 W 00000001  CMD      WCFG - Write Config Data
000000E0 - 20000000             T1 - 00000000  NOP      (1x)
000000E4 - 30004000             T1 W 00000000  FDRI
000000E8 - 500D621C             T2 W 000D621C
00358964 - 20000000             T1 - 00000000  NOP      (2x)
0035896C - 30008001 0000000A    T1 W 00000001  CMD      GRESTORE - Pulse GRESTORE Signal
00358974 - 20000000             T1 - 00000000  NOP      (1x)
00358978 - 30008001 00000003    T1 W 00000001  CMD      DGHIGH/LFRM - Last Frame Write
00358980 - 20000000             T1 - 00000000  NOP      (100x)
00358B10 - 30008001 00000005    T1 W 00000001  CMD      START - Begin Startup Sequence
00358B18 - 20000000             T1 - 00000000  NOP      (1x)
00358B1C - 30002001 03BE0000    T1 W 00000001  FAR
00358B24 - 3000C001 00000501    T1 W 00000001  MASK
00358B2C - 3000A001 00000501    T1 W 00000001  CTL0
00358B34 - 30000001 E3AD7EA5    T1 W 00000001  CRC
00358B3C - 20000000             T1 - 00000000  NOP      (2x)
00358B44 - 30008001 0000000D    T1 W 00000001  CMD      DESYNC - Reset DALIGN Signal
00358B4C - 20000000             T1 - 00000000  NOP      (400x)

The IDCODE = 0373B093 corresponds to the Xilinx Zynq-7015. The same as in the DS7000.

The decrypted scripts (full) are attached.

The file /tmp/env.bin is protected by a CRC-32 (ISO-HDLC) in its first 4 bytes. cfger tests this CRC before doing anything.

That's the same bit as from the MSO7000 thread right? Nice to have it all in one place :) Not sure what I'm seeing in the zynq bit file, more curious as to whether its possible to do any partial reconfiguration. I know FPGA's support it, just need to know what's needed, as I desperately want to overwrite some bits (like the display unit).

As for the env.bin; a u-boot environment is a \n separated text file, usually with the .cmd extension. It's just a list of environment variables, one per line. mkimage will turn this into a .bin file, where the \n's are more or less replaced with \0's and a header is prepended. Part of the header is indeed a checksum (Don't recall if the header is only the checksum).

Anyhow, they basically re-invented the wheel with their cfger, as the fw_printenv and fw_setenv tools do exactly this :) I think fw_printenv can even do it directly on /dev/mtd0 rather than dumping it locally and modifying it locally. Besides, they should have kept the env in the spi flash; as having it on raw nand storage (as they do now) and writing it (hopefully only during updates) is error prone. Raw flash access (via write) is not wear-leveled, no bit correction performed etc (but u-boot can't access it otherwise, well not their ancient u-boot version).
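The integrity check tv84 describes (a CRC-32 over env.bin) and the layout in the paragraph above, as an added example in Python that is neither cfger nor U-Boot's fw_setenv: it verifies the header CRC, parses the NUL-separated name=value list in stored order, and rebuilds the image with a fresh CRC after changing a variable. Assumptions: the non-redundant layout (4-byte CRC, no flags byte), little-endian CRC storage as on the ARM target, the 0x40000 size from the nanddump line quoted earlier, and sample variables constructed from the decoded environment listing.

```python
import zlib
from typing import Dict

ENV_SIZE = 0x40000  # the thread dumps /dev/mtd0 with nanddump -l 0x40000


def verify_crc(image: bytes) -> bool:
    """True if the first 4 bytes hold the CRC-32 (ISO-HDLC) of everything after them."""
    if len(image) <= 4:
        return False
    stored = int.from_bytes(image[:4], "little")  # assumption: little-endian target
    return stored == (zlib.crc32(image[4:]) & 0xFFFFFFFF)


def parse_env(image: bytes) -> Dict[str, str]:
    """Check the CRC and return the variables in the order they are stored."""
    if not verify_crc(image):
        raise ValueError("bad environment CRC: image is corrupt or not a U-Boot env")
    data = image[4:]
    end = data.find(b"\x00\x00")          # a double NUL ends the variable list
    body = data if end < 0 else data[:end]
    env: Dict[str, str] = {}
    for entry in body.split(b"\x00"):
        if entry:
            name, _, value = entry.decode("ascii", "replace").partition("=")
            env[name] = value
    return env


def build_env(env: Dict[str, str], size: int = ENV_SIZE) -> bytes:
    """Serialise name=value pairs NUL-separated, pad with NULs, prepend the CRC."""
    body = b"".join(f"{k}={v}".encode("ascii") + b"\x00" for k, v in env.items()) + b"\x00"
    if len(body) > size - 4:
        raise ValueError("environment does not fit in the partition")
    data = body.ljust(size - 4, b"\x00")
    return zlib.crc32(data).to_bytes(4, "little") + data


def set_var(image: bytes, name: str, value: str) -> bytes:
    """In-memory equivalent of 'cfger -s "name value"': returns a new image."""
    env = parse_env(image)
    env[name] = value
    return build_env(env, len(image))


# Constructed sample, using variables that appear in the decoded listing above.
SAMPLE_VARS = {"bootdelay": "1", "baudrate": "115200", "bootpart": "B",
               "backpart": "B", "softver": "00.01.01.02.03"}
SAMPLE_IMAGE = build_env(SAMPLE_VARS)
```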
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 09:46:50 pm
I'm sorry I wasn't clear, but they are two commands
so
Code: [Select]
setenv bootdelay 3
followed by
Code: [Select]
save
without the save, nothing happens. You basically just set the bootdelay variable to read '3 save' and after a reboot it's gone (reset, without the save)

Ok cool... well it made no difference so I tried the Linux way:

Code: [Select]
/rigol/tools/cfger -s "bootdelay 5"
flash_eraseall /dev/mtd0
nandwrite -p /dev/mtd0 /tmp/env.bin

That made no difference either, countdown is still instantaneous.

Hmm, I doubt cfgver is checking anything in that file, like filtering bootdelay, so it could be, that they removed it from the binary.

In any case, we _can_ get in if needed, so that's a win. I am curious that, next time you're in u-boot, what "echo $bootdelay" will say. It should yield the 5 you saved, if not, we did something wrong with the cfgver tool (or whatever it was, I forget)

Seems to be stuck at 1. But I can reliably get into uboot now by streaming crap at the scope at boot time.

rigol-uboot>echo $bootdelay
1
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 26, 2018, 10:05:29 pm
That's the same bit as from the MSO7000 thread right? Nice to have it all in one place :)

No it isn't. This one is from the MSO5000.

That means the 2 bit files should be the same in 5000 and 7000 !!!! :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 27, 2018, 06:46:22 am
Seems to be stuck at 1. But I can reliably get into uboot now by streaming crap at the scope at boot time.

rigol-uboot>echo $bootdelay
1
that's interesting; as initially it is set to 0. Well I'll dig into this at some point.

Meanwhile, what do you mean with a stream of crap? I know you can set keys to allow interrupts, space or 'c' are common. CTRL-c also tends to work to interrupt a running bootscript. Is it just random keyboard mashing; is it isolated to an area of button mashing?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 27, 2018, 06:48:44 am
That's the same bit as from the MSO7000 thread right? Nice to have it all in one place :)

No it isn't. This one is from the MSO5000.

That means the 2 bit files should be the same in 5000 and 7000 !!!! :)
I'm not surprised at that at all. I think MSO7000 and MSO5000 are more or less the same platform. Not sure I understand the difference in PCB yet however ... I doubt they are using different ASICs though; maybe yield differences for now; but then, that means if yields get better, there will be even less differences ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 27, 2018, 07:19:35 am
<decrypted files>
They are more or less identical, except hashes and so, to the MSO7000 files. No surprise there :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 27, 2018, 08:23:36 am
Meanwhile, what do you mean with a stream of crap? I know you can set keys to allow interrupts, space or 'c' are common. CTRL-c also tends to work to interrupt a running bootscript. Is it just random keyboard mashing; is it isolated to an area of button mashing?

I just loop output back to input, that does it!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 27, 2018, 01:24:50 pm
Meanwhile, what do you mean with a stream of crap? I know you can set keys to allow interrupts, space or 'c' are common. CTRL-c also tends to work to interrupt a running bootscript. Is it just random keyboard mashing; is it isolated to an area of button mashing?

I just loop output back to input, that does it!

like shorting RX to TX? that's bizarre :D It must be one of the character (combinations) in there. It IS possible they have set a 'password' as the any-key and it happens to be part of the input lol, like rigolee or dirty :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 27, 2018, 01:59:38 pm
Meanwhile, what do you mean with a stream of crap? I know you can set keys to allow interrupts, space or 'c' are common. CTRL-c also tends to work to interrupt a running bootscript. Is it just random keyboard mashing; is it isolated to an area of button mashing?

I just loop output back to input, that does it!

like shorting RX to TX? that's bizarre :D It must be one of the character (combinations) in there. It IS possible they have set a 'password' as the any-key and it happens to be part of the input lol, like rigolee or dirty :p

Scope hacked its own password, how cool is that lol
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on December 27, 2018, 02:20:31 pm
That's the same bit as from the MSO7000 thread right? Nice to have it all in one place :) Not sure what I'm seeing in the zynq bit file, more curious as to whether its possible to do any partial reconfiguration. I know FPGA's support it, just need to know what's needed, as I desperately want to overwrite some bits (like the display unit).
There seems to be a lot of myths regarding partial reconfiguration floating around, so please watch this video from Xilinx explaining what PR actually is and how it works: https://www.xilinx.com/video/hardware/partial-reconfiguration-in-vivado.html
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 02:31:26 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 27, 2018, 02:58:57 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

What did you do to "log in"?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 03:02:51 pm
IO -> lan settings -> IP
enter that ip into putty, ssh, port 22, entering root and root when asked

Code: [Select]
login as: root
root@192.168.1.109's password:
Access denied

it's connected to my home network. the webinterface of the rigol is working.

also tried termius on the iphone, same error.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 27, 2018, 03:11:06 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

I think now the title of the thread is going to start making sense...  ::)

Gentlemen, start your engines!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 03:17:22 pm
Here's version 00.01.01.02.03 (http://firebird.tms-taps.net/Rigol/DS5000Update.GEL). You could put it on a thumb drive and try to downgrade. But maybe someone else would like to try something with 1.2.4 first.

P.S.: Upload will be finished in about 10 minutes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: wulfman on December 27, 2018, 03:17:39 pm
Can an older version of firmware be loaded ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 03:20:30 pm
Here's version 00.01.01.02.03 (http://firebird.tms-taps.net/Rigol/DS5000Update.GEL). You could put it on a thumb drive and try to downgrade. But maybe someone else would like to try something with 1.2.4 first.

P.S.: Upload will be finished in about 10 minutes.
thank you! will try and report

Nope, doesn't work. "Failed to upgrade! Check the upgrade file."
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 27, 2018, 03:24:21 pm
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 27, 2018, 03:27:10 pm
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!

Can you replace /etc/passwd?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 27, 2018, 03:35:44 pm
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!

Can you replace /etc/passwd?

I'll leave that to tv84 and oliv3r. It's encrypted and probably can't be transferred to another scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 27, 2018, 03:47:00 pm
Here's version 00.01.01.02.03 (http://firebird.tms-taps.net/Rigol/DS5000Update.GEL). You could put it on a thumb drive and try to downgrade. But maybe someone else would like to try something with 1.2.4 first.

P.S.: Upload will be finished in about 10 minutes.
thank you! will try and report

It most probably won't let you downgrade. That should be where the USB vendor disk comes into play.

Let's first try to reset the password and then we'll deal with the downgrade thing. It would be interesting to recover the new GEL that should be inside that scope. Working on it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 03:51:58 pm
Can we patch the update script so that it thinks that it is at least the same version?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 27, 2018, 03:57:00 pm
I'll leave that to tv84 and oliv3r. It's encrypted and probably can't be transferred to another scope.

Nah, it's just a hash of the word "root".

Can you post the contents of your new "/etc/passwd"? Maybe we can crack it.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on December 27, 2018, 06:03:48 pm
Got an update from Tequip....updated Jan 31 ship date (site says 15 in stock  |O )

When it DOES show up....eventually lol....I'm treating this as a hobby project of hacking first (that happens to spit out a nice scope at the end). Edit:: Called. Stock system error. Should go out Friday or early next week.

Nearly guaranteed to have the "fixed" firmware with a no longer obvious root password. Guess we can safely assume that wasn't intentional  ::).

~Let the fun begin!~
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on December 27, 2018, 06:05:44 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 27, 2018, 06:46:30 pm
Just took a look at current user manual for MSO5000 and compared it to the old mso/ds7000 manual. In a new MSO5000 manual, you can apply math on math !!
You can have previous math channels as sources. In initial DS7000 manual that wasn't the case.
It is implemented pretty much very similar to how R&S did it in 2000/3000....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 06:51:30 pm
Can we patch the update script so that it thinks that it is at least the same version?
It took a bit longer but let’s see if we can fool that little bastard. :) If I didn't mess things up, here’s a file (http://firebird.tms-taps.net/Rigol/DS5000UpdateX.GEL) that should change the environment to make the scope think that it has the older firmware installed and that this is an installation of the same version.

After you’ve downloaded the file, rename it to “DS5000Update.GEL” before you put it on the thumb drive. Good luck!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Swap_File on December 27, 2018, 07:02:06 pm
Got an update from Tequip....updated Jan 31 ship date (site says 15 in stock  |O )

I just got done talking with someone from Tequipment, there was a mix up on the updated ship date and all the back ordered scopes (or my one at least :P) is supposed to be going out early next week.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 27, 2018, 07:45:00 pm
Distributor of rigol 'suggested' they have received instructions from rigol that they need to upgrade any existing units they have before they ship, and that they should be contacting customers who have already got theirs to arrange an upgrade.

Since my distributor (who's sitting on mine, pending pickup) has already been paid for this one, he contacted me to ask if I wanted it upgraded. (smart cookie).

Read between the lines. Rigol does not want these being hacked.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: orion242 on December 27, 2018, 08:40:42 pm
Hmm.  Maybe we should refuse delivery...sorry return to sender.  lol.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 27, 2018, 08:46:53 pm
Read between the lines. Rigol does not want these being hacked.

Too late. We have a ton of info now.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 09:26:42 pm
Can we patch the update script so that it thinks that it is at least the same version?
It took a bit longer but let’s see if we can fool that little bastard. :) If I didn't mess things up, here’s a file (http://firebird.tms-taps.net/Rigol/DS5000UpdateX.GEL) that should change the environment to make the scope think that it has the older firmware installed and that this is an installation of the same version.

After you’ve downloaded the file, rename it to “DS5000Update.GEL” before you put it on the thumb drive. Good luck!
Wow! that was quick and WORKING!! i can login now
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 09:45:43 pm
You just flashed 1.2.3... No use.
During my tests, the firmware was flashed into the app A space (mtd3, 4, 5 and 6). Dumping mtds 7 to 10 might provide the new f/w.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 27, 2018, 09:46:25 pm
New Firmware ?
But officially there's no update available (rigolna, rigol eu)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 09:48:49 pm
But, nonetheless. Tell us what you see in the /user/download/
empty
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 09:56:46 pm
New Firmware ?
It has a higher version number but we do not know if the login lock out is the only change.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 27, 2018, 10:10:42 pm
By the way, it seems on the rigol HK site you could download the former version.

Release Note:

Quote
[Supported Model]    All the MSO5000 Series Digital Oscilloscopes
[Latest Revision Date]  2018/10/15

[Updated Contents]
--------------------

v00.01.01.02.03  2018/10/15

     - Release the production version

edit:

http://www.rigol.com/File/ProductSoftWare/20181017/DS5000(ARM)Update.rar
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 27, 2018, 11:23:25 pm
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 27, 2018, 11:39:16 pm
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
That is an encrypted password.  Unix/Linux does not decrypt passwords in /etc/passwd, it only encrypts user typed password using the same key and compares it to the string stored in /etc/passwd
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 27, 2018, 11:45:46 pm
I think he was asking for someone to have a go at cracking it as it seems like a very small hash.

It's not something stupid like root as the password?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 28, 2018, 01:31:19 am
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
20 minutes with hashcat on a radeon hd7900 -> Rigol201  :-DD

for those interested. researching this took longer than 20mins ;-) linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. i copied the hash part into a file (rigol.hash) and here's the command i used for hashcat:
Code: [Select]
hashcat64.exe -a 3 -m 1500 rigol.hash
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: djnz on December 28, 2018, 05:28:48 am
Have you guys thought of a way to side-load an authorized_keys file into .ssh if rigol decides to change the password again?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 07:46:34 am
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!

Can you replace /etc/passwd?
The password is stored in the ramdisk, which is part of the FIT image, so while you can change it, it is never saved to disk. Also even if we changed it, the hash of the initrd wouldn't match the FIT image anymore, so we'd have to update that as well. Not impossible, not trivial either.

What is rather easy is modifying the start.sh script once in, to change/wipe the password after startup :) the start.sh is part of the app partition, which is a regular r/w mounted filesystem.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 07:49:03 am
Can we patch the update script so that it thinks that it is at least the same version?
I would assume so; we can re-crypt it with cfger I believe and they can't/shouldn't change the keys easily, as they'd want the 'new' keys to still be accepted by old scopes
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 07:49:43 am
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
I wonder where they are getting it from ... Or even more importantly, if they are telling their users to upgrade; where should we get it from?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 28, 2018, 08:17:01 am
Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
I wonder where they are getting it from ...

Same place they get the 'scopes they're selling....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TrickTronic on December 28, 2018, 08:32:46 am
CONFIRMATION

Hey Guys! Thx a million times you crafty geniuses!!  ;D :-+ :-+ :-+

Type: MSO5074
Firmware: 00.01.01.02.04

Successful SSH Login via Putty:
USR: root
PWD: Rigol201


I followed the instructions from @TopLoser:
 ##################################
Download and install PuTTY on your PC
On your scope find its IP address by UTILITY, IO, LAN
Run PuTTY and connect using that IP address and SSH with port 22
Login as ‘root’ password ‘root’
Enter ‘cd /rigol/shell’
Enter ‘vi start.sh’

Change line 82 to read:
‘/rigol/appEntry  $PowerOn -run -fullopt &’

Google vi commands to find out how to insert text into the file
Basically press ‘i’ to enter edit mode then move cursor, insert text and then ESC to exit edit mode.

Save the file and quit ‘:wq’

Reboot.
 ##################################

Rock on guys! Great work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 28, 2018, 09:09:53 am
What's "wifi.sh"?  :popcorn:

(and "send_mail.sh"...do these things send email?)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 28, 2018, 09:29:44 am
Noob question, assuming Rigol does not want to screw up existing early buyers/adopters for future firmware upgrades, also with assumption there will be no major hardware change/revision for newly produced scopes.

With current state of hacks done, will they able to lock this opening permanently if they want to thru newer firmware "only"  ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 09:43:22 am
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
20 minutes with hashcat on a radeon hd7900 -> Rigol201  :-DD

for those interested. researching this took longer than 20mins ;-) linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. i copied the hash part into a file (rigol.hash) and here's the command i used for hashcat:
Code: [Select]
hashcat64.exe -a 3 -m 1500 rigol.hash

I'm surprised that it took you that long; this looks like a very weak password :) I wonder how long it would have taken john the ripper without GPU acceleration...
So john automatically detects the password type and everything and starts to go right away. The 8 chars from the password do just happen to fit inside john's default 8 chars, so that's lucky :). Now on a single threaded i7 it's taking its sweet time. After 1h30 I am not waiting on it anymore (but will let it run its course out of curiosity).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 28, 2018, 09:55:23 am
With current state of hacks done, will they able to lock this opening permanently if they want to thru newer firmware "only"  ?
It’s hard to say if it is impossible to open future firmware updates but a lot of knowledge has been collected in the meantime which makes it easier for us. But as we learn from their changes, they will learn from our hacks and there is a possibility that a future version is not hackable and you’re stuck at a specific version if you don’t want to give up fullopt.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 09:59:23 am
What's "wifi.sh"?  :popcorn:

(and "send_mail.sh"...do these things send email?)
Yes, there are a few supported wifi modules (not sure if there is a UI element to configure them however)
The following drivers + firmwares are installed:
rtl8192cufw_A.bin  rtl8192cufw_B.bin  rtl8192cufw.bin  rtl8192cufw_TMSC.bin  rtl8812aufw.bin
So those wifi modules should work out of the box.

And yes, these can in theory send e-mails :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 10:00:59 am
Noob question, assuming Rigol does not want to screw up existing early buyers/adopters for future firmware upgrades, also with assumption there will be no major hardware change/revision for newly produced scopes.

With current state of hacks done, will they able to lock this opening permanently if they want to thru newer firmware "only"  ?
Yes, remote access they can. But best keep quiet so we don't give them ideas.

Ultimately however, with a screwdriver and other tools you can still bypass that; but even that's lockable.

In the end however, they will need to be able to do firmware updates themselves as well ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 28, 2018, 11:50:43 am
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 28, 2018, 11:54:17 am
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 28, 2018, 12:30:09 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??
Some oscilloscopes can send an e-mail as part of a data logging feature. If a trigger occurred an e-mail notice will be sent (and in some cases it is also possible to have a screendump or data sent as an attachment).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: cybernet on December 28, 2018, 01:17:15 pm
 :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 01:56:26 pm
:-+
I wonder if you'd notice this thread :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 28, 2018, 02:14:35 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

Keysight 3000T can E-mail anything that it can save to USB file....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 28, 2018, 02:42:22 pm
it will be placed on an isolated vlan, with no internet access, and not attached to anything that's important. given the poor security posture that Rigol takes, these become a real possibility for a security breach.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 28, 2018, 02:49:16 pm
you can run an email server on a vlan if you needed the functionality....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 28, 2018, 02:55:49 pm
it will be placed on an isolated vlan, with no internet access, and not attached to anything that's important. given the poor security posture that Rigol takes, these become a real possibility for a security breach.

Maybe that's the reason they changed the password, not to stop hacking.

If they were after security they'd have used a longer hash function.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 28, 2018, 03:04:13 pm
Some oscilloscopes can send an e-mail as part of a data logging feature. If a trigger occurred an e-mail notice will be sent (and in some cases it is also possible to have a screendump or data sent as an attachment).

Sorry for my ignorance in these modern features.  :-[

But, the other day, I saw so much worry about the fact that the Siglent WIFI key wouldn't allow 63 chars and now I see scopes having the explicit capability of sending mails.... and everyone thinks that's a normal thing.

Well, life is good.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 28, 2018, 03:14:45 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 05:51:42 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD

So that's why I need that touchscreen! :p

While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug-in bam; problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc) but don't want it to poke on the internet ... without firewalling or network isolation, the scope just became a ... god knows what.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 28, 2018, 05:56:55 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD

So that's why I need that touchscreen! :p

While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug-in bam; problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc) but don't want it to poke on the internet ... without firewalling or network isolation, the scope just became a ... god knows what.

Yes they can check any installed licence keys (if a keygen becomes available) and check them against a list of official paid for keys... and disable them! Owner can obviously reinstall them unless Rigol nuke your scope remotely for being a bad boy!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 28, 2018, 06:02:48 pm
We'll have to add "remove email client" to the to-do list...

BTW, does it have a camera?   :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: orion242 on December 28, 2018, 06:38:46 pm
While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug-in bam; problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc) but don't want it to poke on the internet ... without firewalling or network isolation, the scope just became a ... god knows what.

Next batch of zombies in the mirai botnet with root/root as the login.  Vlan it off with the rest of the untrusted crap in its own little safe space.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on December 28, 2018, 06:54:53 pm
Give it a manual IP and leave the gateway IP blank, it can't call home that way.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 28, 2018, 09:12:10 pm
firewall log files will be interesting to look at and see what is coming and going. You've got a device that's essentially open with a linux stack on it, on the inside of your network.. could be used for any number of things..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 28, 2018, 09:23:16 pm
Give it a manual IP and leave the gateway IP blank, it can't call home that way.
You might think that but there are several ways to generate network traffic and get the gateway anyway.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 28, 2018, 10:52:16 pm
Just for reference.

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=607480)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 29, 2018, 08:27:26 am
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

I would like to post some other hack on appEntry. BTW, we have a u-boot dump without tearing it down; analyzing it is a little troublesome. Although we know how to interrupt autoboot, how to check in u-boot still remains a mystery.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 29, 2018, 08:55:59 am
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

I would like to post an SPI Flash dump on this thread and some other hack on appEntry. BTW, we have a u-boot dump without tearing it down (in fact, the u-boot itself contains a command to switch between NOR and NAND Flash, because they share several pins); analyzing it is a little troublesome. Although we know the u-boot passphrase, how to check in u-boot still remains a mystery.

I would suggest that you dont' post that here,   posting that probably will get you banned, however its ok, to post it somewhere else and post a link to it.     
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 29, 2018, 09:03:32 am
Or better yet, rely on PM's to share it,
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 29, 2018, 10:08:57 am
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

I would like to post an SPI Flash dump on this thread and some other hack on appEntry. BTW, we have a u-boot dump without tearing it down (in fact, the u-boot itself contains a command to switch between NOR and NAND Flash, because they share several pins); analyzing it is a little troublesome. Although we know the u-boot passphrase, how to check in u-boot still remains a mystery.
Not sure why this information would get you banned. U-Boot is GPL software for one. Secondly the software is already being shared via the forum.

Now, what are you talking about with NAND flash and NOR flash being shared via the same pins? So let's first assume this is possible. Now, u-boot SPL (or the FSBL; calling it only FSBL for now) is being read via the BootROM. The BootROM uses the BOOT_MODE pins to configure itself to boot from QSPI SPI NOR flash. It happily reads the FSBL into the OCM (or via XIP even) and starts to execute the FSBL. U-boot is then loaded, but has no knowledge of the QSPI flash, only has the NAND pinmux set, and loads the files from NAND.

What is special here, and I'm sure they can hack this into their u-boot, is that the SPL does have QSPI support, but regular u-boot does not. Because of that, I think they are using the Vivado FSBL, as doing this with plain u-boot requires some hacks, as it does not support this.

Now, looking at Table 2-4, MIO-at-a-Glance, page 52 of the Zynq-7000 TRM (UG585), we see that the QSPI pins are part of pins 2 through 13, and the NAND flash is 24 through 40. So there is no overlap. Now you also speak of SRAM and NOR. Yes, the Zynq can boot via NOR flash, like NAND, but not SPI: parallel NOR flash. Also confusingly, the Zynq supports SRAM; now I know the difference between the two, but some of the texts I found make it sound like there is also NOR-based SRAM, which confuses me. So I think, for now, that it's either/or.

Reason I bring this up is because there are 2 SRAM chips connected to the Zynq (top 2 chips via snake trace). So it could be that these are connected to the PS via pins 40-53, or they are part of the FPGA. Can't see that yet ... and don't know what the purpose of this would be yet. I don't see any Linux configuration for it (but I may have glanced over it). I strongly believe it is part of the FPGA and is used as some sort of buffering mechanism for the big data stream.

As for the extracted data, please do feel free to send it to me in a PM :)

Edit: I was wrong. The NAND pins are indeed shared. I was looking at, what turns out to be, just the text field which was put RIGHT of the pins. Super annoying.

This does make things more interesting.

So, while we cannot touch u-boot, it's quite likely that neither can Rigol, as they cannot access it from Linux nor u-boot due to the pin-sharing with NAND.

Well, partially true; if you disable NAND, you can freely access SPI flash again. As Linux is running from NAND, re-muxing it at runtime is impossible.

So in u-boot there is sf probe, which could free the NAND mux and force the SPI mux, but that requires patches to u-boot, which are probably complex.

That said, loading a u-boot that does have SPI Flash support (and disables nand) is also possible. I don't know if we can do a switcheroo however :) So my guess, is they intended the SPI flash to be written at the factory once, and never be updated.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 29, 2018, 11:58:18 am
I can be 100% sure that the SPI Flash contains the FSBL, a Zynq bit (which will be overridden during the boot process) and a U-Boot image, because there isn't any Zynq boot image in the NAND Flash.

So far I know the boot process (by analyzing the SPI image) is: Zynq BootROM -> QSPI FSBL (XIP) -> load U-Boot image from SPI Flash into 0x01000000 -> jump to U-Boot -> U-Boot switches the pinmux to NAND Flash -> U-Boot reads env -> U-Boot executes env -> Linux.

About the QDR SRAM controlled by Zynq, I think it is used to handle the phosphor process. Because the phosphor process needs huge random access to the framebuffer, it is reasonable to use QDR SRAM.

So, our team thinks that acquire and some DSP function is processed by K7, and plotting is processed by Zynq PL.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 29, 2018, 12:07:41 pm
Our team got two MSO5072, one MSO5074. But none of them shipped with 1.1.2.4 version firmware.

My scope is on the way to my college. Estimated arrival time is around Jan.1 2018. If my scope shipped with 1.1.2.4 version firmware and it solves all issues I have mentioned before, I would like to share all my research.

BTW, Rigol have replied to me about the crash issue, the FFT issue, and the high-resolution issue. They said that they are solved in the latest firmware; in about two or three days we can get the final result.

To mrpackethead: you have successfully forced me to buy one prematurely; my hack will be available soon. Since you're so energetic, why not ask Rigol for the source of Linux, U-Boot, and some kernel modules! In fact, their proprietary driver also says GPL in the module descriptor. I don't see any contribution in this thread by you; you have said that you just want the principle of the hack, but even a tarball troubles you, so don't make yourself out to be a sage anymore. Do you know the old saying "The brave man attacks the braver man"?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 29, 2018, 01:09:43 pm
rgwan, you have too much inbox stuff, get me some space. :)

Rgwan just passed the post count (above me at 5) limit to be able to use forum's PM feature.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: wulfman on December 29, 2018, 01:48:51 pm
My new scope will be here on the 3rd.  :scared: :scared: :scared:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 29, 2018, 03:21:39 pm
I can be 100% sure that the SPI Flash contains the FSBL, a Zynq bit (which will be overridden during the boot process) and a U-Boot image, because there isn't any Zynq boot image in the NAND Flash.

So far I know the boot process (by analyzing the SPI image) is: Zynq BootROM -> QSPI FSBL (XIP) -> load U-Boot image from SPI Flash into 0x01000000 -> jump to U-Boot -> U-Boot switches the pinmux to NAND Flash -> U-Boot reads env -> U-Boot executes env -> Linux.

About the QDR SRAM controlled by Zynq, I think it is used to handle the phosphor process. Because the phosphor process needs huge random access to the framebuffer, it is reasonable to use QDR SRAM.

So, our team thinks that acquire and some DSP function is processed by K7, and plotting is processed by Zynq PL.

Yes, you are right; I was wrong :)
So I haven't analyzed their FSBL, but I'm curious as to the setting of the boot_mode register, as that will answer the XIP question. I am not sure why they'd use XIP; it would make far more sense to use the normal OCM method, especially when they change their mux.

So what I think they did:

BootROM loads FSBL into OCM and jumps to FSBL that is compiled with SPI flash support
FSBL enables DRAM, loads u-boot from QSPI flash into DRAM and jumps to u-boot

U-Boot knows nothing of SPI flash, but enables NAND flash as it does not know anything about SPI flash.

Hopefully there are no GPIOs to enable/disable pins ... (CS, power enable etc.)

However, the QSPI CS0 pin is 'pin 1' and the NAND CS0 pin is at 'pin 0', so at least those should not overlap ...
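The QSPI boot chain described in the two posts above (BootROM -> FSBL -> U-Boot, with the open question of whether the FSBL runs XIP) can be checked against a flash dump directly, because the BootROM header layout is public in the Zynq-7000 TRM (UG585). The parser below is an added example, not code from this thread or from Rigol. It assumes the UG585 header offsets (width-detection word 0xAA995566 at 0x20, "XNLX" at 0x24, source offset/length/entry words from 0x30, checksum at 0x48 computed over the ten words 0x20..0x44 and bitwise inverted), the BootROM's 32 KiB golden-image search step, and my reading that an entry address inside the 0xFC000000 QSPI linear window means execute-in-place. The image it scans is constructed inline for the demo, not a real dump.

```python
import struct
from typing import Iterator, Optional, Tuple

# Zynq-7000 BootROM header fields as given in UG585 ("BootROM Header"); assumed, not read from a scope.
WIDTH_DETECT = 0xAA995566          # word at 0x20, used by the BootROM for bus-width detection
IMAGE_ID = b"XNLX"                 # bytes at 0x24
ENC_STATUS = {
    0x00000000: "unencrypted",
    0xA5C3C5A3: "encrypted (eFuse key)",
    0x3A5C3C5A: "encrypted (BBRAM key)",
}
HEADER_LEN = 0x4C                  # up to and including the checksum word at 0x48
SEARCH_STEP = 0x8000               # BootROM looks for a valid header every 32 KiB (golden image search)
QSPI_LINEAR_BASE, QSPI_LINEAR_END = 0xFC000000, 0xFD000000   # QSPI linear address window


def header_checksum(hdr: bytes) -> int:
    """Sum of the ten 32-bit words at 0x20..0x44, bitwise inverted, truncated to 32 bits."""
    return (~sum(struct.unpack_from("<10I", hdr, 0x20))) & 0xFFFFFFFF


def parse_boot_header(hdr: bytes) -> Optional[dict]:
    """Decode one BootROM header; None if the two magic words are not present."""
    if len(hdr) < HEADER_LEN:
        return None
    if struct.unpack_from("<I", hdr, 0x20)[0] != WIDTH_DETECT or hdr[0x24:0x28] != IMAGE_ID:
        return None
    (enc, user, src_off, img_len, _load, exec_addr,
     total_len, _qspi_cfg, csum) = struct.unpack_from("<9I", hdr, 0x28)
    return {
        "encryption": ENC_STATUS.get(enc, "unknown (0x%08X)" % enc),
        "user_defined": user,             # UG585 lists 0x2C as user-defined / FSBL version
        "source_offset": src_off,         # where the FSBL image starts, relative to the header
        "image_length": img_len,
        "exec_address": exec_addr,        # entry point the BootROM jumps to
        "total_length": total_len,
        "xip": QSPI_LINEAR_BASE <= exec_addr < QSPI_LINEAR_END,   # entry inside flash => execute in place
        "checksum_ok": csum == header_checksum(hdr),
    }


def scan_flash_image(blob: bytes) -> Iterator[Tuple[int, dict]]:
    """Walk a dump at the BootROM's 32 KiB granularity and report every header found."""
    for off in range(0, len(blob), SEARCH_STEP):
        hdr = parse_boot_header(blob[off:off + HEADER_LEN])
        if hdr is not None:
            yield off, hdr


def build_sample_image(fsbl: bytes, exec_addr: int = 0, corrupt: bool = False) -> bytes:
    """Constructed sample (not a Rigol dump): header, empty register-init table, FSBL payload at 0x8A0."""
    src_off = 0x8A0
    hdr = bytearray(src_off)
    struct.pack_into("<I", hdr, 0x20, WIDTH_DETECT)
    hdr[0x24:0x28] = IMAGE_ID
    # enc, user, source offset, image length, load addr (0), exec addr, total length, qspi cfg (1), csum
    struct.pack_into("<9I", hdr, 0x28, 0, 0x01010203, src_off, len(fsbl), 0, exec_addr, len(fsbl), 1, 0)
    struct.pack_into("<I", hdr, 0x48, header_checksum(hdr) ^ (0xFFFFFFFF if corrupt else 0))
    struct.pack_into("<II", hdr, 0xA0, 0xFFFFFFFF, 0)   # register init table: terminator only
    return bytes(hdr) + fsbl


if __name__ == "__main__":
    image = bytearray(b"\xff" * 0x18000)           # blank flash, three candidate slots
    fsbl = bytes(range(64))
    for off, kw in ((0x0, {}), (0x8000, {"exec_addr": 0xFC0008A0}), (0x10000, {"corrupt": True})):
        part = build_sample_image(fsbl, **kw)
        image[off:off + len(part)] = part
    for off, hdr in scan_flash_image(bytes(image)):
        print("header @ 0x%06X: %s" % (off, hdr))
```

Run it against a real QSPI dump with `scan_flash_image(open("qspi.bin", "rb").read())`: a header whose checksum fails is either a corrupted slot or not a header at all, and the `exec_address` tells you whether the FSBL is entered in the QSPI linear window (XIP) or at an OCM address.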
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 29, 2018, 05:20:28 pm
Not sure why this information would get you banned. U-Boot is GPL software for one. Secondly the software is already being shared via the forum.

Quote from: EEVblog
As long as people don't attach hacked firmware files or keys onto my server I don't care what they publish.

Cause dave said so?   No problems with the thread or discussion though ( or links )
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 29, 2018, 10:13:14 pm
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

It's not the only issue that has to be fixed, and I also wonder why this "update" isn't available for download anywhere on their sites.
The "new" firmware seems to be a preliminary one; it comes with "newer" 5000s out of stock, but isn't the "final" version worth being uploaded as an upgrade.
Maybe it is avaible when you choose online upgrade on scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 29, 2018, 10:15:27 pm
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

It's not the only issue that has to be fixed, and I also wonder why this "update" isn't available for download anywhere on their sites.
The "new" firmware seems to be preliminary; it comes with "newer" 5000s out of stock, but isn't the "final" version worth being uploaded as an upgrade.

Just ask your dealer, they will give you a link to it. I got one very quickly.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 29, 2018, 10:26:01 pm
Hm ?

I thought, new updates will be present on the regular rigol sites…..
You got a new update ? What does the "changes" say ?

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 29, 2018, 10:29:06 pm
Hm ?

I thought, new updates will be present on the regular rigol sites…..
You got a new update ? What does the "changes" say ?

Martin

Single file, no 'changelog'
https://www.dropbox.com/s/7xhvif1n0ayrzju/DS5000Update%20prelim.GEL?dl=0 (https://www.dropbox.com/s/7xhvif1n0ayrzju/DS5000Update%20prelim.GEL?dl=0)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 30, 2018, 12:09:21 am
So, has anyone tested the three issues I mentioned before on a scope shipped with the new firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 30, 2018, 12:12:11 am
Also can someone confirm you can do math on math?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on December 30, 2018, 05:37:20 am
so far, rough diff is:

app.img:

shell/start.sh          # add -average_filter option to appEntry
shell/send_mail.sh  # finally! add model/version/serial/date to the body  :clap:
resource/scpi/MEAsure.xml # cmd id + 1??
bunch of other xml, hlp or hex files
appEntry (of course)
default/precision.hex
K160_TOP.bin

(edit) many many changes in appEntry, hard to diff, but so far, no change about our preferred start option.

system.img:

/etc/passwd                 #we already knew that
/etc/init.d/rcS              # remove echo ++ Starting ftp daemon
/etc/inittab                  # swap shell on ttyPS0 from /bin/ash to /bin/login, huh?
+/etc/passwd.root       # this is the old one
- /lib/firmware/rtfwifi/rtl{8812,8192}*.bin # bye bye

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 30, 2018, 07:53:18 am
Also can someone confirm you can do math on math?

Math on math
Math on math on math
Math on math on math on math
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on December 30, 2018, 08:16:54 am
should it be:
/rigol/appEntry $PowerOn  -run -fullopt &
or
/rigol/appEntry $PowerOn  -run -average_filter -fullopt &
?

I tried with -average_filter but can't find any difference. Anyway, I can't find the hi-res mode, there is a "fine" switch in the channel settings, but without any effect on the signal.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on December 30, 2018, 08:32:19 am
I tried with -average_filter but can't find any difference. Anyway, I can't find the hi-res mode, there is a "fine" switch in the channel settings, but without any effect on the signal.

I think they added this option to put the average filter by default since it's really ugly without averaging. Look at all their videos, it's always averaging, with color gradient.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on December 30, 2018, 08:44:04 am
I tried with -average_filter but can't find any difference. Anyway, I can't find the hi-res mode, there is a "fine" switch in the channel settings, but without any effect on the signal.

I think they added this option to put the average filter by default since it's really ugly without averaging. Look at all their videos, it's always averaging, with color gradient.

Well, averaging is disabled after startup, even with this option in the shell script.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 30, 2018, 09:23:55 am
Not sure why this information would get you banned. U-Boot is GPL software for one. Secondly the software is already being shared via the forum.

Quote from: EEVblog
As long as people don't attach hacked firmware files or keys onto my server I don't care what they publish.

Cause dave said so?   No problems with the thread or discussion though ( or links )
Right, so a link is fine; still sharing the file, which I was after.

However, what if it is NOT a hacked firmware, but the actual firmware from the device, just extracted from it. Like in this case u-boot. I don't see how that would be wrong?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 30, 2018, 09:25:28 am
so far, rough diff is:

app.img:

shell/start.sh          # add -average_filter option to appEntry
shell/send_mail.sh  # finally! add model/version/serial/date to the body  :clap:
resource/scpi/MEAsure.xml # cmd id + 1??
bunch of other xml, hlp or hex files
appEntry (of course)
default/precision.hex
K160_TOP.bin

(edit) many many changes in appEntry, hard to diff, but so far, no change about our preferred start option.

system.img:

/etc/passwd                 #we already knew that
/etc/init.d/rcS              # remove echo ++ Starting ftp daemon
/etc/inittab                  # swap shell on ttyPS0 from /bin/ash to /bin/login, huh?
+/etc/passwd.root       # this is the old one
- /lib/firmware/rtfwifi/rtl{8812,8192}*.bin # bye bye

I wonder how it compares to the MSO7000 firmware :)

The change from ash to login is so that you have to log in using the serial shell. While it makes sense, it's annoying :p

As for the wifi; I don't think they had the kernel module, so the firmwares didn't do much anyway.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 30, 2018, 09:28:17 am
Well, that proves that the 1.1.2.4 firmware isn't the new firmware in which Rigol solved these three issues.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 30, 2018, 09:31:14 am
But one interesting thing is they haven't disabled sshd yet. Although my worries come true, I still don't know why they don't disable it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 30, 2018, 09:37:28 am
However, what if it is NOT a hacked firmware, but the actual firmware from the device. Just extracted from. Like in this case u-boot. I don't see how that would be wrong?

That's something I would like clarification on as well. My guess is no, because of "copyright", but I'm curious, because over on the Siglent side of the fence I have been typo patching. It does nothing to bypass features; it just fixes typos that were present that broke a few existing commands.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 30, 2018, 10:25:54 am
I did a search for all types of start options and here is a list:

Code: [Select]
-notrace_ch     servtrace.cpp
-notrace_digi   servtrace.cpp
-notrace_eye    servtrace.cpp
-notrace_dx     servtrace.cpp
-notrace_la     servtrace.cpp
-log_trace      servtrace.cpp
-log_ch         servtrace.cpp
-log_la         servtrace.cpp
-log_eye        servtrace.cpp
-no_trace       tracethread.cpp  (trace not running)
-debug
-fullopt
-novcal             (calibration??)
-no_cfg         cdsophy.cpp
-noprivacy      servdso_session.cpp
-default        servdso_session.cpp (default settings)
-nonv
-ds8000         
-log_id         dsoengine_trace.cpp
-no_horiplay    dsoengine_playback.cpp
-log_engine     dsoengine_playback.cpp
-log_adc_cal    cdsorecengine_adc.cpp
-log_hori       cdsorecengine_hori.cpp
-noinit         cplatform.cpp
-no_autoplay    cdsoautostopengine.cpp
-log_afe        chcal.cpp
-average_filter cdsorecengine_ch.cpp
-peak_compress  horiunit.cpp
-wait_assert    iphyccu.cpp

On the right is the source code module that (I think) relates to it.

If anyone wants to do experiments and share their discoveries...


ATTENTION: use at your own risk; you may brick your scope!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on December 30, 2018, 10:45:47 am
 -DS8000 ??? :scared:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 30, 2018, 01:08:54 pm
-DS8000 ??? :scared:
But what about DS9000! That would be over 9000 easy!
Code: [Select]
USB device disconnected
DS7000Update.GEL
MSO8
DS8000Update.GEL
MSO5
DS5000Update.GEL
MSO9
DS9000Update.GEL
media
RIGOL TECHNOLOGIES,DS1000Z,SPARROW,201212

Looks like appEntry even borrows some code from the faithful sparrow line of devices!

For me, that's the trigger to get a MSO5000 now :)

There will be others based on the Zynq platform, but there won't be a cheaper variant. Rigol may 'upgrade' the ancient DS1000Z series (DS3000?) or whatever, but I doubt they'll do anything cheaper than the MSO5k. So I think Rigol wants the hacker/cheap market with the good old DS1000Z, and the MSO5000 series is the first one up after that.

(I was thinking of getting a DS1000Z last year after being quite happy with my really old DS1052E, and a DS1054Z at work. I was in the 'hmm they are quite old platforms, I wonder when rigol will release an upgrade to these aging platforms. So it turns out to be the MSO5k series. And while I'd prefer to wait for a v2 hardware version (who knows what bugs linger in the current one) I think this is as good as it'll get for the next 10 years anyway in the low-budget end).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EddyCurrent on December 30, 2018, 01:29:38 pm
Luckily, the MSO5000 is not the first platform that uses their Phoenix chip. I guess they already made improvements in the first issue of the MSO5000 (improved cooling of the analog frontend, e.g.) compared to the MSO7000. This lowers the risk of purchasing buggy hardware. By the way, this is my first post on EEVblog, plus I ordered an MSO5000 as well  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 30, 2018, 10:50:59 pm
Interesting piece of code:

Code: [Select]
    deb_msg(&v7, "servrecord_spy.cpp", 120, "void servRecord::disable_xxx(servRecord::RecordState)");
    QMessageLogger::debug(&v6);
    v3 = sub_43774(&v6, "servrecord_spy.cpp");
    v4 = sub_4F428(v3);
    v5 = sub_43774(v4, "stat:");
    sub_4F428(v5);
    result = QDebug::~QDebug(&v6);
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 30, 2018, 11:04:05 pm
Spy as in spy on what you are doing and send it somewhere?


Interesting piece of code:

Code: [Select]
    deb_msg(&v7, "servrecord_spy.cpp", 120, "void servRecord::disable_xxx(servRecord::RecordState)");
    QMessageLogger::debug(&v6);
    v3 = sub_43774(&v6, "servrecord_spy.cpp");
    v4 = sub_4F428(v3);
    v5 = sub_43774(v4, "stat:");
    sub_4F428(v5);
    result = QDebug::~QDebug(&v6);
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 30, 2018, 11:13:50 pm
doesn't quite read that way to me unless it ties into a much larger function, looks more like a thread hook to request a status string??

sub_43774 looks to be what pushes out a message and returns the value.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 30, 2018, 11:37:54 pm
Any guesses as to what -ds8000 does?  I'll give this a whirl in a few weeks, but curious to know...


I did a search for all types of start options and here is a list:

Code: [Select]
-notrace_ch     servtrace.cpp
-notrace_digi   servtrace.cpp
-notrace_eye    servtrace.cpp
-notrace_dx     servtrace.cpp
-notrace_la     servtrace.cpp
-log_trace      servtrace.cpp
-log_ch         servtrace.cpp
-log_la         servtrace.cpp
-log_eye        servtrace.cpp
-no_trace       tracethread.cpp  (trace not running)
-debug
-fullopt
-novcal             (calibration??)
-no_cfg         cdsophy.cpp
-noprivacy      servdso_session.cpp
-default        servdso_session.cpp (default settings)
-nonv
-ds8000         
-log_id         dsoengine_trace.cpp
-no_horiplay    dsoengine_playback.cpp
-log_engine     dsoengine_playback.cpp
-log_adc_cal    cdsorecengine_adc.cpp
-log_hori       cdsorecengine_hori.cpp
-noinit         cplatform.cpp
-no_autoplay    cdsoautostopengine.cpp
-log_afe        chcal.cpp
-average_filter cdsorecengine_ch.cpp
-peak_compress  horiunit.cpp
-wait_assert    iphyccu.cpp

On the right is the source code module that (I think) relates to it.

If anyone wants to do experiments and share their discoveries...


ATTENTION: use at your own risk; you may brick your scope!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 31, 2018, 11:02:52 am
Finally, I got the scope. Its firmware version is 1.1.2.3. So, I have to wait for new firmware...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Swap_File on December 31, 2018, 03:53:44 pm
This won't help rgwan, but if anyone is looking for specific versions of the firmware:

Reply #396 has a copy of 1.1.2.3
Reply #445 has a copy of 1.1.2.4
Reply #386 has a modified copy of 1.1.2.3 that you can apparently downgrade to from 1.1.2.4
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 31, 2018, 06:40:20 pm
New bug found, signal generator frequency rounding off error. It causes non-synchronous between two channels.

For example, you can't output 1MHz and 12MHz by this scope and get a stable display on a scope, because the frequency of "12MHz output" / 12 does not exactly equal "1MHz output", in some scenario it will cause low-frequency oscillation.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 12:01:00 am
Happy New Year all,

and with the new year I present to you the GEL unpacker and firmware analysis repo :)

https://gitlab.com/riglol/rigolee
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 12:23:27 am
Nice work Oliver.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 01, 2019, 03:44:00 pm
@Oliv3r, thanks for the qspi push, but could you fix the missing / at col2 line 1 in qspi_unpack.sh and remove the -eu also?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 07:00:52 pm
Has anyone done a bandwidth sweep with -fullopt and -ds8000 simultaneously?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 07:07:07 pm
Has anyone done a bandwidth sweep with -fullopt and -ds8000 simultaneously?

What are you thinking might happen?     I need some high speed signal generators it seems.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 07:10:46 pm
I need some high speed signal generators it seems.

Precisely that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 07:44:04 pm
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week, though I'll not be in the lab (picking it up in the US, on my way home)..
Can we restore the scope if we brick it yet?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 07:58:48 pm
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week, though I'll not be in the lab (picking it up in the US, on my way home)..
Can we restore the scope if we brick it yet?

You have to do it with uboot, via serial port (requires open the box). Or JTAG...

First thing is do a NAND dump.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 08:34:29 pm
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week, though I'll not be in the lab (picking it up in the US, on my way home)..
Can we restore the scope if we brick it yet?

You have to do it with uboot, via serial port (requires open the box). Or JTAG...

First thing is do a NAND dump.

I'm ok, with opening the box.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 08:59:33 pm
Anyone played around with trying to make the fullopt stuff permanent? Tried Radare2 but I am not that great with it and appEntry is huge.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 09:16:29 pm
I believe that rgwan has done this.  They have hand-edited some of the code. The function that checks for the various licenses has been modified so that it always returns true.   An old-school hack, but nonetheless very effective.

For some reason he's not wanting to share his hack.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 09:38:15 pm
That is classic binary patching, a good but complicated solution. Will it survive a firmware upgrade?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 01, 2019, 09:41:28 pm
Only a license file will survive an upgrade.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 09:47:52 pm
Only a license file will survive an upgrade.

Yes, you'd need to go and 'hack' the new binaries (assuming they have changed).    This is of course unverified, as nobody has seen his hack yet, and they seem unwilling to share it (I think they feel that Rigol will close the hack if they release it).    It is very hard to know who is who; part of me thinks that Rigol itself might be feeding part of the info in this thread.  The change of password in the latest FW was extremely weak. There were lots of things that could have been done (and simply)...  The theory that they want to be hacked has merit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 09:53:34 pm
Only a license file will survive an upgrade.

Yes, you'd need to go and 'hack' the new binaries (assuming they have changed).    This is of course unverified, as nobody has seen his hack yet, and they seem unwilling to share it (I think they feel that Rigol will close the hack if they release it).    It is very hard to know who is who; part of me thinks that Rigol itself might be feeding part of the info in this thread.  The change of password in the latest FW was extremely weak. There were lots of things that could have been done (and simply)...  The theory that they want to be hacked has merit.

If it is what you say, then the "hack" would simply be to share a patched binary. Not worth it if the "-fullopt" trick still works. If it won't survive an upgrade it's a lot of work each time, plus it clearly needs more patching to pass the firmware upgrade unscathed. I don't blame them. I managed to find some interesting functions, but a) radare2 is complicated, b) I don't have the time to spelunk more :)


Perhaps more useful would be to dump the Rigol public keys.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 01, 2019, 09:57:25 pm
Only a license file will survive an upgrade.

Hm-hm....
So it needs someone who bought an upgrade (option bundle, bandwidth or memory) to find the differences before/after upgrading?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 01, 2019, 09:59:16 pm
The change of password in the latest FW was extremely weak.
Remember that this firmware has been created before the release of Dave’s teardown video. It was not a reaction to our hacks.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 01, 2019, 10:01:42 pm
So it needs to find someone who bought an upgrade ( option-bundle, bandwith or memory) to find the differences before/after upgrading ?
There are license files for the demo mode of the decoders. Location and format of the files are known.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 01, 2019, 10:05:46 pm
OK, so only the difference between demo/installed is important for a hack which could "survive" FW updates..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:09:20 pm
Just updated https://gitlab.com/riglol/rigolee but be warned, as things are being developed, they are not always tested.

SO USE WITH CAUTION AND WARNING. You break stuff, it is your own responsibility.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:19:58 pm
@Oliv3r, thanks for the qspi push, but could you fix the missing / at col2 line 1 in qspi_unpack.sh and remove the -eu also?

Sorry; fixed in both scripts :(

I tested my scripts by running them as sh -x <script> so I did miss it

also, been on the clock really and only doing it inbetween jobs (vacation time is just differnt work :D)

As for set -eu; I'd rather not, I prefer the scripts to fail rather than burn. I am thinking of whether it's worth it to add a few tests to catch these things; but they also take .. time.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:23:36 pm
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week, though I'll not be in the lab. (picking it up in the US, on my way home)..
Can we restore the scope if we brick it yet?

You have to do it with uboot, via serial port (requires opening the box). Or JTAG...

First thing is do a NAND dump.

The nand dump is not that important; I think we have enough to re-create it now.

What we do not have, is each users individual /rigol/data directory. I think we best create a script that backs that up.

Secondly, we do not yet reliably know what's in the SPI flash. We have 1 dump and we do not know yet how accurate or reliable it is.

So technically, because we have u-boot access via SPI flash, we cannot brick anything that's not fixable via UART (IF we have the /rigol/data backup), and until we know what exactly lives there (the MAC address for example) that we can restore otherwise (so in the case of the MAC address: DHCP server logs, sticker on the box etc). Other items that are unique to each scope (factory calibration?) we can't restore.

TL;DR as long as we do not brick the SPI flash, we can always restore via UART.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:24:39 pm
Anyone played around with trying to make the fullopt stuff permanent? Tried Radare2 but I am not that great with it and appEntry is huge.
That's because appEntry is a statically compiled binary with everything in it; well almost everything. There's tons of XML output even compiled into the app. Crazy.

The only thing I think they are loading externally via dlopen is Qt5.5 ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:26:08 pm
Only a license file will survive an upgrade.

Hm-hm....
So we need to find someone who bought an upgrade (option bundle, bandwidth or memory) to find the differences before/after upgrading?
That of course helps a great deal, even if indirectly. And I think it's basically files from /rigol/data ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 10:27:28 pm
Anyone played around with trying to make the fullopt stuff permanent? Tried Radare2 but I am not that great with it and appEntry is huge.
That's because appEntry is a statically compiled binary with everything in it; well almost everything. There's tons of XML output even compiled into the app. Crazy.

The only thing I think they are loading externally via dlopen is Qt5.5 ...
Yeah it has a bunch of crap in it.  Some tantalizing bits including their scpi parser as well. I think they are using ecdsa for key digests which is smart, makes the short keys make more sense.


Sent from my iPhone using Tapatalk
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 10:34:31 pm
A byte patching solution is the easiest and most obvious one, besides the -fullopt feature.

From what I've seen it could be done in a couple of days. Easy for me to believe that rgwan & friends have done it already. Don't discredit them.

A future-proof solution can also be done, it's just a matter of tuning other factors. Probably just as easy.

Discovering how to go beyond the stated features is the hard part (hoping that the HW is able to physically handle it...)

BTW, I'm not buying the theory that Rigol is making things easy on purpose. I believe that we'll see more evidence of that in future updates. Give them time.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on January 01, 2019, 10:42:15 pm
Hah, how much time would it take to remove sshd?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sparkv on January 01, 2019, 10:44:09 pm
So we need to find someone who bought an upgrade (option bundle, bandwidth or memory) to find the differences before/after upgrading?
There are license files for the demo mode of the decoders. Location and format of the files are known.

I don't have my instrument yet (mid/late January based on what TE told me), but the DATA partition (mtd1) contains some licensing and calibration information. Someone posted a dump of their NAND partitions so I am working off of that and extracted firmware. They silence the kernel while mounting this partition so it doesn't show up in kernel logs (it is UBIFS). I guess they were going for "out of sight out of mind" approach with that and user partitions.

Code:
############################################
# Mount key data partition. cost:1s
############################################
/rigol/shell/mount_user_space.sh 0
$TOOLS/beeper

# Don't allow the kernel to output
echo 0 > /proc/sys/kernel/printk

if [ $YourInput -eq '0' ]; then
    #########################################################
    # mount data partition for Calibration and License data
    #########################################################
    mount_mtd $SPACE_DATA $SPACE_DATA $DATA_PATH "DATA"
    Result=$?
    if [ $Result -ne 0 ]; then
        if [ $Result -ne 1 ]; then
            echo 'mounting DATA partition failed'
            /rigol/tools/beeper 1
        else
            cp /rigol/default/* $DATA_PATH
        fi
    fi
fi

The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to, it seems, based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seem to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

Did anyone try dumping the core to obtain memory dump of appEntry? If busybox was modified to disallow core dumps, there is a version for ARMv7 that is used for Siglent scopes (Zynq platform) that one can drop into /tmp and spawn from there. Should be fairly straight forward. Assuming busybox wasn't modified to disallow the core dumps:
Code:
cd /tmp
ps -ef | grep appEntry
ulimit -c unlimited
kill -ABRT <appEntry PID>
Core should be dumped and can be copied over to USB jumpdrive for analysis on PC. I'd try this myself if my scope was here.

Another option is to tap into AXI and see if DRAM can be read directly if the full DRAM dump is desired. Their AXI driver API seems fairly simple.

Been lurking around the forums and reading for a long time now, figured I'd register and see if I can contribute to hacking this thing, so Hello is in order.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 10:48:13 pm
Hah, how much time would it take to remove sshd?

"Roads? Where we're going, we don't need roads."

They can't take away the sshd from the .GEL that I have! And, there are other ways...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 10:56:11 pm
The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to, it seems, based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seem to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

The .hex files have a simple CRC32 protecting them but, of course, are of no use.

The key.dat has an ECC Curve + PubKey inside. It's XXTEA encrypted.
The sysvendor.bin is also XXTEA encrypted with another key. Contains info about the scope inside (SN, MAC, etc)

The LICs are related to the key in key.dat.

In hash terms I see evidence only of SHA256 use but that may be incomplete.

The memdumps from zynq are not helpful. At least, worse than I expected.
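For readers who want to see what the XXTEA protection described above actually amounts to, here is a reference implementation of the XXTEA block cipher (Wheeler and Needham's corrected block TEA) in Python; it is added here and is not code from the scope's firmware or from any poster. The 16-byte key, little-endian word order and NUL padding are assumptions for the demo, and the sample key and plaintext are constructed; how key.dat and sysvendor.bin are actually framed is not known from this thread. The point for a defender: XXTEA is symmetric, so confidentiality rests entirely on the key, and a key that has to ship inside the firmware is obfuscation rather than protection.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    """The XXTEA mixing term, evaluated modulo 2**32."""
    a = (((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))) & MASK
    b = ((s ^ y) + (k[(p & 3) ^ e] ^ z)) & MASK
    return a ^ b


def _key_words(key):
    if len(key) != 16:
        raise ValueError("XXTEA needs a 128-bit key")
    return struct.unpack("<4I", key)   # little-endian word order (assumption)


def _to_words(data):
    # Assumption for the demo: pad with NUL bytes to a multiple of 4 and to at
    # least 8 bytes, because XXTEA needs n >= 2 words. The real framing of
    # key.dat / sysvendor.bin is not known from the thread.
    if len(data) % 4:
        data += b"\0" * (4 - len(data) % 4)
    if len(data) < 8:
        data += b"\0" * (8 - len(data))
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _from_words(words):
    return struct.pack("<%dI" % len(words), *words)


def xxtea_encrypt(data, key):
    k = _key_words(key)
    v = _to_words(data)
    n = len(v)
    rounds = 6 + 52 // n
    s = 0
    z = v[n - 1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return _from_words(v)


def xxtea_decrypt(data, key):
    k = _key_words(key)
    if len(data) % 4 or len(data) < 8:
        raise ValueError("ciphertext must be >= 8 bytes and a multiple of 4")
    v = list(struct.unpack("<%dI" % (len(data) // 4), data))
    n = len(v)
    rounds = 6 + 52 // n
    s = (rounds * DELTA) & MASK
    y = v[0]
    while True:                      # mirrors the do/while of the reference C
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
        if s == 0:
            break
    return _from_words(v)


def demo():
    """Round trip on constructed values; returns (changed, restored, wrong_key_fails)."""
    key = bytes(range(16))                      # constructed demo key
    plain = b"SN=CONSTRUCTED0001;MAC=00:00:00:00:00:00"   # constructed payload
    ct = xxtea_encrypt(plain, key)
    back = xxtea_decrypt(ct, key).rstrip(b"\0")
    wrong = xxtea_decrypt(ct, bytes(16)).rstrip(b"\0")
    return ct != plain, back == plain, wrong != plain


if __name__ == "__main__":
    print(demo())
```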
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 11:00:22 pm
The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to, it seems, based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seem to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

The .hex files have a simple CRC32 protecting them but, of course, are of no use.

The key.dat has an ECC Curve + PubKey inside. It's XXTEA encrypted.
The sysvendor.bin is also XXTEA encrypted with another key. Contains info about the scope inside (SN, MAC, etc)

The LICs are related to the key in key.dat.

In hash terms I see evidence only of SHA256 use but that may be incomplete.

The memdumps from zynq are not helpful. At least, worse than I expected.

Yes they finally wised up and just have signed licenses -- however:

1. replace pub key with own pubkey
2. sign own license
3. ? ? ? ?
4. profit

:)


A byte patching solution is the easiest and most obvious one, besides the -fullopt feature.

From what I've seen it could be done in a couple of days. Easy for me to believe that rgwan & friends have done it already. Don't discredit them.

A future-proof solution can also be done, it's just a matter of tuning other factors. Probably just as easy.

Discovering how to go beyond the stated features is the hard part (hoping that the HW is able to physically handle it...)

BTW, I'm not buying the theory that Rigol is making things easy on purpose. I believe that we'll see more evidence of that in future updates. Give them time.

Yes someone who is competent like rgwan could easily do it--he posted IDA screenshots so he has the right tools. Not all that different from changing the startup shell script to pass "-fullopt" -- both basically bytepatching ;)

Anyway, my scope is going to take a month to arrive (according to Tequipment) so I have plenty of time to try exploring.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 01:29:21 am
Well, has anyone noticed that CH1 and CH3 have overshoot when measuring the calibration square wave? And you can't remove it by adjusting the probe.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 01:37:04 am
Btw, we already have our license generator, but patching the application is necessary; at the least, this application sends a report containing the SN and license state to a Rigol server on power up. If you want to keep your scope on the Internet, you have to patch it, otherwise you may lose your warranty.

So, we're waiting for new firmware. When it is ready, then we will be ready to release.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 02, 2019, 03:29:06 am
Btw, we already have our license generator, but patching the application is necessary; at the least, this application sends a report containing the SN and license state to a Rigol server on power up. If you want to keep your scope on the Internet, you have to patch it, otherwise you may lose your warranty.

So, we're waiting for new firmware. When it is ready, then we will be ready to release.

Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on January 02, 2019, 09:16:10 am
Well, has anyone noticed that CH1 and CH3 have overshoot when measuring the calibration square wave? And you can't remove it by adjusting the probe.

Sorry but I cannot confirm this.
If you want to see something funny, try this:
Connect generator 1 to CH1, enable and change to square. Manually enter 999kHz as frequency then observe the waveform change when increasing to 1MHz.
Not worth 269$.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 02, 2019, 09:36:15 am
Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
It would be impressive if it was verified. What is impressive is oliv3r's repo, and tv84's information. This is the internet; I've been around way too long and am probably very cynical, but I've seen lots of claims of things, and have learned that until you can actually verify things, you can't put much weight on them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 02, 2019, 09:47:33 am
Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
It would be impressive if it was verified. What is impressive is oliv3r's repo, and tv84's information. This is the internet; I've been around way too long and am probably very cynical, but I've seen lots of claims of things, and have learned that until you can actually verify things, you can't put much weight on them.
Thanks :) Just dropping another note here however, it is all WiP and any damages to your scope are not my responsibility nor fault. Can't reiterate this often enough, as I have not tested everything very well yet (the scripts on the scope) as I do not have one yet :)

What I really want at some point however (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect to :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 02, 2019, 10:01:26 am
What I really want at some point however (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect to :p

This might be a job for an Xray inspection?   Not sure how many layers the PCB is of course.. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 02, 2019, 10:12:15 am
If you want to see something funny, try this:
Connect generator 1 to CH1, enable and change to square. Manually enter 999kHz as frequency then observe the waveform change when increasing to 1MHz.
Not worth 269$.

Interesting watch.... changed the frequency halfway through and some nasty jitter disappeared
https://www.dropbox.com/s/93mhrk51i9q0ubh/IMG_7637.MOV?dl=0 (https://www.dropbox.com/s/93mhrk51i9q0ubh/IMG_7637.MOV?dl=0)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 10:56:57 am
We should start a new thread for those numerous bugs.

I have quite a few:
- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

and some severe ones
- CH1, probe to ground: never read 0V, but depends on vertical scale:
acquisition Normal
  10V  ~10V
   5V   ~ 8V
   2V   ~ 5V
   1V   ~ 1V
500mV ~ 1.3V
200mV ~ 280mV
100mV ~ 320mV
 50mV  ~ -20mV
 20mV  ~ 4mV
 10mV  ~ 12mV
  5mV   ~ 15mV
  2mV   ~ out of scale
  1mV   ~ out of scale

- CH1: the thickness of the trace is almost 1 scale large
  CH1+CH2: the thickness is divided by 2
it's almost impossible to read a value.

And I have a lot more.  :-BROKE
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on January 02, 2019, 11:10:35 am

- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

- CH1, probe to ground: never read 0V, but depends on vertical scale:


The generator knob behaves like this only when decreasing from like 1MHz to sub 1MHz (or 1kHz to Hz).
This is because the increments above 1MHz are in 10kHz steps and the first decrement therefore is as well. If you are then in the kHz range the decrements are 1kHz. I don't think this is a bug.

For your CH1 problem, this does not happen on my scope, probe to GND always reads 0V (more or less).

Also you have to adjust the scale of the math channel, this normally would be the larger scale setting of the two channels (when operation A+B is chosen).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 02, 2019, 12:14:49 pm
What I really want at some point however (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect to :p

This might be a job for an Xray inspection?   Not sure how many layers the PCB is of course..
Well, it's worth a try sure; but it's a 4 or probably 6 layer board, with chips on top. So it can give you an indication, very roughly. The best way is to just sand the PCB down layer by layer and scan the PCB.

But first a scope needs to break  >:D  or we raid the PCB factory's trash-bin where they dump broken PCB's  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TurboTom on January 02, 2019, 12:37:28 pm
Well, it's worth a try sure; but it's a 4 or probably 6 layer board, with chips on top. So it can give you an indication, very roughly. The best way is to just sand the PCB down layer by layer and scan the PCB.

But first a scope needs to break  >:D  or we raid the PCB factory's trash-bin where they dump broken PCB's  :-DD

Access to an industrial X-ray tomography machine anyone? That should do the trick non-destructively.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 01:04:30 pm

- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

- CH1, probe to ground: never read 0V, but depends on vertical scale:


The generator knob behaves like this only when decreasing from like 1MHz to sub 1MHz (or 1kHz to Hz).
This is because the increments above 1MHz are in 10kHz steps and the first decrement therefore is as well. If you are then in the kHz range the decrements are 1kHz. I don't think this is a bug.

For your CH1 problem, this does not happen on my scope, probe to GND always reads 0V (more or less).

Also you have to adjust the scale of the math channel, this normally would be the larger scale setting of the two channels (when operation A+B is chosen).

I took my old trusted DS1052E, connected MSO5.CH1 to DS1052E.TestSignal:
 (RigolDS1.png)
1V offset from ground.
(exact same behaviour as the MSO5.TestSignal)

I then plugged DS1052E.CH1 to MSO5.TestSignal:
 (NewFile0.bmp)
The test signal is perfect, ground aligned.

When I unplug every channel on the MSO, no one goes to gnd.
 (RigolDS0.png)

And with the math(A+B), it just confirms the numbers, the crap B is reading.
 (rigolDS2.png)

I really don't understand what's going on, bad scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on January 02, 2019, 01:09:10 pm
Did you use the same probe in both scopes?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 01:13:05 pm
yes, even swapped every probe (2x100MHz, 4x350MHz), always the same result.

[edit] I'm now running the self cal procedure (manual didn't ask that, but meh, let's see)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on January 02, 2019, 01:23:05 pm
I'm now running the self cal procedure
Please record how long it takes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 01:49:37 pm
Much better after a self cal.

All channels properly aligned on gnd now.

It took almost one hour.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 02:03:49 pm
That's pretty embarrassing, self-cal won't work, it still produces that overshoot when measuring the 1kHz square wave signal. It's not only my scope like that; we also have about four scopes with the same problem, and these 4 scopes include one scope that is currently not patched. The unpatched scope has the same behavior.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 02, 2019, 02:21:51 pm
Are you using the probe in x1 or x10 config? I can see a little overshoot in x1 mode but it can be perfectly flattened in x10.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on January 02, 2019, 02:38:16 pm
That's pretty embarrassing, self-cal won't work
Have you disconnected all probes from the inputs before running self-cal?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 02:55:02 pm
I disconnected all input, absolutely.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 02:57:11 pm
There is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 03:19:08 pm
And now, average(64) + fine + aliasing does something : a very fine trace (1px). To All: Do run a self cal.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Vtech on January 02, 2019, 04:38:55 pm
Coming back to the logic probe pod, I've created a separate thread with teardown photos of the RPL1116 pod for the MSO1000Z series. It seems to be very similar to the PLA2216 for the MSO5000.
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2085451/#msg2085451 (https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2085451/#msg2085451)

Not too difficult to replicate.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 02, 2019, 04:55:42 pm
TopLoser is playing with Photoshop...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 02, 2019, 04:58:58 pm
We should start a new thread for those numerous bugs.

So we did.  Here you go.  Bugs away!

https://www.eevblog.com/forum/testgear/rigol-5000-bugs/ (https://www.eevblog.com/forum/testgear/rigol-5000-bugs/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 02, 2019, 05:10:11 pm
TopLoser is playing with Photoshop...

That's a 4 or 6 layer board with the big heatsink still attached to the zynq.

Just for laughs I stitched 9 images together, some detail gets lost where they overlap, but it's better than nothing.

https://www.dropbox.com/s/aq11wb21pueidod/MSO5074%20big%20xray.zip?dl=0 (https://www.dropbox.com/s/aq11wb21pueidod/MSO5074%20big%20xray.zip?dl=0)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 02, 2019, 06:32:27 pm
Coming back to the logic probe pod, I've created a separate thread with teardown photos of the RPL1116 pod for the MSO1000Z series. It seems to be very similar to the PLA2216 for the MSO5000.
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2085451/#msg2085451 (https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2085451/#msg2085451)

Not too difficult to replicate.
Considering they also use the LMH7322 I think they are identical (in schematic form) on page 6? TopLoser took some xray photos. But yes, let's keep the conversation focused in your thread instead.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 02, 2019, 06:33:41 pm
We should start a new thread for those numerous bugs.

So we did.  Here you go.  Bugs away!

https://www.eevblog.com/forum/testgear/rigol-5000-bugs/ (https://www.eevblog.com/forum/testgear/rigol-5000-bugs/)
awesome great idea; we can talk about hacking here then :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 02, 2019, 06:48:48 pm
"Offtopic", last time...we should use the existing threads for it indeed...

And now, average(64) + fine + aliasing does something : a very fine trace (1px). To All: Do run a self cal.

Instead of using averaging, you could decrease the memory depth to make the trace thinner.
See also Dave's video on why digital scopes appear noisy (https://www.youtube.com/watch?v=Znwp0pK8Tzk&t=758s)

Quote
There is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.

Although I don't have the issue with my 5074, it sounds like a mismatch problem - we bought a couple of probes because the originals had mostly "vanished"...
On some scopes there was no problem adjusting them.
Other scopes showed exactly your problem - we couldn't compensate the overshoots completely, it's a matter of the input capacitance.
Only with their original probes was everything fine.
Either the input capacitance on your Rigol is different (tolerance) or the probes are defective.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on January 02, 2019, 09:32:18 pm

Quote
There is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.

Although I don't have the issue with my 5074, it sounds like a mismatch problem - we bought a couple of probes because the originals had mostly "vanished"...
On some scopes there was no problem adjusting them.
Other scopes showed exactly your problem - we couldn't compensate the overshoots completely, it's a matter of the input capacitance.
Only with their original probes was everything fine.
Either the input capacitance on your Rigol is different (tolerance) or the probes are defective.

A little to my dismay, I found the same result on the MSO7k we have at work. Tried different probes with slightly different loading, square waves from a few different sources. Same exact overshoot in every case at 1kHz, which seemed a bit odd :/
I'll try the other 7k in the office that came in from the same batch tomorrow as well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 02, 2019, 09:36:15 pm
Quote
Same exact overshoot in every case at 1kHz

Oh.... :(

Only at 1kHz?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 03, 2019, 05:47:38 am
We should start a new thread for those numerous bugs.

So we did.  Here you go.  Bugs away!

https://www.eevblog.com/forum/testgear/rigol-5000-bugs/ (https://www.eevblog.com/forum/testgear/rigol-5000-bugs/)

Is there really any point at this stage? It will be 100% noise until there's been a firmware update or two.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on January 03, 2019, 07:50:00 am

Quote
There is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.

Although I don't have the issue with my 5074, it sounds like a mismatch problem - we bought a couple of probes because the originals had mostly "vanished"...
On some scopes there was no problem adjusting them.
Other scopes showed exactly your problem - we couldn't compensate the overshoots completely, it's a matter of the input capacitance.
Only with their original probes was everything fine.
Either the input capacitance on your Rigol is different (tolerance) or the probes are defective.
A little to my dismay, I found the same result on the MSO7k we have at work. Tried different probes with slightly different loading, square waves from a few different sources. Same exact overshoot in every case at 1kHz, which seemed a bit odd :/
I'll try the other 7k in the office that came in from the same batch tomorrow as well.
The overshoot is likely due to a factory adjustment of the input circuit. Is there some way to run a self-calibration or adjustment procedure? I don't recall whether there is a trim capacitor in the input circuit or not.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: knotapun on January 03, 2019, 02:56:23 pm
I'm curious, it's been mentioned that the serial number and keys are stored in a location that is not overwritten when the firmware is updated, doesn't that mean that you can just copy a real licence over as long as you copy the serial number along with it?

After reading the whole thread of comments, I'm under the impression that it's entirely possible to do so.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 03, 2019, 09:17:04 pm
From what I understand the license file is encrypted. It is highly probable that it requires the key that is hardware coded into the Zynq. Copying another licence file won't help you in this case.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on January 03, 2019, 11:18:04 pm

The overshoot is likely due to a factory adjustment of the input circuit. Is there some way to run a self-calibration or adjustment procedure? I don't recall whether there is a trim capacitor in the input circuit or not.

Tried it at a few other Hz today, ran the self cal as well. Still present. Solid 500mV over/undershoot on a 10V square. Looked like about a 25µs RC constant around 63% of the way down from the spike. First time I saw it I thought it was the sig gen, but realized this was at 200µs/div....

No go on checking the other 7k. Was being used to debug some SPI to TFT screen stuff (which it does rather well).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 04, 2019, 10:11:31 am
Gentlemen,

Is it so difficult to take all this OT to another thread?   >:(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 04, 2019, 02:57:16 pm
Gentlemen,

Is it so difficult to take all this OT to another thread?   >:(

Like

https://www.eevblog.com/forum/testgear/rigol-5000-bugs (https://www.eevblog.com/forum/testgear/rigol-5000-bugs)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sparkv on January 04, 2019, 11:42:11 pm
So the image can boot on Xilinx QEMU it seems, and gets pretty far. I expected it to kernel panic early on, but it doesn't. I haven't gotten it to a point where it starts the appEntry, but it gets to a point where it's trying to mount UBIFS partitions and fails because I haven't provided the emulator with NAND image/options. Won't have my scope for another 2-3 weeks probably according to TE, but if it's possible to get some of it running on QEMU to "debug" and test, I'll take it  :-DD

Another problem is probably lack of certain devices (it just complains but proceeds with boot). I'm using BSP provided by Xilinx and not creating custom hardware definition. I might do that tonight/over the weekend just to speed up the boot.

If it can boot on QEMU and run appEntry that will make RE a whole lot easier, at least until I get the real hardware. But even then, having no fear of bricking/destroying the instrument while testing stuff will make some things easier. I'll share steps once I have things working in a stable manner.

Code:
qemu-system-aarch64: -serial mon:pty: char device redirected to /dev/pts/19 (label serial0-base)
qemu-system-aarch64: -serial mon:pty: char device redirected to /dev/pts/20 (label serial2-base)
qemu-system-aarch64: warning: nic ethernet@e000c000 has no peer
rom: requested regions overlap (rom bootloader. free=0x000000000000ed70, addr=0x0000000000000000)


U-Boot 2018.01 (Jan 04 2019 - 11:47:57 -0800) Xilinx Zynq ZC702

Model: Zynq ZC702 Development Board
Board: Xilinx Zynq
Silicon: v0.0
I2C:   ready
DRAM:  ECC disabled 1 GiB
MMC:   Card did not respond to voltage select!
mmc_init: -95, time 12
sdhci@e0100000 - probe failed: -95
Card did not respond to voltage select!
mmc_init: -95, time 11

SF: Detected n25q512 with page size 256 Bytes, erase size 4 KiB, total 64 MiB
*** Warning - bad CRC, using default environment

In:    serial@e0001000
Out:   serial@e0001000
Err:   serial@e0001000
Model: Zynq ZC702 Development Board
Board: Xilinx Zynq
Silicon: v0.0
Net:   ZYNQ GEM: e000b000, phyaddr 7, interface rgmii-id
eth0: ethernet@e000b000
U-BOOT for xilinx-zc702-2018_2

BOOTP broadcast 1
DHCP client bound to address 192.168.76.9 (2 ms)
Hit any key to stop autoboot:  0
Zynq> tftpboot 0x03000000 image.ub
Using ethernet@e000b000 device
TFTP from server 10.5.3.218; our IP address is 192.168.76.9; sending through gateway 192.168.76.2
Filename 'image.ub'.
Load address: 0x3000000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
###########
15 MiB/s
done
Bytes transferred = 33554432 (2000000 hex)
Zynq> printenv baudrate
baudrate=115200
Zynq> bootm
 ## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
     Description:  Kerstrel Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x030000f8
     Data Size:    3302448 Bytes = 3.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00100000
     Entry Point:  0x00100000
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK
 ## Loading ramdisk from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  kerstrel-Update-Ramdisk
     Type:         RAMDisk Image
     Compression:  gzip compressed
     Data Start:   0x03328c5c
     Data Size:    10901113 Bytes = 10.4 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    sha1
     Hash value:   55bdcbebccba845da403130143793ee0135e53a1
   Verifying Hash Integrity ... sha1+ OK
 ## Loading fdt from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x0332661c
     Data Size:    9597 Bytes = 9.4 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   da2d17ba0d5a71b5897deec4cb026014f3132185
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x332661c
   Loading Kernel Image ... OK
   Loading Ramdisk to 0759a000, end 07fff679 ... OK
   Loading Device Tree to 07594000, end 0759957c ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 3.12.0-xilinx (rigolee@Jim) (gcc version 4.8.1 (Sourcery CodeBench Lite 2013.11-53) ) #43 SMP PREEMPT Sat Jul 28 12:14:01 CST 2018
CPU: ARMv7 Processor [410fc090] revision 0 (ARMv7), cr=10c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: Xilinx Zynq Platform, model: Xilinx Zynq
Memory policy: Data cache writealloc
PERCPU: Embedded 8 pages/cpu @c0e74000 s8384 r8192 d16192 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 260624
Kernel command line: console=ttyPS0,115200 no_console_suspend, root=/dev/ram rw
PID hash table entries: 4096 (order: 2, 16384 bytes)
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Memory: 1022228K/1048576K available (4197K kernel code, 255K rwdata, 1716K rodata, 176K init, 179K bss, 26348K reserved, 270336K highmem)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xf0000000 - 0xff000000   ( 240 MB)
    lowmem  : 0xc0000000 - 0xef800000   ( 760 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc05ce880   (5915 kB)
      .init : 0xc05cf000 - 0xc05fb0c0   ( 177 kB)
      .data : 0xc05fc000 - 0xc063bd78   ( 256 kB)
       .bss : 0xc063bd84 - 0xc06689a4   ( 180 kB)
Preemptible hierarchical RCU implementation.
        Dump stacks of tasks blocking RCU-preempt GP.
        RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
NR_IRQS:16 nr_irqs:16 16
ps7-slcr mapped to f0004000
Zynq clock init
sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
Console: colour dummy device 80x30
Calibrating delay loop... 1454.89 BogoMIPS (lpj=7274496)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0xc03fa6b8 - 0xc03fa710
L2x0 series cache controller enabled
l2x0: 8 ways, CACHE_ID 0x00000000, AUX_CTRL 0x00000000, Cache size: 512 kB
CPU1: Booted secondary processor
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 0
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
gpio->base_addr is:0xf0050000
The gpio irq num is:52
zynq_gpio e000a000.ps7-gpio: gpio at 0xe000a000 mapped to 0xf0050000
hw-breakpoint: debug architecture 0x4 unsupported.
zynq_ocm f800c000.ps7-ocmc: ZYNQ OCM pool: 256 KiB @ 0xf0080000
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
NET: Registered protocol family 2
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 4, 65536 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
TCP: reno registered
UDP hash table entries: 512 (order: 2, 16384 bytes)
UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 10644K (c759a000 - c7fff000)
hw perfevents: enabled with ARMv7 Cortex-A9 PMU driver, 1 counters available
Boot process: fb dev not inited, boot process not start!
bounce pool size: 64 pages
NTFS driver 2.1.30 [Flags: R/W].
msgmni has been set to 1489
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
bg request_mem_region failed!
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at arch/arm/mm/ioremap.c:301 __arm_ioremap_pfn_caller+0xfc/0x17c()
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.12.0-xilinx #43
[<c0015074>] (unwind_backtrace+0x0/0x11c) from [<c0011568>] (show_stack+0x10/0x14)
[<c0011568>] (show_stack+0x10/0x14) from [<c03f5c08>] (dump_stack+0x8c/0xd4)
[<c03f5c08>] (dump_stack+0x8c/0xd4) from [<c00218a4>] (warn_slowpath_common+0x60/0x84)
[<c00218a4>] (warn_slowpath_common+0x60/0x84) from [<c0021958>] (warn_slowpath_null+0x18/0x20)
[<c0021958>] (warn_slowpath_null+0x18/0x20) from [<c001a484>] (__arm_ioremap_pfn_caller+0xfc/0x17c)
[<c001a484>] (__arm_ioremap_pfn_caller+0xfc/0x17c) from [<c001a550>] (__arm_ioremap_caller+0x4c/0x54)
[<c001a550>] (__arm_ioremap_caller+0x4c/0x54) from [<c001a25c>] (__arm_ioremap+0x14/0x1c)
[<c001a25c>] (__arm_ioremap+0x14/0x1c) from [<c02321b0>] (xilinxfb_of_probe+0x74/0x3d8)
[<c02321b0>] (xilinxfb_of_probe+0x74/0x3d8) from [<c02684a0>] (platform_drv_probe+0x14/0x18)
[<c02684a0>] (platform_drv_probe+0x14/0x18) from [<c0267208>] (driver_probe_device+0x11c/0x324)
[<c0267208>] (driver_probe_device+0x11c/0x324) from [<c02674bc>] (__driver_attach+0x68/0x8c)
[<c02674bc>] (__driver_attach+0x68/0x8c) from [<c02656a8>] (bus_for_each_dev+0x70/0x84)
[<c02656a8>] (bus_for_each_dev+0x70/0x84) from [<c02667f0>] (bus_add_driver+0xfc/0x268)
[<c02667f0>] (bus_add_driver+0xfc/0x268) from [<c0267ab8>] (driver_register+0x9c/0xe0)
[<c0267ab8>] (driver_register+0x9c/0xe0) from [<c00087ac>] (do_one_initcall+0xb8/0x15c)
[<c00087ac>] (do_one_initcall+0xb8/0x15c) from [<c05cfb9c>] (kernel_init_freeable+0x108/0x1cc)
[<c05cfb9c>] (kernel_init_freeable+0x108/0x1cc) from [<c03f1e50>] (kernel_init+0x8/0xe4)
[<c03f1e50>] (kernel_init+0x8/0xe4) from [<c000e5b8>] (ret_from_fork+0x14/0x3c)
---[ end trace ca10809752213256 ]---
DPU:Map vRam to 0x0
DPU:Map iReg to 0xf0200000
DPU:Ver=0x0
Could not allocate frame buffer memory
devDPU: probe of 40000000.ps7-fb failed with error -12
dma-pl330 f8003000.ps7-dma: unable to set the seg size
dma-pl330 f8003000.ps7-dma: Loaded driver for PL330 DMAC-2364208
dma-pl330 f8003000.ps7-dma:     DBUFF-256x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
e0000000.serial: ttyPS0 at MMIO 0xe0000000 (irq = 59, base_baud = 992063) is a xuartps
console [ttyPS0] enabled
xuartps e0001000.serial: failed to get alias id, errno -19
e0001000.serial: ttyPS1 at MMIO 0xe0001000 (irq = 82, base_baud = 992063) is a xuartps
brd: module loaded
loop: module loaded
xspips e0006000.ps7-spi: master is unqueued, this is deprecated
xspips e0006000.ps7-spi: at 0xE0006000 mapped to 0xF005A000, irq=58
libphy: XEMACPS mii bus: probed
xemacps e000b000.ps7-ethernet: pdev->id -1, baseaddr 0xe000b000, irq 54
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ULPI transceiver vendor/product ID 0x0000/0x0000
ULPI integrity check: failed!
xusbps-dr e0002000.ps7-usb: Unable to init USB phy, missing?
ULPI transceiver vendor/product ID 0x0000/0x0000
ULPI integrity check: failed!
xusbps-dr e0003000.ps7-usb: Unable to init USB phy, missing?
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-rx8010sj 0-0032: Unable to write register #23
i2c i2c-0: probing for rx8010 failed
rtc-rx8010sj: probe of 0-0032 failed with error -110
Retry another address of GTP
input: Goodix-TS as /devices/virtual/input/input0
xi2cps e0004000.ps7-i2c: 90 kHz mmio e0004000 irq 57
zynq-edac f8006000.ps7-ddrc: ecc not enabled
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
NAND device: Manufacturer ID: 0x20, Chip ID: 0xaa (ST Micro NAND 256MiB 1,8V 8-bit), 256MiB, page size: 2048, OOB size: 64
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
Bad block table not found for chip 0
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
Bad block table not found for chip 0
Scanning device for bad blocks
pl353_nand_calculate_hwecc status failed
Bad block table written to 0x00000ffe0000, version 0x01
pl353_nand_calculate_hwecc status failed
Bad block table written to 0x00000ffc0000, version 0x01
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
mtd: partition "Sys2" extends beyond the end of device "pl353-nand" -- size truncated to 0x1f00000
0x000010100000-0x000016500000 : "App2"
mtd: partition "App2" is out of reach -- disabled
0x000016500000-0x00001a800000 : "Reserved"
mtd: partition "Reserved" is out of reach -- disabled
0x00001a800000-0x000040000000 : "User"
mtd: partition "User" is out of reach -- disabled
TCP: cubic registered
NET: Registered protocol family 17
Registering SWP/SWPB emulation handler
drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 176K (c05cf000 - c05fb000)
Starting rcS...
++ Mounting filesystem
++ Setting up mdev
++ Starting ftp daemon
rcS Complete
pl353_nand_calculate_hwecc status failed

<snip>

Segmentation fault
mount: mounting /dev/ubi6_0 on /rigol failed: Invalid argument
**********Mount App partition failed.Check Nandflash********
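The partition table near the end of the log explains much of what happens next: the 13 partitions run up to 0x40000000 (1 GiB), while the NAND the Xilinx BSP gives QEMU is 256 MiB, so the kernel truncates Sys2 and disables App2, Reserved and User, which is consistent with the App partition mount failing at the end. As an added example (not code from sparkv's post and not from Rigol), the Python script below reproduces the kernel's own checks on those log lines so that a candidate NAND size can be tested before the QEMU machine is rebuilt; the log lines in it are copied from the boot log above.

```python
"""Check a kernel MTD partition table against the size of the NAND it is on.

Added example, not code from the thread or from Rigol. It parses the
'NAND device: ... 256MiB' line and the '0x...-0x... : "Name"' lines the
kernel prints while creating partitions, then classifies each partition
the way the kernel's mtdpart code does when it adds partitions: fits,
truncated (starts inside the device but ends past it) or out of reach
(starts at or past the end). SAMPLE_LOG is copied from the boot log above.
"""
import re

SAMPLE_LOG = """\
NAND device: Manufacturer ID: 0x20, Chip ID: 0xaa (ST Micro NAND 256MiB 1,8V 8-bit), 256MiB, page size: 2048, OOB size: 64
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
"""

# One partition line: start-end in hex, then the quoted name.
PART_RE = re.compile(r'^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"\s*$', re.M)
# Total size from the 'NAND device:' line (the ', 256MiB, page size' part).
NAND_RE = re.compile(r'^NAND device:.*?, (\d+)MiB, page size', re.M)


def parse_nand_size(log):
    """Return the NAND size in bytes from the 'NAND device:' line, or None."""
    m = NAND_RE.search(log)
    return int(m.group(1)) * 1024 * 1024 if m else None


def parse_partitions(log):
    """Return (name, start, end) tuples in the order the kernel listed them."""
    return [(name, int(s, 16), int(e, 16)) for s, e, name in PART_RE.findall(log)]


def classify(parts, device_size):
    """Mirror the kernel's checks when adding partitions to a master MTD:
    a partition starting at or past the end is disabled ('out of reach'),
    one starting inside but running past the end keeps only what fits
    ('truncated'), anything else is 'ok'. Returns {name: status}."""
    status = {}
    for name, start, end in parts:
        if start >= device_size:
            status[name] = "out of reach"
        elif end > device_size:
            status[name] = "truncated to 0x%x" % (device_size - start)
        else:
            status[name] = "ok"
    return status


def required_device_size(parts):
    """Smallest device on which every partition fits untouched."""
    return max(end for _, _, end in parts)


def report(log):
    """Human-readable summary for one boot log."""
    parts = parse_partitions(log)
    size = parse_nand_size(log)
    lines = ["device size 0x%x, table needs 0x%x" % (size, required_device_size(parts))]
    for name, st in classify(parts, size).items():
        lines.append("%-9s %s" % (name, st))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))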



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: wulfman on January 05, 2019, 03:08:19 pm
Scope arrived yesterday.  :)  Old version of firmware installed but calibrated at the end of December. Seems that everything works as expected.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Swap_File on January 05, 2019, 05:28:16 pm
Scope arrived yesterday.  :)  Old version of firmware installed but calibrated at the end of December. Seems that everything works as expected.

Same here, arrived from tequipment yesterday, currently on 1.1.2.3.  For now I'm keeping the scope on an isolated network, I let it warm up, ran a self cal, looked at some signals, and now am starting to poke around in it. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dren.dk on January 05, 2019, 07:03:40 pm
Does anybody know where the scope stores configuration settings?

I've tried altering stuff like the email configuration and then looked for modified files using: find / -type f -mmin -1 but I did not find any files with interesting content, so it seems there's no simple config file that stores the settings.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skip on January 06, 2019, 12:44:26 am
Scope arrived yesterday.  :)  Old version of firmware installed but calibrated at the end of December. Seems that everything works as expected.

Likewise here. 

Neither the probe calibration signal nor a 1 kHz signal from the function generator (after "hacking" it of course) result in a stable waveform, there's lots of jitter!  This is a bit worrisome, is that expected?

I've been sniffing my scope on an isolated network for 3 hours now and so far the only network traffic was the initial DHCP address assignment.  If it's phoning home it's not doing it very aggressively.

Skip

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Swap_File on January 06, 2019, 01:28:42 am
Seems to be working OK for me, but maybe I haven't tried anything advanced enough yet?  Right now I'm mostly waiting a day for the trial clock to run down.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 06, 2019, 07:32:30 pm
When I tried to get http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx from my browser I got a "Something went wrong."
I've tried it with 3 different serial numbers and it always starts to download the firmware GEL.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skip on January 06, 2019, 07:50:02 pm
When I tried to get http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx from my browser I got a "Something went wrong."
I've tried it with 3 different serial numbers and it always starts to download the firmware GEL.

That's interesting.  I guess I spoofed myself!  I cleared my DNS cache and then I was able to download it once.  Trying again with a bogus SN failed and then I went back to my real SN and it failed again.  I tried clearing my DNS cache again and it didn't help.  Weird.

Did you try a bogus serial number?

Skip
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skip on January 06, 2019, 07:54:06 pm
On topic first:

I've set up a DNS spoofer and captured what happens when I try to do an "online upgrade".  After a DNS lookup of www.rigol.com the scope does a regular HTTP (not HTTPS) GET of "/Support/ProductUpgradeFile?sn=MS5xxxxxxxxxx&hardware=1.0&behaviour=soft&software=00.01.01.02.03 HTTP/1.1". 

This returns an xml file that looks like this:
<?xml version="1.0" encoding="utf-8"?>
<meta>
  <firmware>
    <series>MSO5000</series>
    <version>00.01.01.02.03</version>
    <url>http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx</url>
    <comment_cn>2.3????</comment_cn>
    <comment_en>2.3formalverison</comment_en>
    <filesize>66.78MB</filesize>
  </firmware>
</meta>

When I tried to get http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx from my browser I got a "Something went wrong.
The page you requested does not exist, or the page has an error" error in Chinese.

Now offtopic:

The jitter is most apparent when you set the memory depth to 1k, you can just see it at 10k and it goes away at longer memory settings.  A screen shot is attached... (or inline??  How do you insert inline if this doesn't work??)

Skip
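An added example (not Rigol's code and not skip's): a small Python decoder for the request and reply quoted above. It extracts the fields the scope identifies itself with, compares the installed version with the offered one, and records that the package URL is plain http and that the metadata carries no digest, which is the property that lets a DNS answer alone steer the download; the request and reply are copied from the post, with the serial number masked as there. The digest tag names it looks for are guesses, since the captured reply contains none.

```python
"""Decode the MSO5000 online-upgrade exchange quoted in the post.

Added example, not Rigol's code and not from the thread. It parses the
query string the scope sends to /Support/ProductUpgradeFile and the <meta>
XML the server returns, compares installed and offered versions, and notes
what the exchange does and does not authenticate. SAMPLE_REQUEST and
SAMPLE_RESPONSE are copied from the post (serial number masked as there);
the comment_cn text is the mojibake as shown on the page.
"""
from urllib.parse import urlsplit, parse_qs
import xml.etree.ElementTree as ET

SAMPLE_REQUEST = ("/Support/ProductUpgradeFile?sn=MS5xxxxxxxxxx"
                  "&hardware=1.0&behaviour=soft&software=00.01.01.02.03")

SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<meta>
  <firmware>
    <series>MSO5000</series>
    <version>00.01.01.02.03</version>
    <url>http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx</url>
    <comment_cn>2.3????</comment_cn>
    <comment_en>2.3formalverison</comment_en>
    <filesize>66.78MB</filesize>
  </firmware>
</meta>
"""

# Hypothetical element names a reply could use for package integrity.
# None of them appear in the captured reply above.
DIGEST_TAGS = ("sha1", "sha256", "md5", "signature")


def parse_request(path_and_query):
    """Fields the scope sends: sn, hardware, behaviour, software."""
    query = urlsplit(path_and_query).query
    return {k: v[0] for k, v in parse_qs(query).items()}


def parse_response(xml_text):
    """Children of <firmware> as a dict of tag -> text."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    fw = root.find("firmware")
    if fw is None:
        raise ValueError("no <firmware> element in reply")
    return {child.tag: (child.text or "").strip() for child in fw}


def version_tuple(version):
    """'00.01.01.02.03' -> (0, 1, 1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess(request, xml_text):
    """Summarise one captured exchange and list what it fails to authenticate."""
    req = parse_request(request)
    fw = parse_response(xml_text)
    installed = version_tuple(req["software"])
    offered = version_tuple(fw["version"])
    url = urlsplit(fw["url"])
    findings = []
    if url.scheme != "https":
        findings.append("package URL is %s: neither the server nor the package "
                        "is authenticated" % url.scheme)
    if not any(tag in fw for tag in DIGEST_TAGS):
        findings.append("metadata carries no digest or signature for the package")
    return {
        "serial": req["sn"],
        "series": fw["series"],
        "installed": req["software"],
        "offered": fw["version"],
        "update_available": offered > installed,
        "package_host": url.hostname,
        "scheme": url.scheme,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print("%-17s %s" % (key, value))
```

In the captured exchange the `software=` value in the request equals the `<version>` in the reply, so the scope was already on the offered release; the two findings are the reason several posters keep the scope on an isolated network until they decide to update.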
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 06, 2019, 08:01:21 pm
Did you try a bogus serial number?
I've tried some and they didn't work and led to the error page. But I've captured an upload from the scope to the server.

http://www.rigol.com/up.aspx?act=up&filename=MS5A204700xxx.dat

The "file" contained the scope's type and the current firmware, nothing else. Maybe it needs to register itself before it can download a firmware? I didn't have the time to repeat the tests to see if these uploads happen regularly.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FriedMule on January 07, 2019, 12:30:14 am
So if I bought a Rigol MSO5000 next week, can it then be hacked?
Sorry I am asking, it's because I am a noob and all those 22 pages of information and comments confuse me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 07, 2019, 12:32:48 am
So if I bought a Rigol MSO5000 next week, can it then be hacked?
Sorry I am asking, it's because I am a noob and all those 22 pages of information and comments confuse me.

Right now yes it can have all the options and 350MHz bandwidth enabled.

After the next software upgrade... who knows.

Watch this space.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FriedMule on January 07, 2019, 12:37:46 am
Thanks for your very fast answer!! :-)
Is there anything that I should think about, except for the guarantee being void?
I mean before jumping out and buying.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 07, 2019, 12:51:23 am
Thanks for your very fast answer!! :-)
Is there anything that I should think about, except for the guarantee being void?
I mean before jumping out and buying.

You won't void the warranty unless you do something crazy stupid.

There is the very real risk that in future software updates all the 'bonus' features will disappear. Only you can decide if you want to take that risk.

A better place to discuss this is:
https://www.eevblog.com/forum/blog/new-rigol-scope/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 07, 2019, 07:13:37 am
Does anybody know where the scope stores configuration settings?

I've tried altering stuff like the email configuration and then looked for modified files using: find / -type f -mmin -1 but I did not find any files with interesting content, so it seems there's no simple config file that stores the settings.

There are two 16 MB QSPI flashes and an 8 KB I2C FRAM EEPROM. There are likely some (unique) configuration options in one of these.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 07, 2019, 08:16:29 am


There is the very real risk that in future software updates all the 'bonus' features will disappear. Only you can decide if you want to take that risk.


For about 24-48 hours while rigolhack does its work no doubt.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 11:32:12 am
So if I bought a Rigol MSO5000 next week, can it then be hacked?
Sorry I am asking, it's because I am a noob and all those 22 pages of information and comments confuse me.

Don't worry, people are still asking this about the DS1054Z.

Answer: Yes!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 11:35:33 am
There is the very real risk that in future software updates all the 'bonus' features will disappear. Only you can decide if you want to take that risk.

We now know so much about the MSO5000 that whatever Rigol does will be re-hacked in a few hours.

(and nobody is *forcing* you to install updates)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 07, 2019, 11:39:04 am
These annoying bugs will force you to install further updates.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 11:44:52 am
These annoying bugs will force you to install further updates.

The trick is not to install them two seconds after they're released.

Wait a few days until other people have done it.  :popcorn:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 07, 2019, 11:50:13 am
These annoying bugs will force you to install further updates.

Have you relocated from China to the USA rgwan?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 07, 2019, 02:11:20 pm
We now know so much about the MSO5000 that whatever Rigol does will be re-hacked in a few hours.

(and nobody is *forcing* you to install updates)

And future-proof solutions already exist...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 02:23:58 pm
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IOT malware scanners.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 07, 2019, 06:28:06 pm
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IOT malware scanners.

I had an interesting chat ( face to face ) with another eevblog member last week ( who is well known and respected ) about the entire Rigol thing.     He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly. Not surprisingly, so many 'devices' these days that are network attached are just so insecure. The IoT will be the finish of us all!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 08:04:50 pm
He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (e.g. the DS1074Z Plus: https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/4303/)

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site (https://www.xilinx.com/support/documentation/application_notes/xapp1175_zynq_secure_boot.pdf).

Whatever the reasons are, it's not incompetence.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 07, 2019, 09:31:04 pm
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IOT malware scanners.

I had an interesting chat ( face to face ) with another eevblog member last week ( who is well known and respected ) about the entire Rigol thing.     He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly. Not surprisingly, so many 'devices' these days that are network attached are just so insecure. The IoT will be the finish of us all!

I tend to agree; though with the DS1054 and its predecessor I would have thought maybe they did it on purpose, as has been speculated for years now. But I have seen their firmware up close for the MSO5000 now, and what I see makes me cry horribly.
and
He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (e.g. the DS1074Z Plus: https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/4303/)

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site (https://www.xilinx.com/support/documentation/application_notes/xapp1175_zynq_secure_boot.pdf).

Whatever the reasons are, it's not incompetence.
I beg to differ.
So maybe they have a mandate to make it easily hackable. Sure, I won't deny that.

But secure boot is hard and expensive. Getting the fuses set is something (I guess) that will have to be done by Xilinx in the factory, which is an extra service, not cheap.

Understanding how it all works and comes together is also not for the faint of heart. So if you are 'basically skilled', this will be daunting. Also, they very likely started from a devkit (which doesn't come with the fuses set for obvious reasons) and designed the scope around that as a reference. Halfway down the development train, secure boot is long forgotten and you are just busy getting the damn thing to work reliably. Once you are that far, you'll be thinking twice before making a major change like that (then again, if you are incompetent, you easily would do that ;) ...)

Finally, they started development around 2013, based on all the sources I've seen so far. Back then: a) you really had to know what you were looking at/for and b) I'm sure hacking was not their main issue while doing the bring-up of the whole system. These are engineers, they care about a working system.

Again, this is just my 2 cents worth of speculation based on the extremely poor quality of software.

P.S. I wonder if these old libraries they are using won't have quite a few (remote) exploits lingering. 3.12 wasn't an LTS, was it? Let alone in their application (appEntry) which runs as root and does have remote access (via lighthttp and rpc).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 08, 2019, 01:52:37 am
These annoying bugs will force you to install further updates.

The trick is not to install them two seconds after they're released.

Wait a few days until other people have done it.  :popcorn:

In fact, Rigol actually have some solution to counterattack, Zynq itself has some security features, and I believe there are some hidden features (reverse engineering work by myself) in their ASICs as well. If they want to do some proper anti-hacking solution, it will be harder to hack. Btw, Rigol is a big customer of Xilinx, so...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 08, 2019, 02:06:21 am
He (and I) remain unconvinced that Rigol are deliberately making their devices 'hackable'. It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (eg. the DS1074Z Plus (https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/4303/))

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site (https://www.xilinx.com/support/documentation/application_notes/xapp1175_zynq_secure_boot.pdf).

Whatever the reasons are, it's not incompetence.

From some information I got from Rigol's distributor, it is not true at all. They actually want to completely block these holes away. So, watch out guys.

Btw, the unofficial new firmware claims that it was released on 9 November 2018. We started our reverse engineering at about 15 November 2018. I believe that the changed password is not related to hacking, but I think in the next firmware they will totally disable the SSH.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on January 08, 2019, 04:10:56 am
But secure-boot is hard and expensive. Getting the fuses set is something (I guess) will have to be done by xilinx in the factory, which is an extra service, not cheap.
This is BS. No extra service is needed, everything can be done via JTAG just like regular programming/configuration.

Understanding how it all works and comes together, is also; not for the faint of heart.
Reading documentation is all it takes. But even if we suppose they are somehow too stupid to figure it out (yet somehow manage a several orders of magnitude more complicated task of designing an actual system in FPGAs), they could always enlist Xilinx FE to help them out.
I suggest you stop projecting. They clearly can read documentation, and I'm 99,(9)% sure they leave devices open on purpose.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 08, 2019, 06:55:50 am
But secure-boot is hard and expensive. Getting the fuses set is something (I guess) will have to be done by xilinx in the factory, which is an extra service, not cheap.
This is BS. No extra service is needed, everything can be done via JTAG just like regular programming/configuration.
There, there, no need to be cross.

But please let's remain civilized. For one, enabling the feature via the fuse is easy, sure yes. But I cannot find any indication in the manual about the secure vault (other than the graph) where the _private_ key is stored. Or how to set it. I'll agree I have not studied the manual in depth of course.

Now I know how this works a little on Texas Instruments HS parts (High Secure) and there it's simple. Encryption is a chain of trust, and TI says 'we will program the keys securely, nobody else has access to the keys, but you need to trust us'. Trusting some factory floor employee not to leak the key is of course, a risk.

So I would assume it works the same way here. But sure, maybe a user can program the fuses for the RSA key themselves, or maybe they can store the key in Battery Backed RAM themselves. Surely possible.

Just one problem I can imagine: if the user can burn the RSA key fuses themselves, what stops you from burning ALL key fuses, effectively turning the fuse into 0xfffffff? Or worse, use JTAG to read back the fuses? So again, it would surprise me that a user (developer) gets to write into the actual vault, and I would imagine this to be left to Xilinx only. Just like you do not have any access whatsoever to the BootROM (access is disabled after execution).

But please do point me to the page where they have this information; I'd love to read up on it, I do.

Understanding how it all works and comes together, is also; not for the faint of heart.
Reading documentation is all it takes. But even if we suppose they are somehow too stupid to figure it out (yet somehow manage a several orders of magnitude more complicated task of designing an actual system in FPGAs), they could always enlist Xilinx FE to help them out.
I suggest you stop projecting. They clearly can read documentation, and I'm 99,(9)% sure they leave devices open on purpose.
Different task, different people, different skill. They are a _hardware_ company, and while *I* feel that VHDL/Verilog programming is just a different skill of programming; it tends to be done by EE's. As such bringing up a secure linux with UI is not their problem.
But sure, this is only projecting and suggesting, I never claimed otherwise. But since you have inside details; please do share more. We can all learn from that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Daixiwen on January 08, 2019, 07:36:40 am
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on January 08, 2019, 09:09:48 am
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
I think it boils down to the Chinese mentality of making a product just good enough to ship.
Security is a very complex issue, and needs some imaginative thinking (something that is very rare in China due to the educational system), to consider and pre-empt possible entry points.
You can put the best lock in the world on the front door but that's no good if you can open a window with a screwdriver.
FPGA systems and tools are very complex, and so is Linux, and the designers need to have a far better grasp on it all to make it secure, than they do to ship a working product.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 08, 2019, 09:12:44 am
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
Of course; but the work I see is extremely sloppy and lazy and very unexperienced. Even if it is an engineer who does not dare to push back to the manager; There's quality, and there's ... well this :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 08, 2019, 09:15:17 am
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
I think it boils down to the Chinese mentality of making a product just good enough to ship.
Security is a very complex issue, and needs some imaginative thinking (something that is very rare in China due to the educational system), to consider and pre-empt possible entry points.
You can put the best lock in the world on the front door but that's no good if you can open a window with a screwdriver.
FPGA systems and tools are very complex, and so is Linux, and the designers need to have a far better grasp on it all to make it secure, than they do to ship a working product.

"working" being defined as mostly working with a few 'quirks'  :-)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 08, 2019, 11:32:49 am
I'm sure Rigol does as best as it can, and as time permits.

We must not forget that this is a tough market, and time to market is essential. If the product gains traction, they can later try to solve the problems but putting the system on the street must be one of their primary goals.

Sales can later compensate the investment needed to pay for the correction of the flaws.

So, stop bashing Rigol people. Let them do their job and we'll continue to do our explorations.

Now, let's go back on topic:

The system is already broken and, in my opinion, beyond repair. Licensing it is perfectly possible.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sparkv on January 08, 2019, 11:33:42 am
Maybe I misunderstood the topic of this thread. I thought we were trying to hack the MSO5000, not advise Rigol on how to make it unhackable

:-DD
Code:
Firmware 01.01.03.05 Patch Notes:
- Incorporated all security features/approaches discussed on eevblog forums (thnx u)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on January 08, 2019, 11:55:46 am
Maybe I misunderstood the topic of this thread. I thought we were trying to hack the MSO5000, not advise Rigol on how to make it unhackable

:-DD
Code:
Firmware 01.01.03.05 Patch Notes:
- Incorporated all security features/approaches discussed on eevblog forums (thnx u)
EEVBLOG hacker's motto: No challenge, no fun
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 08, 2019, 11:56:33 am
Somebody asked me to post a photo of my 'system information' screen.

Here it is:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 08, 2019, 12:09:00 pm
Somebody asked me to post a photo of my 'system information' screen.

Were you a beta tester???   :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 08, 2019, 12:18:56 pm
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.

I totally agree with you, but the risk still exists: Considering Rigol is a big customer of Xilinx, they maybe want official support from Xilinx FAE. If they choose to do this, things will be getting worse...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 08, 2019, 12:21:49 pm
Somebody asked me to post a photo of my 'system information' screen.

Were you a beta tester???   :-DD

I built it from kit form, after it had been totally dismantled and various IC's removed for 'QC' inspection  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 08, 2019, 08:56:47 pm
Back on page 10 was it? Vtech made an excellent post finding out a lot of the cool chips with Dave's video.

I figured, we need a pic and some more text to go with that. But not any ole' pic. I took the front and back pictures from Dave's teardown, and overlaid them. Then made the bottom 50% transparent, allowing us to see a little bit more of what's going on :)

(https://gitlab.com/riglol/rigolee/wikis/uploads/df3fe65327a9cded968c152d7fc4928a/pcb_back_and_front.png)

For more information (what the colors mean etc) see https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown (https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown)

Edit: Also did the keyboard (https://gitlab.com/riglol/rigolee/wikis/uploads/3f80bbb74ead65cf2253c92fd995745a/keyboard_back_and_front.png)

For more information see https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown (https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: helmy on January 09, 2019, 09:55:05 am
Did anyone try to make their own (PLA2216) logic probe for cheap, considering it is priced at $400!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 09, 2019, 09:58:19 am
Did anyone try to make their own (PLA2216) logic probe for cheap, considering it is priced at $400!

https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/ (https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on January 09, 2019, 09:58:25 am
Did anyone try to make their own (PLA2216) logic probe for cheap, considering it is priced at $400!
Should be easy enough as it's just a bunch of ECL comparators.  Probably just a matter of time before they show up on Aliexpress
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 09, 2019, 12:35:04 pm
What does this image show?

(It's a MSO5000 capture, with a 50-ohm termination.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thomil on January 09, 2019, 12:45:04 pm
What does this image show?

350ps fall time? 1GHz bandwidth?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 09, 2019, 12:51:54 pm
What does this image show?

350ps fall time? 1GHz bandwidth?

It's displaying a pulse that's approx. 1ns.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: johnmx on January 09, 2019, 01:23:24 pm
What does this image show?
What is your signal source?
It would be interesting to see the same response using a 50 Ohm terminator at the scope input.
E.g. something like this may prevent oscillations at higher frequencies:
https://www.picotech.com/accessories/bnc-terminators-leads/50r-terminator-bnc (https://www.picotech.com/accessories/bnc-terminators-leads/50r-terminator-bnc)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 09, 2019, 03:42:14 pm
It's a transistor catching fire?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 09, 2019, 04:19:12 pm
It's a transistor catching fire?

We are almost OT but I would like to see if you guys confirm that this can be used as proof of the claims that were made a few weeks ago...

BTW, Fungus, can you recreate this with your (any) scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: imo on January 09, 2019, 04:21:41 pm
The rise time is important with that test, afaik.
BW=350/0.44=795MHz
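The rise-time rule of thumb imo applies above, worked through on a sampled edge. This is an added example, not code posted by anyone in the thread: it measures the 10%-90% rise time of a captured edge, removes the pulser's own rise time by root-sum-square (the displayed edge is the source edge combined with the scope response), and converts the remainder to bandwidth. The edge, sample period and pulser rise time are all constructed/assumed values, not an MSO5000 capture.

```python
"""Derive oscilloscope bandwidth from a captured fast edge (added example)."""
import math


def rise_time_10_90(samples, dt):
    """Return the 10%-90% rise time of one rising edge.

    `samples` are voltages at a fixed sample period `dt` (seconds); the
    10% and 90% crossings are located by linear interpolation between samples.
    """
    lo, hi = min(samples), max(samples)
    v10 = lo + 0.1 * (hi - lo)
    v90 = lo + 0.9 * (hi - lo)

    def crossing(level):
        for i in range(1, len(samples)):
            a, b = samples[i - 1], samples[i]
            if a < level <= b:
                return (i - 1 + (level - a) / (b - a)) * dt
        raise ValueError("edge never crosses %.3g V" % level)

    return crossing(v90) - crossing(v10)


def bandwidth_from_rise_time(t_rise, k=0.35):
    """Rule-of-thumb -3 dB bandwidth, BW = k / t_rise.

    k = 0.35 fits a Gaussian response (the figure used in the thread);
    scopes with a flat, brick-wall response sit closer to k = 0.40..0.45.
    """
    return k / t_rise


def scope_rise_time(t_measured, t_source):
    """Remove the pulser's own rise time: t_meas^2 = t_src^2 + t_scope^2."""
    if t_measured <= t_source:
        raise ValueError("measured edge is not slower than the source edge")
    return math.sqrt(t_measured ** 2 - t_source ** 2)


def constructed_edge(tau, dt, n):
    """Constructed test signal: a 1 V step through a single-pole response,
    v(t) = 1 - exp(-t/tau), whose exact 10%-90% rise time is tau * ln(9)."""
    return [1.0 - math.exp(-i * dt / tau) for i in range(n)]


def estimate_bandwidth(samples, dt, t_source):
    """Full chain: measured rise time -> scope-only rise time -> bandwidth."""
    t_meas = rise_time_10_90(samples, dt)
    t_scope = scope_rise_time(t_meas, t_source)
    return t_meas, t_scope, bandwidth_from_rise_time(t_scope)


if __name__ == "__main__":
    DT = 125e-12        # assumed sample period (8 GSa/s)
    T_SOURCE = 100e-12  # assumed avalanche pulser rise time
    # tau chosen so the constructed edge has a 440 ps rise time, as in the post
    edge = constructed_edge(tau=0.44e-9 / math.log(9), dt=DT, n=48)
    t_meas, t_scope, bw = estimate_bandwidth(edge, DT, T_SOURCE)
    print("measured rise time  : %.0f ps" % (t_meas * 1e12))
    print("scope-only rise time: %.0f ps" % (t_scope * 1e12))
    print("estimated bandwidth : %.0f MHz" % (bw / 1e6))
```

With a 100 ps source edge the corrected figure lands a little above the raw 0.35/0.44 ns value, which is the direction the correction always goes: ignoring the pulser's rise time underestimates the scope.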
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 09, 2019, 05:44:57 pm
It's a transistor catching fire?

We are almost OT but I would like to see if you guys confirm that this can be used as proof of the claims that were made a few weeks ago...

BTW, Fungus, can you recreate this with your (any) scope?

I haven't got a 90V DC supply. Mine only goes up to 30V.

(I assume that applying 90V to that transistor is bad, hence my comment)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on January 09, 2019, 06:27:38 pm
Fungus, search for "Avalanche Pulser" and then you will know what it is.
And that 90V is OK for an Avalanche Transistor...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TurboTom on January 09, 2019, 06:59:39 pm
Btw, that resistance in series with the power supply is MegOhm, not milliOhm as the schematic may suggest...  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: johnmx on January 09, 2019, 07:08:22 pm
I wonder if the oscillations are from the circuit itself instead of the impedance mismatch of the scope input stage
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on January 09, 2019, 07:15:16 pm
Fungus, search for "Avalanche Pulser" and then you will know what it is.
And that 90V is OK for an Avalanche Transistor...

http://www.eevblog.com/2012/07/06/eevblog-306-jim-williams-pulse-generator/ (http://www.eevblog.com/2012/07/06/eevblog-306-jim-williams-pulse-generator/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 10, 2019, 05:54:11 am
It's a transistor catching fire?

We are almost OT but I would like to see if you guys confirm that this can be used as proof of the claims that were made a few weeks ago...

BTW, Fungus, can you recreate this with your (any) scope?

The frontend of this scope has very poor S11 performance, measured by KC901 VNA. Although we added a 50-ohm terminator to its input, S11 curve above 350MHz still looks terrible. We have swept this scope by HP 8657 generator, usable bandwidth is around 380MHz. Maybe the internal match network on AFE's output line limited the bandwidth and the input circuit isn't capable of high-frequency usage (because of such high S11).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on January 10, 2019, 06:02:18 am
Did you calibrate the KC901V to remove the cable effects?
Have you checked the return loss of the terminator itself?
Can you run it with a lower max frequency as anything above 500 MHz/ 1 GHz is likely meaningless.

Lastly many scopes 50 ohm inputs are only rated to have an SWR of 1.5:1 or better - that is only 14 dB of return loss.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 10, 2019, 06:20:07 am
Did you calibrate the KC901V to remove the cable effects?
Have you checked the return loss of the terminator itself?
Can you run it with a lower max frequency as anything above 500 MHz/ 1 GHz is likely meaningless.

Lastly many scopes 50 ohm inputs are only rated to have an SWR of 1.5:1 or better - that is only 14 dB of return loss.

1. Yes.
2. Of course.
3. I have done it, it doesn't look good... Almost the same result as this. Below 350MHz it is fine though, but in 350MHz-1GHz, if you don't do some hardware modification, it is not as good as the calculated bandwidth from the pulse response result shown by tv84. I have returned home for winter vacation, so for about 1 month or so I can't do any measurement on this scope (because I don't have equipment to measure at home) ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on January 10, 2019, 06:41:40 am
I don't think you're seeing any problem with the scope, it is just the nature of trying to use a 50 ohm feed through connected to the 1 meg-ohm input of a scope. A scope with a 50 ohm internal path is optimized for such things. Using a feed-through will only match a proper 50 ohm input at very low frequencies.
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 10, 2019, 07:24:27 am
I don't think you're seeing any problem with the scope, it is just the nature of trying to use a 50 ohm feed through connected to the 1 meg-ohm input of a scope. A scope with a 50 ohm internal path is optimized for such things. Using a feed-through will only match a proper 50 ohm input at very low frequencies.
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.

I mean this scope is not designed for testing signals above 350MHz. It just doesn't perform well and maybe it needs some hardware modification to make use of the high sample rate.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 10, 2019, 08:03:25 am
I don't think you're seeing any problem with the scope, it is just the nature of trying to use a 50 ohm feed through connected to the 1 meg-ohm input of a scope. A scope with a 50 ohm internal path is optimized for such things. Using a feed-through will only match a proper 50 ohm input at very low frequencies.
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.

I mean this scope is not designed for testing signals above 350MHz. It just doesn't perform well and maybe it needs some hardware modification to make use of the high sample rate.

You cannot just hack it.. For higher frequencies you need to use a 50 Ohm path, and that has to exist in the scope from input connector to A/D converter. It has to be a controlled impedance layout.
Basically, it has to exist as a separate part of the PCB made for just that purpose, and that is just not there on the MSO5000 board.

Chipset and front end chip in MSO7000 and MSO5000 are identical and capable of the same bandwidth (the frontend chipset is capable of a few GHz actually). It's just that your signal from the input BNC cannot get to it without being destroyed.
For a scope of this class it is more important that it has good 300 MHz with good signal integrity (which is a miracle itself), than hacking it to 1GHz with a distorted signal. You get a worse scope actually, and much more noise...


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 10, 2019, 08:11:59 am
I don't think you're seeing any problem with the scope, it is just the nature of trying to use a 50 ohm feed through connected to the 1 meg-ohm input of a scope. A scope with a 50 ohm internal path is optimized for such things. Using a feed-through will only match a proper 50 ohm input at very low frequencies.
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.

I mean this scope is not designed for testing signals above 350MHz. It just doesn't perform well and maybe it needs some hardware modification to make use of the high sample rate.

You cannot just hack it.. For higher frequencies you need to use a 50 Ohm path, and that has to exist in the scope from input connector to A/D converter. It has to be a controlled impedance layout.
Basically, it has to exist as a separate part of the PCB made for just that purpose, and that is just not there on the MSO5000 board.

Chipset and front end chip in MSO7000 and MSO5000 are identical and capable of the same bandwidth (the frontend chipset is capable of a few GHz actually). It's just that your signal from the input BNC cannot get to it without being destroyed.
For a scope of this class it is more important that it has good 300 MHz with good signal integrity (which is a miracle itself), than hacking it to 1GHz with a distorted signal. You get a worse scope actually, and much more noise...

Yes, that is actually what I mean. To make use of the high sample rate isn't easy.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on January 10, 2019, 08:31:19 am
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.

Can you explain why above 800MHz the feedthrough + scope seems better than the feedthrough alone? Is the feedthrough not made for frequencies above 500MHz or something like that?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on January 10, 2019, 08:42:28 am
I don't want to get too far off topic but to answer the question the feed-through is a very cheap model from banggood(7 dollars for two shipped). I wouldn't expect  decent performance past 500 MHz.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on January 10, 2019, 03:32:04 pm
Slightly off topic.  TEquipment has 2 MSO5074 in stock.  It was 3 before I bought one   :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 10, 2019, 11:05:18 pm
Slightly off topic.  TEquipment has 2 MSO5074 in stock.  It was 3 before I bought one   :P
wtf? I bought one and got my delivery bumped back and forth
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on January 11, 2019, 02:11:54 am
wtf? I bought one and got my delivery bumped back and forth
Yeah my confirmation e-mail indicates a shipping date of the 15th.  I suspect shenanigans
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 11, 2019, 05:36:56 am
so they have enough time to install new firmware perhaps??
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: diegogmx on January 11, 2019, 07:25:24 am
wtf? I bought one and got my delivery bumped back and forth
Yeah my confirmation e-mail indicates a shipping date of the 15th.  I suspect shenanigans

it seems there are many of us in that situation, they told me they have a backlog of orders, which is to be expected i guess
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 11, 2019, 04:59:40 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

I ordered the mso5074 after reading about the "hack" on hackaday. Received it an hour ago, but can't log in over the LAN interface & SSH...

Thought maybe the update is only available via online connection to the scope, so took it home and connected LAN...
No, no firmware available.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 11, 2019, 05:33:54 pm
Chipset and front end chip in MSO7000 and MSO5000 are identical and capable of the same bandwidth (the frontend chipset is capable of a few GHz actually). It's just that your signal from the input BNC cannot get to it without being destroyed.
For a scope of this class it is more important that it has good 300 MHz with good signal integrity (which is a miracle itself), than hacking it to 1GHz with a distorted signal. You get a worse scope actually, and much more noise...

By looking at these FW strings (in the current models):
600MHz to 1GHz Bandwidth Upgrade Option
600MHz to 2GHz Bandwidth Upgrade Option
1GHz to 2GHz Bandwidth Upgrade Option

I would imagine that ds8000 (or ds9000) could be available in 600MHz or 1GHz base, with options to upgrade to 2GHz.

Let's hope that with another PCB as you say.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 11, 2019, 07:33:09 pm
Chipset and front end chip in MSO7000 and MSO5000 are identical and capable of the same bandwidth (the frontend chipset is capable of a few GHz actually). It's just that your signal from the input BNC cannot get to it without being destroyed.
For a scope of this class it is more important that it has good 300 MHz with good signal integrity (which is a miracle itself), than hacking it to 1GHz with a distorted signal. You get a worse scope actually, and much more noise...

By looking at these FW strings (in the current models):
600MHz to 1GHz Bandwidth Upgrade Option
600MHz to 2GHz Bandwidth Upgrade Option
1GHz to 2GHz Bandwidth Upgrade Option

I would imagine that ds8000 (or ds9000) could be available in 600MHz or 1GHz base, with options to upgrade to 2GHz.

Let's hope that with another PCB as you say.

No need for speculation. 8000 is up to 2GHz model.
9000 is yet to be released up to 4GHz model.
Spoke with Rigol on Electronica. 8000 was there, looks pretty much like black 7000....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hansibull on January 11, 2019, 07:51:09 pm

No need for speculation. 8000 is up to 2GHz model.
9000 is yet to be released up to 4GHz model.
Spoke with Rigol on Electronica. 8000 was there, looks pretty much like black 7000....

There were no DS/MSO8000 at the Electronica fair? IIRC the RSA5000 was the only black instrument at the Rigol stand apart from the MSO5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pascal_sweden on January 11, 2019, 08:07:18 pm
I don't like these 45 degree corners at all, which they obviously have adopted from the R&S RTB2000 series.

Corner design of R&S RTB2000 series:
https://www.rohde-schwarz.com/us/product/rtb2000-productstartpage_63493-266306.html (https://www.rohde-schwarz.com/us/product/rtb2000-productstartpage_63493-266306.html)

Corner design of Rigol MSO5000 series:
https://www.rigol.eu/products/digital-oscilloscopes/MSO5000/ (https://www.rigol.eu/products/digital-oscilloscopes/MSO5000/)

Moreover the display seems not very bright and clear at all, plus the glossy level is way too much.


If anyone from Rigol USA is reading this:

1) Please don't use these 45 degree corners in future series!
These 45 degree corners are very ugly! It looks like Zorro was here with his sword to cut these corners in a swing! What's the point of this in the first place?

2) Also improve the display brightness and clarity!
Reduce the gloss or remove it completely, as your oscilloscopes are Test&Measurement instruments for engineers and not Beauty Mirrors for women :)
As Dave Jones pointed out already in his review: The entry level DS1054Z series seems to have a better display than the MSO5000 series. How come? Did you change display vendor?

Don't adopt weird designs from the industry. Innovate with your own designs.
Don't try to be the "Apple-R&S" look-alike! :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 11, 2019, 08:13:27 pm
As Dave Jones pointed out already in his review: The entry level DS1054Z series seems to have a better display than the MSO5000 series. How come? Did you change display vendor?

One is a touch screen. Matte touch screens show all the fingerprints much more.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 0xdeadbeef on January 11, 2019, 08:23:18 pm
One is a touch screen. Matte touch screens show all the fingerprints much more.
Actually, it's quite the opposite. I always use a matte screen protector on my smartphones and fingerprints are much less visible there compared to a glossy screen.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 11, 2019, 08:24:40 pm

No need for speculation. 8000 is up to 2GHz model.
9000 is yet to be released up to 4GHz model.
Spoke with Rigol on Electronica. 8000 was there, looks pretty much like black 7000....

There where no DS/MSO8000 on the Electronica fair? IIRC the RSA5000 was the only black instrument at the Rigol stand apart from the MSO5000.
I was there on Friday, last day.. I might have been mistaken, it was a long day..
There was 7000 (beige) and small (5000) and bigger black scope with active probe interface. Looked exactly like 7000 just black.
It was on a desk in the back near the booth wall.
I didn't take photo but here it is on Rigol photo:


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on January 11, 2019, 11:08:00 pm
Hm, if they are building a unified bsp for all MSO series together it can be a problem for us in the future...
I think they will put much more effort in securing their high end MSO than now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on January 11, 2019, 11:08:57 pm
Let's hope not. I'm going to wait until an updated firmware drops to see if everything is still open, if so I'll buy one.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on January 12, 2019, 01:28:17 am
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

Thought maybe the update is only available via an online connection from the scope, so took it home and connected LAN...
No, no firmware available.

I think Quix went and cracked the hash didn't he? Was real tiny. Edit: Did it in about 20 mins on some really old GPU hardware w/ hashcat.

As far as firmwares,  I thought I saw someone DL one from Rigol to tweak/dismantle, but it was the original 1.2.3 correct? Guess it seems they haven't put the new one up for us.
I was admittedly a little worried about auto-update surprises in the beginning. Or the scope phoning home to rat you out...

I know for licenses they use a website key entry followed by DL a license file (that's basically your key in a .lic). The work 7k's got the free xmas decodes bundle.

Granted, given the unfettered access we have now and the number of people playing with IDA and the firmware, I doubt Rigol will be able to keep us out consistently. Money better spent making corporate customers happy and bug fixing.


For reference/dating purposes, my 5074 showed up from TEquipment last Monday the 7th. Came with 1.2.3

Box appeared unopened and appears drop shipped the moment they got it in their West Coast warehouse.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on January 12, 2019, 11:36:22 pm
I recently had a need to use the UART interface on an MSO5074 and found this to be a challenging exercise.
There were two issues:-
1.   The data out of the MSO5074 was corrupted from time to time.
2.   There was no response to commands sent to the unit.

The corrupted data out of the MSO5074 was found to be caused by varying widths of the Low going data bits in the serial data stream.
At 115200 bits/sec, the nominal bit width is 8.68us.  Some of the Low going bits from the UART interface were down to 3us width.
The over all packet timing was correct, just the width of the low going bits varied.
So depending on when the receiving equipment clocks the data in, it may see either a "0" or "1"

This was solved by feeding the data through an external Pulse stretching circuit to set the minimum bit width correctly.

The second issue of no response to commands was tracked down to an open circuit on the PCB trace from the UART interface connection point.
The Data IN to the MSO5074 goes via a series resistor. This resistor had been left off the circuit board.
Since the resistor is mounted on the back of the board, this meant completely dismantling the unit to bridge the gap on the trace.

After solving these issues, using the UART interface to talk to the MSO5074 was straight forward.
I found that U-Boot can be easily interrupted by holding a keyboard key down from when the MSO5074 is powered ON.

**  Edit.  Added Pulse stretching Circuit. **
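As an added illustration of the bit-width fault described in the post above (example code written for this page, not the poster's circuit and not anything from the scope), the model below generates one 8N1 frame at 115200 baud, shortens every low bit to a chosen width, and shows that an idealised receiver sampling at the bit centre reads the narrow lows as ones while a receiver sampling earlier in the bit still reads them correctly. A software model of a minimum-low-width stretcher (falling edge starts a hold timer) is then applied and the frame decodes again. The receiver model, the 0.01 us resolution and the 8 us minimum width are assumptions for the demonstration.

```python
"""Model of a UART line whose low bits are driven low for less than a
full bit period, the fault reported on the MSO5074 UART, and of an
external pulse stretcher that sets a minimum low width.
Added example; constructed waveform, idealised receiver."""

BAUD = 115200
BIT_US = 1e6 / BAUD      # nominal bit period, about 8.68 us
STEP_US = 0.01           # simulation resolution (assumption)


def uart_frame(byte, low_width_us=BIT_US):
    """Line level (1/0) every STEP_US for one 8N1 frame with idle time
    around it. Every 0 bit is driven low for only low_width_us, then
    the line returns high for the rest of that bit period."""
    bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]  # start, LSB first, stop
    n = int(round(BIT_US / STEP_US))
    samples = [1] * int(2 * BIT_US / STEP_US)               # idle high
    for b in bits:
        if b:
            samples += [1] * n
        else:
            n_low = min(n, int(round(low_width_us / STEP_US)))
            samples += [0] * n_low + [1] * (n - n_low)
    samples += [1] * int(2 * BIT_US / STEP_US)
    return samples


def uart_receive(samples, sample_frac=0.5):
    """Idealised receiver: arm on the first falling edge (start bit),
    then sample each data bit at sample_frac of its period and check
    the stop bit. Returns (byte, stop_bit_ok) or (None, False)."""
    n = int(round(BIT_US / STEP_US))
    offset = int(sample_frac * n)
    for i in range(1, len(samples)):
        if samples[i - 1] == 1 and samples[i] == 0:
            value = 0
            for k in range(8):
                value |= samples[i + (k + 1) * n + offset] << k
            stop_ok = samples[i + 9 * n + offset] == 1
            return value, stop_ok
    return None, False


def stretch_low_pulses(samples, min_width_us):
    """Software model of the external fix: every falling edge on the
    input starts a timer that holds the output low for at least
    min_width_us; the output is also low whenever the input is low."""
    hold = int(round(min_width_us / STEP_US))
    out = []
    hold_until = -1
    for i, s in enumerate(samples):
        if i > 0 and samples[i - 1] == 1 and s == 0:
            hold_until = i + hold
        out.append(0 if (s == 0 or i < hold_until) else 1)
    return out


if __name__ == "__main__":
    good = uart_frame(0x41)                      # 'A', full-width bits
    bad = uart_frame(0x41, low_width_us=3.0)     # lows only 3 us wide
    print("clean line, centre sampling :", uart_receive(good))
    print("3 us lows, centre sampling  :", uart_receive(bad))
    print("3 us lows, 30% sampling     :", uart_receive(bad, sample_frac=0.3))
    print("3 us lows + 8 us stretcher  :", uart_receive(stretch_low_pulses(bad, 8.0)))
```

With 3 us lows the centre-sampling receiver returns 0xFF for an 0x41 byte because every shortened zero has already gone high again by 4.34 us, which is exactly the "0 or 1 depending on when the receiver clocks the data in" behaviour; the stretcher holds each low to 8 us and the byte decodes again.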
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 12, 2019, 11:39:15 pm
This resistor had been left off the circuit board.

Accidentally now of course  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: helmy on January 13, 2019, 04:51:43 am
The corrupted data out of the MSO5074 was found to be caused by varying widths of the Low going data bits in the serial data stream.
At 115200 bits/sec, the nominal bit width is 8.68us.  Some of the Low going bits from the UART interface were down to 3us width.
The over all packet timing was correct, just the width of the low going bits varied.
So depending on when the receiving equipment clocks the data in, it may see either a "0" or "1"

This was solved by feeding the data through an external Pulse stretching circuit to set the minimum bit width correctly.

Could you share this external pulse stretching circuit?

The second issue of no response to commands was tracked down to an open circuit on the PCB trace from the UART interface connection point.
The Data IN to the MSO5074 goes via a series resistor. This resistor had been left off the circuit board.
In the video #1146 Dave wasn't able to send commands to it either, but then if you were following along on this thread others have tried the UART interface and were able to use it with no problem and no mention of a missing resistor, and if you let it boot completely you should get a root shell without being asked to login, right?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 13, 2019, 08:04:56 pm
Hm ?

I thought new updates would be posted on the regular Rigol sites…..
You got a new update ? What does the "changes" say ?

Martin

Single file, no 'changelog'
https://www.dropbox.com/s/7xhvif1n0ayrzju/DS5000Update%20prelim.GEL?dl=0

Just a few seconds before, I downloaded the file, transferred it to a USB stick, plugged it in the Rigol…..
Stick will be recognized but "local upgrade" isn't available…

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 13, 2019, 08:09:48 pm
Hm ?

I thought new updates would be posted on the regular Rigol sites…..
You got a new update ? What does the "changes" say ?

Martin

Single file, no 'changelog'
https://www.dropbox.com/s/7xhvif1n0ayrzju/DS5000Update%20prelim.GEL?dl=0

Just a few seconds before, I downloaded the file, transferred it to a USB stick, plugged it in the Rigol…..
Stick will be recognized but "local upgrade" isn't available…

Martin

Rename the file DS5000Update.GEL

The update process only seems to recognise that file name.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 13, 2019, 08:32:07 pm
Yes, this works and upgrading will be done very quick.
But I can't see any remarkable changes except the version number.
Before:

(https://www.bilder-upload.eu/thumb/2d5208-1547413654.jpg) (https://www.bilder-upload.eu/bild-2d5208-1547413654.jpg.html)
After:

(https://www.bilder-upload.eu/thumb/397c5e-1547413731.jpg) (https://www.bilder-upload.eu/bild-397c5e-1547413731.jpg.html)

Maybe the update was only for changing the "root" password
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 13, 2019, 08:34:35 pm
Yes, this works and upgrading will be done very quick.
But I can't see any remarkable changes except the version number.
Maybe the update was only for changing the "root" password

Somebody compared the GEL contents and almost every file was changed. But nothing significant is obvious except the password change.
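The comparison mentioned above (which files in two firmware images differ, and whether the root entry in /etc/shadow is among them) is the kind of check worth scripting before trusting a new release. The block below is an added example written for this page, not the tool anyone in the thread used; it assumes both .GEL images have already been unpacked into two directory trees (unpacking the GEL container is not covered here) and builds two small made-up trees in a temp directory so it runs offline.

```python
"""Diff two unpacked firmware trees by content hash and report which
users' password hashes changed in etc/shadow.
Added example; sample trees below are constructed, not real Rigol files."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file under root (relative path) to the SHA-256 of its bytes."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_trees(old_root, new_root):
    """Classify files as added, removed, changed or unchanged between trees."""
    old, new = hash_tree(old_root), hash_tree(new_root)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in common if old[p] != new[p]),
        "unchanged": sorted(p for p in common if old[p] == new[p]),
    }


def shadow_changes(old_root, new_root, path="etc/shadow"):
    """Usernames whose hash field (second colon-separated field) differs
    between the two trees' shadow files; None if either file is missing."""
    def load(root):
        try:
            with open(os.path.join(root, path), encoding="utf-8") as fh:
                fields = (line.rstrip("\n").split(":") for line in fh if ":" in line)
                return {f[0]: f[1] for f in fields}
        except FileNotFoundError:
            return None
    a, b = load(old_root), load(new_root)
    if a is None or b is None:
        return None
    return sorted(u for u in a.keys() | b.keys() if a.get(u) != b.get(u))


def build_sample_trees():
    """Construct two tiny fake firmware trees (placeholder content and
    placeholder hash strings, not real credentials) for a demo run."""
    base = tempfile.mkdtemp(prefix="fwdiff_")
    trees = {
        "old": {
            "etc/shadow": "root:$6$fakeold$placeholder:17800:0:99999:7:::\n",
            "rigol/app": "app binary, version 1",
            "rigol/version": "00.01.01.02.03\n",
        },
        "new": {
            "etc/shadow": "root:$6$fakenew$placeholder:17900:0:99999:7:::\n",
            "rigol/app": "app binary, version 2",
            "rigol/version": "00.01.01.02.04\n",
            "rigol/newfile": "file that only exists in the new image",
        },
    }
    for name, files in trees.items():
        for rel, content in files.items():
            full = os.path.join(base, name, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
    return os.path.join(base, "old"), os.path.join(base, "new")


if __name__ == "__main__":
    old, new = build_sample_trees()
    for kind, paths in diff_trees(old, new).items():
        print(f"{kind:>9}: {paths}")
    print("shadow entries changed:", shadow_changes(old, new))
```

Run against two real unpacked images, the "changed" list tells you whether a release touched nearly everything (a rebuild) or only a few files, and the shadow check flags a silent root password rotation without having to crack anything.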
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 13, 2019, 08:42:10 pm
Hm....
OK, let´s wait for the first official update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jgmrequel on January 13, 2019, 08:52:59 pm
Has someone tried to verify if the "upgrade" enables also the other two channels on the MSO5XX2?  ^-^

No they haven’t, but tv84 thinks it won’t.  I’m not sure it’s worth saving 90 euros to find out the hard way. Buy the 4 channel model and you get 2 extra 350MHz probes and a warranty that covers all 4 channels.

But it would be interesting to have somebody verify it.

This does in fact work - I've a MSO 5072, FW 01.01.02.03, and channels 3 and 4 get enabled with the fullopt.

I'm catching up on this thread and working on the hardware/firmware myself.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on January 14, 2019, 12:54:40 pm
The corrupted data out of the MSO5074 was found to be caused by varying widths of the Low going data bits in the serial data stream.
At 115200 bits/sec, the nominal bit width is 8.68us.  Some of the Low going bits from the UART interface were down to 3us width.
The over all packet timing was correct, just the width of the low going bits varied.
So depending on when the receiving equipment clocks the data in, it may see either a "0" or "1"

This was solved by feeding the data through an external Pulse stretching circuit to set the minimum bit width correctly.

Could you share this external pulse stretching circuit?

The second issue of no response to commands was tracked down to an open circuit on the PCB trace from the UART interface connection point.
The Data IN to the MSO5074 goes via a series resistor. This resistor had been left off the circuit board.
In the video #1146 Dave wasn't able to send commands to it either, but then if you were following along on this thread others have tried the UART interface and were able to use it with no problem and no mention of a missing resistor, and if you let it boot completely you should get a root shell without being asked to login, right?

@ helmy.
                Pulse stretching circuit added to original posting

Root access is available as soon as the operating system has been loaded.

If you follow the progress bar that appears on the display of your MSO5000 series when you first turn it ON, at approximately 1/4 of the way along is when the operating system has loaded and root access is available via the UART port.

Regards.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sprite_tm on January 19, 2019, 04:04:47 pm
Hi all! Long-time reader, first-time poster. When I read the MSO5000 had a trivially-accessible Linux shell, I pulled the trigger and now have a nice MSO5074 on my desk. Thought I would also add something to the hacking community, although it's quite trite.

So, there's an ancient rule on the Internet that whenever something runs Linux and is hacked, it shall be made to run Doom. I noticed that the fine community of MSO5000 hackers has up till now flagrantly disregarded this rule, so I decided to correct that. I present to you: Doom running on a MSO5000 oscilloscope:
https://www.youtube.com/watch?v=m2JOs0Aldq0


If you want to try this yourself (or look at the sources), feel free to take a gander in the Github repo: https://github.com/Spritetm/prboom-mso5k/releases/tag/v1.0. It's more-or-less a straight port of prboom, with some hacks in order to support the weird framebuffer hardware the scope has, and to interface with the front panel.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 19, 2019, 04:47:54 pm
LOL  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on January 19, 2019, 05:51:03 pm
What is the actual state of the MSO5000 hack?

What will I get if I buy a MSO 5072 and hack it?

I assume 4 channels, 350 MHz and all options. Is that true?

Has anyone posted a guideline on doing the hack?



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on January 19, 2019, 06:34:24 pm
Hi all! Long-time reader, first-time poster. When I read the MSO5000 had a trivially-accessible Linux shell, I pulled the trigger and now have a nice MSO5074 on my desk. Thought I would also add something to the hacking community, although it's quite trite.

So, there's an ancient rule on the Internet that whenever something runs Linux and is hacked, it shall be made to run Doom. I noticed that the fine community of MSO5000 hackers has up till now flagrantly disregarded this rule, so I decided to correct that. I present to you: Doom running on a MSO5000 oscilloscope:
https://www.youtube.com/watch?v=m2JOs0Aldq0


If you want to try this yourself (or look at the sources), feel free to take a gander in the Github repo: https://github.com/Spritetm/prboom-mso5k/releases/tag/v1.0. It's more-or-less a straight port of prboom, with some hacks in order to support the weird framebuffer hardware the scope has, and to interface with the front panel.

Sound via the wavegen perhaps?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TurboTom on January 19, 2019, 07:40:36 pm
...
So, there's an ancient rule on the Internet that whenever something runs Linux and is hacked, it shall be made to run Doom. I noticed that the fine community of MSO5000 hackers has up till now flagrantly disregarded this rule, so I decided to correct that. I present to you: Doom running on a MSO5000 oscilloscope:
...

...Delicious!  :-+ ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 19, 2019, 08:27:51 pm
What is the actual state of the MSO5000 hack?

What will I get if I buy a MSO 5072 and hack it?

I assume 4 channels, 350 MHz and all options. Is that true?

Has anyone posted a guideline on doing the hack?

Yes, you can go from a 5072 --> 4 channel, 350 MHz and all options.     There is a single post in this thread that details how to do it.    But you'll have to go and find it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on January 19, 2019, 08:28:52 pm
What is the actual state of the MSO5000 hack?

What will I get if I buy a MSO 5072 and hack it?

I assume 4 channels, 350 MHz and all options. Is that true?

Has anyone posted a guideline on doing the hack?

Just received a 5072.....  You get all channels, full bandwidth (350M), all decoding and the AWGs.  At least with the firmware released to date....
See: Reply 404...
Password is either root or Rigol201... (dependent on the firmware version)...

FYI...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 19, 2019, 09:53:53 pm
Are the full options "correct" displayed, meaning the installed options table or the before greyed out functions like power analyzing ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on January 20, 2019, 01:22:10 am
The option table does not change.  However, everything I have tried works. i.e. the AWG buttons prior to the change brought up a screen saying a license was required, and the function did not come up.  For me with a 5072 the same occurred when I selected channel 3 or 4.  Now, with the change, all function without any license notification....

FYI...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on January 20, 2019, 04:21:39 am
Hi,

here is a sweep and roll from 0 MHz to 2 GHz (FFT), source R&S SMT06, -10 dBm, sweep 9 kHz to 2 GHz for sweep and 9 kHz to 1 GHz for roll, 50 ohm HP feed-through.

Before the "update" the cut-off was at about 120 MHz, then at around 450 MHz



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 20, 2019, 05:59:32 am
thanks thats great to see.  I can't make out any units on the pics..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on January 20, 2019, 06:33:42 am
Have some inscription inserted into the picture.

Does the Rigol FFT somehow do peak hold? (this works for the Siglent SDS2kX)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 20, 2019, 10:52:43 am
The option table does not change.  However, everything I have tried works. i.e. the AWG buttons prior to the change brought up a screen saying a license was required, and the function did not come up.  For me with a 5072 the same occurred when I selected channel 3 or 4.  Now, with the change, all function without any license notification....

FYI...

Hmpf, it would be nice (and not so irritating) to have "the official touch" too.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 20, 2019, 01:03:19 pm
What is the actual state of the MSO5000 hack?

What will I get if I buy a MSO 5072 and hack it?

I assume 4 channels, 350 MHz and all options. Is that true?

Yes.

Has anyone posted a guideline on doing the hack?

This thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 20, 2019, 11:31:33 pm
Hmpf, it would be nice (and not so irritating) to have "the official touch" too.

How could this be going….

All options enabled is no problem but obviously it takes more changes to display it correct.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 21, 2019, 12:09:52 am
So, what else do we need to do to hack this.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on January 21, 2019, 03:12:49 am
So, what else do we need to do to hack this.

Find out after the next update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ShortBuss on January 22, 2019, 10:46:34 pm
Rigol MSO5074 Ordered from Tequipment (U.S.A.) Delivered today. Shipped with build date of 2018-10-15 and firmware 00.01.01.02.03. Called Rigol support and asked for a firmware upgrade. Technician stated that 00.01.01.02.03 is the Current firmware in the USA. Expected new firmware in 30 days. root/root login still worked.  >:D FYI
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tequipment on January 22, 2019, 10:50:52 pm
TEquipment now has over 80 MSO5074 units on order. We are working our best to fulfill orders on a first come, first serve basis. We would suggest placing your pre-order now to get in line, as they will be shipped on a first come, first serve basis.
We currently have the following models in stock if anyone wants something more immediate, please see here: https://www.screencast.com/t/huJDkWJKtIk
If we can help to answer any more detailed questions, please do not hesitate to contact us: salesteam@tequipment.net or direct by phone: 1-877-571-7901

Thank you for all of your patronage and support,

The TEquipment Team


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on January 22, 2019, 10:51:50 pm
Rigol MSO5074 Ordered from Tequipment (U.S.A.) Delivered today. Shipped with build date of 2018-10-15 and firmware 00.01.01.02.03. Called Rigol support and asked for a firmware upgrade. Technician stated that 00.01.01.02.03 is the Current firmware in the USA. Expected new firmware in 30 days. root/root login still worked.  >:D FYI

Just received mine.  Tequipment order, direct ship from Rigol (Beaverton, OR) Same as above.  Last self cal date is 12/27
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 22, 2019, 11:00:01 pm
Official update will be launched mid/end of february.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 22, 2019, 11:35:50 pm
So, other than playing Doom, and upgrading to 350 MHz, what else is there to do.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on January 23, 2019, 02:43:42 am
Probably digging into it and finding undocumented stuff. E.g. how have they implemented the protocol decoders. As they are done in the screen buffer it likely means others can be added.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on January 23, 2019, 07:15:26 am
Add a Bode Plot function...  8)

Find out how the "original" licence management works, maybe we can add "own" licences.

If the -fullopt will be closed with the next update...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 23, 2019, 07:35:10 am
It would be interesting to be able to develop new software features for it.  Maybe even fix the bugs.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 23, 2019, 07:36:23 am
If the -fullopt will be closed with the next update...

Then it will be interesting again (for a few hours).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 23, 2019, 07:44:08 am
Probably digging into it and finding undocumented stuff. E.g. how have they implemented the protocol decoders. As they are done in the screen buffer it likely means others can be added.
They are not done in screen buffer. They are decoded mostly in FPGA over whole acquisition buffer.
And as it is, it has more decodes than  R&S 2000 series, Keysight 2000 series,  Lecroy Wavesurfer 3000 series...
They are missing CAN FD from what I can see and decode I could think of as being useful that it doesn't have would be parametric Manchester/NRZ decode.
That would put them in a class with some 10000 USD scopes as far as decoding goes.
One more thing that would be nice would be FRA, it has a siggen built in. I think Rigol might even make that one eventually, since everybody else seems to have one..

New Rigol 5000/7000 series is not missing any significant features. And aside from it being new and in need of debugging (which they will eventually do and it will be fine), I don't like how they missed the opportunity to make a new U/I that would be more like Lecroy or R/S, to better utilize the screen.  Despite all analog scope nostalgia, new digital scopes are computers, and need to have a proper computer U/I to be able to handle the vast complexity of the analytic functions they have. For instance, instead of splitting the screen for the decode function, they slap a small window in the middle of the screen with decoded packets. Zoom windows cannot be resized... Stuff like that.  You really need to try to use R/S 2000/3000/4000 to see how much better they use the screen. Even the old Keysight 3000 series manages to put more info on an 8.5" screen than Rigol on 10".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 23, 2019, 10:16:44 am
If the -fullopt will be closed with the next update...

Then it will be interesting again (for a few hours).

12-18 at most?   You might be able to use the hack that rgwan claimed to have found. ( still nothing to verify ).. I think they did a modification of the binaries, which returns the licence status.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 23, 2019, 11:37:46 am
rgwan claimed a KG. With a KG you don't need to do anything more (regarding future updates). Unless it's not a true KG...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 23, 2019, 10:01:21 pm
New Rigol 5000/7000 series is not missing any significant features. And aside it being new and in need of debugging (which they will eventually do and it will be fine)

I know they do it..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 26, 2019, 12:28:06 pm
Hi all! Long-time reader, first-time poster. When I read the MSO5000 had a trivially-accessible Linux shell, I pulled the trigger and now have a nice MSO5074 on my desk. Thought I would also add something to the hacking community, although it's quite trite.

So, there's an ancient rule on the Internet that whenever something runs Linux and is hacked, it shall be made to run Doom. I noticed that the fine community of MSO5000 hackers has up till now flagrantly disregarded this rule, so I decided to correct that. I present to you: Doom running on a MSO5000 oscilloscope:
https://www.youtube.com/watch?v=m2JOs0Aldq0


If you want to try this yourself (or look at the sources), feel free to take a gander in the Github repo: https://github.com/Spritetm/prboom-mso5k/releases/tag/v1.0. It's more-or-less a straight port of prboom, with some hacks in order to support the weird framebuffer hardware the scope has, and to interface with the front panel.
Aww, you took that slice of cheese from my sandwich :p
I'm surprised that you managed to get a MSO5074 already, they are sold out everywhere; so while I have bits and pieces ready, couldn't do this just yet :( and it's kinda hard without a scope :p

But you are absolutely right; and it runs Doom as it should!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 26, 2019, 12:39:41 pm
But you are absolutely right; and it runs Doom as it should!

Good frame rate, too.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 26, 2019, 03:18:26 pm
I've mentioned it before but nobody answered: Why does this thing take so long to boot? A whole minute seems ridiculous.

a) Is this time typical of this sort of Xilinx/Linux system or just somebody at Rigol being lazy?
b) Could it be improved?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on January 26, 2019, 04:38:52 pm
I've mentioned it before but nobody answered: Why does this thing take so long to boot? A whole minute seems ridiculous.

a) Is this time typical of this sort of Xilinx/Linux system or just somebody at Rigol being lazy?
b) Could it be improved?
I doubt Rigol have enough knowledge of the OS to be able to optimise boot time, or at least were prioritising the scope functionality
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 26, 2019, 05:13:47 pm
A whole minute seems ridiculous.

Owner of a lecroy ws-422/4 would be happy if they have only one minute to wait... 8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: filssavi on January 26, 2019, 06:31:01 pm
I've mentioned it before but nobody answered: Why does this thing take so long to boot? A whole minute seems ridiculous.

a) Is this time typical of this sort of Xilinx/Linux system or just somebody at Rigol being lazy?
b) Could it be improved?

A) probably yes
B) of course

The standard Yocto/PetaLinux is quite slow to boot since it is not optimised for boot speed; you can cut down the boot time to shell from ~10 s to ~2 s by just turning off or delaying DHCP initialization. Ubuntu (so a full blown desktop GUI distro) boots in ~5-10 s from a typical SSD and it can be optimised further.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 26, 2019, 07:26:33 pm
My 2 cents..
15000 USD Keysight MSOX3104 boots in 58 seconds....

Also why is everybody talking how fast it takes Linux to boot?
Linux is only part of the equation. You need a comprehensive self test of all the other stuff that is in a scope (as opposed to just an OS boot on a computer), and you need to also load code into the FPGAs and self test that too.

Fast boot time is nice but not an issue... You switch it on, and by the time you grab probes and connect you're there.
If they manage to optimize it later, fine, if not it is not a problem. There are real bugs and usability improvements that need to be addressed first.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bitwelder on January 26, 2019, 10:26:40 pm
I doubt Rigol have enough knowledge of the OS to be able to optimise boot time, or at least were prioritising the scope functionality
Sometimes I wonder if Rigol let the 'hack' leak so that somebody else can improve their scope at no R&D cost.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 26, 2019, 11:48:21 pm
I doubt Rigol have enough knowledge of the OS to be able to optimise boot time, or at least were prioritising the scope functionality
Sometimes I wonder if Rigol let the 'hack' leak so that somebody else can improve their scope at no R&D cost.

If you got the 'scope for $999 then you aren't being ripped off even if you do a little bit of work for Rigol.  :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on January 27, 2019, 05:22:20 am
I doubt Rigol have enough knowledge of the OS to be able to optimise boot time, or at least were prioritising the scope functionality
Sometimes I wonder if Rigol let the 'hack' leak so that somebody else can improve their scope at no R&D cost.
The idea of an intended hack or leak is fundamentally stupid. How do you think it is practically implemented? This is a fair size company with directors, top and mid managers, a bunch of departments, documentation, legal, development, marketing, etc. I imagine the board of directors in a meeting and Mr. Woo saying why don't we create a hack or leak. You Mr. Boo take care of communicating the hackable instrument strategy to the engineering department and make sure every engineer follows it. You Mr. Noo make sure proper documentation gets built on the hack feature. You Mr. Doo get your sockpuppet team deployed to the major electronics forums to strategically leak information according to the plan Mr. Zoo will create.  And make goddamn sure our hole doesn't accidentally become patched with the next firmware update. You Mr. Foo are responsible for regression testing to make sure this does not happen.

Is this how hack leaks are operationalized at rigol?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 27, 2019, 09:14:20 am
TEquipment now has over 80 MSO5074 units on order. We are working our best to fulfill orders on a first come, first serve basis. We would suggest placing your pre-order now to get in line, as they will be shipped on a first come, first serve basis.
We currently have the following models in stock if anyone wants something more immediate, please see here: https://www.screencast.com/t/huJDkWJKtIk
If we can help to answer any more detailed questions, please do not hesitate to contact us: salesteam@tequipment.net or direct by phone: 1-877-571-7901

Thank you for all of your patronage and support,

The TEquipment Team

Guessing the 5074 is outselling the other models.  TEquipment could you tell us if Rigol accidentally left their devices very insecure or was it deliberate?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Romain on January 27, 2019, 09:18:50 am
TEquipment now has over 80 MSO5074 units on order. We are working our best to fulfill orders on a first come, first serve basis. We would suggest placing your pre-order now to get in line, as they will be shipped on a first come, first serve basis.
We currently have the following models in stock if anyone wants something more immediate, please see here: https://www.screencast.com/t/huJDkWJKtIk
If we can help to answer any more detailed questions, please do not hesitate to contact us: salesteam@tequipment.net or direct by phone: 1-877-571-7901

Thank you for all of your patronage and support,

The TEquipment Team

Guessing the 5074 is outselling the other models.  TEquipment could you tell us if Rigol accidentally left their devices very insecure or was it deliberate?
Asking the question would satiate our curiosity (if we ever get a response from Rigol) but it may lead them to think that it's not just a bunch of geeks in their garage hacking their scopes anymore...
They may start tackling this if they  consider that it hinders the sales of their more expensive models...

Sent from my SM-G930F using Tapatalk

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 27, 2019, 11:53:21 am
Guessing the 5074 is outselling the other models.  TEquipment could you tell us if Rigol accidentally left their devices very insecure or was it deliberate?

What do you want? A definitive statement from the head of Rigol?  :-//

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 27, 2019, 12:44:26 pm
People are unhappy that they can buy scope for very little money (compared to what it used to be) that can be hacked to full specs.
And also feel a need to insult people who are making it.....  :-//

There are many wrong statements here used by those unhappy people.

Making a secure scope (OS, device, whatever) takes effort.

If you just take Linux distro and load it to a scope (like they did) it will not be secure. 
So it's not that they are stupid; they are not, and being a rather big company by now, they could have hired ANY security consultant from anywhere in the world if they didn't have the staff on board.

Securing things is expensive, and not only once: the whole platform needs to be maintained in a different workflow once you go that route.
Also they know that even top notch protection is breakable once there is enough will to spend time on it.

So they make it such that you have some basic licensing mechanism and that's it. Companies will buy legal options (they are exposed to all kinds of auditing, liability and traceability) and hobbyists will buy it for hackability and unlock it. It generates sales. 
It is not that they are stupid, or don't know how to do it. Or they do this as some elaborate plan. They simply didn't want to spend more money to develop something that will generate less sales later.

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.
For a hobbyist no need to think much...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 27, 2019, 01:38:38 pm
If you just take Linux distro and load it to a scope (like they did) it will not be secure. 

Securing Linux isn't difficult. If it was then half the web servers in the world would be hacked.

So it's not that they are stupid, they are not, and being a rather big company by now, they could have hired ANY security consultant for anywhere in the world if they didn't have a staff on board.

Or .... maybe it's deliberate!

They're probably still making $250+ on each one and they're flying off the shelves. Most places have no stock.

If it wasn't hackable then those naughty hackers would probably be buying Siglents instead (the SDS1204X-E is cheaper than a Rigol MSO5072 and is better, a hacked 1104X-E even more so!) so it will be difficult to make a case that the hacking is bad for Rigol. $250 is infinitely better than nothing at all.

PS: Has anybody done a BOM on one of these? Case, screen and knobs are probably $125, PSU $25, PCB $10. How much do those Xilinx and RAM chips cost? Can the thing be built for $300?

Securing things is expensive and not only once, but whole platform needs to be maintained in different workflow once you go that route.
Also they know that even top notch protection is breakable once there is enough will to spend time on it.

They don't have to make it 100% secure, they just have to make it so you have to at least open it up and solder JTAG wires to the PCB to reprogram it (or whatever). That would reduce hacking massively and could probably be done with a couple of mornings' work.

Problem? Hackers would buy easily-hackable Siglents instead.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: voltsandjolts on January 27, 2019, 01:43:55 pm
Securing Linux isn't difficult. If it was then half the web servers in the world would be hacked.

That's not a valid comparison.
With the scope you have full fw binary and hardware access.
In comparison, securing a remote web server is a walk in the park.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: supercilious on January 27, 2019, 01:46:06 pm
Securing Linux isn't difficult. If it was then half the web servers in the world would be hacked.
Securing Linux (or anything) against physical access to the machine is HARD - to the point of being damn near impossible.

The best one can hope for is that the "cost" of hacking it is high enough that it's not worth doing.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on January 27, 2019, 02:19:17 pm
Physical access is literally impossible to secure against, as if you deal with any external device or interface, you expose yourself, and all it takes is 1 corner case the designers didn't think of out of millions of possible attacks, and they are in. Even if they are still trapped in userland, once they're in, they have a wider attack surface and can keep driving the wedge forward.

E.g. a router I just got from a certain ISP will default into the root account of the UI if you give it a username of Unicode zero width spaces. It's not null, and it's not ASCII whitespace, but later it gets stripped back to be an empty string, so it ends up getting into a part of the code that it wasn't meant to and I get access to more than I should.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 27, 2019, 02:29:58 pm
That is the old adage in security business. There is no security without physical security. Once you have access to physical box ....

What I want to say is that this whole "why is it hackable" is overthought.
It is expensive to secure it and it would mean loss of sales. So they don't.

I spoke with people from big T&M manufacturers. They admit they sell mostly low end models with not much options. Also they make money on high end devices, maintenance contracts and such.
These companies are run by classic western businessmen who only look at profit margins. They could release basic software options for free and have minimal negative impact on option sales and probably increased sales of units, because they would be better value. But it is against their "religion".

The Chinese seem to grasp this a bit better. Those who can and need to buy will buy options. Others will either buy nothing or buy the cheapest version if they can unlock it.
And it might be that MSO5000 is not much more expensive to make than DS1000Z, and it's triple the price.
And they are happy with that profit margin.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 27, 2019, 08:27:38 pm
They don't have to make it 100% secure, they just have to make it so you have to at least open it up and solder JTAG wires to the PCB to reprogram it (or whatever). That would reduce hacking massively and could probably be done with a couple of morning's work.

Fungus, this is also not a definitive solution.

After the hack is discovered via JTAG access, etc., etc., a patch could be made so that people can easily install it without requiring JTAG access, or a keygen ;) could be generated, and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 27, 2019, 10:32:28 pm
Fungus, this is also not a definitive solution.

After the hack is discovered via JTAG access, etc., etc., a patch could be made so that people can easily install it without requiring JTAG access, or a keygen ;) could be generated, and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

They could start shipping them with a firmware that will only install signed firmware updates. That would prevent users from simply loading a modified firmware (at least for the first time).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 27, 2019, 10:47:07 pm
Fungus, this is also not a definitive solution.

After the hack is discovered via JTAG access, etc., etc., a patch could be made so that people can easily install it without requiring JTAG access, or a keygen ;) could be generated, and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

They could start shipping them with a firmware that will only install signed firmware updates. That would prevent users from simply loading a modified firmware (at least for the first time).

I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

But let’s see what happens next.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 28, 2019, 02:22:49 am
I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sprite_tm on January 28, 2019, 01:05:55 pm

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

To be fair, in theory root-of-trust and signed firmware should indeed stop all software-based attacks from happening when implemented 100% correctly, so you're right there. On the other hand, in practice it never seems to be implemented 100% well: there's data loaded from unsecured sources (e.g. the user partition) using insecure parsers, network connectivity is implemented badly, there's a bug in partition checking code, you name it. I'll not go into the personal-attack-y bits of the conversation between you two, but I can imagine getting everything so locked up that it's impossible to get persistent root may require more engineering power than is wise to spend on Rigol's side.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 28, 2019, 01:21:32 pm
I can imagine getting everything so locked up that it's impossible to get persistent-root may require more engineering power than is wise to spend on Rigols side.

Sure, my point was only that it's a lot less difficult to require people to at least open up the case and solder wires to the board if they want to hack it, thus voiding the warranty (or at least creating fear of loss of warranty, depending on local laws).

Checking the digital signature of an update file before installing it isn't difficult. Disabling the command shell access on the Ethernet port isn't difficult either.

Just those two things would reduce hacking by a significant amount.

(and increase Siglent sales proportionally)


nb. I didn't say "prevent" hacking.
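The signed-update check proposed above, together with Sprite_tm's caveat about parsers fed unauthenticated data, as an added example in Go. This is not Rigol's code and not anything posted in the thread; the image layout, the `UPD1` magic and the anti-rollback version counter are constructed for the example, and the installer verifies the Ed25519 signature over the raw file before it interprets a single header field.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update-image layout for this example (not Rigol's real format):
//
//	magic    4 bytes   "UPD1"
//	version  4 bytes   big-endian anti-rollback counter
//	length   4 bytes   big-endian payload length
//	payload  <length>  bytes
//	sig      64 bytes  Ed25519 signature over every byte before it
const (
	imgMagic  = "UPD1"
	headerLen = 12
	sigLen    = ed25519.SignatureSize
)

var (
	ErrBadSignature = errors.New("update rejected: signature check failed")
	ErrMalformed    = errors.New("update rejected: malformed image")
	ErrRollback     = errors.New("update rejected: version older than installed")
)

// NewVendorKey stands in for the vendor's offline release key. Only the public
// half would be stored on the device; the private half stays on the build system.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the release-tool side: header + payload, then a signature over both.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerLen, headerLen+len(payload)+sigLen)
	copy(body[0:4], imgMagic)
	binary.BigEndian.PutUint32(body[4:8], version)
	binary.BigEndian.PutUint32(body[8:12], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the installer side. The signature is checked over the raw bytes
// first; header fields are interpreted only after they are known to be authentic,
// so a tampered header or payload never reaches a parser. 'installed' is the
// version currently on the device and provides the anti-rollback check.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (payload []byte, version uint32, err error) {
	if len(img) < headerLen+sigLen {
		return nil, 0, ErrMalformed
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrBadSignature
	}
	// Everything below runs on authenticated bytes only.
	if string(body[:4]) != imgMagic {
		return nil, 0, ErrMalformed
	}
	version = binary.BigEndian.Uint32(body[4:8])
	length := binary.BigEndian.Uint32(body[8:12])
	if uint64(length) != uint64(len(body)-headerLen) {
		return nil, 0, ErrMalformed
	}
	if version < installed {
		return nil, 0, ErrRollback
	}
	return body[headerLen:], version, nil
}

func main() {
	pub, priv := NewVendorKey()
	good := BuildImage(priv, 2, []byte("constructed payload: firmware v2"))

	// Genuine image, device currently on v1: accepted.
	_, v, err := VerifyImage(pub, 1, good)
	fmt.Println("genuine:", v, err)

	// Same image with one payload byte flipped: rejected before any parsing.
	bad := append([]byte(nil), good...)
	bad[headerLen] ^= 0xff
	_, _, err = VerifyImage(pub, 1, bad)
	fmt.Println("tampered:", err)

	// Genuine but older than what is installed: rejected by the rollback check.
	_, _, err = VerifyImage(pub, 3, good)
	fmt.Println("rollback:", err)
}
```

The ordering is the whole point: ed25519.Verify runs over the complete file before the magic, version or length is read, so the only bytes the parser ever sees are ones the vendor key vouches for.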
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on January 28, 2019, 03:18:44 pm
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 28, 2019, 06:38:04 pm
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

Actually I think the opposite. Understanding the rationale behind why they have taken a particular approach is critical to being able to keep ahead of them. Knowing how your opponent thinks and behaves is critical in a war. 90%+ of 'hacking' is possible because humans have taken a particular course of action.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Romain on January 28, 2019, 06:55:21 pm
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

Actually I think the opposite. Understanding the rationale behind why they have taken a particular approach is critical to being able to keep ahead of them. Knowing how your opponent thinks and behaves is critical in a war. 90%+ of 'hacking' is possible because humans have taken a particular course of action.
"Your opponent"? are you serious??
Rigol is actually on *our* side by not putting the effort into securing their scopes (and yes it is INTENTIONAL, whether it is by lack of care, or to voluntarily help the community. We will never know for sure, but it makes no difference anyway).
As many pointed out, it is not hard to put a first level of dissuasion...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 28, 2019, 06:58:11 pm
Rigol is actually on *our* side by not putting the effort into securing their scopes (and yes it is INTENTIONAL, whether it is by lack of care, or to voluntarily help the community. We will never know for sure, but it makes no difference anyway).

I agree. It's completely intentional, and not by "lack of care".

There is no "battle", it's just a puzzle for us to figure out how to do it.

(while keeping up the pretense of us being naughty people so they can still sell at full price to big companies, etc.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 28, 2019, 07:00:11 pm
Quote
"Your opponent"? are you serious??

The original quote was

Quote
Knowing how your opponent thinks and behaves is critical in a war.

I did not say Rigol was my opponent; however, I'm sorry if you read it that way. It was more a figure of speech. The point I was trying to make is that in many cases security measures are 'got around' by understanding both technical and non-technical aspects of the person/company/organisation that implemented them. Understanding why Rigol has chosen to take a certain path is as important as knowing what they did.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 28, 2019, 11:20:32 pm
I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

It wouldn’t be appropriate to discuss that here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 29, 2019, 05:07:30 pm
While we're waiting for Rigol to release a firmware update I stitched together some xray images of the keyboard and main board. Better than the previous ones, I tweaked a few settings. Large images, you can zoom in quite a way...

keyboard
https://www.dropbox.com/s/tjjrnx9i91khw7n/rigol%20kb.png?dl=0 (https://www.dropbox.com/s/tjjrnx9i91khw7n/rigol%20kb.png?dl=0)

Main board
https://www.dropbox.com/s/asoofgz8equzzc1/rigol%20mb.png?dl=0 (https://www.dropbox.com/s/asoofgz8equzzc1/rigol%20mb.png?dl=0)

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: voltsandjolts on January 31, 2019, 05:28:24 pm

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

To be fair, in theory root-of-trust and signed firmware should indeed stop all software-based attacks from happening when implemented 100% correctly, so you're right there. On the other hand, in practice it never seems to be implemented 100% well: there's data loaded from unsecured sources (e.g. the user partition) using insecure parsers, network connectivity is implemented badly, there's a bug in partition checking code, you name it. I'll not go into the personal-attack-y bits of the conversation between you two, but I can imagine getting everything so locked up that it's impossible to get persistent root may require more engineering power than is wise to spend on Rigol's side.

Sprite is right.
If the Microsoft budget couldn't prevent the XBox being hacked, what hope have Rigol of securing a scope.
https://arstechnica.com/gaming/2007/03/8954/ (https://arstechnica.com/gaming/2007/03/8954/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 31, 2019, 06:11:23 pm
If the Microsoft budget couldn't prevent the XBox being hacked...

a) The Xbox hacker's budget was proportionally higher, too.  :popcorn:
b) The Xbox was designed to load and execute 3rd party software.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 31, 2019, 10:02:33 pm
Guessing the 5074 is outselling the other models. TEquipment, could you tell us if Rigol accidentally left their devices very insecure, or was it deliberate?

What do you want? A definitive statement from the head of Rigol?  :-//

I'd just ask them, together with other questions.
These questions were answered, the "special one" was ignored.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JohnT on February 01, 2019, 12:08:11 am
Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?
>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on February 01, 2019, 12:28:29 am
Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?
>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

It's entirely possible it's broken later. Don't buy it NOW for a guarantee you can keep it hacked once the larger bugs are worked out.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 01, 2019, 01:00:43 am
Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?

99.999% yes. "Hackability" is a Rigol sales technique and has been for many years. They've never made the slightest effort to prevent it..

>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

What you do is wait a few hours  for somebody to patch the new firmware so it won't lock up your 'scope.

But it's not going to happen. If Rigol ever does that their sales will die off overnight.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JohnT on February 01, 2019, 01:25:25 am
Fungus, I like your optimism and outlook but $1000 is a lot of money for me to not be certain. I am a little concerned that Rigol are displeased with all the goings on as they attempted a fix by updating the password recently. I was hoping that the username/password would remain unchanged on a given scope regardless of later firmware updates but that seems not to be the case based on Maginnovision's inputs. Another concern is denial of being able to roll back the firmware to an older version should a newer firmware prove a pain to hack. I guess all bets are off when you tinker.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on February 01, 2019, 02:15:50 am
If you are worried about an update, just don't update it until the collective borg has dealt to it. Seriously, it's only going to be a matter of a few days at worst.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: The Doktor on February 01, 2019, 02:53:04 am
Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?

99.999% yes. "Hackability" is a Rigol sales technique and has been for many years. They've never made the slightest effort to prevent it..



They stopped the hack on 1 of their spectrum analyzers a while back.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JohnT on February 01, 2019, 03:21:23 am
If you are worried about an update, just don't update it until the collective borg has dealt to it. Seriously, it's only going to be a matter of a few days at worst.
So true. I was feeling a little rushed to buy a potentially buggy (manufacturing maturity, hardware and software) product that I believe was released only two months ago. I think now I'll be waiting on this purchase to see how its hackability evolves over time. 'The Doktor' just commented that they stopped a hack on a spectrum analyzer a while back, so I may be taking a gamble waiting.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: The Doktor on February 01, 2019, 03:54:51 am
There was still a hack for the SA after they patched it, but instead of a keygen you had to actually open the box and modify the hardware. It was cut a lead on some chip, or maybe ground a lead?  Doing this caused the trial timer for the extra features to reset when the SA was turned off. So you still got the features, but more work/risk.

Ed
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on February 01, 2019, 09:05:21 am
I am a little concerned that Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.
The firmware with the new password is rather old and has been released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on February 01, 2019, 09:46:14 am
Would you return to the actual topic? Make up your own thread; there you can discuss it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 01, 2019, 09:47:29 am
The firmware with the new password is rather old and has been released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.

For this model, it will be hackable. Confidence greater than "six nines".

They stopped the hack on 1 of their spectrum analyzers a while back.

They did? Which one?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 01, 2019, 10:13:17 am
Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.

a) You don't know why they did that.

It might simply have been to protect against all the botnets out there that are busy sending "root"/"root" to every single IP address on the internet.

It would have been just as easy (and much more sensible from a security point of view) for them to disable shell access altogether.

All you do is change one line in a text file and no more shell access. Google it.

b) What are the chances of somebody at Rigol thinking, "You know, we're selling too many of these oscilloscopes to hackers. I think we should give our friends at Siglent a chance to sell to them instead..."

and,

c) What else are you going to buy for $1000? Have you made a list? How long is it, and how do the devices on it compare to a hacked MSO5000?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on February 01, 2019, 01:10:06 pm
The firmware with the new password is rather old and has been released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.

For this model, it will be hackable. Confidence greater than "six nines".

They stopped the hack on 1 of their spectrum analyzers a while back.

They did? Which one?
The DSA815
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 01, 2019, 01:39:53 pm
They did? Which one?
The DSA815

So ... if they know hacks happen then why aren't they at war with the hackers? Why was the DS1054Z left open even though it had 11 firmware updates?

The only answer the that is that there is no "war". It's deliberate policy to have some devices hackable and some not (eg. The DS1054Z is hackable, the DS1054Z with signal generator isn't).

I don't know much about the DSA815 or why they might change it, but locking up the MSO5000 would be suicide; it isn't competitive with the lower priced SDS1204X-E!

The only way the MSO5000 can sell is if it's hackable (and pressure from other vendors will only increase!)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JohnT on February 01, 2019, 03:54:52 pm
Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.

a) You don't know why they did that.

It might simply have been to protect against all the botnets out there that are busy sending "root"/"root" to every single IP address on the internet.

It would have been just as easy (and much more sensible from a security point of view) for them to disable shell access altogether.

All you do is change one line in a text file and no more shell access. Google it.

b) What are the chances of somebody at Rigol thinking, "You know, we're selling too many of these oscilloscopes to hackers. I think we should give our friends at Siglent a chance to sell to them instead..."

and,

c) What else are you going to buy for $1000? Have you made a list? How long is it, and how do the devices on it compare to a hacked MSO5000?
All sound points that contradict my knee jerk assumptions. The MSO5000 series has that hobbyist feel to it; support for only passive probes, no 50ohm termination, all in one functionality, 0.1 inch spacing header digital signal access and hardware changes to reduce cost (ex. crapped-on capacitors...). I suspect that sales for their top end versions of this series will stagnate in industry as the pricing just isn't competitive, but provided the workarounds remain, the low-end versions of the scopes are going to be flying off the shelves.  Rigol is going to foster brand recognition in a new generation of soon to be professionals, so staying the course makes sound business sense. Regarding point C, the MSO5000 is at the top of the list by a long shot, I've wanted a scope like this for many years.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ur63 on February 01, 2019, 04:48:47 pm
People are unhappy that they can buy scope for very little money (compared to what it used to be) that can be hacked to full specs.

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.
.

Would you have any link or reference where to get the MSO5074 including the PLA2216 Logic Probe for € 1190.- ?

Thanks in advance
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 01, 2019, 04:51:48 pm
Hi,

Quote
Option bundle for RTB2000 costs € 1,190.- net (no VAT).

 ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ur63 on February 01, 2019, 05:06:14 pm
Quote

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.
.

Hi, see above...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 01, 2019, 05:12:45 pm
Quote

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.
.

Hi, see above...

this thread is already trashed with OT nonsense now so no harm me adding some more...

Batterfly 1198 Euro (no VAT) for both items. If you wait then sometimes they have a 10% off everything offer
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 09:59:46 am
So lets get back on track :)

We've been digging around the scope and the software, and found that next to the Zynq (Artix-7) FPGA, Spartan-6 FPGA and ASIC FPGA (for the keyboard) there seem to be 2 more programmable devices, a CPLD and a Kintex 7.

The Spartan 6 has an eeprom with a very basic and simple bin (stripped bit more or less) in it. My educated guess is that the Spartan stems from the DS1000Z design and 'controls' the frontend (voltage scale, timebase, etc.) through simple commands. The eeprom serves two purposes: to store the bitstream and to store the settings, so that when you boot up the scope, it can go into the mode it was in before. Sadly I do not have the scope myself (yet; it's sold out everywhere for the 4-channel unit) so haven't confirmed this. There seems to go a bus between the eeprom .

The Spartan-6 has about 4 wires going to the Zynq (SPI-ish bus?), 4 to the eeprom on different pins, and some 4 wire bus to the TOP BIG heatsinked chips.

Furthermore we found that the Zynq has a big wide 8 bit differential bus between the TOP BIG heatsinked chip and itself. So that's probably their main high-speed data path.

Now, the software seems to have 4 tools related to these parts: spi2*, where spi2k7 is the 'upload' tool for 2 FPGAs it seems. Looking at that tool there seems to be a new spidev IOCTL which appears to switch between 'chip 0 and chip 1', whatever that may be. The bitstream gets uploaded to chip 1, but chip 0 serves as a sort of arbiter. spi2cpld seems to interact only with chip 0. Not sure yet what this tool can do other than poke and change registers.

So Rigol seems to have added a chip select through a new IOCTL because ... of reasons. My educated guess is, they did not have enough general purpose GPIO pins, and used some of the Zynq pins. Rather than convert those to general purpose IO pins and connect them to Linux, they manually hacked around a bit in the spidev driver. Very sad, but that's how it seems to be. More on that later I guess :)

Anyway, all pictures do not show any of this information due to the big heatsinks.

We do know that we have 4 rigol front end 'controllers' but those are fully analog chips. Those 4 differential analog traces go into the LOWER BIG chip, which we all expect to be the adc. From the ADC, we see balanced traces going to the TOP chip. Those are probably digital signals.

The going theory for now is, that their 'acquisition' chip does not exist (yet) and actually is a Kintex-7 FPGA, which takes those ADC signals, and puts them on a high-speed 8 bits datapath to the zynq. But where is this CPLD then? Is the spartan the CPLD and have they named it as such as it has a dedicated eeprom and should be treated as such? Or do we have more chips under those heatsinks.

So to anyone listening, especially those who have a broken scope already (or are experts at removing and re-adding those big phat heatsinks); anybody out there that can remove those heatsinks (of their own accord, nobody here will be responsible of course) and take some high-res photos of what's underneath?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 02, 2019, 10:49:04 am
If people are taking them apart then another thing to look for the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 02, 2019, 11:23:15 am
Rigol chipset consists of 3 chips:
"the Analog Front End Chip (named Beta Phoenicis) will allow for front end bandwidth of 4GHz with highly integrated capability allowing for simplified and highly reliable front end design.
The Signal Processing Chip (named Ankaa) supports 10GSa/s sampling with bandwidth up to 6GHz.
Also there is the Probe Amplifier Chip (named Gamma Phoenicis) will support a 6GHz Active Differential probe. "

for 5000:
The core of RIGOL's UltraVision II architecture is its Phoenix chip-set. Two custom ASICs provide analog front end and signal processing performance. These chips are surrounded by a high performance hardware design including Xilinx Zync-7000 SoC, Dual Core ARM-9 Processors, a Linux +Qt Operating System, High Speed DDR System Memory and QDRII Display memory.

Signal Processing Chip (named Ankaa) is A/D and first level of DSP. It connects to FPGA that has Ultravision II architecture implemented in it.
Unlike Keysight, they separated first level A/D and waveform engine. That approach is more modular, and  is more flexible and makes it easy to modify and grow. That is also how it is easy for them to add huge memory and such.

They will also have a handful of smaller support chips..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 12:25:54 pm
I've attached pictures of what is visible from the side of the 2 big heatsinks. That adhesive is really strong, there's no way I'm going to risk trying to break those heatsinks off...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 02, 2019, 01:57:42 pm
If people are taking them apart then another thing to look for the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.

Here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 02:10:00 pm
LED backlight voltage is a standard 3 x 3.3v LED string so 9.9v - it's not modulated in any way.

Datasheets seem to indicate 10.2v max is allowed (with reduced life) but it's already plenty bright enough for me anyway.

But young kids do seem to like their phone screens set to 'stun/blind' brightness these days...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 02:14:17 pm
This is the backlight panel. I guess you could replace it with something a bit more 'exciting' if it bothered you at all...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 02:33:25 pm
If people are taking them apart then another thing to look for the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.

I'll update the wiki with pics and text about the display. So far, we know it's a 4 bit + 1 clock differentially driven display, so very likely a MIPI display. The numbers didn't yield any results so far. Signal traces look very simple.

As for the brightness/backlight, so far, I haven't seen whether it's driven via a pin of the SoC, or the 'always on' kind :(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 02:35:06 pm
I wonder if we could find an OLED that's the right size >: )
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 02:39:06 pm
Rigol chipset consists of 3 chips:
"the Analog Front End Chip (named Beta Phoenicis) will allow for front end bandwidth of 4GHz with highly integrated capability allowing for simplified and highly reliable front end design.
The Signal Processing Chip (named Ankaa) supports 10GSa/s sampling with bandwidth up to 6GHz.
Also there is the Probe Amplifier Chip (named Gamma Phoenicis) will support a 6GHz Active Differential probe. "

for 5000:
The core of RIGOL's UltraVision II architecture is its Phoenix chip-set. Two custom ASICs provide analog front end and signal processing performance. These chips are surrounded by a high performance hardware design including Xilinx Zync-7000 SoC, Dual Core ARM-9 Processors, a Linux +Qt Operating System, High Speed DDR System Memory and QDRII Display memory.

Signal Processing Chip (named Ankaa) is A/D and first level of DSP. It connects to FPGA that has Ultravision II architecture implemented in it.
Unlike Keysight, they separated first level A/D and waveform engine. That approach is more modular, and  is more flexible and makes it easy to modify and grow. That is also how it is easy for them to add huge memory and such.

They will also have a handful of smaller support chips..
Thanks, but that's mostly the marketing speak :)

Here's the wiki page with all the chips: https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown

Missing is indeed, the 4x analog frontends; so that would map to Beta Phoenicis chip?

We then have the first BOTTOM BIG heatsinked chip. This is the ADC. So what's that, is that Ankaa? Is that a standard ADC? The TOP BIG heatsinked chip is very likely a Kintex-7; Not something rigol designed. Unless they put an FPGA in there of course.
Finally, again, the spartan-6 is probably their 'ultravision' platform if anything...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 02:39:30 pm
I wonder if we could find an OLED that's the right size >: )

Well the touchscreen is a separate item so it's just the display that needs replacing
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 02:47:07 pm
The TOP BIG heatsinked chip is very likely a Kintex-7; Not something rigol designed. Unless they put an FPGA in there of course.

The kintex7 packaging documentation shows something that looks very much like the photos I posted earlier...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 02, 2019, 03:01:50 pm
The kintex7 packaging documentation shows something that looks very much like the photos I posted earlier...

So, 2 Kintex?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 02, 2019, 03:31:49 pm
Missing is indeed, the 4x analog frontends; so that would map to Beta Phoenicis chip?
Yes.

We then have the first BOTTOM BIG heatsinked chip. This is the ADC. So what's that, is that anka? Is that a standard ADC?
No, it is not a standard A/D. It is a Rigol-designed ADC with a first level of signal processing that is tailored for scopes, as opposed to a general purpose ADC.

Rest of chips are different from DS7000 which revolves around Zynq-7000
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 07:21:42 pm
I've attached pictures of what is visible from the side of the 2 big heatsinks. That adhesive is really strong, there's no way I'm going to risk trying to break those heatsinks off...
Haha, you've done more than enough already!! :) But if someone gets his hands on a broken one ... send it to TopLoser, I'm sure he'll <dave voice> take it apart</dave voice> and take nice PCB X-rays :D

As for the photos. The analog part looks like a single chip, probably the ADC as we all expect.
The kintex 7 probably looks like this (http://ww1.prweb.com/prfiles/2014/05/27/11886156/xem7350-720x648.jpg) is my guess :)
You mentioned a few times that you saw several parts, so this kinda confirms it, it's the main die (naked) with some resistor networks etc next to it.

The kintex7 packaging documentation shows something that looks very much like the photos I posted earlier...
I should have looked at that (and at the picture before)... busy mind busy mind :(

So I think we more or less 'confirmed' that it is indeed a Kintex-7. And until someone proves us wrong (by the only means possible, a heatsinkless photo) that's how it is :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 07:25:45 pm
Missing is indeed, the 4x analog frontends; so that would map to Beta Phoenicis chip?
Yes.

We then have the first BOTTOM BIG heatsinked chip. This is the ADC. So what's that, is that anka? Is that a standard ADC?
No, it is not a standard A/D. It is a Rigol-designed ADC with a first level of signal processing that is tailored for scopes, as opposed to a general purpose ADC.

Rest of chips are different from DS7000 which revolves around Zynq-7000

While I'm not familiar with the DS7000, this confirms my suspicion at least, that the scope is a whole bunch of FPGAs :) but credit where credit is due; they did do their own analog front end chip + ADC chip. The rest is all FPGA work.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 07:26:48 pm
The kintex7 packaging documentation shows something that looks very much like the photos I posted earlier...

So, 2 Kintex?
No, One Kintex-7, One Artix-7 (in the Zynq-7015), one Spartan 6 and one tiny ASIC for the keyboard.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 02, 2019, 07:36:49 pm
The kintex 7 K160 seems to have different neighborhood than what is shown in Toploser's pictures.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 07:42:09 pm
I think it’s available in hundreds of possible packaging options with different sets of pins bonded out.

Your picture shows a different layout to the picture oliv3r posted.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 10:48:14 pm
The kintex 7 K160 seems to have different neighborhood than what is shown in Toploser's pictures.
That's the one, looks identical just 90-ish degrees rotated.

You can see those two capacitor networks very nicely in TopLosers pictures. I did just google a random Kintex-7 of course. No clue which exact model it is. There are a few with a heatspreader on top as well ...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on February 03, 2019, 11:37:46 am
Has anybody figured or worked around the new mso5k wfm file format?

so far,
A short header followed by 53 fairly short zlib-deflated blocks, separated by varying junk.
Then a huge blank of around ~5,000,000 x'00s
Then an assortment of ~17,000,000 x'c7 or x'c8 or x'c9 (with some interludes). Maybe data per chan.

datafile as binary: 17Mb
datafile as wfm : 22 Mb
datafile as csv: 278Mb, 17,420,000 lines, CH2 only

here is the list of inflated data with *obvious* strings:

Code:
zlib @002c:

00000000: 0000 0000 0001 0000 0000 001e 0000 0024  ...............$
00000010: 0b00 0000 5200 4900 4700 4f00 4c00 2000  ....R.I.G.O.L. .
00000020: 5300 6300 6f00 7000 6500 241a 0000 003a  S.c.o.p.e.$....:
00000030: 002f 0070 0069 0063 0074 0075 0072 0065  ./.p.i.c.t.u.r.e
00000040: 0073 002f 0075 0074 0069 006c 0069 0074  .s./.u.t.i.l.i.t
00000050: 0079 002f 0073 0063 0072 002e 006a 0070  .y./.s.c.r...j.p
00000060: 0067 0001 0000 00                        .g.....

zlib @00a8:

00000000: 00a0 8601 0000 0000 0000 0000 0000 0100  ................
00000010: 0000 0000 0000 0000 0000 0000 0000 0003  ................
00000020: 0000 0024 0300 0000 4300 4800 3400 0006  ...$....C.H.4...
00000030: 0000 0000 0000 0000 0000 00              ...........

zlib @00e4:

00000000: 00a0 8601 0000 0000 0000 0000 0000 0100  ................
00000010: 0000 0000 0000 0000 0000 0000 0000 0003  ................
00000020: 0000 0024 0300 0000 4300 4800 3300 0006  ...$....C.H.3...
00000030: 0000 0000 0000 0000 0000 00              ...........


zlib @0120:

00000000: 0140 420f 0040 2bfe ff00 0000 0000 0100  .@B..@+.........
00000010: 0000 0000 0000 0000 0000 0000 0000 0003  ................
00000020: 0000 0024 0300 0000 4300 4800 3200 0006  ...$....C.H.2...
00000030: 0000 0000 0000 0000 0000 00              ...........

zlib @015c:
00000000: 0088 1300 00d8 2700 0000 0000 0000 0100  ......'.........
00000010: 0000 0000 0000 0000 0000 0000 0000 0003  ................
00000020: 0000 0024 0300 0000 4300 4800 3100 0006  ...$....C.H.1...
00000030: 0000 0000 0000 0000 0000 0000 0000 00    ...............

zlib @0198:
00000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000010: 0000 0000 00f0 ff1f 0000 0000 0001 0000  ................
00000020: 00c0 5c15 00c0 5c15 0001 0000 0000 0000  ..\...\.........
00000030: 0000 0005 0000 0000 0000 0024 0200 0000  ...........$....
00000040: 4400 3000 0100 0000 2402 0000 0044 0031  D.0.....$....D.1
00000050: 0002 0000 0024 0200 0000 4400 3200 0300  .....$....D.2...
00000060: 0000 2402 0000 0044 0033 0004 0000 0024  ..$....D.3.....$
00000070: 0200 0000 4400 3400 0500 0000 2402 0000  ....D.4.....$...
00000080: 0044 0035 0006 0000 0024 0200 0000 4400  .D.5.....$....D.
00000090: 3600 0700 0000 2402 0000 0044 0037 0008  6.....$....D.7..
000000a0: 0000 0024 0200 0000 4400 3800 0900 0000  ...$....D.8.....
000000b0: 2402 0000 0044 0039 000a 0000 0024 0300  $....D.9.....$..
000000c0: 0000 4400 3100 3000 0b00 0000 2403 0000  ..D.1.0.....$...
000000d0: 0044 0031 0031 000c 0000 0024 0300 0000  .D.1.1.....$....
000000e0: 4400 3100 3200 0d00 0000 2403 0000 0044  D.1.2.....$....D
000000f0: 0031 0033 000e 0000 0024 0300 0000 4400  .1.3.....$....D.
00000100: 3100 3400 0f00 0000 2403 0000 0044 0031  1.4.....$....D.1
00000110: 0035 0000 0000 0001 0000 0002 0000 00    .5.............

zlib @0270:
00000000: 0800 0000 8013 8119 0000 0000 2403 0000  ............$...
00000010: 0041 0044 0044 0000 0202 0202 0270 a28d  .A.D.D.......p..
00000020: 0a00 0000 0000 1827 fa04 0000 0000 e40b  .......'........
00000030: 5402 0000 0000 0000 0000 0000 0000 10a5  T...............
00000040: d4e8 0000 0000 d098 d4af 7100 0000 a031  ..........q....1
00000050: a95f e300 0000 0057 d347 0100 0000 00d2  ._.....W.G......
00000060: 496b 0000 0000 0005 0000 0000 0000 0005  Ik..............
00000070: 0000 0001 0102 0101 0000 0000 0000 0000  ................
00000080: 0000 0000 0103 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000       ..............

zlib @02ec:

00000000: 0000 0000 0000 0000 0000 0000 2403 0000  ............$...
00000010: 0041 0044 0044 0000 0202 0202 0200 65cd  .A.D.D........e.
00000020: 1d00 0000 0000 9435 7700 0000 0000 e40b  .......5w.......
00000030: 5402 0000 0000 0000 0000 0000 0000 10a5  T...............
00000040: d4e8 0000 0000 5039 278c 0400 0000 a072  ......P9'......r
00000050: 4e18 0900 0000 0057 d347 0100 0000 00d2  N......W.G......
00000060: 496b 0000 0000 0005 0000 0000 0000 0005  Ik..............
00000070: 0000 0001 0102 0101 0000 0000 0000 0000  ................
00000080: 0000 0000 0103 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000       ..............

zlib @0358:
00000000: 0000 0000 0000 0000 0000 0000 2403 0000  ............$...
00000010: 0041 0044 0044 0000 0202 0202 0200 65cd  .A.D.D........e.
00000020: 1d00 0000 0000 9435 7700 0000 0000 e40b  .......5w.......
00000030: 5402 0000 0000 0000 0000 0000 0000 10a5  T...............
00000040: d4e8 0000 0000 5039 278c 0400 0000 a072  ......P9'......r
00000050: 4e18 0900 0000 0057 d347 0100 0000 00d2  N......W.G......
00000060: 496b 0000 0000 0005 0000 0000 0000 0005  Ik..............
00000070: 0000 0001 0102 0101 0000 0000 0000 0000  ................
00000080: 0000 0000 0103 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000       ..............

zlib @03c4:

00000000: 0000 0000 0000 0000 0000 0000 2403 0000  ............$...
00000010: 0041 0044 0044 0000 0202 0202 0200 65cd  .A.D.D........e.
00000020: 1d00 0000 0000 9435 7700 0000 0000 e40b  .......5w.......
00000030: 5402 0000 0000 0000 0000 0000 0000 10a5  T...............
00000040: d4e8 0000 0000 5039 278c 0400 0000 a072  ......P9'......r
00000050: 4e18 0900 0000 0057 d347 0100 0000 00d2  N......W.G......
00000060: 496b 0000 0000 0005 0000 0000 0000 0005  Ik..............
00000070: 0000 0001 0102 0101 0000 0000 0000 0000  ................
00000080: 0000 0000 0103 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000       ..............

zlib @049c:
00000000: 0000 0000 0000 0000 0000 0004 0000 0024  ...............$
00000010: 0400 0000 5200 4500 4600 3100 0000 0000  ....R.E.F.1.....
00000020: 0300 0000 2404 0000 0052 0045 0046 0032  ....$....R.E.F.2
00000030: 0000 0000 0002 0000 0024 0400 0000 5200  .........$....R.
00000040: 4500 4600 3300 0000 0000 0100 0000 2404  E.F.3.........$.
00000050: 0000 0052 0045 0046 0034 0000 0000 0000  ...R.E.F.4......
00000060: 0000 0024 0400 0000 5200 4500 4600 3500  ...$....R.E.F.5.
00000070: 0000 0000 0400 0000 2404 0000 0052 0045  ........$....R.E
00000080: 0046 0036 0000 0000 0003 0000 0024 0400  .F.6.........$..
00000090: 0000 5200 4500 4600 3700 0000 0000 0200  ..R.E.F.7.......
000000a0: 0000 2404 0000 0052 0045 0046 0038 0000  ..$....R.E.F.8..
000000b0: 0000 0001 0000 0024 0400 0000 5200 4500  .......$....R.E.
000000c0: 4600 3900 0000 0000 0000 0000 2405 0000  F.9.........$...
000000d0: 0052 0045 0046 0031 0030 00              .R.E.F.1.0.


zlib @0bf1:
00000000: 240c 0000 0031 0039 0032 002e 0031 0036  $....1.9.2...1.6
00000010: 0038 002e 0031 002e 0031 0030 0024 0d00  .8...1...1.0.$..
00000020: 0000 3200 3500 3500 2e00 3200 3500 3500  ..2.5.5...2.5.5.
00000030: 2e00 3200 3500 3500 2e00 3000 240b 0000  ..2.5.5...0.$...
00000040: 0031 0039 0032 002e 0031 0036 0038 002e  .1.9.2...1.6.8..
00000050: 0031 002e 0031 0024 0b00 0000 3100 3900  .1...1.$....1.9.
00000060: 3200 2e00 3100 3600 3800 2e00 3100 2e00  2...1.6.8...1...
00000070: 3100 0300 0000                           1.....

zlib @0c5d:
00000000: 240e 0000 006d 0061 0069 006c 002e 0072  $....m.a.i.l...r
00000010: 0069 0067 006f 006c 002e 0063 006f 006d  .i.g.o.l...c.o.m
00000020: 0019 0000 0024 1200 0000 7200 6900 6700  .....$....r.i.g.
00000030: 6f00 6c00 5f00 6400 7300 4000 7200 6900  o.l._.d.s.@.r.i.
00000040: 6700 6f00 6c00 2e00 6300 6f00 6d00 2409  g.o.l...c.o.m.$.
00000050: 0000 0052 0069 0067 006f 006c 0030 0036  ...R.i.g.o.l.0.6
00000060: 0031 0034 0024 1200 0000 7200 6900 6700  .1.4.$....r.i.g.
00000070: 6f00 6c00 6d00 6100 6900 6c00 4000 7300  o.l.m.a.i.l.@.s.
00000080: 6900 6e00 6100 2e00 6300 6f00 6d00 0000  i.n.a...c.o.m...
00000090: 0000 2400 0000 00                        ..$....
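A scanner for the layout described above (zlib streams sitting between runs of junk, and inside them string records of a '$' byte, a little-endian uint32 character count and UTF-16LE text, e.g. '$' 0b000000 'RIGOL Scope'). This is an added example, not code from this thread or from Rigol; the file header and the junk bytes are constructed stand-ins, and the record layout is only what the hex dumps above suggest.

```python
"""Locate zlib streams in a constructed MSO5000-style .wfm image and pull the
'$'-prefixed UTF-16LE string records out of each inflated block."""
import struct
import zlib

TAG = 0x24  # the '$' byte that precedes every string record in the dumps
SAMPLE_HEADER = b"RIGOL-WFM-CONSTRUCTED\x00"  # placeholder, not the real header


def find_zlib_streams(buf: bytes):
    """Return [(offset, inflated_bytes)] for every zlib stream in buf.

    A candidate starts with CMF 0x78 (deflate, 32K window) and an FLG byte
    such that CMF*256+FLG is a multiple of 31. Each candidate is inflated
    with its own decompressobj; junk that merely looks like a header fails
    either the check above or the inflate itself and is skipped byte by byte.
    """
    streams = []
    pos = 0
    while pos < len(buf) - 1:
        cmf, flg = buf[pos], buf[pos + 1]
        if cmf == 0x78 and ((cmf << 8) | flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(buf[pos:])
                if d.eof:  # adler32 trailer seen, so this was a real stream
                    streams.append((pos, out))
                    pos += len(buf) - pos - len(d.unused_data)  # skip past it
                    continue
            except zlib.error:
                pass
        pos += 1
    return streams


def parse_string_records(block: bytes):
    """Return [(offset, text)] for each '$' + uint32 LE count + UTF-16LE
    string in an inflated block. A '$' whose count does not fit the block,
    or whose payload is not printable text, is treated as ordinary data."""
    found = []
    i = 0
    while i + 5 <= len(block):
        if block[i] == TAG:
            n = struct.unpack_from("<I", block, i + 1)[0]
            end = i + 5 + 2 * n
            if 0 < n <= 256 and end <= len(block):
                try:
                    text = block[i + 5:end].decode("utf-16-le")
                except UnicodeDecodeError:
                    text = ""
                if text and text.isprintable():
                    found.append((i, text))
                    i = end
                    continue
        i += 1
    return found


def _rec(s: str) -> bytes:
    """Encode one string record the way the dumps show it."""
    return bytes([TAG]) + struct.pack("<I", len(s)) + s.encode("utf-16-le")


def sample_blocks():
    """Three constructed blocks modelled on the inflated data shown above."""
    # modelled on zlib @002c: 15 leading bytes, then two string records
    block0 = (b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x1e\x00\x00\x00"
              + _rec("RIGOL Scope") + _rec(":/pictures/utility/scr.jpg")
              + b"\x01\x00\x00\x00")
    # modelled on zlib @00a8 (a channel block); the trailing '$' with an
    # absurd count is constructed to show a stray tag byte being rejected
    block1 = (b"\x00\xa0\x86\x01" + b"\x00" * 10 + b"\x01" + b"\x00" * 18
              + b"\x03\x00\x00\x00" + _rec("CH4") + b"\x06\x00\x00\x00"
              + b"\x24\xff\xff\xff\xff" + b"\x00" * 4)
    # modelled on zlib @0bf1 (the LAN settings block)
    block2 = (_rec("192.168.1.10") + _rec("255.255.255.0")
              + _rec("192.168.1.1") + _rec("192.168.1.1") + b"\x03\x00\x00\x00")
    return [block0, block1, block2]


def build_sample_wfm() -> bytes:
    """Header, then each block deflated and separated by constructed junk.
    The junk contains 0x78 0x00, which fails the header check on purpose."""
    junk = b"\xc7\xc8\xc9\x78\x00\xff"
    return SAMPLE_HEADER + junk.join(zlib.compress(b) for b in sample_blocks())


if __name__ == "__main__":
    wfm = build_sample_wfm()
    for off, block in find_zlib_streams(wfm):
        print(f"zlib @{off:04x}: {len(block)} bytes inflated")
        for roff, text in parse_string_records(block):
            print(f"  {roff:04x}: {text!r}")
```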
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 03, 2019, 08:53:18 pm
Has anybody figured or worked around the new mso5k wfm file format?

I can't imagine it's very different to DS1054Z/DS2000Z format.

so far,
A short header followed by 53 fairly short zlib-deflated blocks, separated by varying junk.
Then a huge blank of around ~5,000,000 x'00s
Then an assortment of ~17,000,000 x'c7 or x'c8 or x'c9 (with some interludes). Maybe data per chan.

The channel data in a DS1054Z file is saved in screen pixel positions.

The screen has 400 pixels vertically and it only uses 200 values from the data to draw the trace, ie. no scaling is done and vertical resolution is in two-pixel steps.

IIRC the bottom pixel on screen is mapped to 0x18 and the top pixel is mapped to 0xe0, ie. there's 0x18 unused values below the screen and 0x20 values above.

Somewhere in the header there's floating point voltage offset+scale values. These are used to convert the screen positions into voltage values.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 03, 2019, 08:59:06 pm
LED backlight voltage is a standard 3 x 3.3v LED string so 9.9v - it's not modulated in any way.

Datasheets seem to indicate 10.2v max is allowed (with reduced life) but it's already plenty bright enough for me anyway.

I would have thought it would be in mA, not volts.  :popcorn:

Whatever ... if datasheet says 10.2V and it's measured as 9.9V then there's not much room for boosting it. People will have to look elsewhere for an upgrade.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on February 03, 2019, 09:12:11 pm
Whatever ... if datasheet says 10.2V and it's measured as 9.9V then there's not much room for boosting it. People will have to look elsewhere for an upgrade.

Once above threshold, the current in a LED driven by a voltage source goes up sort-of exponentially.  So the current (and brightness) difference between 9.9 and 10.2V into a string of 3 LEDs can be quite a bit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jrs45 on February 05, 2019, 09:23:41 pm
I'm having trouble with mine.  It's firmware 00.01.01.02.03 (Boot 2018.06.27 Build 2018-10-11:16:45:53), and I login as root/root, make the change below, verify that it saved correctly, but when I reboot nothing has unlocked, and it's reverting back to the original unedited file.

Any idea what's wrong?  Do I need to upgrade to .04 first?

So disappointed!  Thanks for any help.

CONFIRMATION

Hey Guys! Thx a million times you crafty geniuses!!  ;D :-+ :-+ :-+

Type: MSO5074
Firmware: 00.01.01.02.04

Successful SSH Login via Putty:
USR: root
PWD: Rigol201


I followed the instructions from @TopLoser:
 ##################################
Download and install PuTTY on your PC
On your scope find its IP address by UTILITY, IO, LAN
Run PuTTY and connect using that IP address and SSH with port 22
Login as ‘root’ password ‘root’
Enter ‘cd /rigol/shell’
Enter ‘vi start.sh’

Change line 82 to read:
‘/rigol/appEntry  $PowerOn -run -fullopt &’

Google vi commands to find out how to insert text into the file
Basically press ‘i’ to enter edit mode then move cursor, insert text and then ESC to exit edit mode.

Save the file and quit ‘:wq’

Reboot.
 ##################################

Rock on guys! Great work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 05, 2019, 09:29:02 pm
Try typing ‘sync’ when you’ve finished editing the file.

Linux is a bit lazy updating files on this scope...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jrs45 on February 05, 2019, 09:59:55 pm
Thanks!  I think that did it - the change was retained but the option list doesn't show anything, and the license countdown for some demo options is still running (~2000minutes).   

BUT the waveform generators are working to 25MHz, and I can access the power quality analysis, so does that mean it unlocked successfully? w00t!

(I'll have to go find a source to check the 350MHz BW!)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 05, 2019, 10:23:07 pm
Option list won’t show any change at all. You’re good.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 19, 2019, 09:15:11 pm
https://www.youtube.com/watch?v=xxxyWUVwPgk
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on February 20, 2019, 02:35:48 am
I think we're all still waiting for the backordered scopes to arrive :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 20, 2019, 01:46:16 pm
I think we're all still waiting for the backordered scopes to arrive :D

Gotta fix that firmware!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bax on February 20, 2019, 06:41:44 pm
I received an MSO5074 in mid February. Another larger shipment into North America is expected at the end of February.

As was mentioned, the current firmware of the units being delivered is 00.01.01.02.03. I was told that the next revision is being tested.

_________________

If anyone is looking for a soft padded carrying case for the MSO5074, take a look at the G-MIXERBAG-1515 from Gator Cases. It's bigger than the scope, leaving 7"X15" of space for other storage.

https://gatorcases.com/products/mixer/mixer-bags/g-mixerbag/15-x-15-x-5-5-mixergear-bag-g-mixerbag-1515/

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 21, 2019, 02:23:16 pm
I received an MSO5074 in mid February. Another larger shipment into North America is expected at the end of February.

Can you check and confirm whether you have a perfectly aligned compensation square wave, or get something similar to what is discussed here, please?
https://www.eevblog.com/forum/blog/new-rigol-scope/msg2215035/#msg2215035
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bax on February 21, 2019, 04:46:12 pm
I received an MSO5074 in mid February. Another larger shipment into North America is expected at the end of February.

Can you check and confirm whether you have a perfectly aligned compensation square wave, or get something similar to what is discussed here, please?
https://www.eevblog.com/forum/blog/new-rigol-scope/msg2215035/#msg2215035

It is the same as yours, slight overcompensation on all channels that can't be dialed out. Swapping through the Rigol probes doesn't change anything. 

I tried an old set of probes from a Hameg scope, the amount of overcompensation that couldn't be dialed out was worse. I then tried a P6109 Tektronix 10X probe (from a Tek 2235A scope) and it compensated to a better square wave on all channels of the MSO5074 but still slightly overcompensated.

The question is, do the Rigol PVP2350 probes meet their intended specs.




Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: offmar on February 22, 2019, 09:04:55 pm
The question is, do the Rigol PVP2350 probes meet their intended specs.

What's the result if the probes are set at 1x? On my 'scope the signal has the same overshoot as with 10x compensated. Both times getting signal from the 1kHz compensation generator.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 22, 2019, 09:15:33 pm
Hi,

Today I did a test, posted in there:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2217990/#msg2217990



This thread here is about hacking the rigol…..

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 22, 2019, 10:23:36 pm
After the hack I would presume that Auto Calibration would need to be performed. Maybe it does some kind of signal path verification/calibration in the front end chip?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 22, 2019, 10:27:50 pm
It could be, when I did firmware upgrades on the scopes, Lecroy, Siglent and Rigol had it in their upgrade instructions to do an auto-calibration after the upgrade.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 22, 2019, 10:33:06 pm
Well, Rigol says that the front end analog chip has full bandwidth and attenuator control inside. And since the chip is supposed to be good to 4GHz, it would stand to reason that it would have some kind of equalization built in for board layout and channel difference tuning. Self calibration could use it to compensate and equalize channels.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bax on February 23, 2019, 03:41:01 am
The question is, do the Rigol PVP2350 probes meet their intended specs.

What's the result if the probes are set at 1x? On my 'scope the signal has the same overshoot as with 10x compensated. Both times getting signal from the 1kHz compensation generator.

Posted a reply here:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2219100/#msg2219100
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 27, 2019, 01:27:49 pm
A new Firmware is now available for MSO5000!

http://int.rigol.com/File/ProductSoftWare/20190227/DS5000(ARM)Update.rar
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 27, 2019, 04:46:50 pm
A new Firmware is now available for MSO5000!

http://int.rigol.com/File/ProductSoftWare/20190227/DS5000(ARM)Update.rar

Only a .GEL file, no release notes.  ???

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on February 27, 2019, 05:39:06 pm
softver=00.01.01.04.04
builddate="2019-02-20 16:27:49"


Code:
        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        modified:   firmware/rootfs/rigol/K160M_TOP.bit
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/default/cal.hex
        modified:   firmware/rootfs/rigol/resource/appmeta.xml
        modified:   firmware/rootfs/rigol/resource/boardmeta.xml
        modified:   firmware/rootfs/rigol/resource/dsometa.xml
        modified:   firmware/rootfs/rigol/resource/help/b/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/histogram.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/histogram.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/menu/b.hex
        modified:   firmware/rootfs/rigol/resource/menu/c.hex
        modified:   firmware/rootfs/rigol/resource/menu/d.hex
        modified:   firmware/rootfs/rigol/resource/menu/desc.hex
        modified:   firmware/rootfs/rigol/resource/menu/h.hex
        modified:   firmware/rootfs/rigol/resource/menu/i.hex
        modified:   firmware/rootfs/rigol/resource/menu/j.hex
        modified:   firmware/rootfs/rigol/resource/menu/k.hex
        modified:   firmware/rootfs/rigol/resource/menu/l.hex
        modified:   firmware/rootfs/rigol/resource/menu/m.hex
        modified:   firmware/rootfs/rigol/resource/menu/menu.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ch.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ext.hex
        modified:   firmware/rootfs/rigol/resource/menu/msg.h
        modified:   firmware/rootfs/rigol/resource/menu/n.hex
        modified:   firmware/rootfs/rigol/resource/menu/o.hex
        modified:   firmware/rootfs/rigol/resource/menu/pic.hex
        modified:   firmware/rootfs/rigol/resource/menu/res.hex
        modified:   firmware/rootfs/rigol/resource/menu/t.hex
        modified:   firmware/rootfs/rigol/resource/menu/u.hex
        modified:   firmware/rootfs/rigol/resource/res.qrc
        modified:   firmware/rootfs/rigol/resource/scpi/CALibration.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/DISPlay.xml
        modified:   firmware/rootfs/rigol/resource/scpi/HISTogram.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MASK.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MEASure.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/WAVeform.xml
        modified:   firmware/rootfs/rigol/shell/start.sh
        modified:   firmware/rootfs/rigol/webcontrol/webpages/PrintScreen.html
        modified:   firmware/zImage
        modified:   firmware/zynq.bit


EDIT: fullopt cannot be found in latest appEntry

EDIT2: Interestingly, this coincides with Batronix today mailing me they are shipping my unit....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 27, 2019, 06:12:01 pm
Quote
Only a .GEL file, no release notes.

On the "official homepages" (rigol.com and others) there's no firmware update available (like the fw for the 7000).
I think if it's there, it will have release notes too.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on February 27, 2019, 06:14:53 pm
Also shipped my order...

I saw the MSO8000 today. But got no information / pricing anywhere...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 27, 2019, 07:15:38 pm
It seems the root password is.................. again...................  Rigol201   

The fullopt checking and also the USB vendor disk checking were removed. But any of them can be easily "emulated"...   ::)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 27, 2019, 07:38:41 pm
Proceed with caution!

Uboot access might prove impossible over the serial interface and SSH access probably won’t work anymore.

Just a hunch. An informed one though...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 27, 2019, 07:58:04 pm
Uboot access might prove impossible over the serial interface and SSH access probably won’t work anymore.

It's suicide if they don't work... :popcorn:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 27, 2019, 08:56:36 pm
softver=00.01.01.04.04
builddate="2019-02-20 16:27:49"


Code: [Select]
        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        modified:   firmware/rootfs/rigol/K160M_TOP.bit
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/default/cal.hex
        modified:   firmware/rootfs/rigol/resource/appmeta.xml
        modified:   firmware/rootfs/rigol/resource/boardmeta.xml
        modified:   firmware/rootfs/rigol/resource/dsometa.xml
        modified:   firmware/rootfs/rigol/resource/help/b/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/histogram.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/histogram.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/menu/b.hex
        modified:   firmware/rootfs/rigol/resource/menu/c.hex
        modified:   firmware/rootfs/rigol/resource/menu/d.hex
        modified:   firmware/rootfs/rigol/resource/menu/desc.hex
        modified:   firmware/rootfs/rigol/resource/menu/h.hex
        modified:   firmware/rootfs/rigol/resource/menu/i.hex
        modified:   firmware/rootfs/rigol/resource/menu/j.hex
        modified:   firmware/rootfs/rigol/resource/menu/k.hex
        modified:   firmware/rootfs/rigol/resource/menu/l.hex
        modified:   firmware/rootfs/rigol/resource/menu/m.hex
        modified:   firmware/rootfs/rigol/resource/menu/menu.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ch.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ext.hex
        modified:   firmware/rootfs/rigol/resource/menu/msg.h
        modified:   firmware/rootfs/rigol/resource/menu/n.hex
        modified:   firmware/rootfs/rigol/resource/menu/o.hex
        modified:   firmware/rootfs/rigol/resource/menu/pic.hex
        modified:   firmware/rootfs/rigol/resource/menu/res.hex
        modified:   firmware/rootfs/rigol/resource/menu/t.hex
        modified:   firmware/rootfs/rigol/resource/menu/u.hex
        modified:   firmware/rootfs/rigol/resource/res.qrc
        modified:   firmware/rootfs/rigol/resource/scpi/CALibration.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/DISPlay.xml
        modified:   firmware/rootfs/rigol/resource/scpi/HISTogram.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MASK.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MEASure.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/WAVeform.xml
        modified:   firmware/rootfs/rigol/shell/start.sh
        modified:   firmware/rootfs/rigol/webcontrol/webpages/PrintScreen.html
        modified:   firmware/zImage
        modified:   firmware/zynq.bit
You skipped one:    new file:   rootfs/rigol/webcontrol/webpages/remote.html
:)

I generated the firmware using the repo again here https://gitlab.com/riglol/rigolee/ so differences are more visible.

Also, I noticed I have a few typos in my readme :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 27, 2019, 09:16:34 pm
By the way,

Quote
no release notes.

Hi-Res mode added, that's for sure; I'm curious if this will work now..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on February 27, 2019, 10:32:20 pm
EDIT: fullopt cannot be found in latest appEntry
Does it mean the hack was disabled?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on February 28, 2019, 05:37:39 am
I did the update, there is High Res Mode.
SSH does not work anymore, so no hack on this path.


One more question: how does the device know which version it is, i.e. 70MHz or 350MHz, 2-channel or 4-channel?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on February 28, 2019, 06:44:21 am
SSH does not work anymore, so no hack on this path.

I believe appEntry will kill sshd, there is no obvious change otherwise which limits sshd, and appEntry contains a string pointing to sshd (it was not there in previous revisions). You should be able to ssh in during boot and potentially prevent appEntry from killing sshd.

Alternatively, we could probably just patch the string in appEntry?

EDIT: With the right timing, something like
Code: [Select]
ssh -p Rigol201 root@host "nohup /usr/bin/sshd -p 22"

Should give you ssh on port 22  >:D Haven't tried it though.

EDIT2: I was wrong. firmware/rootfs/etc/init.d/rcS was changed such that sshd does not run.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 28, 2019, 07:38:53 am
More information on the latest Firmware ;)

v00.01.01.04.04  2019/02/20

     - Optimized the operating experience of the local upgrade.
     
     - Added the 12-bit high resolution mode.
     - Added 500uV/div in vertical scale.
     - Added the SCPI command :MEASure:STATistic:ITEM CNT,<item>[,<src>[,<src>]]
       to read the count of measure statistics.
     - The waveform can zoom out by drawing a rectangle. If you draw a rectangle
       from the top left to the bottom right, the waveform will zoom in. If you
       draw it from the bottom right to the top left (the opposite direction),
       the waveform will zoom out.
     - Added the GND coupling in channel.
     - Enriched the color options of the LA channels.
     - If the newest version is detected, a red dot will display in the Online
       upgrade menu.

     - Modified the waveform freeze problem in slow scan mode.
     - The boot time is reduced to less than 1 minute.
     - Improved the touch experience in the lower half of the touch screen.
     - Reduced the noise amplitude of the waveform.
     - Modified the problem of decode vanishing after moving signals.
     - Modified the error of digital waveform when adjusting the timebase after
       stopping the sampling.
     - The :SYSTEM:SETUP command can successfully save and upload setting
       information remotely.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pascal_sweden on February 28, 2019, 08:54:53 am
Does it mean now that you have a real 12-bit oscilloscope, and that it beats the R&S RTB series 10-bit oscilloscope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on February 28, 2019, 10:48:30 am
Does it mean now that you have a real 12-bit oscilloscope, and that it beats the R&S RTB series 10-bit oscilloscope?

Yes, the firmware ZIP file contains a physical 12-bit ADC which is uploaded into the scope via USB.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Daixiwen on February 28, 2019, 10:55:49 am
but make sure you are using an audiophile grade USB cable for the upload
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on February 28, 2019, 11:10:26 am
It's likely just an enhanced resolution mode by adding samples. Add up 16x 8-bit values and you can get a not very reliable 12-bit value. You will likely find the sample rate is cut down by an equivalent amount.
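The averaging Rerouter describes, as an added example that is not Rigol's implementation (which is not public): a constructed noisy ramp is quantised to 8 bits, blocks of 16 samples are summed into a 12-bit code, and the error of both against the true signal is compared. The signal, noise level, seed and sample count are assumptions.

```python
"""Illustrate the 'add up 16 x 8-bit samples' high-resolution mode.

Added example, not Rigol's code: quantise a noisy signal to 8 bits, sum
groups of 16 consecutive samples into a 12-bit value, and compare the RMS
error of both against the true signal. All input values are constructed.
"""
import math
import random

FULL_SCALE = 255   # 8-bit ADC code range
GROUP = 16         # 16 samples summed -> 4 extra bits (12-bit range 0..4095)


def quantise8(values):
    """Round each value (in 8-bit code units) to an integer code, clamped to 0..255."""
    return [min(FULL_SCALE, max(0, int(round(v)))) for v in values]


def hires12(codes):
    """Sum each complete block of GROUP 8-bit codes into one 12-bit code.
    The output has 1/GROUP as many samples, i.e. the sample rate drops 16x."""
    return [sum(codes[i:i + GROUP])
            for i in range(0, len(codes) - GROUP + 1, GROUP)]


def rms_error(estimates, truth):
    """Root-mean-square difference between two equally long sequences."""
    return math.sqrt(sum((e - t) ** 2 for e, t in zip(estimates, truth)) / len(truth))


def simulate(n_samples=4096, noise_rms=1.5, seed=1):
    """Return (RMS error of plain 8-bit codes, RMS error of 12-bit hi-res codes),
    both expressed in 8-bit code units so they are directly comparable."""
    rng = random.Random(seed)
    # Constructed input: slow ramp around mid-scale plus Gaussian noise,
    # which acts as the dither that makes averaging gain resolution at all.
    truth = [100.0 + 50.0 * i / n_samples for i in range(n_samples)]
    noisy = [t + rng.gauss(0.0, noise_rms) for t in truth]
    codes = quantise8(noisy)
    hires = hires12(codes)
    # The reference for each 12-bit output is the mean of the block it covers;
    # divide the hi-res code by GROUP to bring it back to 8-bit units.
    truth_blocks = [sum(truth[i:i + GROUP]) / GROUP
                    for i in range(0, n_samples, GROUP)]
    err8 = rms_error(codes, truth)
    err12 = rms_error([h / GROUP for h in hires], truth_blocks)
    return err8, err12


if __name__ == "__main__":
    e8, e12 = simulate()
    print("8-bit RMS error: %.3f LSB, 12-bit hi-res RMS error: %.3f LSB" % (e8, e12))
```

The summed code spans a 12-bit range, but averaging 16 samples only divides the noise by sqrt(16) = 4, i.e. about two extra bits of real resolution, not four.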
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 12:22:32 pm
Hello, today I got my new MSO5074 and immediately started playing with it. After playing with it for a few hours I wanted to open a few extra functions,
and therefore I added a little to this line:

/ rigol / appEntry $ PowerOn -run -fullopt&

with the result that now the scope cannot boot.

It comes to the boot screen and the bar counts up completely and then it freezes.

LAN is not up and running, so how do I get in and remove my addition??

the software version is 00.01.01.02.03
compiled 2018-10-11

all help will be received with pleasure
Best regards, satlars
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 28, 2019, 12:31:57 pm
"fullopt&" should have been "fullopt &"

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 12:34:13 pm
Yes, I can understand that a space has slipped.

But how do I get hold of the file system now?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 28, 2019, 12:34:31 pm
the firmware ZIP file contains a physical 12-bit ADC

Please explain what you mean by this.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dpenev on February 28, 2019, 12:40:00 pm
the firmware ZIP file contains a physical 12-bit ADC

Please explain what you mean by this.

The guy was in a funny mood today and was joking I think :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gedong on February 28, 2019, 12:46:17 pm
Does the MSO5000 have Bode plot features? Can't seem to find any info about this.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on February 28, 2019, 12:46:30 pm
the firmware ZIP file contains a physical 12-bit ADC
Please explain what you mean by this.

Just kidding. I don't know where to find the smiley icons when posting from my mobile's "Tapatalk" client...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 28, 2019, 01:02:49 pm
It's likely just an enhanced resolution mode by adding samples. Add up 16x 8-bit values and you can get a not very reliable 12-bit value. You will likely find the sample rate is cut down by an equivalent amount.

You can do stuff like that when you have 8Gigasamples/sec.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on February 28, 2019, 01:17:04 pm
/ rigol / appEntry $ PowerOn -run -fullopt&

The space after fullopt shouldn't matter. The ampersand '&' tells the shell that we want the command to be executed in the background.

What is wrong is all the spaces after the slash '/'. It is probably taking the line as an invalid command and failing to execute the appEntry application.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 01:34:23 pm
Sorry, translation error.

This is the line from the file:

/rigol/appEntry $PowerOn  -run -fullopt&


Is there not a factory default switch?? Or a key combination?

satlars
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 28, 2019, 01:45:11 pm
Sorry, translation error.
This is the line from the file:
/rigol/appEntry $PowerOn  -run -fullopt&
Is there not a factory default switch?? Or a key combination?

Most likely you put something wrong in the startup.sh file and now it terminates at the main app startup line.
The problem is that network services are started only after the main app is completely started. But as it terminates just before it, that never gets executed.

Your best bet right now is to push a new firmware (can be the same version you have already, or the latest one available).
Put an update file on a USB drive formatted as FAT32 and boot up your device.
Hope UBoot picks up your update and starts an upgrade process.

If that does not help, your next bet is the serial connection, but that will require opening your device.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 01:49:15 pm
Thanks, sounds like a good idea, but where can I download it??
I can't find the hosa rigol.
Does anyone know where it is?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 28, 2019, 01:50:49 pm
Thanks, sounds like a good idea, but where can I download it??
I can't find the hosa rigol.
Does anyone know where it is?

Unofficial place works better ;)
https://gitlab.com/riglol/rigolee/tree/MSO5000/GEL

Just don't forget to rename Update file to the following: "DS5000Update.GEL"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 02:10:57 pm
It does not seem to work.

I have formatted a 16GB stick as FAT32

and tried with both my old firmware version 01.01.02.04
and with the new 01.01.04.04, but nothing really happens; the boot bar just goes up to 100% and there is not really any more.

Do you have to press something special to make it look at USB?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: drieg on February 28, 2019, 02:16:28 pm
A new Firmware is now available for MSO5000!

http://int.rigol.com/File/ProductSoftWare/20190227/DS5000(ARM)Update.rar (http://int.rigol.com/File/ProductSoftWare/20190227/DS5000(ARM)Update.rar)
Release notes for FW v00.01.01.04.04:

[Latest Revision Date]  2019/02/27

[Updated Contents]
--------------------

v00.01.01.04.04  2019/02/20

     - Optimized the operating experience of the local upgrade.
     
     - Added the 12-bit high resolution mode.
     - Added 500uV/div in vertical scale.
     - Added the SCPI command :MEASure:STATistic:ITEM CNT,<item>[,<src>[,<src>]]
       to read the count of measure statistics.
     - The waveform can zoom out by drawing a rectangle. If you draw a rectangle
       from the top left to the bottom right, the waveform will zoom in. If you
       draw it from the bottom right to the top left (the opposite direction),
       the waveform will zoom out.
     - Added the GND coupling in channel.
     - Enriched the color options of the LA channels.
     - If the newest version is detected, a red dot will display in the Online
       upgrade menu.

     - Modified the waveform freeze problem in slow scan mode.
     - The boot time is reduced to less than 1 minute.
     - Improved the touch experience in the lower half of the touch screen.
     - Reduced the noise amplitude of the waveform.
     - Modified the problem of decode vanishing after moving signals.
     - Modified the error of digital waveform when adjusting the timebase after
       stopping the sampling.
     - The :SYSTEM:SETUP command can successfully save and upload setting
       information remotely.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 02:39:02 pm
I have tried both the files that mindy linked to and the rar file that drieg had linked to,

with the same result: the scope comes up with the boot bar again and no more happens.

On the old scopes I can see you have to press the Help button to activate USB upload, but that does not appear to work on the 5000?? It may be another button.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 03:29:33 pm
What about the serial connection?
Is that a way to fix the file maybe?? And where should it be soldered on the motherboard?? If there is one.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on February 28, 2019, 03:36:56 pm
@satlars, did you do this?

Just don't forget to rename Update file to the following: "DS5000Update.GEL"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 03:44:00 pm
Hi ebastler,

yes, I did just that: DS5000Update.GEL

but nothing happens :-(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 0xdeadbeef on February 28, 2019, 04:28:38 pm
You could try formatting the USB stick with a dedicated USB stick formatting tool or use a smaller stick (<=4GB). Since Win7 or so, the Windows formatter chooses rather large block sizes for USB sticks (depending on size) and most simple implementations of FAT32 systems are limited to 4k block size. At least I had issues like this with several non-Windows scopes in the past.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 04:41:43 pm
Just tried to format a 2GB stick

and put the .gel file on that.

It flashes just twice and otherwise the same result.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 28, 2019, 05:00:13 pm
The uboot won't do the update automatically. It needs human intervention.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 28, 2019, 06:16:25 pm
yes i dit just what DS5000Update.GEL
but nothing happens :-(

You can try one more thing:
If you are lucky and the network is actually initialised, you could try to connect your scope to a router (or switch) which has a DHCP service running and issues IPs automatically.
Check if you can see what IP address is issued and try to SSH.

Another way is to use an "nmap" script and scan your subnet for active IP addresses.
It could be that by default the network interface sets an IP address like "169.254.123.123" with a subnet "255.255.0.0", so you could set your laptop / PC IP to a static one and then run "NMAP" to scan for your scope.
Edit1: In this case the scope should be connected directly to your PC and NOT via a router.

Code: [Select]
nmap -sn 169.254.0.0/16
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 28, 2019, 07:14:11 pm

Release notes for FW v00.01.01.04.04:

[Latest Revision Date]  2019/02/27

[Updated Contents]


Tested some of the changes here:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2231781/#msg2231781 (https://www.eevblog.com/forum/blog/new-rigol-scope/msg2231781/#msg2231781)

( To get this Topic "clean" )

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: velikigrizli on February 28, 2019, 08:37:51 pm
So what's the conclusion? Seems that the new firmware can't be hacked? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on February 28, 2019, 11:07:32 pm
@satlars,
   You will need to use the UART serial interface at 115200 bits/sec to access the file system.

I have done this to solve a similar issue on an MSO5074 when there was a power failure at the exact time the modified start.sh file was being saved. This resulted in the file being corrupted.

Read this message.  https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2114902/#msg2114902 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2114902/#msg2114902)

Good Luck.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sparkv on March 01, 2019, 05:08:55 am
So what's the conclusion? Seems that the new firmware can't be hacked? :)

 ??? I didn't see anybody make a claim that it can't be hacked. We only know they removed -fullopt from appEntry and put in the code to kill sshd, which is trivial to bypass if they're looking for it by process name, and it seems they do based on what others have said. I didn't look at the new executable yet. As for a proper hack, maybe the mystery keygen will finally grace us with its appearance :-DD

It will be hacked, it just may require binary patching as a quick-fix way to bring -fullopt back in and disable the sshd nuker.

Personally, I would have spent a lot more time working on it if I had the actual device. I stopped RE work because I hit a point where I would have to ask others to run my tests on their scopes, or wait for my own scope to arrive. I chose the latter. My scope shipped today, next week when it arrives should be fun  >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 06:23:40 am
So what's the conclusion? Seems that the new firmware can't be hacked? :)

Where do you get that idea from? Not one person here has said that.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 09:17:44 am
With the right timing, something like
Code: [Select]
ssh -p Rigol201 root@host "nohup /usr/bin/sshd -p 22"

Should give you ssh on port 22  >:D Haven't tried it though.

Looking at the disassembled appEntry file, it looks to me like it's only able to start an ssh and ftp daemon, but not to stop any of them.
I'm not sure how to start it though. The start command is close to other UI stuff, and the string "Enter Project mode" is used close to it. I could imagine there is something like a maintenance menu we don't know about yet.

I can't test anything yet either because I'm also still waiting for my scope to arrive..
Good news is that it looks like the "-fullopt" checking instructions can easily be merged into the new appEntry version.

This is my first post btw, so a big hello to everybody here!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 09:49:43 am
Looking at the disassembled appEntry file, it looks to me like it's only able to start an ssh and ftp daemon, but not to stop any of them.

I believe you are right. I did not notice earlier, but rootfs/etc/init.d/rcS was modified such that sshd is not run.

Code: [Select]
diff --git a/firmware/rootfs/etc/init.d/rcS b/firmware/rootfs/etc/init.d/rcS
index f3559f1..a8f3117 100755
--- a/firmware/rootfs/etc/init.d/rcS
+++ b/firmware/rootfs/etc/init.d/rcS
@@ -30,10 +30,10 @@ mount -t devpts devpts /dev/pts
 #httpd -h /var/www
 
 #echo "++ Starting ftp daemon"
-tcpsvd 0:21 ftpd ftpd -w /&
+#tcpsvd 0:21 ftpd ftpd -w /&
 
 #echo "++ Starting ssh daemon"
-/usr/sbin/sshd
+#/usr/sbin/sshd
 
 echo "rcS Complete"
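Review bot: commenting out `tcpsvd 0:21 ftpd ftpd -w /&` and `/usr/sbin/sshd` in this hunk only stops the two daemons from being launched at boot; the binaries stay in the rootfs, so anything that already has a local shell can start them again, and the change should not be described as removing remote access. The ftpd line deserves its own mention in release notes, because `ftpd -w /` served the whole filesystem writable on port 21 to anyone on the LAN in the earlier firmware.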

Can we still flash firmware traditionally? If so ssh is easily brought back.

Good news is that it looks like the "-fullopt" checking instructions can easily be merged into the new appEntry version.

That's fantastic news!

This is my first post btw, so a big hello to everybody here!
Welcome! May I ask what tools you use for disassembly?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2019, 10:00:27 am
Yes, you should reenable the daemon via the config file.

Yes, it's easily patchable (from here to eternity...). Just recreate the GEL and fire away.

I assume that anyone doing this kind of task uses IDA.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 10:02:45 am
I'm not sure how to start it though. The start command is close to other UI stuff, and the string "Enter Project mode" is used close to it. I could imagine there is something like a maintanance menu we don't know about yet.

Notice that rigol/resource/menu/msg.h defines a rather complete set of command messages. Say for example

Code: [Select]
#define MSG_HISTO_STATISEN      17670


For example rigol/resource/scpi/HISTogram.xml
Code: [Select]
<TotalItem>
<head>^(:?HISTogram|:?HIST)(:STATic|:STAT)\?$</head>
<service>histo</service>
<cmd>17670</cmd>
<minSize>-1</minSize>
<indexes>
<i>1</i>
</indexes>
<unit>
</unit>
</TotalItem>

One of these codes is
Code: [Select]
#define MSG_APP_UTILITY_PROJECT               12073
which is unfortunately not mapped, but might be somewhere in appEntry.
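As an added example (not Rigol's code and not from the thread), the following Python reads the two formats mabl describes, the MSG_* defines in msg.h and the <TotalItem> entries in the SCPI XML, resolves a SCPI command string to its message code, and lists the codes no SCPI head dispatches to. Only MSG_HISTO_STATISEN/17670 and MSG_APP_UTILITY_PROJECT/12073 are from the thread; the MSG_HISTO_ENABLE entry and its XML item are constructed.

```python
"""Map SCPI command heads to appEntry message codes.

Added example, not Rigol's code: parses #define MSG_* lines in the style of
rigol/resource/menu/msg.h and <TotalItem> entries in the style of
rigol/resource/scpi/HISTogram.xml, then reports which message codes the SCPI
tables expose and which are only defined in msg.h. Sample data is constructed
except for the two codes quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of msg.h: the two real codes plus one invented entry.
MSG_H = """\
#define MSG_HISTO_STATISEN      17670
#define MSG_HISTO_ENABLE        17660   /* constructed, not in the real file */
#define MSG_APP_UTILITY_PROJECT               12073
"""

# Constructed SCPI table in the layout of HISTogram.xml (second item invented).
SCPI_XML = """\
<root>
<TotalItem>
<head>^(:?HISTogram|:?HIST)(:STATic|:STAT)\\?$</head>
<service>histo</service>
<cmd>17670</cmd>
<minSize>-1</minSize>
<indexes><i>1</i></indexes>
<unit></unit>
</TotalItem>
<TotalItem>
<head>^(:?HISTogram|:?HIST)(:ENABle|:ENAB)$</head>
<service>histo</service>
<cmd>17660</cmd>
<minSize>1</minSize>
<indexes><i>1</i></indexes>
<unit></unit>
</TotalItem>
</root>
"""

DEFINE_RE = re.compile(r"^\s*#define\s+(MSG_\w+)\s+(\d+)")


def parse_msg_h(text):
    """Return {code: name} for every '#define MSG_* <number>' line."""
    codes = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            codes[int(m.group(2))] = m.group(1)
    return codes


def parse_scpi_xml(text):
    """Return [(compiled head regex, service, cmd code), ...] per <TotalItem>."""
    items = []
    for item in ET.fromstring(text).iter("TotalItem"):
        head = re.compile(item.findtext("head"))
        items.append((head, item.findtext("service"), int(item.findtext("cmd"))))
    return items


def resolve(command, items, codes):
    """Match a SCPI command against the heads in table order and return
    (message name, service) for the code it dispatches to, or None."""
    for head, service, cmd in items:
        if head.match(command):
            return codes.get(cmd, "UNKNOWN_%d" % cmd), service
    return None


def unmapped_codes(items, codes):
    """Names of msg.h codes that no SCPI head dispatches to."""
    reachable = {cmd for _, _, cmd in items}
    return sorted(name for code, name in codes.items() if code not in reachable)


if __name__ == "__main__":
    items, codes = parse_scpi_xml(SCPI_XML), parse_msg_h(MSG_H)
    print(resolve(":HIST:STAT?", items, codes))
    print("not reachable over SCPI:", unmapped_codes(items, codes))
```

Run against the real msg.h and the whole scpi/ directory, the unmapped list shows which internal messages the network-facing SCPI parser exposes and which, like MSG_APP_UTILITY_PROJECT, are only defined in the header.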
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 10:27:58 am
I believe you are right. I did not notice earlier, but rootfs/etc/init.d/rcS was modified such that sshd is not run.

Code: [Select]
-/usr/sbin/sshd
+#/usr/sbin/sshd


So we just unpack the GEL, edit that file, repack it, back to business as usual?  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 10:50:28 am
I would guess so. Still waiting for the scope to be delivered. You can also use oliv3r's packer I think: https://gitlab.com/riglol/rigolee/#gel-packer
But I'm not sure if this is tested at all.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 11:06:39 am
Welcome! May I ask what tools you use for disassembly?
Thank you! I'm using Binary Ninja right now.

I believe the license checking function is at 0x0041801c. It seems to set r0 to #0x1 if the user owns the requested license.
At least that's what the -fullopt flag did in the previous versions.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 11:16:00 am
I believe the license checking function is at 0x0041801c. It seems to set r0 to #0x1 if the user owns the requested license.
At least that's what the -fullopt flag did in the previous versions.

It should be easy to mod that to "ld r0,#1; ret;" (or whatever the local assembly language is) to get all options.

Hacking an MSO5000 would then be as easy as inserting a USB stick and pressing "OK".

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2019, 11:34:17 am
I would guess so. Still waiting for the scope to be delivered. You can also use oliv3r's packer I think: https://gitlab.com/riglol/rigolee/#gel-packer
But I'm not sure if this is tested at all.

If there is any packer that works, it's this one! Older ones will not work because this .GEL is completely different.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 12:24:36 pm
Thank you! I'm using Binary Ninja right now.

I believe the license checking function is at 0x0041801c. It seems to set r0 to #0x1 if the user owns the requested license.
At least that's what the -fullopt flag did in the previous versions.

Thanks for the hint, that is indeed a nice tool! I believe you are right and it makes it super easy to patch it such that it only ever returns 1.  :-+

Patch for 01.01.04.04 to always return 1

Code: [Select]
Superseded by later work.

EDIT: Just got my scope from Batronix. Comes with firmware 00.01.01.02.03. I would have expected them to ship with the new "unhackable" firmware. However, maybe they did not want everyone to return them directly.  :-//

EDIT2:  I tried an intermediate update to 00.01.01.02.06, and now ssh is gone?! Strange....
EDIT3: Darn, that firmware also already kills sshd, even though it is from December last year! So I effectively shut myself out for now. BTW, the build script is not far enough to repackage the modified file system.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 02:26:25 pm
I tried an intermediate update to 00.01.01.02.06, and now ssh is gone?! Strange....

Yes, 00.01.01.02.06 was the first version having the start of the ssh daemon commented away in /etc/init.d/rcS.
You could try an earlier version or be the first person to try oliv3r's packer  :D
Or did someone already test the packaging function?

EDIT: Oh okay, I guess downgrading is not possible?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 02:31:26 pm
Yes, 00.01.01.02.06 was the first version having the start of the ssh daemon commented away in /etc/init.d/rcS.
You could try an earlier version or be the first person to try oliv3r's packer  :D
Or did someone already test the packaging function?

 |O Anyways. I don't know if downgrading is a good idea with calibration data and such. I think I also saw a check against it in fw4linux.sh.

oliv3r's packer will only do the firmware flash encryption (so I could patch out the downgrade stop). It will not generate the image files etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2019, 03:00:18 pm
Why downgrade??? Don't you want to upgrade with a hacked version?

Worry about repacking the new GEL and your problems will be over.

Since none of these versions change the bootloader, you can do all the harm that you want and there will always be a safe exit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 03:08:08 pm
I wanted to first backup the calibration data. I have patched 01.01.02.04 such that it will downgrade now. I'm back in  :scared:

@Oliv3r, I had to add --owner=rigolee --group=rigolee to the tar commands.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 03:16:13 pm
I'm back in  :scared:
congratulation  :D
So next step is to pack the rootfs/rigol folder as an UBIFS image
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 03:22:59 pm
I'm back in  :scared:
congratulation  :D
So next step is to pack the rootfs/rigol folder as an UBIFS image

In fact I just did the equivalent patch to the old appEntry as mentioned before - and behold, all features are there without -fullopt  :popcorn: :-DD  Many thanks go to piskers for finding the function and pointing me in the right direction.

EDIT2:
Now it looks alright too  :-DD See attached image.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 03:41:47 pm
Very nice job!!  :-DD :-DD :popcorn:
Did you change anything else for the licenses to also appear in the options list?

Btw, the appEntry also seems to have support for (jitter) eye diagrams..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 03:48:43 pm
I just changed the option list view to always show forever ;D. Easy to find when looking for "Forever". So it's just a visual thingy. I also noticed eye diagrams, but I thought it is just that different color scheme.

A patch for the current version, which makes it look and feel like full options. Obviously untested until we can pack the GEL files:

Code: [Select]
superseded by later work

EDIT: Note, that there is also a BW07T5 option in the file, while the highest option shown is BW07T3....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 04:16:32 pm
|O Anyways. I don't know if downgrading is a good idea with calibration data and such.

I wanted to first backup the calibration data.

Ummm... isn't that what self-cal is for - to generate some new data?  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 04:20:06 pm
In fact I just did the equivalent patch to the old appEntry as mentioned before - and behold, all features are there without -fullopt  :popcorn: :-DD  Many thanks go to piskers for finding the function and pointing me in the right direction.

 :-+

This means hacking is now as easy as inserting a USB key and pressing "Go!" (or whatever it says on screen).

No need to mess around with SSH or Vi.

Since none of these versions change the bootloader, you can do all the harm that you want and there will always be a safe exit.

And an easy way to de-hack it if it ever has to go back under warranty.  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 05:39:51 pm
This means hacking is now as easy as inserting a USB key and pressing "Go!" (or whatever it says on screen).

No need to mess around with SSH or Vi.

Once we can create the update files. I'm not the best in shell scripts, so somebody else might be faster. Oliv3r?

Since none of these versions change the bootloader, you can do all the harm that you want and there will always be a safe exit.
And an easy way to de-hack it if it ever has to go back under warranty.  :)

Is that actually true? I was not aware we can run the u-boot flash script without soldering, can we? Also, it flashes the current version numbers into u-boot configuration, which we can obviously disable for our package.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 06:03:47 pm
Could someone run
Code: [Select]
mtdinfo /dev/mtd0
on the device so that we know the parameters for packing of the UBI image?

EDIT: Actually /dev/mtd6 and /dev/mtd10 just to be sure
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 06:39:46 pm
Could someone run
Code: [Select]
mtdinfo /dev/mtd0
on the device so that we know the parameters for packing of the UBI image?

EDIT: Actually /dev/mtd6 and /dev/mtd10 just to be sure

Sure, if it existed... Need to find some binary first....

EDIT:
Used an armel library from Debian.

Code: [Select]
<root@rigol>/user/mtdinfo  --all --ubi-info
Count of MTD devices:           13
Present MTD devices:            mtd0, mtd1, mtd2, mtd3, mtd4, mtd5, mtd6, mtd7, mtd8, mtd9, mtd10, mtd11, mtd12
Sysfs interface supported:      yes

mtd0
Name:                           Env
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          2 (262144 bytes, 256.0 KiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:0
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd1
Name:                           DATA
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          512 (67108864 bytes, 64.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:2
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd2
Name:                           Bmp
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          32 (4194304 bytes, 4.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:4
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd3
Name:                           Bmp1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          32 (4194304 bytes, 4.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:6
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd4
Name:                           Bit1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          64 (8388608 bytes, 8.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:8
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd5
Name:                           Sys1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          256 (33554432 bytes, 32.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:10
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd6
Name:                           App1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          800 (104857600 bytes, 100.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:12
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd7
Name:                           Bmp2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          32 (4194304 bytes, 4.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:14
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd8
Name:                           Bit2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          64 (8388608 bytes, 8.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:16
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd9
Name:                           Sys2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          256 (33554432 bytes, 32.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:18
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd10
Name:                           App2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          800 (104857600 bytes, 100.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:20
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd11
Name:                           Reserved
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          536 (70254592 bytes, 67.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:22
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd12
Name:                           User
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          4800 (629145600 bytes, 600.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:24
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128



EDIT2: Rerun with --ubi-info
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 07:20:51 pm
Thank you!
So packaging should be possible with:
Code: [Select]
mkfs.ubifs -m 2048 -e 128KiB -c 800 -r /rootfs/rigol app.img
Not sure about the compression type (-x param)..
Then gzip it and run oliv3r's script. Can't try it till tomorrow though..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 07:33:35 pm
Thanks! There is also https://github.com/jrspruitt/ubi_reader which claims to be able to provide the proper information based on the image.

This results in:

Code: [Select]
ubireader_utils_info app.img

Volume app
        alignment       -a 1
        default_compr   -x lzo
        fanout          -f 8
        image_seq       -Q 329026723
        key_hash        -k r5
        leb_size        -e 126976
        log_lebs        -l 5
        max_bud_bytes   -j 8388608
        max_leb_cnt     -c 825
        min_io_size     -m 2048
        name            -N app
        orph_lebs       -p 1
        peb_size        -p 131072
        sub_page_size   -s 2048
        version         -x 1
        vid_hdr_offset  -O 2048
        vol_id          -n 0

        #ubinize.ini#
        [app]
        vol_name=app
        vol_size=98660352
        vol_flags=autoresize
        vol_type=dynamic
        vol_alignment=1
        vol_id=0


Which they claim maps to
Code: [Select]
/usr/sbin/mkfs.ubifs -m 2048 -e 126976 -c 825 -x lzo -f 8 -k r5 -p 1 -l 5 -r $1 img-329026723_0.ubifs
/usr/sbin/ubinize -p 131072 -m 2048 -O 2048 -s 2048 -x 1 -Q 329026723 -o img-329026723.ubi img-329026723.ini

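Deriving those mkfs.ubifs/ubinize parameters from the mtdinfo text programmatically, as an added shell example (not from the thread or from rigolee). The embedded sample is an abridged copy of the mtd5/mtd6 blocks quoted above, and -x lzo is taken from the ubi_reader output; note that mkfs.ubifs -e wants the LEB size (126976) while ubinize -p wants the eraseblock (PEB) size (131072).

```shell
#!/bin/sh
# Added example: parse `mtdinfo --all --ubi-info` output and print the
# mkfs.ubifs / ubinize invocations for one named partition.

# Constructed sample: abridged copy of the mtd5 and mtd6 blocks from the thread.
MTDINFO_SAMPLE='Count of MTD devices:           13
Present MTD devices:            mtd0, mtd1, mtd2, mtd3, mtd4, mtd5, mtd6, mtd7, mtd8, mtd9, mtd10, mtd11, mtd12
Sysfs interface supported:      yes

mtd5
Name:                           Sys1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          256 (33554432 bytes, 32.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd6
Name:                           App1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          800 (104857600 bytes, 100.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128'

# ubi_params NAME: read mtdinfo output on stdin and print, for partition NAME,
# "PEB LEB MIN_IO SUBPAGE VID_HDR_OFFSET PEB_COUNT" on one line (nothing if absent).
ubi_params() {
    awk -v want="$1" '
        /^mtd[0-9]+$/                       { cur = ""; next }
        /^Name:/                            { cur = ($2 == want) ? $2 : ""; next }
        cur == ""                           { next }
        /^Eraseblock size:/                 { peb = $3 }
        /^Amount of eraseblocks:/           { n = $4 }
        /^Minimum input\/output unit size:/ { minio = $5 }
        /^Sub-page size:/                   { subp = $3 }
        /^Default UBI VID header offset:/   { vid = $6 }
        /^Default UBI LEB size:/            { leb = $5 }
        END { if (peb != "") print peb, leb, minio, subp, vid, n }'
}

# mkfs_ubifs_cmd NAME ROOTDIR IMAGE: -e is the LEB size, -c the PEB count as a
# safe upper bound for max LEBs; -x lzo matches what ubi_reader reported.
mkfs_ubifs_cmd() {
    p=$(ubi_params "$1") && [ -n "$p" ] || { echo "no partition $1" >&2; return 1; }
    set -- $p "$2" "$3"
    printf 'mkfs.ubifs -m %s -e %s -c %s -x lzo -r %s %s\n' "$3" "$2" "$6" "$7" "$8"
}

# ubinize_cmd NAME OUT INI: -p is the PEB (eraseblock) size, not the LEB size.
ubinize_cmd() {
    p=$(ubi_params "$1") && [ -n "$p" ] || { echo "no partition $1" >&2; return 1; }
    set -- $p "$2" "$3"
    printf 'ubinize -p %s -m %s -O %s -s %s -o %s %s\n' "$1" "$3" "$5" "$4" "$7" "$8"
}
```

On the scope itself the stdin would be `mtdinfo --all --ubi-info` instead of the embedded sample.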
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 08:31:24 pm
The attached file looks like an update but just executes sshd  :scared:

So it will enable SSH on all scopes, but will never break anything.
Forum does not allow GEL, so remove the .txt file ending.

EDIT: Note, it will look like the upgrade failed, but no worries you will have ssh. The change is not permanent and ssh will be gone after reboot.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 08:45:25 pm
My previous patch works for the latest firmware  :-DD :scared:

So we could even build a small upgrade script, which checks for the currently installed version, and applies a binary patch to appEntry.  8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 01, 2019, 09:11:02 pm
Wow  :o

I understand nothing about, but.....wow  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 10:05:14 pm
I understand nothing about, but.....wow  ;D

Ok, so the scope basically has two file systems. The root file system is created in memory upon each boot, so it is hard to change. That is one of the reasons Rigol added a special additional partition of the /rigol/ folder. Changes here will be permanent.

We had three problems:

The SSH problem, we can solve with a neat trick: Just run a fake upgrade, which actually does nothing but execute the SSH daemon. And we are in.

The last problem was solved by piskers who pointed me to the right direction. So I did my very first binary assembler patch in my life, and here we are.


Now, what we can finally do is generate  a small upgrade file which will only patch appEntry. I would like to be as legally correct as possible, hence only provide a binary patch instead of the full file. Unfortunately, I cannot get a binary patcher to run on the scope.... So that is stalled for now. Hence it's not convenient yet.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2019, 10:16:28 pm
Now, what we can finally do is generate  a small upgrade file which will only patch appEntry. I would like to be as legally correct as possible, hence only provide a binary patch instead of the full file. Unfortunately, I cannot get a binary patcher to run on the scope.... So that is stalled for now. Hence it's not convenient yet.

Please continue. That's a chicken-egg problem. So you better change tactics. Do the patch in GEL and flash the whole thing.

If you go that way, there's no urgent need for the ssh daemon...

BTW, another important/alternative feature was dropped: the ability to insert the USB Vendor Disk and enable all Options automatically (no need for fullopt). ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 10:22:37 pm
You misunderstood me.

I propose the user flashes the original firmware upgrade, and we just flash a small additional patch-GEL over it. I basically have it running right now, but it contains the full >20MB appEntry program, instead of just 172B of binary patches. I don't feel confident in sharing such a file. Others might want to create it though.

Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on March 01, 2019, 10:53:29 pm
Does anybody know if something "critical" has been changed in system.img? I've created a gel with the system.img.gz of 00.01.01.02.04 to have the usual access and have currently running a patched version of 00.01.01.04.04 appEntry and everything looks fine at first glance.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on March 01, 2019, 10:57:25 pm
Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^

Is dd available?  Would something like this (https://unix.stackexchange.com/questions/214820/patching-a-binary-with-dd) work?

edit: looks like it is (https://gitlab.com/riglol/rigolee/tree/MSO5000/firmware/rootfs/bin).  With some leg work you should be able to convert a patch file into a bash script using dd to manually write each byte.  Not pretty (and not fun), but it seems like it should do the trick.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on March 02, 2019, 06:52:34 am

Hello,

the SSH patch works, but the "-fullopt" in start.sh does not bring any extension
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 08:31:46 am
You misunderstood me.

I propose the user flashes the original firmware upgrade, and we just flash a small additional patch-GEL over it. I basically have it running right now, but it contains the full >20MB appEntry program, instead of just 172B of binary patches. I don't feel confident in sharing such a file. Others might want to create it though.

Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^

I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 09:22:51 am
edit: looks like it is (https://gitlab.com/riglol/rigolee/tree/MSO5000/firmware/rootfs/bin).  With some leg work you should be able to convert a patch file into a bash script using dd to manually write each byte.  Not pretty (and not fun), but it seems like it should do the trick.

In order to patch, dd seems ok. You only have 1st kill the appEntry process and then do the patch. I'm currently in voyeur mode...

This patching process is prone to errors because someone may run the script with another version of the app file in the system.

I think it's safer to copy the full file.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dren.dk on March 02, 2019, 09:38:22 am
The safest bet would be to hash the entire binary before modifying it, having a hash would also allow selection of the correct patch if one wanted to support several versions with the same update file.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 02, 2019, 09:46:22 am
Looking at the disassembled appEntry file, it looks to me like it's only able to start a ssh and ftp daemon, but not to stop any of them.

So it's actually interesting then how this is triggered :) Who'll take on that challenge?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 09:58:31 am
Dear all,

please find a patching upgrade attached to this post. It does not contain the actual appEntry, but only patches it. So no copyrighted data here ;).
You first need to upgrade to 00.01.01.04.04 (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.04.GEL). After that, apply the update attached to this file.


Care has been taken to make sure it fails as early as possible if any errors occur. Checksums and version checks are applied all the time, before and after patching. A backup copy of the appEntry is made onto the USB drive. Only if all checks apply, the actual appEntry gets replaced. You will have ssh access whenever you start the patch (until the next reboot). The patching process is very inefficient, but reliable. Do not worry, it takes around 5 minutes to apply all the patches.

Afterwards, you can just reboot the scope (you will be asked to do so) and you are done. (Files are synced to nand, so do not worry about corruption).  Since GEL is not an allowed forum extension, just rename the file.


I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
Sure, an upgrade is just a shell script like any other. Under linux you can modify used files. No issue here.

the SSH patch works, but the "-fullopt" in start.sh does not bring any extension
That is because you need to additionally patch the scope. See this post.

EDIT2: File has been changed to use the usb drive for intermediate storage of the patched files. Makes it faster also. My slow usb drive gives around 2 minutes update time.
EDIT3: It currently looks like the rigol firmware upgrade (not the patch) can damage your calibration data, and self-calibration will not fix this. So for now, I recommend you ssh into your scope and backup the /rigol/data/*.hex files. If you have issues afterwards, just copy them back. Self-calibration should work then.
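The version check, backup and post-patch verification described in this post, together with the hash-keyed patch selection dren.dk suggested and the dd-based byte writing luma proposed, as an added shell example (not the update script from the thread, nor rigolee code). The sample binary, patch offsets, bytes and hashes are constructed for the demonstration, not the real appEntry patch; the script is plain POSIX sh so it would also run under busybox.

```shell
#!/bin/sh
# Added example: patch a binary only when it is a known version, back it up
# first, write bytes with dd, verify the result hash, and roll back on failure.
# All offsets, bytes and hashes are constructed; nothing here is the thread's
# real appEntry patch.

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# valid_hex HEX: non-empty, hex digits only, even length.
valid_hex() {
    case $1 in ""|*[!0-9a-fA-F]*) return 1;; esac
    [ $((${#1} % 2)) -eq 0 ]
}

# hex_to_bin HEX: write the bytes encoded by HEX to stdout. Octal escapes are
# used because POSIX printf has no \xHH (dash and busybox printf handle \ooo).
hex_to_bin() {
    h=$1
    valid_hex "$h" || return 1
    while [ -n "$h" ]; do
        rest=${h#??}
        pair=${h%"$rest"}
        printf "\\$(printf '%03o' "0x$pair")"
        h=$rest
    done
}

# apply_bytes TARGET PATCHFILE: PATCHFILE lines are "DECIMAL_OFFSET HEXBYTES";
# blank lines and lines starting with # are ignored. TARGET is modified in
# place without truncation; any malformed line aborts before dd is run.
apply_bytes() {
    while read -r off hex; do
        case $off in ""|\#*) continue;; esac
        case $off in *[!0-9]*) return 1;; esac
        valid_hex "$hex" || return 1
        hex_to_bin "$hex" | dd of="$1" bs=1 seek="$off" conv=notrunc 2>/dev/null || return 1
    done < "$2"
}

# select_patch HASH TABLE: TABLE lines are "PRE_HASH PATCHFILE POST_HASH", one
# per supported firmware version. Prints "PATCHFILE POST_HASH" for the version
# whose pre-patch hash is HASH; fails if that version is not supported.
select_patch() {
    awk -v h="$1" '$1 == h { print $2, $3; found = 1 } END { exit !found }' "$2"
}

# patch_binary TARGET PATCHFILE PRE_HASH POST_HASH BACKUP
# returns 0: patched and verified; 2: TARGET is not the expected version, left
# untouched; 3: backup failed, untouched; 4: patch or verification failed and
# BACKUP was restored over TARGET.
patch_binary() {
    target=$1 patchfile=$2 pre=$3 post=$4 backup=$5
    [ "$(hash_of "$target")" = "$pre" ] ||
        { echo "refusing: $target is not the version this patch was made for" >&2; return 2; }
    cp "$target" "$backup" || return 3
    if apply_bytes "$target" "$patchfile" && [ "$(hash_of "$target")" = "$post" ]; then
        return 0    # on the scope: sync here before asking the user to reboot
    fi
    echo "patch failed, restoring $target from $backup" >&2
    cp "$backup" "$target"
    return 4
}
```

Because the pre-patch hash gates everything, running the same update twice, or on a different firmware version, refuses rather than corrupting the file.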
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 10:08:49 am
Do not worry, it takes around 5 minutes to apply all the patches.

5 mins???? Are you mining in between???  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 10:11:21 am
Do not worry, it takes around 5 minutes to apply all the patches.

5 mins???? Are you mining in between???  :-DD

Good idea :-D, but no. The easiest solution I found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 02, 2019, 10:13:02 am
Very nicely done! Thank you so much for your work!   :D

One more thing that we should look for is whether the device contacts rigol when it's connected to the internet and possibly transfers the S/N and licenses. I didn't find anything yet in the appEntry.
At least when checking for an update it doesn't transmit anything else.

Again, nice work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 10:16:28 am
One more thing that we should look for is whether the device contacts rigol when it's connected to the internet and possibly transfers the S/N and licenses. I didn't find anything yet in the appEntry.
At least when checking for an update it doesn't transmit anything else.

Thank you! You are the reason I did my first binary patch.  :popcorn:

I also looked for that, and did not see anything. As you said, the update procedure looks rather sane, and I did not see any other obvious strings. We could probably add a host entry to prevent it from contacting rigol...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 10:17:56 am
Patch the domain string.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 02, 2019, 10:18:07 am
I would guess so. Still waiting for the scope to be delivered. You can also use oliv3r's packer I think: https://gitlab.com/riglol/rigolee/#gel-packer
But I'm not sure if this is tested at all.
It was only tested to generate small GEL files that do, for example, backup the calibration partition etc. using the scripts here; https://gitlab.com/riglol/rigolee/tree/MSO5000/target
You simply build a GEL file by using one of the scripts as the update scripts. They have been tried and used, but not tested and validated :)

Yes, 00.01.01.02.06 was the first version having the start of the ssh daemon committed away in /etc/init.d/rcS
You could try an earlier version or be the first person to try oliv3r's packer  :D
Or did someone already test the packaging function?

EDIT: Oh okay, I guess downgrading is not possible?

You can downgrade, but you have to fake the version number.

|O Anyways. I don't know if downgrading is a good idea with calibration data and such. I think I also saw a check against it in fw4linux.sh.

oliv3r's packer will only do the firmware flash encryption (so I could batch out the downgrade stop). It will not generate the image files etc.

No, it will generate GEL update files. It will not however, generate filesystem images (such as initramfs and ubifs). It is afterall only a packer :)

@Oliv3r, I had to add --owner=rigolee --group=rigolee to the tar commands.
Sure, but why? Then again, I've only run the scripts so far, so the change does seem sensible of course.

So next step is to pack the rootfs/rigol folder as an UBIFS image
Yeah, but that's a little trickier with the permissions, git doesn't like the users much. I do add them with the proper permissions I think (root:root 600 for example) but haven't checked what happens to this on check-out.

So generating an accurate ubifs would be harder (but far from impossible :)

This means hacking is now as easy as inserting a USB key and pressing "Go!" (or whatever it says on screen).

No need to mess around with SSH or Vi.

Once we can create the update files. I'm not the best in shell scripts, so somebody else might be faster. Oliv3r?

I've written the packer a few months ago :p and posted links here; nobody took up the challenge to write scripts to do these things :) (such as adding the -fullopt for example, and now patching the appEntry).

I hadn't gotten around to doing it myself yet; and probably not going to yet. I probably will add a 'start ssh' update :)

Thank you!
So packaging should be possible with:
Code: [Select]
mkfs.ubifs -m 2048 -e 128KiB -c 800 -r /rootfs/rigol app.img
Not sure about the compression type (-x param)..
Then gzip it and run oliv3r's script. Can't try it till tomorrow though..

Sure, but why would you want to? You can also just add the patched appEntry; and write a simple update script that does 'cp appEntry /rigol/appEntry' no? :)

With regards to ubifs, i did use one of those python ubi unpackers. So repacking it with the same tool should be possible. A version check should be added though (md5sum of the original file) as you otherwise overwrite 'any' version.

I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
Should work just fine, the file is read into memory and executed from there. App-entry should never try to rewrite itself anyway. So copy file, reboot scope, profit :)