EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: Agne on December 02, 2018, 04:19:19 pm

Title: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 02, 2018, 04:19:19 pm
TL;DR This thread is only for hacking of the Rigol 5000 oscilloscope. I own a Rigol 5000 series oscilloscope and have tried the old (Rigol 1000z & 2000A series) trick of dumping the RAM using SCPI commands but unfortunately this does not appear to work on the 5000 series. Next step is trying the JTAG memory dumping method.

------------------------------------------------------------------------------------------------------------------
Since the previous thread about the Rigol 5000 series oscilloscope has been completely derailed from discussing the Rigol 5000 to arguing about A and B brands and if Lecroy and Tektronix are still A brands etc, I would like to start this new thread dedicated to hacking of the 5000 series.

To keep this thread clear from what made the previous thread unusable from a Rigol 5000 hacker's perspective I would like to set some simple rules for it.

* This thread is only for hacking the Rigol 5000 series oscilloscope
* If you would like to discuss other things such as if you should buy the 5000 series or what is an A or B brand then please post that in a different thread.
-----------------------------------------------------------------------------------------------------------------------

With that over with, let's discuss what hacking progress has been made so far.
I have tried on my 5000 series scope the SCPI memory dump command that was successfully used on the Rigol 1000z and 2000A series oscilloscopes. Unfortunately the command does not work on the 5000 series. When using the memory dump command with Netcat on my Mac I get no reply from the scope and when using RigolBildschirmkopie I get “there was an error when sending the SCPI comand”. To verify that SCPI was working I tried the *IDN?, :SYSTEM:TIME? and SYSTEM:DATE? commands and they worked without issue.

Rigol appears to have either removed or changed the name of the SCPI command used to dump the memory on the older scopes. At this point I think using JTAG to dump the memory is our best bet. I will post an update when I know more.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 02, 2018, 08:31:44 pm
I have now opened my Rigol 5000 series scope and looked for possible JTAG connectors. There appears to be spaces for two JTAG connectors on the board, one for the Zynq FPGA and one for the Spartan FPGA.

Unfortunately Rigol have not mounted the pin headers for the JTAG on the PCB.
This reduces their BOM cost by a few cents and makes connecting a JTAG programmer to the board more difficult.

I have attached below some images showing the inside of the scope and I have highlighted the possible location for the JTAG connectors. The connector that I am most interested in is the small 9 pin one because it looks like the JTAG connector used to dump the memory on the Rigol 1000Z and 2000A series oscilloscopes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 02, 2018, 09:09:37 pm
I'd look at the unmarked 14 pin connector to the right.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 02, 2018, 11:25:59 pm
After looking for a simple solution to the problem of not having pin headers mounted on the JTAG connectors and not wanting to completely disassemble the scope to permanently solder in pin headers I found solderless press fit pin headers. I have ordered some and my hope is that I can push them in partially, just enough to make good contact while still being able to remove them when done.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 03, 2018, 07:35:34 am
I wouldn't use press-fit connectors. You'll need to put way too much force on the board which might damage it. Ceramic capacitors don't like being bent. Just take it apart and solder a connector in.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 03, 2018, 07:59:07 am
I wouldn't use press-fit connectors. You'll need to put way too much force on the board which might damage it. Ceramic capacitors don't like being bent. Just take it apart and solder a connector in.

Agreed, solder a normal header in.

Or you could use pogo pins, but you'd need to find a way to maintain pressure on the pins.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 09:12:46 am
If you don't want to solder headers in, get a long pin header  - 10mm or more, then bend alternate pins. It can then be inserted such that the bent pins exert pressure on the sides of the holes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 09:21:24 am
If you don't want to solder headers in, get a long pin header  - 10mm or more, then bend alternate pins. It can then be inserted such that the bent pins exert pressure on the sides of the holes.

If you get square pins they might exert enough pressure to make contact all by themselves.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 09:23:30 am
If you don't want to solder headers in, get a long pin header  - 10mm or more, then bend alternate pins. It can then be inserted such that the bent pins exert pressure on the sides of the holes.

If you get square pins they might exert enough pressure to make contact all by themselves.
You need bent pins so each pin is independently sprung.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 03, 2018, 09:42:20 am
Is the upgrade licence file encrypted?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: glenenglish on December 03, 2018, 10:01:39 am
how about I buy a 70 also and buy the upgrade to 100 in the same breath ? that should be useful.
I'll have mine in 2 weeks or so... am a Xilinx man...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 10:12:27 am
Is the upgrade licence file encrypted?

In the programming guide it shows this example of installing a license key:

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=586757;image)

The key's definitely a lot longer than a key for a DS1054Z.  :popcorn:

Does anybody have a license file? Can you look at it and see if the contents look like that?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 10:34:59 am
Is the upgrade licence file encrypted?

In the programming guide it shows this example of installing a license key:

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=586757;image)

The key's definitely a lot longer than a key for a DS1054Z.  :popcorn:

Does anybody have a license file? Can you look at it and see if the contents look like that?
Pretty sure Dave mentioned he had one
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EEVblog on December 03, 2018, 10:46:10 am
Is the upgrade licence file encrypted?

The license file is a single line of text as shown above.
"DS5000-2RL@" followed by 128 bytes of key data
Where 2RL seems to be the license type code
My license file didn't work though.
They need your serial number to generate the key.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2018, 12:27:55 pm
(128 bytes => 1024 bits)

It seems to me that we will be seeing asymmetric crypto  >:( . I think the MSO7000 will be the same.

As such, there won't be any licenses soon and the solution could be SW patches.

If the FW is signed, that is another ballgame (HW patch...  ::) ). 

Nonetheless, waiting for the memdump...  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 03, 2018, 12:52:42 pm
Is the upgrade licence file encrypted?

The license file is a single line of text as shown above.
"DS5000-2RL@" followed by 128 bytes of key data
Where 2RL seems to be the license type code

Then it seems the hex string is a 1024-bit digital signature of the license code.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 01:06:53 pm
Then it seems the hex string is a 1024-bit digital signature of the license code.

Most likely the license type+the serial number.

If somebody can find the hash code in the ROM then it's easy to make a key generator.

The bad news would be if it's a 1024-bit signature of the license type+serial number+a secret salt value that's written to the flash memory at the same time as the serial number.

It would mean you need to get the salt value out and that might only be possible by opening it up and using JTAG.

Fingers crossed that they didn't do that.

If this thing runs Linux then step (1) would be to get access to the file system and dump all the files. See if there's anything interesting in there.

Step (2) would be to dump all the files before/after installing an option and see what changes.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 01:40:44 pm
Can anybody post all the RS232 logging messages from a bootup? Maybe there's useful info in there.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TNorthover on December 03, 2018, 03:04:58 pm
Most likely the license type+the serial number.

If somebody can find the hash code in the ROM then it's easy to make a key generator.

If it's an actual 1024-bit signature rather than a simple hash or something (as the size suggests) then no-one is going to be generating them any time soon. You also need Rigol's private key.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2018, 03:05:44 pm
Fungus,

With asym crypto involved and the boot signed, there's no salt reading or flash dumps that can help.

The most one can do is obtain the public key. But that is useless to create new software.

Let's wait for the next steps.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 04:38:38 pm
If I wanted to make a product like this with good security, I'd include a random number stored in the device as part of the production process, with a factory database of this number versus serial number, and use that rather than the serial no. for authenticating/decrypting license keys, so the actual serial number bears no useable relationship to the license key.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 03, 2018, 04:41:00 pm
Didn't the distributor generate the key though? I assume that means no asym crypto or the key isn't that safe.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 04:57:10 pm
Didn't the distributor generate the key though? I assume that means no asym crypto or the key isn't that safe.

They generate them on the Rigol web site.

Rigol could have a private key on there.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 03, 2018, 05:03:49 pm
Didn't the distributor generate the key though? I assume that means no asym crypto or the key isn't that safe.

They generate them on the Rigol web site.

Rigol could have a private key on there.


Oh right. The internet. I forgot about the internet.  :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 03, 2018, 05:04:46 pm
Dave posted the boot output in another thread (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1954405/#msg1954405).

Code:
U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)

I2C:   ready
Memory: ECC disabled
DRAM:  448 MiB
DPU:   20170604
NAND:  OnDie ECC supported, 1024 MiB
zynq-In:    serial
zynq-Out:   serial
zynq-Err:   serial
Net:   Gem.e000b000
BootParam=0x0
Hit any key to stop autoboot:  0

NAND read: device 0 offset 0x4900000, size 0x3591fd
þ
NAND read: device 0 offset 0x4900000, size 0x8
 8 bytes read: OK

NAND read: device 0 offset 0x4500000, size 0x12c008
 1228808 bytes read: OK
Loading logo, x=310,y=247,width=404,height=89

NAND read: device 0 offset 0x5100000, size 0xd8ebf0
 14216176 bytes read: OK
## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Kerstrel Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x030000f8
     Data Size:    3302448 Bytes = 3.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00100000
     Entry Point:  0x00100000
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK
## Loading ramdisk from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  kerstrel-Update-Ramdisk
     Type:         RAMDisk Image
     Compression:  gzip compressed
     Data Start:   0x03328c5c
     Data Size:    10901113 Bytes = 10.4 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    sha1
     Hash value:   55bdcbebccba845da403130143793ee0135e53a1
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x0332661c
     Data Size:    9597 Bytes = 9.4 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   da2d17ba0d5a71b5897deec4cb026014f3132185
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x332661c
   Loading Kernel Image ... OK
   Loading Ramdisk to 1b099000, end 1bafe679 ... OK
   Loading Device Tree to 1b093000, end 1b09857c ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 3.12.0-xilinx (rigolee@Jim) (gcc version 4.8.1 (Sourcery CodeBench Lite 2013.11-53) ) #43 SMP PREEMPT Sat Jul 28 12:14:01 CST 2018
CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: Xilinx Zynq Platform, model: Xilinx Zynq
Memory policy: Data cache writealloc
PERCPU: Embedded 8 pages/cpu @c09f1000 s8384 r8192 d16192 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 113792
Kernel command line: console=ttyPS0,115200 no_console_suspend, root=/dev/ram rw
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 437416K/458752K available (4197K kernel code, 255K rwdata, 1716K rodata, 176K init, 179K bss, 21336K reserved, 0K highmem)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xdc800000 - 0xff000000   ( 552 MB)
    lowmem  : 0xc0000000 - 0xdc000000   ( 448 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc05ce880   (5915 kB)
      .init : 0xc05cf000 - 0xc05fb0c0   ( 177 kB)
      .data : 0xc05fc000 - 0xc063bd78   ( 256 kB)
       .bss : 0xc063bd84 - 0xc06689a4   ( 180 kB)
Preemptible hierarchical RCU implementation.
        Dump stacks of tasks blocking RCU-preempt GP.
        RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
NR_IRQS:16 nr_irqs:16 16
ps7-slcr mapped to dc802000
Zynq clock init
sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
Console: colour dummy device 80x30
Calibrating delay loop... 1725.23 BogoMIPS (lpj=8626176)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0xc03fa6b8 - 0xc03fa710
L310 cache controller enabled
l2x0: 8 ways, CACHE_ID 0x410000c8, AUX_CTRL 0x72360000, Cache size: 512 kB
CPU1: Booted secondary processor
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
gpio->base_addr is:0xdc84e000
The gpio irq num is:52
zynq_gpio e000a000.ps7-gpio: gpio at 0xe000a000 mapped to 0xdc84e000
hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
hw-breakpoint: maximum watchpoint size is 4 bytes.
zynq_ocm f800c000.ps7-ocmc: ZYNQ OCM pool: 256 KiB @ 0xdc880000
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
NET: Registered protocol family 2
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 10644K (db099000 - dbafe000)
hw perfevents: enabled with ARMv7 Cortex-A9 PMU driver, 7 counters available
NTFS driver 2.1.30 [Flags: R/W].
msgmni has been set to 875
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
DPU:Map vRam to 0xdca00000
DPU:Map iReg to 0xdcc00000
DPU:Ver=0x20170711
dma-pl330 f8003000.ps7-dma: unable to set the seg size
dma-pl330 f8003000.ps7-dma: Loaded driver for PL330 DMAC-2364208
dma-pl330 f8003000.ps7-dma:     DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
e0000000.serial: ttyPS0 at MMIO 0xe0000000 (irq = 59, base_baud = 6249999) is a xuartps
console [ttyPS0] enabled
xuartps e0001000.serial: failed to get alias id, errno -19
e0001000.serial: ttyPS1 at MMIO 0xe0001000 (irq = 82, base_baud = 6249999) is a xuartps
brd: module loaded
loop: module loaded
xspips e0006000.ps7-spi: master is unqueued, this is deprecated
xspips e0006000.ps7-spi: at 0xE0006000 mapped to 0xDC858000, irq=58
libphy: XEMACPS mii bus: probed
xemacps e000b000.ps7-ethernet: pdev->id -1, baseaddr 0xe000b000, irq 54
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
xusbps-ehci xusbps-ehci.1: Xilinx PS USB EHCI Host Controller
xusbps-ehci xusbps-ehci.1: new USB bus registered, assigned bus number 1
xusbps-ehci xusbps-ehci.1: irq 76, io mem 0x00000000
xusbps-ehci xusbps-ehci.1: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-rx8010sj 0-0032: Update timer was detected
rtc-rx8010sj 0-0032: rtc core: registered rtc-rx8010sj as rtc0
input: Goodix-TS as /devices/virtual/input/input0
xi2cps e0004000.ps7-i2c: 90 kHz mmio e0004000 irq 57
zynq-edac f8006000.ps7-ddrc: ecc not enabled
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
ONFI param page 0 valid
ONFI flash detected
NAND device: Manufacturer ID: 0x2c, Chip ID: 0xd3 (Micron MT29F8G08ADADAH4), 1024MiB, page size: 2048, OOB size: 64
Bad block table found at page 524224, version 0x01
Bad block table found at page 524160, version 0x01
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
TCP: cubic registered
NET: Registered protocol family 17
Registering SWP/SWPB emulation handler
rtc-rx8010sj 0-0032: setting system clock to 2018-11-10 12:15:08 UTC (1541852108)
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 176K (c05cf000 - c05fb000)
Starting rcS...
++ Mounting filesystem
++ Setting up mdev
++ Starting ftp daemon
rcS Complete
<root@rigol>rpcbind: cannot create socket for udp6
rpcbind: cannot create socket for tcp6
2018-11-10 12:15:21: (log.c.166) server started
7 2048 16 2 "/dev/fb0"
Mount user space to:/user
default setting by user set
Rigol Device gadget: Rigol Device ready
usbcore: registered new interface driver usbtmc


I don't know anything about that world, does anybody know if Xilinx do a complete secure boot process?

(and can you tell if they're using it from that output?)

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 03, 2018, 05:42:12 pm
If I wanted to make a product like this with good security, I'd include a random number stored in the device as part of the production process, with a factory database of this number versus serial number, and use that rather than the serial no. for authenticating/decrypting license keys, so the actual serial number bears no useable relationship to the license key.
But that wouldn't stop patching the binaries just like the older Agilent DSO6000 / DSO7000 scopes. I don't think the licensing system is very complicated because it just costs time with very little return.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lukier on December 03, 2018, 05:47:30 pm
Dave posted the boot output in another thread (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1954405/#msg1954405).

Code:
## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Kerstrel Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x030000f8
     Data Size:    3302448 Bytes = 3.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00100000
     Entry Point:  0x00100000
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK

Yup, looks like secure boot process, FIT images instead of straight kernel/initrd/dtb, SHA1 signatures. Smart.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 03, 2018, 05:53:08 pm
If I didn't miss something, I can see 128 hex characters, which should give only 512 bits. That should make it much easier.  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 03, 2018, 06:29:03 pm
If I wanted to make a product like this with good security, I'd include a random number stored in the device as part of the production process, with a factory database of this number versus serial number, and use that rather than the serial no. for authenticating/decrypting license keys, so the actual serial number bears no useable relationship to the license key.

That just becomes obscurity rather than security. The serial number is just a lookup, so they know which public key to use to encrypt the data with. If you were able to find the public key, you can't do much useful with it. I'm picking you want to target the Zynq as it's what's running Linux. It's certainly got secure boot.

If implemented properly, this is hard.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 03, 2018, 06:48:59 pm
If I wanted to make a product like this with good security, I'd include a random number stored in the device as part of the production process, with a factory database of this number versus serial number, and use that rather than the serial no. for authenticating/decrypting license keys, so the actual serial number bears no useable relationship to the license key.

That just becomes obscurity rather than security. The serial number is just a lookup, so they know which public key to use to encrypt the data with. If you were able to find the public key, you can't do much useful with it. I'm picking you want to target the Zynq as it's what's running Linux. It's certainly got secure boot.



It would prevent a keygen - AIUI the previous riglol hack duplicates Rigol's process for generating a license from the serial number. If the scope's internal process used a key derived from Rigol's serial->key database, then it would not be possible to generate compatible license keys.
Of course there are plenty of other hack avenues, but with a more expensive scope, people will be less likely to want to do anything potentially warranty-voiding.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: iMo on December 03, 2018, 06:56:23 pm
Hackers of all lands unite!  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TNorthover on December 03, 2018, 08:26:39 pm
Quote
That just becomes obscurity rather than security. The serial number is just a lookup, so they know which public key to use to encrypt the data with. If you were able to find the public key, you can't do much useful with it. I'm picking you want to target the Zynq as it's what's running Linux. It's certainly got secure boot.



It would prevent a keygen - AIUI the previous riglol hack duplicates Rigol's process for generating a license from the serial number. If the scope's internal process used a key derived from Rigol's serial->key database, then it would not be possible to generate compatible license keys.

Except that the scope needs to know something about this super-secret key to verify they used the correct one at generation time. At best it's just another public/private layer which doesn't help.

And generating a secure license key is really not the hard part of this problem in the first place. There are a few pitfalls, but realistically just cryptographically signing the serial+feature with an off the shelf algorithm is likely impossible to duplicate. Rigol would hold the private key, and there'd be nothing we could do to replace or discover it.

The hard part is securing the entire boot chain to guarantee all running code has been signed by Rigol (to prevent people bypassing the license checks entirely). Mobile phones have been contending with that problem for the last decade, with limited success. I doubt Rigol will do any better, but on the other hand there are multiple orders of magnitude more people attacking phones so maybe they'll do just well enough.
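
The three license designs discussed so far (Fungus's unkeyed hash, mikeselectricstuff's per-device random number, and the signed serial+feature described in this post), side by side as an added example that is not Rigol's scheme or code from anyone in the thread. The RSA here is a toy (textbook RSA over two fixed Mersenne primes, no padding) so that it runs with the standard library only; the serial numbers, device secrets and message layout are made up, and only the option code 2RL comes from the thread.

```python
import hashlib
import hmac

# Toy RSA key from two Mersenne primes, textbook RSA without padding.
# Far too weak for real use; it only shows which side holds which value.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                    # public half, stored in every device
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, kept by the vendor


def message(serial, option):
    # Assumed layout for this example, not taken from any real license file.
    return f"{serial}|{option}".encode()


# Scheme 1: unkeyed hash of public inputs (the "hash code in the ROM" case).
def hash_key(serial, option):
    return hashlib.sha256(message(serial, option)).hexdigest()


def device_check_hash(serial, option, key):
    # The check is the generator: the device recomputes the expected key.
    return hmac.compare_digest(key, hash_key(serial, option))


# Scheme 2: per-device random secret written at production, with a factory
# database mapping serial number -> secret.
def mac_key(device_secret, option):
    return hmac.new(device_secret, option.encode(), hashlib.sha256).hexdigest()


def device_check_mac(device_secret, option, key):
    # The device has to store its own secret to recompute the MAC.
    return hmac.compare_digest(key, mac_key(device_secret, option))


# Scheme 3: the vendor signs serial+option; the device only verifies.
def digest_int(serial, option):
    return int.from_bytes(hashlib.sha256(message(serial, option)).digest(), "big")


def vendor_sign(serial, option, d=D, n=N):
    return pow(digest_int(serial, option), d, n)


def device_verify(serial, option, signature, e=E, n=N):
    # Uses only the public values (e, n); nothing secret lives in the device.
    return pow(signature, e, n) == digest_int(serial, option)


def cross_device_acceptance():
    """For each scheme: is a key issued for unit A accepted by unit B?"""
    a, b, opt = "SN-EXAMPLE-A", "SN-EXAMPLE-B", "2RL"   # constructed serials
    secret_a, secret_b = b"\x01" * 16, b"\x02" * 16     # constructed secrets
    return {
        "hash": device_check_hash(b, opt, hash_key(a, opt)),
        "per-device MAC": device_check_mac(secret_b, opt, mac_key(secret_a, opt)),
        "signature": device_verify(b, opt, vendor_sign(a, opt)),
    }


if __name__ == "__main__":
    sig = vendor_sign("SN-EXAMPLE-A", "2RL")
    print("signature accepted on its own unit:",
          device_verify("SN-EXAMPLE-A", "2RL", sig))
    print("accepted on another unit:", cross_device_acceptance())
```

All three bind a key to one unit; they differ in what the device itself has to store: the full generator (scheme 1), a per-unit secret (scheme 2), or only public values (scheme 3).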
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2018, 08:40:23 pm
Let's not be paranoid. The only thing that could stop (meaning: make it sufficiently difficult) an attack is activating secure boot. All other things are within reach.

@lukier, SHA1 is a hash algorithm, not a digital signing algo! The fact that the NAND blocks are hashed doesn't mean much.

I don't think we have reached the secure boot point but, if we did, this is an electronics community forum so, something like this:
How to Break Secure Boot on FPGA SoCs through Malicious Hardware (https://eprint.iacr.org/2017/625.pdf) would be possible with the right guys... 
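
The hash-versus-signature distinction above, checked against the boot output posted earlier in the thread, as an added example that is not part of any post here: the parser classifies each `Verifying Hash Integrity` line as hash-only or signed. The second log is constructed to show the `hash,crypto:keyname` form U-Boot prints when its verified boot checks a signature; the function names are illustrative.

```python
import re

# Lines copied from the boot output posted earlier in this thread.
THREAD_LOG = """\
## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'kernel@1' kernel subimage
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK
## Loading ramdisk from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Hash algo:    sha1
     Hash value:   55bdcbebccba845da403130143793ee0135e53a1
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'fdt@1' fdt subimage
     Hash algo:    sha1
     Hash value:   da2d17ba0d5a71b5897deec4cb026014f3132185
   Verifying Hash Integrity ... sha1+ OK
"""

# Constructed sample (not from the thread): a FIT with a signed configuration.
# The configuration name and the key name "dev" are made up for illustration.
SIGNED_LOG = """\
## Loading kernel from FIT Image at 03000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
   Trying 'kernel@1' kernel subimage
   Verifying Hash Integrity ... sha1+ OK
"""

USING = re.compile(r"Using '([^']+)' configuration")
TRYING = re.compile(r"Trying '([^']+)' (\w+) subimage")
VERIFY = re.compile(r"Verifying Hash Integrity \.\.\.\s*(.*)")


def audit_fit_log(log):
    """Return one record per 'Verifying Hash Integrity' line."""
    records = []
    subject = ("unknown", "?")          # (kind, name) the next check refers to
    for line in log.splitlines():
        if m := USING.search(line):
            subject = ("configuration", m.group(1))
        elif m := TRYING.search(line):
            subject = (m.group(2), m.group(1))
        elif m := VERIFY.search(line):
            checks = []
            for tok in m.group(1).split():
                if tok[-1] in "+-":     # "+" = check passed, "-" = failed
                    spec = tok[:-1]
                    checks.append({"algo": spec,
                                   "signed": "," in spec,  # hash,crypto:key
                                   "passed": tok[-1] == "+"})
            records.append({"kind": subject[0], "name": subject[1],
                            "checks": checks})
    return records


def has_passing_signature(record):
    return any(c["signed"] and c["passed"] for c in record["checks"])


def fit_stage_authenticated(records):
    """True if the configuration, or every image, passed a signature check."""
    configs = [r for r in records if r["kind"] == "configuration"]
    images = [r for r in records if r["kind"] != "configuration"]
    if any(has_passing_signature(r) for r in configs):
        return True                     # a signed configuration covers the image hashes
    return bool(images) and all(has_passing_signature(r) for r in images)


if __name__ == "__main__":
    for label, log in (("thread log", THREAD_LOG), ("constructed", SIGNED_LOG)):
        recs = audit_fit_log(log)
        for r in recs:
            print(label, r["kind"], r["name"], [c["algo"] for c in r["checks"]])
        print(label, "FIT stage authenticated:", fit_stage_authenticated(recs))
```

The result describes the FIT loading stage only; it says nothing about whether the stages that run before U-Boot are authenticated.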

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 03, 2018, 08:46:57 pm
Some fun info:
"How to Break Secure Boot on FPGA SoCs through Malicious Hardware"
https://eprint.iacr.org/2017/625.pdf
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lukier on December 03, 2018, 09:14:44 pm
@lukier, SHA1 is an hash algorithm, not a digital signing algo! The fact that the NAND blocks are hashed doesn't mean much.

Sure, but if they bother to load via FIT then it is very likely that secure boot is enabled, this u-boot is signed and there is a chain of crypto there.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 03, 2018, 10:12:18 pm
I feel reasonably confident that they would have used secure boot.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2018, 10:20:10 pm
I feel reasonably confident that they would have used secure boot.

I don't. If that was the case, we would be seeing something like the attached pic.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: glenenglish on December 03, 2018, 10:21:01 pm
There are also a couple of fixed numbers in the system.
The ZYNQ and the Spartan 6 have a DNA number.

I use it to generate MAC addresses in my gear.

Bitstream reverse engineering is "Non trivial"...

If the JTAG pins are available, and the external clocks are stopped, that might be of use.

This is this MFR's 2nd go at this, so they probably have hardened it up.

The other thing is, they might be using  PARTIAL RECONFIGURATION in the FPGA. Would make sense for different bandwidths as the filter structures are quite different for really high bandwidths. Although if it were me, I'd probably leave the filter structures the same for all bandwidths and just change the taps, which could be loaded on the fly, or initialized at load time as initialized block rams. lots of options..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 03, 2018, 11:16:02 pm
I got some firmware from some undisclosed "Address" in the interwebs, please don't ask for binaries and don't tell :)

I can brief you on some interesting snippets I found after mounting UBIFS mount points and whatnot from the firmware, please notice which binaries are stripped of symbols:

Code:
tools $ file *
axi:       ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
axi_GP0:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
beeper:    ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
cfger:     ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, stripped                 <——— !!!
checkAXI:  ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
checkboot: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
dpuTest:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
fram:      ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
socket:    ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, stripped                <——— !!!
spi2cpld:  ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
spi2dev:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
spi2k7:    ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
spi2pll:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
ssd2543:   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped
touch:     ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped

Our encrypted targets, which might eventually give access to custom firmware flashing are: fw4linux.sh and fw4boot.sh. You read right, they are encrypted shell scripts.

But how do we decrypt them? Seems like cfger does play a role early in the boot process (and also later on in "application selection"):

Code: [Select]
############################################
#fetch system information from bootloader
############################################
$TOOLS/cfger -i /tmp/sysinfo.txt

Also cfger gets fed by some NAND data, also early in the boot process we can see this:

Code: [Select]
#Read Nand Block 0 data
nanddump -s 0 -l 0x40000 -f /tmp/env.bin /dev/mtd0

So if someone can get such a dump (from the lucky ones having the real device already on their benches), it will inform my analysis. I know this information is rather fragmented and incomplete, but I'm still putting the pieces together and have more juicy bits for future posts.

The application side is fairly huge (21MB), so I'm currently dissecting it section by section, fishing out the interesting regions. It might take some time but we'll get there.

I had a ton of fun last weekend so far and I'll keep digging in the near future, stay tuned ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 03, 2018, 11:38:14 pm
Thank you to all that provided feedback on the press fit pin headers. As a result of your feedback I am looking at alternative connector solutions.

While waiting for my new JTAG programmer to arrive I have been looking at alternative ways of hacking the oscilloscope. I decided to perform a port scan using Nmap to see if Rigol have left any vulnerable ports open. Results of the scan are below.

Code: [Select]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-03 23:44 W. Europe Standard Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:44
Completed NSE at 23:44, 0.00s elapsed
Initiating NSE at 23:44
Completed NSE at 23:44, 0.00s elapsed
Initiating ARP Ping Scan at 23:44
Scanning 192.168.2.134 [1 port]
Completed ARP Ping Scan at 23:44, 0.66s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:44
Completed Parallel DNS resolution of 1 host. at 23:44, 5.51s elapsed
Initiating SYN Stealth Scan at 23:44
Scanning RIGOL_MS5A********* (192.168.2.134) [1000 ports]
Discovered open port 80/tcp on 192.168.2.134
Discovered open port 111/tcp on 192.168.2.134
Discovered open port 22/tcp on 192.168.2.134
Discovered open port 21/tcp on 192.168.2.134
Discovered open port 5555/tcp on 192.168.2.134
Completed SYN Stealth Scan at 23:44, 0.59s elapsed (1000 total ports)
Initiating Service scan at 23:44
Scanning 5 services on RIGOL_MS5A********* (192.168.2.134)
Completed Service scan at 23:46, 151.31s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against RIGOL_MS5A********* (192.168.2.134)
NSE: Script scanning 192.168.2.134.
Initiating NSE at 23:46
Completed NSE at 23:46, 0.58s elapsed
Initiating NSE at 23:46
Completed NSE at 23:46, 1.04s elapsed
Nmap scan report for RIGOL_MS5A********* (192.168.2.134)
Host is up (0.0025s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      BusyBox ftpd (D-Link DCS-932L IP-Cam camera)
22/tcp   open  ssh      OpenSSH 6.0 (protocol 2.0)
| ssh-hostkey:
|   1024 dc:eb:8b:b2:55:43:48:10:0c:7b:49:70:74:**:**:** (DSA)
|   2048 e4:02:cd:a8:fd:c7:68:54:f4:26:49:0a:50:**:**:** (RSA)
|_  256 6f:c4:43:18:a3:95:f1:88:4f:f1:73:28:39:**:**:** (ECDSA)
80/tcp   open  http     lighttpd 1.4.33
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.33
|_http-title: 400 - Bad Request
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   395183  1            873/udp
|   395183  1            877/tcp
|   395184  1            873/udp
|   395184  1            877/tcp
|   395185  1            873/udp
|_  395185  1            877/tcp
5555/tcp open  freeciv?
MAC Address: **:**:**:**:**:** (Rigol Technologies)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.015 days (since Mon Dec 03 23:25:16 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Device: webcam; CPE: cpe:/h:dlink:dcs-932l

TRACEROUTE
HOP RTT     ADDRESS
1   2.52 ms RIGOL_MS5A******** (192.168.2.134)

NSE: Script Post-scanning.
Initiating NSE at 23:46
Completed NSE at 23:46, 0.00s elapsed
Initiating NSE at 23:46
Completed NSE at 23:46, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.92 seconds
           Raw packets sent: 1026 (46.790KB) | Rcvd: 1016 (41.042KB)

Rigol have left the SSH interface open. I can connect to it but unfortunately I do not yet have the root password. Does anyone know of any root passwords that Rigol have used on their scopes in the past?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 12:41:33 am
I got some firmware from some undisclosed "Address" in the interwebs, please don't ask for binaries and don't tell :)

I can brief you on some interesting snippets I found after mounting UBIFS mount points and whatnot from the firmware, please notice which binaries are stripped of symbols:

Does the firmware file also contain the hashed root password in the /etc/password or /etc/shadow files? If the files are in the firmware could you post them?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 04, 2018, 12:49:34 am
Yep: root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 04, 2018, 01:40:00 am
Queue John the Ripper

btw, any other user IDs in case they prevent direct root login (guess you could also check that if you have the filesystem)?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 04, 2018, 03:08:08 am
Nope, there's only root under /etc/passwd and the sshd_config is all commented out except the "UsePrivilegeSeparation no" directive. Shadow is empty.

Code: [Select]
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

[0x00000000]> cat /root/etc/passwd
root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh

[0x00000000]> cat /root/etc/shadow
[0x00000000]> cat /root/etc/ssh_config
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
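
The quoted sshd_config states that its commented `#Keyword value` lines are the default values, so the settings sshd actually runs with can be read off by merging those defaults with the few uncommented lines. The audit below is an added example, not part of the original post or of Rigol's firmware: `SHIPPED` is a constructed excerpt of the file above, `HARDENED` and the rule list are assumptions, and it assumes the vendor build kept the upstream defaults the file documents.

```python
import re

# Constructed excerpt: security-relevant lines of the sshd_config quoted in
# the post above, including the commented defaults the file documents.
SHIPPED = """\
#Port 22
#Protocol 2
#PermitRootLogin yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
#UsePAM no
UsePrivilegeSeparation no
Subsystem sftp /usr/lib/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
"""

# Constructed hardened variant (hypothetical, not a Rigol file).
HARDENED = """\
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
Subsystem sftp /usr/lib/sftp-server
"""

# "#Keyword value" (no space after '#') documents a default; "# text" is prose.
OPTION = re.compile(r"^(#?)([A-Za-z][A-Za-z0-9]*)[ \t]+(\S.*)$")

# keyword -> (values worth a finding, reason). Assumed rule set for this example.
RULES = {
    "permitrootlogin": ({"yes"}, "root can log in directly over SSH"),
    "passwordauthentication": ({"yes"}, "a guessed password is sufficient"),
    "permitemptypasswords": ({"yes"}, "accounts with empty passwords can log in"),
    "useprivilegeseparation": ({"no"}, "pre-auth network code runs as root"),
}


def effective_settings(text):
    """Return {keyword: (value, 'explicit' | 'default')} for global options."""
    explicit, defaults = {}, {}
    for line in text.splitlines():
        m = OPTION.match(line.rstrip())
        if not m:
            continue
        commented, keyword, value = m.group(1), m.group(2).lower(), m.group(3)
        if keyword == "match":
            break  # everything after a Match line is conditional, not global
        # sshd keeps the first value it sees for a keyword, so do the same.
        (defaults if commented else explicit).setdefault(keyword, value.strip())
    merged = {k: (v, "default") for k, v in defaults.items()}
    merged.update({k: (v, "explicit") for k, v in explicit.items()})
    return merged


def audit(text):
    """Return [(keyword, value, source, reason)] for every risky setting."""
    settings = effective_settings(text)
    findings = []
    for keyword, (bad_values, why) in RULES.items():
        value, source = settings.get(keyword, (None, None))
        if value is not None and value.lower() in bad_values:
            findings.append((keyword, value, source, why))
    return findings


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("hardened", HARDENED)):
        print(name)
        for keyword, value, source, why in audit(text):
            print(f"  {keyword}={value} ({source}): {why}")
```

Two of the three findings on the shipped excerpt come from defaults rather than from anything written in the file, which is why a config that looks "all commented out" still allows root password logins.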
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 04, 2018, 05:03:45 am
I'm trying to work out who the 'newbie' accounts are. Language comparisons are very interesting. brainstorm started out well, but is quickly slipping back to their natural writing style.
All good and fun, until you start selling PCBs
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Dwaine on December 04, 2018, 05:04:25 am
 :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: glenenglish on December 04, 2018, 06:47:38 am
The TAP access on the FPGA is fairly extensive. Once the processor is stopped (but DRAM refresh allowed to run) that will enable loading an alternative bitstream for the PL (while maintaining PS coherence)... which would permit access via AXI transfers into the memory space... and rather personal inspection of memory, trace, all sorts of things, useful if you know something about Linux internals. I guess that would start with trapping where you fail when entering the incorrect feature code.

-glen
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 04, 2018, 07:59:27 am
@lukier, SHA1 is a hash algorithm, not a digital signing algo! The fact that the NAND blocks are hashed doesn't mean much.

Yep. It's probably just checking for file corruption, nothing to do with security/secrecy.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 04, 2018, 08:05:40 am
Yep: root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh ;)

I searched Google for that string and got many hits, including this page: http://xilinx.wikidot.com/zynq-rootfs

Could it be a default password?  :popcorn:

Queue John the Ripper

No need.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lukier on December 04, 2018, 08:24:54 am
This all sounds so lame it must be intentional  :-DD Even pricing-wise the base 70 MHz model is more expensive than Keysight DSOX1000. Hackability as a marketing feature :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 04, 2018, 08:36:59 am

 root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh ;)

user: root
pass: root



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 10:27:11 am
This all sounds so lame it must be intentional  :-DD Even pricing-wise the base 70 MHz model is more expensive than Keysight DSOX1000. Hackability as a marketing feature :D

I wouldn't be surprised! That's where EEVBLOG does a wonderful (and totally free) job for these manufacturers.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lukier on December 04, 2018, 10:35:10 am
I wouldn't be surprised! That's where EEVBLOG does a wonderful (and totally free) job for these manufacturers.

:)

To be honest at first I wanted to pull the trigger on this Rigol, but the logic probe wasn't in stock anywhere (Batterfly/Batronix et al) and also I was worried the FW is crap, which we now know from Dave's video it is.

So without the hack I would end up with the most overpriced 70 MHz scope with crappy FW and even with the hack it would be crappy, probably even more bugs in the unlocked functionalities. Also lack of 50 Ohm kind of put me off.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 03:30:39 pm
Crosschecking with brainstorm "special" information, those who want a flavor of the MSO5000 files can look at this msg (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803).

They shouldn't be much different.  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 04, 2018, 03:52:35 pm
Don't take Rigol for SuperSmart. 3 years ago my looking into the DS2000 revealed they are SuperDumb. Look up my "Project Yaigol" post for details. Stealing from each other and blind copying without understanding how it is supposed to work seems to be a norm in that "industry".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 04, 2018, 03:54:21 pm
Yada Yada... Look up my "Project Yaigol" post for details.

Oh, FFS. 

(https://i.pinimg.com/originals/20/5e/d1/205ed1d14618ca22a3471215c818cb82.jpg)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 05:31:50 pm

 root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh ;)

user: root
pass: root

I can now confirm that the super secret password for the Rigol 5000 series oscilloscope is: root

With an open SSH interface and the password for the root account getting access to the file system became very easy.

Code: [Select]
login as: root
root@192.168.2.134's password:
<root@rigol>cd /
<root@rigol>df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                31.0M     21.9M      9.1M  71% /
devtmpfs                213.6M         0    213.6M   0% /dev
none                    100.0M    284.0K     99.7M   0% /tmp
/dev/ubi6_0              85.1M     69.6M     15.6M  82% /rigol
/dev/ubi1_0              37.2M    276.0K     35.0M   1% /rigol/data
/dev/ubi12_0            516.6M     67.3M    444.6M  13% /user
<root@rigol>ls
bin         home        lost+found  proc        sys         usr
checkapp    lib         media       rigol       tmp         var
dev         licenses    mnt         root        ubifs-util
etc         linuxrc     opt         sbin        user
<root@rigol>
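
A check a firmware build could run on its root filesystem before release, flagging the three conditions visible in this thread: the hash sits in world-readable /etc/passwd instead of shadow, it uses md5crypt (`$1$`), and the password equals the account name. This is an added example, not code from the original posts or from Rigol; the function names and result codes are assumptions, and the only sample input is the passwd line quoted above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The passwd line posted earlier in the thread; shadow was reported empty.
SHIPPED_PASSWD = "root:$1$qC.CEbjC$SVJyqm.IG.gkElhaeM.FD0:0:0:root:/root:/bin/sh\n"
# Constructed corrected variant: hash moved out of passwd.
FIXED_PASSWD = "root:x:0:0:root:/root:/bin/sh\n"


def md5crypt(password: bytes, salt: bytes) -> str:
    """Compute a "$1$" (md5crypt) hash string using hashlib only."""
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    remaining = len(password)
    while remaining > 0:                      # one alt-digest byte per key byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                               # NUL for 1-bits, key[0] for 0-bits
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    digest = ctx.digest()
    for rnd in range(1000):                   # fixed 1000-round stretch
        step = hashlib.md5()
        step.update(password if rnd & 1 else digest)
        if rnd % 3:
            step.update(salt)
        if rnd % 7:
            step.update(password)
        step.update(digest if rnd & 1 else password)
        digest = step.digest()
    groups = [(0, 6, 12, 4), (1, 7, 13, 4), (2, 8, 14, 4),
              (3, 9, 15, 4), (4, 10, 5, 4)]
    out = []
    for a, b, c, n in groups:                 # crypt's own base64 ordering
        word = (digest[a] << 16) | (digest[b] << 8) | digest[c]
        for _ in range(n):
            out.append(ITOA64[word & 0x3F])
            word >>= 6
    word = digest[11]
    for _ in range(2):
        out.append(ITOA64[word & 0x3F])
        word >>= 6
    return "$1$" + salt.decode() + "$" + "".join(out)


def audit_passwd(passwd_text):
    """Return [(user, code)] findings for each passwd entry."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7:
            continue
        user, pw = fields[0], fields[1]
        if pw in ("x", "*") or pw.startswith("!"):
            continue                          # shadowed or locked account
        if pw == "":
            findings.append((user, "empty-password"))
            continue
        findings.append((user, "hash-in-passwd"))
        parts = pw.split("$")
        if len(parts) == 4 and parts[1] == "1":
            findings.append((user, "weak-scheme-md5crypt"))
            # Only one guess is tried: the account name itself.
            guess = md5crypt(user.encode(), parts[2].encode())
            if hmac.compare_digest(guess, pw):
                findings.append((user, "password-equals-username"))
    return findings


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_PASSWD), ("fixed", FIXED_PASSWD)):
        print(name, audit_passwd(text))
```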
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 06:08:14 pm
I have now extracted the 66.7 MB firmware.gel file from the oscilloscope.


Can you get me a memdump?  /dev/mem

I will try to dump the memory
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 06:48:13 pm
I think I am going to need some help with the RAM dump since Linux have made copying the RAM more difficult in newer versions.

For those playing along at home the scope reports the Linux version as “3.12.0-xilinx”

Any suggestions how to dump the RAM over SSH?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 06:54:19 pm
I think I am going to need some help with the RAM dump since Linux have made copying the RAM more difficult in newer versions.

For those playing along at home the scope reports the Linux version as “3.12.0-xilinx”

Any suggestions how to dump the RAM over SSH?

Can't you insert the USB drive and execute "cp /dev/mem" to the USB drive? Don't worry if it gives you an error as long as it copies something "big".

BTW, what is the FW version of your scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 07:08:08 pm
I completely forgot that the scope had a USB port. How nice of Rigol to give us an open SSH interface, simple password and a convenient USB port. It is almost like they have rolled out the red carpet for us.

The scope reports FW version 00.01.01.02.03
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 04, 2018, 07:22:31 pm
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Agne on December 04, 2018, 07:39:16 pm
With a little bit of work I got a 448 MB memory dump
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 07:40:53 pm
I completely forgot that the scope had a USB port.

It's the problem with these advanced equipments that should only be connected to the internet! They also have USB interface... beware SEC Consult!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 04, 2018, 08:40:13 pm
I completely forgot that the scope had a USB port.

It's the problem with these advanced equipments that should only be connected to the internet! They also have USB interface... beware SEC Consult!

LOL. Yeah another one security risk that will end the world... |O :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 04, 2018, 08:41:42 pm
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.

Why? A large part of their business is built on hacking.

I bet sales of the DS1054Z paid for a lot of the development of that ASIC.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 04, 2018, 10:02:11 pm
Indeed, there are a ton of similarities with that post against what I did a few days ago, thanks for sharing @tv84 :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 04, 2018, 10:06:37 pm
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.
Why are you surprised? According to Dave a lot of functionality needs at least some attention. Securing things usually is last on the list. Get the product out first. Rigol can always choose to plug holes in later firmware releases if necessary.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 04, 2018, 10:11:18 pm
Indeed, there are a ton of similarities with that post against what I did a few days ago, thanks for sharing @tv84 :)

So, cfger is indeed the encryptor/decryptor of the shell scripts. It uses AES encryption.

<root@rigol>./cfger -h
 -r name:read the value of name
 -i file:read model,version,date to file
 -c name value: compare bwtween the value of name with value
 -s name value: set the value of name
 -t file: remove the all zero of the file
 -d input output: decrypt the input to output by aes
 -e input output: crypt the input to output by aes
 -h : show this help information

Enjoy:   :popcorn:
Code: [Select]
.data:000196D4 AES_KEY         DCD 0xFECFD8BA          ; DATA XREF: sub_B174+34o
.data:000196D8 dword_196D8     DCD 0xC4B5AABB
.data:000196DC dword_196DC     DCD 0xBFD4D8C3
.data:000196E0 dword_196E0     DCD 0xDDBEFDCA
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 01:33:07 am
Any idea why the scripts are encrypted? I'm assuming that they have to be decrypted before they are executed?

Indeed, there are a ton of similarities with that post against what I did a few days ago, thanks for sharing @tv84 :)

So, cfger is indeed the encryptor/decryptor of the shell scripts. It uses AES encryption.

<root@rigol>./cfger -h
 -r name:read the value of name
 -i file:read model,version,date to file
 -c name value: compare bwtween the value of name with value
 -s name value: set the value of name
 -t file: remove the all zero of the file
 -d input output: decrypt the input to output by aes
 -e input output: crypt the input to output by aes
 -h : show this help information

Enjoy:   :popcorn:
Code: [Select]
.data:000196D4 AES_KEY         DCD 0xFECFD8BA          ; DATA XREF: sub_B174+34o
.data:000196D8 dword_196D8     DCD 0xC4B5AABB
.data:000196DC dword_196DC     DCD 0xBFD4D8C3
.data:000196E0 dword_196E0     DCD 0xDDBEFDCA
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 05, 2018, 07:50:07 am
Here are the 2 scripts decrypted with AES-CBC.

AES_KEY: BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 07:57:04 am
What would be interesting to know, is if the AES_KEY is the same for all machines, or if each one is unique.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 05, 2018, 08:01:01 am
Here are the 2 scripts decrypted with AES-CBC.

AES_KEY: BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD

 :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 09:30:35 am
I'm curious as to why Rigol went to the effort of encrypting these scripts, but then left the AES key 'lying around'.   That is odd.
Looking at these scripts, they essentially just check that some files are valid (checking a CRC) and then copy them to an appropriate place. It's useful perhaps to know where the files are copied to, but I'm wondering if there's anything else to learn from that...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EEVblog on December 05, 2018, 09:51:11 am
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.
Why? A large part of their business is built on hacking.
I bet sales of the DS1054Z paid for a lot of the development of that ASIC.

Majority of income comes from sales of units to education and large organisations don't care about the hack.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 05, 2018, 03:19:45 pm
So if someone can get such a dump (from the lucky ones having the real device already on their benches), it will inform my analysis. I know this information is rather fragmented and incomplete, but I'm still putting the pieces together and have more juicy bits for future posts.

Attached is the contents of the 256 kB  file env.bin. (It starts with a CRC32, the file attached, and the rest is 0x00...)

What would be interesting to know, is if the AES_KEY is the same for all machines, or if each one is unique.

It's the same since it's embedded in the cfger app. You can see the decrypted_scripts of the DS7000 using the same key in my updated DS7000 msg.


BTW, interesting that the memdump contains these references:

200MHz to 350MHz Bandwidth Upgrade Option
200MHz to 500MHz Bandwidth Upgrade Option
350MHz to 500MHz Bandwidth Upgrade Option
600MHz to 1GHz Bandwidth Upgrade Option
600MHz to 2GHz Bandwidth Upgrade Option
1GHz to 2GHz Bandwidth Upgrade Option
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 07:06:07 pm
I received an unsolicited private message last night. It was from a user with NO posts, and just registered yesterday. I'm sure they are reading the thread. Their GitHub profile suggests they are in China, but who knows. I checked the GitHub repo, and I couldn't find anything relevant. Anyone else get this message?



Hello, I have cracked the MSO5074 into 350MHz model version, and I will publish it to my github (http://github.com/__deleted__ (http://github.com/__deleted__)) until all option unlocked. But I did a wrong thing: I erased my scope's option FRAM. So If you have buy a MSO5074, I can upgrade it's bandwidth, and I want a FRAM dump from your scope to reverse the option part for this scope. Thanks!

You can contact me by this mail:  deleted@gmail.com
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 05, 2018, 07:32:07 pm
I received an unsolicited private message last night. It was from a user with NO posts, and just registered yesterday. I'm sure they are reading the thread. Their GitHub profile suggests they are in China, but who knows. I checked the GitHub repo, and I couldn't find anything relevant. Anyone else get this message?



Hello, I have cracked the MSO5074 into 350MHz model version, and I will publish it to my github (http://github.com/__deleted__ (http://github.com/__deleted__)) until all option unlocked. But I did a wrong thing: I erased my scope's option FRAM. So If you have buy a MSO5074, I can upgrade it's bandwidth, and I want a FRAM dump from your scope to reverse the option part for this scope. Thanks!

You can contact me by this mail:  deleted@gmail.com

Did you contact him? Did the github have anything relevant?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 05, 2018, 07:46:12 pm
The GitHub repo didn't appear to have anything relevant in it, no, and no, I've not contacted him.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Carrington on December 05, 2018, 08:35:07 pm
LOL ... What a funny and weird situation.  :)
Title: Unconfirmed 'cracking' of Rigol 5000
Post by: mrpackethead on December 06, 2018, 07:14:59 am
An unconfirmed claim of cracking the MSO5000 has been made by a Chinese student.

Quote
"Well, I have patched the firmware, let it jump out license verify produce. But I can't make it public until next year March. Because Rigol sold out about less than 300 units now.

In fact I'm working on my friend's scope and I havent ordered yet (lack of money...Im just a ungraduated). I m wonder if I make it public prematurely, maybe they will fix it and it can't be cracked anymore.

Btw, there's no keygen for 5000 series oscilloscope because it cant be realize. The only way to crack it is to patch firmware.

The detail of crack this scope I will
publish it to my github when my scope is successfully cracked."

Sadly he does not want to provide the info; I think he is worried that Rigol will patch the issue before he has collected enough money to buy his own. If he was able to crack it, I'm sure that others will be able to do it as well, pretty quickly. If he wants the 'claim to fame' of being the guy who cracked it, he will need to publish it before anyone else does, I guess. Though it seems he just wants the 350MHz scope for the 70MHz price.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EEVblog on December 06, 2018, 12:54:23 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 06, 2018, 01:00:54 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

I guess this mark the beginning of gigantic pages ahead for this thread.  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 06, 2018, 01:09:28 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

Rigol is now one firmware update away from completely owning the non-pro 'scope market?  :popcorn:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 06, 2018, 06:11:17 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

If they aren't anonymous who was it? Or are they planning on sharing later?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 06, 2018, 07:19:31 pm
The problem with claims is that they are just claims until there is something to substantiate them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JPortici on December 06, 2018, 07:38:46 pm
so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 06, 2018, 07:40:46 pm
The problem with claims is that they are just claims until there is something to substantiate them.

From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 06, 2018, 07:41:42 pm
If the scopes can do 1 GHz and are reasonably flat I'd consider adding a 50 ohm termination internally on one channel. It would be permanently 50 ohms but could perform well. Pretty easy to power an HP 1152a active probe externally.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on December 06, 2018, 07:43:20 pm
so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?
Quite possibly, we've seen this happen before.  ::)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Monkeh on December 06, 2018, 07:44:32 pm
I'm quite surprised. They certainly don't seem to have made too much effort 'so far' to secure things.
Why are you surprised? According to Dave a lot of functionality needs at least some attention. Securing things usually is last on the list. Get the product out first. Rigol can always choose to plug holes in later firmware releases if necessary.

Which is a bass ackwards way of developing and shipping an appliance with a network connection no matter how you look at it.

so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?
Quite possibly, we've seen this happen before.  ::)

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on December 06, 2018, 08:31:59 pm
so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?
Quite possibly, we've seen this happen before.  ::)

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?
OK, so you missed the member being banned for daring to question the capabilities of the forum's favorite DSO.
Go have a look in the Supporters lounge for links that can point you to those events.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 06, 2018, 08:34:35 pm
Gentlemen, please discuss this in the generic MSO5000 thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 06, 2018, 09:30:18 pm
Gentlemen, please discuss this in the generic MSO5000 thread.

And leave moderation to the moderators. That's their job.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 06, 2018, 09:33:54 pm
The problem with claims is that they are just claims until there is something to substantiate them.

From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?

But we have not 'seen' anything other than claims. 

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 06, 2018, 09:38:14 pm
The problem with claims is that they are just claims until there is something to substantiate them.
From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?
Even at a low price having 1GHz of bandwidth without real 50 Ohm inputs is going to be a problem. Then again the same hack may work on the MSO7000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on December 06, 2018, 09:49:12 pm
Which is a bass ackwards way of developing and shipping an appliance with a network connection no matter how you look at it.

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?
It's always the same people singing the same song, isn't it?  ::)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Carrington on December 06, 2018, 09:54:20 pm
Obviously I'm not going to say who they are ...
I wonder if Banksy has anything to do with all this.  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 06, 2018, 10:49:33 pm
We actually plan to release it after the RIGOL fix their bugs...

I can not believe you're refusing to release the hack method.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 06, 2018, 10:50:13 pm
Screenshots are one thing. However, until a method is published and is verified independently it's unconfirmed. The first party to publish it will be able to 'claim' it. It seems there are several parties all claiming to have done it so far. I would guess it's only going to be a matter of days before the first hacks are published.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 06, 2018, 11:17:23 pm
We actually plan to release it after the RIGOL fix their bugs...

I can not believe you're refusing to release the hack method.
Maybe better to wait til the firmware has improved, so there's a hack for a better FW in case future versions get locked down more effectively
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TurboTom on December 06, 2018, 11:28:05 pm
Hope the firmware update also addresses the font of the hardware frequency counter...I almost had to throw up. If not, the hack will have to fix this...  ::)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 07, 2018, 12:16:43 am
We actually plan to release it after the RIGOL fix their bugs...
Which means... NEVER  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 12:40:02 am
rgwan,

Your group is not the only one that has claimed to have hacked the scope. Others have already made the same claims. The methodology for hacking it is to find where the firmware checks the features, and just return true. The fact that you posted it first really doesn't make much difference; someone will have.

You can assume that multiple Rigol dealers have read this, and that this information is already in the hands of Rigol. What Rigol chooses to do will be interesting. They historically have not made any attempts to stop so-called hacking. They may see it as a way to actually improve their sales. It's entirely possible that the architecture was designed so it could be hacked.

You're saying it was hacked to 350MHz, however it seems that Hanxiao was saying 1GHz? Is that correct?

Even if this thread was removed, it's still the internet and it's gone. You can't make it go away.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 12:42:18 am
Here are their screen shots of a 100MHz square wave and the FFT
Obviously I'm not going to say who they are, but they are sending me something (not related to this) for a video, and went, "oh, BTW, we hacked the MSO5000". It was a friend on their design team who cracked it. They seem legit.

Could you reveal if they are a different team from the China team?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on December 07, 2018, 12:46:37 am
OK I admit it.... I am the anonymous who patched Hanxiao's oscilloscope... Yesterday we made a successful crack to unlock all options and 350MHz bandwidth.

So...It is pity to made this thing public early...I have to order one now and create a repository to publish our cracking produce...

I request to set this topic hidden in this forum, if RIGOL saw that thread, there would be no cracking at all! I recommend don't discuss this topic until half-year passed...
Taking things off the internet isn't really a thing that exists. It's out here, for better or worse.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 01:01:57 am
rgwan,

Your group is not the only one that has claimed to have hacked the scope. Others have already made the same claims. The methodology for hacking it is to find where the firmware checks the features, and just return true. The fact that you posted it first really doesn't make much difference; someone will have.

You can assume that multiple Rigol dealers have read this, and that this information is already in the hands of Rigol. What Rigol chooses to do will be interesting. They historically have not made any attempts to stop so-called hacking. They may see it as a way to actually improve their sales. It's entirely possible that the architecture was designed so it could be hacked.

You're saying it was hacked to 350MHz, however it seems that Hanxiao was saying 1GHz? Is that correct?

Even if this thread was removed, it's still the internet and it's gone. You can't make it go away.

First, No... I did not make any statement on the analog bandwidth of it. The test is based on an all license on MSO5074 Unit.
Second, the efforts put into hacking is much harder than you thought. They did a fairly good job on license protection (but not the system as a whole).
I wish to see posts from other team that reach this far :P

Right now, all you've got is an unverified claim of a hack. Just like the other teams. Nobody can verify anybody's claims because nobody can independently test it.

Sorry, I've confused you with the other team, who it seems have achieved 1GHz bandwidth.

And from what it seems, the hack is not that hard.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 01:05:44 am
Is that MSA24xxxxx number  the one ending 00001, the serial number?   
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 07, 2018, 01:26:49 am
I recommend don't discuss this topic until half-year passed...

Are you on a 6-month contract?   ::)

This story is stranger than the licensing protection!  :-DD


BTW, I think it's safe to say that Dave's pics have the same S/N...   

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=590110;image)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 07, 2018, 01:43:04 am
rgwan,

Your group is not the only one that has claimed to have hacked the scope. Others have already made the same claims. The methodology for hacking it is to find where the firmware checks the features, and just return true. The fact that you posted it first really doesn't make much difference; someone will have.

You can assume that multiple Rigol dealers have read this, and that this information is already in the hands of Rigol. What Rigol chooses to do will be interesting. They historically have not made any attempts to stop so-called hacking. They may see it as a way to actually improve their sales. It's entirely possible that the architecture was designed so it could be hacked.

You're saying it was hacked to 350MHz, however it seems that Hanxiao was saying 1GHz? Is that correct?

Even if this thread was removed, it's still the internet and it's gone. You can't make it go away.

Rigol has made some attempts to stop hacking. They changed the DSA815 spectrum analyzer keys so that the online tools no longer worked. If they went to the effort to create a reasonable license key system it seems odd they would leave ssh wide open. I have been on the fence trying to decide if they kind of want the 5000 hacked. In this case I think ssh being enabled was some sort of mistake and that we can expect it to be removed in a future release.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: vowstar on December 07, 2018, 02:36:26 am
:)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EEVblog on December 07, 2018, 03:10:56 am
I request to set this topic hidden in this forum, if RIGOL saw that thread, there would be no cracking at all! I recommend don't discuss this topic until half-year passed...

Sorry but we don't hide threads here.
I'll happily remove the images I got, but I'm not going to remove anyone else's images or posts, they'll have to do that themselves.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 03:47:21 am
Once again, I would like to recommend the administrator in this forum hide this thread. It is too dangerous. And Rigol's new 1000Z-S series seems can't be unlock any more. I don't want to see this happen again.

Rigol's distributors have read this thread, I know that for a fact. I would be very surprised if some Rigol people have not read it as well.

It would not surprise me if in fact, Rigol is deliberately seeding this thread with bits of information to bolster interest, and potentially boost sales.

It's an interesting serial number. Did you get the first one?


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 03:56:07 am
I request to set this topic hidden in this forum, if RIGOL saw that thread, there would be no cracking at all! I recommend don't discuss this topic until half-year passed...

Sorry but we don't hide threads here.
I'll happily remove the images I got, but I'm not going to remove anyone else's images or posts, they'll have to do that themselves.

Seems team Rigol (rgwan and friends) have come and deleted their pics.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 07, 2018, 04:17:29 am
No one is going to wait, my friend, life is too short. Magic things happened on this forum before, they will happen again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Hanxiao on December 07, 2018, 05:10:12 am
For those who are working hard to make this happen: we appreciate the work done by all the people who are taking their time to make this cheap and powerful instrument available to everybody.
However, we have to recognize that the amount of work to make progress on cracking will rise exponentially while RIGOL fixing each of the BUG we use to crack it. When we are talking about profiting the community as a whole, we not only need to consider how soon we could get the joy but more importantly how many people will benefit from it. We admit all the efforts, however, release the crack now is more like to kill the Goose That Laid the Golden Eggs, which sabotages the interests of the whole community.

If you already own one, that is great, now the firmware is patchable and we are able to get everything working, but based on our prediction, the amount of MSO5000 series on the market is just around hundreds of units, let's wait for others. Aside from the factory lead time, there are still tons of BUGs inside the current firmware, from FFT leakage to various BUG in LA. 

Thanks for RIGOL to provide such this relatively cheap instrument with such high performance.


8256485683450c0341861cd090fab646
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: vowstar on December 07, 2018, 05:19:17 am
Also thanks for RIGOL to provide such this relatively cheap instrument with such high performance.


8256485683450c0341861cd090fab646 YOU UNDERSTAND
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 07, 2018, 05:25:58 am
I feel like it is the right time for a sockpuppet accounts check.

Edit: How come you new hacker guys f..ked up so badly with the S/N ...001?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 07, 2018, 05:35:27 am
Also thanks for RIGOL to provide such this relatively cheap instrument with such high performance.


8256485683450c0341861cd090fab646 YOU UNDERSTAND

I think we all understand where you guys are coming from but even beyond hacking for other people to get use of it there is the aspect of just being able to do it. I am personally less interested in the scope as a piece of hardware as I already have something in the class. My interest is simply in seeing how much work it is this time. If I knew a hack were out and available I probably wouldn't buy one at all but knowing that even if it is hacked as of now it's a secret makes it even more interesting to me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 07, 2018, 05:38:34 am
so does this mean that we're going to have another big wave of scopes where no complaints are allowed whiny complaints seem childish because shut up they're cheap and hackable and nobody's forcing you to use one?

FTFY.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 07, 2018, 05:49:41 am
The point is you can NOT realistically expect this internet crowd here to hold hand in hand singing the song ...

"Just wait ... wait .. till Rigol fix their firmware ...
Rigol is blind not knowing this thread ...
once they fixed it, we will release the hack...
and all will be living happily ever after ..."

... NOT.

Back to pure technical discussion please and refrain from politics , intrigue tactics and etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 07, 2018, 05:54:13 am
The other way to look at it is: If this is hackable then the bean counters at Rigol will see the sales figures of the base model and think, "Why would we try to stop that?"

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 06:06:37 am
The other way to look at it is: If this is hackable then the bean counters at Rigol will see the sales figures of the base model and think, "Why would we try to stop that?"

My gut feeling is that our new guests on this forum are actually from Rigol and are just doing some marketing to drum up some interest.  If that is the case, then its a new spin on what the PCB fabs were doing for a while. :-)

I know of two groups, one in the US and one in Europe, who are both working on this and one of them will post a hack as soon as they have it sorted; there are a few other users who are tinkering as well. I don't have a scope yet (get it in Jan), and when I do, I'll be keen to see how the hacks work, but if I use the features, I'll just be doing the boring thing and paying for it (because that's the right thing to do).

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: iMo on December 07, 2018, 07:55:08 am
Sure - Rigol, distributors, competitors, customers, hackers - all may read and contribute to this thread. You cannot avoid that. It has no sense to elaborate who is who here.. Let us wait on some real results we may test.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 07, 2018, 08:02:34 am
30A989AFC82C0A21139573591DE4E5FF37994F7D1506A9ACF2B5997005C2649F

Without any evidence of a hack, the people claiming it are losing face ( 丢脸 ) very quickly.     
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 07, 2018, 08:24:24 am
30A989AFC82C0A21139573591DE4E5FF37994F7D1506A9ACF2B5997005C2649F

Without any evidence of a hack, the people claiming it are losing face ( 丢脸 ) very quickly.   

Yes, it's been, what, a whole 12 hours now?

I agree that if you're not going to publish then just keep your mouth shut but they might just be in bed or something.

I don't have a scope yet (get it in Jan), and when I do, I'll be keen to see how the hacks work, but if I use the features, I'll just be doing the boring thing and paying for it (because that's the right thing to do).

If you're going to spend that much you should probably buy the R&S, not Rigol.  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 07, 2018, 11:21:55 am
Did you notice what seemed to be the Build date of the firmware (top right of the screen)? December 6... very strange... maybe it was someone from Rigol or a rogue employee.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 07, 2018, 11:34:09 am
That's the current hour/date in the scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: timgiles on December 07, 2018, 11:46:07 am
Well, anyone who has watched the latest episode of South Park can see there are some on this forum that have lost the ability to have patience - too much getting used to Amazon next day ordering!

Let those working on it work. Rigol will do or not do - now and in the future. If they change their approach to all firmware, perhaps other workarounds will be found. Perhaps Rigol really is seeing this as a chance to capture several market slices - business with paid-for licences and home hackers. We know it costs the same if it has a 200MHz, 1GHz (?) or 70MHz label on it - so it can only be good for Rigol. Business, universities - are unlikely to hack.

Time will tell.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 07, 2018, 11:53:23 am
That's the current hour/date in the scope.

No, it said ‘Build date’ on the photo
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 07, 2018, 12:10:58 pm
That's the current hour/date in the scope.

No, it said ‘Build date’ on the photo

:) Good point.

But I went to the "wayback machine" to have a look at the images from Dave's + the Chinese pics and they all have consecutive hours.

The "build" is the time when the "screen dump" was built.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: glenenglish on December 08, 2018, 07:56:29 pm
If indeed Rigol pursue the market this way, and they monitor these forums, then in the interests of getting these sort of "Expandable" products, I suggest readers posting here to be nice with their comments.

I have bought a 100 MHz version, waiting on delivery. I'd like them and the local rep to make some decent margin on this scope. I think having an entry at the low price of the 70 MHz scope that is "Expandable" is cannibalizing their market; IMO they don't really have to go that cheap, unless they really have the cost right down to peanuts. In the west we might think 3x to 4x cost is about the minimum sell price for pro gear, but these guys often work on maybe 1.2 to 1.5x and it is just a numbers game.

Rigol's competition  are responsible for bringing high performance low cost scopes from all the A class manufacturers. It's the reason I support AMD with their Ryzen , and have all my systems here now Ryzen. (even though I can afford any processor I want) - they are responsible for holding Intel to account and providing some innovation in that market segment.
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 08, 2018, 08:44:14 pm
If indeed Rigol pursue the market this way, and they monitor these forums...

They've been doing it that way for quite a while:

https://www.youtube.com/watch?v=LnhXfVYWYXE
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 08, 2018, 08:51:36 pm
One question: If this thing runs Linux and has a shell account then can it run batch files, etc?

What's installed in the system? Is there a C compiler?

Can you upload executable files and get it to do new things that way?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 08, 2018, 09:30:06 pm
One question: If this thing runs Linux and has a shell account then can it run batch files, etc?

What's installed in the system? Is there a C compiler?

Can you upload executable files and get it to do new things that way?
Forum member RHB has a long-term plan for something like that. A lot of scopes run on the Zynq platform nowadays so except for the ADCs and display size many oscilloscopes are practically identical. Don't get excited yet because writing firmware for an oscilloscope is a massive task but once there is a core feature set then it shouldn't be hard to port it to different hardware platforms.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 09, 2018, 09:39:27 pm
So “hypothetically” if a hack existed that took a 70MHz model to 350 what would the preference here be?  Share it? Hide it? Wait six months?

Another party (not the rgwan lot) has claimed they have enabled 350 and has said it’s reasonably trivial. They are unsure of what to do. It’s entirely for educational purposes only and if you need 350m then you should buy the license. This is however a very interesting thing if you are interested in the security of embedded systems.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 10, 2018, 06:42:50 am
Well that's really strange. They said that it is trivial. So, how about you ask them for the reason why they don't choose to release it now?

Btw, you have said that you're interested in embedded system security, why don't you analyze the firmware yourself? The process of analysing is more fun than the answer. So, don't hesitate to wait our answer anymore. Try to find your own! LOL

 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 10, 2018, 08:31:58 am
Well that's really strange. They said that it is trivial. So, how about you ask them for the reason why they don't choose to release it now?

Btw, you have said that you're interested in embedded system security, why don't you analyze the firmware yourself? The process of analysing is more fun than the answer. So, don't hesitate to wait our answer anymore. Try to find your own! LOL

They may have done something different than you from the sounds of it. No mention of unlocking the rest of the options just the bandwidth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 10, 2018, 09:13:48 am
Walking through the firmware behind the devices can be an interesting way to spend a rainy afternoon. I never would have assumed my Siglent was full of unicorns and Pikachus.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 10, 2018, 09:46:09 am
The Christmas gift for all Rigol fans out here:

Go to /rigol/shell/start.sh

and add the "-fullopt" to the command line that executes appEntry (before the &).

PS: And it's not a hack. It's a feature!
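
The post above puts the whole option check behind one command-line switch in a plain shell script, so whether a given unit's launcher has been altered can be checked by reading that one file. The following is an added example, not part of the post or of Rigol's firmware: a POSIX shell audit that reports when the `appEntry` launch line carries `-fullopt`. The function names and both sample scripts are constructed, since the real contents of start.sh are not shown in the thread.

```shell
#!/bin/sh
# Added example: audit a launcher script for an option-override flag passed
# to the main application. "appEntry" and "-fullopt" are the names given in
# the post; everything else here (function names, sample files) is made up.

# check_launcher FILE BINARY FLAG
#   prints "lineno:command" for each offending command
#   returns 0 = clean, 1 = flag present, 2 = file unreadable
check_launcher() {
    file=$1; binary=$2; flag=$3
    [ -r "$file" ] || return 2
    awk -v bin="$binary" -v flag="$flag" -v sq="'" '
        function inspect(cmd, lineno,    n, i, tok, p, np, seen) {
            sub(/[ \t]+#.*$/, "", cmd)            # drop a trailing comment
            n = split(cmd, tok, /[ \t]+/)
            seen = 0
            for (i = 1; i <= n; i++) {
                gsub("[\"" sq "]", "", tok[i])    # ignore shell quoting
                gsub(/[&;]+$/, "", tok[i])        # ignore a glued-on & or ;
                np = split(tok[i], p, "/")
                if (!seen && np > 0 && p[np] == bin) { seen = 1; continue }
                if (seen && tok[i] == flag) {
                    printf "%d:%s\n", lineno, cmd
                    return 1
                }
            }
            return 0
        }
        /^[ \t]*#/ { next }                       # whole-line comment
        {
            if (buf == "") start = NR
            line = $0
            if (sub(/\\$/, "", line)) { buf = buf line " "; next }  # continuation
            bad += inspect(buf line, start)
            buf = ""
        }
        END {
            if (buf != "") bad += inspect(buf, start)
            exit (bad ? 1 : 0)
        }
    ' "$file"
}

# write_samples DIR: create two constructed launcher scripts to test against.
write_samples() {
    cat > "$1/stock.sh" <<'EOF'
#!/bin/sh
# constructed sample: stock launcher, flag only in a comment
# ./appEntry -fullopt &
cd /rigol
./appEntry &
EOF
    cat > "$1/modified.sh" <<'EOF'
#!/bin/sh
# constructed sample: flag added across a line continuation
cd /rigol
./appEntry \
    -fullopt &
EOF
}

# Run with --demo to audit the two constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    for f in "$d/stock.sh" "$d/modified.sh"; do
        if check_launcher "$f" appEntry -fullopt; then
            echo "$f: clean"
        else
            echo "$f: override flag present"
        fi
    done
    rm -rf "$d"
fi
```

On a real unit the file to pass would be the `/rigol/shell/start.sh` named in the post; a commented-out copy of the flag is deliberately not reported.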
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 10, 2018, 09:51:06 am
Do these things come with a text editor? Vim?  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 02:19:48 pm
The Christmas gift for all Rigol fans out here:

Go to /rigol/shell/start.sh

and add the "-fullopt" to the command line that executes appEntry (before the &).

PS: And it's not a hack. It's a feature!

How odd! That was remarkably easy to do...

No change to the 'Option list' but lots of options are now enabled...

Nice to have the 2 sig gens working, that's easy to test.
200M memory depth works
Power analysis is available

I'd be interested to know what the bandwidth was now... Off to find a decent signal generator under my desk...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 10, 2018, 02:48:25 pm
How odd! That was remarkably easy to do...

Disappointed? You wanted more of a fight...?  :popcorn:

If the bandwidth has changed to 350MHz then nobody else is going to be selling oscilloscopes to hobbyists in the next few years.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobBarter on December 10, 2018, 03:30:36 pm
Would be interested to find out if this also turns a 2 channel into 4 channel.  I assume the same technique would work on a MSO7000?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: commongrounder on December 10, 2018, 03:37:16 pm
Would be interested to find out if this also turns a 2 channel into 4 channel.  I assume the same technique would work on a MSO7000?
Was also thinking the same thing, although, for the US$99.00 difference, you get the two additional 350 MHz probes. That’s assuming they perform well for the price.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 03:40:55 pm
Can’t say if it turns a 2 channel into a 4 channel, mine is the 5074. I paid the extra 90 euros for a 4 channel as that way I got warranty on all 4 channels and an extra couple of probes. I would imagine it enables 4 channels though, can’t see why it wouldn’t.

Anybody with  a 7000 series can give it a go, it’s a very simple process.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: commongrounder on December 10, 2018, 03:45:08 pm
Can’t say if it turns a 2 channel into a 4 channel, mine is the 5074. I paid the extra 90 euros for a 4 channel as that way I got warranty on all 4 channels and an extra couple of probes. I would imagine it enables 4 channels though, can’t see why it wouldn’t.

Anybody with  a 7000 series can give it a go, it’s a very simple process.
I don’t think there are any two-channel 7000 series scopes. The base model is the 7014 four channel.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 03:50:35 pm
The software options were of more interest, and the AWGs. Plus the extra bandwidth of course.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 05:07:09 pm
Ok, all I can find is a crappy 160MHz generator.

Two screen captures attached, one before 'enhancement', one after.  Note that the fastest timebase has changed from 5ns/div to 1ns/div - that must be a clue something is going on! Signal voltage shows less attenuation after 'enhancement'.

Also note the appearance of the 2 sig gen buttons on the bottom of the screen.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 10, 2018, 05:15:12 pm
The Christmas gift for all Rigol fans out here:

Go to /rigol/shell/start.sh

and add the "-fullopt" to the command line that executes appEntry (before the &).

PS: And it's not a hack. It's a feature!
Does the license screen show the options as PERMANENT or maybe it is a 30-day demo activation?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 05:18:35 pm
The Christmas gift for all Rigol fans out here:

Go to /rigol/shell/start.sh

and add the "-fullopt" to the command line that executes appEntry (before the &).

PS: And it's not an hack. It's a feature!
Does the license screen show the options as PERMANENT or maybe it is a 30-day demo activation?

On the scope I played with there was no change to the list of displayed options. Things like the AWG's and power analysis are shown as not enabled - BUT they work.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 10, 2018, 05:21:35 pm
Does the license screen show the options as PERMANENT or maybe it is a 30-day demo activation?

It's a feature so, I think, it's independent from the license scheme. But TopLoser may provide a license menu printscreen.

If I understood correctly, the 4CH option is not activated.

BTW, what is the BND option? Was it activated?

Things like the AWG's and power analysis are shown as not enabled - BUT they work.

If that's the case, then probably all is activated...   Can someone test each of the Options to see if they are active?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 10, 2018, 05:28:57 pm
Does the license screen show the options as PERMANENT or maybe it is a 30-day demo activation?

It's a feature so, I think, it's independent from the license scheme. But TopLoser may provide a license menu printscreen.

If I understood correctly, the 4CH option is not activated.

BTW, what is the BND option? Was it activated?

Things like the AWG's and power analysis are shown as not enabled - BUT they work.

If that's the case, then probably all is activated...   Can someone test each of the Options to see if they are active?

All that I tested is activated. The BND option is the 'Option Bundle'.

Options screen is absolutely unchanged, shows same as out of the box.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: casinada on December 10, 2018, 05:35:20 pm
Does it activate all the digital decoding options?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 10, 2018, 05:35:25 pm
All that I tested is activated.

Then I think all is active completely independent from what the license menu says.

I think the options are based on the type of equipment (MSO, DS, DS5000, DS7000, etc).

So, in the DS7000 you might imagine what are the options that the "-fullopt" will enable...

Code:
00    "BW1T2"           DS7000
01    "BW1T3"           DS7000
02    "BW1T5"           DS7000
03    "BW2T3"           DS7000
04    "BW2T5"           DS7000
05    "BW3T5"           DS7000
06    "MSO"
07    "2RL"    MSO5000  DS7000
08    "5RL"             DS7000
09    "BND"    = COMP + EMBD + AUTO + FLEX + AUDIO + AERO + PWR + AWG
10    "COMP"   MSO5000  DS7000
11    "EMBD"   MSO5000  DS7000
12    "AUTO"   MSO5000  DS7000
13    "FLEX"   MSO5000  DS7000
14    "AUDIO"  MSO5000  DS7000
15    "SENSOR"
16    "AERO"   MSO5000  DS7000
17    "ARINC"
18    "AWG"    MSO5000
19    "JITTER"
20    "MASK"
21    "PWR"    MSO5000  DS7000
22    "DVM"
23    "CTR"
24    "EDK"
25    "4CH"
26    "BW07T1" MSO5000
27    "BW07T2" MSO5000
28    "BW07T3" MSO5000
29    "BW07T5"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 10, 2018, 07:06:47 pm
We have an interesting situation here now, and it will tell us what rigols intention is.

If they move to close this 'feature', then we could surmise that they don't want to allow people to hack their scopes;
If they don't, then you can assume that they are deliberately doing this.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: iMo on December 10, 2018, 07:31:20 pm
That is an intention, sure. That is a clever way how to dump and not to be subject to anti-dumping.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thesgoat on December 11, 2018, 06:32:07 am
Can’t say if it turns a 2 channel into a 4 channel, mine is the 5074. I paid the extra 90 euros for a 4 channel as that way I got warranty on all 4 channels and an extra couple of probes. I would imagine it enables 4 channels though, can’t see why it wouldn’t.

Anybody with  a 7000 series can give it a go, it’s a very simple process.
I don’t think there are any two-channel 7000 series scopes. The base model is the 7014 four channel.

Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 11, 2018, 06:46:01 am
How odd! That was remarkably easy to do...

Disappointed? You wanted more of a fight...?  :popcorn:


To be honest, yes, I'm quite disappointed as this hack is so easy that is not even funny.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 11, 2018, 06:54:30 am
Team China apparently took a different approach and patched the firmware.

I'm not sure why but I am thinking that I read rumours of this thing running up to 1GHz. Was I just dreaming?

EDIT: No, Dave posted that someone has claimed it's running up to 1GHz. That is a bit of a different level of post.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 11, 2018, 06:57:56 am
Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory...

Any chance to see the verification of 500 MHz bandwidth ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 11, 2018, 07:07:16 am
Well that's really strange. They said that it is trivial. So, how about you to ask them for the reason why they don't choose to release it now?

Btw, you have said that you're interested in embedded system security, why don't you analyze firmware yourself? The process of analysing is more fun than the answer. So, don't hesitate to wait our answer anymore. Try to find your own! LOL

simply just wanting to make sure that posting it here was ok.   And once that was ok, well, just 3 hours later their answer was posted.   It also works on the 7000 series.      Sadly rgwan, if you did hack it first, you'll never get remembered as the guy who did it. That honor goes to tv84 who published a hack first..   Now your hack, may have been different.   My suspicion is that you patched the firmware?  This would be a different approach and potentially quite interesting as well, if you'd like to share it and save face ( 留面子 )





Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 11, 2018, 07:56:19 am
Has anyone got hands on a MSO pod yet - that would be the obvious next thing to investigate
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobBarter on December 11, 2018, 08:39:54 am
To keep Rigol happy, if it wasn't for this hack I would not be considering a Rigol as my next scope, more likely RTB2000 or RTM3000 (discounted the Keysight now) but with gritted teeth due to the ridiculous option pricing).  Now firmly back in my option list (just can't decide if 5000 or 7000).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 11, 2018, 09:16:05 am
If the "hack" worked after 1 or two more patches I'd definitely go 7000 over 5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JPortici on December 11, 2018, 09:17:17 am
To keep Rigol happy, if it wasn't for this hack I would not be considering a Rigol as my next scope, more likely RTB2000 or RTM3000 (discounted the Keysight now) but with gritted teeth due to the ridiculous option pricing).  Now firmly back in my option list (just can't decide if 5000 or 7000).
you were considering a scope with a 10bit adc, now you are considering a scope that at the max amplification will be a 5-6 bit scope (1mV/div is 5mV/div digitally zoomed!) then look at how the decode and search is implemented
having options for free is tempting, but consider everything :) (maybe you don't care at all about small signals, or looking at data lines in a certain way)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MrW0lf on December 11, 2018, 10:21:59 am
you were considering a scope with a 10bit adc, now you are considering a scope that at the max amplification will be a 5-6 bit scope

Are you trying to steal the christmas? It is well established that cheap and hackable renders all other "nuances" irrelevant... :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 11, 2018, 11:10:06 am
Some people are able to recognize that they actually spend most of their time in 1 or 2 volts/div and that presence/absence of a uV range is therefore moot.

Raw bandwidth, number of channels, etc.? That never goes out of fashion.

If you need uV and massive DC offset ability then that's fine, buy a 'scope that can do it. Just don't waste your life hating on 'scopes that don't do it. Lots of people genuinely don't need it.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobBarter on December 11, 2018, 11:13:24 am
£970 vs £2500 (incl. the 50% PK1 pack) is quite persuasive but I appreciate that the R&S is the next level up.  And that comparison doesn't cover bandwidth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 11, 2018, 11:20:20 am
£970 vs £2500 (incl. the 50% PK1 pack) is quite persuasive but I appreciate that the R&S is the next level up.  And that comparison doesn't cover bandwidth.

Yep. The next step up from this is now a huge difference in price. You'll pay dearly for those little extras.

(a bit like the next step up from the DS1054Z was huge until that Siglent came along)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 11, 2018, 11:25:59 am
£970 vs £2500 (incl. the 50% PK1 pack) is quite persuasive but I appreciate that the R&S is the next level up.  And that comparison doesn't cover bandwidth.
Yep. The next step up from this is now a huge difference in price. You'll pay dearly for those little extras.
I wouldn't call protocol decoding which is actually working a 'little extra' if you need this kind of functionality. It is kind of buying a car without windscreen wipers. If it never rains that will be OK but if you drive through rain regularly then such a car will become useless real quick.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 11, 2018, 11:45:58 am
I wouldn't call protocol decoding which is actually working a 'little extra' if you need this kind of functionality.

It's very easy to not buy one of these if those are your needs.

It is kind of buying a car without windscreen wipers. If it never rains that will be OK but if you drive through rain regularly then such a car will become useless real quick.

No it isn't. It's more like buying a car that can't fit a sofa in the back - useless if you're a removal man but fine for most people.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MrW0lf on December 11, 2018, 11:49:35 am
Lots of people genuinely don't need it.

Most people actually do not need new scope at all, but then suddenly something black with pink ring around female connector surfaces... Pretty dirty (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1954405/#msg1954405) move!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 11, 2018, 12:20:51 pm
Note that channel 3 costs extra.  :popcorn:

(who says Rigol doesn't understand marketing?)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 11, 2018, 03:33:29 pm
Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory...

Could you upload a pic of your licensing menu? Just for comparison with 5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pascal_sweden on December 11, 2018, 04:14:49 pm
Lots of people genuinely don't need it.

Most people actually do not need new scope at all, but then suddenly something black with pink ring around female connector surfaces... Pretty dirty (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1954405/#msg1954405) move!

Channel 3 = Input channel or Pay-TV channel? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jnz on December 11, 2018, 06:05:12 pm
If they patch the bugs, and don't fully close the hacking options, I'll replace both my older Teks with them without blinking.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 11, 2018, 06:35:39 pm
Channel 3 = Input channel or Pay-TV channel? :)

Pay-per-Use
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 11, 2018, 06:40:13 pm
If they patch the bugs, and don't fully close the hacking options, I'll replace both my older Teks with them without blinking.

I sort of go the same way. IF they fix the bugs, I'll buy one for my garage replacing a fluke scopemeter.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 12, 2018, 05:24:38 pm
Any news on whether the hack upgrades the bandwidth?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 12, 2018, 05:29:27 pm
Any news on whether the hack upgrades the bandwidth?

Above someone showed the amplitude increased on a 160MHz sine after applying option so it seems like it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 12, 2018, 09:26:16 pm
Do you mean if it upgrades it past 350Mhz.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bson on December 13, 2018, 12:03:39 am
Nope, there's only root under /etc/passwd and the sshd_config is all commented out except UsePrivilegeSeparation no directive. Shadow is empty.
They don't seem to have disabled key based authentication, so it might be possible to drop a public key into ~root/.ssh/authorized_keys and use that to circumvent the password check for ssh.  Assuming you can write to ~root/.ssh.

Edit: oh, nvm I see now the secret password was much of a secret. :)  But this might be useful to keep in mind when dealing with other systems where you can write to ~root/.ssh but don't have the password to login.
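An added example, not part of the post above and not Rigol's code: a small audit that flags the state this post describes (every sshd_config directive commented out except UsePrivilegeSeparation no, a single root account, an empty shadow file) and shows a corrected configuration passing. The policy in EXPECTED and all file contents, including the root entry, are constructed assumptions.

```python
# Added example: audit of the sshd/account state described in the post.
# All file contents below are constructed samples, not dumps from a scope.

# Assumed policy for a networked instrument: these directives must be set
# explicitly, to one of the listed values.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
}

# Constructed: everything commented out except UsePrivilegeSeparation no.
SHIPPED_SSHD = """\
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
UsePrivilegeSeparation no
"""
# Constructed: policy applied, root reachable by key only.
HARDENED_SSHD = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""
# Constructed account files; the hash is a dummy, the page shows no entry.
SHIPPED_PASSWD = "root:$1$constructed$0000000000000000000000:0:0:root:/root:/bin/sh\n"
HARDENED_PASSWD = "root:x:0:0:root:/root:/bin/sh\n"
HARDENED_SHADOW = "root:!:17000:0:99999:7:::\n"


def parse_sshd_config(text):
    """Return {directive: value} for active lines only (Match blocks ignored).
    sshd keeps the first value it sees for a directive, so do the same."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        active.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return active


def audit_sshd(text):
    """List directives that rely on compiled-in defaults or break the policy."""
    active = parse_sshd_config(text)
    findings = []
    for key, accepted in EXPECTED.items():
        got = active.get(key)
        if got is None:
            findings.append(f"{key}: not set, compiled-in default applies")
        elif got.lower() not in accepted:
            findings.append(f"{key}: set to {got!r}")
    if active.get("useprivilegeseparation", "").lower() == "no":
        # Turns privilege separation off on sshd builds that still honour it.
        findings.append("useprivilegeseparation: explicitly disabled")
    return findings


def audit_accounts(passwd_text, shadow_text):
    """Flag uid 0 accounts whose password is empty, missing or kept in passwd."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[2] != "0":
            continue
        name, pw, where = fields[0], fields[1], "passwd"
        if pw == "x":
            pw, where = shadow.get(name), "shadow"
            if pw is None:
                findings.append(f"{name}: uid 0, passwd points to shadow but no entry there")
                continue
        if pw == "":
            findings.append(f"{name}: uid 0 with empty password ({where})")
        elif pw.startswith(("!", "*")):
            continue  # locked password: key-based login only
        elif where == "passwd":
            findings.append(f"{name}: uid 0, hash kept in world-readable passwd")
    return findings


if __name__ == "__main__":
    for label, cfg, pw, sh in (
        ("shipped", SHIPPED_SSHD, SHIPPED_PASSWD, ""),
        ("hardened", HARDENED_SSHD, HARDENED_PASSWD, HARDENED_SHADOW),
    ):
        print(label, audit_sshd(cfg) + audit_accounts(pw, sh))
```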
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 13, 2018, 01:14:50 pm
-“It appears Rigol’s engineers are designing their products to capitalize on the hacker’s proclivity to buy their tools to get the ‘free’ upgrade. This, of course, sounds just slightly insane, but no one seems to mind.”

It’s just an old marketing trick.

Suppose you want people to buy your products over a competitor’s. You add some bells and whistles to your product to offer more value and differentiate yourself on the market, but that also increases the price slightly and people don’t really need the extra features, so they won’t choose your product over simpler and cheaper competing products.

What then? Well, you pretend that the extra features are really really expensive high tech by locking them out and selling a “professional” version at many times the price. Then you let it slip that the features can be hacked into use on the “cheaper” models.     I am quite confident that the first 'claim' of the hack ( though unverified ) was exactly this. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 13, 2018, 02:43:46 pm
It’s just an old marketing trick.

Siglent has been using PRO_MODE all these years... Which is precisely the same thing.

I am quite confident that the first 'claim' of the hack ( though unverified ) was exactly this.

Don't agree. I believe it was a true "hack" and it came up, when it did, only because its authors had ruined the FRAM mem and were looking for someone who could provide a copy in exchange. If it were not for that detail, we would know about it only in a few months' time.

And, in no place I saw evidence that they were aware of the built-in feature.

Of course, having a equipment with a special S/N didn't help the cause...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 13, 2018, 02:51:15 pm
Wish Dave will do a video on hacking this new Rigol, and do the verification on the hack, like he did while ago on DS1052E.  :P

https://youtu.be/LnhXfVYWYXE
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 13, 2018, 02:54:47 pm
verification on the hack

It's a built-in feature. Not an hack!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 13, 2018, 02:58:05 pm
verification on the hack

It's a built-in feature. Not an hack!

Oh, ok, I stand corrected, actually this is even better, just apply the "fix" then verify if enabled features  are working, especially the bandwidth increase.  >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on December 13, 2018, 03:33:37 pm
-“It appears Rigol’s engineers are designing their products to capitalize on the hacker’s proclivity to buy their tools to get the ‘free’ upgrade. This, of course, sounds just slightly insane, but no one seems to mind.”

Write my words on the wall: no conspiracy marketing tricks here, all of this is just because the Chinese do not know any better than copy each other without understanding how the code they copy works. I predict we will continue see stupid things like this one for the years ahead.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 13, 2018, 05:32:42 pm
Broad brush generalisations about one race's abilities are just that. Generalisations.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on December 13, 2018, 06:01:46 pm
Write my words on the wall: no conspiracy marketing tricks here, all of this is just because the Chinese do not know any better than copy each other without understanding how the code they copy works. I predict we will continue see stupid things like this one for the years ahead.
I sense too much xenophobia in this post...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on December 13, 2018, 06:05:04 pm
Write my words on the wall: no conspiracy marketing tricks here, all of this is just because the Chinese do not know any better than copy each other without understanding how the code they copy works. I predict we will continue see stupid things like this one for the years ahead.
I sense too much xenophobia in this post...

I don't think he's afraid of the chinese, that's ridiculous. That's a horribly stupid word people started over using. He's just racist against the chinese.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on December 13, 2018, 06:18:07 pm
I don't think he's afraid of the chinese, that's ridiculous. That's a horribly stupid word people started over using. He's just racist against the chinese.
No it is absolutely not ridiculous. But this is OT in this thread (and perhaps even on this forum altogether).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 13, 2018, 10:00:17 pm
Broad brush generalisations about one race's abilities are just that. Generalisations.
It is not about race but about how a country is being run. The Chinese educational system for example suppresses critical and out-of-the-box thinking. Basically killing any creativity needed to come up with a novel product.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 14, 2018, 11:11:58 am
The Chinese educational system for example suppresses critical and out-of-the-box thinking.

With 100% success rate, right?

(and I'm not sure the educational system in many other countries actively promotes critical thinking - look at the percentage of people in 'developed' countries who believe homeopathy works or that gods are real things).
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 14, 2018, 01:40:29 pm
The Chinese educational system for example suppresses critical and out-of-the-box thinking. Basically killing any creativity needed to come up with a novel product.

Most educational systems in fact do this, it's not just a chinese thing.   Fortunately out of the population there are always a few free minded individuals who say "MEH to that" and go and be creative anyway.   An above average number seem to lurk around here though.  :)

Some  interesting inventions that the chinese were responsible for included;

Paper, Movable type printing, GunPowder, The compass, Alcohol, Clocks, Tea Production, Silk, Umbrellas, Iron Smelting, Bronze, Kites, Growing food in rows, Toothbrushes, and paper money.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: The Doktor on December 14, 2018, 02:01:52 pm
Some  interesting inventions that the chinese were responsible for included;

Paper, Movable type printing, GunPowder, The compass, Alcohol, Clocks, Tea Production, Silk, Umbrellas, Iron Smelting, Bronze, Kites, Growing food in rows, Toothbrushes, and paper money.

So nothing of any real value?  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 14, 2018, 02:03:42 pm
Certainly not in this thread. Take it elsewhere please?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 14, 2018, 02:53:26 pm
I think it's helpful in the background information for working out why Rigol have released a product in the way they have. Understanding the motivation often will provide clues about implementation of a solution.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 14, 2018, 03:35:38 pm
Paper, Movable type printing, GunPowder, The compass, Alcohol, Clocks, Tea Production, Silk, Umbrellas, Iron Smelting, Bronze, Kites, Growing food in rows, Toothbrushes, and paper money.
:palm: The Egyptians built pyramids long before that. Look at them today. Roman empire: same story. You have to look at the more recent history to see why the Chinese need to catch up so much when it comes to engineering and producing a good product.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 14, 2018, 04:06:52 pm
Certainly not in this thread. Take it elsewhere please?

+1

C'mon guys, please, this is technical thread, please take your hate on the Rigol's product and also xenophobic stuffs  :palm: out of here, again, please.

Also for the Rigol competing parties, you know who you are, even you keep pretending to be casual end user, it isn't nice to keep bashing this product in this particular "technical" discussion if you don't have any interest on it.

Totally understand you feel really threatened by this Rigol's move, that probably may affect your sales on Rigol competing brand scope that you're selling, again, this is not the right place.

"Constantly" bashing this product and Rigol brand ? Please, again pretty please, vent it here at the official Dave's video blog thread ..

 -> EEVblog #1146 - New Low Cost Rigol MSO5000 Oscilloscope (https://www.eevblog.com/forum/blog/new-rigol-scope/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 14, 2018, 04:31:22 pm
Rigol needs to recover the $$$ from the custom ASIC R&D and using them in as many models as possible makes a lot of sense
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 14, 2018, 05:43:15 pm
I think it's helpful in the background information for working out why Rigol have released a product in the way they have.

Simple: They've been allowing hacks for many years now and know the economics, numbers and demographics of the people doing it.

They know it makes business sense to sell oscilloscopes that way.

ie. They'd rather sell one of these to hacker and make $100 than watch that same hacker buy a Siglent.

PS: What would be the BOM on one of these? I bet they still make a couple of hundred bucks even if they sell one for $999.

(and most people will  pay $999 for a "four channel" model just to get four decent probes)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 14, 2018, 10:56:44 pm
Rigol needs to recover the $$$ from the custom ASIC R&D and using them in as many models as possible makes a lot of sense

Indeed, the FW has references and looks like it can be used for:

DS/MSO5000, DS/MSO7000, DS/MSO8000 and DS/MSO9000

The app can even be called with the parameter -ds8000 but I have no feedback on what are the consequences besides slightly changing the Info Version menu. If anyone discovers that, please share.

(https://i.ibb.co/ZgyNQ2h/Rigol-MSO5000-ds8000-fullopt.jpg)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 14, 2018, 11:06:28 pm
Is the same firmware used on the 5000 and 7000 models or do we need to wait for a 5000 version update to know that?

Keysight 2000 and 3000 series used same firmware so I guess it’s possible?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 14, 2018, 11:22:18 pm
Interesting times ahead... Rigol seem to have their future planned round this chipset so frequent updates should be assured.

I’m hoping to get access to a 3 GHz signal generator soon, have the ‘fully featured’ 5074 sweep it with the enabled AFG and see what the response is.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on December 15, 2018, 12:08:53 am
Confirming the rather funny ssh root/root situation.

Couple DS7000s we got at work today. Walked right in. SCP'd some nice screen saver images over while I was in there. Being they're work machines, I didn't want to run right into using --fullopt. Instead, prolly spend Monday picking through what that touches.

Eyeballing a DS5000 right now. Dim screen reports have me a little worried though. It's a different screen than the 7k, so can't use it for reference (which, in person, is fairly decent screen wise).

Those BW strcpy's are a little funny. 4G.....Rigol seems pretty optimistic in the future it seems :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 15, 2018, 08:52:23 am
Couple DS7000s we got at work today. Walked right in. SCP'd some nice screen saver images over while I was in there. Being they're work machines, I didn't want to run right into using --fullopt. Instead, prolly spend Monday picking through what that touches.

You don't need to make any change. Just get in, kill the app and launch it with the parameter. It's "safe", it's a feature.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 15, 2018, 10:46:32 am

the root/root is the default user/pass that Xilinx use in their linux distributions.    It appears Rigol didn't bother to change it.


Confirming the rather funny ssh root/root situation.

Couple DS7000s we got at work today. Walked right in. SCP'd some nice screen saver images over while I was in there. Being they're work machines, I didn't want to run right into using --fullopt. Instead, prolly spend Monday picking through what that touches.

Eyeballing a DS5000 right now. Dim screen reports have me a little worried though. It's a different screen than the 7k, so can't use it for reference (which, in person, is fairly decent screen wise).

Those BW strcpy's are a little funny. 4G.....Rigol seems pretty optimistic in the future it seems :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: martin.hoeer on December 16, 2018, 09:42:10 pm
@TV84

Please let me know where to enter /rigol/shell/start.sh and the other stuff. I tried ultrasigma and Putty but was not successful.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 16, 2018, 10:30:05 pm
I downloaded PUTTY and connected to the IP address that my MSO5000 displayed on the interface info page. Use SSH on default port 22.

Enter the ‘root’, ‘root’ as username and password.

Usual linux ‘cd /rigol/shell’ command to get to the correct directory

Then ‘vi start.sh’ to edit the file

Google VI to find out how to edit the file, it’s not that bad.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: orion242 on December 17, 2018, 01:59:52 am
Somewhat of a disappointment.  Was hoping to hear the long story on breaking this guy.

Now with info at hand, I'm left wondering do I go MSO7x or MSO5x.  I had the original 1054 and when the 'Z' came out, quickly swapped out.  So 5x or 7x has me ready to again upgrade in the Rigol path.  Would be nice to see Dave address current state of things.

Sells scopes, IMO.   I may not need it at the hobby level, but I want it at the price....  Bigger screens, big plus alone.  Should be able to get a few bucks for what I have currently.  Its an interesting path to market.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MrW0lf on December 17, 2018, 09:53:05 am
Now with info at hand, I'm left wondering do I go MSO7x or MSO5x.

Note that 7 has just as slow FFT as 5 looking at random demo videos. Far slower than Zynq based or PC scopes. At price point they sell 5 it is more or less understandable but for 7 bit weird. Dunno if it can be made better with firmware tweaks or processing power is just not there.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 17, 2018, 10:51:52 am
The GEL file format for this iteration may be different from previous versions (https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg982910/#msg982910). The python scripts that were used previously don't seem to make much sense.

Anyone got any tips. 


C:\Users\OEM\Downloads>python unpack.py rigolfirmware\firmware.gel.tar
instrument series:      fw4linux.sh
firmware version:
updateType:     0x00000000
found 0 files

writing /header  (40 bytes)

original filesize:      70021120
bytes processed:        40

C:\Users\OEM\Downloads>
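An added example, not part of the post above and not the unpack.py it ran: the output shows the old parser printing "fw4linux.sh" as the instrument series and stopping after 40 of 70021120 bytes, which is what would happen if the file were a plain tar archive, since a tar header begins with the member name. That reading is an inference from the output; the sketch below checks a file's container type before any format-specific parser runs and lists members without extracting them. The sample archive and the member name payload.bin are constructed.

```python
# Added example: identify the container before parsing, list without extracting.
import io
import tarfile

BLOCK = 512          # tar header block size
USTAR_OFFSET = 257   # position of the "ustar" magic in a POSIX tar header


def tar_header_checksum_ok(block):
    """Check the header checksum: the sum of all 512 bytes with the 8-byte
    checksum field at offset 148 counted as spaces."""
    if len(block) < BLOCK:
        return False
    try:
        stored = int(block[148:156].strip(b" \0"), 8)
    except ValueError:
        return False
    calc = sum(block[:148]) + 8 * 0x20 + sum(block[156:BLOCK])
    return calc == stored


def identify_container(data):
    """Return 'tar' only if both the magic and the checksum agree."""
    head = data[:BLOCK]
    magic_ok = head[USTAR_OFFSET:USTAR_OFFSET + 5] == b"ustar"
    if magic_ok and tar_header_checksum_ok(head):
        return "tar"
    return "unknown"


def first_header_name(data):
    """The NUL-terminated name field a naive fixed-offset parser would read."""
    return data[:100].split(b"\0")[0].decode("ascii", "replace")


def list_members(data):
    """List (name, size, flag) for each member; nothing is written to disk.
    Names that are absolute or contain '..' are flagged, since extracting
    them blindly would write outside the target directory."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf:
            unsafe = m.name.startswith("/") or ".." in m.name.split("/")
            out.append((m.name, m.size, "unsafe-path" if unsafe else "ok"))
    return out


def build_sample(members):
    """Build a constructed tar archive in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, body in members:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample: first member named as in the output above, second
# member name is hypothetical.
SAMPLE = build_sample([("fw4linux.sh", b"#!/bin/sh\n"), ("payload.bin", b"\0" * 32)])

if __name__ == "__main__":
    print(identify_container(SAMPLE), first_header_name(SAMPLE))
    for row in list_members(SAMPLE):
        print(row)
```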

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: martin.hoeer on December 17, 2018, 02:03:12 pm
@TopLoser

Thank you for your description. With Putty, I can successfully connect to my MSO5104. It answers the command *IDN? correctly. But I have not been able to gain 'root' access to proceed with the other steps. Can you help me?

Thank you.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on December 17, 2018, 02:08:05 pm
@TopLoser

Thank you for your description. With Putty, I can successfully connect to my MSO5104. It answers the command *IDN? correctly. But I have not been able to gain 'root' access to proceed with the other steps. Can you help me?

Thank you.

Martin

Are you connecting with SSH on port 22?  Sounds like you may be using port 5555.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 17, 2018, 02:33:23 pm
Thank you for your description. With Putty, I can successfully connect to my MSO5104. It answers the command *IDN? correctly.

You're on the wrong port. That's not command shell access, it's SCPI access.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 17, 2018, 03:59:57 pm
Yes, use SSH on port 22.

Missed that info out as my scope is 5000 miles away at the moment. I’ve updated the post I made.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: riccardo.pittini on December 17, 2018, 05:52:11 pm
Has someone tried to verify if the "upgrade" enables also the other two channels on the MSO5XX2?  ^-^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: martin.hoeer on December 17, 2018, 05:53:07 pm
Guys,

thank you for your speedy replies.

With  Putty set to SSH and port 22, I get the reply 'login as:'.
When I enter 'admin', I get the following request: 'admin@'IP address of my scope' password:'.
When I enter 'rigol' I get the reply 'Access denied.'

I thought this was the standard user name and password to be used.

I appreciate your patience with me and look forward to your replies.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: darthcloud on December 17, 2018, 05:54:09 pm
Come on read the thread..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 17, 2018, 05:58:23 pm
when it says login as:   use root
when it asks for password:  use root

 

Guys,

thank you for your speedy replies.

With  Putty set to SSH and port 22, I get the reply 'login as:'.
When I enter 'admin', I get the following request: 'admin@'IP address of my scope' password:'.
When I enter 'rigol' I get the reply 'Access denied.'

I thought this was the standard user name and password to be used.

I appreciate your patience with me and look forward to your replies.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 17, 2018, 06:24:25 pm
Has someone tried to verify if the "upgrade" enables also the other two channels on the MSO5XX2?  ^-^

No they haven’t, but tv84 thinks it won’t.  I’m not sure it’s worth saving 90 euros to find out the hard way. Buy the 4 channel model and you get 2 extra 350MHz probes and a warranty that covers all 4 channels.

But it would be interesting to have somebody verify it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: iMo on December 17, 2018, 07:10:40 pm
when it says login as:   use root
when it asks for password:  use root
when it says "login as" use: root
when it asks for "password" use: root
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 17, 2018, 07:59:38 pm
when it says login as:   use root
when it asks for password:  use root
when it says "login as" use: root
when it asks for "password" use: root

Dunno why, seeing this thread title with the word "hacking" and reading these replies, made me chuckle.  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on December 17, 2018, 08:23:15 pm
when it says login as:   use root
when it asks for password:  use root
when it says "login as" use: root
when it asks for "password" use: root

Dunno why, seeing this thread title with the word "hacking" and reading these replies, made me chuckle.  :-DD

Yes, for now it should be titled "Logging into the MSO5000", no real hacking going on, yet...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 17, 2018, 08:59:52 pm
I’m not sure it’s worth saving 90 euros to find out the hard way. Buy the 4 channel model and you get 2 extra 350MHz probes and a warranty that covers all 4 channels.

I'm sure that's what Rigol was thinking when they planned this - get an extra 100 bucks out of everybody (I'm sure their probes don't cost even 10 bucks to manufacture).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on December 17, 2018, 11:24:42 pm
Confirmed on a MSO7k. Removed with no apparent ill effects. Being slightly more legal and taking the "free decodes package" thing Rigol is doing right now since it's not mine, and I'd rather not get wrapped up in a debacle of enterprise machines with "grey zone" licenses. Good to know this DOES work though, even if it's hilariously easy and involved no true hacking. I would think that's what Rigol is banking on. Enterprise won't do it (much), but hobbyists will make a run on every tech store they can for ones to hack up.

Sadly, the MSO5074 I ordered from TEquip wasn't quite as in stock as I may have been led to believe (or one of you buggers gigged me in the few hours between the quote and hitting buy  |O :palm: ). Ah well, working for uncle sam has taught me extreme patience :P

I am a little concerned about all this "MSO5k is dim" stuff though. The DS7k screen I can say is rather nice, enough so my boss, who has a rather 'spense MDO4k, has made jokes of swapping them when I'm not looking. Here's hoping Rigol didn't go mega cheap on the panel. A crappy display would color the entire experience.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 17, 2018, 11:50:55 pm
I am a little concerned about all this "MSO5k is dim" stuff though.
It looks like everybody wants a more challenging hack... Make the LCD LED backlight adjustable, it might be an interesting hack project
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Dwaine on December 18, 2018, 12:41:32 am
I had the same thought about the LCD screen.  It's great that their scope can be hacked.  Too bad you can't see the wiggly lines.  Question is....  How did that get out of the door like that?   Someone at Rigol must of said to themselves "Geezzz that display is kinda dark is it not?"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 18, 2018, 08:25:48 am
I had the same thought about the LCD screen.  It's great that their scope can be hacked.  Too bad you can't see the wiggly lines.  Question is....  How did that get out of the door like that?   Someone at Rigol must of said to themselves "Geezzz that display is kinda dark is it not?"

Think how noisy the fans are, someone at Rigol must of said to themselves "Geezzz that fan is kinda noisy is it not?"

But yeah, should be easy to mod. Maybe just change a resistor.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 18, 2018, 08:32:04 am
How many people who are complaining about the screen being dim have actually seen one?

The one I’ve got seems just fine, I wouldn’t have made any comment about it at all. Some of the buttons are a bit too small and ‘squishy’ for my liking but the screen is fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 18, 2018, 10:46:28 am
Hi,

The Display is not too dark :

https://www.eevblog.com/forum/blog/new-rigol-scope/440/
(post #440)

Increase a little bit the grid intensity and it looks alright.
Not the brightest thing but alright, otherwise you can plug in a ext. display via the hdmi port.
Or a beamer... ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 18, 2018, 10:56:50 am
Hi,

The Display is not too dark :

https://www.eevblog.com/forum/blog/new-rigol-scope/440/
(post #440)

ie. This one: https://www.eevblog.com/forum/blog/new-rigol-scope/msg2047141/#msg2047141

(https://s15.directupload.net/images/181217/rdizjnmz.jpg)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on December 19, 2018, 12:57:23 am
Hmm, doesn't seem too bad!

Sort of hard to tell with all the different exposures :P But next to a Lecroy gives some reference.

So long as it's usable outside (maaaybe not direct sunlight though). If it's anything like a less glossy DS7k, it'll be fine.

Then we'll get to see side by side at the lab how they compare....soon....ish....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on December 19, 2018, 01:07:23 am
Hmm, doesn't seem too bad!

Sort of hard to tell with all the different exposures :P But next to a Lecroy gives some reference.
LeCroy WS3000 = Siglent SDS3000.......now quite old model, both versions updated to X versions with faster WFMS and greater mem depth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 20, 2018, 06:48:20 am
eevblog is famous. Again. 

https://hackaday.com/2018/12/19/rigol-mso5000-hacked-features-unlocked/

In other news, most distributors of Rigol are out of stock of the MSO5074.   :-) what a surprise.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 20, 2018, 04:33:06 pm
Yep,

Only the 200 and 350Mhz models are on stock, i.e. by batronix.
With all options "for free" you can save a little bit more and buy the 5072 instead the 5074.
I think rigol won't care about this, schools and other public institutions won't buy the cheapest and hack it.
If they need 200Mhz they'll buy it.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 20, 2018, 04:40:43 pm
With all options "for free" you can save a little bit more and buy the 5072 instead the 5074.

...if you've got some spare 350Mhz probes for the other two channels.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JDubU on December 20, 2018, 05:59:48 pm
...if you've got some spare 350Mhz probes for the other two channels.

The difference in cost between the 5074 and the 5072 is about the same as the cost of the two extra Rigol PVP2350 probes ($90 vs $94 USD).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Harjit on December 20, 2018, 06:03:16 pm
The Siglent SDS1104X-E seems sufficient for my needs. Any reason to buy the Rigol MSO5074 and then unlock features?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 20, 2018, 06:17:25 pm
The Siglent SDS1104X-E seems sufficient for my needs. Any reason to buy the Rigol MSO5074 and then unlock features?

More bandwidth? More memory? Built-in signal generator?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Romain on December 20, 2018, 06:20:10 pm
With all options "for free" you can save a little bit more and buy the 5072 instead the 5074.
Is that guaranteed?
Here in the UK the 5074 is about 130 USD more expensive than the 5072. Would love to have confirmation that the "upgrade" works for 2ch to 4ch!  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 06:22:18 pm
Only the 200 and 350Mhz models are on stock, i.e. by batronix.

With all options "for free" you can save a little bit more and buy the 5072 instead the 5074.

Telonic in the UK have plenty of the 5074 in stock.

Has anybody confirmed that you can enable the extra 2 channels of a 5072 with the 'feature'? If not then you have to spend a lot more than 90 euro at a later date to enable them if you want them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 08:02:33 pm
Ok... time to get the thread back on the topic of hacking...

Couple of xrays of the MSO pod. It's not just a fancy bit of wire, it is active and has IC's in it at the probe end. Doesn't look like it's 'intelligent' active like the R&S one which had a PIC in it if I remember correctly.

Anybody fancy guessing what these 8 (identical I assume) IC's might be? Or do I have to get all medieval on it, no screws or clips unfortunately...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:11:45 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 08:13:43 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 20, 2018, 08:14:08 pm
Quote
Is that guaranteed?

It was just my thoughts because of "all options free" - If the bandwidth is up to 350Mhz, the Memory up to 200M.....why shouldn't be the 2 channels unlocked as well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:15:34 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.

LMH7322 matches the package - hard to see if the pinouts are right from the x-ray
http://www.ti.com/lit/ds/symlink/lmh7322.pdf
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:17:23 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.
ADCMP567 has 32 pins , x-ray shows 24
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 08:19:37 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.
ADCMP567 has 32 pins , x-ray shows 24

I can't count, sorry.

Closer xray attached. I can get closer and tweak settings if it helps.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:24:59 pm
As there's no processor or eeprom in there, the functionality is likely to be enabled by a pullup or pulldown on the connector - shouldn't be hard to find with some poking around with a 100R resistor to avoid smoke.
Power outs should be easy to find.
If you get the digital menus working, you can then tweak thresholds and see which pin(s) set this.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on December 20, 2018, 08:28:25 pm
They'll be dual differential output (LVDS or ECL) comparators. Shouldn't be too hard to find

ADCMP567 a possibility? 2 channel, right number of pins.
ADCMP567 has 32 pins , x-ray shows 24

I can't count, sorry.

Closer xray attached. I can get closer and tweak settings if it helps.
All the pinouts I can see are consistent with LMH7322
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 20, 2018, 08:29:29 pm
Functionality is enabled in the scope even without it plugged in, just hit the LA button and you get all the options available.

Looks like it's an easy enough design to knock together for cheap then, if anybody can be arsed.

I'll have another look at what's holding the case together, it's not responded to force so far.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on December 20, 2018, 10:41:17 pm
Is it simple enough to DIY the logic analyzer header? A few hundred bucks from RIGOL otherwise!  :o
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tinhead on December 20, 2018, 11:03:27 pm
The Christmas gift for all Rigol fans out here:
...
PS: And it's not an hack. It's a feature!

great, i have read this thread a bit, but oversaw your post, and ordered day later SDS1204X-E instead of Rigol (due to 4 vs 2 channels).
Anyway, will do it as eastern gift ^^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 21, 2018, 11:16:16 am
Anybody fancy guessing what these 8 (identical I assume) IC's might be? Or do I have to get all medieval on it, no screws or clips unfortunately...

Normally they're comparators with selectable references for all the different voltages in the menu:

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=601918;image)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 21, 2018, 11:18:19 am
I concur with mikelectricstuff about the https://www.ti.com/lit/ds/symlink/lmh7322.pdf, good catch!... not entirely sure on the shorted latch pins though (LEA, (not LEA) and VCCOA) since not all QFN footprints have the 3 "shorted" legs on the same pins, perhaps some of the parts have different orientations on the board? Other intended functions or just routed differently on the PCB?

I also wonder if TopLoser could get some of the values of the passives by probing the pins of the probe and get some cap/resistance values out of it so that we can compare it with the typical applications on the aforementioned datasheet?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainstorm on December 21, 2018, 11:20:16 am
For the people wondering about the MSO5072 being "upgradeable" to 4ch via the magic flag... all that needs to be said is: yep ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: madmac on December 21, 2018, 11:52:52 am
Had a quick look at the 50 way logic connector while having coffee

0V     X    X    D7P
D7N   X    X    D6P
D6N   X    X    D15P
D15N  X    X    D14P
D14N  X    X    D0V

0V     X    X    D5P
D5N   X    X    D4P
D4N   X    X    D13P
D13N  X    X    D12P
D12N  X    X    0V

0V     X    X    D3P
D3N   X    X    D2P
D2N   X    X    D11P
D11N  X    X    D10P
D10N  X    X    0V

0V     X    X    D1P
D1N   X    X    D0P
D0N   X    X    D9P
D9N   X    X    D8P
D8N   X    X    0V

4V0    X    X    0V
4V0    X    X    2V4
D0-7V X    X    D8-15 VREF   10:1 INPUT  +/- 1V5
-2V5   X    X    0V
0V     X    X    DETECT  LOW FOR PROBE ATTACHED


Input range is +/- 15 volts.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: madmac on December 21, 2018, 11:54:47 am
Should have added top of table is power on off side   and  lower pin  X   X  upper pin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 21, 2018, 11:57:01 am
Had a quick look at the 50 way logic connector while having coffee

...
D0-7V X    X    D8-15 VREF   10:1 INPUT  +/- 1V5
...


If the reference voltages come from the 'scope then that makes it a lot easier.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on December 21, 2018, 05:41:13 pm
For the people wondering about the MSO5072 being "upgradeable" to 4ch via the magic flag... all that needs to be said is: yep ;)

Started to see the 4 chan out of stock in Canada, I suspect the 2 channel will follow suit now.

Genius marketing move. I'm not even in the market for a scope and I'm considering one...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 21, 2018, 06:13:12 pm
Anybody who thinks the hackers are getting something for free has it all ass-backwards.

The hackers are paying the regular price, it's all the businesses and educational institutions that are paying extra.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 21, 2018, 06:43:44 pm
Quote from: Fungus link=topic=154682.msg2058286#msg2058286
The hackers are paying the regular price, it's all the businesses and educational institutions that are paying extra.

I'm not so sure. Let's wait until the real hacking begins.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 21, 2018, 07:08:37 pm
Quote from: Fungus link=topic=154682.msg2058286#msg2058286
The hackers are paying the regular price, it's all the businesses and educational institutions that are paying extra.

I'm not so sure. Let's wait until the real hacking begins.

OK, maybe not all.  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 21, 2018, 07:36:54 pm
The hackers are paying the regular price, it's all the businesses and educational institutions that are paying extra.
I'm pretty sure sane businesses and educational institutes are going to wait until the hobbyists bought enough units so Rigol finishes the firmware. It also depends on whether Rigol blocks the extremely simple workaround (it isn't even a hack) to enable all features in a future firmware update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on December 21, 2018, 07:48:38 pm
I feel like removing the firmware hack would tank potential hobbyist sales? This might not be much, but again, in a world where hobbyists aren't buying the high end features, and institutions are, it's just icing on the cake to attract that market.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 21, 2018, 07:55:18 pm
I feel like removing the firmware hack would tank potential hobbyist sales? This might not be much, but again, in a world where hobbyists aren't buying the high end features, and institutions are, it's just icing on the cake to attract that market.
When I read the posts in the test equipment section I get the feeling there are quite a few hobbyists out there which spend several $k on a single piece test equipment. This market isn't big but it does seem to exist.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 21, 2018, 07:59:18 pm
Simply removing the feature is not a show stopper. We now know it can be done.  :popcorn:

What I would like to know is: how similar is the HW in the 5000 and 7000 models? Can someone please elaborate?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 21, 2018, 08:12:54 pm
I guess Rigol and its big distributors are watching the market, observing and going to conclude whether next move will be to lock or keep it open.

For sure they will at least get the free marketing and gathered accurately on the market reaction on this price level.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 22, 2018, 04:59:25 pm
I guess Rigol and its big distributors are watching the market, observing and going to conclude whether next move will be to lock or keep it open.

They've had ten years to make that decision before launching this one.

I'm guessing DS1054Z sales already showed the economics work just fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 22, 2018, 11:03:41 pm
I am between two chairs…

Buying the option bundle which costs about 700€ incl. tax don't worry me.
The memory upgrade.... I'm not interested in - 100M standard is more than enough.
But the bandwidth upgrades..
The price killing me as an owner of a 5074.
Buying the options but hacking the bandwidth, this is in my mind, weird… ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 22, 2018, 11:10:37 pm
Maybe an ‘extended trial’ would be an acceptable option for you  ;)

Bear in mind that Rigol will offer a ‘free option bundle’ for these scopes at some time in the future. That would make you pretty upset if you paid for the bundle already...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 23, 2018, 10:21:52 am
I am between two chairs…

Buying the option bundle which costs about 700€ incl. tax don't worry me.
The memory upgrade.... I'm not interested in - 100M standard is more than enough.
But the bandwidth upgrades..
The price killing me as an owner of a 5074.
Buying the options but hacking the bandwidth, this is in my mind, weird… ;)

Don't understand your dilemma.  ??? The fullopt provides max BW and options simultaneously. If you have extra cash, go for the 7000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 23, 2018, 11:43:02 am
I am between two chairs…

Buying the option bundle which costs about 700€ incl. tax don't worry me.
The memory upgrade.... I'm not interested in - 100M standard is more than enough.
But the bandwidth upgrades..
The price killing me as an owner of a 5074.
Buying the options but hacking the bandwidth, this is in my mind, weird… ;)
I don't get it. You bought this for private use didn't you? If yes, then hack it and be done with it.

I also understand that you aren't very happy with the current state of the firmware. Don't make the mistake I made in trusting firmware issues will be fixed soon. If you are going to spend more cash then buy a scope which works out of the box right now. When I was in your situation I didn't listen to this advice and I wish I did. I ended up buying a different scope and the cheaper Chinese scope ended up to be a total waste of money.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 23, 2018, 01:49:22 pm
Hey all,

I'm very curious about the inside of these (both the 5k and 7k) and am curious if some of you can post further details other than the bootlog dave has already posted earlier.

I'm particularly interested in the output of

Code: [Select]
dmesg
cat /proc/cpuinfo
lspci
lsusb
df
cat /proc/mtd

Are the first things I can think of. Furthermore, in one of the MSO7000 videos, dave mentioned that the TX uart wasn't working, but in a MSO5000 video he was sending commands to the shell (he typed things like help which printed the busybox help screen for example). I don't think at that point the root password was yet known, so I am thinking this was done over the serial TX line. So can someone confirm/deny that the TX works normally as expected on both MSO's?

Fear not, this is not a thread de-rail-ment :) I am curious as, while we have found how to start the application with all options enabled, the actual keys not changed, and thus a firmware upgrade can quite happily drop the option. We best be prepared for that right? So in my opinion the scope is not yet hacked and there's still some work left for us.

Finally, what's with the secrecy of the GEL files for the scopes? Before forking over, quite a substantial amount and then brick it, I'm thinking of getting a Zynq development board and see if I can 'install' the firmware onto it. As such, I'd need the actual GEL file (the more versions of the different scopes, the better). So is anybody able to share me any GEL file they have gotten yet? Meanwhile I'll try to request a firmware file from Rigol the good old manual way.
Turns out, when going to https://www.rigol.eu/products/digital-oscilloscopes/7000/ the file is right there in the download section ...

Still, if anybody has other versions, beta or whatnot for the 5k and 7k it may still help with further analysis.

Thanks for listening :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 23, 2018, 01:58:52 pm
No derailment. That's precisely the goal of this thread.

I can get you the 5000 GEL.

You can always look at this msg:

https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 23, 2018, 02:21:46 pm

I'm particularly interested in the output of

Code: [Select]
dmesg
cat /proc/cpuinfo
lspci
lsusb
df
cat /proc/mtd




Code: [Select]
<root@rigol>dmesg
CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: Xilinx Zynq Platform, model: Xilinx Zynq
Memory policy: Data cache writealloc
On node 0 totalpages: 114688
free_area_init_node: node 0, pgdat c0631c80, node_mem_map c0669000
  Normal zone: 896 pages used for memmap
  Normal zone: 0 pages reserved
  Normal zone: 114688 pages, LIFO batch:31
PERCPU: Embedded 8 pages/cpu @c09f1000 s8384 r8192 d16192 u32768
pcpu-alloc: s8384 r8192 d16192 u32768 alloc=8*4096
pcpu-alloc: [0] 0 [0] 1
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 113792
Kernel command line: console=ttyPS0,115200 no_console_suspend, root=/dev/ram rw
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 437416K/458752K available (4197K kernel code, 255K rwdata, 1716K rodata, 176K init, 179K bss, 21336K reserved, 0K highmem)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xdc800000 - 0xff000000   ( 552 MB)
    lowmem  : 0xc0000000 - 0xdc000000   ( 448 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc05ce880   (5915 kB)
      .init : 0xc05cf000 - 0xc05fb0c0   ( 177 kB)
      .data : 0xc05fc000 - 0xc063bd78   ( 256 kB)
       .bss : 0xc063bd84 - 0xc06689a4   ( 180 kB)
Preemptible hierarchical RCU implementation.
        Dump stacks of tasks blocking RCU-preempt GP.
        RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
NR_IRQS:16 nr_irqs:16 16
ps7-slcr mapped to dc802000
Zynq clock init
sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
Console: colour dummy device 80x30
Calibrating delay loop... 1725.23 BogoMIPS (lpj=8626176)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0xc03fa6b8 - 0xc03fa710
L310 cache controller enabled
l2x0: 8 ways, CACHE_ID 0x410000c8, AUX_CTRL 0x72360000, Cache size: 512 kB
CPU1: Booted secondary processor
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
gpio->base_addr is:0xdc84e000
The gpio irq num is:52
zynq_gpio e000a000.ps7-gpio: gpio at 0xe000a000 mapped to 0xdc84e000
hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
hw-breakpoint: maximum watchpoint size is 4 bytes.
zynq_ocm f800c000.ps7-ocmc: ZYNQ OCM pool: 256 KiB @ 0xdc880000
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
NET: Registered protocol family 2
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
PCI: CLS 0 bytes, default 64
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 10644K (db099000 - dbafe000)
hw perfevents: enabled with ARMv7 Cortex-A9 PMU driver, 7 counters available
NTFS driver 2.1.30 [Flags: R/W].
msgmni has been set to 875
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
DPU:Map vRam to 0xdca00000
DPU:Map iReg to 0xdcc00000
DPU:Ver=0x20170711
dma-pl330 f8003000.ps7-dma: unable to set the seg size
dma-pl330 f8003000.ps7-dma: Loaded driver for PL330 DMAC-2364208
dma-pl330 f8003000.ps7-dma:     DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
e0000000.serial: ttyPS0 at MMIO 0xe0000000 (irq = 59, base_baud = 6249999) is a xuartps
console [ttyPS0] enabled
xuartps e0001000.serial: failed to get alias id, errno -19
e0001000.serial: ttyPS1 at MMIO 0xe0001000 (irq = 82, base_baud = 6249999) is a xuartps
brd: module loaded
loop: module loaded
xspips e0006000.ps7-spi: master is unqueued, this is deprecated
xspips e0006000.ps7-spi: at 0xE0006000 mapped to 0xDC858000, irq=58
libphy: XEMACPS mii bus: probed
xemacps e000b000.ps7-ethernet: pdev->id -1, baseaddr 0xe000b000, irq 54
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
xusbps-ehci xusbps-ehci.1: Xilinx PS USB EHCI Host Controller
xusbps-ehci xusbps-ehci.1: new USB bus registered, assigned bus number 1
xusbps-ehci xusbps-ehci.1: irq 76, io mem 0x00000000
xusbps-ehci xusbps-ehci.1: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-rx8010sj 0-0032: Update timer was detected
rtc-rx8010sj 0-0032: rtc core: registered rtc-rx8010sj as rtc0
input: Goodix-TS as /devices/virtual/input/input0
xi2cps e0004000.ps7-i2c: 90 kHz mmio e0004000 irq 57
zynq-edac f8006000.ps7-ddrc: ecc not enabled
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
ONFI param page 0 valid
ONFI flash detected
NAND device: Manufacturer ID: 0x2c, Chip ID: 0xd3 (Micron MT29F8G08ADADAH4), 1024MiB, page size: 2048, OOB size: 64
Bad block table found at page 524224, version 0x01
Bad block table found at page 524160, version 0x01
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
TCP: cubic registered
NET: Registered protocol family 17
Registering SWP/SWPB emulation handler
rtc-rx8010sj 0-0032: setting system clock to 2018-12-23 22:14:55 UTC (1545603295)
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 176K (c05cf000 - c05fb000)
UBI: attaching mtd6 to ubi6
UBI: scanning is finished
UBI warning: print_rsvd_warning: cannot reserve enough PEBs for bad PEB handling, reserved 19, need 160
UBI: attached mtd6 (name "App1", size 100 MiB) to ubi6
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 800, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 137759694
UBI: available PEBs: 0, total reserved PEBs: 800, PEBs reserved for bad PEB handling: 19
UBI: background thread "ubi_bgt6d" started, PID 655
UBIFS: background thread "ubifs_bgt6_0" started, PID 658
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 6, volume 0, name "app"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 97263616 bytes (92 MiB, 766 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
UBIFS: reserved for root: 0 bytes (0 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 29D18BC9-40D5-47EB-8093-D75BB394A334, small LPT model
UBI: attaching mtd1 to ubi1
UBI: scanning is finished
UBI: attached mtd1 (name "DATA", size 64 MiB) to ubi1
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 512, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 1383059050
UBI: available PEBs: 0, total reserved PEBs: 512, PEBs reserved for bad PEB handling: 160
UBI: background thread "ubi_bgt1d" started, PID 687
UBIFS: background thread "ubifs_bgt1_0" started, PID 691
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 1, volume 0, name "DATA"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 42917888 bytes (40 MiB, 338 LEBs), journal size 2158592 bytes (2 MiB, 17 LEBs)
UBIFS: reserved for root: 2027117 bytes (1979 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 678F0810-83AE-49F3-AD8C-BB561AFDEDBD, small LPT model
UBI: attaching mtd12 to ubi12
UBI: scanning is finished
UBI: attached mtd12 (name "User", size 600 MiB) to ubi12
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 4796, bad PEBs: 4, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 1737885595
UBI: available PEBs: 0, total reserved PEBs: 4796, PEBs reserved for bad PEB handling: 156
UBI: background thread "ubi_bgt12d" started, PID 728
UBIFS: background thread "ubifs_bgt12_0" started, PID 732
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 12, volume 0, name "USER"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 586502144 bytes (559 MiB, 4619 LEBs), journal size 29331456 bytes (27 MiB, 231 LEBs)
UBIFS: reserved for root: 4952683 bytes (4836 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 7C7DEB0E-5611-4D11-9900-4290138ACF6B, small LPT model
xemacps e000b000.ps7-ethernet: Set clk to 24999999 Hz
xemacps e000b000.ps7-ethernet: link up (100/FULL)
Rigol Device gadget: Rigol Device ready
usbcore: registered new interface driver usbtmc
<root@rigol>cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 0 (v7l)
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc09
CPU revision    : 0

processor       : 1
model name      : ARMv7 Processor rev 0 (v7l)
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc09
CPU revision    : 0

Hardware        : Xilinx Zynq Platform
Revision        : 0000
Serial          : 0000000000000000
<root@rigol>lspci
<root@rigol>lsusb
Bus 001 Device 001: ID 1d6b:0002
<root@rigol>df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                31729     22410      9319  71% /
devtmpfs                218708         0    218708   0% /dev
none                    102400       284    102116   0% /tmp
/dev/ubi6_0              87160     71224     15936  82% /rigol
/dev/ubi1_0              38072       256     35836   1% /rigol/data
/dev/ubi12_0            529048       408    523804   0% /user
<root@rigol>cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00020000 "Env"
mtd1: 04000000 00020000 "DATA"
mtd2: 00400000 00020000 "Bmp"
mtd3: 00400000 00020000 "Bmp1"
mtd4: 00800000 00020000 "Bit1"
mtd5: 02000000 00020000 "Sys1"
mtd6: 06400000 00020000 "App1"
mtd7: 00400000 00020000 "Bmp2"
mtd8: 00800000 00020000 "Bit2"
mtd9: 02000000 00020000 "Sys2"
mtd10: 06400000 00020000 "App2"
mtd11: 04300000 00020000 "Reserved"
mtd12: 25800000 00020000 "User"
<root@rigol>

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 23, 2018, 07:17:44 pm

I don't get it. You bought this for private use didn't you? If yes, then hack it and be done with it.

I also understand that you aren't very happy with the current state of the firmware. Don't make the mistake I made in trusting firmware issues will be fixed soon. If you are going to spend more cash then buy a scope which works out of the box right now. When I was in your situation I didn't listen to this advice and I wish I did. I ended up buying a different scope and the cheaper Chinese scope ended up to be a total waste of money.


You're right.
Two times…
It's for private use only, so why am I afraid? Maybe because I've never done this before, except hacking my 1054Z, which was easy enough for me to do.

Quote
Don't make the mistake I made in trusting firmware issues will be fixed soon.


There are two models I'd like to have, one is the R&S RTM 2/3000 series or a DSO 3000 from Keysight.

Serial decoding will become more important for me so I had to buy the options also.
And then comes the MSO5000 along…
Not bad at all, "only" the firmware must be fixed on various points and this is my hope instead of spending an enormous amount of money for the above mentioned scopes.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 23, 2018, 07:36:43 pm
Another option is to lower the requirements a little bit. In the end I bought a scope from GW Instek which just works. The highest bandwidth model of the MSO2000E version will still set you back around 2000 euro so it is not particularly cheap. OTOH it does have a few features the other oscilloscopes don't have: input filtering and you can change the decoding settings afterwards. There isn't such a thing as a perfect oscilloscope.

The hackability of the Rigol scopes may seem like a lot of fun and getting things 'for free' but in the end that doesn't help you if the features don't work the way you need them to work. Let alone if you are going to pay for the options.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 23, 2018, 08:22:00 pm
Another option is to lower the requirements a little bit. In the end I bought a scope from GW Instek which just works. The highest bandwidth model of the MSO2000E version will still set you back around 2000 euro so it is not particularly cheap. OTOH it does have a few features the other oscilloscopes don't have: input filtering and you can change the decoding settings afterwards. There isn't such a thing as a perfect oscilloscope.

The hackability of the Rigol scopes may seem like a lot of fun and getting things 'for free' but in the end that doesn't help you if the features don't work the way you need them to work. Let alone if you are going to pay for the options.

C'mon, this is a purely technical thread, not just a general discussion of this scope, yet you still keep pushing & pushing GW Instek here while constantly bashing Rigol; you sound really desperate, don't you?

How's your GW Instek sales achievement this 2018? Wish it's beyond the committed target.  :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 23, 2018, 09:06:26 pm
Another option is to lower the requirements a little bit. In the end I bought a scope from GW Instek which just works. The highest bandwidth model of the MSO2000E version will still set you back around 2000 euro so it is not particularly cheap. OTOH it does have a few features the other oscilloscopes don't have: input filtering and you can change the decoding settings afterwards. There isn't such a thing as a perfect oscilloscope.

The hackability of the Rigol scopes may seem like a lot of fun and getting things 'for free' but in the end that doesn't help you if the features don't work the way you need them to work. Let alone if you are going to pay for the options.

C'mon, this is a purely technical thread, not just a general discussion of this scope, yet you still keep pushing & pushing GW Instek here while constantly bashing Rigol; you sound really desperate, don't you?
You've got it all wrong. Martin72 is on exactly the same path I was a couple of years ago. Looking for a good oscilloscope which does a lot except breaking the bank. As I wrote before: I wish I had listened to the advice I was given on this forum back then. And I also like to share what has been my solution in the end. I can't help it if that doesn't sit right with you but the facts are the facts.

BTW: I have nothing to gain by pushing any brand. I'm just a demanding test equipment user sharing what works for me and what doesn't.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 23, 2018, 09:15:12 pm
It’s a good answer nctnico but it’s the same one you post in every thread about every scope on sale!

Can we try and keep the clutter out of this thread please otherwise we end up with 500 pages of off-topic posts.

Can the 3 wise men stay away please  ;) You know who you are!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 23, 2018, 09:55:50 pm
Back to Topic...

Unfortunately I left my Rigol at work; nevertheless I want to try out the "hack" when I get it back.
Hacking the Rigol 1054Z was easy even for a noob like me.
This time it won't be, I guess.
I just did measurements all these years, and don't have experience with network things... :palm:  :-\
A little help is required to get the bee on the flower...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 23, 2018, 10:13:14 pm
A little talk about the consequences of the "feature" is acceptable but we should do our best to keep this at the tech level.

BTW, if anyone could post true bandwidth sweeps, with/without fullopt, would be great.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 23, 2018, 10:20:25 pm
Is there somewhere a description how to modify the boot logo already? If not, I can provide one.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 23, 2018, 10:20:36 pm
It’s stupidly easy... (even I did it)

Download and install PuTTY on your PC
On your scope find its IP address by UTILITY, IO, LAN
Run PuTTY and connect using that IP address and SSH with port 22
Login as ‘root’ password ‘root’
Enter ‘cd /rigol/shell’
Enter ‘vi start.sh’

Change line 82 to read:
‘/rigol/appEntry  $PowerOn -run -fullopt &’

Google vi commands to find out how to insert text into the file
Basically press ‘i’ to enter edit mode then move cursor, insert text and then ESC to exit edit mode.

Save the file and quit ‘:wq’

Reboot.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 23, 2018, 10:26:09 pm
You've got it all wrong. Martin72 is on exactly the same path I was a couple of years ago. Looking for a good oscilloscope which does a lot except breaking the bank. As I wrote before: I wish I had listened to the advice I was given on this forum back then. And I also like to share what has been my solution in the end. I can't help it if that doesn't sit right with you but the facts are the facts.

BTW: I have nothing to gain by pushing any brand. I'm just a demanding test equipment user sharing what works for me and what doesn't.

Problem: You never see anything positive in anything made by Rigol. Ever. You're not seeing that you get a four-channel, 250Mhz 'scope, with siggen. It's a damn useful tool for diagnosing circuits even if some niggling little feature (or even three!) isn't perfectly to your liking. For $999? It's a steal.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 23, 2018, 11:03:33 pm
In 2015, I brought a DS1054Z to work.
Now we have 4 DS1054Z for our development team, nuff said about Rigol.


Quote
It’s stupidly easy... (even I did it)


Thanks for your explanation in your post  :)


Quote
BTW, if anyone could post true bandwidth sweeps, with/without fullopt, would be great.


I'm working on it.
Full mem/function generator wouldn't be a problem, power analysis too.
But bandwidth.....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sparky on December 23, 2018, 11:42:29 pm
@nctnico, @Fungus

Just as this thread was getting itself back on track (thanks to TopLoser for nice x-ray images of the MSO pod!) it has again plunged into irrelevance -- speculation over the marketing tactics of some Chinese test equipment manufacturers!?!?  I even read something about Egyptians and pyramids some pages back!  WTH?  Seriously guys, it's as simple as this thread not being the right place.  Stop it -- for the remainder of this thread.  Please, for all of us!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Frex on December 24, 2018, 07:40:28 am
Hello all,

I already have an MSO2072A hacked with full bandwidth and features, and am very happy with it.
Anyway, I looked at the newest 5000 and 7000 series and they seem great...
Even if a 7000 is a little out of budget with the MSO option  ;D
It's great news to see there is a hack for the 5000.

I would like to know if anybody has done some bandwidth measurements after the hack
to check it? (using an avalanche pulse generator).
Many thanks,

Frex
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 09:49:55 am
MSO5000 FW v01.01.02.03 (https://cld.pt/dl/download/7d02db7b-5669-43ba-a3d3-0636fc04753d/Firmware_01.01.02.03.GEL.tar)

(link will expire after 24h)

Thanks for that! This is the original GEL, as in the version that comes shipped on the scopes yeah? Do you have this for the 7000 as well? For that I only have 00.01.01.07.01 so far ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 09:55:37 am

I'm particularly interested in the output of

Code: [Select]
dmesg
cat /proc/cpuinfo
lspci
lsusb
df
cat /proc/mtd






Many thanks for that. Sadly, this _still_ does not show me which zynq they are using. I think someone mentioned somewhere that it's a 7020, at least we know it's a dual-core. So that leaves out a few of them and we know it runs about 800 MHz based on the bogomips.

Also newly learned is that the 'DATA' partition holds /rigol/data, which I think is where keys and calibration data are stored.

Someone also mentioned somewhere we have a 16Mb eeprom for configuration data. I think it's mostly u-boot (haven't found that in the NAND list yet) and _maybe_ some often changing data.

They also mirror their system data, to ensure safe upgrades.

Has anybody been able to 'interrupt' u-boot yet with the any-key press? Normally if you press it a few times (space works great) just before the message appears (keyboard buffer and all that) it should pick it up, IF the tx is not disabled ... But I guess very few have it opened and a debug header connected other than Dave ...
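
The flash layout read off the posted output above can be cross-checked mechanically. The following is an added example, not part of any post in this thread: a Python sketch that takes the partition, UBI, /proc/mtd and df lines copied from that output and reports NAND ranges no partition covers, equally sized slot pairs, and which partition backs each mount point. All function names are this example's own.

```python
import re

# Lines copied from the dmesg, /proc/mtd and df output posted in this thread.
NAND_SIZE = 1024 * 1024 * 1024  # from "NAND device: ... 1024MiB"

DMESG = '''\
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
UBI: attached mtd6 (name "App1", size 100 MiB) to ubi6
UBI: attached mtd1 (name "DATA", size 64 MiB) to ubi1
UBI: attached mtd12 (name "User", size 600 MiB) to ubi12
'''

PROC_MTD = '''\
mtd0: 00040000 00020000 "Env"
mtd1: 04000000 00020000 "DATA"
mtd2: 00400000 00020000 "Bmp"
mtd3: 00400000 00020000 "Bmp1"
mtd4: 00800000 00020000 "Bit1"
mtd5: 02000000 00020000 "Sys1"
mtd6: 06400000 00020000 "App1"
mtd7: 00400000 00020000 "Bmp2"
mtd8: 00800000 00020000 "Bit2"
mtd9: 02000000 00020000 "Sys2"
mtd10: 06400000 00020000 "App2"
mtd11: 04300000 00020000 "Reserved"
mtd12: 25800000 00020000 "User"
'''

DF = '''\
/dev/ubi6_0              87160     71224     15936  82% /rigol
/dev/ubi1_0              38072       256     35836   1% /rigol/data
/dev/ubi12_0            529048       408    523804   0% /user
'''

SLOT = re.compile(r"(.+?)([12])")  # names such as Sys1 / Sys2


def parse_partitions(dmesg):
    """Return [(name, start, end)] from the 'Creating N MTD partitions' lines."""
    pat = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')
    return [(m.group(3), int(m.group(1), 16), int(m.group(2), 16))
            for m in pat.finditer(dmesg)]


def parse_proc_mtd(text):
    """Return {name: size_in_bytes} from /proc/mtd."""
    pat = re.compile(r'^mtd\d+:\s+([0-9a-fA-F]+)\s+[0-9a-fA-F]+\s+"([^"]+)"', re.M)
    return {m.group(2): int(m.group(1), 16) for m in pat.finditer(text)}


def unlisted_ranges(parts, device_size):
    """Address ranges of the NAND that no listed partition covers."""
    gaps, cursor = [], 0
    for _, start, end in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < device_size:
        gaps.append((cursor, device_size))
    return gaps


def size_mismatches(parts, mtd_sizes):
    """Partitions whose dmesg range length disagrees with /proc/mtd."""
    return [n for n, s, e in parts if mtd_sizes.get(n) != e - s]


def mirrored_slots(parts):
    """Return {base: size} for name1/name2 pairs of identical size."""
    sizes = {}
    for name, start, end in parts:
        m = SLOT.fullmatch(name)
        if m:
            sizes.setdefault(m.group(1), {})[m.group(2)] = end - start
    return {b: s["1"] for b, s in sizes.items()
            if set(s) == {"1", "2"} and s["1"] == s["2"]}


def mounted_partitions(dmesg, df):
    """Map partition name -> mount point via the UBI attach lines and df."""
    ubi = {m.group(2): m.group(1) for m in re.finditer(
        r'UBI: attached mtd\d+ \(name "([^"]+)",[^)]*\) to (ubi\d+)', dmesg)}
    return {ubi[m.group(1)]: m.group(2)
            for m in re.finditer(r"^/dev/(ubi\d+)_\d+\s.*\s(/\S*)$", df, re.M)
            if m.group(1) in ubi}


if __name__ == "__main__":
    parts = parse_partitions(DMESG)
    for lo, hi in unlisted_ranges(parts, NAND_SIZE):
        print(f"unlisted: 0x{lo:08x}-0x{hi:08x} ({(hi - lo) // 1024} KiB)")
    print("size mismatches:", size_mismatches(parts, parse_proc_mtd(PROC_MTD)))
    print("mirrored pairs:", mirrored_slots(parts))
    print("mounts:", mounted_partitions(DMESG, DF))
```

On the posted data this reports a single unlisted range between the end of "Env" and the start of "DATA"; the output on this page does not show what that range holds.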
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 24, 2018, 10:05:35 am
What do you do with this GEL file? I can untar it, and get four .img.gz files, plus the encrypted shell scripts. Further untarring and I get some .img files.
What do you do with those?


MSO5000 FW v01.01.02.03 (https://cld.pt/dl/download/7d02db7b-5669-43ba-a3d3-0636fc04753d/Firmware_01.01.02.03.GEL.tar)

(link will expire after 24h)

Thanks for that! This is the original GEL, as in the version that comes shipped on the scopes yeah? Do you have this for the 7000 as well? For that I only have 00.01.01.07.01 so far ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 10:10:58 am
Many thanks for that. Sadly, this _still_ does not show me which zynq they are using. I think someone mentioned somewhere that it's a 7020, at least we know it's a dual-core. So that leaves out a few of them and we know it runs about 800 MHz based on the bogomips.

You can see the Zynq model in my DS7000 FPGAs parsing. (see the DS7000 thread (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803))

I assume the Zynq is the same (7015). But I can parse the 5000 .bit file and verify that for you.

The 5000 .GEL version is the one that is currently being shipped.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 10:14:21 am
What do you do with those?

Massage them a bit (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803)...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 10:25:17 am
Many thanks for that. Sadly, this _still_ does not show me which zynq they are using. I think someone mentioned somewhere that it's a 7020, at least we know it's a dual-core. So that leaves out a few of them and we know it runs about 800 MHz based on the bogomips.

You can see the Zynq model in my DS7000 FPGAs parsing. (see the DS7000 thread (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1761803/#msg1761803))

I assume the Zynq is the same (7015). But I can parse the 5000 .bit file and verify that for you.

Ah see that's where I saw it (lots of threads about the 5k and 7k). With the similarities between the two platforms, the OP statement about this being only about the 5k should be redacted to be about 5k and 7k. Having the information in one thread is always easier :) I believe we have 3 threads now with information scattered...

But thanks. The 7010, 7015 and 7020 are similar enough that any dev board with these chips should be accurate enough. I think it's mostly CPU speed and maybe FPGA gate count that's different, so I guess they couldn't fit their bitstream into the 7010 and went one up ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 10:33:08 am
What do you do with this gel file? I can untar it, and get four .img.gz files, plus the encrypted shell scripts. Further untarring and I get some .img files.
What do you do with those?


MSO5000 FW v01.01.02.03 (https://cld.pt/dl/download/7d02db7b-5669-43ba-a3d3-0636fc04753d/Firmware_01.01.02.03.GEL.tar)

(link will expire after 24h)

Thanks for that! This is the original GEL, as in the version that comes shipped on the scopes yeah? Do you have this for the 7000 as well? For that I only have 00.01.01.07.01 so far ...

Well mostly compare between the different versions, as for the image files, they are regular linux filesystem images.

So the system.img file is a FIT image that you can extract the kernel and initrd from. The kernel shouldn't be important, as we should be getting the sources from RIGOL on request (GPLv2). The initrd is interesting as that is the 'boot OS'. I'm not sure yet if this is their entire rootfs (likely) or just their first stage OS (which then in turn mounts the correct disks to continue booting). But since the other image is the 'app' image, my guess is that it's the actual rootfs.

The final file in the system.img file is the FDT, flattened device tree, which contains the system configuration, such as all the various busses, gpios, LEDs etc etc etc. Think ACPI tables for ARM if anything.

As for the app.img, well that contains the UI only as far as I can tell. It's based off of qt5, so replacing the shipped qt5 libraries with unstripped libraries may be an interesting thing to do (if they are stripped even), making gdb work a little easier if we'd want to gdb their main application.

The two script files are interesting, as it actually shows two potential upgrade paths. One is from within linux, the other from within u-boot. My guess is that if the upgrade fails via linux, if you have the usb stick with GEL inserted during boot, u-boot will parse the update file and perform the update. Why they did this I am not sure yet.

Furthermore, having the images allows us to install them onto a zynq dev board (which can be had for about 100 USD), reducing the bricking risk of the scope immensely. As there is one way you can brick it, it seems. If one would wipe the 'env' partition, then we'd have an environment-less u-boot and without serial access, we don't know what the u-boot fallback would be.

Of course, the final goal is to blink a few LED's on the scope :D (and to RE the keys of course, where more information is always better)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 10:33:48 am
Ah see that's where I saw it (lots of threads about the 5k and 7k). With the similarities between the two platforms, the OP statement about this being only about the 5k should be redacted to be about 5k and 7k. Having the information in one thread is always easier :) I believe we have 3 threads now with information scattered...

Makes some sense since they are so similar (or "too much similar"...). I'll ask OP to change the thread name.

BTW, what is the 3rd thread?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 10:38:42 am
Ah see that's where I saw it (lots of threads about the 5k and 7k). With the similarities between the two platforms, the OP statement about this being only about the 5k should be redacted to be about 5k and 7k. Having the information in one thread is always easier :) I believe we have 3 threads now with information scattered...

Makes some sense since they are so similar (or "too much similar"...). I'll ask OP to change the thread name.

BTW, what is the 3rd thread?

You are right, it is only 2; i thought there was the 7000 'hacking-ish' thread and the original thread from dave about the new scope. I stand corrected :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 10:42:33 am
The two script files are interesting, as it actually shows two potential upgrade paths. One is from within linux, the other from within u-boot. My guess is that if the upgrade fails via linux, if you have the usb stick with GEL inserted during boot, u-boot will parse the update file and perform the update. Why they did this I am not sure yet.

The scope accepts the usual ultra-special Rigol vendor USB flashdrive (with the special boot sector).

Don't know yet what that allows but...  ;)

Tell me what zynq dev board do you have in mind for 100USD?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: A Hellene on December 24, 2018, 11:00:03 am
I am sorry for the following request, regarding DS1000Z in a thread about MSO5000... I am also sorry if that has already been answered and I have missed it.

The problem I face is that I have updated DS1000Z firmware to the buggy (and revoked) 04.04.03.05, which mangles long memory data while navigating through it; so I would like to downgrade to the last good known firmware version (04.04.03.02) or even to an older one I may have.

I remember having read in the past that DS1000Z firmware downgrade is a matter of writing a special signature on the flash drive that carries the downgrade firmware. Is there any chance I can have that special signature or any other help to downgrade the DS1000Z firmware, please?

-George
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 11:17:54 am
I remember having read in the past that DS1000Z firmware downgrade is a matter of writing a special signature on the flash drive that carries the downgrade firmware. Is there any chance I can have that special signature or any other help to downgrade the DS1000Z firmware, please?

George,

Don't hijack with such an OT. It's better to send a PM. Contact janekivi as he may be able to help. I think you have 2 ways: using the special Rigol USB vendor disk and patching the version number in the previous FW. I think Janekivi can help with both. I would have to do some development to replicate it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 24, 2018, 11:33:24 am
Re. logo screen: as there wasn’t any reply, I guess there isn’t such information available yet. Or nobody is interested. :) Anyway…

First of all, you need to create a picture with your preferred image editing program with a maximum size of 1024 x 600 (full screen) and save it as a bitmap. I’ve programmed and uploaded (http://firebird.tms-taps.net/Rigol/MSO5000Logo.zip) a little Windows conversion tool that converts pictures (.bmp, .png or .jpg) to .hex logo format and also the other way around. If you don’t trust my exe or want to create a conversion tool for a different system, here’s the format of logo file:

LE dword  imageWidth;
LE dword  imageHeight;
LE word pixel[imageWidth * imageHeight];

The pixel format is rrrr rggg gggb bbbb;

After the .hex file has been created, copy it to a thumb drive and connect the drive to the scope. Open putty or any other ssh terminal and log in to the MSO (port 22, root/root, you know ;) ). First verify that the thumb drive has been mounted to /media/sda1:

Code: [Select]
<root@rigol> mount

rootfs on / type rootfs (rw)
/dev/root on / type ext2 (rw,relatime,errors=continue)
devtmpfs on /dev type devtmpfs (rw,relatime,size=218708k,nr_inodes=54677,mode=755)
none on /proc type proc (rw,relatime)
none on /sys type sysfs (rw,relatime)
none on /tmp type tmpfs (rw,relatime,size=102400k)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/ubi6_0 on /rigol type ubifs (rw,relatime)
/dev/ubi1_0 on /rigol/data type ubifs (rw,sync,relatime)
/dev/ubi12_0 on /user type ubifs (rw,sync,relatime)
>>> /dev/sda1 on /media/sda1 type vfat (rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=936,iocharset=utf8,shortname=mixed,errors=remount-ro)

If this is the first time you’re doing this, backup the original Rigol logo:
Code: [Select]
<root@rigol> dd if=/dev/mtd7 of=/media/sda1/logo_orig.hex

8192+0 records in
8192+0 records out
4194304 bytes (4.0MB) copied, 1.070000 seconds, 3.7MB/s

Now install your logo. Of course you need to enter the file name of your logo and this must be case sensitive:

Code: [Select]
<root@rigol> flash_eraseall /dev/mtd7

Erasing 128 Kibyte @ 400000 - 100% complete.

<root@rigol> nandwrite -p /dev/mtd7 /media/sda1/Logo_FireBird.hex

Writing at 0x00000000
Writing at 0x00020000
Writing at 0x00040000
Writing at 0x00060000
Writing at 0x00080000
Writing at 0x000a0000
Writing at 0x000c0000
Writing at 0x000e0000
Writing at 0x00100000
Writing at 0x00120000

Reboot and have fun. :)
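
The logo format given in this post (two little-endian dwords for width and height, then one little-endian RGB565 word per pixel) can be checked on a PC before anything is written to mtd7. The following is an added example, not FireBird's conversion tool and not Rigol code; the function names are hypothetical, and accepting only 0xFF bytes after the pixel array (as in a dump of an erased-then-written partition) is an assumption.

```python
import struct

MAX_WIDTH, MAX_HEIGHT = 1024, 600   # full-screen limit stated in the post
PARTITION_SIZE = 0x00400000         # size of "Bmp2" (mtd7) in /proc/mtd
ERASE_BLOCK = 0x00020000            # erasesize in /proc/mtd
HEADER = struct.Struct("<II")       # LE dword imageWidth, LE dword imageHeight


def rgb888_to_565(r, g, b):
    """Pack 8-bit channels into one rrrrrggg gggbbbbb word."""
    return ((r >> 3) << 11) | ((g >> 2) << 5) | (b >> 3)


def rgb565_to_888(word):
    """Unpack a 565 word; the low bits are filled by bit replication."""
    r, g, b = (word >> 11) & 0x1F, (word >> 5) & 0x3F, word & 0x1F
    return (r << 3) | (r >> 2), (g << 2) | (g >> 4), (b << 3) | (b >> 2)


def check_dimensions(width, height):
    if not (0 < width <= MAX_WIDTH and 0 < height <= MAX_HEIGHT):
        raise ValueError("implausible size %dx%d (erased or foreign data?)"
                         % (width, height))


def encode_logo(width, height, rgb_pixels):
    """Build a logo file from (r, g, b) tuples given in file order."""
    check_dimensions(width, height)
    if len(rgb_pixels) != width * height:
        raise ValueError("pixel count does not match width * height")
    words = [rgb888_to_565(*p) for p in rgb_pixels]
    return HEADER.pack(width, height) + struct.pack("<%dH" % len(words), *words)


def parse_logo(blob):
    """Validate a logo file or an mtd7 dump; return (width, height, words)."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than the 8-byte header")
    if len(blob) > PARTITION_SIZE:
        raise ValueError("larger than the 4 MiB logo partition")
    width, height = HEADER.unpack_from(blob, 0)
    check_dimensions(width, height)
    end = HEADER.size + width * height * 2
    if len(blob) < end:
        raise ValueError("truncated: header promises %d bytes, got %d"
                         % (end, len(blob)))
    # Assumption: anything after the pixel array is erased-flash padding.
    if blob[end:].strip(b"\xff"):
        raise ValueError("unexpected data after the pixel array")
    words = struct.unpack_from("<%dH" % (width * height), blob, HEADER.size)
    return width, height, list(words)


def blocks_needed(length):
    """Number of 128 KiB erase blocks a file of this length occupies."""
    return -(-length // ERASE_BLOCK)


if __name__ == "__main__":
    # Constructed 2x2 sample image: red, green, blue, white.
    sample = encode_logo(2, 2, [(255, 0, 0), (0, 255, 0),
                                (0, 0, 255), (255, 255, 255)])
    print(parse_logo(sample))
    print(blocks_needed(HEADER.size + MAX_WIDTH * MAX_HEIGHT * 2))
```

A full-screen 1024 x 600 logo occupies ten erase blocks, which matches the ten "Writing at" lines in the nandwrite output above.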

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: A Hellene on December 24, 2018, 11:39:00 am
George,

Don't hijack with such an OT. It's better to send a PM. Contact janekivi as he may be able to help. I think you have 2 ways: using the special Rigol USB vendor disk and patching the version number in the previous FW. I think Janekivi can help with both. I would have to do some development to replicate it.

Thank you for the reply.
Once more, I am sorry for the off-topic; yet, reading about MSO5000 hacking reminded me of my DS1000Z issue...


-George
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 11:47:00 am
Re. logo screen: as there wasn’t any reply, I guess there isn’t such information available yet. Or nobody is interested. :) Anyway…

People are shy... :)  Keep those contributions! If everyone does a bit, it costs less.

What about MTD3? What is the BMP there?

BTW, dump both original BMP from the NAND and attach them here (as .PNGs). People like to look at some images.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 24, 2018, 11:53:14 am
Rigol is talking in their update script about app A and B. All app A blocks are empty.

Code: [Select]
dev:    size   erasesize  name
mtd0:  00040000 00020000 "Env"          ; Environment as a NULL terminated list and a dword at the beginning
mtd1:  04000000 00020000 "DATA"         ; UBI FS -> /rigol/data
mtd2:  00400000 00020000 "Bmp"          ; unused FF
mtd3:  00400000 00020000 "Bmp1"         ; App A unused FF
mtd4:  00800000 00020000 "Bit1"         ; App A unused FF
mtd5:  02000000 00020000 "Sys1"         ; App A unused FF
mtd6:  06400000 00020000 "App1"         ; App A unused FF
mtd7:  00400000 00020000 "Bmp2"         ; App B Boot Logo        <- logo.hex
mtd8:  00800000 00020000 "Bit2"         ; App B Zynq Bitstream   <- zynq.bit
mtd9:  02000000 00020000 "Sys2"         ; App B Linux Kernel     <- system.img
mtd10: 06400000 00020000 "App2"         ; App B UBI FS -> /rigol <- app.img
mtd11: 04300000 00020000 "Reserved"     ; unused FF
mtd12: 25800000 00020000 "User"         ; UBI FS -> /user
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 24, 2018, 11:54:33 am
BTW, dump both original BMP from the NAND and attach them here (as .PNGs). People like to look at some images.

Yep, might be handy someday, when someone yells ... "I want the original logo back, where can I find one ..."  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 12:07:20 pm
Yep, might be handy someday, when someone yells ... "I want the original logo back, where can I find one ..."  :-DD

Better yet: "I would love to have my brick with the original logo, please help!!"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 12:10:53 pm
Rigol is talking in their update script about app A and B. All app A blocks are empty.

Interesting... We can have 2 different environments loaded in the machine...

Anyone with 7000 can check if it's the same scheme?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 24, 2018, 01:32:58 pm
What do you do with this gel file? I can untar it, and get four .img.gz files, plus the encrypted shell scripts. Further untarring and I get some .img files.
What do you do with those?


MSO5000 FW v01.01.02.03 (https://cld.pt/dl/download/7d02db7b-5669-43ba-a3d3-0636fc04753d/Firmware_01.01.02.03.GEL.tar)

(link will expire after 24h)

Thanks for that! This is the original GEL, as in the version that comes shipped on the scopes yeah? Do you have this for the 7000 as well? For that I only have 00.01.01.07.01 so far ...

Well mostly compare between the different versions, as for the image files, they are regular linux filesystem images.
.....

Thanks for the background information. It's really helpful. I have a very generic debian vm on my laptop. Am I able to mount these images somehow, so I can start to have a poke around?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 02:00:37 pm
The two script files are interesting, as it actually shows two potential upgrade paths. One is from within linux, the other from within u-boot. My guess is that if the upgrade fails via linux, if you have the usb stick with GEL inserted during boot, u-boot will parse the update file and perform the update. Why they did this I am not sure yet.

The scope accepts the usual ultra-special Rigol vendor USB flashdrive (with the special boot sector).

Don't know yet what that allows but...  ;)

Tell me what zynq dev board do you have in mind for 100USD?
I'm curious about this special 'vendor' usb stick. Is it something we can obtain/download/create?
I guess dumping the environment from /dev/mtd0 (and attaching it here) yields us all the scripts etc, if anybody could be so kind :)

As for the zynq dev board, there's the mini Zed for 89 USD, but is a 7007s (single core) so I feel too far from the scope. The Pynq however looks promising with a 7020, there seems to be a few flavors however, like https://nl.farnell.com/tul-corporation/1m4-m000127000/dev-kit-32bit-arm-cortex-a9-mpu/dp/2913031?st=pynq for example is only 101 Euro. But then i can't buy privately at farnell. So will have to do some more digging, but even so; it still sounds very reasonable :)

I find pricing for these boards can vary, not sure why. (Same board, different sites, double the price). If I find a nice vendor where I can buy stuff, I'll post a link
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 02:01:50 pm
Re. logo screen: as there wasn’t any reply, I guess there isn’t such information available yet. Or nobody is interested. :) Anyway…

People are shy... :)  Keep those contributions! If everyone does a bit, it costs less.

What about MTD3? What is the BMP there?
That's probably u-boot's splash screen. I'd be surprised if it is initially different from the other two to keep a 'smooth' logo experience.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 02:04:38 pm
Rigol is talking in their update script about app A and B. All app A blocks are empty.

Code: [Select]
dev:    size   erasesize  name
mtd0:  00040000 00020000 "Env"          ; Environment as a NULL terminated list and a dword at the beginning
Standard u-boot environment created from a text file and 'compiled' with mkimage. The dword in front is the header.
Code: [Select]
mtd1:  04000000 00020000 "DATA"         ; UBI FS -> /rigol/data
As I mentioned earlier, probably configuration data and the like
Code: [Select]
mtd2:  00400000 00020000 "Bmp"          ; unused FF
Hmm strange that it is unused, I would have expected the logo for u-boot to use.
Code: [Select]
mtd3:  00400000 00020000 "Bmp1"         ; App A unused FF
mtd4:  00800000 00020000 "Bit1"         ; App A unused FF
mtd5:  02000000 00020000 "Sys1"         ; App A unused FF
mtd6:  06400000 00020000 "App1"         ; App A unused FF
This will be populated the first time an update is performed, the update script updates the 'backup', and boots from that next time.
Code: [Select]
mtd7:  00400000 00020000 "Bmp2"         ; App B Boot Logo        <- logo.hex
mtd8:  00800000 00020000 "Bit2"         ; App B Zynq Bitstream   <- zynq.bit
mtd9:  02000000 00020000 "Sys2"         ; App B Linux Kernel     <- system.img
mtd10: 06400000 00020000 "App2"         ; App B UBI FS -> /rigol <- app.img
mtd11: 04300000 00020000 "Reserved"     ; unused FF
mtd12: 25800000 00020000 "User"         ; UBI FS -> /user
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 02:11:17 pm
I'm curious about this special 'vendor' usb stick. Is it something we can obtain/download/create?
I guess dumping the environment from /dev/mtd0 (and attaching it here) yields us all the scripts etc, if anybody could be so kind :)

It can be created, sure. I'll rewind a little my efforts with the DS1054Z and then I'll tell you how to create a vendor disk.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TillMundy on December 24, 2018, 03:45:00 pm
I have tested out the bandwidth with the MSO5000 "hack". I have attached some photos below. The amplitude of my signal generator is not linear so be wary of the changes in amplitude between images.
On the topic of screen brightness; At first when I opened the scope I thought it seemed dim. After using it for a day I didn't notice or care. Then I had to do some other measurements using two scopes. I put my Siglent SDS1104 next to it and boy is there a difference. The Siglent's small display is incredibly bright and clear. On the MSO5000 it is not only a dim screen but also bad diffusion of the back lights. All the edges of the MSO5000 are brighter than the rest of the display. I think they may have reduced the back-light brightness to reduce this effect. Comparing the display to a DSA815 the MSO5000 is still much dimmer and lower resolution.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 04:02:42 pm
and boy is there a difference. The Siglent's small display is incredibly bright and clear. On the MSO5000 it is not only a dim screen but also bad diffusion of the back lights. All the edges of the MSO5000 are brighter than the rest of the display. I think they may have reduced the back-light brightness to reduce this effect. Comparing the display to a DSA815 the MSO5000 is still much dimmer and lower resolution.

Once we know how the backlight is connected to linux, we can see if they purposely lowered the brightness. Since this is a device that is intended to be in use for years to come (10 years is not super unreasonable, considering I had my DS1052 for about 10 years now and would still had it if I didn't sell it cause I wanted the MSO5000 :))

Given that, it could very well that Rigol actually did a lifetime analysis (I know we did at our work) taking LED degradation into account when in use 24/7 and have set the brightness to 50% or something. Or, it's just shit :) we don't know yet.

You can always check /sys/class/led to see if there's a backlight there, or do a `find /sys -iname '*backlight*'`to see if the backlight is controllable. I'll dig into the decompiled device tree soon and see if I can find something.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 24, 2018, 05:01:43 pm
Is all options != 350mhz?  It almost seems like it’s 500mhz ?

I had seen rumors of making it run at 1ghz?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 24, 2018, 05:19:32 pm

Has anybody been able to 'interrupt' u-boot yet with the any-key press? Normally if you press it a few times (space works great) just before the message appears (keyboard buffer and all that) it should pick it up, IF the tx is not disabled ... But I guess very few have it opened and a debug header connected other than Dave ...

Yes you can halt the boot process

Code: [Select]
[12/24 17:12:56.0]
[12/24 17:12:56.0]U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)
[12/24 17:12:56.0]
[12/24 17:12:56.0]I2C:   ready
[12/24 17:12:56.0]Memory: ECC disabled
[12/24 17:12:56.0]DRAM:  448 MiB
[12/24 17:12:56.1]DPU:   20170604
[12/24 17:12:56.1]NAND:  OnDie ECC supported, 1024 MiB
[12/24 17:12:57.1]zynq-In:    serial
[12/24 17:12:57.1]zynq-Out:   serial
[12/24 17:12:57.1]zynq-Err:   serial
[12/24 17:12:57.1]Net:   Gem.e000b000
[12/24 17:12:57.1]BootParam=0x0
[12/24 17:12:57.1]Hit any key to stop autoboot:  0
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)
[12/24 17:12:57.1]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.3](
[12/24 17:12:57.3]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.3]rigol-uboot>
[12/24 17:12:57.3]  aesTest base bdinfo beeper boot bootd bootm bootp bootz checkGTP checkVer
[12/24 17:12:57.3]  clk cmp coninfo cp cpldver crc32 dcache ...
[12/24 17:12:57.3]rigol-uboot>

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TillMundy on December 24, 2018, 05:28:02 pm
Is all options != 350mhz?  It almost seems like it’s 500mhz ?

I had seen rumors of making it run at 1ghz?
Some features stop working after 350Mhz. For example the counter option does not work after 350Mhz. Also the frequency measurement gets iffy after 500Mhz. It will show the correct frequency 50% of the time.

It will measure and show waveforms at 1Ghz but the quality is poor and I would not consider this "hack" to unlock a 1Ghz scope.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tinhead on December 24, 2018, 05:51:20 pm

It will measure and show waveforms at 1Ghz but the quality is poor and I would not consider this "hack" to unlock a 1Ghz scope.


ehm, on your picture, you do sample with 2GSa/s, I thought it can get up to 8GSa/s?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 24, 2018, 06:03:03 pm

It will measure and show waveforms at 1Ghz but the quality is poor and I would not consider this "hack" to unlock a 1Ghz scope.


ehm, on your picture, you do sample with 2GSa/s, I thought it can get up to 8GSa/s?

Only at the 500MHz.

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=604624;image)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TillMundy on December 24, 2018, 06:45:13 pm
Sorry I was just on the wrong time scale.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 07:00:31 pm

Has anybody been able to 'interrupt' u-boot yet with the any-key press? Normally if you press it a few times (space works great) just before the message appears (keyboard buffer and all that) it should pick it up, IF the tx is not disabled ... But I guess very few have it opened and a debug header connected other than Dave ...

Yes you can halt the boot process

Code: [Select]
[12/24 17:12:56.0]
[12/24 17:12:56.0]U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)
[12/24 17:12:56.0]
[12/24 17:12:56.0]I2C:   ready
[12/24 17:12:56.0]Memory: ECC disabled
[12/24 17:12:56.0]DRAM:  448 MiB
[12/24 17:12:56.1]DPU:   20170604
[12/24 17:12:56.1]NAND:  OnDie ECC supported, 1024 MiB
[12/24 17:12:57.1]zynq-In:    serial
[12/24 17:12:57.1]zynq-Out:   serial
[12/24 17:12:57.1]zynq-Err:   serial
[12/24 17:12:57.1]Net:   Gem.e000b000
[12/24 17:12:57.1]BootParam=0x0
[12/24 17:12:57.1]Hit any key to stop autoboot:  0
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]rigol-uboot>U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)
[12/24 17:12:57.1]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.1]rigol-uboot>
[12/24 17:12:57.1]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.3](
[12/24 17:12:57.3]Unknown command 'U-Boot' - try 'help'
[12/24 17:12:57.3]rigol-uboot>
[12/24 17:12:57.3]  aesTest base bdinfo beeper boot bootd bootm bootp bootz checkGTP checkVer
[12/24 17:12:57.3]  clk cmp coninfo cp cpldver crc32 dcache ...
[12/24 17:12:57.3]rigol-uboot>
That, is awesome :) While they can still fix this trivially (by editing the environment and disabling it) I was afraid that TX would not work. I guess Dave just made a booboo somewhere where it did not work (in the video). Probably tried too late (one of those things that need an edit in the video with a text overlay saying it does work).

But if the u-boot allows tftp or USB access (which I think it does) we can boot from tftp or via USB images.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 07:16:38 pm
If someone could be so kind as to get me a mtd0 dump, I can poke there a little.
cat /dev/mtd0 > /tmp/mtd0.dump
Not sure if this is 'the way' to do nanddumps though I think if it's an mtd we can just do this.
(or directly to usb) would be great; while at it, compare it to /tmp/env.bin; rigol seems to be saving the env there every boot so if they are different, if you could get me both files; that'd be even better :)

(rigol dumps their nand like this: nanddump -s 0 -l 0x40000 -f /tmp/env.bin /dev/mtd0 )

I'm quite certain that the content of these files should be identical (except maybe some padding at the end).
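
For comparing an mtd0 dump with /tmp/env.bin as asked above, the following is an added example, not code from the thread, from Rigol or from U-Boot. It assumes the layout described earlier in the thread (a little-endian CRC32 dword followed by NUL-separated name=value strings ending in an empty string); the environment size is not given anywhere in the thread, so it is found by trying candidate sizes, and all function names are hypothetical.

```python
import struct
import zlib

CRC_LEN = 4  # the "dword at the beginning" of the Env partition


def build_env(variables, env_size):
    """Build an environment image (used here only to make sample data)."""
    payload = b"".join(("%s=%s" % kv).encode("ascii") + b"\0"
                       for kv in variables.items()) + b"\0"
    if len(payload) > env_size - CRC_LEN:
        raise ValueError("variables do not fit in env_size")
    data = payload.ljust(env_size - CRC_LEN, b"\0")
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data


def crc_matches(blob, env_size):
    """True if the stored CRC32 covers exactly env_size - 4 data bytes."""
    if env_size <= CRC_LEN or len(blob) < env_size:
        return False
    stored = struct.unpack_from("<I", blob, 0)[0]
    return zlib.crc32(blob[CRC_LEN:env_size]) & 0xFFFFFFFF == stored


def guess_env_size(blob, candidates):
    """Return the first candidate size whose CRC checks out, else None."""
    for size in candidates:
        if crc_matches(blob, size):
            return size
    return None


def parse_env(blob, env_size):
    """Return (crc_ok, {name: value}) for one environment image."""
    if env_size <= CRC_LEN or len(blob) < env_size:
        raise ValueError("dump is shorter than env_size")
    data = blob[CRC_LEN:env_size]
    end = data.find(b"\0\0")            # empty string terminates the list
    if end < 0:
        raise ValueError("no terminating double NUL found")
    env = {}
    for entry in data[:end].split(b"\0"):
        if not entry:
            continue                    # empty environment
        name, sep, value = entry.partition(b"=")
        if not sep:
            raise ValueError("entry without '=': %r" % entry)
        env[name.decode("latin-1")] = value.decode("latin-1")
    return crc_matches(blob, env_size), env


def diff_env(a, b):
    """Map each differing name to its (value_in_a, value_in_b) pair."""
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b))
            if a.get(name) != b.get(name)}


if __name__ == "__main__":
    # Constructed sample: a 4 KiB environment followed by erased flash.
    image = build_env({"backpart": "B", "baudrate": "115200",
                       "bootdelay": "1"}, 0x1000)
    dump = image + b"\xff" * 0x1000
    size = guess_env_size(dump, (0x800, 0x1000, 0x2000))
    print(hex(size), parse_env(dump, size))
```

On real dumps, pass candidate sizes such as the erase block size (0x20000) and the partition size (0x40000); a dump for which no candidate verifies is either corrupted or uses a different layout.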
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 24, 2018, 07:22:24 pm
If someone could be so kind as to get me a mtd0 dump, I can poke there a little.

By your command.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 24, 2018, 07:31:41 pm
From what I can gather so far, the buildroot base is identical for both firmware images (5000 and 7000 I have so far).

I have not dug too deep yet into the filesystem, just some early poking around, but I'm quite sure that the major differences will be if device = 5000 ... if device = 7000 ... kind of logic.

heck, the keyword 'flamingo' (MSO7000) lights up like a christmas tree when grepping in the extracted image filesystem, where kerstrel (MSO5000) can't be found anywhere.

The update (which is newer of course) for the MSO7000 did have a few changes. startEntry is now called flamingo_console. There is a new script called 'bw.sh' that opens/closes 20 MHz bandwidth to something over SPI.

So it could be that these are separately developed binaries, only name changes or .. just a bit messy development ...

We'll know more in a few updates when they synchronize their update files. Until then, every update is worth poking around in :)

Comparing kernels between the two, I found so far that they are built from the exact same source, but the touchscreen drivers seem to differ:
Code: [Select]
-TOUCHSCREEN_Goodix_TS y
 TOUCHSCREEN_SSD2543 n -> y
The MSO5000 has the SSD2543 touchscreen, and I think the MSO7000 has a Goodix ts.

So because of that, for now, the firmwares are unique between the two and they can't be interchanged. But who knows, the app may very well run on either scope. E.g. what happens if we run flamingo_console on a MSO5000; (safer is to try the other way around of course). Will that yield us a MSO7000 in a MSO5000 box >: ) For those playing along at home, remember to add extra cooling when trying that :p
Title: GPL Violations?
Post by: oliv3r on December 24, 2018, 07:37:08 pm
I do have a worry ...
I cannot seem to find anything GPL related to rigol. There is https://github.com/rigol but that seems all very much work in progress/abandoned/

So far, I see that:

They used buildroot to compile their OS -> GPLv2+
(and they have a -dirty tree, meaning uncommitted changes, so the hash may not point to anything public)
They use u-boot -> GPLv2+
They use Linux -> GPLv2+
They use busybox -> GPLv2

They've added some drivers from later kernels (app/drivers) which are NOT their own (strings shows they are GPL licensed)

CUPS is actually not viral licensed anymore, but I doubt they compiled it themselves ... it may not be part of build-root and so they just compiled it from source is my guess

some dbus stuff
some other libs and stuff

So clearly, currently they could be violating the GPL. While I don't think it's important yet to start bugging them about it (I doubt they have (m)any changes from upstream and the only code they wrote is in flamingo_console/appEntry) I am curious how they will deal with this ... I think this is their first-ish Linux offering ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on December 24, 2018, 08:41:40 pm
But thanks. The 7010, 7015 and 7020 are similar enough that any dev board with these chips should be accurate enough. I think it's mostly CPU speed and maybe FPGA gate count that's different, so I guess they couldn't fit their bitstream into the 7010 and went one up ...
Not exactly. 7015 is fundamentally different from 10/20 in that its fabric has 4 MGTs (GTPs) which support up to 6.6 Gbps per channel. I suspect they use these transceivers to talk to their ASICs.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 25, 2018, 11:47:01 am
If someone could be so kind as to get me a mtd0 dump, I can poke there a little.

By your command.

Super thanks! So the positive is that apparently their default data contains tftp boot/NFS mounts. So during dev they probably were booting over the network, and so can we :)

Sadly, their stored environment is a little light on the details, it's missing quite a few environment variables. I think they manually generated their initial 'stored' environment which supplements their built-in environment. So we probably need that as well.

So yet another request to get some more data. In the u-boot console, the output of 'printenv' would be great. While in the u-boot console, i'm curious about 'sf probe' as well, it should list the SPI flash that's used to boot the device from. If that returns something useful, we can read (and dump) the spi flash via u-boot!

Not sure if we can dump the spi flash content to file, but tftp is easy. We do need to know the details of the flash-chip (size) but then it's
sf read 0x4900000 0 <size of flash>
tftpput 0x4900000 <size of flash> spiflash.dump

(that does assume a working tftp setup, e.g. proper ip's etc)

To return the fruits of your labor however, here's the decompiled env.bin into env.cmd
Code: [Select]
backpart=B
baudrate=115200
bootdelay=1
bootver=2018.06.27
ethact=Gem.e000b000
ethaddr=00:0a:35:00:01:2a
gatewayip=172.16.3.1
ipaddr=172.16.3.254
modeboot=qspiboot
nandboot=loadzynq;ledoff;run bootlogo; nand read 0x3000000 0x1100000 0x1000000;bootm 0x3000000
netmask=255.255.255.0
nfsboot=nfs 0x3000000 172.16.3.38:/home/rigolee/workspace/nfs/system.img && bootm 0x3000000
serverip=172.16.3.252
stderr=serial
stdin=serial
stdout=serial
update=if tar 0x4000000 0x2000000 fw4uboot.sh; then  aesTest 0x2000000 ${temp_file_size} 0x2100000if exec 0x2100000; then echo update success!; else echo update failed!; fi;else echo can not find update shell!;fi;
upnet=nfs 0x4000000 172.16.3.38:/home/rigolee/workspace/nfs/FlamingoUpdate.GEL && run update
usbboot=if usb start; then echo Copying Linux from USB to RAM... && fatload usb 0 0x3000000 uImage && fatload usb 0 0x2A00000 devicetree.dtb && fatload usb 0 0x2000000 uramdisk.gz && bootm 0x3000000 0x2000000 0x2A00000; fi;
usbupdate=upgradeFromUSB
vendor=RIGOL TECHNOLOGIES
nandbootA=checkGTP;loadzynq 0x4900000;ledoff;loadlogo 0x4500000;nand read 0x3000000 0x5100000 0xd8ebf0;bootm 0x3000000
nandbootB=checkGTP;loadzynq 0xd900000;ledoff;loadlogo 0xd500000;nand read 0x3000000 0xe100000 0xd8ebf0;bootm 0x3000000
bootlogo=loadlogo 0xd500000
builddate=2018-10-11 16:45:53
softver=00.01.01.02.03
bootpart=B
bootcmd=if run nandbootB; then echo 'ok'; else setenv bootpart A;save;run nandbootA; fi

Note that the ordering is not alphabetical. U-Boot itself always saves the environment alphabetically (or printenv does at least) so it's likely that the out-of-order entries are entries rigol 'adds' to the end of the file.

I wonder if that mac address is unique or identical for all devices. MAC's shouldn't be stored in envs (u-boot will export them to the env of course).
Furthermore, there are a few commands that are interesting (aesTest for example) which of course is a wrapper around the u-boot zynq-only aes command. But where is it stored? (Hopefully in the aforementioned printenv) otherwise, it's part of the GPL sources, and then, we have to start pressing Rigol to share them as per GPL.

Also I'm not sure yet if they have a distr_bootcmd as part of their printenv. Otherwise the env entry will be bootcmd, which will boot from either of the nand-flashes.

Why that matters is because that way we cannot 'break into' the boot sequence externally. E.g. the USB stick won't be accessed as it will boot from NAND first. And while changing the environment is trivial; it's invasive :( Booting noninvasive from USB is of course much cooler :) But for that we need the full printenv (and potentially their u-boot compiled version).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 25, 2018, 12:03:22 pm
The two script files are interesting, as it actually shows two potential upgrade paths. One is from within linux, the other from within u-boot. My guess is that if the upgrade fails via linux, if you have the usb stick with GEL inserted during boot, u-boot will parse the update file and perform the update. Why they did this I am not sure yet.

The scope accepts the usual ultra-special Rigol vendor USB flashdrive (with the special boot sector).

Don't know yet what that allows but...  ;)

Tell me what zynq dev board do you have in mind for 100USD?
<snip>
I find pricing for these boards can vary, not sure why. (Same board, different sites, double the price). If I find a nice vendor where I can buy stuff, I'll post a link

I was going to come back on that, it turns out, xilinx has a site which lists tons of boards.
https://www.xilinx.com/products/boards-and-kits/device-family/nav-zynq-7000.html (https://www.xilinx.com/products/boards-and-kits/device-family/nav-zynq-7000.html)

You have to sort prices from high to low and start at about page 3, as there is a lot of 'contact vendor for price' that gets listed first otherwise.

The cheapest is 69 USD, but that's a single-core zynq-7007s. But for 75 USD we can start with a nice 7010 dual-core; https://www.xilinx.com/products/boards-and-kits/1-pcz4k3.html (https://www.xilinx.com/products/boards-and-kits/1-pcz4k3.html) though as noted by asmi
Not exactly. 7015 is fundamentally different from 10/20 in that its fabric has 4 MGTs (GTPs) which support up to 6.6 Gbps per channel. I suspect they use these transceivers to talk to their ASICs.

So I went digging into that a little; the low-budget (single and dual cores up to and including the 7020) are the same, albeit with GPIO and FPGA size differences, while indeed the 7012s and 7015 have the 4 MGTs, which I agree is probably how they are talking to their ASIC. So ideally, we should find a 7015 based board, even if just to get the identical SoC.

The main reason to get a zynq based board is to avoid bricking the device; but if we can extract the SPI flash rom; worst case, we need to jtag back the SPI flash; the rest of the software is fully recoverable, though the /rigol/data (/dev/mtd1) partition will be critical to backup (calibration data, serial number etc are likely stored there).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 25, 2018, 01:41:01 pm
I wonder if that mac address is unique or identical for all devices.
I have the same MAC in my environment but 00:0a:35 is a Xilinx MAC and I haven't captured it during a normal boot. During normal operation, the packets have Rigol MACs (00:19:af).
Title: Re: GPL Violations?
Post by: bitwelder on December 26, 2018, 08:30:03 am
So clearly, currently they could be violating the GPL. While I don't think it's important yet to start bugging them about it (I doubt they have (m)any changes from upstream and the only code they wrote is in flamingo_console/appEntry) I am curious how they will deal with this ... I think this is their first-ish Linux offering ...
Just for starters, does the 'scope come with the usual leaflet (or pages at the end of the manual) about notes on GPL licensed components and how to request the source code?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Karel on December 26, 2018, 10:26:17 am
They only have to provide the sourcecode (of the GPL'ed parts) if they modified it.
Maybe they use unmodified GPL'ed software.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 11:12:51 am
They only have to provide the sourcecode (of the GPL'ed parts) if they modified it.
Maybe they use unmodified GPL'ed software.

They modified it :) trust me. Not sure yet about u-boot (as I wasn't able to dig into that), but they very likely changed the default environment (visible with printenv), which is a code change; so it starts there. Also they added the 'localversion=RIGOLEE', so that's a modification in itself. Granted, these are modifications that don't matter, so I hope they left it at that.

Then they modified the linux kernel (they modified the xilinxfb driver, and at the least added a compatible devDPU). They added a devIRQ (probably because their ancient kernel didn't support /sys/class/gpio properly). They backported some other drivers (/rigol/app/drivers), of some of which they are not the copyright holders.

I'm not familiar enough with buildroot to know what they changed there, but I doubt they left it unchanged (as they'd need to commit their own changes for the whole build-system that they need), so it's very likely it is modified.

Then of course we have some userspace tools; but I do agree they probably didn't touch these (busybox, cups, oprofile).

As for their own application; yes, that is their own and they can do with it as they wish of course :)

Now what I'd be interested in is the HDL that runs in the zynq. Not to RE or even to analyze, but to improve and replace. The video bit comes to mind. As they are using a QT stack, the video drivers are actually part of QT (linuxfb), so those are changes that are even in the realm of possibilities. But I think you need partial reconfiguration of the FPGA for that, and need to know _what_ to partially reconfigure, so you need at least some information of the bitstream blob, I reckon.

TL;DR
They could have the written offer for the code, but barring that, they would be in violation. Also, for both (us and them) it would be just so much easier to just push the repo's in question to somewhere public and be done with it.

Just for starters, does the 'scope come with the usual leaflet (or pages at the end of the manual) about notes on GPL licensed components and how to request the source code?
Anybody who has the box and manuals already took a peek with regards to a software offer? I do know it must be somewhere on the scope, as there is /license/ on the device with the licenses of some of the parts in it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 11:49:52 am
Dump of MSO5074 NAND for anybody that's interested...

https://www.dropbox.com/s/zb9ay97a0df00cb/Rigol%20MSO5074%20NAND.zip?dl=0 (https://www.dropbox.com/s/zb9ay97a0df00cb/Rigol%20MSO5074%20NAND.zip?dl=0)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 12:05:12 pm
Anybody who has the box and manuals already took a peek with regards to a software offer? I do know it must be somewhere on the scope, as there is /license/ on the device with the licenses of some of the parts in it.

No mention on the box or in any of the documents that came with it, nothing on the outside of the scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 12:26:53 pm
Dump of MSO5074 NAND for anybody that's interested...

https://www.dropbox.com/s/zb9ay97a0df00cb/Rigol%20MSO5074%20NAND.zip?dl=0 (https://www.dropbox.com/s/zb9ay97a0df00cb/Rigol%20MSO5074%20NAND.zip?dl=0)

While this is super appreciated! I think you should at least remove mtd1 from there, as that contains scope specific parameters is my guess (if not, it's okay, I think it is mapped to /rigol/data if you want to check), such as serial numbers and licenses.

EDIT Yes this does indeed contain your license keys, MAC address and other info, so do please remove mtd1 from the download. I am grateful for it as it allows me to poke more into the firmware's inner workings, so thanks for that :)

Now all we need is a way to dump the u-boot binary from the SPI flash and I have everything to replicate a scope :p
So if we can get the output of 'sf probe' we know u-boot can talk to it, and if so, we can use sf read to read it into memory. Getting it from memory into a file (without TFTP) I don't know yet ... So if anyone is willing to do this via serial console and u-boot, I can figure out if/how it's possible (TFTP, maybe xmodem?) worst case, we just do a md (memory dump) and capture the output of the serial line and write a simple script to convert the memory dump back into code.

Which then would be:
Code: [Select]
sf probe
sf read 0x4900000 0 <size of flash>
md.b 0x4900000 0x1000000
(Assuming it's 16 Mbit, which sf probe prints, <size of flash> will be 0x1000000.) Because the serial console is quite slow, that will run for a few minutes, so logging of the serial output is required. (When using screen, for example, you can make it log everything into a file. Not sure if putty has that capability, but https://www.viktorious.nl/2013/01/14/putty-log-all-session-output/ (https://www.viktorious.nl/2013/01/14/putty-log-all-session-output/) seems to suggest it is so.)

While here, also do a printenv :)

I have ordered the MYIR z-turn lite 7010 so we'll see when it arrives here. Not too bad for 95 Euros (I got the GPIO breakout board). Probably will take 6 weeks to get here though :(
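The "simple script to convert the memory dump back" mentioned in the post above could look like this. It is an added example, not code from the thread: it assumes the usual U-Boot md line layout (8-digit address, colon, space-separated hex groups, ASCII column), and the capture in SAMPLE_LOG is constructed. It refuses to produce an image when an address is skipped, since a dropped serial character would otherwise corrupt the dump unnoticed.

```python
import re

# One line of U-Boot `md` output: 8-digit address, a colon, then hex groups
# separated by single spaces. The ASCII column follows after a wider gap,
# so the single-space repetition below stops before it.
MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]+)+)")

# Constructed capture (not from a real scope): prompt, echoed command, dump.
SAMPLE_LOG = """rigol-uboot>md.b 0x4900000 0x20
04900000: 52 49 47 4f 4c 20 64 65 6d 6f 00 01 02 03 04 05    RIGOL demo......
04900010: de ad be ef 00 00 00 00 ff ff ff ff 10 20 30 40    ............. 0@
rigol-uboot>"""


class CaptureError(ValueError):
    """The serial log cannot be turned into one contiguous memory image."""


def md_log_to_bytes(log_text, little_endian=True, expected_size=None):
    """Rebuild memory from a captured md / md.b / md.w / md.l session.

    Returns (start_address, data). Prompts, echoed commands and blank lines
    are skipped. Word-sized groups are printed as CPU-native values, so they
    are converted back with the given byte order (little-endian on ARM).
    """
    start = expected = None
    image = bytearray()
    order = "little" if little_endian else "big"
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        match = MD_LINE.match(raw.strip())
        if not match:
            continue
        address = int(match.group(1), 16)
        groups = match.group(2).split()
        width = len(groups[0])
        # Every group on a line has the same width; anything else means
        # characters were lost on the serial line.
        if width not in (2, 4, 8) or any(len(g) != width for g in groups):
            raise CaptureError("line %d: damaged hex group" % lineno)
        if expected is None:
            start = address
        elif address != expected:
            raise CaptureError("line %d: expected 0x%08x, got 0x%08x"
                               % (lineno, expected, address))
        for group in groups:
            image += int(group, 16).to_bytes(width // 2, order)
        expected = address + len(groups) * (width // 2)
    if start is None:
        raise CaptureError("no md output found in capture")
    if expected_size is not None and len(image) != expected_size:
        raise CaptureError("got %d bytes, wanted %d" % (len(image), expected_size))
    return start, bytes(image)


if __name__ == "__main__":
    base, data = md_log_to_bytes(SAMPLE_LOG, expected_size=0x20)
    print("0x%08x: %d bytes recovered" % (base, len(data)))
```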
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 12:30:13 pm

While this is super appreciated! I think you should at least remove mtd1 from there, as that contains scope specific parameters is my guess (if not, it's okay, I think it is mapped to /rigol/data if you want to check), such as serial numbers and licenses.


This scope is a sacrificial lamb off to slaughter, warranty is already void and I suspect it will suffer all sorts of abuse before it finally dies...

Bring it on!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 26, 2018, 12:37:25 pm
I have ordered the MYIR z-turn lite 7010 so we'll see when it arrives here. Not too bad for 95 Euros (I got the GPIO breakout board). Probably will take 6 weeks to get here though :(

I also bought the 7020... :)

Do you read PMs?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 01:40:29 pm

So if we can get the output of 'sf probe' we know u-boot can talk to it, and if so, we can use sf read to read it into memory.

While here, also do a printenv :)


Ok... breaking into u-boot is a right pain so far. There is the 'Hit any key' message but the countdown timer starts at zero so no time to hit a key. I tried holding SPACE down continuously during the boot process and never managed to break in.

But... if I spew a stream of data at the scope during boot I can break in...

rigol-uboot>sf probe
zynq_qspi_setup_slave: No QSPI device detected based on MIO settings
SF: Failed to set up slave
Failed to initialize SPI flash at 0:0

rigol-uboot>printenv
Invalid input(hxh)

Not very promising so far...


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 01:50:39 pm
I have ordered the MYIR z-turn lite 7010 so we'll see when it arrives here. Not too bad for 95 Euros (I got the GPIO breakout board). Probably will take 6 weeks to get here though :(

I also bought the 7020... :)

Do you read PMs?
I do now :D

what do you mean 'also' :p the z-turn lite? I don't think that exists in a 7020 flavor :p Which board did you order? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 01:59:21 pm

So if we can get the output of 'sf probe' we know u-boot can talk to it, and if so, we can use sf read to read it into memory.

While here, also do a printenv :)


Ok... breaking into u-boot is a right pain so far. There is the 'Hit any key' message but the countdown timer starts at zero so no time to hit a key. I tried holding SPACE down continuously during the boot process and never managed to break in.

But... if I spew a stream of data at the scope during boot I can break in...

rigol-uboot>sf probe
zynq_qspi_setup_slave: No QSPI device detected based on MIO settings
SF: Failed to set up slave
Failed to initialize SPI flash at 0:0

rigol-uboot>printenv
Invalid input(hxh)

Not very promising so far...

Huh? hxh is weird, it's almost as if it doesn't like your command ... you can always do a 'help' to see if the command is different; I recall that in very old u-boots it may be env print, for example. If you do not mind editing your environment, you can very easily increase the timeout :)

from the u-boot console, you can do
Code: [Select]
rigol-uboot> setenv bootdelay 2
for example, followed by either a `saveenv` or just `save`<enter>. These days it is saveenv, but i see rigol use in the scripts (to modify the bootpart parameter) use save instead.
Code: [Select]
rigol-uboot> save

Alternatively, you can do all this from linux (which we learned from the fw4linux.sh script :)
This requires /tmp/env.bin to be available (which it always is as several scripts extract it using "nanddump -s 0 -l 0x40000 -f /tmp/env.bin /dev/mtd0" via rc.S) So double check if the file exists:
Code: [Select]
ls -laF /tmp/env.bin
and then modify the env :)
Code: [Select]
/rigol/tools/cfger -s "bootdelay 2"
flash_eraseall /dev/mtd0
nandwrite -p /dev/mtd0 /tmp/env.bin

edit: clarified changing bootdelay from the u-boot shell
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 02:02:31 pm
Help? Been there done that....

rigol-uboot>bollocks
Unknown command 'bollocks' - try 'help'
rigol-uboot>help
Invalid input(hxh)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 02:06:39 pm
Ok....
rigol-uboot>setenv bootdelay=3 save
## Error: illegal character '='in variable name "bootdelay=3"

Leave out the '=' and no error messages (or otherwise)
rigol-uboot>setenv bootdelay 3 save

Scared to have to reboot and see if it worked!


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 02:18:52 pm
I'm sorry I wasn't clear, but they are two commands
so
Code: [Select]
setenv bootdelay 3
followed by
Code: [Select]
save
without the save, nothing happens. You basically just set the bootdelay variable to read '3 save' and after a reboot it's gone (reset, without the save)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 02:24:14 pm
I'm sorry I wasn't clear, but they are two commands
so
Code: [Select]
setenv bootdelay 3
followed by
Code: [Select]
save
without the save, nothing happens. You basically just set the bootdelay variable to read '3 save' and after a reboot it's gone (reset, without the save)

Ok cool... well it made no difference so I tried the Linux way:

Code: [Select]
/rigol/tools/cfger -s "bootdelay 5"
flash_eraseall /dev/mtd0
nandwrite -p /dev/mtd0 /tmp/env.bin

That made no difference either, countdown is still instantaneous.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 02:29:06 pm
Help? Been there done that....

rigol-uboot>bollocks
Unknown command 'bollocks' - try 'help'
rigol-uboot>help
Invalid input(hxh)

LOL they removed the 'help' command to make the binary smaller (or remove it to please the user lol)

ok, so then i'll just have to get the info from an older u-boot manual.
until now, i had to do all this from memory :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 26, 2018, 05:22:47 pm
Would it be possible to hack it so it boots faster?

I mean, what's it doing for a whole minute? That's an eternity.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 05:28:35 pm
Help? Been there done that....

rigol-uboot>bollocks
Unknown command 'bollocks' - try 'help'
rigol-uboot>help
Invalid input(hxh)

LOL they removed the 'help' command to make the binary smaller (or remove it to please the user lol)

ok, so then i'll just have to get the info from an older u-boot manual.
until now, i had to do all this from memory :p

I just went through a list of 'standard' uboot commands and quite a few work as expected. BDINFO and VERSION churn out some info, but HELP and PRINTENV are very much absent.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 26, 2018, 07:17:41 pm
So, the zynq.bit parsing is below:

Code: [Select]
00000000 - FFFFFFFF             Padding
00000004 - FFFFFFFF             Padding
00000008 - FFFFFFFF             Padding
0000000C - FFFFFFFF             Padding
00000010 - FFFFFFFF             Padding
00000014 - FFFFFFFF             Padding
00000018 - FFFFFFFF             Padding
0000001C - FFFFFFFF             Padding
00000020 - 000000BB             Bus width auto detect, word 1
00000024 - 11220044             Bus width auto detect, word 2
00000028 - FFFFFFFF             Padding
0000002C - FFFFFFFF             Padding
00000030 - AA995566             Sync Word (BPI/SPI Mode)
00000034 - 20000000             T1 - 00000000  NOP      (1x)
00000038 - 30022001 00000000    T1 W 00000001  TIMER
00000040 - 30020001 00000000    T1 W 00000001  WBSTAR
00000048 - 30008001 00000000    T1 W 00000001  CMD      NULL - No Operation
00000050 - 20000000             T1 - 00000000  NOP      (1x)
00000054 - 30008001 00000007    T1 W 00000001  CMD      RCRC - Reset CRC
0000005C - 20000000             T1 - 00000000  NOP      (2x)
00000064 - 30026001 00000000    T1 W 00000001  FALL_EDGE
0000006C - 30012001 02003FE5    T1 W 00000001  COR0
00000074 - 3001C001 00000000    T1 W 00000001  COR1
0000007C - 30018001 0373B093    T1 W 00000001  IDCODE
00000084 - 30008001 00000009    T1 W 00000001  CMD      SWITCH - Switch CCLK Frequency
0000008C - 20000000             T1 - 00000000  NOP      (1x)
00000090 - 3000C001 00000401    T1 W 00000001  MASK
00000098 - 3000A001 00000501    T1 W 00000001  CTL0
000000A0 - 3000C001 00000000    T1 W 00000001  MASK
000000A8 - 30030001 00000000    T1 W 00000001  CTL1
000000B0 - 20000000             T1 - 00000000  NOP      (8x)
000000D0 - 30002001 00000000    T1 W 00000001  FAR
000000D8 - 30008001 00000001    T1 W 00000001  CMD      WCFG - Write Config Data
000000E0 - 20000000             T1 - 00000000  NOP      (1x)
000000E4 - 30004000             T1 W 00000000  FDRI
000000E8 - 500D621C             T2 W 000D621C
00358964 - 20000000             T1 - 00000000  NOP      (2x)
0035896C - 30008001 0000000A    T1 W 00000001  CMD      GRESTORE - Pulse GRESTORE Signal
00358974 - 20000000             T1 - 00000000  NOP      (1x)
00358978 - 30008001 00000003    T1 W 00000001  CMD      DGHIGH/LFRM - Last Frame Write
00358980 - 20000000             T1 - 00000000  NOP      (100x)
00358B10 - 30008001 00000005    T1 W 00000001  CMD      START - Begin Startup Sequence
00358B18 - 20000000             T1 - 00000000  NOP      (1x)
00358B1C - 30002001 03BE0000    T1 W 00000001  FAR
00358B24 - 3000C001 00000501    T1 W 00000001  MASK
00358B2C - 3000A001 00000501    T1 W 00000001  CTL0
00358B34 - 30000001 E3AD7EA5    T1 W 00000001  CRC
00358B3C - 20000000             T1 - 00000000  NOP      (2x)
00358B44 - 30008001 0000000D    T1 W 00000001  CMD      DESYNC - Reset DALIGN Signal
00358B4C - 20000000             T1 - 00000000  NOP      (400x)

The IDCODE = 0373B093 corresponds to the Xilinx Zynq-7015. The same as in the DS7000.

The decrypted scripts (CORRECTED) are attached. In order to correctly decrypt them, we must set the IV = AES_KEY.

Code: [Select]
<root@rigol>./cfger -h
 -r name:read the value of name
 -i file:read model,version,date to file
 -c name value: compare bwtween the value of name with value
 -s name value: set the value of name
 -t file: remove the all zero of the file
 -d input output: decrypt the input to output by aes
 -e input output: crypt the input to output by aes
 -h : show this help information

The file /tmp/env.bin is protected by a CRC-32 (ISO-HDLC) in its first 4 bytes. cfger tests this CRC before doing anything.

PS: To those who already downloaded the scripts, sorry. Must download again.
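How the header words in the zynq.bit listing above break down into packet type, opcode, register and word count, as an added example that is not tv84's parser. The bit fields follow the Xilinx 7-series configuration packet layout (type 1: register in bits 26:13, count in bits 10:0; type 2: count in bits 26:0), the register names are the ones used in the listing, and SAMPLE is the listing's first 0xEC bytes re-typed, so the FDRI frame data itself is absent.

```python
import struct

SYNC_WORD = 0xAA995566
OPCODES = {0: "NOP", 1: "R", 2: "W"}
# Type 1 register numbers, labelled with the names used in the listing.
REGISTERS = {
    0x00: "CRC", 0x01: "FAR", 0x02: "FDRI", 0x04: "CMD", 0x05: "CTL0",
    0x06: "MASK", 0x09: "COR0", 0x0C: "IDCODE", 0x0E: "COR1",
    0x10: "WBSTAR", 0x11: "TIMER", 0x13: "FALL_EDGE", 0x18: "CTL1",
}

# Words 0x00..0xE8 of the listing, re-typed (padding, bus-width words,
# sync word, register writes, and the type 2 header that announces the
# frame data). The frame data is not included.
HEADER_WORDS = (
    "FFFFFFFF " * 8 + "000000BB 11220044 FFFFFFFF FFFFFFFF AA995566 "
    "20000000 30022001 00000000 30020001 00000000 30008001 00000000 "
    "20000000 30008001 00000007 20000000 20000000 30026001 00000000 "
    "30012001 02003FE5 3001C001 00000000 30018001 0373B093 "
    "30008001 00000009 20000000 3000C001 00000401 3000A001 00000501 "
    "3000C001 00000000 30030001 00000000 " + "20000000 " * 8 +
    "30002001 00000000 30008001 00000001 20000000 30004000 500D621C"
)
SAMPLE = bytes.fromhex(HEADER_WORDS)


def parse_config_packets(blob):
    """Decode configuration packets that follow the sync word.

    Returns one dict per packet. Small register payloads are kept; large
    payloads (frame data) are only measured. If a payload runs past the end
    of the blob the packet is marked truncated and parsing stops there.
    """
    sync = blob.find(struct.pack(">I", SYNC_WORD))
    if sync < 0:
        raise ValueError("sync word not found")
    packets, pos, last_reg = [], sync + 4, None
    while pos + 4 <= len(blob):
        (header,) = struct.unpack_from(">I", blob, pos)
        ptype = header >> 29
        opcode = (header >> 27) & 0x3
        if ptype == 1:
            count = header & 0x7FF
            reg = (header >> 13) & 0x3FFF if opcode else None
            if opcode:
                last_reg = reg      # a following type 2 packet reuses it
        elif ptype == 2:
            reg, count = last_reg, header & 0x07FFFFFF
        else:
            raise ValueError("offset 0x%X: unexpected word 0x%08X" % (pos, header))
        end = pos + 4 + 4 * count
        truncated = end > len(blob)
        payload = []
        if not truncated and count <= 8:
            payload = list(struct.unpack_from(">%dI" % count, blob, pos + 4))
        packets.append({
            "offset": pos, "type": ptype, "op": OPCODES.get(opcode, "?"),
            "reg": REGISTERS.get(reg, reg), "count": count,
            "payload": payload, "truncated": truncated,
        })
        if truncated:
            break
        pos = end
    return packets


def register_writes(packets, name):
    """First payload word of every write to the named register, in order."""
    return [p["payload"][0] for p in packets
            if p["reg"] == name and p["op"] == "W" and p["payload"]]


if __name__ == "__main__":
    for p in parse_config_packets(SAMPLE):
        print("%08X T%d %-3s %-9s count=0x%X" % (
            p["offset"], p["type"], p["op"], p["reg"], p["count"]))
```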
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: photon on December 26, 2018, 09:27:49 pm
For the record, this scope is not being hacked. It is currently open as Rigol currently wishes. Change the title from "Hacking" to "EEVblog Promoting". Nothing is free.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 09:33:33 pm
I'm sorry I wasn't clear, but they are two commands
so
Code: [Select]
setenv bootdelay 3
followed by
Code: [Select]
save
without the save, nothing happens. You basically just set the bootdelay variable to read '3 save' and after a reboot it's gone (reset, without the save)

Ok cool... well it made no difference so I tried the Linux way:

Code: [Select]
/rigol/tools/cfger -s "bootdelay 5"
flash_eraseall /dev/mtd0
nandwrite -p /dev/mtd0 /tmp/env.bin

That made no difference either, countdown is still instantaneous.

Hmm, I doubt cfgver is checking anything in that file, like filtering bootdelay, so it could be, that they removed it from the binary.

In any case, we _can_ get in if needed, so that's a win. I am curious, next time you're in u-boot, what "echo $bootdelay" will say. It should yield the 5 you saved; if not, we did something wrong with the cfgver tool (or whatever it was, I forget)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 09:34:53 pm
Would it be possible to hack it so it boots faster?

I mean, what's it doing for a whole minute? That's an eternity.

At some point, I do see a few 'useless' things that can be sped up if done in parallel (some tasks in the scripts say cost 8s for example)

That said, they are using a QT stack on a relative slow CPU, so that won't go much faster, and any init the application (the GUI) does, well we can't speed that up without the source code :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 09:39:02 pm
Help? Been there done that....

rigol-uboot>bollocks
Unknown command 'bollocks' - try 'help'
rigol-uboot>help
Invalid input(hxh)
LOL they removed the 'help' command to make the binary smaller (or remove it to please the user lol)

ok, so then i'll just have to get the info from an older u-boot manual.
until now, i had to do all this from memory :p

I just went through a list of 'standard' uboot commands and quite a few work as expected. BDINFO and VERSION churn out some info, but HELP and PRINTENV are very much absent.

It's just bizarre that they disabled printenv ... or help. It may be that in old u-boot versions it was a subcommand of 'env' so 'env print' but even so ... it just makes our job a little harder, not impossible :) The first thing I need to do is cook up a new dtb that exposes the SPI flash memory to linux :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 26, 2018, 09:45:43 pm
So, the zynq.bit parsing is below:

Code: [Select]
00000000 - FFFFFFFF             Padding
00000004 - FFFFFFFF             Padding
00000008 - FFFFFFFF             Padding
0000000C - FFFFFFFF             Padding
00000010 - FFFFFFFF             Padding
00000014 - FFFFFFFF             Padding
00000018 - FFFFFFFF             Padding
0000001C - FFFFFFFF             Padding
00000020 - 000000BB             Bus width auto detect, word 1
00000024 - 11220044             Bus width auto detect, word 2
00000028 - FFFFFFFF             Padding
0000002C - FFFFFFFF             Padding
00000030 - AA995566             Sync Word (BPI/SPI Mode)
00000034 - 20000000             T1 - 00000000  NOP      (1x)
00000038 - 30022001 00000000    T1 W 00000001  TIMER
00000040 - 30020001 00000000    T1 W 00000001  WBSTAR
00000048 - 30008001 00000000    T1 W 00000001  CMD      NULL - No Operation
00000050 - 20000000             T1 - 00000000  NOP      (1x)
00000054 - 30008001 00000007    T1 W 00000001  CMD      RCRC - Reset CRC
0000005C - 20000000             T1 - 00000000  NOP      (2x)
00000064 - 30026001 00000000    T1 W 00000001  FALL_EDGE
0000006C - 30012001 02003FE5    T1 W 00000001  COR0
00000074 - 3001C001 00000000    T1 W 00000001  COR1
0000007C - 30018001 0373B093    T1 W 00000001  IDCODE
00000084 - 30008001 00000009    T1 W 00000001  CMD      SWITCH - Switch CCLK Frequency
0000008C - 20000000             T1 - 00000000  NOP      (1x)
00000090 - 3000C001 00000401    T1 W 00000001  MASK
00000098 - 3000A001 00000501    T1 W 00000001  CTL0
000000A0 - 3000C001 00000000    T1 W 00000001  MASK
000000A8 - 30030001 00000000    T1 W 00000001  CTL1
000000B0 - 20000000             T1 - 00000000  NOP      (8x)
000000D0 - 30002001 00000000    T1 W 00000001  FAR
000000D8 - 30008001 00000001    T1 W 00000001  CMD      WCFG - Write Config Data
000000E0 - 20000000             T1 - 00000000  NOP      (1x)
000000E4 - 30004000             T1 W 00000000  FDRI
000000E8 - 500D621C             T2 W 000D621C
00358964 - 20000000             T1 - 00000000  NOP      (2x)
0035896C - 30008001 0000000A    T1 W 00000001  CMD      GRESTORE - Pulse GRESTORE Signal
00358974 - 20000000             T1 - 00000000  NOP      (1x)
00358978 - 30008001 00000003    T1 W 00000001  CMD      DGHIGH/LFRM - Last Frame Write
00358980 - 20000000             T1 - 00000000  NOP      (100x)
00358B10 - 30008001 00000005    T1 W 00000001  CMD      START - Begin Startup Sequence
00358B18 - 20000000             T1 - 00000000  NOP      (1x)
00358B1C - 30002001 03BE0000    T1 W 00000001  FAR
00358B24 - 3000C001 00000501    T1 W 00000001  MASK
00358B2C - 3000A001 00000501    T1 W 00000001  CTL0
00358B34 - 30000001 E3AD7EA5    T1 W 00000001  CRC
00358B3C - 20000000             T1 - 00000000  NOP      (2x)
00358B44 - 30008001 0000000D    T1 W 00000001  CMD      DESYNC - Reset DALIGN Signal
00358B4C - 20000000             T1 - 00000000  NOP      (400x)

The IDCODE = 0373B093 corresponds to the Xilinx Zynq-7015. The same as in the DS7000.

The decrypted scripts (full) are attached.

The file /tmp/env.bin is protected by a CRC-32 (ISO-HDLC) in its first 4 bytes. cfger tests this CRC before doing anything.

That's the same bit as from the MSO7000 thread right? Nice to have it all in one place :) Not sure what I'm seeing in the zynq bit file, more curious as to whether its possible to do any partial reconfiguration. I know FPGA's support it, just need to know what's needed, as I desperately want to overwrite some bits (like the display unit).

As for the env.bin; a u-boot environment is a \n separated text file, usually with the .cmd extension. It's just a list of environment variables per line. mkimage will turn this into a .bin file, where the \n's are more or less replaced with \0's and a header is prepended. Part of the header is indeed a checksum (Don't recall if the header is only the checksum).

Anyhow, they basically re-invented the wheel with their cfger, as the fw_printenv and fw_setenv tools do exactly this :) I think fw_printenv can even do it directly on /dev/mtd0 rather than dumping it locally and modifying it locally. Besides, they should have kept the env in the spi flash; as having it on raw nand storage (as they do now) and writing it (hopefully only during updates) is error prone. Raw flash access (via write) is not wear-leveled, no bit correction performed etc (but u-boot can't access it otherwise, well not their ancient u-boot version).
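A sketch of the env.bin check tv84 describes and the layout described in the post above, added here and not Rigol's cfger or U-Boot's fw_printenv. It assumes the standard non-redundant U-Boot layout (a 4-byte little-endian CRC-32 over the rest of the 0x40000-byte area, then NUL-separated name=value strings ended by an empty string, 0xFF padding); the sample blob is constructed from a few variables of the env dump posted earlier in the thread, and appended_entries() reproduces the "not alphabetical" observation made there.

```python
import struct
import zlib

ENV_SIZE = 0x40000  # length given to nanddump (-l 0x40000) in the thread

# Constructed sample: a subset of the variables from the env dump posted
# earlier, in the order they appear there.
SAMPLE_VARS = [
    ("backpart", "B"), ("baudrate", "115200"), ("bootdelay", "1"),
    ("modeboot", "qspiboot"), ("vendor", "RIGOL TECHNOLOGIES"),
    ("nandbootA", "checkGTP;loadzynq 0x4900000;ledoff;loadlogo 0x4500000;"
                  "nand read 0x3000000 0x5100000 0xd8ebf0;bootm 0x3000000"),
    ("bootpart", "B"),
    ("bootcmd", "if run nandbootB; then echo 'ok'; "
                "else setenv bootpart A;save;run nandbootA; fi"),
]


def build_env(pairs, size=ENV_SIZE):
    """Serialise name/value pairs into an env image (used for the sample)."""
    data = b"".join(("%s=%s" % (k, v)).encode("ascii") + b"\0" for k, v in pairs)
    data += b"\0"                       # empty string terminates the list
    if len(data) > size - 4:
        raise ValueError("environment does not fit in %d bytes" % size)
    data = data.ljust(size - 4, b"\xff")  # assumed padding byte
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data


def parse_env(blob):
    """Return (crc_ok, variables). Variables keep their stored order."""
    if len(blob) < 5:
        raise ValueError("too short to be an environment image")
    (stored,) = struct.unpack_from("<I", blob, 0)
    data = blob[4:]
    crc_ok = stored == (zlib.crc32(data) & 0xFFFFFFFF)
    variables = {}
    for entry in data.split(b"\0"):
        if not entry:                   # double NUL: end of the variables
            break
        name, sep, value = entry.partition(b"=")
        if not sep:
            raise ValueError("entry without '=': %r" % entry[:32])
        variables[name.decode("ascii")] = value.decode("ascii", "replace")
    return crc_ok, variables


def appended_entries(names):
    """Names from the first point where alphabetical order breaks.

    U-Boot writes the environment sorted, so a tail that is out of order
    was most likely appended by another tool.
    """
    for i in range(1, len(names)):
        if names[i] < names[i - 1]:
            return names[i:]
    return []


if __name__ == "__main__":
    ok, env = parse_env(build_env(SAMPLE_VARS))
    print("CRC ok:", ok)
    print("appended:", appended_entries(list(env)))
```

A CRC-32 only catches corruption: anyone who can write /dev/mtd0 can recompute it, so it gives no protection against deliberate changes to the boot environment.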
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 26, 2018, 09:46:50 pm
I'm sorry I wasn't clear, but they are two commands
so
Code: [Select]
setenv bootdelay 3
followed by
Code: [Select]
save
without the save, nothing happens. You basically just set the bootdelay variable to read '3 save' and after a reboot it's gone (reset, without the save)

Ok cool... well it made no difference so I tried the Linux way:

Code: [Select]
/rigol/tools/cfger -s "bootdelay 5"
flash_eraseall /dev/mtd0
nandwrite -p /dev/mtd0 /tmp/env.bin

That made no difference either, countdown is still instantaneous.

Hmm, I doubt cfgver is checking anything in that file, like filtering bootdelay, so it could be, that they removed it from the binary.

In any case, we _can_ get in if needed, so that's a win. I am curious, next time you're in u-boot, what "echo $bootdelay" will say. It should yield the 5 you saved; if not, we did something wrong with the cfgver tool (or whatever it was, I forget)

Seems to be stuck at 1. But I can reliably get into uboot now by streaming crap at the scope at boot time.

rigol-uboot>echo $bootdelay
1
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 26, 2018, 10:05:29 pm
That's the same bit as from the MSO7000 thread right? Nice to have it all in one place :)

No it isn't. This one is from the MSO5000.

That means the 2 bit files should be the same in 5000 and 7000 !!!! :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 27, 2018, 06:46:22 am
Seems to be stuck at 1. But I can reliably get into uboot now by streaming crap at the scope at boot time.

rigol-uboot>echo $bootdelay
1
that's interesting; as initially it is set to 0. Well I'll dig into this at some point.

Meanwhile, what do you mean with a stream of crap? I know you can set keys to allow interrupts, space is or 'c' are common. CTRL-c also tends to work to interrupt a running bootscript. Is it just random keyboard mashing; is it isolated to an area of button mashing?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 27, 2018, 06:48:44 am
That's the same bit as from the MSO7000 thread right? Nice to have it all in one place :)

No it isn't. This one is from the MSO5000.

That means the 2 bit files should be the same in 5000 and 7000 !!!! :)
I'm not surprised at that at all. I think MSO7000 and MSO5000 are more or less the same platform. Not sure I understand the difference in PCB yet however ... I doubt they are using different ASIC's though; maybe yield differences for now; but then, that means if yields get better, there will be even less differences ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 27, 2018, 07:19:35 am
<decrypted files>
They are more or less identical, except hashes and so, to the MSO7000 files. No surprise there :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 27, 2018, 08:23:36 am
Meanwhile, what do you mean with a stream of crap? I know you can set keys to allow interrupts, space is or 'c' are common. CTRL-c also tends to work to interrupt a running bootscript. Is it just random keyboard mashing; is it isolated to an area of button mashing?

I just loop output back to input, that does it!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 27, 2018, 01:24:50 pm
Meanwhile, what do you mean with a stream of crap? I know you can set keys to allow interrupts, space is or 'c' are common. CTRL-c also tends to work to interrupt a running bootscript. Is it just random keyboard mashing; is it isolated to an area of button mashing?

I just loop output back to input, that does it!

like shortening RX to TX? that's bizarre :D It must be one of the character (combinations) in there. It IS possible they have set a 'password' as the any-key and it happens to be part of the input lol, like rigolee or dirty :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 27, 2018, 01:59:38 pm
Meanwhile, what do you mean with a stream of crap? I know you can set keys to allow interrupts, space is or 'c' are common. CTRL-c also tends to work to interrupt a running bootscript. Is it just random keyboard mashing; is it isolated to an area of button mashing?

I just loop output back to input, that does it!

like shortening RX to TX? that's bizarre :D It must be one of the character (combinations) in there. It IS possible they have set a 'password' as the any-key and it happens to be part of the input lol, like rigolee or dirty :p

Scope hacked its own password, how cool is that lol
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on December 27, 2018, 02:20:31 pm
That's the same bit as from the MSO7000 thread right? Nice to have it all in one place :) Not sure what I'm seeing in the zynq bit file, more curious as to whether its possible to do any partial reconfiguration. I know FPGA's support it, just need to know what's needed, as I desperately want to overwrite some bits (like the display unit).
There seems to be a lot of myths regarding partial reconfiguration floating around, so please watch this video from Xilinx explaining what PR actually is and how it works: https://www.xilinx.com/video/hardware/partial-reconfiguration-in-vivado.html
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 02:31:26 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 27, 2018, 02:58:57 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

What did you do to "log in"?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 03:02:51 pm
IO -> lan settings -> IP
enter that ip into putty, ssh, port 22, entering root and root when asked

Code:
login as: root
root@192.168.1.109's password:
Access denied

it's connected to my home network. the webinterface of the rigol is working.

also tried termius on the iphone, same error.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 27, 2018, 03:11:06 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

I think now the title of the thread is going to start making sense...  ::)

Gentlemen, start your engines!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 03:17:22 pm
Here's version 00.01.01.02.03 (http://firebird.tms-taps.net/Rigol/DS5000Update.GEL). You could put it on a thumb drive and try to downgrade. But maybe someone else would like to try something with 1.2.4 first.

P.S.: Upload will be finished in about 10 minutes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: wulfman on December 27, 2018, 03:17:39 pm
Can an older version of firmware be loaded ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 03:20:30 pm
Here's version 00.01.01.02.03 (http://firebird.tms-taps.net/Rigol/DS5000Update.GEL). You could put it on a thumb drive and try to downgrade. But maybe someone else would like to try something with 1.2.4 first.

P.S.: Upload will be finished in about 10 minutes.
thank you! will try and report

Nope, doesn't work. "Failed to upgrade! Check the upgrade file."
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 27, 2018, 03:24:21 pm
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 27, 2018, 03:27:10 pm
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!

Can you replace /etc/passwd?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 27, 2018, 03:35:44 pm
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!

Can you replace /etc/passwd?

I'll leave that to tv84 and oliv3r. It's encrypted and probably can't be transferred to another scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 27, 2018, 03:47:00 pm
Here's version 00.01.01.02.03 (http://firebird.tms-taps.net/Rigol/DS5000Update.GEL). You could put it on a thumb drive and try to downgrade. But maybe someone else would like to try something with 1.2.4 first.

P.S.: Upload will be finished in about 10 minutes.
thank you! will try and report

It most probably won't let you downgrade. That should be where the USB vendor disk comes into play.

Let's first try to reset the password and then we'll deal with the downgrade thing. It would be interesting to recover the new GEL that should be inside that scope. Working on it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 03:51:58 pm
Can we patch the update script so that it thinks that it is at least the same version?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 27, 2018, 03:57:00 pm
I'll leave that to tv84 and oliv3r. It's encrypted and probably can't be transferred to another scope.

Nah, it's just a hash of the word "root".

Can you post the contents of your new "/etc/passwd"? Maybe we can crack it.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on December 27, 2018, 06:03:48 pm
Got an update from Tequip....updated Jan 31 ship date (site says 15 in stock  |O )

When it DOES show up....eventually lol....I'm treating this as a hobby project of hacking first (that happens to spit out a nice scope at the end). Edit:: Called. Stock system error. Should go out Friday or early next week.

Nearly guaranteed to have the "fixed" firmware with a no longer obvious root password. Guess we can safely assume that wasn't intentional  ::).

~Let the fun begin!~
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on December 27, 2018, 06:05:44 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 27, 2018, 06:46:30 pm
Just took a look at current user manual for MSO5000 and compared it to the old mso/ds7000 manual. In a new MSO5000 manual, you can apply math on math !!
You can have previous math channels as sources. In initial DS7000 manual that wasn't the case.
It is implemented pretty much very similar to how R&S did it in 2000/3000....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 06:51:30 pm
Can we patch the update script so that it thinks that it is at least the same version?
It took a bit longer but let’s see if we can fool that little bastard. :) If I didn't mess things up, here’s a file (http://firebird.tms-taps.net/Rigol/DS5000UpdateX.GEL) that should change the environment to make the scope think that it has the older firmware installed and that this is an installation of the same version.

After you’ve downloaded the file, rename it to “DS5000Update.GEL” before you put it on the thumb drive. Good luck!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Swap_File on December 27, 2018, 07:02:06 pm
Got an update from Tequip....updated Jan 31 ship date (site says 15 in stock  |O )

I just got done talking with someone from Tequipment, there was a mix up on the updated ship date and all the back ordered scopes (or my one at least :P) is supposed to be going out early next week.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 27, 2018, 07:45:00 pm
Distributor of rigol 'suggested' they have received instructions from rigol that they need to upgrade any existing units they have before they ship, and that they should be contacting customers who have already got theirs to arrange an upgrade.

Since my distributor (who's sitting on mine, pending pickup) has already been paid for this one, he contacted me to ask if I wanted it upgraded. (smart cookie).

Read between the lines. Rigol does not want these being hacked. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: orion242 on December 27, 2018, 08:40:42 pm
Hmm.  Maybe we should refuse delivery...sorry return to sender.  lol.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 27, 2018, 08:46:53 pm
Read between the lines. Rigol does not want these being hacked.

Too late. We have a ton of info now.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 09:26:42 pm
Can we patch the update script so that it thinks that it is at least the same version?
It took a bit longer but let’s see if we can fool that little bastard. :) If I didn't mess things up, here’s a file (http://firebird.tms-taps.net/Rigol/DS5000UpdateX.GEL) that should change the environment to make the scope think that it has the older firmware installed and that this is an installation of the same version.

After you’ve downloaded the file, rename it to “DS5000Update.GEL” before you put it on the thumb drive. Good luck!
Wow! that was quick and WORKING!! i can login now
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 09:45:43 pm
You just flashed 1.2.3... No use.
During my tests, the firmware was flashed into the app A space (mtd3, 4, 5 and 6). Dumping mtds 7 to 10 might provide the new f/w.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 27, 2018, 09:46:25 pm
New Firmware ?
But officially there's no update available (rigolna, rigol eu)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 27, 2018, 09:48:49 pm
But, nonetheless. Tell us what you see in the /user/download/
empty
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 27, 2018, 09:56:46 pm
New Firmware ?
It has a higher version number but we do not know if the login lock out is the only change.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 27, 2018, 10:10:42 pm
By the way, it seems on the rigol HK site you could download the former version.

Release Note:

Quote
[Supported Model]    All the MSO5000 Series Digital Oscilloscopes
[Latest Revision Date]  2018/10/15

[Updated Contents]
--------------------

v00.01.01.02.03  2018/10/15

     - Release the production version

edit:

http://www.rigol.com/File/ProductSoftWare/20181017/DS5000(ARM)Update.rar
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 27, 2018, 11:23:25 pm
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on December 27, 2018, 11:39:16 pm
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
That is an encrypted password.  Unix/Linux does not decrypt passwords in /etc/passwd, it only encrypts user typed password using the same key and compares it to the string stored in /etc/passwd
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 27, 2018, 11:45:46 pm
I think he was asking for someone to have a go at cracking it as it seems like a very small hash.

Its not something stupid like root as the password?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quix on December 28, 2018, 01:31:19 am
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
20 minutes with hashcat on a radeon hd7900 -> Rigol201  :-DD

for those interested. researching this took longer than 20mins ;-) linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. i copied the hash part into a file (rigol.hash) and here's the command i used for hashcat:
Code:
hashcat64.exe -a 3 -m 1500 rigol.hash
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: djnz on December 28, 2018, 05:28:48 am
Have you guys thought of a way to side-load an authorized_keys file into .ssh if rigol decides to change the password again?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 07:46:34 am
Just for kicks I connected my scope using just the serial interface.

Let it boot all the way and then I seem to have access to all the Linux commands without having to enter a username or password.

Looks like I can copy the start.sh file to USB, edit it and then copy it back into the scope.

Trying to use VI in single line mode is a nightmare!!!

Can you replace /etc/passwd?
The password is stored in the ramdisk, which is part of the FIT image, so while you can change it, it is never saved to disk. Also even if we changed it, the hash of the initrd wouldn't match that of the FIT image anymore, so we'd have to update as well. Not impossible, not trivial either.

What is rather easy is modify the start.sh script once in, to change/wipe the password after startup :) the start.sh is part of the app partition, which is a regular r/w mounted filesystem.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 07:49:03 am
Can we patch the update script so that it thinks that it is at least the same version?
I would assume so; we can re-crypt it with cfger I believe and they can't/shouldn't change the keys easily, as they'd want the 'new' keys to still be accepted by old scopes
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 07:49:43 am
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
I wonder where they are getting it from ... Or even more importantly, if they are telling their users to upgrade; where should we get it from?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 28, 2018, 08:17:01 am
Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
I wonder where they are getting it from ...

Same place they get the 'scopes they're selling....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TrickTronic on December 28, 2018, 08:32:46 am
CONFIRMATION

Hey Guys! Thx a million times you crafty geniuses!!  ;D :-+ :-+ :-+

Type: MSO5074
Firmware: 00.01.01.02.04

Successful SSH Login via Putty:
USR: root
PWD: Rigol201


I followed the instructions from @TopLoser:
##################################
Download and install PuTTY on your PC
On your scope find its IP address by UTILITY, IO, LAN
Run PuTTY and connect using that IP address and SSH with port 22
Login as ‘root’ password ‘root’
Enter ‘cd /rigol/shell’
Enter ‘vi start.sh’

Change line 82 to read:
‘/rigol/appEntry  $PowerOn -run -fullopt &’

Google vi commands to find out how to insert text into the file
Basically press ‘i’ to enter edit mode then move cursor, insert text and then ESC to exit edit mode.

Save the file and quit ‘:wq’

Reboot.
##################################

Rock on guys! Great work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 28, 2018, 09:09:53 am
What's "wifi.sh"?  :popcorn:

(and "send_mail.sh"...do these things send email?)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 28, 2018, 09:29:44 am
Noob question, assuming Rigol does not want to screw up existing early buyers/adopters for future firmware upgrades, also with assumption there will be no major hardware change/revision for newly produced scopes.

With current state of hacks done, will they be able to lock this opening permanently if they want to thru newer firmware "only"?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 09:43:22 am
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
20 minutes with hashcat on a radeon hd7900 -> Rigol201  :-DD

for those interested. researching this took longer than 20mins ;-) linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. i copied the hash part into a file (rigol.hash) and here's the command i used for hashcat:
Code:
hashcat64.exe -a 3 -m 1500 rigol.hash

I'm surprised that it took you that long; this looks like a very weak password :) I wonder how long it would have taken john the ripper without GPU acceleration...
So john automatically detects the password type and everything and starts to go right away. The 8 chars from the password do just happen to fit inside john's default 8 chars, so that's lucky :). Now on a single threaded i7 it's taking its sweet time. After 1h30 I am not waiting on it anymore (but will let it run its course out of curiosity).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on December 28, 2018, 09:55:23 am
With current state of hacks done, will they be able to lock this opening permanently if they want to thru newer firmware "only"?
It’s hard to say if it is impossible to open future firmware updates but a lot of knowledge has been collected in the meantime which makes it easier for us. But as we learn from their changes, they will learn from our hacks and there is a possibility that a future version is not hackable and you’re stuck at a specific version if you don’t want to give up fullopt.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 09:59:23 am
What's "wifi.sh"?  :popcorn:

(and "send_mail.sh"...do these things send email?)
Yes, there are a few supported wifi modules (not sure if there is a UI element to configure them however)
The following drivers + firmwares are installed:
rtl8192cufw_A.bin  rtl8192cufw_B.bin  rtl8192cufw.bin  rtl8192cufw_TMSC.bin  rtl8812aufw.bin
So those wifi modules should work out of the box.

And yes, these can in theory send e-mails :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 10:00:59 am
Noob question, assuming Rigol does not want to screw up existing early buyers/adopters for future firmware upgrades, also with assumption there will be no major hardware change/revision for newly produced scopes.

With current state of hacks done, will they be able to lock this opening permanently if they want to thru newer firmware "only"?
Yes, remote access they can. But best keep quiet so we don't give them ideas.

Ultimately however, with a screwdriver and other tools you can still bypass that; but even that's lockable.

In the end however, they will need to be able to do firmware updates themselves as well ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 28, 2018, 11:50:43 am
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 28, 2018, 11:54:17 am
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 28, 2018, 12:30:09 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??
Some oscilloscopes can send an e-mail as part of a data logging feature. If a trigger occurred an e-mail notice will be sent (and in some cases it is also possible to have a screendump or data sent as an attachment).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: cybernet on December 28, 2018, 01:17:15 pm
 :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 01:56:26 pm
:-+
I wonder if you'd notice this thread :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 28, 2018, 02:14:35 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

Keysight 3000T can E-mail anything that it can save to USB file....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 28, 2018, 02:42:22 pm
it will be placed on an isolated vlan, with no internet access, and not attached to anything that's important. given the poor security posture that Rigol takes, these become a real possibility for a security breach.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 28, 2018, 02:49:16 pm
you can run an email server on a vlan if you needed the functionality....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on December 28, 2018, 02:55:49 pm
it will be placed on an isolated vlan, with no internet access, and not attached to anything that's important. given the poor security posture that Rigol takes, these become a real possibility for a security breach.

Maybe that's the reason they changed the password, not to stop hacking.

If they were after security they'd have used a longer hash function.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 28, 2018, 03:04:13 pm
Some oscilloscopes can send an e-mail as part of a data logging feature. If a trigger occurred an e-mail notice will be sent (and in some cases it is also possible to have a screendump or data sent as an attachment).

Sorry for my ignorance in these modern features.  :-[

But, the other day, I saw so many worries about the fact that the Siglent WIFI key wouldn't allow 63 chars and now I see scopes having the explicit capability of sending mails.... and everyone thinks that's a normal thing.

Well, life is good.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 28, 2018, 03:14:45 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2018, 05:51:42 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD

So that's why I need that touchscreen! :p

While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug-in bam; problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc) but don't want it to poke on the internet ... without firewalling or network isolation, the scope just became a ... god knows what.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 28, 2018, 05:56:55 pm
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD

So that's why I need that touchscreen! :p

While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug-in bam; problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc) but don't want it to poke on the internet ... without firewalling or network isolation, the scope just became a ... god knows what.

Yes they can check any installed licence keys (if a keygen becomes available) and check them against a list of official paid for keys... and disable them! Owner can obviously reinstall them unless Rigol nuke your scope remotely for being a bad boy!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 28, 2018, 06:02:48 pm
We'll have to add "remove email client" to the to-do list...

BTW, does it have a camera?   :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: orion242 on December 28, 2018, 06:38:46 pm
While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug-in bam; problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc) but don't want it to poke on the internet ... without firewalling or network isolation, the scope just became a ... god knows what.

Next batch of zombies in the mirai botnet with root/root as the login.  Vlan it off with the rest of the untrusted crap in its own little safe space.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on December 28, 2018, 06:54:53 pm
Give it a manual IP and leave the gateway IP blank, it can't call home that way.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 28, 2018, 09:12:10 pm
firewall log files will be interesting to look at and see what is coming and going. You've got a device that's essentially open with a linux stack on it, on the inside of your network.. could be used for any number of things..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on December 28, 2018, 09:23:16 pm
Give it a manual IP and leave the gateway IP blank, it can't call home that way.
You might think that but there are several ways to generate network traffic and get the gateway anyway.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 28, 2018, 10:52:16 pm
Just for reference.

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=607480)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 29, 2018, 08:27:26 am
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

I would like to post some other hack on appEntry. BTW, we have a u-boot dump without tearing it down; analyzing it is a little troublesome. Although we know how to interrupt autoboot, how to check in u-boot still remains a mystery.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 29, 2018, 08:55:59 am
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

I would like to post an SPI Flash dump on this thread and some other hack on appEntry. BTW, we have a u-boot dump without tearing it down (in fact, the u-boot itself contains a command to switch between NOR and NAND Flash, because they share several pins); analyzing it is a little troublesome. Although we know the u-boot passphrase, how to check in u-boot still remains a mystery.

I would suggest that you don't post that here; posting that will probably get you banned. However, it's OK to post it somewhere else and post a link to it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 29, 2018, 09:03:32 am
Or better yet, rely on PMs to share it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 29, 2018, 10:08:57 am
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

I would like to post an SPI Flash dump on this thread and some other hack on appEntry. BTW, we have a u-boot dump without tearing it down (in fact, the u-boot itself contains a command to switch between NOR and NAND Flash, because they share several pins); analyzing it is a little troublesome. Although we know the u-boot passphrase, how to check in u-boot still remains a mystery.
Not sure why this information would get you banned. U-Boot is GPL software for one. Secondly the software is already being shared via the forum.

Now, what are you talking about with NAND flash and NOR flash being shared via the same pins? So let's first assume this is possible. Now, u-boot SPL (or the FSBL; calling it only FSBL for now) is being read via the bootrom. The bootrom uses the BOOT_MODE pins to configure the BootROM to boot from QSPI SPI NOR flash. It happily reads the FSBL into the OCM (or via XIP even) and starts to execute the FSBL. U-boot is then loaded, but has no knowledge of the QSPI flash and only has the NAND pinmux set and loads the files from NAND.

What is special here, and I'm sure they can hack this into their u-boot, is that the SPL does have QSPI support, but u-boot regular does not. Because of that, I think they are using the vivado FSBL, as doing this with plain u-boot requires some hacks, as it does not support this.

Now, looking at Table 2-4, MIO-at-a-Glance; page 52 of the Zynq-7000 TRM (UG585) we see that the QSPI pins are part of pins 2 through 13, and the nand flash is 24 through 40. So there is no overlap. Now you also speak of SRAM and NOR. Yes, the zynq can boot via NOR flash, like nand, but not SPI, parallel NOR flash. Also confusingly the zynq supports SRAM, now I know the difference between the two, but some of the texts I found make it sound like there is also NOR based SRAM, which confuses me. So I think, for now, that it's either/or.

Reason I bring this up is because there are 2 SRAM chips connected to the zynq (top 2 chips via snake-trace). So it could be that these are connected to the PS via these pins 40 - 53 or they are part of the FPGA. Can't see that yet ... and don't know what the purpose would be of this yet. I don't see any linux configuration for it (but I may have glanced over it). I strongly believe it is part of the FPGA and is used as some sort of buffering mechanism for the big data stream.

As for the extracted data, please do feel free to send it to me in a PM :)

Edit: I was wrong. The NAND pins are indeed shared. I was looking at what turns out to be just the text field which was put RIGHT of the pins. Super annoying.

This does make things more interesting.

So, while we cannot touch u-boot, but it's quite likely, that neither can rigol. As they cannot access it from linux nor u-boot due to the pin-sharing with nand.

Well partially true; if you disable NAND, you can freely access SPI Flash again. As linux is running from nand, re-muxing it runtime; impossible

So in u-boot; there is sf probe, which could free the nand mux and force the spi mux, but that requires patches to u-boot, which are probably complex.

That said, loading a u-boot that does have SPI Flash support (and disables nand) is also possible. I don't know if we can do a switcheroo however :) So my guess, is they intended the SPI flash to be written at the factory once, and never be updated.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 29, 2018, 11:58:18 am
I am 100% sure that the SPI Flash contains FSBL, a Zynq bit (will be overridden by the boot progress) and a U-Boot image, because there isn't any Zynq boot image in the NAND Flash.

So far I know the boot progress (by analyzing SPI image) is: Zynq bootrom->QSPI FSBL(XIP)->load U-boot image from SPI Flash into 0x01000000->jump to U-boot->U-boot switch the pinmux to NAND Flash->U-Boot reads env->U-boot executes env->Linux.

About the QDR SRAM controlled by Zynq, I think it is used to handle the phosphor process. Because the phosphor process needs huge random access to the framebuffer, it is reasonable to use QDR SRAM.

So, our team thinks that acquire and some DSP function is processed by K7, and plotting is processed by Zynq PL.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 29, 2018, 12:07:41 pm
Our team got two MSO5072, one MSO5074. But none of them shipped with 1.1.2.4 version firmware.

My scope is on the way to my college. Estimated arrival time is around Jan.1 2018. If my scope shipped with 1.1.2.4 version firmware and it solves all issues I have mentioned before, I would like to share all my research.

BTW, Rigol have replied to me about the crash issue, the FFT issue, and the high resolution issue. They said that they are solved in the latest firmware; in about two or three days we can get the final result.

To mrpackethead: you have successfully forced me to buy one prematurely, my hack will be available soon. Since you're so energetic, why not ask Rigol for the source of Linux, U-Boot, and some kernel module! In fact, their proprietary driver is also said GPL in the module descriptor. I don't see any contribution in this thread by you, you have said that you just want the principle of the hack, but even a tarball troubles you, so don't make yourself like a sage anymore. Do you know an old saying "The brave man attacks the braver man"?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BravoV on December 29, 2018, 01:09:43 pm
rgwan, you have too much inbox stuff, get me some space. :)

Rgwan just passed the post count (above me at 5) limit to be able to use forum's PM feature.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: wulfman on December 29, 2018, 01:48:51 pm
My new scope will be here on the 3rd.  :scared: :scared: :scared:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 29, 2018, 03:21:39 pm
I am 100% sure that the SPI Flash contains FSBL, a Zynq bit (will be overridden by the boot progress) and a U-Boot image, because there isn't any Zynq boot image in the NAND Flash.

So far I know the boot progress (by analyzing SPI image) is: Zynq bootrom->QSPI FSBL(XIP)->load U-boot image from SPI Flash into 0x01000000->jump to U-boot->U-boot switch the pinmux to NAND Flash->U-Boot reads env->U-boot executes env->Linux.

About the QDR SRAM controlled by Zynq, I think it is used to handle the phosphor process. Because the phosphor process needs huge random access to the framebuffer, it is reasonable to use QDR SRAM.

So, our team thinks that acquire and some DSP function is processed by K7, and plotting is processed by Zynq PL.

Yes, you are right; I was wrong :)
So I haven't analyzed their FSBL, but I'm curious as to the setting of the boot_mode register, as that will answer the XIP question. I am not sure why they'd use XIP; it would make far more sense to use the normal OCM method. Especially when they change their mux.

So what I think they did:

BootROM loads FSBL into OCM and jumps to FSBL that is compiled with SPI flash support
FSBL enables DRAM, loads u-boot from QSPI flash into DRAM and jumps to u-boot

U-Boot knows nothing of SPI flash, but enables NAND flash as it does not know anything about SPI flash.

Hopefully there are no GPIO's to enable/disable pins ... (CS, power enable etc)

However, QSPI CS0 pin is 'pin 1' and NAND CS0 pin is at 'pin 0' so at least those should not overlap ...
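The XIP question raised above can also be checked offline from a QSPI dump, because the BootROM header at the start of the image records it: a zero image-length word selects execute-in-place. This is an added example, not code from the thread or from the rigolee repository; the field offsets follow the BootROM header table in the Zynq-7000 TRM (UG585), and the sample header is constructed rather than taken from a scope.

```python
"""Decode the Zynq-7000 BootROM header at the start of a QSPI flash image."""
import struct

HDR_OFF, HDR_WORDS = 0x20, 11      # 32-bit words at 0x20..0x48 inclusive
WIDTH_DETECT = 0xAA995566          # width detection word at 0x20
IMAGE_ID = 0x584C4E58              # 'XLNX' as a 32-bit value at 0x24
ENC_KEY_SOURCE = {0xA5C3C5A3: "eFuse", 0x3A5C3C5A: "BBRAM"}
QSPI_LINEAR = (0xFC000000, 0xFDFFFFFF)   # linear (memory-mapped) QSPI window


def parse_boot_header(image: bytes) -> dict:
    """Return the boot-relevant header fields, or raise ValueError."""
    if len(image) < HDR_OFF + 4 * HDR_WORDS:
        raise ValueError("image too short to hold a BootROM header")
    words = struct.unpack_from("<%dI" % HDR_WORDS, image, HDR_OFF)
    (width, ident, enc, _user, src_off, img_len,
     _rsvd, start_exec, total_len, _rsvd2, checksum) = words
    if width != WIDTH_DETECT or ident != IMAGE_ID:
        raise ValueError("no Zynq boot header at the start of this image")
    # Checksum word = inverted 32-bit sum of the words at 0x20..0x44.
    expected = ~sum(words[:10]) & 0xFFFFFFFF
    return {
        # Image length 0 means the FSBL is executed in place from flash;
        # otherwise the BootROM copies that many bytes into OCM first.
        "mode": "XIP" if img_len == 0 else "copy to OCM",
        "source_offset": src_off,
        "image_length": img_len,
        "total_length": total_len,
        "start_of_execution": start_exec,
        "start_exec_in_qspi": QSPI_LINEAR[0] <= start_exec <= QSPI_LINEAR[1],
        "encrypted_with": ENC_KEY_SOURCE.get(enc),   # None = not encrypted
        "checksum_ok": checksum == expected,
    }


def build_sample_header(image_len: int, start_exec: int,
                        source_offset: int = 0x1700) -> bytes:
    """Constructed header for the demo below; not from a real dump."""
    words = [WIDTH_DETECT, IMAGE_ID, 0, 0, source_offset,
             image_len, 0, start_exec, image_len, 0]
    words.append(~sum(words) & 0xFFFFFFFF)
    # 0x00..0x1F would hold the XIP interrupt vectors; zeros suffice here.
    return bytes(HDR_OFF) + struct.pack("<%dI" % HDR_WORDS, *words)


if __name__ == "__main__":
    for name, hdr in (("copied FSBL", build_sample_header(0x18000, 0)),
                      ("XIP FSBL", build_sample_header(0, 0xFC001700))):
        info = parse_boot_header(hdr)
        print(name, "->", info["mode"], hex(info["start_of_execution"]),
              "checksum ok" if info["checksum_ok"] else "BAD CHECKSUM")
```

A failed checksum on a real dump is worth noting before drawing conclusions from the other fields, since it usually means the read-out itself was unreliable.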
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 29, 2018, 05:20:28 pm
Not sure why this information would get you banned. U-Boot is GPL software for one. Secondly the software is already being shared via the forum.

Quote from: EEVblog
As long as people don't attach hacked firmware files or keys onto my server I don't care what they publish.

Cause Dave said so?   No problems with the thread or discussion though (or links).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 29, 2018, 10:13:14 pm
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

It's not the only issue that has got to be fixed, and also I wonder why this "update" isn't available for download anywhere on their sites.
The "new" firmware seems to be a preliminary one, comes with "newer" 5000s out of stock, but isn't the "final" version worth uploading as an upgrade.
Maybe it is available when you choose online upgrade on the scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 29, 2018, 10:15:27 pm
I've heard that Rigol adds High-Resolution to Acquire Mode for new firmware version. If this feature is available on your scope, Then congratulations!

It's not the only issue that has got to be fixed, and also I wonder why this "update" isn't available for download anywhere on their sites.
The "new" firmware seems to be preliminary, comes with "newer" 5000s out of stock, but isn't the "final" version worth uploading as an upgrade.

Just ask your dealer, they will give you a link to it. I got one very quickly.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 29, 2018, 10:26:01 pm
Hm ?

I thought, new updates will be present on the regular rigol sites…..
You got a new update ? What does the "changes" say ?

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 29, 2018, 10:29:06 pm
Hm ?

I thought, new updates will be present on the regular rigol sites…..
You got a new update ? What does the "changes" say ?

Martin

Single file, no 'changelog'
https://www.dropbox.com/s/7xhvif1n0ayrzju/DS5000Update%20prelim.GEL?dl=0
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 30, 2018, 12:09:21 am
So has anyone tested out the three issues I mentioned before on a scope shipped with the new firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 30, 2018, 12:12:11 am
Also can someone confirm you can do math on math?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on December 30, 2018, 05:37:20 am
so far, rough diff is:

app.img:

shell/start.sh          # add -average_filter option to appEntry
shell/send_mail.sh  # finally! add model/version/serial/date to the body  :clap:
resource/scpi/MEAsure.xml # cmd id + 1??
bunch of other xml, hlp or hex files
appEntry (of course)
default/precision.hex
K160_TOP.bin

(edit) many many changes in appEntry, hard to diff, but so far, no change about our preferred start option.

system.img:

/etc/passwd                 #we already knew that
/etc/init.d/rcS              # remove echo ++ Starting ftp daemon
/etc/inittab                  # swap shell on ttyPS0 from /bin/ash to /bin/login, huh?
+/etc/passwd.root       # this is the old one
- /lib/firmware/rtfwifi/rtl{8812,8192}*.bin # bye bye

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on December 30, 2018, 07:53:18 am
Also can someone confirm you can do math on math?

Math on math
Math on math on math
Math on math on math on math
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on December 30, 2018, 08:16:54 am
should it be:
/rigol/appEntry $PowerOn  -run -fullopt &
or
/rigol/appEntry $PowerOn  -run -average_filter -fullopt &
?

I tried with -average_filter but can't find any difference. Anyway, I can't find the hi-res mode, there is a "fine" switch in the channel settings, but without any effect on the signal.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on December 30, 2018, 08:32:19 am
I tried with -average_filter but can't find any difference. Anyway, I can't find the hi-res mode, there is a "fine" switch in the channel settings, but without any effect on the signal.

I think they added this option to put the average filter by default since it's really ugly without averaging. Look at all their videos, it's always averaging, with color gradient.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on December 30, 2018, 08:44:04 am
I tried with -average_filter but can't find any difference. Anyway, I can't find the hi-res mode, there is a "fine" switch in the channel settings, but without any effect on the signal.

I think they added this option to put the average filter by default since it's really ugly without averaging. Look at all their videos, it's always averaging, with color gradient.

Well, averaging is disabled after startup, even with this option in the shell script.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 30, 2018, 09:23:55 am
Not sure why this information would get you banned. U-Boot is GPL software for one. Secondly the software is already being shared via the forum.

Quote from: EEVblog
As long as people don't attach hacked firmware files or keys onto my server I don't care what they publish.

Cause dave said so?   No problems with the thread or discussion though ( or links )
Right, so a link is fine; still sharing the file, which I was after.

However, what if it is NOT a hacked firmware, but the actual firmware from the device. Just extracted from. Like in this case u-boot. I don't see how that would be wrong?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 30, 2018, 09:25:28 am
so far, rough diff is:

app.img:

shell/start.sh          # add -average_filter option to appEntry
shell/send_mail.sh  # finally! add model/version/serial/date to the body  :clap:
resource/scpi/MEAsure.xml # cmd id + 1??
bunch of other xml, hlp or hex files
appEntry (of course)
default/precision.hex
K160_TOP.bin

(edit) many many changes in appEntry, hard to diff, but so far, no change about our preferred start option.

system.img:

/etc/passwd                 #we already knew that
/etc/init.d/rcS              # remove echo ++ Starting ftp daemon
/etc/inittab                  # swap shell on ttyPS0 from /bin/ash to /bin/login, huh?
+/etc/passwd.root       # this is the old one
- /lib/firmware/rtfwifi/rtl{8812,8192}*.bin # bye bye

I wonder how it compares to the MSO7000 firmware :)

The change from ash to login is so that you have to log in using the serial shell. While it makes sense, it's annoying :p

As for the wifi; I don't think they had the kernel module, so the firmwares didn't do much anyway.
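The system.img changes listed above (serial console moved from /bin/ash to /bin/login, a changed /etc/passwd, service start-up lines in rcS) are the kind of thing a short audit of an unpacked root filesystem can flag before a device goes on a lab network. The script below is an added example, not part of the thread or the rigolee repository; the "before" and "after" file contents are constructed to mirror the inittab change and are not the actual firmware files, and the daemon name list is an assumption.

```python
"""Audit an unpacked embedded-Linux rootfs for console and login exposure."""
import os
import re

SHELLS = {"sh", "ash", "bash"}
# Assumed list of remote-access daemons worth flagging in init scripts.
DAEMONS = re.compile(r"\b(ftpd|vsftpd|telnetd|sshd|dropbear)\b")


def audit_inittab(text):
    """BusyBox inittab lines are <tty>:<runlevels>:<action>:<process>."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            continue
        tty, _runlevels, action, process = parts
        argv = process.lstrip("-").split()      # leading '-' = login shell
        if (action in ("respawn", "askfirst") and argv
                and os.path.basename(argv[0]) in SHELLS):
            findings.append("inittab: %s spawns %s with no login prompt"
                            % (tty or "console", argv[0]))
    return findings


def audit_passwd(text):
    findings = []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) < 7:
            continue
        name, pw, uid = f[0], f[1], f[2]
        if pw == "":
            findings.append("passwd: %s has an empty password" % name)
        elif pw not in ("x", "*", "!"):
            findings.append("passwd: %s keeps its password hash in "
                            "world-readable /etc/passwd" % name)
        if uid == "0" and name != "root":
            findings.append("passwd: %s is an extra uid 0 account" % name)
    return findings


def audit_rcs(text):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()    # drop comments
        match = DAEMONS.search(code)
        if match and not code.startswith("echo"):
            findings.append("rcS:%d starts %s" % (n, match.group(1)))
    return findings


CHECKS = {"etc/inittab": audit_inittab,
          "etc/passwd": audit_passwd,
          "etc/init.d/rcS": audit_rcs}


def audit_files(files):
    """files maps rootfs-relative paths to their text content."""
    findings = []
    for path, check in CHECKS.items():
        if path in files:
            findings += check(files[path])
    return findings


def audit_rootfs(root):
    """Run the same checks against an unpacked image directory."""
    files = {}
    for path in CHECKS:
        full = os.path.join(root, path)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                files[path] = fh.read()
    return audit_files(files)


# Constructed samples, not the contents of any Rigol image.
SAMPLE_BEFORE = {
    "etc/inittab": "::sysinit:/etc/init.d/rcS\nttyPS0::respawn:/bin/ash\n",
    "etc/passwd": "root:$1$constructed$notarealhash:0:0:root:/root:/bin/sh\n",
    "etc/init.d/rcS": '#!/bin/sh\necho "++ Starting ftp daemon"\n'
                      "tcpsvd 0:21 ftpd -w /\n/usr/sbin/sshd\n",
}
SAMPLE_AFTER = {
    "etc/inittab": "::sysinit:/etc/init.d/rcS\nttyPS0::respawn:/bin/login\n",
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
    "etc/init.d/rcS": "#!/bin/sh\n/usr/sbin/sshd\n",
}

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_files(sample))
```

Point `audit_rootfs()` at the directory an image was unpacked into to run the same checks on real files.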
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 30, 2018, 09:28:17 am
Well, that proved that the 1.1.2.4 version firmware isn't the new firmware in which Rigol solved these three issues.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 30, 2018, 09:31:14 am
But one interesting thing is they haven't disabled sshd yet. Although my worries come true, I still don't know why they don't disable it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 30, 2018, 09:37:28 am
However, what if it is NOT a hacked firmware, but the actual firmware from the device. Just extracted from. Like in this case u-boot. I don't see how that would be wrong?

That's something I would like clarification on as well. My guess is no, because "copyright", but I'm curious because over on the Siglent side of the fence I have been typo patching. It does nothing to bypass features, just fixes typos that were present that broke a few existing commands.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 30, 2018, 10:25:54 am
I did a search for all types of start options and here is a list:

Code: [Select]
-notrace_ch     servtrace.cpp
-notrace_digi   servtrace.cpp
-notrace_eye    servtrace.cpp
-notrace_dx     servtrace.cpp
-notrace_la     servtrace.cpp
-log_trace      servtrace.cpp
-log_ch         servtrace.cpp
-log_la         servtrace.cpp
-log_eye        servtrace.cpp
-no_trace       tracethread.cpp  (trace not running)
-debug
-fullopt
-novcal             (calibration??)
-no_cfg         cdsophy.cpp
-noprivacy      servdso_session.cpp
-default        servdso_session.cpp (default settings)
-nonv
-ds8000         
-log_id         dsoengine_trace.cpp
-no_horiplay    dsoengine_playback.cpp
-log_engine     dsoengine_playback.cpp
-log_adc_cal    cdsorecengine_adc.cpp
-log_hori       cdsorecengine_hori.cpp
-noinit         cplatform.cpp
-no_autoplay    cdsoautostopengine.cpp
-log_afe        chcal.cpp
-average_filter cdsorecengine_ch.cpp
-peak_compress  horiunit.cpp
-wait_assert    iphyccu.cpp

On the right is the source code module that (I think) relates to it.

If anyone wants to do experiments and share their discoveries...


ATTENTION: use at your own risk; you may brick your scope!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on December 30, 2018, 10:45:47 am
 -DS8000 ??? :scared:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 30, 2018, 01:08:54 pm
-DS8000 ??? :scared:
But what about DS9000! That would be over 9000 easy!
Code: [Select]
USB device disconnected
DS7000Update.GEL
MSO8
DS8000Update.GEL
MSO5
DS5000Update.GEL
MSO9
DS9000Update.GEL
media
RIGOL TECHNOLOGIES,DS1000Z,SPARROW,201212

Looks like appEntry even borrows some code from the faithful sparrow line of devices!

For me, that's the trigger to get a MSO5000 now :)

There will be others based on the zynq platform, but there won't be a cheaper variant. Rigol may 'upgrade' the ancient DS1000Z series (DS3000?) or whatever, but I doubt they'll do anything cheaper than the MSO5k. So I think Rigol wants the hacker/cheap market with the good old DS1000Z and the MSO5000 series is the first one up after that.

(I was thinking of getting a DS1000Z last year after being quite happy with my really old DS1052E, and a DS1054Z at work. I was in the 'hmm they are quite old platforms, I wonder when rigol will release an upgrade to these aging platforms. So it turns out to be the MSO5k series. And while I'd prefer to wait for a v2 hardware version (who knows what bugs linger in the current one) I think this is as good as it'll get for the next 10 years anyway in the low-budget end).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EddyCurrent on December 30, 2018, 01:29:38 pm
Luckily, the MSO5000 is not the first platform, which operates their Phoenix chip. I guess, they already made improvements in the first issue of MSO5000 (improved cooling of analog frontend e.g.) compared to MSO7000. This lowers risk of purchasing a buggy hardware. By the way, my first post on EEVblog plus I ordered a MSO5000 as well  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 30, 2018, 10:50:59 pm
Interesting piece of code:

Code: [Select]
    deb_msg(&v7, "servrecord_spy.cpp", 120, "void servRecord::disable_xxx(servRecord::RecordState)");
    QMessageLogger::debug(&v6);
    v3 = sub_43774(&v6, "servrecord_spy.cpp");
    v4 = sub_4F428(v3);
    v5 = sub_43774(v4, "stat:");
    sub_4F428(v5);
    result = QDebug::~QDebug(&v6);
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 30, 2018, 11:04:05 pm
Spy as in spy on what you are doing and send it somewhere?


Interesting piece of code:

Code: [Select]
    deb_msg(&v7, "servrecord_spy.cpp", 120, "void servRecord::disable_xxx(servRecord::RecordState)");
    QMessageLogger::debug(&v6);
    v3 = sub_43774(&v6, "servrecord_spy.cpp");
    v4 = sub_4F428(v3);
    v5 = sub_43774(v4, "stat:");
    sub_4F428(v5);
    result = QDebug::~QDebug(&v6);
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on December 30, 2018, 11:13:50 pm
doesn't quite read that way to me unless it ties into a much larger function, looks more like a thread hook to request a status string??

sub_43774 looks to be what pushes out a message and returns the value.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on December 30, 2018, 11:37:54 pm
Any guesses as to what -ds8000 does?  I'll give this a whirl in a few weeks, but curious to kno...


I did a search for all types of start options and here is a list:

Code: [Select]
-notrace_ch     servtrace.cpp
-notrace_digi   servtrace.cpp
-notrace_eye    servtrace.cpp
-notrace_dx     servtrace.cpp
-notrace_la     servtrace.cpp
-log_trace      servtrace.cpp
-log_ch         servtrace.cpp
-log_la         servtrace.cpp
-log_eye        servtrace.cpp
-no_trace       tracethread.cpp  (trace not running)
-debug
-fullopt
-novcal             (calibration??)
-no_cfg         cdsophy.cpp
-noprivacy      servdso_session.cpp
-default        servdso_session.cpp (default settings)
-nonv
-ds8000         
-log_id         dsoengine_trace.cpp
-no_horiplay    dsoengine_playback.cpp
-log_engine     dsoengine_playback.cpp
-log_adc_cal    cdsorecengine_adc.cpp
-log_hori       cdsorecengine_hori.cpp
-noinit         cplatform.cpp
-no_autoplay    cdsoautostopengine.cpp
-log_afe        chcal.cpp
-average_filter cdsorecengine_ch.cpp
-peak_compress  horiunit.cpp
-wait_assert    iphyccu.cpp

On the right is the source code module that (I think) relates to it.

If anyone wants to do experiments and share their discoveries...


ATTENTION: use at your own risk; you may brick your scope!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 31, 2018, 11:02:52 am
Finally, I got the scope. Its firmware version is 1.1.2.3. So, I have to wait for new firmware...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Swap_File on December 31, 2018, 03:53:44 pm
This won't help rgwan, but if anyone is looking for specific versions of the firmware:

Reply #396 has a copy of 1.1.2.3
Reply #445 has a copy of 1.1.2.4
Reply #386 has a modified copy of 1.1.2.3 that you can apparently downgrade to from 1.1.2.4
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on December 31, 2018, 06:40:20 pm
New bug found, signal generator frequency rounding off error. It causes non-synchronous between two channels.

For example, you can't output 1MHz and 12MHz by this scope and get a stable display on a scope, because the frequency of "12MHz output" / 12 does not exactly equal "1MHz output", in some scenario it will cause low-frequency oscillation.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 12:01:00 am
Happy New Year all,

and with the new year I present to you the GEL unpacker and firmware analysis repo :)

https://gitlab.com/riglol/rigolee
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 12:23:27 am
Nice work Oliver.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 01, 2019, 03:44:00 pm
@Oliv3r, thanks for the qspi push, but could you fix the missing / at col2 line 1 in qspi_unpack.sh and remove the -eu also?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 07:00:52 pm
Has anyone done a bandwidth sweep with -fullopt and -ds8000 simultaneously?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 07:07:07 pm
Has anyone done a bandwidth sweep with -fullopt and -ds8000 simultaneously?

What are you thinking might happen?     I need some high speed signal generators it seems.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 07:10:46 pm
I need some high speed signal generators it seems.

Precisely that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 07:44:04 pm
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week, though I'll not be in the lab (picking it up in the US, on my way home).
Can we restore the scope if we brick it yet?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 07:58:48 pm
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week, though I'll not be in the lab (picking it up in the US, on my way home).
Can we restore the scope if we brick it yet?

You have to do it with uboot, via serial port (requires open the box). Or JTAG...

First thing is do a NAND dump.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 08:34:29 pm
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week, though I'll not be in the lab (picking it up in the US, on my way home).
Can we restore the scope if we brick it yet?

You have to do it with uboot, via serial port (requires open the box). Or JTAG...

First thing is do a NAND dump.

I'm ok, with opening the box.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 08:59:33 pm
Anyone played around with trying to make the fullopt stuff permanent? Tried Radare2 but I am not that great with it and appEntry is huge.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 09:16:29 pm
I believe that rgwan has done this.  They have hand-edited some of the code. The function that checks for the various licenses has been modified so that it always returns true.   An old-school hack, but nonetheless very effective.

For some reason he's not wanting to share his hack.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 09:38:15 pm
That is classic binary patching, a good but complicated solution. Will it survive a firmware upgrade?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 01, 2019, 09:41:28 pm
Only a license file will survive an upgrade.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 01, 2019, 09:47:52 pm
Only a license file will survive an upgrade.

Yes, you'd need to go and 'hack' the new binaries (assuming they have changed). This is of course unverified as nobody has seen his hack yet, and they seem unwilling to share it. (I think they feel that Rigol will close the hack if they release it.) It is very hard to know who is who; part of me thinks that Rigol itself might be feeding part of the info in this thread. The change of password in the latest fw was extremely weak. There were lots of things that could have been done (and simply)... The theory that they want to be hacked has merit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 09:53:34 pm
Only a license file will survive an upgrade.

Yes, you'd need to go and 'hack' the new binaries (assuming they have changed). This is of course unverified as nobody has seen his hack yet, and they seem unwilling to share it. (I think they feel that Rigol will close the hack if they release it.) It is very hard to know who is who; part of me thinks that Rigol itself might be feeding part of the info in this thread. The change of password in the latest fw was extremely weak. There were lots of things that could have been done (and simply)... The theory that they want to be hacked has merit.

If it is what you say then the "hack" would simply be to share a patched binary. Not worth it if the "-fullopt" trick still works. If it won't survive an upgrade it's a lot of work each time + clearly needs more patching to pass the firmware upgrade unscathed. I don't blame them. I managed to find some interesting functions but a) radare2 is complicated b) I don't have the time to spelunk more :)


Perhaps more useful would be to dump the Rigol public keys.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 01, 2019, 09:57:25 pm
Only a license file will survive an upgrade.

Hm-hm....
So it needs to find someone who bought an upgrade (option bundle, bandwidth or memory) to find the differences before/after upgrading?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 01, 2019, 09:59:16 pm
The change of password in the latest fw was extremely weak.
Remember that this firmware has been created before the release of Dave’s teardown video. It was not a reaction to our hacks.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 01, 2019, 10:01:42 pm
So it needs to find someone who bought an upgrade (option bundle, bandwidth or memory) to find the differences before/after upgrading?
There are license files for the demo mode of the decoders. Location and format of the files are known.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 01, 2019, 10:05:46 pm
OK, so only the difference between demo/installed is important for a hack that could "survive" FW updates.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:09:20 pm
Just updated https://gitlab.com/riglol/rigolee but be warned, as things are being developed, they are not always tested.

SO USE WITH CAUTION AND WARNING. You break stuff, it is your own responsibility.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:19:58 pm
@Oliv3r, thanks for the qspi push, but could you fix the missing / at col2 line 1 in qspi_unpack.sh and remove the -eu also?

Sorry; fixed in both scripts :(

I tested my scripts by running them as sh -x <script> so I did miss it

Also, been on the clock really and only doing it in between jobs (vacation time is just different work :D)

As for set -eu; I'd rather not, I prefer the scripts to fail rather than burn. I am thinking of whether it's worth it to add a few tests to catch these things, but they also take .. time.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:23:36 pm
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week, though I'll not be in the lab (picking it up in the US, on my way home).
Can we restore the scope if we brick it yet?

You have to do it with uboot, via serial port (requires open the box). Or JTAG...

First thing is do a NAND dump.

The nand dump is not that important; I think we have enough to re-create it now.

What we do not have, is each users individual /rigol/data directory. I think we best create a script that backs that up.

Secondly, we do not have reliably what's in the SPI flash yet. We have 1 dump and we do not know yet how accurate or reliable it is yet.

So technically; because we have u-boot access via SPI flash we cannot brick anything that's not fixable via UART (IF we have the /rigol/data backup) and until we know what exactly lives there (MAC address for example) that we can restore otherwise (so in the case of the MAC address; DHCP server logs, sticker on the box etc). For other items that are unique to each scope (factory calibration?) we can't restore these.

TL;DR as long as we do not brick the SPI flash, we can always restore via UART.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:24:39 pm
Anyone played around with trying to make the fullopt stuff permanent? Tried Radare2 but I am not that great with it and appEntry is huge.
That's because appEntry is a statically compiled binary with everything in it; well almost everything. There's tons of XML output even compiled into the app. Crazy.

The only thing I think they are loading externally via dlopen is Qt5.5 ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 01, 2019, 10:26:08 pm
Only a license file will survive an upgrade.

Hm-hm....
So it needs to find someone who bought an upgrade ( option-bundle, bandwidth or memory) to find the differences before/after upgrading ?
That of course helps a great deal, even if indirectly. And I think it's basically files from /rigol/data ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 10:27:28 pm
Anyone played around with trying to make the fullopt stuff permanent? Tried Radare2 but I am not that great with it and appEntry is huge.
That's because appEntry is a statically compiled binary with everything in it; well almost everything. There's tons of XML output even compiled into the app. Crazy.

The only thing I think they are loading externally via dlopen is Qt5.5 ...
Yeah it has a bunch of crap in it.  Some tantalizing bits including their scpi parser as well. I think they are using ecdsa for key digests which is smart, makes the short keys make more sense.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 10:34:31 pm
A byte patching solution is the most easy and obvious one, besides the -fullopt feature.

From what I've seen it could be done in a couple of days. Easy for me to believe that rgwan & friends have done it already. Don't discredit them.

A future-proof solution can also be done, it's just a matter of tuning other factors. Probably just as easy.

Discovering how to go beyond the stated features is the hard part (hoping that the HW is able to physically handle it...)

BTW, I'm not buying the theory that Rigol is making things easy on purpose. I believe that we'll see more evidence of that in future updates. Give them time.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on January 01, 2019, 10:42:15 pm
Hah, how much time would it take to remove sshd?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sparkv on January 01, 2019, 10:44:09 pm
So it needs to find someone who bought an upgrade ( option-bundle, bandwidth or memory) to find the differences before/after upgrading ?
There are license files for the demo mode of the decoders. Location and format of the files are known.

I don't have my instrument yet (mid/late January based on what TE told me), but the DATA partition (mtd1) contains some licensing and calibration information. Someone posted a dump of their NAND partitions so I am working off of that and extracted firmware. They silence the kernel while mounting this partition so it doesn't show up in kernel logs (it is UBIFS). I guess they were going for "out of sight out of mind" approach with that and user partitions.

Code: [Select]
############################################
#Mount key data partition. cost:1s
############################################
/rigol/shell/mount_user_space.sh 0
$TOOLS/beeper

#Don't allow the kernel to output
echo 0 > /proc/sys/kernel/printk


if [ $YourInput -eq '0' ]; then
    #########################################################
    # mount data partition for Calibration and License data
    #########################################################
    mount_mtd $SPACE_DATA $SPACE_DATA $DATA_PATH "DATA"
    Result=$?
    if [ $Result -ne 0 ]; then
        if [ $Result -ne 1 ]; then
            echo 'mounting DATA partition failed'
            /rigol/tools/beeper 1
        else
            cp /rigol/default/*  $DATA_PATH
        fi
    fi
fi

The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to it seems based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seem to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

Did anyone try dumping the core to obtain memory dump of appEntry? If busybox was modified to disallow core dumps, there is a version for ARMv7 that is used for Siglent scopes (Zynq platform) that one can drop into /tmp and spawn from there. Should be fairly straightforward. Assuming busybox wasn't modified to disallow the core dumps:
Code: [Select]
cd /tmp
ps -ef | grep appEntry
ulimit -c unlimited
kill -ABRT <appEntry PID>
Core should be dumped and can be copied over to USB jumpdrive for analysis on PC. I'd try this myself if my scope was here.

Another option is to tap into AXI and see if DRAM can be read directly if the full DRAM dump is desired. Their AXI driver API seems fairly simple.

Been lurking around the forums and reading for a long time now, figured I'd register and see if I can contribute to hacking this thing, so Hello is in order.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 10:48:13 pm
Hah, how much time would it take to remove sshd?

"Roads? Where we're going, we don't need roads."

They can't take away the sshd from the .GEL that I have! And, there are other ways...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 01, 2019, 10:56:11 pm
The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to it seems based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seem to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

The .hex files have simple CRC32 protecting them but, of course, are of no use.

The key.dat has an ECC Curve + PubKey inside. It's XXTEA encrypted.
The sysvendor.bin is also XXTEA encrypted with another key. Contains info about the scope inside (SN, MAC, etc)

The LICs are related to the key in key.dat.

In hash terms I see evidence only of SHA256 use but may be incomplete.

The memdumps from zynq are not helpful. At least, worse than I expected.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 01, 2019, 11:00:22 pm
The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to it seems based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seem to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

The .hex files have simple CRC32 protecting them but, of course, are of no use.

The key.dat has an ECC Curve + PubKey inside. It's XXTEA encrypted.
The sysvendor.bin is also XXTEA encrypted with another key. Contains info about the scope inside (SN, MAC, etc)

The LICs are related to the key in key.dat.

In hash terms I see evidence only of SHA256 use but may be incomplete.

The memdumps from zynq are not helpful. At least, worse than I expected.

Yes they finally wised up and just have signed licenses -- however:

1. replace pub key with own pubkey
2. sign own license
3. ? ? ? ?
4. profit

:)


A byte patching solution is the most easy and obvious one, besides the -fullopt feature.

From what I've seen it could be done in a couple of days. Easy for me to believe that rgwan & friends have done it already. Don't discredit them.

A future-proof solution can also be done, it's just a matter of tuning other factors. Probably just as easy.

Discovering how to go beyond the stated features is the hard part (hoping that the HW is able to physically handle it...)

BTW, I'm not buying the theory that Rigol is making things easy on purpose. I believe that we'll see more evidence of that in future updates. Give them time.

Yes someone who is competent like rgwan could easily do it--he posted IDA screenshots so he has the right tools. Not all that different from changing the startup shell script to pass "-fullopt" -- both basically bytepatching ;)

Anyway, my scope is going to take a month to arrive (according to Tequipment) so I have plenty of time to try exploring.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 01:29:21 am
Well, has anyone noticed that CH1 and CH3 have overshoot when measuring the calibration square wave? And you can't remove it by adjusting the probe.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 01:37:04 am
Btw, we already have our license generator, but patching the application is necessary; at least, this application will send a report containing the SN and license state to the Rigol server on power up. If you want to keep your scope on the Internet, you have to patch it, otherwise you may lose your warranty.

So, we're waiting for new firmware. When it is ready, we will be ready to release.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 02, 2019, 03:29:06 am
Btw, we already have our license generator, but patching the application is necessary; at least, this application will send a report containing the SN and license state to the Rigol server on power up. If you want to keep your scope on the Internet, you have to patch it, otherwise you may lose your warranty.

So, we're waiting for new firmware. When it is ready, we will be ready to release.

Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on January 02, 2019, 09:16:10 am
Well, has anyone noticed that CH1 and CH3 have overshoot when measuring the calibration square wave? And you can't remove it by adjusting the probe.

Sorry but I cannot confirm this.
If you want to see something funny, try this:
Connect generator 1 to CH1, enable and change to square. Manually enter 999kHz as frequency then observe the waveform change when increasing to 1MHz.
Not worth 269$.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 02, 2019, 09:36:15 am
Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
It would be impressive if it was verified.  What is impressive is oliver's repo, and tv84's information. This is the internet, been around way too long and am probably very cynical, but seen lots of claims of things, and have learned until you can actually verify things, you can't put much weight on them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 02, 2019, 09:47:33 am
Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
It would be impressive if it was verified.  What is impressive is oliver's repo, and tv84's information. This is the internet, been around way too long and am probably very cynical, but seen lots of claims of things, and have learned until you can actually verify things, you can't put much weight on them.
Thanks :) Just dropping another note here however, it is all WiP and any damages to your scope are not my responsibility nor fault. Can't iterate this often enough, as I have not tested everything very well yet (the scripts on the scope) as I do not have one yet :)

What I really want at some point however (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect to :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 02, 2019, 10:01:26 am
What I really want at some point however (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect to :p

This might be a job for an Xray inspection?   Not sure how many layers the PCB is of course.. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 02, 2019, 10:12:15 am
If you want to see something funny, try this:
Connect generator 1 to CH1, enable and change to square. Manually enter 999kHz as frequency then observe the waveform change when increasing to 1MHz.
Not worth 269$.

Interesting watch.... changed the frequency halfway through and some nasty jitter disappeared
https://www.dropbox.com/s/93mhrk51i9q0ubh/IMG_7637.MOV?dl=0
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 10:56:57 am
We should start a new thread for those numerous bugs.

I have quite a few:
- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

and some severe ones
- CH1, probe to ground: never read 0V, but depends on vertical scale:
acquisition Normal
  10V  ~10V
   5V   ~ 8V
   2V   ~ 5V
   1V   ~ 1V
500mV ~ 1.3V
200mV ~ 280mV
100mV ~ 320mV
 50mV  ~ -20mV
 20mV  ~ 4mV
 10mV  ~ 12mV
  5mV   ~ 15mV
  2mV   ~ out of scale
  1mV   ~ out of scale

- CH1: the thickness of the trace is almost 1 scale large
  CH1+CH2: the thickness is divided by 2
that's almost impossible to read a value.

And I have a lot more.  :-BROKE
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on January 02, 2019, 11:10:35 am

- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

- CH1, probe to ground: never read 0V, but depends on vertical scale:


Generator Knob behaves like this only when decreasing from like 1MHz to sub 1MHz (or 1kHz to Hz).
This is because the increments above 1MHz are in 10kHz steps and the first decrement therefore is as well. If you are then in the kHz-range the decrements are 1kHz. I don't think this is a bug.

For your CH1 problem, this does not happen on my scope, probe to GND always reads 0V (more or less).

Also you have to adjust the scale of the math channel, this normally would be the larger scale setting of the two channels (when operation A+B is chosen).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 02, 2019, 12:14:49 pm
What I really want at some point however (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect to :p

This might be a job for an Xray inspection?   Not sure how many layers the PCB is of course..
Well it's worth a try sure; but it's a 4 or probably 6 layer board, with chips on top. So it can give you an indication, very roughly. Best way is to just sand the PCB down layer for layer and scan the PCB.

But first a scope needs to break  >:D  or we raid the PCB factory's trash-bin where they dump broken PCB's  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TurboTom on January 02, 2019, 12:37:28 pm
Well it's worth a try sure; but it's a 4 or probably 6 layer board, with chips on top. So it can give you an indication, very roughly. Best way is to just sand the PCB down layer for layer and scan the PCB.

But first a scope needs to break  >:D  or we raid the PCB factory's trash-bin where they dump broken PCB's  :-DD

Access to an industrial X-ray tomography machine anyone? That should do the trick non-destructively.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 01:04:30 pm

- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

- CH1, probe to ground: never read 0V, but depends on vertical scale:


Generator Knob behaves like this only when decreasing from like 1MHz to sub 1MHz (or 1kHz to Hz).
This is because the increments above 1MHz are in 10kHz steps and the first decrement therefore is as well. If you are then in the kHz-range the decrements are 1kHz. I don't think this is a bug.

For your CH1 problem, this does not happen on my scope, probe to GND always reads 0V (more or less).

Also you have to adjust the scale of the math channel, this normally would be the larger scale setting of the two channels (when operation A+B is chosen).

I took my old trusted DS1052E, connected MSO5.CH1 to DS1052E.TestSignal:
 (RigolDS1.png)
1V offset from ground.
(exact same behaviour as the MSO5.TestSignal)

I then plugged DS1052E.CH1 to MSO5.TestSignal:
 (NewFile0.bmp)
The test signal is perfect, ground aligned.

When I unplug every channel on the MSO, no one goes to gnd.
 (RigolDS0.png)

And with the math(A+B), it just confirms the numbers, the crap B is reading.
 (rigolDS2.png)

I really don't understand what's going on, bad scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on January 02, 2019, 01:09:10 pm
Did you use the same probe in both scopes?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 01:13:05 pm
yes, even swapped all probes (2x100MHz, 4x350MHz), always the same result.

[edit] I'm now running the self cal procedure (manual didn't ask that, but meh, let's see)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on January 02, 2019, 01:23:05 pm
I'm now running the self cal procedure
Please record how long it takes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 01:49:37 pm
Much better after a self cal.

All channels properly aligned on gnd now.

It took almost one hour.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 02:03:49 pm
That's pretty embarrassing, self-cal won't work, it still produces that overshoot when measuring the 1kHz square wave signal. It's not only my scope like that; we have about four scopes with the same problem, and these 4 scopes include one that is currently not patched. The unpatched scope has the same behavior.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 02, 2019, 02:21:51 pm
Are you using the probe in x1 or x10 config? I can see a little overshoot in x1 mode but it can be perfectly flattened in x10.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on January 02, 2019, 02:38:16 pm
That's pretty embarrassing, self-cal won't work
Have you disconnected all probes from the inputs before running self-cal?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 02:55:02 pm
I disconnected all input, absolutely.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 02, 2019, 02:57:11 pm
There is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on January 02, 2019, 03:19:08 pm
And now, average(64) + fine + aliasing does something : a very fine trace (1px). To All: Do run a self cal.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Vtech on January 02, 2019, 04:38:55 pm
Coming back to the logic probe pod, I've created separate thread with teardown photos of RPL1116 pod for MSO1000Z series. It seems to be very similar to PLA2216  for MSO5000.
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2085451/#msg2085451

Not too difficult to replicate.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 02, 2019, 04:55:42 pm
TopLoser is playing with Photoshop...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 02, 2019, 04:58:58 pm
We should start a new thread for those numerous bugs.

So we did.  Here you go.  Bugs away!

https://www.eevblog.com/forum/testgear/rigol-5000-bugs/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 02, 2019, 05:10:11 pm
TopLoser is playing with Photoshop...

That's a 4 or 6 layer board with the big heatsink still attached to the zynq.

Just for laughs I stitched 9 images together, some detail gets lost where they overlap, but it's better than nothing.

https://www.dropbox.com/s/aq11wb21pueidod/MSO5074%20big%20xray.zip?dl=0
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 02, 2019, 06:32:27 pm
Coming back to the logic probe pod, I've created separate thread with teardown photos of RPL1116 pod for MSO1000Z series. It seems to be very similar to PLA2216  for MSO5000.
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2085451/#msg2085451

Not too difficult to replicate.
Considering they also use the LMH7322 I think they are identical (in the schematic form) on page 6? TopLoser took some xray photos. But yes, let's keep the conversation focused in your thread instead.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 02, 2019, 06:33:41 pm
We should start a new thread for those numerous bugs.

So we did.  Here you go.  Bugs away!

https://www.eevblog.com/forum/testgear/rigol-5000-bugs/
awesome great idea; we can talk about hacking here then :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 02, 2019, 06:48:48 pm
"Offtopic", last time...we should use the existing threads for it indeed...

And now, average(64) + fine + aliasing does something : a very fine trace (1px). To All: Do run a self cal.

Instead of using averaging, you could decrease the memory depth to make the trace thinner.
See also Dave's video why digital scopes appear noisy (https://www.youtube.com/watch?v=Znwp0pK8Tzk&t=758s)

Quote
There is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.

Although I don´t have the issue with my 5074, it sounds like a mismatch problem - we bought a couple of probes cause the originals were mostly "vanished"...
On some scopes there was no problem to adjust them.
Other scopes showed exactly your problem - we couldn´t compensate the overshoots completely, it´s a matter of the input capacity.
Only with their original probes everything was fine.
Either the input capacity on your rigol was different (tolerance) or the probes are defective.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on January 02, 2019, 09:32:18 pm

Quote
There is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.

Although I don´t have the issue with my 5074, it sounds like a mismatch problem - we bought a couple of probes cause the originals were mostly "vanished"...
On some scopes there was no problem to adjust them.
Other scopes showed exactly your problem - we couldn´t compensate the overshoots completely, it´s a matter of the input capacity.
Only with their original probes everything was fine.
Either the input capacity on your rigol was different (tolerance) or the probes are defective.

A little to my dismay, I found the same result on the MSO7k we have at work. Tried different probes with slightly different loading, square waves from a few different sources. Same exact overshoot in every case at 1kHz, which seemed a bit odd :/
I'll try the other 7k in the office that came in from the same batch tomorrow as well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 02, 2019, 09:36:15 pm
Quote
Same exact overshoot in every case at 1kHz

Oh.... :(

Only at 1kHz ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 03, 2019, 05:47:38 am
We should start a new thread for those numerous bugs.

So we did.  Here you go.  Bugs away!

https://www.eevblog.com/forum/testgear/rigol-5000-bugs/

Is there really any point at this stage? It will be 100% noise until there's been a firmware update or two.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nctnico on January 03, 2019, 07:50:00 am

Quote
There is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.

Although I don´t have the issue with my 5074, it sounds like a mismatch problem - we bought a couple of probes cause the originals were mostly "vanished"...
On some scopes there was no problem to adjust them.
Other scopes showed exactly your problem - we couldn´t compensate the overshoots completely, it´s a matter of the input capacity.
Only with their original probes everything was fine.
Either the input capacity on your rigol was different (tolerance) or the probes are defective.
A little to my dismay, I found the same result on the MSO7k we have at work. Tried different probes with slightly different loading, square waves from a few different sources. Same exact overshoot in every case at 1kHz, which seemed a bit odd :/
I'll try the other 7k in the office that came in from the same batch tomorrow as well.
The overshoot is likely due to a factory adjustment of the input circuit. Is there some way to run a self-calibration or adjustment procedure? I don't recall whether there is a trim capacitor in the input circuit or not.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: knotapun on January 03, 2019, 02:56:23 pm
I'm curious, it's been mentioned that the serial number and keys are stored in a location that is not overwritten when the firmware is updated, doesn't that mean that you can just copy a real licence over as long as you copy the serial number along with it?

After reading the whole thread of comments, I'm under the impression that it's entirely possible to do so.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 03, 2019, 09:17:04 pm
From what I understand the license file is encrypted. It is highly probable that it requires the key that is hardware coded into the Zynq. Copying another licence file won't help you in this case.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on January 03, 2019, 11:18:04 pm

The overshoot is likely due to a factory adjustment of the input circuit. Is there some way to run a self-calibration or adjustment procedure? I don't recall whether there is a trim capacitor in the input circuit or not.

Tried it at a few other Hz today, ran the self cal as well. Still present. Solid 500mV over/undershoot on a 10v square. Looked about a 25uS RC constant around 63% of the way down from the spike. First time I saw it I thought it was the sig gen, but realized this was at 200uS/div....

No go on checking the other 7k. Was being used to debug some SPI to TFT screen stuff (which it does rather well).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 04, 2019, 10:11:31 am
Gentlemen,

Is it so difficult to take all this OT to another thread?   >:(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 04, 2019, 02:57:16 pm
Gentlemen,

Is it so difficult to take all this OT to another thread?   >:(

Like

https://www.eevblog.com/forum/testgear/rigol-5000-bugs
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sparkv on January 04, 2019, 11:42:11 pm
So the image can boot on Xilinx QEMU it seems, and gets pretty far. I expected it to kernel panic early on, but it doesn't. I haven't gotten it to a point where it starts the appEntry, but it gets to a point where it's trying to mount UBIFS partitions and fails because I haven't provided the emulator with NAND image/options. Won't have my scope for another 2-3 weeks probably according to TE, but if it's possible to get some of it running on QEMU to "debug" and test, I'll take it  :-DD

Another problem is probably lack of certain devices (it just complains but proceeds with boot). I'm using BSP provided by Xilinx and not creating custom hardware definition. I might do that tonight/over the weekend just to speed up the boot.

If it can boot on QEMU and run appEntry that will make RE a whole lot easier, at least until I get the real hardware. But even then, having no fear of bricking/destroying instrument while testing stuff will make some things easier. I'll share steps once I have things working in a stable manner.

Code: [Select]
qemu-system-aarch64: -serial mon:pty: char device redirected to /dev/pts/19 (label serial0-base)
qemu-system-aarch64: -serial mon:pty: char device redirected to /dev/pts/20 (label serial2-base)
qemu-system-aarch64: warning: nic ethernet@e000c000 has no peer
rom: requested regions overlap (rom bootloader. free=0x000000000000ed70, addr=0x0000000000000000)


U-Boot 2018.01 (Jan 04 2019 - 11:47:57 -0800) Xilinx Zynq ZC702

Model: Zynq ZC702 Development Board
Board: Xilinx Zynq
Silicon: v0.0
I2C:   ready
DRAM:  ECC disabled 1 GiB
MMC:   Card did not respond to voltage select!
mmc_init: -95, time 12
sdhci@e0100000 - probe failed: -95
Card did not respond to voltage select!
mmc_init: -95, time 11

SF: Detected n25q512 with page size 256 Bytes, erase size 4 KiB, total 64 MiB
*** Warning - bad CRC, using default environment

In:    serial@e0001000
Out:   serial@e0001000
Err:   serial@e0001000
Model: Zynq ZC702 Development Board
Board: Xilinx Zynq
Silicon: v0.0
Net:   ZYNQ GEM: e000b000, phyaddr 7, interface rgmii-id
eth0: ethernet@e000b000
U-BOOT for xilinx-zc702-2018_2

BOOTP broadcast 1
DHCP client bound to address 192.168.76.9 (2 ms)
Hit any key to stop autoboot:  0
Zynq> tftpboot 0x03000000 image.ub
Using ethernet@e000b000 device
TFTP from server 10.5.3.218; our IP address is 192.168.76.9; sending through gateway 192.168.76.2
Filename 'image.ub'.
Load address: 0x3000000
Loading: #################################################################
###########
15 MiB/s
done
Bytes transferred = 33554432 (2000000 hex)
Zynq> printenv baudrate
baudrate=115200
Zynq> bootm
## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
     Description:  Kerstrel Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x030000f8
     Data Size:    3302448 Bytes = 3.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00100000
     Entry Point:  0x00100000
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK
## Loading ramdisk from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  kerstrel-Update-Ramdisk
     Type:         RAMDisk Image
     Compression:  gzip compressed
     Data Start:   0x03328c5c
     Data Size:    10901113 Bytes = 10.4 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    sha1
     Hash value:   55bdcbebccba845da403130143793ee0135e53a1
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x0332661c
     Data Size:    9597 Bytes = 9.4 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   da2d17ba0d5a71b5897deec4cb026014f3132185
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x332661c
   Loading Kernel Image ... OK
   Loading Ramdisk to 0759a000, end 07fff679 ... OK
   Loading Device Tree to 07594000, end 0759957c ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 3.12.0-xilinx (rigolee@Jim) (gcc version 4.8.1 (Sourcery CodeBench Lite 2013.11-53) ) #43 SMP PREEMPT Sat Jul 28 12:14:01 CST 2018
CPU: ARMv7 Processor [410fc090] revision 0 (ARMv7), cr=10c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: Xilinx Zynq Platform, model: Xilinx Zynq
Memory policy: Data cache writealloc
PERCPU: Embedded 8 pages/cpu @c0e74000 s8384 r8192 d16192 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 260624
Kernel command line: console=ttyPS0,115200 no_console_suspend, root=/dev/ram rw
PID hash table entries: 4096 (order: 2, 16384 bytes)
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Memory: 1022228K/1048576K available (4197K kernel code, 255K rwdata, 1716K rodata, 176K init, 179K bss, 26348K reserved, 270336K highmem)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xf0000000 - 0xff000000   ( 240 MB)
    lowmem  : 0xc0000000 - 0xef800000   ( 760 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc05ce880   (5915 kB)
      .init : 0xc05cf000 - 0xc05fb0c0   ( 177 kB)
      .data : 0xc05fc000 - 0xc063bd78   ( 256 kB)
       .bss : 0xc063bd84 - 0xc06689a4   ( 180 kB)
Preemptible hierarchical RCU implementation.
        Dump stacks of tasks blocking RCU-preempt GP.
        RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
NR_IRQS:16 nr_irqs:16 16
ps7-slcr mapped to f0004000
Zynq clock init
sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
Console: colour dummy device 80x30
Calibrating delay loop... 1454.89 BogoMIPS (lpj=7274496)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0xc03fa6b8 - 0xc03fa710
L2x0 series cache controller enabled
l2x0: 8 ways, CACHE_ID 0x00000000, AUX_CTRL 0x00000000, Cache size: 512 kB
CPU1: Booted secondary processor
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 0
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
gpio->base_addr is:0xf0050000
The gpio irq num is:52
zynq_gpio e000a000.ps7-gpio: gpio at 0xe000a000 mapped to 0xf0050000
hw-breakpoint: debug architecture 0x4 unsupported.
zynq_ocm f800c000.ps7-ocmc: ZYNQ OCM pool: 256 KiB @ 0xf0080000
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
NET: Registered protocol family 2
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 4, 65536 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
TCP: reno registered
UDP hash table entries: 512 (order: 2, 16384 bytes)
UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 10644K (c759a000 - c7fff000)
hw perfevents: enabled with ARMv7 Cortex-A9 PMU driver, 1 counters available
Boot process: fb dev not inited, boot process not start!
bounce pool size: 64 pages
NTFS driver 2.1.30 [Flags: R/W].
msgmni has been set to 1489
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
bg request_mem_region failed!
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at arch/arm/mm/ioremap.c:301 __arm_ioremap_pfn_caller+0xfc/0x17c()
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.12.0-xilinx #43
[<c0015074>] (unwind_backtrace+0x0/0x11c) from [<c0011568>] (show_stack+0x10/0x14)
[<c0011568>] (show_stack+0x10/0x14) from [<c03f5c08>] (dump_stack+0x8c/0xd4)
[<c03f5c08>] (dump_stack+0x8c/0xd4) from [<c00218a4>] (warn_slowpath_common+0x60/0x84)
[<c00218a4>] (warn_slowpath_common+0x60/0x84) from [<c0021958>] (warn_slowpath_null+0x18/0x20)
[<c0021958>] (warn_slowpath_null+0x18/0x20) from [<c001a484>] (__arm_ioremap_pfn_caller+0xfc/0x17c)
[<c001a484>] (__arm_ioremap_pfn_caller+0xfc/0x17c) from [<c001a550>] (__arm_ioremap_caller+0x4c/0x54)
[<c001a550>] (__arm_ioremap_caller+0x4c/0x54) from [<c001a25c>] (__arm_ioremap+0x14/0x1c)
[<c001a25c>] (__arm_ioremap+0x14/0x1c) from [<c02321b0>] (xilinxfb_of_probe+0x74/0x3d8)
[<c02321b0>] (xilinxfb_of_probe+0x74/0x3d8) from [<c02684a0>] (platform_drv_probe+0x14/0x18)
[<c02684a0>] (platform_drv_probe+0x14/0x18) from [<c0267208>] (driver_probe_device+0x11c/0x324)
[<c0267208>] (driver_probe_device+0x11c/0x324) from [<c02674bc>] (__driver_attach+0x68/0x8c)
[<c02674bc>] (__driver_attach+0x68/0x8c) from [<c02656a8>] (bus_for_each_dev+0x70/0x84)
[<c02656a8>] (bus_for_each_dev+0x70/0x84) from [<c02667f0>] (bus_add_driver+0xfc/0x268)
[<c02667f0>] (bus_add_driver+0xfc/0x268) from [<c0267ab8>] (driver_register+0x9c/0xe0)
[<c0267ab8>] (driver_register+0x9c/0xe0) from [<c00087ac>] (do_one_initcall+0xb8/0x15c)
[<c00087ac>] (do_one_initcall+0xb8/0x15c) from [<c05cfb9c>] (kernel_init_freeable+0x108/0x1cc)
[<c05cfb9c>] (kernel_init_freeable+0x108/0x1cc) from [<c03f1e50>] (kernel_init+0x8/0xe4)
[<c03f1e50>] (kernel_init+0x8/0xe4) from [<c000e5b8>] (ret_from_fork+0x14/0x3c)
---[ end trace ca10809752213256 ]---
DPU:Map vRam to 0x0
DPU:Map iReg to 0xf0200000
DPU:Ver=0x0
Could not allocate frame buffer memory
devDPU: probe of 40000000.ps7-fb failed with error -12
dma-pl330 f8003000.ps7-dma: unable to set the seg size
dma-pl330 f8003000.ps7-dma: Loaded driver for PL330 DMAC-2364208
dma-pl330 f8003000.ps7-dma:     DBUFF-256x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
e0000000.serial: ttyPS0 at MMIO 0xe0000000 (irq = 59, base_baud = 992063) is a xuartps
console [ttyPS0] enabled
xuartps e0001000.serial: failed to get alias id, errno -19
e0001000.serial: ttyPS1 at MMIO 0xe0001000 (irq = 82, base_baud = 992063) is a xuartps
brd: module loaded
loop: module loaded
xspips e0006000.ps7-spi: master is unqueued, this is deprecated
xspips e0006000.ps7-spi: at 0xE0006000 mapped to 0xF005A000, irq=58
libphy: XEMACPS mii bus: probed
xemacps e000b000.ps7-ethernet: pdev->id -1, baseaddr 0xe000b000, irq 54
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ULPI transceiver vendor/product ID 0x0000/0x0000
ULPI integrity check: failed!
xusbps-dr e0002000.ps7-usb: Unable to init USB phy, missing?
ULPI transceiver vendor/product ID 0x0000/0x0000
ULPI integrity check: failed!
xusbps-dr e0003000.ps7-usb: Unable to init USB phy, missing?
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-rx8010sj 0-0032: Unable to write register #23
i2c i2c-0: probing for rx8010 failed
rtc-rx8010sj: probe of 0-0032 failed with error -110
Retry another address of GTP
input: Goodix-TS as /devices/virtual/input/input0
xi2cps e0004000.ps7-i2c: 90 kHz mmio e0004000 irq 57
zynq-edac f8006000.ps7-ddrc: ecc not enabled
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
NAND device: Manufacturer ID: 0x20, Chip ID: 0xaa (ST Micro NAND 256MiB 1,8V 8-bit), 256MiB, page size: 2048, OOB size: 64
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
Bad block table not found for chip 0
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
pl353_nand_calculate_hwecc status failed
Bad block table not found for chip 0
Scanning device for bad blocks
pl353_nand_calculate_hwecc status failed
Bad block table written to 0x00000ffe0000, version 0x01
pl353_nand_calculate_hwecc status failed
Bad block table written to 0x00000ffc0000, version 0x01
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
mtd: partition "Sys2" extends beyond the end of device "pl353-nand" -- size truncated to 0x1f00000
0x000010100000-0x000016500000 : "App2"
mtd: partition "App2" is out of reach -- disabled
0x000016500000-0x00001a800000 : "Reserved"
mtd: partition "Reserved" is out of reach -- disabled
0x00001a800000-0x000040000000 : "User"
mtd: partition "User" is out of reach -- disabled
TCP: cubic registered
NET: Registered protocol family 17
Registering SWP/SWPB emulation handler
drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 176K (c05cf000 - c05fb000)
Starting rcS...
++ Mounting filesystem
++ Setting up mdev
++ Starting ftp daemon
rcS Complete
pl353_nand_calculate_hwecc status failed

<snip>

Segmentation fault
mount: mounting /dev/ubi6_0 on /rigol failed: Invalid argument
**********Mount App partition failed.Check Nandflash********
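
Added example (not part of the original post, and not code from the poster or from Rigol): a small parser for the NAND probe line and MTD partition lines in the log above. It reports which partitions the emulated 256MiB device can actually hold and how large the emulated NAND would need to be to reach all 13. The function names are illustrative; the log lines are copied from the post.

```python
import re

# Lines copied from the kernel log in the post above (NAND probe + MTD layout).
BOOT_LOG = """\
NAND device: Manufacturer ID: 0x20, Chip ID: 0xaa (ST Micro NAND 256MiB 1,8V 8-bit), 256MiB, page size: 2048, OOB size: 64
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
mtd: partition "Sys2" extends beyond the end of device "pl353-nand" -- size truncated to 0x1f00000
0x000010100000-0x000016500000 : "App2"
mtd: partition "App2" is out of reach -- disabled
0x000016500000-0x00001a800000 : "Reserved"
mtd: partition "Reserved" is out of reach -- disabled
0x00001a800000-0x000040000000 : "User"
mtd: partition "User" is out of reach -- disabled
"""

NAND_RE = re.compile(
    r"^NAND device: .*?, (\d+)MiB, page size: (\d+), OOB size: (\d+)$", re.M)
PART_RE = re.compile(r'^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"$', re.M)
MIB = 1024 * 1024


def parse_layout(log):
    """Return (device_size_bytes, [(name, start, end), ...]) from a boot log."""
    nand = NAND_RE.search(log)
    if nand is None:
        raise ValueError("no 'NAND device:' line found")
    parts = [(name, int(start, 16), int(end, 16))
             for start, end, name in PART_RE.findall(log)]
    if not parts:
        raise ValueError("no MTD partition lines found")
    return int(nand.group(1)) * MIB, parts


def classify(parts, device_size):
    """Map partition name -> (status, usable_bytes) for a given device size."""
    result = {}
    for name, start, end in parts:
        if start >= device_size:
            result[name] = ("out of reach", 0)
        elif end > device_size:
            result[name] = ("truncated", device_size - start)
        else:
            result[name] = ("ok", end - start)
    return result


def required_size(parts):
    """Smallest device size (bytes) that contains every partition."""
    return max(end for _name, _start, end in parts)


def gaps(parts):
    """Address ranges not covered by any partition, as (start, end) pairs."""
    found, cursor = [], 0
    for _name, start, end in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            found.append((cursor, start))
        cursor = max(cursor, end)
    return found


if __name__ == "__main__":
    size, parts = parse_layout(BOOT_LOG)
    print(f"emulated NAND: {size // MIB} MiB, "
          f"layout needs: {required_size(parts) // MIB} MiB")
    for name, (status, usable) in classify(parts, size).items():
        print(f"  {name:<9} {status:<13} usable=0x{usable:x}")
    for start, end in gaps(parts):
        print(f"  unallocated 0x{start:x}-0x{end:x}")
```

Run against this log it reproduces the kernel's own messages (Sys2 truncated to 0x1f00000; App2, Reserved and User out of reach) and shows that the partition table spans 1024 MiB.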



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: wulfman on January 05, 2019, 03:08:19 pm
Scope arrived yesterday.  :)  old version of firmware installed but calibrated at the end of December. Seems that everything works as expected.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Swap_File on January 05, 2019, 05:28:16 pm
Scope arrived yesterday.  :)  old version of firmware installed but calibrated at the end of December. Seems that everything works as expected.

Same here, arrived from tequipment yesterday, currently on 1.1.2.3.  For now I'm keeping the scope on an isolated network, I let it warm up, ran a self cal, looked at some signals, and now am starting to poke around in it. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dren.dk on January 05, 2019, 07:03:40 pm
Does anybody know where the scope stores configuration settings?

I've tried altering stuff like the email configuration and then looked for modified files using: find / -type f -mmin -1 but I did not find any files with interesting content, so it seems there's no simple config file that stores the settings.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skip on January 06, 2019, 12:44:26 am
Scope arrived yesterday.  :)  old version of firmware installed but calibrated at the end of December. Seems that everything works as expected.

Likewise here. 

Neither the probe calibration signal nor a 1 kHz signal from the function generator (after "hacking" it of course) results in a stable waveform, there's lots of jitter!  This is a bit worrisome, is that expected?

I've been sniffing my scope on an isolated network for 3 hours now and so far the only network traffic was the initial DHCP address assignment.  If it's phoning home it's not doing it very aggressively.

Skip

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Swap_File on January 06, 2019, 01:28:42 am
Seems to be working OK for me, but maybe I haven't tried anything advanced enough yet?  Right now I'm mostly waiting a day for the trial clock to run down.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 06, 2019, 07:32:30 pm
When I tried to get http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx (http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx) from my browser I got a "Something went wrong."
I've tried it with 3 different serial numbers and it always starts to download the firmware GEL.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skip on January 06, 2019, 07:50:02 pm
When I tried to get http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx (http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx) from my browser I got a "Something went wrong."
I've tried it with 3 different serial numbers and it always starts to download the firmware GEL.

That's interesting.  I guess I spoofed myself!  I cleared my DNS cache and then I was able to download it once.  Trying again with a bogus SN failed and then I went back to my real SN and it failed again.  I tried clearing my DNS cache again and it didn't help.  Weird.

Did you try a bogus serial number?

Skip
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skip on January 06, 2019, 07:54:06 pm
On topic first:

I've set up a DNS spoofer and captured what happens when I try to do an "online upgrade".  After a DNS lookup of www.rigol.com (http://www.rigol.com) the scope does a regular http (not https) get of "/Support/ProductUpgradeFile?sn=MS5xxxxxxxxxx&hardware=1.0&behaviour=soft&software=00.01.01.02.03 HTTP/1.1". 

This returns an xml file that looks like this:
<?xml version="1.0" encoding="utf-8"?>
<meta>
  <firmware>
    <series>MSO5000</series>
    <version>00.01.01.02.03</version>
    <url>http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx</url>
    <comment_cn>2.3????</comment_cn>
    <comment_en>2.3formalverison</comment_en>
    <filesize>66.78MB</filesize>
  </firmware>
</meta>

When I tried to get http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx (http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx) from my browser I got a "Something went wrong.
The page you requested does not exist, or the page has an error" error in Chinese.

Now offtopic:

The jitter is most apparent when you set the memory depth to 1k, you can just see it at 10k and it goes away at longer memory settings.  A screen shot is attached... (or inline??  How do you insert inline if this doesn't work??)

Skip
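
Added example (not part of the original post, and not Rigol's code): a transport-level audit of the update check captured above, using the request line and XML exactly as posted (serial masked as in the post). It lists what a passive observer on the network learns from the query string and what the manifest itself offers for checking the download. The set of integrity tag names, the finding labels and the HARDENED manifest are assumptions made for illustration; the GEL package may carry its own checks that this manifest-level audit cannot see.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Request line and response body as captured in the post above.
REQUEST_LINE = ("GET /Support/ProductUpgradeFile?sn=MS5xxxxxxxxxx&hardware=1.0"
                "&behaviour=soft&software=00.01.01.02.03 HTTP/1.1")
MANIFEST = """\
<?xml version="1.0" encoding="utf-8"?>
<meta>
  <firmware>
    <series>MSO5000</series>
    <version>00.01.01.02.03</version>
    <url>http://www.rigol.com/Support/ProductUpgradePackage?sn=MS5xxxxxxxxxx</url>
    <comment_cn>2.3????</comment_cn>
    <comment_en>2.3formalverison</comment_en>
    <filesize>66.78MB</filesize>
  </firmware>
</meta>
"""

# Constructed comparison manifest (hypothetical host, tag name and digest).
HARDENED = """\
<?xml version="1.0" encoding="utf-8"?>
<meta>
  <firmware>
    <series>MSO5000</series>
    <version>00.01.01.02.03</version>
    <url>https://updates.example.invalid/fw.GEL</url>
    <filesize>70023905</filesize>
    <sha256>PLACEHOLDER-DIGEST</sha256>
  </firmware>
</meta>
"""

# Assumption: element names that would indicate a manifest-level integrity value.
INTEGRITY_TAGS = {"sha256", "sha1", "md5", "hash", "checksum", "signature"}


def disclosed_fields(request_line):
    """Query parameters visible to anyone on the path when the check is plain HTTP."""
    _method, target, _version = request_line.split(" ", 2)
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


def audit_manifest(xml_text):
    """Return a list of finding labels for one update manifest."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    fw = root.find("firmware")
    if fw is None:
        return ["no-firmware-element"]
    findings = []
    url = (fw.findtext("url") or "").strip()
    if urlsplit(url).scheme.lower() != "https":
        # Download location can be rewritten by whoever controls DNS or the path.
        findings.append("package-url-not-https")
    if not {child.tag.lower() for child in fw} & INTEGRITY_TAGS:
        # Nothing in the manifest lets the client check the package contents.
        findings.append("no-integrity-field")
    if not (fw.findtext("filesize") or "").strip().isdigit():
        # A rounded, human-readable size cannot be used to verify length.
        findings.append("size-not-exact-bytes")
    return findings


if __name__ == "__main__":
    print("sent in cleartext:", disclosed_fields(REQUEST_LINE))
    print("captured manifest:", audit_manifest(MANIFEST))
    print("hardened manifest:", audit_manifest(HARDENED))
```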
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on January 06, 2019, 08:01:21 pm
Did you try a bogus serial number?
I've tried some and they didn't work and lead to the error page. But I've captured an upload from the scope to the server.

http://www.rigol.com/up.aspx?act=up&filename=MS5A204700xxx.dat (http://www.rigol.com/up.aspx?act=up&filename=MS5A204700xxx.dat)

The "file" contained the scope's type and the current firmware, nothing else. Maybe it needs to register itself before it can download a firmware? I didn't have the time to repeat the tests to see if these uploads happen regularly.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FriedMule on January 07, 2019, 12:30:14 am
So if I bought a rigol mso5000 in next week, can it then be hacked?
Sorry I am asking, it's because I am a noob and all those 22 pages of information and comments confuse me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 07, 2019, 12:32:48 am
So if I bought a rigol mso5000 in next week, can it then be hacked?
Sorry I am asking, it's because I am a noob and all those 22 pages of information and comments confuse me.

Right now yes it can have all the options and 350MHz bandwidth enabled.

After the next software upgrade... who knows.

Watch this space.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FriedMule on January 07, 2019, 12:37:46 am
Thanks for your very fast answer!! :-)
Is there anything that I shall think about, except for the guaranty being void?
I mean before jumping out and buy.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 07, 2019, 12:51:23 am
Thanks for your very fast answer!! :-)
Is there anything that I shall think about, except for the guaranty being void?
I mean before jumping out and buy.

You won't void the warranty unless you do something crazy stupid.

There is the very real risk that in future software updates all the 'bonus' features will disappear. Only you can decide if you want to take that risk.

A better place to discuss this is:
https://www.eevblog.com/forum/blog/new-rigol-scope/ (https://www.eevblog.com/forum/blog/new-rigol-scope/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 07, 2019, 07:13:37 am
Does anybody know where the scope stores configuration settings?

I've tried altering stuff like the email configuration and then looked for modified files using: find / -type f -mmin -1 but I did not find any files with interesting content, so it seems there's no simple config file that stores the settings.

There are two 16 MB QSPI flashes and an 8 KB I2C FRAM EEPROM. There are likely some (unique) configuration options in one of these.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 07, 2019, 08:16:29 am


There is the very real risk that in future software updates all the 'bonus' features will disappear. Only you can decide if you want to take that risk.


For about 24-48 hours while rigolhack does its work no doubt.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 11:32:12 am
So if I bought a rigol mso5000 in next week, can it then be hacked?
Sorry I am asking, it's because I am a noob and all those 22 pages of information and comments confuse me.

Don't worry, people are still asking this about the DS1054Z.

Answer: Yes!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 11:35:33 am
There is the very real risk that in future software updates all the 'bonus' features will disappear. Only you can decide if you want to take that risk.

We now know so much about the MSO5000 that whatever Rigol does will be re-hacked in a few hours.

(and nobody is *forcing* you to install updates)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 07, 2019, 11:39:04 am
These annoying bugs will force you to install further updates.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 11:44:52 am
These annoying bugs will force you to install further updates.

The trick is not to install them two seconds after they're released.

Wait a few days until other people have done it.  :popcorn:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 07, 2019, 11:50:13 am
These annoying bugs will force you to install further updates.

Have you relocated from China to the USA rgwan?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 07, 2019, 02:11:20 pm
We now know so much about the MSO5000 that whatever Rigol does will be re-hacked in a few hours.

(and nobody is *forcing* you to install updates)

And future-proof solutions already exist...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 02:23:58 pm
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IOT malware scanners.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 07, 2019, 06:28:06 pm
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IOT malware scanners.

I had an interesting chat ( face to face ) with another eevblog member last week ( who is well known and respected ) about the entire rigol thing.     He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly. Not surprisingly, so many 'devices' these days that are network attached, are just so insecure.. The IoT will be the finish of us all!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 07, 2019, 08:04:50 pm
He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (eg. the DS1074Z Plus (https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/4303/))

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site (https://www.xilinx.com/support/documentation/application_notes/xapp1175_zynq_secure_boot.pdf).

Whatever the reasons are, it's not incompetence.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 07, 2019, 09:31:04 pm
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IOT malware scanners.

I had an interesting chat ( face to face ) with another eevblog member last week ( who is well known and respected ) about the entire rigol thing.     He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly. Not surprisingly, so many 'devices' these days that are network attached, are just so insecure.. The IoT will be the finish of us all!

I tend to agree; Though with the DS1054 and its predecessor I would have thought; maybe they did it on purpose, as it is being speculated for years now. But I have seen their firmware up close for the MSO5000 now; and what I see, makes me cry horribly.
and
He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (eg. the DS1074Z Plus (https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/4303/))

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site (https://www.xilinx.com/support/documentation/application_notes/xapp1175_zynq_secure_boot.pdf).

Whatever the reasons are, it's not incompetence.
I beg to differ.
So maybe they have a mandate to make it easily hackable. Sure, I won't deny that.

But secure-boot is hard and expensive. Getting the fuses set is something (I guess) will have to be done by xilinx in the factory, which is an extra service, not cheap.

Understanding how it all works and comes together, is also; not for the faint of heart. So if you are 'basically skilled', this will be daunting. Also, they very much likely started from a devkit (which doesn't come with the fuses set for obvious reasons) and designed the scope around that as a reference. Half way down the development train; secureboot is long forgotten and you are just busy getting the damn thing to work reliably. Once you are that far, you'll be thinking twice making a major change like that (then again, if you are incompetent, you easily would do that ;) ...)

Finally, they started development around 2013, based on all the sources I've seen so far. Back then; a) you really had to know what you were looking at/for and b) I'm sure hacking was not their main issue while doing the bringup from the whole system. These are engineers, they care about a working system.

Again, this is just my 2 cents worth of speculation based on the extremely poor quality of software.

P.S. I wonder if these old libraries they are using will not have quite a few (remote) exploits lingering. 3.12 wasn't an LTS was it? Let alone in their application (appEntry) which runs as root and does have remote access (via lighthttp and rpc)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 08, 2019, 01:52:37 am
These annoying bugs will force you to install further updates.

The trick is not to install them two seconds after they're released.

Wait a few days until other people have done it.  :popcorn:

In fact, Rigol actually have some solution to counterattack, Zynq itself has some security features, and I believe there are some hidden features (reverse engineering work by myself) in their ASICs as well. If they want to do some proper anti-hacking solution, it will be harder to hack. Btw, Rigol is a big customer of Xilinx, so...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 08, 2019, 02:06:21 am
He ( and I ) remain unconvinced that Rigol are deliberately making their devices 'hackable'.    It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (eg. the DS1074Z Plus (https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/4303/))

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site (https://www.xilinx.com/support/documentation/application_notes/xapp1175_zynq_secure_boot.pdf).

Whatever the reasons are, it's not incompetence.

From some information I got from Rigol's distributor, it is not true at all. They actually want to completely block these holes. So, watch out guys.

Btw, the unofficial new firmware claims that it was released on 9 November 2018. We started our reverse engineering at about 15 November 2018. I believe that their changing the password is not related to hacking, but I think in the next firmware they will totally disable SSH.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: asmi on January 08, 2019, 04:10:56 am
But secure-boot is hard and expensive. Getting the fuses set is something (I guess) will have to be done by xilinx in the factory, which is an extra service, not cheap.
This is BS. No extra service is needed, everything can be done via JTAG just like regular programming/configuration.

Understanding how it all works and comes together is also not for the faint of heart.
Reading documentation is all it takes. But even if we suppose they are somehow too stupid to figure it out (yet somehow manage a several orders of magnitude more complicated task of designing an actual system in FPGAs), they could always enlist Xilinx FE to help them out.
I suggest you stop projecting. They clearly can read documentation, and I'm 99,(9)% sure they leave devices open on purpose.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 08, 2019, 06:55:50 am
But secure-boot is hard and expensive. Getting the fuses set is something (I guess) will have to be done by xilinx in the factory, which is an extra service, not cheap.
This is BS. No extra service is needed, everything can be done via JTAG just like regular programming/configuration.
There, there, no need to be cross.

But please let's remain civilized. For one, enabling the feature via the fuse is easy, sure yes. But I cannot find any indication in the manual about the secure vault (other than the graph) where the _private_ key is stored. Or how to set it. I'll agree I have not studied the manual in depth of course.

Now I know how this works a little on Texas Instruments HS parts (High Secure) and there it's simple. Encryption is a chain of trust, and TI says 'we will program the keys securely, nobody else has access to the keys, but you need to trust us'. Trusting some factory floor employee not to leak the key is, of course, a risk.

So I would assume it works the same way here. But sure, maybe a user can program the fuses for the RSA key themselves, or maybe they can store the key in Battery Backed RAM themselves. Surely possible.

Just one problem I can imagine if the user can burn the RSA key fuses themselves, what stops you from burning ALL key fuses, effectively turning the fuse into 0xfffffff? Or worse, use jtag to read back the fuses? So again, it would surprise me that a user (developer) gets to write into the actual vault, and would imagine this to be left to xilinx only. Just like you do not have any access whatsoever to the BootROM (access is disabled after execution).

But please do point me to the page where they have this information; I'd love to read up on it, I do.

Understanding how it all works and comes together, is also; not for the faint of heart.
Reading documentation is all it takes. But even if we suppose they are somehow too stupid to figure it out (yet somehow manage a several orders of magnitude more complicated task of designing an actual system in FPGAs), they could always enlist Xilinx FE to help them out.
I suggest you stop projecting. They clearly can read documentation, and I'm 99,(9)% sure they leave devices open on purpose.
Different task, different people, different skill. They are a _hardware_ company, and while *I* feel that VHDL/Verilog programming is just a different skill of programming; it tends to be done by EE's. As such bringing up a secure linux with UI is not their problem.
But sure, this is only projecting and suggesting, I never claimed otherwise. But since you have inside details; please do share more. We can all learn from that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Daixiwen on January 08, 2019, 07:36:40 am
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on January 08, 2019, 09:09:48 am
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
I think it boils down to the Chinese mentality of making a product just good enough to ship.
Security is a very complex issue, and needs some imaginative thinking (something that is very rare in China due to the educational system), to consider and pre-empt possible entry points.
You can put the best lock in the world on the front door but that's no good if you can open a window with a screwdriver.
FPGA systems and tools are very complex, and so is Linux, and the designers need to have a far better grasp on it all to make it secure, than they do to ship a working product.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 08, 2019, 09:12:44 am
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
Of course; but the work I see is extremely sloppy and lazy and very inexperienced. Even if it is an engineer who does not dare to push back to the manager; there's quality, and there's ... well this :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 08, 2019, 09:15:17 am
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
I think it boils down to the Chinese mentality of making a product just good enough to ship.
Security is a very complex issue, and needs some imaginative thinking (something that is very rare in China due to the educational system), to consider and pre-empt possible entry points.
You can put the best lock in the world on the front door but that's no good if you can open a window with a screwdriver.
FPGA systems and tools are very complex, and so is Linux, and the designers need to have a far better grasp on it all to make it secure, than they do to ship a working product.

"working" being defined as mostly working with a few 'quirks'  :-)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 08, 2019, 11:32:49 am
I'm sure Rigol does as best as it can, and as time permits.

We must not forget that this is a tough market, and time to market is essential. If the product gains traction, they can later try to solve the problems but putting the system on the street must be one of their primary goals.

Sales can later compensate the investment needed to pay for the correction of the flaws.

So, stop bashing Rigol people. Let them do their job and we'll continue to do our explorations.

Now, let's go back on topic:

The system is already broken and, in my opinion, beyond repair. Licensing it is perfectly possible.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sparkv on January 08, 2019, 11:33:42 am
Maybe I misunderstood the topic of this thread. I thought we were trying to hack the MSO5000, not advise Rigol on how to make it unhackable

:-DD
Code:
Firmware 01.01.03.05 Patch Notes:
- Incorporated all security features/approaches discussed on eevblog forums (thnx u)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on January 08, 2019, 11:55:46 am
Maybe I misunderstood the topic of this thread. I thought we were trying to hack the MSO5000, not advise Rigol on how to make it unhackable

:-DD
Code:
Firmware 01.01.03.05 Patch Notes:
- Incorporated all security features/approaches discussed on eevblog forums (thnx u)
EEVBLOG hacker's motto: No challenge, no fun
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 08, 2019, 11:56:33 am
Somebody asked me to post a photo of my 'system information' screen.

Here it is:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 08, 2019, 12:09:00 pm
Somebody asked me to post a photo of my 'system information' screen.

Were you a beta tester???   :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 08, 2019, 12:18:56 pm
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.

I totally agree with you, but the risk still exists: Considering Rigol is a big customer of Xilinx, they maybe want official support from Xilinx FAE. If they choose to do this, things will be getting worse...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 08, 2019, 12:21:49 pm
Somebody asked me to post a photo of my 'system information' screen.

Were you a beta tester???   :-DD

I built it from kit form, after it had been totally dismantled and various IC's removed for 'QC' inspection  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 08, 2019, 08:56:47 pm
Back on page 10 was it? Vtech made an excellent post finding out a lot of the cool chips with Dave's video.

I figured, we need a pic and some more text to go with that. But not any ol' pic. I took the front and back pictures from Dave's teardown, and overlaid them. Then made the bottom 50% transparent, allowing us to see a little bit more of what's going on :)

(https://gitlab.com/riglol/rigolee/wikis/uploads/df3fe65327a9cded968c152d7fc4928a/pcb_back_and_front.png)

For more information (what the colors mean etc) see https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown (https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown)

Edit: Also did the keyboard (https://gitlab.com/riglol/rigolee/wikis/uploads/3f80bbb74ead65cf2253c92fd995745a/keyboard_back_and_front.png)

For more information see https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown (https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: helmy on January 09, 2019, 09:55:05 am
Did anyone try to make their own (PLA2216) logic probe for cheap, considering it is priced at $400!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 09, 2019, 09:58:19 am
Did anyone try to make their own (PLA2216) logic probe for cheap, considering it is priced at $400!

https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/ (https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on January 09, 2019, 09:58:25 am
Did anyone try to make their own (PLA2216) logic probe for cheap, considering it is priced at $400!
Should be easy enough as it's just a bunch of ECL comparators.  Probably just a matter of time before they show up on Aliexpress
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 09, 2019, 12:35:04 pm
What does this image show?

(It's a MSO5000 capture, with a 50-ohm termination.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thomil on January 09, 2019, 12:45:04 pm
What does this image show?

350ps fall time? 1GHz bandwidth?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 09, 2019, 12:51:54 pm
What does this image show?

350ps fall time? 1GHz bandwidth?

It's displaying a pulse that's approx. 1ns.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: johnmx on January 09, 2019, 01:23:24 pm
What does this image show?
What is your signal source?
It would be interesting to see the same response using a 50 Ohm terminator at the scope input.
E.g. something like this may prevent oscillations at higher frequencies:
https://www.picotech.com/accessories/bnc-terminators-leads/50r-terminator-bnc (https://www.picotech.com/accessories/bnc-terminators-leads/50r-terminator-bnc)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 09, 2019, 03:42:14 pm
It's a transistor catching fire?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 09, 2019, 04:19:12 pm
It's a transistor catching fire?

We are almost OT but I would like to see if you guys confirm that this can be used as proof of the claims that were made a few weeks ago...

BTW, Fungus, can you recreate this with your (any) scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: iMo on January 09, 2019, 04:21:41 pm
The rise time is important with that test, afaik.
BW=350/0.44=795MHz
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 09, 2019, 05:44:57 pm
It's a transistor catching fire?

We are almost OT but I would like to see if you guys confirm that this can be used as proof of the claims that were made a few weeks ago...

BTW, Fungus, can you recreate this with your (any) scope?

I haven't got a 90V DC supply. Mine only goes up to 30V.

(I assume that applying 90V to that transistor is bad, hence my comment)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on January 09, 2019, 06:27:38 pm
Fungus, search for "Avalanche Pulser" and then you will know what it is.
And that 90V is OK for an Avalanche Transistor...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TurboTom on January 09, 2019, 06:59:39 pm
Btw, that resistance in series with the power supply is MegOhm, not milliOhm as the schematic may suggest...  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: johnmx on January 09, 2019, 07:08:22 pm
I wonder if the oscillations are from the circuit itself instead of the impedance mismatch of the scope input stage
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on January 09, 2019, 07:15:16 pm
Fungus, search for "Avalanche Pulser" and then you will know what it is.
And that 90V is OK for an Avalanche Transistor...

http://www.eevblog.com/2012/07/06/eevblog-306-jim-williams-pulse-generator/ (http://www.eevblog.com/2012/07/06/eevblog-306-jim-williams-pulse-generator/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 10, 2019, 05:54:11 am
It's a transistor catching fire?

We are almost OT but I would like to see if you guys confirm that this can be used as proof of the claims that were made a few weeks ago...

BTW, Fungus, can you recreate this with your (any) scope?

The frontend of this scope has very poor S11 performance, measured by KC901 VNA. Although we added a 50-ohm terminator to its input, S11 curve above 350MHz still looks terrible. We have swept this scope by HP 8657 generator, usable bandwidth is around 380MHz. Maybe the internal match network on AFE's output line limited the bandwidth and the input circuit isn't capable of high-frequency usage (because of such high S11).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on January 10, 2019, 06:02:18 am
Did you calibrate the KC901V to remove the cable effects?
Have you checked the return loss of the terminator itself?
Can you run it with a lower max frequency as anything above 500 MHz/ 1 GHz is likely meaningless.

Lastly, many scopes' 50 ohm inputs are only rated to have an SWR of 1.5:1 or better - that is only 14 dB of return loss.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 10, 2019, 06:20:07 am
Did you calibrate the KC901V to remove the cable effects?
Have you checked the return loss of the terminator itself?
Can you run it with a lower max frequency as anything above 500 MHz/ 1 GHz is likely meaningless.

Lastly, many scopes' 50 ohm inputs are only rated to have an SWR of 1.5:1 or better - that is only 14 dB of return loss.

1. Yes.
2. Of course.
3. I have done it, it doesn't look good... Almost the same result as this. Below 350MHz it is fine though, but in 350MHz-1GHz, if you don't do some hardware modification, it is not as good as the calculated bandwidth that the pulse response result shown by tv84. I have returned home for winter vacation, so for about 1 month or so I can't do any measurements on this scope (because I don't have the equipment to measure at home) ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on January 10, 2019, 06:41:40 am
I don't think you're seeing any problem with the scope, it is just the nature of trying to use a 50 ohm feed through connected to the 1 meg-ohm input of a scope. A scope with a 50 ohm internal path is optimized for such things. Using a feed-through will only match a proper 50 ohm input at very low frequencies.
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 10, 2019, 07:24:27 am
I don't think you're seeing any problem with the scope, it is just the nature of trying to use a 50 ohm feed through connected to the 1 meg-ohm input of a scope. A scope with a 50 ohm internal path is optimized for such things. Using a feed-through will only match a proper 50 ohm input at very low frequencies.
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.

I mean this scope is not designed for testing signals above 350MHz. It just does not perform well and maybe it needs some hardware modification to make use of the high sample rate.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 10, 2019, 08:03:25 am
I don't think you're seeing any problem with the scope, it is just the nature of trying to use a 50 ohm feed through connected to the 1 meg-ohm input of a scope. A scope with a 50 ohm internal path is optimized for such things. Using a feed-through will only match a proper 50 ohm input at very low frequencies.
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.

I mean this scope is not designed for testing signals above 350MHz. It just does not perform well and maybe it needs some hardware modification to make use of the high sample rate.

You cannot just hack it. For higher frequencies you need to use a 50 ohm path, and that has to exist in the scope from input connector to A/D converter. It has to be a controlled impedance layout.
Basically, it has to exist as a separate part of the PCB made for just that purpose, which is just not there on the MSO5000 board.

The chipset and front end chip in the MSO7000 and MSO5000 are identical and capable of the same bandwidth (the frontend chipset is capable of a few GHz actually). It's just that your signal from the input BNC cannot get to it without being destroyed.
For a scope of this class it is more important that it has a good 300 MHz with good signal integrity (which is a miracle itself) than hacking it to 1GHz with a distorted signal. You get a worse scope actually, and much more noise...


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on January 10, 2019, 08:11:59 am
I don't think you're seeing any problem with the scope, it is just the nature of trying to use a 50 ohm feed through connected to the 1 meg-ohm input of a scope. A scope with a 50 ohm internal path is optimized for such things. Using a feed-through will only match a proper 50 ohm input at very low frequencies.
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.

I mean this scope is not designed for testing signals above 350MHz. It just does not perform well and maybe it needs some hardware modification to make use of the high sample rate.

You cannot just hack it. For higher frequencies you need to use a 50 ohm path, and that has to exist in the scope from input connector to A/D converter. It has to be a controlled impedance layout.
Basically, it has to exist as a separate part of the PCB made for just that purpose, which is just not there on the MSO5000 board.

The chipset and front end chip in the MSO7000 and MSO5000 are identical and capable of the same bandwidth (the frontend chipset is capable of a few GHz actually). It's just that your signal from the input BNC cannot get to it without being destroyed.
For a scope of this class it is more important that it has a good 300 MHz with good signal integrity (which is a miracle itself) than hacking it to 1GHz with a distorted signal. You get a worse scope actually, and much more noise...

Yes, that is actually what I mean. To make use of the high sample rate isn't easy.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on January 10, 2019, 08:31:19 am
Here is an example of what my Keysight scope looks like with its native 50 ohm input, and then using a 50 ohm feed-through with the scope input back at 1 meg-ohm. It looks absolutely horrible using the feed-through. The third shot is the 50 ohm feed-through on its own just for reference.

Can you explain why above 800MHz the feedthrough + scope seems better than the feedthrough alone? Is the feedthrough not made for frequencies above 500MHz or something like that?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TheSteve on January 10, 2019, 08:42:28 am
I don't want to get too far off topic but to answer the question the feed-through is a very cheap model from banggood(7 dollars for two shipped). I wouldn't expect  decent performance past 500 MHz.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on January 10, 2019, 03:32:04 pm
Slightly off topic.  TEquipment has 2 MSO5074 in stock.  It was 3 before I bought one   :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on January 10, 2019, 11:05:18 pm
Slightly off topic.  TEquipment has 2 MSO5074 in stock.  It was 3 before I bought one   :P
wtf? I bought one and got my delivery bumped back and forth
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on January 11, 2019, 02:11:54 am
wtf? I bought one and got my delivery bumped back and forth
Yeah my confirmation e-mail indicates a shipping date of the 15th.  I suspect shenanigans
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 11, 2019, 05:36:56 am
so they have enough time to install new firmware perhaps??
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: diegogmx on January 11, 2019, 07:25:24 am
wtf? I bought one and got my delivery bumped back and forth
Yeah my confirmation e-mail indicates a shipping date of the 15th.  I suspect shenanigans

it seems there are many of us in that situation, they told me they have a backlog of orders, which is to be expected i guess
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 11, 2019, 04:59:40 pm
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

Thought maybe the update is only available via online connection to the scope, so I took it home and connected LAN...
No, no firmware available.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 11, 2019, 05:33:54 pm
The chipset and front end chip in the MSO7000 and MSO5000 are identical and capable of the same bandwidth (the frontend chipset is capable of a few GHz actually). It's just that your signal from the input BNC cannot get to it without being destroyed.
For a scope of this class it is more important that it has a good 300 MHz with good signal integrity (which is a miracle itself) than hacking it to 1GHz with a distorted signal. You get a worse scope actually, and much more noise...

By looking at these FW strings (in the current models):
600MHz to 1GHz Bandwidth Upgrade Option
600MHz to 2GHz Bandwidth Upgrade Option
1GHz to 2GHz Bandwidth Upgrade Option

I would imagine that ds8000 (or ds9000) could be available in 600MHz or 1GHz base, with options to upgrade to 2GHz.

Let's hope that with another PCB as you say.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 11, 2019, 07:33:09 pm
The chipset and front end chip in the MSO7000 and MSO5000 are identical and capable of the same bandwidth (the frontend chipset is capable of a few GHz actually). It's just that your signal from the input BNC cannot get to it without being destroyed.
For a scope of this class it is more important that it has a good 300 MHz with good signal integrity (which is a miracle itself) than hacking it to 1GHz with a distorted signal. You get a worse scope actually, and much more noise...

By looking at these FW strings (in the current models):
600MHz to 1GHz Bandwidth Upgrade Option
600MHz to 2GHz Bandwidth Upgrade Option
1GHz to 2GHz Bandwidth Upgrade Option

I would imagine that ds8000 (or ds9000) could be available in 600MHz or 1GHz base, with options to upgrade to 2GHz.

Let's hope that with another PCB as you say.

No need for speculation. 8000 is up to 2GHz model.
9000 is yet to be released up to 4GHz model.
Spoke with Rigol on Electronica. 8000 was there, looks pretty much like black 7000....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hansibull on January 11, 2019, 07:51:09 pm

No need for speculation. 8000 is up to 2GHz model.
9000 is yet to be released up to 4GHz model.
Spoke with Rigol on Electronica. 8000 was there, looks pretty much like black 7000....

There were no DS/MSO8000 at the Electronica fair? IIRC the RSA5000 was the only black instrument at the Rigol stand apart from the MSO5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pascal_sweden on January 11, 2019, 08:07:18 pm
I don't like these 45 degree corners at all, which they obviously have adopted from the R&S RTB2000 series.

Corner design of R&S RTB2000 series:
https://www.rohde-schwarz.com/us/product/rtb2000-productstartpage_63493-266306.html (https://www.rohde-schwarz.com/us/product/rtb2000-productstartpage_63493-266306.html)

Corner design of Rigol MSO5000 series:
https://www.rigol.eu/products/digital-oscilloscopes/MSO5000/ (https://www.rigol.eu/products/digital-oscilloscopes/MSO5000/)

Moreover the display seems not very bright and clear at all, plus the glossy level is way too much.


If anyone from Rigol USA is reading this:

1) Please don't use these 45 degree corners in future series!
These 45 degree corners are very ugly! It looks like Zorro was here with his sword to cut these corners in a swing! What's the point of this in the first place?

2) Also improve the display brightness and clarity!
Reduce the gloss or remove it completely as your oscilloscopes are Test&Measurement instruments for engineers and not Beauty Mirrors for women :)
As Dave Jones pointed out already in his review: The entry level DS1054Z series seems to have a better display than the MSO5000 series. How come? Did you change display vendor?

Don't adopt weird designs from the industry. Innovate with your own designs.
Don't try to be the "Apple-R&S" lookalike! :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 11, 2019, 08:13:27 pm
As Dave Jones pointed out already in his review: The entry level DS1054Z series seems to have a better display than the MSO5000 series. How come? Did you change display vendor?

One is a touch screen. Matte touch screens show all the fingerprints much more.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 0xdeadbeef on January 11, 2019, 08:23:18 pm
One is a touch screen. Matte touch screens show all the fingerprints much more.
Actually, it's quite the opposite. I always use a matte screen protector on my smartphones and fingerprints are much less visible there compared to a glossy screen.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 11, 2019, 08:24:40 pm

No need for speculation. 8000 is up to 2GHz model.
9000 is yet to be released up to 4GHz model.
Spoke with Rigol on Electronica. 8000 was there, looks pretty much like black 7000....

There were no DS/MSO8000 at the Electronica fair? IIRC the RSA5000 was the only black instrument at the Rigol stand apart from the MSO5000.
I was there on Friday, the last day. I might have been mistaken, it was a long day.
There was 7000 (beige) and small (5000) and bigger black scope with active probe interface. Looked exactly like 7000 just black.
It was on a desk in the back near the booth wall.
I didn't take photo but here it is on Rigol photo:


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on January 11, 2019, 11:08:00 pm
Hm, if they are building a unified bsp for all MSO series together it can be a problem for us in the future...
I think they will put much more effort in securing their high end MSO than now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on January 11, 2019, 11:08:57 pm
Let's hope not. I'm going to wait until an updated firmware drops to see if everything is still open, if so I'll buy one.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on January 12, 2019, 01:28:17 am
anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

i ordered the mso5074 after reading about the "hack" on hackaday. received it an hour ago, but can't log in over the lan interface & ssh...

Thought maybe the update is only available via online connection to the scope, so I took it home and connected LAN...
No, no firmware available.

I think Quix went and cracked the hash didn't he? Was real tiny. Edit:Did it in about 20mins on some really old gpx hardware w/ hashcat.

As far as firmwares,  I thought I saw someone DL one from Rigol to tweak/dismantle, but it was the original 1.2.3 correct? Guess it seems they haven't put the new one up for us.
I was admittedly a little worried about auto-update surprises in the beginning. Or the scope phoning home to rat you out...

I know for licenses they use a website key entry followed by DL a license file (that's basically your key in a .lic). The work 7k's got the free xmas decodes bundle.

Granted, given the unfettered access we have now and the number of people playing with IDA and the firmware, I doubt Rigol will be able to keep us out consistently. Money better spent making corporate customers happy and bug fixing.


For reference/dating purposes, my 5074 showed up from TEquipment last Monday the 7th. Came with 1.2.3

Box appeared unopened and appears drop shipped the moment they got it in their West Coast warehouse.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on January 12, 2019, 11:36:22 pm
I recently had a need to use the UART interface on an MSO5074 and found this to be a challenging exercise.
There were two issues:-
1.   The data out of the MSO5074 was corrupted from time to time.
2.   There was no response to commands sent to the unit.

The corrupted data out of the MSO5074 was found to be caused by varying widths of the Low going data bits in the serial data stream.
At 115200 bits/sec, the nominal bit width is 8.68us.  Some of the Low going bits from the UART interface were down to 3us width.
The overall packet timing was correct, just the width of the low going bits varied.
So depending on when the receiving equipment clocks the data in, it may see either a "0" or "1".

This was solved by feeding the data through an external Pulse stretching circuit to set the minimum bit width correctly.

The second issue of no response to commands was tracked down to an open circuit on the PCB trace from the UART interface connection point.
The Data IN to the MSO5074 goes via a series resistor. This resistor had been left off the circuit board.
Since the resistor is mounted on the back of the board, this meant completely dismantling the unit to bridge the gap on the trace.

After solving these issues, using the UART interface to talk to the MSO5074 was straightforward.
I found that "U Boot" can be easily interrupted by holding a keyboard key down from when the MSO5074 is powered ON.

**  Edit.  Added Pulse stretching Circuit. **
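
The sampling problem described in the post above, as an added model that is not part of the original post or of seronday's circuit. It assumes (hypothetically) that only isolated one-bit lows are narrowed, with the falling edge on time and the rising edge early; all function names are illustrative.

```python
"""Constructed model: 115200-baud 8N1 line whose isolated low bits are too narrow."""

BAUD = 115200
BIT_US = 1_000_000 / BAUD          # nominal bit width, about 8.68 us


def frame_levels(byte):
    """8N1 frame as logic levels: start (0), 8 data bits LSB first, stop (1)."""
    return [0] + [(byte >> i) & 1 for i in range(8)] + [1]


def low_intervals(byte, single_low_us=BIT_US):
    """Return the (start, end) times in us during which the line is low.

    Assumption (not from the post): only isolated one-bit lows are narrowed
    to single_low_us; longer runs of zeros keep their nominal width.
    """
    levels = frame_levels(byte)
    intervals, i = [], 0
    while i < len(levels):
        if levels[i] == 0:
            j = i
            while j < len(levels) and levels[j] == 0:
                j += 1
            width = single_low_us if j - i == 1 else (j - i) * BIT_US
            intervals.append((i * BIT_US, i * BIT_US + width))
            i = j
        else:
            i += 1
    return intervals


def stretch(intervals, min_low_us):
    """Ideal pulse stretcher: hold every low for at least min_low_us."""
    return [(s, max(e, s + min_low_us)) for s, e in intervals]


def is_low(intervals, t):
    """True if the line is low at time t (us)."""
    return any(s <= t < e for s, e in intervals)


def receive(intervals, sample_phase=0.5):
    """Decode one frame, sampling every bit cell at sample_phase (0..1).

    Timing is referenced to the start bit's falling edge. Returns the byte,
    or None on a framing error (start bit not low, or stop bit not high).
    """
    t0 = intervals[0][0]
    levels = [0 if is_low(intervals, t0 + (n + sample_phase) * BIT_US) else 1
              for n in range(10)]
    if levels[0] != 0 or levels[9] != 1:
        return None
    return sum(bit << i for i, bit in enumerate(levels[1:9]))


def error_phases(byte, single_low_us, phases, min_low_us=None):
    """Sample phases at which the byte is NOT received correctly."""
    iv = low_intervals(byte, single_low_us)
    if min_low_us is not None:
        iv = stretch(iv, min_low_us)
    return [p for p in phases if receive(iv, p) != byte]


if __name__ == "__main__":
    phases = [p / 10 for p in range(1, 10)]
    # 0x55 has only isolated low bits; 0xFA has one isolated low data bit.
    print("0x55, 3 us lows, mid-bit sample:", receive(low_intervals(0x55, 3.0)))
    print("0xFA, 3 us lows, mid-bit sample:", hex(receive(low_intervals(0xFA, 3.0))))
    print("failing phases, raw:      ", error_phases(0x55, 3.0, phases))
    print("failing phases, stretched:", error_phases(0x55, 3.0, phases, BIT_US))
```

A receiver that samples early in the bit cell still reads the 3 us lows, which matches the "from time to time" corruption: whether a byte survives depends on where the receiver's sample point falls.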
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 12, 2019, 11:39:15 pm
This resistor had been left off the circuit board.

Accidentally now of course  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: helmy on January 13, 2019, 04:51:43 am
The corrupted data out of the MSO5074 was found to be caused by varying widths of the Low going data bits in the serial data stream.
At 115200 bits/sec, the nominal bit width is 8.68us.  Some of the Low going bits from the UART interface were down to 3us width.
The overall packet timing was correct, just the width of the low going bits varied.
So depending on when the receiving equipment clocks the data in, it may see either a "0" or "1"

This was solved by feeding the data through an external Pulse stretching circuit to set the minimum bit width correctly.

could you share this external Pulse stretching circuit ?

The second issue of no response to commands was tracked down to an open circuit on the PCB trace from the UART interface connection point.
The Data IN to the MSO5074 goes via a series resistor. This resistor had been left off the circuit board.
In the video #1146 Dave wasn't able to send commands to it either, but then if you were following along on this thread others have tried the UART interface and were able to use it with no problem and no mention of a missing resistor, and if you let it boot completely you should get a root shell without being asked to login, right?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 13, 2019, 08:04:56 pm
Hm ?

I thought, new updates will be present on the regular rigol sites…..
You got a new update ? What does the "changes" say ?

Martin

Single file, no 'changelog'
https://www.dropbox.com/s/7xhvif1n0ayrzju/DS5000Update%20prelim.GEL?dl=0

Just a few seconds before, I download the file, transfer it to a usb stick, plug it in the rigol…..
Stick will be recognized but "local upgrade" isn't available…

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 13, 2019, 08:09:48 pm
Hm ?

I thought, new updates will be present on the regular rigol sites…..
You got a new update ? What does the "changes" say ?

Martin

Single file, no 'changelog'
https://www.dropbox.com/s/7xhvif1n0ayrzju/DS5000Update%20prelim.GEL?dl=0

Just a few seconds before, I download the file, transfer it to a usb stick, plug it in the rigol…..
Stick will be recognized but "local upgrade" isn't available…

Martin

Rename the file DS5000Update.GEL

The update process only seems to recognise that file name.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 13, 2019, 08:32:07 pm
Yes, this works and upgrading will be done very quick.
But I can´t see any remarkable changes except the version number.
Before:

(https://www.bilder-upload.eu/thumb/2d5208-1547413654.jpg) (https://www.bilder-upload.eu/bild-2d5208-1547413654.jpg.html)
After:

(https://www.bilder-upload.eu/thumb/397c5e-1547413731.jpg) (https://www.bilder-upload.eu/bild-397c5e-1547413731.jpg.html)

Maybe the update was only for changing the "root" password
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 13, 2019, 08:34:35 pm
Yes, this works and upgrading will be done very quick.
But I can´t see any remarkable changes except the version number.
Maybe the update was only for changing the "root" password

Somebody compared the GEL contents and almost every file was changed. But nothing significant is obvious except the password change.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 13, 2019, 08:42:10 pm
Hm....
OK, let´s wait for the first official update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jgmrequel on January 13, 2019, 08:52:59 pm
Has someone tried to verify if the "upgrade" enables also the other two channels on the MSO5XX2?  ^-^

No they haven’t, but tv84 thinks it won’t.  I’m not sure it’s worth saving 90 euros to find out the hard way. Buy the 4 channel model and you get 2 extra 350MHz probes and a warranty that covers all 4 channels.

But it would be interesting to have somebody verify it.

This does in fact work - I've a MSO 5072, FW 01.01.02.03, and channels 3 and 4 get enabled with the fullopt.

I'm catching up on this thread and working on the hardware/firmware myself.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on January 14, 2019, 12:54:40 pm
The corrupted data out of the MSO5074 was found to be caused by varying widths of the Low going data bits in the serial data stream.
At 115200 bits/sec, the nominal bit width is 8.68us.  Some of the Low going bits from the UART interface were down to 3us width.
The overall packet timing was correct, just the width of the low going bits varied.
So depending on when the receiving equipment clocks the data in, it may see either a "0" or "1"

This was solved by feeding the data through an external Pulse stretching circuit to set the minimum bit width correctly.

could you share this external Pulse stretching circuit ?

The second issue of no response to commands was tracked down to an open circuit on the PCB trace from the UART interface connection point.
The Data IN to the MSO5074 goes via a series resistor. This resistor had been left off the circuit board.
In the video #1146 Dave wasn't able to send commands to it either, but then if you were following along on this thread others have tried the UART interface and were able to use it with no problem and no mention of a missing resistor, and if you let it boot completely you should get a root shell without being asked to login, right?

@helmy: Pulse stretching circuit added to original posting.

Root access is available as soon as the operating system has been loaded.

If you follow the progress bar that appears on the display of your MSO5000 series when you first turn it ON, at approximately 1/4 of the way along is when the operating system has loaded and root access is available via the UART port.

Regards.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sprite_tm on January 19, 2019, 04:04:47 pm
Hi all! Long-time reader, first-time poster. When I read the MSO5000 had a trivially-accessible Linux shell, I pulled the trigger and now have a nice MSO5074 on my desk. Thought I would also add something to the hacking community, although it's quite trite.

So, there's an ancient rule on the Internet that whenever something runs Linux and is hacked, it shall be made to run Doom. I noticed that the fine community of MSO5000 hackers has up till now flagrantly disregarded this rule, so I decided to correct that. I present to you: Doom running on a MSO5000 oscilloscope:
https://www.youtube.com/watch?v=m2JOs0Aldq0


If you want to try this yourself (or look at the sources), feel free to take a gander in the Github repo (https://github.com/Spritetm/prboom-mso5k/releases/tag/v1.0). It's more-or-less a straight port of prboom, with some hacks in order to support the weird framebuffer hardware the scope has, and to interface with the front panel.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 19, 2019, 04:47:54 pm
LOL  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on January 19, 2019, 05:51:03 pm
What is the actual state of the MSO5000 hack.

What  I will get if I buy a MSO 5072 and hack it.

I assume 4 channels 350 Mhz and all options, Is that True?

Have any one post only guideline on do the Hack ?



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on January 19, 2019, 06:34:24 pm
Hi all! Long-time reader, first-time poster. When I read the MSO5000 had a trivially-accessible Linux shell, I pulled the trigger and now have a nice MSO5074 on my desk. Thought I would also add something to the hacking community, although it's quite trite.

So, there's an ancient rule on the Internet that whenever something runs Linux and is hacked, it shall be made to run Doom. I noticed that the fine community of MSO5000 hackers has up till now flagrantly disregarded this rule, so I decided to correct that. I present to you: Doom running on a MSO5000 oscilloscope:
https://www.youtube.com/watch?v=m2JOs0Aldq0


If you want to try this yourself (or look at the sources), feel free to take a gander in the Github repo (https://github.com/Spritetm/prboom-mso5k/releases/tag/v1.0). It's more-or-less a straight port of prboom, with some hacks in order to support the weird framebuffer hardware the scope has, and to interface with the front panel.

Sound via the wavegen perhaps?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TurboTom on January 19, 2019, 07:40:36 pm
...
So, there's an ancient rule on the Internet that whenever something runs Linux and is hacked, it shall be made to run Doom. I noticed that the fine community of MSO5000 hackers has up till now flagrantly disregarded this rule, so I decided to correct that. I present to you: Doom running on a MSO5000 oscilloscope:
...

...Delicious!  :-+ ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 19, 2019, 08:27:51 pm
What is the actual state of the MSO5000 hack.

What  I will get if I buy a MSO 5072 and hack it.

I assume 4 channels 350 Mhz and all options, Is that True?

Have any one post only guideline on do the Hack ?

Yes, you can go from a 5072 --> 4 channel, 350Mhz and all options.     There is a single post in this thread that details how to do it.    But you'll have to go and find it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on January 19, 2019, 08:28:52 pm
What is the actual state of the MSO5000 hack.

What  I will get if I buy a MSO 5072 and hack it.

I assume 4 channels 350 Mhz and all options, Is that True?

Have any one post only guideline on do the Hack ?

Just received a 5072.....  You get all channels, full bandwidth(350M), all decoding and the AWGs.  At least with the firmware released to date....
See: Reply 404...
Password is either root or Rigol201... (dependent on the firmware version)...

FYI...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 19, 2019, 09:53:53 pm
Are the full options "correct" displayed, meaning the installed options table or the before greyed out functions like power analyzing ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on January 20, 2019, 01:22:10 am
The option table does not change.  However, everything I have tried - works.  I.E the AWG buttons prior to the change brought up a screen saying a license was required - and the function did not come up.  For me with a 5072 - the same occurred when I selected channel 3 or 4.  Now, with the change - all function without any license notification....

FYI...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on January 20, 2019, 04:21:39 am
Hi,

here is a sweep and roll from 0Mhz to 2Ghz(FFT),  source R&S SMT06, -10dbm, sweep 9khz to 2ghz for sweep and 9khz to 1ghz for roll, 50ohm hp feed through.

Before the "update" the cut off was at about 120Mhz, then at around 450Mhz



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 20, 2019, 05:59:32 am
thanks thats great to see.  I can't make out any units on the pics..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on January 20, 2019, 06:33:42 am
Have some inscription inserted into the picture.

Does the Rigol at FFT work somehow peak hold? (this works for the Siglent SDS2kX)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 20, 2019, 10:52:43 am
The option table does not change.  However, everything I have tried - works.  I.E the AWG buttons prior to the change brought up a screen saying a license was required - and the function did not come up.  For me with a 5072 - the same occurred when I selected channel 3 or 4.  Now, with the change - all function without any license notification....

FYI...

Hmpf, it would be nice (and not so irritating) to have "the official touch" too.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 20, 2019, 01:03:19 pm
What is the actual state of the MSO5000 hack.

What  I will get if I buy a MSO 5072 and hack it.

I assume 4 channels 350 Mhz and all options, Is that True?

Yes.

Have any one post only guideline on do the Hack ?

This thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 20, 2019, 11:31:33 pm
Hmpf, it would be nice (and not so irritating) to have "the official touch" too.

How could this be going….

All options enabled is no problem but obviously it takes more changes to display it correct.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 21, 2019, 12:09:52 am
So, what else do we need to do to hack this.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on January 21, 2019, 03:12:49 am
So, what else do we need to do to hack this.

Find out after the next update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ShortBuss on January 22, 2019, 10:46:34 pm
Rigol MSO5074 Ordered from Tequipment (U.S.A.) Delivered today. Shipped with build date of 2018-10-15 and firmware 00.01.01.02.03. Called Rigol support and asked for a firmware upgrade. Technician stated that 00.01.01.02.03 is the Current firmware in the USA. Expected new firmware in 30 days. root/root login still worked.  >:D FYI
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tequipment on January 22, 2019, 10:50:52 pm
TEquipment now has over 80 MSO5074 units on order. We are working our best to fulfill orders on a first come, first serve basis. We would suggest placing your pre-order now to get in line, as they will be shipped on a first come, first serve basis.
We currently have the following models in stock if anyone wants something more immediate, please see here: https://www.screencast.com/t/huJDkWJKtIk
If we can help to answer any more detailed questions, please do not hesitate to contact us: salesteam@tequipment.net or direct by phone: 1-877-571-7901

Thank you for all of your patronage and support,

The TEquipment Team


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on January 22, 2019, 10:51:50 pm
Rigol MSO5074 Ordered from Tequipment (U.S.A.) Delivered today. Shipped with build date of 2018-10-15 and firmware 00.01.01.02.03. Called Rigol support and asked for a firmware upgrade. Technician stated that 00.01.01.02.03 is the Current firmware in the USA. Expected new firmware in 30 days. root/root login still worked.  >:D FYI

Just received mine.  Tequipment order, direct ship from Rigol (Beaverton, OR) Same as above.  Last self cal date is 12/27
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 22, 2019, 11:00:01 pm
Official update will be launched mid/end of february.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 22, 2019, 11:35:50 pm
So, other than playing doom, and upgrading to 350Mhz, what else is there to do.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on January 23, 2019, 02:43:42 am
Probably digging into it and finding undocumented stuff. E.g. how have they implemented the protocol decoders. As they are done in the screen buffer it likely means others can be added.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on January 23, 2019, 07:15:26 am
Add a Bode Plot function...  8)

Find out how the "original" licence management works, maybe we can add "own" licences.

If the -fullopt will be closed with the next update...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 23, 2019, 07:35:10 am
It would be interesting to be able to develop new software features for it.  Maybe even fix the bugs.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 23, 2019, 07:36:23 am
If the -fullopt will be closed with the next update...

Then it will be interesting again (for a few hours).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 23, 2019, 07:44:08 am
Probably digging into it and finding undocumented stuff. E.g. how have they implemented the protocol decoders. As they are done in the screen buffer it likely means others can be added.
They are not done in screen buffer. They are decoded mostly in FPGA over whole acquisition buffer.
And as it is, it has more decodes than  R&S 2000 series, Keysight 2000 series,  Lecroy Wavesurfer 3000 series...
They are missing CAN FD from what I can see and decode I could think of as being useful that it doesn't have would be parametric Manchester/NRZ decode.
That would put them in a class with some 10000 USD scopes as far as decoding goes.
One more thing that would be nice would be FRA, it has siggen built in. I think Rigol might even make that one eventually, since everybody else seem to have one..

New Rigol 5000/7000 series is not missing any significant features. And aside it being new and in need of debugging (which they will eventually do and it will be fine), I don't like how they missed opportunity to make new U/I that would be more like Lecroy or R/S, to better utilize screen.  Despite all analog scope nostalgia, new digital scopes are computers, and need to have proper computer U/I to be able to handle vast complexity of its analytic functions they have. For instance, instead of splitting screen for decode function, they slap small window in the middle of the screen with decoded packets. Zoom windows cannot be resized... Stuff like that.  You really need to try to use R/S 2000/3000/4000 to see how much better they use the screen. Even old Keysight 3000 series manages to put more info on 8.5" screen than Rigol on 10".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 23, 2019, 10:16:44 am
If the -fullopt will be closed with the next update...

Then it will be interesting again (for a few hours).

12-18 at most?   You might be able to use the hack that rgwan claimed to have found. ( still nothing to verify ).. I think they did a modification of the binaries, which returns the licence status.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 23, 2019, 11:37:46 am
rgwan claimed a KG. With a KG you don't need to do anything more (regarding future updates). Unless it's not a true KG...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 23, 2019, 10:01:21 pm
New Rigol 5000/7000 series is not missing any significant features. And aside it being new and in need of debugging (which they will eventually do and it will be fine)

I know they do it..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 26, 2019, 12:28:06 pm
Hi all! Long-time reader, first-time poster. When I read the MSO5000 had a trivially-accessible Linux shell, I pulled the trigger and now have a nice MSO5074 on my desk. Thought I would also add something to the hacking community, although it's quite trite.

So, there's an ancient rule on the Internet that whenever something runs Linux and is hacked, it shall be made to run Doom. I noticed that the fine community of MSO5000 hackers has up till now flagrantly disregarded this rule, so I decided to correct that. I present to you: Doom running on a MSO5000 oscilloscope:
https://www.youtube.com/watch?v=m2JOs0Aldq0


If you want to try this yourself (or look at the sources), feel free to take a gander in the Github repo (https://github.com/Spritetm/prboom-mso5k/releases/tag/v1.0). It's more-or-less a straight port of prboom, with some hacks in order to support the weird framebuffer hardware the scope has, and to interface with the front panel.
Aww, you took that slice of cheese from my sandwich :p
I'm surprised that you managed to get a MSO5074 already, they are sold out everywhere; so while I have bits and pieces ready, couldn't do this just yet :( and it's kinda hard without a scope :p

But you are absolutely right; and it runs doom as it should!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 26, 2019, 12:39:41 pm
But you are absolutely right; and it runs doom as it should!

Good frame rate, too.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 26, 2019, 03:18:26 pm
I've mentioned it before but nobody answered: Why does this thing take so long to boot? A whole minute seems ridiculous.

a) Is this time typical of this sort of Xilinx/Linux system or just somebody at Rigol being lazy?
b) Could it be improved?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on January 26, 2019, 04:38:52 pm
I've mentioned it before but nobody answered: Why does this thing take so long to boot? A whole minute seems ridiculous.

a) Is this time typical of this sort of Xilinx/Linux system or just somebody at Rigol being lazy?
b) Could it be improved?
I doubt Rigol have enough knowledge of the OS to be able to optimise boot time, or at least were prioritising the scope functionality
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 26, 2019, 05:13:47 pm
Quote
A whole minute seems ridiculous.

Owner of a lecroy ws-422/4 would be happy if they have only one minute to wait... 8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: filssavi on January 26, 2019, 06:31:01 pm
I've mentioned it before but nobody answered: Why does this thing take so long to boot? A whole minute seems ridiculous.

a) Is this time typical of this sort of Xilinx/Linux system or just somebody at Rigol being lazy?
b) Could it be improved?

A) probably yes
B) of course

The standard yocto/petalinux is quite slow to boot since it is not optimised for boot speed you can cut down the boot time to shell from ~10s  to  ~2 by just turning off delaying dhcp initialization, Ubuntu (so a full blown desktop gui distro) boots in 5/10~ from a typical SSD and it can be optimised further
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 26, 2019, 07:26:33 pm
My 2 cents..
15000 USD Keysight MSOX3104 boots in 58 seconds....

Also why is everybody talking how fast it takes Linux to boot?
Linux is only part of equation. You need comprehensive self test of all other stuff that is in scope (as opposed to just OS boot on a computer), and you need to also load code in FPGA-s and self test that too.

Fast boot time is nice but not an issue... You switch it on, and by the time you grab probes and connect you're there.
If they manage to optimize it later, fine, if not it is not a problem. There are real bugs and usability improvements that need to be addressed first.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bitwelder on January 26, 2019, 10:26:40 pm
I doubt Rigol have enough knowledge of the OS to be able to optimise boot time, or at least were prioritising the scope functionality
Sometimes I wonder if Rigol let the 'hack' leak so that somebody else can improve their scope at no R&D cost.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 26, 2019, 11:48:21 pm
I doubt Rigol have enough knowledge of the OS to be able to optimise boot time, or at least were prioritising the scope functionality
Sometimes I wonder if Rigol let the 'hack' leak so that somebody else can improve their scope at no R&D cost.

If you got the 'scope for $999 then you aren't being ripped off even if you do a little bit of work for Rigol.  :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bud on January 27, 2019, 05:22:20 am
I doubt Rigol have enough knowledge of the OS to be able to optimise boot time, or at least were prioritising the scope functionality
Sometimes I wonder if Rigol let the 'hack' leak so that somebody else can improve their scope at no R&D cost.
The idea of an intended hack or leak is fundamentally stupid. How do you think it is practically implemented? This is a fair size company with directors, top and mid managers, bunch of departments, documentation, legal, development, marketing, etc. I imagine the board of directors in a meeting and Mr.Woo saying why don't we create a hack or leak. You Mr. Boo take care of communicating the hackable instrument strategy to the engineering department and make sure every engineer follows it. You Mr. Noo make sure proper documentation gets build on the hack feature. You Mr. Doo get your sockpuppet team deployed to the major electronics forums to strategically leak information according to the plan Mr.Zoo will create.  And make goddamn sure our hole dont accidentally become patched with the next firmware update. You Mr.Foo is responsible for regression testing to make sure this is not happen.

Is this how hack leaks are operationalized at rigol?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 27, 2019, 09:14:20 am
TEquipment now has over 80 MSO5074 units on order. We are working our best to fulfill orders on a first come, first serve basis. We would suggest placing your pre-order now to get in line, as they will be shipped on a first come, first serve basis.
We currently have the following models in stock if anyone wants something more immediate, please see here: https://www.screencast.com/t/huJDkWJKtIk
If we can help to answer any more detailed questions, please do not hesitate to contact us: salesteam@tequipment.net or direct by phone: 1-877-571-7901

Thank you for all of your patronage and support,

The TEquipment Team

Guessing the 5074 is outselling the other models.  TEquipment could you tell us if Rigol accidentally left their devices very insecure or was it deliberate?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Romain on January 27, 2019, 09:18:50 am
TEquipment now has over 80 MSO5074 units on order. We are working our best to fulfill orders on a first come, first serve basis. We would suggest placing your pre-order now to get in line, as they will be shipped on a first come, first serve basis.
We currently have the following models in stock if anyone wants something more immediate, please see here: https://www.screencast.com/t/huJDkWJKtIk
If we can help to answer any more detailed questions, please do not hesitate to contact us: salesteam@tequipment.net or direct by phone: 1-877-571-7901

Thank you for all of your patronage and support,

The TEquipment Team

Guessing the 5074 is outselling the other models.  TEquipment could you tell us if Rigol accidentally left their devices very insecure or was it deliberate?
Asking the question would satiate our curiosity (if we ever get a response from Rigol) but it may lead them to think that it's not just a bunch of geeks in their garage hacking their scopes anymore...
They may start tackling this if they  consider that it hinders the sales of their more expensive models...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 27, 2019, 11:53:21 am
Guessing the 5074 is outselling the other models.  TEquipment could you tell us if Rigol accidentally left their devices very insecure or was it deliberate?

What do you want? A definitive statement from the head of Rigol?  :-//

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 27, 2019, 12:44:26 pm
People are unhappy that they can buy scope for very little money (compared to what it used to be) that can be hacked to full specs.
And also feel a need to insult people who are making it.....  :-//

There are many wrong statements here used by those unhappy people.

Making a secure scope (OS, device, whatever) takes effort.

If you just take Linux distro and load it to a scope (like they did) it will not be secure. 
So it's not that they are stupid, they are not, and being a rather big company by now, they could have hired ANY security consultant from anywhere in the world if they didn't have a staff on board.

Securing things is expensive and not only once, but whole platform needs to be maintained in different workflow once you go that route.
Also they know that even top notch protection is breakable once there is enough will to spend time on it.

So they make it such that you have some basic licensing mechanism and that's it. Companies will buy legal options (they are exposed to all kinds of auditing, liability and traceability) and hobbyists will buy it for hackability and unlock it. It generates sales. 
It is not that they are stupid, or don't know how to do it. Or they do this as some elaborate plan. They simply didn't want to spend more money to develop something that will generate less sales later.

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.
For a hobbyist no need to think much...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 27, 2019, 01:38:38 pm
If you just take a Linux distro and load it onto a scope (like they did) it will not be secure.

Securing Linux isn't difficult. If it was then half the web servers in the world would be hacked.

So it's not that they are stupid, they are not, and being a rather big company by now, they could have hired ANY security consultant from anywhere in the world if they didn't have staff on board.

Or .... maybe it's deliberate!

They're probably still making $250+ on each one and they're flying off the shelves. Most places have no stock.

If it wasn't hackable then those naughty hackers would probably be buying Siglents instead (the SDS1204X-E is cheaper than a Rigol MSO5072 and is better, a hacked 1104X-E even more so!) so it will be difficult to make a case that the hacking is bad for Rigol. $250 is infinitely better than nothing at all.

PS: Has anybody done a BOM on one of these? Case, screen and knobs is probably $125, PSU $25, PCB $10. How much do those Xilinx and RAM chips cost? Can the thing be built for $300?

Securing things is expensive and not only once, but the whole platform needs to be maintained in a different workflow once you go that route.
Also they know that even top notch protection is breakable once there is enough will to spend time on it.

They don't have to make it 100% secure, they just have to make it so you have to at least open it up and solder JTAG wires to the PCB to reprogram it (or whatever). That would reduce hacking massively and could probably be done with a couple of mornings' work.

Problem? Hackers would buy easily-hackable Siglents instead.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: voltsandjolts on January 27, 2019, 01:43:55 pm
Securing Linux isn't difficult. If it was then half the web servers in the world would be hacked.

That's not a valid comparison.
With the scope you have full fw binary and hardware access.
In comparison, securing a remote web server is a walk in the park.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: supercilious on January 27, 2019, 01:46:06 pm
Securing Linux isn't difficult. If it was then half the web servers in the world would be hacked.
Securing Linux (or anything) against physical access to the machine is HARD - to the point of being damn near impossible.

The best one can hope for is that the "cost" of hacking it is high enough that it's not worth doing.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on January 27, 2019, 02:19:17 pm
Physical access is literally impossible to secure against, as if you deal with any external device or interface, you expose yourself, and all it takes is 1 corner case the designers didn't think of out of millions of possible attacks, and they are in. Even if they are still trapped in userland, once they're in, they have a wider attack surface and can keep driving the wedge forward.

E.g. a router I just got from a certain ISP will default into the root account of the UI if you give it a username of Unicode zero-width spaces. It's not null, and it's not ASCII whitespace, but later it gets stripped back to be an empty string, so it ends up getting into a part of the code that it wasn't meant to and I get access to more than I should.
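The validate-then-strip ordering described in the post above, next to a corrected ordering, as an added example that is not part of the original post and is not the router's code. The account table, the default-role fallback and all function names are assumptions made up for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Constructed account table and fallback; both are assumptions for the demo.
var accounts = map[string]string{"alice": "user"}

const defaultRole = "root" // role a careless lookup hands out for an empty name

var errRejected = errors.New("login rejected")

// canonical removes Unicode format characters (category Cf, which contains
// U+200B ZERO WIDTH SPACE) and then trims ordinary whitespace.
func canonical(name string) string {
	visible := strings.Map(func(r rune) rune {
		if unicode.Is(unicode.Cf, r) {
			return -1 // a negative value drops the rune
		}
		return r
	}, name)
	return strings.TrimSpace(visible)
}

// loginFlawed checks the raw input and cleans it up afterwards, so the value
// that was validated is not the value that reaches the lookup.
func loginFlawed(name string) (string, error) {
	if strings.TrimSpace(name) == "" { // U+200B is not whitespace, so this passes
		return "", errRejected
	}
	key := canonical(name) // too late: the key may now be empty
	if key == "" {
		return defaultRole, nil // empty key falls through to the default account
	}
	if role, ok := accounts[key]; ok {
		return role, nil
	}
	return "", errRejected
}

// loginFixed canonicalizes first, validates the canonical form, refuses input
// that needed repair, and has no default account to fall back to.
func loginFixed(name string) (string, error) {
	key := canonical(name)
	if key == "" || key != name {
		return "", errRejected
	}
	role, ok := accounts[key]
	if !ok {
		return "", errRejected
	}
	return role, nil
}

func main() {
	// Constructed inputs: a normal name, ASCII spaces, two zero-width spaces.
	for _, in := range []string{"alice", "   ", "\u200b\u200b"} {
		r1, e1 := loginFlawed(in)
		r2, e2 := loginFixed(in)
		fmt.Printf("%q flawed=(%q, %v) fixed=(%q, %v)\n", in, r1, e1, r2, e2)
	}
}
```
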
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on January 27, 2019, 02:29:58 pm
That is the old adage in the security business. There is no security without physical security. Once you have access to the physical box ....

What I want to say is that this whole "why is it hackable" is overthought.
It is expensive to secure it and it would mean loss of sales. So they don't.

I spoke with people from big T&M manufacturers. They admit they sell mostly low end models with not many options. Also they make money on high end devices, maintenance contracts and such.
These companies are run by classic western businessmen, who only look at profit margins. They could release basic software options for free and have minimum negative impact on option sales and probably increased sale of units, because they would be better value. But it is against their "religion".

Chinese seem to grasp this a bit better. Those who can and need to buy will buy options. Others will either buy nothing or buy cheapest version if they can unlock it.
And it might be that MSO5000 is not much more expensive to make than DS1000Z, and it's triple the price.
And they are happy with that profit margin.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 27, 2019, 08:27:38 pm
They don't have to make it 100% secure, they just have to make it so you have to at least open it up and solder JTAG wires to the PCB to reprogram it (or whatever). That would reduce hacking massively and could probably be done with a couple of mornings' work.

Fungus, this is also not a definitive solution.

After the hack being discovered with a JTAG access, etc, etc, a patch could be done so that people can easily install it without requiring JTAG accesses, or a keygen ;)  could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 27, 2019, 10:32:28 pm
Fungus, this is also not a definitive solution.

After the hack being discovered with a JTAG access, etc, etc, a patch could be done so that people can easily install it without requiring JTAG accesses, or a keygen ;)  could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

They could start shipping them with a firmware that will only install signed firmware updates. That would prevent users from simply loading a modified firmware (at least for the first time).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 27, 2019, 10:47:07 pm
Fungus, this is also not a definitive solution.

After the hack being discovered with a JTAG access, etc, etc, a patch could be done so that people can easily install it without requiring JTAG accesses, or a keygen ;)  could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

They could start shipping them with a firmware that will only install signed firmware updates. That would prevent users from simply loading a modified firmware (at least for the first time).

I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

But let’s see what happens next.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 28, 2019, 02:22:49 am
I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sprite_tm on January 28, 2019, 01:05:55 pm

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

To be fair, in theory root-of-trust and signed firmware should indeed stop all software-based attacks from happening when implemented 100% correctly, so you're right there. On the other hand, in practice it never seems to be implemented 100% well: there's data loaded from unsecured sources (e.g. the user partition) using insecure parsers, network connectivity is implemented badly, there's a bug in partition checking code, you name it. I'll not go into the personal-attack-y bits of the conversation between you two, but I can imagine getting everything so locked up that it's impossible to get persistent-root may require more engineering power than is wise to spend on Rigol's side.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 28, 2019, 01:21:32 pm
I can imagine getting everything so locked up that it's impossible to get persistent-root may require more engineering power than is wise to spend on Rigol's side.

Sure, my point was only that it's a lot less difficult to require people to at least open up the case and solder wires to the board if they want to hack it, thus voiding the warranty (or at least creating fear of loss of warranty, depending on local laws).

Checking the digital signature of an update file before installing it isn't difficult. Disabling the command shell access on the Ethernet port isn't difficult either.

Just those two things would reduce hacking by a significant amount.

(and increase Siglent sales proportionally)


nb. I didn't say "prevent" hacking.
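An example of the update-file signature check discussed in the two posts above, added here as an illustration; it is not code from any post or from Rigol's firmware. The package layout, the use of Ed25519, the version rule and every name are assumptions. The signature covers the header as well as the payload and is verified before any field is interpreted, which is the property Sprite_tm notes is usually lost when data is read from outside the signed region.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update format (an assumption, not a vendor format):
//   "FWUP" | version uint32 BE | payload length uint32 BE | payload | 64-byte signature
// The signature covers every byte that precedes it.
const headerLen = 12

var magic = []byte("FWUP")

var (
	ErrFormat    = errors.New("malformed update package")
	ErrSignature = errors.New("signature check failed")
	ErrRollback  = errors.New("version not newer than installed version")
)

// demoKeys derives a fixed key pair from a constructed seed so the example is
// reproducible. A real signing key never leaves the vendor's build system.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// buildPackage is the vendor side: header and payload are signed together.
func buildPackage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(buf, magic)
	binary.BigEndian.PutUint32(buf[4:8], version)
	binary.BigEndian.PutUint32(buf[8:12], uint32(len(payload)))
	buf = append(buf, payload...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// verifyPackage is the device side. It returns the payload only when every
// check passes; the device holds the public key only.
func verifyPackage(pub ed25519.PublicKey, installed uint32, pkg []byte) ([]byte, error) {
	if len(pkg) < headerLen+ed25519.SignatureSize {
		return nil, ErrFormat
	}
	signed := pkg[:len(pkg)-ed25519.SignatureSize]
	sig := pkg[len(pkg)-ed25519.SignatureSize:]

	// 1. Authenticate first: no header field is interpreted before this passes.
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrSignature
	}
	// 2. Parse the header, which is now known to come from the key holder.
	if !bytes.Equal(signed[:4], magic) {
		return nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(signed[4:8])
	length := binary.BigEndian.Uint32(signed[8:12])
	if uint64(length) != uint64(len(signed)-headerLen) {
		return nil, ErrFormat
	}
	// 3. Refuse to install a genuine but older image.
	if version <= installed {
		return nil, ErrRollback
	}
	return signed[headerLen:], nil
}

func main() {
	pub, priv := demoKeys()
	pkg := buildPackage(priv, 5, []byte("constructed firmware image"))

	_, err := verifyPackage(pub, 4, pkg)
	fmt.Println("genuine package:", err)

	pkg[headerLen] ^= 0x01 // change one payload byte
	_, err = verifyPackage(pub, 4, pkg)
	fmt.Println("modified package:", err)
}
```
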
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on January 28, 2019, 03:18:44 pm
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 28, 2019, 06:38:04 pm
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

Actually I think the opposite. Understanding the rationale behind why they have taken a particular approach is critical to being able to keep ahead of them. Knowing how your opponent thinks and behaves is critical in a war. 90%+ of 'hacking' is possible because humans have taken a particular course of action.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Romain on January 28, 2019, 06:55:21 pm
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

Actually I think the opposite. Understanding the rationale behind why they have taken a particular approach is critical to being able to keep ahead of them. Knowing how your opponent thinks and behaves is critical in a war. 90%+ of 'hacking' is possible because humans have taken a particular course of action.
"Your opponent"? Are you serious??
Rigol is actually on *our* side by not putting the effort into securing their scopes (and yes it is INTENTIONAL, whether it is by lack of care, or to voluntarily help the community. We will never know for sure, but it makes no difference anyway).
As many pointed out, it is not hard to put a first level of dissuasion...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 28, 2019, 06:58:11 pm
Rigol is actually on *our* side by not putting the effort into securing their scopes (and yes it is INTENTIONAL, whether it is by lack of care, or to voluntarily help the community. We will never know for sure, but it makes no difference anyway).

I agree. It's completely intentional, and not by "lack of care".

There is no "battle", it's just a puzzle for us to figure out how to do it.

(while keeping up the pretense of us being naughty people so they can still sell at full price to big companies, etc.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on January 28, 2019, 07:00:11 pm
Quote
"Your opponent"? Are you serious??

The original quote was

Quote
Knowing how your opponent thinks and behaves is critical in a war.

I did not say Rigol was my opponent, however I'm sorry if you read it that way. It was more a figure of speech. The point I was trying to make is that in many cases security measures are 'got around' by understanding both technical and non-technical aspects of the person/company/organisation that implemented them. Understanding why Rigol has chosen to take a certain path is as important as knowing what they did.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 28, 2019, 11:20:32 pm
I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

It wouldn’t be appropriate to discuss that here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on January 29, 2019, 05:07:30 pm
While we're waiting for Rigol to release a firmware update I stitched together some xray images of the keyboard and main board. Better than the previous ones, I tweaked a few settings. Large images, you can zoom in quite a way...

keyboard
https://www.dropbox.com/s/tjjrnx9i91khw7n/rigol%20kb.png?dl=0

Main board
https://www.dropbox.com/s/asoofgz8equzzc1/rigol%20mb.png?dl=0

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: voltsandjolts on January 31, 2019, 05:28:24 pm

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

To be fair, in theory root-of-trust and signed firmware should indeed stop all software-based attacks from happening when implemented 100% correctly, so you're right there. On the other hand, in practice it never seems to be implemented 100% well: there's data loaded from unsecured sources (e.g. the user partition) using insecure parsers, network connectivity is implemented badly, there's a bug in partition checking code, you name it. I'll not go into the personal-attack-y bits of the conversation between you two, but I can imagine getting everything so locked up that it's impossible to get persistent-root may require more engineering power than is wise to spend on Rigol's side.

Sprite is right.
If the Microsoft budget couldn't prevent the XBox being hacked, what hope have Rigol of securing a scope.
https://arstechnica.com/gaming/2007/03/8954/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 31, 2019, 06:11:23 pm
If the Microsoft budget couldn't prevent the XBox being hacked...

a) The Xbox hacker's budget was proportionally higher, too.  :popcorn:
b) The Xbox was designed to load and execute 3rd party software.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 31, 2019, 10:02:33 pm
Guessing the 5074 is outselling the other models.  TEquipment could you tell us if Rigol accidentally left their devices very insecure or was it deliberate?

What do you want? A definitive statement from the head of Rigol?  :-//

I´d just ask them, together with other questions.
These questions were answered, the "special one" was ignored.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JohnT on February 01, 2019, 12:08:11 am
Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?
>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on February 01, 2019, 12:28:29 am
Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?
>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

It's entirely possible it's broken later. Don't buy it NOW for a guarantee you can keep it hacked once the larger bugs are worked out.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 01, 2019, 01:00:43 am
Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?

99.999% yes. "Hackability" is a Rigol sales technique and has been for many years. They've never made the slightest effort to prevent it..

>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

What you do is wait a few hours  for somebody to patch the new firmware so it won't lock up your 'scope.

But it's not going to happen. If Rigol ever does that their sales will die off overnight.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JohnT on February 01, 2019, 01:25:25 am
Fungus, I like your optimism and outlook but $1000 is a lot of money for me to not be certain. I am a little concerned that Rigol are displeased with all the goings on as they attempted a fix by updating the password recently. I was hoping that the username/password would remain unchanged on a given scope regardless of later firmware updates but that seems not to be the case based on Maginnovision's inputs. Another concern is denial of being able to roll back the firmware to an older version should a newer firmware prove a pain to hack. I guess all bets are off when you tinker.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on February 01, 2019, 02:15:50 am
If you are worried about an update, just don't update it until the collective borg has dealt to it. Seriously, it's only going to be a matter of a few days at worst.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: The Doktor on February 01, 2019, 02:53:04 am
Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?

99.999% yes. "Hackability" is a Rigol sales technique and has been for many years. They've never made the slightest effort to prevent it..



They stopped the hack on 1 of their spectrum analyzers a while back.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JohnT on February 01, 2019, 03:21:23 am
If you are worried about an update, just don't update it until the collective borg has dealt to it. Seriously, it's only going to be a matter of a few days at worst.
So true. I was feeling a little rushed to buy a potentially buggy (manufacturing maturity, hardware and software) product that I believe was released only two months ago. I think now I'll be waiting on this purchase to see how its hackability evolves over time. 'The Doktor' just commented that they stopped a hack on a spectrum analyzer a while back, so I may be taking a gamble waiting.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: The Doktor on February 01, 2019, 03:54:51 am
There was still a hack for the SA after they patched it, but instead of a keygen you had to actually open the box and modify the hardware. It was cut a lead on some chip, or maybe ground a lead?  Doing this caused the trial timer for the extra features to reset when the SA was turned off. So you still got the features, but more work/risk.

Ed
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on February 01, 2019, 09:05:21 am
I am a little concerned that Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.
The firmware with the new password is rather old and has been released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on February 01, 2019, 09:46:14 am
Would you return to the actual topic? Make up a separate thread for this, there you can discuss it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 01, 2019, 09:47:29 am
The firmware with the new password is rather old and has been released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.

For this model, it will be hackable. Confidence greater than "six nines".

They stopped the hack on 1 of their spectrum analyzers a while back.

They did? Which one?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 01, 2019, 10:13:17 am
Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.

a) You don't know why they did that.

It might simply have been to protect against all the botnets out there that are busy sending "root"/"root" to every single IP address on the internet.

It would have been just as easy (and much more sensible from a security point of view) for them to disable shell access altogether.

All you do is change one line in a text file and no more shell access. Google it.

b) What are the chances of somebody at Rigol thinking, "You know, we're selling too many of these oscilloscopes to hackers. I think we should give our friends at Siglent a chance to sell to them instead..."

and,

C) What else are you going to buy for $1000? Have you made a list? How long is it, and how do the devices on it compare to a hacked MSO5000?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on February 01, 2019, 01:10:06 pm
The firmware with the new password is rather old and has been released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.

For this model, it will be hackable. Confidence greater than "six nines".

They stopped the hack on 1 of their spectrum analyzers a while back.

They did? Which one?
The DSA815
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 01, 2019, 01:39:53 pm
They did? Which one?
The DSA815

So ... if they know hacks happen then why aren't they at war with the hackers? Why was the DS1054Z left open even though it had 11 firmware updates?

The only answer to that is that there is no "war". It's deliberate policy to have some devices hackable and some not (eg. The DS1054Z is hackable, the DS1054Z with signal generator isn't).

I don't know much about the DSA815 or why they might change it but locking up the MSO5000 would be suicide, it isn't competitive with the lower priced SDS1204E-X!

The only way the MSO5000 can sell is if it's hackable (and pressure from other vendors will only increase!)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JohnT on February 01, 2019, 03:54:52 pm
Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.

a) You don't know why they did that.

It might simply have been to protect against all the botnets out there that are busy sending "root"/"root" to every single IP address on the internet.

It would have been just as easy (and much more sensible from a security point of view) for them to disable shell access altogether.

All you do is change one line in a text file and no more shell access. Google it.

b) What are the chances of somebody at Rigol thinking, "You know, we're selling too many of these oscilloscopes to hackers. I think we should give our friends at Siglent a chance to sell to them instead..."

and,

C) What else are you going to buy for $1000? Have you made a list? How long is it, and how do the devices on it compare to a hacked MSO5000?
All sound points that contradict my knee jerk assumptions. The MSO5000 series has that hobbyist feel to it; support for only passive probes, no 50ohm termination, all in one functionality, 0.1 inch spacing header digital signal access and hardware changes to reduce cost (ex. crapped-on capacitors...). I suspect that sales for their top end versions of this series will stagnate in industry as the pricing just isn't competitive, but provided the workarounds remain, the low-end versions of the scopes are going to be flying off the shelves.  Rigol is going to foster brand recognition in a new generation of soon to be professionals, so staying the course makes sound business sense. Regarding point C, the MSO5000 is at the top of the list by a long shot, I've wanted a scope like this for many years.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ur63 on February 01, 2019, 04:48:47 pm
People are unhappy that they can buy a scope for very little money (compared to what it used to be) that can be hacked to full specs.

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.
.

Would you have any link or reference where to get the MSO5074 including the PLA2216 Logic Probe for € 1190.- ?

Thanks in advance
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 01, 2019, 04:51:48 pm
Hi,

Quote
Option bundle for RTB2000 costs € 1,190.- net (no VAT).

 ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ur63 on February 01, 2019, 05:06:14 pm
Quote

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.
.

Hi, see above...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 01, 2019, 05:12:45 pm
Quote

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.
.

Hi, see above...

this thread is already trashed with OT nonsense now so no harm me adding some more...

Batterfly 1198 Euro (no VAT) for both items. If you wait then sometimes they have a 10% off everything offer
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 09:59:46 am
So let's get back on track :)

We've been digging around the scope and the software, and found that next to the Zynq (Artix-7) FPGA, Spartan-6 FPGA and ASIC FPGA (for the keyboard) there seem to be 2 more programmable devices, a CPLD and a Kintex 7.

The Spartan 6 has an eeprom with a very basic and simple bin (stripped bit more or less) in it. My educated guess is that the spartan stems from the DS1000Z design and 'controls' the frontend (Voltage Scale, timebase etc etc) through simple commands. The eeprom serves two purposes, to store the bitstream and to store the settings, so that when you boot up the scope, it can go into the mode it was in before. Sadly I do not have the scope myself (yet, it's sold out everywhere for the 4chan unit) so haven't confirmed this. There seems to go a bus between the eeprom .

The Spartan-6 has about 4 wires going to the Zynq (spi-ish bus?), 4 to the eeprom on different pins and some 4 wire bus to the TOP BIG heatsinked chips.

Furthermore we found that the Zynq has a big wide 8 bits differential bus between the TOP BIG heatsinked chip and itself. So that's probably their main high-speed data path.

Now, the software seems to have 4 tools related to these parts: spi2*, where spi2k7 is the 'upload' tool for 2 FPGAs it seems. Looking at that tool there seems to be a new spidev IOCTL which appears to switch between 'chip 0 and chip 1', whatever that may be. The bitstream gets uploaded to chip1, but chip 0 serves as sort of arbitrator. spi2cpld seems to interact only with chip 0. Not sure yet what this tool can do other than poke and change registers.

So Rigol seems to have added a chipselect through a new IOCTL because ... of reasons. My educated guess is, they did not have enough general purpose GPIO pins, and used some of the Zynq pins. Rather than to convert those to general purpose IO pins and connect them to Linux, they manually hacked around a bit in the spidev driver. Very sad, but that's how it seems to be. More on that later I guess :)

Anyway, all pictures do not show any of this information due to the big heatsinks.

We do know that we have 4 rigol front end 'controllers' but those are fully analog chips. Those 4 differential analog traces go into the LOWER BIG chip, which we all expect to be the adc. From the ADC, we see balanced traces going to the TOP chip. Those are probably digital signals.

The going theory for now is that their 'acquisition' chip does not exist (yet) and actually is a Kintex-7 FPGA, which takes those ADC signals, and puts them on a high-speed 8 bits datapath to the Zynq. But where is this CPLD then? Is the spartan the CPLD and have they named it as such as it has a dedicated eeprom and should be treated as such? Or do we have more chips under those heatsinks.

So to anyone listening, especially who have a broken scope already (or are experts at removing and re-adding those big phat heatsinks); anybody out there that can remove those heatsinks (under their own accord, nobody here will be responsible of course) and take some high-res photos of what's underneath?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 02, 2019, 10:49:04 am
If people are taking them apart then another thing to look for is the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 02, 2019, 11:23:15 am
Rigol chipset consists of 3 chips:
"the Analog Front End Chip (named Beta Phoenicis) will allow for front end bandwidth of 4GHz with highly integrated capability allowing for simplified and highly reliable front end design.
The Signal Processing Chip (named Ankaa) supports 10GSa/s sampling with bandwidth up to 6GHz.
Also there is the Probe Amplifier Chip (named Gamma Phoenicis) will support a 6GHz Active Differential probe. "

for 5000:
The core of RIGOL's UltraVision II architecture is its Phoenix chip-set. Two custom ASICs provide analog front end and signal processing performance. These chips are surrounded by a high performance hardware design including Xilinx Zynq-7000 SoC, Dual Core ARM-9 Processors, a Linux + Qt Operating System, High Speed DDR System Memory and QDRII Display memory.

Signal Processing Chip (named Ankaa) is A/D and first level of DSP. It connects to FPGA that has Ultravision II architecture implemented in it.
Unlike Keysight, they separated first level A/D and waveform engine. That approach is more modular, is more flexible and makes it easy to modify and grow. That is also how it is easy for them to add huge memory and such.

They will also have a handful of smaller support chips..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 12:25:54 pm
I've attached pictures of what is visible from the side of the 2 big heatsinks. That adhesive is really strong, there's no way I'm going to risk trying to break those heatsinks off...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 02, 2019, 01:57:42 pm
If people are taking them apart then another thing to look for is the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.

Here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 02:10:00 pm
LED backlight voltage is a standard 3 x 3.3v LED string so 9.9v - it's not modulated in any way.

Datasheets seem to indicate 10.2v max is allowed (with reduced life) but it's already plenty bright enough for me anyway.

But young kids do seem to like their phone screens set to 'stun/blind' brightness these days...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 02:14:17 pm
This is the backlight panel. I guess you could replace it with something a bit more 'exciting' if it bothered you at all...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 02:33:25 pm
If people are taking them apart then another thing to look for is the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.

I'll update the wiki with pics and text about the display. So far, we know it's a 4 bit + 1 clock differentially driven display, so very likely a MIPI display. The numbers didn't yield any results so far. Signal traces look very simple.

As for the brightness/backlight, so far I haven't seen whether it's driven via a pin of the SoC, or the 'always on' kind :(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 02:35:06 pm
I wonder if we could find an OLED that's the right size >: )
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 02:39:06 pm
Rigol chipset consists of 3 chips:
"the Analog Front End Chip (named Beta Phoenicis) will allow for front end bandwidth of 4GHz with highly integrated capability allowing for simplified and highly reliable front end design.
The Signal Processing Chip (named Ankaa) supports 10GSa/s sampling with bandwidth up to 6GHz.
Also there is the Probe Amplifier Chip (named Gamma Phoenicis) will support a 6GHz Active Differential probe. "

for 5000:
The core of RIGOL's UltraVision II architecture is its Phoenix chip-set. Two custom ASICs provide analog front end and signal processing performance. These chips are surrounded by a high performance hardware design including Xilinx Zynq-7000 SoC, Dual Core ARM-9 Processors, a Linux + Qt Operating System, High Speed DDR System Memory and QDRII Display memory.

Signal Processing Chip (named Ankaa) is A/D and first level of DSP. It connects to FPGA that has Ultravision II architecture implemented in it.
Unlike Keysight, they separated first level A/D and waveform engine. That approach is more modular, is more flexible and makes it easy to modify and grow. That is also how it is easy for them to add huge memory and such.

They will also have a handful of smaller support chips..
Thanks, but that's mostly the marketing speak :)

Here's the wiki page with all the chips: https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown

Missing is indeed, the 4x analog frontends; so that would map to Beta Phoenicis chip?

We then have the first BOTTOM BIG heatsinked chip. This is the ADC. So what's that, is that Ankaa? Is that a standard ADC? The TOP BIG heatsinked chip is very likely a Kintex-7; not something Rigol designed. Unless they put an FPGA in there of course.
Finally, again, the Spartan-6 is probably their 'ultravision' platform if anything...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 02:39:30 pm
I wonder if we could find an OLED that's the right size >: )

Well the touchscreen is a separate item so it's just the display needs replacing
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 02:47:07 pm
The TOP BIG heatsinked chip is very likely a Kintex-7; Not something rigol designed. Unless they put an FPGA in there of course.

The kintex7 packaging documentation shows something that looks very much like the photos I posted earlier...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 02, 2019, 03:01:50 pm
The kintex7 packaging documentation shows something that looks very much like the photos I posted earlier...

So, 2 Kintex?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 02, 2019, 03:31:49 pm
Missing is indeed, the 4x analog frontends; so that would map to Beta Phoenicis chip?
Yes.

We then have the first BOTTOM BIG heatsinked chip. This is the ADC. So what's that, is that Ankaa? Is that a standard ADC?
No, it is not standard A/D. It is Rigol designed ADC with first level of signal processing that is tailored for scopes, as opposed to general purpose ADC.

Rest of chips are different from DS7000 which revolves around Zynq-7000
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 07:21:42 pm
I've attached pictures of what is visible from the side of the 2 big heatsinks. That adhesive is really strong, there's no way I'm going to risk trying to break those heatsinks off...
Haha, you've done more than enough already!! :) But if someone gets his hands on a broken one ... send it to TopLoser, I'm sure he'll <dave voice> take it apart</dave voice> and take nice PCB X-rays :D

As for the photos. The analog part looks like a single chip, probably the ADC as we all expect.
The Kintex-7 probably looks like this (http://ww1.prweb.com/prfiles/2014/05/27/11886156/xem7350-720x648.jpg) is my guess :)
You mentioned a few times that you saw several parts, so this kinda confirms it, it's the main die (naked) with some resistor networks etc next to it.

The kintex7 packaging documentation shows something that looks very much like the photos I posted earlier...
I should have looked at that (and at the picture before)... busy mind busy mind :(

So I think we more or less 'confirmed' that it is indeed a Kintex-7. And until someone proves us wrong (by the only means possible, a heatsinkless photo), that's how it is :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 07:25:45 pm
Missing is indeed, the 4x analog frontends; so that would map to Beta Phoenicis chip?
Yes.

We then have the first BOTTOM BIG heatsinked chip. This is the ADC. So what's that, is that Ankaa? Is that a standard ADC?
No, it is not standard A/D. It is Rigol designed ADC with first level of signal processing that is tailored for scopes, as opposed to general purpose ADC.

Rest of chips are different from DS7000 which revolves around Zynq-7000

While I'm not familiar with the DS7000; so this confirms my suspicion at least, that the scope is a whole bunch of FPGAs :) but credit where credit is due; they did do their own analog front end chip + ADC chip. The rest is all FPGA work.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 07:26:48 pm
The kintex7 packaging documentation shows something that looks very much like the photos I posted earlier...

So, 2 Kintex?
No, one Kintex-7, one Artix-7 (in the Zynq-7015), one Spartan-6 and one tiny ASIC for the keyboard.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 02, 2019, 07:36:49 pm
The kintex 7 K160 seems to have different neighborhood than what is shown in Toploser's pictures.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 02, 2019, 07:42:09 pm
I think it’s available in hundreds of possible packaging options with different sets of pins bonded out.

Your picture shows a different layout to the picture oliv3r posted.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 02, 2019, 10:48:14 pm
The kintex 7 K160 seems to have different neighborhood than what is shown in Toploser's pictures.
That's the one, looks identical, just 90-ish degrees rotated.

You can see those two capacitor networks very nicely in TopLoser's pictures. I did just google a random Kintex-7 of course. No clue which exact model it is. There are a few with a heatspreader on top as well ...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on February 03, 2019, 11:37:46 am
Has anybody figured or worked around the new mso5k wfm file format?

so far,
A short header followed by 53 fairly short zflated blocks, separated by varying junk.
Then a huge blank of around ~5,000,000 x'00s
Then an assortment of ~17,000,000 x'c7 or x'c8 or x'c9 (with some interludes). Maybe data per chan.

datafile as binary: 17Mb
datafile as wfm : 22 Mb
datafile as csv: 278Mb, 17,420,000 lines, CH2 only

here is the list of inflated data with *obvious* strings:

Code: [Select]
zlib @002c:

00000000: 0000 0000 0001 0000 0000 001e 0000 0024  ...............$
00000010: 0b00 0000 5200 4900 4700 4f00 4c00 2000  ....R.I.G.O.L. .
00000020: 5300 6300 6f00 7000 6500 241a 0000 003a  S.c.o.p.e.$....:
00000030: 002f 0070 0069 0063 0074 0075 0072 0065  ./.p.i.c.t.u.r.e
00000040: 0073 002f 0075 0074 0069 006c 0069 0074  .s./.u.t.i.l.i.t
00000050: 0079 002f 0073 0063 0072 002e 006a 0070  .y./.s.c.r...j.p
00000060: 0067 0001 0000 00                        .g.....

zlib @00a8:

00000000: 00a0 8601 0000 0000 0000 0000 0000 0100  ................
00000010: 0000 0000 0000 0000 0000 0000 0000 0003  ................
00000020: 0000 0024 0300 0000 4300 4800 3400 0006  ...$....C.H.4...
00000030: 0000 0000 0000 0000 0000 00              ...........

zlib @00e4:

00000000: 00a0 8601 0000 0000 0000 0000 0000 0100  ................
00000010: 0000 0000 0000 0000 0000 0000 0000 0003  ................
00000020: 0000 0024 0300 0000 4300 4800 3300 0006  ...$....C.H.3...
00000030: 0000 0000 0000 0000 0000 00              ...........


zlib @0120:

00000000: 0140 420f 0040 2bfe ff00 0000 0000 0100  .@B..@+.........
00000010: 0000 0000 0000 0000 0000 0000 0000 0003  ................
00000020: 0000 0024 0300 0000 4300 4800 3200 0006  ...$....C.H.2...
00000030: 0000 0000 0000 0000 0000 00              ...........

zlib @015c:
00000000: 0088 1300 00d8 2700 0000 0000 0000 0100  ......'.........
00000010: 0000 0000 0000 0000 0000 0000 0000 0003  ................
00000020: 0000 0024 0300 0000 4300 4800 3100 0006  ...$....C.H.1...
00000030: 0000 0000 0000 0000 0000 0000 0000 00    ...............

zlib @0198:
00000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000010: 0000 0000 00f0 ff1f 0000 0000 0001 0000  ................
00000020: 00c0 5c15 00c0 5c15 0001 0000 0000 0000  ..\...\.........
00000030: 0000 0005 0000 0000 0000 0024 0200 0000  ...........$....
00000040: 4400 3000 0100 0000 2402 0000 0044 0031  D.0.....$....D.1
00000050: 0002 0000 0024 0200 0000 4400 3200 0300  .....$....D.2...
00000060: 0000 2402 0000 0044 0033 0004 0000 0024  ..$....D.3.....$
00000070: 0200 0000 4400 3400 0500 0000 2402 0000  ....D.4.....$...
00000080: 0044 0035 0006 0000 0024 0200 0000 4400  .D.5.....$....D.
00000090: 3600 0700 0000 2402 0000 0044 0037 0008  6.....$....D.7..
000000a0: 0000 0024 0200 0000 4400 3800 0900 0000  ...$....D.8.....
000000b0: 2402 0000 0044 0039 000a 0000 0024 0300  $....D.9.....$..
000000c0: 0000 4400 3100 3000 0b00 0000 2403 0000  ..D.1.0.....$...
000000d0: 0044 0031 0031 000c 0000 0024 0300 0000  .D.1.1.....$....
000000e0: 4400 3100 3200 0d00 0000 2403 0000 0044  D.1.2.....$....D
000000f0: 0031 0033 000e 0000 0024 0300 0000 4400  .1.3.....$....D.
00000100: 3100 3400 0f00 0000 2403 0000 0044 0031  1.4.....$....D.1
00000110: 0035 0000 0000 0001 0000 0002 0000 00    .5.............

zlib @0270:
00000000: 0800 0000 8013 8119 0000 0000 2403 0000  ............$...
00000010: 0041 0044 0044 0000 0202 0202 0270 a28d  .A.D.D.......p..
00000020: 0a00 0000 0000 1827 fa04 0000 0000 e40b  .......'........
00000030: 5402 0000 0000 0000 0000 0000 0000 10a5  T...............
00000040: d4e8 0000 0000 d098 d4af 7100 0000 a031  ..........q....1
00000050: a95f e300 0000 0057 d347 0100 0000 00d2  ._.....W.G......
00000060: 496b 0000 0000 0005 0000 0000 0000 0005  Ik..............
00000070: 0000 0001 0102 0101 0000 0000 0000 0000  ................
00000080: 0000 0000 0103 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000       ..............

zlib @02ec:

00000000: 0000 0000 0000 0000 0000 0000 2403 0000  ............$...
00000010: 0041 0044 0044 0000 0202 0202 0200 65cd  .A.D.D........e.
00000020: 1d00 0000 0000 9435 7700 0000 0000 e40b  .......5w.......
00000030: 5402 0000 0000 0000 0000 0000 0000 10a5  T...............
00000040: d4e8 0000 0000 5039 278c 0400 0000 a072  ......P9'......r
00000050: 4e18 0900 0000 0057 d347 0100 0000 00d2  N......W.G......
00000060: 496b 0000 0000 0005 0000 0000 0000 0005  Ik..............
00000070: 0000 0001 0102 0101 0000 0000 0000 0000  ................
00000080: 0000 0000 0103 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000       ..............

zlib @0358:
00000000: 0000 0000 0000 0000 0000 0000 2403 0000  ............$...
00000010: 0041 0044 0044 0000 0202 0202 0200 65cd  .A.D.D........e.
00000020: 1d00 0000 0000 9435 7700 0000 0000 e40b  .......5w.......
00000030: 5402 0000 0000 0000 0000 0000 0000 10a5  T...............
00000040: d4e8 0000 0000 5039 278c 0400 0000 a072  ......P9'......r
00000050: 4e18 0900 0000 0057 d347 0100 0000 00d2  N......W.G......
00000060: 496b 0000 0000 0005 0000 0000 0000 0005  Ik..............
00000070: 0000 0001 0102 0101 0000 0000 0000 0000  ................
00000080: 0000 0000 0103 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000       ..............

zlib @03c4:

00000000: 0000 0000 0000 0000 0000 0000 2403 0000  ............$...
00000010: 0041 0044 0044 0000 0202 0202 0200 65cd  .A.D.D........e.
00000020: 1d00 0000 0000 9435 7700 0000 0000 e40b  .......5w.......
00000030: 5402 0000 0000 0000 0000 0000 0000 10a5  T...............
00000040: d4e8 0000 0000 5039 278c 0400 0000 a072  ......P9'......r
00000050: 4e18 0900 0000 0057 d347 0100 0000 00d2  N......W.G......
00000060: 496b 0000 0000 0005 0000 0000 0000 0005  Ik..............
00000070: 0000 0001 0102 0101 0000 0000 0000 0000  ................
00000080: 0000 0000 0103 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000       ..............

zlib @049c:
00000000: 0000 0000 0000 0000 0000 0004 0000 0024  ...............$
00000010: 0400 0000 5200 4500 4600 3100 0000 0000  ....R.E.F.1.....
00000020: 0300 0000 2404 0000 0052 0045 0046 0032  ....$....R.E.F.2
00000030: 0000 0000 0002 0000 0024 0400 0000 5200  .........$....R.
00000040: 4500 4600 3300 0000 0000 0100 0000 2404  E.F.3.........$.
00000050: 0000 0052 0045 0046 0034 0000 0000 0000  ...R.E.F.4......
00000060: 0000 0024 0400 0000 5200 4500 4600 3500  ...$....R.E.F.5.
00000070: 0000 0000 0400 0000 2404 0000 0052 0045  ........$....R.E
00000080: 0046 0036 0000 0000 0003 0000 0024 0400  .F.6.........$..
00000090: 0000 5200 4500 4600 3700 0000 0000 0200  ..R.E.F.7.......
000000a0: 0000 2404 0000 0052 0045 0046 0038 0000  ..$....R.E.F.8..
000000b0: 0000 0001 0000 0024 0400 0000 5200 4500  .......$....R.E.
000000c0: 4600 3900 0000 0000 0000 0000 2405 0000  F.9.........$...
000000d0: 0052 0045 0046 0031 0030 00              .R.E.F.1.0.


zlib @0bf1:
00000000: 240c 0000 0031 0039 0032 002e 0031 0036  $....1.9.2...1.6
00000010: 0038 002e 0031 002e 0031 0030 0024 0d00  .8...1...1.0.$..
00000020: 0000 3200 3500 3500 2e00 3200 3500 3500  ..2.5.5...2.5.5.
00000030: 2e00 3200 3500 3500 2e00 3000 240b 0000  ..2.5.5...0.$...
00000040: 0031 0039 0032 002e 0031 0036 0038 002e  .1.9.2...1.6.8..
00000050: 0031 002e 0031 0024 0b00 0000 3100 3900  .1...1.$....1.9.
00000060: 3200 2e00 3100 3600 3800 2e00 3100 2e00  2...1.6.8...1...
00000070: 3100 0300 0000                           1.....

zlib @0c5d:
00000000: 240e 0000 006d 0061 0069 006c 002e 0072  $....m.a.i.l...r
00000010: 0069 0067 006f 006c 002e 0063 006f 006d  .i.g.o.l...c.o.m
00000020: 0019 0000 0024 1200 0000 7200 6900 6700  .....$....r.i.g.
00000030: 6f00 6c00 5f00 6400 7300 4000 7200 6900  o.l._.d.s.@.r.i.
00000040: 6700 6f00 6c00 2e00 6300 6f00 6d00 2409  g.o.l...c.o.m.$.
00000050: 0000 0052 0069 0067 006f 006c 0030 0036  ...R.i.g.o.l.0.6
00000060: 0031 0034 0024 1200 0000 7200 6900 6700  .1.4.$....r.i.g.
00000070: 6f00 6c00 6d00 6100 6900 6c00 4000 7300  o.l.m.a.i.l.@.s.
00000080: 6900 6e00 6100 2e00 6300 6f00 6d00 0000  i.n.a...c.o.m...
00000090: 0000 2400 0000 00                        ..$....
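The layout described in the post above (zlib streams embedded at arbitrary offsets, with readable strings in the inflated data) can be explored with a small carver. This is an added example, not part of the original post and not a Rigol tool: the string layout it parses (a 0x24 marker, a 32-bit little-endian character count, then UTF-16LE text) is inferred from the hex dump above, `SAMPLE_BLOCK` is the first inflated block copied from that dump, and the container built by `build_sample` is constructed for the demonstration.

```python
import struct
import zlib

# First inflated block ("zlib @002c") as shown in the dump above.
SAMPLE_BLOCK = bytes.fromhex(
    "0000 0000 0001 0000 0000 001e 0000 0024"
    "0b00 0000 5200 4900 4700 4f00 4c00 2000"
    "5300 6300 6f00 7000 6500 241a 0000 003a"
    "002f 0070 0069 0063 0074 0075 0072 0065"
    "0073 002f 0075 0074 0069 006c 0069 0074"
    "0079 002f 0073 0063 0072 002e 006a 0070"
    "0067 0001 0000 00"
)


def carve_zlib_streams(blob, min_out=4, max_in=1 << 16, max_out=1 << 20):
    """Return [(offset, compressed_len, inflated)] for each complete zlib stream.

    A candidate must pass the RFC 1950 header check and then inflate to the
    end of the stream (which includes the Adler-32 check), so stray bytes that
    merely look like a header are rejected. max_in and max_out bound the work
    done per candidate; a stream larger than either bound is skipped.
    """
    found = []
    pos = 0
    while pos + 2 <= len(blob):
        cmf, flg = blob[pos], blob[pos + 1]
        header_ok = (
            (cmf & 0x0F) == 8                  # CM = deflate
            and (cmf >> 4) <= 7                # window size <= 32 KiB
            and ((cmf << 8) | flg) % 31 == 0   # FCHECK
            and not (flg & 0x20)               # no preset dictionary
        )
        if header_ok:
            window = blob[pos:pos + max_in]
            d = zlib.decompressobj()
            try:
                out = d.decompress(window, max_out)
            except zlib.error:
                out = None
            if out is not None and d.eof and len(out) >= min_out:
                used = len(window) - len(d.unused_data)
                found.append((pos, used, out))
                pos += used                    # do not rescan inside the stream
                continue
        pos += 1
    return found


def extract_strings(block, max_chars=256):
    """Return [(offset, text)] for '$' + u32 LE count + UTF-16LE strings."""
    out = []
    i = 0
    while i + 5 <= len(block):
        if block[i] == 0x24:
            (n,) = struct.unpack_from("<I", block, i + 1)
            end = i + 5 + 2 * n
            if 0 < n <= max_chars and end <= len(block):
                try:
                    text = block[i + 5:end].decode("utf-16-le")
                except UnicodeDecodeError:
                    text = None
                if text is not None and text.isprintable():
                    out.append((i, text))
                    i = end
                    continue
        i += 1
    return out


def build_sample():
    """Constructed container: header, stream, junk, stream, zero padding."""
    head = b"RGWF\x00\x01"                       # made-up header bytes
    a = zlib.compress(SAMPLE_BLOCK)
    second = b"$" + struct.pack("<I", 3) + "CH1".encode("utf-16-le") + bytes(8)
    b = zlib.compress(second)
    blob = head + a + b"\xde\xad\xbe\xef" + b + bytes(64)
    return blob, len(head), len(head) + len(a) + 4


if __name__ == "__main__":
    blob, _, _ = build_sample()
    for offset, used, data in carve_zlib_streams(blob):
        print(f"zlib @{offset:04x}: {used} -> {len(data)} bytes")
        for str_off, text in extract_strings(data):
            print(f"    +{str_off:04x} {text!r}")
```

Against a real .wfm file, read the file into `blob` and run the same two functions; the offsets printed correspond to the `zlib @....` labels in the dump.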
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 03, 2019, 08:53:18 pm
Has anybody figured or worked around the new mso5k wfm file format?

I can't imagine it's very different to DS1054Z/DS2000Z format.

so far,
A short header followed by 53 fairly short zflated blocks, separated by varying junk.
Then a huge blank of around ~5,000,000 x'00s
Then an assortment of ~17,000,000 x'c7 or x'c8 or x'c9 (with some interludes). Maybe data per chan.

The channel data in a DS1054Z file is saved in screen pixel positions.

The screen has 400 pixels vertically and it only uses 200 values from the data to draw the trace, ie. no scaling is done and vertical resolution is in two-pixel steps.

IIRC the bottom pixel on screen is mapped to 0x18 and the top pixel is mapped to 0xe0, ie. there's 0x18 unused values below the screen and 0x20 values above.

Somewhere in the header there's floating point voltage offset+scale values. These are used to convert the screen positions into voltage values.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 03, 2019, 08:59:06 pm
LED backlight voltage is a standard 3 x 3.3v LED string so 9.9v - it's not modulated in any way.

Datasheets seem to indicate 10.2v max is allowed (with reduced life) but it's already plenty bright enough for me anyway.

I would have thought it would be in mA, not volts.  :popcorn:

Whatever ... if datasheet says 10.2V and it's measured as 9.9V then there's not much room for boosting it. People will have to look elsewhere for an upgrade.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on February 03, 2019, 09:12:11 pm
Whatever ... if datasheet says 10.2V and it's measured as 9.9V then there's not much room for boosting it. People will have to look elsewhere for an upgrade.

Once above threshold, the current in a LED driven by a voltage source goes up sort-of exponentially.  So the current (and brightness) difference between 9.9 and 10.2V into a string of 3 LEDs can be quite a bit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jrs45 on February 05, 2019, 09:23:41 pm
I'm having trouble with mine.  It's firmware 00.01.01.02.03 (Boot 2018.06.27 Build 2018-10-11:16:45:53), and I login as root/root, make the change below, verify that it saved correctly, but when I reboot nothing has unlocked, and it's reverting back to the original unedited file.

Any idea what's wrong?  Do I need to upgrade to .04 first?

So disappointed!  Thanks for any help.

CONFIRMATION

Hey Guys! Thx a million times you crafty geniuses!!  ;D :-+ :-+ :-+

Type: MSO5074
Firmware: 00.01.01.02.04

Successful SSH Login via Putty:
USR: root
PWD: Rigol201


I followed the instructions from @TopLoser:
##################################
Download and install PuTTY on your PC
On your scope find its IP address by UTILITY, IO, LAN
Run PuTTY and connect using that IP address and SSH with port 22
Login as ‘root’ password ‘root’
Enter ‘cd /rigol/shell’
Enter ‘vi start.sh’

Change line 82 to read:
‘/rigol/appEntry  $PowerOn -run -fullopt &’

Google vi commands to find out how to insert text into the file
Basically press ‘i’ to enter edit mode then move cursor, insert text and then ESC to exit edit mode.

Save the file and quit ‘:wq’

Reboot.
##################################

Rock on guys! Great work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 05, 2019, 09:29:02 pm
Try typing ‘sync’ when you’ve finished editing the file.

Linux is a bit lazy updating files on this scope...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jrs45 on February 05, 2019, 09:59:55 pm
Thanks!  I think that did it - the change was retained but the option list doesn't show anything, and the license countdown for some demo options is still running (~2000minutes).   

BUT the waveform generators are working to 25MHz, and I can access the power quality analysis, so does that mean it unlocked successfully? w00t!

(I'll have to go find a source to check the 350MHz BW!)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 05, 2019, 10:23:07 pm
Option list won’t show any change at all. You’re good.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 19, 2019, 09:15:11 pm
https://www.youtube.com/watch?v=xxxyWUVwPgk
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on February 20, 2019, 02:35:48 am
I think we're all still waiting for the backordered scopes to arrive :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 20, 2019, 01:46:16 pm
I think we're all still waiting for the backordered scopes to arrive :D

Gotta fix that firmware!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bax on February 20, 2019, 06:41:44 pm
I received an MSO5074 in mid February. Another larger shipment into North America is expected at the end of February.

As was mentioned, the current firmware of the units being delivered is 00.01.01.02.03. I was told that the next revision is being tested.

_________________

If anyone is looking for a soft padded carrying case for the MSO5074, take a look at the G-MIXERBAG-1515 from Gator Cases. It's bigger than the scope, leaving 7"X15" of space for other storage.

https://gatorcases.com/products/mixer/mixer-bags/g-mixerbag/15-x-15-x-5-5-mixergear-bag-g-mixerbag-1515/

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 21, 2019, 02:23:16 pm
I received an MSO5074 in mid February. Another larger shipment into North America is expected at the end of February.

Can you check and confirm if you have a perfectly aligned compensation square wave or get similar as discussed here please ?
https://www.eevblog.com/forum/blog/new-rigol-scope/msg2215035/#msg2215035
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bax on February 21, 2019, 04:46:12 pm
I received an MSO5074 in mid February. Another larger shipment into North America is expected at the end of February.

Can you check and confirm if you have a perfectly aligned compensation square wave or get similar as discussed here please ?
https://www.eevblog.com/forum/blog/new-rigol-scope/msg2215035/#msg2215035

It is the same as yours, slight overcompensation on all channels that can't be dialed out. Swapping through the Rigol probes doesn't change anything. 

I tried an old set of probes from a Hameg scope, the amount of overcompensation that couldn't be dialed out was worse. I then tried a P6109 Tektronix 10X probe (from a Tek 2235A scope) and it compensated to a better square wave on all channels of the MSO5074 but still slightly overcompensated.

The question is, do the Rigol PVP2350 probes meet their intended specs.




Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: offmar on February 22, 2019, 09:04:55 pm
The question is, do the Rigol PVP2350 probes meet their intended specs.

What's the result if the probes are set at 1x? On my 'scope the signal has the same overshoot as with 10x compensated. Both times getting signal from the 1kHz compensation generator.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 22, 2019, 09:15:33 pm
Hi,

Today I did a test, posted in there:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2217990/#msg2217990



This thread here is about hacking the rigol…..

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 22, 2019, 10:23:36 pm
After hack I would presume that Auto Calibration would need to be performed. Maybe it does some kind of signal path verification/calibration in front end chip?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 22, 2019, 10:27:50 pm
It could be, when I did firmware upgrades on the scopes, Lecroy, Siglent and Rigol got it in their upgrade instructions, to do an auto-calibration after the upgrade.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 22, 2019, 10:33:06 pm
Well, Rigol says that front end analog chip has full bandwidth and attenuator control inside. And since chip is supposed to be good to 4GHz, it would stand to reason that it would have some kind of equalization built in for board layout and channel difference tuning. Self calibration could use it to compensate and equalize channels.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bax on February 23, 2019, 03:41:01 am
The question is, do the Rigol PVP2350 probes meet their intended specs.

What's the result if the probes are set at 1x? On my 'scope the signal has the same overshoot as with 10x compensated. Both times getting signal from the 1kHz compensation generator.

Posted a reply here:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2219100/#msg2219100
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 27, 2019, 01:27:49 pm
A new Firmware is now available for MSO5000!

http://int.rigol.com/File/ProductSoftWare/20190227/DS5000(ARM)Update.rar
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 27, 2019, 04:46:50 pm
A new Firmware is now available for MSO5000!

http://int.rigol.com/File/ProductSoftWare/20190227/DS5000(ARM)Update.rar

Only a .GEL file, no release notes.  ???

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on February 27, 2019, 05:39:06 pm
softver=00.01.01.04.04
builddate="2019-02-20 16:27:49"


Code: [Select]
        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        modified:   firmware/rootfs/rigol/K160M_TOP.bit
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/default/cal.hex
        modified:   firmware/rootfs/rigol/resource/appmeta.xml
        modified:   firmware/rootfs/rigol/resource/boardmeta.xml
        modified:   firmware/rootfs/rigol/resource/dsometa.xml
        modified:   firmware/rootfs/rigol/resource/help/b/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/histogram.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/histogram.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/menu/b.hex
        modified:   firmware/rootfs/rigol/resource/menu/c.hex
        modified:   firmware/rootfs/rigol/resource/menu/d.hex
        modified:   firmware/rootfs/rigol/resource/menu/desc.hex
        modified:   firmware/rootfs/rigol/resource/menu/h.hex
        modified:   firmware/rootfs/rigol/resource/menu/i.hex
        modified:   firmware/rootfs/rigol/resource/menu/j.hex
        modified:   firmware/rootfs/rigol/resource/menu/k.hex
        modified:   firmware/rootfs/rigol/resource/menu/l.hex
        modified:   firmware/rootfs/rigol/resource/menu/m.hex
        modified:   firmware/rootfs/rigol/resource/menu/menu.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ch.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ext.hex
        modified:   firmware/rootfs/rigol/resource/menu/msg.h
        modified:   firmware/rootfs/rigol/resource/menu/n.hex
        modified:   firmware/rootfs/rigol/resource/menu/o.hex
        modified:   firmware/rootfs/rigol/resource/menu/pic.hex
        modified:   firmware/rootfs/rigol/resource/menu/res.hex
        modified:   firmware/rootfs/rigol/resource/menu/t.hex
        modified:   firmware/rootfs/rigol/resource/menu/u.hex
        modified:   firmware/rootfs/rigol/resource/res.qrc
        modified:   firmware/rootfs/rigol/resource/scpi/CALibration.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/DISPlay.xml
        modified:   firmware/rootfs/rigol/resource/scpi/HISTogram.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MASK.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MEASure.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/WAVeform.xml
        modified:   firmware/rootfs/rigol/shell/start.sh
        modified:   firmware/rootfs/rigol/webcontrol/webpages/PrintScreen.html
        modified:   firmware/zImage
        modified:   firmware/zynq.bit


EDIT: fullopt cannot be found in latest appEntry

EDIT2: Interestingly, this coincides with Batronix today mailing me they are shipping my unit....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 27, 2019, 06:12:01 pm
Quote
Only a .GEL file, no release notes.

On the "official homepages" (rigol.com and others) there's no firmware update available (like the fw for 7000).
I think, if it's there, it will have release notes too.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on February 27, 2019, 06:14:53 pm
Also shipped  my order...

I  saw the mso8000  today. But got no Information / pricing anywhere...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 27, 2019, 07:15:38 pm
It seems the root password is.................. again...................  Rigol201   

The fullopt checking and also the USB vendor disk checking were removed. But any of them can be easily "emulated"...   ::)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on February 27, 2019, 07:38:41 pm
Proceed with caution!

Uboot access might prove impossible over the serial interface and SSH access probably won’t work anymore.

Just a hunch. An informed one though...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 27, 2019, 07:58:04 pm
Uboot access might prove impossible over the serial interface and SSH access probably won’t work anymore.

It's suicide if they don't work... :popcorn:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 27, 2019, 08:56:36 pm
softver=00.01.01.04.04
builddate="2019-02-20 16:27:49"


Code: [Select]
        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        modified:   firmware/rootfs/rigol/K160M_TOP.bit
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/default/cal.hex
        modified:   firmware/rootfs/rigol/resource/appmeta.xml
        modified:   firmware/rootfs/rigol/resource/boardmeta.xml
        modified:   firmware/rootfs/rigol/resource/dsometa.xml
        modified:   firmware/rootfs/rigol/resource/help/b/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/histogram.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/histogram.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/menu/b.hex
        modified:   firmware/rootfs/rigol/resource/menu/c.hex
        modified:   firmware/rootfs/rigol/resource/menu/d.hex
        modified:   firmware/rootfs/rigol/resource/menu/desc.hex
        modified:   firmware/rootfs/rigol/resource/menu/h.hex
        modified:   firmware/rootfs/rigol/resource/menu/i.hex
        modified:   firmware/rootfs/rigol/resource/menu/j.hex
        modified:   firmware/rootfs/rigol/resource/menu/k.hex
        modified:   firmware/rootfs/rigol/resource/menu/l.hex
        modified:   firmware/rootfs/rigol/resource/menu/m.hex
        modified:   firmware/rootfs/rigol/resource/menu/menu.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ch.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ext.hex
        modified:   firmware/rootfs/rigol/resource/menu/msg.h
        modified:   firmware/rootfs/rigol/resource/menu/n.hex
        modified:   firmware/rootfs/rigol/resource/menu/o.hex
        modified:   firmware/rootfs/rigol/resource/menu/pic.hex
        modified:   firmware/rootfs/rigol/resource/menu/res.hex
        modified:   firmware/rootfs/rigol/resource/menu/t.hex
        modified:   firmware/rootfs/rigol/resource/menu/u.hex
        modified:   firmware/rootfs/rigol/resource/res.qrc
        modified:   firmware/rootfs/rigol/resource/scpi/CALibration.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/DISPlay.xml
        modified:   firmware/rootfs/rigol/resource/scpi/HISTogram.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MASK.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MEASure.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/WAVeform.xml
        modified:   firmware/rootfs/rigol/shell/start.sh
        modified:   firmware/rootfs/rigol/webcontrol/webpages/PrintScreen.html
        modified:   firmware/zImage
        modified:   firmware/zynq.bit
You skipped one:    new file:   rootfs/rigol/webcontrol/webpages/remote.html
:)

I generated the firmware using the repo again here https://gitlab.com/riglol/rigolee/ so differences are more visible.

Also, I noticed I have a few typos in my readme :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 27, 2019, 09:16:34 pm
By the way,

Quote
no release notes.

Hi-Res mode added, that will be sure, I'm curious if this will work now..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on February 27, 2019, 10:32:20 pm
EDIT: fullopt cannot be found in latest appEntry
It means hack was disabled?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on February 28, 2019, 05:37:39 am
I did the update, there is High Res Mode.
SSH does not work anymore, so no hack on this path.


One more question: how does the device know which version it is, i.e. 70MHz or 350MHz, 2-channel or 4-channel?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on February 28, 2019, 06:44:21 am
SSH does not work anymore, so no hack on this path.

I believe appEntry will kill sshd, there is no obvious change otherwise which limits sshd, and appEntry contains a string pointing to sshd (it was not there in previous revisions). You should be able to ssh in during boot and potentially prevent appEntry from killing sshd.

Alternatively, we could probably just patch the string in appEntry?

EDIT: With the right timing, something like
Code: [Select]
ssh -p Rigol201 root@host "nohup /usr/bin/sshd -p 22"

Should give you ssh on port 22  >:D Haven't tried it though.

EDIT2: I was wrong. firmware/rootfs/etc/init.d/rcS was changed such that sshd does not run.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 28, 2019, 07:38:53 am
More information on the latest Firmware ;)

v00.01.01.04.04  2019/02/20

     - Optimized the operating experience of the local upgrade.
     
     - Added the 12-bit high resolution mode.
     - Added 500uV/div in vertical scale.
     - Added the SCPI command :MEASure:STATistic:ITEM CNT,<item>[,<src>[,<src>]]
       to reading the count of measure statistics.
     - The waveform can zoom out by drawing a rectangle. If you draw a rectangle
       from the top left to the bottom right, the waveform will zoom in. If you
       draw it from the bottom right to the top left(the opposite direction),
       the waveform will zoom out.
     - Added the GND coupling in channel.
     - Enriched the color options of the LA channels.
     - If the newest version is detected, a red dot will display in the Online
       upgrade menu.
       
     - Modified the waveform freeze problem in slow scan mode.
     - The boot time is reduced to less than 1 minute.
     - Improve the touch experience in the lower half of the touch screen.
     - Reduced the noise amplitude of the waveform.
     - Modified the problem of decode vanishing after moving signals.
     - Modified the error of digital waveform when adjusting the timebase after
       stop the sampling.
     - The :SYSTEM:SETUP command can successfully save and upload setting
       information in remote.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pascal_sweden on February 28, 2019, 08:54:53 am
Does it mean now that you have a real 12-bit oscilloscope, and that it beats the R&S RTB series 10-bit oscilloscope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on February 28, 2019, 10:48:30 am
Does it mean now that you have a real 12-bit oscilloscope, and that it beats the R&S RTB series 10-bit oscilloscope?

Yes, the firmware ZIP file contains a physical 12-bit ADC which is uploaded into the scope via USB.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Daixiwen on February 28, 2019, 10:55:49 am
but make sure you are using an audiophile grade USB cable for the upload
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Rerouter on February 28, 2019, 11:10:26 am
It's likely just enhanced resolution mode by adding samples. Add up 16x 8 bit values, and you can get a not very reliable 12 bit value. You will likely find the sample rate is cut down by an equivalent amount.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 12:22:32 pm
Hello, today I got my new MSO5074 and immediately started playing with it. After playing with it for a few hours I wanted to open a few extra functions,
and therefore I added a little to this line

/ rigol / appEntry $ PowerOn -run -fullopt&

with the result that now the scope cannot boot

it comes to the boot screen and the bar counts up completely and then it freezes

LAN is not up and running, so how do I get in and remove my addition??

the software version is 00.01.01.02.03
compiled 2018-10-11

all help will be received with pleasure
Best regards, satlars
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 28, 2019, 12:31:57 pm
"fullopt&" should have been "fullopt &"

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 12:34:13 pm
yes i can understand that a space has slipped

but how do i get hold of the file system now?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 28, 2019, 12:34:31 pm
the firmware ZIP file contains a physical 12-bit ADC

Please explain what you mean by this.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dpenev on February 28, 2019, 12:40:00 pm
the firmware ZIP file contains a physical 12-bit ADC

Please explain what you mean by this.

The guy was in a funny mood today and was joking I think :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gedong on February 28, 2019, 12:46:17 pm
Does the MSO5000 have bode plot features? Can't seem to find any info about this.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on February 28, 2019, 12:46:30 pm
the firmware ZIP file contains a physical 12-bit ADC
Please explain what you mean by this.

Just kidding. I don't know where to find the smiley icons when posting from my mobile's "Tapatalk" client...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 28, 2019, 01:02:49 pm
It's likely just enhanced resolution mode by adding samples. Add up 16x 8 bit values, and you can get a not very reliable 12 bit value. You will likely find the sample rate is cut down by an equivalent amount.

You can do stuff like that when you have 8Gigasamples/sec.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on February 28, 2019, 01:17:04 pm
/ rigol / appEntry $ PowerOn -run -fullopt&

The space after fullopt shouldn't matter.  The ampersand '&' is indicating to the shell that we want the command to be executed in the background.

What is wrong is all the spaces after the slash '/'.  It is probably taking the line as an invalid command and failing to execute the appEntry application.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 01:34:23 pm
sorry, translation error

this is the line from the file

/rigol/appEntry $PowerOn  -run -fullopt&


is there not a factory default switch?? or key combination

satlars
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 28, 2019, 01:45:11 pm
sorry, translation error
this is the line from the file
/rigol/appEntry $PowerOn  -run -fullopt&
is there not a factory default switch?? or key combination

Most likely you put something wrong on startup.sh file and now it terminates at the main app startup line.
The problem is that network services are started only after the main app is completely started. But as it terminates just before it, it never gets executed.

Your best bet right now is to push a new firmware (can be the same version you have already, or the latest one available).
Put an update file on USB drive, formatted as Fat32 and boot up your device.
Hope UBoot picks up your Update & starts an upgrade process.

if that does not help your next bet is on Serial Connection, but will require opening your device.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 01:49:15 pm
thanks, sounds like a good idea, but where can I download it??
I can't find it at Rigol.
does anyone know where it is?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 28, 2019, 01:50:49 pm
thanks, sounds like a good idea, but where can I download it??
I can't find it at Rigol.
does anyone know where it is?

Unofficial place works better ;)
https://gitlab.com/riglol/rigolee/tree/MSO5000/GEL

Just don't forget to rename Update file to the following: "DS5000Update.GEL"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 02:10:57 pm
it does not seem to work

I have formatted a 16gb stick as FAT32

and tried with both my old firmware version 01.01.02.04
and with the new 01.01.04.04, but nothing really happens: the boot bar just runs up to 100% and then there is nothing more

do you have to press something special to make it look at USB?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: drieg on February 28, 2019, 02:16:28 pm
A new Firmware is now available for MSO5000!

http://int.rigol.com/File/ProductSoftWare/20190227/DS5000(ARM)Update.rar
Release notes for FW v00.01.01.04.04:

[Latest Revision Date]  2019/02/27

[Updated Contents]
--------------------

v00.01.01.04.04  2019/02/20

     - Optimized the operating experience of the local upgrade.
     
     - Added the 12-bit high resolution mode.
     - Added 500uV/div in vertical scale.
     - Added the SCPI command :MEASure:STATistic:ITEM CNT,<item>[,<src>[,<src>]]
       to reading the count of measure statistics.
     - The waveform can zoom out by drawing a rectangle. If you draw a rectangle
       from the top left to the bottom right, the waveform will zoom in. If you
       draw it from the bottom right to the top left(the opposite direction),
       the waveform will zoom out.
     - Added the GND coupling in channel.
     - Enriched the color options of the LA channels.
     - If the newest version is detected, a red dot will display in the Online
       upgrade menu.
       
     - Modified the waveform freeze problem in slow scan mode.
     - The boot time is reduced to less than 1 minute.
     - Improve the touch experience in the lower half of the touch screen.
     - Reduced the noise amplitude of the waveform.
     - Modified the problem of decode vanishing after moving signals.
     - Modified the error of digital waveform when adjusting the timebase after
       stop the sampling.
     - The :SYSTEM:SETUP command can successfully save and upload setting
       information in remote.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 02:39:02 pm
I have tried both the files that mindy linked to and the rar file that drieg linked to

with the same result: the scope comes up with the boot bar again and nothing more happens.

on the old scopes I can see you have to press the help button to activate USB upload, but that does not appear to be the case on the 5000?? It may be another button
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 03:29:33 pm
what about serial connection.
Is that maybe a way to fix the file?? and where should it be soldered on the motherboard?? if there is one
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on February 28, 2019, 03:36:56 pm
@satlars, did you do this?

Just don't forget to rename Update file to the following: "DS5000Update.GEL"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 03:44:00 pm
hi ebastler

yes I did just that: DS5000Update.GEL
 
but nothing happens :-(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 0xdeadbeef on February 28, 2019, 04:28:38 pm
You could try formatting the USB stick with a dedicated USB stick formatting tool or use a smaller stick (<=4GB). Since Win7 or so, the Windows formatter chooses rather large block sizes for USB sticks (dependent on size) and most simple implementations of FAT32 systems are limited to 4k block size. At least I had issues like this with several non-Windows scopes in the past.
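Added example (not part of the original post): a check of the cluster size a stick was actually formatted with, read from the FAT32 boot sector and compared against the 4k limit mentioned in the post above. The 4096-byte limit is the poster's figure, and the boot sectors used here are constructed in the code rather than read from a real stick.

```python
import struct
import sys

SECTOR = 512

def build_boot_sector(bytes_per_sector, sectors_per_cluster):
    """Constructed FAT32 boot sector holding only the fields this check reads."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"                  # jump instruction
    bs[3:11] = b"MSDOS5.0"                     # OEM name
    struct.pack_into("<HB", bs, 11, bytes_per_sector, sectors_per_cluster)
    struct.pack_into("<H", bs, 17, 0)          # root entry count: 0 on FAT32
    struct.pack_into("<H", bs, 22, 0)          # 16-bit FAT size: 0 on FAT32
    struct.pack_into("<I", bs, 36, 1024)       # 32-bit FAT size: non-zero on FAT32
    bs[82:90] = b"FAT32   "                    # informational type string
    bs[510:512] = b"\x55\xAA"                  # boot sector signature
    return bytes(bs)

def parse_fat32_bpb(boot_sector):
    """Return (bytes_per_sector, sectors_per_cluster) or raise ValueError."""
    if len(boot_sector) < SECTOR:
        raise ValueError("need at least 512 bytes of the volume boot sector")
    if boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot_sector, 11)
    (root_entries,) = struct.unpack_from("<H", boot_sector, 17)
    (fat_size_16,) = struct.unpack_from("<H", boot_sector, 22)
    (fat_size_32,) = struct.unpack_from("<I", boot_sector, 36)
    # FAT32 is identified by these three fields, not by the type string.
    if root_entries != 0 or fat_size_16 != 0 or fat_size_32 == 0:
        raise ValueError("volume is not FAT32 (FAT12/16, exFAT or NTFS?)")
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError("invalid bytes-per-sector value")
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("sectors-per-cluster must be a power of two")
    return bytes_per_sector, sectors_per_cluster

def cluster_report(boot_sector, limit=4096):
    """limit is the 4k figure from the post, an assumption about the reader side."""
    bytes_per_sector, sectors_per_cluster = parse_fat32_bpb(boot_sector)
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "within_limit": cluster_bytes <= limit,
    }

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Pass the FAT32 volume (the partition), not the whole disk:
        # the whole disk starts with a partition table, not this sector.
        with open(sys.argv[1], "rb") as dev:
            print(cluster_report(dev.read(SECTOR)))
    else:
        for spc in (8, 64):                    # 4 KiB and 32 KiB clusters
            print(cluster_report(build_boot_sector(512, spc)))
```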
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: satlars on February 28, 2019, 04:41:43 pm
just tried to format a 2gb stick

and put the .gel file on that

it flashes just twice and otherwise the same result
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 28, 2019, 05:00:13 pm
The uboot won't do the update automatically. It needs human intervention.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on February 28, 2019, 06:16:25 pm
yes I did just that: DS5000Update.GEL
but nothing happens :-(

You can try one more thing:
If you are lucky & network is actually initialised you could try to connect your scope to the router (or switch) which has a DHCP service running and issues IPs automatically.
Check if you can see what IP address is issued and try to SSH.

Another way is to use "nmap" script & scan your subnet for active IP addresses.
It could be that by default the network interface is set to an IP address like "169.254.123.123" with a subnet "255.255.0.0", so you could set your laptop / pc IP to a static one and then run "NMAP" to scan for your scope one.
Edit1: In this case scope should be connected directly with your PC and NOT via Router.

Code: [Select]
nmap -sn 169.254.0.0/16
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 28, 2019, 07:14:11 pm

Release notes for FW v00.01.01.04.04:

[Latest Revision Date]  2019/02/27

[Updated Contents]


Tested some of the changes here:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2231781/#msg2231781

( To get this Topic "clean" )

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: velikigrizli on February 28, 2019, 08:37:51 pm
So what's the conclusion? Seems that new firmware can't be hacked? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on February 28, 2019, 11:07:32 pm
@ satlars,
   You will need to use the UART serial interface at 115200 bits/sec, to access the file system.

I have done this to solve a similar issue on an MSO5074 when there was a power failure at the exact time the modified start.sh file was being saved. This resulted in the file being corrupted.

Read this message.  https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2114902/#msg2114902

Good Luck.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sparkv on March 01, 2019, 05:08:55 am
So what's the conclusion? Seems that new firmware can't be hacked? :)

 ??? I didn't see anybody make a claim that it can't be hacked. We only know they removed -fullopt from appEntry and put in the code to kill sshd, which is trivial to bypass if they're looking for it by process name, and it seems they do based on what others have said. I didn't look at the new executable yet. As for a proper hack, maybe the mystery keygen will finally grace us with its appearance :-DD

It will be hacked, it just may require binary patching as a quick-fix way to bring -fullopt back in and disable sshd nuker.

Personally, I would have spent a lot more time working on it if I had the actual device. I stopped RE work because I hit a point where I would have to ask others to run my tests on their scopes, or wait for my own scope to arrive. I chose the latter. My scope shipped today, next week when it arrives should be fun  >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 06:23:40 am
So what's the conclusion? Seems that new firmware can't be hacked? :)

Where do you get that idea from? Not one person here has said that.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 09:17:44 am
With the right timing, something like
Code: [Select]
ssh -p Rigol201 root@host "nohup /usr/bin/sshd -p 22"

Should give you ssh on port 22  >:D Haven't tried it though.

Looking at the disassembled appEntry file, it looks to me like it's only able to start a ssh and ftp daemon, but not to stop any of them.
I'm not sure how to start it though. The start command is close to other UI stuff, and the string "Enter Project mode" is used close to it. I could imagine there is something like a maintenance menu we don't know about yet.

I can't test anything yet either because I'm also still waiting for my scope to arrive..
Good news is that it looks like the "-fullopt" checking instructions can easily be merged into the new appEntry version.

This is my first post btw, so a big hello to everybody here!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 09:49:43 am
Looking at the disassembled appEntry file, it looks to me like it's only able to start a ssh and ftp daemon, but not to stop any of them.

I believe you are right. I did not notice earlier, but rootfs/etc/init.d/rcS was modified such that sshd is not run.

Code: [Select]
diff --git a/firmware/rootfs/etc/init.d/rcS b/firmware/rootfs/etc/init.d/rcS
index f3559f1..a8f3117 100755
--- a/firmware/rootfs/etc/init.d/rcS
+++ b/firmware/rootfs/etc/init.d/rcS
@@ -30,10 +30,10 @@ mount -t devpts devpts /dev/pts
 #httpd -h /var/www
 
 #echo "++ Starting ftp daemon"
-tcpsvd 0:21 ftpd ftpd -w /&
+#tcpsvd 0:21 ftpd ftpd -w /&
 
 #echo "++ Starting ssh daemon"
-/usr/sbin/sshd
+#/usr/sbin/sshd
 
 echo "rcS Complete"
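Review bot: both start lines (`tcpsvd 0:21 ftpd ftpd -w /&` and `/usr/sbin/sshd`) are disabled by commenting them out with no note saying why, and the already-commented `#echo "++ Starting ..."` lines above them stay in place, so rcS now carries dead lines that read like leftover debugging rather than a decision. Either delete the start lines together with their echo lines, or add a one-line rationale above each. The FTP line is the more significant of the two: it served `/` with `-w` (uploads allowed) on every interface, so closing it deserves its own changelog entry rather than riding along silently with the sshd change.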

Can we still flash firmware traditionally? If so ssh is easily brought back.

Good news is that it looks like the "-fullopt" checking instructions can easily be merged into the new appEntry version.

That's fantastic news!

This is my first post btw, so a big hello to everybody here!
Welcome! May I ask what tools you use for disassembly?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2019, 10:00:27 am
Yes, you should reenable the daemon via the config file.

Yes, it's easily patchable (from here to eternity...). Just recreate the GEL and fire away.

I assume that anyone doing  this kind of task uses IDA.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 10:02:45 am
I'm not sure how to start it though. The start command is close to other UI stuff, and the string "Enter Project mode" is used close to it. I could imagine there is something like a maintenance menu we don't know about yet.

Notice, that rigol/resource/menu/msg.h defines a rather complete set of command messages. Say for example

Code: [Select]
#define MSG_HISTO_STATISEN      17670


For example rigol/resource/scpi/HISTogram.xml
Code: [Select]
<TotalItem>
<head>^(:?HISTogram|:?HIST)(:STATic|:STAT)\?$</head>
<service>histo</service>
<cmd>17670</cmd>
<minSize>-1</minSize>
<indexes>
<i>1</i>
</indexes>
<unit>
</unit>
</TotalItem>

One of these codes is
Code: [Select]
#define MSG_APP_UTILITY_PROJECT               12073
which is unfortunately not mapped, but might be somewhere in appEntry.
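Added example (not part of the original post and not code from the rigolee repo): the cross-reference described above, done mechanically, listing which message codes from msg.h are reachable through an SCPI `<head>` pattern and which are not. The inputs are constructed from exactly the two defines and the one `<TotalItem>` quoted in the post; the function names are made up for this example, and applying `<head>` as a plain case-sensitive regex is an assumption about how the firmware matches commands.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs: the two #define lines and the <TotalItem> quoted
# in the post. A real inventory would read msg.h and every XML file under
# resource/scpi/ from an unpacked firmware tree instead.
MSG_H = """\
#define MSG_HISTO_STATISEN      17670
#define MSG_APP_UTILITY_PROJECT               12073
"""

HISTOGRAM_XML = r"""<TotalItem>
<head>^(:?HISTogram|:?HIST)(:STATic|:STAT)\?$</head>
<service>histo</service>
<cmd>17670</cmd>
<minSize>-1</minSize>
<indexes>
<i>1</i>
</indexes>
<unit>
</unit>
</TotalItem>"""

DEFINE_RE = re.compile(r"^\s*#\s*define\s+(MSG_\w+)\s+(\d+)\b", re.MULTILINE)

def parse_msg_header(text):
    """Return {code: name} for every numeric MSG_* define in msg.h."""
    return {int(code): name for name, code in DEFINE_RE.findall(text)}

def parse_scpi_items(xml_text):
    """Return [(code, service, head_pattern)] for each <TotalItem> found."""
    root = ET.fromstring(xml_text)
    items = []
    # iter() also yields the root itself, so a bare <TotalItem> works too.
    for item in root.iter("TotalItem"):
        cmd = (item.findtext("cmd") or "").strip()
        if not cmd.isdigit():
            continue  # item without a numeric message code
        service = (item.findtext("service") or "").strip()
        head = (item.findtext("head") or "").strip()
        items.append((int(cmd), service, head))
    return items

def cross_reference(msg_text, xml_texts):
    """Split message codes into SCPI-exposed and unmapped.

    Returns (exposed, unmapped): exposed maps code -> {"name", "routes"},
    unmapped is a sorted list of define names with no <cmd> entry.
    """
    names = parse_msg_header(msg_text)
    exposed = {}
    for xml_text in xml_texts:
        for code, service, head in parse_scpi_items(xml_text):
            entry = exposed.setdefault(
                code, {"name": names.get(code), "routes": []})
            entry["routes"].append((service, head))
    unmapped = sorted(n for c, n in names.items() if c not in exposed)
    return exposed, unmapped

def accepted_by(head_pattern, command):
    """True if the <head> pattern, taken as a regex, accepts the command."""
    return re.search(head_pattern, command) is not None

if __name__ == "__main__":
    exposed, unmapped = cross_reference(MSG_H, [HISTOGRAM_XML])
    for code, entry in sorted(exposed.items()):
        for service, head in entry["routes"]:
            print(f"{code:6d} {entry['name']}  service={service}  head={head}")
    for name in unmapped:
        print(f"unmapped in the supplied XML: {name}")
```

With only one XML file supplied, "unmapped" means unmapped in that file; feed it every file under the scpi directory before drawing conclusions.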
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 10:27:58 am
I believe you are right. I did not notice earlier, but rootfs/etc/init.d/rcS was modified such that sshd is not run.

Code: [Select]
-/usr/sbin/sshd
+#/usr/sbin/sshd


So we just unpack the GEL, edit that file, repack it, back to business as usual?  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 10:50:28 am
I would guess so. Still waiting for the scope to be delivered. You can also use oliv3r's packer I think: https://gitlab.com/riglol/rigolee/#gel-packer
But I'm not sure if this is tested at all.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 11:06:39 am
Welcome! May I ask what tools you use for disassembly?
Thank you! I'm using Binary Ninja right now.

I believe the license checking function is at 0x0041801c. It seems to set r0 to #0x1 if the user owns the requested license.
At least that's what the -fullopt flag did in the previous versions.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 11:16:00 am
I believe the license checking function is at 0x0041801c. It seems to set r0 to #0x1 if the user owns the requested license.
At least that's what the -fullopt flag did in the previous versions.

It should be easy to mod that to "ld r0,#1; ret;" (or whatever the local assembly language is) to get all options.

Hacking an MSO5000 would then be as easy as inserting a USB stick and pressing "OK".

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2019, 11:34:17 am
I would guess so. Still waiting for the scope to be delivered. You can also use oliv3r's packer I think: https://gitlab.com/riglol/rigolee/#gel-packer
But I'm not sure if this is tested at all.

If there is any packer that works, it's this one! Older ones will not work because this .GEL is completely different.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 12:24:36 pm
Thank you! I'm using Binary Ninja right now.

I believe the license checking function is at 0x0041801c. It seems to set r0 to #0x1 if the user owns the requested license.
At least that's what the -fullopt flag did in the previous versions.

Thanks for the hint, that is indeed a nice tool! I believe you are right and it makes it super easy to patch it such that it only ever returns 1.  :-+

Patch for 01.01.04.04 to always return 1

Code: [Select]
Superseded by later work.

EDIT: Just got my scope from Batronix. Comes with firmware 00.01.01.02.03. I would have expected them to ship with the new "unhackable" firmware. However, maybe they did not want everyone to return them directly.  :-//

EDIT2:  I tried an intermediate update to 00.01.01.02.06, and now ssh is gone?! Strange....
EDIT3: Darn, that firmware also already kills sshd, even though it is from December last year! So I effectively shut myself out for now. BTW, the build script is not far enough to repackage the modified file system.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 02:26:25 pm
I tried an intermediate update to 00.01.01.02.06, and now ssh is gone?! Strange....

Yes, 00.01.01.02.06 was the first version having the start of the ssh daemon commented out in /etc/init.d/rcS
You could try an earlier version or be the first person to try oliv3r's packer  :D
Or did someone already test the packaging function?

EDIT: Oh okay, I guess downgrading is not possible?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 02:31:26 pm
Yes, 00.01.01.02.06 was the first version having the start of the ssh daemon commented out in /etc/init.d/rcS
You could try an earlier version or be the first person to try oliv3r's packer  :D
Or did someone already test the packaging function?

 |O Anyways. I don't know if downgrading is a good idea with calibration data and such. I think i also saw a check against it in fw4linux.sh.

oliv3r's packer will only do the firmware flash encryption (so I could patch out the downgrade stop). It will not generate the image files etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2019, 03:00:18 pm
Why downgrade??? Don't you want to upgrade with a hacked version?

Worry about repacking the new GEL and your problems will be over.

Since none of these versions change the bootloader, you can do all the harm that you want and there will always be a safe exit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 03:08:08 pm
I wanted to first backup the calibration data. I have patched 01.01.02.04 such that it will downgrade now. I'm back in  :scared:

@Oliv3r, I had to add --owner=rigolee --group=rigolee to the tar commands.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 03:16:13 pm
I'm back in  :scared:
Congratulations  :D
So next step is to pack the rootfs/rigol folder as an UBIFS image
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 03:22:59 pm
I'm back in  :scared:
Congratulations  :D
So next step is to pack the rootfs/rigol folder as an UBIFS image

In fact I just did the equivalent patch to the old appEntry as mentioned before  - and behold, all features are there without -fullopt  :popcorn: :-DD  Many thanks go to piskers for finding the function and pointing me in the right direction.

EDIT2:
Now it looks alright too  :-DD See attached image.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 03:41:47 pm
Very nice job!!  :-DD :-DD :popcorn:
Did you change anything else for the licenses to also appear in the options list?

Btw, the appEntry also seems to have support for (jitter) eye diagrams..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 03:48:43 pm
I just changed the option list view  to always show forever ;D. Easy to find when looking for "Forever". So it's just a visual thingy. I also noticed eye diagrams, but I thought it is just that different color scheme.

A patch for the current version, which makes it look and feel like full options. Obviously untested until we can pack the GEL files:

Code: [Select]
superseded by later work

EDIT: Note, that there is also a BW07T5 option in the file, while the highest option shown is BW07T3....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 04:16:32 pm
|O Anyways. I don't know if downgrading is a good idea with calibration data and such.

I wanted to first backup the calibration data.

Ummm... isn't that what self-cal is for - to generate some new data?  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 01, 2019, 04:20:06 pm
In fact I just did the equivalent patch to the old appEntry as mentioned before - and behold, all features are there without -fullopt  :popcorn: :-DD  Many thanks go to piskers for finding the function and pointing me in the right direction.

 :-+

This means hacking is now as easy as inserting a USB key and pressing "Go!" (or whatever it says on screen).

No need to mess around with SSH or Vi.

Since none of these versions change the bootloader, you can do all the harm that you want and there will always be a safe exit.

And an easy way to de-hack it if it ever has to go back under warranty.  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 05:39:51 pm
This means hacking is now as easy as inserting a USB key and pressing "Go!" (or whatever it says on screen).

No need to mess around with SSH or Vi.

Once we can create the update files. I'm not the best in shell scripts, so somebody else might be faster. Oliv3r?

Since none of these versions change the bootloader, you can do all the harm that you want and there will always be a safe exit.
And an easy way to de-hack it if it ever has to go back under warranty.  :)

That actually true? I was not aware we can run the u-boot flash script without soldering, can we? Also, it flashes the current version numbers into u-boot configuration, which we can obviously disable for our package.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 06:03:47 pm
Could someone run
Code: [Select]
mtdinfo /dev/mtd0
on the device so that we know the parameters for packing of the UBI image?

EDIT: Actually /dev/mtd6 and /dev/mtd10 just to be sure
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 06:39:46 pm
Could someone run
Code: [Select]
mtdinfo /dev/mtd0
on the device so that we know the parameters for packing of the UBI image?

EDIT: Actually /dev/mtd6 and /dev/mtd10 just to be sure

Sure, if it existed... Need to find some binary first....

EDIT:
Used an arml library from debian.

Code: [Select]
<root@rigol>/user/mtdinfo  --all --ubi-info
Count of MTD devices:           13
Present MTD devices:            mtd0, mtd1, mtd2, mtd3, mtd4, mtd5, mtd6, mtd7, mtd8, mtd9, mtd10, mtd11, mtd12
Sysfs interface supported:      yes

mtd0
Name:                           Env
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          2 (262144 bytes, 256.0 KiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:0
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd1
Name:                           DATA
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          512 (67108864 bytes, 64.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:2
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd2
Name:                           Bmp
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          32 (4194304 bytes, 4.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:4
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd3
Name:                           Bmp1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          32 (4194304 bytes, 4.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:6
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd4
Name:                           Bit1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          64 (8388608 bytes, 8.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:8
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd5
Name:                           Sys1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          256 (33554432 bytes, 32.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:10
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd6
Name:                           App1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          800 (104857600 bytes, 100.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:12
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd7
Name:                           Bmp2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          32 (4194304 bytes, 4.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:14
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd8
Name:                           Bit2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          64 (8388608 bytes, 8.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:16
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd9
Name:                           Sys2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          256 (33554432 bytes, 32.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:18
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd10
Name:                           App2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          800 (104857600 bytes, 100.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:20
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd11
Name:                           Reserved
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          536 (70254592 bytes, 67.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:22
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128

mtd12
Name:                           User
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          4800 (629145600 bytes, 600.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:24
Bad blocks are allowed:         true
Device is writable:             true
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
Maximum UBI volumes count:      128



EDIT2: Rerun with --ubi-info
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 01, 2019, 07:20:51 pm
Thank you!
So packaging should be possible with:
Code: [Select]
mkfs.ubifs -m 2048 -e 128KiB -c 800 -r /rootfs/rigol app.img
Not sure about the compression type (-x param)..
Then gzip it and run oliv3r's script. Can't try it till tomorrow though..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 07:33:35 pm
Thanks! There is also https://github.com/jrspruitt/ubi_reader which claims to be able to provide the proper information based on the image.

This results in:

Code: [Select]
ubireader_utils_info app.img

Volume app
        alignment       -a 1
        default_compr   -x lzo
        fanout          -f 8
        image_seq       -Q 329026723
        key_hash        -k r5
        leb_size        -e 126976
        log_lebs        -l 5
        max_bud_bytes   -j 8388608
        max_leb_cnt     -c 825
        min_io_size     -m 2048
        name            -N app
        orph_lebs       -p 1
        peb_size        -p 131072
        sub_page_size   -s 2048
        version         -x 1
        vid_hdr_offset  -O 2048
        vol_id          -n 0

        #ubinize.ini#
        [app]
        vol_name=app
        vol_size=98660352
        vol_flags=autoresize
        vol_type=dynamic
        vol_alignment=1
        vol_id=0


Which they claim maps to
Code: [Select]
/usr/sbin/mkfs.ubifs -m 2048 -e 126976 -c 825 -x lzo -f 8 -k r5 -p 1 -l 5 -r $1 img-329026723_0.ubifs
/usr/sbin/ubinize -p 131072 -m 2048 -O 2048 -s 2048 -x 1 -Q 329026723 -o img-329026723.ubi img-329026723.ini
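
The geometry discussed in the posts above, worked through as an added example (not code from the thread or from the rigolee project): it derives the LEB size from the App1 mtdinfo stanza and shows why `-e` is 126976 rather than the raw 128 KiB eraseblock size. The function names are hypothetical, the stanza is copied from the mtdinfo post, and the 64-byte header size is the one used by the Linux UBI driver.

```shell
#!/bin/sh
# Added example: derive UBI/UBIFS geometry from one mtdinfo stanza.

# Constructed input: the mtd6 (App1) stanza copied from the mtdinfo post.
app1_stanza() {
cat <<'EOF'
mtd6
Name:                           App1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          800 (104857600 bytes, 100.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Default UBI VID header offset:  2048
Default UBI data offset:        4096
Default UBI LEB size:           126976 bytes, 124.0 KiB
EOF
}

# field LABEL: read a stanza on stdin, print the first number after "LABEL:".
field() {
    awk -F: -v label="$1" '$1 == label { split($2, a, " "); print a[1]; exit }'
}

# align_up VALUE BOUNDARY: round VALUE up to a multiple of BOUNDARY.
align_up() { echo $(( ($1 + $2 - 1) / $2 * $2 )); }

# UBI keeps a 64-byte erase-counter header at offset 0 and a 64-byte volume-ID
# header in the next sub-page; LEB data starts at the next min-I/O boundary.
# ubi_leb_size PEB MIN_IO SUB_PAGE: bytes of each eraseblock left for UBIFS.
ubi_leb_size() {
    vid_off=$(align_up 64 "$3")
    data_off=$(align_up $(( vid_off + 64 )) "$2")
    echo $(( $1 - data_off ))
}

# ubifs_args: read a stanza on stdin, print matching mkfs.ubifs and ubinize flags.
# Fails if the derived LEB size disagrees with the one mtdinfo reported.
ubifs_args() {
    stanza=$(cat)
    peb=$(printf '%s\n' "$stanza" | field "Eraseblock size")
    pebs=$(printf '%s\n' "$stanza" | field "Amount of eraseblocks")
    min_io=$(printf '%s\n' "$stanza" | field "Minimum input/output unit size")
    sub=$(printf '%s\n' "$stanza" | field "Sub-page size")
    reported=$(printf '%s\n' "$stanza" | field "Default UBI LEB size")
    leb=$(ubi_leb_size "$peb" "$min_io" "$sub")
    if [ "$leb" != "$reported" ]; then
        echo "derived LEB size $leb != reported $reported" >&2
        return 1
    fi
    # -e takes the LEB size, not the raw eraseblock size. -c is only an upper
    # bound on the LEB count; the partition's eraseblock count is used here.
    echo "mkfs.ubifs -m $min_io -e $leb -c $pebs"
    echo "ubinize -p $peb -m $min_io -s $sub -O $(align_up 64 "$sub")"
}

app1_stanza | ubifs_args
```

The same arithmetic on NAND with 512-byte sub-pages gives a 129024-byte LEB, which is why these values should be read from the device or the original image rather than assumed.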

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 08:31:24 pm
The attached file looks like an update but just executes sshd  :scared:

So it will enable SSH on all scopes, but will never break anything.
Forum does not allow GEL, so remove the .txt file ending.

EDIT: Note, it will look like the upgrade failed, but no worries you will have ssh. The change is not permanent and ssh will be gone after reboot.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 08:45:25 pm
My previous patch works for the latest firmware  :-DD :scared:

So we could even build a small upgrade script, which checks for the currently installed version, and applies a binary patch to appEntry.  8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 01, 2019, 09:11:02 pm
Wow  :o

I understand nothing about, but.....wow  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 10:05:14 pm
I understand nothing about, but.....wow  ;D

Ok, so the scope basically has two file systems. The root file system is created in memory upon each boot, so it is hard to change. That is one of the reasons Rigol added a special additional partition of the /rigol/ folder. Changes here will be permanent.

We had three problems:

The SSH problem, we can solve with a neat trick: Just run a fake upgrade, which actually does nothing but execute the SSH daemon. And we are in.

The last problem was solved by piskers who pointed me to the right direction. So I did my very first binary assembler patch in my life, and here we are.


Now, what we can finally do is generate  a small upgrade file which will only patch appEntry. I would like to be as legally correct as possible, hence only provide a binary patch instead of the full file. Unfortunately, I cannot get a binary patcher to run on the scope.... So that is stalled for now. Hence it's not convenient yet.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2019, 10:16:28 pm
Now, what we can finally do is generate  a small upgrade file which will only patch appEntry. I would like to be as legally correct as possible, hence only provide a binary patch instead of the full file. Unfortunately, I cannot get a binary patcher to run on the scope.... So that is stalled for now. Hence it's not convenient yet.

Please continue. That's a chicken-egg problem. So you better change tactics. Do the patch in GEL and flash the whole thing.

If you go that way, there's no urgent need for the ssh daemon...

BTW, another important/alternative feature was dropped: the ability to insert the USB Vendor Disk and enable all Options automatically (no need for fullopt). ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 01, 2019, 10:22:37 pm
You misunderstood me.

I propose the user flashes the original firmware upgrade, and we just flash a small additional patch-GEL over it. I basically have it running right now, but it contains the full >20MB appEntry program, instead of just 172B of binary patches. I don't feel confident in sharing such a file. Others might want to create it though.

Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on March 01, 2019, 10:53:29 pm
Does anybody know if something "critical" has been changed in system.img? I've created a gel with the system.img.gz of 00.01.01.02.04 to have the usual access and have currently running a patched version of 00.01.01.04.04 appEntry and everything looks fine at first glance.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on March 01, 2019, 10:57:25 pm
Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^

Is dd available?  Would something like this (https://unix.stackexchange.com/questions/214820/patching-a-binary-with-dd) work?

edit: looks like it is (https://gitlab.com/riglol/rigolee/tree/MSO5000/firmware/rootfs/bin).  With some leg work you should be able to convert a patch file into a bash script using dd to manually write each byte.  Not pretty (and not fun), but it seems like it should do the trick.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on March 02, 2019, 06:52:34 am

Hello,

the SSH patch works, but the "-fullopt" in start.sh does not bring any extension
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 08:31:46 am
You misunderstood me.

I propose the user flashes the original firmware upgrade, and we just flash a small additional patch-GEL over it. I basically have it running right now, but it contains the full >20MB appEntry program, instead of just 172B of binary patches. I don't feel confident in sharing such a file. Others might want to create it though.

Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^

I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 09:22:51 am
edit: looks like it is (https://gitlab.com/riglol/rigolee/tree/MSO5000/firmware/rootfs/bin).  With some leg work you should be able to convert a patch file into a bash script using dd to manually write each byte.  Not pretty (and not fun), but it seems like it should do the trick.

In order to patch, dd seems ok. You only have 1st kill the appEntry process and then do the patch. I'm currently in voyeur mode...

This patching process is prone to errors because someone may run the script with another version of the app file in the system.

I think it's safer to copy the full file.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dren.dk on March 02, 2019, 09:38:22 am
The safest bet would be to hash the entire binary before modifying it, having a hash would also allow selection of the correct patch if one wanted to support several versions with the same update file.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 02, 2019, 09:46:22 am
Looking at the disassembled appEntry file, it looks to me like it's only able to start a ssh and ftp daemon, but not to stop any of them.

So it's actually interesting then how this is triggered :) Who'll take on that challenge?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 09:58:31 am
Dear all,

please find a patching upgrade attached to this post. It does not contain the actual appEntry, but only patches it. So no copyrighted data here ;).
You first need to upgrade to 00.01.01.04.04 (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.04.GEL). After that, apply the update attached to this file.


Care has been taken to make sure it fails as early as possible if any errors occur. Checksums and version checks are applied all the time, before and after patching. A backup copy of the appEntry is made onto the usb drive. Only if all checks pass does the actual appEntry get replaced. You will have ssh access whenever you start the patch (until the next reboot). The patching process is very inefficient, but reliable. Do not worry, it takes around 5 minutes to apply all the patches.

Afterwards, you can just reboot the scope (you will be asked to do so) and you are done. (Files are synced to nand, so do not worry about corruption).  Since GEL is not an allowed forum extension, just rename the file.


I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
Sure, an upgrade is just a shell script like any other. Under linux you can modify used files. No issue here.

the SSH patch works, but the "-fullopt" in start.sh does not bring any extension
That is because you need to additionally patch the scope. See this post.

EDIT2: File has been changed to use the usb drive for intermediate storage of the patched files. Makes it faster also. My slow usb drive gives around 2 minutes update time.
EDIT3: It currently looks like the rigol firmware upgrade (not the patch) can damage your calibration data, and self-calibration will not fix this. So for now, I recommend you ssh into your scope and back up the /rigol/data/*.hex files. If you have issues afterwards, just copy them back. Self-calibration should work then.
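
The safeguards described in the posts above (hash the whole binary before touching it, check the bytes being replaced, keep a backup, verify again afterwards, then swap the file in) shown with `dd` as an added example; it is not the script attached to the thread. All function names, file names, byte values and offsets are constructed for the demo and do not come from the firmware.

```shell
#!/bin/sh
# Added example: hash-gated, context-checked byte patching with dd.
# File names, contents and offsets are constructed for the demo.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# bytes_at FILE OFFSET COUNT: lowercase hex of COUNT bytes starting at OFFSET.
bytes_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# write_hex FILE OFFSET HEX: overwrite bytes in place (conv=notrunc keeps the rest).
write_hex() {
    hex=$3 fmt=
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}                      # first two hex digits
        hex=${hex#??}
        fmt="$fmt\\$(printf '%03o' "0x$byte")"       # as a printf octal escape
    done
    printf "$fmt" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# apply_patch TARGET SHA_BEFORE SHA_AFTER WORKDIR OFFSET:OLDHEX:NEWHEX...
# Any failed check returns non-zero and leaves TARGET untouched.
apply_patch() {
    target=$1 before=$2 after=$3 workdir=$4
    shift 4
    name=$(basename "$target")
    # 1. Only the exact build the patch was made for is accepted.
    [ "$(sha256_of "$target")" = "$before" ] || { echo "unexpected version" >&2; return 1; }
    # 2. Keep a backup and edit a working copy off the target filesystem.
    cp -p "$target" "$workdir/$name.orig" || return 2
    cp -p "$target" "$workdir/$name.work" || return 2
    for spec in "$@"; do
        off=${spec%%:*}; rest=${spec#*:}; old=${rest%%:*}; new=${rest#*:}
        case "$old$new" in *[!0-9a-f]*|"") return 2 ;; esac
        [ ${#old} -eq ${#new} ] && [ $(( ${#old} % 2 )) -eq 0 ] || return 2
        # 3. The bytes being replaced must be the ones the patch expects.
        if [ "$(bytes_at "$workdir/$name.work" "$off" $(( ${#old} / 2 )))" != "$old" ]; then
            echo "context mismatch at offset $off" >&2
            rm -f "$workdir/$name.work"
            return 3
        fi
        write_hex "$workdir/$name.work" "$off" "$new" || return 2
    done
    # 4. The result must be byte-identical to the publisher's patched build.
    [ "$(sha256_of "$workdir/$name.work")" = "$after" ] || { rm -f "$workdir/$name.work"; return 4; }
    # 5. Copy beside the target, flush, then rename: rename is atomic within
    #    one filesystem, so a power cut leaves either the old or the new file.
    cp -p "$workdir/$name.work" "$target.new" && sync && mv "$target.new" "$target"
}

# Constructed 16-byte stand-in for a binary, plus the publisher's reference result.
demo_setup() {
    DEMO="${TMPDIR:-/tmp}/patchdemo.$$"
    rm -rf "$DEMO"; mkdir -p "$DEMO/work"
    printf 'HDR\000v1.04\000\001\002\003\004\005\006' > "$DEMO/app.bin"
    printf 'HDR\000v1.04\000\001\377\376\004\005\006' > "$DEMO/ref.bin"
    BEFORE=$(sha256_of "$DEMO/app.bin")
    AFTER=$(sha256_of "$DEMO/ref.bin")
}

demo_setup
apply_patch "$DEMO/app.bin" "$BEFORE" "$AFTER" "$DEMO/work" 11:0203:fffe && echo "patched and verified"
```

Pointing the work directory at a tmpfs or a USB drive keeps the intermediate copies off the NAND, so only the final copy and rename touch flash.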
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 10:08:49 am
Do not worry, it takes around 5 minutes to apply all the patches.

5 mins???? Are you mining in between???  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 10:11:21 am
Do not worry, it takes around 5 minutes to apply all the patches.

5 mins???? Are you mining in between???  :-DD

Good idea :-D, but no. The easiest solution i found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 02, 2019, 10:13:02 am
Very nicely done! Thank you so much for your work!   :D

One more thing that we should look for is whether the device contacts rigol when it's connected to the internet and possibly transfers the S/N and licenses. I didn't find anything yet in the appEntry.
At least when checking for an update it doesn't transmit anything else.

Again, nice work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 10:16:28 am
One more thing that we should look for is whether the device contacts rigol when it's connected to the internet and possibly transfers the S/N and licenses. I didn't find anything yet in the appEntry.
At least when checking for an update it doesn't transmit anything else.

Thank you! You are the reason I did my first binary patch.  :popcorn:

I also looked for that, and did not see anything. As you said, the update procedure looks rather sane, and I did not see any other obvious strings. We could probably add a host entry to prevent it from contacting rigol...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 10:17:56 am
Patch the domain string.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 02, 2019, 10:18:07 am
I would guess so. Still waiting for the scope to be delivered. You can also use oliv3r's packer I think: https://gitlab.com/riglol/rigolee/#gel-packer
But I'm not sure if this is tested at all.
It was only tested to generate small GEL files that do, for example, backup the calibration partition etc. using the scripts here; https://gitlab.com/riglol/rigolee/tree/MSO5000/target
You simply build a GEL file by using one of the scripts as the update script. They have been tried and used, but not tested and validated :)

Yes, 00.01.01.02.06 was the first version having the start of the ssh daemon commited away in /etc/init.d/rcS
You could try an earlier version or be the first person to try oliv3r's packer  :D
Or did someone already test the packaging function?

EDIT: Oh okay, I guess downgrading is not possible?

You can downgrade, but you have to fake the version number.

|O Anyways. I don't know if downgrading is a good idea with calibration data and such. I think i also saw a check against it in fw4linux.sh.

oliv3r's packer will only do the firmware flash encryption (so i could batch out the downgrade stop). It will not generate the image files etc.

No, it will generate GEL update files. It will not however, generate filesystem images (such as initramfs and ubifs). It is afterall only a packer :)

@Oliv3r, I had to add --owner=rigolee --group=rigolee to the tar commands.
Sure, but why? Then again, I've only run the scripts so far, so the change does seem sensible of course.

So next step is to pack the rootfs/rigol folder as an UBIFS image
Yeah, but that's a little trickier with the permissions, git doesn't like the users much. I do add them with the proper permissions I think (root:root 600 for example) but haven't checked what happens to this on check-out.

So generating an accurate ubifs would be harder (but far from impossible :)

This means hacking is now as easy as inserting a USB key and pressing "Go!" (or whatever it says on screen).

No need to mess around with SSH or Vi.

Once we can create the update files. I'm not the best in shell scripts, so somebody else might be faster. Oliv3r?

I've written the packer a few months ago :p and posted links here; nobody took up the challenge to write scripts to do these things :) (such as adding the -fullopt for example, and now patching the appEntry).

I hadn't gotten around to doing it myself yet; and probably not going to yet. I probably will add a 'start ssh' update :)

Thank you!
So packaging should be possible with:
Code: [Select]
mkfs.ubifs -m 2048 -e 128KiB -c 800 -r /rootfs/rigol app.img
Not sure about the compression type (-x param)..
Then gzip it and run oliv3r's script. Can't try it till tomorrow though..

Sure, but why would you want to? You can also just add the patched appEntry; and write a simple update script that does 'cp appEntry /rigol/appEntry' no? :)

With regards to ubifs, i did use one of those python ubi unpackers. So repacking it with the same tool should be possible. A version check should be added though (md5sum of the original file) as you otherwise overwrite 'any' version.

I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
Should work just fine, the file is read into memory and executed from there. App-entry should never try to rewrite itself anyway. So copy file, reboot scope, profit :)

Good idea :-D, but no. The easiest solution i found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.
Little sledge-hammer method. Just be sure not to write the HEX file to the NAND filesystem. NAND is already super sensitive to wear and tear. Writing so much data just for the patch, just wears the NAND unnecessarily. Write to tmpfs/ramfs instead. (/ and probably /tmp should be ramfs).

BUT monday/tuesday I should finally receive my own scope. Now if someone can free up some time on my calendar :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 10:20:57 am
The easiest solution i found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.

Use dd as luma suggested. It should work beautifully and cleanly.

Nonetheless, "it will cut!".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 10:28:40 am
BUT monday/tuesday I should finally receive my own scope. Now if someone can free up some time on my calendar :D

How I missed an Olliver's analysis...   :popcorn:

Good point about NAND wearout!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 10:40:43 am
Good idea :-D, but no. The easiest solution i found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.
Little sledge-hammer method. Just be sure not to write the HEX file to the NAND filesystem. NAND is already super sensitive to wear and tear. Writing so much data just for the patch, just wears the NAND unnecessarily. Write to tmpfs/ramfs instead. (/ and probably /tmp should be ramfs).

I indeed wrote to /user/ NAND, since the file is very big. I did not assume it to be *that* sensitive. But to alleviate your fear, i moved it to the USB drive now. Thanks for the hint!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 02, 2019, 10:44:33 am
Write to tmpfs/ramfs instead. (/ and probably /tmp should be ramfs).

Question: How much free 'disk' and RAM have these things got?

I'd have thought it would be just enough for the firmware plus a bit extra, but here we are using up megabytes of space for temporary files, etc., as if it has no limit.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 10:47:42 am
Question: How much free 'disk' and RAM have these things got?


Code: [Select]
<root@rigol>df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                31.0M     21.8M      9.2M  70% /
devtmpfs                213.6M         0    213.6M   0% /dev
none                    100.0M    292.0K     99.7M   0% /tmp
/dev/ubi6_0              85.1M     71.1M     14.1M  83% /rigol
/dev/ubi1_0              37.2M    244.0K     35.0M   1% /rigol/data
/dev/ubi12_0            516.6M      1.6M    510.4M   0% /user


<root@rigol>free -m
             total         used         free       shared      buffers
Mem:           437          154          283            0            0
-/+ buffers:                153          283
Swap:            0            0            0
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 10:53:42 am
NAND map
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 12:27:28 pm
Btw, the appEntry also seems to have support for (jitter) eye diagrams..

The patch enables "Power analyzer", "Eye trigger" and "jitter" in the measurement analyze menu. Previously -fullopt still had one additional check, which I bypassed too. Would be interesting if these also exist with the old fullopt command.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 01:36:30 pm
The patch enables "Power analyzer", "Eye trigger" and "jitter" in the measurement analyze menu. Previously -fullopt still had one additional check, which I bypassed too.

That isn't correct. fullopt had no further checks. It enabled all the Options.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2019, 02:07:48 pm
The patch enables "Power analyzer", "Eye trigger" and "jitter" in the measurement analyze menu. Previously -fullopt still had one additional check, which I bypassed too.

That isn't correct. fullopt had no further checks. It enabled all the Options.

I meant the previous ifs surrounding it, which I did not know what they did. Nice decompiled code btw. Is that IDA then? I'm still learning here. Btw. The function at 0x3d898c looks interesting too, exports readable calibration data to the usb drive. No idea how to call into it though...

EDIT: Looks to me like the addition codes for option 6 & 18 check for hardware features like LA and WG. So bypassing them should not matter since currently all scopes have all features.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 02, 2019, 02:38:14 pm
Code: [Select]
<root@rigol>df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                31.0M     21.8M      9.2M  70% /
devtmpfs                213.6M         0    213.6M   0% /dev
none                    100.0M    292.0K     99.7M   0% /tmp
/dev/ubi6_0              85.1M     71.1M     14.1M  83% /rigol
/dev/ubi1_0              37.2M    244.0K     35.0M   1% /rigol/data
/dev/ubi12_0            516.6M      1.6M    510.4M   0% /user


<root@rigol>free -m
             total         used         free       shared      buffers
Mem:           437          154          283            0            0
-/+ buffers:                153          283
Swap:            0            0            0

Much more free space/RAM than is in use!  :D  :-+

(...although a single 400Mb memory dump could use up most of that /user partition)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: orion242 on March 02, 2019, 03:47:30 pm
Thanks to all the guys that keep making this a great buy!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 02, 2019, 03:52:50 pm
For when people brick their scopes there is an easy way to recover them...

Serial port is disabled in the latest version so no playing about with Uboot now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: offmar on March 02, 2019, 04:40:49 pm
For when people brick their scopes there is an easy way to recover them...

Serial port is disabled in the latest version so no playing about with Uboot now.

How do you enter into that menu?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 05:05:08 pm
How do you enter into that menu?

"Not married" key while ubooting.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justanothername on March 02, 2019, 05:24:17 pm
After that, apply the update attached to this file.

Has anyone done this already without the need of re-calibration? I seem to be one of the lucky ones with no overcompensation on any channel and I've read that after re-calibration overcompensation will occur.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on March 02, 2019, 06:05:28 pm
Did they do a U-Boot update from inside Linux? Or why is serial disabled?
This is bad.. If you brick anything you can't recover it even by opening the case 😔 we should try to re-enable serial with our "unofficial" update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 02, 2019, 06:07:58 pm
Quote
I seem to be one of the lucky ones with no overcompensation on any channel and I've read that after re-calibration overcompensation will occur.

In my case, I´m a lucky one too, I did the firmware upgrade, after this a selfcal - And everything went fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2019, 06:25:22 pm
Uboot commands.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on March 02, 2019, 06:56:23 pm
I'm not familiar with uboot, more with barebox.
What is boot from Gold-Finger? Is it a common uboot command or Rigol specific?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 02, 2019, 08:47:46 pm
Did they do a U-Boot update from inside Linux? Or why is serial disabled?
This is bad.. If you brick anything you can't recover it even by opening the case 😔 we should try to re-enable serial with our "unofficial" update.

Serial is disabled immediately after the 'Hit any key' prompt, so you can still enter uboot at that point. Not available when the scope is up and running though.

You can always use the secret menu to reinstall scope firmware. That secret menu allows you to downgrade as well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on March 02, 2019, 08:52:32 pm
Ah okay. I interpreted your post like they disabled serial completely (muxing not done or so on).
Which one is the "Not married" key?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on March 02, 2019, 09:09:17 pm
LOL  man, when you are not married that means you are SINGLE....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on March 02, 2019, 09:12:14 pm
Okay got it. I read it in English and thought in German... Sometimes it's hard...  :palm: |O


I even googled for "not married key" and was confused by the results. Thought it was an English name for some special sign on a key...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on March 02, 2019, 09:24:17 pm
Okay got it. I read it in English and thought in German... Sometimes it's hard...  :palm: |O

Yep foreign language to me too...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: helmy on March 03, 2019, 04:17:03 am
The patch enables "Power analyzer", "Eye trigger" and "jitter" in the measurement analyze menu. Previously -fullopt still had one additional check, which I bypassed too.

That isn't correct. fullopt had no further checks. It enabled all the Options.
Would you please share how you arrived at this nicely decompiled code? I tried using IDA Pro v7 and didn't get that nice a result!
What does get_IsUsbKey_Ready() do?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 03, 2019, 08:46:27 am
Would you please share how you arrived at this nicely decompiled code? I tried using IDA Pro v7 and didn't get that nice a result!
What does get_IsUsbKey_Ready() do?

As a matter of fact, it's IDA 6 but you should get it with IDA 7 also.

That check is precisely where they verify the insertion of the USB Rigol's Vendor Disk. If it's detected they would automatically license all the Options 6 to 25, while the Disk is inserted. This feature has been removed in the new FW.

Code: [Select]
00    "BW1T2"           DS7000
01    "BW1T3"           DS7000
02    "BW1T5"           DS7000
03    "BW2T3"           DS7000
04    "BW2T5"           DS7000
05    "BW3T5"           DS7000
06    "MSO"   (LA)
07    "2RL"    MSO5000  DS7000
08    "5RL"             DS7000
09    "BND"    = COMP + EMBD + AUTO + FLEX + AUDIO + AERO + PWR + AWG
10    "COMP"   MSO5000  DS7000
11    "EMBD"   MSO5000  DS7000
12    "AUTO"   MSO5000  DS7000
13    "FLEX"   MSO5000  DS7000
14    "AUDIO"  MSO5000  DS7000
15    "SENSOR"
16    "AERO"   MSO5000  DS7000
17    "ARINC"
18    "AWG"    MSO5000  (DG)
19    "JITTER"
20    "MASK"
21    "PWR"    MSO5000  DS7000
22    "DVM"
23    "CTR"
24    "EDK"
25    "4CH"
26    "BW07T1" MSO5000
27    "BW07T2" MSO5000
28    "BW07T3" MSO5000
29    "BW07T5"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 03, 2019, 12:13:01 pm
How do you enter into that menu?

"Not married" key while ubooting.

So ... the 'scope keeps a copy of the factory-installed firmware somewhere, and you can restore it by pressing a button at startup?

That's awesome if true. It means hacking new firmwares is risk-free.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 03, 2019, 12:16:13 pm

So ... the 'scope keeps a copy of the factory-installed firmware somewhere, and you can restore it by pressing a button at startup?

That's awesome if true. It means hacking new firmwares is risk-free.

No. It just restores default scope settings.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 03, 2019, 06:34:49 pm
|O Anyways. I don't know if downgrading is a good idea with calibration data and such.

I wanted to first backup the calibration data.

Ummm... isn't that what self-cal is for - to generate some new data?  :popcorn:

It turns out that the new firmware has trouble with auto-calibration. Using my backed-up calibration files the spikes also reported by others are gone  :popcorn:

EDIT: See also here (https://www.eevblog.com/forum/blog/new-rigol-scope/msg2238324/#msg2238324)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 03, 2019, 08:04:53 pm
Ummm... isn't that what self-cal is for - to generate some new data?  :popcorn:

It turns out that the new firmware has trouble with auto-calibration. Using my backed-up calibration files the spikes also reported by others are gone  :popcorn:

EDIT: See also here (https://www.eevblog.com/forum/blog/new-rigol-scope/msg2238324/#msg2238324)

Let's hope our friend with contacts at Rigol can pass that information along to them...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on March 03, 2019, 11:47:30 pm
Anyone have a negative experience with the patch?  If not I’ll try it in a couple of hrs...

-Stan
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on March 04, 2019, 05:51:13 am
OK,

My experience.

I have a 5072 - so I had a lot to lose by upgrading...  I put a FAT32 formatted flash drive in and copied the calibration data.  Just in case...

Just a note - moving the drive between the Rigol and the PC was not a happy thing.  Win10 almost always has an issue with the drive after being in the scope.

I put the 01.01.04.04 firmware on the drive and the scope said it was corrupted....  Reformatted the drive, reloaded the firmware - all was well and it updated to 01.01.04.04.

As reported - I lost 2 channels, the AWGs....  Interestingly enough, in the acquisition menu it still showed 200M, but when changed - the 200M option disappeared.

I played with the SSH enable .GEL.  Upon installing - my scope always says it's corrupt.  Tried and re-tried many times.  I finally checked, after it failed - and sure enough - it was working.  So maybe the corrupt file warning is normal for this patch?  I have not tried to go in and make it permanent - it appears that the patch just turns it on for this boot...

The patch for the license...  I reformatted the drive again, Put the file on the USB drive, and selected it on the scope.  No errors - it updated perfectly.  Then it asked me to reboot - which I did......

My scope is back...!!!!  All 4 channels, the 2 AWGs, 200M samples.  I went to the license page - looks just as shown -- all enabled and permanent.

So bottom line - it worked here although I have some more work to do to make SSH on permanently.

FYI...

-Stan
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 04, 2019, 06:00:28 am
As reported - I lost 2 channels, the AWGs....  Interestingly enough, in the acquisition menu it still showed 200M, but when changed - the 200M option disappeared.

Yes, I also noted that my license files were gone after upgrade. But who cares, truly  >:D

I played with the SSH enable .GEL.  Upon installing - my scope always says it's corrupt.  Tried and re-tried many times.  I finally checked, after it failed - and sure enough - it was working.  So maybe the corrupt file warning is normal for this patch?  I have not tried to go in and make it permanent - it appears that the patch just turns it on for this boot...

True, this is by design. I've added a warning to the post. I somehow like how ssh is only there if I truly need it. I find no need to make it permanent.

The patch for the license...  I reformatted the drive again, Put the file on the USB drive, and selected it on the scope.  No errors - it updated perfectly.  Then it asked me to reboot - which I did......

My scope is back...!!!!  All 4 channels, the 2 AWGs, 200M samples.  I went to the license page - looks just as shown -- all enabled and permanent.
:phew: First confirmed successful patch after my scope. Nice!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KeBeNe on March 04, 2019, 06:15:13 am
The patch from Mable works here without problems :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: The Doktor on March 04, 2019, 07:53:17 am
I'm not much of a Linux guru. How do I back up my calibration data, and how do I restore it after upgrade/patch?

Ed
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 04, 2019, 09:26:20 am
I'm not much of a Linux guru. How do I back up my calibration data, and how do I restore it after upgrade/patch?

Creating a backup (copying all files including licences to be sure)
Code: [Select]
mkdir /media/sda1/calib_backup
cp -v /rigol/data/* /media/sda1/calib_backup
sync

Copying back the calibration (Only the calibration files)
Code: [Select]
cp -v /media/sda1/calib_backup/*.hex /rigol/data/
sync
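
The backup and restore commands above, extended with an integrity check so that a USB stick that was corrupted between the scope and a PC is caught before anything is copied back. This is an added example, not part of mabl's post or of Rigol's tooling; the function names, the SHA256SUMS manifest and the availability of sha256sum on the scope are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verified backup/restore of calibration data.
# /rigol/data and /media/sda1 come from the posts above; the manifest name, the
# function names and the presence of sha256sum on the scope are assumptions.
# Usage: sh <this-script> backup | verify | restore

MANIFEST=SHA256SUMS

# Print a "hash  name" line for every regular file in directory $1.
make_manifest() {
    (
        cd "$1" || exit 1
        for f in *; do
            [ -f "$f" ] || continue
            [ "$f" = "$MANIFEST" ] && continue
            sha256sum "$f" || exit 1
        done
    )
}

# Succeed only if every file listed in $1/SHA256SUMS is present and unchanged.
verify_backup() {
    [ -s "$1/$MANIFEST" ] || { echo "missing manifest in $1" >&2; return 1; }
    ( cd "$1" && sha256sum -c "$MANIFEST" >/dev/null 2>&1 )
}

# Copy all regular files from $1 to a new directory $2, then verify the copy.
backup_cal() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    # Never overwrite an older backup: it may be the only good one.
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # Hash the source first, so the copy is checked against the originals.
    make_manifest "$src" > "$dest/$MANIFEST" || return 1
    [ -s "$dest/$MANIFEST" ] || { echo "nothing to back up in $src" >&2; return 1; }
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$dest"/ || return 1
    done
    sync    # flush to the USB stick before it is pulled
    verify_backup "$dest"
}

# Restore only the *.hex calibration files from backup $1 into $2,
# and only if the whole backup still matches its manifest.
restore_cal() {
    bak=$(cd "$1" 2>/dev/null && pwd) || { echo "no such backup: $1" >&2; return 1; }
    dest=$2
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }
    verify_backup "$bak" || { echo "backup failed verification, not restoring" >&2; return 1; }
    hexlist=$(grep '\.hex$' "$bak/$MANIFEST") || {
        echo "backup lists no .hex calibration files" >&2; return 1; }
    # Copy exactly the files the manifest names, nothing that was added later.
    printf '%s\n' "$hexlist" | sed 's/^[0-9a-f]*  //' | while IFS= read -r name; do
        cp "$bak/$name" "$dest"/ || exit 1
    done || return 1
    sync
    # Confirm what landed in the destination matches the recorded hashes.
    ( cd "$dest" && printf '%s\n' "$hexlist" | sha256sum -c - >/dev/null 2>&1 )
}

# Command-line entry point; does nothing when no command is given.
case "${1:-}" in
    backup)  backup_cal    "${2:-/rigol/data}" "${3:-/media/sda1/calib_backup}" ;;
    verify)  verify_backup "${2:-/media/sda1/calib_backup}" ;;
    restore) restore_cal   "${2:-/media/sda1/calib_backup}" "${3:-/rigol/data}" ;;
esac
```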
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ttt on March 04, 2019, 10:00:18 pm
Another success story here using mabl's patches with a MSO5074 fresh out of the box, delivered today by UPS. Firmware I got out of the box is 00.01.01.04.04.

To be on the safe side I first made a backup of the entire /rigol folder using the SSH only .GEL patch:

> scp -r root@mso5000.local.lan:/rigol ./

SSH password is 'Rigol201' in case this got lost again, had a hard time finding this in all the posts...

After that I applied the second patch. Of note is that I had to rename 'DS5000Update_patch_01_01_04_04_usb.GEL' to 'DS5000Update.GEL', otherwise it would not detect the upgrade file.

Scope is now fully unlocked. No issues with calibration.

Awesome work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on March 04, 2019, 11:00:58 pm
An interesting note regarding the overshoots with help from Mabl.

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2241315/#msg2241315

TLDR, copied known working cal from Mabl, tried on scope with bad overshoots running 02.03 firmware. Overshoots gone. "Magic"  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 04, 2019, 11:25:42 pm
mabl,

Please include in your script before the

linux_checkPackage;
linux_checkHeader;

the command:

cp -vrf /rigol/data  /media/sda1/data/

so that everybody gets a backup of their /data directory without further troubles.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: guypayeur on March 05, 2019, 05:45:39 am
Another MSO5074 patched OK (from 01.01.02.03)
Perfect first time, no problem with usb drive using SanDisk 4Go.
Did a backup of my calibration files as suggested, but not sure what to do with them beside a downgrading if needed.
Currently running a selfcal for the first time.
Should I see some diff between calibration files after selfcal?

Here are the steps I did:
ssh local_ip_address using user=root password=root

mkdir /media/sda1/calib_backup
cp -v /rigol/data/* /media/sda1/calib_backup
sync

copy DS5000Update_01.01.04.04.GEL to usb drive (official update)
rename DS5000Update_01.01.04.04.GEL to DS5000Update.GEL
perform a scope local upgrade from the usb drive
scope hard restart

delete DS5000Update.GEL from usb drive
copy DS5000Update_patch_01_01_04_04_usb.GEL to usb drive (patch update)
rename DS5000Update_patch_01_01_04_04_usb.GEL to DS5000Update.GEL
perform a scope local upgrade from the usb drive
scope hard restart

delete DS5000Update.GEL from usb drive (so you be ready for the next upgrade/patch  :popcorn:)

You are done

Thanks for all the hard work doing this patch
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on March 05, 2019, 02:39:14 pm
Hello to Everyone!

First a Big Thank you to mabl! for his excellent job and great contribution to the community.
My scope came with 01.01.02.03 firmware. Fortunately mine (from batterfly.com) was without any overshoots or what so ever on all 4 channels even after selfcal procedure.

After upgrading the firmware (prior to that I’ve made a backup) to 01.01.04.04, I found that the calibration files didn’t change at all and everything remains perfect. Even though I’ve made a calibration with the new firmware and noticed that in the window (before starting the calibration) was displayed the date of my previous calibration. Lucky for me this calibration went flawlessly and didn’t change any of the 4 channels - everything remains as flat as it was.

These are my “lfcal.hex” before and after - which interestingly enough in my case are the SAME. May be they are something unit specific.

- some screenshots 1) before, 2) after upgrade with previous calibration and 3) after upgrade with new calibration.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on March 05, 2019, 02:42:47 pm
Followed guypayeur's steps this morning and the upgrade went through without problems.  :-+  My scope exhibits a slight overshoot on a 10x probe and it is still there after.

The readme on the v00.01.01.04.04 firmware has this entry " - Reduced the noise amplitude of the waveform. "   A definite improvement on my scope.  Before the upgrade my scope showed 2.5 minor divisions of noise even with the persistence set to min and intensity to 1.  With the new firmware it is about 1 minor division.  Super happy with the change

After the update patch I rebooted and then went to adjust the Persistence and Intensity.  The Intensity button was grayed out and unresponsive(!)  I pressed the Default button and the Intensity button function is restored.  Whew

Thanks again to all who worked on this and especially to Mabl for the patch!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kwinz on March 05, 2019, 03:29:37 pm
I ordered an MSO5074 at the beginning of February from my distributor, supposed to be delivered end of February.
Now they say they won't be restocked by Rigol until end of March.

I am afraid when they are restocked it will be with patched firmware scopes....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on March 05, 2019, 04:13:11 pm
I ordered an MSO5074 at the beginning of February from my distributor, supposed to be delivered end of February.
Now they say they won't be restocked by Rigol until end of March.

I am afraid when they are restocked it will be with patched firmware scopes....

If you can cancel your order batterfly . com have them in stock right now, I've bought mine from there and was sent on the next day with free shipping
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eddiea6987 on March 05, 2019, 07:15:44 pm
would this enable the logic analyzer? so i can pick up some probes?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 05, 2019, 07:27:33 pm
would this enable the logic analyzer? so i can pick up some probes?

It doesn’t need a licence or a hack to enable it, just the probes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 05, 2019, 07:29:37 pm
So bottom line - it worked here although I have some more work to do to make SSH on permanently.
SSH is enabled/disabled via /etc/init.d/rcS which is stored in the initramfs of the linux system. So every change there will be non-permanent.

You can best however add it to /rigol/shell/start.sh somewhere at the top (before appEntry starts). I'm fairly certain that you don't need to background it; so all that is needed:
Code: [Select]
#!/bin/sh

/usr/sbin/sshd

export QTDIR=/rigol/Qt5.5

is what you'd need to do. Note that if you make a mistake here, you will have to re-install the firmware to undo this change :) (but I'm 99.9% certain that this will be fine)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dren.dk on March 05, 2019, 07:49:26 pm
The Rigol LA probe is a bit spendy, so I designed my own: https://gitlab.com/dren.dk/mso5k-la-pod

Actually others have done the same in this thread:
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/new/?topicseen#new

My parts just shipped from Mouser, so I expect to have three working LA probe sets done next week or so.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eddiea6987 on March 05, 2019, 09:01:47 pm
The Rigol LA probe is a bit spendy, so I designed my own: https://gitlab.com/dren.dk/mso5k-la-pod

Actually others have done the same in this thread:
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/new/?topicseen#new

My parts just shipped from Mouser, so I expect to have three working LA probe sets done next week or so.

Now that is good!! The question is what are the chances that if I order a scope right now, this hack will work. I get a student discount on Tequipment and I was thinking of ordering an MSO5000 70 MHz 2 channels, comes out to 798, but they do not have any in stock. I would definitely be getting something fresh from the factory, which again poses the question: what are the odds of this working? I personally always believed it was a marketing ploy, because the other Rigol never got patched. I also have Rohde and Schwarz selling me an RTB2004 upgraded to 100 MHz and 4 channels for $1700. That thing is sexy and I'm sure has bugs worked out by now. What to do, what to do...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Old Printer on March 05, 2019, 10:01:15 pm


Thought is to pay the extra $100 and get the 4 channels from the factory to have the second 2 channels under warranty.

 R&S vs Rigol, you're on your own.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 05, 2019, 10:13:11 pm
We should discuss this not in the hacking thread, better there:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2245224/#msg2245224

I´m already confused enough following the guys here as far as the hacking is concerned.. ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on March 05, 2019, 10:50:55 pm
....
After upgrading the firmware (prior to that I’ve made a backup) to 01.01.04.04, I found that the calibration files didn’t change at all and everything remains perfect. Even though I’ve made a calibration with the new firmware and noticed that in the window (before starting the calibration) was displayed the date of my previous calibration. Lucky for me this calibration went flawlessly and didn’t change any of the 4 channels - everything remains as flat as it was.

These are my “lfcal.hex” before and after - which interestingly enough in my case are the SAME. May be they are something unit specific.

- some screenshots 1) before, 2) after upgrade with previous calibration and 3) after upgrade with new calibration.

Beginning to think we're dealing with a low freq factory cal file done on a Friday afternoon, and this pretty much seals it for me (short of looking at the disassembly) that it's not something auto cal touches.

The thing I'd wonder, is if there's a factory menu or tool that can be used hidden on the scope somewhere, or if it's some special firmware we'll never get. Calibration references are no problem to get a hold of, so it's especially frustrating that it's seemingly a cal file behind all of it.....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on March 05, 2019, 11:26:29 pm
Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eddiea6987 on March 06, 2019, 04:51:28 am
Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

I was just wondering how far back I would have to go to find a link to the files mentioned and what are the proper steps.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 06, 2019, 05:00:54 am
Beginning to think we're dealing with a low freq factory cal file done on a Friday afternoon, and this pretty much seals it for me (short of looking at the disassembly) that it's not something auto cal touches.

The thing I'd wonder, is if there's a factory menu or tool that can be used hidden on the scope somewhere, or if it's some special firmware we'll never get. Calibration references are no problem to get a hold of, so it's especially frustrating that it's seemingly a cal file behind all of it.....

a) It might be done by characterizing the front end using test points on the PCB before assembly/firmware even enters into it.
b) They can't write firmware based on a user-supplied test signal with unknown characteristics
c) They can't add a menu item that could potentially mess up the 'scope (and cause idiots to send it back under "warranty")
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joeyjoejoe on March 06, 2019, 05:28:17 pm
Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 06, 2019, 06:06:20 pm
Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.

I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I'm sure a new thread can be started for that so that people can endlessly post "Does this still work?"


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: iMo on March 06, 2019, 06:26:04 pm
Is this great effort somehow applicable to the DS7000 as well??
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 06, 2019, 06:38:58 pm
Is this great effort somehow applicable to the DS7000 as well??

Google says:

"Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory..."

From earlier in this thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 06, 2019, 07:13:31 pm
"Tried this with our DS7014, now has full 500MHz bandwidth and 500M memory..."

I'm pretty sure the sshd hack would also work on these scopes, once they have ssh disabled. Patching them should also not be an issue. I looked already, but could not find a GEL of the DS7000...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 06, 2019, 07:28:10 pm
Hey mabl and other members,

Thanks for all the great information shared, one question I have is for whatever reason if I need to back out the patch to restore to official firmware state, is there a tested process to do that?  Is it just to reapply the official update, or is there more?

I read the serial number could be lost after the patch, if I restore to official firmware state, then is the serial number restored? 

Thanks in advance for your help.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 06, 2019, 07:32:45 pm
I read the serial number could be lost after the patch, if I restore to official firmware state, then is the serial number restored? 
Serial number is saved in /rigol/data together with the calibration data. Once you lose that, you lose it, I think.

If I have is for whatever reason if I need to back out the patch to restore to official firmware state, is there a tested process to do that?  Is it just to reapply the official update, or is there more?

Either manually copy back appEntry over ssh, or flash the original firmware. I'm not sure if there is a patch against same-version flashing though. Could potentially be patched out, though.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 06, 2019, 07:36:53 pm
Secret menu allows installing any version, even previous ones.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 06, 2019, 07:37:02 pm
It would be really nice if in the same process, the script also provides an option to backup the calibration data, and optionally the entire scope data to the USB. 

Then followed by another option to restore calibration data only, or the entire scope data before the patch.

This will allow flexibility for a full rollback in case something went wrong in the patch process.

I know that is a lot of extra work in scripting, but as a solution architect for 30 years, such capability has always been invaluable when disaster strikes on numerous upgrades I have been involved in.  Sorry if it is too much to ask  ;D as I am not a developer.

Thanks in advance for all the great work done by the members of this wonderful community.

Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.

I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I'm sure a new thread can be started for that so that people can endlessly post "Does this still work?"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 06, 2019, 11:21:06 pm
Using the matching antique toolchain https://github.com/qiupq/Xilinx-Compile-Tools-Sourcery-CodeBench, I now have bspatch, lua and an adapted version of fbpad running on my scope.

This is rather convenient, since now we can output info messages onto the screen while being able to use a "proper" programming language (instead of /bin/ash)  :scared:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 12:30:59 am
Dear all, I have prepared a generic launcher, which will run another script on the flash drive, called run.sh. From this environment, one has access to bspatch and lua. The output of the script will be redirected to a virtual terminal on the framebuffer. So you will be able to see the output of the script. I envision that additional lua code will enable reading the keys of the oscilloscope, such that one can interact and, say, select which type of patch one wants.

I have attached an example which just outputs text from inside lua to this file. It's not spectacular, but it gives one a place to start working without generating the binaries etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jackbob on March 07, 2019, 04:20:43 am
I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I don't think the hack is completely finished, there are still so many bugs even in the latest firmware that a new firmware release is bound to come out and may need to be re-hacked.

However, I did receive my 5074 today and it was as easy as downloading the file and inserting into the scope. It took about 45 minutes of reading through posts though. I purchased this scope over a month ago and it has been on back order. When I purchased the scope and checked the forum, the hack was as simple as SSH and editing a line in the start file. After reading through tons of off topic posts and stories I found the solution, at least as of now.

All I did to unlock the scope was
a) download and copy the file onto my fat32 formatted usb drive.
I got the file from this post https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282
(I also had to rename the file to DS5000Update.GEL)

b) plug the flash drive into the scope and run a local upgrade

c) enjoy the unlocked scope

I did not bother backing up the calibration data as my scope came with firmware version 01.01.04.04 and had a messed up calibration out of the box consistent with how others have described the calibration with the new firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 07, 2019, 05:23:13 am
That is the same procedure that I plan to follow.  Just curious, did you lose your license file after the patch update? 


I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I don't think the hack is completely finished, there are still so many bugs even in the latest firmware that a new firmware release is bound to come out and may need to be re-hacked.

However, I did receive my 5074 today and it was as easy as downloading the file and inserting into the scope. It took about 45 minutes of reading through posts though. I purchased this scope over a month ago and it has been on back order. When I purchased the scope and checked the forum, the hack was as simple as SSH and editing a line in the start file. After reading through tons of off topic posts and stories I found the solution, at least as of now.

All I did to unlock the scope was
a) download and copy the file onto my fat32 formatted usb drive.
I got the file from this post: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282
(I also had to rename the file to DS5000Update.GEL)

b) plug the flash drive into the scope and run a local upgrade

c) enjoy the unlocked scope

I did not bother backing up the calibration data as my scope came with firmware version 01.01.04.04 and had a messed up calibration out of the box consistent with how others have described the calibration with the new firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jackbob on March 07, 2019, 05:48:42 am
I did lose my license files but that doesn't bother me. I suppose if you are concerned with warranty issues you could copy them over before upgrading the firmware and restore them with an official firmware version if needed. I really doubt Rigol would refuse to work on a hacked scope. I have heard of DS1054z's coming from Rigol pre-hacked. They know what they are doing and rely on forums like this for sales. They wouldn't want a thread with the topic "Rigol refuses to service hacked scope" that would kill sales. Although Rigol's warranty service is a whole other topic.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 07, 2019, 07:29:05 am
Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.
Not wanting to toot my own horn much, but we have a wiki already :) (well not on the eevblog wiki, which we could also do) but https://gitlab.com/riglol/rigolee/firmware/ has an extensive README already on some of the things, and there's also a wiki (which lacks all the hacking details so far) https://gitlab.com/riglol/rigolee/firmware/-/wikis/home
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 07, 2019, 07:31:34 am
It would be really nice if in the same process, the script also provides an option to backup the calibration data, and optionally the entire scope data to the USB. 

Then followed by another option to restore calibration data only, or the entire scope data before the patch.

This will allow flexibility for a full rollback in case something went wrong in the patch process.

I know that is a lot of extra work in scripting, but as a solution architect for 30 years, such capability has always been invaluable when disaster strikes on numerous upgrades I have been involved in.  Sorry if it is too much to ask  ;D as I am not a developer.

Thanks in advance for all the great work done by the members of this wonderful community.

Anybody else thinking that a wiki of some sort with some instructions on what to do with this would be a good thing?  The forum is great, but finding the right bits now has got kind of hard.

Definitely. This thread is about 70% non-hacking discussion. They asked for it to be moved but that never took hold.

I don't think the hack is finished yet.

When it is it will just be "a) Download this file onto a USB stick, b) Insert stick into 'scope".

I'm sure a new thread can be started for that so that people can endlessly post "Does this still work?"

https://gitlab.com/riglol/rigolee/blob/MSO5000/target/data_backup.sh this script backs your cal data etc up. If you generate a GEL file with it using GEL Packer, you have an 'update' that does a backup.

I'll create a few gel files and upload them for general consumption soon-ish.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 08:18:33 am
Secret menu allows installing any version, even previous ones.

I did not manage to enter that secret menu using the SINGLE key. It might only work for scopes with a more recent boot loader? :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on March 07, 2019, 08:20:44 am
Initially it did not work for me the first time either.
Keep pressing "SINGLE" key at the same time as you Power On.
You should see two options at the top right corner.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 08:22:55 am
Initially it did not work for me the first time either.
Keep pressing "SINGLE" key at the same time as you Power On.
You should see two options at the top right corner.
Worked first try! Thank you!


I'm not common with uboot, more with barebox.
What is boot from Gold-Finger? Is it a common uboot command or rigol specific?

Not sure, but there is a header called GoldFinger on the scope's PCB.

EDIT: I just realized we could play the same trick again and use the secret u-boot menu to execute arbitrary u-boot commands with a fake update. Interesting  :popcorn:
EDIT2: That actually works. Nice! We can definitely unbrick any scope and even clone scopes if we liked. Very nice.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 07, 2019, 11:05:28 am
EDIT2: That actually works. Nice! We can definitely unbrick any scope and even clone scopes if we liked. Very nice.

We can make a similar replica but not a full clone...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: iMo on March 07, 2019, 11:46:09 am
Not sure, but there is a header called GoldFinger on the scope's PCB.
The GoldFinger enables the 10bit ADCs  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 07, 2019, 11:57:51 am
GoldenEye enables 12-bit...  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 12:21:07 pm

So ... the 'scope keeps a copy of the factory-installed firmware somewhere, and you can restore it by pressing a button at startup?

That's awesome if true. It means hacking new firmwares is risk-free.

No. It just restores default scope settings.

The method here seems to be setting the uboot variable bootparam to 0x44454654, this is then checked by /rigol/checkboot (returns 2 if set, 0 if not, 1 on failure to read); called from /rigol/shell/start.sh. If 2 was returned, it sets the -nonv flag for appEntry.

Note, this flag will also be set on u-boot secret menu firmware downgrade. So backup your calibration files.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on March 07, 2019, 12:24:33 pm
The method here seems to be setting the uboot variable bootparam to 0x44454654

AKA "DEFT" as in default  :-+
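The boot-time decision described in the two posts above, modelled as an added shell example (not code from the thread or from Rigol's firmware). The "name=value" environment dump, the function names and the pre-flight backup check are assumptions; the real /rigol/checkboot is a binary whose internals the thread does not show.

```shell
#!/bin/sh
# Added example: models the checkboot / start.sh decision described in the thread.
# Assumptions: the U-Boot environment is available as a "name=value" text dump
# (constructed here), and any bootparam value other than the magic counts as
# "not set". The real /rigol/checkboot internals are not shown in the thread.

DEFT_MAGIC=0x44454654

# Decode a 32-bit hex word into its four ASCII bytes, most significant first.
magic_to_ascii() {
    hex=${1#0[xX]}
    case $hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ ${#hex} -eq 8 ] || return 1
    out=""
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}
        out="$out$(printf "\\$(printf '%03o' "$((0x$byte))")")"
    done
    printf '%s' "$out"
}

# Return codes follow the post: 2 = bootparam holds the magic,
# 0 = not set, 1 = the environment could not be read.
checkboot_model() {
    env_file=$1
    [ -r "$env_file" ] || return 1
    val=$(sed -n 's/^bootparam=//p' "$env_file" | tail -n 1)
    case $val in
        0[xX]*) digits=${val#0[xX]} ;;
        *) return 0 ;;
    esac
    case $digits in ''|*[!0-9A-Fa-f]*) return 0 ;; esac
    [ ${#digits} -le 8 ] || return 0
    [ "$((0x$digits))" -eq "$(($DEFT_MAGIC))" ] && return 2
    return 0
}

# Mirror of the start.sh step: only return code 2 adds -nonv for appEntry.
app_entry_args() {
    rc=0
    checkboot_model "$1" || rc=$?
    case $rc in
        2) printf '%s' "-nonv" ;;
        0) : ;;
        *) return 1 ;;
    esac
}

# Pre-flight check (added convenience): if the next boot would run with -nonv,
# require a non-empty backup directory first, since the post advises backing up
# calibration files before a secret-menu downgrade sets the same flag.
# Returns 0 = fine to proceed, 3 = backup missing, 1 = environment unreadable.
preflight() {
    args=$(app_entry_args "$1") || return 1
    [ "$args" = "-nonv" ] || return 0
    [ -d "$2" ] && [ -n "$(ls -A "$2" 2>/dev/null)" ] && return 0
    return 3
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample environment dumps
    printf 'bootdelay=1\nbootparam=0x44454654\n' > "$tmp/env_deft.txt"
    printf 'bootdelay=1\n' > "$tmp/env_plain.txt"
    for f in env_deft.txt env_plain.txt missing.txt; do
        code=0
        checkboot_model "$tmp/$f" || code=$?
        printf '%-14s checkboot=%s appEntry args="%s"\n' \
            "$f" "$code" "$(app_entry_args "$tmp/$f" || true)"
    done
    printf 'magic %s decodes to "%s"\n' "$DEFT_MAGIC" "$(magic_to_ascii "$DEFT_MAGIC")"
    rm -rf "$tmp"
}
demo
```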
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 07, 2019, 12:26:57 pm
There is one thing important that you should remember:

Every time there is a flash to the NAND, the system switches between NAND Area-A and NAND Area-B. So, the 2 last flashes are always present in the NAND.  (look at my NAND map, some msgs earlier)

And one can even force it to switch from one to the other, manually.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 12:30:46 pm
True, I have yet to try out switching the boot system. But /rigol/data only exists once, doesn't it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FireBird on March 07, 2019, 01:53:42 pm
But /rigol/data only exists once, doesn't it?
Yepp.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nerdineer on March 07, 2019, 03:34:51 pm
Thanks to everyone who's worked on hacking this scope! Been a long time lurker on this forum and this is my first post.

Got my MSO5074 scope yesterday from Lambdaphoto and had it hacked in ~30mins. Super simple!  :)

Interestingly when you use the web interface the options list shows many with the demo time.

Cheers again!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on March 07, 2019, 03:56:47 pm
Initially it did not work for me the first time either.
Keep pressing "SINGLE" key at the same time as you Power On.
You should see two options at the top right corner.

How long did you hold the SINGLE key pressed? At what time does the menu pop up? Do I need to release it at a particular moment?

It doesn't work for me, I tried several times - my Boot: 2018.06.27

   
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on March 07, 2019, 04:03:40 pm
Initially it did not work for me the first time either.
Keep pressing "SINGLE" key at the same time as you Power On.
You should see two options at the top right corner.
How long did you hold the SINGLE key pressed? At what time does the menu pop up? Do I need to release it at a particular moment?
It doesn't work for me - my Boot: 2018.06.27

Press "SINGLE" button multiple times until you see additional menu items.
If progress bar is in the middle this indicates that you missed it - start over again (turn off & on).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on March 07, 2019, 04:11:34 pm
Initially it did not work for me the first time either.
Keep pressing "SINGLE" key at the same time as you Power On.
You should see two options at the top right corner.
How long did you hold the SINGLE key pressed? At what time does the menu pop up? Do I need to release it at a particular moment?
It doesn't work for me - my Boot: 2018.06.27


The trick is to
Press "SINGLE" button multiple times until you see additional menu items.
If progress bar is in the middle this indicates that you missed it - start over again (turn off & on).



It works from first time  :D

The trick is to press it multiple times rapidly - I was just holding it

A Big thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 05:17:26 pm
Interestingly when you use the web interface the options list shows many with the demo time.

Haha I was waiting for somebody to notice this. The check function exists twice, and I missed it back when I did the patch. Better luck next time  ;D
For now I  don't want to change the patch anymore, since it is well tested by now. Maybe I or somebody else will do one based on my lua package?   :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 07, 2019, 08:13:23 pm
Hi,
It seems that the trial time for the options on my 5074 ran out - no decoder functions available, except parallel bus (hm?)…
So I want to try the hack.
There's so much written here in the last days (and so much I don't understand), so a little summary would be nice.
What must I currently do to get the options?
Are there any risks, like this overshoot thing (which I don't have)?

A short explanation would be fine .  :)

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 08:35:51 pm
Please find a script for automatic backup of the /rigol/data directory attached. It is based on oliv3r's work, but adds status output to know things work.

EDIT: Fix to backup script to make it more reliable.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 08:48:46 pm
Current best practice:

First: You will perform a series of upgrades. These have to be done using the help menu and the DS5000Update.GEL filename. The files you download here have a .txt extension. Remove it and rename it to the proper name. Attention, Windows might just hide the .txt extension! Make sure to properly unmount your USB drive, and that there is free space left on it (<50MB).

Now:

You can get temporary SSH access by executing this upgrade (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076). The upgrade will "fail", but you will have ssh until reboot. You can use this to fix your calibration data, if truly required.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 08:54:10 pm
Are there any risks, like this overshoot thing (which I don't have)?

The risks are minimal. As long as you have done the backup, there is always a way to get back to where you are. The most important thing is probably to use a clean USB drive and unmount it properly in your computer. Even then, most actions are with checksums and will fail before doing damage.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 07, 2019, 09:01:44 pm
Thank You !  :)

I already got the 01.01.04.04 Version (and wonder, why it isn´t on the webpages of rigol U.S. or europe), will try it tomorrow.
When a new FW is there and upgraded to the scope, the hack will be gone, I guess ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 09:03:37 pm
When a new FW is there and upgraded to the scope, the hack will be gone, I guess ?
Yes. with no trace left. Somebody will need to create a new patch then.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 07, 2019, 09:20:03 pm
So it is a difference between installing the options buying - which stays forever.
It would be helpful I guess, when someone buy the option-bundle (or even one) and let the cracks having a look on it.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 07, 2019, 09:45:10 pm
So it is a difference between installing the options buying - which stays forever.
It would be helpful I guess, when someone buy the option-bundle (or even one) and let the cracks having a look on it.

Of course, real licenses are the only thing that will be future-proof...

The trial licenses that everybody has are sufficient to see how they are done. The .LIC files are basically ECDSA Signatures.

Those signatures are verified with the PubKey in KEY.DATA file.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on March 07, 2019, 09:51:20 pm
Is there a good solution to have SSH enabled on each boot?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 07, 2019, 09:53:33 pm
Is there a good solution to have SSH enabled on each boot?

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2245083/#msg2245083
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 07, 2019, 09:55:26 pm
Quote
Of course, real licenses are the only thing that will be future-proof...

If I buy the option-bundle, having you or other a look on it - I will get the 350Mhz and 200 Mpts for free and "ever" from you/them.

Deal ?  ;)

Seriously, I've been thinking about doing this for a long time, and bandwidth upgrades are too expensive....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 07, 2019, 09:59:30 pm
Hi mabl,

Thank you so much for the concise summary, much appreciated (I am sure numerous others feel the same).

One quick question, does the DS5000Update_backup.GEL also backup other data other than the calibration data?  I understand some files could be lost as part of the patch (I believe the license file being one of them, is there others?), it would be nice if this backs up all the files that could be lost so we can do a full rollback/restore if needed.

Thanks in advance.

Current best practice:

  • Note your current software version down. If it is older than 01.01.04.04 you will need to upgrade.
  • Backup your scope specific data such as calibration values. Get the DS5000Update_backup.GEL.txt from here. (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380) Rename to DS5000Update.GEL and put it on a USB drive. Execute an upgrade. You will see the scope doing a backup. Unplug the stick and make sure you have a backup in the data_backup folder on the stick.
  • If you have an older version of the firmware, download 01.01.04.04 from here (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.04.GEL). Also rename it to DS5000Update.GEL, put it on your usb drive, and upgrade.
  • Make sure you are on the 01.01.04.04 firmware in the about dialog.
  • Patch the scope to have all licenses. For that download the patch from here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282). Again rename and copy to usb drive. This time the upgrade might take a bit longer, it should ask you to reboot, if not something failed, but it is probably not fatal for your scope, no worries. Reboot.
  • Check that all licences are activated.
  • If you want, do an auto calibration and check that everything is still okay.

You can get temporary SSH access by executing this upgrade (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076). The upgrade will "fail", but you will have ssh until reboot. You can use this to fix your calibration data, if truly required.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on March 07, 2019, 10:04:58 pm
So it is a difference between installing the options buying - which stays forever.
It would be helpful I guess, when someone buy the option-bundle (or even one) and let the cracks having a look on it.

Of course, real licenses are the only thing that will be future-proof...

The trial licenses that everybody has are sufficient to see how they are done. The .LIC files are basically ECDSA Signatures.

Those signatures are verified with the PubKey in KEY.DATA file.

OK, then just patch the KEY.DATA PubKey to whatever?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 07, 2019, 10:09:44 pm
One quick question, does the DS5000Update_backup.GEL also backup other data other than the calibration data?  I understand some files could be lost as part of the patch (I believe the license file being one of them, is there others?), it would be nice if this backs up all the files that could be lost so we can do a full rollback/restore if needed.

Yes, it backs everything scope specific up, including licenses. Regarding losing things, only the actual firmware upgrade has been observed messing with it, not the license patch.

OK, then just patch the KEY.DATA PubKey to whatever?

Sure, could do. "All Roads Lead to Rome". But you will lose compatibility to original keys, and that is what you initially wanted.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on March 07, 2019, 10:10:55 pm
One quick question, does the DS5000Update_backup.GEL also backup other data other than the calibration data?  I understand some files could be lost as part of the patch (I believe the license file being one of them, is there others?), it would be nice if this backs up all the files that could be lost so we can do a full rollback/restore if needed.

Yes, it backs everything scope specific up, including licenses. Regarding losing things, only the actual firmware upgrade has been observed messing with it, not the license patch.

OK, then just patch the KEY.DATA PubKey to whatever?

Sure, could do. "All Roads Lead to Rome". But you will lose compatibility to original keys, and that is what you initially wanted.

If we get full access do we care if KEY.DATA is replaced with a bogus pubkey that we know the privkey to? As long as you can patch it back to Rigol's keypair, all's good
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 07, 2019, 10:13:56 pm
OK, then just patch the KEY.DATA PubKey to whatever?

A "special" whatever... ;)

it would be nice if this backs up all the files that could be lost so we can do a full rollback/restore if needed.

I've said this before:

The only thing that is necessary to backup is the /rigol/data directory. With that you can erase everything in the scope and recreate it from scratch.


Edit: This thread is so full of OT BS that people forget the essential. Remember:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2083927/#msg2083927
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on March 07, 2019, 10:26:14 pm
OK, then just patch the KEY.DATA PubKey to whatever?

A "special" whatever... ;)

Of course. Does anyone know the key algo that Rigol uses? Might be easier to just generate our own licenses after patching the firmware
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: peppy88 on March 08, 2019, 04:31:42 am
Current best practice:

  • Note your current software version down. If it is older than 01.01.04.04 you will need to upgrade.
  • Backup your scope specific data such as calibration values. Get the DS5000Update_backup.GEL.txt from here. (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380) Rename to DS5000Update.GEL and put it on a USB drive. Execute an upgrade. You will see the scope doing a backup. Unplug the stick and make sure you have a backup in the data_backup folder on the stick.
  • If you have an older version of the firmware, download 01.01.04.04 from here (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.04.GEL). Also rename it to DS5000Update.GEL, put it on your usb drive, and upgrade.
  • Make sure you are on the 01.01.04.04 firmware in the about dialog.
  • Patch the scope to have all licenses. For that download the patch from here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282). Again rename and copy to usb drive. This time the upgrade might take a bit longer, it should ask you to reboot, if not something failed, but it is probably not fatal for your scope, no worries. Reboot.
  • Check that all licences are activated.
  • If you want, do an auto calibration and check that everything is still okay.

You can get temporary SSH access by executing this upgrade (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076). The upgrade will "fail", but you will have ssh until reboot. You can use this to fix your calibration data, if truly required.

I've upgraded to the newest firmware but when I upload the patch (with renaming) the scope says "fail to update please check package".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on March 08, 2019, 04:36:07 am
Current best practice:

  • Note your current software version down. If it is older than 01.01.04.04 you will need to upgrade.
  • Backup your scope specific data such as calibration values. Get the DS5000Update_backup.GEL.txt from here. (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380) Rename to DS5000Update.GEL and put it on a USB drive. Execute an upgrade. You will see the scope doing a backup. Unplug the stick and make sure you have a backup in the data_backup folder on the stick.
  • If you have an older version of the firmware, download 01.01.04.04 from here (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.04.GEL). Also rename it to DS5000Update.GEL, put it on your usb drive, and upgrade.
  • Make sure you are on the 01.01.04.04 firmware in the about dialog.
  • Patch the scope to have all licenses. For that download the patch from here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282). Again rename and copy to usb drive. This time the upgrade might take a bit longer, it should ask you to reboot, if not something failed, but it is probably not fatal for your scope, no worries. Reboot.
  • Check that all licences are activated.
  • If you want, do an auto calibration and check that everything is still okay.

You can get temporary SSH access by executing this upgrade (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076). The upgrade will "fail", but you will have ssh until reboot. You can use this to fix your calibration data, if truly required.

I've upgraded to the newest firmware but when I upload the patch (with renaming) the scope says "fail to update please check package".

Did you read the last sentence? (highlighted)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 08, 2019, 06:29:19 am
I've upgraded to the newest firmware but when I upload the patch (with renaming) the scope says "fail to update please check package".

If you are talking about the license patch, this is strange. It is the first observed failure. I could only recommend trying again with a freshly FAT32 formatted usb drive. (It uses the drive as space for intermediate patching results, so there should be space.) If this does not work, you either have to wait for a new patch with better debug output on the screen, or ssh in and execute "/rigol/shell/update.sh /media/sda1/DS5000Update.GEL" and report back any failures you see.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 08, 2019, 02:07:12 pm
I already got the 01.01.04.04 Version (and wonder, why it isn´t on the webpages of rigol U.S. or europe)

Now it´s launched:

https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/

Including upgrade instructions and release notes.
Fun fact : At rigol europe page you must "register" (Name, Email, Model, Serialnumber) before you can download it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 08, 2019, 02:38:49 pm
It is no different in the U.S., we have to register before download as well.  It is not uncommon due to our strict anti-spam law, it allows them to reach out to you via email for marketing and other purposes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JDubU on March 08, 2019, 02:44:11 pm
No registration required at the Chinese Rigol site:

http://cn.rigol.com/Support/SoftDownload/3
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 08, 2019, 02:59:19 pm
Quote
It is no different in the U.S., we have to register before download as well.

Ah, after I was on the europe site (and registered me), I went to the U.S. site and could directly go to the firmware.
Maybe once only registration is needed.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: peppy88 on March 08, 2019, 03:53:58 pm
Current best practice:

  • Note your current software version down. If it is older than 01.01.04.04 you will need to upgrade.
  • Backup your scope specific data such as calibration values. Get the DS5000Update_backup.GEL.txt from here. (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380) Rename to DS5000Update.GEL and put it on a USB drive. Execute an upgrade. You will see the scope doing a backup. Unplug the stick and make sure you have a backup in the data_backup folder on the stick.
  • If you have an older version of the firmware, download 01.01.04.04 from here (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.04.GEL). Also rename it to DS5000Update.GEL, put it on your usb drive, and upgrade.
  • Make sure you are on the 01.01.04.04 firmware in the about dialog.
  • Patch the scope to have all licenses. For that download the patch from here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282). Again rename and copy to usb drive. This time the upgrade might take a bit longer, it should ask you to reboot, if not something failed, but it is probably not fatal for your scope, no worries. Reboot.
  • Check that all licences are activated.
  • If you want, do an auto calibration and check that everything is still okay.

You can get temporary SSH access by executing this upgrade (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076). The upgrade will "fail", but you will have ssh until reboot. You can use this to fix your calibration data, if truly required.

I've upgraded to the newest firmware but when I upload the patch (with renaming) the scope says "fail to update please check package".

Did you read the last sentence? (highlighted)

Yes, this is not for the ssh update; I'm doing the actual patch.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: peppy88 on March 08, 2019, 03:55:06 pm
I've upgraded to the newest firmware but when I upload the patch (with renaming) the scope says "fail to update please check package".

If you are talking about the license patch. This is strange. It is the first observed failure. I could only recommend trying again with a freshly FAT32 formatted usb drive. (It uses the drive as space for intermediate patching results, so there should be space.) If this does not work, you either have to wait for a new patch with better debug output on the screen, or ssh in and execute "/rigol/shell/update.sh /media/sda1/DS5000Update.GEL" and report back any failures you see.

Thanks I will try this. I think it's just not detecting my usb for some reason. Maybe because I formatted using my Mac? Are you guys formatting the drives on a windows machine? I'll keep you posted with my results.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Elandril on March 08, 2019, 05:20:59 pm
Thanks for the link. I hate those forced registrations for a simple firmware download.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Old Printer on March 08, 2019, 05:35:33 pm
I've upgraded to the newest firmware but when I upload the patch (with renaming) the scope says "fail to update please check package".

If you are talking about the license patch. This is strange. It is the first observed failure. I could only recommend trying again with a freshly FAT32 formatted usb drive. (It uses the drive as space for intermediate patching results, so there should be space.) If this does not work, you either have to wait for a new patch with better debug output on the screen, or ssh in and execute "/rigol/shell/update.sh /media/sda1/DS5000Update.GEL" and report back any failures you see.

Thanks I will try this. I think it's just not detecting my usb for some reason. Maybe because I formatted using my Mac? Are you guys formatting the drives on a windows machine? I'll keep you posted with my results.
Try a third party dedicated usb formatting tool. It has been said that the one built into Windows 7 and on is problematic. May be the same for Mac, I think Apple is worse than Microsoft about tweaking things to suit themselves.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: offmar on March 08, 2019, 08:11:35 pm
I've upgraded to the newest firmware but when I upload the patch (with renaming) scope says fail to update please check package

If you are talking about the license patch. This is strange. It is the first observed failure. I could only recommend trying again with a freshly FAT32 formatted usb drive. (It uses the drive as space for intermediate patching results, so there should be space.) If this does not work, you either have to wait for a new patch with better debug output on the screen, or ssh in and execute "/rigol/shell/update.sh /media/sda1/DS5000Update.GEL" and report back any failures you see.

Thanks I will try this. I think it's just not detecting my usb for some reason. Maybe because I formatted using my Mac? Are you guys formatting the drives on a windows machine? I'll keep you posted with my results.


I'm doing it using DiskUtility in MacOS. I set the filesystem to FAT and Scheme to "Master Boot Record".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kwinz on March 08, 2019, 09:03:55 pm
If you can cancel your order batterfly . com have them in stock right now, I've bought mine from there and was sent on the next day with free shipping

Great advice! As you suggested I ordered with batterfly (just 2days ago). Same day free shipping. I just now got the scope delivered with FW 00.01.01.02.03. Fully recommended!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: peppy88 on March 08, 2019, 11:43:16 pm
Ok upgrade worked.

I have a MSO5072 it would not update on the start menu where you press the single button.

It works by doing Utility->System->Help Local upgrade
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NED88 on March 09, 2019, 01:09:34 am
Hi all.

I'm new to this forum and have been following this thread for about two weeks. 

A week or so ago, I decided to purchase a Rigol MSO5104 (which came with F/W v02.03) and then added the -fullopt to a line on the start.sh file.

Two days ago, I decided to upgrade the F/W to v04.04 and used the various .GEL files produced by mabl (a big thanks to you) and I too can confirm that update patch works  :-+

Afterwards, I edited the start.sh file as suggested by oliv3r (see https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2245083/#msg2245083) instead of having to insert a USB stick with the 10kB .GEL file on it (see https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076) in order to enable SSH.

Fellow members, I have a few questions for you:

Q1:  I tried editing two commented-out lines in /etc/init.d/rcS to enable SSH and FTP, but would like to know why/how it reverts back to the commented-out lines after a reboot?

Q2:  Also, is the power button/switch the only way to reboot (other than connecting via SSH and running the command reboot) ?

Q3:  I backed-up my .hex calibration files (using mabl's .GEL file) before upgrading the F/W and then manually copied them back afterwards.  Is it safe to do a self-calibration with the current F/W version or should one stick to the backed up calibration files (as I have done)?


Thanks again to all those who have contributed to this forum.  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on March 09, 2019, 03:07:27 am
Hi all.

I'm new to this forum and have been following this thread for about two weeks. 

A week or so ago, I decided to purchase a Rigol MSO5104 (which came with F/W v02.03) and then added the -fullopt to a line on the start.sh file.

Two days ago, I decided to upgrade the F/W to v04.04 and used the various .GEL files produced by mabl (a big thanks to you) and I too can confirm that update patch works  :-+

Afterwards, I edited the start.sh file as suggested by oliv3r (see https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2245083/#msg2245083) instead of having to insert a USB stick with the 10kB .GEL file on it (see https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076) in order to enable SSH.

Fellow members, I have a few questions for you:

Q1:  I tried editing two commented-out lines in /etc/init.d/rcS to enable SSH and FTP, but would like to know why/how it reverts back to the commented-out lines after a reboot?

Q2:  Also, is the power button/switch the only way to reboot (other than connecting via SSH and running the command reboot) ?

Q3:  I backed-up my .hex calibration files (using mabl's .GEL file) before upgrading the F/W and then manually copied them back afterwards.  Is it safe to do a self-calibration with the current F/W version or should one stick to the backed up calibration files (as I have done)?


Thanks again to all those who have contributed to this forum.  :)

1. The entire root filesystem is an initramfs, so whatever changes you made to / will revert back to initial state, unless you change system.img and flash it to a specific MTD partition.

2. You can use reboot command.

3. Yes
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on March 09, 2019, 03:09:32 am
Has anyone poked around in the web server files?  If you go to http://<scopeip>/DataControl.html you get a simple file manager and remote commands via SCPI (page source (https://gitlab.com/riglol/rigolee/blob/MSO5000/firmware/rootfs/rigol/webcontrol/webpages/DataControl.html)).

(https://i.imgur.com/5vx5szc.png)

The server is lighttpd (https://www.lighttpd.net/) with the config at /rigol/webcontrol/config/lighttpd.conf (https://gitlab.com/riglol/rigolee/blob/MSO5000/firmware/rootfs/rigol/webcontrol/config/lighttpd.conf) and docroot at /rigol/webcontrol/webpages.  This is pretty stripped down, no scripting environment so everything is CGI.  Still, seems like the web front end could get some custom love with client side js if one were so inclined. Keystrokes (https://gitlab.com/riglol/rigolee/blob/MSO5000/firmware/rootfs/rigol/webcontrol/webpages/js/WebControl.js) and wave data (https://gitlab.com/riglol/rigolee/blob/MSO5000/firmware/rootfs/rigol/webcontrol/webpages/remote.html) are all sent over websockets. It also appears one could enable SSL with a custom cert as the openssl binaries are available (https://gitlab.com/riglol/rigolee/tree/MSO5000/firmware/rootfs/rigol/webcontrol/bin).

The http://<scopeip>/img folder symlinks to /tmp so you can poke at files there, or drop files there from shell/boot scripts to be viewed remotely if you don't want to be writing anything to flash.

There are some weird things in there too.  This file (https://gitlab.com/riglol/rigolee/blob/MSO5000/firmware/rootfs/rigol/webcontrol/webpages/3.html) has a link to this site (http://51windows.net/) which appears to offer web tutorials and sample code which visually date from the late 90s. It does explain the look of the web UI...  This page has a simple waveviewer (that doesn't work) and some test info. (https://gitlab.com/riglol/rigolee/blob/MSO5000/firmware/rootfs/rigol/webcontrol/webpages/1.html)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 09, 2019, 10:26:12 am
Yes, I also looked into these. However, I do think all interaction is via SCPI commands and there is hence no secret there, which is not also in the SCPI definitions in /rigol/resources.

It looks to me, that there is a message passing system, which is also partially used to define the SCPI commands. However not all messages are also exposed via SCPI commands. I believe the production version of the firmware is not shipped with a full set of SCPI command definitions, hence giving no way to access all possible messages.  (until we define our own SCPI commands to access them :popcorn:. I failed in my first quick attempt though.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on March 12, 2019, 03:46:09 am
mabl's process works like a charm. Could probably combine the patcher + backup into one easy to use "upgrade" but that's nit picking.

I wasn't able to get the boot menu accessed by hitting "SINGLE" while booting to upgrade correctly, but the in-app upgrade works. Maybe b/c my USB stick is USB3?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 12, 2019, 08:44:43 pm
Hi all.

I'm new to this forum and have been following this thread for about two weeks. 

A week or so ago, I decided to purchase a Rigol MSO5104 (which came with F/W v02.03) and then added the -fullopt to a line on the start.sh file.

Two days ago, I decided to upgrade the F/W to v04.04 and used the various .GEL files produced by mabl (a big thanks to you) and I too can confirm that update patch works  :-+

Afterwards, I edited the start.sh file as suggested by oliv3r (see https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2245083/#msg2245083) instead of having to insert a USB stick with the 10kB .GEL file on it (see https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076) in order to enable SSH.

Fellow members, I have a few questions for you:

Q1:  I tried editing two commented-out lines in /etc/init.d/rcS to enable SSH and FTP, but would like to know why/how it reverts back to the commented-out lines after a reboot?

Q2:  Also, is the power button/switch the only way to reboot (other than connecting via SSH and running the command reboot) ?

Q3:  I backed-up my .hex calibration files (using mabl's .GEL file) before upgrading the F/W and then manually copied them back afterwards.  Is it safe to do a self-calibration with the current F/W version or should one stick to the backed up calibration files (as I have done)?


Thanks again to all those who have contributed to this forum.  :)

I just realized, you may also want to start udhcpc -i eth0 & somewhere :) probably before your ssh line. If your appEntry fails to start or crashes or whatever, the devices will be without an IP, so ssh will be up and running, but you won't be able to access it.

appEntry does its own network management (wtf much?) but that doesn't conflict.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 12, 2019, 09:24:32 pm
Hi mabl,

After rereading all the posts after page 30, I believe I made a mistake in saying that the serial number may be lost.  Looks like what could be lost are the "licenses", are we only referring to losing the 2160 min of trial serial decoder licenses?

Thanks again.

I read the serial number could be lost after the patch, if I restore to official firmware state, then is the serial number restored? 
Serial number is saved in /rigol/data together with the calibration data. Once you lose that, you lose it, I think.

If I have is for whatever reason if I need to back out the patch to restore to official firmware state, is there a tested process to do that?  Is it just to reapply the official update, or is there more?

Either manually copy back appEntry over ssh, or flash the original firmware. I'm not sure if there is a patch against same-version flashing though. Could potentially be patched out, though.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NED88 on March 13, 2019, 01:31:48 am
I just realized, you may also want to start udhcpc -i eth0 & somewhere :) probably before your ssh line. If your appEntry fails to start or crashes or whatever, the devices will be without an IP, so ssh will be up and running, but you won't be able to access it.

appEntry does its own network management (wtf much?) but that doesn't conflict.

Hi oliv3r.

Thanks for the suggestion above - I'll try it out and see if it works... :)  Would I expect udhcpc in the list of processes by running ps -al  in the terminal?


I have a few additional questions for this thread/forum  ;)

1) Regarding the ssh command (I'm using Terminal on the Mac), it keeps saying "Warning: Permanently added '<IP address>' (ECDSA) to the list of known hosts." - is this anything to worry about?

2) Does anyone know if there a terminal command (on the scope) that can check the FAT-formatted partition on a USB memory stick (I usually use fsck but can't see the msdos version)?

3) I'm not sure if this is the correct Rigol MSO5000-related thread to post this question...  So, I decided to use the Measure menu to add Frequency, Period, Undershoot and Overshoot measurements in order to calibrate the four passive probes supplied with my MSO5104.  I managed to get both the Under/Overshoot down to ~0.6060% for channels 1, 2 and 4 using the 1KHz square wave (from the probe compensation terminal) and those three channels now show a good flat square wave.  However, channel 3 is showing a bit of overshoot (0.6711%) that I can't get rid of - is this normal and/or is it possible to rectify it??  Not sure if it's a software or hardware problem either.  I have attached, below, a screenshot of the measurements and I did run the SelfCal function beforehand.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 13, 2019, 07:01:26 am
First of all, I have updated the backup script (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380), and it should be more reliable now. Do use it, really  ;D

I read the serial number could be lost after the patch, if I restore to official firmware state, then is the serial number restored? 
Serial number is saved in /rigol/data together with the calibration data. Once you lose that, you lose it, I think.
After rereading all the posts after page 30, I believe I made a mistake in saying that the serial number may be lost.  Looks like what could be lost are the "licenses", are we only referring to losing the 2160 min of trial serial decoder licenses?

All scope specific data is in one folder. When and what can and is usually lost is not very clear. There is a reset to default thing, which copies the scope default data and hence overwrites these files. I have personally lost all the .LIC files during upgrade. But I went a more convoluted way with a partial downgrade. So it might have been my fault. Anyways. Make a backup and you are fine.

1) Regarding the ssh command (I'm using Terminal on the Mac), it keeps saying "Warning: Permanently added '<IP address>' (ECDSA) to the list of known hosts." - is this anything to worry about?

2) Does anyone know if there a terminal command (on the scope) that can check the FAT-formatted partition on a USB memory stick (I usually use fsck but can't see the msdos version)?

1. That is normal, every time your scope's IP is different. Usually your router should give it a more or less stable address though. It will not hurt you.
2. There is none. I do really not like how there is no way of unmounting the usb drive.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on March 13, 2019, 09:37:00 am
If you can cancel your order batterfly . com have them in stock right now, I've bought mine from there and was sent on the next day with free shipping

Great advice! As you suggested I ordered with batterfly (just 2days ago). Same day free shipping. I just now got the scope delivered with FW 00.01.01.02.03. Fully recommended!

I'm glad to hear it. Wish you a Happy scoping  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NED88 on March 13, 2019, 03:52:51 pm
First of all, I have updated the backup script (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380), and it should be more reliable now. Do use it, really  ;D

Q: Is this updated .GEL file for running from a USB memory stick and/or via a terminal command, as it says "Press any key to continue..." ?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 13, 2019, 04:16:48 pm
I saw that too, I just push one of the red key on the right of the screen, the screen will then go black for about 10 sec, then the scope screen will return.

After that, you will get a backup file on the USB with an extension of .tar.bz3 (if I recall correctly).  I don't believe the extra bz3 extension was there before in the old script.  I just delete the extra .bz3, and I was able to untar it into its own directory on a Windows 10 PC.

I also noticed that Windows will report the USB drive needs to be repaired when it comes back from the scope.  I wonder if it has to do with me not doing a proper eject on the scope.  On that note, is there even an eject USB drive option on the scope? 

In any event, I did not repair the USB drive and ignored the message on the Windows 10 machine, Windows was able to retrieve the file without any problem.

A big shoutout to mabl for making all this possible, thank you!

First of all, I have updated the backup script (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380), and it should be more reliable now. Do use it, really  ;D

Q: Is this updated .GEL file for running from a USB memory stick and/or via a terminal command, as it says "Press any key to continue..." ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 13, 2019, 05:34:20 pm
Q: Is this updated .GEL file for running from a USB memory stick and/or via a terminal command, as it says "Press any key to continue..." ?

I saw that too, I just push one of the red key on the right of the screen, the screen will then go black for about 10 sec, then the scope screen will return.

It really means any key on the scope. Restarting the main application takes some time.

After that, you will get a backup file on the USB with an extension of .tar.bz3 (if I recall correctly).  I don't believe the extra bz3 extension was there before in the old script.  I just delete the extra .bz3, and I was able to untar it into its own directory on a Windows 10 PC.
It tried to do it previously too, but failed due to timing during this process. The new system will make sure everything is written first and adds the user interaction.

I also noticed that Windows will report the USB drive needs to be repaired when it comes back from the scope.  I wonder if it has to do with me not doing a proper eject on the scope.  On that note, is there even an eject USB drive option on the scope? 

In any event, I did not repair the USB drive and ignored the message on the Windows 10 machine, Windows was able to retrieve the file without any problem.

A big shoutout to mabl for making all this possible, thank you!

You are very welcome! There is unfortunately no eject. However, I make sure to sync all data to the stick, so it should be safe to just pull it. The file system dirty flag will still be set, since Windows has no way of knowing that I synced it properly. It should not find any file system errors due to this process.
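
Added example, not part of the thread or of mabl's backup script: a Python check of the two places a FAT32 volume records an unclean dismount, which is the state left behind by the sync-without-unmount described above. The image is a constructed sample and the function names are this example's own; only FAT32 is handled.

```python
import struct

# FAT[1] flag bits from the Microsoft FAT specification (FAT32 variant).
CLN_SHUT = 0x08000000   # 1 = volume was cleanly dismounted, 0 = dirty
HRD_ERR = 0x04000000    # 1 = no disk I/O errors seen, 0 = errors seen
BOOT_STATE_OFFSET = 0x41  # FAT32 boot sector state byte, bit 0 = dirty


def build_fat32_image(boot_dirty: bool, fat_clean: bool) -> bytes:
    """Constructed sample: boot sector + reserved area + first FAT sector."""
    bytes_per_sec, reserved = 512, 32
    boot = bytearray(bytes_per_sec)
    boot[0:3] = b"\xEB\x58\x90"
    boot[3:11] = b"MSDOS5.0"
    struct.pack_into("<H", boot, 11, bytes_per_sec)  # BPB_BytsPerSec
    boot[13] = 8                                     # BPB_SecPerClus
    struct.pack_into("<H", boot, 14, reserved)       # BPB_RsvdSecCnt
    boot[16] = 2                                     # BPB_NumFATs
    struct.pack_into("<H", boot, 22, 0)              # BPB_FATSz16 = 0 on FAT32
    struct.pack_into("<I", boot, 36, 1)              # BPB_FATSz32
    boot[BOOT_STATE_OFFSET] = 0x01 if boot_dirty else 0x00
    boot[0x52:0x5A] = b"FAT32   "
    boot[510:512] = b"\x55\xAA"
    fat = bytearray(bytes_per_sec)
    struct.pack_into("<I", fat, 0, 0x0FFFFFF8)       # FAT[0]: media descriptor
    fat1 = 0x0FFFFFFF if fat_clean else 0x0FFFFFFF & ~CLN_SHUT
    struct.pack_into("<I", fat, 4, fat1)             # FAT[1]: status flags
    padding = bytes(bytes_per_sec * (reserved - 1))
    return bytes(boot) + padding + bytes(fat)


def fat32_dirty_state(image: bytes) -> dict:
    """Read both dirty indicators from the start of a FAT32 volume.

    `image` is the raw beginning of the partition (for a real stick, the
    first reserved-sectors-plus-one sectors read from the partition device).
    """
    if len(image) < 512 or image[510:512] != b"\x55\xAA":
        raise ValueError("no boot sector signature")
    (bytes_per_sec,) = struct.unpack_from("<H", image, 11)
    (reserved,) = struct.unpack_from("<H", image, 14)
    (fatsz16,) = struct.unpack_from("<H", image, 22)
    (fatsz32,) = struct.unpack_from("<I", image, 36)
    if fatsz16 != 0 or fatsz32 == 0:
        raise ValueError("not a FAT32 volume")
    fat_offset = reserved * bytes_per_sec
    if len(image) < fat_offset + 8:
        raise ValueError("image does not include the first FAT sector")
    (fat1,) = struct.unpack_from("<I", image, fat_offset + 4)
    return {
        "boot_sector_dirty": bool(image[BOOT_STATE_OFFSET] & 0x01),
        "fat_clean_shutdown": bool(fat1 & CLN_SHUT),
        "fat_no_io_error": bool(fat1 & HRD_ERR),
    }


def needs_check(state: dict) -> bool:
    """True when either indicator says the volume was not cleanly dismounted."""
    return state["boot_sector_dirty"] or not state["fat_clean_shutdown"]


if __name__ == "__main__":
    pulled = fat32_dirty_state(build_fat32_image(boot_dirty=True, fat_clean=False))
    ejected = fat32_dirty_state(build_fat32_image(boot_dirty=False, fat_clean=True))
    print("pulled after sync:", pulled, "-> check offered:", needs_check(pulled))
    print("properly ejected: ", ejected, "-> check offered:", needs_check(ejected))
```

A set flag only says the volume was not dismounted; it says nothing about whether the data on it is intact, which is why a repair prompt and a readable backup file can coexist.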
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NED88 on March 13, 2019, 05:54:16 pm
Hi mabl, NoisyBoy

After ssh-ing into the scope, I executed: /rigol/shell/update.sh  /media/sda1/DS5000Update.GEL (as suggested in https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2252349/#msg2252349) and have attached a screenshot of the terminal output.  I pressed one of the red buttons to the right of the screen when asked.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 13, 2019, 05:56:32 pm
That is how the backup script should look like. Did your patch succeed now? You can run it from the command line too, but it will not give as much output.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 13, 2019, 05:59:53 pm
Hi,

Current best practice:

  • Patch the scope to have all licenses. For that download the patch from here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282). Again rename and copy to usb drive. This time the upgrade might take a bit longer, it should ask you to reboot, if not something failed, but it is probably not fatal for your scope, no worries. Reboot.


I renamed it to DSO5000Update.GEL put it to the stick, do local upgrade....Message "No package found" appears.

For windows it´s still a txt format while the "original" GEL file will be displayed as a GEL.file .
Maybe that´s the reason it doesn´t work on the scope too ?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 13, 2019, 06:02:42 pm
I renamed it to DSO5000Update.GEL put it to the stick, do local upgrade....Message "No package found" appears.

For windows it´s still a txt format while the "original" GEL file will be displayed as a GEL.file .
Maybe that´s the reason it doesn´t work on the scope too ?

Ah the poor souls using Windows. Sure it should have the .GEL extension. Under windows folder options you can prevent it from hiding file extensions somehow.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 13, 2019, 06:20:39 pm
Thanks !
Now I got a GEL. file…... 8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NED88 on March 13, 2019, 08:50:36 pm
That is how the backup script should look like. Did your patch succeed now? You can run it from the command line too, but it will not give as much output.

Yes, it did :-)

I've attached another screenshot of the terminal output but for DS5000Update_patch_01_01_04_04_usb.GEL (renamed of course).

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 13, 2019, 09:59:03 pm
I just realized, you may also want to start udhcpc -i eth0 & somewhere :) probably before your ssh line. If your appEntry fails to start or crashes or whatever, the devices will be without an IP, so ssh will be up and running, but you won't be able to access it.

appEntry does its own network management (wtf much?) but that doesn't conflict.

Hi oliv3r.

Thanks for the suggestion above - I'll try it out and see if it works... :)  Would I expect udhcpc in the list of processes by running ps -al  in the terminal?


I have a few additional questions for this thread/forum  ;)

1) Regarding the ssh command (I'm using Terminal on the Mac), it keeps saying "Warning: Permanently added '<IP address>' (ECDSA) to the list of known hosts." - is this anything to worry about?

2) Does anyone know if there a terminal command (on the scope) that can check the FAT-formatted partition on a USB memory stick (I usually use fsck but can't see the msdos version)?

3) I'm not sure if this is the correct Rigol MSO5000-related thread to post this question...  So, I decided to use the Measure menu to add Frequency, Period, Undershoot and Overshoot measurements in order to calibrate the four passive probes supplied with my MSO5104.  I managed to get both the Under/Overshoot down to ~0.6060% for channels 1, 2 and 4 using the 1KHz square wave (from the probe compensation terminal) and those three channels now show a good flat square wave.  However, channel 3 is showing a bit of overshoot (0.6711%) that I can't get rid of - is this normal and/or is it possible to rectify it??  Not sure if it's a software or hardware problem either.  I have attached, below, a screenshot of the measurements and I did run the SelfCal function beforehand.

0) Rigol do not use udhcpc, but it is part of busybox, so you can use it if you want. appEntry does its own network thing (maybe using qt, but not they may have rewritten it (reused from DS1074z) codebase
1) I think your system is not saving the signature locally, so every time you connect, it's asking you to do this. Also, the signature matches an IP, so every time the IP changes, you will be asked (until you've used all available IPs :D
2) umount /dev/sda1 && fsck -a -f /dev/sda1 you mean?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NED88 on March 14, 2019, 01:21:11 am

2) umount /dev/sda1 && fsck -a -f /dev/sda1 you mean?

Yes exactly that - but I get the error message as shown at the bottom of the attached image.  |O
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 14, 2019, 06:23:43 pm
Thanks !
Now I got a GEL. file…... 8)

And now I got all options.... :D
Everything works fine, still no overshoot issues, good.
Before, the 40ps risetime pulsegenerator on 70Mhz BW:

(https://s16.directupload.net/images/190314/temp/vgkfg26w.png) (https://www.directupload.net/file/d/5391/vgkfg26w_png.htm)

After, with 350Mhz BW:

(https://s17.directupload.net/images/190314/temp/amyzsbgo.png) (https://www.directupload.net/file/d/5391/amyzsbgo_png.htm)

(tomorrow a shot with the same voltage resolution (forgot it) )

Big thanks for such an easy thing to do.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 15, 2019, 05:12:27 pm
Quote
(tomorrow a shot with the same voltage resolution (forgot it) )

Done, posted there to keep this thread clean:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2270838/#msg2270838
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 15, 2019, 06:03:22 pm
Quote
(tomorrow a shot with the same voltage resolution (forgot it) )

Done, posted there to keep this thread clean:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2270838/#msg2270838

Cleaning is deleting!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BitBug on March 15, 2019, 07:16:48 pm
It amazes me how these companies will rush a basically good piece of hardware to market with this many firmware bugs... and with only half-assed beta testing (if any)... This is generally where the community decides to take matters into their own hands, and makes it a fully open-source project. Can anyone say, "OpenWRT"?

You've dumped all the firmware... Clearly, some people are using IDA Pro to reverse engineer some of that code. You could amp-this-up by using FLIRT signatures in IDA for code pattern recognition of known libraries (I did this for an STM-based Set-Top-Box using all their code libraries). Once all the "canned" code is identified, what's left is custom-written code/drivers - and you can figure-out what they're doing with some work... I'm sure this was the same basic process that resulted in the OpenWrt Project (maybe we should call it the "OpenScope Project"?)

It's only a matter of time before we, as a community, pick a relatively inexpensive "base" piece of DSO hardware and make it our own (as in, we maintain the firmware/software - they just compete on the best hardware). What DSO engineering company wouldn't want to be "chosen" by our community as the first hardware "base"? ...Certainly not Rigol - they just want to sell their hardware... and I'm half thinking (at least, in part) this is Rigol's modus operandi when it comes to the ease of hacking their scopes. I'm actually really surprised that an entire source code tree hasn't mysteriously "appeared" on the web to force some companies' sales into the stratosphere... and it would!

Once you force the issue, these DSO engineering companies will work/compete on making a better hardware platforms for our "OpenScope" software...

It's only a matter of time... and the first DSO engineering company that adopts this marketing strategy, will win all the marbles... and it will be a paradigm shift for the entire O-scope industry. Sure, they'll all still continue making expensive +500MHz scopes (IBM still makes mainframes) for universities and fortune 500 companies, but they'll relinquish the entire sub-500MHz market to Open Source software... kind of like your generic PC hardware is now.

...All it will take is for it to happen just once on a "chosen" platform... kinda like this one...  ;)

BB
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 15, 2019, 09:38:27 pm
Quote
Cleaning is deleting!

Therefore you post my post again.

Quote
Big thanks for such an easy thing to do.

When the next firmware update will be released, the hack will be gone - then we could patch it again with the same file….perhaps.
When this can be done, it´s an evidence that rigol doesn´t want to stop hacking seriously.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 15, 2019, 10:26:03 pm
When the next firmware update will be released, the hack will be gone - then we could patch it again with the same file….perhaps.
When this can be done, it´s an evidence that rigol doesn´t want to stop hacking seriously.

The firmware release notes state that it 'Boots in less than a minute' so obviously some boss gave the order to "Make it boot in less than a minute!"

It used to boot in 1:15 and now it takes 0:59 so they shaved off just enough to comply with the order. As soon as it was less than 60s they stopped work.

Switching off SSL might have been one of the things they did to reach that goal, ie. it wasn't switched off for security reasons but purely for boot-timing reasons.  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quakeman on March 16, 2019, 05:05:03 pm
My MSO5074 was delivered yesterday with firmware 01.01.04.04.
I did a backup and after that applied the patch. It worked out of the box and now i have all options activated.
Thanks to all who made this possible. :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 20, 2019, 07:31:23 pm

2) umount /dev/sda1 && fsck -a -f /dev/sda1 you mean?

Yes exactly that - but I get the error message as shown at the bottom of the attached image.  |O
fsck.minix is the only fsck version available :( so sad. So you'd have to do it locally on a desktop system
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 20, 2019, 07:39:08 pm
It amazes me how these companies will rush a basically good piece of hardware to market with this many firmware bugs... and with only half-assed beta testing (if any)... This is generally where the community decides to take matters into their own hands, and makes it a fully open-source project. Can anyone say, "OpenWRT"?
Absolutely, as long as you realize, it's a massive amount of work of course.

First, we need to fully _understand_ the scope. I'm slowly working on that via https://www.gitlab.com/riglol/rigolee but not (m)any contributions yet :)

You've dumped all the firmware... Clearly, some people are using IDA Pro to reverse engineer some of that code. You could amp-this-up by using FLIRT signatures in IDA for code pattern recognition of known libraries (I did this for an STM-based Set-Top-Box using all their code libraries). Once all the "canned" code is identified, what's left is custom-written code/drivers - and you can figure-out what they're doing with some work... I'm sure this was the same basic process that resulted in the OpenWrt Project (maybe we should call it the "OpenScope Project"?)
Cute :) but you underestimate the effort :)
In any case, what we know so far is that the UI is built on top of QT, but sadly, that's all they use; the rest is all custom code they've written internally. Copyright/IP fear from the Chinese, naturally. Write it yourself, however badly, and at least you can't get sued, is the general thought. That said, they also modified the kernel and u-boot.

As for the openwrt port, remember that they only started after they had received the GPL-ed kernel code. They used the proprietary blobs for the wifi drivers, and that got them a linux system. It took them YEARS to get where they are now, and what we had with the initial openwrt port was just very basic (but super powerful and 100x better than what the vendor had). Mind you, I've been running openwrt since the first release on a WRT54G :) and only buy routers that support openwrt.

So if you want to help, an open task is to bugger Rigol about releasing their GPL-ed work. The bootloader and Kernel most importantly. The application, well, we don't care too much about that yet :)

It's only a matter of time before we, as a community, pick a relatively inexpensive "base" piece of DSO hardware and make it our own (as in, we maintain the firmware/software - they just compete on the best hardware). What DSO engineering company wouldn't want to be "chosen" by our community as the first hardware "base"? ...Certainly not Rigol - they just want to sell their hardware... and I'm half thinking (at least, in part) this is Rigol's modus operandi when it comes to the ease of hacking their scopes. I'm actually really surprised that a entire source code tree hasn't mysteriously "appeared" on the web to force some companies' sales into the stratosphere... and it would!
I love your enthusiasm, but so far, mostly hardware guys in this thread (which we also badly need). Step one, with any project, is understanding the hardware. We have some good resources though, but at least I haven't documented all my findings yet :) In time, in time. The wiki also has some knowledge of the chips used for example. We ain't sleepin' ya know.

Once you force the issue, these DSO engineering companies will work/compete on making a better hardware platforms for our "OpenScope" software...

It's only a matter of time... and the first DSO engineering company that adopts this marketing strategy, will win all the marbles... and it will be a paradigm shift for the entire O-scope industry. Sure, they'll all still continue making expensive +500MHz scopes (IBM still makes mainframes) for universities and fortune 500 companies, but they'll relinquish the entire sub-500MHz market to Open Source software... kind of like your generic PC hardware is now.

...All it will take is for it to happen just once on a "chosen" platform... kinda like this one...  ;)

BB
I welcome you to help! Please :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 20, 2019, 07:41:01 pm
When the next firmware update will be released, the hack will be gone - then we could patch it again with the same file….perhaps.
When this can be done, it´s an evidence that rigol doesn´t want to stop hacking seriously.

The firmware release notes state that it 'Boots in less than a minute' so obviously some boss gave the order to "Make it boot in less than a minute!"

It used to boot in 1:15 and now it takes 0:59 so they shaved off just enough to comply with the order. As soon as it was less than 60s they stopped work.

Switching off SSL might have been one of the things they did to reach that goal, ie. it wasn't switched off for security reasons but purely for boot-timing reasons.  :popcorn:
Well I know that after the double beep you hear during boot, 'appEntry' starts (their main application). That's where the scope spends most of its time. Even the 8 seconds it takes to load the FPGA (which is needed anyway) is insignificant compared to the bloated QT app to load. So they must have reduced some sleeps/waits in some loops during startup to shave those 16 seconds off, and pray that everything still works :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 20, 2019, 07:49:27 pm
.... the bloated QT app to load.

QT? Say it ain't so.  :palm:

Title: Serial console help
Post by: oliv3r on March 20, 2019, 08:13:05 pm
So first some background; I have been using serial consoles at home and professionally for years, so I would have thought I knew what I was doing :)

But I'm quite baffled as to why I can't get decent text out of my console on the scope. Let's start with a screenshot :) (see attachment)

The serial port is connected as 115200 8n1 as expected and I tried 4 different USB uart adapters. But they all produce similar garbage.

Now, it's important to know, that I have not soldered on the connector. I took a jumper wire, and thickened it with solder and thickened the pin until it took some effort to squeeze it in (3x). So granted, the connection could be poor. But would that result in this kind of poor reception?

I do see quite a few of you manage to talk to the scope over serial; but I'm a little hesitant to solder a connector on (for now, warranty claims and all that).

But other than an unreliable connection, I'm puzzled as to why I cannot talk to the scope ... any tips/pointers? I am about to order some of these http://microcontrollershop.com/advanced_search_result.php?keywords=press-fit&x=0&y=0 but they'll take a while to arrive here ...

Edit: So having the scope probe itself I got this screenshot. Here the scope is doing an "echo "Hello World" > /dev/ttyPS0" (with the serial debugger connected).
Edit2: The third image is what the scope 'sees' coming from the serial converter, but nothing actually is arriving on the serial port (I think firmware 1.1.2.3 started to disable the RX part of the serial port).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 20, 2019, 08:14:22 pm
.... the bloated QT app to load.

QT? Say it ain't so.  :palm:
It aint so!
But of course, we know it is :( what do you think https://gitlab.com/riglol/rigolee/tree/MSO5000/firmware/rootfs/rigol/Qt5.5 is for :)
Title: Re: Serial console help
Post by: egonotto on March 20, 2019, 08:40:07 pm

but I'm quite baffled, as to why I can't get decent text out of my console on the scope. Lets start with a screenshot :) (see attachment)


Hello,

look at Reply #619 from seronday (page 25)

he has a solution to your problem.

Best regards
egonotto
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 21, 2019, 05:36:52 pm
I recently had a need to use the UART interface on an MSO5074 and found this to be a challenging exercise.
There were two issues:-
1.   The data out of the MSO5074 was corrupted from time to time.
2.   There was no response to commands sent to the unit.

The corrupted data out of the MSO5074 was found to be caused by varying widths of the Low going data bits in the serial data stream.
At 115200 bits/sec, the nominal bit width is 8.68us.  Some of the Low going bits from the UART interface were down to 3us width.
The over all packet timing was correct, just the width of the low going bits varied.
So depending on when the receiving equipment clocks the data in, it may see either a "0" or "1"

This was solved by feeding the data through an external Pulse stretching circuit to set the minimum bit width correctly.

The second issue of no response to commands was tracked down to an open circuit on the PCB trace from the UART interface connection point.
The Data IN to the MSO5074 goes via a series resistor. This resistor had been left off the circuit board.
Since the resistor is mounted on the back of the board, this meant completely dismantling the unit to bridge the gap on the trace.

After solving these issues, using the UART interface to talk to the MSO5074 was straight forward.
I found that "U Boot" can be easily interrupted by holding a keyboard key down from when the MSO5074 is powered ON.

**  Edit.  Added Pulse stretching Circuit. **

Accidentally now of course  ;)

Let's hope this is not a new manufacturing technique; but I'll check if it is missing on mine as well. For the moment, I mostly care about getting data out of the scope. I'll do some measuring. I wonder though what the cause of this would be. The serial driver is from xilinx and is 'bog standard', and should be fully functional. They may have hacked the serial ports however to work better with their HMI.

We also noticed that they changed something to make serial not work with more recent kernels, but I can't remember if this was already done with 1.2.3, or if that came after. I thought it was part of the Rigo201  change. I'm still on 'root' :)

@TopLoser, you are using serial extensively as is Dave; how come your scope is not suffering from this clock stretching need?

Right, so I did some more investigation herein, and I don't think it's a clock stretching thing. If it were, the results would be consistent. So I ran a few experiments; very simply after logging in with ssh to the scope; while true; do printf "\x<hex>" > /dev/ttyPS0; done
For <hex> I used various characters.

So I can repeatedly print a whole bunch of characters, no problem at all. And some are just offset/weird. Looking at the traces however, we even see the pattern actually change while looking at it.
I mean, the nice thing about sending repetitively the same character, is that you can see it really nicely 'standing still' on the scope. Not so much.
So looking at RigolDS6, we see two characters going over the line, Data:" and Data:G<S>; however I was sending " and #. Looking at my output from the USB-uart adapter, I do indeed see " followed by an unknown character. I had chosen this character range (\x21\x22) as I already noticed # was going wonky.

Looking at DS7, I was sending \x74, or the letter 't'. Perfectly fine, the serial console shows it as a repeating t. Everything is butts and butter. (I'll do some math and counting to see if those timings are actually right).

Now, when I changed to \x75, as can be seen in DS10, I actually get ] on the serial console. And only ]. _almost_ always perfectly repeating. Matter of fact, whenever I find a character that is wonky, it is constantly wonky. But not all characters are wonky. Make sense?

Looking at DS9 and DS8 though this is what the scope shows in combination with DS10. So a few ms it's u, a few ms it's } and a few ms it's _.

What's worse, which I couldn't capture on the scope (can't record gifs) is that the sent characters are actually heavily fluctuating. So if anything, it looks like dropped bits maybe?
Now looking at the characters that we see, 0x5f 0x75 and 0x7d.
So in binary that's:
0101 1111
0111 0101
0111 1101

So it's not an obvious shift happening, but we do see some bit flipping AND a shift happening?
Like 0101 1111 shifted by a few would be 1111 0101, and flipping the sign bit (maybe forced somehow?) we then see what we would expect? It is really really far fetched though? A nibble shift + correction for the sign bit on a char?
But the last one shows even more signs of the shifting, as this is only shifted by 3 bits.

So this doesn't look very much like a pulse that's not wide enough, but bits being shuffled ....

Reading up a bit, it could be that somewhere some part gets confused about the start/stop of the signal, so that would explain the random shiftness. But it's quite 'reliably' reproducible. Power on, send \x75, perfect crap.

Measuring the signal, I get a bit time of 3.4 microseconds for 'a' bit, and 5 microseconds for the next bit. (DS11).

Fun fact, while poking, probing and prodding, the ] switch to a ] on my console. Restarting the spam of \x75 makes it appear as a ] again though. So I'll go re-read post https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2114902/#msg2114902 (#619)

So I have re-read the post, and he does indeed also claim 'varying bits' and bit times that are too small. I wonder what they messed with to cause this? I'll try installing an older version to see if this is a software 'fix' or not. Also I'm thinking it is related to the HMI. They had a problem with it likely, were not happy with signals and just hacked the serial driver to work with their HMI. That it broke serial input didn't matter too much to them, as all they care about is the HMI; UART is not officially supported.

HOWEVER, if that would be true, why is it broken at the u-boot console, and why do some serial converters not care? And how is the hardware serial peripheral spitting out such junk?! I'll go read the manual to see what the hardware is even capable of doing and see if I can build one of these bit extenders ...
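As an added example (not code from the thread or from Rigol), this Python model checks which of the characters reported above for a repeated \x75 can be produced purely by low bits that are too narrow for a receiver sampling at mid-bit. The byte values and the 3.4 us / 5 us widths are taken from the post; the mid-bit sampling point and the assumption that a narrowed low still starts on its slot boundary are assumptions of the model.

```python
"""Test the 'narrow low pulse' explanation against the bytes reported in the post."""

BAUD = 115200
BIT_US = 1e6 / BAUD            # nominal bit time, about 8.68 us


def frame_bits(byte):
    """8N1 frame in wire order: start bit, 8 data bits LSB first, stop bit."""
    return [0] + [(byte >> i) & 1 for i in range(8)] + [1]


def line_level(byte, t_us, low_widths):
    """Line level t_us after the start edge.

    Model assumption: a narrowed low bit begins on its slot boundary and
    returns high early. low_widths maps data-bit index -> low width in us;
    bits not listed keep the nominal width.
    """
    slot = int(t_us // BIT_US)
    if slot >= 10 or frame_bits(byte)[slot] == 1:
        return 1                                  # idle, stop bit or a '1' bit
    width = low_widths.get(slot - 1, BIT_US)      # slot 0 is the start bit
    return 0 if (t_us - slot * BIT_US) < width else 1


def receive(byte, low_widths=None):
    """Decode one frame the way a simple UART does: sample each data bit mid-slot."""
    low_widths = low_widths or {}
    value = 0
    for i in range(8):
        t_us = (i + 1.5) * BIT_US                 # centre of data bit i
        value |= line_level(byte, t_us, low_widths) << i
    return value


def classify(sent, seen):
    """Return (bits that went 0->1, bits that went 1->0), as data-bit indexes."""
    up = [i for i in range(8) if not (sent >> i) & 1 and (seen >> i) & 1]
    down = [i for i in range(8) if (sent >> i) & 1 and not (seen >> i) & 1]
    return up, down


def narrow_lows_suffice(sent, seen, narrow_us=3.4):
    """True if 'seen' results from 'sent' when only some low bits are narrowed."""
    up, down = classify(sent, seen)
    if down:                                      # a high bit read as low:
        return False                              # a short low pulse cannot do that
    return receive(sent, {i: narrow_us for i in up}) == seen


SENT = 0x75                                       # 'u', the byte sent in the post
OBSERVED = [0x75, 0x7D, 0x5F, 0x5D]               # u } _ ] as reported in the post


def report():
    """Map each observed byte to whether narrowed lows alone explain it."""
    return {seen: narrow_lows_suffice(SENT, seen) for seen in OBSERVED}


if __name__ == "__main__":
    print(f"bit time {BIT_US:.2f} us, a low must last {BIT_US / 2:.2f} us to be sampled")
    for seen, ok in report().items():
        up, down = classify(SENT, seen)
        print(f"0x{seen:02x} {chr(seen)!r}: 0->1 at {up}, 1->0 at {down}, "
              f"narrow lows suffice: {ok}")
```

In this model only } differs from u by a 0-to-1 flip; ] and _ also need bit 5 to go from 1 to 0, which a shortened low pulse cannot produce.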
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 21, 2019, 06:55:59 pm
So this doesn't look very much like a pulse that's not wide enough, but bits being shuffled ....

So, is it serial port obfuscation (by port driver modding)?

If so, a custom terminal is needed.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 22, 2019, 09:42:53 am
So this doesn't look very much like a pulse that's not wide enough, but bits being shuffled ....

So, is it serial port obfuscation (by port driver modding)?

If so, a custom terminal is needed.

I'm not really sure what's going on, and more strangely, what they changed. Even if they hacked the smithereens out of the serial driver, it doesn't matter, u-boot is 'broken' ... they could of course have added the same modifications to u-boot, but that's super unlikely. What could be the case though, is that they are initializing the port wrong. They are using the xilinx serial peripheral, so it's, all in all, a hardware based serial port. I'll go read the manual and start reading the registers to see wtf they are doing there.

Meanwhile, I can read 'just about enough' to debug stuff. I do have to take apart the scope to see if I'm missing the 0? ohm resistor.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 22, 2019, 10:59:25 am
Meanwhile, I can read 'just about enough' to debug stuff. I do have to take apart the scope to see if I'm missing the 0? ohm resistor.

Or, as I've hinted in the past, maybe the serial passes through the FPGA and something went bad in the latest programming.

If it was unintended, a bad recovery serial port is not something very pleasant to have...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 22, 2019, 11:13:15 am

@TopLoser, you are using serial extensively as is Dave; how come your scope is not suffering from this clock stretching need?


Well mine was a VERY early one (I bought it the day it was released), maybe there has been a small hardware or FPGA change in later models?

I imagine you can tell if the 0R resistor is missing by measuring the resistance of the RX line pin going into the scope? If the 0R resistor is fitted then you should be able to measure something?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on March 22, 2019, 03:12:47 pm
I do not have my scope open, but is it possible that there is a termination resistor missing in the design?  If they were using a open drain output without a pull up, the leakage current from the receiving gate might make it appear to sort of work....

Just a thought...

-Stan
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 22, 2019, 05:22:29 pm
I do not have my scope open, but is it possible that there is a termination resistor missing in the design?  If they were using a open drain output without a pull up, the leakage current from the receiving gate might make it appear to sort of work....

Just a thought...

Seems much more likely than a change in timing in the low bits.

Maybe somebody at Rigol has been Muntzing, try adding a 2k pullup to the line and see what happens (or maybe a pulldown...)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 22, 2019, 05:34:11 pm
Seems much more likely than a change in timing in the low bits.

Maybe somebody at Rigol has been Muntzing, try adding a 2k pullup to the line and see what happens (or maybe a pulldown...)

Indeed it makes sense but just because Rigol must have wanted to make it inaccessible...

Olliver, what can you see in TopLoser's PCB images?

Edit: Oopsss! The photo is from TopLoser and he has the RES...  Must disassemble yours.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 22, 2019, 05:48:49 pm
Indeed it makes sense but just because Rigol must have wanted to make it inaccessible...

Why assume it's a deliberate anti-hacking thing?

Their diagnostic/repair tools might have a pullup resistor in them so they figured they could save a couple of cents by Muntzing that.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 22, 2019, 05:50:03 pm
Serial is disabled immediately after the 'Hit any key' prompt, so you can still enter uboot at that point. Not available when the scope is up and running though.

TopLoser, can you confirm that while on uboot you have serial output and it just disappears when the app is called?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 22, 2019, 05:53:45 pm
Their diagnostic/repair tools might have a pullup resistor in them so they figured they could save a couple of cents by Muntzing that.

Take that specific 0R to reduce a couple cents????   :wtf:

I think it was to reduce the booting time...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 22, 2019, 05:59:54 pm
Serial is disabled immediately after the 'Hit any key' prompt, so you can still enter uboot at that point. Not available when the scope is up and running though.

TopLoser, can you confirm that while on uboot you have serial output and it just disappears when the app is called?

This is where it stops:

Code:
U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)

I2C:   ready
Memory: ECC disabled
DRAM:  448 MiB
DPU:   20170604
NAND:  OnDie ECC supported, 1024 MiB
zynq-In:    serial
zynq-Out:   serial
zynq-Err:   serial
Net:   Gem.e000b000
BootParam=0x0
Hit any key to stop autoboot:  0

NAND read: device 0 offset 0xd900000, size 0x3591fd
Ÿ


Disabled before the kernel is loaded - compared to previous versions:

Code:
U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)

I2C:   ready
Memory: ECC disabled
DRAM:  448 MiB
DPU:   20170604
NAND:  OnDie ECC supported, 1024 MiB
zynq-In:    serial
zynq-Out:   serial
zynq-Err:   serial
Net:   Gem.e000b000
BootParam=0x0
Hit any key to stop autoboot:  0

NAND read: device 0 offset 0x4900000, size 0x3591fd
þ
NAND read: device 0 offset 0x4900000, size 0x8
 8 bytes read: OK

NAND read: device 0 offset 0x4500000, size 0x12c008
 1228808 bytes read: OK
Loading logo, x=310,y=247,width=404,height=89

NAND read: device 0 offset 0x5100000, size 0xd8ebf0
 14216176 bytes read: OK
## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Kerstrel Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x030000f8
     Data Size:    3302448 Bytes = 3.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00100000
     Entry Point:  0x00100000
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK
## Loading ramdisk from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  kerstrel-Update-Ramdisk
     Type:         RAMDisk Image
     Compression:  gzip compressed
     Data Start:   0x03328c5c
     Data Size:    10901113 Bytes = 10.4 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    sha1
     Hash value:   55bdcbebccba845da403130143793ee0135e53a1
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x0332661c
     Data Size:    9597 Bytes = 9.4 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   da2d17ba0d5a71b5897deec4cb026014f3132185
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x332661c
   Loading Kernel Image ... OK
   Loading Ramdisk to 1b099000, end 1bafe679 ... OK
   Loading Device Tree to 1b093000, end 1b09857c ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 3.12.0-xilinx (rigolee@Jim) (gcc version 4.8.1 (Sourcery CodeBench Lite 2013.11-53) ) #43 SMP PREEMPT Sat Jul 28 12:14:01 CST 2018
CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: Xilinx Zynq Platform, model: Xilinx Zynq
Memory policy: Data cache writealloc
PERCPU: Embedded 8 pages/cpu @c09f1000 s8384 r8192 d16192 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 113792
Kernel command line: console=ttyPS0,115200 no_console_suspend, root=/dev/ram rw
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 437416K/458752K available (4197K kernel code, 255K rwdata, 1716K rodata, 176K init, 179K bss, 21336K reserved, 0K highmem)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xdc800000 - 0xff000000   ( 552 MB)
    lowmem  : 0xc0000000 - 0xdc000000   ( 448 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc05ce880   (5915 kB)
      .init : 0xc05cf000 - 0xc05fb0c0   ( 177 kB)
      .data : 0xc05fc000 - 0xc063bd78   ( 256 kB)
       .bss : 0xc063bd84 - 0xc06689a4   ( 180 kB)
Preemptible hierarchical RCU implementation.
        Dump stacks of tasks blocking RCU-preempt GP.
        RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
NR_IRQS:16 nr_irqs:16 16
ps7-slcr mapped to dc802000
Zynq clock init
sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
Console: colour dummy device 80x30
Calibrating delay loop... 1725.23 BogoMIPS (lpj=8626176)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0xc03fa6b8 - 0xc03fa710
L310 cache controller enabled
l2x0: 8 ways, CACHE_ID 0x410000c8, AUX_CTRL 0x72360000, Cache size: 512 kB
CPU1: Booted secondary processor
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
gpio->base_addr is:0xdc84e000
The gpio irq num is:52
zynq_gpio e000a000.ps7-gpio: gpio at 0xe000a000 mapped to 0xdc84e000
hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
hw-breakpoint: maximum watchpoint size is 4 bytes.
zynq_ocm f800c000.ps7-ocmc: ZYNQ OCM pool: 256 KiB @ 0xdc880000
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
NET: Registered protocol family 2
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 10644K (db099000 - dbafe000)
hw perfevents: enabled with ARMv7 Cortex-A9 PMU driver, 7 counters available
NTFS driver 2.1.30 [Flags: R/W].
msgmni has been set to 875
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
DPU:Map vRam to 0xdca00000
DPU:Map iReg to 0xdcc00000
DPU:Ver=0x20170711
dma-pl330 f8003000.ps7-dma: unable to set the seg size
dma-pl330 f8003000.ps7-dma: Loaded driver for PL330 DMAC-2364208
dma-pl330 f8003000.ps7-dma:     DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
e0000000.serial: ttyPS0 at MMIO 0xe0000000 (irq = 59, base_baud = 6249999) is a xuartps
console [ttyPS0] enabled
xuartps e0001000.serial: failed to get alias id, errno -19
e0001000.serial: ttyPS1 at MMIO 0xe0001000 (irq = 82, base_baud = 6249999) is a xuartps
brd: module loaded
loop: module loaded
xspips e0006000.ps7-spi: master is unqueued, this is deprecated
xspips e0006000.ps7-spi: at 0xE0006000 mapped to 0xDC858000, irq=58
libphy: XEMACPS mii bus: probed
xemacps e000b000.ps7-ethernet: pdev->id -1, baseaddr 0xe000b000, irq 54
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
xusbps-ehci xusbps-ehci.1: Xilinx PS USB EHCI Host Controller
xusbps-ehci xusbps-ehci.1: new USB bus registered, assigned bus number 1
xusbps-ehci xusbps-ehci.1: irq 76, io mem 0x00000000
xusbps-ehci xusbps-ehci.1: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-rx8010sj 0-0032: Update timer was detected
rtc-rx8010sj 0-0032: rtc core: registered rtc-rx8010sj as rtc0
input: Goodix-TS as /devices/virtual/input/input0
xi2cps e0004000.ps7-i2c: 90 kHz mmio e0004000 irq 57
zynq-edac f8006000.ps7-ddrc: ecc not enabled
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
ONFI param page 0 valid
ONFI flash detected
NAND device: Manufacturer ID: 0x2c, Chip ID: 0xd3 (Micron MT29F8G08ADADAH4), 1024MiB, page size: 2048, OOB size: 64
Bad block table found at page 524224, version 0x01
Bad block table found at page 524160, version 0x01
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
TCP: cubic registered
NET: Registered protocol family 17
Registering SWP/SWPB emulation handler
rtc-rx8010sj 0-0032: setting system clock to 2018-11-10 12:15:08 UTC (1541852108)
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 176K (c05cf000 - c05fb000)
Starting rcS...
++ Mounting filesystem
++ Setting up mdev
++ Starting ftp daemon
rcS Complete
<root@rigol>rpcbind: cannot create socket for udp6
rpcbind: cannot create socket for tcp6
2018-11-10 12:15:21: (log.c.166) server started
7 2048 16 2 "/dev/fb0"
Mount user space to:/user
default setting by user set
Rigol Device gadget: Rigol Device ready
usbcore: registered new interface driver usbtmc
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DeKu on March 22, 2019, 11:19:23 pm
Hi,

just wanted to thank every1 who has contributed. Got my scope a day ago and it's already fully upgraded thx to all of your work. So TY ppl.

I'm sorry, I've got no idea of this stuff but:

NAND read: device 0 offset 0x4900000, size 0x3591fd
þ


NAND read: device 0 offset 0xd900000, size 0x3591fd
Ÿ


That's normal right?

Regards AND BigTHX from Hamburg

DeKu
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on March 22, 2019, 11:35:10 pm
Yes quite normal. The scope has two areas A and B where it stores the previous version of firmware and alternates between them each time you upgrade.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DeKu on March 22, 2019, 11:42:24 pm
Ah OK,

can't upgrade a system which is running!

THX again

P.S. But there is a "Hardware" Serial Terminal?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgwan on March 23, 2019, 03:06:47 am
 |O
Serial is disabled immediately after the 'Hit any key' prompt, so you can still enter uboot at that point. Not available when the scope is up and running though.

TopLoser, can you confirm that while on uboot you have serial output and it just disappears when the app is called?

This is where it stops:

Code:
U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)

I2C:   ready
Memory: ECC disabled
DRAM:  448 MiB
DPU:   20170604
NAND:  OnDie ECC supported, 1024 MiB
zynq-In:    serial
zynq-Out:   serial
zynq-Err:   serial
Net:   Gem.e000b000
BootParam=0x0
Hit any key to stop autoboot:  0

NAND read: device 0 offset 0xd900000, size 0x3591fd
Ÿ


Disabled before the kernel is loaded - compared to previous versions:

Code:
U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)

I2C:   ready
Memory: ECC disabled
DRAM:  448 MiB
DPU:   20170604
NAND:  OnDie ECC supported, 1024 MiB
zynq-In:    serial
zynq-Out:   serial
zynq-Err:   serial
Net:   Gem.e000b000
BootParam=0x0
Hit any key to stop autoboot:  0

NAND read: device 0 offset 0x4900000, size 0x3591fd
þ
NAND read: device 0 offset 0x4900000, size 0x8
 8 bytes read: OK

NAND read: device 0 offset 0x4500000, size 0x12c008
 1228808 bytes read: OK
Loading logo, x=310,y=247,width=404,height=89

NAND read: device 0 offset 0x5100000, size 0xd8ebf0
 14216176 bytes read: OK
## Loading kernel from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Kerstrel Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x030000f8
     Data Size:    3302448 Bytes = 3.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00100000
     Entry Point:  0x00100000
     Hash algo:    sha1
     Hash value:   bece162e8cad943c68714d8eb8020d68e1db896b
   Verifying Hash Integrity ... sha1+ OK
## Loading ramdisk from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  kerstrel-Update-Ramdisk
     Type:         RAMDisk Image
     Compression:  gzip compressed
     Data Start:   0x03328c5c
     Data Size:    10901113 Bytes = 10.4 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    sha1
     Hash value:   55bdcbebccba845da403130143793ee0135e53a1
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 03000000 ...
   Using 'rootfs@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x0332661c
     Data Size:    9597 Bytes = 9.4 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   da2d17ba0d5a71b5897deec4cb026014f3132185
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x332661c
   Loading Kernel Image ... OK
   Loading Ramdisk to 1b099000, end 1bafe679 ... OK
   Loading Device Tree to 1b093000, end 1b09857c ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 3.12.0-xilinx (rigolee@Jim) (gcc version 4.8.1 (Sourcery CodeBench Lite 2013.11-53) ) #43 SMP PREEMPT Sat Jul 28 12:14:01 CST 2018
CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: Xilinx Zynq Platform, model: Xilinx Zynq
Memory policy: Data cache writealloc
PERCPU: Embedded 8 pages/cpu @c09f1000 s8384 r8192 d16192 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 113792
Kernel command line: console=ttyPS0,115200 no_console_suspend, root=/dev/ram rw
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 437416K/458752K available (4197K kernel code, 255K rwdata, 1716K rodata, 176K init, 179K bss, 21336K reserved, 0K highmem)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xdc800000 - 0xff000000   ( 552 MB)
    lowmem  : 0xc0000000 - 0xdc000000   ( 448 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc05ce880   (5915 kB)
      .init : 0xc05cf000 - 0xc05fb0c0   ( 177 kB)
      .data : 0xc05fc000 - 0xc063bd78   ( 256 kB)
       .bss : 0xc063bd84 - 0xc06689a4   ( 180 kB)
Preemptible hierarchical RCU implementation.
        Dump stacks of tasks blocking RCU-preempt GP.
        RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
NR_IRQS:16 nr_irqs:16 16
ps7-slcr mapped to dc802000
Zynq clock init
sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
Console: colour dummy device 80x30
Calibrating delay loop... 1725.23 BogoMIPS (lpj=8626176)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0xc03fa6b8 - 0xc03fa710
L310 cache controller enabled
l2x0: 8 ways, CACHE_ID 0x410000c8, AUX_CTRL 0x72360000, Cache size: 512 kB
CPU1: Booted secondary processor
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
gpio->base_addr is:0xdc84e000
The gpio irq num is:52
zynq_gpio e000a000.ps7-gpio: gpio at 0xe000a000 mapped to 0xdc84e000
hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
hw-breakpoint: maximum watchpoint size is 4 bytes.
zynq_ocm f800c000.ps7-ocmc: ZYNQ OCM pool: 256 KiB @ 0xdc880000
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
NET: Registered protocol family 2
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 10644K (db099000 - dbafe000)
hw perfevents: enabled with ARMv7 Cortex-A9 PMU driver, 7 counters available
NTFS driver 2.1.30 [Flags: R/W].
msgmni has been set to 875
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
DPU:Map vRam to 0xdca00000
DPU:Map iReg to 0xdcc00000
DPU:Ver=0x20170711
dma-pl330 f8003000.ps7-dma: unable to set the seg size
dma-pl330 f8003000.ps7-dma: Loaded driver for PL330 DMAC-2364208
dma-pl330 f8003000.ps7-dma:     DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
e0000000.serial: ttyPS0 at MMIO 0xe0000000 (irq = 59, base_baud = 6249999) is a xuartps
console [ttyPS0] enabled
xuartps e0001000.serial: failed to get alias id, errno -19
e0001000.serial: ttyPS1 at MMIO 0xe0001000 (irq = 82, base_baud = 6249999) is a xuartps
brd: module loaded
loop: module loaded
xspips e0006000.ps7-spi: master is unqueued, this is deprecated
xspips e0006000.ps7-spi: at 0xE0006000 mapped to 0xDC858000, irq=58
libphy: XEMACPS mii bus: probed
xemacps e000b000.ps7-ethernet: pdev->id -1, baseaddr 0xe000b000, irq 54
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
ULPI transceiver vendor/product ID 0x0424/0x0009
ULPI integrity check: passed.
xusbps-ehci xusbps-ehci.1: Xilinx PS USB EHCI Host Controller
xusbps-ehci xusbps-ehci.1: new USB bus registered, assigned bus number 1
xusbps-ehci xusbps-ehci.1: irq 76, io mem 0x00000000
xusbps-ehci xusbps-ehci.1: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-rx8010sj 0-0032: Update timer was detected
rtc-rx8010sj 0-0032: rtc core: registered rtc-rx8010sj as rtc0
input: Goodix-TS as /devices/virtual/input/input0
xi2cps e0004000.ps7-i2c: 90 kHz mmio e0004000 irq 57
zynq-edac f8006000.ps7-ddrc: ecc not enabled
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
ONFI param page 0 valid
ONFI flash detected
NAND device: Manufacturer ID: 0x2c, Chip ID: 0xd3 (Micron MT29F8G08ADADAH4), 1024MiB, page size: 2048, OOB size: 64
Bad block table found at page 524224, version 0x01
Bad block table found at page 524160, version 0x01
13 ofpart partitions found on MTD device pl353-nand
Creating 13 MTD partitions on "pl353-nand":
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
TCP: cubic registered
NET: Registered protocol family 17
Registering SWP/SWPB emulation handler
rtc-rx8010sj 0-0032: setting system clock to 2018-11-10 12:15:08 UTC (1541852108)
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 176K (c05cf000 - c05fb000)
Starting rcS...
++ Mounting filesystem
++ Setting up mdev
++ Starting ftp daemon
rcS Complete
<root@rigol>rpcbind: cannot create socket for udp6
rpcbind: cannot create socket for tcp6
2018-11-10 12:15:21: (log.c.166) server started
7 2048 16 2 "/dev/fb0"
Mount user space to:/user
default setting by user set
Rigol Device gadget: Rigol Device ready
usbcore: registered new interface driver usbtmc


They already set the PS0's pinmux configuration to PL and assign it to zero by Zynq bitstream in the new firmware. It is easy to work around, just an ordinary anti-hack trick.

Btw, there are still lots of bugs in the new firmware, like the trigger level not being inverted when the channel invert switch is on...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 24, 2019, 02:50:51 pm
Meanwhile, I can read 'just about enough' to debug stuff. I do have to take apart the scope to see if I'm missing the 0? ohm resistor.

Or, as I've hinted in the past, maybe the serial passes through the FPGA and something went bad in the latest programming.

If it was unintended, a bad recovery serial port is not something very pleasant to have...

You may not be completely wrong.

Looking at least at one of the traces on the PCB, we see it going near/under the spartan6. But I'd be surprised (Rigol shouldn't surprise us anymore) that they take the serial output, route it through the FPGA, and then to a pinheader.

Also, it's the spartan6, which I don't think they are actually upgrading (boot from SPI flash).

Seems much more likely than a change in timing in the low bits.

Maybe somebody at Rigol has been Muntzing, try adding a 2k pullup to the line and see what happens (or maybe a pulldown...)

Indeed it makes sense but just because Rigol must have wanted to make it inaccessible...

Olliver, what can you see in TopLoser's PCB images?

Edit: Oopsss! The photo is from TopLoser and he has the RES...  Must disassemble yours.
So ... yes, I spent an hour taking it apart (I didn't realize it was such a painful job, TopLoser. Thank you for all your disassemblies!!)

And indeed, the resistor for RX on the scope side is indeed missing, as pointed out in the earlier post. Bastards. If you have your scope open again, could you measure the resistor value? My guess is, it's something super low, like 0 or 33 ohms. Maybe a protection diode-ish?

The length seems to be 1 mm; so 1005, I'll check my parts bin to get one of these ...

Serial is disabled immediately after the 'Hit any key' prompt, so you can still enter uboot at that point. Not available when the scope is up and running though.

TopLoser, can you confirm that while on uboot you have serial output and it just disappears when the app is called?

This is where it stops:

Code: [Select]
U-Boot 2014.01.Rigolee.dirty (2018.06.12 - 12:12:01)

I2C:   ready
Memory: ECC disabled
DRAM:  448 MiB
DPU:   20170604
NAND:  OnDie ECC supported, 1024 MiB
zynq-In:    serial
zynq-Out:   serial
zynq-Err:   serial
Net:   Gem.e000b000
BootParam=0x0
Hit any key to stop autoboot:  0

NAND read: device 0 offset 0xd900000, size 0x3591fd
Ÿ


Ok this is way way way before the kernel is even informed, and we already checked the environment. BUT

They already set the PS0's pinmux configuration to PL and assign it to zero by Zynq bitstream in the new firmware. It is easy to work around, just an ordinary anti-hack trick.

They probably did not want, or were not able, to use the actual PS pins, so they are probably indeed rerouting the pins through the zynq's FPGA. And in turn, most likely are not forwarding the pins in the bitstream anymore. And this does coincide with the NAND read bit, d900000 and 4900000 are the locations of the FPGA bitstream, so it reads that, executes that, and after that it dies.

btw, how is it easy to work around? When making a new bitstream, sure it's easy, but we can't easily modify the existing bitstream can we? If we could, the solution is of course easy, just pass the bits 1-on-1 forward.

What is curious btw, is that the serial port does work before the bitstream is being loaded. Maybe that's why they have such a big flash for the u-boot. Maybe they have a very small FPGA bitstream in it, which initializes the FPGA's serial ports and the display unit?

Also that explains why the serial console is so messed up, the FPGA's timing may not be completely in sync with the 115200 baudrate. That still doesn't explain to me why it's working 'fine' on TopLoser's scope, so maybe it is just some resistor magic going better?

What would the suggested pull-up on the TX do? I doubt it would 'stretch' the bit by that much? Or is TopLoser's USB UART converter just so much better?

I went over the math, and they have a 0.0006% error rate on the 115200 baud rate. So the Linux driver is calculating the baudrate near perfectly.
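Added example, not part of any post: a small Python script that checks the two claims above against the quoted logs, namely that 0xd900000 and 0x4900000 are the bitstream partitions and that the scope alternates between two firmware areas. It parses the kernel's MTD partition table and maps every U-Boot `NAND read` offset onto it; the function names are made up for this example, and the input lines are copied from the boot logs in this thread.

```python
"""Map U-Boot 'NAND read' offsets onto the kernel's MTD partition table."""
import re

# Partition table as printed by the kernel in the boot log quoted in this thread.
MTD_TABLE = '''
0x000000000000-0x000000040000 : "Env"
0x000000100000-0x000004100000 : "DATA"
0x000004100000-0x000004500000 : "Bmp"
0x000004500000-0x000004900000 : "Bmp1"
0x000004900000-0x000005100000 : "Bit1"
0x000005100000-0x000007100000 : "Sys1"
0x000007100000-0x00000d500000 : "App1"
0x00000d500000-0x00000d900000 : "Bmp2"
0x00000d900000-0x00000e100000 : "Bit2"
0x00000e100000-0x000010100000 : "Sys2"
0x000010100000-0x000016500000 : "App2"
0x000016500000-0x00001a800000 : "Reserved"
0x00001a800000-0x000040000000 : "User"
'''

# Last U-Boot line before the console goes quiet on the newer firmware.
UBOOT_NEW = "NAND read: device 0 offset 0xd900000, size 0x3591fd\n"

# U-Boot reads from the older firmware's log.
UBOOT_OLD = '''
NAND read: device 0 offset 0x4900000, size 0x3591fd
NAND read: device 0 offset 0x4900000, size 0x8
NAND read: device 0 offset 0x4500000, size 0x12c008
NAND read: device 0 offset 0x5100000, size 0xd8ebf0
'''

PART_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"$', re.M)
READ_RE = re.compile(r'NAND read: device \d+ offset 0x([0-9a-f]+), size 0x([0-9a-f]+)')


def parse_partitions(text):
    """Return [(start, end, name)] sorted by start address."""
    parts = [(int(s, 16), int(e, 16), n) for s, e, n in PART_RE.findall(text)]
    return sorted(parts)


def locate(parts, offset, size):
    """Return (name, offset inside partition, read fits) or None for a gap."""
    for start, end, name in parts:
        if start <= offset < end:
            return name, offset - start, offset + size <= end
    return None


def map_reads(uboot_text, parts):
    """Return [(offset, size, locate() result)] for every NAND read line."""
    reads = []
    for off, size in READ_RE.findall(uboot_text):
        off, size = int(off, 16), int(size, 16)
        reads.append((off, size, locate(parts, off, size)))
    return reads


def boot_slots(reads):
    """Slot suffixes ('1' or '2') of the partitions touched by the reads."""
    names = [hit[0] for _, _, hit in reads if hit]
    return sorted({n[-1] for n in names if n[-1].isdigit()})


def find_gaps(parts):
    """Address ranges of the NAND that no partition covers."""
    gaps = []
    for (_, prev_end, _), (start, _, _) in zip(parts, parts[1:]):
        if start > prev_end:
            gaps.append((prev_end, start))
    return gaps


if __name__ == "__main__":
    parts = parse_partitions(MTD_TABLE)
    for label, log in (("new firmware", UBOOT_NEW), ("old firmware", UBOOT_OLD)):
        reads = map_reads(log, parts)
        print(label, "-> slot", boot_slots(reads))
        for off, size, hit in reads:
            print(f"  0x{off:08x} +0x{size:x}: {hit}")
    for lo, hi in find_gaps(parts):
        print(f"unpartitioned: 0x{lo:x}-0x{hi:x}")
```

The newer log's only read lands at the start of "Bit2" and the older log reads "Bit1", "Bmp1" and "Sys1", so the two logs were taken from different slots; the range between "Env" and "DATA" is not covered by any partition.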
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 24, 2019, 03:19:30 pm
Solder the RES and that part will be solved.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on March 24, 2019, 10:41:44 pm
oliv3r.
    I put a solder bridge across the PCB traces where the resistor is missing and then used an external 560 ohm resistor in series with the data line as a precaution.

This value of resistor had no effect on the amplitude or shape of the data bits going into the MSO5000.

Regards.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 25, 2019, 01:26:13 pm
Solder the RES and that part will be solved.
For the data going into the scope; but getting data out of the scope still requires some magic :(

oliv3r.
    I put a solder bridge across the PCB traces where the resistor is missing and then used an external 560 ohm resistor in series with the data line as a precaution.

This value of resistor had no effect on the amplitude or shape of the data bits going into the MSO5000.

Regards.

Yeah but I want to make the 'repair' look as genuine as possible, so that no repair tech will say 'this doesn't belong' :)

So 560 ohm sounds good, but using a resistor that matches what was in the early scopes would be even more transparent :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on March 25, 2019, 11:03:54 pm
Solder the RES and that part will be solved.
For the data going into the scope; but getting data out of the scope still requires some magic :(


To fix the corrupted data coming out of the MSO5000, you can always use something similar to my solution for correcting the low going data bit width, until you work out how to solve the issue in firmware.

As an alternative, you could try to find a UART interface adaptor that clocks the data bits in near the start of the data bit instead of what should be the center of the bit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ChRobin on March 27, 2019, 05:13:26 pm
Hello! I do not understand - any Rigol mso 5xxx is unlocked. Or is it necessary to buy a four channel? (5074/72)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on March 27, 2019, 05:19:07 pm
Hello! I do not understand - any Rigol mso 5xxx is unlocked. Or is it necessary to buy a four channel? (5074/72)

All MSO5k models are unlocked, including 2ch models.
If you'll buy 5072 you'll benefit of nice channel covers with a title "Optional". :)
Other than that is just a matter of if you need a warranty for all 4 channels and 4 probes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ChRobin on March 27, 2019, 05:27:59 pm
Thanks for the quick response. Now it is clear. 4 probes - there is something to think about.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: joesmith on March 29, 2019, 06:24:38 am
Current best practice:

First: You will perform a series of upgrades. These have to be done using the help menu and the DS5000Update.GEL filename. The files you download here have a .txt extension. Remove it and rename it to the proper name. Attention, Windows might just hide the .txt extension! Make sure to properly unmount your USB drive, and that there is free space left on it (<50MB).

Now:
  • Note your current software version down. If it is older than 01.01.04.04 you will need to upgrade.
  • Backup your scope specific data such as calibration values. Get the DS5000Update_backup.GEL.txt from here. (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380) Rename to DS5000Update.GEL and put it on a USB drive. Execute an upgrade using the help menu in your scope, NOT the secret menu. You will see the scope doing a backup. Unplug the stick and make sure you have a backup in the data_backup folder on the stick.
  • If you have an older version of the firmware, download 01.01.04.04 from here (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.04.GEL). Also rename it to DS5000Update.GEL, put it on your usb drive, and upgrade.
  • Make sure you are on the 01.01.04.04 firmware in the about dialog.
  • Patch the scope to have all licenses. For that download the patch from here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2235282/#msg2235282). Again rename and copy to usb drive. This time the upgrade might take a bit longer, it should ask you to reboot, if not something failed, but it is probably not fatal for your scope, no worries. Reboot.
  • Check that all licences are activated.
  • If you want, do an auto calibration and check that everything is still okay.

You can get temporary SSH access by executing this upgrade (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076). The upgrade will "fail", but you will have ssh until reboot. You can use this to fix your calibration data, if truly required.

I ran this one on 3/27/19 and it worked flawlessly.  Mine shipped with the 01.01.04.04FW.    :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: angelo on April 17, 2019, 05:16:21 pm
Just received mine from Teq on Tuesday 01.01.04.04 and the backup/upgrade worked perfectly. All options appear as licensed forever.

Thanks to those who have contributed.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jack_d on April 18, 2019, 11:22:50 am
Hi to all !

My MSO5074 comes with FW 00.01.01.04.04 - followed backup/upgrade instructions and it works like a charm - all options activated forever  :-+

Is there a simple way to deactivate this hack ?

Best regards and thanks a lot for your effort,

jack_d
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Menen on April 18, 2019, 06:54:30 pm
This is what I watch over the LAN.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 18, 2019, 07:15:15 pm
Is there a simple way to deactivate this hack ?

Reflashing stock FW.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on April 18, 2019, 07:23:52 pm
Is there a USB stick to automatically switch between the two firmwares in the machine?

That would be cool for testing things.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 18, 2019, 10:23:30 pm
Is there a USB stick to automatically switch between the two firmwares in the machine?

That would be cool for testing things.

See Olliver's repo.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: timber23 on April 19, 2019, 11:43:12 pm
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
20 minutes with hashcat on a radeon hd7900 -> Rigol201  :-DD

for those interested. researching this took longer than 20mins ;-) linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. i copied the hash part into a file (rigol.hash) and here's the command i used for hashcat:
Code: [Select]
hashcat64.exe -a 3 -m 1500 rigol.hash
Thank you very much for your explanation how to crack the password from hash. I downloaded hashcat and tried it on my machine:
Code: [Select]

qkiAP.hEBSnSY:Rigol201

Session..........: hashcat
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: qkiAP.hEBSnSY
Time.Started.....: Sat Apr 20 01:34:19 2019 (2 mins, 38 secs)
Time.Estimated...: Sat Apr 20 01:36:57 2019 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2?2?3 [8]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 8/8 (100.00%)
Speed.#1.........:   876.7 MH/s (11.41ms) @ Accel:2 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 139148328960/5533380698112 (2.51%)
Rejected.........: 0/139148328960 (0.00%)
Restore.Point....: 1730560/68864256 (2.51%)
Restore.Sub.#1...: Salt:0 Amplifier:8192-9216 Iteration:0-1024
Candidates.#1....: lnitsorl -> Lurghbou
Hardware.Mon.#1..: Temp: 77c Fan: 60% Util: 97% Core:1898MHz Mem:4513MHz Bus:16

Started: Sat Apr 20 01:31:31 2019
Stopped: Sat Apr 20 01:36:58 2019
It took only 5 minutes on an i7-8700K with GTX 1080.
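Added example, not part of any post in this thread: the exchange above turns on a 13-character, `$`-free hash sitting in the passwd file, so this sketch audits an extracted firmware passwd file for exactly that pattern. The function names and all sample lines except the root entry quoted above are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from this alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt format identifiers -> (scheme name, acceptable today?)
MCF_SCHEMES = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE_PASSWD = """\
root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
svc:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER:1000:1000::/home/svc:/bin/sh
guest::1001:1001::/tmp:/bin/sh
"""


@dataclass
class Finding:
    user: str
    scheme: str
    issues: list


def classify_hash(pw):
    """Return (scheme, is_weak) for the password field of a passwd entry."""
    if pw == "":
        return "empty", True          # no password required at all
    if pw == "x":
        return "shadowed", False      # real hash lives in the shadow file
    if pw[0] in "*!":
        return "locked", False
    if pw.startswith("$"):
        parts = pw.split("$")         # "$6$salt$hash" -> ['', '6', 'salt', 'hash']
        ident = parts[1] if len(parts) > 2 else ""
        name, acceptable = MCF_SCHEMES.get(ident, ("unknown-mcf", False))
        return name, not acceptable
    if DES_RE.match(pw):
        return "descrypt", True
    return "unknown", True


def audit_passwd(text):
    """Return a Finding for every account whose password field needs attention."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding("?", "malformed", [f"expected 7 fields: {line!r}"]))
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        scheme, weak = classify_hash(pw)
        issues = []
        if scheme not in ("shadowed", "locked", "empty"):
            issues.append("hash stored in passwd, which is world-readable; move it to shadow")
        if scheme == "empty":
            issues.append("empty password field: no password required")
        elif scheme == "descrypt":
            issues.append(
                f"traditional DES crypt (salt {pw[:2]!r}): 12-bit salt, "
                "password truncated to 8 characters"
            )
        elif weak:
            issues.append(f"{scheme} is not an acceptable password hash")
        if issues and uid == "0" and shell not in NOLOGIN_SHELLS:
            issues.append("account is uid 0 with a login shell")
        if issues:
            findings.append(Finding(user, scheme, issues))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user} [{f.scheme}]")
        for issue in f.issues:
            print(f"  - {issue}")
```
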
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on May 02, 2019, 07:35:18 am
Changes for the beta firmware 03.01.01.04.04

Code:
        deleted:    firmware/env.cmd
        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        modified:   firmware/kerstrel.dts
        deleted:    firmware/kerstrel.its
        modified:   firmware/rootfs/rigol/K160M_TOP.bit
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/mail/etc/Muttrc
        modified:   firmware/rootfs/rigol/mail/etc/msmtprc
        modified:   firmware/rootfs/rigol/resource/appmeta.xml
        modified:   firmware/rootfs/rigol/resource/dsometa.xml
        modified:   firmware/rootfs/rigol/resource/help/b/cursor.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/display.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/la.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/quick.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/ref.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/storage.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/trigger.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/utility.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/vdecode.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/quick.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/trigger.hlp
        modified:   firmware/rootfs/rigol/resource/menu/b.hex
        modified:   firmware/rootfs/rigol/resource/menu/c.hex
        modified:   firmware/rootfs/rigol/resource/menu/d.hex
        modified:   firmware/rootfs/rigol/resource/menu/desc.hex
        modified:   firmware/rootfs/rigol/resource/menu/h.hex
        modified:   firmware/rootfs/rigol/resource/menu/i.hex
        modified:   firmware/rootfs/rigol/resource/menu/j.hex
        modified:   firmware/rootfs/rigol/resource/menu/k.hex
        modified:   firmware/rootfs/rigol/resource/menu/l.hex
        modified:   firmware/rootfs/rigol/resource/menu/m.hex
        modified:   firmware/rootfs/rigol/resource/menu/menu.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ch.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ext.hex
        modified:   firmware/rootfs/rigol/resource/menu/msg.h
        modified:   firmware/rootfs/rigol/resource/menu/n.hex
        modified:   firmware/rootfs/rigol/resource/menu/o.hex
        modified:   firmware/rootfs/rigol/resource/menu/res.hex
        modified:   firmware/rootfs/rigol/resource/menu/t.hex
        modified:   firmware/rootfs/rigol/resource/menu/u.hex
        modified:   firmware/rootfs/rigol/resource/scpi/ACQuire.xml
        modified:   firmware/rootfs/rigol/resource/scpi/BUS1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/BUS2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/BUS3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/BUS4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CALibration.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/JITTer.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SEARch.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/TIMebase.xml
        modified:   firmware/rootfs/rigol/resource/scpi/TRIGger.xml
        modified:   firmware/rootfs/rigol/resource/scpi/scpiConfig.xml
        modified:   firmware/rootfs/rigol/shell/send_mail.sh
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcre.so.0.0.1
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcrecpp.so.0.0.0
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcreposix.so.0.0.0
        modified:   firmware/rootfs/rigol/webcontrol/lib/libz.so.1.2.7
        modified:   firmware/rootfs/rigol/webcontrol/sbin/lighttpd
        modified:   firmware/rootfs/rigol/webcontrol/sbin/lighttpd-angel
        modified:   firmware/zImage
        modified:   firmware/zynq.bit


Looking at just the text based changes,
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on May 02, 2019, 01:50:04 pm
Looking at the disassembled appEntry file, it looks to me like it's only able to start a ssh and ftp daemon, but not to stop any of them.
I'm not sure how to start it though. The start command is close to other UI stuff, and the string "Enter Project mode" is used close to it. I could imagine there is something like a maintenance menu we don't know about yet.

The corresponding function (0x275c30 in 4.4 stable firmware) has a single branch. Only in one branch does it go and print "Enter Project Mode". I have experimentally patched the branch to always branch here.

The message "Enter Project Mode" is subsequently shown when the Default button is pressed and the scope becomes available over SSH.

I still need to figure out how to trigger that branch manually though. Other Rigol scopes also have a project mode. See e.g. https://assets.tequipment.net/assets/1/26/Documents/Rigol/DS6064/ds6064_doc_7.pdf

EDIT: In the experimental beta firmware, the function is at 00272d0c. It is called by 00272f1c which toggles the state in the passed data structure with 220 bytes offset.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 02, 2019, 01:55:22 pm
It should be easily reproducible with the "specific" USB vendor disk inserted.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on May 02, 2019, 02:24:53 pm
Do you have more info on that vendor disk? I have found references to /user/data and "#*@RIGOL*#" but have yet to find how to put it together.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 02, 2019, 02:35:30 pm
Do you have more info on that vendor disk?

I'm not sure yet if this is the case in this specific functionality but what I'm talking is here:

https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1473517/#msg1473517
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on May 02, 2019, 02:40:34 pm
 :wtf:

Wow indeed. I came across this magic. I even named function 001de418 in the beta as mount_usb. And this is exactly where that string comes up and magic is done. Cool!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 02, 2019, 02:54:22 pm
:D  You didn't complete your homework...

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2064766/#msg2064766
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on May 02, 2019, 03:04:39 pm
:D  You didn't complete your homework...

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2064766/#msg2064766

Ok thanks. I cannot wrap my head around how exactly this disk must look like. But anyways  ;D

The project mode is pretty close to other gui stuff and on older scopes it was just some random key combination. I guess it is the same here. I'll give up for now though  :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KC0PPH on May 03, 2019, 03:06:21 am
UPS dropped mine off today. I got a 5072. Within about 5 minutes of opening it, I had all options.

Thanks Mabl and company for the hard work to make hacking this thing easy.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bdunham7 on May 03, 2019, 05:04:04 pm
UPS dropped mine off today. I got a 5072. Within about 5 minutes of opening it, I had all options.

Thanks Mabl and company for the hard work to make hacking this thing easy.

Does that include a bandwidth upgrade?  If so, to what level?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on May 03, 2019, 05:10:14 pm
Does that include a bandwidth upgrade?  If so, to what level?
Full (350 MHz)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on May 03, 2019, 05:33:28 pm
UPS dropped mine off today. I got a 5072. Within about 5 minutes of opening it, I had all options.

Thanks Mabl and company for the hard work to make hacking this thing easy.

Are they still shipping with the 00.01.04.04 firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: KC0PPH on May 03, 2019, 07:27:07 pm
Yes they are still shipping (or at least mine arrived with .04.04 FW.)

As far as upgrading, steps were simple and easy (thanks to the talented individuals here)

1) Put Backup GEL file on Thumb Drive (Rename it to correct name)
2) Put in Scope and do FW upgrade
3) Save files Off of Thumb Drive to PC, and Put Hack FW on ThumbDrive
4) Put in Scope and do FW upgrade

I can confirm that the CHEAPEST model 5072 can be hacked to 350Mhz 4 Channels, all Options Perm with the hack FW. I just wish they would give more of those "Optional" BNC covers for the AWG.

It should take you longer to Format the USB drive to FAT32 than it does to hack the scope :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: alank2 on May 03, 2019, 08:46:06 pm
Has anyone tested the rise/fall time in 350 Mhz mode with the Leo Bodnar pulser?  I'd like to see what those numbers are...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on May 03, 2019, 09:27:26 pm
I did…. ;)

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2270838/#msg2270838
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: alank2 on May 03, 2019, 09:39:10 pm
750ps average, very nice.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: angelo on May 06, 2019, 04:31:21 pm
If I go to measurement, analysis, and jitter analysis. In PLL mode with a 1MHz FM modulated 10MHz carrier my scope freezes.

I emailed rigol support and they said this feature is not available to North America. I don't understand why this would be the case.

Can anyone else replicate, confirm, or offer advice?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on May 06, 2019, 05:51:07 pm
 :wtf: :clap:

Because it is an unofficial feature which is not yet released and only available because you hacked your scope... Don't complain to rigol about stuff which you should not even have...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: iMo on May 06, 2019, 06:32:47 pm
I emailed rigol support and they said this feature is not available to North America. I don't understand why this would be the case.
Tariffs war? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 06, 2019, 06:37:34 pm
If I go to measurement, analysis, and jitter analysis. In PLL mode with a 1MHz FM modulated 10MHz carrier my scope freezes.

I emailed rigol support and they said this feature is not available to North America. I don't understand why this would be the case.

Did they ask for your serial number so they could blacklist your 'scope's warranty?  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: angelo on May 06, 2019, 08:07:11 pm
Didn't realize that was one of the unlocked features.

For sake of completeness is there a list of unlocked features that are not the typically advertised features?

Then if there is trouble with them I can suspect them being unsupported rather than malfunctioning.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 06, 2019, 08:12:31 pm
BW > 70MHz
Serial Decode (all of them)
Waveform Generators
MSO
200Mpts
Power analysis
Channels 3 & 4 if you have MSO5072
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: angelo on May 06, 2019, 08:41:33 pm
These are the stated unlockable features. I'm curious about the unpublished features unlocked from other models.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on May 06, 2019, 08:44:25 pm
If it's not in the (your country here) user manual but it is on the scope, it's an unpublished hacked feature.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: angelo on May 06, 2019, 08:48:41 pm
Reasonable, anyone care to investigate if TIE in jitter menu is non-functional as well?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 06, 2019, 09:01:38 pm
Isn't Jitter measurement part of the power analysis feature, opened by the hack? 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on May 06, 2019, 09:11:49 pm
Isn't Jitter measurement part of the power analysis feature, opened by the hack?

Best to ask somebody who has purchased the power analysis feature, not hacked to enable all options.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: angelo on May 06, 2019, 09:48:40 pm
Isn't Jitter measurement part of the power analysis feature, opened by the hack?

Not according to Rigol, I thought the same though. Seems like it's a holdover from the code locked out on lower model numbers but available on the 7000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: timber23 on May 06, 2019, 09:54:19 pm
This is how it looks like over here:
(https://i.imgur.com/2IYvDkY.png)

I don't have this jitter analysis.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Frex on May 07, 2019, 04:24:27 pm
Hello,

I think as for the DS7000 series, jitter measurement is done with histogram analysis (that you show on right side menu).


Frex


https://www.youtube.com/watch?v=bKbI2XjRhfY

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: timber23 on May 07, 2019, 07:47:14 pm
This is how histogram looks like:
(https://i.imgur.com/LmhrL1P.png)

There are two modes in Power-analysis: Ripple and Power-Quality.
(https://i.imgur.com/LZ1x5c3.png)

I don't have the necessary current probe, hence the results are bogus:
(https://i.imgur.com/8GSUccI.png)

Best regards
timber23
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on May 07, 2019, 08:19:25 pm
Why would jitter measurements be in power analysis?
Jitter measurements are clock/ timing related, for digital clocks and serial communications and such.
Not much to do with power measurements.
It makes sense to be connected with histograms though.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 07, 2019, 09:03:58 pm
Why would jitter measurements be in power analysis?
Jitter measurements are clock/ timing related, for digital clocks and serial communications and such.
Not much to do with power measurements.
It makes sense to be connected with histograms though.
Maybe to analyze switching power supplies?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on May 07, 2019, 09:18:15 pm
In power applications you analyse PWM modulation and call it modulation analysis.
You can do it with built in measurements + stats.

Jitter analysis implies measurement of clock/edge stability of something that has to be very stable. It is basically noise analysis in time domain..
Both are timing analysis, but using different methods and for different purpose.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on May 08, 2019, 11:29:16 am
If I go to measurement, analysis, and jitter analysis. In PLL mode with a 1MHz FM modulated 10MHz carrier my scope freezes.

I emailed rigol support and they said this feature is not available to North America. I don't understand why this would be the case.

Can anyone else replicate, confirm, or offer advice?

Hi Angelo

Mine too, however I am located in the UK, also purchased power analysis option with the scope.

The hack worked fine thank you chaps  8)

Every time I use the jitter feature (tie mode) and switch in jitter spectrum it freezes, also when using the jitter trend mode it runs for around a couple of minutes then locks up

The scope locks up in normal and high res modes as well

All other features are fine more than likely a firmware issue that has missed the beta testers at Rigol?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: angelo on May 08, 2019, 11:55:37 am
If I go to measurement, analysis, and jitter analysis. In PLL mode with a 1MHz FM modulated 10MHz carrier my scope freezes.

I emailed rigol support and they said this feature is not available to North America. I don't understand why this would be the case.

Can anyone else replicate, confirm, or offer advice?

Hi Angelo

Mine too, however I am located in the UK, also purchased power analysis option with the scope.

The hack worked fine thank you chaps  8)

Every time I use the jitter feature (tie mode) and switch in jitter spectrum it freezes, also when using the jitter trend mode it runs for around a couple of minutes then locks up

The scope locks up in normal and high res modes as well

All other features are fine more than likely a firmware issue that has missed the beta testers at Rigol?

Thanks for the confirmation Sig.

To those above, the option is not under histogram but has a separate option in the analyze window after those in the unhacked option. I don't have access to the scope at the moment to screenshot.

I'd be interested to hear if anyone does get this feature operational, or can confirm that it is bugged, or that it is non functional but option is just enabled in the 5000 hack.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 08, 2019, 12:11:13 pm
I'd be interested to hear if anyone does get this feature operational, or can confirm that it is bugged, or that it is non functional but option is just enabled in the 5000 hack.
You can just remove the hack and verify it yourself
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: angelo on May 08, 2019, 12:30:23 pm
I'd be interested to hear if anyone does get this feature operational, or can confirm that it is bugged, or that it is non functional but option is just enabled in the 5000 hack.
You can just remove the hack and verify it yourself

I'm sure that it will go away if I disable the hack.

What I meant was, perhaps my settings/test is bugged and the feature works. Or, perhaps it just shows up but will never work.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 08, 2019, 12:56:56 pm
I'd be interested to hear if anyone does get this feature operational, or can confirm that it is bugged, or that it is non functional but option is just enabled in the 5000 hack.
You can just remove the hack and verify it yourself

I'm sure that it will go away if I disable the hack.

What I meant was, perhaps my settings/test is bugged and the feature works. Or, perhaps it just shows up but will never work.
You are correct.  I misunderstood your question.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on May 08, 2019, 02:47:29 pm
Hi Angelo

I also have a 'feature disabled' notice when I press the histogram function in the jitter measure menu which may be a clue that TK was alluding to possibly?

A couple of images below of the 'new features'




Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stenbror on May 12, 2019, 03:15:45 pm
Hi. Got my Rigol MSO5074 May 8th and by May 12th it is "upgraded" with all options. Thank you very much to everyone who made this possible...... Smiling big!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrpackethead on May 13, 2019, 02:45:07 am
Loving your work everyone.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: swansonbroth on May 16, 2019, 05:58:51 am
Good Morning everyone,

I got mine yesterday - MSO5354.
FW is 00.01.01.04.04.

Where I can find the file to get all the possible options?
And what are the right steps? only Upgrade the FW with the file from here?

Best regards


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on May 16, 2019, 07:20:04 am
Hi,

Yesterday my MSO5074 has arrived. Factory installed firmware 00.01.01.04.04.  Hardware 01.00.000.

I've read the instructions and now is full option  :box:
It took about 5 minutes, I appreciate your work here  :clap:

Indeed, it's the best option to buy, and not only for a hobby work.

I was very close to order a Siglent because of somehow better included features (bode plot was one of them) and a better analog input stage for low signal but I really don't need 1mV/div, a true 4mV/div is fine.
I hope that bode plot will be included in the end, the sooner the better  :)

8GSamples, 200M deep memory, 9 inch display, included dual channel signal generator, etc. No competition for the price, of course with 'patch' applied.
Also, the mechanical power switch is way better than the "soft" one. Not only for environment friendly, but also for a long term power supply reliability.

The airflow noise it's there but it's not a big problem. The noise from the sleeve or ball bearing is more important.
Fan noise is like an old style PC power supply. For the moment is ok. In the future I will see if it worth to replace it.

Best regards !
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on May 16, 2019, 07:59:45 am
@ swansonbroth

You can find all the information here:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401

It seems that you have the latest firmware (00.01.01.04.04), so just apply the backup and the 'update patch'

Success !
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on May 16, 2019, 06:24:01 pm
I got mine yesterday - MSO5354.

Why, when you already got the DS7014 (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg2414466/#msg2414466) ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 16, 2019, 08:38:23 pm
Why, when you already got the DS7014 (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg2414466/#msg2414466) ?

Hack benchmarking...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on May 17, 2019, 04:43:03 pm
I installed this and it seems to have worked perfectly, with one exception. I cannot get the probe to compensate correctly on channel 1. On the other 3 channels I can get the probe compensated, but Channel 1 has a hump above the peak of the square wave regardless of the probe I use. Is this something wrong with the scope, or something wrong with the hack? Should I roll back to the non-hacked version? I'm not entirely sure how to resolve this.

Thanks,
Steven
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on May 17, 2019, 08:55:45 pm
I installed this and it seems to have worked perfectly, with one exception. I cannot get the probe to compensate correctly on channel 1. On the other 3 channels I can get the probe compensated, but Channel 1 has a hump above the peak of the square wave regardless of the probe I use. Is this something wrong with the scope, or something wrong with the hack? Should I roll back to the non-hacked version? I'm not entirely sure how to resolve this.

Thanks,
Steven

It should be fixed in the next firmware version: https://www.eevblog.com/forum/blog/new-rigol-scope/msg2366808/#msg2366808
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on May 17, 2019, 09:11:13 pm
Quote
It should be fixed in the next firmware version: https://www.eevblog.com/forum/blog/new-rigol-scope/msg2366808/#msg2366808

Thanks so much! Guess I missed that part reading through the long thread. Thanks so much for this work, guys and/or gals!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on May 18, 2019, 12:00:10 pm
Can confirm, there's new cal routines in the coming firmware. Myself and a few others have been in contact with Rigol and ran the beta firmware. Goofy over/undershoot was fixed.

Currently working that same problem out on 7k series. New FW fixed a couple, but not all our 7ks.....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rowifi on May 23, 2019, 06:32:07 pm
Have heard that there is a revised hardware for the MSO5000 to fix the screen brightness.
Just resistor changes apparently. New devices being shipped with this change - make sure you check before buying today.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 23, 2019, 10:48:02 pm
If Rigol is changing only some resistors, there might not be a way to identify the new scopes from the old ones... just purchase and pray?  Will they allow users to change the resistors and honor the factory warranty, like what Siglent did with the missing capacitor in the SDS1202X-E front end?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rowifi on May 24, 2019, 08:58:58 am
Will they allow users to change the resistors and honor the factory warranty?

Apparently not. Scopes at distributors need to go back to Germany to be fixed - so I'm told.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on May 24, 2019, 02:42:17 pm
Any word on how they intend to handle existing units with what appears to be a manufacturing/design fault?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ivonenand on May 24, 2019, 03:59:05 pm
Damn  :(
Just last week I got my MSO5074 from Batronix. The Hardware version reported is 1.01.000. I suppose you guys have the same (meaning my unit hasn't been fixed yet)?

Ivo
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: FRR on May 24, 2019, 05:07:05 pm
Do we have any idea of what serial number this LCD fix starts with? I am considering picking one of these up as an extra scope for the lab but prefer to have an updated unit from the start rather than having to mail it back.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Magnum on May 24, 2019, 06:14:25 pm
Batronix told me today that the display fix was already introduced a couple of months ago. Don't know if that is true.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on May 24, 2019, 08:50:40 pm
Couldn´t believe it, in several ways.

Quote
Any word on how they intend to handle existing units with what appears to be a manufacturing/design fault?

I´ve asked them(if the resistor-fix is true and how to handle it), answer should be given next week.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pmnxis on May 25, 2019, 05:51:24 am
I got one MSO5074.
I thought I can dump many times with high bandwidth for data acquisition.
but it's not possible.

Hope someone analysis this system. and make me code some custom programming with it's own component.
I looked some program binary but too huge lol
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 25, 2019, 08:21:53 am
I got one MSO5074.
I thought I can dump many times with high bandwidth for data acquisition.
but it's not possible.

What were you expecting? What did you get?

400Mb of memory is a lot of data to transmit, even at perfect one gigabit Ethernet speeds it will take 4 seconds. In real life it's going to take a lot longer than that.

Dumping the memory in real time is a completely unrealistic expectation.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pmnxis on May 28, 2019, 03:12:15 am
yes i know that's unrealistic issue with this stuff.
But I hoped continuous data logging with a short time (a second with high-time-divid resolution).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pmnxis on May 29, 2019, 03:09:19 pm
I guess how control external memory area(not directed connected 512MB, 1.25GB area and FPGA near the ADC frontend) and grabbing them.

implementing custom "dirty" "short-term" DAQ system.

guess Rigol MSO5k is developed for graph showing machine and s/w application is specific to graph purpose.

But I think it's possible for customizing to simple DAQ.

I am not good at reverse engineering. though I am trying to see appentry and zynq datasheet for is that possible and what can I do.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nukecat on May 31, 2019, 09:21:18 am
Got the 5072 about a month ago. Thanks to everyone for making the hack possible, I'm very grateful!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on June 09, 2019, 10:52:59 am
After all the confirmations that the hack works, today I can confirm that the way back is also no problem…. ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on June 09, 2019, 02:08:14 pm
^True.

You can flash pretty much whatever through the recovery menu on boot.

Patiently waiting to hear about the "resistor change" with regards to screen brightness though.
You sent yours in for service, right Martin? Did Rigol EU ever give you an answer about it? I'm going to probe the USA div and see what they say.
Worst case Rigol USA says "tough" and I pop mine open and swap it :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on June 09, 2019, 05:20:17 pm
They told me to send it in the mid of june, next week, for fixing the noisy fan - And as I asked them what about the dim display, will it be fixed too, they said "probably"... ;)
Maybe a service report will be attached when they send it back, that would be great to know what they did exactly.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on June 09, 2019, 06:13:49 pm
If you send it in, it might come back with some new firmware that is not hackable... 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on June 09, 2019, 06:48:45 pm
I´ll take the risk and let you know what will happen.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on June 09, 2019, 07:48:39 pm
If you send it in, it might come back with some new firmware that is not hackable...


Yeah, the whole dim screen/recall thing is just a trap to catch evil oscilloscope hackers.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on June 09, 2019, 08:57:03 pm
 :-DD

I'm pretty sure nothing will happen...
Much more important, what will they do...
Ah, in this case I probably found another bug:
Power On State....Choosable are last and default.
But whatever you choose, it's always "last".



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on June 09, 2019, 09:56:05 pm
Maybe last is default, they just know they'd be ridiculed if they didn't give you an option.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Alex18 on June 10, 2019, 06:09:51 pm
Dear All,
a little help to a novice: I flashed 01.01.04.04 on my MSO5074 and while I can ping the scope, ssh gives me "connection refused"... has anyone experienced this?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on June 10, 2019, 10:22:59 pm
Dear All,
a little help to a novice: I flashed 01.01.04.04 on my MSO5074 and while I can ping the scope, ssh gives me "connection refused"... has anyone experienced this?

It's mentioned in this thread, SSH is disabled in that FW. You can either patch to enable it, or directly patch the FW for the options and avoid SSH altogether:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w_m0zart@eevblog on June 13, 2019, 09:34:58 am
Two weeks ago I ordered an MSO5074 from the company Batronix, with software version 01.01.04.04 on it. After reading through pages 20 to 47 I was confident enough to install the patched firmware. With that the oscilloscope now has all features enabled.

One general remark though about this oscilloscope, which has nothing to do with the patch, is that the input impedance cannot be switched to 50 Ohms. The option is greyed out. Standard is 1 MOhm. And we would need to use external feed-through terminators to realize this. If someone needs this, the option would be to go for the MSO7000 series. I have not seen anywhere whether someone was able to patch that oscilloscope with success as well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on June 13, 2019, 09:43:50 am
You could wait for the DSO 8000 or just use some genuine 50 Ohm terminated BNC adapters; that way you would know that the consistency of the measurement you are making will be accurate.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on June 13, 2019, 05:16:20 pm
Just for the record, mine is HW 01.01.000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on June 13, 2019, 05:21:13 pm
Interesting you only have one bandwidth upgrade installed tv84.

How could that have happened?!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on June 13, 2019, 05:27:35 pm
Interesting you only have one bandwidth upgrade installed tv84.

How could that have happened?!

"One option to rule them all..."  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on June 13, 2019, 05:53:26 pm
Interesting you only have one bandwidth upgrade installed tv84.

How could that have happened?!

"One option to rule them all..."  ;)

Not a ‘feature’ now then!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Frex on June 29, 2019, 01:49:52 pm
Hello all,

First, thanks to all who have contributed to make the hack possible (then Rigol first of all!  :) ).
I'm a little bit confused by the large number of pages/posts in the thread and not sure I have found the latest right info.
Is there a way to have a link to a post with a step-by-step procedure to hack the scope?
I haven't ordered the scope yet, but plan to do it soon, so I would be ready! :)
Thanks all.

Frex

(Maybe major posts about the hack could be linked in the first post of the thread for easier access?)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on June 29, 2019, 02:39:28 pm
Hi,

Everyone has to search for it, there's nobody who has all the posts in mind by numbers.. ;)
Except me  8)

Procedure (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401)

(Joke, have to search for, too)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Frex on July 01, 2019, 03:51:30 pm

Thank you ! :)

So I have another question: are there any MSO5000 owners who have played with histogram analysis?
It would be great to see how it performs for measuring phase RMS noise...
If somebody wants to try  :D

Frex
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on July 07, 2019, 02:41:58 am
I got in my MSO5000.   Seems to work well.   Mfg date was 20 Feb 2019.  HW 01.00.000  FW 00.01.01.04.04    Screen is nice and bright.  Fan is nice and quiet.

Only complaint is the rubber boots on the probe BNCs.  They like to rotate without turning the BNC shell... makes it a pain to attach / remove the probes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on July 07, 2019, 03:27:29 am
That's the first thing I replaced, they are very tight and a pain to pull off. 

I went with this: https://www.ebay.com/itm/25-BNC-Female-Cap-Plug-Caplugs-Black-Easy-EZ-Pull-New-Protection-Caps-Dust-Cover/121430968091?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649

A little loose, but very easy to put on and take off.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on July 07, 2019, 03:35:33 am
That's the first thing I replaced, they are very tight and a pain to pull off. 

No, I'm talking about the black rubber boots/insulators on the end of the scope probe cables...  not the dust covers on the scope BNC connectors.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on July 07, 2019, 01:11:29 pm
I got in my MSO5000.   Seems to work well.   Mfg date was 20 Feb 2019.  HW 01.00.000  FW 00.01.01.04.04    Screen is nice and bright.  Fan is nice and quiet.

Only complaint is the rubber boots on the probe BNCs.  They like to rotate without turning the BNC shell... makes it a pain to attach / remove the probes.
I think you are not handling them correctly... if you push the probe BNC in (it has a spring mechanism), then rotates very easily.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on July 07, 2019, 05:20:24 pm
I think you are not handling them correctly... if you push the probe BNC in (it has a spring mechanism), then rotates very easily.

Possibly,  I've only been using scope probes for around 50 years...  :-DD

Removing the probes seems to be the most problematic.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on July 07, 2019, 05:48:32 pm
Hi,
This thread here is for questions about hacking the 5000, common questions would fit here (https://www.eevblog.com/forum/blog/new-rigol-scope/msg1952305/#msg1952305).
Thank you!  :)

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: adras on July 10, 2019, 12:10:21 am
Just to make sure I understand correctly. I can upgrade the MSO 5072 to a MSO 5354 with the procedure mentioned in this thread?

Do I also unlock the function generator?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on July 10, 2019, 02:22:07 am
Just to make sure I understand correctly. I can upgrade the MSO 5072 to a MSO 5354 with the procedure mentioned in this thread?

Do I also unlock the function generator?

Yes, you'll just be lacking some probes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: N2tl on July 13, 2019, 12:21:39 am
mabl's summary of best practices, with helpful links, worked a treat on a 5074 scope just received from TEquipment. No test signal overshoot noticed, before or after. Hardware shown as 1.0. After patch applied, all options shown as "forever." :-+ 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on July 13, 2019, 07:33:03 am
mabl's summary of best practices, with helpful links, worked a treat

You are referring to this post, right?
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: adras on July 13, 2019, 10:48:55 am
Thanks for that reply. Got a fully unlocked scope as well now. Gotta make some tests now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: adras on July 13, 2019, 10:50:18 am
Looking at the questions from myself and others. How about we add some information into the starting post of this thread? Then we have a central place. Of course it takes some time to keep it up to date, but on the other hand, people wouldn't need to search through the whole thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on July 23, 2019, 07:22:26 pm
Interesting you only have one bandwidth upgrade installed tv84.

How could that have happened?!

"One option to rule them all..."  ;)
Ahh I'm so envious. I so wonder what the differences are between the two hardware revisions. DAAaavveeee tear another one down and compare it for us :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on July 23, 2019, 07:24:43 pm
Looking at the questions from myself and others. How about we add some information into the starting post of this thread? Then we have a central place. Of course it takes some time to keep it up to date, but on the other hand, people wouldn't need to search through the whole thread.
Wish it were so easy, the original author is long gone and awol, and I have yet to receive a pull request on https://gitlab.com/riglol/rigolee or an update on the wiki https://gitlab.com/riglol/rigolee/wikis/home

While I admit I have been tardy (not, just super busy :p) I'll pick up on the subject again once I have more time.

I'm still waiting for someone to share the exact value of the resistor of the uart TX line, so I can solder that :) and I've almost started playing with my FPGA board again, trying to write some code helping to identify the pin used by the uart's RX.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: adras on July 29, 2019, 12:56:47 pm
Looking at the questions from myself and others. How about we add some information into the starting post of this thread? Then we have a central place. Of course it takes some time to keep it up to date, but on the other hand, people wouldn't need to search through the whole thread.
Wish it were so easy, the original author is long gone and awol, and I have yet to receive a pull request on https://gitlab.com/riglol/rigolee or an update on the wiki https://gitlab.com/riglol/rigolee/wikis/home

While I admit I have been tardy (not, just super busy :p) I'll pick up on the subject again once I have more time.

I'm still waiting for someone to share the exact value of the resistor of the uart TX line, so I can solder that :) and I've almost started playing with my FPGA board again, trying to write some code helping to identify the pin used by the uart's RX.
I was hoping a moderator could add the stuff with a notification like "Added by moderator" or something.

Besides that, I just ran into a problem.

Starting from today, as soon as I connect the LAN cable and boot up the oscilloscope it stops reacting to any input after around 7 seconds.


I'm using the DS5000Update_01.01.04.04.GEL firmware

Did anybody else notice that?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on July 29, 2019, 02:47:02 pm
Starting from today, as soon as I connect the LAN cable and boot up the oscilloscope it stops reacting to any input after around 7 seconds.

  • I tried it a couple of times, without LAN(with internet) connected, the oscilloscope works fine.
  • But WITH LAN connected, it stops reacting to the touch screen, buttons and knobs after around 5-7 seconds.
  • It seems like the oscilloscope is deactivating itself because it checks with a server and figures out it got hacked.
  • It worked fine yesterday.

I'm using the DS5000Update_01.01.04.04.GEL firmware

Did anybody else notice that?

Hard to believe... but a packet sniffer will confirm it one way or another.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on July 29, 2019, 03:08:51 pm
Hi,

Quote
But WITH LAN connected, it stops reacting to the touch screen, buttons and knobs after around 5-7 seconds.

Have a look:

https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2518821/#msg2518821

https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2521134/#msg2521134

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: adras on July 29, 2019, 08:46:43 pm
Hi,

Quote
But WITH LAN connected, it stops reacting to the touch screen, buttons and knobs after around 5-7 seconds.

Have a look:

https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2518821/#msg2518821

https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2521134/#msg2521134

Martin
Ah, ok, thanks for the relief
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: serg_77 on August 12, 2019, 10:15:36 pm
Hi people. The site https://cn.rigol.com/Support/SoftDownload/3 has a new firmware MSO5000_00.01.01.04.08. Good luck to all.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on August 12, 2019, 11:55:18 pm
Hi people. The site https://cn.rigol.com/Support/SoftDownload/3 has a new firmware MSO5000_00.01.01.04.08. Good luck to all.

Quote
v00.01.01.04.08 2019/08/02

      -Fixed system crashed when clicking Default.
      -Fixed 4CH option bug.
      -Fixed noise signal captured.
      -Improved the measure result updating rate.
      -Fixed accurate measurements not updated in ROLL

Not a big upgrade from the notes, no bode plot or high-res fixes.
"4CH option bug" sounds like if you buy the 4-CH option it doesn't work properly? Which could be what I noticed, but it was resolved with a simple self-cal. Surprised someone actually bought it.
The Chinese translation version is worded differently: "Fix version 2.3 of the 4CH option, not activated on version 4.4 and later".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 13, 2019, 12:03:10 am
Well, it would be interesting to see if the "enhancements" still work with this version of the firmware.

Agreed on it being a fairly short list given it takes 5 months to develop, likely all focus was on the MSO8000 scope launch.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stmcore on August 13, 2019, 12:12:07 am
Enhancements "patch" not working with 04.08, but you can downgrade back to 04.04 using the secret menu: while powering on, keep hitting the Single button  :horse:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 13, 2019, 12:39:13 am
Good to know, as the install instruction doc states that firmware cannot be downgraded.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 13, 2019, 05:11:12 am
Not a big upgrade from the notes, no bode plot or high-res fixes.

Don't forget this should fix the overswings on self-cal for everyone.

Enhancements "patch" not working with 04.08

Sure. Somebody will need to patch it again and provide an updated patch to the general public.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 13, 2019, 10:14:52 am
Good to know, as the install instruction doc states that firmware cannot be downgraded.

It has stated that since the beginning. That will only happen when they change the bootloader.

And, of course, if you have a NAND dump backup, you can always restore it fully to a previous version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 13, 2019, 07:10:40 pm
MSO5000_00.01.01.04.08:

Code:
#echo "++ Starting telnet daemon"
#telnetd -l /bin/sh

#echo "++ Starting http daemon"
#httpd -h /var/www

#echo "++ Starting ftp daemon"
#tcpsvd 0:21 ftpd ftpd -w /&

#echo "++ Starting ssh daemon"
#/usr/sbin/sshd

Interesting that the K160 FPGA programming is the same as in the MSO8000 FW released a few days ago.
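Added example, not part of tv84's post and not Rigol's code: a small audit that reads a firmware start script and reports which remote-access daemons are enabled or commented out. The first sample is the excerpt quoted above; the second is a constructed variant, and the flag meanings (`-l` for telnetd, `-w` for ftpd) assume BusyBox semantics.

```python
import shlex

# Daemons that appear in the start.sh excerpt quoted above.
REMOTE_DAEMONS = {
    "telnetd": "cleartext remote shell",
    "httpd": "web server",
    "ftpd": "cleartext file transfer",
    "sshd": "encrypted remote shell",
}
SHELLS = {"sh", "ash", "bash"}

# Excerpt as quoted in the post (firmware 00.01.01.04.08).
START_SH_0408 = """\
#echo "++ Starting telnet daemon"
#telnetd -l /bin/sh

#echo "++ Starting http daemon"
#httpd -h /var/www

#echo "++ Starting ftp daemon"
#tcpsvd 0:21 ftpd ftpd -w /&

#echo "++ Starting ssh daemon"
#/usr/sbin/sshd
"""

# Constructed variant (not from the page) with two daemons uncommented.
START_SH_CONSTRUCTED = """\
echo "++ Starting telnet daemon"
telnetd -l /bin/sh

#echo "++ Starting ftp daemon"
#tcpsvd 0:21 ftpd ftpd -w /&

echo "++ Starting ssh daemon"
/usr/sbin/sshd
"""


def audit_start_script(text):
    """Return one finding per line that starts (or would start) a remote daemon."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        command = stripped.lstrip("#").strip()
        if command.endswith("&"):          # drop the background operator
            command = command[:-1].rstrip()
        try:
            words = shlex.split(command, comments=True)
        except ValueError:                 # unbalanced quotes: not a command we can judge
            continue
        if not words or words[0] == "echo":
            continue
        # Match on basenames so /usr/sbin/sshd and wrappers like tcpsvd ... ftpd both hit.
        names = [w.rsplit("/", 1)[-1] for w in words]
        daemon = next((n for n in names if n in REMOTE_DAEMONS), None)
        if daemon is None:
            continue
        notes = [REMOTE_DAEMONS[daemon]]
        if daemon == "telnetd" and "-l" in words:
            idx = words.index("-l") + 1
            login = words[idx] if idx < len(words) else ""
            if login.rsplit("/", 1)[-1] in SHELLS:
                # Assumption: BusyBox telnetd, where -l names the program run on connect.
                notes.append("-l runs a shell directly: no login prompt")
        if daemon == "ftpd" and "-w" in words:
            # Assumption: BusyBox ftpd, where -w permits uploads.
            notes.append("-w allows uploads")
        findings.append({"line": lineno, "daemon": daemon, "enabled": enabled,
                         "command": command, "notes": notes})
    return findings


def enabled_daemons(text):
    """Sorted names of daemons the script would actually start."""
    return sorted(f["daemon"] for f in audit_start_script(text) if f["enabled"])


def report(text):
    """Human-readable summary, one line per finding."""
    lines = []
    for f in audit_start_script(text):
        state = "ENABLED " if f["enabled"] else "disabled"
        lines.append(f"{state} line {f['line']:>2}: {f['command']}  ({'; '.join(f['notes'])})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(START_SH_0408))
    print()
    print(report(START_SH_CONSTRUCTED))
```

Run against the start script of an unpacked or patched image, it shows at a glance whether a change re-enabled more than the one service intended.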
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stmcore on August 13, 2019, 09:56:35 pm
Downgrading from 04.08 back to 04.04 is safe. Tested 100%.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on August 13, 2019, 10:10:09 pm
Interesting that the K160 FPGA programming is the same as in the MSO8000 FW released a few days ago.

This makes me think again that 10GS/s is available or actually used on the MSO5000. Not that it would make a huge difference vs 8GS/s, but it's an interesting thought.
Sort of what I measured in the other rigol thread (https://www.eevblog.com/forum/blog/new-rigol-scope/), but it could just be software weirdness..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 15, 2019, 03:36:20 pm
Just a heads up. On a hacked latest firmware the Jitter analysis works  :popcorn: (Did not get eye to work though.)

I leave it to others to prepare a general auto patcher this time, though. >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 15, 2019, 04:06:20 pm
MSO5000_00.01.01.04.08:
Interesting that the K160 FPGA programming is the same as in the MSO8000 FW released a few days ago.

Interestingly, the differences to latest MSO5000 firmware are really pretty minimal:

Code:
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        deleted:    firmware/kerstrel.config
        deleted:    firmware/kerstrel.dts
        modified:   firmware/logo.png
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/default/cal.hex
        modified:   firmware/rootfs/rigol/drivers/usbtmc_dev.ko
        modified:   firmware/rootfs/rigol/resource/appmeta.xml
        modified:   firmware/rootfs/rigol/resource/boardmeta.xml
        modified:   firmware/rootfs/rigol/resource/dsometa.xml
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/100K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/10K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/10M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/1K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/1M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/25M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/50M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/AUTO
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/100K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/100M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/10K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/10M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/1K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/1M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/25M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/50M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/AUTO
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/100K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/100M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/10K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/10M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/1K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/1M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/200M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/25M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/50M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/AUTO
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/shell/start.sh
        modified:   firmware/rootfs/rigol/tools/spi2cpld
        modified:   firmware/rootfs/rigol/tools/spi2dev
        modified:   firmware/rootfs/rigol/tools/spi2k7
        modified:   firmware/rootfs/rigol/tools/spi2pll
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcre.a
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcrecpp.a
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcreposix.a
        modified:   firmware/rootfs/rigol/webcontrol/lib/libz.a
        modified:   firmware/rootfs/rigol/webcontrol/webpages/Help.html
        modified:   firmware/rootfs/rigol/webcontrol/webpages/images/1.jpg
        modified:   firmware/zImage
        modified:   firmware/zynq.bit

Untracked files:
  (use "git add <file>..." to include in what will be committed)

        GEL/DS8000Update_00.01.01.00.00.GEL
        firmware/rootfs/rigol/cups/testPage.bmp
        firmware/rootfs/rigol/resource/satable/hori_10g/
        firmware/rootfs/rigol/resource/satable/hori_20g/
        firmware/rootfs/rigol/resource/satable/hori_2_5g/
        firmware/rootfs/rigol/resource/satable/hori_5g/
        firmware/rootfs/rigol/resource/satable/hori_5g_100m/
        firmware/unknown.config
        firmware/unknown.dts
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on August 15, 2019, 04:57:07 pm
Just a heads up. On a hacked latest firmware the Jitter analysis works  :popcorn: (Did not get eye to work though.)

I leave it to others to prepare a general auto patcher this time, though. >:D

Hi mabl

Would you mind posting some images for this in actual operation, mine always crashes after 60 or so seconds then freezes requiring a hard reset.

I have several work colleagues with an opened up 5000 and they all have the same issue.

Firmware is the 04.04 version unit was purchased in April this year and has the build date on Feb 2019, all of the other MSO 5000 exhibit the same issues with the Jitter measurements (also try and engage the histogram) and the eye pattern will not work due to BW limitations I suspect.

The MSO8000 uses 10G/s and 10Mpts for eye pattern measurements I believe.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 15, 2019, 05:17:37 pm
Remember, that jitter feature is not officially part of the MSO5000. The patch just blindly enables all features there are. I rigged up a simple test with the internal wave generator and firmware 01.01.04.08. See attached file. It feels stable. I guess they invested some effort for the MSO8000 launch and we just profit from that. Also auto baud rate detection works rather well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 15, 2019, 09:09:37 pm
Remember, that jitter feature is not officially part of the MSO5000.

I somewhat disagree. If that was the case, the option wouldn't be in the available options for MSO5000 (inside the code).

Maybe they decided to cut it off when deciding the BW versions of the 5000...

Would you mind posting some images for this in actual operation, mine always crashes after 60 or so seconds then freezes requiring a hard reset.

Maybe temperature comes into play... And that's why they decided to lower the sample rate...

alexvg has been investing hard in improving the temps.

Does anyone know if the DS7000 / MSO8000 has better thermal architecture than the one described by alexvg?

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2552004/#msg2552004


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on August 16, 2019, 02:39:59 am
So the previous patch for SSH should work on the new firmware.  Can anyone confirm that?

Following mabl's lead, all that would be necessary is to update the .GEL patch with a new appEntry_01_01_04_04.patch.gz file which locates the same code fragment in the updated appEntry.  Then repack...

Correct?

-Stan
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 16, 2019, 08:39:14 am
So the previous patch for SSH should work on the new firmware.  Can anyone confirm that?

Confirmed.

Following mabl's lead, all that would be necessary is to update the .GEL patch with a new appEntry_01_01_04_04.patch.gz file which locates the same code fragment in the updated appEntry.  Then repack...

You first need a patched appEntry. The license code has changed a bit in the wake of the MSO8000 launch I guess. I'm not sure the bit sequences are identical. I just identified the relevant function again and patched it to always return 1. I then copied it over to the scope to /tmp via ssh, marked it executable and then ran it. All worked, so I copied it over to /rigol/ on my scope and saved everything with a call to sync.

The patcher is required if others want to have a USB install method. Some pages back I already provided bspatch/bsdiff compiled with that ancient Xilinx toolchain. That will be a far preferred option than doing that base64 encoding/text patch/decode thingy of my initial patch script. I'm sure based on this others will be able to create a nice solution. I just don't want to commit mass copyright infringements anymore  :-\  For now rest assured that hacking the scope is still possible.

On a side note, the self calibration is now absolutely perfect and I can trim the provided probes to a perfectly flat response. Feels even a bit better than the calibration with the (hacked) beta firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: phips on August 16, 2019, 09:20:02 am
Hello community,

just signed up to reply to this amazing thread.
I'm a beginner in hardware hacking and want to understand the hack deeply.
At the moment I don't own a MSO5000.
Nevertheless I want to understand what you did to turn on all functions.

Does anyone know a reference to some kind of walk through, what was patched and how the journey went there?


Best
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on August 16, 2019, 09:49:16 am
Remember, that jitter feature is not officially part of the MSO5000. The patch just blindly enables all features there are. I rigged up a simple test with the internal wave generator and firmware 01.01.04.08. See attached file. It feels stable. I guess they invested some effort for the MSO8000 launch and we just profit from that. Also auto baud rate detection works rather well.

Hi mabl

Thank you for sharing  :)

The jitter feature which is now working on your machine has to be related to the new FW, your machine has three more options installed on the jitter tab.

Something to attend to at the weekend!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: swansonbroth on August 16, 2019, 11:41:17 am
Can anybody share the new firmware (patched ;-)) with the new Options like Jitter??
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 16, 2019, 12:47:53 pm
I just don't want to commit mass copyright infringements anymore  :-\

I don't blame you with sites like hackaday broadcasting the hack out loud. (Meanwhile hypocritically they censored the Tektronix hacks they had)

Thanks for your work though, easy enough to build upon ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on August 17, 2019, 12:31:01 am
So here are the notes from what I've gathered so far:
- Connect scope to PC/network with ethernet
- Apply patch to enable SSH (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076)
- SSH into the scope (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2073202/#msg2073202), backup files if needed, then copy appEntry file to your USB (cp /rigol/appEntry /media/sda1/).
- Apply patch to the binary (this part is known by mabl but not public, needs to be figured out)
- Copy this file back to the scope in temporary location, mark as executable (chmod +x appEntry)
- Test run it by using command: ./appEntry $PowerOn -run
- If it works, replace the original appEntry, and sync


Side note: can run 'top' to see CPU usage:
- All channels on or off 4-5%
- Logic analyzer on 5%
- FFT on 60-70%
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 17, 2019, 01:20:30 am
Just actually got my MS5074 in the mail today. Updated and then replicated mabl's patch for 01.01.04.08
Works all the same.

Also just as easy to modify the web control to report forever as well ;)


I will say, the hardware rev should have the fan fix but it's also infrequently emitting a really high pitch whine that's driving me mad and I'm going to have to replace it. The joys of being on the younger side to hear it.


I'll be nice and attach the bsdiff. But making the gel file is  :effort: and I don't need it myself
Edit: Woops, accidentally attached tar copy of the file before. Attachment corrected, can be applied with bspatch

The resulting md5sum of appEntry should be 3f95cb3236b47826e303de960596f966 if you did it right.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on August 17, 2019, 01:04:11 pm
I will say, the hardware rev should have the fan fix but it's also infrequently emitting a really high pitch whine that's driving me mad and I'm going to have to replace it. The joys of being on the younger side to hear it.

I'm not sure what you imagine happens to people's hearing as they age, but it's not true.

(unless you frequently go to too-loud places without hearing protection)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 17, 2019, 01:05:22 pm
I will say, the hardware rev should have the fan fix but it's also infrequently emitting a really high pitch whine that's driving me mad and I'm going to have to replace it. The joys of being on the younger side to hear it.

I'm not sure what you imagine happens to people's hearing as they age, but it's not true.

(unless you frequently go to too-loud places without hearing protection)

presbycusis
https://hearnet.org.au/hearing-problems/presbycusis
https://www.nidcd.nih.gov/sites/default/files/Content%20Images/presbycusis.pdf
https://en.wikipedia.org/wiki/Presbycusis

Doesn't affect everyone the same of course
Nonetheless, being the only under 30 at work and having the scope delivered to work (UPS and private keyed apartment building don't mix), nobody else could hear the fan whining :/ Who knows, maybe they lived through the time less of OSHA regulations quite well heh
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on August 17, 2019, 01:08:59 pm
I incidentally had it delivered to work, all the old guys around me couldn't hear it. Who knows, maybe they lived through the time less OSHA regulations quite well heh

I think bars and "live music" is a big culprit. I often walk into places and turn right around and walk out because it's unbearable inside. The people in there seem happy enough though.  :-//

I don't know who decided what level music is supposed to be played at but they're wrong (and it's a downward spiral...)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on August 17, 2019, 01:12:00 pm
I'm not sure what you imagine happens to people's hearing as they age, but it's not true.
(unless you frequently go to too-loud places without hearing protection)

A loss of sensitivity for higher frequencies is extremely common, if not unavoidable. I understand that's purely age-related, doesn't take any noise-induced damage.

I used to be able to hear the 16 kHz TV line frequency, but those days are long gone (and I don't mean because of the transition to LCD screens...  ;))  And I don't know anybody my age who can still hear that frequency.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 17, 2019, 02:39:52 pm
Agreed on the hearing part. 

But back to the subject at hand, thm_w and delfinom have given us the clue to us firmware neophytes in #1151 and #1152, along with the work mabl and others provided in the last release - THANK YOU!

delfinom, to make use of your tar file, do I untar, change name to appEntry (by removing the version number behind it) and follow the last three steps in thm_w procedure?

Thanks.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 17, 2019, 02:59:30 pm
Agreed on the hearing part. 

But back to the subject at hand, thm_w and delfinom have given us the clue to us firmware neophytes in #1151 and #1152, along with the work mabl and others provided in the last release - THANK YOU!

delfinom, to make use of your tar file, do I untar, change name to appEntry (by removing the version number behind it) and follow the last three steps in thm_w procedure?

Thanks.

No. I accidentally made it a tar file before. Now it's a bsdiff/bspatch file. You must use bspatch to apply the patch to your own copy of appEntry from the .08 version from the scope. Sharing the appEntry itself would be bad.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 17, 2019, 04:44:42 pm
Got it, so it is part of step 4, the patch file in the bspatch command using my own appEntry as the source file.

Thank you, I will play with it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on August 18, 2019, 12:40:10 am
I'm not sure what you imagine happens to people's hearing as they age, but it's not true.

(unless you frequently go to too-loud places without hearing protection)
The only thing worse than aging is denying it while you do it. Or maybe not aging at all is worst.

(https://www.avsforum.com/photopost/data/2197550/7/79/79dcc9f3_hearingrange.jpeg)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on August 18, 2019, 04:16:39 pm
I'm not sure what you imagine happens to people's hearing as they age, but it's not true.

(unless you frequently go to too-loud places without hearing protection)
The only thing worse than aging is denying it while you do it. Or maybe not aging at all is worst.

Is it the law or are people allowed to vary? According to that I shouldn't be able to hear much above 8kHz but that's definitely not true. I just did a quick test and I can hear up to about 13.5kHz, no problem. Starts to get iffy around 14kHz.

Maybe I could rephrase the original statement though. It's probably true in general.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 19, 2019, 06:41:28 am
The new firmware upgrade went well, except now when I boot the scope with the LAN cable attached, it freezes solid a couple seconds after it completes the boot.  It will not respond to any button inputs, the only way to fix it is to reboot without a LAN cable attached.

If I boot without the LAN cable attached, everything is fine.  I can attach the LAN after boot, no problem, it connects to the LAN properly and gets an IP address.

The problem began when I finished all the steps required for the "patch", my appEntry has the right MD5 checksum, I copy it back to the rigol directory, did a sync, reboot, and that's when the freeze began occurring.  I have downgraded back to the 04_04 version, the problem persists now in 04_04, 04_08, with and without "patch" in both versions.

Does anyone have an idea of a fix or what to look for?

BTW, I have noticed that there are a couple posts here with similar problem even prior to 04.08, as well as a couple incidents in the MSO5000 bug topic.  Wondering if it is happening to everyone or just some unlucky individuals.

Thanks in advance.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: timber23 on August 19, 2019, 08:05:01 am
Wondering if it is happening to everyone or just some unlucky individuals.
I use firmware 04.08 without patch. My scope is always connected to LAN and boots flawlessly. Previously I had patched firmware 04.04 and LAN connected while booting also without problems.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 19, 2019, 11:07:14 am
The new firmware upgrade went well, except now when I boot the scope with the LAN cable attached, it freezes solid a couple seconds after it completes the boot.  It will not respond to any button inputs, the only way to fix it is to reboot without a LAN cable attached.

If I boot without the LAN cable attached, everything is fine.  I can attach the LAN after boot, no problem, it connects to the LAN properly and gets an IP address.

The problem began when I finished all the steps required for the "patch", my appEntry has the right MD5 checksum, I copy it back to the rigol directory, did a sync, reboot, and that's when the freeze began occurring.  I have downgraded back to the 04_04 version, the problem persists now in 04_04, 04_08, with and without "patch" in both versions.

Does anyone have an idea of a fix or what to look for?

BTW, I have noticed that there are a couple posts here with similar problem even prior to 04.08, as well as a couple incidents in the MSO5000 bug topic.  Wondering if it is happening to everyone or just some unlucky individuals.

Thanks in advance.
No issues here. The patch does not touch any section of the program that is involved in networking.
You don't have any IVI/LXI/lan control utilities running on your PC(s) on the same network do you? They may be scanning and picking up the scope on boot and triggering it into remote mode/locking the input.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on August 19, 2019, 11:44:30 am
Is it the law or are people allowed to vary? According to that I shouldn't be able to hear much above 8kHz but that's definitely not true. I just did a quick test and I can hear up to about 13.5kHz, no problem. Starts to get iffy around 14kHz.

Maybe I could rephrase the original statement though. It's probably true in general.
The exact numbers vary as with any biological process. In the end it's aging and we know there's no escaping that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 19, 2019, 02:35:55 pm
Hey Delfinom and timber23,

Thanks for your quick responses.  I don't have anything running on my PC for remote control, but I will try it later today with the computer off just to be sure.  I will do another test to attach it to another router that is not connected to anything else to see how it reacts.

Update: Definitely odd behavior, when I connect it to a Cisco router that is not attached to anything, it works fine.  It gets an IP address from the router, my next test would be trying to identify whether it is something in my LAN or the WAN that's causing the hang.  It may help those who are dealing with the same problem.

No issues here. The patch does not touch any section of the program that is involved in networking.
You don't have any IVI/LXI/lan control utilities running on your PC(s) on the same network do you? They may be scanning and picking up the scope on boot and triggering it into remote mode/locking the input.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Magnum on August 19, 2019, 04:03:39 pm
I had the same network problem. The unit freezes when the network cable is attached. Tried it again today, and now it works.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on August 19, 2019, 09:12:01 pm
Solved thanks to thm_w, delfinom, mabl

Attached files for Windows and how I've done it :)
appEntry file not included. You can always update this attachment and share it with others

Good luck

I tried renaming this to .rar, and opening but there is just the one file inside. Can you try re-uploading please. Thanks

edit: for some reason first time I copied the file I got a weird MD5, re-patched the scope from bootloader, and now MD5 is OK. Maybe 'umount /media/sda1' was a necessary step.
edit2: to kill the app you can run the command: pkill -f "appEntry"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 19, 2019, 10:03:46 pm
Solved thanks to thm_w, delfinom, mabl

Attached files for Windows and how I've done it :)
appEntry file not included. You can always update this attachment and share it with others

Good luck

Your readme is silly.
Don't include both bsdiff and bspatch commands, you just need bspatch. bsdiff is what creates the patch file in the first place, you may be unwittingly deleting/overwriting it.
Also I'm curious the bspatch.exe you found isn't complaining about the old and new files being identical because the linux versions do not like that.

Also instead of running strange third party software to compute a md5sum of a file on windows just do
  CertUtil -hashfile appEntry MD5
in a command window
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 20, 2019, 01:43:36 am
The plot thickens.  I did more tests on the freeze problem, and I discovered the following:
* If router is not attached to anything, machine boots fine.
* If router is not connected to the Internet, but connected to all my local resources, machine boots fine.  So nothing on my local network is trying to issue remote control to the scope.
* Once I connect the router to the Internet, machine hangs a few seconds after boot up, just around the time the "Online Update" button flashes on.

My local network is firewalled from external access, so it cannot be someone on the Internet trying to take over my scope via remote control.  The action must be initiated from my scope, and the only thing I can think of is it tries to connect back to Rigol to check for online updates even without pressing the button.  And something went wrong and caused the scope to hang.  It may be due to the fact that rigolna still only has the 04_04 upgrade, and the scope cannot deal with a version higher than the version from the rigolna site.  Not sure, but at least I think I might have found a probable trigger condition for the hang.

Strange thing is it does not occur to everyone, very odd indeed.

Hey Delfinom and timber23,

Thanks for your quick responses.  I don't have anything running on my PC for remote control, but I will try it later today with the computer off just to be sure.  I will do another test to attach it to another router that is not connected to anything else to see how it reacts.

Update: Definitely odd behavior, when I connect it to a Cisco router that is not attached to anything, it works fine.  It gets an IP address from the router, my next test would be trying to identify whether it is something in my LAN or the WAN that's causing the hang.  It may help those who are dealing with the same problem.

No issues here. The patch does not touch any section of the program that is involved in networking.
You don't have any IVI/LXI/lan control utilities running on your PC(s) on the same network do you? They may be scanning and picking up the scope on boot and triggering it into remote mode/locking the input.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on August 20, 2019, 02:10:50 am
Not sure if it helps at all, but I'm able to boot my MSO5074 post 00.01.01.04.08 upgrade with the LAN connected and no outbound firewall rules which I purchased and am using in North America.  I'm using delfinom's bdiff patch posted here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 20, 2019, 02:16:09 am
The plot thickens.  I did more tests on the freeze problem, and I discovered the following:
* If router is not attached to anything, machine boots fine.
* If router is not connected to the Internet, but connected to all my local resources, machine boots fine.  So nothing on my local network is trying to issue remote control to the scope.
* Once I connect the router to the Internet, machine hangs a few seconds after boot up, just around the time the "Online Update" button flashes on.

My local network is firewalled from external access, so it cannot be someone on the Internet trying to take over my scope via remote control.  The action must be initiated from my scope, and the only thing I can think of is it tries to connect back to Rigol to check for online updates even without pressing the button.  And something went wrong and caused the scope to hang.  It may be due to the fact that rigolna still only has the 04_04 upgrade, and the scope cannot deal with a version higher than the version from the rigolna site.  Not sure, but at least I think I might have found a probable trigger condition for the hang.

Strange thing is it does not occur to everyone, very odd indeed.

Hey Delfinom and timber23,

Thanks for your quick responses.  I don't have anything running on my PC for remote control, but I will try it later today with the computer off just to be sure.  I will do another test to attach it to another router that is not connected to anything else to see how it reacts.

Update: Definitely odd behavior, when I connect it to a Cisco router that is not attached to anything, it works fine.  It gets an IP address from the router, my next test would be trying to identify whether it is something in my LAN or the WAN that's causing the hang.  It may help those who are dealing with the same problem.

No issues here. The patch does not touch any section of the program that is involved in networking.
You don't have any IVI/LXI/lan control utilities running on your PC(s) on the same network do you? They may be scanning and picking up the scope on boot and triggering it into remote mode/locking the input.

Well, I could patch out the update check since it's fairly useless anyway once running the mod.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 20, 2019, 02:54:30 am
Freeze issue identified:

In reviewing web access on the router, I ended up blocking the rigol.com site on my router (the rigolna.com webpage is not affected if I need to access that page), and guess what, scope boots without any issues.

The hang is definitely caused by something the scope does when it phones home to Rigol during every boot, perhaps checking for updates, and hopefully for no other reasons.  So whether it hangs or not, blocking that access is a good thing, having spent many years working in cyber security, that is a no-no in my book - especially for foreign domains.  Call it a good old American paranoia, I don't want my scope to ever go back to rigol.com during every boot without me initiating that action. 

I also used the file delfinom shared for the update (thanks again for his work).

Although I cannot find the root cause, I hope it will help those with similar hangs to address the problem, and others who want tighter control of WAN access from their test equipment.

Since I don't use remote control, the LAN cable is coming off the scope.
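
Added example, not part of any post in this thread: one way to confirm from a resolver log which names a bench instrument looks up, as in the boot-time rigol.com contact described above. The dnsmasq log lines, IP addresses, instrument inventory and the exact hostnames queried are constructed assumptions; zone matching is done on label boundaries, so a rule for rigol.com covers www.rigol.com but not rigolna.com.

```python
"""Flag DNS lookups made by lab instruments, from a resolver query log."""
import re
from collections import defaultdict

# Constructed dnsmasq "log-queries" lines. Addresses, hostnames and the
# exact names queried are made up for illustration.
SAMPLE_LOG = """\
Aug 20 02:41:05 dnsmasq[412]: query[A] pool.ntp.org from 192.168.1.20
Aug 20 02:41:06 dnsmasq[412]: query[A] pool.ntp.org from 192.168.1.57
Aug 20 02:41:07 dnsmasq[412]: query[A] www.rigol.com from 192.168.1.57
Aug 20 02:41:07 dnsmasq[412]: query[AAAA] www.rigol.com from 192.168.1.57
Aug 20 02:41:09 dnsmasq[412]: query[A] www.rigolna.com from 192.168.1.20
Aug 20 02:41:12 dnsmasq[412]: reply www.rigol.com is 203.0.113.10
Aug 20 02:43:30 dnsmasq[412]: query[A] RIGOL.COM. from 192.168.1.57
Aug 20 02:44:02 dnsmasq[412]: query[A] notrigol.com from 192.168.1.57
"""

# Assumed inventory: source IP -> instrument that should stay on the LAN.
INSTRUMENTS = {"192.168.1.57": "MSO5000 scope, bench 1"}
# Zones an instrument is allowed to resolve (assumption: NTP only).
ALLOWED_ZONES = ("pool.ntp.org",)

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)\s*$"
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def in_zone(name, zone):
    """True if name is the zone itself or a subdomain of it.

    Matching on the label boundary keeps rigolna.com and notrigol.com
    out of a rule written for rigol.com.
    """
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def unexpected_lookups(log_text, instruments, allowed_zones):
    """Return {instrument_ip: {queried_name: count}} for names outside
    the allowed zones. Queries from hosts not in the inventory (PCs,
    phones) are ignored, as are reply/forward lines."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue
        src = match.group("src")
        if src not in instruments:
            continue
        name = normalize(match.group("name"))
        if any(in_zone(name, zone) for zone in allowed_zones):
            continue
        findings[src][name] += 1
    return {ip: dict(names) for ip, names in findings.items()}


def zone_hits(findings, zone):
    """Total lookups per instrument that fall inside one watched zone."""
    hits = {}
    for ip, names in findings.items():
        total = sum(n for name, n in names.items() if in_zone(name, zone))
        if total:
            hits[ip] = total
    return hits


if __name__ == "__main__":
    found = unexpected_lookups(SAMPLE_LOG, INSTRUMENTS, ALLOWED_ZONES)
    for ip, names in found.items():
        print(f"{ip} ({INSTRUMENTS[ip]}):")
        for name, count in sorted(names.items()):
            print(f"  {count:3d}  {name}")
    print("lookups inside rigol.com:", zone_hits(found, "rigol.com"))
```

A resolver log only shows name lookups; connections to hard-coded addresses need the router's firewall or flow logs instead.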
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 04:28:25 am
Maybe it's interesting to have a full list of SCPI commands as parsed from the scope's firmware? A list without parameters (since it gets too long) is below. A full list including parameters is attached to this post also.

This is the result of an attempt to auto-generate a Python library to talk to the machine. Not yet there on the talking part though. But the parsed commands are interesting. As always, take care and use your brain when using undocumented commands.

Code:
ACQuire:AVERages
ACQuire:AVERages?
ACQuire:MDEPth
ACQuire:MDEPth?
ACQuire:SRATe?
ACQuire:LA:SRATe?
ACQuire:LA:MDEPth?
ACQuire:TYPE
ACQuire:TYPE?
ACQuire:AALias
ACQuire:AALias?
ACQuire:INTerleave
ACQuire:INTerleave?
BUS1:MODE
BUS1:MODE?
BUS1:DISPlay
BUS1:DISPlay?
BUS1:FORMat
BUS1:FORMat?
BUS1:EVENt
BUS1:EVENt?
BUS1:EVENt:FORMat
BUS1:EVENt:FORMat?
BUS1:EVENt:VIEW
BUS1:EVENt:VIEW?
BUS1:LABel
BUS1:LABel?
BUS1:EEXPort
BUS1:DATA?
BUS1:POSition
BUS1:POSition?
BUS1:THReshold
BUS1:THReshold?
BUS1:PARallel:CLK
BUS1:PARallel:CLK?
BUS1:PARallel:SLOPe
BUS1:PARallel:SLOPe?
BUS1:PARallel:BUS
BUS1:PARallel:BUS?
BUS1:PARallel:WIDTh
BUS1:PARallel:WIDTh?
BUS1:PARallel:BITX
BUS1:PARallel:BITX?
BUS1:PARallel:SOURce
BUS1:PARallel:SOURce?
BUS1:PARallel:POLarity
BUS1:PARallel:POLarity?
BUS1:PARallel:NREJect
BUS1:PARallel:NREJect?
BUS1:PARallel:NRTime
BUS1:PARallel:NRTime?
BUS1:RS232:TX
BUS1:RS232:TX?
BUS1:RS232:RX
BUS1:RS232:RX?
BUS1:RS232:POLarity
BUS1:RS232:POLarity?
BUS1:RS232:ENDian
BUS1:RS232:ENDian?
BUS1:RS232:BAUD
BUS1:RS232:BAUD?
BUS1:RS232:BUSer
BUS1:RS232:BUSer?
BUS1:RS232:DBITs
BUS1:RS232:DBITs?
BUS1:RS232:SBITs
BUS1:RS232:SBITs?
BUS1:RS232:PARity
BUS1:RS232:PARity?
BUS1:RS232:PACKet
BUS1:RS232:PACKet?
BUS1:RS232:PEND
BUS1:RS232:PEND?
BUS1:IIC:SCLK:SOURce
BUS1:IIC:SCLK:SOURce?
BUS1:IIC:SDA:SOURce
BUS1:IIC:SDA:SOURce?
BUS1:IIC:ADDRess
BUS1:IIC:ADDRess?
BUS1:SPI:SCLK:SOURce
BUS1:SPI:SCLK:SOURce?
BUS1:SPI:SCLK:SLOPe
BUS1:SPI:SCLK:SLOPe?
BUS1:SPI:MISO:SOURce
BUS1:SPI:MISO:SOURce?
BUS1:SPI:MISO:POLarity
BUS1:SPI:MISO:POLarity?
BUS1:SPI:MOSI:SOURce
BUS1:SPI:MOSI:SOURce?
BUS1:SPI:MOSI:POLarity
BUS1:SPI:MOSI:POLarity?
BUS1:SPI:DBITs
BUS1:SPI:DBITs?
BUS1:SPI:ENDian
BUS1:SPI:ENDian?
BUS1:SPI:MODE
BUS1:SPI:MODE?
BUS1:SPI:TIMeout:TIME
BUS1:SPI:TIMeout:TIME?
BUS1:SPI:SS:SOURce
BUS1:SPI:SS:SOURce?
BUS1:SPI:SS:POLarity
BUS1:SPI:SS:POLarity?
BUS1:CAN:SOURce
BUS1:CAN:SOURce?
BUS1:CAN:STYPe
BUS1:CAN:STYPe?
BUS1:CAN:BAUD
BUS1:CAN:BAUD?
BUS1:CAN:BUSer
BUS1:CAN:BUSer?
BUS1:CAN:SPOint
BUS1:CAN:SPOint?
BUS1:FLEXray:BAUD
BUS1:FLEXray:BAUD?
BUS1:FLEXray:SOURce
BUS1:FLEXray:SOURce?
BUS1:FLEXray:SPOint
BUS1:FLEXray:SPOint?
BUS1:FLEXray:STYPe
BUS1:FLEXray:STYPe?
BUS1:LIN:BAUD
BUS1:LIN:BAUD?
BUS1:LIN:BUSer
BUS1:LIN:BUSer?
BUS1:LIN:IDFormat
BUS1:LIN:IDFormat?
BUS1:LIN:POLarity
BUS1:LIN:POLarity?
BUS1:LIN:SOURce
BUS1:LIN:SOURce?
BUS1:LIN:STANdard
BUS1:LIN:STANdard?
BUS1:IIS:SOURce:CLOCk
BUS1:IIS:SOURce:CLOCk?
BUS1:IIS:SOURce:DATA
BUS1:IIS:SOURce:DATA?
BUS1:IIS:SOURce:WSELect
BUS1:IIS:SOURce:WSELect?
BUS1:IIS:ALIGnment
BUS1:IIS:ALIGnment?
BUS1:IIS:CLOCk:SLOPe
BUS1:IIS:CLOCk:SLOPe?
BUS1:IIS:RWIDth
BUS1:IIS:RWIDth?
BUS1:M1553:SOURce
BUS1:M1553:SOURce?
BUS2:MODE
BUS2:MODE?
BUS2:DISPlay
BUS2:DISPlay?
BUS2:FORMat
BUS2:FORMat?
BUS2:EVENt
BUS2:EVENt?
BUS2:EVENt:FORMat
BUS2:EVENt:FORMat?
BUS2:EVENt:VIEW
BUS2:EVENt:VIEW?
BUS2:LABel
BUS2:LABel?
BUS2:EEXPort
BUS2:DATA?
BUS2:POSition
BUS2:POSition?
BUS2:THReshold
BUS2:THReshold?
BUS2:PARallel:CLK
BUS2:PARallel:CLK?
BUS2:PARallel:SLOPe
BUS2:PARallel:SLOPe?
BUS2:PARallel:BUS
BUS2:PARallel:BUS?
BUS2:PARallel:WIDTh
BUS2:PARallel:WIDTh?
BUS2:PARallel:BITX
BUS2:PARallel:BITX?
BUS2:PARallel:SOURce
BUS2:PARallel:SOURce?
BUS2:PARallel:POLarity
BUS2:PARallel:POLarity?
BUS2:PARallel:NREJect
BUS2:PARallel:NREJect?
BUS2:PARallel:NRTime
BUS2:PARallel:NRTime?
BUS2:RS232:TX
BUS2:RS232:TX?
BUS2:RS232:RX
BUS2:RS232:RX?
BUS2:RS232:POLarity
BUS2:RS232:POLarity?
BUS2:RS232:ENDian
BUS2:RS232:ENDian?
BUS2:RS232:BAUD
BUS2:RS232:BAUD?
BUS2:RS232:BUSer
BUS2:RS232:BUSer?
BUS2:RS232:DBITs
BUS2:RS232:DBITs?
BUS2:RS232:SBITs
BUS2:RS232:SBITs?
BUS2:RS232:PARity
BUS2:RS232:PARity?
BUS2:RS232:PACKet
BUS2:RS232:PACKet?
BUS2:RS232:PEND
BUS2:RS232:PEND?
BUS2:IIC:SCLK:SOURce
BUS2:IIC:SCLK:SOURce?
BUS2:IIC:SDA:SOURce
BUS2:IIC:SDA:SOURce?
BUS2:IIC:ADDRess
BUS2:IIC:ADDRess?
BUS2:SPI:SCLK:SOURce
BUS2:SPI:SCLK:SOURce?
BUS2:SPI:SCLK:SLOPe
BUS2:SPI:SCLK:SLOPe?
BUS2:SPI:MISO:SOURce
BUS2:SPI:MISO:SOURce?
BUS2:SPI:MISO:POLarity
BUS2:SPI:MISO:POLarity?
BUS2:SPI:MOSI:SOURce
BUS2:SPI:MOSI:SOURce?
BUS2:SPI:MOSI:POLarity
BUS2:SPI:MOSI:POLarity?
BUS2:SPI:DBITs
BUS2:SPI:DBITs?
BUS2:SPI:ENDian
BUS2:SPI:ENDian?
BUS2:SPI:MODE
BUS2:SPI:MODE?
BUS2:SPI:TIMeout:TIME
BUS2:SPI:TIMeout:TIME?
BUS2:SPI:SS:SOURce
BUS2:SPI:SS:SOURce?
BUS2:SPI:SS:POLarity
BUS2:SPI:SS:POLarity?
BUS2:CAN:SOURce
BUS2:CAN:SOURce?
BUS2:CAN:STYPe
BUS2:CAN:STYPe?
BUS2:CAN:BAUD
BUS2:CAN:BAUD?
BUS2:CAN:BUSer
BUS2:CAN:BUSer?
BUS2:CAN:SPOint
BUS2:CAN:SPOint?
BUS2:FLEXray:BAUD
BUS2:FLEXray:BAUD?
BUS2:FLEXray:SOURce
BUS2:FLEXray:SOURce?
BUS2:FLEXray:SPOint
BUS2:FLEXray:SPOint?
BUS2:FLEXray:STYPe
BUS2:FLEXray:STYPe?
BUS2:LIN:BAUD
BUS2:LIN:BAUD?
BUS2:LIN:BUSer
BUS2:LIN:BUSer?
BUS2:LIN:IDFormat
BUS2:LIN:IDFormat?
BUS2:LIN:POLarity
BUS2:LIN:POLarity?
BUS2:LIN:SOURce
BUS2:LIN:SOURce?
BUS2:LIN:STANdard
BUS2:LIN:STANdard?
BUS2:IIS:SOURce:CLOCk
BUS2:IIS:SOURce:CLOCk?
BUS2:IIS:SOURce:DATA
BUS2:IIS:SOURce:DATA?
BUS2:IIS:SOURce:WSELect
BUS2:IIS:SOURce:WSELect?
BUS2:IIS:ALIGnment
BUS2:IIS:ALIGnment?
BUS2:IIS:CLOCk:SLOPe
BUS2:IIS:CLOCk:SLOPe?
BUS2:IIS:RWIDth
BUS2:IIS:RWIDth?
BUS2:M1553:SOURce
BUS2:M1553:SOURce?
BUS3:MODE
BUS3:MODE?
BUS3:DISPlay
BUS3:DISPlay?
BUS3:FORMat
BUS3:FORMat?
BUS3:EVENt
BUS3:EVENt?
BUS3:EVENt:FORMat
BUS3:EVENt:FORMat?
BUS3:EVENt:VIEW
BUS3:EVENt:VIEW?
BUS3:LABel
BUS3:LABel?
BUS3:EEXPort
BUS3:DATA?
BUS3:POSition
BUS3:POSition?
BUS3:THReshold
BUS3:THReshold?
BUS3:PARallel:CLK
BUS3:PARallel:CLK?
BUS3:PARallel:SLOPe
BUS3:PARallel:SLOPe?
BUS3:PARallel:BUS
BUS3:PARallel:BUS?
BUS3:PARallel:WIDTh
BUS3:PARallel:WIDTh?
BUS3:PARallel:BITX
BUS3:PARallel:BITX?
BUS3:PARallel:SOURce
BUS3:PARallel:SOURce?
BUS3:PARallel:POLarity
BUS3:PARallel:POLarity?
BUS3:PARallel:NREJect
BUS3:PARallel:NREJect?
BUS3:PARallel:NRTime
BUS3:PARallel:NRTime?
BUS3:RS232:TX
BUS3:RS232:TX?
BUS3:RS232:RX
BUS3:RS232:RX?
BUS3:RS232:POLarity
BUS3:RS232:POLarity?
BUS3:RS232:ENDian
BUS3:RS232:ENDian?
BUS3:RS232:BAUD
BUS3:RS232:BAUD?
BUS3:RS232:BUSer
BUS3:RS232:BUSer?
BUS3:RS232:DBITs
BUS3:RS232:DBITs?
BUS3:RS232:SBITs
BUS3:RS232:SBITs?
BUS3:RS232:PARity
BUS3:RS232:PARity?
BUS3:RS232:PACKet
BUS3:RS232:PACKet?
BUS3:RS232:PEND
BUS3:RS232:PEND?
BUS3:IIC:SCLK:SOURce
BUS3:IIC:SCLK:SOURce?
BUS3:IIC:SDA:SOURce
BUS3:IIC:SDA:SOURce?
BUS3:IIC:ADDRess
BUS3:IIC:ADDRess?
BUS3:SPI:SCLK:SOURce
BUS3:SPI:SCLK:SOURce?
BUS3:SPI:SCLK:SLOPe
BUS3:SPI:SCLK:SLOPe?
BUS3:SPI:MISO:SOURce
BUS3:SPI:MISO:SOURce?
BUS3:SPI:MISO:POLarity
BUS3:SPI:MISO:POLarity?
BUS3:SPI:MOSI:SOURce
BUS3:SPI:MOSI:SOURce?
BUS3:SPI:MOSI:POLarity
BUS3:SPI:MOSI:POLarity?
BUS3:SPI:DBITs
BUS3:SPI:DBITs?
BUS3:SPI:ENDian
BUS3:SPI:ENDian?
BUS3:SPI:MODE
BUS3:SPI:MODE?
BUS3:SPI:TIMeout:TIME
BUS3:SPI:TIMeout:TIME?
BUS3:SPI:SS:SOURce
BUS3:SPI:SS:SOURce?
BUS3:SPI:SS:POLarity
BUS3:SPI:SS:POLarity?
BUS3:CAN:SOURce
BUS3:CAN:SOURce?
BUS3:CAN:STYPe
BUS3:CAN:STYPe?
BUS3:CAN:BAUD
BUS3:CAN:BAUD?
BUS3:CAN:BUSer
BUS3:CAN:BUSer?
BUS3:CAN:SPOint
BUS3:CAN:SPOint?
BUS3:FLEXray:BAUD
BUS3:FLEXray:BAUD?
BUS3:FLEXray:SOURce
BUS3:FLEXray:SOURce?
BUS3:FLEXray:SPOint
BUS3:FLEXray:SPOint?
BUS3:FLEXray:STYPe
BUS3:FLEXray:STYPe?
BUS3:LIN:BAUD
BUS3:LIN:BAUD?
BUS3:LIN:BUSer
BUS3:LIN:BUSer?
BUS3:LIN:IDFormat
BUS3:LIN:IDFormat?
BUS3:LIN:POLarity
BUS3:LIN:POLarity?
BUS3:LIN:SOURce
BUS3:LIN:SOURce?
BUS3:LIN:STANdard
BUS3:LIN:STANdard?
BUS3:IIS:SOURce:CLOCk
BUS3:IIS:SOURce:CLOCk?
BUS3:IIS:SOURce:DATA
BUS3:IIS:SOURce:DATA?
BUS3:IIS:SOURce:WSELect
BUS3:IIS:SOURce:WSELect?
BUS3:IIS:ALIGnment
BUS3:IIS:ALIGnment?
BUS3:IIS:CLOCk:SLOPe
BUS3:IIS:CLOCk:SLOPe?
BUS3:IIS:RWIDth
BUS3:IIS:RWIDth?
BUS3:M1553:SOURce
BUS3:M1553:SOURce?
BUS4:MODE
BUS4:MODE?
BUS4:DISPlay
BUS4:DISPlay?
BUS4:FORMat
BUS4:FORMat?
BUS4:EVENt
BUS4:EVENt?
BUS4:EVENt:FORMat
BUS4:EVENt:FORMat?
BUS4:EVENt:VIEW
BUS4:EVENt:VIEW?
BUS4:LABel
BUS4:LABel?
BUS4:EEXPort
BUS4:DATA?
BUS4:POSition
BUS4:POSition?
BUS4:THReshold
BUS4:THReshold?
BUS4:PARallel:CLK
BUS4:PARallel:CLK?
BUS4:PARallel:SLOPe
BUS4:PARallel:SLOPe?
BUS4:PARallel:BUS
BUS4:PARallel:BUS?
BUS4:PARallel:WIDTh
BUS4:PARallel:WIDTh?
BUS4:PARallel:BITX
BUS4:PARallel:BITX?
BUS4:PARallel:SOURce
BUS4:PARallel:SOURce?
BUS4:PARallel:POLarity
BUS4:PARallel:POLarity?
BUS4:PARallel:NREJect
BUS4:PARallel:NREJect?
BUS4:PARallel:NRTime
BUS4:PARallel:NRTime?
BUS4:RS232:TX
BUS4:RS232:TX?
BUS4:RS232:RX
BUS4:RS232:RX?
BUS4:RS232:POLarity
BUS4:RS232:POLarity?
BUS4:RS232:ENDian
BUS4:RS232:ENDian?
BUS4:RS232:BAUD
BUS4:RS232:BAUD?
BUS4:RS232:BUSer
BUS4:RS232:BUSer?
BUS4:RS232:DBITs
BUS4:RS232:DBITs?
BUS4:RS232:SBITs
BUS4:RS232:SBITs?
BUS4:RS232:PARity
BUS4:RS232:PARity?
BUS4:RS232:PACKet
BUS4:RS232:PACKet?
BUS4:RS232:PEND
BUS4:RS232:PEND?
BUS4:IIC:SCLK:SOURce
BUS4:IIC:SCLK:SOURce?
BUS4:IIC:SDA:SOURce
BUS4:IIC:SDA:SOURce?
BUS4:IIC:ADDRess
BUS4:IIC:ADDRess?
BUS4:SPI:SCLK:SOURce
BUS4:SPI:SCLK:SOURce?
BUS4:SPI:SCLK:SLOPe
BUS4:SPI:SCLK:SLOPe?
BUS4:SPI:MISO:SOURce
BUS4:SPI:MISO:SOURce?
BUS4:SPI:MISO:POLarity
BUS4:SPI:MISO:POLarity?
BUS4:SPI:MOSI:SOURce
BUS4:SPI:MOSI:SOURce?
BUS4:SPI:MOSI:POLarity
BUS4:SPI:MOSI:POLarity?
BUS4:SPI:DBITs
BUS4:SPI:DBITs?
BUS4:SPI:ENDian
BUS4:SPI:ENDian?
BUS4:SPI:MODE
BUS4:SPI:MODE?
BUS4:SPI:TIMeout:TIME
BUS4:SPI:TIMeout:TIME?
BUS4:SPI:SS:SOURce
BUS4:SPI:SS:SOURce?
BUS4:SPI:SS:POLarity
BUS4:SPI:SS:POLarity?
BUS4:CAN:SOURce
BUS4:CAN:SOURce?
BUS4:CAN:STYPe
BUS4:CAN:STYPe?
BUS4:CAN:BAUD
BUS4:CAN:BAUD?
BUS4:CAN:BUSer
BUS4:CAN:BUSer?
BUS4:CAN:SPOint
BUS4:CAN:SPOint?
BUS4:FLEXray:BAUD
BUS4:FLEXray:BAUD?
BUS4:FLEXray:SOURce
BUS4:FLEXray:SOURce?
BUS4:FLEXray:SPOint
BUS4:FLEXray:SPOint?
BUS4:FLEXray:STYPe
BUS4:FLEXray:STYPe?
BUS4:LIN:BAUD
BUS4:LIN:BAUD?
BUS4:LIN:BUSer
BUS4:LIN:BUSer?
BUS4:LIN:IDFormat
BUS4:LIN:IDFormat?
BUS4:LIN:POLarity
BUS4:LIN:POLarity?
BUS4:LIN:SOURce
BUS4:LIN:SOURce?
BUS4:LIN:STANdard
BUS4:LIN:STANdard?
BUS4:IIS:SOURce:CLOCk
BUS4:IIS:SOURce:CLOCk?
BUS4:IIS:SOURce:DATA
BUS4:IIS:SOURce:DATA?
BUS4:IIS:SOURce:WSELect
BUS4:IIS:SOURce:WSELect?
BUS4:IIS:ALIGnment
BUS4:IIS:ALIGnment?
BUS4:IIS:CLOCk:SLOPe
BUS4:IIS:CLOCk:SLOPe?
BUS4:IIS:RWIDth
BUS4:IIS:RWIDth?
BUS4:M1553:SOURce
BUS4:M1553:SOURce?
CALibration:ENTer
CALibration:EXIT
CALibration:STATus?
CALibration:COMPlete?
CALibration:AFE:PATH
CALibration:AFE:K
CALibration:AFE:K?
CALibration:AFE:KX
CALibration:AFE:KX?
CALibration:AFE:ZERO
CALibration:AFE:ZERO?
CALibration:AFE:LSB
CALibration:AFE:LSB?
CALibration:AFE:REG
CALibration:AFE:REG?
CALibration:AFE:CFGM
CALibration:AFE:CMT
CALibration:AFE:CMT?
CALibration:AFE:RC
CALibration:AFE:R?
CALibration:AFE:C?
CALibration:AFE:VPP?
CALibration:AFE:MAX?
CALibration:AFE:MIN?
CALibration:AFE:FAVG?
CALibration:AFE:AVG?
CALibration:AFE:FPP?
CALibration:AFE:osel
CALibration:AFE:dsel
CALibration:AFE:zcal
CALibration:AFE:zcal?
CALibration:AFE:AZVos
CALibration:AFE:AZVos?
CALibration:AFE:GPO0
CALibration:DAC
CALibration:DAC?
CALibration:SAVE
CALibration:LOAD
CALibration:DELay
CALibration:DELay?
CALibration:PLL:MASTer:OUTPut
CALibration:PLL:MASTer:REG
CALibration:PLL:MASTer:CFG
CALibration:PLL:MASTer:CFG?
CALibration:PLL:SLAVe:OUTPut
CALibration:PLL:SLAVe:REG
CALibration:PLL:SLAVe:CFG
CALibration:PLL:SLAVe:CFG?
CALibration:STARt
CALibration:QUIT
CALibration:DATE?
CALibration:TIME?
CALibration:LA
CALibration:LA?
CALibration:LA:PATTern?
CALibration:LAData?
CALibration:ADC:BWTRim
CALibration:ADC:BWTRim?
CALibration:ADC:REG
CALibration:ADC:REG?
CHANnel1:BWLimit
CHANnel1:BWLimit?
CHANnel1:COUPling
CHANnel1:COUPling?
CHANnel1:DISPlay
CHANnel1:DISPlay?
CHANnel1:INVert
CHANnel1:INVert?
CHANnel1:OFFSet
CHANnel1:OFFSet?
CHANnel1:POSition
CHANnel1:POSition?
CHANnel1:SCALe
CHANnel1:SCALe?
CHANnel1:UNITs
CHANnel1:UNITs?
CHANnel1:VERNier
CHANnel1:VERNier?
CHANnel1:TCALibrate
CHANnel1:TCALibrate?
CHANnel1:IMPedance
CHANnel1:IMPedance?
CHANnel1:BVOLtage
CHANnel1:BVOLtage?
CHANnel1:CSTart
CHANnel1:PROBe
CHANnel1:PROBe?
CHANnel1:PROBe:PROT
CHANnel1:PROBe:PROT?
CHANnel1:PROBe:DELAY
CHANnel1:PROBe:DELAY?
CHANnel1:PROBe:BIAS
CHANnel1:PROBe:BIAS?
CHANnel1:PROBe:CALibration
CHANnel1:CHCAL
CHANnel1:CHCAL?
CHANnel2:BWLimit
CHANnel2:BWLimit?
CHANnel2:COUPling
CHANnel2:COUPling?
CHANnel2:DISPlay
CHANnel2:DISPlay?
CHANnel2:INVert
CHANnel2:INVert?
CHANnel2:OFFSet
CHANnel2:OFFSet?
CHANnel2:POSition
CHANnel2:POSition?
CHANnel2:SCALe
CHANnel2:SCALe?
CHANnel2:UNITs
CHANnel2:UNITs?
CHANnel2:VERNier
CHANnel2:VERNier?
CHANnel2:TCALibrate
CHANnel2:TCALibrate?
CHANnel2:IMPedance
CHANnel2:IMPedance?
CHANnel2:BVOLtage
CHANnel2:BVOLtage?
CHANnel2:CSTart
CHANnel2:PROBe
CHANnel2:PROBe?
CHANnel2:PROBe:PROT
CHANnel2:PROBe:PROT?
CHANnel2:PROBe:DELAY
CHANnel2:PROBe:DELAY?
CHANnel2:PROBe:BIAS
CHANnel2:PROBe:BIAS?
CHANnel2:PROBe:CALibration
CHANnel2:CHCAL
CHANnel2:CHCAL?
CHANnel3:BWLimit
CHANnel3:BWLimit?
CHANnel3:COUPling
CHANnel3:COUPling?
CHANnel3:DISPlay
CHANnel3:DISPlay?
CHANnel3:INVert
CHANnel3:INVert?
CHANnel3:OFFSet
CHANnel3:OFFSet?
CHANnel3:POSition
CHANnel3:POSition?
CHANnel3:SCALe
CHANnel3:SCALe?
CHANnel3:UNITs
CHANnel3:UNITs?
CHANnel3:VERNier
CHANnel3:VERNier?
CHANnel3:TCALibrate
CHANnel3:TCALibrate?
CHANnel3:IMPedance
CHANnel3:IMPedance?
CHANnel3:BVOLtage
CHANnel3:BVOLtage?
CHANnel3:CSTart
CHANnel3:PROBe
CHANnel3:PROBe?
CHANnel3:PROBe:PROT
CHANnel3:PROBe:PROT?
CHANnel3:PROBe:DELAY
CHANnel3:PROBe:DELAY?
CHANnel3:PROBe:BIAS
CHANnel3:PROBe:BIAS?
CHANnel3:PROBe:CALibration
CHANnel3:CHCAL
CHANnel3:CHCAL?
CHANnel4:BWLimit
CHANnel4:BWLimit?
CHANnel4:COUPling
CHANnel4:COUPling?
CHANnel4:DISPlay
CHANnel4:DISPlay?
CHANnel4:INVert
CHANnel4:INVert?
CHANnel4:OFFSet
CHANnel4:OFFSet?
CHANnel4:POSition
CHANnel4:POSition?
CHANnel4:SCALe
CHANnel4:SCALe?
CHANnel4:UNITs
CHANnel4:UNITs?
CHANnel4:VERNier
CHANnel4:VERNier?
CHANnel4:TCALibrate
CHANnel4:TCALibrate?
CHANnel4:IMPedance
CHANnel4:IMPedance?
CHANnel4:BVOLtage
CHANnel4:BVOLtage?
CHANnel4:CSTart
CHANnel4:PROBe
CHANnel4:PROBe?
CHANnel4:PROBe:PROT
CHANnel4:PROBe:PROT?
CHANnel4:PROBe:DELAY
CHANnel4:PROBe:DELAY?
CHANnel4:PROBe:BIAS
CHANnel4:PROBe:BIAS?
CHANnel4:PROBe:CALibration
CHANnel4:CHCAL
CHANnel4:CHCAL?
*CLS
*ESE
*ESE?
*ESR?
*IDN?
*OPC
*OPC?
*RCL
*RST
*SAV
*SRE
*SRE?
*STB?
*WAI
*TST?
*TEST?
GPIB:PARSE:END
COUNter:CURRent?
COUNter:ENABle
COUNter:ENABle?
COUNter:SOURce
COUNter:SOURce?
COUNter:MODE
COUNter:MODE?
COUNter:NDIGits
COUNter:NDIGits?
COUNter:TOTalize:ENABle
COUNter:TOTalize:ENABle?
COUNter:TOTalize:CLEar
CURSor:MODE
CURSor:MODE?
CURSor:MANual:TYPE
CURSor:MANual:TYPE?
CURSor:MANual:SOURce
CURSor:MANual:SOURce?
CURSor:MANual:TUNit
CURSor:MANual:TUNit?
CURSor:MANual:VUNit
CURSor:MANual:VUNit?
CURSor:MANual:CAX
CURSor:MANual:CAX?
CURSor:MANual:CBX
CURSor:MANual:CBX?
CURSor:MANual:CAY
CURSor:MANual:CAY?
CURSor:MANual:CBY
CURSor:MANual:CBY?
CURSor:MANual:AXValue?
CURSor:MANual:BXValue?
CURSor:MANual:AYValue?
CURSor:MANual:BYValue?
CURSor:MANual:XDELta?
CURSor:MANual:IXDelta?
CURSor:MANual:YDELta?
CURSor:TRACk:SOURce1
CURSor:TRACk:SOURce1?
CURSor:TRACk:SOURce2
CURSor:TRACk:SOURce2?
CURSor:TRACk:CAX
CURSor:TRACk:CAX?
CURSor:TRACk:CBX
CURSor:TRACk:CBX?
CURSor:TRACk:CAY?
CURSor:TRACk:CBY?
CURSor:TRACk:AXValue?
CURSor:TRACk:AYValue?
CURSor:TRACk:BXValue?
CURSor:TRACk:BYValue?
CURSor:TRACk:XDELta?
CURSor:TRACk:YDELta?
CURSor:TRACk:IXDelta?
CURSor:XY:AX
CURSor:XY:AX?
CURSor:XY:BX
CURSor:XY:BX?
CURSor:XY:AY
CURSor:XY:AY?
CURSor:XY:BY
CURSor:XY:BY?
CURSor:XY:AXValue?
CURSor:XY:AYValue?
CURSor:XY:BXValue?
CURSor:XY:BYValue?
CURSor:MEASure:INDicator
CURSor:MEASure:INDicator?
DISPlay:CLEar
DISPlay:TYPE
DISPlay:TYPE?
DISPlay:GRADing:TIME
DISPlay:GRADing:TIME?
DISPlay:WBRightness
DISPlay:WBRightness?
DISPlay:GRID
DISPlay:GRID?
DISPlay:GBRightness
DISPlay:GBRightness?
DISPlay:SNAP?
DISPlay:PULL?
DISPlay:READy?
DISPlay:DATA?
DISPlay:RULers
DISPlay:RULers?
DISPlay:VDIV
DISPlay:VDIV?
DISPlay:COLor
DISPlay:COLor?
DVM:CURRent?
DVM:ENABle
DVM:ENABle?
DVM:SOURce
DVM:SOURce?
DVM:MODE
DVM:MODE?
HISTogram:DISPlay
HISTogram:DISPlay?
HISTogram:TYPE
HISTogram:TYPE?
HISTogram:SOURce
HISTogram:SOURce?
HISTogram:SIZE
HISTogram:SIZE?
HISTogram:STATic
HISTogram:STATic?
HISTogram:RESet
HISTogram:BLIMit
HISTogram:BLIMit?
HISTogram:LLIMit
HISTogram:LLIMit?
HISTogram:RLIMit
HISTogram:RLIMit?
HISTogram:TLIMit
HISTogram:TLIMit?
JITTer:ENABle
JITTer:ENABle?
JITTer:SOURce
JITTer:SOURce?
JITTer:HISTogram:APPLy
JITTer:HISTogram:APPLy?
JITTer:SPECtrum:APPLy
JITTer:SPECtrum:APPLy?
JITTer:TRENd:APPLy
JITTer:TRENd:APPLy?
JITTer:MEASure:TYPE
JITTer:MEASure:TYPE?
JITTer:MEASure:ITEM
JITTer:MEASure:ITEM?
JITTer:MEASure:STATistic:ITEM?
JITTer:MEASure:ENABle
JITTer:MEASure:ENABle?
JITTer:SLOPe
JITTer:SLOPe?
CLOCk:METHod
CLOCk:METHod?
CLOCk:TYPE
CLOCk:TYPE?
CLOCk:RATE
CLOCk:RATE?
CLOCk:PLL:ORDer
CLOCk:PLL:ORDer?
CLOCk:PLL:BW
CLOCk:PLL:BW?
CLOCk:EXTChan
CLOCk:EXTChan?
EYE:ENABle
EYE:ENABle?
EYE:SOURce
EYE:SOURce?
EYE:MEASure:ENABle
EYE:MEASure:ENABle?
EYE:MEASure:ITEM?
EYE:OVERlap
EYE:OVERlap?
LA:STATe
LA:STATe?
LA:ACTive
LA:ACTive?
LA:DISPlay
LA:DISPlay?
LA:AUTosort
LA:DELete
LA:SIZE
LA:SIZE?
LA:TCALibrate
LA:TCALibrate?
LA:DIGital:DISPlay
LA:DIGital:DISPlay?
LA:DIGital:POSition
LA:DIGital:POSition?
LA:DIGital:LABel
LA:DIGital:LABel?
LA:POD1:DISPlay
LA:POD1:DISPlay?
LA:POD1:THReshold
LA:POD1:THReshold?
LA:POD2:DISPlay
LA:POD2:DISPlay?
LA:POD2:THReshold
LA:POD2:THReshold?
LA:GROup:APPend
LA:probe:status?
LAN:DHCP
LAN:DHCP?
LAN:AUToip
LAN:AUToip?
LAN:GATeway
LAN:GATeway?
LAN:DNS
LAN:DNS?
LAN:MAC?
LAN:DSERver?
LAN:MANual
LAN:MANual?
LAN:INITiate
LAN:IPADdress
LAN:IPADdress?
LAN:SMASk
LAN:SMASk?
LAN:STATus?
LAN:VISA?
LAN:MDNS
LAN:MDNS?
LAN:APPLy
LAN:HOST:NAME
LAN:HOST:NAME?
LAN:DOMain
LAN:DOMain?
LAN:DESCription
LAN:DESCription?
LAN:IPMode
LAN:WEBControl:DEFault
MASK:ENABle
MASK:ENABle?
MASK:SOURce
MASK:SOURce?
MASK:OPERate
MASK:OPERate?
MASK:MDISplay
MASK:MDISplay?
MASK:X
MASK:X?
MASK:Y
MASK:Y?
MASK:CREate
MASK:RESet
MASK:NUMBers?
MASK:ERRaction
MASK:ERRaction?
MATH1:DISPlay
MATH1:DISPlay?
MATH1:OPERator
MATH1:OPERator?
MATH1:SOURce1
MATH1:SOURce1?
MATH1:SOURce2
MATH1:SOURce2?
MATH1:LSOurce1
MATH1:LSOurce1?
MATH1:LSOurce2
MATH1:LSOurce2?
MATH1:SCALe
MATH1:SCALe?
MATH1:OFFSet
MATH1:OFFSet?
MATH1:INVert
MATH1:INVert?
MATH1:RESet
MATH1:FFT:SOURce
MATH1:FFT:SOURce?
MATH1:FFT:WINDow
MATH1:FFT:WINDow?
MATH1:FFT:SPLit
MATH1:FFT:SPLit?
MATH1:FFT:UNIT
MATH1:FFT:UNIT?
MATH1:FFT:SCALe
MATH1:FFT:SCALe?
MATH1:FFT:OFFSet
MATH1:FFT:OFFSet?
MATH1:FFT:HSCale
MATH1:FFT:HSCale?
MATH1:FFT:HCENter
MATH1:FFT:HCENter?
MATH1:FFT:FREQuency:STARt
MATH1:FFT:FREQuency:STARt?
MATH1:FFT:FREQuency:END
MATH1:FFT:FREQuency:END?
MATH1:FFT:SEARch:ENABle
MATH1:FFT:SEARch:ENABle?
MATH1:FFT:SEARch:NUM
MATH1:FFT:SEARch:NUM?
MATH1:FFT:SEARch:THReshold
MATH1:FFT:SEARch:THReshold?
MATH1:FFT:SEARch:EXCursion
MATH1:FFT:SEARch:EXCursion?
MATH1:FFT:SEARch:ORDer
MATH1:FFT:SEARch:ORDer?
MATH1:FFT:SEARch:Res?
MATH1:FILTer:TYPE
MATH1:FILTer:TYPE?
MATH1:FILTer:W1
MATH1:FILTer:W1?
MATH1:FILTer:W2
MATH1:FILTer:W2?
MATH1:SENSitivity
MATH1:SENSitivity?
MATH1:DISTance
MATH1:DISTance?
MATH1:THReshold1
MATH1:THReshold1?
MATH1:THReshold2
MATH1:THReshold2?
MATH1:THReshold3
MATH1:THReshold3?
MATH1:THReshold4
MATH1:THReshold4?
MATH2:DISPlay
MATH2:DISPlay?
MATH2:OPERator
MATH2:OPERator?
MATH2:SOURce1
MATH2:SOURce1?
MATH2:SOURce2
MATH2:SOURce2?
MATH2:LSOurce1
MATH2:LSOurce1?
MATH2:LSOurce2
MATH2:LSOurce2?
MATH2:SCALe
MATH2:SCALe?
MATH2:OFFSet
MATH2:OFFSet?
MATH2:INVert
MATH2:INVert?
MATH2:RESet
MATH2:FFT:SOURce
MATH2:FFT:SOURce?
MATH2:FFT:WINDow
MATH2:FFT:WINDow?
MATH2:FFT:SPLit
MATH2:FFT:SPLit?
MATH2:FFT:UNIT
MATH2:FFT:UNIT?
MATH2:FFT:SCALe
MATH2:FFT:SCALe?
MATH2:FFT:OFFSet
MATH2:FFT:OFFSet?
MATH2:FFT:HSCale
MATH2:FFT:HSCale?
MATH2:FFT:HCENter
MATH2:FFT:HCENter?
MATH2:FFT:FREQuency:STARt
MATH2:FFT:FREQuency:STARt?
MATH2:FFT:FREQuency:END
MATH2:FFT:FREQuency:END?
MATH2:FFT:SEARch:ENABle
MATH2:FFT:SEARch:ENABle?
MATH2:FFT:SEARch:NUM
MATH2:FFT:SEARch:NUM?
MATH2:FFT:SEARch:THReshold
MATH2:FFT:SEARch:THReshold?
MATH2:FFT:SEARch:EXCursion
MATH2:FFT:SEARch:EXCursion?
MATH2:FFT:SEARch:ORDer
MATH2:FFT:SEARch:ORDer?
MATH2:FFT:SEARch:Res?
MATH2:FILTer:TYPE
MATH2:FILTer:TYPE?
MATH2:FILTer:W1
MATH2:FILTer:W1?
MATH2:FILTer:W2
MATH2:FILTer:W2?
MATH2:SENSitivity
MATH2:SENSitivity?
MATH2:DISTance
MATH2:DISTance?
MATH2:THReshold1
MATH2:THReshold1?
MATH2:THReshold2
MATH2:THReshold2?
MATH2:THReshold3
MATH2:THReshold3?
MATH2:THReshold4
MATH2:THReshold4?
MATH3:DISPlay
MATH3:DISPlay?
MATH3:OPERator
MATH3:OPERator?
MATH3:SOURce1
MATH3:SOURce1?
MATH3:SOURce2
MATH3:SOURce2?
MATH3:LSOurce1
MATH3:LSOurce1?
MATH3:LSOurce2
MATH3:LSOurce2?
MATH3:SCALe
MATH3:SCALe?
MATH3:OFFSet
MATH3:OFFSet?
MATH3:INVert
MATH3:INVert?
MATH3:RESet
MATH3:FFT:SOURce
MATH3:FFT:SOURce?
MATH3:FFT:WINDow
MATH3:FFT:WINDow?
MATH3:FFT:SPLit
MATH3:FFT:SPLit?
MATH3:FFT:UNIT
MATH3:FFT:UNIT?
MATH3:FFT:SCALe
MATH3:FFT:SCALe?
MATH3:FFT:OFFSet
MATH3:FFT:OFFSet?
MATH3:FFT:HSCale
MATH3:FFT:HSCale?
MATH3:FFT:HCENter
MATH3:FFT:HCENter?
MATH3:FFT:FREQuency:STARt
MATH3:FFT:FREQuency:STARt?
MATH3:FFT:FREQuency:END
MATH3:FFT:FREQuency:END?
MATH3:FFT:SEARch:ENABle
MATH3:FFT:SEARch:ENABle?
MATH3:FFT:SEARch:NUM
MATH3:FFT:SEARch:NUM?
MATH3:FFT:SEARch:THReshold
MATH3:FFT:SEARch:THReshold?
MATH3:FFT:SEARch:EXCursion
MATH3:FFT:SEARch:EXCursion?
MATH3:FFT:SEARch:ORDer
MATH3:FFT:SEARch:ORDer?
MATH3:FFT:SEARch:Res?
MATH3:FILTer:TYPE
MATH3:FILTer:TYPE?
MATH3:FILTer:W1
MATH3:FILTer:W1?
MATH3:FILTer:W2
MATH3:FILTer:W2?
MATH3:SENSitivity
MATH3:SENSitivity?
MATH3:DISTance
MATH3:DISTance?
MATH3:THReshold1
MATH3:THReshold1?
MATH3:THReshold2
MATH3:THReshold2?
MATH3:THReshold3
MATH3:THReshold3?
MATH3:THReshold4
MATH3:THReshold4?
MATH4:DISPlay
MATH4:DISPlay?
MATH4:OPERator
MATH4:OPERator?
MATH4:SOURce1
MATH4:SOURce1?
MATH4:SOURce2
MATH4:SOURce2?
MATH4:LSOurce1
MATH4:LSOurce1?
MATH4:LSOurce2
MATH4:LSOurce2?
MATH4:SCALe
MATH4:SCALe?
MATH4:OFFSet
MATH4:OFFSet?
MATH4:INVert
MATH4:INVert?
MATH4:RESet
MATH4:FFT:SOURce
MATH4:FFT:SOURce?
MATH4:FFT:WINDow
MATH4:FFT:WINDow?
MATH4:FFT:SPLit
MATH4:FFT:SPLit?
MATH4:FFT:UNIT
MATH4:FFT:UNIT?
MATH4:FFT:SCALe
MATH4:FFT:SCALe?
MATH4:FFT:OFFSet
MATH4:FFT:OFFSet?
MATH4:FFT:HSCale
MATH4:FFT:HSCale?
MATH4:FFT:HCENter
MATH4:FFT:HCENter?
MATH4:FFT:FREQuency:STARt
MATH4:FFT:FREQuency:STARt?
MATH4:FFT:FREQuency:END
MATH4:FFT:FREQuency:END?
MATH4:FFT:SEARch:ENABle
MATH4:FFT:SEARch:ENABle?
MATH4:FFT:SEARch:NUM
MATH4:FFT:SEARch:NUM?
MATH4:FFT:SEARch:THReshold
MATH4:FFT:SEARch:THReshold?
MATH4:FFT:SEARch:EXCursion
MATH4:FFT:SEARch:EXCursion?
MATH4:FFT:SEARch:ORDer
MATH4:FFT:SEARch:ORDer?
MATH4:FFT:SEARch:Res?
MATH4:FILTer:TYPE
MATH4:FILTer:TYPE?
MATH4:FILTer:W1
MATH4:FILTer:W1?
MATH4:FILTer:W2
MATH4:FILTer:W2?
MATH4:SENSitivity
MATH4:SENSitivity?
MATH4:DISTance
MATH4:DISTance?
MATH4:THReshold1
MATH4:THReshold1?
MATH4:THReshold2
MATH4:THReshold2?
MATH4:THReshold3
MATH4:THReshold3?
MATH4:THReshold4
MATH4:THReshold4?
MEASure:SOURce
MEASure:SOURce?
MEASure:COUNter:ENABle
MEASure:COUNter:ENABle?
MEASure:COUNter:SOURce
MEASure:COUNter:SOURce?
MEASure:COUNter:VALue?
MEASure:CLEar
MEASure:AMSource
MEASure:AMSource?
MEASure:STATistic:DISPlay
MEASure:STATistic:DISPlay?
MEASure:STATistic:RESet
MEASure:STATistic:ITEM
MEASure:STATistic:ITEM?
MEASure:SETup:MAX
MEASure:SETup:MAX?
MEASure:SETup:MID
MEASure:SETup:MID?
MEASure:SETup:MIN
MEASure:SETup:MIN?
MEASure:SETup:PSA
MEASure:SETup:PSA?
MEASure:SETup:PSB
MEASure:SETup:PSB?
MEASure:SETup:DSA
MEASure:SETup:DSA?
MEASure:SETup:DSB
MEASure:SETup:DSB?
MEASure:THReshold:SOURce
MEASure:THReshold:DEFault
MEASure:MODE
MEASure:MODE?
MEASure:AREA
MEASure:AREA?
MEASure:TYPE
MEASure:TYPE?
MEASure:CREGion:CAX
MEASure:CREGion:CAX?
MEASure:CREGion:CBX
MEASure:CREGion:CBX?
MEASure:ITEM
MEASure:ITEM?
MEASure:EPOS:SA?
MEASure:EPOS:SB?
MEASure:CATegory
MEASure:CATegory?
MEASure:INDicator
MEASure:INDicator?
POWer:TYPE
POWer:TYPE?
POWer:CURRentsource
POWer:CURRentsource?
POWer:VOLTagesource
POWer:VOLTagesource?
POWer:REFLevel:METHod
POWer:REFLevel:METHod?
POWer:REFLevel:ABSolute:HIGH
POWer:REFLevel:ABSolute:HIGH?
POWer:REFLevel:ABSolute:LOW
POWer:REFLevel:ABSolute:LOW?
POWer:REFLevel:ABSolute:MID
POWer:REFLevel:ABSolute:MID?
POWer:REFLevel:PERCent:HIGH
POWer:REFLevel:PERCent:HIGH?
POWer:REFLevel:PERCent:LOW
POWer:REFLevel:PERCent:LOW?
POWer:REFLevel:PERCent:MID
POWer:REFLevel:PERCent:MID?
POWer:QUALity:DISPlay
POWer:QUALity:DISPlay?
POWer:QUALity:FREQreference
POWer:QUALity:FREQreference?
POWer:RIPPle:SOURce
POWer:RIPPle:SOURce?
POWer:RIPPle:DISPlay
POWer:RIPPle:DISPlay?
POWer:STATistics:RESet
QUICk:OPERation
QUICk:OPERation?
RECord:ENABle
RECord:ENABle?
RECord:STARt
RECord:STARt?
RECord:PLAY
RECord:PLAY?
RECord:CURRent
RECord:CURRent?
RECord:FRAMes
RECord:FRAMes?
REFerence:DISPlay
REFerence:DISPlay?
REFerence:SOURce
REFerence:SOURce?
REFerence:VSCale
REFerence:VSCale?
REFerence:VOFFset
REFerence:VOFFset?
REFerence:RESet
REFerence:CURRent
REFerence:SAVe
REFerence:COLor
REFerence:COLor?
REFerence:LABel:ENABle
REFerence:LABel:ENABle?
REFerence:LABel:CONTent
REFerence:LABel:CONTent?
SAVE:CSV
SAVE:CSV:FACTors
SAVE:CSV:FACTors?
SAVE:CSV:LENGth
SAVE:CSV:LENGth?
SAVE:FORMat
SAVE:FORMat?
SAVE:IMAGe
SAVE:IMAGe:TYPE
SAVE:IMAGe:TYPE?
SAVE:IMAGe:FACTors
SAVE:IMAGe:FACTors?
SAVE:IMAGe:INVert
SAVE:IMAGe:INVert?
SAVE:IMAGe:COLor
SAVE:IMAGe:COLor?
SAVE:SETup
SAVE:WAVeform
SAVE:STATus?
LOAd:SETup
SEARch:STATe
SEARch:STATe?
SEARch:MODE
SEARch:MODE?
SEARch:EVENt
SEARch:EVENt?
SEARch:COUNt?
SEARch:VALue?
SEARch:EDGE:SLOPe
SEARch:EDGE:SLOPe?
SEARch:EDGE:SOURce
SEARch:EDGE:SOURce?
SEARch:EDGE:THReshold
SEARch:EDGE:THReshold?
SEARch:RUNT:POLarity
SEARch:RUNT:POLarity?
SEARch:RUNT:QUALifier
SEARch:RUNT:QUALifier?
SEARch:RUNT:SOURce
SEARch:RUNT:SOURce?
SEARch:RUNT:WUPPer
SEARch:RUNT:WUPPer?
SEARch:RUNT:WLOWer
SEARch:RUNT:WLOWer?
SEARch:RUNT:THReshold1
SEARch:RUNT:THReshold1?
SEARch:RUNT:THReshold2
SEARch:RUNT:THReshold2?
SEARch:PULSe:POLarity
SEARch:PULSe:POLarity?
SEARch:PULSe:QUALifier
SEARch:PULSe:QUALifier?
SEARch:PULSe:SOURce
SEARch:PULSe:SOURce?
SEARch:PULSe:UWIDth
SEARch:PULSe:UWIDth?
SEARch:PULSe:LWIDth
SEARch:PULSe:LWIDth?
SEARch:PULSe:THReshold
SEARch:PULSe:THReshold?
SEARch:SLOPe:POLarity
SEARch:SLOPe:POLarity?
SEARch:SLOPe:QUALifier
SEARch:SLOPe:QUALifier?
SEARch:SLOPe:SOURce
SEARch:SLOPe:SOURce?
SEARch:SLOPe:TUPPer
SEARch:SLOPe:TUPPer?
SEARch:SLOPe:TLOWer
SEARch:SLOPe:TLOWer?
SEARch:SLOPe:THReshold1
SEARch:SLOPe:THReshold1?
SEARch:SLOPe:THReshold2
SEARch:SLOPe:THReshold2?
SOURce:FREQuency:FIXed
SOURce:FREQuency:FIXed?
SOURce:PHASe:ADJust
SOURce:PHASe:ADJust?
SOURce:PHASe:INITiate
SOURce:FUNCtion:SHAPe
SOURce:FUNCtion:SHAPe?
SOURce:FUNCtion:RAMP:SYMMetry
SOURce:FUNCtion:RAMP:SYMMetry?
SOURce:VOLTage:LEVel:IMMediate:AMPLitude
SOURce:VOLTage:LEVel:IMMediate:AMPLitude?
SOURce:VOLTage:LEVel:IMMediate:OFFSet
SOURce:VOLTage:LEVel:IMMediate:OFFSet?
SOURce:PULSe:DCYCle
SOURce:PULSe:DCYCle?
SOURce:MOD:TYPE
SOURce:MOD:TYPE?
SOURce:MOD:AM:DEPTh
SOURce:MOD:AM:DEPTh?
SOURce:MOD:AM:INTernal:FREQuency
SOURce:MOD:AM:INTernal:FREQuency?
SOURce:MOD:AM:INTernal:FUNCtion
SOURce:MOD:AM:INTernal:FUNCtion?
SOURce:MOD:FM:DEViation
SOURce:MOD:FM:DEViation?
SOURce:MOD:FM:INTernal:FREQuency
SOURce:MOD:FM:INTernal:FREQuency?
SOURce:MOD:FM:INTernal:FUNCtion
SOURce:MOD:FM:INTernal:FUNCtion?
SOURce:SWEep:TYPE
SOURce:SWEep:TYPE?
SOURce:SWEep:STIMe
SOURce:SWEep:STIMe?
SOURce:SWEep:BTIMe
SOURce:SWEep:BTIMe?
SOURce:BURSt:TYPE
SOURce:BURSt:TYPE?
SOURce:BURSt:CYCLes
SOURce:BURSt:CYCLes?
SOURce:BURSt:DELay
SOURce:BURSt:DELay?
SOURce:APPLy:NOISe
SOURce:APPLy:PULSe
SOURce:APPLy:RAMP
SOURce:APPLy:SINusoid
SOURce:APPLy:SQUare
SOURce:APPLy:DC
SOURce:APPLy:USER
SOURce:APPLy?
SOURce:OUTPut:STATe
SOURce:OUTPut:STATe?
SOURce:OUTPut:IMPedance
SOURce:OUTPut:IMPedance?
SOURce:OUTPut1:STATe
SOURce:OUTPut1:STATe?
SOURce:OUTPut1:IMPedance
SOURce:OUTPut1:IMPedance?
SOURce:OUTPut2:STATe
SOURce:OUTPut2:STATe?
SOURce:OUTPut2:IMPedance
SOURce:OUTPut2:IMPedance?
SOURce:CALibration:VCTXo
SOURce:CALibration:VCTXo?
SOURce:CALibration:PHASe
SOURce:CALibration:PHASe?
SOURce:CALibration:OFFSet
SOURce:CALibration:OFFSet?
SOURce:CALibration:DC
SOURce:CALibration:DC?
SOURce:CALibration:AMP
SOURce:CALibration:AMP?
SOURce:CALibration:SAVedata
SOURce:CALibration:DEFault
SOURce1:FREQuency:FIXed
SOURce1:FREQuency:FIXed?
SOURce1:PHASe:ADJust
SOURce1:PHASe:ADJust?
SOURce1:PHASe:INITiate
SOURce1:FUNCtion:SHAPe
SOURce1:FUNCtion:SHAPe?
SOURce1:FUNCtion:RAMP:SYMMetry
SOURce1:FUNCtion:RAMP:SYMMetry?
SOURce1:VOLTage:LEVel:IMMediate:AMPLitude
SOURce1:VOLTage:LEVel:IMMediate:AMPLitude?
SOURce1:VOLTage:LEVel:IMMediate:OFFSet
SOURce1:VOLTage:LEVel:IMMediate:OFFSet?
SOURce1:PULSe:DCYCle
SOURce1:PULSe:DCYCle?
SOURce1:TYPE
SOURce1:TYPE?
SOURce1:MOD:TYPE
SOURce1:MOD:TYPE?
SOURce1:MOD:AM:DEPTh
SOURce1:MOD:AM:DEPTh?
SOURce1:MOD:AM:INTernal:FREQuency
SOURce1:MOD:AM:INTernal:FREQuency?
SOURce1:MOD:AM:INTernal:FUNCtion
SOURce1:MOD:AM:INTernal:FUNCtion?
SOURce1:MOD:FM:DEViation
SOURce1:MOD:FM:DEViation?
SOURce1:MOD:FM:INTernal:FREQuency
SOURce1:MOD:FM:INTernal:FREQuency?
SOURce1:MOD:FM:INTernal:FUNCtion
SOURce1:MOD:FM:INTernal:FUNCtion?
SOURce1:SWEep:TYPE
SOURce1:SWEep:TYPE?
SOURce1:SWEep:STIMe
SOURce1:SWEep:STIMe?
SOURce1:SWEep:BTIMe
SOURce1:SWEep:BTIMe?
SOURce1:BURSt:TYPE
SOURce1:BURSt:TYPE?
SOURce1:BURSt:CYCLes
SOURce1:BURSt:CYCLes?
SOURce1:BURSt:DELay
SOURce1:BURSt:DELay?
SOURce1:APPLy:NOISe
SOURce1:APPLy:PULSe
SOURce1:APPLy:RAMP
SOURce1:APPLy:SINusoid
SOURce1:APPLy:SQUare
SOURce1:APPLy:DC
SOURce1:APPLy:USER
SOURce1:APPLy?
SOURce1:OUTPut:STATe
SOURce1:OUTPut:STATe?
SOURce1:OUTPut:IMPedance
SOURce1:OUTPut:IMPedance?
SOURce1:OUTPut1:STATe
SOURce1:OUTPut1:STATe?
SOURce1:OUTPut1:IMPedance
SOURce1:OUTPut1:IMPedance?
SOURce1:OUTPut2:STATe
SOURce1:OUTPut2:STATe?
SOURce1:OUTPut2:IMPedance
SOURce1:OUTPut2:IMPedance?
SOURce1:CALibration:VCTXo
SOURce1:CALibration:VCTXo?
SOURce1:CALibration:PHASe
SOURce1:CALibration:PHASe?
SOURce1:CALibration:OFFSet
SOURce1:CALibration:OFFSet?
SOURce1:CALibration:DC
SOURce1:CALibration:DC?
SOURce1:CALibration:AMP
SOURce1:CALibration:AMP?
SOURce1:CALibration:SAVedata
SOURce1:CALibration:DEFault
SOURce2:FREQuency:FIXed
SOURce2:FREQuency:FIXed?
SOURce2:PHASe:ADJust
SOURce2:PHASe:ADJust?
SOURce2:PHASe:INITiate
SOURce2:FUNCtion:SHAPe
SOURce2:FUNCtion:SHAPe?
SOURce2:FUNCtion:RAMP:SYMMetry
SOURce2:FUNCtion:RAMP:SYMMetry?
SOURce2:VOLTage:LEVel:IMMediate:AMPLitude
SOURce2:VOLTage:LEVel:IMMediate:AMPLitude?
SOURce2:VOLTage:LEVel:IMMediate:OFFSet
SOURce2:VOLTage:LEVel:IMMediate:OFFSet?
SOURce2:PULSe:DCYCle
SOURce2:PULSe:DCYCle?
SOURce2:TYPE
SOURce2:TYPE?
SOURce2:MOD:TYPE
SOURce2:MOD:TYPE?
SOURce2:MOD:AM:DEPTh
SOURce2:MOD:AM:DEPTh?
SOURce2:MOD:AM:INTernal:FREQuency
SOURce2:MOD:AM:INTernal:FREQuency?
SOURce2:MOD:AM:INTernal:FUNCtion
SOURce2:MOD:AM:INTernal:FUNCtion?
SOURce2:MOD:FM:DEViation
SOURce2:MOD:FM:DEViation?
SOURce2:MOD:FM:INTernal:FREQuency
SOURce2:MOD:FM:INTernal:FREQuency?
SOURce2:MOD:FM:INTernal:FUNCtion
SOURce2:MOD:FM:INTernal:FUNCtion?
SOURce2:SWEep:TYPE
SOURce2:SWEep:TYPE?
SOURce2:SWEep:STIMe
SOURce2:SWEep:STIMe?
SOURce2:SWEep:BTIMe
SOURce2:SWEep:BTIMe?
SOURce2:BURSt:TYPE
SOURce2:BURSt:TYPE?
SOURce2:BURSt:CYCLes
SOURce2:BURSt:CYCLes?
SOURce2:BURSt:DELay
SOURce2:BURSt:DELay?
SOURce2:APPLy:NOISe
SOURce2:APPLy:PULSe
SOURce2:APPLy:RAMP
SOURce2:APPLy:SINusoid
SOURce2:APPLy:SQUare
SOURce2:APPLy:DC
SOURce2:APPLy:USER
SOURce2:APPLy?
SOURce2:OUTPut:STATe
SOURce2:OUTPut:STATe?
SOURce2:OUTPut:IMPedance
SOURce2:OUTPut:IMPedance?
SOURce2:OUTPut1:STATe
SOURce2:OUTPut1:STATe?
SOURce2:OUTPut1:IMPedance
SOURce2:OUTPut1:IMPedance?
SOURce2:OUTPut2:STATe
SOURce2:OUTPut2:STATe?
SOURce2:OUTPut2:IMPedance
SOURce2:OUTPut2:IMPedance?
SOURce2:CALibration:VCTXo
SOURce2:CALibration:VCTXo?
SOURce2:CALibration:PHASe
SOURce2:CALibration:PHASe?
SOURce2:CALibration:OFFSet
SOURce2:CALibration:OFFSet?
SOURce2:CALibration:DC
SOURce2:CALibration:DC?
SOURce2:CALibration:AMP
SOURce2:CALibration:AMP?
SOURce2:CALibration:SAVedata
SOURce2:CALibration:DEFault
SYSTem:AOUTput
SYSTem:AOUTput?
SYSTem:AUToscale
SYSTem:AUToscale?
SYSTem:BEEPer
SYSTem:BEEPer?
SYSTem:TICK
SYSTem:DATE
SYSTem:DATE?
SYSTem:ERRor:NEXT?
SYSTem:GAMount?
SYSTem:GPIB
SYSTem:GPIB?
SYSTem:KEY:PRESs
SYSTem:KEY:INCRease
SYSTem:KEY:DECRease
SYSTem:TOUCh
SYSTem:LANGuage
SYSTem:LANGuage?
SYSTem:OPTion:INSTall
SYSTem:OPTion:UNITem
SYSTem:OPTion:UNINstall
SYSTem:OPTion:STATus?
SYSTem:OPTion:VALid?
SYSTem:OPTion:LIST?
SYSTem:FLASh:WRITe
SYSTem:PON
SYSTem:PON?
SYSTem:PSTatus
SYSTem:PSTatus?
SYSTem:RAMount?
SYSTem:RESet
SYSTem:SETup
SYSTem:SETup?
SYSTem:SSAVer:TIME
SYSTem:SSAVer:TIME?
SYSTem:TIME
SYSTem:TIME?
SYSTem:VERSion?
SYSTem:SCINfo?
SYSTem:LOCKed
SYSTem:LOCKed?
SYSTem:MODules?
SYSTem:PRES
SYSTem:PRES?
SYSTem:LABel
SYSTem:DGSTatus?
SYSTem:RCLock
SYSTem:RCLock?
SYSTem:NVClear
SYSTem:PWDClear
SYSTem:ROM?
SYSTem:AUTClear
SYSTem:KIMPedance
SYSTem:KIMPedance?
VENDor:CONFigure
VENDor:CONFigure?
TIMebase:DELay:ENABle
TIMebase:DELay:ENABle?
TIMebase:DELay:OFFSet
TIMebase:DELay:OFFSet?
TIMebase:DELay:SCALe
TIMebase:DELay:SCALe?
TIMebase:MAIN:OFFSet
TIMebase:MAIN:OFFSet?
TIMebase:MAIN:SCALe
TIMebase:MAIN:SCALe?
TIMebase:MODE
TIMebase:MODE?
TIMebase:HREFerence:MODE
TIMebase:HREFerence:MODE?
TIMebase:HREFerence:POSition
TIMebase:HREFerence:POSition?
TIMebase:VERNier
TIMebase:VERNier?
TIMebase:HOTKeys
TIMebase:STATus?
AUToscale
TRIGger:MODE
TRIGger:MODE?
TRIGger:COUPling
TRIGger:COUPling?
TRIGger:STATus?
TRIGger:SWEep
TRIGger:SWEep?
TRIGger:HOLDoff
TRIGger:HOLDoff?
TRIGger:NREJect
TRIGger:NREJect?
TRIGger:POSition?
TRIGger:EDGE:SOURce
TRIGger:EDGE:SOURce?
TRIGger:EDGE:SLOPe
TRIGger:EDGE:SLOPe?
TRIGger:EDGE:LEVel
TRIGger:EDGE:LEVel?
TRIGger:PULSe:SOURce
TRIGger:PULSe:SOURce?
TRIGger:PULSe:WHEN
TRIGger:PULSe:WHEN?
TRIGger:PULSe:WIDTh
TRIGger:PULSe:WIDTh?
TRIGger:PULSe:UWIDth
TRIGger:PULSe:UWIDth?
TRIGger:PULSe:LWIDth
TRIGger:PULSe:LWIDth?
TRIGger:PULSe:LEVel
TRIGger:PULSe:LEVel?
TRIGger:SLOPe:SOURce
TRIGger:SLOPe:SOURce?
TRIGger:SLOPe:WHEN
TRIGger:SLOPe:WHEN?
TRIGger:SLOPe:TIME
TRIGger:SLOPe:TIME?
TRIGger:SLOPe:TUPPer
TRIGger:SLOPe:TUPPer?
TRIGger:SLOPe:TLOWer
TRIGger:SLOPe:TLOWer?
TRIGger:SLOPe:WINDow
TRIGger:SLOPe:WINDow?
TRIGger:SLOPe:ALEVel
TRIGger:SLOPe:ALEVel?
TRIGger:SLOPe:BLEVel
TRIGger:SLOPe:BLEVel?
TRIGger:VIDeo:SOURce
TRIGger:VIDeo:SOURce?
TRIGger:VIDeo:POLarity
TRIGger:VIDeo:POLarity?
TRIGger:VIDeo:MODE
TRIGger:VIDeo:MODE?
TRIGger:VIDeo:LINE
TRIGger:VIDeo:LINE?
TRIGger:VIDeo:STANdard
TRIGger:VIDeo:STANdard?
TRIGger:VIDeo:LEVel
TRIGger:VIDeo:LEVel?
TRIGger:PATTern:PATTern
TRIGger:PATTern:PATTern?
TRIGger:PATTern:LEVel
TRIGger:PATTern:LEVel?
TRIGger:PATTern:SOURce
TRIGger:PATTern:SOURce?
TRIGger:DURation:SOURce
TRIGger:DURation:SOURce?
TRIGger:DURation:TYPE
TRIGger:DURation:TYPE?
TRIGger:DURation:WHEN
TRIGger:DURation:WHEN?
TRIGger:DURation:TUPPer
TRIGger:DURation:TUPPer?
TRIGger:DURation:TLOWer
TRIGger:DURation:TLOWer?
TRIGger:DURation:LEVel
TRIGger:DURation:LEVel?
TRIGger:TIMeout:SOURce
TRIGger:TIMeout:SOURce?
TRIGger:TIMeout:SLOPe
TRIGger:TIMeout:SLOPe?
TRIGger:TIMeout:TIME
TRIGger:TIMeout:TIME?
TRIGger:TIMeout:LEVel
TRIGger:TIMeout:LEVel?
TRIGger:RUNT:SOURce
TRIGger:RUNT:SOURce?
TRIGger:RUNT:POLarity
TRIGger:RUNT:POLarity?
TRIGger:RUNT:WHEN
TRIGger:RUNT:WHEN?
TRIGger:RUNT:WUPPer
TRIGger:RUNT:WUPPer?
TRIGger:RUNT:WLOWer
TRIGger:RUNT:WLOWer?
TRIGger:RUNT:ALEVel
TRIGger:RUNT:ALEVel?
TRIGger:RUNT:BLEVel
TRIGger:RUNT:BLEVel?
TRIGger:WINDows:SOURce
TRIGger:WINDows:SOURce?
TRIGger:WINDows:SLOPe
TRIGger:WINDows:SLOPe?
TRIGger:WINDows:POSition
TRIGger:WINDows:POSition?
TRIGger:WINDows:TIME
TRIGger:WINDows:TIME?
TRIGger:WINDows:ALEVel
TRIGger:WINDows:ALEVel?
TRIGger:WINDows:BLEVel
TRIGger:WINDows:BLEVel?
TRIGger:DELay:SA
TRIGger:DELay:SA?
TRIGger:DELay:SLOPa
TRIGger:DELay:SLOPa?
TRIGger:DELay:SB
TRIGger:DELay:SB?
TRIGger:DELay:SLOPb
TRIGger:DELay:SLOPb?
TRIGger:DELay:TYPE
TRIGger:DELay:TYPE?
TRIGger:DELay:TUPPer
TRIGger:DELay:TUPPer?
TRIGger:DELay:TLOWer
TRIGger:DELay:TLOWer?
TRIGger:DELay:ALEVel
TRIGger:DELay:ALEVel?
TRIGger:DELay:BLEVel
TRIGger:DELay:BLEVel?
TRIGger:SHOLd:DSRC
TRIGger:SHOLd:DSRC?
TRIGger:SHOLd:CSRC
TRIGger:SHOLd:CSRC?
TRIGger:SHOLd:SLOPe
TRIGger:SHOLd:SLOPe?
TRIGger:SHOLd:PATTern
TRIGger:SHOLd:PATTern?
TRIGger:SHOLd:TYPE
TRIGger:SHOLd:TYPE?
TRIGger:SHOLd:STIMe
TRIGger:SHOLd:STIMe?
TRIGger:SHOLd:HTIMe
TRIGger:SHOLd:HTIMe?
TRIGger:SHOLd:DLEVel
TRIGger:SHOLd:DLEVel?
TRIGger:SHOLd:CLEVel
TRIGger:SHOLd:CLEVel?
TRIGger:NEDGe:SOURce
TRIGger:NEDGe:SOURce?
TRIGger:NEDGe:SLOPe
TRIGger:NEDGe:SLOPe?
TRIGger:NEDGe:IDLE
TRIGger:NEDGe:IDLE?
TRIGger:NEDGe:EDGE
TRIGger:NEDGe:EDGE?
TRIGger:NEDGe:LEVel
TRIGger:NEDGe:LEVel?
TRIGger:RS232:SOURce
TRIGger:RS232:SOURce?
TRIGger:RS232:WHEN
TRIGger:RS232:WHEN?
TRIGger:RS232:PARity
TRIGger:RS232:PARity?
TRIGger:RS232:STOP
TRIGger:RS232:STOP?
TRIGger:RS232:DATA
TRIGger:RS232:DATA?
TRIGger:RS232:WIDTh
TRIGger:RS232:WIDTh?
TRIGger:RS232:BAUD
TRIGger:RS232:BAUD?
TRIGger:RS232:BUSer
TRIGger:RS232:BUSer?
TRIGger:RS232:LEVel
TRIGger:RS232:LEVel?
TRIGger:IIC:SCL
TRIGger:IIC:SCL?
TRIGger:IIC:SDA
TRIGger:IIC:SDA?
TRIGger:IIC:WHEN
TRIGger:IIC:WHEN?
TRIGger:IIC:AWIDth
TRIGger:IIC:AWIDth?
TRIGger:IIC:ADDRess
TRIGger:IIC:ADDRess?
TRIGger:IIC:DIRection
TRIGger:IIC:DIRection?
TRIGger:IIC:DATA
TRIGger:IIC:DATA?
TRIGger:IIC:CLEVel
TRIGger:IIC:CLEVel?
TRIGger:IIC:DLEVel
TRIGger:IIC:DLEVel?
TRIGger:CAN:BAUD
TRIGger:CAN:BAUD?
TRIGger:CAN:SOURce
TRIGger:CAN:SOURce?
TRIGger:CAN:STYPe
TRIGger:CAN:STYPe?
TRIGger:CAN:WHEN
TRIGger:CAN:WHEN?
TRIGger:CAN:SPOint
TRIGger:CAN:SPOint?
TRIGger:CAN:LEVel
TRIGger:CAN:LEVel?
TRIGger:SPI:CLEVel
TRIGger:SPI:CLEVel?
TRIGger:SPI:DLEVel
TRIGger:SPI:DLEVel?
TRIGger:SPI:CS
TRIGger:SPI:CS?
TRIGger:SPI:DATA
TRIGger:SPI:DATA?
TRIGger:SPI:MODE
TRIGger:SPI:MODE?
TRIGger:SPI:SCL
TRIGger:SPI:SCL?
TRIGger:SPI:SDA
TRIGger:SPI:SDA?
TRIGger:SPI:SLEVel
TRIGger:SPI:SLEVel?
TRIGger:SPI:SLOPe
TRIGger:SPI:SLOPe?
TRIGger:SPI:TIMeout
TRIGger:SPI:TIMeout?
TRIGger:SPI:WHEN
TRIGger:SPI:WHEN?
TRIGger:SPI:WIDTh
TRIGger:SPI:WIDTh?
TRIGger:FLEXray:BAUD
TRIGger:FLEXray:BAUD?
TRIGger:FLEXray:SOURce
TRIGger:FLEXray:SOURce?
TRIGger:FLEXray:WHEN
TRIGger:FLEXray:WHEN?
TRIGger:FLEXray:LEVel
TRIGger:FLEXray:LEVel?
TRIGger:IIS:ALIGnment
TRIGger:IIS:ALIGnment?
TRIGger:IIS:CLOCk:SLOPe
TRIGger:IIS:CLOCk:SLOPe?
TRIGger:IIS:SOURce:CLOCk
TRIGger:IIS:SOURce:CLOCk?
TRIGger:IIS:SOURce:DATA
TRIGger:IIS:SOURce:DATA?
TRIGger:IIS:SOURce:WSELect
TRIGger:IIS:SOURce:WSELect?
TRIGger:IIS:WHEN
TRIGger:IIS:WHEN?
TRIGger:IIS:AUDio
TRIGger:IIS:AUDio?
TRIGger:IIS:DATA
TRIGger:IIS:DATA?
TRIGger:LIN:SOURce
TRIGger:LIN:SOURce?
TRIGger:LIN:ID
TRIGger:LIN:ID?
TRIGger:LIN:BAUD
TRIGger:LIN:BAUD?
TRIGger:LIN:STANdard
TRIGger:LIN:STANdard?
TRIGger:LIN:SAMPlepoint
TRIGger:LIN:SAMPlepoint?
TRIGger:LIN:WHEN
TRIGger:LIN:WHEN?
TRIGger:LIN:LEVel
TRIGger:LIN:LEVel?
TRIGger:M1553:SOURce
TRIGger:M1553:SOURce?
TRIGger:M1553:WHEN
TRIGger:M1553:WHEN?
TRIGger:M1553:POLarity
TRIGger:M1553:POLarity?
TRIGger:M1553:ALEVel
TRIGger:M1553:ALEVel?
TRIGger:M1553:BLEVel
TRIGger:M1553:BLEVel?
TFORce
WAVeform:SOURce
WAVeform:SOURce?
WAVeform:MODE
WAVeform:MODE?
WAVeform:FORMat
WAVeform:FORMat?
WAVeform:POINts
WAVeform:POINts?
WAVeform:DATA?
WAVeform:XINCrement?
WAVeform:XORigin?
WAVeform:XREFerence?
WAVeform:YINCrement?
WAVeform:YORigin?
WAVeform:YREFerence?
WAVeform:STARt
WAVeform:STARt?
WAVeform:STOP
WAVeform:STOP?
WAVeform:BEGin
WAVeform:END
WAVeform:RESet
WAVeform:PREamble?
WAVeform:STATus?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 20, 2019, 04:45:34 am
Here's a new bspatch that should disable two callbacks to Rigol. But I could only test that it stopped storing the response in /tmp/firmware.xml right now.

Interestingly, both callbacks are two different URLs and both don't work.

This should be applied on a clean .04.08 appEntry, final md5sum edb0207efa63aec9d801036521b5452a

Most likely the freeze is due to a connection issue back to the Rigol Chinese site (and the randomness with the great firewall and peering) and from what I can tell it's executing it awkwardly on the UI thread without much concern for what happens if the HTTP connection stalls.

On the plus side, given how...crappy the update check is, I'm pretty sure another update/attack vector in the future is simply MITMing the HTTP requests asking for version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 20, 2019, 05:03:03 am
Thanks delfinom, you rock  :-+

You think perhaps something erroneous got stored in the firmware.xml response file on the affected scopes and that's what caused the hang?  And if so, you think there's a way to copy over a good copy and fix the problem without going through re-patching?  Once the freeze occurs, even the original 04.04 and 04.08 without patch would cause the freeze, that's what leads me to think some erroneous data got stored somewhere.

If not, there's no big deal.  It is easy to re-patch just to remove the phone home "features", especially given how infrequent patches are released.

Again, thanks for all your hard work to look into this matter, it is much appreciated.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 08:30:27 am
I think it's pretty certain that the scope phones home every time it can.

One thing it does in that phone call, I think, is to send an RSA-encrypted pack that contains some relevant data from the /data dir. Personal data: keys, licenses, etc.

If someone wants to put a Wireshark to work we can verify this info.

Mabl, no pissing contest here, but I released the SCPI commands in the general Rigol all SCPI commands thread. I'll try and check with yours.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 08:33:22 am
Maybe after a successful home call it sets a flag until further changes demand a new phone call or an online update is triggered.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on August 20, 2019, 08:39:17 am
I think it's pretty certain that the scope phones home every time it can.

One thing it does in that phone call, I think, is to send an RSA-encrypted pack that contains some relevant data from the /data dir. Personal data: keys, licenses, etc.

If someone wants to put a Wireshark to work we can verify this info.

There is also a non-technical solution to this, which would help to work around the RSA encryption: Since Rigol sell this scope in Europe, they have to adhere to the GDPR data protection/privacy regulations. They can't collect any personal data without informing you about the data they use, the purpose of that exercise, the storage duration etc. And yes, if they collect a unique identifier like the scope's serial number, and potentially link that back to the buyer via sales records from their distributors, that's personal information.

Could someone who bought the MSO5000 in Europe file an information request with Rigol Europe?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on August 20, 2019, 08:44:08 am
An oscilloscope calling home. Sometimes I hate the era we live in.  :palm:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 08:49:28 am
We can also change the key... and the info will be worthless.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on August 20, 2019, 08:52:09 am
I think it's pretty certain that the scope phones home every time it can.

I dunno about "every time it can" but it looks like it does something at bootup.

If someone wants to put a wireshark to work we can verify this info.

Maybe it's just checking for updates. Has anybody seen any sort of "new updates are available" message on one of these?

Tracking how much hacking is going on seems pointless (it's probably in the "90%" region) but that doesn't mean they aren't doing it.

Making the 'scope hang at bootup is a bug though, it needs fixing. A wireshark session would be very informative, if only to figure out what it's doing and how to tweak routers to block it so it boots up as fast as possible.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 09:03:11 am
We can patch out the home calling but I don't appreciate patching very much. Not future proof.  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 20, 2019, 11:17:37 am
Thanks delfinom, you rock  :-+

You think perhaps something erroneous got stored in the firmware.xml response file on the affected scopes and that's what caused the hang?  And if so, you think there's a way to copy over a good copy and fix the problem without going through re-patching?  Once the freeze occurs, even the original 04.04 and 04.08 without patch would cause the freeze, that's what leads me to think some erroneous data got stored somewhere.

If not, there's no big deal.  It is easy to re-patch just to remove the phone home "features", especially given how infrequent patches are released.

Again, thanks for all your hard work to look into this matter, it is much appreciated.

A good one won't fix it because it's placed in /tmp which is nuked on reboot. The file itself is most likely not causing it, but rather the HTTP connection going outbound through the Great Firewall of China.

I think it's pretty certain that the scope phones home every time it can.

I dunno about "every time it can" but it looks like it does something at bootup.

If someone wants to put a wireshark to work we can verify this info.

Maybe it's just checking for updates. Has anybody seen any sort of "new updates are available" message on one of these?

Tracking how much hacking is going on seems pointless (it's probably in the "90%" region) but that doesn't mean they aren't doing it.

Making the 'scope hang at bootup is a bug though, it needs fixing. A wireshark session would be very informative, if only to figure out what it's doing and how to tweak routers to block it so it boots up as fast as possible.

Well there are two callbacks.
One is definitely an update check, and doesn't send anything other than your scope serial number.

The other is an "upload" function but it's not set to upload anything that would reveal it's hacked since that is only in appEntry with no file system modifications.
More than likely it's a diagnostic/troubleshooting function. But I can't even find where it's triggered and is most likely not in use.
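As an added example (not part of any post in this thread, and not Rigol's or the posters' code), this is one way to check an HTTP capture or proxy log for the update-check requests discussed here and list which identifiers each device sends. The host, the `/Support/ProductUpgrade...` paths and the query parameter names are the ones quoted in the thread; the tab-separated input layout (time, source IP, Host header, request URI, as a Wireshark/tshark field export could give), the serial number and the IP addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

VENDOR_DOMAIN = "rigol.com"                      # host quoted in the thread
UPDATE_PATH_PREFIX = "/support/productupgrade"   # ...Statue and ...File, compared lower-case
IDENTIFYING_PARAMS = ("sn", "hardware", "software")

# Constructed sample: time_epoch <TAB> src_ip <TAB> http_host <TAB> request_uri
SAMPLE_LOG = """\
# constructed sample data, not a real capture
1566288000.10\t192.168.1.50\twww.rigol.com\t/Support/ProductUpgradeStatue?SN=MS5A000000000&result=1
1566288000.90\t192.168.1.50\twww.rigol.com\t/Support/ProductUpgradeFile?sn=MS5A000000000&hardware=1.0&behaviour=soft&software=00.01.01.02.03
1566288005.00\t192.168.1.23\texample.org\t/index.html
garbage line
1566288100.00\t192.168.1.50\tWWW.RIGOL.COM:80\t/Support/ProductUpgradeFile?sn=MS5A000000000&hardware=1.0&behaviour=soft&software=00.01.01.02.03
"""


@dataclass
class DeviceReport:
    requests: int = 0
    first_seen: Optional[float] = None
    endpoints: Set[str] = field(default_factory=set)
    leaked: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))


def is_vendor_host(host_header: str) -> bool:
    """True for rigol.com and its subdomains; ignores case and an explicit port."""
    host = host_header.strip().lower().split(":")[0]
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)


def parse_line(line: str) -> Optional[Tuple[float, str, str, str]]:
    """Split one log line into (time, src, host, uri); None if it is malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def analyse(lines: Iterable[str]) -> Tuple[Dict[str, DeviceReport], int]:
    """Group update-check requests by source IP; also count unparseable lines."""
    reports: Dict[str, DeviceReport] = {}
    skipped = 0
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ts, src, host, uri = rec
        url = urlsplit(uri)
        if not is_vendor_host(host):
            continue
        if not url.path.lower().startswith(UPDATE_PATH_PREFIX):
            continue
        rep = reports.setdefault(src, DeviceReport())
        rep.requests += 1
        rep.first_seen = ts if rep.first_seen is None else min(rep.first_seen, ts)
        rep.endpoints.add(url.path)
        # Parameter names differ in case between the two URLs (SN vs sn).
        for key, values in parse_qs(url.query).items():
            if key.lower() in IDENTIFYING_PARAMS:
                rep.leaked[key.lower()].update(values)
    return reports, skipped


def mask(value: str, keep: int = 3) -> str:
    """Keep the first few characters so reports do not repeat full serials."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def summarise(reports: Dict[str, DeviceReport]) -> List[str]:
    out = []
    for src in sorted(reports):
        rep = reports[src]
        fields = []
        for key in sorted(rep.leaked):
            shown = sorted(mask(v) if key == "sn" else v for v in rep.leaked[key])
            fields.append(key + "=" + "|".join(shown))
        sent = ", ".join(fields) if fields else "no identifiers"
        out.append(f"{src}: {rep.requests} update-check request(s) over HTTP, "
                   f"first at {rep.first_seen:.2f}, sends {sent}")
    return out


if __name__ == "__main__":
    found, bad = analyse(SAMPLE_LOG.splitlines())
    for row in summarise(found):
        print(row)
    print(f"{bad} malformed line(s) skipped")
```
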
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on August 20, 2019, 11:30:59 am
Having a device in the network independently upload data or being able to do so is definitely a concern.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on August 20, 2019, 11:50:42 am
Well there are two callbacks.
One is definitely an update check, and doesn't send anything other than your scope serial number.

Does it do that during boot, shortly after power-on?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 20, 2019, 02:37:53 pm
At boot, a few seconds after all the UI are up, after you get the network attached message.  Troubleshooting the bug that froze my scope while it connects to Rigol.com is what made me discover this phone-home behavior.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 03:34:13 pm
Mabl, no pissing contest here, but I released the SCPI commands in the general Rigol all SCPI commands thread. I'll try and check with yours.

Oh okay. I did not see or find that thread. It was just a side product of the python wrapper that I'm working on.

EDIT: Found it https://www.eevblog.com/forum/testgear/lists-of-rigol-scpi-commands/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 04:35:05 pm
Well there are two callbacks.
One is definitely an update check, and doesn't send anything other than your scope serial number.

The other is an "upload" function but it's not set to upload anything that would reveal it's hacked since that is only in appEntry with no file system modifications.
More than likely it's a diagnostic/troubleshooting function. But I can't even find where it's triggered and is most likely not in use.

Hmm I still don't get this.

The function at 0x000c4fe4 downloads from http://www.rigol.com/Support/ProductUpgradeStatue?SN=%1&result=1 to also ask for a firmware.xml. It downloads the content via HTTP to /tmp/firmware.xml. For me, currently the downloaded content is

Code: [Select]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<h1>301 Moved Permanently</h1>
<p>The requested resource has been assigned a new permanent URI.</p>
<hr/>Powered by Tengine</body>
</html>

EDIT: Note the typo and the change of URL to what skip reported:

[...]  scope does a regular http (not https) get of "/Support/ProductUpgradeFile?sn=MS5xxxxxxxxxx&hardware=1.0&behaviour=soft&software=00.01.01.02.03 HTTP/1.1". 

Function at 0x000c46f4: Triggers on manual update, triggers the download of firmware.xml via 0x000c4fe4 via an unclear mechanism. It also generates the hardware/behaviour/software strings for the URI which gets extended to the above URI somewhere. It contains references to http://www.rigol.com/up.aspx?act=%1&filename=%2.dat with the %1="up". It is unclear when this triggers. It looks like an XML path lookup of "storage/firmware" is involved somehow.

EDIT2: Yep it is XML. It actually loads the URLs from /rigol/resource/dsometa.xml, and these sound far more up-to-date.

Code: [Select]
<firmware>http://www.rigol.com/Support/ProductUpgradeFile?sn=%1$hardware=%2$behaviour=%3$software=%4</firmware>
<uploadurl>http://www.rigol.com/up.aspx?act=%1$filename=%2</uploadurl>

That upload-url makes me a bit queasy.


In any case, it fails to parse this firmware.xml, probably due to its wrong content, and fails with "ASSERT: "false" in file cmetanode.cpp, line 121" on stdout. Since appEntry exits, the GUI appears to hang.

I would guess that on some machines, the update check triggers automatically without manual update check, gets a "mal-formed" XML and then appEntry dies. I don't get why my scope doesn't do it however...


The backtrace to 0x000c4fe4 when executing a manual update (after breakpoint at 0x000c46f4 has triggered)

Code: [Select]
#0  0x000c4fe4 in ?? ()
#1  0xb62fec28 in QMetaObject::activate(QObject*, int, int, void**) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#2  0x000d42e8 in CHttp::sigFinish(QNetworkReply::NetworkError) ()
#3  0x000cf3f0 in ?? ()
#4  0x000cf1bc in ?? ()
#5  0x000d3e88 in ?? ()
#6  0xb62fec28 in QMetaObject::activate(QObject*, int, int, void**) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#7  0xb6630770 in ?? () from target:/rigol/Qt5.5/lib/libQt5Network.so.5
#8  0xb66907b4 in ?? () from target:/rigol/Qt5.5/lib/libQt5Network.so.5
#9  0xb62fc8c4 in QMetaCallEvent::placeMetaCall(QObject*) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#10 0xb630006c in QObject::event(QEvent*) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#11 0xb6bb76e8 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from target:/rigol/Qt5.5/lib/libQt5Widgets.so.5
#12 0xb6bbcccc in QApplication::notify(QObject*, QEvent*) () from target:/rigol/Qt5.5/lib/libQt5Widgets.so.5
#13 0xb62ce5bc in QCoreApplication::notifyInternal(QObject*, QEvent*) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#14 0xb62d151c in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#15 0xb6325ec0 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#16 0xb5914ba0 in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from target:/rigol/Qt5.5/plugins/platforms/libqlinuxfb.so
#17 0xb62cc3f0 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#18 0xb62cc81c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#19 0xb62d43e0 in QCoreApplication::exec() () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#20 0x0004334c in ?? ()
#21 0xb5da7874 in __libc_start_main () from target:/lib/libc.so.6
#22 0x00042d98 in ?? ()


BTW. The backtrace of the assert is the following
Code: [Select]
#0  0xb5dbfb48 in raise () from target:/lib/libc.so.6
#1  0xb5dc4ed8 in abort () from target:/lib/libc.so.6
#2  0xb60f1018 in QMessageLogger::fatal(char const*, ...) const () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#3  0xb60ec660 in qt_assert(char const*, char const*, int) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#4  0x0087256c in ?? ()
#5  0x0087065c in ?? ()
#6  0x000c5b28 in ?? ()
#7  0x000c50a0 in ?? ()
#8  0x000d2544 in ?? ()
#9  0xb62fec28 in QMetaObject::activate(QObject*, int, int, void**) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#10 0x000d42e8 in CHttp::sigFinish(QNetworkReply::NetworkError) ()
#11 0x000cf3f0 in ?? ()
#12 0x000cf1bc in ?? ()
#13 0x000d3e88 in ?? ()
#14 0xb62fec28 in QMetaObject::activate(QObject*, int, int, void**) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#15 0xb6630770 in ?? () from target:/rigol/Qt5.5/lib/libQt5Network.so.5
#16 0xb66907b4 in ?? () from target:/rigol/Qt5.5/lib/libQt5Network.so.5
#17 0xb62fc8c4 in QMetaCallEvent::placeMetaCall(QObject*) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#18 0xb630006c in QObject::event(QEvent*) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#19 0xb6bb76e8 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from target:/rigol/Qt5.5/lib/libQt5Widgets.so.5
#20 0xb6bbcccc in QApplication::notify(QObject*, QEvent*) () from target:/rigol/Qt5.5/lib/libQt5Widgets.so.5
#21 0xb62ce5bc in QCoreApplication::notifyInternal(QObject*, QEvent*) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#22 0xb62d151c in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#23 0xb6325ec0 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#24 0xb5914ba0 in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from target:/rigol/Qt5.5/plugins/platforms/libqlinuxfb.so
#25 0xb62cc3f0 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#26 0xb62cc81c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#27 0xb62d43e0 in QCoreApplication::exec() () from target:/rigol/Qt5.5/lib/libQt5Core.so.5
#28 0x0004334c in ?? ()
--Type <RET> for more, q to quit, c to continue without paging--
#29 0xb5da7874 in __libc_start_main () from target:/lib/libc.so.6
#30 0x00042d98 in ?? ()

Where 0x000c5b28 is inside the firmware.xml parser at 0x000c5aac, which extracts firmware comments, version and url for download.
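
The failure described in this post (an HTML redirect page reaches the firmware.xml parser and the process aborts on an assert) is the kind a validating parser turns into an ordinary error return. The sketch below is an added example, not code from the scope or from any poster: the root element, the version/comment/url element names, the size limit and the sample manifest are assumptions, and only the 301 body is copied from the post.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024                      # assumed upper bound for a manifest
ROOT_TAG = "firmware"                      # hypothetical root element name
REQUIRED = ("version", "comment", "url")   # hypothetical element names

# Body reported above as the content of /tmp/firmware.xml (copied from the post).
REDIRECT_BODY = b"""<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<h1>301 Moved Permanently</h1>
<p>The requested resource has been assigned a new permanent URI.</p>
<hr/>Powered by Tengine</body>
</html>
"""

# Constructed sample of a well-formed manifest; layout and values are made up.
GOOD_BODY = b"""<?xml version="1.0"?>
<firmware>
  <version>00.00.00.00.00</version>
  <comment>constructed sample</comment>
  <url>http://update.example.invalid/fw.bin</url>
</firmware>
"""


class ManifestError(ValueError):
    """The response is not a usable update manifest."""


def parse_manifest(status, body):
    """Return the manifest fields as a dict, or raise ManifestError."""
    if status != 200:
        raise ManifestError(f"unexpected HTTP status {status}")
    if len(body) > MAX_BYTES:
        raise ManifestError("response too large")
    # A manifest needs no DTD; refusing one also rejects HTML error pages
    # and entity-expansion tricks before the XML parser sees the data.
    upper = body.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ManifestError("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ManifestError(f"not well-formed XML: {exc}") from exc
    if root.tag != ROOT_TAG:
        raise ManifestError(f"unexpected root element <{root.tag}>")
    fields = {}
    for name in REQUIRED:
        text = (root.findtext(name) or "").strip()
        if not text:
            raise ManifestError(f"missing <{name}>")
        fields[name] = text
    return fields


def check_update(status, body):
    """Caller-facing wrapper: a bad response is reported, never fatal."""
    try:
        return parse_manifest(status, body), ""
    except ManifestError as exc:
        return None, str(exc)


if __name__ == "__main__":
    cases = (("301 page, real status", 301, REDIRECT_BODY),
             ("301 page, status ignored", 200, REDIRECT_BODY),
             ("constructed manifest", 200, GOOD_BODY))
    for label, status, body in cases:
        print(label, "->", check_update(status, body))
```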

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 06:25:11 pm
mabl, I think yours isn't dying because the update check isn't being triggered. Or did you try it manually? Mine also doesn't hang when I trigger it manually.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 06:27:20 pm
Mine (firmware 00.01.01.04.08) hangs on manual update trigger, with that wrong content in the firmware.xml.  The old path to download firmware.xml still works though.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 20, 2019, 06:41:20 pm
Quote
I would guess that on some machines, the update check triggers automatically without manual update check, gets a "mal-formed" XML and then appEntry dies. I don't get why my scope doesn't do it however...

Yea, I triggered it manually and didn't have it die, same exact file contents you have and that same typoed url.


I also wonder if the freeze at bootup has to do with the fact the online update button press is also persisted, if you press the button it greys out, and if you were to reboot the scope, it stays greyed out for some time still.
But I did try and it had no effect on it freezing.



I see you are much further along by running gdb on the scope :P
I am probably just going to leave it at just patching out the http requests and calling it a day. They serve no useful function once you start using the changes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 06:58:17 pm
Yea, I triggered it manually and didn't have it die, same exact file contents you have and that same typoed url.
Strange.


I see you are much further along by running gdb on the scope :P

Oh that was surprisingly simple. I just compiled gdbserver in gdb-7.12 with the xilinx toolchain (attached to this post). On the scope I just run

Code: [Select]
$ ./gdbserver localhost:30000 /rigol/appEntry -run

And on the client, using a cross-toolchain (gdb version is 8.2, so it is backward compatible) I use

Code: [Select]
$ arm-linux-gnueabihf-gdb

target remote ip:30000
b *0xaddress
layout asm
c
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 07:09:25 pm
Can I use IDA Pro as client, mabl?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 07:13:05 pm
I do not know, but it looks like it, see https://www.hex-rays.com/products/ida/support/idadoc/1343.shtml.
Unfortunately, Ghidra does not yet have support. I just used the command line manually.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 07:19:07 pm
That's a PITA. Can you single step, step into, step over? All my previous mso5000 investigations were done with jtag but I don't want to open mine for now...

Of course the specs say IDA works but I wanted full testimony in this particular case.

Thanks for the gdbserver.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 07:22:25 pm
I only tried step (command stepi) on gdb and that works. Backtrace (bt) also works. I did not yet try step-over(nexti). I'm no gdb wizard :-D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 07:41:13 pm
I also wonder if the freeze at bootup has to do with the fact the online update button press is also persisted, if you press the button it greys out, and if you were to reboot the scope, it stays greyed out for some time still.
But I did try and it had no effect on it freezing.

Interesting. The Power-On state set to "Last" now restores the scope state. I thought that did not work in the last firmware version?  :-+

It looks like the scope writes the current state (a 1K field of memory) approximately every minute to /rigol/data/stat.dat  (independently of the power on state setting).  That mount point has the realtime option:

Code: [Select]
/dev/ubi1_0 on /rigol/data type ubifs (rw,sync,relatime)

I wonder how long this small ubi partition will survive? And there are the calibration files and licenses on it....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 08:03:06 pm
It looks like the scope writes the current state (a 1K field of memory) approximately every minute to /rigol/data/stat.dat  (independently of the power on state setting).  That mount point has the realtime option:

It's been a long time since I saw that but I have the impression that all those constant writings are in the FRAM copy and not in the NAND.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 20, 2019, 08:04:16 pm
It is self-healing!

To try out some of the latest findings you have discovered, I removed the firewall rule on my router, plugged the scope into the network, and tried to recreate the problem.  Guess what, now the scope boots fine with the LAN attached, and rigol.com no longer blocked.

Not sure if some flags were reset in my scope or something happened on rigol.com end. 

One thing I did earlier was booting the scope with the firewall rule in place; when the Online Upgrade button lit up, I pushed it for an online upgrade.  I backed out at the first screen when it asked me to accept the terms and conditions.  Not sure if that might have somehow reset the flag, but for now, everything is back to normal.

BTW, the Online Upgrade button lights up whenever the scope is connected to the LAN, it does not matter if it can actually reach the rigol.com site.

On the safe side, I am keeping it off the Internet.  If I need remote control, it will only go on the physically isolated network at my hobby lab.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 08:05:51 pm
It's been a long time since I saw that but I have the impression that all those constant writings are in the FRAM copy and not in the NAND.

I hope so... But just by looking at the file modification date suggests it changes repeatedly....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 08:12:13 pm
The other is an "upload" function but it's not set to upload anything that would reveal it's hacked since that is only in appEntry with no file system modifications.

Not everyone patches.  ;)

Code: [Select]
<firmware>http://www.rigol.com/Support/ProductUpgradeFile?sn=%1$hardware=%2$behaviour=%3$software=%4</firmware>
<uploadurl>http://www.rigol.com/up.aspx?act=%1$filename=%2</uploadurl>

That upload-url makes me a bit queasy.

This is what I was referring as "calling home". It shouldn't be too hard to see, with a well placed breakpoint, what is being sent.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 08:17:30 pm
It is self-healing!

To try out some of the latest findings you have discovered, I removed the firewall rule on my router, plugged the scope into the network, and tried to recreate the problem.  Guess what, now the scope boots fine with the LAN attached, and rigol.com no longer blocked.

 ;D

Let's admit that they keep track of the last date when you reported your scope status. And, from time to time, they require you to report the status. If you don't...

Now, you're good for a certain period of time.

(This is just a feeling...)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 20, 2019, 08:23:27 pm
Intriguing idea  |O. Possibly there is some kind of counter for power-ups or time persisted in /rigol/data/stat.dat. Next time I debug this, I'll set a breakpoint and try to trigger that auto-connect.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 08:37:11 pm
Intriguing idea  |O. Possibly there is some kind of counter for power-ups or time persisted in /rigol/data/stat.dat. Next time I debug this, I'll set a breakpoint and try to trigger that auto-connect.

That's all in the FRAM.

Answering your previous thoughts, I think the scope keeps all the status in the FRAM and then (after boot or in any specific periods/events) creates a copy in the NAND of that info in the /data files. Maybe just to ease the "calling home" task.

You can zero the whole FRAM and the scope is able to work (unlicensed).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on August 20, 2019, 08:40:43 pm
Let's admit that they keep track of the last date when you reported your scope status. And, from time to time, they require you to report the status. If you don't...

What if you never connect it to a network?  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 20, 2019, 08:44:44 pm
Let's admit that they keep track of the last date when you reported your scope status. And, from time to time, they require you to report the status. If you don't...

What if you never connect it to a network?  :popcorn:

Of course, that's one solution. Better one is to patch the hyperlinks that try to dump the XML link page and do the upload.

BTW, we also must remember that in the code there is an email client, so the reporting can exist via email. The email address to which it reports can be easily found in the code.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 20, 2019, 11:16:42 pm
Let's admit that they keep track of the last date when you reported your scope status. And, from time to time, they require you to report the status. If you don't...

What if you never connect it to a network?  :popcorn:

Of course, that's one solution. Better one is to patch the hyperlinks that try to dump the XML link page and do the upload.

BTW, we also must remember that in the code there is an email client, so the reporting can exist via email. The email address to which it reports can be easily found in the code.

Fun fact about the email function. They hardcoded smtp credentials into appEntry.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 21, 2019, 12:41:23 am
Does Rigol have a security team email? They dun fucked up with their smtp credentials.

You can uh, log into their IBM iNotes instance using them and at minimum send email as rigol.com

You can even see their full internal employee directory.


They do have 4x "IT Operations, Process and Maintenance" addresses, maybe I'll send them a nice email from their own IBM instance  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 21, 2019, 04:03:37 am
Oh dear.... I did see the hard coded credentials, but thought nobody was crazy enough to do this. I once even checked the credentials on an older firmware and they did not work for sending mails (maybe the server was down or I made a mistake or they even changed).

Now you get into their company mail server? And see the employee directory? :palm: Maybe even see all the old sent emails by that account?

This is where the fun ends. Please contact Rigol as soon as possible.

EDIT: I tried sending them a warning message using their own SMTP server - it did not answer on port 25, which the scope also uses. So as I said before, their mail credentials seem broken. I wonder if this is due to your last message now, or if they removed plain text SMTP...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 21, 2019, 11:55:24 am
Oh dear.... I did see the hard coded credentials, but thought nobody was crazy enough to do this. I once even checked the credentials on an older firmware and they did not work for sending mails (maybe the server was down or I made a mistake or they even changed).

Now you get into their company mail server? And see the employee directory? :palm: Maybe even see all the old sent emails by that account?

This is where the fun ends. Please contact Rigol as soon as possible.

EDIT: I tried sending them a warning message using their own SMTP server - it did not answer on port 25, which the scope also uses. So as I said before, their mail credentials seem broken. I wonder if this is due to your last message now, or if they removed plain text SMTP...
Are you sure it's not due to your ISP blocking port 25 like mine does?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on August 21, 2019, 02:11:08 pm
Oh dear.... I did see the hard coded credentials, but thought nobody was crazy enough to do this. I once even checked the credentials on an older firmware and they did not work for sending mails (maybe the server was down or I made a mistake or they even changed).

Now you get into their company mail server? And see the employee directory? :palm: Maybe even see all the old sent emails by that account?

This is where the fun ends. Please contact Rigol as soon as possible.

EDIT: I tried sending them a warning message using their own SMTP server - it did not answer on port 25, which the scope also uses. So as I said before, their mail credentials seem broken. I wonder if this is due to your last message now, or if they removed plain text SMTP...
Are you sure it's not due to your ISP blocking port 25 like mine does?

Why would they include credentials?  If it is sending email to @rigol.com, then it just needs to connect to the rigol.com MX.
Of course, as you mention they cannot rely on port 25 being open outbound (rarely is these days) so they'd want to use 587 or similar, and I guess their server configuration may then require auth.
In any case, sending email from the scope is just stupid when they could more reliably use a web API for notifications or data exfiltration.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 21, 2019, 02:28:40 pm
Oh dear.... I did see the hard coded credentials, but thought nobody was crazy enough to do this. I once even checked the credentials on an older firmware and they did not work for sending mails (maybe the server was down or I made a mistake or they even changed).

Now you get into their company mail server? And see the employee directory? :palm: Maybe even see all the old sent emails by that account?

This is where the fun ends. Please contact Rigol as soon as possible.

EDIT: I tried sending them a warning message using their own SMTP server - it did not answer on port 25, which the scope also uses. So as I said before, their mail credentials seem broken. I wonder if this is due to your last message now, or if they removed plain text SMTP...
Are you sure it's not due to your ISP blocking port 25 like mine does?

Why would they include credentials?  If it is sending email to @rigol.com, then it just needs to connect to the rigol.com MX.
Of course, as you mention they cannot rely on port 25 being open outbound (rarely is these days) so they'd want to use 587 or similar, and I guess their server configuration may then require auth.
In any case, sending email from the scope is just stupid when they could more reliably use a web API for notifications or data exfiltration.

They are using the credentials as a smtp relay which is normal. There's a giant list of reasons why nobody sends mail directly to domains these days (i.e. 90% chance the receiving mail server or your ISP or corporate network will block you)
It's just providing their own credentials and their own relay is stupid.
And then doing so by creating an user in their IBM Notes instance without blocking the user from login is extra icing on the cake.


Their intention is to allow users to enter in their own SMTP settings such as a corporate network relay or personal service like gmail. But yea they screwed up.



This is where the fun ends. Please contact Rigol as soon as possible.


Well I sent an email to their IT groups internally via the account.....hopefully they understand English.....  :D

Otherwise it's not like they have a security email address for such reports.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on August 21, 2019, 03:06:05 pm
They are using the credentials as a smtp relay which is normal. There's a giant list of reasons why nobody sends mail directly to domains these days (i.e. 90% chance the receiving mail server or your ISP or corporate network will block you)

Yes, the fact it will likely be blocked, even if using a non-standard SMTP port, is why this whole thing is bonkers.
The fact that they then included credentials that can be used to do more than sending emails to their domain, just shows they shouldn't be writing networking code, or probably any embedded applications.

Please update us if you hear back from them.  If you don't hear that they've closed up the security hole in a pretty short time, then this should be reported to a security researcher to name & shame them.  e.g Brian Krebs or Troy Hunt.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 21, 2019, 03:28:52 pm
They are using the credentials as a smtp relay which is normal. There's a giant list of reasons why nobody sends mail directly to domains these days (i.e. 90% chance the receiving mail server or your ISP or corporate network will block you)

Yes, the fact it will likely be blocked, even if using a non-standard SMTP port, is why this whole thing is bonkers.
The fact that they then included credentials that can be used to do more than sending emails to their domain, just shows they shouldn't be writing networking code, or probably any embedded applications.

Please update us if you hear back from them.  If you don't hear that they've closed up the security hole in a pretty short time, then this should be reported to a security researcher to name & shame them.  e.g Brian Krebs or Troy Hunt.

Meh, you are making it out to be worse than it is. Shit I've seen worse at major defense contractors and the stories I could tell.

Is it bad? Yes.
But does it mean they shouldn't be writing networking code or embedded applications? Hah
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on August 21, 2019, 03:42:07 pm
Meh, you are making it worse than it is. Shit I've seen worse at major defense contractors and the stories I could tell.

Possibly, but they've just compromised their own email server.  Think about that, and then what concerns there might be in putting this scope on an engineering network in a large corporation or university.

These scopes connect to external web servers via http (not https, so no encryption and no way to validate certificate to ensure there isn't a MITM attack), and then writes downloaded data to the filesystem.  I wouldn't be surprised if there was a serious vulnerability there that allowed malicious code to be injected and run on the scope, and not just via the firmware update process.

Is it bad? Yes.
But does it mean they shouldn't be writing networking code or embedded applications? Hah

The fact that a lot worse happens elsewhere doesn't minimise how bad this is.

Of course... if it wasn't for these same developers this thread wouldn't exist at all.  And Rigol would be selling a lot less of their latest scopes.
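
Because these requests travel as plain HTTP, a passive monitor on the lab network can see them, including the serial number in the query string. The following added example (not part of any post, and not Rigol's code) classifies captured request heads against the three paths quoted earlier in the thread and accepts both the "&" separator seen on the wire and the "$" separator in the dsometa.xml templates; the sample captures, the serial number, the POST method and the Content-Length value are constructed.

```python
from urllib.parse import urlsplit, parse_qs

VENDOR_DOMAIN = "rigol.com"
# Paths quoted in the thread, lower-cased for matching.
KNOWN_PATHS = {
    "/support/productupgradestatue": "update-status",
    "/support/productupgradefile": "update-check",
    "/up.aspx": "upload",
}

# Constructed captures (request heads only); the serial number is made up.
SAMPLE_CAPTURES = [
    b"GET /Support/ProductUpgradeFile?sn=MS5A000000000&hardware=1.0"
    b"&behaviour=soft&software=00.01.01.02.03 HTTP/1.1\r\n"
    b"Host: www.rigol.com\r\n\r\n",
    b"GET /Support/ProductUpgradeStatue?SN=MS5A000000000&result=1 HTTP/1.1\r\n"
    b"Host: www.rigol.com\r\n\r\n",
    # Method and body size are assumptions; the thread only gives the URL.
    b"POST /up.aspx?act=up$filename=constructed.dat HTTP/1.1\r\n"
    b"Host: www.rigol.com\r\nContent-Length: 512\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example.invalid\r\n\r\n",
]


def parse_request_head(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def classify_request(raw):
    """Return a finding dict for vendor-bound requests, None otherwise."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    host = headers.get("host", "").split(":")[0].lower()
    if host != VENDOR_DOMAIN and not host.endswith("." + VENDOR_DOMAIN):
        return None
    url = urlsplit(target)
    # Accept "$" as well as "&" between parameters (see dsometa.xml templates).
    pairs = parse_qs(url.query.replace("$", "&"), keep_blank_values=True)
    query = {k.lower(): v[0] for k, v in pairs.items()}
    length = headers.get("content-length", "0")
    return {
        "kind": KNOWN_PATHS.get(url.path.lower(), "other"),
        "method": method,
        "host": host,
        "serial": query.get("sn"),
        "filename": query.get("filename"),
        "body_bytes": int(length) if length.isdigit() else 0,
    }


def summarise(captures):
    """Aggregate findings: request kinds, serials exposed, uploads with data."""
    findings = [f for f in map(classify_request, captures) if f]
    kinds = {}
    for f in findings:
        kinds[f["kind"]] = kinds.get(f["kind"], 0) + 1
    return {
        "kinds": kinds,
        "serials": sorted({f["serial"] for f in findings if f["serial"]}),
        "uploads_with_body": sum(
            1 for f in findings if f["kind"] == "upload" and f["body_bytes"] > 0),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_CAPTURES))
```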
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mr. Scram on August 21, 2019, 03:54:25 pm
Maybe Keysight is willing to pay a pretty penny for some Rigol company secrets they can dig up with those credentials.  :-DD  Making vulnerable firmware on purpose is one thing but this doesn't look like being done on purpose at all.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 21, 2019, 05:12:28 pm
Meh, you are making it worse than it is. Shit I've seen worse at major defense contractors and the stories I could tell.

Possibly, but they've just compromised their own email server.  Think about that, and then what concerns there might be in putting this scope on an engineering network in a large corporation or university.

These scopes connect to external web servers via http (not https, so no encryption and no way to validate certificate to ensure there isn't a MITM attack), and then writes downloaded data to the filesystem.  I wouldn't be surprised if there was a serious vulnerability there that allowed malicious code to be injected and run on the scope, and not just via the firmware update process.

Is it bad? Yes.
But does it mean they shouldn't be writing networking code or embedded applications? Hah

The fact that a lot worse happens elsewhere doesn't minimise how bad this is.

Of course... if it wasn't for these same developers this thread wouldn't exist at all.  And Rigol would be selling a lot less of their latest scopes.

Why are you concerned about it being a vulnerability? It's a feature.  :-DD
The literal design of the download mechanism is download via http and just applying the gel file. And uh, you can see we can generate our own gel files by hand pretty easily.
So you could inject the malicious code yourself if you wanted to via a MITM easily over http.

But uh, I'll take my $1k scope that's worth far more since being patched and sit in the corner hugging it ;)


Possibly, but they've just compromised their own email server.  Think about that, and then what concerns there might be in putting this scope on an engineering network in a large corporation or university.


I still like relative comparisons. Why?
Because I've seen so much shit in different industries that everything is fucking terrible to the point you can't escape it, there's just different levels of terrible. You can only work to compartmentalize your network and security to minimize damage when shit goes wrong. Shit, even my home network is running 5 VLANs with 2 dedicated just for IoT devices.

So I rank the scopes with some poor security decisions as less than say, the backdoored Cisco hardware those large corps or universities are most likely running ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on August 21, 2019, 10:05:40 pm
Anyone allowing this thing to connect to external networks is a fool.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 22, 2019, 12:19:30 am
That's why mine is only going on a physically isolated network if remote control is required, there's really no reason for it to ever go on the Internet.  I will make all firmware updates manually through a USB drive, especially given how infrequently they come out.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 22, 2019, 12:38:00 am
It appears they disabled the account and no longer works to login via iNotes and SMTP. No reply to me, I assume there was some internal yelling after I CCed 4x internal IT distribution groups on my "you dun fucked up" email.

You know what's interesting digging further (and avoiding the temptation to anally probe some infrastructure), for a Chinese company they sure like to escape the great firewall by using an email provider who proceeds to host all their infrastructure on DigitalOcean (which has no Chinese datacenters).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on August 22, 2019, 02:56:56 am
Dave tweeted about it, so the word has got out  >:D

Glad they closed the hole so quickly.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 22, 2019, 03:00:15 am
Dave tweeted about it, so the word has got out  >:D

Glad they closed the hole so quickly.

They fixed it way before the tweet ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on August 22, 2019, 04:16:10 am
Hey, just a shout out of thanks to the following:
mabl, tv84, delfinom, piskers and oliv3r.... and others I missed for the information on how to hack the appEntry.  With the data and a good disassembler you can re-create the earlier hacks as described on the latest firmware. (or use delfinom's patch file)...

Again - my thanks for your efforts...
-Stan
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: borjam on August 22, 2019, 01:02:01 pm
I think it's pretty certain that the scope phones home every time it can.

One thing it does in that phone call, I think, is to send an RSA encrypted pack that contains some relevant data from the /data dir. Personal data: keys, licenses, etc.

If someone wants to put a wireshark to work we can verify this info.

Mabl, no pissing contest here, but I released the SCPI commands in the general Rigol all SCPI commands thread. I'll try and check with yours.
Curious. At least I haven't observed anything of the sort with a DS1000Z, SDS1202X-E nor a SVA1015X (and I keep a year worth of Netflow data for my home network).

Phoning home would be quite rude.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 22, 2019, 01:54:10 pm
Phoning home would be quite rude.

I raised this question from the very beginning.

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2073469/#msg2073469

At the time few people had the scope so the matter went to sleep.

Then I just saw the email thing, later I saw the RSA package upload....

When people started reporting the "bug" of the delays in booting up when connected to the net, I immediately started thinking that it was a "feature" and not a "bug". I confess that I never investigated thoroughly... It was just a hunch until a few days ago.

I hate something like this and especially when it's done by the same guys who are able to create the SMTP vulnerabilities that we saw in the last few days...

Deeply worrisome!!

I've done plenty of assembly analysis on all those equipments and never saw this in any of them.

This is a thing that I think can be seen in the new Rigol line of equipments: MSO5000,7000 and for sure the 8000. I think it's also in the RSA3000/5000 (but this one I would need to recheck).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: borjam on August 22, 2019, 02:08:35 pm
Phoning home would be quite rude.

I hate something like this and especially when it's done by the same guys who are able to create the SMTP vulnerabilities that we saw in the last few days...

Deeply worrisome!!

With all the paranoia about Chinese equipment with backdoors it's extraordinarily dumb to do something like that.

If they are deeply worried about hacking, well, it's not that hard to make it much more difficult. I can even imagine that they somewhat tolerate some hacking activity in the lower end.

I recall that Siglent dropped an automatic firmware version check from the SDS1202X-E and I wouldn't be surprised if that was the reason.

So is it really just an RSA encrypted packet? If it connects using SSL/TLS it could be possible to try to intercept it. Maybe they won't actually check the certificate (or it's possible to replace certificate trust settings on a firmware file).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 22, 2019, 02:34:37 pm
With all the paranoia about Chinese equipment with backdoors it's extraordinarily dumb to do something like that.

If they are deeply worried about hacking, well, it's not that hard to make it much more difficult. I can even imagine that they somewhat tolerate some hacking activity in the lower end.


Most of the backdoors I have seen even in examples of the "backdoored" Chinese equipment can be described by Hanlon's razor just like in Rigol's smtp case.

Quote
Never attribute to malice that which is adequately explained by stupidity

People get paranoid because of the "Chinese" boogeyman (not to say there isn't a threat), but I've seen as equivalent stupidity from American equipment vendors, even big names like Cisco are part of it like this (https://www.bleepingcomputer.com/news/security/cisco-botches-fix-for-rv320-rv325-routers-just-blocks-curl-user-agent/), or this (https://www.securityweek.com/cisco-patches-critical-vulnerability-data-center-switches), or this (https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-software/), or this (https://threatpost.com/default-ssh-key-found-in-many-cisco-security-appliances/113480/) (suspicious they keep leaving these backdoors eh?)


Just reinforcing the point that you can't trust any piece of networked hardware from any vendor anywhere in the world.



So is it really just an RSA encrypted packet? If it connects using SSL/TLS it could be possible to try to intercept it. Maybe they won't actually check the certificate (or it's possible to replace certificate trust settings on a firmware file).

SSL/TLS  :-DD
No, they are posting it over http.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 22, 2019, 02:38:22 pm
So is it really just an RSA encrypted packet? If it connects using SSL/TLS it could be possible to try to intercept it. Maybe they won't actually check the certificate (or it's possible to replace certificate trust settings on a firmware file).

The info seems to be packaged and then encrypted with the RSA pubkey. It's not a big deal since we can intercept the info buffer (in realtime) before the encryption and see what is being packaged.

It's mostly info from the /data dir. But this is from what I've seen. There could be other info exchanges that I didnt notice.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: borjam on August 22, 2019, 02:46:37 pm
Most of the backdoors I have seen even in examples of the "backdoored" Chinese equipment can be described by Hanlon's razor just like in Rigol's smtp case.

Quote
Never attribute to malice that which is adequately explained by stupidity

I know, that's why I said "paranoia". ;) That said, lousy security can be a very serious problem in some environments.

Quote
People get paranoid because of the "Chinese" boogeyman (not to say there isn't a threat), but I've seen as equivalent stupidity from American equipment vendors, even big names like Cisco are part of it
Of course. Getting it right in a big company is very hard. Especially when everything was just soooo coool, dude, in happiest times! ;) Straightening poor practices inherited from the past is really difficult.

Quote
Just reinforcing the point that you can't trust any piece of networked hardware from any vendor period.
And indeed you are right. My comment deals with the trust problem that these new manufacturers can face. They are newcomers, they are beginning to sell somewhat mature products and nowadays people pay much more attention to this crap than 30 years ago.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 22, 2019, 03:33:53 pm
Of course. Getting it right in a big company is very hard. Especially when everything was just soooo coool, dude, in happiest times! ;) Straightening poor practices inherited from the past is really difficult.


Well, I don't see it as an issue about getting it right at a big company. It's the year 2019. A "big company" not auditing its releases and processes at this point is committing willful negligence at this point (or if I continue my rant about Cisco, increasing outsourcing their development to a patchwork of lowest bidders/it doesn't take "a change in company practices" to learn how to grep your update packages for ssh keys before release).


The optics are just against new/smaller manufacturers like you say.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on August 22, 2019, 03:46:44 pm
Unfortunately a lot of large corporate entities are very much in big company mentality of the left hand is not knowing what the right hand is doing.

In this case Rigol should take a very serious look at the cyber security dept and kick a few backsides as this is a fundamental faux pas of large proportions. The possibility of looking in on any of Rigol's personal and private files even for a brief period is pretty grim, as a customer it certainly does no favors for their brand image or credibility in the market place, which is a shame.

Looking to trade up to an MSO 8000 very soon, maybe not so sure now  :-\
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on August 22, 2019, 07:42:54 pm
I didn't see a reason to connect my scope to LAN at home, at work I would be "killed" if I connected anything other than my authorized notebook to the LAN.
So I don't have problems with things that want to phone home...they couldn't.
Or:

Does anyone have a fire-tv stick from amazon ? Or a pc connected to LAN ? Or alexa ? Or home automations ?
So why worry about a scope….
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on August 23, 2019, 01:30:43 am
As an FYI, if you are using a somewhat modern router, it is pretty easy to set up a rule to prohibit the scope's NIC from going through the router.  You can still access it on your LAN, but it can no longer 'call home'.

DD-WRT (router firmware) calls this 'Access Restrictions -> Wan'.


-Stan
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on August 23, 2019, 07:37:02 am
Or just set a fixed IP and leave the gateway out.
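
One way to check whether a scope still reaches outside addresses after a router rule or a gateway-less static IP, using the kind of flow data borjam mentions. This is an added example, not code from any poster; the scope address 192.168.1.50, the CSV layout and every record in SAMPLE_FLOWS are constructed.

```python
"""Egress audit for one lab instrument over exported flow records.

Constructed example: the scope address, the CSV layout and every record
in SAMPLE_FLOWS are made up for illustration.
"""
import csv
import io
import ipaddress

SCOPE_IP = "192.168.1.50"  # assumption: the scope has a fixed LAN address

# Destinations that never cross the router: RFC 1918, link-local,
# multicast and limited broadcast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]

# Unencrypted services named in the thread: HTTP upload, SMTP with TLS off.
CLEARTEXT = {("tcp", 80): "http", ("tcp", 25): "smtp", ("tcp", 587): "smtp"}

# Constructed flow export (documentation address ranges stand in for the WAN).
SAMPLE_FLOWS = """\
time,src,dst,proto,dport,bytes
2019-08-22T09:00:01,192.168.1.50,192.168.1.1,udp,53,120
2019-08-22T09:00:02,192.168.1.50,203.0.113.10,tcp,80,4096
2019-08-22T09:00:05,192.168.1.20,192.168.1.50,tcp,5555,300
2019-08-22T09:00:09,192.168.1.50,224.0.0.251,udp,5353,90
2019-08-22T09:14:30,192.168.1.50,198.51.100.7,tcp,25,18000
2019-08-23T08:30:02,192.168.1.50,203.0.113.10,tcp,80,4100
2019-08-23T08:31:00,192.168.1.50,not-an-ip,tcp,80,10
2019-08-23T08:32:00,192.168.1.50,203.0.113.99,tcp,443,2048
"""


def is_local(addr):
    """True when the destination stays on the local segment."""
    return any(addr in net for net in LOCAL_NETS)


def audit_flows(text, scope_ip=SCOPE_IP):
    """Return (findings, skipped): per-destination egress totals, bad rows."""
    scope = ipaddress.ip_address(scope_ip)
    totals, skipped = {}, 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            proto = row["proto"].lower()
            dport, nbytes = int(row["dport"]), int(row["bytes"])
        except (AttributeError, KeyError, TypeError, ValueError):
            skipped += 1          # malformed record: count it, do not guess
            continue
        if src != scope or is_local(dst):
            continue              # not from the scope, or stays on the LAN
        key = (str(dst), proto, dport)
        entry = totals.setdefault(key, {
            "dst": str(dst), "proto": proto, "dport": dport,
            "service": CLEARTEXT.get((proto, dport), "other"),
            "cleartext": (proto, dport) in CLEARTEXT,
            "flows": 0, "bytes": 0, "first": row["time"], "last": row["time"],
        })
        entry["flows"] += 1
        entry["bytes"] += nbytes
        entry["first"] = min(entry["first"], row["time"])
        entry["last"] = max(entry["last"], row["time"])
    # Largest talkers first, so an upload stands out from a version check.
    findings = sorted(totals.values(), key=lambda e: -e["bytes"])
    return findings, skipped


if __name__ == "__main__":
    found, bad = audit_flows(SAMPLE_FLOWS)
    for f in found:
        flag = "CLEARTEXT" if f["cleartext"] else "review"
        print(f'{f["dst"]}:{f["dport"]}/{f["proto"]} {f["service"]} '
              f'flows={f["flows"]} bytes={f["bytes"]} '
              f'{f["first"]}..{f["last"]} [{flag}]')
    print(f"skipped malformed records: {bad}")
```

An empty findings list over a period that includes several power-ups is the result to expect once the block is in place.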
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Xtremexp on August 24, 2019, 05:58:34 am
Does this enable all features?

Thanks.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 24, 2019, 03:07:06 pm
Here's a new bspatch that should disable two callbacks to rigol. But I could only test that it stopped storing the response in /tmp/firmware.xml right now.

delfinom, what about disabling email capabilities?

sub_273B50
sub_2745AC
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on August 25, 2019, 02:15:01 am
Here's a new bspatch that should disable two callbacks to rigol. But I could only test that it stopped storing the response in /tmp/firmware.xml right now.

delfinom, what about disabling email capabilities?

sub_273B50
sub_2745AC

May be better to just nuke the smtp client at  /rigol/mail/bin/msmtp
I like how in the invocation they are turning off tls.

273B50 creates the config file for it.
2745AC sends mail using it
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 25, 2019, 03:05:08 pm
My analysis (FW v00.01.01.04.08):

sub_273B50 - load_mail_config_vars
/rigol/mail/etc/Muttrc
/rigol/mail/etc/msmtprc

sub_2745AC - send_mail_test
/rigol/mail/bin/msmtp

sub_274B70 - send_mail
/rigol/shell/send_mail.sh (uses /rigol/mail/bin/mutt)

It seems they use it to send system logs and/or screen snapshots of the scope. Let's assume that with our previous authorization.

To stop mails from the MSO5000:

Option 1
Delete/rename files:
/rigol/mail/bin/msmtp
/rigol/mail/bin/mutt

Option 2
Patch appEntry (sub_275A08):
offset 0x26DA08 - patch: 00 48 2D E9 -> 1E FF 2F E1
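
The release check delfinom suggests earlier in the thread (grep the update package for keys before shipping), extended to the msmtp configuration named in the post above. This is an added example, not code from the thread or from Rigol; the rule set, the sample tree and all file contents are constructed, and only the `mail/etc/msmtprc` layout is modelled on the paths listed here.

```python
"""Pre-release audit of an unpacked firmware tree for shipped secrets.

Constructed example: the rules, the sample tree and every value in it are
made up; no real key material or credentials appear below.
"""
import os
import re
import tempfile

# (rule id, pattern) pairs, applied to every line of every file.
RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # msmtprc "password <value>"; "passwordeval" (external helper) is not hit.
    ("smtp-password", re.compile(r"^\s*password\s+\S+")),
    # TLS switched off in msmtprc or on the msmtp command line.
    ("tls-off", re.compile(r"(?:^\s*tls\s+|--tls=)off\b")),
    ("tls-nocheck", re.compile(r"(?:^\s*tls_certcheck\s+|--tls-certcheck=)off\b")),
]

# Constructed sample tree: relative path -> file content (bytes).
SAMPLE_TREE = {
    "mail/etc/msmtprc": (
        b"account default\nhost smtp.example.invalid\nport 25\nauth on\n"
        b"tls off\nuser scope@example.invalid\npassword CONSTRUCTED-PLACEHOLDER\n"
    ),
    "shell/mail_test.sh": (          # hypothetical script name
        b"#!/bin/sh\n# constructed invocation\nmsmtp --tls=off -t < \"$1\"\n"
    ),
    "etc/ssh/ssh_host_rsa_key": (
        b"-----BEGIN RSA PRIVATE KEY-----\n(constructed, no key material)\n"
        b"-----END RSA PRIVATE KEY-----\n"
    ),
    "etc/good_msmtprc": (            # acceptable config: TLS on, no inline secret
        b"account default\nhost smtp.example.invalid\ntls on\n"
        b"passwordeval cat /run/secret\n"
    ),
    # Key header embedded in a binary blob, as a linked-in key would be.
    "bin/appblob": b"\x7fELF\x00\x01" + b"\x00" * 16
                   + b"-----BEGIN EC PRIVATE KEY-----",
}


def build_sample_tree(root):
    """Write SAMPLE_TREE below root."""
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def scan_tree(root):
    """Return sorted (relative path, line number, rule id) findings.

    Files are read as bytes and decoded as latin-1 so binaries are scanned
    too; matched values are never returned, only their location.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue             # do not follow links out of the tree
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")
            for lineno, line in enumerate(text.splitlines(), 1):
                for rule, pattern in RULES:
                    if pattern.search(line):
                        findings.append((rel, lineno, rule))
    return sorted(findings)


def run_sample():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    results = run_sample()
    for rel, lineno, rule in results:
        print(f"{rel}:{lineno}: {rule}")
    # Non-zero exit lets a release pipeline stop on any finding.
    raise SystemExit(1 if results else 0)
```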
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 26, 2019, 06:26:54 pm
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

I will have a new look at this claim in the coming days. I have a "feeling"...   ;)

Edit1: I'll start by recreating what is shown in this image. (And, yes, I believe it's a real image...) It should be pretty easy to do (although not by everyone).

These asiatic forum members are extremely volatile and that's why this line of thought has been kept buried somewhere! I'll try to dig it up in plain english...  :)

(https://www.eevblog.com/forum/testgear/rigol-mso5000-upgrade-to-500m-bandwidth/?action=dlattach;attach=695145;image)
https://www.eevblog.com/forum/testgear/rigol-mso5000-upgrade-to-500m-bandwidth/msg2316924/#msg2316924

I will then need some external help to test the performance. But that should be easy for some of you guys!

Once we do this step, we step up the game...

Let's see where we'll end.

(Of course, let's hope all of this may be extendable to the 7000, 8000 series.)

PS: And, all in "feature" mode. No "patches" or "hacks".   :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on August 27, 2019, 01:38:47 pm
That last thread (https://www.eevblog.com/forum/testgear/rigol-mso5000-upgrade-to-500m-bandwidth/msg2316924/#msg2316924) left off with a suggestion that this was an April Fool's thing.  Do we have reason to think the front end on these devices can function past 500MHz?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on August 27, 2019, 01:44:23 pm
Maybe. Same chip as the MSO8000 but it will not be interesting because of the missing 50 Ohm input. 500MHz is the max that can be done with a passive probe.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 29, 2019, 09:30:30 pm
So, as promised, here is the replication of that accomplishment. And, I will not disappear in the mist...

The tests (done by another forum member) with the new FW version still continue.

But, at first sight, it seems that the BW limit of the MSO5000 is definitely near the 500MHz mark and doesn't go further:

To be continued...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on August 29, 2019, 10:43:01 pm
But, at first sight, it seems that the BW limit of the MSO5000 is definitely near the 500MHz mark and doesn't go further:
Maybe the lack of 50ohm input?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 29, 2019, 11:25:51 pm
tv84,

That’s an excellent update, can’t wait to learn more. 

Even if we don’t use all 500MHz, just not having the -3dB drop at 350MHz is a welcomed enhancement.

I agree that not having the 50 Ohm input would limit how high we can go on the hardware without modification.

Have you had a chance to check if heat on the front end increases with the update and how well the existing cooling handles it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on August 29, 2019, 11:46:40 pm
tv84,

That’s an excellent update, can’t wait to learn more. 
Even if we don’t use all 500MHz, just not having the -3dB drop at 350MHz is a welcomed enhancement.
I agree that not having the 50 Ohm input would limit how high we can go on the hardware without modification.
Have you had a chance to check if heat on the front end increases with the update and how well the existing cooling handles it?

It's already been measured at 450-500MHz prior to modifications tv84 is currently working on: https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/
What he could unlock is possibly  >500MHz or >8Gs/s, the second of which would increase power consumption.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on August 30, 2019, 03:13:47 am
tv84,

That’s an excellent update, can’t wait to learn more. 
Even if we don’t use all 500MHz, just not having the -3dB drop at 350MHz is a welcomed enhancement.
I agree that not having the 50 Ohm input would limit how high we can go on the hardware without modification.
Have you had a chance to check if heat on the front end increases with the update and how well the existing cooling handles it?

It's already been measured at 450-500MHz prior to modifications tv84 is currently working on: https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/
What he could unlock is possibly  >500MHz or >8Gs/s, the second of which would increase power consumption.

Is > 8GS/s needed at 500MHz max BW? It looks like the hard analog bw 3dB point is 500MHz, which is likely limited by the actual frontend. So with 4x oversampling that's 2GS/channel and that's enough for 500MHz I guess. But I am not an expert.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 30, 2019, 04:03:38 am
thm_w, thanks for pointing that post out. 

Do you happen to know what "correction of the measuring path" means in graph 4.1 for the MSO5000?  In the MSO4000, I believe they upgraded the heat sinks for the FPGA and ADC, I wonder if they perform the same hardware upgrade in the MSO5000 to get this "correction".

I ask because without this correction, it is -2.2dB at 350MHz, vs. -0.6dB with correction, that's a meaningful difference.  And without this correction, the -3dB point is about 450 MHz.

But if tv84 can perform his magic, I would gladly take the extra 100MHz bandwidth  :-+



It's already been measured at 450-500MHz prior to modifications tv84 is currently working on: https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/
What he could unlock is possibly  >500MHz or >8Gs/s, the second of which would increase power consumption.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on August 30, 2019, 03:20:59 pm
After an embarrassingly long delay, here are the changes for 01.04.08 uploaded to git:
https://gitlab.com/riglol/rigolee/commit/ae77323ac04da753d98ae9a1d99a658e000b9088

for those that care ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on August 30, 2019, 08:19:33 pm
Using the existing 350MHz license unlock myself (https://www.eevblog.com/forum/blog/new-rigol-scope/msg2446644/#msg2446644) and others (https://www.eevblog.com/forum/blog/new-rigol-scope/msg2404608/#msg2404608) have tested the MSO5074 up around 450MHz already.  Is the 500MHz unlock just a display thing? Or is there some extra headroom left in these things?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rucu on August 31, 2019, 10:39:41 am
I managed to goof up. I tried following the same lines of the hack in this thread, but managed to get myself in a bad situation.
I was trying as a first step to gain SSH access to my MSO5000 scope, which I did by modding the start.sh file. I appended the following code to the end of the file:

Code:
/usr/sbin/sshd
/etc/init.d/550sshd restart

However, now after applying the patched firmware to the scope, it correctly goes into the boot loading showing the RIGOL logo, however, when the progress bar reaches the end it stalls - I assume because either of the commands I added are not valid.

I've tried holding down the SINGLE button while booting, but I do not seem to get into the secret menu to be able to re-patch the firmware.
Also, even with the network cable plugged in, the network does not seem to initialise and the Rigol scope does not get assigned an IP, so SSH does not seem like an option to recover as well.

Do you guys have any ideas on how to recover from this?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 31, 2019, 10:52:09 am
I've tried holding down the SINGLE button while booting

It's not "holding". It's multiple presses.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TopLoser on August 31, 2019, 10:52:27 am
Just press the SINGLE button, don’t hold it down.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rucu on August 31, 2019, 10:57:54 am
Ah, I thank you guys so much, apparently I was not quick enough when I tried the first 10 times :-).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 31, 2019, 06:08:46 pm
Model conversion of a MSO5000 to 500 MHz model (MSO5504) - PART 2

- The measurements used a genuine 50 Ohm termination 1 GHz model
- No significant changes in output (heat wise)

Some results/confirmations of the tests:

- The scope BW is 470 MHz, as previously announced by others.
- With the 500 MHz model setting, the horizontal scale can be lowered to 500 ps. But, no further BW increase is noticeable.
- Besides the official models, currently on sale, MSO5504/02 seems to be the only additional Model possible. Maybe the scope was designed to have a 500MHz BW but, in the end, they couldn't reach it.
- With MSO5504 model, and after a self-calibration, we made some attempts in creating eye diagrams. The scope clearly hasn't the BW nor the memory to do them in a usable way but, nonetheless, it's a nice accomplishment in a scope with these characteristics. You can check them in the attached pics. It seems to prove that it shares much code with the 8000 model.

BTW, and likewise, we also changed a MSO7000 to 1GHz model (MSO7104). It also seems the only possible model besides the "official" ones. No eye/jitter possible with the latest DS7000 FW. Real BW seems close to 989 MHz (measured with bodnar pulser). Further tests ongoing.

Edit1: Corrected the BW of both equipments, by using the correct formulas. The 7000 is almost 1GHz!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on August 31, 2019, 07:04:00 pm
Tv84,

Excellent findings, thanks for sharing the additional data points to confirm earlier observations.  Did you use the 50 ohm termination in all these tests?  If so, is it the 50 ohm pass through with 1 GHz bandwidth?

The 500ps horizontal scale can be handy in some instances, and good to see there’s no heat issues.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 31, 2019, 07:27:09 pm
50 ohm pass through with 1 GHz bandwidth?

Exactly.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 31, 2019, 08:06:57 pm
Looking at the System Information menu code we can see that it was prepared to display the following params:

Manufacturer:   INF_SYS_VENDOR
Model:          INF_SYS_MODEL
Serial number:  INF_SYS_SERIAL
Firmware:       INF_SYS_FIRMWARE
Hardware:       INF_SYS_HARDWARE
Boot:           INF_SYS_BOOT
Build date:     INF_SYS_BUILD

FPGA.K7:
FPGA.ZYNQ:
FPGA.SP6:
ADC.ID0:
ADC.ID0:
AFE.VER0:
AFE.VER1:
AFE.VER2:
AFE.VER3:
Started:
Live Time:


The red ones are missing from the final display.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on September 01, 2019, 12:45:48 am
How does one enable this mystical 500MHz mode?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 01, 2019, 01:17:44 pm
How does one enable this mystical 500MHz mode?

I won't go into details because the benefits are residual compared to the possible headaches when executing the procedure wrongly. I leave that as homework for the ones who are not faint of heart.

But, as general knowledge, I'll add the following:

These equipments keep their config in a FRAM memory. In that FRAM, among other possible things, usually there are the following params (specific to the unit):
- E_CFG_MODEL_RAW
- E_CFG_SN_RAW
- E_CFG_MAC
- ECC Public key of the scope
- Option's licenses

These fields are replicated in the sysvendor.bin, Key.data and the *.LIC files (for "external" consumption).

So, to change the Model, you just have to change the contents of the param E_CFG_MODEL_RAW, in the FRAM, and the scope will adjust everything else accordingly.




Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on September 01, 2019, 02:42:45 pm
Have you tried what happens if you set E_CFG_MODEL_RAW to be an MSO7000 model?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 01, 2019, 03:43:29 pm
Have you tried what happens if you set E_CFG_MODEL_RAW to be an MSO7000 model?

It was discussed but not tried. I'll try it next time. I'm almost certain it won't be accepted as all other MSO5xxx models.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on September 02, 2019, 05:29:50 am
Looking at the System Information menu code we can see that it was prepared to display the following params:

Manufacturer:   INF_SYS_VENDOR
Model:          INF_SYS_MODEL
Serial number:  INF_SYS_SERIAL
Firmware:       INF_SYS_FIRMWARE
Hardware:       INF_SYS_HARDWARE
Boot:           INF_SYS_BOOT
Build date:     INF_SYS_BUILD

FPGA.K7:
FPGA.ZYNQ:
FPGA.SP6:
ADC.ID0:
ADC.ID0:
AFE.VER0:
AFE.VER1:
AFE.VER2:
AFE.VER3:
Started:
Live Time:


The red ones are missing from the final display.
Where the red ones are the more interesting finds :)

Do we know also how this information is read? Or is it simply not implemented. Have you managed to get it onto the screen? I'm curious to see if we can probe these over the SPI bus ourselves (should be possible of course). Maybe these fields are only shown when putting the scope into 'debug' or 'dev' mode. Getting the versions also means we can see if/when these are changed of course. Sadly, I don't think it'll be easy to extract this information from the FPGA binaries.

That the FPGA's had individual versions makes sense, they are uploaded each boot.

ADC.ID0 is in the list twice, a typo perhaps? I would guess there'd be ADC.ID1 as well, as we have 2 ADC's, didn't we (chan 1 + 2; chan 3 + 4)? Also interesting it's an identifier, and not a version. That would indicate it's not upgradeable or doesn't run software. So the ID probably relates to the board. MSO5000's vs MSO7000/MSO8000. I am curious how these relate.

It seems however that the Analog frontend's also have individual versions. That would explain why we sometimes see different behaviors between the 4? I wonder who and when uploads the software into the AFE's. Again, having this information visible, means we can see when they are changed.

The Live time used to be printed on the previous gen scopes, wonder why they are not showing it now. As a user, you may want to know this with regards to getting the device re-calibrated ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 02, 2019, 09:15:33 pm
Do we know also how this information is read? Or is it simply not implemented. Have you managed to get it onto the screen? I'm curious to see if we can probe these over the SPI bus ourselves (should be possible of course). Maybe these fields are only shown when putting the scope into 'debug' or 'dev' mode. Getting the versions also means we can see if/when these are changed of course. Sadly, I don't think it'll be easy to extract this information from the FPGA binaries.

That the FPGA's had individual versions makes sense, they are uploaded each boot.

ADC.ID0 is in the list twice, a typo perhaps?

I'll try to read it.

When you call appEntry with the param "-ds8000" you get another field (attached).

If it's a typo, it exists in all FWs (5k, 7k & 8k).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AngusBeef on September 03, 2019, 04:36:56 pm
Howdy -

Well after reading all of this thread and half the rest of the forum - bought my first Oscilloscope yesterday from the RigolNA clearance section - MSO5074. Buy once cry once - but I'll update once I get it setup and ... patched ....  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on September 03, 2019, 04:47:47 pm
Hey tv84,

If I interpret your finding properly, does the model change actually upgrade the -3dB point from 350MHz to 470MHz by removing any hidden software limitation?  And other than the 500ps horizontal scale, is there any other benefit that you observed?


I won't go into details because the benefits are residual compared to the possible headaches when executing the procedure wrongly. I leave that as homework for the ones who are not faint of heart.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nimish on September 03, 2019, 06:46:54 pm
Hey tv84,

If I interpret your finding properly, does the model change actually upgrade the -3dB point from 350MHz to 470MHz by removing any hidden software limitation?  And other than the 500ps horizontal scale, is there any other benefit that you observed?


I won't go into details because the benefits are residual compared to the possible headaches when executing the procedure wrongly. I leave that as homework for the ones who are not faint of heart.


Yeah, I'd like to know this. Just adding 500ps/div is minor, but 120MHz of "extra" bandwidth is fairly useful!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 03, 2019, 07:08:57 pm
If I interpret your finding properly, does the model change actually upgrade the -3dB point from 350MHz to 470MHz by removing any hidden software limitation?  And other than the 500ps horizontal scale, is there any other benefit that you observed?

As others have said before, the BW already approached the 460-470 MHz. And, that was without any 5504 "modelling".

You may gain a few MHz, but the -3dB threshold is very similar between 5354 and 5504, if not the same.

It seems the 500ps HS is the only visible difference (assuming that you can accomplish those proto-eye diagrams in 5354 mode).

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on September 03, 2019, 09:19:38 pm
tv84,

Thanks for the clarification, as well as all the wisdom you had shared on this discovery.  I think I will leave things as is for now until I need that 500 ps setting.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on September 07, 2019, 08:47:26 am
Yes, I also looked into these. However, I do think all interaction is via SCPI commands and there is hence no secret there, which is not also in the SCPI definitions in /rigol/resources.

It looks to me, that there is a message passing system, which is also partially used to define the SCPI commands. However not all messages are also exposed via SCPI commands. I believe the production version of the firmware is not shipped with a full set of SCPI command definitions, hence giving no way to access all possible messages.  (until we define our own SCPI commands to access them :popcorn:. I failed in my first quick attempt though.)

Indeed by far not all commands are currently exposed via SCPI. I believe there is an additional command set not shipped with release firmwares. However, we can start and define our own SCPI commands. Let me start with a simple one.

Toggle Project Mode
Enables  ssh and ftpd. Also enables a "key recording mode". Maybe more.

Add this block to the SCPI definitions, e.g. into /rigol/resources/scpi/SYSTem.xml.

Code:
<TotalItem>
<head>^(:?HACK|:?H)(:PROJECT|:PRO)$</head>
<service>utility</service>
<cmd>48</cmd>
<minSize>-1</minSize>
<indexes>
</indexes>
<unit>
</unit>
</TotalItem>

This will add a new SCPI command HACK:PROJECT, which enables trigger mode.

EDIT: The definition might be a bit wrong. It only works when I execute a prior "SYSTem:PON?" or similar. Strange.

EDIT2: Project mode enables the talked about full About Dialog. Not sure what is unique info here. so blanking a lot.
EDIT3:
 Note that resource/menu/msg.h defines MSG_APP_UTILITY_PROJECT as follows:
Code:
resource/menu/msg.h:#define MSG_APP_UTILITY_PROJECT               12073
That code decodes inside the servEdgeTrigger::_cmdEntry  (at 0x0149e634)  to function at 0x0023ccbc. However that function forwards to  the identical code 12073 to "utility" (at 0x014a1f58) to fun at 0x0027839c.  That function returns if the project mode is enabled or not, I would have expected it to route to the project state toggle (cmd  48) defined one entry above. But anyways, it looks like there is a relation between edge trigger mode and project mode. Interestingly, going into edge trigger mode was one of the requirements to manually trigger project mode on older scopes, see also here (https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-04b7/1/-/-/-/-/DS4000%20Calibration%20Guide.pdf?sid=TV2:xBDzVJlWK).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on September 07, 2019, 10:53:18 am
In project mode, one can specify what to calibrate and export the calibration result (if a cal directory exists on the pen drive) in a user readable value:

Code:
<root@rigol>ls /media/sda1/cal/
ADC1_iDelay.csv          hzgnd1.csv               hzscale1.csv             lzgnd0.csv               lzscale_20x_flt0.csv     lzscale_20x_normal0.csv  lzscale_2x_flt0.csv      lzscale_2x_normal0.csv
ADC2_iDelay.csv          hzgnd2.csv               hzscale2.csv             lzgnd1.csv               lzscale_20x_flt1.csv     lzscale_20x_normal1.csv  lzscale_2x_flt1.csv      lzscale_2x_normal1.csv
go.csv                   hzgnd3.csv               hzscale3.csv             lzgnd2.csv               lzscale_20x_flt2.csv     lzscale_20x_normal2.csv  lzscale_2x_flt2.csv      lzscale_2x_normal2.csv
hzgnd0.csv               hzscale0.csv             lf.csv                   lzgnd3.csv               lzscale_20x_flt3.csv     lzscale_20x_normal3.csv  lzscale_2x_flt3.csv      lzscale_2x_normal3.csv

EDIT: There is also now a log output in the calibration window, which specifies what is currently done.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on September 07, 2019, 12:41:28 pm
There is also an option to get system temperatures as well as an additional self-check option for the screen. Furthermore one can reset the counters for LifeTime and BootTime.   :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 07, 2019, 01:07:24 pm
Very interesting, how can I activate this ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on September 07, 2019, 01:31:15 pm
I have updated my initial post about this above. I think the project mode is normally enabled by a key combination. I have not found it yet though. So for now, one can add a new SCPI command, which will also trigger project mode (see above post). One can then just use TCP/IP (default port 5555) or USB to send the SCPI command.

In general, I feel that I have not yet found all the user interface definition and logic. The binary has multiple resources inside, such as PNGs and XML data. That is a feature for Qt, see here (https://doc.qt.io/qt-5/resources.html). However, it also includes compressed artifacts, so just searching is not always successful. I looked at some binary extractors for Qt, but they failed. Possibly one can dump the memory of the appEntry process too...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bitseeker on September 07, 2019, 05:27:05 pm
Well after reading all of this thread and half the rest of the forum - bought my first Oscilloscope yesterday from the RigolNA clearance section - MSO5074. Buy once cry once - but I'll update once I get it setup and ... patched ....  :-+

Nice catch. I wouldn't have expected MSO5000 to be in there already.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AngusBeef on September 07, 2019, 05:31:00 pm
Well after reading all of this thread and half the rest of the forum - bought my first Oscilloscope yesterday from the RigolNA clearance section - MSO5074. Buy once cry once - but I'll update once I get it setup and ... patched ....  :-+

Nice catch. I wouldn't have expected MSO5000 to be in there already.
They had a 5072 there as well the other day but I wanted 4 probes and factory warranty for four channels
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 08, 2019, 10:00:25 am
That code decodes inside the servEdgeTrigger::_cmdEntry  (at 0x0149e634)  to function at 0x0023ccbc. However that function forwards to  the identical code 12073 to "utility" (at 0x014a1f58) to fun at 0x0027839c.  That function returns if the project mode is enabled or not, I would have expected it to route to the project state toggle (cmd  48) defined one entry above. But anyways, it looks like there is a relation between edge trigger mode and project mode. Interestingly, going into edge trigger mode was one of the requirements to manually trigger project mode on older scopes, see also here (https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-04b7/1/-/-/-/-/DS4000%20Calibration%20Guide.pdf?sid=TV2:xBDzVJlWK).

mabl, very nice finds!!!  I'll try to replicate it to see if I can help finding the key sequence as I have some logs from the "not married" investigation. ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AngusBeef on September 09, 2019, 08:59:10 pm
MSO5000 arrived today. Applied the patched .04.04 GEL and it worked easily. However channel 1 overshoots and channel 2-4 undershoot regardless of probes. I have the self-calibration running right now to see if it resolves it, but after a little reading it seems the self-calibration is mostly focused on ensuring the internal offset to show an accurate 0v is accurate
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on September 09, 2019, 09:02:16 pm
You need firmware 04.08 to have the overshoot-undershoot correction
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AngusBeef on September 09, 2019, 09:15:47 pm
You need firmware 04.08 to have the overshoot-undershoot correction
Awesome! I may have missed it but I'm assuming there's a different update patch in this thread I can find once I'm back at my PC, or it's back to the ole Putty?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 09, 2019, 09:25:03 pm
Very interesting, how can I activate this ?

Rigol.eu told me, they don´t know about a project mode on the 5000/7000....

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 09, 2019, 09:39:42 pm
Rigol.eu told me, they don´t know about a project mode on the 5000/7000....

I believe that. But, refer them to mabl's post and they'll learn how to enable it.  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 10, 2019, 07:41:50 pm
They wouldn´t know about it because they don´t need it for servicing.

Quote
But, refer them to mabl's post and they'll learn how to enable it.

That´s what I replied…. 8)
OK, not directly.. ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 11, 2019, 06:52:35 pm
Hmpf,

After updating to 01.01.04.08, mabl´s usb patch wouldn´t function any more... :(

EDIT:

Downgrade to 01.01.04.04 doesn´t function, too…..

Message in both cases : "Failed to upgrade, check the upgrade file"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on September 11, 2019, 07:33:22 pm
After updating to 01.01.04.08, mabl´s usb patch wouldn´t function any more... :(
What is mabl's usb patch?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 11, 2019, 07:43:54 pm
It´s a little (20kb) GEL file which enables all options.
Edit : https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401

Meanwhile I could downgrade to 04.04, thanks to the secret menu…... ;)
Hope, there will be a new "usb-patch" in the future, which works with newer Firmware (I´m dependent on the cracks here... :( )

Edit 2 : Could it be patched with the "old" all options file although having the latest Firmware installed, by using the secret menu…..hm-hm...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on September 11, 2019, 07:52:31 pm
mabl said that he doesn't want to create a new usb hack file.  The hack for 01.01.04.08 is applied using a bdiff patch file using the sshd hack
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 11, 2019, 07:56:53 pm
I don´t have the skills to do the hack apart from the usb hack file….. :(
So I have to wait until  someone have mercy for users like me.  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AngusBeef on September 11, 2019, 10:35:13 pm
I don´t have the skills to do the hack apart from the usb hack file….. :(
So I have to wait until  someone have mercy for users like me.  ;)
I struggled my way through it and will do a write up shortly, but in the meantime if you don't have a Linux computer I recommend downloading VirtualBox (https://www.virtualbox.org/) and following the instructions to install Linux on your virtual computer running inside virtualbox (https://download.virtualbox.org/virtualbox/6.0.12/UserManual.pdf)

Once you've got Linux installed it will make it possible to accomplish the patch.

For non-Linux nerds this distro is very user friendly  - https://www.linuxmint.com/

It is possible to accommodate the patch using Windows software but it's much easier in Linux
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: furmek on September 11, 2019, 11:04:57 pm
A write-up will be greatly appreciated :)

BTW if you're running any recent version of windows 10 you can use Windows subsystem for linux.
I find it easier than virtual box:
- open Windows Store app
- type "WSL" in search box
- pick your flavor (right now 8 available)
- Hit Get
- profit
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AngusBeef on September 11, 2019, 11:25:32 pm
This is just a play-by-play of what I did – I struggled my way through it so there are ways to run things more efficiently or better that I wasn’t aware of at the time.

Step 1: Get your Linux workstation functional, either by installing directly or running it within VirtualBox. I’m using a Windows PC so I’m running everything through VirtualBox, which just adds a couple intermediate steps.

Step 2:
Get organized – I made 3 folders, “Upgrade”, “Enable SSH”, and “Patch”.
-   In the Upgrade folder, download the 01.01.04.08 GEL from GitLab and rename it DS5000Update.GEL (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.08.GEL)
-   In the Enable SSH folder, add the GEL file from this post and rename it DS5000Update.GEL (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076)
-   In the Patch folder, download the Bpatch folder from this post and remove the .txt extension (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701)

Step 3: Upgrade the MSO5000 using the DS5000Update.GEL file from the Upgrade Folder. Put the file onto the root directory of the USB drive and then go to the Utility / System / Help / Local Upgrade menu once you’ve put the USB into the MSO5000 and upgrade to 01.01.04.08. Restart the Oscilloscope.

Step 4: Now time for the heavy lifting. Put the USB drive back into the computer and remove the update file you just used from the USB stick. Now go to the Enable SSH folder and put that DS5000Update.GEL file onto the USB drive. Put the USB stick into the MSO5000 and run the Local Upgrade again. Oh no, it failed! Except it didn’t, as @mabl stated in his post, it will look like it failed but it works. DO NOT RESTART THE OSCILLOSCOPE, otherwise you will have to run step 4 again. Also, leave the USB stick in the MSO5000 for the next steps.

Step 5: If it’s not already connected, connect your MSO5000 to your LAN or use a crossover cable if you have one to hook it to your computer. If all you have is “normal” LAN cables, you’ll need to use your router and can’t hook directly to your PC. Now go to the Utility/ IO / LAN menu and write down the IP address of your MSO5000.

Step 6: If it’s not already in your distro, go to the software manager and download Putty so that you can SSH (Secure Shell) across the network into your MSO5000. Once it’s downloaded, you’re going to follow some of the instructions from @TopLoser that @TrickTronic posted.  First, run PuTTY and put the IP address into the IP window, use Port 22, and select SSH for your connection type. Then, use “root” as the username and “Rigol201” as the pwd. You’re now connected to the Oscilloscope.

Step 7: In the SSH, type (without quotes) “cp /rigol/appEntry /media/sda1/”. Once it’s finished writing it to the USB stick (although it’s probably not the “best” answer), just pull the USB stick out and put it back into your computer. Copy the bspatch file into the root of the USB stick as well. Right click and open a terminal window starting in the USB stick and type “bspatch appEntry appEntryPatched appEntry_01_01_04_08.bpatch” into the terminal. It will create you a new file called appEntryPatched. Rename the original file to appEntryUnpatched or something similar and then rename the patched file to appEntry. Now remove the USB stick and put it back into the Oscilloscope.

Step 8: I hope you kept your SSH open, if not then open it back up. Type “cd /media/sda1”. If the command fails, replace sda1 with sdb1. My MSO5000 mounted the USB drive into this second location when I put it back in. Type “ls” (LS in lower case if the font here sucks) to see the files in the directory. You should see your files. Now run “chmod +x appEntry” to allow the appEntry file to be an executable, otherwise it will not work. To make this next step easier, move back to the root directory using “cd /”. You can type “pwd” at any time in SSH or Terminal to see the directory you’re currently in at any time. Now copy the file back to the oscilloscope, “cp /media/sda1/appEntry /rigol/” and you should be good to go.

Step 9: Restart your Oscilloscope and don’t forget to thank the dozens of people on this forum who made this possible.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on September 12, 2019, 12:30:55 am
I don´t have the skills to do the hack apart from the usb hack file….. :(
So I have to wait until  someone have mercy for users like me.  ;)
I struggled my way through it and will do a write up shortly, but in the meantime if you don't have a Linux computer I recommend downloading VirtualBox (https://www.virtualbox.org/) and following the instructions to install Linux on your virtual computer running inside virtualbox (https://download.virtualbox.org/virtualbox/6.0.12/UserManual.pdf)

Once you've got Linux installed it will make it possible to accomplish the patch.

For non-Linux nerds this distro is very user friendly  - https://www.linuxmint.com/

It is possible to accommodate the patch using Windows software but it's much easier in Linux
It works on mac osx as well... it should work on windows 10 with WSL (Windows Subsystem for Linux)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 12, 2019, 09:12:24 pm
@AngusBeef :

Sounds complicating to me, but I will try it at forthcoming weekend....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NED88 on September 12, 2019, 09:30:03 pm
The step-by-step instructions are very helpful.  I'd make a few additional comments/suggestions...

Before copying back the patched "appEntry" file to "/rigol" (see end of step 8 in AngusBeef's post above), I ran:  echo "3f95cb3236b47826e303de960596f966  appEntry" | md5sum -c   to make sure it had the correct md5sum (see delfinom's post: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701).

Also, one can use the "bspatch" that is contained inside mabl's "DS5000Update_backup.GEL.txt" (see: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380).  Just rename it to "DS5000Update_backup.GEL.gz" and gunzip the file into a temporary folder then gunzip the file "bspatch.gz" to get the bspatch utility.

I used a Mac OS X terminal (but only for ssh) and copied the bspatch utility onto a USB stick as well as the files listed in step 2 and worked with those successfully.  It's a good idea to run "umount /dev/sda1" , after you have finished using the USB stick.

We do actually have all the information required for creating a single GEL patch file by modifying the previous 04.04 patch (and backup) files after gunzipping them (and the enclosed files) and decrypting the various encrypted shell files enclosed.  It shouldn't take very long for a unix script programmer to modify them for 04.08.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: SpaleKG on September 17, 2019, 10:28:27 pm
After an embarrassing long delay, here are the changes for 01.04.08 uploaded to git:
https://gitlab.com/riglol/rigolee/commit/ae77323ac04da753d98ae9a1d99a658e000b9088

for those that care ;)

Hi oliv3r. I had to read all 52 pages in this topic to be clear did I miss something about your https://gitlab.com/riglol/rigolee repository.
I have several findings.
- Following your README file and instructions about using docker to build an image for the gal_unpack/pack scripts, I have found that docker build doesn't work because there are some issues in the .dockerignore file (about the bin/ folder: you are not ignoring only one .sh file, but in the Dockerfile you are using all files in the bin/ folder).
- When I had fixed the .dockerignore file and built the image, I discovered that gel_unpack.sh doesn't work either. There are some errors in the dumpimage part of the script.

My question: Is it because of some way of "kid protection" made errors by some intention or this should be fixed? Or maybe gel_unpack.sh (dumpimage part about unknown -i option) doesnt work because of newer version of linux alpine you using for build docker image.

I have tried to build docker image on my MacOS and also on ubuntu 16.04 and everytime the same errors was happening when I tried to generate docker image by cloning your repo without any modifications.

Also I have forked your repo, so I can commit changes I have made on my fork, and send pull request so you can take a look about them if you want.
I have fixed all issues I have found about creating docker image and gel_unpack.sh now working in docker container.

BTW, this is my 1st post, so hello to all. I have MSO7000 series scope and I will try to perform hacks on this model.

Best regards,
Spale
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 22, 2019, 10:36:45 am
@AngusBeef :

Sounds complicating to me, but I will try it at forthcoming weekend....

Still complicated for me....
Today I´ve installed a linux subsystem on win10 (ubuntu).
When I start this, a command line appears…ok and now...I don´t know a thing about  :(
Putty is a program to connect a windows computer to a linux computer - So why must I do the things under a linux system....
I´m really thinking about to buy the optionbundle, but there´s the bandwidth upgrade for free in this hack....
Ah, a keygen for dummies like me would be heaven..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on September 23, 2019, 12:24:18 pm
Dear all, I have rigged up a general purpose auto patcher, attached to this post.

It will read a configuration file "patch.txt" from the usb drive and execute according to the specifications within. It does NOT include any patches and is not enough to patch your scope.

As an example, the  "patch.txt"  file should contain something like:

Code:
file_to_patch=/rigol/appEntry
file_to_patch_md5sum=afe3e7c2d38bdebb66d3f1f11d910743
patch_file=name_of_patch.bpatch
after_patch_md5sum=expected_md5_sum_after_patch

You have to obtain these bspatch files and checksums from somewhere else. (The  file_to_patch_md5sum is correct for 01.01.04.08 firmware). Fill the other fields out accordingly.

On your USB drive, there should then be the following files (obviously name_of_patch must match your configuration):


At all points of the firmware patching, the md5 sums will be checked and an error raised if anything does not match. So it should be pretty safe. I have tested it.  :popcorn:
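
The check-before, check-after flow described in this post, together with the md5sum check from NED88's post above, as an added example (not mabl's auto patcher or any code from this thread). It reads a patch.txt in the format shown above; the function names are hypothetical, the sample files are constructed, and `demo_patch` is a stand-in for bspatch so the block runs anywhere.

```shell
#!/bin/sh
# Added example, not code from this thread. Function names are hypothetical and the
# sample files are constructed; on a real system PATCH_CMD would be bspatch.

# cfg_get KEY FILE: print the value of KEY from a key=value file such as patch.txt
cfg_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1 | tr -d '\r'
}

# md5_of FILE: print the hex MD5 of FILE
md5_of() {
    md5sum "$1" | cut -d ' ' -f 1
}

# guarded_patch CFG PATCH_CMD
#   PATCH_CMD is invoked as PATCH_CMD <old> <new> <patch>, the argument order of bspatch.
#   Returns 0 on success, 2 incomplete config or missing file, 3 source md5 mismatch,
#   4 patch command failed, 5 result md5 mismatch, 6 install step failed.
#   The target file is replaced only when the result is 0.
guarded_patch() {
    cfg=$1
    patch_cmd=$2
    dir=$(dirname "$cfg")
    target=$(cfg_get file_to_patch "$cfg")
    want_before=$(cfg_get file_to_patch_md5sum "$cfg")
    patch=$(cfg_get patch_file "$cfg")
    want_after=$(cfg_get after_patch_md5sum "$cfg")

    [ -n "$target" ] && [ -n "$want_before" ] || return 2
    [ -n "$patch" ] && [ -n "$want_after" ] || return 2
    [ -f "$target" ] && [ -f "$dir/$patch" ] || return 2

    # 1. Refuse to patch anything but the exact binary the patch was made for.
    [ "$(md5_of "$target")" = "$want_before" ] || return 3

    # 2. Patch into a temporary file next to the target, never in place.
    tmp="$target.new.$$"
    if ! "$patch_cmd" "$target" "$tmp" "$dir/$patch"; then
        rm -f "$tmp"
        return 4
    fi

    # 3. Verify the result before it can replace anything.
    if [ "$(md5_of "$tmp")" != "$want_after" ]; then
        rm -f "$tmp"
        return 5
    fi

    # 4. Keep the original, mark the new file executable, then rename over the target.
    if ! cp -p "$target" "$target.orig" || ! chmod +x "$tmp"; then
        rm -f "$tmp"
        return 6
    fi
    mv "$tmp" "$target"
}

# demo_patch OLD NEW PATCH: constructed stand-in for bspatch (appends PATCH to OLD)
demo_patch() {
    cat "$1" "$3" > "$2"
}

# make_sample DIR: constructed stand-in files plus a patch.txt whose sums match them
make_sample() {
    printf 'firmware-v1\n' > "$1/appEntry"
    printf 'delta\n' > "$1/demo.bpatch"
    cat "$1/appEntry" "$1/demo.bpatch" > "$1/expected"
    {
        echo "file_to_patch=$1/appEntry"
        echo "file_to_patch_md5sum=$(md5_of "$1/appEntry")"
        echo "patch_file=demo.bpatch"
        echo "after_patch_md5sum=$(md5_of "$1/expected")"
    } > "$1/patch.txt"
    rm -f "$1/expected"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    rc=0; guarded_patch "$d/patch.txt" demo_patch || rc=$?
    echo "first run, sums match:       rc=$rc"
    # The target now holds the patched file, so the source check must refuse it.
    rc=0; guarded_patch "$d/patch.txt" demo_patch || rc=$?
    echo "second run, already patched: rc=$rc"
    rm -rf "$d"
}
demo
```

MD5 in this flow catches a wrong firmware version or a corrupted copy; it is not collision resistant, so a matching sum says nothing about who produced the patch file.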
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on September 24, 2019, 02:34:03 am
Does anyone know why the FW update is still absent from the North America site?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on September 24, 2019, 04:50:21 pm
And interestingly the old Chinese website at www.rigol.com/Support/SoftDownload/3 does not work anymore. The international site http://int.rigol.com/Support/SoftDownload/3 works, but misses the DSO5000 completely. The only online source for the current firmware that I know of is at https://gitlab.com/riglol/rigolee/tree/MSO5000/GEL
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 24, 2019, 07:14:38 pm
Does anyone know why the FW update is still absent from the North America site?

And still absent in europe (rigol.eu), strange….
I´ve asked them about it without getting an answer.
I´ll try again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on September 24, 2019, 08:17:56 pm
The chaps I purchased from have it in the UK
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qwerty on September 25, 2019, 09:05:48 am
Hi,
I own an MSO5074 as well. My real concern is that it is extremely slow. All the reactions and the boot and everything. It is just not as responsive as any other equipment I ever owned.
Is there a fix for that?

Thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 25, 2019, 05:34:01 pm
Does anyone know why the FW update is still absent from the North America site?

And still absent in europe (rigol.eu), strange….
I´ve asked them about it without getting an answer.
I´ll try again.

Probably the 01.01.04.08 firmware from the chinese site is a beta version - Because today I got an answer from rigol support.
They await the next official version in october and recommend to use the official updates on their site…..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 25, 2019, 05:44:33 pm
Probably the 01.01.04.08 firmware from the chinese site is a beta version - Because today I got an answer from rigol support.
They await the next official version in october and recommend to use the official updates on their site…..

So you think 1B chinese are beta-testers?? 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 25, 2019, 05:50:43 pm
I´ve asked rigol.eu and this was their answer...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: SpaleKG on September 25, 2019, 07:06:28 pm
https://rigol.com/SUPPORTS/Software-Firmware-Download_3.html

That doesn't work for me. But this works: https://supportcn.rigol.com/Support/SoftDownload/3
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 26, 2019, 10:28:31 am
So you think 1B chinese are beta-testers??

I´ve asked them again and directly, if this one is a Beta, the answer :

"We´ve decided to publish only the next version on our US/EU sites, because this version got beta-state. "

So 1B chinese are beta-testers and some from this forum here too.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 27, 2019, 07:59:59 pm
I´m really thinking about to buy the optionbundle, but there´s the bandwidth upgrade for free in this hack....

No need to think about any longer….. ;)
Got an offer where I couldn´t resist, delivery time 1-2 weeks.
Now, only bandwidth is interesting...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on September 29, 2019, 07:41:21 pm
So Martin you obtain your 8000 before mine then   :palm:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on September 29, 2019, 11:26:12 pm
Do we have any recent Canadian buyer of the 5000, I plan to buy one, and would like to know if the ones available in Canada, are the newest version, with display issue solved, or if still the bad one.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Aztlanpz on September 30, 2019, 01:03:39 am
I am a proud owner of a new Rigol MSo5000.  I do not know if I should hack or wait for the new firmware to be posted to US site.  What do you think? >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on September 30, 2019, 05:25:49 am
I am a proud owner of a new Rigol MSo5000.  I do not know if I should hack or wait for the new firmware to be posted to US site.  What do you think? >:D

Take it apart!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on September 30, 2019, 09:08:26 am
I am a proud owner of a new Rigol MSo5000.  I do not know if I should hack or wait for the new firmware to be posted to US site.  What do you think? >:D

I do believe the current "beta" firmware to be a nice improvement over the older 04.04 firmware. If you have it and want it hacked, hack it now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on September 30, 2019, 10:20:17 am
Hi,
I own an MSO5074 as well. My real concern is that it is extremely slow. All the reactions and the boot and everything. It is just not as responsive as any other equipment I ever owned.
Is there a fix for that?

Thanks
Yes, change it for a Keysight
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on September 30, 2019, 11:17:54 am
Hi,
I own an MSO5074 as well. My real concern is that it is extremely slow. All the reactions and the boot and everything. It is just not as responsive as any other equipment I ever owned.
Is there a fix for that?

Thanks
Yes, change it for a Keysight

Exactly. Because my Keysight 3000T boots in 55 seconds...

DSO's are computers with knobs. They need to boot, and not everything will happen in less than 10 ms so you will have a perception it is instantaneous.
I compared MSO5000 and MSO7000 with R&S 3000 series, and they felt equally sluggish. Or not, depending of who you ask.

No DSO will be as interactive as analog scope. Not even 3000T is always so fast that you cannot say you didn't wait for it  at least for a little bit.
When you are setting vertical offset it stops acquiring data,  so it can redraw static picture to get speed. And it is nonlinear around zero, so in beginning it felt like it skips on encoder. After I got used to it, it is fine.

On R&S 3000 horizontal scrolling with finger was much slower than on Rigol. Some other things were faster.

It is not about Rigol, it is about manufacturers putting stupid menu animations and other stupid stuff that slows down U/I. Because cool new kids generations are used to it from their phones and tablets, and guess what, they don't mind that it could be faster...

So we old school analog knob aficionados have to get used to brave new world.  Fact that you can percept that scope has reaction time shouldn't distract you from the fact that despite that, you will be able to do the job.

And if you want to replace MSO5000 with Keysight that is BETTER that it you have to jump to MSOX3000T series. Take note of money difference and decide if it is worth to you.
Or just get over it and you will get used to it after some time...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on September 30, 2019, 11:31:13 am

Yes, change it for a Keysight

Or a Tek  :)

The odd thing is the MSO5000 I find very responsive, no noisy fan or screen issues, granted the boot up time is grim at best but you pay your money and take your choice.

Most professional guys will have R&S / Keysight or Tek; those at home may use something different.


 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on September 30, 2019, 12:04:01 pm
Rigols are sluggish.  If you look at the MSO8000 video on youtube doing serial decoding, it shows the waveform, then 1 second later the decoded information.  It is the same on the MSO5000 that I have.  The knobs are sluggish, it takes some time from when you move them and the scope shows the update.  It has been the same since the 2nd generation (DSO1054Z).  It used to be very responsive when they were manufacturing for Agilent, around 2009.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on September 30, 2019, 12:35:27 pm
Rigols are sluggish.  If you look at the MSO8000 video on youtube doing serial decoding, it shows the waveform, then 1 second later the decoded information.  It is the same on the MSO5000 that I have.

400Mb of RAM takes time to process. It's not really fair to compare it with 1MB RAM Keysights.  :popcorn:

You can probably reduce the memory depth a bit if you want faster decodes.

The knobs are sluggish, it takes some time from when you move them and the scope shows the update.  It has been the same since the 2nd generation (DSO1054Z).  It used to be very responsive when they were manufacturing for Agilent, around 2009.

Those older Rigols used to freeze the waveform update while you were moving the trace up/down.

I've seen quite a few other scopes doing that, too.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on September 30, 2019, 02:13:17 pm
Rigols are sluggish.  If you look at the MSO8000 video on youtube doing serial decoding, it shows the waveform, then 1 second later the decoded information.  It is the same on the MSO5000 that I have.

400Mb of RAM takes time to process. It's not really fair to compare it with 1MB RAM Keysights.  :popcorn:

You can probably reduce the memory depth a bit if you want faster decodes.
It has nothing to do with the capture memory.  It only decodes what is being displayed.  I set it to auto, and it is sluggish even with some KB of capture memory.  If you get used to it, it is fine.  Or use the event table.

Still has lots of bugs and Rigol is not correcting them.  For example you can navigate the menu and press the back button and get the scope to show a trigger settings that is not the current one.  For example, you change the trigger from edge to serial, then make some changes in the serial trigger... then press back and you get to the previous menu where it still shows EDGE but it is triggering on serial decoding...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on September 30, 2019, 02:21:19 pm
Rigols are sluggish.  If you look at the MSO8000 video on youtube doing serial decoding, it shows the waveform, then 1 second later the decoded information.  It is the same on the MSO5000 that I have.

400Mb of RAM takes time to process. It's not really fair to compare it with 1MB RAM Keysights.  :popcorn:

You can probably reduce the memory depth a bit if you want faster decodes.
It has nothing to do with the capture memory.  It only decodes what is being displayed.

What if you're displaying 400Mb of memory?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on September 30, 2019, 04:45:21 pm
Interesting discussion, worth a new topic to compare responsiveness of various scopes and a set of standard metrics to measure them, and create a responsiveness spreadsheet over time like what we had done for DMMs.  That may be useful for people who crave highly responsive scopes, that way they can find out the tradeoff (features, memory depth, cost, etc...).

But not sure if it should be discussed in this topic as most people come here to find hacking info, it will only make this thread even harder to read through for newcomers.

With regard to speed, I don't have issue with the MSO5000, at least for my limited use cases. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mikeselectricstuff on October 01, 2019, 05:37:04 pm
Hi,
I own an MSO5074 as well. My real concern is that it is extremely slow. All the reactions and the boot and everything. It is just not as responsive as any other equipment I ever owned.
Is there a fix for that?

Thanks
Yes, change it for a Keysight

Exactly. Because my Keysight 3000T boots in 55 seconds...

Though after that, everything is pretty much instant. The R&S boots much faster but is much more sluggish in use
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on October 01, 2019, 06:06:04 pm
Got an offer where I couldn´t resist, delivery time 1-2 weeks.

Today the key has arrived.
You have to enter this and your serialnumber there (http://licenseen.rigol.com/CustomerService/ProductRight_EN), click to generate and you got a (very small) lic. file for download.
Putting this to usb-stick, click "option install" on the rigol and this was it (so fast, you couldn´t see the confirmation).
No need to reboot and the forever options are immediately present….
Nice one.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Aztlanpz on October 01, 2019, 07:04:20 pm
Let’s do this
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on October 01, 2019, 07:17:49 pm
 :D
I´ve described the procedure for another reason..
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on October 01, 2019, 09:48:14 pm
Your licence is now used and cannot be used by another person.

Would you provide us or maybe mabl or another "pro" with PM your already used licence code, serial number, lic file?
I'm sure they can find interesting things with this new information.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pipe2null on October 02, 2019, 04:35:46 am
Many thanks to all who contributed to unlocking the goodness, especially mabl, and AngusBeef for putting together the Step-by-Step so people like me could avoid the painful Page-by-Page...   :D

One thing I've noticed, twice I have set the unit to use a static IP with junk IPs for gateway and DNS, and after a reboot the unit reverted to DHCP which put it right back connected to the internet and able to phone home.  I *THINK* I setup my DD-WRT access restrictions on my router to prevent the scope's MAC from getting to the internet regardless of its IP, but...  So the revert of the setting to DHCP might have been part of "unlocking the (slightly buggy) goodness" with applying updates and what-not, but I'm not positive.

Has anyone else seen the "revert to DHCP" behavior?

Also, is there a way to turn on SSH "permanently" without having to use the EnableSSH.GEL hack every boot?  I don't know how to hack (yet) but I want to dig around and "play".  But, I'm kinda lazy sometimes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Shodge on October 02, 2019, 05:07:32 pm
Let the scope use DHCP and create a static lease in your router which will be tied to the scopes NIC.  The router will always respond to the scopes NIC's DHCP request with the IP you set.  Simple enough....

-Stan
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pipe2null on October 02, 2019, 08:08:09 pm
Let the scope use DHCP and create a static lease in your router which will be tied to the scopes NIC.  The router will always respond to the scopes NIC's DHCP request with the IP you set.  Simple enough....

-Stan

I occasionally reconfigure my network, including flashing routers with various open source firmware.  I am prone to stupid mistakes and sometimes forget why I did a specific bit of configuration, so...  On my router, the scope has a static lease plus MAC and IP access restrictions.  Taking this one step further to compensate for my own absent mindedness, I have the scope setup with static IP and subnet mask the same as its static lease, but with junk IPs for gateway and DNS.

My question to the forum regarding the odd reverting of network settings that I saw 2x times was to see if it was a safely-ignorable blip, if I hit a known bug, or what.  If no one else has seen it, then there is nothing to be concerned about, which appears to be the case.  I admit I am likely overly paranoid about the "phone home" thing and it is most likely only used for doing online firmware updates or submitting crash dumps with user consent, which is a good feature when you haven't hacked your scope.   ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on October 02, 2019, 08:28:08 pm
Just got this from tequipment

Quote
Effective yesterday, any purchase of a MSO5000 oscilloscope will include the BUNDLE OPTION for FREE: https://www.tequipment.net/Rigol/MSO5000-BND/Options/ (https://www.tequipment.net/Rigol/MSO5000-BND/Options/)

Oscilloscopes purchased during the promotion period qualifies for a free bundle upgrade with registration. This option bundle enables all serial decode capabilities, power analysis, and the integrated function generator.

I wonder what this means.....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on October 02, 2019, 08:37:39 pm
The same as by the 7000 series, buy a scope, get the optionbundle for free….Bandwidth and memory upgrade excluded.

Therefore I got the optionbundle a few days before for free from rigol.eu - Although I´ve already own one, this was a thanks for my permanent feedback over the year..

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Aztlanpz on October 02, 2019, 10:19:29 pm
I talked to Rigol; I am getting the upgrade for free too.   8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on October 02, 2019, 10:57:50 pm
Same offer in the U.S., bundle includes protocol analysis, waveform generator, and power analysis ($699) value.  You get it when you register your product, offer expires 3/31/20.  MSO5204 gets a bandwidth upgrade to 350MHz

This makes the MSO5000 a much more compelling offering in the MSO space.

BTW, DS7000, MSO7000, MSO8000 all offers free bundles, and some with free bandwidth upgrade.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on October 03, 2019, 01:28:52 am
Too bad there is a better offer here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on October 03, 2019, 01:48:44 am
 :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on October 03, 2019, 04:11:01 am
Same offer in the U.S., bundle includes protocol analysis, waveform generator, and power analysis ($699) value.  You get it when you register your product, offer expires 3/31/20.  MSO5204 gets a bandwidth upgrade to 350MHz

This makes the MSO5000 a much more compelling offering in the MSO space.

BTW, DS7000, MSO7000, MSO8000 all offers free bundles, and some with free bandwidth upgrade.

Ah yes,
https://beyondmeasure.rigoltech.com/acton/form/1579/0065:d-0001/0/-/-/-/-/index.htm

here's the registration page for it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Aztlanpz on October 03, 2019, 04:31:10 am
I applied the hack to my MSO5000 and now it will not boot. Thank you ToThePub it worked
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on October 03, 2019, 04:55:15 am
Copy the official firmware to a usb key. Stick it in the scope.
While powering on the scope, keep pressing the single button.
You'll see two options show up and you should be able to flash back to the official firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on October 03, 2019, 05:01:22 am
Just got this from tequipment

Quote
Effective yesterday, any purchase of a MSO5000 oscilloscope will include the BUNDLE OPTION for FREE: https://www.tequipment.net/Rigol/MSO5000-BND/Options/ (https://www.tequipment.net/Rigol/MSO5000-BND/Options/)

Oscilloscopes purchased during the promotion period qualifies for a free bundle upgrade with registration. This option bundle enables all serial decode capabilities, power analysis, and the integrated function generator.

I wonder what this means.....

It means that there's people out there who aren't reading this thread (hard to believe, I know...)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Aztlanpz on October 03, 2019, 08:45:14 am
I keep on getting checksum errors when applying mabl's hack. Does anyone know what the correct checksum is?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on October 03, 2019, 09:45:37 am
Did you do a manual hack? None of my patchers should result in a broken scope. Please report a bug in that case.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Aztlanpz on October 03, 2019, 10:16:54 am
I followed AngusBeef's steps for the hacks and bricked my scope in the process. Also when I do echo "3f95cb3236b47826e303de960596f966  appEntry" | md5sum -c I get an error: checksum does not match
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on October 03, 2019, 05:28:08 pm
If they want to give something away I wish it would have been the overpriced logic probe. You know, the thing that makes an "MSO" an "MSO". Charging 40% the base cost of the scope is ridiculous.

https://www.tequipment.net/Rigol/PLA2216/Logic-Probes/ (https://www.tequipment.net/Rigol/PLA2216/Logic-Probes/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Aztlanpz on October 03, 2019, 07:51:31 pm
I was able to apply the hack; if anyone needs some help feel free to pm me.

Aztlan 8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AngusBeef on October 04, 2019, 05:47:24 am
If they want to give something away I wish it would have been the overpriced logic probe. You know, the thing that makes an "MSO" an "MSO". Charging 40% the base cost of the scope is ridiculous.

https://www.tequipment.net/Rigol/PLA2216/Logic-Probes/ (https://www.tequipment.net/Rigol/PLA2216/Logic-Probes/)

https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/?topicseen (https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/?topicseen)

Here's one option. I just got mine together but I'm in the process of moving so I haven't been able to fully utilize them yet.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: forfly on October 06, 2019, 03:41:17 pm
Oh, shit, I saw the same for-ever-boot-screen as Antlanpz, but the trick with pressing "single" with the original firmware (01.01.04.04) from Rigol on USB-stick failed? Are there any other suggestions to restore to factory default?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on October 06, 2019, 03:47:30 pm
Quote
but the trick with pressing "single" with the original firmware (01.01.04.04) from Rigol on USB-stick failed?

See :

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2655762/#msg2655762 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2655762/#msg2655762)

First I don´t get the "secret menu" too.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: forfly on October 06, 2019, 04:25:43 pm
Many thanks!

(pressing "single" several times immediately after power on did the job at the first try.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on October 07, 2019, 07:18:22 am
Oh, shit, I saw the same for-ever-boot-screen as Antlanpz, but the trick with pressing "single" with the original firmware (01.01.04.04) from Rigol on USB-stick failed? Are there any other suggestions to restore to factory default?

You should not need to do manual patching if you want to apply a bspatch. You can use my automatic patcher (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640) to apply any patch you want. You will have to provide the proper checksums, which will be checked and the patch only applied if everything worked.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on October 07, 2019, 06:55:36 pm
For those that want to use the UART port and can't because their PCB misses the inline Res, just to inform that it is a Res = 0 ohms.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 09, 2019, 09:33:40 am
Greetings to all. There was a problem: I installed the DS5000Update_01.01.04.08 version (I can’t change it to another). When creating a Putty link over SSH. After entering the word "boot" and continuing, it says that "access is closed" 5 times, after which it does not hang much ... What can be done?  :(  Thank you very much!

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Aztlanpz on October 09, 2019, 09:41:19 am
Why are you doing that? Look at the post by Agnes
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on October 09, 2019, 09:53:17 am
Yep, here it is:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 09, 2019, 04:10:11 pm
Hello again to everyone. It seems that something is not right ... After connecting via LAN cable, with the PuTTY program (Windows 10 installed), after entering "root" it writes to enter the password, but does not respond to typing, only to Enter. At the same time, it says "Access denied" after 5 presses "Enter" is buggy ... I did a reset at startup ... It does not help! Maybe something I'm doing wrong? Thank you very much!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on October 09, 2019, 04:19:41 pm
Hi,

Did you follow the instructions from the post I´ve linked here before ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 09, 2019, 05:00:44 pm
I did everything on points! Updated to version “8”, rebooted (turned it off and on), erased the update from USB, wrote the file to enable SSH, turned on SSH, connected the cable to the PC, launched PuTTY with the address, ... But it doesn’t enter the password!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on October 09, 2019, 05:07:01 pm
after entering "root" it writes to enter the password, but does not respond to typing, only to Enter.

Passwords are (almost) always hidden, so just type the password and hit enter.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 09, 2019, 06:39:54 pm
Oh .. It turned out with a password! But he can not find either: "cp / rigol / appEntry / media / sda1 /" nor: "cd / media / sda1" I think and more ...   :-[ What can I do? Thank!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on October 09, 2019, 06:45:34 pm
Oh .. It turned out with a password! But he can not find either: "cp / rigol / appEntry / media / sda1 /" nor: "cd / media / sda1" I think and more ...   :-[ What can I do? Thank!
You are doing it wrong... there must be a space after cp.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 09, 2019, 07:11:07 pm
Thank you, I realized it! But it is not clear in "Step 7". Do you need to register the path to the USB drive to create a "bspatch" file in it? Can you please for more details. Thank!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on October 09, 2019, 07:14:49 pm
Thank you, I realized it! But it is not clear in "Step 7". Do you need to register the path to the USB drive to create a "bspatch" file in it? Can you please for more details. Thank!
Every file involved in the bspatch execution must be located in the same directory... I assume appEntry is in your USB drive, so yes... change directory to the USB drive where all the files are located before executing bspatch.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on October 09, 2019, 07:40:51 pm
Learning linux commands in a scope's shell is not the best scenario...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on October 09, 2019, 07:42:11 pm
 ;D

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 09, 2019, 07:55:08 pm
I don’t understand "Step 7" ... How to copy "bspatch" to the root of the USB drive. How to set the address on a USB drive so that it creates a “bspatch” file in it How do I understand after creating a “bspatch” file it needs to be renamed to “appEntry”? Confused ... Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on October 09, 2019, 09:40:00 pm
bspatch is the linux/unix command you need to execute on the appEntry application you copied from your scope to the USB drive. 

It is a "Binary patch" tool.  You apply it to the original appEntry using the file that contains the information on what to patch, then you copy the resulted appEntry file back to the scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on October 10, 2019, 04:12:45 am
Oh, shit, I saw the same for-ever-boot-screen as Antlanpz, but the trick with pressing "single" with the original firmware (01.01.04.04) from Rigol on USB-stick failed? Are there any other suggestions to restore to factory default?

You should not need to do manual patching if you want to apply a bspatch. You can use my automatic patcher (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640) to apply any patch you want. You will have to provide the proper checksums, which will be checked and the patch only applied if everything worked.

I want to again point out, that manual patching, such as described by Angus and others is not required. Especially, if you know what to patch, have the MD5 sums of the binary before and after patch. Just use my new patcher firmware and create a proper configuration file containing the file name of the bspatch file, and the two md5 sums before and after patch. It works with any firmware, does not require SSH and is pretty safe.  Especially, if you have never interacted with Linux on a shell only.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 10, 2019, 04:49:05 pm
Hello! I saved the file (appEntry) to the USB drive with the command: "cp / rigol / appEntry / media / sda1 /". I'm trying through Ubuntu with the files "appEntry" and "appEntry_01_01_04_08.bpatch" to create "appEntryPatched". But "bspatch" does not work, nor how it doesn’t work, it isn’t anywhere ... Does anyone have a working "bspatch" utility? Thank you very much!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on October 10, 2019, 05:26:57 pm
You really should pay attention to what mabl has to say, it will save you a lot of headache if you are having trouble with the process.  He has spent a lot of time to create tools to help the less experienced owners to avoid the exact challenges you are facing.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 10, 2019, 05:46:51 pm
Good! I'll try as Mabl suggests. There are questions: where to get "name_of_patch.bpatch" What is it? The file: appEntry is mentioned in the patch.txt file. File "appEntry" to take the one that created the command "cp / rigol / appEntry / media / sda1 /" Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on October 10, 2019, 06:28:37 pm
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on October 11, 2019, 01:52:41 am
  • after_patch_md5sum - change to value to the expected checksum after  patch_file was applied to file_to_patch.

Where/how does one come up with this checksum?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Urzov on October 11, 2019, 05:10:19 am
Hello everybody. Same question! Is it possible not to apply a checksum? Should there be only 2 files on a USB drive? (renamed "patch_file" and "patch.txt") and "DS5000Update.GEL" is not needed on a USB drive?
Need help! I don’t feel like buying another MSO5072 and torturing him too...  :-[  Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NED88 on October 11, 2019, 11:35:38 am
  • after_patch_md5sum - change to value to the expected checksum after  patch_file was applied to file_to_patch.

Where/how does one come up with this checksum?


The expected md5 checksum is quoted here:  https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701)  and the md5 checksum for the original file is generated with this command:  md5 -q appEntry (using a Unix/Linux/Mac terminal).  To check the md5 checksum of the patched file,  run:  echo "3f95cb3236b47826e303de960596f966  appEntry" | md5sum -c from the scope once you've ssh'd into it from Unix.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on October 12, 2019, 09:41:26 pm
It is also possible to generate the MD5 checksum in windows, as delfinom pointed out in this message


Also instead of running strange third party software to compute a md5sum of a file on windows just do
  CertUtil -hashfile appEntry MD5
in a command window
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Xtremexp on October 12, 2019, 09:58:02 pm
Or you can use hxd hex editor to find the md5 hash
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on October 14, 2019, 09:05:39 am
It is also possible to generate the MD5 checksum in windows, as delfinom pointed out in this message


Also instead of running strange third party software to compute a md5sum of a file on windows just do
  CertUtil -hashfile appEntry MD5
in a command window

Or you can use hxd hex editor to find the md5 hash

The md5 checksum after patching is usually not available to the user, since the patched file is only on the scope. The md5 should be given together with the patch file. Note that if the md5 does not match, my patcher will output the mismatch checksum values.
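
The checksum gate described in the post above (check the MD5 before patching, apply the patch, check the MD5 after, report both values on a mismatch), sketched as an added example; it is not mabl's patcher or any code from this thread. `gated_patch`, `ChecksumMismatch` and the sample data are hypothetical names; the default patch step calls the standard `bspatch oldfile newfile patchfile` command line, and the demo swaps in a constructed byte replace so it runs without bspatch installed.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile


class ChecksumMismatch(Exception):
    """The file's MD5 is not the one the patch was made for (or produced)."""


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large images are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_bspatch(old_path, new_path, patch_path):
    """Default patch step: bspatch <oldfile> <newfile> <patchfile>."""
    subprocess.run(["bspatch", old_path, new_path, patch_path], check=True)


def gated_patch(target, patch_path, before_md5, after_md5, patch_step=run_bspatch):
    """Patch `target` in place only if the before and after checksums agree."""
    before_md5, after_md5 = before_md5.strip().lower(), after_md5.strip().lower()
    current = md5_of(target)
    if current == after_md5:
        # Typical when the two sums were swapped or the patch was run twice.
        return "already-patched"
    if current != before_md5:
        raise ChecksumMismatch(
            f"before-patch MD5 mismatch: expected {before_md5}, found {current}")

    # Patch into a temp file in the same directory; the original is untouched
    # until the result has been verified.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(target)))
    os.close(fd)
    try:
        patch_step(target, tmp, patch_path)
        produced = md5_of(tmp)
        if produced != after_md5:
            raise ChecksumMismatch(
                f"after-patch MD5 mismatch: expected {after_md5}, found {produced}")
        shutil.copymode(target, tmp)   # keep the executable bit
        os.replace(tmp, target)        # atomic swap on the same filesystem
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return "patched"


def demo():
    """Constructed data; a byte replace stands in for bspatch."""
    original = b"constructed image, build=A\n"
    other_release = b"constructed image from a different release\n"
    before = hashlib.md5(original).hexdigest()
    after = hashlib.md5(original.replace(b"build=A", b"build=B")).hexdigest()

    def fake_patch(old, new, _patch):
        with open(old, "rb") as src, open(new, "wb") as dst:
            dst.write(src.read().replace(b"build=A", b"build=B"))

    def corrupt_patch(_old, new, _patch):
        with open(new, "wb") as dst:
            dst.write(b"truncated")

    def attempt(target, step):
        try:
            return gated_patch(target, "unused.bpatch", before, after, step)
        except ChecksumMismatch as exc:
            return str(exc)

    out = {}
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "appEntry")

        def reset(data):
            with open(target, "wb") as fh:
                fh.write(data)
            os.chmod(target, 0o755)

        reset(original)
        out["bad_patch"] = attempt(target, corrupt_patch)
        out["kept_after_bad_patch"] = md5_of(target) == before
        out["first_run"] = attempt(target, fake_patch)
        out["mode_kept"] = (os.stat(target).st_mode & 0o777) == 0o755
        out["second_run"] = attempt(target, fake_patch)
        reset(other_release)
        out["wrong_release"] = attempt(target, fake_patch)
        out["kept_wrong_release"] = md5_of(target) == hashlib.md5(other_release).hexdigest()
        out["files"] = os.listdir(workdir)
    return out


if __name__ == "__main__":
    print(demo())
```

The MD5 comparison here only confirms that the file is the exact image the patch was built against and that the output is the expected one; it says nothing about who produced the patch.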
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nelson_mendes on October 14, 2019, 09:16:40 pm
Hello everyone!

I've been following this topic quite often but never broke the ice to present myself, so here it goes...

I'm Nelson, Portuguese and currently living in Sweden.

Owning a Rigol 5072 since some time, I was able to unlock its features thanks to the hard worked information from this topic.
So, a special thank you to Mabi, TV84, NED88 and so many others that made it possible...

The latest firmware got my interest due to fix the overshoot in the 4 channels, something that also seen in my scope in channels 3 and 4.

Being ungodly unblessed with any kind of hacking skills, I tried my best to follow the instructions given to other members and attached You can see what I got.


When I tried to patch the scope 04.08 using Mabi's autopatcher I got the MD5sum error and a whole different MD5sum and at this moment I'm feeling quite lost.
It was only today that I got SSH working (using Putty in windows 10 didn't work for me) and I'm struggling to basically do what needs to be done.

I generated the bpatch file over the firmware file and got a wrong md5sum while attempting to patch the scope.
I also generated the bpatch file over the app_Entry file copied by SSH and attempted to patch the scope, but again wrong md5.

Could someone please help?
I really don't have a notion about what I'm doing wrong...

Thank you all.

//Nelson





Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on October 15, 2019, 03:37:56 am
Finally, the time arrives and I will trigger an order for 5072 or 5074

Are the new ones hackable same way, as the old ones?

Any terrifying problem that can void the new order plan?

Still the best Scope for 1K USD?  ( assuming I will hack, and I will )

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on October 15, 2019, 08:53:17 am
Could someone please help?
I really don't have a notion about what I'm doing wrong...

Which patch_file did you use? Reference its origin.

Finally, the time arrives and I will trigger an order for 5072 or 5074

Are the new ones hackable same way, as the old ones?

Any terrifying problem that can void the new order plan?

Still the best Scope for 1K USD?  ( assuming I will hack, and I will )

Y N Y
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nelson_mendes on October 15, 2019, 10:31:22 am
Hi TV84,

I got it from here and called it MABI.GEL just to make it simple during the bsdiff/bspatch process:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640)

Let me see if I got this right...

Do I need to do "bsdiff Firmware_04.08.gel Mabi.GEL patch04.08.bpatch" or "bsdiff appEntry Mabi.GEL patch04.08.bpatch"?

Or is it something even different?


Thanks! ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on October 15, 2019, 10:40:55 am
Finally, the time arrives and I will trigger an order for 5072 or 5074

Are the new ones hackable same way, as the old ones?

Any terrifying problem that can void the new order plan?

Still the best Scope for 1K USD?  ( assuming I will hack, and I will )
And Rigol has a promotion where you can get lots of the software options included for free (does not include BW upgrade, 4-channel in case you purchase 2-channel model and maybe some other options are not included in the promotion)... but you can still hack it and get all  the options activated.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on October 15, 2019, 11:00:06 am
I got it from here and called it MABI.GEL just to make it simple during the bsdiff/bspatch process:

Or is it something even different?

Way off! Read mabl's msg carefully. You need to place the 3 files in the USB pen. And, mabl's doesn't include any patching info. So, you must create it yourself or get it from another place.

mabl's GEL is just a patcher tool.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nelson_mendes on October 15, 2019, 08:46:56 pm
Good evening!

I finally made it! A very special thanks to Mabi, AngusBeef, Delfinon, TV84 and many others...

It happens I was being such a "Nabo da Serra" |O and was mixing the md5sums... All good now...


//Nelson
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AngusBeef on October 17, 2019, 03:46:45 am

The latest firmware got my interest due to fix the overshoot in the 4 channels, something that also seen in my scope in channels 3 and 4.

Being ungodly unblessed with any kind of hacking skills, I tried my best to follow the instructions given to other members and attached You can see what I got.


The .04.08 patch didn't fix my overshoot issues, I used the calibration data that @Mabl had posted  before on a different topic and it worked for me.

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2240841/#msg2240841 (https://www.eevblog.com/forum/blog/new-rigol-scope/msg2240841/#msg2240841)

EDIT3:
The problematic calibration is lfcal.hex. Just replacing that file gives perfectly shaped squares again.

mabl, would it be possible for you to upload, or send to me, your working lfcal.hex?

See attached.


I will check later to be sure, but I suspect that auto-cal does nothing... I have the overshoots on 3 channels and nothing changes when I use auto-cal. I even did it while I had input signals fed to all channels - the result didn’t change, everything looked as before, and I suppose that in that scenario the ‘scope should have lost calibration.

Cannot confirm. When using the default calibration, the spikes are less pronounced than after the autocalibration. Things do not change afterwards however.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on October 27, 2019, 09:18:26 pm
Backup scripts for Rigol MSO5000 and MSO/DS7000

Attached is a .GEL that does a backup of the /rigol/data directory and the 8 kB FRAM memory. Run as a normal update.

It also does a memdump (450MB) so you should use a USB disk with size >= 512 MB. (Why this one? Because sometimes it's useful...  ;) )

With /rigol/data and FRAM, we can recreate the scope from scratch (as long as the bootloader is OK).

If anyone tests the script, please report the results and how much time it took.

Edit1: Added a .GEL that does a backup of the full NAND (mt0->mt12). Since the NAND is 1 GB in size, you must be patient! It could take some minutes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on October 27, 2019, 09:39:17 pm
Man, I hope I just did something wrong that is easily fixable. I updated to 01.01.04.08, enabled SSH, ssh'ed in and grabbed the appEntry. I then removed the USB stick and put it in my PC where I ran the bspatch and the put the appEntry back into the /rigol folder after making sure it was executable. Now my MSO 5074 starts up and show the progress bar going completely across the screen, but the Rigol logo does not disappear and the scope does nothing. Any ideas how I can fix this?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on October 27, 2019, 09:46:58 pm
Any ideas how I can fix this?

Here. (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2721390/?topicseen#msg2721390)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on October 27, 2019, 09:49:38 pm
Thanks. I found that after I stopped freaking out a bit. So I believe the issue was that I did an online upgrade from Rigol to get to official firmware before I did the binary patch on appEntry. Clearly the version posted is different from the version included in the steps here. I haven't been able to find it on rigolna though.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on October 27, 2019, 10:17:46 pm
Well, I went back and tried it with the version from https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.08.GEL but I got the same results where the scope wouldn't get past the boot screen  :'( I'm not sure what I've done wrong, but at least I'm back to 01.01.04.04 with all options and that silly overshoot still.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on October 27, 2019, 11:20:34 pm
backup + FRAM: 2 minutes 40 seconds
NAND: not tested yet
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on October 28, 2019, 02:39:26 am
backup + FRAM: 2 minutes 40 seconds
NAND: not tested yet

I'm sorry, if this was to me, I'm not sure what you mean.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on October 28, 2019, 03:57:26 am
I resolved my issues and now am good to go with the fixed Cal data provided earlier, the 01.01.04.08 firmware and all of the options. Thanks everyone!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on October 28, 2019, 12:57:07 pm
NAND backup does not work. After one second get message that upgrade is completed and need reboot but on the stick there is nothing saved.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on October 28, 2019, 01:09:14 pm
backup + FRAM: 2 minutes 40 seconds
NAND: not tested yet

I'm sorry, if this was to me, I'm not sure what you mean.
Sorry, it is for TV84
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Jean-Michel on October 28, 2019, 02:49:44 pm
Hello,

I have full option mode, version 01.01.04.04. Has anyone tried the upgrade to 01.01.04.08?
Do you always keep the full option?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on October 28, 2019, 08:04:30 pm
Sorry, I have to finish some home business.
The task was completed successfully in about 10 minutes.
On disk I found these files (attached).
Scope is 5074 with FW: 00.01.01.04.08 with mod (bspatch).



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on October 28, 2019, 09:16:20 pm
Hello,

I have full option mode, version 01.01.04.04. Has anyone tried the upgrade to 01.01.04.08?
Do you always keep the full option?

You don't. You have to apply the new fix for the patched appEntry, but it is possible; after a bit of tinkering I was able to get it to work last night.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on November 01, 2019, 06:25:12 am
Does anyone know why the FW update is still absent from the North America site?

And still absent in Europe (rigol.eu), strange….
I've asked them about it without getting an answer.
I'll try again.

And another month passes with no update :(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on November 01, 2019, 07:36:17 am
Yep.. :(
I've asked again on October 29th, answer was sorry for delaying but it should happen "soon".....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Ditiris on November 01, 2019, 01:29:38 pm
Just wanted to drop a big THANK YOU! on this thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nikolai on November 02, 2019, 04:40:37 am
Got my MSO5074 from China two weeks ago. Hardware revision 01.01.000 FW revision 00.01.01.04.08 out of the box.
Hacked successfully. Big thanks to all smart contributors for the creative solutions.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilyacniihm on November 04, 2019, 02:32:53 pm
Hello. please tell me again how to hack the firmware 01.01.04.08 correctly.

1) Copy DS5000Update.GEL file on the USB drive.

2) Download the Bpatch file from this post and remove the .txt extension (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701)
and copy on USB drive

3) create configuration file on USB drive "patch.txt"

file_to_patch=/rigol/appEntry
file_to_patch_md5sum=afe3e7c2d38bdebb66d3f1f11d910743
patch_file=appEntry_01_01_04_08.bpatch
after_patch_md5sum=3f95cb3236b47826e303de960596f966

4) Connect USB drive and go to the Utility / System / Help / Local Upgrade menu


Correct me if something is wrong. I have never worked with Linux. |O
Thank you very much.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on November 04, 2019, 06:39:54 pm
Hi,
First do a backup of rigol/data directory with script from TV84 post above - https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356
Then upgrade scope to 01_01_04_08 version.
After that do what you said from point 1 to 4.
Make sure that DS5000Update.gel is the right one. https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=841706
You must have three files on the disk for this FW:

  DS5000Update.GEL
  patch.txt
  appEntry_01_01_04_08.bpatch

Success!


A big thank you to all who have spent their personal time to make this thing and share with us!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: matlipinski on November 05, 2019, 12:22:46 pm
Could someone dump rights and ownership of /rigol/data directory and files (/rigol/data folder itself too). Thank you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on November 05, 2019, 10:08:06 pm
Could someone dump rights and ownership of /rigol/data directory and files (/rigol/data folder itself too). Thank you.

Done in the other thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Xandr on November 07, 2019, 05:43:18 pm
Hello!
Help patch. Did everything by the instructions above:
3 files on a flash drive, starting the update. Gives an error message:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Xandr on November 07, 2019, 07:16:21 pm
Hello!
Help patch. Did everything by the instructions above:
3 files on a flash drive, starting the update. Gives an error message:

Dear skander36 promptly helped! Many thanks to everyone!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilyacniihm on November 08, 2019, 05:09:49 am

Dear skander36 promptly helped! Many thanks to everyone!

Hi! Can you tell me how you hacked the oscilloscope? What was wrong with the three files? I just ordered the oscilloscope, haven't received it yet. Prepare)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Xandr on November 08, 2019, 05:33:43 am
I have not compared files yet.  I think it's all about file encoding "patch.txt"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: matlipinski on November 08, 2019, 08:49:03 am
You have to use LINUX line endings (not Windows) for patch.txt.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on November 08, 2019, 10:22:50 am
You have to use LINUX line endings (not Windows) for patch.txt.
I have used Windows (Notepad used) with no problem. Nothing edited with Linux.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Xandr on November 08, 2019, 12:59:24 pm
I had in Windows (CR LF), I need Unix (LF). I don’t want to check anymore, but I think the reason was this.
(Screenshots Notepad ++)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ryohnosuke on November 12, 2019, 05:20:25 pm

Dear skander36 promptly helped! Many thanks to everyone!

Hi! Can you tell me how you hacked the oscilloscope? What was wrong with the three files? I just ordered the oscilloscope, haven't received it yet. Prepare)

What was the fix? I checked the MD5 file and seems OK but I have the same error. :'(

Edit: You're right!

With Notepad++

Edit -> EOL Conversion -> (Unix LF) and save changes
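
The CRLF-versus-LF failure discussed in the posts above, together with the before/after hashes in the patch.txt posted earlier, as an added example that is not part of any post or of the scope's own updater: a Python check to run on the PC before the stick goes into the scope. It assumes the updater splits patch.txt on LF only and compares MD5 strings byte for byte (the thread does not say how the file is parsed); all function names are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

REQUIRED = ("file_to_patch", "file_to_patch_md5sum",
            "patch_file", "after_patch_md5sum")
MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_patch_txt(raw: bytes):
    """Parse patch.txt the way an LF-only parser would (assumption) and
    return (values, problems)."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 BOM")
    if b"\r" in raw:
        problems.append("CR bytes found: Windows (CRLF) line endings")
    values = {}
    for number, line in enumerate(raw.split(b"\n"), start=1):
        if not line.strip():
            continue
        key, sep, value = line.partition(b"=")
        if not sep:
            problems.append(f"line {number}: no '=' separator")
            continue
        # No strip() on purpose: with CRLF the CR stays glued to the value,
        # so a 32-character hash becomes a 33-character string.
        values[key.decode("latin-1")] = value.decode("latin-1")
    for key in REQUIRED:
        if key not in values:
            problems.append(f"missing key: {key}")
        elif key.endswith("md5sum") and not MD5_RE.fullmatch(values[key]):
            problems.append(
                f"{key} is not 32 lowercase hex digits: {values[key]!r}")
    return values, problems


def md5_file(path):
    """MD5 of a file, read in chunks. MD5 is used only because patch.txt
    uses it; it catches a wrong or corrupted file, not deliberate tampering."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_target(values, local_copy):
    """Return (matches, actual_md5) for a local copy of file_to_patch."""
    actual = md5_file(local_copy)
    return actual == values.get("file_to_patch_md5sum"), actual


def demo():
    # The four lines posted in the thread, saved with LF and with CRLF.
    lines = [
        "file_to_patch=/rigol/appEntry",
        "file_to_patch_md5sum=afe3e7c2d38bdebb66d3f1f11d910743",
        "patch_file=appEntry_01_01_04_08.bpatch",
        "after_patch_md5sum=3f95cb3236b47826e303de960596f966",
    ]
    unix = ("\n".join(lines) + "\n").encode("ascii")
    windows = ("\r\n".join(lines) + "\r\n").encode("ascii")
    unix_values, unix_problems = parse_patch_txt(unix)
    _, windows_problems = parse_patch_txt(windows)
    # Constructed stand-in for a copied appEntry (not real firmware), so the
    # hash comparison is expected to fail, which is the signal to stop.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "appEntry"
        sample.write_bytes(b"constructed sample, not real firmware\n")
        matches, _ = check_target(unix_values, sample)
    return unix_problems, windows_problems, matches


if __name__ == "__main__":
    unix_problems, windows_problems, matches = demo()
    print("LF file problems:  ", unix_problems)
    print("CRLF file problems:", windows_problems)
    print("constructed appEntry matches expected hash:", matches)
```

A hash mismatch on the real file means the installed firmware is not the version the patch was built for, which is the situation several posters above ended up in with a scope stuck at the boot screen.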


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on November 12, 2019, 06:54:08 pm
My fresh 5074 just arrived, what is the latest procedure to do the magic?

I have a free bundle for some options, will the magic interfere with this?

Hardware 01 00 000
Firmware  00 01 01 04 04
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sumect on November 15, 2019, 08:35:25 am
This is just a play-by-play of what I did – I struggled my way through it so there are ways to run things more efficiently or better that I wasn’t aware of at the time.

Step 1: Get your Linux workstation functional, either by installing directly or running it within VirtualBox. I’m using a Windows PC so I’m running everything through VirtualBox, which just adds a couple intermediate steps.

Step 2:
Get organized – I made 3 folders, “Upgrade”, “Enable SSH”, and “Patch”.
-   In the Upgrade folder, download the 01.01.04.08 GEL from GitLab and rename it DS5000Update.GEL (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.08.GEL)
-   In the Enable SSH folder, add the GEL file from this post and rename it DS5000Update.GEL (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076)
-   In the Patch folder, download the Bpatch folder from this post and remove the .txt extension (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701)

Step 3: Upgrade the MSO5000 using the DS5000Update.GEL file from the Upgrade Folder. Put the file onto the root directory of the USB drive and then go to the Utility / System / Help / Local Upgrade menu once you’ve put the USB into the MSO5000 and upgrade to 01.01.04.08. Restart the Oscilloscope.

Step 4: Now time for the heavy lifting. Put the USB drive back into the computer and remove the update file you just used from the USB stick. Now go to the Enable SSH folder and put that DS5000Update.GEL file onto the USB drive. Put the USB stick into the MSO5000 and run the Local Upgrade again. Oh no, it failed! Except it didn’t, as @mabl stated in his post, it will look like it failed but it works. DO NOT RESTART THE OSCILLOSCOPE, otherwise you will have to run step 4 again. Also, leave the USB stick in the MSO5000 for the next steps.

Step 5: If it’s not already connected, connect your MSO5000 to your LAN or use a crossover cable if you have one to hook it to your computer. If all you have is “normal” LAN cables, you’ll need to use your router and can’t hook directly to your PC. Now go to the Utility/ IO / LAN menu and write down the IP address of your MSO5000.

Step 6: If it’s not already in your distro, go to the software manager and download Putty so that you can SSH (Secure Shell) across the network into your MSO5000. Once it’s downloaded, you’re going to follow some of the instructions from @TopLoser that @TrickTronic posted.  First, run PuTTY and put the IP address into the IP window, use Port 22, and select SSH for your connection type. Then, use “root” as the username and “Rigol201” as the pwd. You’re now connected to the Oscilloscope.

Step 7: In the SSH, type (without quotes) “cp /rigol/appEntry /media/sda1/”. Once it’s finished writing it to the USB stick (although it’s probably not the “best” answer), just pull the USB stick out and put it back into your computer. Copy the bspatch file into the root of the USB stick as well. Right click and open a terminal window starting in the USB stick and type “bspatch appEntry appEntryPatched appEntry_01_01_04_08.bpatch” into the terminal. It will create you a new file called appEntryPatched. Rename the original file to appEntryUnpatched or something similar and then rename the patched file to appEntry. Now remove the USB stick and put it back into the Oscilloscope.

Step 8: I hope you kept your SSH open, if not then open it back up. Type “cd /media/sda1”. If the command fails, replace sda1 with sdb1. My MSO5000 mounted the USB drive into this second location when I put it back in. Type “ls” (LS in lower case if the font here sucks) to see the files in the directory. You should see your files. Now run “chmod +x appEntry” to allow the appEntry file to be an executable, otherwise it will not work. To make this next step easier, move back to the root directory using “cd /”. You can type “pwd” at any time in SSH or Terminal to see the directory you’re currently in at any time. Now copy the file back to the oscilloscope, “cp /media/sda1/appEntry /rigol/” and you should be good to go.

Step 9: Restart your Oscilloscope and don’t forget to thank the dozens of people on this forum who made this possible.


Hi, I did exactly as you said, but after rebooting the oscilloscope it does not work now; it is stuck at the logo interface.

Can anyone help me? Thanks a lot!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on November 15, 2019, 08:59:45 am
Hi Sumect,
Try to downgrade firmware using version from Rigol site.
For that you need to press "Single" key from oscilloscope keyboard after pressing power button. You will see a black screen with a menu with two entries that gives you the possibility to install firmware.
Please let us know if you succeed.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on November 15, 2019, 01:04:06 pm
Hi,
As long as the current fw. version 01.01.04.08 is available from Rigol site, the procedure for patching is simple.

1. Upgrade scope to version 01.01.04.08 by method Online upgrade. Please double check if the new version at which the scope was upgraded is 01.01.04.08. If it's newer you cannot apply this patch until a new version will be released.
2. Put on a USB stick the three files attached (doc extension must be removed, as the forum does not allow gel or bpatch extension) and do the upgrade.

That's all.

Again a big Thank you to those that make this possible !  :-+



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sq6iyn on November 19, 2019, 05:10:06 pm
OK. It works. Many thanks to those who give joy of this fun.  :-+ :D :clap:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mitchel on November 21, 2019, 11:32:14 pm
This Patch works great! Thank you very much. I just received my new MSO5074 and successfully applied the patch in about 3 minutes. The scope is fully upgraded now. Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DeKu on November 30, 2019, 07:16:14 pm
Hi again,
I too can confirm, that the Patch works just as easy as described. I did an online Upgrade of my MSO5074 which was already patched / unlocked.

After the Official Upgrade all Options went back to regular. And after Patching it via the 3 Files on an USB Stick, everything was unlocked again.

So big Thanks to everyone to make it such a simple Task.

DeKu
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rolfdegen on November 30, 2019, 08:06:53 pm
Hello

It's my first time with a Rigol MSO5104. How can I trigger two waveforms on my MSO5104?

My old Siglent SDS1102CML+ has an Alternative trigger function.

I find in the trigger menu only this solution (see picture).

Trigger two waveforms
(https://i.ibb.co/Ypj5Rdg/RigolDS0.png)

Thanks for help. Rolf
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on November 30, 2019, 08:10:29 pm
Hi Rolf,

Please use the suitable thread for your question (see my signature), this here is only for hacking.


Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jaromir on November 30, 2019, 09:42:52 pm
As long as the current fw. version 01.01.04.08 is available from Rigol site, the procedure for patching is simple.
<SNIP>
Thank you for recap, this worked really well, it's really as simple as that. Applied on MSO5074 01.01.04.04 factory firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on December 01, 2019, 10:07:00 am
Another happy user of the patch, Thank you very much

But no ssh available to take a look on files, who needs since everything is hacked as expected
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on December 03, 2019, 11:27:49 pm
But no ssh available to take a look on files, who needs since everything is hacked as expected

You can still use mabl's SSH patch (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076) to get temporary access (until the scope is rebooted). Login, password, etc. is the same.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on December 04, 2019, 01:37:01 am
Yep.. :(
I've asked again on October 29th, answer was sorry for delaying but it should happen "soon".....

Looks like Rigol has a very loose definition of "soon" regarding release of new FW. My biggest concern with buying this scope without updated FW is the trigger over shoot bug. It seems that some have performed a calibration to get around the problem, but it isn't clear to me if that is just masking the issue. I know I would feel a lot better about buying this scope if I knew for sure that bug wasn't going to exist out of the box.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on December 04, 2019, 08:10:53 am
soon in China is same as never
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 04, 2019, 08:33:21 am
........................My biggest concern with buying this scope without updated FW is the trigger over shoot bug................................
What trigger overshoot bug ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on December 04, 2019, 01:45:28 pm
The one Dave identified in his initial review video of the scope. This (https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2677629/#msg2677629) post and the 3 after it discuss the problem and a "fix" that seems to work for some users.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jemangedeslolos on December 05, 2019, 09:29:51 am
I don't think it's a widespread problem.
I bought mine in April 2019, so I have HW 1.00 with FW 01.01.04.04.
I never performed a sw calibration, just powered my scope, probe calibration and I have no over/undershoot issue.

 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on December 05, 2019, 11:47:15 am
Same here, no overshoot at all running .08 firmware.

Martin72, has Boris given you any indication of when the 5000 FW is going to be updated at all?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on December 05, 2019, 01:54:40 pm
The one Dave identified in his initial review video of the scope. This (https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2677629/#msg2677629) post and the 3 after it discuss the problem and a "fix" that seems to work for some users.
What does that have to do with triggering?
It is a pulse response overshoot, and it is not widespread problem it seems.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 05, 2019, 06:29:10 pm
Hi,

Quote
Martin72, has Boris given you any indication of when the 5000 FW is going to be updated at all?

In short form he "told" me "in a couple of days (at last)".
This was on Nov 26th.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on December 06, 2019, 12:38:28 am
The 8000 has landed will report back over the weekend

I suspect now the 8000 is moving the 5000 fw upgrade will not be long now
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on December 06, 2019, 10:34:01 am
Mine is a new unit, and does not show this problem
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 06, 2019, 09:59:10 pm
Mine is the "very old" unit (bought in Nov. 2018) and never had any issues at all... ;)
Apart from this, the overshoot issue is a real problem rigol.eu once confirmed to me.

Quote
I suspect now the 8000 is moving the 5000 fw upgrade will not be long now

Boris wrote me it will last a couple of days - this was nearly 2 weeks ago.
I won't blame him for this; he depends on what Rigol says to their distribution quarters.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on December 06, 2019, 11:07:16 pm
Do not think it will be long now before the FW is released
 
The 8000 has some very slick operations compared to the 5000 and 7000 models, nice colour change for the input screens and pretty close to 1.4Ghz with 245ps rise time (currently)

Feels a very different animal to the previous two Phoenix chip-set models.

If they (Rigol) can incorporate some of the 8000's slick gui updates then it will make a lot of you guys very happy.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 07, 2019, 07:08:40 pm
Sighound36 was kind enough to loan me his time and new purchase so that I could try some model changes...  :popcorn:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on December 08, 2019, 01:33:51 pm
Sighound36 was kind enough to loan me his time and new purchase so that I could try some model changes...  :popcorn:

Wow, that was quick...  8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on December 09, 2019, 08:00:10 pm
Apologies new thread started for the MSO8000

https://www.eevblog.com/forum/testgear/rigol-mso-8000/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 09, 2019, 08:16:43 pm
Quote
More to come later in the week.

And maybe in a new thread ?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: swperk on December 10, 2019, 01:46:47 am
I just received a Rigol DS7014 scope with 01.01.06.00 firmware. I used Putty to open start.sh, but cannot find the place to insert the -fullopt keyword, as there is no appEntry text in the entire script. I'm not a big Linux guy, so any and all help will be appreciated. Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Xtremexp on December 10, 2019, 01:49:14 am
Then rigol has new firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: swperk on December 10, 2019, 01:56:19 am
All I see in the firmware release notes for the DS7000 are firmware versions v00.01.01.05.09 dated 2018/05/03, and v00.01.01.07.01 dated 2018/07/10. There is no mention of 00.01.01.06.00. Strange.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: swperk on December 10, 2019, 05:02:04 am
A few questions about my DS7014:

Does the appEntry hack survive firmware upgrades?
Is it possible to downgrade the firmware to 01.01.04 from 01.01.06?
If so, where can I find a copy of the 01.01.04 firmware?

Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Simon on December 10, 2019, 06:33:41 pm
A few questions about my DS7014:

Does the appEntry hack survive firmware upgrades?
Is it possible to downgrade the firmware to 01.01.04 from 01.01.06?
If so, where can I find a copy of the 01.01.04 firmware?

Thanks!

Start a new thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 12, 2019, 06:35:01 pm
Hi,

Quote
Martin72, has Boris given you any indication of when the 5000 FW is going to be updated at all?

In short form he "told" me "in a couple of days (at last)".
This was on Nov 26th.

Asked today again, the launch date will be postponed until the end of January..  :palm:  :--
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on December 13, 2019, 07:44:58 am
Hi,

Quote
Martin72, has Boris given you any indication of when the 5000 FW is going to be updated at all?

In short form he "told" me "in a couple of days (at last)".
This was on Nov 26th.

Asked today again, the launch date will be postponed until the end of January..  :palm:  :--

At this point I'm not going to hold my breath.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tonylam on December 17, 2019, 03:44:20 pm
I just received a brand new 5072 today and come with the fw ver 01.01.04.08.

Those three files from skander36 work perfectly.

I encountered a problem while using a 16GB USB Drive, but it was solved after replacing it with the 32GB USB Drive. It is highly recommended that you prepare two or more USB Drives of different brands and sizes before performing the upgrade. My failing one is a Sandisk 16GB and the working one is a Sandisk 32GB (Tiny one).

Case:
When you find that the USB Drive is empty except the GEL file after the backup process:
   - Attach the USB drive back to the scope, press Storage/Disk
   - If you find there are two or more USB Disks, it means that you may need to try another USB Drive.

Enclosed with all the files from skander36 and backup GEL file from TV84.


My workflow is:
(Please read carefully, especially how to handle the GEL files with the same name).

1. Format the USB Drive (FAT32 Format);
2. Copy the DS5000Update.GEL.backup.doc to the USB Drive;
3. Rename it by deleting the "backup.doc" extension;
4. Attach the USB Drive to scope;
5. Press Utility/System/Help/Local upgrade;
6. After it has finished, the screen will show a message telling you to reboot the scope;
7. Turn off the scope;
8. Attach the USB drive back to your Mac / PC;
9. Copy all the files except the GEL files and folder back to your Mac / PC for your backup;
10. Format the USB Drive (FAT32 Format);
11. Copy another three files to the USB Drive, rename them by removing the ".doc" extension;
12. Attach the USB Drive back to the Scope, turn it on;
14. Wait until the screen shows that the USB Drive was attached.
15. Press Utility/System/Help/Local upgrade
16. The screen will turn to white background and follow the instruction to press any keys.
17. After the upgrade process is finished, the scope will reboot.
18. Done! Enjoy!

Please correct me if any mistake or typo. Thanks!

Thank you so much for all of you to contribute here!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eurofox on December 17, 2019, 10:35:16 pm
Hi,

Could you guys confirm that an MSO5074 70 MHz version can be upgraded to 350 MHz?  :popcorn:

Thanks,

eurofox
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 17, 2019, 10:35:46 pm
Sure... ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on December 17, 2019, 10:39:23 pm

Could you guys confirm that an MSO5074 70 MHz version can be upgraded to 350 MHz?  :popcorn:


Measured bandwidth using a Leo Bodnar pulser was 430-440 MHz.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 17, 2019, 10:53:05 pm
Like this:

https://www.eevblog.com/forum/testgear/50-ohm-terminator-for-oscilloscope-input-from-function-generator-ouput/msg2828672/#msg2828672

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jeferreira on January 03, 2020, 05:22:52 pm
Dear, I come here to thank the fantastic geniuses who developed the magic of turning 70 into 350! I just did this upgrade and in fact it allows you to easily view signals up to 500MHz and with little difficulty up to 900MHz. Fantastic!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jeferreira on January 03, 2020, 05:48:06 pm
See this:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on January 03, 2020, 09:55:52 pm
It's amazing putting that Pendrive on a 70 Mhz scope, and 2 minutes later have a 350 Mhz and above scope

Yes Eurofox it's possible and very easy
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on January 04, 2020, 12:53:56 am
Two quick questions:
1. If someone were to buy a scope to upgrade, can they buy the MSO5072 and end up with a MSO5354?
2. Has anyone found a cheaper option for the logic analyzer cables than the $400 PLA2216?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on January 04, 2020, 01:15:13 am
Both are the same hardware scope, but the 5074 comes with 4 350 MHz probes and the 5072 only 2. Since those probes aren't cheap, it's a better deal to buy the 5074. On the forum, you can find some DIY logic probes, but they cost near 65% of a Rigol one.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on January 04, 2020, 02:29:02 pm
Two quick questions:
1. If someone were to buy a scope to upgrade, can they buy the MSO5072 and end up with a MSO5354?

Yes, Rigol sells all the upgrades, including bandwidth.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mattkai45 on January 07, 2020, 02:58:25 pm
Thanks for the instructions, I am about to try this. My only concern is firmware version, do I need a specific firmware version before applying the hack? I have 00.01.01.020.03.

I just received a brand new 5072 today and come with the fw ver 01.01.04.08.

Those three files from skander36 work perfectly.

I encountered a problem while using a 16GB USB Drive, but it was solved after replacing it with the 32GB USB Drive. It is highly recommended that you prepare two or more USB Drives of different brands and sizes before performing the upgrade. My failing one is a Sandisk 16GB and the working one is a Sandisk 32GB (Tiny one).

Case:
When you find that the USB Drive is empty except the GEL file after the backup process:
   - Attach the USB drive back to the scope, press Storage/Disk
   - If you find there are two or more USB Disks, it means that you may need to try another USB Drive.

Enclosed with all the files from skander36 and backup GEL file from TV84.


My workflow is:
(Please read carefully, especially how to handle the GEL files with the same name).

1. Format the USB Drive (FAT32 Format);
2. Copy the DS5000Update.GEL.backup.doc to the USB Drive;
3. Rename it by deleting the "backup.doc" extension;
4. Attach the USB Drive to scope;
5. Press Utility/System/Help/Local upgrade;
6. After it has finished, the screen will show a message telling you to reboot the scope;
7. Turn off the scope;
8. Attach the USB drive back to your Mac / PC;
9. Copy all the files except the GEL files and folder back to your Mac / PC for your backup;
10. Format the USB Drive (FAT32 Format);
11. Copy another three files to the USB Drive, rename them by removing the ".doc" extension;
12. Attach the USB Drive back to the Scope, turn it on;
14. Wait until the screen shows that the USB Drive was attached.
15. Press Utility/System/Help/Local upgrade
16. The screen will turn to white background and follow the instruction to press any keys.
17. After the upgrade process is finished, the scope will reboot.
18. Done! Enjoy!

Please correct me if any mistake or typo. Thanks!

Thank you so much for all of you to contribute here!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on January 07, 2020, 03:05:32 pm
One must read the entire thread to understand what was done and by whom.
Shortcuts may be costly.
Actual patch can be applied only on version 01.01.04.08.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 07, 2020, 08:38:07 pm
Quote
I have 00.01.01.020.03.

Sure?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 07, 2020, 09:07:44 pm
00.01.01.02.03
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hedehede81 on January 12, 2020, 03:35:08 am
My MSO5074 is on its way now. What if it is on an older firmware than 01.01.04.08? Is making an online upgrade enough, or is there a local upgrade file for 01.01.04.08?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on January 12, 2020, 04:10:45 am
Both will work
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 808exe on January 16, 2020, 03:30:38 am
Just got my 5074 today and upgraded it straight away! Super easy! Just followed this exchange and everything worked fine!
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2769676/#msg2769676
Thanks guys, you're awesome!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gudvin1 on January 17, 2020, 07:42:21 am
Good afternoon! I got my Rigol MSO5072 in the morning. Firmware 01.01.01.04.04
Hardware 01.01.000
Can I use the files from this page for firmware 08? Thank you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gudvin1 on January 17, 2020, 01:58:26 pm
All! To all participants a huge human thanks! I asked without waiting for a hint.
But first updated to version 08. Restarted and all options are enabled! Good luck to all!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: the Goat on January 18, 2020, 06:41:15 pm
A big, "Thank you!" to everybody who contributed to this thread.  You guys and gals are amazing.

I will say, the important info is unnecessarily buried throughout the thread. But the process is quite painless once you figure it out. I thought about writing a definitive set of instructions. But that would probably just make it even more confusing for newcomers.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on January 21, 2020, 01:21:51 pm
Quote
A big, "Thank you!" to everybody who contributed to this thread. You guys and gals are amazing.

I will say, the important info is unnecessarily buried throughout the thread. But the process is quite painless once you figure it out. I thought about writing a definitive set of instructions. But that would probably just make it even more confusing for newcomers.

I say go ahead and write a post here giving your specific experience, people do it all the time and it is useful as it's otherwise necessary to go through pages of comments to see what worked for others and if anything got changed along the way.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on January 22, 2020, 01:21:01 pm
We're getting close to the end of January, anybody heard any more about the pending new firmware release?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 22, 2020, 06:18:15 pm
My last information was "probably end of january".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BitBug on January 23, 2020, 03:27:29 pm
Quote
My last information was "probably end of january".

Probably working on trying to "secure" their product.  ;)

BB
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on January 23, 2020, 05:38:23 pm
I don't think Rigol, like most Chinese companies, really focuses on firmware update. Just look at their firmware update history across all their products, the last update on any of their products was one update back in mid November. It would be OK if their firmware is rock solid, but it is not so great given many of the issues identified by the community. With the release of the Siglent 2000X Plus, if it steals away enough of Rigol's market share, then perhaps it will motivate them to release the firmware update. But I am certainly not holding my breath.

Martin72, I am watching closely on your experience with the new Siglent scope, I may very well follow in your footsteps. Siglent appears to do a much better job in upgrading firmware, and paying attention to our issues in the EEVblog related to their products (of course, there is always the excellent support from Daniel at Keysight).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 23, 2020, 09:42:51 pm
Finally Rigol acknowledging the use of Open Source in their latest products!!!!!!!!!!

MSO5000 example (https://eu.rigol.com/Public/Uploads/uploadfile/files/ftp/DS/MSO5000%20Open%20Source%20Acknowledgment.pdf)

 ::) well let's assume "acknowledgement" is what they meant.

And, if we could access the source code then that would be a killer factor!  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on January 23, 2020, 10:14:34 pm
tv84, that would be truly interesting indeed, just think of all the extensions we can add.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 23, 2020, 10:18:10 pm
MSO5000 HW would be a very nice FOSS platform...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on January 23, 2020, 10:56:49 pm
Quote
Finally Rigol acknowledging the use of Open Source in their latest products!!!!!!!!!!

MSO5000 example (https://eu.rigol.com/Public/Uploads/uploadfile/files/ftp/DS/MSO5000%20Open%20Source%20Acknowledgment.pdf)

 ::) well let's assume "acknowledgement" is what they meant.

And, if we could access the source code then that would be a killer factor!  :popcorn:

Did you request it? If not I've made a request now, will update if they respond.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BitBug on January 24, 2020, 01:58:31 am
Quote
And, if we could access the source code then that would be a killer factor!  :popcorn:

It's only a matter of time before we, as a community, pick a relatively inexpensive "base" piece of DSO hardware and make it our own (as in, we maintain the firmware/software - they just compete on the best hardware). What DSO engineering company wouldn't want to be "chosen" by our community as the first hardware "base"? ...Certainly not Rigol - they just want to sell their hardware... and I'm half thinking (at least, in part) this is Rigol's modus operandi when it comes to the ease of hacking their scopes. I'm actually really surprised that an entire source code tree hasn't mysteriously "appeared" on the web to force some companies' sales into the stratosphere... and it would!

Nahh, couldn't be... could it!?  :-X

BB
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bitseeker on January 24, 2020, 06:21:51 am
Quote
Finally Rigol acknowledging the use of Open Source in their latest products!!!!!!!!!!

MSO5000 example (https://eu.rigol.com/Public/Uploads/uploadfile/files/ftp/DS/MSO5000%20Open%20Source%20Acknowledgment.pdf)

 ::) well let's assume "acknowledgement" is what they meant.

And, if we could access the source code then that would be a killer factor!  :popcorn:

Unfortunately, using open source software in their product is not as interesting as publishing theirs as open source. The software they use is pretty standard stuff (lighttpd, linux, lua, lxi, u-boot, etc.).

Officially acknowledging that they're using it is certainly a good thing.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on January 24, 2020, 06:38:52 am
Quote
Unfortunately, using open source software in their product is not as interesting as publishing theirs as open source. The software they use is pretty standard stuff (lighttpd, linux, lua, lxi, u-boot, etc.).

However the modified u-boot source as well as kernel and related modules might be nice having.  ^-^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: vr2whf on January 24, 2020, 03:49:06 pm
Quote
My last information was "probably end of january".

Chance to add the bode plot feature?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 808exe on January 24, 2020, 11:51:39 pm
Hey, so not totally hacking related but if you bought your scope after 10/1/2019 Rigol will update your license for free.
Now, this does not include the bandwidth, but it enables all the serial decode capabilities, power analysis and also enables the function generator
https://beyondmeasure.rigoltech.com/acton/form/1579/0065:/0/index.htm?sid=TV2:U3tSfkw22
As it is a promo, it does end on 3/30/2020
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 25, 2020, 12:07:38 am
Quote
My last information was "probably end of january".

Chance to add the bode plot feature?

Once they (Rigol EU support) told me clearly, bode will come.
But they did it in May 2019.
Now we got January 2020 and still there's no update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BitBug on January 25, 2020, 05:00:16 pm
Quote
Hey, so not totally hacking related but if you bought your scope after 10/1/2019 Rigol will update your license for free.
Now, this does not include the bandwidth, but it enables all the serial decode capabilities, power analysis and also enables the function generator
https://beyondmeasure.rigoltech.com/acton/form/1579/0065:/0/index.htm?sid=TV2:U3tSfkw22
As it is a promo, it does end on 3/30/2020

Wonder if this is an "online" scope update/promo to see who has hacked their scopes.

BB
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 808exe on January 26, 2020, 03:34:42 am
Nope! Upgrade worked for me! Scope does not need to be connected to the internet for the upgrade

What happens is Rigol sends you an email with a PDF with a product key
You then punch the product key and serial in to a website they link you to. This then generates a software licensing code, and an authorization file.
Load the authorization file onto a USB and the option install button becomes active. Press it to install and you're done

If anyone is interested I can provide screenshots and maybe some files too  :-X
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kwinz on January 27, 2020, 08:57:35 am
Thank you all!  :-+ After reading 60 pages of this thread again, and also of the almost 40 pages of https://www.eevblog.com/forum/blog/new-rigol-scope/ I successfully

upgraded to 00.01.01.04.08
unlocked the options

What set me up during upgrading?

So now what still doesn't work?

I already spent too much time on the weekend and I will leave it as is for now.
Anybody can confirm they have the same issue on unlocked 00.01.01.04.08?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Pizzalover on January 30, 2020, 02:09:07 am
Hi,

My first post.

I read the whole thread and will order a MSO5074 very soon, and armed with the knowledge from this thread will have extended functionality as soon as the unit arrives.

A big thank you to everyone who made this possible.


-Thor-
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cust on January 30, 2020, 01:32:45 pm
Quote
This is just a play-by-play of what I did – I struggled my way through it so there are ways to run things more efficiently or better that I wasn’t aware of at the time.

Step 1: Get your Linux workstation functional, either by installing directly or running it within VirtualBox. I’m using a Windows PC so I’m running everything through VirtualBox, which just adds a couple intermediate steps.

Step 2:
Get organized – I made 3 folders, “Upgrade”, “Enable SSH”, and “Patch”.
-   In the Upgrade folder, download the 01.01.04.08 GEL from GitLab and rename it DS5000Update.GEL (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.08.GEL)
-   In the Enable SSH folder, add the GEL file from this post and rename it DS5000Update.GEL (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076)
-   In the Patch folder, download the Bpatch folder from this post and remove the .txt extension (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701)

Step 3: Upgrade the MSO5000 using the DS5000Update.GEL file from the Upgrade Folder. Put the file onto the root directory of the USB drive and then go to the Utility / System / Help / Local Upgrade menu once you’ve put the USB into the MSO5000 and upgrade to 01.01.04.08. Restart the Oscilloscope.

Step 4: Now time for the heavy lifting. Put the USB drive back into the computer and remove the update file you just used from the USB stick. Now go to the Enable SSH folder and put that DS5000Update.GEL file onto the USB drive. Put the USB stick into the MSO5000 and run the Local Upgrade again. Oh no, it failed! Except it didn’t, as @mabl stated in his post, it will look like it failed but it works. DO NOT RESTART THE OSCILLOSCOPE, otherwise you will have to run step 4 again. Also, leave the USB stick in the MSO5000 for the next steps.

Step 5: If it’s not already connected, connect your MSO5000 to your LAN or use a crossover cable if you have one to hook it to your computer. If all you have is “normal” LAN cables, you’ll need to use your router and can’t hook directly to your PC. Now go to the Utility/ IO / LAN menu and write down the IP address of your MSO5000.

Step 6: If it’s not already in your distro, go to the software manager and download Putty so that you can SSH (Secure Shell) across the network into your MSO5000. Once it’s downloaded, you’re going to follow some of the instructions from @TopLoser that @TrickTronic posted.  First, run PuTTY and put the IP address into the IP window, use Port 22, and select SSH for your connection type. Then, use “root” as the username and “Rigol201” as the pwd. You’re now connected to the Oscilloscope.

Step 7: In the SSH, type (without quotes) “cp /rigol/appEntry /media/sda1/”. Once it’s finished writing it to the USB stick (although it’s probably not the “best” answer), just pull the USB stick out and put it back into your computer. Copy the bspatch file into the root of the USB stick as well. Right click and open a terminal window starting in the USB stick and type “bspatch appEntry appEntryPatched appEntry_01_01_04_08.bpatch” into the terminal. It will create you a new file called appEntryPatched. Rename the original file to appEntryUnpatched or something similar and then rename the patched file to appEntry. Now remove the USB stick and put it back into the Oscilloscope.

Step 8: I hope you kept your SSH open, if not then open it back up. Type “cd /media/sda1”. If the command fails, replace sda1 with sdb1. My MSO5000 mounted the USB drive into this second location when I put it back in. Type “ls” (LS in lower case if the font here sucks) to see the files in the directory. You should see your files. Now run “chmod +x appEntry” to allow the appEntry file to be an executable, otherwise it will not work. To make this next step easier, move back to the root directory using “cd /”. You can type “pwd” at any time in SSH or Terminal to see the directory you’re currently in at any time. Now copy the file back to the oscilloscope, “cp /media/sda1/appEntry /rigol/” and you should be good to go.

Step 9: Restart your Oscilloscope and don’t forget to thank the dozens of people on this forum who made this possible.

Nice! My Rigol is dead!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on January 30, 2020, 01:52:35 pm
It is most probable that you made a mistake in one of the steps.  I think there is a MAGIC button you can press while the scope powers up to recover it from bricked state
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cust on January 30, 2020, 02:00:54 pm
Hi, yes, I made a mistake. I patched a patched file.  |O
What is the magic button?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on January 30, 2020, 02:08:45 pm
From a previous post on this thread:

Copy the official firmware to a usb key. Stick it in the scope.
While powering on the scope, keep pressing the single button.
You'll see two options show up and you should be able to flash back to the official firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cust on January 30, 2020, 02:28:53 pm
Thanks, my MSO5104 is alive!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cust on January 30, 2020, 03:55:04 pm
Patch does not work for my Rigol...
I have downloaded new firmware from the official Rigol web. Maybe there's new protection. ???
Cust

EDIT: I have FFT, I have some features... I do not understand that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on January 30, 2020, 05:01:04 pm
FFT is standard.  For the hack to work you need a specific firmware version installed, as the patched file is for that version only.  Make sure your scope has the correct firmware installed.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on January 30, 2020, 06:35:26 pm
Quote
Patch does not work for my Rigol...
I have downloaded new firmware from the official Rigol web. Maybe there's new protection. ???
Cust

EDIT: I have FFT, I have some features... I do not understand that.

Current firmware available is 00.01.01.04.08. It is from August 2019.
If you have this version of firmware try to follow instructions from this post: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2785686/#msg2785686

Let us know if you succeed .

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cust on January 31, 2020, 06:37:13 pm
I had version 00.01.01.04.04 in Rigol. I patched this version. Oscilloscope was working. Menu said BW: 100MHz. Then I upgraded (from help menu) to version 00.01.01.04.08. Oscilloscope was working. Menu said BW: 100MHz.

I patched this patched and upgraded appEntry again and the oscilloscope has stopped working - at the loading sw (picture with RIGOL and white loading line - at 100%).

Then I updated fw from safe mode to version 00.01.01.04.08 (RIGOL web, date: 2. August 2019). I patched appEntry with the same result: oscilloscope does not work.

Then I downloaded version 00.01.01.04.04 -> safe mode -> update -> patch -> oscilloscope does not work.
Then I downloaded version 00.01.01.04.08 -> safe mode -> update -> patch -> oscilloscope does not work.

Now, I have unpatched version 00.01.01.04.08.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 31, 2020, 07:17:23 pm
 :palm: You must be patching 1.04.08 with the 1.04.04 patch...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cust on January 31, 2020, 09:33:02 pm
You mean:
1) downgrade to version 1.04.04
2) upgrade by "DS5000Update_patch_01_01_04_04_usb.GEL"
3) upgrade to version 1.08.08

????
_
or only upgrade from menu ("DS5000Update_patch_01_01_04_04_usb.GEL")?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on January 31, 2020, 11:57:52 pm
Quote
You mean:
1) downgrade to version 1.04.04
2) upgrade by "DS5000Update_patch_01_01_04_04_usb.GEL"
3) upgrade to version 1.08.08

He is saying you might be applying the 1.04.04 patch to the 1.04.08 firmware, which won't work.
Follow the instructions posted recently here, try again from scratch, and get rid of whatever files you have. Make sure the ethernet cable is unplugged from the oscilloscope, in case that is interfering with bootup.

If you are on 1.04.08 and it's working then no downgrading/upgrading/etc is needed.
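
Added example, not part of any post in this thread: the two failures discussed above (running bspatch on an appEntry that was already patched, and applying the 1.04.04 patch to 1.04.08) have one cause, which is that the classic BSDIFF40 patch format stores the size of the output but no checksum of the input, so bspatch builds a file from whatever it is given. The sketch assumes the .bpatch files are BSDIFF40; the function names, the reference-hash table and the sample bytes are constructed for illustration.

```python
import hashlib
import re

BSDIFF_MAGIC = b"BSDIFF40"
# Patch names on this page look like appEntry_01_01_04_08.bpatch
PATCH_NAME = re.compile(r"appEntry_(\d+)_(\d+)_(\d+)_(\d+)\.bpatch$")


def offtin(field: bytes) -> int:
    """Decode a bsdiff header integer: 63-bit little-endian magnitude plus a sign bit."""
    value = int.from_bytes(field, "little")
    magnitude = value & ((1 << 63) - 1)
    return -magnitude if value >> 63 else magnitude


def patch_new_size(patch: bytes) -> int:
    """Validate a BSDIFF40 header and return the output size it declares."""
    if len(patch) < 32 or patch[:8] != BSDIFF_MAGIC:
        raise ValueError("not a BSDIFF40 patch file")
    ctrl_len, diff_len, new_size = (offtin(patch[i:i + 8]) for i in (8, 16, 24))
    if min(ctrl_len, diff_len, new_size) < 0:
        raise ValueError("corrupt BSDIFF40 header")
    if 32 + ctrl_len + diff_len > len(patch):
        raise ValueError("patch file is truncated")
    return new_size


def patch_version(patch_name: str) -> str:
    """Firmware version a patch is meant for, taken from its file name."""
    match = PATCH_NAME.search(patch_name)
    if match is None:
        raise ValueError("cannot read a firmware version from " + patch_name)
    return ".".join(match.groups())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def preflight(app_entry: bytes, patch_name: str, patch: bytes, stock: dict) -> str:
    """Say whether bspatch may run on app_entry.

    stock maps firmware version -> SHA-256 of the unmodified appEntry, recorded
    by the operator from a scope freshly flashed with official firmware
    (an assumption of this example; the thread publishes no hashes).
    """
    patch_new_size(patch)  # rejects files that are not a complete patch
    wanted = patch_version(patch_name)
    digest = sha256_hex(app_entry)
    if stock.get(wanted) == digest:
        return "ok"
    for version, known in stock.items():
        if known == digest:
            return f"refuse: input is stock {version}, patch is for {wanted}"
    return "refuse: input matches no stock appEntry (already patched or damaged)"


def postflight(patched: bytes, patch: bytes) -> bool:
    """Size check on bspatch output. Catches a truncated copy (for example a USB
    stick pulled before the write finished), not a wrong input file."""
    return len(patched) == patch_new_size(patch)


# --- Constructed sample data: stand-ins, not real firmware or real patches ---
STOCK_0404 = b"\x7fELF" + b"stock build 01.01.04.04 " * 8
STOCK_0408 = b"\x7fELF" + b"stock build 01.01.04.08 " * 8
ALREADY_PATCHED = STOCK_0408.replace(b"stock", b"PATCH")
SAMPLE_PATCH = (BSDIFF_MAGIC + (0).to_bytes(8, "little") * 2
                + len(STOCK_0408).to_bytes(8, "little"))
STOCK_HASHES = {"01.01.04.04": sha256_hex(STOCK_0404),
                "01.01.04.08": sha256_hex(STOCK_0408)}

if __name__ == "__main__":
    name = "appEntry_01_01_04_08.bpatch"
    for label, blob in (("stock 04.08", STOCK_0408), ("stock 04.04", STOCK_0404),
                        ("patched twice", ALREADY_PATCHED)):
        print(label, "->", preflight(blob, name, SAMPLE_PATCH, STOCK_HASHES))
```

The size check passes for the already-patched sample, which is why the hash comparison has to happen before bspatch runs rather than after.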
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cust on February 01, 2020, 10:43:10 am
OK, thanks.
I'll try it on Monday.

I always had the ethernet cable connected.

Cust
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 01, 2020, 11:38:41 am
Hello, does anybody know if there is software that can control the AWG in the MSO5000?
Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cust on February 03, 2020, 07:11:53 am
Quote
You mean:
1) downgrade to version 1.04.04
2) upgrade by "DS5000Update_patch_01_01_04_04_usb.GEL"
3) upgrade to version 1.08.08

He is saying you might be applying the 1.04.04 patch to the 1.04.08 firmware, which won't work.
Follow the instructions posted recently here, try again from scratch, and get rid of whatever files you have. Make sure the ethernet cable is unplugged from the oscilloscope, in case that is interfering with bootup.

If you are on 1.04.08 and it's working then no downgrading/upgrading/etc is needed.

ufff, my MSO has BW 350 MHz :-)

I had to downgrade first....

Cust
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on February 03, 2020, 10:56:09 pm
Quote
My last information was "probably end of january".

Chance to add the bode plot feature?

Once they (Rigol EU support) told me clearly, bode will come.
But they did it in May 2019.
Now we got January 2020 and still there's no update.

Looks like the FW on the North America site was updated within the past few days, but it was updated from 01.01.04.04 to 01.01.04.08.  Are they considering 01.01.04.08 the update that was targeted for January?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on February 03, 2020, 11:08:56 pm
Can't believe it:

Quote
v00.01.01.04.08 2019/08/02

      -Fixed system crashed when clicking Default.
      -Fixed 4CH option bug.
      -Fixed noise signal captured.
      -Improved the measure result updating rate.
      -Fixed accurate measurements not updated in ROLL

Old known things...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on February 03, 2020, 11:50:24 pm
Quote
Can't believe it:

Quote
v00.01.01.04.08 2019/08/02

      -Fixed system crashed when clicking Default.
      -Fixed 4CH option bug.
      -Fixed noise signal captured.
      -Improved the measure result updating rate.
      -Fixed accurate measurements not updated in ROLL

Old known things...

Yeah, this is very disappointing.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on February 04, 2020, 12:02:45 am
Quote
Hello, does anybody know if there is software that can control the AWG in the MSO5000?
Thank you!

Use python or other software instead, it's going to be a better solution IMO. There was a GUI made for DG800 that could potentially be ported if you need UI.

Here is an idea of how it looks (pyvisa):
Code:
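import pyvisa

# Open the instrument. The address is a placeholder (an assumption, not from
# the original post); replace it with the VISA address of your own scope.
rm = pyvisa.ResourceManager()
gen = rm.open_resource('TCPIP0::192.0.2.10::INSTR')

# Disable generator output 1 and read the state back
gen.write(':source1:output1 0')
print(gen.query(':source1:output?'))

# Set generator output 1 voltage/frequency, sine wave, no offset
gen.write(':source1:volt 1')
gen.write(':source1:freq 1000')
gen.write(':source1:function sin')
gen.write(':source1:voltage:offset 0')

# Enable generator output
gen.write(':source1:output1 1')

# Normal or precision measurement, measured on channel 1
gen.write(':measure:mode normal')
gen.write(':measure:source channel1')

# Acquisition: averaging over 4 acquisitions, 100k memory depth
gen.write(':acq:type aver')
gen.write(':acq:averages 4')
gen.write(':acq:mdepth 100k')

print('Settings: ' + gen.query(':source1:apply?'))

gen.write(':measure:source channel1')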
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 04, 2020, 07:32:28 am
Thanks,
I know about the pyvisa approach. I used it for a FFT on Rigol DS2000. In fact if we combine these two and some UI we can create a FRA app.
Next step, port the code to QT and integrate into MSO 5000 firmware  ...  ;D

The reality is that Rigol has launched this new line of scopes without proper PC software applications that can use the new functions on board.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on February 05, 2020, 12:06:47 am
Quote
Thanks,
I know about the pyvisa approach. I used it for a FFT on Rigol DS2000. In fact if we combine these two and some UI we can create a FRA app.
Next step, port the code to QT and integrate into MSO 5000 firmware  ...  ;D

The reality is that Rigol has launched this new line of scopes without proper PC software applications that can use the new functions on board.

All of their PC software is garbage IMO. I wouldn't expect anything less.
Their SCPI however, is incredibly well documented, broad, and for the most part works.

I agree there is potential for FRA, bode plots, quadrature modulation (?), etc. which can be more convenient to do in a single instrument. I'm working on a board to amplify the 2 channel gen to 2x the current voltage, but there are many more things you could think of to do with 2 outputs and 4 inputs. Another idea I have is measuring one channel current and one voltage.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hedehede81 on February 05, 2020, 07:26:54 am
I received my MSO5074 and immediately upgraded it, many thanks to everyone involved.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 05, 2020, 11:39:55 am
Quote
All of their PC software is garbage IMO. I wouldn't expect anything less.
Their SCPI however, is incredibly well documented, broad, and for the most part works.

I agree there is potential for FRA, bode plots, quadrature modulation (?), etc. which can be more convenient to do in a single instrument. I'm working on a board to amplify the 2 channel gen to 2x the current voltage, but there are many more things you could think of to do with 2 outputs and 4 inputs. Another idea I have is measuring one channel current and one voltage.

Yes I agree, their software is far better from useful ...
I have done a capture component in NILAB, using their instructions in the Programming Manual, and it is displaying waveforms faster than Ultrascope. Keysight also with their Benchvue is displaying waveforms very slow.
About Python, the script I used for FFT used NumPy if I remember well. I don't know if it will work now on Windows 10 ...
It was from here: http://www.righto.com/2013/07/rigol-oscilloscope-hacks-with-python.html
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hedehede81 on February 07, 2020, 02:07:54 pm
Guys, I have a question, please check the attached photos from the built-in oscillator for the probe compensation. It is straight Auto trigger, no averaging etc. Do you think I have more noise than usual or is it normal? I feel like the flat portion of the signal(high signal) have a bit more noise than I expected?  (first photo is with 1x compensation on the physical probe and second photo is 10x)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on February 07, 2020, 04:14:27 pm
10x has higher bandwidth than 1x, so looks decent to me...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 07, 2020, 05:46:38 pm
Maybe some noise on your bench ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hedehede81 on February 07, 2020, 06:01:11 pm
Yeah, you're right, it gets better if I move it away from the bench. Probably picking up high frequency noise from several switching power supplies. It gets a lot better if I use an extension alligator clip instead of directly hooking up the probe to the oscilloscope, so maybe it is picking up some noise from there too. Thanks for the screenshots, I am relieved I don't have a lemon :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Yuriy68 on February 09, 2020, 11:28:02 am
Good day! I want to thank everyone who took part in this megaproject, primarily mabl, tv84, oliv3r and other wonderful people.
I purchased my MSO5074 by promo action in China and got it already completely open with all options and a 350 MHz BW, and I didn’t even have to crack it. I made a backup of the /rigol/data directory and the 8 kB FRAM memory and a backup of the full NAND using utilities by tv84 and everything turned out great! https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356

Quote
Backup scripts for Rigol MSO5000 and MSO/DS7000

Attached is a .GEL that does a backup of the /rigol/data directory and the 8 kB FRAM memory. Run as a normal update.

It also does a memdump (450MB) so you should use a USB disk with size >= 512 MB. (Why this one? Because sometimes its useful...  ;) )

With /rigol/data and FRAM, we can recreate the scope from scratch (as long as the bootloader is OK).

If anyone tests the script, please report the results and how much time it took.

Edit1: Added a .GEL that does a backup of the full NAND (mt0->mt12). Since the NAND is 1 GB in size, you must be patient! It could take some minutes.
* Rigol_MSO5000_7000_backup_scripts.zip (1.4 kB - downloaded 288 times.)
* Rigol_MSO5000_7000_NAND_backup_scripts.zip (2.1 kB - downloaded 204 times.)
« Last Edit: October 28, 2019, 03:23:02 pm by tv84 »

Then I saved the backup on the PC.
But, still, I have some questions.
For example, if the oscilloscope's program crashes or the instrument is repaired, how can I write the saved backups of FRAM, NAND and /rigol/data back to the device? I have rarely had to do this before. Please tell me the step-by-step procedure for doing this. On my PC, Windows 7, PuTTY and Ultra Sigma are installed. The scope is connected to a PC via USB, and can be connected via LAN.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 10, 2020, 04:49:37 pm
For example, if the oscilloscope's program crashes or the instrument is repaired, how can I write the saved backups of FRAM, NAND and /rigol/data back to the device? I have rarely had to do this before. Please tell me the step-by-step procedure for doing this. On my PC, Windows 7, PuTTY and Ultra Sigma are installed. The scope is connected to a PC via USB, and can be connected via LAN.

You made the backup, that's well done.

Don't worry about the other part. If you are not able to learn how to recover it with the available info in this forum and others, you should not mess  with the scope in order to brick it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Yuriy68 on February 10, 2020, 05:33:04 pm
Yes, thanks, this is a smart solution. Having a backup, I can always turn to more experienced users for recovery. :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on February 13, 2020, 12:35:08 am
Having just sold my Keysight MSO7104B, I'm thinking of a MSO5074.  A few questions:

1. What is the serial decode like? Is it hardware or software based? Either way, is it any good?

2. What alternatives, if any, has anyone figured out for the $360 PLA2216 logic probe accessory?

3. Is there still an offer to get official free serial decode options?

Thanks in advance.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jake111 on February 13, 2020, 12:41:48 am
Having just sold my Keysight MSO7104B, I'm thinking of a MSO5074.  A few questions:

1. What is the serial decode like? Is it hardware or software based? Either way, is it any good?

2. What alternatives, if any, has anyone figured out for the $360 PLA2216 logic probe accessory?

3. Is there still an offer to get official free serial decode options?

Thanks in advance.


The scope in general seems really laggy.  With the limited capture depth, I think an important question is what you are trying to do, diagnose bus problems or capture lots of data.  Have you looked at saleae logic pro series?  I am just tickled pink by these things.  The analog + digital capture is great and with USB 3.0 you can stream to the limits of your PC's ability.  I resisted buying one of these for a long time, who spends 600 bucks on a USB logic analyzer, etc, but finally did it and I just can't believe how long I made do with my zeroplus and scope's limited abilities...  The software is just great.  I love it!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on February 13, 2020, 02:07:47 am
The Siglent SDS2000X plus looks better to me.  I had the MSO5074 and it was very laggy to use, I found it less responsive than the DS1054Z.  The display is very dim, even with the new hardware update.  Rigol has not released a software update for more than 6-8 months.  Minor cosmetic details in the UI that shows a very little care from Rigol for having a professional scope, like the buttons not aligning with the options in the menu (right side of the screen with the right vertical buttons).

Serial decoding trigger seems to be hardware based, as I tested a 45MHz SPI transfer with an infrequent 0xFF packet sent when I pressed a button and it captured every single time, the SDS1104X-E missed a lot and the Keysight 1000X also captured almost every single time.  But the display refresh rate of serial decoding is also laggy on the MSO5074, nothing compared to what Keysight scopes can do (real hardware decoding).

I am waiting for the Siglent SDS2104X plus to arrive to test the same 45MHz SPI signal and see if it is better than the SDS1104X-E capturing infrequent packets.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 13, 2020, 06:53:54 am
About the screen, everyone complains about it, but mine is very bright, I did not feel the need to make it brighter. It was acquired in October 2019.
The UI is laggy indeed but not so laggy as DS1054 with all 4 channels activated.
Also it does not have a software companion . You need to use Ultra Scope which is not updated for the new series 5x/7x/8x .
You can still get bundle promo until end of march : https://www.rigolna.com/promos/ (https://www.rigolna.com/promos/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on February 13, 2020, 10:46:30 am
Thanks for all replies to my questions.

I own a Saleae Logic 8 (not the Pro) so I only have USB2 (not USB3) connectivity but it's enough for my needs.  My major disappointment with the Saleae products is that they are listen-only, you can't send signals out from them. To get bidirectional features you need something like a Bus Pirate - I own a 3.8 and the instructions are here (http://dangerousprototypes.com/docs/I2C#I2C_address_search_scanner_macro)  The Bus Pirate is cheap but the documentation is scattered to the 4 corners of the internet and learning the UI is one step removed from understanding cuneiform.

I really don't need more than 350 MHz bandwidth and, at $1,000 this looks attractive as a cheap fill in for gap left by the MSO7104B but I do worry that Rigol seems to have abandoned this series with no firmware updates for many months.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 13, 2020, 10:56:53 am
... one step removed from understanding cuneiform.

 :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 13, 2020, 11:18:56 am
About the screen, everyone complains about it, but mine is very bright, I did not feel the need to make it brighter. It was acquired in October 2019.
The UI is laggy indeed but not so laggy as DS1054 with all 4 channels activated.
Also it does not have a software companion . You need to use Ultra Scope which is not updated for the new series 5x/7x/8x .
You can still get bundle promo until end of march : Keysight MSO7104B https://www.rigolna.com/promos/ (https://www.rigolna.com/promos/)

LOL Keysight... ^-^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on February 13, 2020, 11:30:07 am
Shouldn't we limit this thread to the discussion of the hack, as its title suggests? The thread is awfully long already, and many people struggle to get the gist of what's currently the "state of the art" for hacking the MSO5000.

There are other threads to discuss the merits (and weaknesses) of this family of scopes, e.g.
https://www.eevblog.com/forum/blog/new-rigol-scope/ (https://www.eevblog.com/forum/blog/new-rigol-scope/)
https://www.eevblog.com/forum/testgear/rigol-mso-5000-hardwaresoftware-revisions/ (https://www.eevblog.com/forum/testgear/rigol-mso-5000-hardwaresoftware-revisions/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on February 13, 2020, 11:31:28 am
Although I do not use a net connection for our workshop or need ultra scope for daily use.

You need to update ultra sigma first before using ultra scope I believe and that has been updated, the ultra sigma recognizes the 5/7 and 8000 series no problem. Worth a try

 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on February 13, 2020, 12:05:27 pm
OK, to get the subject back to hacking. If I buy a MSO5074 (so I get 4 probes), I can currently take the Rigol offer for their bundle.

Once that's done, what are the steps to get extra bandwidth? 
Is there any other feature you don't get from the free bundle?
Has anyone created a DIY LA harness?

Thanks in advance.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 13, 2020, 12:21:45 pm


LOL Keysight... ^-^


 |O
yeap, I removed it now . It was on my clipboard . I searched for it .
I still don't understand how one may want to get rid of such scope and turn to a Rigol ....

sorry for offtopic .
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2N3055 on February 13, 2020, 12:24:07 pm


LOL Keysight... ^-^


 |O
yeap, I removed it now . It was on my clipboard . I searched for it .
I still don't understand how one may want to get rid of such scope and turn to a Rigol ....

sorry for offtopic .
:-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 13, 2020, 12:27:47 pm

Has anyone created a DIY LA harness?

Thanks in advance.

Yes, there is such a thing:
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2908500/#msg2908500 (https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2908500/#msg2908500)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on February 13, 2020, 01:19:32 pm

Has anyone created a DIY LA harness?

Thanks in advance.

Yes, there is such a thing:
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2908500/#msg2908500 (https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2908500/#msg2908500)
Read the probe thread carefully, apparently there is a lot of noise from the homemade probes, and the cost is not low, probably only 50% of the cost of the original one.  And most of the published PCB files has mistakes on them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on February 13, 2020, 04:32:51 pm
Yeah, I read through that thread and thought it would be better to buy the Rigol original.  Thanks.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 13, 2020, 07:16:51 pm
Yeah, I read through that thread and thought it would be better to buy the Rigol original.  Thanks.

There's a lot more to those adapters than just a few cables. I'm not saying they cost $300 to manufacture but making your own isn't for the faint-hearted.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on February 13, 2020, 10:30:52 pm
Yeah, I read through that thread and thought it would be better to buy the Rigol original.  Thanks.

There's a lot more to those adapters than just a few cables. I'm not saying they cost $300 to manufacture but making your own isn't for the faint-hearted.
Yeah but they were getting wrapped around the axles on detail like balanced pair routing and equal length tracks; it's a 350 MHz scope at which frequency the wavelength is 0.86 meters and the logic signals would probably not go over 100 MHz anyway.

I think a much simpler design with less exotic buffers and standard 0.05" ribbon cable would work just fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on February 13, 2020, 11:55:26 pm
Yeah but they were getting wrapped around the axles on detail like balanced pair routing and equal length tracks; it's a 350 MHz scope at which frequency the wavelength is 0.86 meters and the logic signals would probably not go over 100 MHz anyway.

I think a much simpler design with less exotic buffers and standard 0.05" ribbon cable would work just fine.

I'm going to permit myself this one off-topic digression and then suggest we shut up and keep the design discussion of an LA cable out of the hacking thread.

Routing is an issue, but not because of delays or anything like that - it's down to managing current return paths. The kind of fast comparators you need for this task tend to splash a lot of current about and quite spiky current at that. If you don't manage your routes so that signal and return current keep physically close to each other with small loop areas you get into crosstalk and impulse noise issues. If you're packing 16 fast comparators into 2 sq in of board space you're going to have to spend significant time on getting your decoupling and return current paths properly sorted.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thmjpr on February 14, 2020, 01:04:52 am
Read the probe thread carefully, apparently there is a lot of noise from the homemade probes, and the cost is not low, probably only 50% of the cost of the original one.  And most of the published PCB files has mistakes on them.

The noise is internal to the oscilloscope, has nothing to do with the probe. If you enable the LA by shorting the pins on the connector, and don't connect anything to it, ghost signals will show up on the channels as they are unterminated internally. If you have any inputs connected (on DIY or retail probe), there are no ghost signals on those as the inputs are being actively driven. Rev 2 of the probe has the correct pinouts.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on February 15, 2020, 11:19:12 am
Can someone please do us new purchasers a favor and make a summary comment on the latest state of play with regards to hacking?  I am ready to buy an MSO5074 but looking through the thread I'm confused as to the latest recommended best practice approach.

Thanks :D

[EDIT] Is post #933 still the latest to follow?
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on February 15, 2020, 12:49:48 pm
Can someone please do us new purchasers a favor and make a summary comment on the latest state of play with regards to hacking?  I am ready to buy an MSO5074 but looking through the thread I'm confused as to the latest recommended best practice approach.

Thanks :D

[EDIT] Is post #933 still the latest to follow?
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401)

No, that's for firmware version 01.01.04.04 and the current version is 01.01.04.08.

Start reading forward from this post   Reply #1293 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411) which contains the most recent reasonable summary of the manual version of the update.

Please note that if you're Unix/Linux competent you can make this manual process much easier to do by using 'scp' rather than shuffling appEntry back and forwards on a USB stick - basically get ssh access and then run the update entirely using ssh/scp.

I would suggest augmenting that procedure by checking the md5sum of both the pre and post patched appEntry to make sure that you've got it right. For reference:

md5sum of appEntry before patching: afe3e7c2d38bdebb66d3f1f11d910743
md5sum of appEntry after patching: 3f95cb3236b47826e303de960596f966

If you read later on you'll find mabl has posted a script to automate applying the same patch automatically from a USB stick. If using mabl's method be sure to save the patch.txt file with Unix line endings, not DOS/Windows ones.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sb42 on February 15, 2020, 01:06:29 pm
The instructions/attachments in this message (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308) work for firmware 01.01.04.08.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: zhang011101 on February 28, 2020, 05:38:05 am
Rigol updated the V00.01.02.00.02 firmware for the MSO5000 a few days ago. Does anyone use this latest version?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on February 28, 2020, 06:30:30 am
00.01.01.04.08 is still the most recent available on the North American website.  They also have the link mislabeled, but the file that downloads is 00.01.01.04.08: :palm:

https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-f24095b5-cc11-4e8d-8df9-d2bfdffd5efc/0/-/-/-/-/MSO5_FW_V1_1_4_4.zip
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 28, 2020, 06:43:15 am
Rigol updated the V00.01.02.00.02 firmware for the MSO5000 a few days ago. Does anyone use this latest version?
Yeah, but it doesn't seem to be worth losing "upgrades".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sergey Astakhov on February 28, 2020, 09:51:07 am
Link from international site: https://int.rigol.com/Public/Uploads/uploadfile/files/ftp/DS/%E8%BD%AF%E5%9B%BA%E4%BB%B6/MSO5000(ARM)Update.rar
Release notes:

Quote
[Supported Model]    All the MSO5000 Series Digital Oscilloscopes
[Latest Revision Date] 2020/02/25

[Updated Contents]
--------------------

v00.01.02.00.02  2020/02/25
       
     - Optimized the connection HDMI start problem optimized the connection HDMI start problem
     - Optimize the vertical gear, channel zero elimination error
     - Optimization of the inconsistency between SPI CLK and SDA names
     - Zoom mode square wave display in optimized 2S time base
     - Added command to get pass / fail times
     - Delete the default email account and password
     - Problems in remote instructions are optimized
     - Optimized 1K storage depth, waveform recording
     - The problem of too many stuck events in optimized decoding
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 28, 2020, 08:16:58 pm
So, I hope the experts in this topic would soon begin looking into this version of the firmware to see how the enhancement can be performed.  Rigol has tried to make some of its AWG harder to "enhance" with the latest firmware, it would be interesting to see if they will do the same to the MSO5000.

mabl and tv84, would you kindly look into the feasibility of creating a patch file for this version of firmware, as well as whether there is any updated GEL file required to enable SSH?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 28, 2020, 09:38:17 pm
The patch adaptation is a no-brainer that others can easily do. About the telnet .GEL, I think the one that is available can still work. If not I can look into it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 28, 2020, 09:47:11 pm
Thanks tv84, I appreciate it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on February 29, 2020, 06:51:17 am
I didn't notice before, but wtf Rigol, zip != rar
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on February 29, 2020, 02:52:40 pm
     - Delete the default email account and password

Ah yes ... that one
 :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 29, 2020, 03:05:19 pm
I'm afraid they are referring to the email feature documented in the manual, not the undocumented phone home feature.  Who knows, they might actually have fixed the undocumented one  :-DD

Any chance you can work on a new patch file for this version?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on February 29, 2020, 04:10:14 pm
If we take it as a new major firmware version (upgrade from 01.01.xx.xx to 01.02.xx.xx),  it seems that Rigol have no intention to add some new useful features (like Bode Plot, a better hi-res implementation, etc).

I suppose in the future there will be only incremental improvements for bugs.

Still, MSO5000 is a funny brute force beast. And hackable  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on February 29, 2020, 04:16:54 pm
I'm afraid they are referring to the email feature documented in the manual, not the undocumented phone home feature.  Who knows, they might actually have fixed the undocumented one  :-DD

Any chance you can work on a new patch file for this version?

No, they are referring to the default username and password that I used to log into their IBM Notes system because :woops: it wasn't just a placeholder.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 29, 2020, 04:24:57 pm
So perhaps your last email to them using the hidden ID actually made it through.

When you create the patch, it would definitely be a good idea to create a version with disabled ET phone home, it just opens such a security hole in the lab network.  The scope should have no business emailing Rigol anything without a user’s knowledge.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on February 29, 2020, 05:13:15 pm
So perhaps your last email to them using the hidden ID actually made it through.

When you create the patch, it would definitely be a good idea to create a version with disabled ET phone home, it just opens such a security hole in the lab network.  The scope should have no business emailing Rigol anything without a user’s knowledge.
I actually attached a patch just like that for the .08 firmware miles back. It just seems everyone ignored it.  :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 01, 2020, 02:36:38 am
I got that patch, I am not sure if others have the same security concern like we do.  I put it on an isolated network regardless.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on March 01, 2020, 05:30:08 am
1.02.00.02 patch

Before: 78d71292a1828ee597a341bd14797e18
After: 86d162a29297ae03af88a6d8f7c40247
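
The before/after hash check Cerebus recommends earlier in the thread, written out as an added example (not code from this thread or from any poster's script): it classifies an appEntry file against the MD5 pairs quoted in the posts and flags a patch file saved with DOS line endings. The function names, table labels and the constructed demo files are this example's own assumptions.

```python
"""Added example: check appEntry hashes around a patch step."""
import hashlib
import os
import tempfile

# MD5 pairs quoted in the thread; the labels are this example's own naming.
# MD5 here catches a wrong file or a botched transfer/patch, not deliberate tampering.
KNOWN_HASHES = {
    "Cerebus post (2020-02-15)": {
        "before": "afe3e7c2d38bdebb66d3f1f11d910743",
        "after": "3f95cb3236b47826e303de960596f966",
    },
    "delfinom post (1.02.00.02 patch)": {
        "before": "78d71292a1828ee597a341bd14797e18",
        "after": "86d162a29297ae03af88a6d8f7c40247",
    },
}


def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large binary never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path, known=KNOWN_HASHES):
    """Return (label, state); state is 'before', 'after' or 'unknown'."""
    actual = md5_of(path)
    for label, pair in known.items():
        for state, expected in pair.items():
            if actual == expected.lower():
                return label, state
    return None, "unknown"


def has_dos_line_endings(path):
    """True if the file contains any CRLF sequence."""
    with open(path, "rb") as handle:
        return b"\r\n" in handle.read()


def check_patch_step(original, patched, patch_file=None, known=KNOWN_HASHES):
    """Return a list of problems; an empty list means the step checks out."""
    problems = []
    label_before, state_before = classify(original, known)
    label_after, state_after = classify(patched, known)
    if state_before != "before":
        problems.append(
            f"original file is '{state_before}', expected a known unpatched binary")
    if state_after != "after":
        problems.append(
            f"patched file is '{state_after}', expected a known patched binary")
    if (state_before, state_after) == ("before", "after") and label_before != label_after:
        problems.append("before and after hashes belong to different table entries")
    if patch_file is not None and has_dos_line_endings(patch_file):
        problems.append("patch file has DOS/Windows (CRLF) line endings")
    return problems


if __name__ == "__main__":
    # Constructed stand-ins: the real binaries are not available offline,
    # so the demo builds its own table from sample bytes.
    workdir = tempfile.mkdtemp()
    samples = {
        "appEntry.orig": b"constructed original image",
        "appEntry.new": b"constructed patched image",
        "patch.txt": b"constructed patch line\r\n",
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as handle:
            handle.write(data)
    table = {
        "constructed sample": {
            "before": hashlib.md5(samples["appEntry.orig"]).hexdigest(),
            "after": hashlib.md5(samples["appEntry.new"]).hexdigest(),
        }
    }
    for problem in check_patch_step(
        os.path.join(workdir, "appEntry.orig"),
        os.path.join(workdir, "appEntry.new"),
        os.path.join(workdir, "patch.txt"),
        known=table,
    ):
        print("PROBLEM:", problem)
```

Run against real files, the default table applies; a file that matches neither pair is reported as unknown rather than assumed good.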
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 01, 2020, 05:39:19 am
Hey delfinom,

A big thanks as usual, did you notice any new options or notable changes in the firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on March 01, 2020, 05:42:24 am
Hey delfinom,

A big thanks as usual, did you notice any new options or notable changes in the firmware?

Wasn't looking. That would take actual effort :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on March 01, 2020, 07:16:06 am
No warranties.

Before: 78d71292a1828ee597a341bd14797e18
After: 86d162a29297ae03af88a6d8f7c40247


Thank you !
It works perfect !
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 02, 2020, 08:10:02 pm
Changes to the file system:
Code: [Select]
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        modified:   firmware/logo.png
        modified:   firmware/rootfs/rigol/K160M_TOP.bit
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/resource/help/b/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/display.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/email.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/storage.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/trigger.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/display.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/storage.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/trigger.hlp
        modified:   firmware/rootfs/rigol/resource/menu/b.hex
        modified:   firmware/rootfs/rigol/resource/menu/c.hex
        modified:   firmware/rootfs/rigol/resource/menu/d.hex
        modified:   firmware/rootfs/rigol/resource/menu/desc.hex
        modified:   firmware/rootfs/rigol/resource/menu/h.hex
        modified:   firmware/rootfs/rigol/resource/menu/i.hex
        modified:   firmware/rootfs/rigol/resource/menu/j.hex
        modified:   firmware/rootfs/rigol/resource/menu/k.hex
        modified:   firmware/rootfs/rigol/resource/menu/l.hex
        modified:   firmware/rootfs/rigol/resource/menu/m.hex
        modified:   firmware/rootfs/rigol/resource/menu/menu.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ch.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ext.hex
        modified:   firmware/rootfs/rigol/resource/menu/msg.h
        modified:   firmware/rootfs/rigol/resource/menu/n.hex
        modified:   firmware/rootfs/rigol/resource/menu/o.hex
        modified:   firmware/rootfs/rigol/resource/menu/pic.hex
        modified:   firmware/rootfs/rigol/resource/menu/res.hex
        modified:   firmware/rootfs/rigol/resource/menu/t.hex
        modified:   firmware/rootfs/rigol/resource/menu/u.hex
        modified:   firmware/rootfs/rigol/resource/scpi/ACQuire.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/COMMon.xml
        modified:   firmware/rootfs/rigol/resource/scpi/DISPlay.xml
        modified:   firmware/rootfs/rigol/resource/scpi/LA.xml
        modified:   firmware/rootfs/rigol/resource/scpi/LAN.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MASK.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/REF.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SAVE.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SOURce.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SOURce1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SOURce2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/TIMebase.xml
        modified:   firmware/rootfs/rigol/resource/scpi/TRIGger.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/BUS1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/BUS2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/BUS3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/BUS4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/DISPlay.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/LA.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/MEASure.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/REF.xml
        deleted:    firmware/rootfs/rigol/resource/scpi/compatible/Ref.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/TIMebase.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/TRIGger.xml
        deleted:    firmware/rootfs/rigol/resource/scpi/compatible/common.xml
        deleted:    firmware/rootfs/rigol/resource/scpi/compatible/cursor.xml
        deleted:    firmware/rootfs/rigol/resource/scpi/compatible/quick.xml
        modified:   firmware/rootfs/rigol/resource/scpi/scpiConfig.xml
        deleted:    firmware/rootfs/rigol/webcontrol/config/conf.d/Makefile
        deleted:    firmware/rootfs/rigol/webcontrol/config/conf.d/Makefile.am
        deleted:    firmware/rootfs/rigol/webcontrol/config/conf.d/Makefile.in
        deleted:    firmware/rootfs/rigol/webcontrol/include/openssl/ui_compat.h
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/AUTHORS
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/COPYING
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/ChangeLog
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/LICENCE
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/NEWS
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/README
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/index.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre-config.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_compile.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_compile2.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_config.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_copy_named_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_copy_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_dfa_exec.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_exec.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_free_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_free_substring_list.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_fullinfo.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_named_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_stringnumber.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_stringtable_entries.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_substring_list.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_info.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_maketables.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_refcount.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_study.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_version.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcreapi.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrebuild.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrecallout.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrecompat.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrecpp.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcredemo.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcregrep.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrematching.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrepartial.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrepattern.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcreperform.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcreposix.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcreprecompile.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcresample.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrestack.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcresyntax.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcretest.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/pcre-config.txt
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/pcre.txt
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/pcregrep.txt
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/pcretest.txt

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        firmware/rootfs/rigol/cups/testPage.bmp
        firmware/rootfs/rigol/resource/help/b/CVS/
        firmware/rootfs/rigol/resource/help/d/CVS/
        firmware/rootfs/rigol/resource/help/picture/CVS/
        firmware/rootfs/rigol/resource/help/picture/autoset/CVS/
        firmware/rootfs/rigol/resource/help/picture/chan1/
        firmware/rootfs/rigol/resource/help/picture/counter/
        firmware/rootfs/rigol/resource/help/picture/cursor/CVS/
        firmware/rootfs/rigol/resource/help/picture/display/
        firmware/rootfs/rigol/resource/help/picture/dvm/
        firmware/rootfs/rigol/resource/help/picture/email/
        firmware/rootfs/rigol/resource/help/picture/eyejit/CVS/
        firmware/rootfs/rigol/resource/help/picture/help/
        firmware/rootfs/rigol/resource/help/picture/horizontal/
        firmware/rootfs/rigol/resource/help/picture/ioset/
        firmware/rootfs/rigol/resource/help/picture/la/CVS/
        firmware/rootfs/rigol/resource/help/picture/mask/CVS/
        firmware/rootfs/rigol/resource/help/picture/math/CVS/
        firmware/rootfs/rigol/resource/help/picture/mathsel/
        firmware/rootfs/rigol/resource/help/picture/measure/CVS/
        firmware/rootfs/rigol/resource/help/picture/print/
        firmware/rootfs/rigol/resource/help/picture/quick/
        firmware/rootfs/rigol/resource/help/picture/record/
        firmware/rootfs/rigol/resource/help/picture/ref/CVS/
        firmware/rootfs/rigol/resource/help/picture/search/
        firmware/rootfs/rigol/resource/help/picture/selfcal/
        firmware/rootfs/rigol/resource/help/picture/source/CVS/
        firmware/rootfs/rigol/resource/help/picture/trigger/CVS/
        firmware/rootfs/rigol/resource/help/picture/upa/CVS/
        firmware/rootfs/rigol/resource/help/picture/utility/
        firmware/rootfs/rigol/resource/help/picture/vdecode/CVS/
        firmware/rootfs/rigol/resource/help/picture/vdecodesel/
        firmware/rootfs/rigol/resource/help/picture/wifi/
        firmware/rootfs/rigol/tools/cfg_gtp



Quick things I saw:

New commands:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sb42 on March 02, 2020, 09:29:15 pm
Changes to the file system:

Noticed much the same while looking at the app.img contents. They got rid of some random cruft that should never have been there in the first place (pcre html docs), added some more (CVS data :palm:), kept the rest intact (full installation of openssl with headers and manpages). Another case of a hardware vendor struggling to meet software development deadlines and grok FOSS toolchains and platforms, I suppose :horse:.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on March 02, 2020, 10:44:22 pm
Did anyone notice a new script added on the latest FW ("/rigol/tools/cfg_gtp")?
Checked MSO7000 / 5000 / 8000 series & this script exists on all.

Checked on IDA & it looks very suspicious as on execution it writes to /dev/i2c-0 with an increment constant data.
Worth writing a small script to backup this registry (just in case) as it may contain valuable data which would be overwritten by this script.
It does have a getter method but it's never called.
On nandboot there is a call to "checkGTP".

Can this all mean that this script may be included for the purpose of locking down hacked scopes?
Can somebody check this theory, or is anyone brave enough to try to run it? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on March 03, 2020, 12:34:10 pm
Did anyone notice a new script added on the latest FW ("/rigol/tools/cfg_gtp")?
Checked MSO7000 / 5000 / 8000 series & this script exists on all.

Checked on IDA & it looks very suspicious as on execution it writes to /dev/i2c-0 with an increment constant data.
Worth writing a small script to backup this registry (just in case) as it may contain valuable data which would be overwritten by this script.
It does have a getter method but it's never called.
On nandboot there is a call to "checkGTP".

Can this all mean that this script may be included for the purpose of locking down hacked scopes?
Can somebody check this theory, or is anyone brave enough to try to run it? :)

A little strong on the tinfoil.

GTP would most likely be referring to the touch screen controller IC which is a Goodix-TS part but in linux kernel sources is referred to as "GTP".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on March 03, 2020, 02:22:13 pm
An interesting line found on MSO8000 fw4linux.sh script:

Chinese (Original):
#checkGTP;金手指里面已经执行了GTP配置,普通启动取消该配置,由于8000一台机器发现这里导致无法启动

Translation:
#checkGTP; GTP configuration has been performed in cheat. Normal configuration cancels the configuration. 8000 machines found it and failed to start.

So "checkGTP" is disabled on MSO8000 because it fails to start due to a false trigger on GTP configuration.
This increases my concerns about the newly added script.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on March 03, 2020, 02:39:53 pm
An interesting line found on MSO8000 fw4linux.sh script:

Chinese (Original):
#checkGTP;金手指里面已经执行了GTP配置,普通启动取消该配置,由于8000一台机器发现这里导致无法启动

Translation:
#checkGTP; GTP configuration has been performed in cheat. Normal configuration cancels the configuration. 8000 machines found it and failed to start.

So "checkGTP" is disabled on MSO8000 because it fails to start due to a false trigger on GTP configuration.
This increases my concerns about the newly added script.

checkGTP has been part of the firmware from the beginning from at least 01.01.01.07
Seriously, if Rigol wanted to lock down the scope, it wouldn't require "extra super secret scripts" to do so. Especially ones you would have to SSH into and run yourself.

I also ran cfg_gtp, nothing happened.

Here's a better translation
Quote
#Checkgtp: GTP configuration has been executed in goldfinger. It is cancelled during normal startup. Because 8000 machines find this, they cannot start
GoldFinger is simply their name for the ASIC I think, they even have a JTAG header for it named Goldfinger
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=586343;image (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=586343;image)


This new MSO5000 firmware simply includes all the changes they had to make for the MSO8000.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on March 03, 2020, 04:24:44 pm
I think we should raise a petition to Google for misleading translation from Chinese, thanks for clarification & testing.
It's still unclear what's the purpose of this script on Boot as it does not make any sense to me.

Regarding "extra super secret scripts" - it would not surprise me, as this would be not the first case, few examples: root:root, SMTP passwords :-DD
/dev/i2c-0 brought my attention as it's used for FRAM access as well, just on a different registry.
The question is: does it (cfg_gtp) update in memory or persist it? If the latter, then it might be an initialisation script, but so far I have not found any usage cases (calls).

Just don't forget that the scope has a magic "call home" function & the capability to execute any shell command, i.e. sshd.
This combination can lead to a locked scope. It's better to be cautious & be critical on the changes found on new FW's.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 03, 2020, 05:16:13 pm
I don't trust their firmware when it comes to security.  Mine is sitting in a physically isolated network, so it is not sending anything to China. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on March 03, 2020, 05:34:06 pm
Just don't forget that the scope has a magic "call home" function & the capability to execute any shell command, i.e. sshd.
This combination can lead to a locked scope. It's better to be cautious & be critical on the changes found on new FW's.

Eh, they disabled SSHD, we are the ones enabling it. Even enabling it does nothing to give them access on a standard network.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on March 03, 2020, 06:09:07 pm
Mine too 8) totally isolated network
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tonywood on March 03, 2020, 08:32:09 pm
So, can we use the current patch for the new firmware? Do we need to edit the patch file? Thanks - I'm on firmware 00.01.02.00.02
Do I need to downgrade firmware?

Thank you
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on March 04, 2020, 03:20:52 pm
So, can we use the current patch for the new firmware? Do we need to edit the patch file? Thanks - I'm on firmware 00.01.02.00.02
Do I need to downgrade firmware?

Thank you

The only safe option is to buy a license.
So regarding recently discussed GTP thing would say it's something to look at in more details, but it should be safe as #delfinom already tested & confirmed that no "fireworks" had been rendered on the scope after execution.

I own MSO7000 so the patch is not available for my device yet & as I can't see any major improvement on the new FW I'll postpone upgrade on my device.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 04, 2020, 03:36:51 pm
The only safe option is to buy a license.

So regarding recently discussed GTP thing would say it's something to look at in more details, but it should be safe as #delfinom already tested & confirmed that no "fireworks" had been rendered on the scope after execution.

I own MSO7000 so the patch is not available for my device yet & as I can't see any major improvement on the new FW I'll postpone upgrade on my device.

That's not true. In any device that is disconnected from the internet, any license can be used. The scope doesn't have any mechanism to check if it's an "official" or "unofficial" license.

I've looked at the GTP a while back. It didn't look suspicious. It's just their way for configure/validate things at boot time.

Use your time to migrate the 7000 patch (it should be kiddy stuff using simple pattern search - no need to open IDA...) and don't create unsubstantiated panic over the FW scripts.

BTW, with a full NAND backup you can reflash any of these MSOs from scratch as long as you have your bootloader healthy.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 04, 2020, 03:41:24 pm
Just an additional 2 cents:

We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on March 04, 2020, 03:56:20 pm
No issues at all with our 7000 updates and working 'upgrades' though as stated we have an internal network only no outside connections
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mindy on March 04, 2020, 03:56:47 pm
Just an additional 2 cents:

We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Thanks for clarification, I just wanted to be sure that we identified & backup all persistent data on the scope of all components, or at least the ones which store a scope specific data (FRAM, ...).
So GTP question is closed ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: the Goat on March 04, 2020, 05:41:52 pm
We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Point of clarification: DEFCON means Defense Readiness Condition.  So you lower the DEFCON level when closer to danger, not elevate it. 8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jemangedeslolos on March 04, 2020, 05:45:25 pm
Here we learn every day  8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 04, 2020, 06:14:05 pm
We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Point of clarification: DEFCON means Defense Readiness Condition.  So you lower the DEFCON level when closer to danger, not elevate it. 8)

 :-+  I was totally aware of it, although I wrote "level" when I meant "state" of alert. Thanks for the correction.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on March 04, 2020, 08:15:27 pm
I thought that only meant defcon one was Tautech was on the prowl :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on March 04, 2020, 08:18:50 pm
I thought that only meant defcon one was Tautech was on the prowl :-DD
Who me ? Always !  >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: marshalljmp on March 04, 2020, 10:56:34 pm
https://www.temcom.com/instruments-presented-by-rigol-at-embedded-world-2020/ (https://www.temcom.com/instruments-presented-by-rigol-at-embedded-world-2020/)

"As a further novelty, the BodePlot function has now been integrated in all MSO5000 series oscilloscopes as an addition to the existing standard application."

Can anybody confirm the Bodeplot function ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on March 04, 2020, 11:12:05 pm
https://www.temcom.com/instruments-presented-by-rigol-at-embedded-world-2020/ (https://www.temcom.com/instruments-presented-by-rigol-at-embedded-world-2020/)

"As a further novelty, the BodePlot function has now been integrated in all MSO5000 series oscilloscopes as an addition to the existing standard application."

Can anybody confirm the Bodeplot function ?
From the same source: Both series (MSO8000 and MSO5000) have been expanded with a 12-bit high resolution mode.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jemangedeslolos on March 05, 2020, 08:46:52 am
and nothing for MSO7000  :rant:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on March 05, 2020, 09:37:08 am
We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Point of clarification: DEFCON means Defense Readiness Condition.  So you lower the DEFCON level when closer to danger, not elevate it. 8)

DEFCON 1 is at the top of the list so you go upwards towards it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on March 05, 2020, 09:47:09 am
The bode plot is coming very, very soon by the end of the month for the 5000.

Along with some long standing bug fixes as well

The 7000 and 8000 will follow in the next month.

Not sure about the 12 bit high resolution mode though? as they all already have both high resolution and precision modes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: the Goat on March 05, 2020, 01:27:55 pm
We can even recreate a FRAM from scratch so I think there are no reasons for elevating the DEFCON level.

Point of clarification: DEFCON means Defense Readiness Condition.  So you lower the DEFCON level when closer to danger, not elevate it. 8)

DEFCON 1 is at the top of the list so you go upwards towards it.

Ha ha!  You got me there.  :clap:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 05, 2020, 05:51:25 pm
The scope doesn't have any mechanism to check if it's an "official" or "unofficial" license.

There is no way to be sure of that! There are plenty of possibilities they could use to detect if the firmware is modded. The easiest of which is to simply call the license checking function with an "unused/invalid" license ID that the user could not have a license for. I don't want to overpanic, but remember we (at least I) don't even fully understand the structure of their firmware yet. Who is calling the license checking function and what's the context? How is the license file being read and certified? They seem to hide that stuff pretty good from a disassembler. I only found the license checking function back then because it checked the -fullopt flag in earlier versions. There are also plenty of places they could use to store whether a scope was hacked or not (not only the dedicated 8KiB FRAM IC): Zynq-7000 SoC/FPGA (eFuses), Kintex K7 FPGA (eFuses), Spartan-6 FPGA (eFuses). Let's not be foolish, I'm sure they also have some very clever software developers at Rigol and it would be easy for them to trick us!

I didn't put a lot of effort into reverse engineering the firmware (yet), maybe some of you did. Maybe you understand the whole system, if so I'm sorry.

P.S. I also found some instructions that look for a "magic" file on an inserted USB drive. More about that if I find some more time to dig into it.
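The self-check described in the post above (probing the licence validator with an input that can never be genuine) can be sketched as follows. This is an added illustration, not code from the thread or from any Rigol firmware; the key, option names, serial number and licence format are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Everything here is constructed for illustration; none of it is taken from
# real firmware. An HMAC stands in for whatever scheme a vendor actually uses.
DEVICE_KEY = b"constructed-demo-key"
SELLABLE_OPTIONS = {"BW", "MEM", "DECODE"}
CANARY_OPTION = "ZZ-RESERVED"   # never sold, so no genuine licence exists for it


def issue_license(serial, option):
    """Vendor side: bind one sellable option to one serial number."""
    if option not in SELLABLE_OPTIONS:
        raise ValueError("option is not for sale")
    msg = f"{serial}:{option}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def check_license(serial, option, blob):
    """Device side: the unmodified validator."""
    if option not in SELLABLE_OPTIONS:
        return False
    msg = f"{serial}:{option}".encode()
    expected = hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, blob)


def check_license_patched(serial, option, blob):
    """What a 'always return true' binary patch turns the validator into."""
    return True


def check_license_patched_narrow(serial, option, blob):
    """A more careful patch: force-enable real options, reject unknown ones."""
    return option in SELLABLE_OPTIONS


def validator_looks_tampered(validator, serial):
    """Negative known-answer probe.

    A genuine validator must reject both probes: a licence for the reserved
    canary option, and random bytes presented for a real option. Accepting
    either one means the function no longer does what shipped.
    """
    probes = [
        (CANARY_OPTION, secrets.token_hex(32)),
        ("BW", secrets.token_hex(32)),
    ]
    return any(validator(serial, option, blob) for option, blob in probes)


if __name__ == "__main__":
    serial = "DEMO0001"  # constructed serial number
    for fn in (check_license, check_license_patched, check_license_patched_narrow):
        print(fn.__name__, validator_looks_tampered(fn, serial))
```

The probe only covers the function it calls; a change made in the caller, after the validator returns, passes it unnoticed.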
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 05, 2020, 06:40:34 pm
The scope doesn't have any mechanism to check if it's an "official" or "unofficial" license.

There is no way to be sure of that! There are plenty of possibilities they could use to detect if the firmware is modded.

Re-read my phrase. I talked about licenses, not modded FW. ;)

"Some of you" group: CHECK!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 05, 2020, 06:57:30 pm
Well, but that's definitely not true because of the e-fuses:
BTW, with a full NAND backup you can reflash any of these MSOs from scratch as long as you have your bootloader healthy.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 05, 2020, 07:09:27 pm
Well, but that's definitely not true because of the e-fuses:
BTW, with a full NAND backup you can reflash any of these MSOs from scratch as long as you have your bootloader healthy.

 :palm: Who talked about e-fuses? And changing e-fuses? Read carefully my words, as I and others (besides Rigol) have recreated the scope from scratch. I never said anything about creating perfect copycats...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: piskers on March 05, 2020, 07:22:37 pm
You said you can reflash the devices from scratch, for example after a future firmware update when they try to detect modded firmwares. All I'm saying is that there are ways for Rigol in which this is not true and one could lose warranty forever. Once written, eFuses cannot be cleared again. There are many cases where manufacturers in the past used eFuses to prevent warranty service (Samsung Knox e.g.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: delfinom on March 05, 2020, 08:30:54 pm
They seem to hide that stuff pretty good from a disassembler.

They don't hide anything. It's just a C++ application which will always make the resulting assembly more irritating to follow than C, especially with the heavy use of QT5 which has many of its own types instead of using stl types.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on March 06, 2020, 07:49:41 am
All I'm saying is that there are ways for Rigol in which this is not true and one could lose warranty forever. Once written, eFuses cannot be cleared again. There are many cases where manufacturers in the past used eFuses to prevent warranty service (Samsung Knox e.g.)

Yes, there are ways to do more than that, but no producer will do it. All important scope brands are hacked but no one has taken such measures as far as I know ... they act to improve FW to be hard to crack but not like this.
One of the reasons for not reacting as you said is that the percentage of cracked FW of scopes is small out of all sales.
The benefit is much bigger observing us reporting bugs and other info for their scopes.


 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 08, 2020, 04:42:07 pm
I think I have already posted this somewhere but here it is again...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: peppy88 on March 14, 2020, 04:45:51 pm
1.02.00.02 patch

Before: 78d71292a1828ee597a341bd14797e18
After: 86d162a29297ae03af88a6d8f7c40247

Hi I am following this guide: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308)

My MSO 5072 is already patched with the older 01.01.04.04 firmware and I already made a backup containing the memdump and backup folder.

Can someone please confirm if these are the correct steps to update to this:
1) Download Update from here https://int.rigol.com/Public/Uploads/uploadfile/files/ftp/DS/%E8%BD%AF%E5%9B%BA%E4%BB%B6/MSO5000(ARM)Update.rar (https://int.rigol.com/Public/Uploads/uploadfile/files/ftp/DS/%E8%BD%AF%E5%9B%BA%E4%BB%B6/MSO5000(ARM)Update.rar)
2) Unrar the files and copy the DS5000Update.GEL to blank usb (fat32)
3) Copy 01.02.00.02.bspatch.txt to usb and remove the .txt extension
4) Edit patch.txt file

file_to_patch=/rigol/appEntry
file_to_patch_md5sum=78d71292a1828ee597a341bd14797e18
patch_file=01.02.00.02.bspatch
after_patch_md5sum=86d162a29297ae03af88a6d8f7c40247

5) Save and copy to usb
6) Files on usb are
- DS5000Update.GEL
- 01.02.00.02.bspatch
- patch.txt
7) Attach the USB Drive back to the Scope, turn it on;
8 ) Wait for the screen shows that USB Drive was attached.
9) Press Utility/System/Help/Local upgrade
10) The screen will turn to white background and follow the instruction to press any keys.
11) After the upgrade process is finished, the scope will reboot.
12) Done! Enjoy!

Just want to confirm this is the correct procedure to minimize the chance of bricking.


Thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 14, 2020, 08:13:00 pm
Well done!  Do you now get channel 3 coming on even if you have nothing attached to it when you press Auto (if you have a signal on channel 1)?  So far, this appears to be a major bug they introduced in the new firmware, but I don’t know if this is affecting all scopes, mine has 1.00.00 hardware.

If that is the case with you as well, my personal recommendation is not to upgrade until they fix the Auto problem, unless you see something in the small fix list that you need.

No idea how the “in your face” Auto problem ever passed any QA test in Rigol.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on March 14, 2020, 08:17:43 pm
The MSO 8000 does not suffer this channel 3 issue NB
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: peppy88 on March 14, 2020, 11:59:15 pm
Has anyone done the 01.02.00.02? Can you please confirm that the steps above are the correct ones?

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2963402/#msg2963402 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2963402/#msg2963402)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on March 15, 2020, 11:08:46 am
Has anyone done the 01.02.00.02? Can you please confirm that the steps above are the correct ones?

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2963402/#msg2963402 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2963402/#msg2963402)

v00.01.02.00.02 and 03 have a bug.
It is better to stay at 00.01.01.04.08.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DeKu on March 15, 2020, 09:47:38 pm
Well done!  Do you now get channel 3 coming on even if you have nothing attached to it when you press Auto (if you have a signal on channel 1)?  So far, this appears to be a major bug they introduced in the new firmware, but I don’t know if this is affecting all scopes, mine has 1.00.00 hardware.

If that is the case with you as well, my personal recommendation is not to upgrade until they fix the Auto problem, unless you see something in the small fix list that you need.

No idea how the “in your face” Auto problem ever passed any QA test in Rigol.

I have the same Issue but it's Channel 4 and sometimes Channel 2 on my Device. It's an MSO5104 HW. 1.00.00

But I seem to have a bigger Problem. Can someone try the same and tell me (or show me) the Results?

I used the Integrated Function Generator and am a bit surprised at how it looks.. Unfortunately I don't have another Osci at hand, so I can't check if it's the Generator or Something else. Is it supposed to look like this?

Settings are in the Screenshots. Thx in advance for any Help

DeKu
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 15, 2020, 10:42:48 pm
You referring to the color grading being on?  It should default to off, does everything go back to yellow if you press default button?

Perhaps you have your scope set up to start from previous state rather than default?  And it had been turned on at some point in the past.

If you are referring to square wave distortion at higher frequency, it is not new.  As the AWG in it is a relatively low spec AWG.

I also saw channel 2 and 3 came on when there’s nothing attached, but it only did it on channel 2 a couple times.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on March 15, 2020, 10:50:51 pm
I think the complaint is about the quality of the square wave of the integrated waveform generator
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 15, 2020, 11:01:43 pm
If it is the square wave distortion he is referring to, that’s normal for that scope.  Low grade AWGs are not going to give you a crisp square wave at high frequency.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DeKu on March 15, 2020, 11:12:47 pm
I'm Sorry. Seems I left out the most important Part. The Colourgrading isn't an Issue as I can turn it on and off myself.

I actually meant the poor quality of the "supposedly" Square Form. But if that's a known "Issue" because of the poor quality AWG, then my Question is already answered.

ty
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on March 16, 2020, 12:01:45 am
Yup, not the best squarewave.

For comparison top trace Rigol internal G1 10 MHz, bottom trace HP3325A synthesiser. The HP is at the top of its square wave range there - the Rigol has in theory another 5 MHz to go, but as we've seen, it's fugly.

[attachimg=1 width=1024]

And at 1 MHz:

[attachimg=2 width=1024]
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 16, 2020, 12:24:12 pm
Has anyone done the 01.02.00.02? Can you please confirm that the steps above are the correct ones?

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2963402/#msg2963402 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2963402/#msg2963402)

Yes they should work. Nice work of  delfinom, and it also includes patches against online updates. I applied a similar patch to 00.01.02.00.03 and it works well for me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on March 16, 2020, 01:48:34 pm
Hey mabl,

Similar patch as in the exact same patch?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 16, 2020, 03:02:53 pm
Similar patch as in the exact same patch?

Similar, as in opened-up a disassembler, looking at the changes and applying a similar modification to the slightly moved functions version in the new firmware. So not the exact same patch.  ;) I just wanted to encourage everyone to look at the newest firmware.

Also, I would like to stress that my patcher will check the MD5 sums before and after the patch. So it is very hard to corrupt the system using it.
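The digest-gated flow implied by the four patch.txt fields in peppy88's steps and by the before/after MD5 check mentioned in the post above, as an added Python sketch. It is not mabl's patcher or any code from this thread: `apply_patch` is a hypothetical stand-in for the real binary-patch step, `patch_dir` and `root` are illustrative parameters, and the demo files are constructed.

```python
import hashlib
import os
import shutil
import tempfile

REQUIRED = ("file_to_patch", "file_to_patch_md5sum", "patch_file", "after_patch_md5sum")


def parse_manifest(text):
    """Parse the key=value layout of the patch.txt quoted in the thread."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        fields[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"manifest lacks {missing}")
    return fields


def md5_of(path, chunk=1 << 16):
    # MD5 is what the manifest carries. It catches a wrong firmware version or
    # a truncated copy; it is not a defence against a deliberately crafted file.
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def apply_verified(manifest, apply_patch, patch_dir, root="/"):
    """Replace the target only when both digests in the manifest match.

    apply_patch(old_path, new_path, patch_path) is a hypothetical callable
    standing in for the real binary-patch step. Returns a status string.
    """
    target = os.path.join(root, manifest["file_to_patch"].lstrip("/"))
    patch = os.path.join(patch_dir, os.path.basename(manifest["patch_file"]))
    if md5_of(target) != manifest["file_to_patch_md5sum"].lower():
        return "refused: input digest mismatch"
    # Stage beside the target so the final os.replace is a same-filesystem
    # rename: the target is either the old file or the complete new one.
    fd, staged = tempfile.mkstemp(dir=os.path.dirname(target), prefix=".staged-")
    os.close(fd)
    try:
        apply_patch(target, staged, patch)
        if md5_of(staged) != manifest["after_patch_md5sum"].lower():
            return "refused: output digest mismatch"
        shutil.copymode(target, staged)  # keep the executable bit
        os.replace(staged, target)
        return "applied"
    finally:
        if os.path.exists(staged):
            os.unlink(staged)


def run_constructed_demo():
    """Exercise the three outcomes on constructed files in a temp directory."""
    def fake_patch(old, new, patch):  # stand-in: output = old bytes + patch bytes
        with open(old, "rb") as o, open(patch, "rb") as p, open(new, "wb") as n:
            n.write(o.read() + p.read())

    def write(path, data):
        with open(path, "wb") as fh:
            fh.write(data)

    results = []
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "rigol"))
        target = os.path.join(root, "rigol", "appEntry")
        write(os.path.join(root, "demo.patch"), b"+delta")
        before = hashlib.md5(b"constructed-binary").hexdigest()
        after = hashlib.md5(b"constructed-binary+delta").hexdigest()
        manifest = parse_manifest(
            "file_to_patch=/rigol/appEntry\n"
            f"file_to_patch_md5sum={before}\n"
            "patch_file=demo.patch\n"
            f"after_patch_md5sum={after}\n"
        )
        # 1. The device holds a different build than the patch was made for.
        write(target, b"some-other-version")
        results.append(apply_verified(manifest, fake_patch, root, root))
        # 2. Right input, but the patch output is not what the manifest promises.
        write(target, b"constructed-binary")
        bad = dict(manifest, after_patch_md5sum="0" * 32)
        results.append(apply_verified(bad, fake_patch, root, root))
        with open(target, "rb") as fh:
            results.append(fh.read() == b"constructed-binary")  # left untouched
        # 3. Both digests match, so the staged file replaces the target.
        results.append(apply_verified(manifest, fake_patch, root, root))
        results.append(md5_of(target) == after)
    return results


if __name__ == "__main__":
    print(run_constructed_demo())
```

Matching digests show that the bytes written are the ones the patch author produced; they say nothing about whether those bytes run correctly on the device.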
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on March 19, 2020, 10:09:02 pm
Similar patch as in the exact same patch?

Similar, as in opened-up a disassembler, looking at the changes and applying a similar modification to the slightly moved functions version in the new firmware. So not the exact same patch.  ;) I just wanted to encourage everyone to look at the newest firmware.

Also, I would like to stress that my patcher will check the MD5 sums before and after the patch. So it is very hard to corrupt the system using it.

Thanks mabl for the clarification. Is there any chance to post the bspatch file and MD5 sums for 00.01.02.00.03. :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 19, 2020, 10:24:22 pm
So it is very hard to corrupt the system using it.

Assuming that the patch is well done... ;)  A faulty patch with correct hashes will still not work.  (just decided to nitpick a bit... :) )
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 20, 2020, 07:01:07 am
So it is very hard to corrupt the system using it.

Assuming that the patch is well done... ;)  A faulty patch with correct hashes will still not work.  (just decided to nitpick a bit... :) )

Haha right you are. It assumes the patch is good. I was implicitly thinking people would develop and test their patches via SSH. But funny enough, I did my patch on 00.01.02.00.03 and directly used the patcher, and only while patching realized what I was doing without much of a safety net. It worked, but in the worst case scenario I would have had to reflash from the bootloader.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on March 28, 2020, 12:34:23 am
So it is very hard to corrupt the system using it.

Assuming that the patch is well done... ;)  A faulty patch with correct hashes will still not work.  (just decided to nitpick a bit... :) )

Haha right you are. It assumes the patch is good. I was implicitly thinking people would develop and test their patches via SSH. But funny enough, I did my patch on 00.01.02.00.03 and directly used the patcher, and only while patching realized what I was doing without much of a safety net. It worked, but in the worst case scenario I would have had to reflash from the bootloader.

I'd love to get a copy of that 00.01.02.00.03 patch as well. It does not appear I can go back to 00.01.02.00.02 after putting 00.01.02.00.03 on, unless there's a tip for that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ZXSpectrum on March 31, 2020, 03:52:58 pm
Hello. I bought an oscilloscope with firmware 00.01.02.00.03 tell me how to patch it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on March 31, 2020, 05:50:42 pm
Hi,

Just search in this thread and you'll find the answer.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on March 31, 2020, 06:06:02 pm
Hello. I bought an oscilloscope with firmware 00.01.02.00.03. Can you tell me how to patch it?

I don't think anyone has posted a patch for 00.01.02.00.03 yet, though some have claimed to have developed a patch for that version. The most recent version a patch has been uploaded for is 00.01.02.00.02 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152) and the instructions for using it are here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2963402/#msg2963402).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ZXSpectrum on March 31, 2020, 06:21:49 pm
Is it possible to flash on top of 00.01.02.00.03 patched 00.01.02.00.02?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sbehnke on March 31, 2020, 06:38:30 pm
I did figure it out. My USB drive I was using was not very compatible for whatever reason. I switched to a different USB stick and was able to go backward in time. If you repeatedly press the SINGLE button on your scope as it boots, you'll get an option to restore the firmware and you can use an older version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on March 31, 2020, 06:51:43 pm
Is it possible to flash on top of 00.01.02.00.03 patched 00.01.02.00.02?

IDK for sure, but based on this (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2966302/#msg2966302) post and the two after it, I would say no.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ZXSpectrum on April 01, 2020, 07:56:45 pm
Everything turned out :) Flashed 00.01.02.00.02 using the menu on the SINGLE button, and then launched the patch from answer # 1558
Thanks to all!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on April 02, 2020, 04:19:02 pm
Is there a tutorial for the MSO 5204, or is it the same for all MSO 5000 series?

current firmware: 00.01.01.04.08
hw: 01.01.000

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 02, 2020, 04:53:26 pm
Hi, congratulations!
The procedure is the same for all MSO 5000.
For 04.08 - here - https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2785686/#msg2785686
For newer 02.02 - you must replace the md5 sum in patch.txt and the bspatch file with the ones from here - https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152
But I have a question, as I have seen on the other thread that there is another person who shows the oscilloscope options panel. Why didn't you get the MSO Bundle license (Serial Decoding, WaveGEN, PWR analysis)? It was supposed to be valid until the end of March. Did you acquire it in April?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: electricMN on April 02, 2020, 06:03:16 pm
Hi, congratulations!
....
But I have a question, as I have seen on the other thread that there is another person who shows the oscilloscope options panel. Why didn't you get the MSO Bundle license (Serial Decoding, WaveGEN, PWR analysis)? It was supposed to be valid until the end of March. Did you acquire it in April?

He probably hasn't registered on Rigol's web site. That's how you get the key to enable the free options. It's best to make sure the scope works before adding the options just in case there's a problem with the options.
They've extended the free options through the end of April.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 02, 2020, 06:28:53 pm
Yes, the license comes by email and the code inside must be registered on the Rigol site.
Even if the hack enables all options, it is better to have it officially enabled. With the bundle options you miss only BW and Memory.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on April 02, 2020, 07:39:31 pm
Rigol has implemented some changes on their site to force one to his regional Rigol page.  In the US, we can no longer reach the  international, EU, or China site, they all redirect us back to the rigolna site. 

I know the promo is available in the US, but not sure if that's true in Turkey (I presume that would go to the EU site).  If it is available in Turkey, I agree it is better to get the promo so you will get the legit free licenses in perpetuity without fear that the hack will not work with some future firmware version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on April 02, 2020, 08:34:15 pm
Thanks for quick reply.

Patch worked fine

I bought a few months ago from Turkey, where unfortunately bundle was not available

Now its like a new device! Thank you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 02, 2020, 09:10:47 pm
Maybe you should try to apply for the bundle to your seller or directly to Rigol. You have nothing to lose, only to gain.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on April 02, 2020, 09:32:22 pm
I just filled the form from rigol webpage

waiting for answer
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: boris.t on April 02, 2020, 11:30:10 pm
I sent the request twice (January and March) and got no answer.
Please, reply if you got answer.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 02, 2020, 11:32:14 pm
I got my bundle license the day after I filled out the form. I'm in the US if it matters.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: boris.t on April 02, 2020, 11:34:36 pm
I got my bundle license the day after I filled out the form. I'm in the US if it matters.
When did you send the request?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 03, 2020, 01:30:54 am
Sent 3/26, got response 3/27.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on April 03, 2020, 08:43:46 am
Still haven't got anything from Rigol; btw, the internal signal generator works fine.

Since we have a nice scope and signal generator in the same box, can we use it as a network analyzer?
I'm designing lots of analog filters and instrumentation amplifiers in roughly the audio range.
It would be nice to see some frequency-amplitude graphs.

I tried the Analog Discovery 2 for this; it works reasonably fine, but it would be nicer to do that in the scope.

So maybe PC software that connects to the scope via USB or Ethernet can do this. Any ideas?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on April 03, 2020, 09:06:55 am
I made a quick version without any software, only tuning the generator to ramp the frequency with a given step. It turns out very clearly:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 03, 2020, 10:21:37 am
I just filled the form from rigol webpage

waiting for answer

You are also entitled to a free BW upgrade to 350 MHz, as you can see attached.
So if you have all the bundles you will miss only the 200 Mpts memory, which is not a problem as the scope has 100 Mpts by default.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jemangedeslolos on April 03, 2020, 11:41:07 am
I sent the request twice (January and March) and got no answer.
Please, reply if you got answer.

I made the request in early March and got the answer 3 or 4 days after!
Maybe with COVID it will take longer than usual.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: electricMN on April 03, 2020, 04:00:03 pm
I got my bundle license the day after I filled out the form. I'm in the US if it matters.
When did you send the request?

I requested mine last Saturday and got a response on the following Tuesday.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: douggoldberg on April 04, 2020, 10:31:45 pm
Folks, Before I pull the trigger on the entry level 5000 I wanted to be sure that "improvements" in this thread will still work with current firmware. Should I still be able to implement these?

Cheers...Doug
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 04, 2020, 10:37:50 pm
Folks, Before I pull the trigger on the entry level 5000 I wanted to be sure that "improvements" in this thread will still work with current firmware. Should I still be able to implement these?

Cheers...Doug

Yes, it is possible to hack the latest firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on April 06, 2020, 08:50:22 am
Yes, it is possible to hack the latest firmware.
Can you share the recipe?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stafil on April 06, 2020, 08:54:54 am
Yes, it is possible to hack the latest firmware.
Can you share the recipe?

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308

These steps worked fine for me
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on April 06, 2020, 09:28:18 am
These steps worked fine for me
Is the medicine for 01.01.04.08 suitable for 01.02.00.03 without changes? Are the checksums the same?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 06, 2020, 09:31:42 am
No.
Ask Delfinom or Mable for this. They said that they made some tests but they have not made it public yet.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: azone on April 06, 2020, 05:07:59 pm
[Edited] Has anyone done the 01.02.00.02? Can you please confirm that the steps below are the correct ones?
I've read the entire post. So far I've done:
1) Updated to v01.02.00.02
2) Downloaded 01.02.00.02.bspatch from Post #1558 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152). Removed .txt extension
3) Downloaded Patch.txt from Post #1451 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308)
4) Edited the before and after md5sum in the patch.txt file to Before: 78d71292a1828ee597a341bd14797e18 After: 86d162a29297ae03af88a6d8f7c40247 as described in Post #1558 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152). This should correspond to the new v01.02.00.02.
5) Put DS5000Update.GEL (the v01.02.00.02 firmware), patch.txt, and 01.02.00.02.bspatch on a USB drive formatted for FAT32.
6) Performed a local update from the scope by going to Utility -> System -> Help -> Local Update
7) The firmware updates fine and says to reboot - but after I restart none of the upgrades are enabled - for example if I select channel 3 it says "This function requires the following license..." 
8) Decided to try to install v01.01.04.08 firmware since it's the most recent 'stable' version (then I could try the well-known working v01.01.04.08 hack/patch). Downloaded the old firmware version from Github (https://gitlab.com/riglol/rigolee/-/tree/MSO5000/GEL). However when I try to update the scope says "Failed to Upgrade. Check the File". This is the official file from Rigol that was simply reposted to Github for safe-keeping. Early pages from this thread state that the firmware can't be downgraded, so I guess those of us with units shipped with v01.02.00.02 and above will have to wait for a working method?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 06, 2020, 05:43:15 pm
I know this is a long thread guys, but all the answers are here, most of them within the last 3 pages. Just gotta read a bit ;)

Older firmware can be found here.
https://gitlab.com/riglol
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on April 06, 2020, 07:00:49 pm
I know this is a long thread guys, but all the answers are here, most of them within the last 3 pages. Just gotta read a bit ;)
I read the whole topic. And now separately the last 4 pages. There is a solution for version 02. And the mention that there is a cure for version 03. But there is no cure. Or am I stupid enough :(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 06, 2020, 07:19:48 pm
I know this is a long thread guys, but all the answers are here, most of them within the last 3 pages. Just gotta read a bit ;)
I read the whole topic. And now separately the last 4 pages. There is a solution for version 02. And the mention that there is a cure for version 03. But there is no cure. Or am I stupid enough :(

I can confirm there is a patch for 01.02.00.03, but it hasn't been posted yet. When the person who made the patch is ready I'm sure they will post it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 06, 2020, 08:27:50 pm
[Edited] Has anyone done the 01.02.00.02? Can you please confirm that the steps below are the correct ones?
I've read the entire post. So far I've done:
1) Updated to v01.02.00.02
2) Downloaded 01.02.00.02.bspatch from Post #1558 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152). Removed .txt extension
3) Downloaded Patch.txt from Post #1451 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308)
4) Edited the before and after md5sum in the patch.txt file to Before: 78d71292a1828ee597a341bd14797e18 After: 86d162a29297ae03af88a6d8f7c40247 as described in Post #1558 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152). This should correspond to the new v01.02.00.02.
5) Put DS5000Update.GEL (the v01.02.00.02 firmware), patch.txt, and 01.02.00.02.bspatch on a USB drive formatted for FAT32.
6) Performed a local update from the scope by going to Utility -> System -> Help -> Local Update
7) The firmware updates fine and says to reboot - but after I restart none of the upgrades are enabled - for example if I select channel 3 it says "This function requires the following license..." 
8) Decided to try to install v01.01.04.08 firmware since it's the most recent 'stable' version (then I could try the well-known working v01.01.04.08 hack/patch). Downloaded the old firmware version from Github (https://gitlab.com/riglol/rigolee/-/tree/MSO5000/GEL). However when I try to update the scope says "Failed to Upgrade. Check the File". This is the official file from Rigol that was simply reposted to Github for safe-keeping. Early pages from this thread state that the firmware can't be downgraded, so I guess those of us with units shipped with v01.02.00.02 and above will have to wait for a working method?

Git Lab, not Git Hub ;)

It does not appear 01.02.00.03 has a bug, it just looks like the noise threshold was reduced in that firmware.

https://www.eevblog.com/forum/testgear/rigol-mso-5000-hardwaresoftware-revisions/msg2984056/#msg2984056

Press the SINGLE button during boot to downgrade FW.

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2992368/#msg2992368
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: azone on April 06, 2020, 08:53:30 pm
After reading the entire thread a few times... below are details on updating your MSO5000 to v01.02.00.02 or v01.01.04.08 with all options enabled.
Also of note, you can revert to a previous firmware version.

Updating to v01.02.00.02 w/ all options enabled
1) Format your USB stick FAT32. Format the damn USB stick every time you add/remove files - I had problems if I didn't.
2) Update to v01.02.00.02 if not already installed. Use the official update, this one will have 66-68 MB.
3) Put the stick in your MSO5000 and go to Utility -> System -> Help -> Local Upgrade and update the firmware.
4) Delete the file from the USB stick, format again just in case.
5) Download the DS5000Update.GEL file from Post #1558 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152) which is the script that will apply the patch (bspatch). This one will have 130k.
6) Download 01.02.00.02.bspatch from Post #1558 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152). Delete the .txt extension (this is only done because this forum won't host the file without a qualified extension). Put it on the USB Stick.
7) Make a new patch.txt file with the contents below (this is the new md5 checksums for v01.02.00.02 and the correct name link to the bspatch file). Put this on the USB stick too.

file_to_patch=/rigol/appEntry
file_to_patch_md5sum=78d71292a1828ee597a341bd14797e18
patch_file=01.02.00.02.bspatch
after_patch_md5sum=86d162a29297ae03af88a6d8f7c40247

8) Put the stick in your MSO5000 and go to Utility -> System -> Help -> Local Upgrade and update the firmware.

I couldn't get it to work - after reading skander's response below I think I had the wrong DS5000Update.GEL file.
v01.02.00.02 has a few bugs so it may be better to wait for new firmware.

[Edit] typoknig notes in Post #1649 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3002746/#msg3002746post)
It does not appear 01.02.00.03 has a bug, it just looks like the noise threshold was reduced in that firmware
https://www.eevblog.com/forum/testgear/rigol-mso-5000-hardwaresoftware-revisions/msg2984056/#msg2984056
Maybe it's better to wait for someone to share the v01.02.00.03 patch; it will most likely be shared very soon.

Reverting firmware to an earlier version and updating v01.01.04.08 w/ all options enabled
1) Apparently v01.02.00.02 & v01.02.00.03 firmware is buggy, and the patch is not verified/proven like v01.01.04.08. Since new MSO's are now shipping with firmware greater than v01.01.04.08 I had to revert firmware to this earlier version.
2) Format your USB stick FAT32. Format the damn USB stick every time you add/remove files - I had problems if I didn't.
3) Put the official v01.01.04.08 firmware on the USB stick. Make sure the firmware is named DS5000Update.GEL. Sometimes the name has been extended to differentiate versions, however the firmware must be named DS5000Update.GEL.
4) If you can't find older firmware get it from Gitlab (https://gitlab.com/riglol/rigolee/-/tree/MSO5000/GEL)
5) Put the USB stick in the MSO5000. While turning it on keep pressing SINGLE to enter 'secret' mode. The screen will have an option to Upgrade Firmware.
6) Press Upgrade firmware. If the scope doesn't respond and you don't hear a beep when you press "Upgrade Firmware" restart the scope and try again. For some reason if you wait a few milliseconds too long it won't recognize your selection.
7) The firmware will update and ask you to reboot. Turn off the scope.
8) Now, follow the exact instruction from Post #1451 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308) to update to v01.01.04.08 w/ all options enabled. Again make sure you are using the correct DS5000Update.GEL file from post #1451 - it should be ~130KB.
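An added example, not part of the original post and not the patcher script from this thread: a check that parses a patch.txt in the four-key format shown above and reports whether a local copy of the target file matches the "before" hash, the "after" hash, or neither (for instance because it comes from a different firmware build). The function names, state labels and sample file contents are constructed; how the DS5000Update.GEL script itself validates these fields is not shown here.

```python
import hashlib
import re
import tempfile
from pathlib import Path

REQUIRED_KEYS = ("file_to_patch", "file_to_patch_md5sum",
                 "patch_file", "after_patch_md5sum")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# The manifest exactly as quoted in the post above.
PAGE_MANIFEST = """file_to_patch=/rigol/appEntry
file_to_patch_md5sum=78d71292a1828ee597a341bd14797e18
patch_file=01.02.00.02.bspatch
after_patch_md5sum=86d162a29297ae03af88a6d8f7c40247
"""


def parse_manifest(text):
    """Parse key=value lines; reject missing or duplicate keys and bad hashes."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # also drops a trailing '\r' from CRLF editors
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = key.strip(), value.strip()
        if key in fields:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        fields[key] = value
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    for key in ("file_to_patch_md5sum", "after_patch_md5sum"):
        fields[key] = fields[key].lower()
        if not MD5_RE.match(fields[key]):
            raise ValueError(f"{key}: not a 32-digit hex MD5")
    if fields["file_to_patch_md5sum"] == fields["after_patch_md5sum"]:
        raise ValueError("before and after hashes are identical")
    return fields


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so a ~22 MB binary is not held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(path, manifest):
    """Return 'unpatched', 'patched' or 'unknown' for a local copy of the target."""
    digest = md5_of(path)
    if digest == manifest["file_to_patch_md5sum"]:
        return "unpatched"
    if digest == manifest["after_patch_md5sum"]:
        return "patched"
    return "unknown"  # hashes were written for some other build of the file


def demo():
    """Constructed stand-in files; none of this is real firmware."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp, "appEntry.orig")
        patched = Path(tmp, "appEntry.patched")
        other = Path(tmp, "appEntry.other-build")
        original.write_bytes(b"constructed build A")
        patched.write_bytes(b"constructed build A, patched")
        other.write_bytes(b"constructed build B")
        # Upper-case hashes and CRLF line ends, as a Windows editor might save.
        manifest = parse_manifest(
            "file_to_patch=/rigol/appEntry\r\n"
            f"file_to_patch_md5sum={md5_of(original).upper()}\r\n"
            "patch_file=constructed.bspatch\r\n"
            f"after_patch_md5sum={md5_of(patched).upper()}\r\n"
        )
        return [classify(p, manifest) for p in (original, patched, other)]


if __name__ == "__main__":
    print(parse_manifest(PAGE_MANIFEST)["patch_file"])
    print(demo())
```

An "unknown" result is the case MegaVolt asks about further up: a manifest written for one firmware version does not describe the binary of another.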
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 06, 2020, 09:33:27 pm
Please.
There are two steps.
Step 1 - DS5000Update.GEL is the Rigol firmware that must be applied before. This one will have 66-68 MB. After applying it, delete it from the stick (or format if you feel safe ... :) )
Step 2 - DS5000Update.GEL is the script that will apply the patch (bspatch). This one will have 130 k. On the stick must be this gel (130k) + patch.txt + patch file, 3 files. Run local update.

Good luck !
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: azone on April 06, 2020, 09:58:54 pm
thanks skander, I updated my post for us laymen/clueless of the bunch.
I don't think I was using the correct DS5000Update file when I was trying to unlock everything with v01.02.00.02 - I think I was using the actual v01.02.00.02 firmware file by mistake.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Norbi on April 16, 2020, 11:46:55 pm

new firmware 00.01.03.00.01 mso5000 has appeared
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on April 17, 2020, 12:16:57 am
I just saw that in the US site as well, Bode Plot is here!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on April 17, 2020, 05:38:09 am
MSO5_FW_V1_1_4_4.zip, hmm, no enhancement on winzip usage  :palm:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on April 17, 2020, 06:16:52 am
There have been no changes to license checks etc., so the binary can be patched the usual way :-+. However you will need a new patch file. If you cannot prepare one yourself, maybe somebody is friendly enough to do one and post it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: yumcca on April 18, 2020, 02:31:41 am
Supports Bode plot?? Where to download? I searched the RIGOL website; they only offer v00.01.02.00.03.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: YZEPT on April 18, 2020, 02:41:29 am
The link is labeled incorrectly on the RigolNA site. The new version with Bode plots will download. For whatever reason Rigol are very slack about how they label links. |O
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on April 18, 2020, 02:55:37 am
In true Rigol style it's a bit of a mess.

If you go here:
https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/

Scroll down, go to the "Downloads" tab, Click the firmware file "MSO5000 scope family latest firmware" and it'll download the correct version.
If you look at the link, you will think it's downloading MSO5_FW_V1_1_4_4.zip
But it'll actually download a file called MSO5_FW_Update.zip which is the latest:
v00.01.03.00.01 2020/04/13
     -Add bode map function
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: YZEPT on April 18, 2020, 10:13:52 am
I thought I knew how to generate the new hashes but the results prove otherwise :--
Is there anyone out there that has the knowledge and time to show me and the other script kiddies the correct CRC values to plug into the script so we can patch the newest version MSO5074 firmware Rigol just released? : v00.01.03.00.01
I have tried but I cannot get it to work and I think it's to do with how I've gotten lost down this many kilometre deep rabbit hole.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ForceFed on April 19, 2020, 07:45:21 pm
Cool. Bode plotting in new firmware, happy I didn't jump ship...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on April 19, 2020, 08:41:23 pm
Can someone attach a screenshot of Bode plot function ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on April 19, 2020, 09:00:26 pm
Can someone attach a screenshot of Bode plot function ;D
https://www.eevblog.com/forum/testgear/rigol-mso-5000-hardwaresoftware-revisions/msg3021120/#msg3021120
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on April 19, 2020, 09:11:23 pm
Can someone attach a screenshot of Bode plot function ;D
https://www.eevblog.com/forum/testgear/rigol-mso-5000-hardwaresoftware-revisions/msg3021120/#msg3021120

Thanks, Looks good unfortunately...  :'(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sb42 on April 19, 2020, 10:47:18 pm
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 20, 2020, 12:20:24 am
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: boris.t on April 20, 2020, 01:27:05 am
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.
Thank you! But, can anyone make full instruction for 01.03.00.01?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 20, 2020, 02:02:46 am
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.
Thank you! But, can anyone make full instruction for 01.03.00.01?

Same as all the other patches. Just read the instructions in the first post on this page:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3002776/#msg3002776
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on April 20, 2020, 02:47:36 pm
Hm,
I think your (typoknig) patch is not working right.

I updated to 1.3 and it was working. Then i sshed in and grabbed appEntry. Checked the md5sums and then i applied your patch on my linux machine. Checked md5sum again. Patched appEntry has correct md5sum. I did chmod +x appEntry and copied back onto the scope.
But now it is not starting up anymore. Think i have to apply the original patch again...

Maybe i have to check again spelling and chmod but i think it was correct..

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 20, 2020, 03:38:39 pm
Hm,
I think your (typoknig) patch is not working right.

I updated to 1.3 and it was working. Then i sshed in and grabbed appEntry. Checked the md5sums and then i applied your patch on my linux machine. Checked md5sum again. Patched appEntry has correct md5sum. I did chmod +x appEntry and copied back onto the scope.
But now it is not starting up anymore. Think i have to apply the original patch again...

Maybe i have to check again spelling and chmod but i think it was correct..

Using SSH to apply the patch isn't necessary.  Just use the DS5000Update.GEL.doc file from this post (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308).  I have re-attached it here for convenience.

The permissions, owner, and group of appEntry should be 0755, root, and root respectively.  It will look like this when correct:

Code:
-rwxr-xr-x    1 root     root      22558088 Apr 19 07:00 appEntry
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on April 20, 2020, 05:40:52 pm
... Checked the md5sums and then i applied your patch on my linux machine. Checked md5sum again. Patched appEntry has correct md5sum. I did chmod +x appEntry and copied back onto the scope.
But now it is not starting up anymore. Think i have to apply the original patch again...

That ordering might be your problem, chmod then copying it. Might have lost permissions during the copy, I'd have copied and then chmod'd. Check the md5sum of what you copied onto the scope on the scope and check the permissions as above.
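An added example (not code from this thread) for the check suggested above: an MD5 digest covers file contents only, so a copy can hash correctly and still lack its execute bits. `verify_installed` and the temporary files are constructed for illustration; the expected mode 0755 and root:root owner are taken from typoknig's listing earlier in the thread, and the content-only copy stands in for whatever transfer method dropped the mode.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def verify_installed(path, expected_md5, expected_mode=0o755,
                     expected_owner=(0, 0)):
    """Return a list of problems; an empty list means content, mode and
    owner all match. Pass expected_owner=None to skip the owner check."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    problems = []
    digest = md5_of(path)
    if digest != expected_md5.lower():
        problems.append(f"md5 mismatch: got {digest}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        problems.append(f"mode is {mode:04o}, expected {expected_mode:04o}")
    if expected_owner is not None:
        owner = (st.st_uid, st.st_gid)
        if owner != tuple(expected_owner):
            problems.append(
                f"owner is {owner[0]}:{owner[1]}, "
                f"expected {expected_owner[0]}:{expected_owner[1]}")
    return problems


def demo():
    """Constructed stand-in file; not real firmware."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "appEntry.local")
        dst = Path(tmp, "appEntry.copied")
        src.write_bytes(b"\x7fELF constructed stand-in")
        os.chmod(src, 0o755)            # chmod first ...
        want = md5_of(src)
        shutil.copyfile(src, dst)       # ... then a copy that keeps bytes only
        # Owner check skipped here because the demo does not run as root.
        after_copy = verify_installed(dst, want, expected_owner=None)
        os.chmod(dst, 0o755)            # chmod on the destination instead
        after_chmod = verify_installed(dst, want, expected_owner=None)
        return after_copy, after_chmod


if __name__ == "__main__":
    for label, result in zip(("after copy", "after chmod"), demo()):
        print(label, result or "ok")
```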
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: boris.t on April 20, 2020, 06:13:10 pm
Hm,
I think your (typoknig) patch is not working right.

I updated to 1.3 and it was working. Then i sshed in and grabbed appEntry. Checked the md5sums and then i applied your patch on my linux machine. Checked md5sum again. Patched appEntry has correct md5sum. I did chmod +x appEntry and copied back onto the scope.
But now it is not starting up anymore. Think i have to apply the original patch again...

Maybe i have to check again spelling and chmod but i think it was correct..

Using SSH to apply the patch isn't necessary.  Just use the DS5000Update.GEL.doc file from this post (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2833308/#msg2833308).  I have re-attached it here for convenience.

The permissions, owner, and group of appEntry should be 0755, root, and root respectively.  It will look like this when correct:

Code:
-rwxr-xr-x    1 root     root      22558088 Apr 19 07:00 appEntry

Works. Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Norbi on April 20, 2020, 09:46:43 pm

I confirm works, thank you :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on April 21, 2020, 07:31:02 am
Thx for the hint with the "autopatcher" ;-)
This time it worked. So must be my fault with chmod before copy or something else...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on April 21, 2020, 02:25:37 pm
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.

I've applied this particular version of the patch for 01.03.00.01 and, just to give others comfort, it all seems to be working as intended.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: el_man on April 21, 2020, 03:31:22 pm
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.

I've applied this particular version of the patch for 01.03.00.01 and, just to give others comfort, it all seems to be working as intended.

I can confirm this too!  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sjm on April 21, 2020, 10:57:27 pm
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.

I've applied this particular version of the patch for 01.03.00.01 and, just to give others comfort, it all seems to be working as intended.

Yes, I confirm that this worked for me too. Thanks a lot.

I find it a bit strange that the updated firmware seems to be available only on the Rigol NA site, not on intl or EU.

BR, -sjm
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on April 21, 2020, 11:22:43 pm
I find it a bit strange that the updated firmware seems to be available only on the Rigol NA site, not on intl or EU.

No, we've seen this before. New firmware goes up on one of the Rigol sites and the others don't seem to keep in step. It's anybody's guess as to which site the firmware will appear on first, there's been no particular pattern in the past.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TrickTronic on April 22, 2020, 10:22:06 am
Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.


I've applied this particular version of the patch for 01.03.00.01 and, just to give others comfort, it all seems to be working as intended.

Thanks to all contributors: You've done great work, works smoothly on my MSO5074!  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dxl on April 22, 2020, 05:51:45 pm
Did anyone ever try to run their own kernel on these things? That would be interesting as it would open up a nice list of tracing tools - like kprobes, ftrace and so on, which would be very helpful in reversing the scope hardware. The device drivers loaded into the kernel seem pretty simple from what i've seen.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 22, 2020, 07:17:24 pm
Did anyone ever try to run their own kernel on these things?

I've run 1 or 2 homemade apps but a kernel ? ?   :scared:  That's big boys stuff...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dxl on April 22, 2020, 07:25:40 pm
Did anyone ever try to run their own kernel on these things?

I've run 1 or 2 homemade apps but a kernel ? ?   :scared:  That's big boys stuff...

Depends on whether it's a stock kernel, or whether rigol made a lot of modifications. I extracted the devicetree which tells the kernel what devices are living where on which bus, which is a good starting point. I have not received my scope (I ordered a MSO5072 yesterday). Can anyone with a scope check whether /proc/config.gz exists? Pretty unlikely, but you never know...

Looking at the rigol kernel modules it seems like they tried to do everything in userspace, which would be good.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dxl on April 22, 2020, 07:32:41 pm
Not sure whether it was already posted in the amount of thread pages, but attached is the devicetree file for the linux kernel. What i can make out of this is:

I2C BUS @e0004000:

0x32: RTC
0x14: Touchscreen
0x1c: TMP421 temperature sensor
0x1d: TMP421
0x52: FRAM
0x1f: ADC #1 adc128d818 (knobs?)
0x35: ADC #2
0x37: ADC #3

Ignore it if that was already posted in this thread somewhere.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thinkfat on April 22, 2020, 07:52:28 pm
The device tree reveals a lot and nothing at the same time. There's no interesting peripherals listed here, the really interesting stuff will be in the PL part of the Zynq-7000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dxl on April 22, 2020, 07:57:40 pm
The device tree reveals a lot and nothing at the same time. There's no interesting peripherals listed here, the really interesting stuff will be in the PL part of the Zynq-7000.

It's at least a starting point to know what drivers are used for the hardware in the kernel. Of course there might be drivers in the kernel that are not listed in the dt that are used by some platform code. One thing i can't find in the upstream kernel is the DPU driver. Which might be possible, as graphics processing might be different in a scope... I can't say about the PL part in the Zynq, i have no knowledge about Zynq FPGAs.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 22, 2020, 08:47:26 pm
Depends on whether it's a stock kernel, or whether rigol made a lot of modifications.

What is a "stock kernel" in a scope like this?  ???

Look here: https://gitlab.com/riglol/rigolee/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sjm on April 22, 2020, 09:58:16 pm
Can someone attach a screenshot of Bode plot function ;D

OK, let's see if this works... well I made a stupid 2x RC filter on a breadboard and after some trial and error with component values, I managed to make a nice bode plot.

BR, -sjm
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dxl on April 23, 2020, 08:53:46 pm
I received my MSO5072 today. It came with 01.01.04.04, upgraded to latest firmware, applied the patches. All worked fine. Applying the bpatch was even faster than receiving the free options from Rigol :-). I now modified /rigol/shell/start.sh to automatically start ssh, hope I find some time during the next week to solder the serial + jtag port...

Many thanks to the people who made that upgrade possible!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MartinMajewski on April 23, 2020, 10:53:09 pm
Hi all,

I read through a lot of posts of this thread, but there are 68 pages now! On the last couple of pages, I saw that the MSO5000 is pretty easily hackable without a big brick-risk. I am now about to order an MSO5074 or an MSO5104. Both have nearly all software options enabled because of a special offer. The only thing locked is the frequency.

So what I am not sure still is, if the frequencies can also be unlocked with this hack. The 70 MHz Version is like 200 Euros (net) less, and I need the PLA2216, too. Should I spare myself the money and get the 70MHz and "hack" as soon as I need more bandwidth, or should I go with the 100MHz version "just in case"?

And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?

A status overview page would be really helpful on this topic for us noobs.


I really appreciate all your efforts! Stay safe!

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stafil on April 23, 2020, 10:58:20 pm
Hi all,

I read through a lot of posts of this thread, but there are 68 pages now! On the last couple of pages, I saw that the MSO5000 is pretty easily hackable without a big brick-risk. I am now about to order an MSO5074 or an MSO5104. Both have nearly all software options enabled because of a special offer. The only thing locked is the frequency.

So what I am not sure still is, if the frequencies can also be unlocked with this hack. The 70 MHz Version is like 200 Euros (net) less, and I need the PLA2216, too. Should I spare myself the money and get the 70MHz and "hack" as soon as I need more bandwidth, or should I go with the 100MHz version "just in case"?

And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?

A status overview page would be really helpful on this topic for us noobs.


I really appreciate all your efforts! Stay safe!

Martin

MSO5074, the hack works like a charm

Also given the hack is so easy, you will have hard time selling the 100Hz more than the 70Hz, so resale value is not as good for the 100Hz
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on April 24, 2020, 12:46:11 am
Hi all,

I read through a lot of posts of this thread, but there are 68 pages now! On the last couple of pages, I saw that the MSO5000 is pretty easily hackable without a big brick-risk. I am now about to order an MSO5074 or an MSO5104. Both have nearly all software options enabled because of a special offer. The only thing locked is the frequency.

So what I am not sure still is, if the frequencies can also be unlocked with this hack. The 70 MHz Version is like 200 Euros (net) less, and I need the PLA2216, too. Should I spare myself the money and get the 70MHz and "hack" as soon as I need more bandwidth, or should I go with the 100MHz version "just in case"?

And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?

A status overview page would be really helpful on this topic for us noobs.


I really appreciate all your efforts! Stay safe!

Martin

MSO5074, the hack works like a charm

Also given the hack is so easy, you will have hard time selling the 100Hz more than the 70Hz, so resale value is not as good for the 100Hz

Another option that isn't enabled in the bundle is 200M memory. The 5074 is the best deal out of the MSO5000 line assuming you want 4 probes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on April 24, 2020, 05:27:29 am
Depends on whether it's a stock kernel, or whether rigol made a lot of modifications.

What is a "stock kernel" in a scope like this?  ???

They run Linux on a commercial chip. It comes with a kernel as a starting point.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on April 24, 2020, 08:15:10 am
Can someone attach a screenshot of Bode plot function ;D

 :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 24, 2020, 08:47:40 am
They run Linux on a commercial chip. It comes with a kernel as a starting point.

It does but without specific patches and drivers we're far from having a scope. I think when Linus developed the thing he wasn't doing circuit analysis...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mantis on April 24, 2020, 08:57:59 am
Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.
Thank you!
Works perfect!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on April 24, 2020, 09:02:02 am
...And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?
I think you're wrong, I believe the hack makes it as though the MSO5xxx has all the hacked features and they continue through power cycling.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 24, 2020, 09:08:47 am
...And what about the persistence of the hack? Somewhere in the thread, I read that it is gone after a reboot. But I guess this was just a work-in-progress issue during the investigation of a possible hack. Am I right?
I think you're wrong, I believe the hack makes it as though the MSO5xxx has all the hacked features and they continue through power cycling.

Sure it does. The hack doesn't resist to a FW upgrade but it resists to reboots!  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pipe2null on April 24, 2020, 08:34:41 pm
...
So what I am not sure still is, if the frequencies can also be unlocked with this hack. The 70 MHz Version is like 200 Euros (net) less, and I need the PLA2216, too. Should I spare myself the money and get the 70MHz and "hack" as soon as I need more bandwidth, or should I go with the 100MHz version "just in case"?
...

If you're going the cheap as possible route, I'd suggest NOT doing what I did:  I bought an MSO5072 last year on clearance (good thing) and hacked all features including the 2->4 channel upgrade (also good thing).  The 2 channel model only comes with 2 probes (less-good thing), which I knew prior to purchase but bought anyway since I had intended to buy a couple higher BW probes anyway (good thing, with max BW hack).  But I didn't consider the future resale of my scope and kinda wish I started out with the 4 channel 70MHz model instead since it comes with 4 probes.  When I eventually end up selling my scope, I'm NOT going to charge for hacked features, but leaving it as buyer's choice whether or not to undo hacks prior to shipping would help unload it (down the road a while), and having 4 probes to go with it would have been better.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on April 25, 2020, 04:36:01 pm
Did we already extract the u-boot image and environment? If so, is there an easy way to do this? Hints are very welcome.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on April 25, 2020, 05:19:12 pm
I've successfully gone up to vn  01.03.00.01 and all is working well (now that I fixed the loose rotary encoder (https://www.eevblog.com/forum/testgear/mso5000-use-with-monitor/msg3033844/#msg3033844)) as far as I've tested.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on April 25, 2020, 05:34:02 pm
I also tried a Bode plot of the response of a guitar preamp I'm working on...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on April 25, 2020, 07:55:07 pm
I also tried a Bode plot of the response of a guitar preamp I'm working on...

preAMP? I see a maximum gain of -22dB, or is there a scaling trick involved?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on April 26, 2020, 12:01:56 am
I also tried a Bode plot of the response of a guitar preamp I'm working on...

preAMP? I see a maximum gain of -22dB, or is there a scaling trick involved?
Hmmm, well it isn't working very well so I suppose there may be a problem, it's more a tone control than a preamp.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on April 27, 2020, 01:48:29 am
Do you need to apply all intermediary patches, or can I go from the 1st one directly to the last one?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fluffhamster on April 27, 2020, 02:19:02 am
Do you need to apply all intermediary patches, or can I go from the 1st one directly to the last one?

Go directly to last one.

Did anyone notice a change in UI responsiveness after patching new FW? I have much better experience.
p.s. Shout out to everyone here for your work @delfinom, @mabl, @tv84 and so many others - long time observer here 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 27, 2020, 08:29:01 am
Did we already extract the u-boot image and environment? If so, is there an easy way to do this? Hints are very welcome.

AFAIK you need to read the SPI mem externally.

These are the u-boot commands available:
Code:
aesTest - aes test
base    - print or set address offset
bdinfo  - print Board Info structure
beeper  - Beeper
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bootz   - boot Linux zImage image from memory
checkGTP- Config the clock 125MHz
checkVer- check version
clk     - CLK sub-system
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
cpldver - Get cpld version
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
dpu     - Init DPU
dver    - DPU version
echo    - echo args to console
editenv - edit environment variable
env     - environment handling commands
exec    - exec memaddr ,return 0 on success, or != 0 on error by rigol
exit    - exit script
ext2load- load binary file from a Ext2 filesystem
ext2ls  - list files in a directory (default /)
false   - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fatwrite- write file into a dos filesystem
fdt     - flattened device tree utility commands
fpga    - loadable FPGA image support
go      - start application at address 'addr'
goldFinger- Set boot from Gold finger
help    - print command description/usage
hwver   - Get hardware version
i2c     - I2C sub-system
icache  - enable or disable instruction cache
iminfo  - print header information for application image
itest   - return true/false on integer compare
ledoff  - turn led off
ledon   - turn led on
loadb   - load binary file over serial line (kermit mode)
loadlogo- load logo
loads   - load S-Record file over serial line
loadx   - load binary file over serial line (xmodem mode)
loady   - load binary file over serial line (ymodem mode)
loadzynq- load zynq bit
loop    - infinite loop on address range
md      - memory display
md5sum  - compute MD5 message digest
mdio    - MDIO utility commands
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
progGTP - Programing the clock of 125MHz
readfile- Read the package from USB DISK to memory
reset   - Perform RESET of the CPU
restart - Restart the power
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
showMessage- show message on the bottom of the LCD
showvar - print local hushshell variables
sleep   - delay execution for some time
source  - run script from memory
sspi    - SPI utility command
storage - Select Nand or QSPI as the current storage device
tar     - tar command by rigol
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
unzip   - unzip a memory region
upgradeFromUSB- Upgrade firmware from USB Disk
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version
zynqaes - Zynq AES decryption
zynqrsa - Zynq RSA verfication
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thinkfat on April 27, 2020, 08:48:14 am
Did we already extract the u-boot image and environment? If so, is there an easy way to do this? Hints are very welcome.

AFAIK you need to read the SPI mem externally.

These are the u-boot commands available:
Code:
fatwrite- write file into a dos filesystem
nand    - NAND sub-system
sspi    - SPI utility command
storage - Select Nand or QSPI as the current storage device
upgradeFromUSB- Upgrade firmware from USB Disk
usb     - USB sub-system
usbboot - boot from USB device

Might not be necessary. I see there's the "usb" command and the "fatwrite" command, it might be possible to read the boot memory into RAM and then write it out to a memory stick. The "upgradeFromUSB" and "usbboot" commands hint that it's feasible.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 27, 2020, 09:54:47 am
Might not be necessary. I see there's the "usb" command and the "fatwrite" command, it might be possible to read the boot memory into RAM and then write it out to a memory stick. The "upgradeFromUSB" and "usbboot" commands hint that it's feasible.

I think that's the problem: IIRC, you can't reach the bus to read to mem.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thinkfat on April 27, 2020, 11:20:57 am
Might not be necessary. I see there's the "usb" command and the "fatwrite" command, it might be possible to read the boot memory into RAM and then write it out to a memory stick. The "upgradeFromUSB" and "usbboot" commands hint that it's feasible.

I think that's the problem: IIRC, you can't reach the bus to read to mem.

You mean, u-boot doesn't have a driver for the first-stage boot medium? And the "sspi" command group is not allowing access to it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 27, 2020, 12:17:28 pm
You mean, u-boot doesn't have a driver for the first-stage boot medium? And the "sspi" command group is not allowing access to it?

I'm unable to follow you at that level!  :-\ It seems that SPI bus is "private" and not accessible after boot. Or the FPGA (that seems to police access to devices) needs a special setting to allow the access... All tries were unsuccessful. Most probably we were missing your contribution when it was investigated!   :D

We became convinced that to flash the bootloader we need to connect the device to an external programmer. If it is like that, it is bad, but it is also good, as the probability of someone bricking it is much lower.

Do these responses help?

rigol-uboot>sspi
00FFFF

rigol-uboot>sspi blabla
00FFFF
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on April 27, 2020, 01:30:41 pm
I redid my Bode plot having realized that the Ch2 probe was switched to x10 but the input was set to x1; looks a bit more reasonable
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sjm on April 28, 2020, 12:57:56 pm
Yeah... well I had an old Onkyo TX-NR509 AV amplifier that was kinda brain dead for last 5 years but the power amp part looked intact and should work. Finally had time to look at it.
After some merciless slaughtering and removal of something around 7 circuit boards and half a dozen relays -- no brains, no drive to the relays -- I managed to have a working 5 x 80W power amp!

Then with 100mV drive and 10 ohm power resistor as the load, I gave it a shot and measured the freq response. Nice flat curve from 20Hz to around 100kHz.

BR, -sjm
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on April 28, 2020, 02:39:47 pm
@sjm
Nice flat response :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: cv_pacifier on April 30, 2020, 04:24:27 am
First let me say thanks to all of the hard working much more competent people that made unlocking the features of the mso5000 possible. just bought a mso5074 and followed your instructions with success. I also have a MSO2072A and a ds6000 test board. I have been trying to get the rs-232 function to work. I hook probes from both instruments into the demo board and though i can get the mso2072a to sync to the rs-232 signal, i cannot do the same for the mso5074 instrument. Just wonder if anyone has checked the decoding capabilities of the unlocked scope and have you had any trouble making this work. Thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on April 30, 2020, 05:55:36 am
i've used the decoders since day 1, and rs232 is working perfectly, except the UI is ugly as hell, and should be nicked Unusable Interface instead. The decoded buffer seems to be the display buffer, and zooming out changes everything in the decoding result.
So yeah, it decodes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on April 30, 2020, 06:24:17 am
Does somebody know if the "jitter measurement" is working?
Does somebody know if the "eye measurement" is working? And how can I draw an eye?

MSO5000 not 7k/8k


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on April 30, 2020, 08:41:08 am
Hello Noy


The 5000 is not supposed to have the jitter app, however Tv84's opening up of the scope allows you access. The eye app will not function on the 5000, we struggled to get it work on the 7000 currently only the 8000 has this option.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on April 30, 2020, 11:03:17 am
Hm, that's sad.

TV said he was able to run homebrew software?

Maybe we are able to build an app by our own?

I'm thinking of using these pass/fail measure thing but putting an eye into it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on April 30, 2020, 11:43:06 am
You might find its the hardware requirements that are the short fall for the eye app Noy
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eutectique on May 01, 2020, 11:14:12 am
i've used the decoders since day 1, and rs232 is working perfectly, except the UI is ugly as hell, and should be nicked Unusable Interface instead. The decoded buffer seems to be the display buffer, and zooming out changes everything in the decoding result.
So yeah, it decodes.

Can you trigger on rs232?

For example, on condition "bit pattern 1xx0x0xx on any of Tx or Rx lines"?

Can you set bit pattern 1xx0x0xx with SCPI command ":trig:rs232:data ..."?

Can you search for these trigger events (chapter 15 Search and Navigation Functions)?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: cv_pacifier on May 02, 2020, 01:29:13 am
re decoder: After I read that the instrument did decode, I played with mine for several hours. My MSO2072 worked great and I thought I had correctly set all the characteristics on both machines. I was a bit confused by the copy trigger function to the decoder. I went over meticulously all the settings and finally got it working after I realized that it was decoding correctly the data it was receiving (RS-232). Changing the polarity on the trigger characteristic solved the problem. Not sure why reversing the logic was necessary since I thought the default position was appropriate. Anyway it is working now. Thank you for your comments. It's really a hell of a machine feature-wise.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on May 02, 2020, 09:05:37 am
It's really a hell of a machine feature-wise.
That statement sums up my thoughts on the MSO5074.

I'm glad to hear that you got the decode working. RS232 normally idles high so that ought to be the default setting, does your RS232 idle high or low?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on May 02, 2020, 09:56:30 am
It's really a hell of a machine feature-wise.
That statement sums up my thoughts on the MSO5074.

Completely agree you do obtain a great deal of useful features with the Rigol 5/7/8000 series machines, Martin 72 made a fair point about them being a little rough around the edges and not quite finished, I would agree to a point. But what you have is the raw horsepower and decent deep memory to really delve into debug issues.

For example to obtain 500Mpts from the Lecroy wavepro254 costs a lot more than a fully optioned up and probed MSO 8000 at price points. Or Tek's BW upgrade on the new 4 series is £15K+ LOL  Concerning hobbyists and small start up's the Rigol's offer very good options for the cost, plus the clever folk on here can produce their scripts to enhance their features.

I still use the 8000 daily and its a very good scope, its more polished than the 5000 but the 5000 is still something for the cost, think back 5 years to what even a similar scope WITH all the features would cost then?

Again excellent work from all of those contributors on this thread top stuff chaps

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: cv_pacifier on May 03, 2020, 04:07:29 am
Hi there. appreciate the commentary on my rs232 difficulties. By idling high are u referring to the polarity or maybe the trigger level. I am really rusty at this and am not sure re your question. I just got the sigma installed and though i'm sure the USB connection is working, I am not familiar with entering commands to the mso5074. As far as the polarity the default polarity on the hieroglyphic for the polarity which i assume is negative shows the first transition from high to low. If I don't change it to low to high then it misinterprets the data. Have to make both logic symbols on the trigger and on the decoder i believe positive logic (with the 1st transition low to high) for it to work correctly.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on May 03, 2020, 09:15:58 am
Hi there. appreciate the commentary on my rs232 difficulties. By idling high are u referring to the polarity or maybe the trigger level. I am really rusty at this and am not sure re your question. I just got the sigma installed and though i'm sure the USB connection is working, I am not familiar with entering commands to the mso5074. As far as the polarity the default polarity on the hieroglyphic for the polarity which i assume is negative shows the first transition from high to low. If I don't change it to low to high then it misinterprets the data. Have to make both logic symbols on the trigger and on the decoder i believe positive logic (with the 1st transition low to high) for it to work correctly.
I'm referring to the polarity but RS232 is confusing. Going back 20 or 30 years, there were RS232 ports on computers that exchanged data with RS232 devices such as printers using signals that moved between +15 to -15 volts; these voltages were used to make the communications over long cables more reliable.

When we look at the RS232 signals for microcontrollers on PCBs, they typically move between 0V and 5V or 0V and 3.3V but, when those same RS232 signals travel off the PCB level to an external connector e.g. DB9, they typically are routed through a MAX232 chip that converts the 0 - 5V signals to -5 to +5 signals and does the opposite with the incoming signal (even though these are not -15 and +15, it still works and MAX232 ICs typically put out -6 to +6 signals).

Confusingly, all these signals are called RS232 because of the way data is encoded.  There's a popular chip that is an RS232 to USB adapter, the FT232 (there are several others) but the RS232 data signals never run at -ve voltages on that IC.  You can download a free utility for the FT232 that is used to configure the chip and, among the settings, is the ability to invert TX and/or RX signal lines. The de facto standard is for the PCB level RS232 signals to idle high (at a '1') but it's possible to have them idle at a '0'.

So what you see when looking at RS232 signals using a scope depends on where you are putting the scope leads.

Sparkfun has some good explanations here: https://www.sparkfun.com/tutorials/215
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 03, 2020, 12:42:09 pm
At microcontroller level, the signal is called UART and usually idles high.  What is called RS232 is after the level converter like the MAX232, where the levels are around +-12V.

About the signal format, it idles high and a start bit, what is needed to identify the start of the frame, is the first High to Low transition, the decoder needs to discard this start bit and then start measuring high and low values until the stop bit (low to high transition).  It is an asynchronous protocol, it is very important to set the parameters correctly: baud, number of bits, idle high or low, parity, stop bits, etc.  As it is just a streaming of level transitions, the 2 devices need to know exactly how the information is encoded.
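The framing described in the post above, and the polarity mismatch reported a few posts earlier, as an added example that is not part of the original posts: a small Python encoder/decoder working on a constructed logic trace. The function names, the 8 samples per bit and the test bytes are assumptions made for this example.

```python
"""UART framing over a sampled logic trace (added example, not from the thread)."""


def encode_uart(data, samples_per_bit=8, data_bits=8, parity=None,
                stop_bits=1, idle_high=True, idle_bits=3):
    """Build a constructed trace (list of 0/1 samples) carrying `data`."""
    bits = [1] * idle_bits                      # line idles at logic 1
    for byte in data:
        payload = [(byte >> k) & 1 for k in range(data_bits)]  # LSB first
        frame = [0] + payload                   # start bit, then data bits
        if parity in ("even", "odd"):
            p = sum(payload) & 1                # even parity bit
            frame.append(p ^ 1 if parity == "odd" else p)
        frame += [1] * stop_bits                # stop bit(s) return to idle
        bits += frame
    bits += [1] * idle_bits
    if not idle_high:                           # inverted line: idle is 0
        bits = [b ^ 1 for b in bits]
    return [b for b in bits for _ in range(samples_per_bit)]


def decode_uart(samples, samples_per_bit=8, data_bits=8, parity=None,
                stop_bits=1, idle_high=True):
    """Return [(value, status)], status is 'ok', 'parity' or 'framing'."""
    # Normalise so the idle level is always 1 inside the decoder.
    line = samples if idle_high else [s ^ 1 for s in samples]
    frame_bits = 1 + data_bits + (1 if parity else 0) + stop_bits
    half = samples_per_bit // 2
    frames, i, n = [], 1, len(line)
    while i < n:
        # A frame starts at the first idle -> active (1 -> 0) edge.
        if not (line[i - 1] == 1 and line[i] == 0):
            i += 1
            continue
        # Sample every bit of the frame at its centre.
        centres = [i + half + k * samples_per_bit for k in range(frame_bits)]
        if centres[-1] >= n:
            break                               # trace ends mid-frame
        bits = [line[c] for c in centres]
        if bits[0] != 0:                        # glitch, not a start bit
            i += 1
            continue
        payload = bits[1:1 + data_bits]         # start bit is discarded
        value = sum(b << k for k, b in enumerate(payload))
        status, pos = "ok", 1 + data_bits
        if parity:
            expected = (sum(payload) & 1) ^ (1 if parity == "odd" else 0)
            if bits[pos] != expected:
                status = "parity"
            pos += 1
        if any(b != 1 for b in bits[pos:]):     # stop bit must be idle level
            status = "framing"
        frames.append((value, status))
        i = centres[-1] + 1                     # resume inside last stop bit
    return frames


if __name__ == "__main__":
    trace = encode_uart(b"OK")                  # constructed 8N1 trace
    print("correct polarity:", decode_uart(trace))
    print("wrong polarity:  ", decode_uart(trace, idle_high=False))
```

With the wrong idle level the decoder still finds edges and returns bytes, and some of them even pass the stop-bit check, which is why a polarity mismatch shows up as plausible-looking garbage rather than as no decode at all.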
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MartinMajewski on May 04, 2020, 09:44:16 am
Edit: This thread is getting messy!  :o I eventually found this post: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3025330/#msg3025330

...

5) Download the DS5000Update.GEL file from Post #1558 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2943152/#msg2943152) which is the script that will apply the patch (bspatch). This one will have 130k.

...


No GEL file available at post 1558?! Where do I get the most current GEL file to patch firmware version 00.01.03.00.01 ?

Best wishes,
Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eutectique on May 04, 2020, 09:53:55 am
Edit: This thread is getting messy!  :o I eventually found this post: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3025330/#msg3025330

Yep, that's the one which works.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on May 04, 2020, 10:11:19 am
You could also just link to the original post #1298  (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640) of the auto-patcher.. When people just repost the same file over and over, it starts to get messy :-)  >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hajime725 on May 10, 2020, 12:46:03 pm
OMG!
help me!
My MSO5074 can not launch. (Boot screen shows almost 100% loaded and freezes.)
That is since patching appEntry.

How to reset firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on May 10, 2020, 12:58:01 pm
Original firmware on an USB Stick plugged in.
Switch on and hit "single" multiple times until you are in the recovery menu. Update Original firmware.

Your patched appentry is invalid. Do the patching again with the autopatcher script.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ytterligare on May 11, 2020, 03:14:58 am

Hello folks, I'm about to pull the trigger on a MSO5072, which BTW comes as standard ( limited offer until June the 30th) with almost all the options enabled except if I'm not wrong the ->350 MHz Bandwidth and the -> 4 ch.

Now, after reading almost all the 70 pages on the thread (pheew!), after thanking all the people who contributed to the task on the subject, I got a few questions.

1) Have no clue on how the MSO5072 will arrive, whether with pre-loaded premium features or not...anyone ? I guess they come in a s/n string to dial in...
2) Given question n. 1, if I'll have a "personalized" license to dial-in, is it worth loading it or should I jump to the hack directly ?
3) After updating to the last official version, I already have prepared the content ( 3 files ) to be copied to the USB drive : 01.03.00.01.bspatch + DS5000Update.GEL + patch.txt with this content :

file_to_patch=/rigol/appEntry
file_to_patch_md5sum=2efa4605b83bf1af48bf6736bfae3255
patch_file=01.03.00.01.bspatch
after_patch_md5sum=965a689e7e5f29c180db4a2aaf21ce6b

the question is : being almost dry of Linux knowledge, and using Windows, will it be sufficient to copy the files on the USB drive or am I forced to use any Linux PC to change any file permission etc etc..?

Thank you, and stay safe ! :-+

Ciao
A.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stafil on May 11, 2020, 03:37:10 am

Hello folks, I'm about to pull the trigger on a MSO5072, which BTW comes as standard ( limited offer until June the 30th) with almost all the options enabled except if I'm not wrong the ->350 MHz Bandwidth and the -> 4 ch.

Now, after reading almost all the 70 pages on the thread (pheew!), after thanking all the people who contributed to the task on the subject, I got a few questions.

1) Have no clue on how the MSO5072 will arrive, whether with pre-loaded premium features or not...anyone ? I guess they come in a s/n string to dial in...
2) Given question n. 1, if I'll have a "personalized" license to dial-in, is it worth loading it or should I jump to the hack directly ?
3) After updating to the last official version, I already have prepared the content ( 3 files ) to be copied to the USB drive : 01.03.00.01.bspatch + DS5000Update.GEL + patch.txt with this content :

file_to_patch=/rigol/appEntry
file_to_patch_md5sum=2efa4605b83bf1af48bf6736bfae3255
patch_file=01.03.00.01.bspatch
after_patch_md5sum=965a689e7e5f29c180db4a2aaf21ce6b

the question is : being almost dry of Linux knowledge, and using Windows, will it be sufficient to copy the files on the USB drive or am I forced to use any Linux PC to change any file permission etc etc..?

Thank you, and stay safe ! :-+

Ciao
A.

1. For me it came without any preloaded licenses or serial keys. I had to register with Rigol in order to send to me the extra licenses.

2. I didn't even bother installing the licenses, went straight with the hack

3. No special knowledge of linux or windows is needed. Just follow the instructions and it will work.

4. If (3) for some reason doesn't work, reply to this thread. Lots of people, happy to help. If you are really really stuck, just shoot me a message and we can do a zoom or teamviewer meeting.

(4) will not be needed 99%
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on May 11, 2020, 06:49:34 am
I would suggest buying the MSO5074 because of the 2 extra probes, it's worth it. Or you already have enough probes which are fast enough...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hajime725 on May 11, 2020, 09:33:05 am
thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on May 11, 2020, 02:14:02 pm

Hello folks, I'm about to pull the trigger on a MSO5072, which BTW comes as standard ( limited offer until June the 30th) with almost all the options enabled except if I'm not wrong the ->350 MHz Bandwidth and the -> 4 ch.

If this is the same bundle as offered when I got mine back in February (I think it is) the bundle also does not include the sample memory depth expansion.

The "limited time" offer seems to get re-offered every time the limitation time runs out.  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sb42 on May 11, 2020, 03:23:32 pm

Hello folks, I'm about to pull the trigger on a MSO5072, which BTW comes as standard ( limited offer until June the 30th) with almost all the options enabled except if I'm not wrong the ->350 MHz Bandwidth and the -> 4 ch.

I would go for the MSO5074. You get all four channels permanently enabled and the price difference is likely to be small, close to the wholesale price of the two PVP2350 probes.

Quote
Now, after reading almost all the 70 pages on the thread (pheew!), after thanking all the people who contributed to the task on the subject, I got a few questions.

1) Have no clue on how the MSO5072 will arrive, whether with pre-loaded premium features or not...anyone ? I guess they come in a s/n string to dial in...
2) Given question n. 1, if I'll have a "personalized" license to dial-in, is it worth loading it or should

Mine came with the option bundle pre-installed.  If yours doesn't, do whatever is necessary to obtain and install those licence keys since there's no downside other than it being a bit of a faff :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ytterligare on May 11, 2020, 05:25:41 pm
1. For me it came without any preloaded licenses or serial keys. I had to register with Rigol in order to send to me the extra licenses.
2. I didn't even bother installing the licenses, went straight with the hack
3. No special knowledge of linux or windows is needed. Just follow the instructions and it will work.
4. If (3) for some reason doesn't work, reply to this thread. Lots of people, happy to help. If you are really really stuck, just shoot me a message and we can do a zoom or teamviewer meeting.
(4) will not be needed 99%

Tnx stafil, that was very generous of you..  ;)
I bet ( hope ?) n. 4 will not be needed  :-+ since we're dealing with "simple" windows operations here...: reading all 70 pages I mistakenly thought I had to connect via SSH to the scope and copy/backup a bunch of files until I realized someone ( I'd say more than one ) did an excellent job preparing the bundle to load as "do-it-all" update.

Will report on the hack : the MSO5000 is on the way here.
'73
A.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ytterligare on May 11, 2020, 05:35:04 pm
sb42 & Noy, tnx for the suggestion, however I did not need the two additional probes right now and went for the 5072, although your math was impeccable.

Being a noob, I'm struggling with scope operations still, and on that perspective the MSO5K might be an overkill....but, I don't know...when I saw you could "squeeze" more feature from it by just "tweaking" it ( ;) ;) ), it was like a magnet to me : if I had a psychiatrist, that would be food for his thoughts..  :palm:

A.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stafil on May 11, 2020, 05:50:26 pm
sb42 & Noy, tnx for the suggestion, however I did not need the two additional probes right now and went for the 5072, although your math was impeccable.

Being a noob, I'm struggling with scope operations still, and on that perspective the MSO5K might be an overkill....but, I don't know...when I saw you could "squeeze" more feature from it by just "tweaking" it ( ;) ;) ), it was like a magnet to me : if I had a psychiatrist, that would be food for his thoughts..  :palm:

A.

+1 on the 5074. You essentially just pay for the probes. And at a good price
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 11, 2020, 05:53:58 pm
sb42 & Noy, tnx for the suggestion, however I did not need the two additional probes right now and went for the 5072, although your math was impeccable.

You'll get the two "optional" BNC Terminators to show off. They're very collectible.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jealcuna on May 14, 2020, 04:58:19 pm
Hi, first of all, thank you very much for all the effort in the forum.

I would like to know if I can use the appEntry_01_01_04_08.bpatch https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411) for my RIGOL MSO7014 appEntry, obviously I have to update from 01_01_02_00_05 to 01_01_04_08 and actually I didn't find the update file yet. But anyway, I have seen a lot of good results in MSO5k so I want to give it a shot for my MSO7k.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on May 15, 2020, 03:24:40 am
Hi, first of all, thank you very much for all the effort in the forum.

I would like to know if I can use the appEntry_01_01_04_08.bpatch https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411) for my RIGOL MSO7014 appEntry, obviously I have to update from 01_01_02_00_05 to 01_01_04_08 and actually I didn't find the update file yet. But anyway, I have seen a lot of good results in MSO5k so I want to give it a shot for my MSO7k.

Patches are matched to a specific binary (a specific appEntry). Unless the appEntry for the MSO5000 is the same as the appEntry for the MSO7000 (spoiler, it isn't), the patch will not work.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jealcuna on May 15, 2020, 04:58:56 am
Hi, first of all, thank you very much for all the effort in the forum.

I would like to know if I can use the appEntry_01_01_04_08.bpatch https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411) for my RIGOL MSO7014 appEntry, obviously I have to update from 01_01_02_00_05 to 01_01_04_08 and actually I didn't find the update file yet. But anyway, I have seen a lot of good results in MSO5k so I want to give it a shot for my MSO7k.

Patches are matched to a specific binary (a specific appEntry). Unless the appEntry for the MSO5000 is the same as the appEntry for the MSO7000 (spoiler, it isn't), the patch will not work.

After reading and reading, I can conclude the patch for MSO7000 is possible but nobody has reported a successfully patched oscilloscope. :c

Even the update firmware files are not available. For the moment I will take the free bundle promotion from rigol. Thank you very much.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 15, 2020, 08:55:05 am
Hi, first of all, thank you very much for all the effort in the forum.

I would like to know if I can use the appEntry_01_01_04_08.bpatch https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411) for my RIGOL MSO7014 appEntry, obviously I have to update from 01_01_02_00_05 to 01_01_04_08 and actually I didn't find the update file yet. But anyway, I have seen a lot of good results in MSO5k so I want to give it a shot for my MSO7k.

MSO5000 and MSO7000 have different firmwares!

I can't understand what you are trying to say/accomplish.

v00.01.01.04.08 - is a MSO5000 version

v00.01.02.00.05 - is a MSO7000 version

The hack continues to work on both scopes (on all FW versions)! Although I don't know which ones are public.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jealcuna on May 15, 2020, 04:08:25 pm
Hi, first of all, thank you very much for all the effort in the forum.

I would like to know if I can use the appEntry_01_01_04_08.bpatch https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411) for my RIGOL MSO7014 appEntry, obviously I have to update from 01_01_02_00_05 to 01_01_04_08 and actually I didn't find the update file yet. But anyway, I have seen a lot of good results in MSO5k so I want to give it a shot for my MSO7k.

MSO5000 and MSO7000 have different firmwares!

I can't understand what you are trying to say/accomplish.

v00.01.01.04.08 - is a MSO5000 version

v00.01.02.00.05 - is a MSO7000 version

The hack continues to work on both scopes (on all FW versions)! Although I don't know which ones are public.

Sorry, it was my bad. I was thinking to hack MSO7k by using the guide for v00.01.01.04.08, however, I realize that it is not possible because that is a fw for MSO5k. I know that it is possible to hack MSO7k, but I got confused about how to accomplish that. I already did a complete backup (normal and nand) of my MSO7k. Also, nobody has reported successfully patching the MSO7k.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on May 15, 2020, 07:30:45 pm
Do read the thread, you will find the 7000 has been opened up for over a year

https://www.eevblog.com/forum/testgear/new-rigol-ds7000/ (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jealcuna on May 15, 2020, 08:32:37 pm
Do read the thread, you will find the 7000 has been opened up for over a year

https://www.eevblog.com/forum/testgear/new-rigol-ds7000/ (https://www.eevblog.com/forum/testgear/new-rigol-ds7000/)

Thank you so much, I didn't look on the ds7000 thread mainly because I noticed that the hack scene for both models is on this thread. I am checking now. c:
Title: Secret menu erases calibration?!?
Post by: ve2mrx on May 18, 2020, 07:54:24 pm
Hi everyone!

First, thanks for all the information given in those 70 pages of posts here (and in the other threads about the MSO5k)! :clap:

From all this reading, I have one question: Didn't I read that installing firmware using the "SINGLE" secret boot menu erases factory calibration?!? Doesn't this cause issues in measurements? I'm asking as I keep seeing people downgrading using this menu and there's no mention of the calibration reset, and no mention of having to self-calibrate after...

Finally, I placed my order for a MSO5074. I don't think I need more than 70MHz BW for my hobby use, and with the promo bundle I get the serial decode and AWG (+PWR). And the price difference between 2 and 4 channels is very close to the price of the extra probes. The 4 channels will be useful for SPI decoding, saving the expense of the LA adapter or a separate LA (for now).

Of course, the first thing to do after unboxing is a backup using https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356)  :D

Again, thanks everyone!
73s,
Martin
Title: Re: Secret menu erases calibration?!?
Post by: tv84 on May 18, 2020, 08:11:38 pm
Hi everyone!

First, thanks for all the information given in those 70 pages of posts here (and in the other threads about the MSO5k)! :clap:

From all this reading, I have one question: Didn't I read that installing firmware using the "SINGLE" secret boot menu erases factory calibration?!? Doesn't this cause issues in measurements? I'm asking as I keep seeing people downgrading using this menu and there's no mention of the calibration reset, and no mention of having to self-calibrate after...

Finally, I placed my order for a MSO5074. I don't think I need more than 70MHz BW for my hobby use, and with the promo bundle I get the serial decode and AWG (+PWR). And the price difference between 2 and 4 channels is very close to the price of the extra probes. The 4 channels will be useful for SPI decoding, saving the expense of the LA adapter or a separate LA (for now).

Of course, the first thing to do after unboxing is a backup using https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356)  :D

Again, thanks everyone!
73s,
Martin

As I remember, and I'm too lazy to go back and check, you have 2 options: flash FW and reset settings.

What makes you think that anyone doing the flashing MUST do the resetting?  :-//

BTW, after NAND and FRAM backup you can erase whatever you want, since anything can be recreated.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on May 18, 2020, 09:28:40 pm
Hi tv84,

I know there are two options in the "secret menu". I'm only talking about the firmware update one.

From what I understand (from here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2250324/#msg2250324 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2250324/#msg2250324)), using the firmware update from that menu causes the non-volatile memory (including calibration) to be wiped. I want to understand what is lost in that process.

Thanks,
Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 18, 2020, 10:18:31 pm
Hi tv84,

I know there are two options in the "secret menu". I'm only talking about the firmware update one.

From what I understand (from here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2250324/#msg2250324 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2250324/#msg2250324)), using the firmware update from that menu causes the non-volatile memory (including calibration) to be wiped. I want to understand what is lost in that process.

Thanks,
Martin

I think that "DEFT" is only referring to the scope settings and nothing to do with calib. That is good programming practice: before doing a flash you should always reset to default settings.

Plenty of guys have taken the SINGLE road and I've seen no complaints...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on May 18, 2020, 10:26:42 pm
Hi tv84,

It all makes sense, else there would have been a flood of complaints or people doing wrong measurements. Now that I think of it, to do real damage you probably need to wipe the FRAM...

So, I guess it's the 'scope's way of doing a "clean install" without losing the user's data  :) Good to know!

Thanks!
Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 18, 2020, 10:30:10 pm
If calib was lost, more basic infos would be lost: S/N, model, etc.

None of that happens!

Even with the FRAM wiped we can recover the scope. The thing is resilient.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on May 20, 2020, 01:23:37 pm
the subject seems to be a little scattered.

can someone who made the last update collect all the files and the procedure under one post?

Title: How to patch - again
Post by: ve2mrx on May 20, 2020, 01:50:14 pm
Hi ykurban,

Start reading from here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3002776/#msg3002776 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3002776/#msg3002776)

All the information is on that post and the following ones. You need the AutoPatcher, the patch file for your firmware version and patch.txt file modified for your firmware version patch. Edit: Ensure patch.txt has "Linux-style" line endings, LF only. Notepad++ can do it on Windows

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024236/#msg3024236 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024236/#msg3024236)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342)

Martin
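A pre-flight check for the three-file USB bundle discussed above, as an added Python example that is not part of the AutoPatcher or of any post in this thread. It flags the CRLF line endings the post above warns about and tells from its MD5 whether a local copy of the target binary is the expected unpatched file, the expected patched file, or neither. The four key names and sample values are the ones in the patch.txt listing posted earlier in this thread; how strictly the AutoPatcher itself parses the file is not shown in the thread, so the structural checks are assumptions.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Key names as they appear in the patch.txt listing posted in this thread.
REQUIRED_KEYS = ("file_to_patch", "file_to_patch_md5sum",
                 "patch_file", "after_patch_md5sum")
MD5_KEYS = ("file_to_patch_md5sum", "after_patch_md5sum")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# The patch.txt content quoted in the thread, with LF-only line endings.
PAGE_PATCH_TXT = (
    b"file_to_patch=/rigol/appEntry\n"
    b"file_to_patch_md5sum=2efa4605b83bf1af48bf6736bfae3255\n"
    b"patch_file=01.03.00.01.bspatch\n"
    b"after_patch_md5sum=965a689e7e5f29c180db4a2aaf21ce6b\n"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_patch_txt(raw: bytes) -> Tuple[Dict[str, str], List[str]]:
    """Parse key=value lines and return (fields, problems)."""
    problems: List[str] = []
    if b"\r" in raw:
        problems.append("CR found: file uses CRLF line endings, LF only expected")
    fields: Dict[str, str] = {}
    for number, line in enumerate(raw.replace(b"\r", b"").split(b"\n"), 1):
        text = line.decode("ascii", errors="replace")
        if not text.strip():
            continue
        key, sep, value = text.partition("=")
        if not sep:
            problems.append(f"line {number}: no '=' separator")
            continue
        if key != key.strip() or value != value.strip():
            # Assumption: stray spaces are not tolerated by the consumer.
            problems.append(f"line {number}: stray whitespace around key or value")
        fields[key.strip()] = value.strip()
    for key in REQUIRED_KEYS:
        if key not in fields:
            problems.append(f"missing key: {key}")
    for key in MD5_KEYS:
        if key in fields and not MD5_RE.match(fields[key]):
            problems.append(f"{key}: not a 32-digit lowercase hex MD5")
    return fields, problems


def classify_binary(data: bytes, fields: Dict[str, str]) -> str:
    """Compare a binary's MD5 with the before/after sums from patch.txt."""
    digest = md5_hex(data)
    if digest == fields.get("file_to_patch_md5sum"):
        return "unpatched"
    if digest == fields.get("after_patch_md5sum"):
        return "patched"
    return "unknown"   # neither sum matches: wrong firmware version or damaged file


if __name__ == "__main__":
    fields, problems = parse_patch_txt(PAGE_PATCH_TXT)
    print(fields["file_to_patch"], problems)
    # The same content saved with Windows line endings is flagged.
    print(parse_patch_txt(PAGE_PATCH_TXT.replace(b"\n", b"\r\n"))[1])
```

A result of "unknown" for the binary on the scope means the patch.txt on the stick was written for a different firmware build than the one installed.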
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on May 21, 2020, 11:49:23 am
thank you for your response ve2mrx

turns out, i was doing everything right, but there is a problem with my flash memory.


when i restart my scope with usb plugged in, patch worked fine. Before that, i was getting "no package found" error

i used 3 files for patch, and attached a screenshot of my flash memory.
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: santacruzjohn55 on May 21, 2020, 09:22:10 pm
Hi, running into difficulties running the patch route through ssh. This is with the no-phone-home patch. When I reboot after below, it doesn't fully boot. I also tried the 3 files on a flash drive, but it keeps saying 'No package detected'. I notice that my .GEL file is 130kb, whereas the screenshot above shows 133kb. Any tricks I should be looking at?

Code:
<root@rigol>ls -l
total 22324
-rwxrwxr-x    1 root     root      22558088 May 22 03:41 appEntry


Code:
<root@rigol>md5sum /rigol/appEntry
2efa4605b83bf1af48bf6736bfae3255  /rigol/appEntry
<root@rigol>cp /tmp/appEntry /rigol/
<root@rigol>md5sum /rigol/appEntry
60f1ca21475ffe9444213c2d9a571a99  /rigol/appEntry

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rodorr on May 21, 2020, 10:17:54 pm
I just received my new MSO5074 and I updated everything and it all went very smoothly, thanks to all of the hard work others here on the forum have performed. I was just wondering if, at this point I should go ahead and run the built in calibration sequence or just leave it as is. By the way, I did not do a calibration before I did the updates. I am not noticing anything in particular being out of tolerance, just wondering what the consensus is regarding calibration. Thanks again to all of those who have helped on this forum.

Thanks,

rodorr
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on May 21, 2020, 10:37:26 pm
I just received my new MSO5074 and I updated everything and it all went very smoothly, thanks to all of the hard work others here on the forum have performed. I was just wondering if, at this point I should go ahead and run the built in calibration sequence or just leave it as is. By the way, I did not do a calibration before I did the updates. I am not noticing anything in particular being out of tolerance, just wondering what the consensus is regarding calibration. Thanks again to all of those who have helped on this forum.

Thanks,

rodorr

Run the calibration as you would normally ignoring the fact that you've upgraded. i.e. Run the calibration when you're using the scope at a significantly different temperature from when you last calibrated it (usually about 5º - see the manual for model specific details) or if it's 'too long' since you last ran it. For instance, it's about a month since I last ran a cal on mine, that's not 'too long', but the ambient temperature here now is 26.9ºC (England, at 23:30 hrs in May? You're kidding me, right?), it was probably 20ºC when I last ran it, so it's time for a cal when I next turn the scope on. You can't calibrate too often, unless it reaches OCD levels, but more than once a month or when temperature dictates is usually unnecessary.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on May 21, 2020, 10:51:59 pm
I just received my new MSO5074 and I updated everything and it all went very smoothly, thanks to all of the hard work others here on the forum have performed. I was just wondering if, at this point I should go ahead and run the built in calibration sequence or just leave it as is. By the way, I did not do a calibration before I did the updates. I am not noticing anything in particular being out of tolerance, just wondering what the consensus is regarding calibration. Thanks again to all of those who have helped on this forum.

Thanks,

rodorr

I would run a cal when you have time, it takes quite a few minutes. Don't need to do it before the update.
Can be of some use to reduce DC offsets, eg if you notice a grounded signal is significantly off from 0V, etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on May 21, 2020, 10:57:06 pm
Oh boys, how easy life is for a siglent owner... :-X 8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on May 21, 2020, 11:02:59 pm
Oh boys, how easy life is for a siglent owner... :-X 8)
OK, pray tell; how is life easy for a Siglent owner?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on May 21, 2020, 11:11:54 pm
Once hacked (in an "easy" way), you never have to fear about it when the next update appears.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on May 21, 2020, 11:43:00 pm
I'm there already  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: santacruzjohn55 on May 21, 2020, 11:48:19 pm
Can someone give me an md5sum of a working auto-updater .GEL file? I think my problems might be that or my USB stick.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 21, 2020, 11:49:35 pm
I'm there already  ;D
Doesn't Rigol require repatching and hacking after a firmware upgrade?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: santacruzjohn55 on May 21, 2020, 11:53:40 pm
Never mind, the 4th USB drive I tried worked.

Just had to learn how to use the 3 seashells ^H^H^H^H^H^H^H files.

Thanks to all the hard work, the auto-updater is definitely the way to go.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on May 21, 2020, 11:54:22 pm
I'm not sure it does
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on May 22, 2020, 12:43:35 am
As you are patching a specific executable (appEntry?), I think you do need to hack after a firmware upgrade, and of course you need someone to keep the hack updated as it is specific for a firmware release
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 22, 2020, 08:07:12 am
Once hacked (in an "easy" way), you never have to fear about it when the next update appears.

The "easy" way is also available in Rigol, from the start, but patching became mainstream...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebclr on May 22, 2020, 09:33:47 am
What is the actual latest firmware hacked? Is this available as a single GEL file, to be loaded on a USB stick? This patch thing is confusing
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on May 22, 2020, 04:47:51 pm
i uploaded a video of bode plot function

https://www.youtube.com/watch?v=kgv7rljlOJo (https://www.youtube.com/watch?v=kgv7rljlOJo)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on May 22, 2020, 10:22:24 pm
Could it be that bode plotting is much faster than on the siglent sds2k+ ?


edit: forget it, it was played fast forwarding...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: texaspyro on May 23, 2020, 02:28:45 am
i uploaded a video of bode plot function

What was your connection configuration for this test?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on May 23, 2020, 02:13:14 pm
 :-DD :-DD :-DD :-DD

https://youtu.be/2dHbGTSPTGg

P.S.  How do you build youtube videos?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: santacruzjohn55 on May 23, 2020, 10:27:31 pm
Roughly this is what worked for me,
Get a new, brand name usb stick.

Go to the Rigol site and download the latest firmware. version: 01.03.00.01
Download the .GEL file from the zip file to your usb stick, then do a local upgrade.
once complete, clear the data off the usb stick

Go here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342)

download the zip file in that post. unzip the contents, (2 files) to your USB stick

Go here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3025330/#msg3025330 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3025330/#msg3025330)

download the file. rename it, removing the .DOC, copy that to your usb stick.

Your usb stick's contents should look like the file listing here, https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3077233/#msg3077233 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3077233/#msg3077233)

So, now you have a freshly upgraded scope that has been rebooted.
Insert your usb stick.
Select local upgrade.
The screen should turn white with black text. It should ask you to press a button on the scope to upgrade.
After this completes, I think you have to press any button twice.

If you get a 'package not found', try another usb stick.
Or verify that the files look exactly like  the pictures.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on May 24, 2020, 01:12:15 am
@tv84 What is the "easy" way you mention? I have read too much in this thread to remember!

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on May 24, 2020, 01:25:08 am
To everyone contributing to this thread, Thanks!

I DID read all 72 pages of it and bought the MSO5074 :-) It will stay stock, I don't need more than 70MHz for now and I have the promo bundle (the most valuable part of the hack for me). Who knows, maybe I have backups...

Again, thanks!

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 24, 2020, 09:19:20 am
@tv84 What is the "easy" way you mention? I have read too much in this thread to remember!

You have to re-read the whole thread but, now, "read between the lines"...

I'll help a bit: read only the last 10 pages.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 24, 2020, 11:11:52 am
@tv84 What is the "easy" way you mention? I have read too much in this thread to remember!

You have to re-read the whole thread but, now, "read between the lines"...

I'll help a bit: read only the last 10 pages.

Is there any way to put the current instructions/links in the first post of the thread?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 24, 2020, 12:12:21 pm
OP is MIA.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gudvin1 on May 25, 2020, 05:14:29 am
Good afternoon! Updated to the latest firmware, patched and everything is OK!
Many thanks to all the participants!
gudvin1.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on May 25, 2020, 04:25:17 pm
@tv84 What is the "easy" way you mention? I have read too much in this thread to remember!

You have to re-read the whole thread but, now, "read between the lines"...

I'll help a bit: read only the last 10 pages.

I did again. I'm not sure if it's too subtle or if I read it and not figured that was it. I know licenses are stored in FRAM, and it's probable a replay attack could be done on the trial licenses (anybody tried?!?). Cloning a scope is another possibility. Or doing something in the bootloader. But after reading 150+ pages on this forum about the Rigol MSO5k and the 121GW, I'll take a break, reading about the Siglent "easy way" will wait. Besides, I have no need to hack, it's pure curiosity. That SSH hack is calling me, but I resist ;-)

And I agree that Rigol probably doesn't believe it would be a good return on investment to lock them better. The firmware updates aren't even signed! That's an invitation to create some custom software for them. Botnet, anyone?  :-DD We already know it runs Doom...

73,
Martin VE2MRX
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 25, 2020, 04:31:38 pm
OP is MIA.

Maybe start a new thread "How to hack the MSO5000" where the owner of the first post can update the instructions with the latest info...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 25, 2020, 05:57:36 pm
I'm not sure if it's too subtle or if I read it and not figured that was it.

"Easy way" (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2084152/#msg2084152).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on May 26, 2020, 09:08:02 am
Could it be that bode plotting is much faster than on the siglent sds2k+ ?


edit: forget it, it was played fast forwarding...

i speed up the video, about 20X

speed depends on frequency range and "points" you selected
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ykurban on May 26, 2020, 09:09:21 am
i uploaded a video of bode plot function

What was your connection configuration for this test?

CH1 = filter output
CH2 = filter input monitor

G1 = filter input

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 26, 2020, 12:42:16 pm
speed depends on frequency range and "points" you selected

It would be cool if these things did a progressive refinement of the plot so a rough plot is fast and it gets more and more detailed the longer you leave it running.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on May 26, 2020, 05:59:17 pm
That's what changing the number of points does. Do few points it's done fast and ugly. Want a more refined plot choose more points.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 26, 2020, 06:24:38 pm
That's what changing the number of points does. Do few points it's done fast and ugly. Want a more refined plot choose more points.

I know, but you have to choose when it could be automatic.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on May 26, 2020, 06:49:42 pm
But then you'd wait a really long time as it repeats the plot over and over and over until you got some unknown resolution. It'd probably take 30 minutes for someone to figure out a couple of ideal steps for their wanted resolution which is less than waiting for it to finish successive plots until you think it looks good.

I could be misunderstanding what you're saying.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on May 26, 2020, 07:28:53 pm
But then you'd wait a really long time as it repeats the plot over and over and over until you got some unknown resolution.

No, it doesn't have to do that. Say that the 'finished' product had 100 points at 1 MHz intervals. On the first pass you plot 10MHz, 20MHz ... 100 MHz. On the second pass you already have those points, so you fill in at 5Mhz, 15MHz ... 95MHz. Third pass 7MHz, 17 MHz ... 97 MHz and so on. You add resolution with each pass by adding extra points to ones that you already have. This isn't an analogue sweep generator that has to sweep through the whole spectrum each time, it's DDS, it can hop about. Should take no longer to get to the full 100 point plot than if you had to wait for a 100 point plot done as one pass.
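The interleaved-pass sweep described in the post above, as an added example (not part of the original post and not Rigol firmware). The first two passes reproduce the post's numbers; the order of the later passes (largest remaining gap first) and the RC low-pass used as the measured device are choices made for this example.

```python
import math


def offset_order(stride):
    """Order offsets 0..stride-1 so each new offset lies as far as possible
    (circular distance) from the ones already used; ties go to the lowest."""
    chosen = [0]
    remaining = list(range(1, stride))
    while remaining:
        def gap(o):
            return min(min((o - c) % stride, (c - o) % stride) for c in chosen)
        best = max(remaining, key=gap)  # max() keeps the first of equal keys
        chosen.append(best)
        remaining.remove(best)
    return chosen


def refinement_passes(n_points, stride):
    """Split grid positions 1..n_points into interleaved passes.

    The pass for offset o holds every position k with k % stride == o, so the
    first pass (offset 0) is stride, 2*stride, ... and later passes fill gaps."""
    passes = []
    for o in offset_order(stride):
        members = [k for k in range(1, n_points + 1) if k % stride == o]
        if members:
            passes.append(members)
    return passes


def progressive_sweep(freqs, stride, measure):
    """Yield the sorted (frequency, value) list after each pass.

    Every frequency is measured exactly once; a display can redraw after each
    yield and the user can stop as soon as the plot looks good enough."""
    results = {}
    for members in refinement_passes(len(freqs), stride):
        for k in members:
            f = freqs[k - 1]
            results[f] = measure(f)
        yield sorted(results.items())


def rc_lowpass_db(f_hz, corner_hz=20e6):
    """Constructed device under test: first-order RC low-pass magnitude in dB."""
    return -10.0 * math.log10(1.0 + (f_hz / corner_hz) ** 2)


def demo():
    """Run the 100-point, 1 MHz-step case from the post and count measurements."""
    freqs = [k * 1e6 for k in range(1, 101)]  # 1 MHz .. 100 MHz
    calls = []

    def measure(f):
        calls.append(f)
        return rc_lowpass_db(f)

    snapshots = list(progressive_sweep(freqs, 10, measure))
    return snapshots, calls


if __name__ == "__main__":
    snapshots, calls = demo()
    for i, snap in enumerate(snapshots, 1):
        print(f"pass {i:2d}: {len(snap):3d} points on screen")
    print("total measurements:", len(calls))
```

The total number of measurements equals the number of grid points, so the finished plot costs the same as a single 100-point sweep, while the resolution steps are fixed by the stride, which is the inflexibility raised in the replies.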
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on May 26, 2020, 07:40:35 pm
I already thought about that and it only works if it's a specific mode with no flexibility at all. I suppose that's useful in some ways but you go from 10 points/decade to 20(1 between each existing point) to 40 to 80. I'm not sure the exact numbers but it ramps pretty quickly(for equidistance between points per decade). I don't know maybe that would be useful for someone. Does rigol take feature requests?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 26, 2020, 07:55:24 pm
I don't know maybe that would be useful for someone.

It removes the need for users to choose number of points before starting, it gives a fast initial display so you can quickly see if there's a PEBKAC error in the setup, you can never select too few points, all you do is wait a bit longer and more will appear.

I don't see where the downside is.



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: maginnovision on May 26, 2020, 08:05:33 pm
Like I said the downside is the inflexible nature of the thing, you'd have fixed points even if you got an initial points/decade selection. I still don't think it's useful (this is my opinion) but if you can get Rigol to implement it go for it.

EDIT: Actually I thought of a way this might be useful. As a sort of tutorial where it can show a user how increasing the number of points affects the plot. Not really a Rigol sort of thing but I wouldn't be surprised to see it on a Keysight or Tek TBS2000 scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AlexS on June 03, 2020, 09:24:50 am
Hey guys!
I've just recently got MSO 5072. I've upgraded it to the latest firmware from official website. I've calibrated it.
Trying to activate it using all methods. I've added 3 files on my USB stick. I can clearly see white screen with the patch. I've pressed "any button". Next I can see 4 channels for a couple of seconds, but as a result it's still not patched.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on June 03, 2020, 11:04:29 am
A set of the right files for backup and hacking. If you do not need a backup, go straight to hacking.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AlexS on June 03, 2020, 02:51:07 pm
Thank you so much for trying to help.
Hmmm.... I got the same error.
I see on the white screen an error. And it looks like "No patch 'patch.txt' found on drive."
And the next "Press any key......"
And still the same result that I've reported.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on June 03, 2020, 05:46:55 pm
Hi AlexS,

Go read https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3076547/#msg3076547. I was on the previous page, please read a little bit more next time?

Have fun!
Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AlexS on June 04, 2020, 08:02:15 am
Thanks to all for help!
I did do that. I was right everywhere and it was just a problem with USB Stick. I've purchased a new one 4GB and everything done with first try.
You are awesome guys. Good luck to all, colleagues! :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: S. Petrukhin on June 05, 2020, 11:16:08 am
Hi, friends!

I've created a new topic with an EasyEDA project for a low-cost logic analyzer probe for the Rigol MSO5000 here:
https://www.eevblog.com/forum/testgear/low-cost-logic-analyzer-probe-for-rigol-mso5000-easyeda-project/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hajime725 on June 10, 2020, 02:11:55 pm
thanks.
All options are enabled now!

Tips:
The upgrade method is the normal Local upgrade (NOT the boot & push SINGLE button method); do Help -> Local upgrade.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on June 10, 2020, 09:55:30 pm
ALL YOUR OPTIONS ARE BELONG TO US!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on June 11, 2020, 05:57:53 am
I'd still prefer a keygen ;-)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fotris on June 16, 2020, 03:47:08 pm
Hi, I've bought a new 5074 and now I'm thinking about enabling all options using your firmware. The only thing is on the top of the scope is a label, which shows the original scale. ^^ Has someone replaced it by a 350MHz label? Do you know, where I can buy such labels? ^^
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: fact on June 16, 2020, 08:44:20 pm
I found it enough to just enable the options, not needing confirmation by some label.
If you can't do without the aesthetics, you could always print a label yourself.
I have no idea what an original label on the black market would do. It would probably set you back the amount you'd have to pay for all the upgrades.  8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on June 16, 2020, 08:54:37 pm
True, but also I can understand him.
Having the 350Mhz and only 5074 on the front.....As I owned this one, it annoys a little bit.
But just only a little bit.. ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nullobject on June 17, 2020, 03:15:20 am
I successfully unlocked all the features on my new MSO5074 today. Thanks for the help :)

One question: if Rigol releases a new firmware and I update with it, will I lose all the unlocked features?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: noreply on June 17, 2020, 04:47:21 am
I successfully unlocked all the features on my new MSO5074 today. Thanks for the help :)

One question: if Rigol releases a new firmware and I update with it, will I lose all the unlocked features?

Congrats on your 'new baby' (MSO5074) - hope it grows-up and behaves :P

I highly recommend that you read through the entire forum thread - not only will you learn the whole theory about the Rigol 5000 series licensing and 'hack' but also the numerous 'titbits' of priceless knowledge - well documented - on the 'patch' evolution and how to protect the 'enhancements' when there is a new FW release and you decide to upload to the 5074.

To directly answer your question - YES if you 'update' with it ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: srjaynes49 on June 25, 2020, 08:43:30 pm
JUST ran the hack STANDING ON THE SHOULDERS OF GIANTS.  It was simple and successful. 

THANKS TO EVERYONE FOR ALL THE HARD WORK MAKING THIS AVAILABLE.  Not your day jobs, but GREATLY appreciated!  :-+

Following was copied from another post.  I added the numbers to the steps since being in my 70's I'm easily confused.  Yes folks, I worked for Tektronix when the 465 475 were introduced...

Begin Copied Material:

Roughly this is what worked for me,
Get a new, brand name usb stick.

1)  Go to the Rigol site and download the latest firmware. version: 01.03.00.01
Download the .GEL file from the zip file to your usb stick, then do a local upgrade.
once complete, clear the data off the usb stick

2)  Go here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342

download the zip file in that post. unzip the contents, (2 files) to your USB stick

3)  Go here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3025330/#msg3025330

download the file. rename it, removing the .DOC, copy that to your usb stick.

4)  Your usb stick's contents should look like the file listing here, https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3077233/#msg3077233

5)  So, now you have a freshly upgraded scope that has been rebooted.
Insert your usb stick.
6)  Select local upgrade.
The screen should turn white with black text. It should ask you to press a button on the scope to upgrade.
After this completes, I think you have to press any button twice.

End Copied material

May you all remain well during the trying times we're experiencing!



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: srjaynes49 on June 25, 2020, 08:57:52 pm
Hey, it's like a 1969 Chevy Nova "sleeper" with the high HP options.  Looks like mom's car, runs like it belonged to a retired Nascar driver...  Fun when the other folks just don't know...  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: t4rmo on June 26, 2020, 02:15:16 am
I've tried to follow the last steps to upgrade my scope and I think that I've bricked it because it does not advance after it finishes the Rigol loading message.
What can I do to restore it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: srjaynes49 on June 26, 2020, 02:37:17 am
Un-bricking is not my expertise. 

However, did you do a fresh format on your USB drive before you copied the installation files to it?  If not, and your scope will re-boot, I'd follow the instructions carefully, reformatting the USB drive FAT32 before you copy any files to it.  IF that doesn't help, as many others have reported in the threads, try a different USB drive.  I had the good fortune to have a USB drive that I had used successfully to install the latest firmware so I knew it worked correctly. 

Best of luck!  Hope it's not truly bricked.   :(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: t4rmo on June 26, 2020, 02:49:57 am
Thanks for your response, but when I restart my oscilloscope it stays stuck at the Rigol message. I have a NAND backup, memdump and other files that I saved with scripts from this thread, but I don't know how I can use them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on June 26, 2020, 03:06:36 am
Hi t4rmo,

Search this thread for the "single" key press on startup. There is a secret boot menu that could get you out of trouble ;-)

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on June 26, 2020, 04:20:25 am
Copy the official firmware to a usb key. Stick it in the scope.
While powering on the scope, keep pressing the single button.
You'll see two options show up and you should be able to flash back to the official firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: t4rmo on June 26, 2020, 08:39:49 am
I have accessed the "secret menu" at startup but I can't install the official firmware; a message appears saying "Upgrading failed,please check the package."
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: t4rmo on June 26, 2020, 10:05:53 am
Update: I've changed the USB memory stick and managed to install the last version. Thanks for everything, now I'm going to install the patched version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on June 26, 2020, 10:33:19 am
Update: I've changed the USB memory stick and managed to install the last version. Thanks for everything, now I'm going to install the patched version.
I'm glad you sorted it out. 99% of the time, situations like yours are fixed by using a different USB drive.  I had the same problem a couple of weeks ago.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fotris on June 27, 2020, 08:28:55 pm
I wonder: what is the size of the built in storage C: ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hve on June 29, 2020, 03:24:26 pm
Thank you all for the great work !   :-+ :-+

Small contribution from my side:
Using this method to prepare my USB stick, I did not have problems, or maybe I was just lucky:
(Assuming you have access to a Linux environment)


1: Use fdisk to check/correct the partition
    I used FAT32 LBA as the primary partition.

You might see something like:

Code:
Command (m for help): p
Disk /dev/sdb: 7.2 GiB, 7756087296 bytes, 15148608 sectors
Disk model: DataTraveler 2.0
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 15148607 15146560  7.2G  c W95 FAT32 (LBA)


2: Format as FAT32 using:

Code:
mkfs.fat -F 32 -I /dev/sdb1
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fabse on July 07, 2020, 07:14:31 pm
Hey to all that contributed to unlocking the MSO5000 series!
I got my scope (5072) today and the first thing I did was to unlock it. Thanks to this thread all went perfect!
Big thank you to all the smart people that made this possible!  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: deisenberg on July 20, 2020, 04:44:59 pm
Is it possible to revert back to original options assuming you had a warranty issue?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: typoknig on July 20, 2020, 07:12:12 pm
Yes, just reload the firmware and the hacked options will be erased.  You can force reload firmware by repeatedly pressing the SINGLE key during boot.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bveina on July 28, 2020, 02:23:14 pm
has anyone had any luck using the ":SYSTem:TOUCh {x}, {y}" command to simulate a press and drag?
i can do single presses, but afaik to move cursors, and create trigger zones you must click and drag.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on July 28, 2020, 03:19:07 pm
Shouldn't there be a pair of X,Y ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bveina on July 28, 2020, 05:27:14 pm
based on some other work, it seems that the touch command can only take 2 numbers.

SYSTem:TOUCh [IndexesItem(number=4, direction=1, type=<IndexesItemType.INTEGER: 0>, enums={}), IndexesItem(number=4, direction=1, type=<IndexesItemType.INTEGER: 0>, enums={})]

":SYSTEM:TOUCH 575,43" for example will hit the run stop button on the top of the screen.

i have tried things like ":SYSTEM:TOUCH 400,167,472,181" but no response. it may not be possible but it seems silly to implement touch and not touch/drag/ release
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bveina on July 28, 2020, 06:02:30 pm
this is all in service of this project by the way. comments and suggestions welcome.

https://github.com/bveina/Rigol-Scope-Snap

(I've been away from the internet for a while; do you still apologize for double posting? sorry.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on August 11, 2020, 02:36:27 pm
First off, sorry for being afk for such a long time :)

Finally Rigol acknowledging the use of Open Source in their latest products!!!!!!!!!!

MSO5000 example (https://eu.rigol.com/Public/Uploads/uploadfile/files/ftp/DS/MSO5000%20Open%20Source%20Acknowledgment.pdf)

 ::) well let's assume "acknowledgement" is what they meant.

And, if we could access the source code then that would be a killer factor!  :popcorn:

I found this as well while googling 'Rigol GPL' (which I do occasionally :p)

So first thing that's cool; second thing I noticed, apparently that was already released in 2018.11 :) but I don't think they've shared it ...

Has anybody taken them up on their offer? It does say it in quite verbatim:
Quote
The open source software is provided for free. RIGOL uses third-party open source
software subject to the specified licenses. You are entitled to use the open source
software subject to their respective license. If you or any third party wants to obtain
the complete corresponding source code for the software from us, please contact:
RIGOL (SUZHOU) TECHNOLOGIES
E-mail: service@rigol.com
Website: www.rigol.com
This offer is valid for three years after you received the software.

I did ask them for the software, so let's see what happens next :) (but would be nice to know if others already did this too)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Xtremexp on August 15, 2020, 03:25:40 am
I am also waiting for the source code  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bveina on August 20, 2020, 05:28:00 pm
I'd be surprised if you got appEntry source. I did this for a Samsung TV some time ago; all I got was the Linux kernel I could have downloaded from the source webpage. None of their derivative works or things that used the Open Source libraries.

Still, I'd be happy to be wrong :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 2efa4605b83bf1af48bf6736b on August 23, 2020, 03:12:53 am
Just wanted to thank everyone here - the MSO5074 was way outside my budget when I started looking, but I got it based on the work done here. All I needed was the AWG...

FWIW, I bought my scope a couple of weeks ago, it came with FW 00.01.03.00.01 and I was able to update it using this file: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024236/#msg3024236

and these instructions:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105598/#msg3105598

I also used an old Sandisk Ultra USB 3.0 16GB thumb drive, I know some have had issues with this. Apparently Windows 10 will not format anything above 32GB in FAT32.

EDIT: no sooner had I posted this than my scope stalled on startup every time (the Rigol screen never cleared). I used the secret menu (single key on startup) and used the "restore settings" function. This appears to have fixed the problem and I didn't see this elsewhere in this thread so thought I'd share here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on August 25, 2020, 04:06:35 am
Just wanted to thank everyone here - the MSO5074 was way outside my budget when I started looking, but I got it based on the work done here. All I needed was the AWG...

FWIW, I bought my scope a couple of weeks ago, it came with FW 00.01.03.00.01 and I was able to update it using this file: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024236/#msg3024236

and these instructions:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105598/#msg3105598

I also used an old Sandisk Ultra USB 3.0 16GB thumb drive, I know some have had issues with this. Apparently Windows 10 will not format anything above 32GB in FAT32.

EDIT: no sooner had I posted this than my scope stalled on startup every time (the Rigol screen never cleared). I used the secret menu (single key on startup) and used the "restore settings" function. This appears to have fixed the problem and I didn't see this elsewhere in this thread so thought I'd share here.

Meanwhile, would you mind picking up a nicer handle that doesn't uglify the render of that page?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fotris on August 28, 2020, 11:08:15 am
My scope is running and running with our patches from this forum here. No stalls, no problems. I use it at home for my private non-commercial projects and if I had to pay the full price I couldn't have never bought it. So Rigol was able to sell one more device.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DigitalDeath on August 28, 2020, 03:20:53 pm
Is there a way to have the original calibration values active with the hack? I Tested it out of curiosity but the voltages being measured are off so I'm assuming that the cal info is not in there. I did save all the previous info so I can go back to the original but was curious to know if there's a way for this hack to keep the original calibrations.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on August 28, 2020, 03:22:48 pm
Hi!

Did you run the self-calibration after the hack?

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DigitalDeath on August 28, 2020, 03:57:03 pm
I think I did and I think it took a very long time. I'll do it again and see what happens. Thanks for the suggestion.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DigitalDeath on August 28, 2020, 04:38:08 pm
Ran the self calibration again and there's variation in the 10mv-28mv range from a calibrated source among all channels.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Slats on August 29, 2020, 12:24:11 am
Hi

I'm a pristine noob to the blog and oscilloscopes in general.

I received my MSO5074 a few days ago and tried the hack as per the instructions in this thread (at least I think I have), but it isn't working for me. Hopefully someone can help?

The scope came loaded with FW 00.01.03.00.01, so I went straight to applying the appropriate patch, but the script gives me a checksum error. See attached.

Any suggestions?

Thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on August 29, 2020, 07:17:57 am
That is strange. It looks like you are running a 00.01.03.00.01 with a different appEntry? You could try flashing a new 00.01.03.00.01 with the SINGLE button press trick at startup. However, I would rather first like to understand the issue you have. Anybody has any idea? For example, we could create a special upgrade file which copies the rigol part of the code and check for differences to the official released 00.01.03.00.01 version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on August 29, 2020, 08:08:59 am
However, I would rather first like to understand the issue you have. Anybody has any idea? For example, we could create a special upgrade file which copies the rigol part of the code and check for differences to the official released 00.01.03.00.01 version.

Slats can execute the NAND dump .GEL. It's somewhere in the thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Slats on August 29, 2020, 10:48:42 pm
Slats can execute the NAND dump .GEL. It's somewhere in the thread.

Thanks for responding.  :-+

Done. What do you need?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ExtreMme on September 07, 2020, 04:51:54 pm
I fixed this by uploading the clean firmware 00.01.03.00.01 one more time. Then I unlocked everything without any errors.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mazayac on September 08, 2020, 07:17:37 pm
I fixed this by uploading the clean firmware 00.01.03.00.01 one more time. Then I unlocked everything without any errors.
Yes, that's the right method.
Original MSO5000 Firmware 01.03.00.01 (https://beyondmeasure.rigoltech.com/acton/ct/1579/p-00ac/Bct/-/-/ct19_0/1?sid=TV2%3AQ2jKaGpUj)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Datboi568 on September 14, 2020, 01:20:07 am
I just received a brand new 5072 today and it came with the fw ver 01.01.04.08.

Those three files from skander36 work perfectly.

I encountered a problem while using a 16GB USB Drive. But it was solved after replacing it with a 32GB USB Drive. It is highly recommended that you prepare two or more USB Drives of different brand and size before performing the upgrade. My failed one is a Sandisk 16GB and the working one is a Sandisk 32GB (Tiny one).

Case :
When you found that the USB Drive is empty except the GEL file after the backup process:
   - Attach the USB drive back to the scope, press Storage/Disk
   - If you found there are two or more USB Disk, it means that you may need to try another USB Drive.

Enclosed with all the files from skander36 and backup GEL file from TV84.


My workflow is:
(Please read carefully especially handle the same name GEL files).

1. Format the USB Drive (FAT32 Format);
2. Copy the DS5000Update.GEL.backup.doc to the USB Drive;
3. Rename it by delete the "backup.doc" extension;
4. Attach the USB Drive to scope;
5. Press Utility/System/Help/Local upgrade;
6. After finished the screen will have message told you to reboot the scope;
7. Turn off the scope;
8. Attach the USB drive back to your Mac / PC;
9. Copy all the file except the GEL files and folder back to your Mac / PC for your backup;
10. Format the USB Drive (FAT32 Format);
11. Copy another three files to the USB Drive, rename them by remove the ".doc" extension;
12. Attach the USB Drive back to the Scope, turn it on;
14. Wait for the screen shows that USB Drive was attached.
15. Press Utility/System/Help/Local upgrade
16. The screen will turn to white background and follow the instruction to press any keys.
17. After the upgrade process is finished, the scope will reboot.
18. Done! Enjoy!

Please correct me if any mistake or typo. Thanks!

Thank you so much for all of you to contribute here!

Okay but what files do you mean by “all file” on step 11

11. Copy another three files to the USB Drive, rename them by remove the ".doc" extension;
Title: Thanks
Post by: Khazod on September 15, 2020, 09:59:13 pm
Got my MSO5074 last Friday, I ran the patch and it worked the first time without any problems. It's my first oscilloscope, the MSO5000 series was outside my budget, but after I ran across this thread, I took the decision to raise my budget to be able to get the MSO5074.

Want to say thanks to you guys involved in researching and making the patches. As a hobbyist and quite recently got interested in electronics to be able to afford an oscilloscope in this class. I'm looking forward to exploring and learning new things with this.

My MSO5074 came with firmware 00.01.03.00.01, and hardware 01.01.000.
I followed instruction posted by the user srjaynes49 #1811.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: phips on September 17, 2020, 09:49:34 am
I applied the patch to my scope, too.
Today I noticed that my channel 1 and 2 are a bit off.
This means when nothing is connected to the probes one shows a lower voltage than the other channel.

Attached a picture of all four channels without a probe connected, averaged and maximum memory depth set to 1k - to see it clearly.
It is visible that the channels are not exactly zeroed.

Does that mean my scope is damaged?
Or is it working and a difference of up to 300µV is totally fine?


Best,
Philipp


EDIT:
I did a self-calibration of the scope before I took the picture.
It was up and running for around 2 hours before, so should be warmed up enough.


EDIT 2:
The difference scales with the voltage per division setting.
With 2V per division it is around 3mV off.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: S. Petrukhin on September 19, 2020, 01:38:10 pm
I applied the patch to my scope, too.
Today I noticed that my channel 1 and 2 are a bit off.
This means when nothing is connected to the probes one shows a lower voltage than the other channel.

Attached a picture of all four channels without a probe connected, averaged and maximum memory depth set to 1k - to see it clearly.
It is visible that the channels are not exactly zeroed.

Does that mean my scope is damaged?
Or is it working and a difference of up to 300µV is totally fine?


Best,
Philipp


EDIT:
I did a self-calibration of the scope before I took the picture.
It was up and running for around 2 hours before, so should be warmed up enough.


EDIT 2:
The difference scales with the voltage per division setting.
With 2V per division it is around 3mV off.

Rigol is not precision equipment, don't expect miracles from it.
If you use averaging, the line becomes clear, but it now shows the average noise value. A shift relative to zero indicates that the noise of the positive level is on average greater.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on September 19, 2020, 02:19:15 pm
I applied the patch to my scope, too.
Today I noticed that my channel 1 and 2 are a bit off.
This means when nothing is connected to the probes one shows a lower voltage than the other channel.

Attached a picture of all four channels without a probe connected, averaged and maximum memory depth set to 1k - to see it clearly.
It is visible that the channels are not exactly zeroed.

Does that mean my scope is damaged?
Or is it working and a difference of up to 300µV is totally fine?


Best,
Philipp


EDIT:
I did a self-calibration of the scope before I took the picture.
It was up and running for around 2 hours before, so should be warmed up enough.


EDIT 2:
The difference scales with the voltage per division setting.
With 2V per division it is around 3mV off.

What you read from the instrument with no probes connected is pretty meaningless. What would you expect to read with nothing connected? (I'd expect to read the Johnson-Nyquist noise of the 1M terminating impedance. 1M@20ºC, 300MHz => 2.2mV rms, ~13mV ptp).

Remember that this is an 8 bit instrument with a 3% DC gain accuracy specification. So if you've got it set to 2V/div that's a 16V range which gives you an LSB of 16V/2^8 = 16V/256 = 62.5 mV. So that 3mV offset is less than one LSB (the minimum step difference that the instrument can measure) by a factor of twenty - it is well beyond what the instrument is actually capable of resolving even before you take the specified accuracy into consideration. It is nothing more or less than an artefact of the scope trying to calibrate itself by using lots of averaging, in practical measurement terms it means nothing.

Your expectation that 3mV might mean something at 2V/div is a very strong indicator that you don't understand the basics of the instrument or its limitations. I'd suggest a bit more basic study is required or you're in danger of misunderstanding what the scope is really telling you about what you're measuring with it. Don't expect an 8 bit scope (or for that matter, any scope) to deliver much in the way of accuracy or precision.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: diegooo1972 on September 26, 2020, 08:34:01 am
Please correct me if I'm wrong.
I just need to upgrade the scope to v00.01.03.00.01 firmware version and then apply the patch.
Is that right?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: srjaynes49 on September 26, 2020, 06:17:25 pm
As a former Tektronix sales engineer, I spent HOURS with a yellow highlighter pointing out scope specs to users and prospective users. One of my biggest offenders were the semiconductor manufacturers trying to set timing values on the IC testers to 0.5% with 3.0% instruments.  Wrong tool for the job. I finally wrote a white-paper on how to set the timings with an averaging time-interval counter. I also copied the accuracy tables for the most popular scopes, as they varied significantly series to series. I carried a dozen copies with me all the time to educate prospects and customers alike. Tek’s training for sales engineers in those days was 8 hours a day, hands-on for about 4 months at their training center in Beaverton, Or. I attended the school the summer of 1972. At the time I was the youngest person to have completed the course. Those were THE days my friend.  I still love test and measurement instruments especially my hacked Rigol MSO5074.  Still have a Tek 475 and several TM500 modules including the same type DC503A I recommended to the semiconductor companies.  I also still have my 2nd digital storage scope, an OWON 7102v with the battery option.  It’s great for field use. I wish my Rigol had a battery option!  With the power analysis function it would be THE machine for solar power systems diagnostics!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: srjaynes49 on September 26, 2020, 08:47:39 pm
Oops wrong photo. This image is the “modified sine wave” from a cheap 12v DC to 120v AC inverter.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c_pi on October 06, 2020, 07:25:51 pm
Hello,

I just registered here to ask the following question:

I ordered a MSO5074 to use it with the patch @350MHz and with the options enabled.
Today I received a MSO5104 with FW 00.01.03.00.01 instead of the MSO5074.
I tried to apply the patch via USB-Stick with the files from

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342 and
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3025330/#msg3025330

... but the Scope shows the "wrong check sum" error.

Am I doing something wrong? Or does the patch not work with the MSO5104?

Thank you for your help!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: riccardo.pittini on October 06, 2020, 07:28:53 pm

I just wanted to highlight one thing (MSO5074):
- I tried patching a scope (v00.01.03.00.01, hw1.01) however checksum was wrong, the scope had a build (v00.01.03.00.01) dated mid may!!!
- Simply re-flashed the original build v00.01.03.00.01 from end of april. Patched and all was good :)

So it seems that they made two different build for v00.01.03.00.01, with different dates/contents. It would be interesting to understand if there are any real/important changes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: riccardo.pittini on October 06, 2020, 07:30:14 pm
just reflash the v00.01.03.00.01 build from end of April, and try again.

Probably you got a scope with a v00.01.03.00.01 build from mid may, hence the different checksum.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c_pi on October 06, 2020, 07:53:58 pm
Thank you very much for your help!

It's great, that the patches are available - thanks for your great work!

In fact the firmware version 00.01.03.00.01 had a build stamp from 2020-05-18.

I reflashed the Firmware from the Rigol page and now It was possible to run the patches.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: S. Petrukhin on October 08, 2020, 06:30:48 am
I wish my Rigol had a battery option!  With the power analysis function it would be THE machine for solar power systems diagnostics!

Battery for your RIGOL:     :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: neutron on October 22, 2020, 09:02:26 pm
just reflash the v00.01.03.00.01 build from end of April, and try again.

Probably you got a scope with a v00.01.03.00.01 build from mid may, hence the different checksum.

Thanks for posting this info!

I just got a MSO5074 with that same mid-May version of the v00.01.03.00.01 firmware (listed onscreen as Build:  2020-05-18 11:42:06)
The patch checksums didn't work.

After I rolled back to the April version of the v00.01.03.00.01 firmware (listed on-screen as Build:  2020-03-30 15:56:36), the patching worked!   ;D

Thank you to all who contributed to this effort!  It is impressive and appreciated!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dl9lc on October 24, 2020, 08:09:59 am
Last week I bought a 5074 and downgraded the firmware to the state of 2020-03-30.
Thanks to the easy summary everything works like a charm.
The scope seems not so bad. The jitter in timebase seems to be around 250ps p/p referenced to a HP 10811 - not too bad for this class.
The generator is not the best and a bit noisy, but better than nothing.
Many thanks to all who have made this patch possible.
vy 73 dl9lc
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on October 24, 2020, 11:08:39 am
Just for those interested who didn't spot it yet, rigol now has a 'service manual': https://www.rigol.eu/Public/Uploads/uploadfile/files/ftp/%E6%96%B0%E8%B5%84%E6%96%99%E5%BA%93-%E5%90%AB%E6%89%8B%E5%86%8C%E5%9B%BA%E4%BB%B6%E8%BD%AF%E4%BB%B6/%E5%AE%98%E7%BD%91%E8%B5%84%E6%96%99/DS/%E6%89%8B%E5%86%8C/MSO5000-E/EN/MSO5000-E_ServiceGuide_EN.pdf
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on October 24, 2020, 11:12:47 am
Has anybody taken them up on their offer? It does say it quite verbatim:
Quote
The open source software is provided for free. RIGOL uses third-party open source
software subject to the specified licenses. You are entitled to use the open source
software subject to their respective license. If you or any third party wants to obtain
the complete corresponding source code for the software from us, please contact:
RIGOL (SUZHOU) TECHNOLOGIES
E-mail: service@rigol.com
Website: www.rigol.com
This offer is valid for three years after you received the software.

I did ask them for the software, so let's see what happens next :) (but would be nice to know if others already did this too)

So I never received a reply. So yesterday, I've sent a request to the European office, and got a reply promptly. They asked where I've sent the previous request to, and that they would prepare the files I requested (I requested all sources for all products :p)

They said they'd send them to me on November 17th. No idea why it is taking so long, maybe that's the day they'll open their github.com/rigol repo?

Anyway, fingers crossed!

P.S. they moved the GPL pdf to the official download location (the old one yields a 404 now). So the new link for those that don't want to go into the sign-up wall is: https://www.rigol.eu/Public/Uploads/uploadfile/files/ftp/DS/MSO5000%20Open%20Source%20Acknowledgment.pdf (looks the same url though? hmm ...)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: S. Petrukhin on October 24, 2020, 02:01:36 pm
Has anybody taken them up on their offer? It does say it quite verbatim:
Quote
The open source software is provided for free. RIGOL uses third-party open source
software subject to the specified licenses. You are entitled to use the open source
software subject to their respective license. If you or any third party wants to obtain
the complete corresponding source code for the software from us, please contact:
RIGOL (SUZHOU) TECHNOLOGIES
E-mail: service@rigol.com
Website: www.rigol.com
This offer is valid for three years after you received the software.

I did ask them for the software, so let's see what happens next :) (but would be nice to know if others already did this too)

So I never received a reply. So yesterday, I've sent a request to the European office, and got a reply promptly. They asked where I've sent the previous request to, and that they would prepare the files I requested (I requested all sources for all products :p)

They said they'd send them to me on November 17th. No idea why it is taking so long, maybe that's the day they'll open their github.com/rigol repo?

Anyway, fingers crossed!

What a turn! You "blew up the bomb" and you will now be feared in Rigol.  :-DD
But, they can provide the code executed by the processor that runs in the OS. And this is just the user interface, if I'm not mistaken. The main work is done in the FPGA and they are not required to publish this code.

Probably the Rigol guys are reading this thread. Guys, come out, don't be afraid of open source - third-party firmware that will inevitably appear will make your product even more popular.  :clap: I think people will love your product if you become open. This path was followed by PC-giving the opportunity to independently assemble computers and expand them, thereby sharply breaking away from the closed Apple, which is held in the market of show-offs.  :)

If this thread is not read by Rigol specialists, oliv3r, please pass these thoughts on to them. :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on October 25, 2020, 09:33:52 pm
Has anybody taken them up on their offer? It does say it quite verbatim:
Quote
The open source software is provided for free. RIGOL uses third-party open source
software subject to the specified licenses. You are entitled to use the open source
software subject to their respective license. If you or any third party wants to obtain
the complete corresponding source code for the software from us, please contact:
RIGOL (SUZHOU) TECHNOLOGIES
E-mail: service@rigol.com
Website: www.rigol.com
This offer is valid for three years after you received the software.

I did ask them for the software, so let's see what happens next :) (but would be nice to know if others already did this too)

So I never received a reply. So yesterday, I've sent a request to the European office, and got a reply promptly. They asked where I've sent the previous request to, and that they would prepare the files I requested (I requested all sources for all products :p)

They said they'd send them to me on November 17th. No idea why it is taking so long, maybe that's the day they'll open their github.com/rigol repo?

Anyway, fingers crossed!

What a turn! You "blew up the bomb" and you will now be feared in Rigol.  :-DD
But, they can provide the code executed by the processor that runs in the OS. And this is just the user interface, if I'm not mistaken. The main work is done in the FPGA and they are not required to publish this code.

Probably the Rigol guys are reading this thread. Guys, come out, don't be afraid of open source - third-party firmware that will inevitably appear will make your product even more popular.  :clap: I think people will love your product if you become open. This path was followed by PC-giving the opportunity to independently assemble computers and expand them, thereby sharply breaking away from the closed Apple, which is held in the market of show-offs.  :)

If this thread is not read by Rigol specialists, oliv3r, please pass these thoughts on to them. :)

Course the 4 FPGA's are interesting too; but lets treat those as 'hardware' for now :)

once we know the interfaces between the hardware, FPGA and the software, we could even start to re-write the FPGA software :p

But for now, lets first see Rigol uphold the GPL :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: S. Petrukhin on October 25, 2020, 10:20:01 pm

Course the 4 FPGA's are interesting too; but lets treat those as 'hardware' for now :)

once we know the interfaces between the hardware, FPGA and the software, we could even start to re-write the FPGA software :p

But for now, lets first see Rigol uphold the GPL :)

I don't know much about licensing. If I'm not mistaken, using Linux with a GPL license requires publishing the source code of running programs? Can we apply to R&S in the same way?  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sergey Astakhov on October 25, 2020, 11:57:01 pm
I don't know much about licensing. If I'm not mistaken, using Linux with a GPL license requires publishing the source code of running programs?

Nope. It depends on the type of use of the GPL code.
It's definitely required only if you include some GPL code or statically link it.
Simply using a GPL program does not impose publishing.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Alfgan on November 01, 2020, 07:20:40 pm
After a whole day I managed to upgrade my MSO, thanks everyone for your hard work so that a young engineer like me could get such an amazing scope.

Whole bunch of projects ahead :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luky315 on November 16, 2020, 11:32:19 am
I tried to "have a look" on my DS7014 FW 01.02.00.05 (newest)
SSH is deactivated in this version, but it was possible to reactivate it with the script from mabl
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076

Unfortunately the root:root login is not working, I only get an access denied message:
login as: root
root@10.0.0.18's password:
Access denied

admin:rigol won't work either.

Has anyone more infos for this scope?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: S. Petrukhin on November 16, 2020, 11:38:56 am
They said they'd send them to me on November 17th. No idea why it is taking so long, maybe that's the day they'll open their github.com/rigol repo?

Anyway, fingers crossed!


Tomorrow is the scheduled response date.  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes - Battery Power
Post by: srjaynes49 on November 16, 2020, 03:59:36 pm
I have a portable inverter with a fairly large battery.  It's not the same as having an internal battery.  Portable inverter, mine included, are notorious for having very poor A/C waveforms.  They're supposed to be "modified sine-waves" but they look much more like a square-wave when examined.  I hate to subject my equipment to such poor quality mains power.  I have a much older OWON 100MHz, 2-channel scope with battery option.  I'll likely continue to use that instrument in the field for my solar installation consulting.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sergey Astakhov on November 16, 2020, 04:13:17 pm
Unfortunately the root:root login is not working, I only get an access denied message:
login as: root
root@10.0.0.18's password:
Access denied

admin:rigol won't work either.

Has anyone more infos for this scope?

Try Rigol201
If the password differs from MSO5x, you can try to crack it, like this - https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2072749/#msg2072749
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luky315 on November 16, 2020, 04:48:10 pm
Rigol201 works as password, but the SSH connection is not working: ls is showing an empty root directory.
Something has changed...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes - Battery Power
Post by: S. Petrukhin on November 16, 2020, 06:11:38 pm
I have a portable inverter with a fairly large battery.  It's not the same as having an internal battery.  Portable inverter, mine included, are notorious for having very poor A/C waveforms.  They're supposed to be "modified sine-waves" but they look much more like a square-wave when examined.  I hate to subject my equipment to such poor quality mains power.  I have a much older OWON 100MHz, 2-channel scope with battery option.  I'll likely continue to use that instrument in the field for my solar installation consulting.

An uneven sinusoid is unpleasant to the reactive load, which likes harmonic waves. The oscilloscope has a switching power supply, the task of your inverter is just to charge the capacitors after the rectifier in the high part and maintain their charge, supplying energy.

Yes, the curvature of the sinusoid will also interfere with the charging of capacitors. But you don't do in the field, where there is no outlet, where you can't stretch an extension cord - that is, in the open field, laboratory high-precision measurements.  :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 18, 2020, 03:51:58 am
Hi All! Just joined so I could post, after spending... well, multiple hours reading the history of this amazing journey.

just reflash the v00.01.03.00.01 build from end of April, and try again.

Probably you got a scope with a v00.01.03.00.01 build from mid may, hence the different checksum.

Thanks for posting this info!

I just got a MSO5074 with that same mid-May version of the v00.01.03.00.01 firmware (listed onscreen as Build:  2020-05-18 11:42:06)
The patch checksums didn't work.

After I rolled back to the April version of the v00.01.03.00.01 firmware (listed on-screen as Build:  2020-03-30 15:56:36), the patching worked!   ;D

Thank you to all who contributed to this effort!  It is impressive and appreciated!

I also just got a MSO5072 with the mid-May firmware, same number and build timestamp listed above.
I went ahead and used the well-worn ssh enabler, ssh in, use the command line to copy the appEntry file onto a USB stick at /media/sda1 and took it to another computer to do the MD5.
If you have any kind of unix computer (linux or Mac) simply type
$ md5 /Volumes/USB_DRIVE/appEntry
or whatever the appropriate path is for you. md5 should be present by default in most unix-like systems.
MD5 (appEntry) = 783a31ebdc0d4acb7b9dc244155ba1c6
From everything I'm seeing here, it seems like this piece of info should be enough to get the patcher to work? Am I misunderstanding?
I'll try it and post a followup.
Thanks for this amazing community effort!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: srjaynes49 on November 18, 2020, 05:59:44 am
The reason I loathe "modified sine-wave" inverters:  the crappy wave-form is from a fairly expensive portable inverter with built-in Glass-Mat battery .  It can produce 400 watts of crappy 120 volts.  The SMOOTH sine-wave is from my Xantrex 2.0 Pro 2KW inverter.  Cleaner than my local utility!  The Xantrex inverter is accompanied by FOUR 105 Ahr golf-cart batteries and is installed in my 5th wheel trailer with five 100 watt solar panels and associated charge controller, etc.  I HAVE powered my MSO5000 from the Xantrex's output and it is of course happy as a clam.  I won't subject the MSO5000 to the crappy 120 volt "modified sine-wave" inverter's output.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on November 18, 2020, 06:32:00 am
Hi All! Just joined so I could post, after spending... well, multiple hours reading the history of this amazing journey.

[..]

I also just got a MSO5072 with the mid-May firmware, same number and build timestamp listed above.
I went ahead and used the well-worn ssh enabler, ssh in, use the command line to copy the appEntry file onto a USB stick at /media/sda1 and took it to another computer to do the MD5.
If you have any kind of unix computer (linux or Mac) simply type
$ md5 /Volumes/USB_DRIVE/appEntry
or whatever the appropriate path is for you. md5 should be present by default in most unix-like systems.
MD5 (appEntry) = 783a31ebdc0d4acb7b9dc244155ba1c6
From everything I'm seeing here, it seems like this piece of info should be enough to get the patcher to work? Am I misunderstanding?

Welcome! Unfortunately, just changing the initial MD5 before patching is not enough. The patch also has to fit the binary, and you need to know the MD5 after the patch. If you want to learn a bit more, I encourage you to try and replicate the patch for your binary.  For that, you have to compare the differences between a patched and unpatched appEntry, and replicate the same patch on your newly downloaded appEntry. Then you create the patch file, enter the correct md5, and you are done. :-) I found it well worth learning myself.
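
The three checks named in the reply above (starting MD5, patch fit, MD5 after the patch), as an added Python example that is not code from this thread or from its patcher. The two images are constructed stand-ins that reuse only the version string and build stamps quoted in the thread; `Hunk`, `Patch`, `make_patch` and `apply_patch` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass, replace


def md5_hex(data: bytes) -> str:
    # MD5 because the thread identifies builds by it; it is not a signature.
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class Hunk:
    offset: int
    old: bytes  # bytes the patch expects to find at offset
    new: bytes  # replacement of the same length


@dataclass(frozen=True)
class Patch:
    pre_md5: str   # digest of the exact build the patch was made for
    post_md5: str  # digest the file must have once every hunk is applied
    hunks: tuple


class PatchRejected(Exception):
    def __init__(self, stage: str, detail: str):
        super().__init__(f"{stage}: {detail}")
        self.stage = stage


def make_patch(unpatched: bytes, patched: bytes) -> Patch:
    """Derive hunks from two same-length images (in-place patch, no inserts)."""
    if len(unpatched) != len(patched):
        raise ValueError("images differ in length")
    hunks, i, n = [], 0, len(unpatched)
    while i < n:
        if unpatched[i] == patched[i]:
            i += 1
            continue
        j = i
        while j < n and unpatched[j] != patched[j]:
            j += 1
        hunks.append(Hunk(i, unpatched[i:j], patched[i:j]))
        i = j
    return Patch(md5_hex(unpatched), md5_hex(patched), tuple(hunks))


def apply_patch(image: bytes, patch: Patch) -> bytes:
    """Return the patched image, or raise PatchRejected without side effects."""
    actual = md5_hex(image)
    if actual != patch.pre_md5:  # gate 1: is this the build the patch targets?
        raise PatchRejected("pre-md5", f"image is {actual}")
    out = bytearray(image)
    for h in patch.hunks:  # gate 2: does every hunk fit this binary?
        end = h.offset + len(h.old)
        if len(h.old) != len(h.new) or image[h.offset:end] != h.old:
            raise PatchRejected("context", f"unexpected bytes at {h.offset:#x}")
        out[h.offset:end] = h.new
    result = bytes(out)
    if md5_hex(result) != patch.post_md5:  # gate 3: known-good end state?
        raise PatchRejected("post-md5", "patched image is not the expected one")
    return result


# Constructed stand-ins for two builds that report the same version string.
VERSION = b"00.01.03.00.01"
CODE = bytes.fromhex("0102030405060708")  # placeholder bytes, not real code

def build_image(stamp: bytes, pad: int) -> bytes:
    return VERSION + b"\x00" + stamp + b"\x00" * pad + CODE + b"\xff" * 16

APRIL = build_image(b"2020-03-30 15:56:36", 8)
MAY = build_image(b"2020-05-18 11:42:06", 12)  # same version, code has moved


def outcome(image: bytes, patch: Patch) -> str:
    try:
        apply_patch(image, patch)
        return "ok"
    except PatchRejected as exc:
        return exc.stage


def demo() -> dict:
    at = APRIL.index(CODE) + 2
    patch = make_patch(APRIL, APRIL[:at] + b"\xaa\xbb" + APRIL[at + 2:])
    variant = APRIL[:-1] + b"\x00"  # right bytes at the hunk, differs elsewhere
    return {
        "april": outcome(APRIL, patch),
        "may": outcome(MAY, patch),
        # Only swapping the starting MD5 gets past gate 1 and no further.
        "may_relabelled": outcome(MAY, replace(patch, pre_md5=md5_hex(MAY))),
        "variant_relabelled": outcome(
            variant, replace(patch, pre_md5=md5_hex(variant))),
    }


if __name__ == "__main__":
    print(demo())
```

The version string alone does not identify a build; the digest does, which is why an inventory or update check should key on the hash and the build stamp together.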
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 20, 2020, 05:14:41 am
I'm not sure if it's too subtle or if I read it and not figured that was it.

"Easy way" (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2084152/#msg2084152).

I'm continuing to fine-tooth-comb my re-reading and caught this...
But the license generator from r***n doesn't really seem to exist? Or, I noticed that some of their posts have apparently been deleted, was this license generator posted and then deleted?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on November 20, 2020, 12:19:17 pm
Or, I noticed that some of their posts have apparently been deleted, was this license generator posted and then deleted?

No, such a thing was never made public.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: S. Petrukhin on November 21, 2020, 07:17:12 pm
Hey. I just bought one too. I would like to make a backup of the current firmware and all the data (as I would make an image in the Windows world) before I try this "hack". How can I make a backup and later use that backup as a recovery as well? I'm not very familiar with Linux backup. Thanks in advance.
The backup copy is stored in the scope.
To return everything as it was, just hold down RUN or SINGLE (don't remember exactly) when you turn it on.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 22, 2020, 02:24:00 am
Hi All! Just joined so I could post, after spending... well, multiple hours reading the history of this amazing journey.

[..]

I also just got a MSO5072 with the mid-May firmware, same number and build timestamp listed above.
I went ahead and used the well-worn ssh enabler, ssh in, use the command line to copy the appEntry file onto a USB stick at /media/sda1 and took it to another computer to do the MD5.
If you have any kind of unix computer (linux or Mac) simply type
$ md5 /Volumes/USB_DRIVE/appEntry
or whatever the appropriate path is for you. md5 should be present by default in most unix-like systems.
MD5 (appEntry) = 783a31ebdc0d4acb7b9dc244155ba1c6
From everything I'm seeing here, it seems like this piece of info should be enough to get the patcher to work? Am I misunderstanding?

Welcome! Unfortunately, just changing the initial MD5 before patching is not enough. The patch also has to fit the binary, and you need to know the MD5 after the patch. If you want to learn a bit more, I encourage you to try and replicate the patch for your binary.  For that, you have to compare the differences between a patched and unpatched appEntry, and replicate the same patch on your newly downloaded appEntry. Then you create the patch file, enter the correct md5, and you are done. :-) I found it well worth learning myself.

OK, well, I've been trying for a few days and could use some pointers. I did quite a bit of searching and learned that although it's (relatively) easy to find the step-by-step instructions and the relevant patch file for your auto-patcher, it's remarkably hard to find anything relevant to making your own patch, in this topic, via searching. I tried searches on "appEntry", "bdiff", "bpatch", "bspatch", "patch file", "patch function", "license check", etc. and after reading a few hundred search results I learned that I need to use a disassembler like IDA or Binary Ninja on appEntry, and then identify the relevant part of code based on the offset address that piskers provided on March 1, 2019 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2233152/?topicseen#msg2233152). In turn it seems like this would require disassembling that same version (01.01.04.04) and then disassembling the current version and manually finding the analogous function at a different address. And then after identifying the right function in the current version, I'd have to understand Xilinx assembler well enough to know how to modify the code, and then do that, and then save it to disk, and then use bdiff to make a patch. And then the rest is just plugging it into the auto-patcher.

So, does that seem all correct? I have a number of questions about details, but I'll just start with one, because I'm blocked at step zero... Namely, IDA for hobbyists is $365/year and the free cloud version of Binary Ninja won't handle files larger than 15Mb. So I am not sure where to begin with the disassembly. Any pointers for how to get started? I suppose in theory I could buy one of these very expensive software packages, considering that it's still way cheaper than buying the fully upgraded scope, but I am loathe to do that as I am probably not switching careers to a firmware reverse engineer any time soon...

I am making a sincere effort to figure this all out as you have encouraged... but the question "is there a free way to get the software I need" is not answerable in bounded time, since there's no way to prove the negative... so I figured I'd just go ahead and ask :)

Thanks again for all the help and hard work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on November 22, 2020, 07:58:13 am
you don't really need binja or ida at this point:
readelf, objdump are your friends
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sb42 on November 22, 2020, 11:52:41 am
As bmx says, at this point you don't need anything more than a disassembler because the binary still has the same structure.

A simple approach is to take an existing patch, apply it to an appropriate appEntry and diff the asm listings that you obtained with objdump.  This will show you what the patch is doing.  Then look around in your newer appEntry listing and figure out where to make the same changes.  Once you know that, write the replacement byte sequences at the new offsets with a hex editor or gdb and then produce a new binary patch at the end.

When I did a patch (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024236/#msg3024236) for 01.03 I used radare2, but it was more that I wanted an excuse to play with r2 than anything else. :)  I found it useful that it can search for instruction sequences (/ad), and that it has a convenient write command (you can seek to an offset and say "write a nop here" and it will do the right thing), but I didn't need any of its RE features.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Claus1 on November 22, 2020, 04:36:52 pm
Thanks for the hack. It worked. However my Rigol still displays model number under system information as MSO5074. Is it correct? Shouldn't it change to MSO5354?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on November 22, 2020, 05:17:20 pm
It's correct.
I thought about something: is eye and jitter measurement not functioning HW-wise in the MSO5000, or is it only "deactivated" in the appEntry to be a higher-class-scope-only function? Could it simply be reactivated (patch to activate another "if" statement in appEntry or something else)? I would like to do "simple" eye measurements and thought I could use persistent + pass/fail for this, but it looks like I can't make fully custom masks, for example for SDIO or so.
So any idea how it can be done? With the Siglent SDS2000X it looks like fully custom masks are drawable for pass/fail? Looks like this in the flyer..
We can play Doom on the MSO5k, so why can't we add new features / additional scripts for something like this?
Or is the issue that we cannot talk to the measurement peripherals?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 23, 2020, 04:50:12 pm
Quote
As bmx says, at this point you don't need anything more than a disassembler because the binary still has the same structure.

A simple approach is to take an existing patch, apply it to an appropriate appEntry and diff the asm listings that you obtained with objdump.  This will show you what the patch is doing.  Then look around in your newer appEntry listing and figure out where to make the same changes.  Once you know that, write the replacement byte sequences at the new offsets with a hex editor or gdb and then produce a new binary patch at the end.

When I did a patch (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024236/#msg3024236) for 01.03 I used radare2, but it was more that I wanted an excuse to play with r2 than anything else. :)  I found it useful that it can search for instruction sequences (/ad), and that it has a convenient write command (you can seek to an offset and say "write a nop here" and it will do the right thing), but I didn't need any of its RE features.

This is super helpful and so far it's going well. Quick sanity check: I ran objdump on the April and May versions of appEntry and then ran diff between the two files.

The objdump files were about 100 MB, which seems reasonable. But then the diff output was 186MB... the files are almost completely different. Is this normal for two subsequent versions of appEntry to be almost completely different by that indicator?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on November 23, 2020, 05:29:57 pm
Quote
Thanks for the hack. It worked. However my Rigol still displays model number under system information as MSO5074. Is it correct? Shouldn't it change to MSO5354?

It's correct. The model only changes if you change the model, not if you do BW upgrades.

Regarding eye/jitter: Those were tested by Sighound and the machine simply doesn't have the horsepower to do such a thing! Not even the DS7000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on November 23, 2020, 05:49:21 pm
Quote
This is super helpful and so far it's going well. Quick sanity check: I ran objdump on the April and May versions of appEntry and then ran diff between the two files.

The objdump files were about 100 MB, which seems reasonable. But then the diff output was 186MB... the files are almost completely different. Is this normal for two subsequent versions of appEntry to be almost completely different by that indicator?

If you inspect the two files you're diffing manually, you'll probably find that there's something significantly different near the beginning that's throwing diff off and causing it to lose sync in an unrecoverable way. Try different diff options and you'll probably be able to find a combination that gives a short, sensible diff of the two files. It may be as simple as passing diff the '--minimal' option or, paradoxically, the opposite: the '--speed-large-files' option.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sb42 on November 23, 2020, 06:30:51 pm
Quote
This is super helpful and so far it's going well. Quick sanity check: I ran objdump on the April and May versions of appEntry and then ran diff between the two files.

The objdump files were about 100 MB, which seems reasonable. But then the diff output was 186MB... the files are almost completely different. Is this normal for two subsequent versions of appEntry to be almost completely different by that indicator?

The diff should be a few dozen lines long if you're comparing listings for the same appEntry binary, before and after applying the patch:

Code:
% diff -u ae.s ae-mod.s | diffstat
 ae-mod.s |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

If you compare two different builds (and I think there may be two of them floating around for the latest firmware version?), diff will likely be thrown off by all the symbol address differences.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gall on November 23, 2020, 07:23:18 pm
Quote
Namely, IDA for hobbyists is $365/year and the free cloud version of Binary Ninja won't handle files larger than 15Mb.
There is Ghidra. Completely free and even better than IDA in some aspects. https://ghidra-sre.org/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 23, 2020, 08:32:21 pm
Quote
This is super helpful and so far it's going well. Quick sanity check: I ran objdump on the April and May versions of appEntry and then ran diff between the two files.

The objdump files were about 100 MB, which seems reasonable. But then the diff output was 186MB... the files are almost completely different. Is this normal for two subsequent versions of appEntry to be almost completely different by that indicator?

The diff should be a few dozen lines long if you're comparing listings for the same appEntry binary, before and after applying the patch:

Code:
% diff -u ae.s ae-mod.s | diffstat
 ae-mod.s |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

If you compare two different builds (and I think there may be two of them floating around for the latest firmware version?), diff will likely be thrown off by all the symbol address differences.

Yes, I'm comparing the two builds of the latest numerical firmware version, the April build that is available at the firmware download site, and the May build that comes with new scopes.

I ran diff with the -d option that said something like "try very hard to find a minimal set of differences". It ran for six hours!!! but the output was exactly the same. So I think it's the different symbol addresses as you said, and not something near the beginning like Cerebus said.

Thanks for the sanity check, I will continue when I have time...

In case anyone is interested
https://www.dropbox.com/s/pckpka9kqjmqfo3/ae.gz.aes-128?dl=0
use the familiar BAD key
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 24, 2020, 07:56:46 am
Following up... here's the diff from the unpatched objdump to the objdump of the patched appEntry, starting with the April build:

Code:
appEntry: file format ELF32-arm-little       | appEntryAprilPatched: file format ELF32-arm-little
   c6958: 01 00 00 0a beq #4 <_ZN16searchEventT |    c6958: 00 00 a0 e1 mov r0, r0
   c7210: 88 00 00 1a bne #544 <_ZN16searchEven |    c7210: 88 00 00 ea b #544 <_ZN16searchEven
   c744c: 23 00 00 0a beq #140 <_ZN16searchEven |    c744c: 00 00 a0 e1 mov r0, r0
  18c210: b3 00 00 0a beq #716 <_ZN5QListIPN8me |   18c210: 00 00 a0 e1 mov r0, r0
  18c22c: 1a 00 00 1a bne #104 <_ZN5QListIPN8me |   18c22c: 00 00 a0 e1 mov r0, r0
  3997d0: 71 00 00 0a beq #452 <_ZN12CIRQListen |   3997d0: 00 00 a0 e1 mov r0, r0
  3997ec: 06 00 00 1a bne #24 <_ZN12CIRQListene |   3997ec: 00 00 a0 e1 mov r0, r0
  44c6a4: 03 00 00 1a bne #12 <_ZN7MemFileD1Ev+ |   44c6a4: 00 00 a0 e1 mov r0, r0
  44c6a8: a9 ff ff eb bl #-348 <_ZN7MemFileD1E |   44c6a8: 01 00 a0 e3 mov r0, #1

sb42, your example showed six changes; this has nine, a group of three and then a group of six. I'm guessing that the difference is that I used the patch file from typoknig that includes the phone-home patch: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342

The md5 checks out before and after the patch, as per that patchfile. Seems like I'm on the right track.

Next I'll see if I can find the corresponding lines in the objdump from the May build. This is where it gets tricky!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sb42 on November 24, 2020, 10:18:40 am
Quote
sb42, your example showed six changes; this has nine, a group of three and then a group of six. I'm guessing that the difference is that I used the patch file from typoknig that includes the phone-home patch: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342

Sounds about right :-+

Quote
The md5 checks out before and after the patch, as per that patchfile. Seems like I'm on the right track.

Next I'll see if I can find the corresponding lines in the objdump from the May build. This is where it gets tricky!

Yup, this is the fun part ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 25, 2020, 01:58:29 am

Quote
The md5 checks out before and after the patch, as per that patchfile. Seems like I'm on the right track.

Next I'll see if I can find the corresponding lines in the objdump from the May build. This is where it gets tricky!

Yup, this is the fun part ;)

OK, so here's the lineup of the lines-to-be-patched from the April build and the May build of 01_03_00_01:

Code:
   c6958: 01 00 00 0a beq #4 <_ZN16searchEventTable16sigCurrEventTimeEi+0x3650>
   c7210: 88 00 00 1a bne #544 <_ZN16searchEventTable16sigCurrEventTimeEi+0x4124>
   c744c: 23 00 00 0a beq #140 <_ZN16searchEventTable16sigCurrEventTimeEi+0x41cc>
  18c210: b3 00 00 0a beq #716 <_ZN5QListIPN8menu_res8RDsoViewEED1Ev+0x104d8>
  18c22c: 1a 00 00 1a bne #104 <_ZN5QListIPN8menu_res8RDsoViewEED1Ev+0x10290>
  3997d0: 71 00 00 0a beq #452 <_ZN12CIRQListener10sigHandlerEi+0x2dac>
  3997ec: 06 00 00 1a bne #24 <_ZN12CIRQListener10sigHandlerEi+0x2c1c>
  44c6a4: 03 00 00 1a bne #12 <_ZN7MemFileD1Ev+0x2344>
  44c6a8: a9 ff ff eb bl #-348 <_ZN7MemFileD1Ev+0x21e0>

Code:
   c6958: 01 00 00 0a beq #4 <_ZN16searchEventTable16sigCurrEventTimeEi+0x3650>
   c7210: 88 00 00 1a bne #544 <_ZN16searchEventTable16sigCurrEventTimeEi+0x4124>
   c744c: 23 00 00 0a beq #140 <_ZN16searchEventTable16sigCurrEventTimeEi+0x41cc>
  18c1c8: b3 00 00 0a beq #716 <_ZN5QListIPN8menu_res8RDsoViewEED1Ev+0x104d8>
  18c1e4: 1a 00 00 1a bne #104 <_ZN5QListIPN8menu_res8RDsoViewEED1Ev+0x10290>
  399770: 71 00 00 0a beq #452 <_ZN12CIRQListener10sigHandlerEi+0x2dac>
  39978c: 06 00 00 1a bne #24 <_ZN12CIRQListener10sigHandlerEi+0x2c1c>
  44c644: 03 00 00 1a bne #12 <_ZN7MemFileD1Ev+0x2344>
  44c648: a9 ff ff eb bl #-348 <_ZN7MemFileD1Ev+0x21e0>



That worked surprisingly well.
For the benefit of future generations, rather than giving verbal step-by-step instructions I'll just include the bash script I used to get this comparison. This should serve as completely comprehensible instructions for anyone comfortable with the Unix command line while not making it *too* easy for a beginner to get themselves into deep trouble. Edit: see my newer message for the complete version of this shell script and some info about it, as well as the final patch itself. https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3344172/#msg3344172
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on November 25, 2020, 05:59:38 am
add a pinch of c++filt, and you're set
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on November 25, 2020, 06:57:44 pm
BTW, you can SCP your patched binary for testing to /tmp and mark it executable. appEntry runs from everywhere. That prevents any chance of bricking the device.  ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 26, 2020, 01:26:44 am
Quote
add a pinch of c++filt, and you're set

Huh, interesting idea, would make it more pleasant for sure... but doesn't seem to work? Any idea why?

Code:
(base) omgoleus@slick-biscuit 01_03_00_01_May % c++filt <appEntryApril_diffpre
01 00 00 0a beq #4 <_ZN16searchEventTable16sigCurrEventTimeEi+0x3650>
88 00 00 a bne #544 <_ZN16searchEventTable16sigCurrEventTimeEi+0x4124>
23 00 00 0a beq #140 <_ZN16searchEventTable16sigCurrEventTimeEi+0x41cc>
b3 00 00 0a beq #716 <_ZN5QListIPN8menu_res8RDsoViewEED1Ev+0x104d8>
a 00 00 a bne #104 <_ZN5QListIPN8menu_res8RDsoViewEED1Ev+0x10290>
71 00 00 0a beq #452 <_ZN12CIRQListener10sigHandlerEi+0x2dac>
06 00 00 a bne #24 <_ZN12CIRQListener10sigHandlerEi+0x2c1c>
03 00 00 a bne #12 <_ZN7MemFileD1Ev+0x2344>
a9 ff ff eb bl #-348 <_ZN7MemFileD1Ev+0x21e0>
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 26, 2020, 01:33:36 am
Quote
BTW, you can SCP your patched binary for testing to /tmp and mark it executable. appEntry runs from everywhere. That prevents any chance of bricking the device.  ;)

Huh wow, that's kind of amazing, I didn't think of that. If you execute it at the command line does it simply take over from the currently running instance, or do you have to kill the process first?

I am very curious what it will look like on the scope screen when I kill appEntry... lol
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on November 26, 2020, 05:36:22 am
$ objdump ... file | sed ... | awk ... | whatever ... | c++filt

   c6958:       01 00 00 0a     beq     #4 <searchEventTable::sigCurrEventTime(int)+0x3650>
   c7210:       88 00 00 1a     bne     #544 <searchEventTable::sigCurrEventTime(int)+0x4124>
   c744c:       23 00 00 0a     beq     #140 <searchEventTable::sigCurrEventTime(int)+0x41cc>
  18c210:       b3 00 00 0a     beq     #716 <QList<menu_res::RDsoView*>::~QList()+0x104d8>
  18c22c:       1a 00 00 1a     bne     #104 <QList<menu_res::RDsoView*>::~QList()+0x10290>
  3997d0:       71 00 00 0a     beq     #452 <CIRQListener::sigHandler(int)+0x2dac>
  3997ec:       06 00 00 1a     bne     #24 <CIRQListener::sigHandler(int)+0x2c1c>
  44c6a4:       03 00 00 1a     bne     #12 <MemFilqe::~MemFile()+0x2344>
  44c6a8:       a9 ff ff eb     bl      #-348 <MemFile::~MemFile()+0x21e0>

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: simogi on November 26, 2020, 11:01:54 pm

Good evening,

I just bought a 5000 series rigol, which hasn't arrived yet by the way.

And I came across this forum.

I have read a few things but I have some doubts.

Obviously they are easy doubts.

The Rigol will have a Linux distribution for ARM; how do you use objdump etc. on Linux x86 or x64 (should you use a cross-compiled one)?

Another question, since there is the option to allow backup (I saw "backup.doc" among your files)
isn't it easier to download everything and decrypt the root pass in passwd? (always with the method given by you "hashcat64.exe")

Regards

Simogi
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 26, 2020, 11:12:33 pm
Quote
$ objdump ... file | sed ... | awk ... | whatever ... | c++filt

   c6958:       01 00 00 0a     beq     #4 <searchEventTable::sigCurrEventTime(int)+0x3650>
   c7210:       88 00 00 1a     bne     #544 <searchEventTable::sigCurrEventTime(int)+0x4124>
   c744c:       23 00 00 0a     beq     #140 <searchEventTable::sigCurrEventTime(int)+0x41cc>
  18c210:       b3 00 00 0a     beq     #716 <QList<menu_res::RDsoView*>::~QList()+0x104d8>
  18c22c:       1a 00 00 1a     bne     #104 <QList<menu_res::RDsoView*>::~QList()+0x10290>
  3997d0:       71 00 00 0a     beq     #452 <CIRQListener::sigHandler(int)+0x2dac>
  3997ec:       06 00 00 1a     bne     #24 <CIRQListener::sigHandler(int)+0x2c1c>
  44c6a4:       03 00 00 1a     bne     #12 <MemFilqe::~MemFile()+0x2344>
  44c6a8:       a9 ff ff eb     bl      #-348 <MemFile::~MemFile()+0x21e0>


I piped that same text into c++filt and it didn't do what you're showing. Looking at the documentation, as well as your example, it does not appear that there should be any special tricks or command line options needed; it should take this objdump text as input and spit out a demangled output.

Edit: I figured it out. Mac OS X comes with objdump from llvm and also c++filt that claims to be gnu. Neither of them works. However, if I install gnu binutils with homebrew, then the new gnu versions both work.  :wtf:

Also, the version of grep in Mac OS X has had a bug for ten years that hasn't been fixed: https://unix.stackexchange.com/questions/8892/trouble-with-grep-o-regex
yikes! careful if you're doing Unix development on a Mac!

Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 27, 2020, 08:09:36 am
Woot, at the stroke of midnight the beast came to life!
This was my hand-edited appEntry running out of /tmp. I have to say, I was a little disappointed. When I did kill -9 of the appEntry process, nothing happened... It should be cool like in Tron when they shut down the Master Control Program...

The patch file and patch.txt for the May build of firmware 01.03.00.01 is attached. These are used with mabl's autopatcher. They are based on the version of the patch in this message (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342) from typoknig which includes the patch to disable phone-home.

Here's the contents of the patch.txt file:

Code:
file_to_patch=/rigol/appEntry
file_to_patch_md5sum=783a31ebdc0d4acb7b9dc244155ba1c6
patch_file=mayBuildPatch.bspatch
after_patch_md5sum=7e39040bfb086c666be3e7cc87dd73b0

I'm also attaching the final version of my shell script that uses objdump and diff to find the difference between the original and patched version of an older executable, and then figures out what file offsets need to be hex-edited in the newer executable to manually recreate the patch. Doing this in a shell script was way more complicated than doing it manually and in fact I made the patch and then went back and spent a full day making a shell script to recreate exactly what I did manually... but for me, this feels better than writing out step-by-step instructions. It only took so long because (repeating what I said before) the included version of various command line utilities on Mac... kind of suck...

If you want to use this script, be sure to read the comments carefully. I refer to gobjdump and gsed for the gnu versions, gnu would probably be the default versions if you're on Linux, so you'd have to fix that. Also I use associative arrays and the syntax is slightly different in zsh versus bash4 but I included both in comments. Also note that this script just finds the file offsets you need to edit; you have to do the editing yourself with a hex editor. I had to draw the line somewhere!

I'd like to thank the people in the last few days of messages who offered help... you can see who they are by scrolling back. I probably could have got it to work simply based on the info that already existed in the thread, but it would have taken a lot longer and involved a lot more trial and error and a lot more anxiety about flying blind and worrying that I was going to brick my scope. I especially want to observe, for the benefit of anyone else thinking about doing this from scratch, that the most useful piece of information was sb42 telling me the number of lines of diff to expect between patched and unpatched and clarifying my misunderstanding about diff between different versions. A close second was bmx and sb42 pointing me in the direction of objdump rather than a full reverse engineering tool.

Finally, mabl you were totally right that this was rewarding to figure out!

For completeness, here's the instructions for someone who just wants to patch:
1. In this message (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640) mabl posted the "auto patcher".
2. Download that and rename it to remove the .txt (Make sure you actually remove the .txt extension, don't be fooled by your stupid gui.)
3. Check the "About" menu on your scope to see what version and build of firmware you have. If you have a new scope as of the date of this message it probably has 01.03.00.01 with a build date of May. For that version/build you can use the patch file and patch.txt attached to this message. Otherwise you have to search.
4. Follow the instructions in mabl's message. You will know it works because the screen will turn white with text and give you some "hit any key" prompts.
5. If it doesn't get to that screen, it's probably because you're using too large of a flash drive or it's formatted wrong or the file still has a .txt extension.
6. If the black on white text tells you that it worked, it takes a pretty long time (1 minute) for anything else to happen. That's normal.
7. If it got that far but then the licenses don't show up, then you'll have to do some deeper troubleshooting.
8. If your scope becomes non-functional try turning it off and then back on again. If that doesn't work, then you will have to use the "secret menu" and restore the firmware. This is not that hard, but you'll have to search through the thread if it comes to that.
9. At the present time the collective wisdom of this community seems to agree that it is impossible to permanently brick your scope. Restoring firmware via secret menu is the worst case scenario.
10. I think, maybe, you're supposed to use the scope's menus to run its auto-calibration routine once you've done the upgrade?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: calippo on November 27, 2020, 09:41:02 pm
Hello guys, I know I am not the first and I won't be last asking this... so try to understand.... probably some of you went already through the pain of reading this massive thread...  :scared:

Is there a comprehensive tutorial or sticky post that collects all steps to update the fw in order to unlock all the features of the MSO5074 I am planning to buy?

Again, my apologies to ask again, but due to the lack of the sticky post on page #1... it is quite hard to find where to start or a proper howto.  ^-^

Cheers mates and stay safe!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on November 27, 2020, 10:10:01 pm
Quote
Hello guys, I know I am not the first and I won't be last asking this... so try to understand.... probably some of you went already through the pain of reading this massive thread...  :scared:

Is there a comprehensive tutorial or sticky post that collects all steps to update the fw in order to unlock all the features of the MSO5074 I am planning to buy?

Again, my apologies to ask again, but due to the lack of the sticky post on page #1... it is quite hard to find where to start or a proper howto.  ^-^

Cheers mates and stay safe!

See my message above yours, I edited it to include everything you need.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: calippo on November 27, 2020, 10:14:18 pm
For instance, this part, right?

Truly appreciated for the quick help. Thanks again! :)

Quote
For completeness, here's the instructions for someone who just wants to patch:
1. In this message mabl posted the "auto patcher".
2. Download that and rename it to remove the .txt (Make sure you actually remove the .txt extension, don't be fooled by your stupid gui.)
3. Check the "About" menu on your scope to see what version and build of firmware you have. If you have a new scope as of the date of this message it probably has 01.03.00.01 with a build date of May. For that version/build you can use the patch file and patch.txt attached to this message. Otherwise you have to search.
4. Follow the instructions in mabl's message. You will know it works because the screen will turn white with text and give you some "hit any key" prompts.
5. If it doesn't get to that screen, it's probably because you're using too large of a flash drive or it's formatted wrong or the file still has a .txt extension.
6. If the black on white text tells you that it worked, it takes a pretty long time (1 minute) for anything else to happen. That's normal.
7. If it got that far but then the licenses don't show up, then you'll have to do some deeper troubleshooting.
8. If your scope becomes non-functional try turning it off and then back on again. If that doesn't work, then you will have to use the "secret menu" and restore the firmware. This is not that hard, but you'll have to search through the thread if it comes to that.
9. At the present time the collective wisdom of this community seems to agree that it is impossible to permanently brick your scope. Restoring firmware via secret menu is the worst case scenario.
10. I think, maybe, you're supposed to use the scope's menus to run its auto-calibration routine once you've done the upgrade?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: simogi on November 30, 2020, 09:18:58 pm
Good evening,

Today my rigol MSO5074-A arrived.

I tried so right away (if you can tell) to expand it.


So I used your previous mail files, placed in root of a 16GB fat32 formatted usb key.

Inserted in the rigol, the oscilloscope turns on without doing the self-update.

I go to a local update menu and it worked.

After a few presses of any key (indicated by the display anyway).

My firmware was version 01.03.00.01 from May.

I thank everyone for their help.

I would like to understand more, rather than just being a performer.

I hope you will let me, even if my questions may be considered simple for you.

Regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 05, 2020, 04:47:29 pm
Quote
I'd be surprised if you got appEntry source. I did this for a Samsung TV some time ago, all I got was the Linux kernel I could have downloaded from the source webpage. None of their derivative works or things that used the Open Source libraries.

Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

Anyway, the request went through, and I got the sources. It was a painful experience. The first time, the archive was corrupted and could not be extracted, so a week went over that. I did get a new download (same archive, but the date inside was 2 days later, so for sure this was a new archive), and it worked. It was a 100 GiB vmware disk image :S Inside there was nothing useful. Just gcc and stuff to actually make the build work I suppose. I never ran the VM, just mounted the disk image and extracted the juicy bits.

So first up is U-Boot (https://gitlab.com/riglol/rigolee/u-boot), the bootloader used. The bootloader is involved when you do the SINGLE key press trick. I'm not convinced it is the correct version, as the fw4uboot.sh update script uses a function called 'showMessage' which I haven't found. Maybe it gets silently ignored? Could someone produce some screenshots with the 'SINGLE' key being in effect and the update messages when doing an update via that way? I recall that when pushing SINGLE, you get a menu to the left of the right key-columns, right?

Anyway, I wrote a wiki page explaining the work and branches, best to refer to that page rather than talking too much about it here: wiki (https://gitlab.com/riglol/rigolee/u-boot/-/wikis/Rigol-U-Boot).

Secondly, the Linux kernel (https://gitlab.com/riglol/rigolee/linux). I haven't done the work there yet, need a bit more time for that, but have started on it locally ;) There's a wiki too, but not filled with data yet. Linux kernel wiki (https://gitlab.com/riglol/rigolee/linux/-/wikis/Rigol-Linux).

Finally, I moved the previous 'firmware dumps' into a new location/name. Those are now rigol (https://gitlab.com/riglol/rigolee/firmware), sorry for breaking any links :(. The analysis wiki (https://gitlab.com/riglol/rigolee/firmware/-/wikis/home) still lives there too.

Finally, I've started a new thread, as this one is being abused and really only is about 'help, unlock my rigol' nowadays :) so focus on software development, reverse engineering etc. is now moved to here: Zynq 7000 based rigol software development (https://www.eevblog.com/forum/testgear/zynq-700-based-rigol-software-development-(mso5k-ds7k-mso8k-and-probably-more)/) (Need to get a permalink for that as I probably will change the title :p)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 05, 2020, 06:07:28 pm
Quote
Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

:clap: As we say in Portuguese: "quem não chora, não mama"

Edit:  |O Corrected the saying...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on December 06, 2020, 01:52:23 am
Quote
Still, I'd be happy to be wrong :)
I think I mentioned this before, but 'obviously'. But one can always seem to amaze you ;)

:clap: As we say in Portuguese: "quem não pede, não mama"
Hmmm, Google Translate gives that as... "who does not ask, does not breast"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: S. Petrukhin on December 06, 2020, 09:15:11 pm
Quote
Anyway, the request went through, and I got the sources.

Rigol kept its promises and opened the source code?  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on December 06, 2020, 11:00:26 pm
No, that wasn't a promise. And it's not the full source code.
Only the stuff which is GPL based. They had to give it to him, otherwise the possibility for law penalties will be opened up.
A work colleague did the same thing for the "Thermomix" ;-)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 07, 2020, 08:36:06 am
Quote
No, that wasn't a promise. And it's not the full source code.
Only the stuff which is GPL based. They had to give it to him, otherwise the possibility for law penalties will be opened up.
A work colleague did the same thing for the "Thermomix" ;-)

If you go back in the long long history of this thread, it is indeed mentioned that we only have the u-boot and kernel sources as those are the most important part. So they kept their contractual promise.

Not sure if they ever promised to release 'appEntry' or anything, and that would have been so unexpected, it wasn't even on my radar :) But you never know.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luky315 on December 10, 2020, 02:24:12 pm
I have two small questions:
How are the .bspatch files created?
Is it possible to read the content of a .bspatch file in a human readable format or are they binary files?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on December 10, 2020, 03:23:30 pm
diff and patch are standard unix utilities that respectively (1) figure out the differences between two text files and produce a [semi-]readable listing of the differences sometimes called a patch file (2) take the difference output of diff and one of the original files as input and produces the other original file as output.

bsdiff and bspatch are analogous non-standard utilities for binary files, with bsdiff producing a binary patch file that can be used as input to bspatch. The contents of the output of bsdiff are binary and opaque. I don't know if anyone has produced a utility to print out the intentions of a binary patch file; it would probably be relatively trivial to do, reverse-engineering the source for bsdiff.

You can find the home page for bsdiff and bspatch here (http://www.daemonology.net/bsdiff/).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luky315 on December 10, 2020, 03:36:11 pm
It would be interesting what exactly will be changed by this patch and in a second step it would be interesting to write my own patch.
"unfortunately" I have bought a DS7014 and not a MSO5000 :-(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on December 10, 2020, 03:55:02 pm
I don't know if anyone has produced a utility to print out the intentions of a binary patch file; it would probably be relatively trivial to do, reverse-engineering the source for bsdiff.

I take that back. I had a quick search for a utility to print bspatch files and couldn't find one, so I thought I'd take my own advice and see if one could be run up quickly. So I grabbed the source for bsdiff. Yuck! For anyone who wants an example of how to take a short program (it's only 404 lines) and write it in such a bad style that it's incomprehensible, then take a look at the bsdiff source. Only comment things that are almost obvious, don't comment the things that are opaque, use single letter variable names, embed magic numbers in the code and so on, the list of coding sins is almost endless.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on December 11, 2020, 05:27:34 am
That's not how it works. You don't learn from the bspatch file.
If you want to know what it's doing:
 1/ patch the old binary
 2/ compare by yourself old bin vs new bin (hexdiff, whatever)

It will show you the expanded vision of the bspatch, but still nonsense to people nonsensitive to binary.

So you can go one step below:
 convert each machine language keywords to assembly keywords or binary blob to organized structures
 then manually diff the files produced against the old and new binary.

or have a look at riglol gitlab repo.

--upd:
take a breath... dive (https://github.com/WerWolv/ImHex)
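
Added example, not part of any post in this thread and not code from the bsdiff project: a Python reader for the classic bsdiff 4.x (BSDIFF40) container that applies a patch in memory and lists every byte run it modifies or inserts, i.e. the "print the intentions" utility and the old-versus-new comparison discussed in the posts above. It assumes the patch uses the BSDIFF40 layout; `explain`, `parse_patch`, `make_patch`, `OLD` and `SAMPLE` are hypothetical names and the sample data is constructed.

```python
import bz2
import hashlib

MAGIC = b"BSDIFF40"  # classic bsdiff 4.x header magic (assumed patch format)


def offtin(buf):
    """Decode bsdiff's 8-byte little-endian sign-magnitude integer."""
    value = int.from_bytes(buf, "little")
    return -(value & ~(1 << 63)) if value >> 63 else value


def offtout(n):
    """Inverse of offtin; used here only to build the constructed sample."""
    return (abs(n) | ((1 << 63) if n < 0 else 0)).to_bytes(8, "little")


def parse_patch(patch):
    """Split a patch into (control triples, diff block, extra block, new size)."""
    if len(patch) < 32 or patch[:8] != MAGIC:
        raise ValueError("not a BSDIFF40 patch")
    ctrl_len, diff_len, new_size = (offtin(patch[i:i + 8]) for i in (8, 16, 24))
    if min(ctrl_len, diff_len, new_size) < 0 or 32 + ctrl_len + diff_len > len(patch):
        raise ValueError("corrupt header lengths")
    ctrl_end = 32 + ctrl_len
    ctrl = bz2.decompress(patch[32:ctrl_end])
    diff = bz2.decompress(patch[ctrl_end:ctrl_end + diff_len])
    extra = bz2.decompress(patch[ctrl_end + diff_len:])
    if len(ctrl) % 24:
        raise ValueError("control block is not a whole number of triples")
    triples = [tuple(offtin(ctrl[i + k:i + k + 8]) for k in (0, 8, 16))
               for i in range(0, len(ctrl), 24)]
    return triples, diff, extra, new_size


def explain(old, patch):
    """Apply the patch in memory and return (new bytes, list of changes).

    A change is ("modify", new_offset, old_bytes, new_bytes) for each run of
    altered bytes, or ("insert", new_offset, b"", inserted_bytes).
    """
    triples, diff, extra, new_size = parse_patch(patch)
    new, changes = bytearray(), []
    old_pos = diff_pos = extra_pos = 0
    for add_len, copy_len, seek in triples:
        if add_len < 0 or copy_len < 0 or len(new) + add_len + copy_len > new_size:
            raise ValueError("control triple has a bad length")
        if diff_pos + add_len > len(diff) or extra_pos + copy_len > len(extra):
            raise ValueError("control triple runs past the diff or extra block")
        # Step 1: new = old + diff (byte-wise, mod 256); zero delta = unchanged.
        base, src = len(new), bytearray()
        for i in range(add_len):
            j = old_pos + i
            src.append(old[j] if 0 <= j < len(old) else 0)
            new.append((src[i] + diff[diff_pos + i]) & 0xFF)
        i = 0
        while i < add_len:  # group consecutive non-zero deltas into one record
            end = i
            while end < add_len and diff[diff_pos + end]:
                end += 1
            if end > i:
                changes.append(("modify", base + i, bytes(src[i:end]),
                                bytes(new[base + i:base + end])))
            i = max(end, i + 1)
        # Step 2: append copy_len literal bytes from the extra block.
        if copy_len:
            chunk = extra[extra_pos:extra_pos + copy_len]
            changes.append(("insert", len(new), b"", chunk))
            new += chunk
        # Step 3: advance; seek may be negative (moves back in the old file).
        diff_pos, extra_pos = diff_pos + add_len, extra_pos + copy_len
        old_pos += add_len + seek
    if len(new) != new_size:
        raise ValueError("output size does not match the patch header")
    return bytes(new), changes


def make_patch(triples, diff, extra, new_size):
    """Assemble a BSDIFF40 file from raw parts (constructed sample only)."""
    ctrl = bz2.compress(b"".join(offtout(v) for t in triples for v in t))
    diff_c = bz2.compress(diff)
    return (MAGIC + offtout(len(ctrl)) + offtout(len(diff_c)) + offtout(new_size)
            + ctrl + diff_c + bz2.compress(extra))


# Constructed sample: change one byte at offset 23 and append three bytes.
OLD = b"constructed-sample;rev=0;"
SAMPLE = make_patch([(25, 3, 0)], bytes(23) + b"\x01" + bytes(1), b"END", 28)

if __name__ == "__main__":
    new, changes = explain(OLD, SAMPLE)
    print("md5 before:", hashlib.md5(OLD).hexdigest())
    print("md5 after: ", hashlib.md5(new).hexdigest())
    for kind, offset, before, after in changes:
        print(f"{kind:6} @0x{offset:08x}  {before.hex() or '-':>8} -> {after.hex()}")
```

To inspect a real patch, read the original binary and the patch file with `open(path, "rb").read()` and pass both to `explain`; the two MD5 values can then be compared with the before/after sums that posters publish alongside their patches.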

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luky315 on December 11, 2020, 04:00:32 pm
Just to be clear: The "old" way with (reactivating) SSH and -fullopt is definitively closed?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 11, 2020, 04:24:16 pm
Just to be clear: The "old" way with (reactivating) SSH and -fullopt is definitively closed?

If you use the "old" FW the way is open. If you use "newer" FWs, the way is definitely closed and you have to emulate that behavior.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Julian.Berk on December 16, 2020, 05:11:23 pm
ive tried it but it gives this message. any clue to what im doing wrong?
using the files supplied by omgoleus
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: toeeks on December 17, 2020, 09:56:06 am
I can confirm that the instructions by omgoleus worked for me on a brand-new MSO5074 with the May 2020 firmware build. :-+

@Julian.Berk: Are you sure you've actually removed the .txt extension from your downloaded patch file and unzipped it first? Can you share a screenshot of the root directory of the USB drive?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Julian.Berk on December 17, 2020, 10:30:52 am
@toeeks thanks a bunch. i was incorrectly unzipping the file but now it works!!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: carlitos49 on December 19, 2020, 07:19:46 pm
Hello I have the MSO5074 (70MHz) which I purchased a little over one year ago and through this forum I was able to get all the options and features, 350MHz and all other options.  However they have now added a new Bode plotter feature with the latest firmware (V00.01.03.00.01 released on April of 2019). My currently installed version is V00.01.01.04.04.  I imagine that if I tried to update to the latest I would lose my previous hack and end up with a lot of missing features and options but my real worry is if you do an update to their latest firmware release, is there any way to go back to what I had (my hacked firmware)??? or will it totally lock me out?  Any answers or suggestions to this dilemma would be greatly appreciated.
Thank you so much!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 19, 2020, 11:02:53 pm
Siglent owners don't have these problems.. ;)
Once the (generated) license keys are installed, they remain through every firmware update because of their nature, being "real" license keys.
I'm not up to date as far as the Rigol 5000 is concerned, as I changed to Siglent early this year.
So it's still a problem when updating to a newer firmware, all the hacks are gone?
There's no keygen available, generating "true" license keys?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sergey Astakhov on December 19, 2020, 11:39:51 pm
my real worry is if you do an update to their latest firmware release, is there any way to go back to what I had (my hacked firmware)??? or will it totally lock me out?

Don't worry, the latest firmware can be hacked just like the old one. You just need to choose the correct patch file (it has its own for each firmware).

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sergey Astakhov on December 19, 2020, 11:42:35 pm
So it's still a problem when updating to a newer firmware, all the hacks are gone?
There's no keygen available, generating "true" license keys?

Yep, still no keygen, only by patching.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on December 19, 2020, 11:57:27 pm
Hm-Hm....
I owned the Rigol for over a year, bought it in Nov. 2018.
And I had a close conversation with the Rigol support in that time.
Finally they thanked me for it by giving me the full options license key for free.. 8)
This key and what it does I've sent to a member here.
And it hasn't had an impact on the hacking thing here since?
Interesting...

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: x-tro on December 20, 2020, 08:44:45 am
Guys, outstanding work!

I have MSO5104 with MSO5000(ARM)Update v00.01.03.00.01 with 2020-03-30 build. Does anyone have patch for this or maybe somebody can share May update with me ?

ps.
March MSO5000(ARM)Update v00.01.03.00.01 GEL MD5: C85C5F4A64A8C9D435B589835225D527
March appEntry MD5: 2EFA4605B83BF1AF48BF6736BFAE3255

best regards
X-Tro
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: omgoleus on December 29, 2020, 06:47:08 am
Hello I have the MSO5074 (70MHz) which I purchased a little over one year ago and through this forum I was able to get all the options and features, 350MHz and all other options.  However they have now added a new Bode plotter feature with the latest firmware (V00.01.03.00.01 released on April of 2019). My currently installed version is V00.01.01.04.04.  I imagine that if I tried to update to the latest I would lose my previous hack and end up with a lot of missing features and options but my real worry is if you do an update to their latest firmware release, is there any way to go back to what I had (my hacked firmware)??? or will it totally lock me out?  Any answers or suggestions to this dilemma would be greatly appreciated.
Thank you so much!

Go ahead and update to the newest firmware from April 2019, and then install the patch as per the instructions that have worked out over the course of this thread. If you go back about 20 messages from here, my message has a summary of what others worked out, which is focused strictly on the newest version. Then you will have the bode plotting and the unlock!

The procedure is easy enough, you will just need to download the firmware onto a USB key to update, and then erase that and put the patcher and patch file on the USB key to patch. Thanks to mabl and others it’s really very smooth.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rogersstuart on December 30, 2020, 09:44:34 am
Does the print function work for anyone? I upgraded to the latest firmware and applied a patch from a post that said it's supposed to stop the scope from "phoning home." Networking does work. I can access the scope through my browser. But when I try to print to my LaserJet the scope always says "Printer Busy."
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: zzzox on December 31, 2020, 05:04:21 am
Hi

My scope : MSO5072   01.03.00.01   hw 01.01.000 2018.06.27 2020-05-18
Omgoleus' files worked. All options are unlocked forever.
Simply local upgrade from flash drive.(Kingston Data Traveler 100 G3 32GB Fat32).

The MSO5000 with all options is a great oscilloscope.

Thanks to Dave and everyone on the forum  :)

B.R.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luky315 on January 02, 2021, 11:12:36 am
I still find it interesting that a lot of people are installing a script "from the internet" without any idea what this script is changing or how.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 02, 2021, 12:41:36 pm
I still find it interesting that a lot of people are installing a script "from the internet" without any idea what this script is changing or how.

See the definition here (https://www.merriam-webster.com/dictionary/trust).

Did you create your own software? BTW, with tools "from the internet"?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on January 02, 2021, 02:16:49 pm
I still find it interesting that a lot of people are installing a script "from the internet" without any idea what this script is changing or how.

Many people are driving "cars from a garage" while being blissfully ignorant of the operation of internal combustion engines. Not everybody knows, or even wants to know, or is capable of knowing, the exact internal workings of everything they use. There are risks in that ignorance at all levels and there are opportunity costs in acquiring the knowledge to make any action relatively risk free. Between the two extreme states, people make trade-offs.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nh90wxr on January 13, 2021, 09:48:12 am
After heavy struggling the last days I have got success at the end, but only when I re-installed the already available fw 00.01.03.00.01 into my MSO5074, which I freshly received in the cw 1/2021. The fw in the item with build date 2020-05-18 (e.g. missing sshd) did not accept the 1301 patch - see picture with error message. But re-installed fw with the same version number 00.01.03.00.01 as prerequisite , taken from rigolna.com with build date 2020-03-30, made the significant difference to my approach. I would like to thank all contributors and their effort for making this nice enhancement to my item happen.  8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PT_Dreamer on January 13, 2021, 11:18:31 am
Hi, just wanted to thank all the work put into this "tune".
I was able to shift some bits to the MSO7024 firmware and got all the "Forevers".
No overshoots, in fact it is shooting just fine as the attached image shows.
I wasn't able to use the patchFinder script (it didn't find the appropriate sections) so I used IDA and the previous posted patches to find the required modifications.
I also changed the bootscreen but had to use mtd3 instead of mtd7 (probably depends on the current shadow image being used).
It is a shame about all the OT though, an "Hide all the BS button" would make things much less painful.

Cheers,
José 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luky315 on January 13, 2021, 11:30:28 am
That's amazing, could you please share your work?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PT_Dreamer on January 13, 2021, 02:02:36 pm
That's amazing, could you please share your work?
What do you want me to share?
I'm attaching the IDA diff for the 00.01.02.00.05 appEntry, you can apply it with idadif.py script.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ineedds on January 15, 2021, 09:16:33 am
I'm struggling now.
You have the same model and F/W as my 5072.
If you could, let me know the hacking procedures you've done and files.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tweini on January 15, 2021, 10:41:15 pm
Hi

My scope : MSO5072   01.03.00.01   hw 01.01.000 2018.06.27 2020-05-18
Omgoleus' files worked. All options are unlocked forever.
Simply local upgrade from flash drive.(Kingston Data Traveler 100 G3 32GB Fat32).
[...]

Your attachment "01_03_00_01.zip" is, according to the checksums, for the March firmware and it differs from the file from Omgoleus.

Best Regards
tweini
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PT_Dreamer on January 16, 2021, 09:36:58 am
I'm struggling now.
You have the same model and F/W as my 5072.
If you could, let me know the hacking procedures you've done and files.
What exactly are you struggling with?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MoriDove on January 24, 2021, 01:57:06 pm
Hi, is MSO5074 Hacking the same as MSO5072 ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on January 24, 2021, 02:54:05 pm
Hi, is MSO5074 Hacking the same as MSO5072 ?

Yes, they're the exact same scope, the 72 comes with all four physical channels but 2 are disabled in software.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on January 26, 2021, 03:57:55 pm
Hi, just wanted to thank all the work put into this "tune".
I was able to shift some bits to the MSO7024 firmware and got all the "Forevers".
No overshoots, in fact it is shooting just fine as the attached image shows.
I wasn't able to use the patchFinder script (it didn't find the appropriate sections) so I used IDA and the previous posted patches to find the required modifications.
I also changed the bootscreen but had to use mtd3 instead of mtd7 (probably depends on the current shadow image being used).
It is a shame about all the OT though, an "Hide all the BS button" would make things much less painful.

Cheers,
José

The DOOM tradition continues!

Agreed on hacking the 7k series. I did the same with one we have at work for "educational purposes" (but actually this time!) after cracking my own MSO5000 once seeing some work done by mabl. In my case this was right when the NSA had released Ghidra. Works quite well especially considering it's free. I would think HexRays should be a little worried. I've thought about selling my 5k to get a 7k, if only for the logic head being easier to deal with than the 5k. That said, folks seem to have done a decent job reversing the 5k's logic head into something less silly than the factory offering!

Only beef I ran into is I had to manually make changes to the binary with okteta, as at the time Ghidra had a bug where it wouldn't correctly apply memory offsets when repacking the binary with your changes. This may be fixed now, been a while since I looked.

Was a lot of fun and a great opportunity to knock rust off my reversing skillset :D I'd recommend trying it to anyone else in here. It's not a super difficult challenge if you know a little assembly and your way around IDA Pro or Ghidra. Mostly just pointer redirection and some changing of JMP instructions.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nichrist on February 04, 2021, 08:34:29 pm
Hi
I am thinking of upgrading my old LAB Oscilloscope (a Rigol DS1052E bought back in 2009) and buying a DSO5000. The idea is of course to buy a base model and hack for the full power. I am currently between MSO5074 and MSO5072. MSO5074 is 100euro more expensive, is it worth the extra money? Can I hack MSO5072 to 4 channels?
Thank you
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Noy on February 04, 2021, 08:41:02 pm
Yes you can hack the MSO5072 to 4 channel.
But consider the price of 2 additional 350MHz passive probes.. So 100€ more for 5074 with 4 probes are worth the money. Except you have already 2 additional probes (350MHz)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cnoob on February 13, 2021, 03:53:43 pm
Just like to thank every one involved in working out how to hack the mso5000.
I've just hacked my mso5104 which arrived yesterday.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Commodore8888 on February 18, 2021, 10:11:29 pm
Went to pop my Dec 2018 MSO5000 open to swap in a little higher volume fan and made a not so nice discovery....

The metal inserts Rigol used to provide threads for their screws, might end up being so friendly to the ABS plastic the scope is made of  :palm: This thing has lived its whole life on a bench too.

The bigger issue is if this starts, you may one day find your scope feet are now stuck.

Still have a year of warranty left, so maybe I can get a new front cover :/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Ogawa Mitsuaki on February 19, 2021, 04:11:05 am
Everyone who is working hard.
I am always grateful for your help.

I also made 70-> 350!
I bought the other options.

The MSO5000 gets very hot.
I installed a 5V fan and filter on the back panel.
5V is taken from the front USB of the MSO5000, but even with the hacked MSO5000, there are no problems so far.
If there is a problem, I will supply it from a USB HUB.

The parts for mounting were created with a 3D printer and attached with double-sided adhesive tape. The probe holder was also created with a 3D printer.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jeffjmr on February 19, 2021, 01:55:45 pm
Oh that probe holder is just what I need to keep my rat’s nest of probe cables off my bench.

How did you attach it and can I buy one?

Jeff
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Ogawa Mitsuaki on February 21, 2021, 02:45:05 am
Thank you everyone!

I made it as a hobby, so I don't sell it.
I can provide data for 3D printing.
Download the file and print it in 3D.
Since it is divided into 3 parts, please bond the parts with a solvent-based adhesive after printing.
It can be used with only two parts, MSO500_Holder.stl and MSO500_L-ShapedConnection.stl.
Attach it to MSO5000 with double-sided adhesive tape.

Also, this is the place for MSO5000 hacks, so let's end this topic.

If there is a place with such a topic, we will cooperate as much as possible, so please make a place. Or please tell me the location.

Thank you.

*postscript:
I put the modified 3D data on the next page.
There are 3D data for left side installation and 3D data for right side installation dedicated to MSO5000.
There is also general-purpose 3D data.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on February 21, 2021, 10:35:31 am
If there is a place with such a topic, we will cooperate as much as possible, so please make a place. Or please tell me the location.

Nice work!  It looks like it should work with many brands of scopes & probes.

There is a thread for 3D printed parts, and although it is mainly for replacement parts, I think this fits in there as well.
https://www.eevblog.com/forum/testgear/replacement-knobs-feet-and-fittings-for-test-equipment/
Or you could create a post specifically for your design at https://www.eevblog.com/forum/3d-printing/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Ogawa Mitsuaki on February 22, 2021, 11:18:26 am
I went to the place where I was taught, but it wasn't what I envisioned ...

The parts (L-ShapedConnection) have been redesigned with a general-purpose shape so that they can be used with various oscilloscopes.
However, there are loose corners on the sides of the oscilloscope.
When pasting with double-sided adhesive tape, adjust the thickness before pasting.

If there is no request, this is the end.

Thank you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TDA7056 on February 28, 2021, 11:33:56 pm
Thanks folks! I can confirm that procedure described in the post #1901 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3344172/#msg3344172) worked flawlessly for May 2020 build.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Deckardsvr on March 02, 2021, 05:29:58 pm
Same here, my MSO5074 is fully unlocked, great job people :-+

Fw : 00.01.03.00.01
Hw : 01.01.000
Boot  : 2018.06.27
Build : 2020-05-18 11:42:06

here's what i did, 3 files on a USB Key :
- 'DS5000Update.GEL' file from post #1298
- 'mayBuildPatch.bspatch' and 'patch.txt' files from post #1901 (inside the archive 01_03_00_01_MayBuild_patch.tar.gz)

On the Scope : Utility, System, Help, Local Upgrade
White screen : Success, reboot, Self Cal and voila, nice and easy !
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sjm on March 04, 2021, 10:43:04 am
Haha I actually printed these parts, without the "box", black PLA and aligned the probe holder part horizontally on the heatbed!
My CR-6 SE was able to do the overhangs quite okay.

Also, in my opinion, the accessory box should have a thin (1mm?) bottom just to make attaching it easier.
Now it only has side walls, right?


 :)

BR, -sjm
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on March 04, 2021, 11:18:19 am
Perhaps these holders are also suitable instead of 3D printing.

https://www.aliexpress.ru/item/-/1005001885003766.html
https://www.aliexpress.ru/item/-/1005001364376185.html
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Gandalf_Sr on March 05, 2021, 10:55:37 am
@sjm

Nice job on the 3D prints, they look really clean.  What printer did you use?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sjm on March 05, 2021, 01:26:45 pm
(Where the heck did my previous reply disappear...)

Anyway, the 3D printer is Creality CR-6 SE and I would NOT recommend it for the faint of heart.
At least, check this out:  https://gist.github.com/Sebazzz/030d21c606413e22cbd77d8df9fb8b17
...aaand this one too:  https://gist.github.com/Sebazzz/ff4d716c8d2ad9bab1e87b3fc4238281

While the printer's overall design and mechanics are well done, there are quite a few problems, quality issues, overlooks, sorta kinda design flaws and all that.
You better prepare for heavy checking, adjusting, disassembling and maybe some modifications.
That being said, I am happily running the Community Firmware in my printer.

***

Pics of the assembled & attached probe holder follow.


BR, -sjm
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Ogawa Mitsuaki on March 05, 2021, 03:05:28 pm
Hello everyone.

I also created a type that can be assembled on the right side of the MSO5000.
Please use "Right-MSO5000_ProbeHolder".

In the JPEG image, the size seems to be different, but the actual size is the same on the left and right.

I also modified it as follows:
1) Corrected the size of the part that fits in the gap.

2) A 1mm bottom plate has been added to the accessory box. Since the general-purpose type has the same shape, please use the file "Right-MSO5000_AccessoryCase.stl" or "Left-MSO5000_ShapedConnection.stl" if you need it.

Thank you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mvn on March 06, 2021, 08:45:46 pm
Hey!
Does the rising time decrease after unlocking? Or is it determined by the hardware of the model? (In datasheet: MSO5074≤5 ns, MSO5354≤1 ns). I see a 10 MHz square wave on an old oscilloscope(Bandwidth 100 MHz,rising time≤3.5 ns)  and on the MSO5074 after unlocking, there is no difference.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on March 07, 2021, 01:30:16 am
Hey!
Does the rising time decrease after unlocking? Or is it determined by the hardware of the model? (In datasheet: MSO5074≤5 ns, MSO5354≤1 ns). I see a 10 MHz square wave on an old oscilloscope(Bandwidth 100 MHz,rising time≤3.5 ns)  and on the MSO5074 after unlocking, there is no difference.
What is the source of the 10MHz signal?  If it has 3.5ns it will not get any faster looking at it with a 350MHz or a GHz scope
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mrTheWheel on March 13, 2021, 09:19:46 am
I just received a brand new 5072 today and come with the fw ver 01.01.04.08.

Those three files from skander36 are perfectly work.

Enclosed with all the files from skander36 and backup GEL file from TV84.

My workflow are :
(Please read carefully especially handle the same name GEL files).

1. Format the USB Drive (FAT32 Format);
2. Copy the DS5000Update.GEL.backup.doc to the USB Drive;
3. Rename it by delete the "backup.doc" extension;
4. Attach the USB Drive to scope;
5. Press Utility/System/Help/Local upgrade;
6. After finished the screen will have message told you to reboot the scope;
7. Turn off the scope;
8. Attach the USB drive back to your Mac / PC;
9. Copy all the file except the GEL files and folder back to your Mac / PC for your backup;
10. Format the USB Drive (FAT32 Format);
11. Copy another three files to the USB Drive, rename them by remove the ".doc" extension;
12. Attach the USB Drive back to the Scope, turn it on;
14. Wait for the screen shows that USB Drive was attached.
15. Press Utility/System/Help/Local upgrade
16. The screen will turn to white background and follow the instruction to press any keys.
17. After the upgrade process is finished, the scope will reboot.
18. Done! Enjoy!

Please correct me if any mistake or typo. Thanks!

Thank you so much for all of you to contribute here!

Hi All, I did exactly the above but now I have a Scope with all the same options I already had .. but no longer FOREVER but only for a very limited time!

After the first update I did not check but the firmware is still 00.01.03.00.01 (also I can not find a newer firmware version on the Rigol download site..).

I run the backupscript by TV84 but do not have a backup of the original appEntry file ...

Where did I go wrong and is this recoverable?

Please help :-(

Here's a patch for 01.03.00.01.

Before: 2efa4605b83bf1af48bf6736bfae3255
After: 965a689e7e5f29c180db4a2aaf21ce6b

Here is another flavor of patch for 01.03.00.01 that will disable the "phone home" firmware upgrade check in addition to enabling options.

Found this reply and the (01_03_00_01.bspatch file) .. it worked!!!

Thank you all so much!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hve on March 15, 2021, 05:36:08 pm
I have sshd by default enabled on the Rigol scope would be interesting to see if we can improve on the external data collection interface.

Currently I use python (pyvisa) to collect traces via the 1Gb ethernet interface and then use pulseview or sigrok to analyse and view the traces. But the process is rather cumbersome due to the amount of data and the inefficiency of the "VISA: virtual instrument software architecture" protocol I assume.

Using the Zynq development tools, the installation of additional software should be possible, maybe for a data collection daemon of some sort...

Are there already people working on some open source extensions to the firmware for this scope?



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: realswift on March 17, 2021, 07:42:58 am
Can confirm I successfully patched my brand new MSO5074 with firmware version 1.03.00.01 using instructions from post #1901

Thanks to everyone for your efforts.

I will add to the instructions of post #1901 that you need to extract the tar.gz file and put the patch.txt and mayBuildPatch.bspatch into the root of the drive along with DS5000.gel for it to work.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ytterligare on March 18, 2021, 08:12:28 pm

Found this reply and the (01_03_00_01.bspatch file) .. it worked!!!


Thank you, I too was stuck with an md5 error, then I found YOUR message and now everything is ok !   :-+

Thanks to all the people that worked hard for this !

A.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Grippy on March 21, 2021, 12:22:47 am
I think one thing this was missing was a badge fix.

Comic Sans since it's mildly sketchy of course, along with Ultravision II,  but you can change that yourself in the PSD attached.

Printed on a normal inkjet on glossy self-adhesive paper off Amazon.
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quakeman on March 27, 2021, 12:44:46 pm
Currently I use python (pyvisa) to collect traces via the 1Gb ethernet interface and then use pulseview or sigrok to analyse and view the traces. But the process is rather cumbersome due to the amount of data and the inefficiency of the "VISA: virtual instrument software architecture" protocol I assume.

I wrote a little Python script which can access the scope and control it directly via the SCPI commands. For the moment I can only get a screenshot, the complete buffer of sampled data as bin-file with all relevant settings or do some tests. Instead of pyvisa I use raw socket communication with the scope. My script optionally converts the bin-file to the VCD/CSV format and I mostly use the VCD format to analyze the signal in gtkwave.

But the transfer rate from scope to PC via ethernet is quite low. I get at max 5MB/s and when continuously transferring a large amount of data I get ~3,6MB as mean value. When I transfer the whole 200 MPoints buffer it takes around 55s.

One problem is that I have to split the data into segments if they are larger than a specific amount of Bytes. I experienced that the transfer gets very unstable when transferring data larger than ~13800000 Bytes (trial & error). Don't know if this problem is on the scope or my PC side. So I split the data into segments of 10000000 Bytes and get them from the scope, which works reliably.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: biased-cold on March 28, 2021, 01:55:47 am
mso7k bspatch for fw 00.01.02.00.06 appEntry based on the typoknig no "phone home" mso5k bspatch.

md5 before patch: b4f877d515927afa48de4c33171eccc2
md5 after patch: 17b882c2bfd08f4e8ec0456916137f7d

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mironex on March 31, 2021, 10:25:13 pm
Hi, I have some questions:
1. Is this patch related to a certain version of firmware?
Or could it be used for each version?
What about when Rigol releases a new version?
2. To roll back the patch, should I just install the current firmware once again?
3. Do you know what these files are:
a)  DS5000Update.GEL
b)  appEntry_01_01_04_08.bpatch
Are these files licenses or executables?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MartinMajewski on April 08, 2021, 10:11:53 am
Hi there,

would it be possible to summarize the modding process on the first page? I have modded my first MSO5074 a year ago and want to do the same on another one. However, it is a real burden to find the correct post where the files are linked. Please, don't make me and others go through 79 Pages again. Thank you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MartinMajewski on April 08, 2021, 10:18:44 am
Okay, so to get more bookmarks into this overly long thread, this is what I've found:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105598/?topicseen#msg3105598

This seems like the proper "how-to" summary with links to all files.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on April 08, 2021, 01:01:58 pm
Hi there,

would it be possible to summarize the modding process on the first page?

No. The way SMF (the forum software) works basically means that the thread's OP needs to edit the 1st message and keep it updated as the thread develops. The thread's OP is a '10 poster' who is barely active and last on in Feb 2021, so the chances of them (1) noticing a PM asking them to do that, and (2) being engaged enough to put the work in, are I'm sorry to say, small.

There are several posts scattered through the thread that summarise the state of the art at that point, but of course you have to go and find those.

Sorry, I know it's not what you wanted to hear. I'm not up to speed on the current state or I'd post a summary. If I get time in the next few days I will, but don't hold your breath.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 08, 2021, 02:06:00 pm
However, it is a real burden to find the correct post where the files are linked. Please, don't make me and others go through 79 Pages again. Thank you.

 :wtf: Do you prefer to develop the process yourself???

I must be on a good day... here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3344172/#msg3344172)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on April 08, 2021, 03:31:50 pm
However, it is a real burden to find the correct post where the files are linked. Please, don't make me and others go through 79 Pages again. Thank you.

 :wtf: Do you prefer to develop the process yourself???

I must be on a good day... here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3344172/#msg3344172)

Oh, c'mon. In any of these threads where something useful develops over a long time the useful nuggets get scattered throughout the thread. This thread is almost 2000 messages long, to berate someone because they find trawling through that burdensome (which it is)  is unfair and unreasonable. Just because you know where the good stuff is buried without having to search for it doesn't give you the right to be rude to those who don't and demonstrates a severe lack of empathy - pray that if you have to rely on the kindness of strangers you don't encounter the same attitude.

Props however, for also providing a useful pointer.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 08, 2021, 05:28:57 pm
FYI, to discover the kind of information that the user demanded being handed on a plate requires the equivalent of reading this whole thread dozens of times.

Also, I didn't know where the info was, I just surfed back a few pages. Something that the user finds a real burden to do.

I always hope to rely on the kindness of strangers that, as I, help others without expecting or demanding anything in exchange.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: db6178 on April 09, 2021, 08:12:51 am
I just liberated my new MSO5074 yesterday, FW 01.03.00.01 build 2020-05-18, easy peasy and purring like a pussy.

I've attached the necessary files and describe below what I did for the convenience of others. Nothing new, it all comes from previous posts.

Steps I took to liberate the scope:
I suppose I should recalibrate now too, which according to Olliver goes like this:

I verified that all options were upgraded ...forever... (notwithstanding what the effects may be of any future official FW updates I may decide to apply). I did not verify that the patch disables the "phone home" firmware upgrade check, but I have no reason to think it doesn't. This patch does not enable the sshd daemon. To ssh as root into the scope, follow mabl's instructions - which needs to be reapplied after each scope reboot whenever you want SSH access.

This is not going to work for you if your installed FW is not version 01.03.00.01 and having build date May 18, 2020. In that case you will need to adjust the patch.txt file in accordance with instructions that can be found in other posts.

Where the files and info came from:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: db6178 on April 09, 2021, 08:38:36 am
Again just for convenience the SSH GEL from mabl is here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: keenox on April 09, 2021, 08:57:49 am
Hi guys!
I just received my MSO5074. I also got the offer with included MSO5000-BND (which I understand I will receive as a separate license). If I want to try the hack will I lose the included licence? What happens if I switch back to the original firmware? Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 09, 2021, 10:07:36 am
Hi guys!
I just received my MSO5074. I also got the offer with included MSO5000-BND (which I understand I will receive as a separate license). If I want to try the hack will I lose the included licence? What happens if I switch back to the original firmware? Thanks!

The license will be in effect every time you are on stock FW. Every time you have a patch it'll override the license.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on April 09, 2021, 12:17:59 pm
I have few questions, possible they have been answered before but I can't find it.

1. If I want to switch back to the stock firmware, is the only option to do that the secret menu (single key)?
2. Is this the same method used to downgrade a stock firmware?
3. I read somewhere that using the secret menu option will erase the factory calibration, is that true and how is this calibration different from the self calibration?
4. Is there a method of restoring factory calibration?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MartinMajewski on April 11, 2021, 02:40:11 pm
It tells me that the checksum is wrong.

Does your summary rely on a previous stock upgrade to 01_03_00_01 or does it include that update? The first bullet point is a bit misleading.

Thanks for your effort!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MartinMajewski on April 11, 2021, 03:13:34 pm
So the "Liberator" archive didn't work for me.

I went with the files I mentioned in my own post #1971 on page 79. They worked flawlessly!

However, because of all the checksum confusion, I've firstly upgraded the MSO5074 with the official GEL from RIGOL to version 01.03.00.01 and did the patch with the three files (of which one is also a GEL file, but somehow I think this was not even needed?!) from the post mentioned above.

I think the biggest confusion comes from the purpose of these three files.

The GEL file is the firmware image, right?
The patch.txt file is the entry point containing the path to the actual patch, which is the bspatch file, as well as the checksums.

Is the GEL file considered anyway when the white screen appears? If you patch with only the GEL file you get a GUI message with a progress bar. If the patch.txt and .bspatch files are present you end up in the white CLI window.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on April 12, 2021, 01:37:10 pm
While I have not applied the patch, from going through the thread I noted the following. There are 2 versions of the 01.03.00.01 firmware, one with a May build date and another I think April. Although they share the same firmware number, it appears there is some difference in the contents and so another patch had to be done for the later build date. That's why the checksum error is received.

The GEL file for the hack is used to automate the procedure to  modify the appEntry file and is not a firmware. The bspatch.txt allows the GEL file to check that the appEntry image on the scope is correct for the patch being installed  and also that the produced patched appEntry file matches the expected checksum before being copied to the scope. The bspatch contains the changes to be applied, it is the patch.

Persons can correct me if I am incorrect.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 12, 2021, 03:49:57 pm
Persons can correct me if I am incorrect.

That's basically correct.

The .GEL includes the bspatch application and is mandatory to trick the scope's update process. It could contain the .txt and the .diff files (like people are used to have only a FW .GEL packed file) BUT that would make us have to build a new .GEL every time there is a new update.

With this logic, the .GEL is always the same and, people just adjust the MD5 checks .txt file and the .diff file for the patching.
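
Added example (not code from the thread or from the posted .GEL): a minimal Python sketch of the before/after checksum gate described in the posts above, showing why a patch made for one build is rejected on another build that carries the same version number. The function names and sample bytes are constructed for illustration, and the lambda stands in for the real binary diff; the actual patch.txt format is not shown on this page.

```python
"""Digest-gated patching (illustration only, constructed data)."""
import hashlib
import os
import tempfile


class ChecksumMismatch(Exception):
    """The file is not the exact binary the patch was made for."""


def md5_hex(data: bytes) -> str:
    # MD5 is the digest the thread's checks use. It catches a wrong build or a
    # corrupted copy; it is not collision-resistant against deliberate tampering.
    return hashlib.md5(data).hexdigest()


def apply_patch_checked(path, md5_before, md5_after, patch_fn):
    """Patch `path` only if it is the expected input and yields the expected output."""
    with open(path, "rb") as fh:
        original = fh.read()

    found = md5_hex(original)
    if found != md5_before:
        # Same version string, different bytes: refuse before touching anything.
        raise ChecksumMismatch(f"pre-check: expected {md5_before}, found {found}")

    patched = patch_fn(original)
    produced = md5_hex(patched)
    if produced != md5_after:
        raise ChecksumMismatch(f"post-check: expected {md5_after}, got {produced}")

    # Write beside the target and swap atomically, so a failure or power loss
    # never leaves a half-written file in place of the original.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(patched)
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp_path, path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return produced


def demo():
    # Constructed sample data: two builds that report the same version string.
    build_a = b"version=01.03.00.01\x00build-A-code"
    build_b = b"version=01.03.00.01\x00build-B-code"
    good_patch = lambda data: data.replace(b"code", b"CODE")  # stand-in for a diff
    bad_patch = lambda data: data + b"?"                      # produces wrong output

    # The checks are pinned to build A only.
    before = md5_hex(build_a)
    after = md5_hex(good_patch(build_a))

    cases = {
        "build_a": (build_a, good_patch),
        "build_b": (build_b, good_patch),
        "bad_output": (build_a, bad_patch),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, patch_fn) in cases.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            try:
                apply_patch_checked(path, before, after, patch_fn)
                outcome = "patched"
            except ChecksumMismatch:
                outcome = "rejected"
            with open(path, "rb") as fh:
                untouched = fh.read() == content
            results[name] = (outcome, untouched)
    return results


if __name__ == "__main__":
    for name, (outcome, untouched) in demo().items():
        print(f"{name}: {outcome}, file untouched: {untouched}")
```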
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Vespamike on April 19, 2021, 08:50:51 am
hello everyone..thank you toraunaoper for the excellent work! a question hoping not to go off topic: I found that at each start of the oscilloscope the LAN settings and the display of the background grid with the values of the scales are reset ... as they are settings it seems strange to me that at each start need to reset ... to you it turns out?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on April 19, 2021, 08:53:30 am
Have you enabled the option to save settings after power off?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Vespamike on April 19, 2021, 06:45:23 pm
you were right .. I missed the option of "Power ON" to "Last"!  |O thanks!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Panerist on April 24, 2021, 05:26:04 pm
Does the print function work for anyone? I upgraded to the latest firmware and applied a patch from a post that said it's supposed to stop the scope from "phoning home." Networking does work. I can access the scope through my browser. But when I try to print to my LaserJet the scope always says "Printer Busy."

I have the same problem. "Printer is busy" all the time.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BarsMonster on May 01, 2021, 10:33:58 pm
Do I understand it correctly that only MSO5000 series are unlockable, and 7000 or any higher series (7000/8000) are not?
There are very few mentions that 7000 might be similar....
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on May 02, 2021, 05:12:03 pm
https://www.eevblog.com/forum/testgear/new-rigol-ds7000/250/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: metro on May 15, 2021, 01:47:31 am
When reading this megathread, I was left curious if all of this works with the brand new scope as well, as compared to the scopes that were sold a year, or two, or four ago.

In the interest of documenting this: the procedure does work as of May 2021 with a brand new MSO5072 scope directly shipped from rigol's official aliexpress shop.

Before getting my scope I really wasn't sure if a newly sold scope could also be unlocked like this. Interpreting the life-story of hacking an oscilloscope in an 80-page thread that started 4 years ago can be difficult at times. In the interest of the next one walking down the path that I just did in the past week or so, I thought I'd assert a few things. As of May 2021:

Thank you kindly dear Sirs and Madams involved in this process. Saved my butt. Hope this helps whoever comes after me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brunortt on May 20, 2021, 11:09:40 am
Good afternoon,

Today my rigol MSO5072 arrived.

So I used your previous mail files, placed in root of a 16GB fat32 formatted usb key.

Inserted in the rigol, the oscilloscope turns on without doing the self-update.

I go to a local update menu and it worked.

after a few presses of any key, All full

My firmware was version 01.03.00.01 from May.

I thank everyone for their help.



Regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stmcore on May 22, 2021, 10:23:18 pm
RIGOL Starts 2021 with a Rebrand.

https://int.rigol.com/NEWS/Blog/113.html
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 23, 2021, 08:35:42 am
RIGOL Starts 2021 with a Rebrand.

Maybe this will ensure some FW updates...  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on May 24, 2021, 10:58:34 am
There are two different FW 01_03_00_01:
  -March 2020
  -May 2020

Does anyone know the inner differences? I can't find the May package anywhere. The rigolee repo does contain the March one, not the May one.
I checked every rigol.xx site known to me: na has March, eu March, com March.
That's also why so many people were confused, and freaking out.
Add to that the incompetence of Rigol staff in zip/rar management/naming convention...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on May 25, 2021, 04:21:45 pm
There are two different FW 01_03_00_01:
  -March 2020
  -May 2020

Does any one know the inners difference? I can't find anywhere the May package. The rigolee repo does contain the March one, not the May one.
I checked on every known to me rigol.xx site. na has march, eu march, com march.
That's also why so many people were confused, and freaking out.
Add to that the incompetency of rigol staff in zip/rar management/name convention...

The May version is shipped with new scopes, I am not aware of a download for it. For the MSO7000 the firmware shipped is also newer than what's on the website. It won't hurt to call or send an email and ask them for the May version, worst they can say is no. As to whether they are the same; I have not heard anyone notice a difference.
There are newer versions of the firmware which are available but have not been published, you can also ask for those if you have an issue which is fixed by that firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on May 27, 2021, 04:53:53 am
Well, calling them is a no-no to me.
The usual way to look for differences is not to ask the developers what they did but to look inside the bits and bytes of what they produced.
So, since a patch.txt was made for the May version, my guess is that someone has dumped the May GEL (or at least the AppEntry), and only forgot to commit it somewhere?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on May 27, 2021, 06:44:35 pm
Well, calling them is a no-no to me.
The usual way to look for differences is not to ask the developers what they did but look inside de bits and bytes or what they produced.
So, since a patch.txt was made for the May version, my guess is that someone have dumped the May GEL (or at least the AppEntry), and only forgot to commit it somewhere?

They most likely ssh to the scope and pulled the AppEntry, then compared changes to previous versions patched, they would then create a bspatch for the difference. Without the complete firmware GEL  file you would not be able to reinstall the May version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bibbbi on July 07, 2021, 11:08:21 am
Hi,

Today my Rigol MSO5072 arrived as well.
I have formatted a 64GB USB Stick via RUFUS to FAT32. ( https://rufus.ie/en/ )
After that I copied the 3 files from the May Update to the root of the USB Stick.
I plugged the USB stick into the front of the Rigol, powered on, and ran the self-update.
Everything worked fine. My firmware was version 01.03.00.01 from May.

I thank everyone for their help.

Best regards
Bibbbi
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: h2oo on July 08, 2021, 09:12:59 am
Soooooo, I have to ask some seriously dumb question. Rigol did it again, just selling the EXACT same hardware as 6 different devices? Just by disabling some features in the firmware. I was reading a lot of posts, is it correct that there is only one ADC in the device, therefore the sample bandwidth gets split up between the active probe channels? ---> channel 3/4 are working flawlessly even with a bought MSO5072?

MSO5072    70 MHz (upgradable)     2    < 5 ns       Option    Option
MSO5074    70 MHz (upgradable)     4    < 5 ns       Option    Option
MSO5102    100 MHz (upgradable)    2    < 3.5 ns     Option    Option
MSO5104    100 MHz (upgradable)    4    < 3.5 ns     Option    Option
MSO5204    200 MHz (upgradable)    4    < 1.75 ns    Option    Option
MSO5354    350 MHz                 4    < 1.75 ns    Option    Option

So I'm really upvoting this to be my Rigol 1052E successor (and I'm not going to buy the 1054Z)......

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on July 08, 2021, 09:16:04 am
Rigol did it again, just selling the EXACT same hardware as 6 different devices? Just by disabling some features in the firmware.
Yes!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on July 08, 2021, 09:16:33 am
Soooooo, I have to ask some seriously dumb question. Rigol did it again, just selling the EXACT same hardware as 6 different devices? Just by disabling some features in the firmware. ......
No different to several other brands.....you should do some more research.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sighound36 on July 08, 2021, 09:35:24 am
Welcome to the reality of mass production, sales and margins  :) A great many manufacturers will be using this modular approach for the HW & SW, it's not just the test & measurement industry that uses these models.

How do you think a Rigol or any other brand at these price points makes money on a £400 scope?  It's shipped, import charges and any VAT are added, you need to sell a lot of the low end models to start making any kind of profit. So by spreading the load across numerous models they can recoup the R&D costs.

Do you think Tek, R&S and Keysight are not the same with the lower and mid priced scopes? The only reason the more high end scopes are not 'unlocked' to such a degree is purely cost and physically getting your grubby mitts on an actual unit!

You do have the added issue of if you drop a boo boo and it totally bricks up  :-BROKE your £50K+ test gear, somehow the manufacturer *may* not cover this under warranty  :-//

If you wish to purchase quite complex and reasonably accurate bench test equipment for what 'back in the day lad' would have cost the equivalent of close to 10 years' salary in the mid 80's to under £500 then you have to understand the laws of what we affectionately call 'banging 'em cheap'

So nothing new here at all.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on July 08, 2021, 01:24:07 pm
So nothing new here at all.

Back in the 1970s the difference between two models of Burroughs B1700 mainframe computers was the presence of a single link that signalled to the microcode which model it was. The price difference between the two models at the time would have bought several suburban houses.

Indeed, there's "nothing new under the sun".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on July 09, 2021, 05:33:21 am
Has nobody else moved the little resistors on the chip of a graphics chip around to unlock extra features?  8)

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kkol on July 26, 2021, 07:03:15 pm
Hi to all,
Today I have received my scope.

Firmware: 0A.01.03.00.01
Boot:        2018.06.27
Build: 2021-05-04

Tell me please - will the "Liberator" work with this FW?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on July 27, 2021, 09:04:06 am
Firmware: 0A.01.03.00.01

That is a Beta package. Let's hope it doesn't change only the version number...  ::)

The patching method (and others) should work but you need to get your hands on the app file and adapt the diffs.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kkol on July 27, 2021, 09:48:12 am
The patching method (and others) should work but you need to get your hands on the app file and adapt the diffs.

Thank you tv84!!!
Really - I did not understand what I need to change and where....
Also I do not understand - do I need to back up the calibration file or not?
Sorry for the stupid questions.
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on July 27, 2021, 10:40:30 am
Also I do not understand - do I need to backup calibrate file or not?

You can do a backup of your files. I think there are scripts in the forum for such.

From an "upgrade" PoV, you'll have to wait until the new software gets released and someone patches the app. Or you can extract the app and pass it to some of the guys that find the new patch addresses, if they are willing to do it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kkol on July 27, 2021, 04:15:50 pm
Or you can extract the app and pass it to some of the guys that find the new patch addresses, if they are willing to do it.

Where I can read how to extract the new FW ?
I will put it here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on July 27, 2021, 05:29:10 pm
Where I can read how to extract the new FW ?
I will put it here.

Backup scripts for Rigol MSO5000 and MSO/DS7000 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kkol on July 27, 2021, 08:00:31 pm
Backup scripts for Rigol MSO5000 and MSO/DS7000 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356)

Many thanks tv84!!!
Here is a link to the archive.
From my scope with Firmware: 0A.01.03.00.01
                              Boot:        2018.06.27
                              Build:        2021-05-04
It was made with NAND_backup_script and I hope that all was done correctly.
https://mega.nz/file/fNUgFDYJ#YHPpsyy9kMLVtM5DjM-Qz6hXufBU4I4EMdIXFdIc7lA

Just not found how to backup the calibrating value....

Forgot to add - USB stick - 4Gb FAT32 4Kb
Total time about 8 minutes. Plus minus 30 second.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kkol on July 29, 2021, 12:58:01 pm
What will happen if I will try to apply the old patch for 00.01.03.00.01 on to 0A.01.03.00.01 version?
Can the scope fully die?
Is there possibility to reanimate?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on July 29, 2021, 01:09:47 pm
What will happen if I will try to apply the old patch for 00.01.03.00.01 on to 0A.01.03.00.01 version?
Can the scope fully die?
Is there possibility to reanimate?

1. It won't work because of the apply validation.
2. no
3. yes
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kkol on July 29, 2021, 01:50:37 pm
Thank you!
Other way - downgrade the version from 0A.01.03.00.01 to 00.01.03.00.01 with the FW update from the official store? Yesterday I downloaded this version - v00.01.03.00.01 2020/04/13.
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilya_z on July 29, 2021, 05:30:45 pm
Hi all,
Today received my scope MSO5072

Firmware: 0A.01.03.00.01
Boot:        2018.06.27
Build: 2021-05-04

1. Downgrade to official version from Rigol site v00.01.03.00.01 2020/04/13
2. Used recipe from post #1811   https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105598/#msg3105598

Everything works fine
Thanks to the community!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kkol on July 29, 2021, 05:35:24 pm
Thanks to all the people who made this opportunity available!
Thank you tv84 - for giving me confidence!!!

All options are works!!!!
I am happy.
This is a nice gift for me in day of 32 years of my life with my loved woman!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eurofox on July 31, 2021, 06:10:19 pm
I just wonder what is the future of this oscilloscope, is now out for 2 years and most of the bugs are not fixed yet.

Could be as well that the protection system change and that the patches are not working anymore.

It is sad because the hardware looks promising but the firmware/software not really.  :horse:

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hafrse on August 02, 2021, 06:55:31 am
Hello,

Is it possible to revert a hacked MSO5072 to original? Do I need to save something before the hack?
Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on August 02, 2021, 08:29:05 am
Hello,

is it possible to revert a hacked MSO5072 to original ? do I need to save somthing before the hack?
Thanks!

Yes, you can reinstall the factory firmware if needed and the scope goes back to normal, just like you took it out of the box.

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105996/#msg3105996
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on August 03, 2021, 05:41:07 am
Hello,

is it possible to revert a hacked MSO5072 to original ? do I need to save somthing before the hack?
Thanks!

Yes, you can reinstall the factory firmware if needed and the scope goes back to normal, just like you look it out of the box.

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105996/#msg3105996

Well done, that's the POST of the YEAR. Congrats :clap:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hafrse on August 04, 2021, 01:28:45 pm
Received my 5072 today, patch worked fine :) thanks to all the contributors. :) :) :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Andrei1978 on August 08, 2021, 06:26:15 am
Please tell me I rolled back from 01.03.00.01 Build date May 18, 2020 to 01.03.00.01 date March 30, 2020 . Where to download the original GEL on May 18, 2020
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on August 08, 2021, 02:40:47 pm
Please tell me I rolled back from 01.03.00.01 Build date May 18, 2020 to 01.03.00.01 date March 30, 2020 . Where to download the original GEL on May 18, 2020

I don't think this was ever released, if you ask Rigol they will likely tell you there is no real difference between the versions. There are updated beta  firmware with fixes but if Rigol gives you a copy you will have to create your own hack.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mick B on August 09, 2021, 06:29:58 am
Hello: Do you or anyone know if this will work on a Rigol DS7000, using the DS7000 .GEL files found here?  I have never hacked anything but I'm getting a new scope 5000 or 7000 and going to upgrade one. Thanks Mick
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on August 09, 2021, 01:47:57 pm
check the "New Rigol DS7000" thread, unfortunately when it comes to patching you will have to do a lot of reading as the threads are just too long, but I do recall someone recently supplying info on hacking MSO7000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sem21 on August 12, 2021, 04:32:11 am
Good day. I need help, bought MSO5104 all options are disabled, I want to unlock. I tried it as written here, put 3 files on a USB flash drive, then plugged it in and clicked install. Then a white screen appeared with inscriptions, after which it was not possible to unlock the functions. Please, help!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sem21 on August 12, 2021, 07:10:40 am
I can't get a certificate for activation through the official website. Did anyone succeed? there is a promotion until 09/31/21
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on August 12, 2021, 08:11:47 am
DSO5104
This topic is about another oscilloscope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sem21 on August 12, 2021, 09:04:16 am
Sorry, I made a mistake with the name MSO5104.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on August 12, 2021, 09:23:52 am
Then a white screen appeared with inscriptions, after which it was not possible to unlock the functions. Please, help!
What is your version of the device?
What is written on a white screen?
By pressing the "Single" button on the boot time, you can get into the secret menu and restore everything as it was.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sem21 on August 12, 2021, 11:12:45 am
version 00.01.03.00.01
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on August 12, 2021, 11:28:22 am
version 00.01.03.00.01
The error is written on the screen: the device does not see the USB flash drive. You need to search another flash drive of a small size. (1-4GB)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sem21 on August 12, 2021, 11:41:08 am
Here I changed the flash drive, and what happened in the photo.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on August 12, 2021, 12:11:11 pm
It looks like your file has a newer version and other checksum. And you need a new file "Patch.txt". Unfortunately, I do not know how to do it :(

One way to install the firmware from Rigol. Hack is designed for it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kkol on August 17, 2021, 12:48:27 pm
Here I changed the flash drive, and what happened in the photo.

Sem21.
First of all you need to check which FW version is installed on your device.
And after this you will "dance" from this point.
Make a screenshot of your FW and show it here.

First check which firmware version is installed on your device.
Dance from that point.
Take a screenshot and show it here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nix239 on August 18, 2021, 01:13:08 pm
Anybody have problems with zeropoint.
After downgrade firmware and open 350mhz some problems with zeropoint. Show dc -160mv. Calibration not help.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sem21 on August 20, 2021, 10:17:26 am
Thank you for responding. Here is a screen.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tiak on August 20, 2021, 10:33:58 am
I just liberated my new MSO5074 yesterday, FW 01.03.00.01 build 2020-05-18, easy peasy and purring like a pussy.

I've attached the necessary files and describe below what I did for the convenience of others. Nothing new, it all comes from previous posts.

Steps I took to liberate the scope:
  • Verified installed FW is version 01.03.00.01 build date May 18, 2020 (Utility => System => About)
  • Copied three files, that can be extracted from attached .7z archive, to root of empty 8GB FAT32 USB drive
  • Started up scope
  • Inserted drive to front panel USB port
  • Utility => System => Help => Local upgrade
  • "Upgrade system firware?" => OK
  • Let the scope do its thing - takes a minute or two, or five, go with the flow
  • Reboot scope
  • Verified all options now licensed ...forever... (Utility => System =>  Help => Option list)
  • Bob's your uncle
I suppose I should recalibrate now too, which according to Olliver goes like this:

  • Make sure that the instrument has been operating for at least 30 minutes
  • Disconnect all input channels (including probes)
  • Utility => System => Self-Cal => Start
  • Self calibration takes ~ 35 minutes to complete
  • When complete, reboot the scope

I verified that all options were upgraded ...forever... (notwithstanding what the effects may be of any future official FW updates I may decide to apply). I did not verify that the patch disables the "phone home" firmware upgrade check, but I have no reason to think it doesn't. This patch does not enable the sshd daemon. To ssh as root into the scope, follow mabl's instructions - which need to be reapplied after each scope reboot whenever you want SSH access.

This is not going to work for you if your installed FW is not version 01.03.00.01 and having build date May 18, 2020. In that case you will need to adjust the patch.txt file in accordance with instructions that can be found in other posts.

Where the files and info came from:
  • Basic GEL file from mabl https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640
  • Modification to disable "call home" FW updates from typoknig https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342
  • Modification for FW version 01.03.00.01 May 2020 build from omgoleus https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3344172/#msg3344172

Hi, do I need to do any backup before upgrading with this method?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ultranalog on August 20, 2021, 05:04:55 pm
Thanks to all the usual suspects for their knowledge and work.

I got my 5074 with a voucher for the BND option (all except bandwidth and 200 mpt memory). I did go and get the official .lic file which unlocked the BND options.
Anyone interested in analyzing that file (for... educational purposes...) send me a PM.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilya_z on August 20, 2021, 07:18:56 pm
Does anybody have problems with the zero point?
After downgrading the firmware and opening 350 MHz, I have some problems with the zero point. It shows DC -160 mV. Calibration does not help.

After the downgrade, the zero point problem appeared. Calibration worked well for me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: h2oo on August 22, 2021, 11:38:36 am
@my fellow Europeans (especially Germany, because who'd guessed I am from Germany  :-DD):

which Distributor can you recommend and do you know which Firmware they are shipping with their devices (hopefully a not to0oo stupid question)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justme1968 on August 22, 2021, 12:40:33 pm
i got mine (mso5000) mid june from batronix. i can absolutely recommend them. super fast delivery, payment on invoice and they will match the price if you find anything cheaper. and you probably get a (small) additional discount if you ask via e-mail.

the firmware then was the correct version for the latest patch. but maybe they ship newer versions now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mick B on August 26, 2021, 09:53:53 pm
After applying the liberator to my 5072 everything is forever. Has anyone tried using UltraSigma/UltraScope after doing this? and does your HDMI out work?
Thanks to everyone involved in this endeavor for all your hard work and time. I'm sure I speak for everyone that took advantage of your work. YOU ARE ALL GREATLY APPRECIATED! :clap: :clap: :clap:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Peter_the_diver on August 29, 2021, 05:10:18 pm
Hi guys and thank you for that great stuff here!
Got my MSO5074 last week from BATRONIX - a good choice! As justme1968 wrote, don't put it in your shopping cart directly, ask for an offer. I got a 3% discount without any discussion. I have liberated and calibrated the scope today as described here - everything's fine (Firmware: 00.01.03.00.00 Build:2020-05-18)! If you like, here are a few label files for your "new" device. Print them out on self-adhesive foil and stick them on your liberated MSO.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: justme1968 on August 29, 2021, 05:55:41 pm
thanks for the labels. i was already thinking about making some. yours will be a good start. for printing them: have a look at the dm photo sticker print service (probably germany only). they are very good quality, at least water resistant and quite durable. (the idea is not mine, but comes from the bosch power tools forum where they use them to create third party l-boxx labels to blend in with the manufacturer ones.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on August 30, 2021, 08:12:43 am
Here's another sample sticker that was in this thread earlier.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Peter_the_diver on August 30, 2021, 12:38:41 pm
....and here is a version made for the sticker service of Kaufland, DM, CEWE,..... Choose sticker format 4 pieces 57mm × 82mm - diagonal, but it fits!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Crenwick on September 02, 2021, 08:53:27 am
Hi all,

Just ordered my scope :)

Can you please give me the exact sticker size needed ?

Bernard
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dreamcat4 on September 16, 2021, 10:19:10 pm
ok so it's a simple quick question: purely from the prospects of unlocking as far as possible. what would be the best specific model to get new these days? can it be mso5072 ? or should it be something higher up in the range, eg the mso5074?

 :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on September 16, 2021, 10:38:26 pm
ok so it's a simple quick question: purely from the prospects of unlocking as far as possible. what would be the best specific model to get new these days? can it be mso5072 ? or should it be something higher up in the range, eg the mso5074?


If you order the 5072, you only get two probes. Makes sense, it's only a 2 channel scope.
If it was me, I would order the 5074. Yes it costs a little extra, but you don't have to worry about buying extra probes and you always have 4 channels to fall back on if you want to sell it later and remove the patched firmware.
Considering you are not paying for any options (as you can just unlock them), just spend the extra for the 5074. Surely your time is worth more than the extra messing around to get more probes.

But to answer your actual question, there is zero difference between the 5072 and 5074 as far as unlocking is concerned. Part of the unlocking process will enable channel 3 and 4 if you have the 5072.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on September 16, 2021, 10:55:17 pm
Hi All,

Just a quick note that the MSO5000 free options bundle that includes:

    MSO5000-COMP - Computer Serial Triggering and Analysis (RS232/UART)
    MSO5000-EMBD - Embedded Serial Triggering and Analysis (I2C, SPI)
    MSO5000-AUTO - Automotive Serial Triggering and Analysis (CAN/LIN)
    MSO5000-FLEX - FlexRay serial bus trigger and analysis (FlexRay)
    MSO5000-AUDIO - Audio Serial Triggering and Analysis (I2S)
    MSO5000-AERO - MIL-STD 1553 Serial Triggering and Analysis
    MSO5000-AWG - Dual Channel 25MHz Waveform Generator
    MSO5000-PWR - Integrated Power Analysis

Ends at the end of this month (30th of September).
Who knows if this offer will be extended (probably will, but I have zero contact/idea if that'll happen).

So if you are thinking of getting the MSO5000 series scopes, I'd get one before the end of the month so you can get your free (legitimate) license for these options.
Obviously, this isn't really needed because you can just unlock the features, but it's always nice to have the "real" license for these options in case you want to sell it, or need to restore the factory firmware for some reason.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Howardlong on September 18, 2021, 03:48:12 pm
Hmmm.... switched on my MSO5000 to check something about it for someone (it only has about 20 hours of use), after about ten minutes on it powered itself down and I was left with a repeating click and short LED panel flash every second or two.

Took it apaaaart, there's a near short (0.4 ohms) on the PSU connector's 5V pins to ground on the main board.

PSU seems to supply voltages fine.

After giving it a visual, there was not much to be seen so I made up a cable to my bench PSU to power all the 3 supplies (5V, +7.5V, -7.5V), sure enough the 5V was shorting. By the way, the connector is the same as a normal PC ATX connector cut in half, so I made up a cable.

After a bit of manual probing of the obvious power supplies, I got nowhere, the Schottkys all seemed fine.

Got out the IR cam, and the perp showed up like a Christmas tree. Looks like the ISL8203M 3.3V SMPS is dead. I didn't immediately look at this because #1 eyeball was looking for inductors: this device interestingly enough has integrated inductors, quite a feat, I've not seen this before.

So a replacement device is on order.

Anyone else had a similar problem?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Howardlong on September 19, 2021, 11:38:07 am
Here's the ISL8203M 3.3V SMPS I'm referring to, as you can see, no meaty inductors to be seen as they're integrated into the device itself.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: voltsandjolts on September 19, 2021, 01:33:47 pm
On the bright side, you found stock :)
https://www.digikey.co.uk/en/products/detail/ISL8203MIRZ/ISL8203MIRZ-ND/4958418
Ooo, yuk, package looks like fun.

Couldn't it be that, say, a ceramic cap has shorted on the rail, and the ISL8203M shows up on IR because it's trying to chuck current into the short?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Howardlong on September 19, 2021, 02:20:14 pm
On the bright side, you found stock :)
https://www.digikey.co.uk/en/products/detail/ISL8203MIRZ/ISL8203MIRZ-ND/4958418
Yes, already ordered a couple. Even Farnell had them in stock but they were more expensive, and I had a production order ready to go to Digikey anyway.
Quote
Ooo, yuk, package looks like fun.

At least it's not a BGA, more like a QFN, however warming up the board might prove challenging for removal & reflow.

Quote
Couldn't it be that, say, a ceramic cap has shorted on the rail, and the ISL8203M shows up on IR because it's trying to chuck current into the short?

Possibly, but I took the decision to get the chip in stock first before engaging further. The ceramic caps I'll already have in stock. If they'd been tants I'd have been more concerned bearing in mind their propensity to fail short.

A bigger concern based on the failure mode is if it managed to dump 5V as it came up onto the 3.3V rail or the other rail (presumably somewhere between 1 and 1.8v).

https://www.youtube.com/watch?v=RlWIhsjXf8E
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on September 20, 2021, 01:24:42 pm
ok so it's a simple quick question: purely from the prospects of unlocking as far as possible. what would be the best specific model to get new these days? can it be mso5072 ? or should it be something higher up in the range, eg the mso5074?

If you order the 5072, you only get two probes. Makes sense, it's only a 2 channel scope.
If it was me, I would order the 5074. Yes it costs a little extra, but you don't have to worry about buying extra probes and you always have 4 channels to fall back on if you want to sell it later and remove the patched firmware.

If you get the 4-channel version then you get two extra probes but you don't get the cute little BNC caps that come with the two channel version.

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=1277422;image)

Apart from that the only difference is the sticker on the front.

There's people up there^ making their own stickers.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sem21 on September 21, 2021, 05:10:04 am
Hello everyone. Who ever got the license? I have been sending a request for 3 months and no one is answering me. And he did not receive a license, although they say that it is paid for.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on September 22, 2021, 02:33:49 am
Hello everyone. Who ever got the license? I have been sending a request for 3 months and no one is answering me. And he did not receive a license, although they say that it is paid for.

I did not get a license with my shipment, but I called the support number on the Rigol site and they requested some information and emailed me the free license update. Although I have heard a lot about support issues, the US support seems very responsive, they have answered both my calls and emails.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Howardlong on September 22, 2021, 12:16:22 pm
Hmmm.... switched on my MSO5000 to check something about it for someone (it only has about 20 hours of use), after about ten minutes on it powered itself down and I was left with a repeating click and short LED panel flash every second or two.

Took it apaaaart, there's a near short (0.4 ohms) on the PSU connector's 5V pins to ground on the main board.

PSU seems to supply voltages fine.

After giving it a visual, there was not much to be seen so I made up a cable to my bench PSU to power all the 3 supplies (5V, +7.5V, -7.5V), sure enough the 5V was shorting. By the way, the connector is the same as a normal PC ATX connector cut in half, so I made up a cable.

After a bit of manual probing of the obvious power supplies, I got nowhere, the Schottkys all seemed fine.

Got out the IR cam, and the perp showed up like a Christmas tree. Looks like the ISL8203M 3.3V SMPS is dead. I didn't immediately look at this because #1 eyeball was looking for inductors: this device interestingly enough has integrated inductors, quite a feat, I've not seen this before.

Success!

Turns out the ISL8203M is configured as 2 x 3.3v in parallel two phase mode.

I lifted the device with flux & hot air alone, it wasn't too hard to achieve. I cleaned up the lands with full fat solder, and wicked off the excess, leaving just enough solder for the device's pads to adhere. Added pen flux to the PCB lands & device pads, and placed the device. A bit more hot air and the device was placed. I then cleaned up the edge castellations. It's a three minute job once the scope's disassembled and you have access to the PCB.

I didn't go to the effort of disconnecting the LCD display, but I did unscrew the PCB from the chassis so I could check what was underneath the package (not much). When applying heat, I lifted up the PCB from the chassis with a wedge to allow airflow underneath.

Take care with the LCD, there's nothing holding it into the chassis except light friction once the front panel's off, so there's a risk of wrecking the flat flex cables if care isn't taken.

One thing I noticed after the repair was that there was a very large offset on channel one immediately after this fix (about a couple of volts). I am pretty sure this is due to flux cleaner solvent creeping into the channel one can: after leaving it switched on for an hour or two, the offset gradually disappeared as the solvent evaporated.

Edit: Postmortem measurements showed that there were shorts on the device between PGND, SW1 and VOUT1 on the ISL8203M device I removed.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on September 22, 2021, 12:42:09 pm
Well done on the repair Howard.
I think I'm finally ordering one of these tomorrow while there is the above mentioned special on them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: spiff72 on September 23, 2021, 04:32:47 pm
I just got my new MSO5074 delivered yesterday, but haven't had a ton of time to mess with it yet.  It is (probably) replacing my DS1054Z (hacked), but I want to give it some more time before deciding whether I intend to keep it for sure.  This prompts a few questions...

- My understanding is that applying the hacks to enable all the options is reversible, correct?  Is it just a matter of downloading the official firmware and doing a local upgrade with that firmware file on a USB drive?

- Would the unit still be returnable if I go through the process of registration for the official "bundle" of options that was being offered by Rigol until the end of this month (this offer is mentioned a few posts earlier on this page).

- If I were to register to get the upgrades from the bundle offer, should those be applied prior to applying the hack?  Or doesn't this matter?  Obviously I wouldn't apply them to the hacked version, but if they are applied PRIOR to the hack, would reverting back to the OG firmware (assuming that is the way to undo the hack) restore me back to the state with the bundle upgrades, or would I have to reapply the bundle upgrades after reverting?

Thanks in advance!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 23, 2021, 05:43:47 pm
1. Yes.
2. Good question. Don't think so.
3. Doesn't matter.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: spiff72 on September 23, 2021, 07:45:22 pm
Thanks!

I got impatient and applied the hack to mine over my lunch hour.  Also registered for the bundle, but that web page seems flakey.  I entered my info, clicked submit, and the button disappeared with no confirmation message.  I guess if I don't get a notice in a day or two I will try again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hafrse on September 24, 2021, 08:46:05 am
Hi All,

Just a quick note that the MSO5000 free options bundle that includes:

    MSO5000-COMP - Computer Serial Triggering and Analysis (RS232/UART)
    MSO5000-EMBD - Embedded Serial Triggering and Analysis (I2C, SPI)
    MSO5000-AUTO - Automotive Serial Triggering and Analysis (CAN/LIN)
    MSO5000-FLEX - FlexRay serial bus trigger and analysis (FlexRay)
    MSO5000-AUDIO - Audio Serial Triggering and Analysis (I2S)
    MSO5000-AERO - MIL-STD 1553 Serial Triggering and Analysis
    MSO5000-AWG - Dual Channel 25MHz Waveform Generator
    MSO5000-PWR - Integrated Power Analysis

Ends at the end of this month (30th of September).
Who knows if this offer will be extended (probably will, but I have zero contact/idea if that'll happen).

So if you are thinking of getting the MSO5000 series scopes, I'd get one before the end of the month so you can get your free (legitimate) license for these options.
Obviously, this isn't really needed because you can just unlock the features, but it's always nice to have the "real" license for these options in case you want to sell it, or need to restore the factory firmware for some reason.

where can I get this bundle? I purchased the mso5072 from Conrad, and there is nothing mentioned there , thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eurofox on September 24, 2021, 09:06:59 am
Hi All,

Just a quick note that the MSO5000 free options bundle that includes:

    MSO5000-COMP - Computer Serial Triggering and Analysis (RS232/UART)
    MSO5000-EMBD - Embedded Serial Triggering and Analysis (I2C, SPI)
    MSO5000-AUTO - Automotive Serial Triggering and Analysis (CAN/LIN)
    MSO5000-FLEX - FlexRay serial bus trigger and analysis (FlexRay)
    MSO5000-AUDIO - Audio Serial Triggering and Analysis (I2S)
    MSO5000-AERO - MIL-STD 1553 Serial Triggering and Analysis
    MSO5000-AWG - Dual Channel 25MHz Waveform Generator
    MSO5000-PWR - Integrated Power Analysis

Ends at the end of this month (30th of September).
Who knows if this offer will be extended (probably will, but I have zero contact/idea if that'll happen).

So if you are thinking of getting the MSO5000 series scopes, I'd get one before the end of the month so you can get your free (legitimate) license for these options.
Obviously, this isn't really needed because you can just unlock the features, but it's always nice to have the "real" license for these options in case you want to sell it, or need to restore the factory firmware for some reason.

where can I get this bundle? I purchased the mso5072 from Conrad, and there is nothing mentioned there , thanks

https://www.batronix.com/shop/oscilloscopes/Rigol-MSO5074.html
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: spiff72 on September 25, 2021, 09:15:01 pm
Thanks!

I got impatient and applied the hack to mine over my lunch hour.  Also registered for the bundle, but that web page seems flakey.  I entered my info, clicked submit, and the button disappeared with no confirmation message.  I guess if I don't get a notice in a day or two I will try again.

Quick update on the "flakey" registration web page for the bundle.  I think that my issue was uBlock Origin ad-blocker.  I remembered that I was getting some messages from some of the Rigol web pages, so I tried filling out the form again with the adblocker disabled, and it worked correctly (I got a confirmation page instead of the 'submit' button just disappearing).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: K9DTV on September 26, 2021, 05:41:47 am
I applied the patch to unlock my scope and this unlocked everything.
However, I am unable to run selfcal, as it never starts.
Channel one goes rail to rail, so it will never start selfcal.

Scope channel is working fine otherwise.

Any ideas?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: spiff72 on September 26, 2021, 04:48:02 pm
Hmmm - you reminded me that I didn't run the self-cal after I hacked mine this week.  I will try running on mine after it warms up for 30 minutes.

This is my version info:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: spiff72 on September 26, 2021, 05:51:30 pm
I applied the patch to unlock my scope and this unlocked everything.
However, I am unable to run selfcal, as it never starts.
Channel one goes rail to rail, so it will never start selfcal.

Scope channel is working fine otherwise.

Any ideas?

Mine just ran successfully (first one post-hack).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Yury on September 26, 2021, 06:47:44 pm
Quote
Mine just ran successfully (first one post-hack).

spiff72  what  FW version/date did you have in your scope ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: d86d1864 on September 26, 2021, 07:51:15 pm
Would someone be willing to share their /rigol/data/Key.data file?

You should be able to extract it with for instance mabl's backup script from:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380

As a reminder, Key.data contains the curve and public key used to verify the signature in the *.lic file, and does not contain actual licensing information.

What I'd like to verify is whether the public key is the same across all devices, or if different public keys are used across different devices/serials.

Cheers!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 26, 2021, 09:05:18 pm
Different keys.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: spiff72 on September 26, 2021, 09:55:39 pm
Quote
Mine just ran successfully (first one post-hack).

spiff72  what  FW version/date did you have in your scope ?

See my prior post image, it is shown there.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: d86d1864 on September 27, 2021, 08:00:19 pm
Different keys.

Great. Then I'm all the more interested if someone could share their Key.data!

tv84, sounds like you already looked into this - how many did you get a chance to compare and did you find anything interesting?

I'd love to hear if someone already looked for nonce reuse.
(https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Security)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 27, 2021, 08:26:17 pm
Great. Then I'm all the more interested if someone could share their Key.data!

tv84, sounds like you already looked into this - how many did you get a chance to compare and did you find anything interesting?

I'd love to hear if someone already looked for nonce reuse.
(https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Security)

Why do you want to see them? They are different keys of the same type. Just that.

They most probably use an ID of the scope to seed the key generation. Never truly investigated that although it has crossed my mind.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luis garcia on September 27, 2021, 11:23:03 pm
Hi.
I have realized the 50 Mpts /4 channel feature is optional even on the MSO5354. Can this feature be enabled? Is it perhaps enabled with the "upgrade" patch?

L.
Title: MSO5000 Application Option Bundle
Post by: oelapaloma on September 28, 2021, 12:14:31 pm
I bought a MSO5074 and I'm planning to hack it. Due to a promotion, I received the Application Bundle Option, which I don't need if I hack it anyway. If I get it right, I could generate a license for any Rigol MSO5000 by entering its serial number. Could I sell my bundle license on ebay or is that forbidden? There's no legal information on that sheet of paper.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: d86d1864 on September 28, 2021, 06:11:21 pm
Why do you want to see them? They are different keys of the same type. Just that.

They most probably use an ID of the scope to seed the key generation. Never truly investigated that although it has crossed my mind.

With access to two public keys it's trivial to check for nonce reuse, and with more keys it's possible to check for weak key generation.
This of course is only possible if the keys are in fact different (albeit different in a specific way).

In either case such weaknesses would potentially allow for private key recovery, which I'd like to attempt.
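
The nonce-reuse check mentioned in the post above, as an added example that is not part of the original post and is not the scope's licensing code: an ECDSA signature's r value depends only on the nonce, so signatures made with a repeated nonce share r even when every device has its own key pair, and a signer can audit its issued signatures for that. The curve (secp256k1), the licence message format, the serials and the keys are assumptions constructed for illustration, and derived_nonce is a simplified stand-in for RFC 6979 deterministic nonces.

```python
import hashlib
import hmac
from collections import defaultdict

# secp256k1 domain parameters. ASSUMPTION: the thread does not say which curve
# Key.data holds; the check works the same way on any prime-order curve.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(x, m):
    """Modular inverse for a prime modulus (Fermat's little theorem)."""
    return pow(x % m, m - 2, m)


def add(p1, p2):
    """Add two curve points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """Textbook ECDSA with an explicit nonce k, so the nonce policy is visible."""
    r = mul(k, G)[0] % N
    s = inv(k, N) * (digest(msg) + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return (r, s)


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    pt = add(mul(digest(msg) * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def derived_nonce(d, msg):
    """Per-key, per-message nonce via HMAC (simplified stand-in for RFC 6979)."""
    mac = hmac.new(d.to_bytes(32, "big"), hashlib.sha256(msg).digest(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % (N - 1) + 1


SERIALS = ["SERIAL-A", "SERIAL-B", "SERIAL-C"]  # constructed placeholders
FIXED_K = 0x1234567890ABCDEF                    # constructed: the flaw audited for


def issue_licenses(nonce_for):
    """Sign one constructed licence blob per device, each with its own key."""
    out = []
    for serial in SERIALS:
        d = digest(b"constructed private key for " + serial.encode())
        msg = b"options=ALL;serial=" + serial.encode()
        out.append((serial, mul(d, G), msg, sign(d, msg, nonce_for(d, msg))))
    return out


def find_repeated_r(records):
    """Group signatures by r; an r seen more than once points to a repeated nonce."""
    seen = defaultdict(list)
    for serial, _pub, _msg, (r, _s) in records:
        seen[r].append(serial)
    return {r: who for r, who in seen.items() if len(who) > 1}


weak = issue_licenses(lambda d, msg: FIXED_K)   # same nonce for every device
strong = issue_licenses(derived_nonce)          # nonce bound to key and message

if __name__ == "__main__":
    for name, batch in (("fixed nonce", weak), ("derived nonce", strong)):
        ok = all(verify(pub, msg, sig) for _s, pub, msg, sig in batch)
        print(name, "| all verify:", ok,
              "| repeated r:", list(find_repeated_r(batch).values()))
```

Both batches verify correctly, which is why this flaw is not visible from verification alone and has to be looked for in the issued signatures.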
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oelapaloma on September 28, 2021, 06:20:37 pm
It seems I have a new build and a different checksum. Now what?

System Information:
Firmware: 0A.01.03.00.01
Boot: 2018.06.27
Build: 2021-05-04 15:50:32


Checksum:
<root@rigol>md5sum appEntry
4669caa3cfb3d19f98adff7833e321db  appEntry


I have successfully created a backup, I am able to activate SSH, I can connect with WinSCP and provide files for analysis, if needed. I think I understood how to hack the scope, but the checksums will not match (I have not tried, but that's why I created the MD5 hash to know in advance).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: d86d1864 on September 28, 2021, 07:12:52 pm
Firmware: 0A.01.03.00.01

Curious. That does not match any version, or even naming scheme, I have ever seen.

I had a quick look at all the usual places Rigol publishes firmware but they all point to 00.01.03.00.01.

The stock 00.01.03.00.01 does not come with ssh enabled, so I assume you ran some USB script to enable it - did you by any chance run a script that might've modified your appEntry?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oelapaloma on September 28, 2021, 07:31:38 pm
Quote
did you by any chance run a script that might've modified your appEntry?

I created USB Sticks with GEL files on it. I'm not sure whether one of these modified appEntry, but the Firmware version was like that all the time. I recorded it when I bought the scope. The GEL files I used were those for backing up files (no need to modify appEntry, I hope) and running the SSH server (also no need to modify appEntry, I hope).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: d86d1864 on September 28, 2021, 07:57:31 pm
I'm not sure whether one of these modified appEntry, but the Firmware version was like that all the time.

I just went through the six patches I have on file and I was not able to find any that matched the MD5 you gave.
It is of course possible I've missed several patches, but if you say the factory fresh version had the 0A, then it's entirely possible you're running some as-yet-unpublished version of the firmware.

It's easiest to put together a patch if we have the full firmware, but if you can attach your appEntry that's likely enough.
(Unfortunately I can't personally promise I'll have time to have a look, but perhaps someone else out there can.)

Good luck!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on September 29, 2021, 08:30:32 am
It seems I have a new build and a different checksum. Now what?

System Information:
Firmware: 0A.01.03.00.01
Boot: 2018.06.27
Build: 2021-05-04 15:50:32


Checksum:
<root@rigol>md5sum appEntry
4669caa3cfb3d19f98adff7833e321db  appEntry


I have successfully created a backup, I am able to activate SSH, I can connect with WinSCP and provide files for analysis, if needed. I think I understood how to hack the scope, but the checksums will not match (I have not tried, but that's why I created the MD5 hash to know in advance).

I'm very curious about that release :)

Did you do a 'full nand backup'? Would you mind sharing that one so I can add it to the gitlab repo?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on September 29, 2021, 08:31:49 am
While the promo still appears to be running (I'll check again Oct. 1st to see if it was extended again :p) I can't actually reach the form.

https://www.rigolna.com/promos/ does list the link, but the link is dead, from the EU and the USA :(
https://beyondmeasure.rigoltech.com/acton/ct/1579/p-0080/Bct/-/-/ct20_0/1/fu?sid=TV2%3AKt5oPeWlY

can anybody confirm it is indeed, dead?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on September 29, 2021, 09:18:26 am
While the promo still appears to be running (I'll check again Oct. 1st to see if it was extended again :p) I can't actually reach the form.

Both the link on the rigolna site and the direct one work fine for me (Netherlands IP)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on September 30, 2021, 06:44:15 pm
While the promo still appears to be running (I'll check again Oct. 1st to see if it was extended again :p) I can't actually reach the form.

Both the link on the rigolna site and the direct one work fine for me (Netherlands IP)

That is so sad :( I also have a Netherlands IP and get:
Quote
This site can’t be reached
beyondmeasure.rigoltech.com refused to connect.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oelapaloma on September 30, 2021, 06:59:19 pm
Quote
I can't actually reach the form.

Same issue here right at the moment. I had problems on September 28th as well, but 2 hours later it worked again.

Quote
'full nand backup'

I don't know what that is. Is there a GEL file to create that kind of backup? Ok, got that one as well from https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356. Will try.
At the moment I only have a calibration backup. But I can connect to the scope using WinSCP and I can access /rigol/appEntry and likely other files if needed.

Find appEntry (22 MB) for a few days on http://37.120.179.6/appEntry-0A.01.03.00.01 (http://37.120.179.6/appEntry-0A.01.03.00.01)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on September 30, 2021, 07:07:09 pm
Just checked again and it still works for me, very strange
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on September 30, 2021, 07:26:06 pm
Quote
I can't actually reach the form.

Same issue here right at the moment. I had problems on September 28th as well, but 2 hours later it worked again.

Quote
'full nand backup'

I don't know what that is. Is there a GEL file to create that kind of backup? Ok, got that one as well from https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356. Will try.
At the moment I only have a calibration backup. But I can connect to the scope using WinSCP and I can access /rigol/appEntry and likely other files if needed.

Find appEntry (22 MB) for a few days on http://37.120.179.6/appEntry-0A.01.03.00.01

Heh, you found the link faster than I did :p I was looking for that link from our very own @tv84 :) but the script only does a simple `dd if=/dev/mdX of=/media/usb/mdX` so nothing super special :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on September 30, 2021, 07:33:48 pm
Just checked again and it still works for me, very strange
Didn't work in the NL; used a USA proxy; worked this time around ... weirdness.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PabloSanchez on September 30, 2021, 08:44:40 pm
Hi!
I have the firmware 00.01.03.00.01 from 30.03.2020
can someone tell me where to download the firmware FW 01.03.00.01 build 2020-05-18
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on September 30, 2021, 09:11:33 pm
Hi!
I have the firmware 00.01.03.00.01 from 30.03.2020
can someone tell me where to download the firmware FW 01.03.00.01 build 2020-05-18

Nowhere. Up till now it's only flashed at factory.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PabloSanchez on September 30, 2021, 09:24:30 pm
And what versions do you recommend to do ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: K9DTV on September 30, 2021, 09:48:29 pm
I applied the patch to unlock my scope and this unlocked everything.
However, I am unable to run selfcal, as it never starts.
Channel one goes rail to rail, so it will never start selfcal.

Scope channel is working fine otherwise.

Any ideas?

Mine just ran successfully (first one post-hack).

See attachment

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PabloSanchez on September 30, 2021, 10:48:41 pm
I applied the patch to unlock my scope and this unlocked everything.
However, I am unable to run selfcal, as it never starts.
Channel one goes rail to rail, so it will never start selfcal.

Scope channel is working fine otherwise.

Any ideas?

Mine just ran successfully (first one post-hack).

See attachment


what exactly did you use, I have the same firmware version and nothing works, please describe in more detail where to start and what files?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: K9DTV on September 30, 2021, 11:55:46 pm
what exactly did you use, I have the same firmware version and nothing works, please describe in more detail where to start and what files?

Download the attached files
01_03_00_01.bspatch.txt  rename to  01_03_00_01.bspatch
DS5000Update.GEL.txt      rename to  DS5000Update.GEL
patch.txt


Copy to root directory of usb flash drive
insert into front scope usb
run update



Now can someone help me with my problem?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kean on October 01, 2021, 07:54:38 am
I just noticed that while the free bundle is apparently still available for purchases until 31 March 2022, it is now only offered for 4 channel models.
Not really a big deal for those wanting to hack their scope, unless you wanted those features to increase un-hacked resale value.

From: https://beyondmeasure.rigoltech.com/acton/form/1579/0065:d-0001/0/-/-/-/-/index.htm
Quote
Valid Models: MSO5074, MSO5104, MSO5204, MSO5354

note: Other models no longer qualify for the free bundle offer when purchased after 9/30/2021. For purchases of any UltraVision II Oscilloscope that occurred before 10/1/2021 please fill out the form below and your bundle will still be sent per the previous promotion.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on October 01, 2021, 02:35:10 pm
Hi!
I have the firmware 00.01.03.00.01 from 30.03.2020
can someone tell me where to download the firmware FW 01.03.00.01 build 2020-05-18

Nowhere. Up till now it's only flashed at factory.
Do we have a nand-backup of someone with that firmware? we can generate it then if really needed.
Has anybody reached out to rigol to request the GEL file from them?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kc55 on October 02, 2021, 08:09:29 am
I have same problem especially on channel 1 of my MSO5074. When I switch on only that channel the offset is smaller, around -70 mV. With at least one other analog channel also switched on, the offset becomes larger at around -160 mV at 1 V/div scale setting.
I ran self calibration a few times but it didn't fix the offset.
Anybody here have similar observation? Is the amount of offset to be expected?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oelapaloma on October 02, 2021, 08:16:10 pm
I have created a Full NAND Backup and a Data FRAM Backup of the scope with 0A.01.03.00.01 firmware. Please PM on how to proceed. I don't want to see my full dump on the Internet.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: d86d1864 on October 03, 2021, 12:10:15 pm
Find appEntry (22 MB) for a few days on http://37.120.179.6/appEntry-0A.01.03.00.01

Thank you for sharing the binary.

Curiosity got the better of me so I had a crack at porting the previous patches to the new binary (attached below).

It's a little harder to test when we don't have the firmware available, but I managed to get the binary running on 00.01.03.00.01 with a little fiddling, and it appears to work.
But as always, use at own risk and naturally only for educational purposes. :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: flash2b on October 05, 2021, 12:02:15 pm
My scope came with this:

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=1290262;image)

Is this hackable and what do I need to do?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: atembedded on October 07, 2021, 02:13:34 pm
Hello, newbie here.  Received my MSO5074 the other day and have been trying to apply the hack.

Downloaded the files as listed in the earlier post on page 85.  Last list with attached files I believe.

FW version is  00.01.03.00.01

HW version is 01.01.000

Boot               2018.06.27

Build               2020-05-18  11:42:06

Can't get the scope to recognize any of 3 different USB sticks.

Just says "No Package Found" From local Upgrade and "Upgrading Failed, please check the package"

Probably doing something dumb.  Any specific formatting requirements?

Thanks.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: atembedded on October 09, 2021, 03:37:10 am
Thanks Bibbbi!  Followed your instructions.  Patch wouldn't work when formatted from Win10, worked fine from Rufus.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oelapaloma on October 15, 2021, 03:45:17 pm
@flash2b
Quote
My scope came with this: 0A.01.03.00.01
Is this hackable and what do I need to do?

You seem to have the same Beta firmware that I have.
From my understanding, the hack is in research state. ~64 people have downloaded it since it was published, but nobody left feedback yet, whether it worked or not.
As far as I understood, the DS5000Update.GEL was built in a way that it can be used for any firmware, so just use the latest one you can find. Then get the two files attached by @d86d1864 which contain the hack.
Before doing that, you might want to backup /rigol/appEntry using SCP so you can rollback, just in case.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on October 15, 2021, 05:18:10 pm
One question that has not been answered is what's the difference between the firmware, are there any improvements. Before upgrading can someone test the scope first and compare to see difference after patch. Check X-Y mode and see if there is any difference in thickness of trace. I had called support asking for copy but they said this was just a version used at the factory and was related to calibration, not sure what that means.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oelapaloma on October 15, 2021, 07:12:34 pm
Hi normi,
I can't compare to the previous official firmware because my scope never had that version. But I think there are quite a lot of bugs and issues.
Bear in mind that I'm not a professional electronics engineer, so some issues may just be misunderstanding, misconfiguration or wrong setup on my side.
At the moment I'm testing with the built-in function generator. Maybe I should not do that.
1. the function generator needs to be turned off and on after changing the function (not always, but often). Depending on your horizontal scale, you might not even notice that the curve is broken
2. the function generator may need to be turned off and on even when changing the same functions' properties (e.g. ramp symmetry)
3. the line thickness in XY and XYZ mode is indeed very thick
4. counter min/max may display nonsense after turning on and after changing horizontal scale (turn statistics off and on to reset)
5. counter may display a higher value than the maximum in the statistics
6. trigger triggers at wrong edge, even with noise reject (might actually be caused by very small but high peaks of the built-in function generator as it seems)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on October 15, 2021, 07:58:38 pm
 I am assuming you are still on the Beta version that came with your scope, and you have not patched scope.
 The XY thickness exists in the official version so it appears that it has not been fixed in this 0A version.
 I have not come across any issues with the function generator so not sure what's causing that, others can report if they see similar issues.
 The counter has to start somewhere so its best to reset it once the signal is stable, I have not used the counter a lot so can't say how it compares to statistics.
 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: klen_s on October 16, 2021, 11:16:37 pm
Hello!
Many thanks for the work done!
Some time ago I upgraded a new device A0.01.03.00.01 -> 00.01.03.00.01 and unlocked it. All is well.
Now I want to roll back to check the patch for A0.01.03.00.01 and test the new patch.

How do I properly roll back? I only have a full backup of /rigol for the new A0.01.03.00.01 device.

Over ssh I deleted all files in /rigol/* but it is not fully clean :(
I cannot write a full /rigol/* backup. The /dev/ubi6_0 partition is not cleaned after deleting the files (35% of the space is in use).
How do I clear the /rigol space?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Dan_F on October 18, 2021, 04:40:43 pm
Hello,
    After using the methods described in post   « Reply #2106  :-+      I was able to upgrade the MSO 5074 to a working MSO5354 with the
 factory new device 0A.01.03.00.01 firmware.

0A_01_03_00_01.bspatch.txt      rename to  0A_01_03_00_01.bspatch
DS5000Update.GEL.txt      rename to  DS5000Update.GEL
patch.txt

Copy to root directory of usb flash drive
insert into front scope usb
run update

Above is statements from other posts - but I have inserted the current data to show what worked for me.
It added the upgrades I needed but not extra.. Example.. I had a 4 channel scope from factory so it didn't add the upgrade code for 4 channel from 2 channel.
Use the files from previous post and use the DS5000update.gel file located a few post above post 2106.
I have rebooted a few times and everything seemed normal.. I have not fully tested all functions but the normal one seem ok.
Good luck. 
Dan
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rmaranhao on November 04, 2021, 03:24:12 am
Encouraged by your post I tried it, and can also confirm it worked.
Thanks all!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Matsh on November 15, 2021, 03:01:13 pm
Did upgrade a RIGOL MSO5074 to 350 MHz and also the rest of the options. 

Thank you to Agne who started this thread and the others here who put all the effort into this project.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gdombi on November 18, 2021, 05:30:42 am
Help Please!!!

MS5000 came with 01_03_00_01 firmware. I followed the "upgrade" steps using zip file included in https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342. I had to update checksums to match what Rigol was expecting (based on what it said when I tried to run the upgrade). After updating both checksums the upgrade said successful. Restarted and now I have a Rigol screen with the progress bar reaching to the end but nothing happens. In the web UI I see a message saying "Loading ... Please Waiting".

Did I just brick it? How can I revert this?????

Please help!!! :D
TIA,
Gaston
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on November 18, 2021, 05:53:03 am
MS5000 came with 01_03_00_01 firmware. I followed the "upgrade" steps using zip file included in https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342. I had to update checksums to match what Rigol was expecting (based on what it said when I tried to run the upgrade). After updating both checksums the upgrade said successful. Restarted and now I have a Rigol screen with the progress bar reaching to the end but nothing happens. In the web UI I see a message saying "Loading ... Please Waiting".

You updated firmware with version 01.03.00.01 using the instructions and patches for 01.02.00.02.
I'm not surprised it's bricked.

However, you are lucky as you can get back to factory.
Go here:
https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/
Download the firmware, extract the GEL file.

Copy the official firmware to a usb key. Stick it in the scope.
While powering on the scope, keep pressing the single button.
You'll see two options show up and you should be able to flash back to the official firmware.

Let's get you back to normal before we do anything else.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gdombi on November 18, 2021, 06:28:14 am
@ToThePub, I owe you a beer!!!! I'm back with an operational scope.

Which files should I use for the "upgrade"? I keep reading this thread and see so many files.... I have firmware 00.01.03.00..1 now installed.

Thanks for your help,
Gaston
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on November 18, 2021, 06:35:19 am
Instead of posting again, just follow K9DTV's info here:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3721423/#msg3721423
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gdombi on November 18, 2021, 06:37:22 am
I used https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3721423/#msg3721423 and I'm all good. All options are available and still same firmware version.  >:D

Thanks for your help!!! I can now relax that scope is not bricked and operational++ !!!

Gaston
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on November 18, 2021, 06:42:11 am
I used https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3721423/#msg3721423 and I'm all good. All options are available and still same firmware version.  >:D

Thanks for your help!!! I can now relax that scope is not bricked and operational++ !!!

Good to hear. Enjoy the scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BH3XON on November 18, 2021, 07:42:53 am
damn! I got the latest build version, who can help me? |O
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilya_z on November 18, 2021, 08:56:21 am
damn! I got the latest build version, who can help me? |O

You may downgrade software
post # 2017  https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3617041/#msg3617041
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BH3XON on November 18, 2021, 09:20:51 am
damn! I got the latest build version, who can help me? |O

You may downgrade software
post # 2017  https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3617041/#msg3617041

I tried to use MSO5000(ARM)Update (V00.01.03.00.01) to downgrade, but it prompts:

Failed to upgrade! Check the upgrade file. 

File from Rigol.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilya_z on November 18, 2021, 09:43:16 am
try using other  USB flash, try format Flash FAT32 in RUFUS
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on November 19, 2021, 01:03:49 am
To downgrade the firmware I think you have to use the recovery process.
Use the process here:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3820085/#msg3820085

Then patch using:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3721423/#msg3721423
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BH3XON on November 19, 2021, 07:17:53 am
To downgrade the firmware I think you have to use the recovery process.
Use the process here:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3820085/#msg3820085

Then patch using:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3721423/#msg3721423

Thanks!
Have tried,
Put DS5000Update.GEL into the U disk,
Keep pressing "single", then press the power button to start,
But it did not enter the mysterious menu, just the usual splash screen.
Nothing happened.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BH3XON on November 19, 2021, 07:22:52 am
try using other  USB flash, try format Flash FAT32 in RUFUS

Thanks
I don’t think it’s the USB flash drive.
Because my other old Rigol oscilloscope uses the same USB flash drive for operation.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on November 20, 2021, 02:53:00 am
Turn on the device with the left hand, while pushing the single button with the right hand.
Keep pushing it, over and over and over don't stop pushing, don't wait between pushes.
It works, I don't know why you are having problems.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: idolclub on November 20, 2021, 12:56:25 pm
Rigol MSO5000 Firmware v00.01.03.00.03 :

[Updated Contents]
--------------------

v00.01.03.00.03 2021/10/18

      - Optimized waveform display in XY mode.
      - Optimized the DC gain calibration algorithm.
      - The La channel is decoded in parallel, which solved the problem of decoding error in negative polarity.


v00.01.03.00.01 2020/03/27

      - Solved the error of recording function when the time base is 10ns/div.
      - Optimized the auto function after adjusted the offset cal of analog channel.
      - Supported dragging the math waveform by dragging the icon of the math.


v00.01.02.00.03 2020/02/27

      - Solved the error of reading LA channel memory data by SCPI commands.


v00.01.02.00.02 2020/02/25

      - Solved the problem of starting the oscilloscope under HDMI connection.
      - Solved the error of channel offset cal function when adjusting the vertical scale.
      - Unified the naming of CLK and SDA in SPI protocol analysis.
      - Optimized the display of waves under zoom mode of 2s/div time base.
      - Added command to get pass / fail times.
      - Deleted the default email account and password.
      - Optimized some problems in SCPI commands.
      - Optimized the problem of software crash when there are too many decoding events.


Download:
https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BH3XON on November 22, 2021, 03:22:27 am
Turn on the device with the left hand, while pushing the single button with the right hand.
Keep pushing it, over and over and over don't stop pushing, don't wait between pushes.
It works, I don't know why you are having problems.

After many attempts, I think I know the problem,
time1: Press the power button, the keyboard light is on, and the screen is dark;
time2: The keyboard light is off and the screen remains dark;
time3: The screen displays RIGOL, and the startup progress...

Just press single at time2, and the mysterious menu will appear.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: flash2b on November 22, 2021, 03:08:05 pm
Does the hack stay after upgrading the firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ziDot on November 22, 2021, 05:37:22 pm
Successfully liberated brand new MSO5072. Without any recovery mode downgrades. With local upgrade only.
Firmware installed from store:
FW 0A.01.03.00.01
HW 01.01.000
Boot 2018.06.27
Build 2021-05-04 15:50:32

My actions step-by-step:
1. Download official FW v00.01.03.00.01. Found on Russian Rigol site (registration required):
https://ru.rigol.com/En/Index/listView/catid/28/tp/6/cat/7/xl/24
Google drive mirror:
https://drive.google.com/file/d/1wsz9O9EJmQxzGSD-pm-yF06vw2qoJkRa/view?usp=sharing
2. Prepare USB Disk. I have very old 2Gb flash. Formatted with MiniTool Partition Wizard as FAT32 Primary partition
3. Extract downloaded files to any folder on PC.
4. Copy DS5000Update.GEL file to fresh formatted USB Flash
5. Power on MSO and plug in flash drive.
6. Select local upgrade (press Utility->System->Help->Local upgrade). Confirm upgrade. (there were no errors or warnings about version mismatch)
After upgrade is complete reboot MSO. Now MSO have FW 00.01.03.00.01 and Build 2020-03-30 15:56:36

Then go to:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105598/#msg3105598
And follow instructions from STEP 2.

After all operations MSO must be recalibrated. Recalibrate instructions can be found in MSO5000 Upgrade Instructions file comes with downloaded firmware.

Note:
After patch I had black screen for 15-20 seconds (maybe a little longer and I pressed Menu key a few times in panic))). Just a little patience and all will be back on screen.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Matsh on November 23, 2021, 10:48:01 am
Does the hack need to be updated to work with firmware 00.01.03.00.03?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on November 23, 2021, 06:47:22 pm
Does the hack need to be updated to work with firmware 00.01.03.00.03?

Yes a new file needs to be created for each new update, the hack is the same but it needs to be applied to new update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Matsh on November 24, 2021, 06:35:50 pm
I tried to checkout the whole thread how-to create the new file, is that information available here?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on November 25, 2021, 03:27:34 am
Information is buried in thread. If I remember correctly, basically there is a file called appentry which is a binary file and you compare the hacked version of the file to the unhacked file and discover the changes. Locate those sections of the code in the new firmware and change them to the same values as the hacked version, then copy new file to scope. That is an oversimplified description, but I assume someone will build a new patch with the updated firmware and post it.
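
The compare-and-relocate approach described in the post above, as an added Python example that is not part of the thread or of any patch posted in it: it diffs an original and a modified copy of a binary, then reports where each change site's surrounding bytes land in a different build, rejecting sites that are missing or ambiguous instead of guessing. The byte strings, the 8-byte context width and all function names are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

CONTEXT = 8  # unchanged bytes kept on each side of a change (assumed width)


@dataclass
class Site:
    offset: int    # where the change starts in the old build
    before: bytes  # unchanged bytes preceding the change
    old: bytes     # original bytes
    new: bytes     # replacement bytes
    after: bytes   # unchanged bytes following the change


def diff_sites(original: bytes, patched: bytes, context: int = CONTEXT) -> list[Site]:
    """Return every run of differing bytes between two equal-length binaries."""
    if len(original) != len(patched):
        raise ValueError("an in-place byte patch keeps the file length; these differ")
    sites, i, n = [], 0, len(original)
    while i < n:
        if original[i] == patched[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != patched[i]:
            i += 1
        sites.append(Site(
            offset=start,
            before=original[max(0, start - context):start],
            old=original[start:i],
            new=patched[start:i],
            after=original[i:i + context],
        ))
    return sites


def find_all(haystack: bytes, needle: bytes) -> list[int]:
    """All (possibly overlapping) offsets of needle in haystack."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def relocate(site: Site, target: bytes) -> tuple[str, Optional[int]]:
    """Locate one change site in a different build.

    Only an exact, unique match of before+old+after counts. A site that is
    absent (the code changed) or present more than once is reported, never
    guessed: writing bytes at a wrong offset is how a device stops booting.
    """
    signature = site.before + site.old + site.after
    hits = find_all(target, signature)
    if not hits:
        return "missing", None
    if len(hits) > 1:
        return "ambiguous", None
    return "ok", hits[0] + len(site.before)


def port_report(original: bytes, patched: bytes, target: bytes):
    """(old_offset, status, new_offset) for every change site."""
    return [(s.offset, *relocate(s, target)) for s in diff_sites(original, patched)]


# Constructed sample data, not taken from any firmware.
OLD_BUILD = bytes(range(0x10, 0x30)) + b"\x01\x00\x00\x0a" + bytes(range(0x40, 0x60))
PATCHED = bytes(range(0x10, 0x30)) + b"\x00\x00\x00\x0a" + bytes(range(0x40, 0x60))
SHIFTED_BUILD = b"\xaa" * 5 + OLD_BUILD  # same code, moved by 5 bytes
CHANGED_BUILD = bytes(range(0x10, 0x30)) + b"\x01\x00\x00\x1a" + bytes(range(0x40, 0x60))

if __name__ == "__main__":
    for name, build in [("shifted", SHIFTED_BUILD), ("changed", CHANGED_BUILD),
                        ("duplicated", OLD_BUILD + OLD_BUILD)]:
        print(name, port_report(OLD_BUILD, PATCHED, build))
```

A site reported as "missing" or "ambiguous" needs a wider context or manual analysis of the new build before anything is written to the device.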
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on November 25, 2021, 05:24:20 am
while you're at it, reinstate sshd (or telnetd or whatever) in the main start script.
The pain point is to extract the package, somewhere with no CRLF/.Trashes involved, then do update what you want on the extracted fs, like if you were on the real scope, and finally, repack everything properly (that is the pain).

the gitlab repository (https://gitlab.com/riglol/rigolee.git) has some helpers to do that properly (in bin/).

hint: unix cmdline needed
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: everest159 on November 27, 2021, 10:12:06 am
For info

When formatting the USB make sure it is FAT32 and Cluster size to 4096 bytes (some of my newer USB's has 8192 as default).

I updated to 01.03.00.03 and I can confirm the SSH GEL still worked (but I don't remember where I downloaded the .03 firmware, as I don't find it on Rigol's homepage anymore).

When trying to downgrade using the "secret" menu, pressing SINGLE button twice at boot, I got "Failed to upgrade! Check the upgrade file."
My solution was to use another USB, even tho I knew the first USB worked for upgrade, apparently it didn't work for downgrade.

Hope this helps someone!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Matsh on November 27, 2021, 11:21:07 pm
Official FW v00.01.03.00.03 can be downloaded here https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: keenox on November 29, 2021, 04:59:28 pm
Hi guys,

I have version 00.01.03.00.01, but the bspatch doesn't seem to work. This got me reading more into this thread and used the gel file to enable SSH and do a dump.
Looking into the GEL files I saw that they contain binary shell files and was wondering what those files do.

1. Can someone explain how to encrypt and decrypt the binary shell files? Or at least tell me what's in them?
2. Regarding bspatch, can someone explain what it contains? I am interested in terms of assembly so I can adapt it to the firmware on my scope and maybe any future firmware.

It seems to me that the hacking methods here are pretty opaque and would like to learn more about how they work.
Is it because legal issues with Rigol? If that is the case, I would be very thankful if anyone could send me a PM.
Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on November 29, 2021, 06:17:15 pm
Hi guys,

I have version 00.01.03.00.01, but the bspatch doesn't seem to work. This got me reading more into this thread and used the gel file to enable SSH and do a dump.
Looking into the GEL files I saw that they contain binary shell files and was wondering what those files do.

1. Can someone explain how to encrypt and decrypt the binary shell files? Or at least tell me what's in them?
2. Regarding bspatch, can someone explain what it contains? I am interested in terms of assembly so I can adapt it to the firmware on my scope and maybe any future firmware.

It seems to me that the hacking methods here are pretty opaque and would like to learn more about how they work.
Is it because legal issues with Rigol? If that is the case, I would be very thankful if anyone could send me a PM.
Thanks!

I think your F.W. is not Build 2020-03-30 15:56:36.
To confirm that, press Utility->System->Help->About (see what build you have).
If not, follow these steps:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3829616/#msg3829616


command :  openssl aes-128-cbc -in "./fw4linux.sh" -out "fw.sh" -d -K "BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD" -iv "BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD" -nopad

to unpack GEL file there is a script to do that gel_unpack.sh
https://gitlab.com/riglol/rigolee/firmware/-/tree/MSO5000/bin

if you get any error try to change -i flag
"dumpimage -T flat_dt -i "${GELDIR}/system.img" -p 0 "${OUTDIR}/zImage"" >> "dumpimage -T flat_dt  "${GELDIR}/system.img" -p 0  -o "${OUTDIR}/zImage""
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: keenox on November 29, 2021, 08:04:27 pm
@qali.pro Thanks for the info! I'll try it. I already managed to unzip the GEL files by using 7zip. That's how I found the encrypted shell files :)
My build is from 18.05, but I wanted to know better how the hack works and also maybe port it to 01.03.00.03
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 01, 2021, 11:00:50 pm
here is patch for F.W 01_03_00_03

have fun ;)

---------------------------
The patch file has been deleted for further testing and should be released soon  :palm:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Matsh on December 02, 2021, 01:39:06 pm
First I updated to FW v00.01.03.00.03. Then used the patch above to activate all options.

Thank you for the work done on the patch!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 02, 2021, 04:43:38 pm
First I updated to FW v00.01.03.00.03. Then used the patch above to activate all options.

Thank you for the work done on the patch!

Glad it works for you.
You are welcome, I'm here to help.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BM61 on December 02, 2021, 08:36:35 pm
Hi friends, I’m new here  :)

I’ve updated my MSO5000 with FW v00.01.03.00.03 and patched it with the patch from qali.pro (Thank you!!), but now I experience a problem using the 20MHz BW limit on the inputs: the trace disappears!  :o

Have you the same issue?

Trying better, using the 20M BW Limit (but not the 100 or 200M) a “negative bias” of approximately 300mV is added to the trace.
So with 10mV or less sensitivity the trace “disappears”
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BM61 on December 02, 2021, 09:48:27 pm
Dear friends, I’ve performed another Self Calibration and the 20M BW problem is gone.
Now using the BW Limit I have no signal trace shifting like before.

Excuse me for the “fake alarm”, sorry.

  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: serg_77 on December 03, 2021, 10:51:45 am
Updated, patched, self-calibrated twice - everything is normal.
Thank you qali.pro for the work done on the patch!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Wintel on December 03, 2021, 11:44:43 am
here is patch for F.W 01_03_00_03

have fun ;)
Thanks!

Have you tried to upgrade the MSO5072 to MSO5504 (BW:500MHz) with firmware 01_03_00_03?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobbiTobi on December 03, 2021, 12:31:20 pm
Hi friends, I’m new here  :)

I’ve updated my MSO5000 with FW v00.01.03.00.03 and patched it with the patch from qali.pro (Thank you!!), but now I experience a problem using the 20MHz BW limit on the inputs: the trace disappears!  :o

Have you the same issue?

Trying better, using the 20M BW Limit (but not the 100 or 200M) a “negative bias” of approximately 300mV is added to the trace.
So with 10mV or less sensitivity the trace “disappears”

I have found the same problem! But no success after 2 times self-calibration ...  |O
Below 2mV/div has become useless ... even averaging
In addition BW-20MHz gives offset problems up to 1V/div ...  :--

Suggestions? Roll-back?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: serg_77 on December 03, 2021, 12:32:26 pm
The patch works. Everything is fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: serg_77 on December 03, 2021, 12:34:31 pm
After two self-calibrations, restart the device and that's it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobbiTobi on December 03, 2021, 01:12:07 pm
You are perfectly right!  :-+

Did not restart the system!  :palm:

Many thanks!


P.S.: should perform an auto-boot after self-calib  >:D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 03, 2021, 05:05:40 pm
Hi friends, I’m new here  :)

I’ve updated my MSO5000 with FW v00.01.03.00.03 and patched it with the patch from qali.pro (Thank you!!), but now I experience a problem using the 20MHz BW limit on the inputs: the trace disappears!  :o

Have you the same issue?

Trying better, using the 20M BW Limit (but not the 100 or 200M) a “negative bias” of approximately 300mV is added to the trace.
So with 10mV or less sensitivity the trace “disappears”

I have found the same problem! But no success after 2 times self-calibration ...  |O
Below 2mV/div has become useless ... even averaging
In addition BW-20MHz gives offset problems up to 1V/div ...  :--

Suggestions? Roll-back?

Can you post a screenshot so I can replicate the same error on my device?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 03, 2021, 08:13:39 pm
Thanks!

Have you tried to upgrade the MSO5072 to MSO5504 (BW:500MHz) with firmware 01_03_00_03?
You are welcome.
I'll try (BW:500MHz) as soon as possible.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 03, 2021, 09:15:51 pm
I'll try (BW:500MHz) as soon as possible.

 :-// Why? (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2663334/#msg2663334)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 04, 2021, 03:13:02 am

 :-// Why? (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2663334/#msg2663334)

Thank you for your work and the work of other people on this topic.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BM61 on December 04, 2021, 11:08:57 pm
@ qali.pro
I didn’t take a screenshot when the problematic trace display, using the 20M BW Limit, occurred!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 05, 2021, 03:04:19 pm
@ qali.pro
I didn’t take a screenshot when the problematic trace display, using the 20M BW Limit, occurred!

I am sure the 20M BW Limit problem is caused by the stock firmware (01.03.00.03), not by the patch file.

To solve the problem, please follow these steps :

Self-calibration
Make sure that the oscilloscope has been warmed up or operating for more than 30 minutes before
performing self-calibration.
1. Disconnect all the input channels.
2. Press Utility > System > SelfCal, and then press Start to execute self-calibration. The
self-calibration lasts for about 45 minutes.
3. Restart the oscilloscope.
,,,,
best regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on December 06, 2021, 06:12:31 pm
If anybody is interested, the SCPI command changes between version 01_03_00_01 and 01_03_00_03 are as follows:

Code:
diff 01_03_00_01.txt  01_03_00_03.txt
637a638,643
> CALibration:INIT:ADC:DATa                  selfcal    72 -1 ('INTEGER',) ()
> CALibration:INIT:ADC:DATa?                 selfcal    72 -1 () ('INTEGER',)
> CALibration:INIT:ADC:TCMP                  selfcal    71 -1 ('INTEGER',) ()
> CALibration:INIT:ADC:TCMP?                 selfcal    71 -1 () ('INTEGER',)
> CALibration:INIT:ADC:TDMX                  selfcal    70 -1 ('INTEGER',) ()
> CALibration:INIT:ADC:TDMX?                 selfcal    70 -1 () ('INTEGER',)
652c658
< CALibration:SAVE                           selfcal     2 -1 (['CHDelay', 'DDELay', 'GGND', 'MLF', 'PRECision'],) ()
---
> CALibration:SAVE                           selfcal     2 -1 (['CHDelay', 'DDELay', 'GGND', 'MLF', 'PRECision', 'SER'],) ()
1748a1755,1762
> SYSTem:KEEP:ACQuire                        utility  12093 -1 (['AVERages', 'HRESolution', 'NORMal', 'PEAK'],) ()
> SYSTem:KEEP:ACQuire?                       utility  12093 -1 () (['AVER', 'HRES', 'NORM', 'PEAK'],)
> SYSTem:KEEP:AVERages                       utility  12092 -1 ('INTEGER',) ()
> SYSTem:KEEP:AVERages?                      utility  12092 -1 () ('INTEGER',)
> SYSTem:KEEP:BWLimit                        utility  12091 -1 (['100M', '10G', '150M', '1G', '200M', '20G', '20M', '250M', '25M', '2G', '300M', '350M', '4G', '500M', '50M', '5G', '600M', '70M', 'OFF'],) ()
> SYSTem:KEEP:BWLimit?                       utility  12091 -1 () (['100M', '10G', '150M', '1G', '200M', '20G', '20M', '250M', '25M', '2G', '300M', '350M', '4G', '500M', '50M', '5G', '600M', '70M', 'OFF'],)
> SYSTem:KEEP:IMPedance                      utility  12090 -1 ('BOOL',) ()
> SYSTem:KEEP:IMPedance?                     utility  12090 -1 () ('BOOL',)
1752,1753d1765
< SYSTem:KIMPedance                          utility  12090 -1 ('BOOL',) ()
< SYSTem:KIMPedance?                         utility  12090 -1 () ('BOOL',)
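Review bot: the two rows deleted in 1752,1753d1765 (SYSTem:KIMPedance and its query form) carry id 12090 and a BOOL argument, the same as SYSTem:KEEP:IMPedance added in 1748a1755,1762, so this pair reads as a rename rather than a removal plus a new command. Worth stating that in the summary, since the old spelling no longer appears in the 01_03_00_03 listing and scripts that send it would need updating.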

So mostly new commands related to calibration, and new SYSTem:KEEP commands. Maybe related to saving the current setup?
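The comparison in the post above can be made mechanical. This is an added example, not mabl's tooling or code from the firmware: it reads normal-format diff output of the command listing and separates true additions from renames (same module, id and query form under a new name) and from commands whose accepted values changed. The sample input is abridged from the diff above; the function names and the meaning given to each column are assumptions.

```python
import ast
import re
from collections import namedtuple

# Column meanings are inferred from the listing's layout (an assumption):
# command name, owning module, numeric id, a flag column, argument types,
# return types. The last two are written as Python tuples.
Cmd = namedtuple("Cmd", "name module ident args returns")
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+-?\d+\s+(\(.*?\))\s+(\(.*\))$")

# Abridged from the diff in the post above; hunk headers are ignored by the parser.
SAMPLE_DIFF = """\
637a638,643
> CALibration:INIT:ADC:DATa                  selfcal    72 -1 ('INTEGER',) ()
> CALibration:INIT:ADC:DATa?                 selfcal    72 -1 () ('INTEGER',)
652c658
< CALibration:SAVE                           selfcal     2 -1 (['CHDelay', 'DDELay', 'GGND', 'MLF', 'PRECision'],) ()
---
> CALibration:SAVE                           selfcal     2 -1 (['CHDelay', 'DDELay', 'GGND', 'MLF', 'PRECision', 'SER'],) ()
1748a1755,1762
> SYSTem:KEEP:AVERages                       utility  12092 -1 ('INTEGER',) ()
> SYSTem:KEEP:AVERages?                      utility  12092 -1 () ('INTEGER',)
> SYSTem:KEEP:IMPedance                      utility  12090 -1 ('BOOL',) ()
> SYSTem:KEEP:IMPedance?                     utility  12090 -1 () ('BOOL',)
1752,1753d1765
< SYSTem:KIMPedance                          utility  12090 -1 ('BOOL',) ()
< SYSTem:KIMPedance?                         utility  12090 -1 () ('BOOL',)
"""


def parse_row(text):
    """Turn one listing row into a Cmd; raise on anything that is not a row."""
    m = ROW.match(text.strip())
    if not m:
        raise ValueError("not a command-table row: %r" % text)
    name, module, ident, args, rets = m.groups()
    # literal_eval accepts literals only, so an untrusted listing cannot run code.
    return Cmd(name, module, int(ident), ast.literal_eval(args), ast.literal_eval(rets))


def split_diff(diff_text):
    """Collect '<' rows (old listing) and '>' rows (new listing)."""
    old, new = [], []
    for line in diff_text.splitlines():
        if line.startswith("< "):
            old.append(parse_row(line[2:]))
        elif line.startswith("> "):
            new.append(parse_row(line[2:]))
    return old, new


def accepted_values(cmd):
    """Flatten argument and return specs into one set of type/enum names."""
    out = set()
    for item in cmd.args + cmd.returns:
        out.update(item if isinstance(item, list) else [item])
    return out


def same_slot(a, b):
    """Same module, same id and same set/query form: a rename candidate."""
    return (a.module, a.ident, a.name.endswith("?")) == \
           (b.module, b.ident, b.name.endswith("?"))


def classify(diff_text):
    old, new = split_diff(diff_text)
    old_names = {c.name: c for c in old}
    new_names = {c.name: c for c in new}
    report = {"added": [], "removed": [], "renamed": [], "changed": []}
    # Same name on both sides of the diff: report values gained and lost.
    for name in sorted(old_names.keys() & new_names.keys()):
        before = accepted_values(old_names[name])
        after = accepted_values(new_names[name])
        report["changed"].append((name, sorted(after - before), sorted(before - after)))
    # Names that vanished: pair each with a new name in the same slot, if any.
    fresh = [c for c in new if c.name not in old_names]
    for gone in (c for c in old if c.name not in new_names):
        twin = next((c for c in fresh if same_slot(gone, c)), None)
        if twin is None:
            report["removed"].append(gone.name)
        else:
            report["renamed"].append((gone.name, twin.name))
            fresh.remove(twin)
    report["added"] = [c.name for c in fresh]
    return report


if __name__ == "__main__":
    for kind, items in classify(SAMPLE_DIFF).items():
        print(kind, items)
```

Run against the full listings, the same report shows which automation scripts need a renamed command and which only gain new options.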
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on December 06, 2021, 07:10:08 pm
here is patch for F.W 01_03_00_03

have fun ;)

Thanks :-) But are you sure this patch is good? My scope crashes when the licenses are queried over SCPI or the web interface.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 07, 2021, 04:48:34 am

Thanks :-) But are you sure this patch is good? My scope crashes when the licenses are queried over SCPI or the web interface.

Hi mabl,

Thank you so much for your hard work and the other contributors' work.
Does the issue come from the original F.W or from the patched F.W?
I'm now testing the LA and decoder.
I'll test SCPI today and post my result.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 07, 2021, 09:08:16 pm
Thank you mabl .

The MSO5000 webcontrol (web application) InstrumentUtilities page calls options.cgi to load Instrument License and Options, and that causes the screen to freeze.
/rigol/webcontrol/cgi-bin/options.cgi

SCPI works fine.

The patched appEntry causes a freeze when you invoke options.cgi.

I'll try fix this problem as soon as possible.

This is a diff between the original and the patched appEntry:
Code:
2c2
< appEntry:     file format elf32-littlearm
---
> appEntry2:     file format elf32-littlearm
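Review bot: nothing in this listing identifies the builds being compared; the 2c2 hunk shows only the file names appEntry and appEntry2. State the firmware version and a checksum of each file next to the diff, so a reader can tell which build the addresses below apply to before drawing conclusions about the options.cgi freeze.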
142769c142769
*<    c8498: 0a000001 beq c84a4 <_ZN16searchEventTable16sigCurrEventTimeEi@@Base+0x3650>
---
>    c8498: e1a00000 nop ; (mov r0, r0)
143327c143327
<    c8d50: 1a000088 bne c8f78 <_ZN16searchEventTable16sigCurrEventTimeEi@@Base+0x4124>
---
>    c8d50: ea000088 b c8f78 <_ZN16searchEventTable16sigCurrEventTimeEi@@Base+0x4124>
143470c143470
<    c8f8c: 0a000023 beq c9020 <_ZN16searchEventTable16sigCurrEventTimeEi@@Base+0x41cc>
---
>    c8f8c: e1a00000 nop ; (mov r0, r0)
345451c345451
<   18e1f0: 0a0000b3 beq 18e4c4 <_ZN5QListIPN8menu_res8RDsoViewEED1Ev@@Base+0x104d8>
---
>   18e1f0: e1a00000 nop ; (mov r0, r0)
345458c345458
<   18e20c: 1a00001a bne 18e27c <_ZN5QListIPN8menu_res8RDsoViewEED1Ev@@Base+0x10290>
---
>   18e20c: e1a00000 nop ; (mov r0, r0)
886012c886012
<   39db6c: 0a000000 beq 39db74 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2bb8>
---
>   39db6c: ea000000 b 39db74 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2bb8>
886018c886018
<   39db84: 0a000071 beq 39dd50 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2d94>
---
>   39db84: e1a00000 nop ; (mov r0, r0)
886025c886025
<   39dba0: 1a000006 bne 39dbc0 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2c04>
---
>   39dba0: e1a00000 nop ; (mov r0, r0)
886147c886147
<   39dd88: 0a00000d beq 39ddc4 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2e08>
---
>   39dd88: eb00000d bl 39ddc4 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2e08>
886274c886274
<   39df84: 1afffee5 bne 39db20 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2b64>
---
>   39df84: eafffee5 b 39db20 <_ZN12CIRQListener10sigHandlerEi@@Base+0x2b64>
1074304,1074305c1074304,1074305
<   45594c: 1a000003 bne 455960 <_ZN7MemFileD1Ev@@Base+0x244c>
<   455950: ebffffa9 bl 4557fc <_ZN7MemFileD1Ev@@Base+0x22e8>
---
>   45594c: e1a00000 nop ; (mov r0, r0)
>   455950: e3a00001 mov r0, #1
1074312c1074312
<   45596c: ebffffa8 bl 455814 <_ZN7MemFileD1Ev@@Base+0x2300>
---
>   45596c: e1a00000 nop ; (mov r0, r0)




,,,,
Best regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TomManaged on December 07, 2021, 09:43:45 pm
Hi everyone.

I nearly bought the MSO5204. Now I changed my mind and I'm about to buy an MSO5074 instead. Is there anything special to consider with regard to patch compatibility?
Is the firmware and required "patch" the same for MSO5072 and MSO5074, or are there differences or special considerations?

I am totally new to this topic and the thread seems to be very long :(.
So I hope someone can give me a quick reply to help me out so I can buy the scope and get into the topic deeper.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on December 07, 2021, 10:59:15 pm
Hi everyone.

I nearly bought the MSO5204. Now I changed my mind and I'm about to buy an MSO5074 instead. Is there anything special to consider with regard to patch compatibility?
Is the firmware and required "patch" the same for MSO5072 and MSO5074, or are there differences or special considerations?

I am totally new to this topic and the thread seems to be very long :(.
So I hope someone can give me a quick reply to help me out so I can buy the scope and get into the topic deeper.

The software is the same, the patch will enable all 4 channels on the MSO5072. The difference in cost between MSO5072 and 5074 is the cost of the 2 probes, plus you get the warranty to cover all 4 channels. This is why most persons buy the 5074 vs the 5072.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TomManaged on December 07, 2021, 11:15:45 pm
The software is the same, the patch will enable all 4 channels on the MSO5072. The difference in cost between MSO5072 and 5074 is the cost of the 2 probes, plus you get the warranty to cover all 4 channels. This is why most persons buy the 5074 vs the 5072.
Thanks. Yes that was my intention, to get 2 additional 350MHz probes. Good to hear that there is only one software and patch for all family members of the MSO5000 line.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: imoko on December 10, 2021, 12:07:09 am
Hi all,

I'm absolutely new to this forum and to scopes. I bought an MSO5072 because
I work with it at my student job and really like the controlling.

I just found this great forum and its huge informations, so I first wanted to ask if
my device with the following software informations can be hacked and if
somebody can give me some tips and information where to start?

I have following data read out of mine:
Firmware:     0A.01.03.00.01
Hardware:    01.01.000
Boot:            2018.06.27
Build:            2021-05-04 15:50:32

Thanks for any help.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ziDot on December 10, 2021, 12:19:35 am
Hi all,

I'm absolutely new to this forum and to scopes. I bought an MSO5072 because
I work with it at my student job and really like the controlling.

I just found this great forum and its huge informations, so I first wanted to ask if
my device with the following software informations can be hacked and if
somebody can give me some tips and information where to start?

I have following data read out of mine:
Firmware:     0A.01.03.00.01
Hardware:    01.01.000
Boot:            2018.06.27
Build:            2021-05-04 15:50:32

Thanks for any help.

My actions step-by-step with same device and firmware:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3829616/#msg3829616 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3829616/#msg3829616)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 10, 2021, 07:52:25 pm
Hello,

Don't patch yet, more testing is needed.
New Patch and workaround options.cgi  crashes MSO  |O
Problem is in 0x0039da74 Function  :(
For all the issues new and old Patch
----------------------
There is a new issue in this patch (no decode option); old patch decode is fine >:(
----------------------
The patch file has been deleted for further testing and should be released soon  :palm:
,,,,
Best regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 10, 2021, 08:09:53 pm
Sharing SCPI testing tool might help someone.
First install Python3 and pip3,
and install pyvisa:
Code:
pip install pyvisa-py
Change the IP variable to your MSO IP (SCPIcmd.py).

Example in command line:
Code:
python3 SCPIcmd.py -p ':SYSTem:MODules?'
Result:
Code:
python3 SCPIcmd.py -p ':SYSTem:MODules?'
1,1,0,0,0
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 12, 2021, 11:38:40 am
Hello everybody,




I apologize to everyone for the previous problems.
Here is a new patch to really fix all previous problems (testing is finished; it's working perfectly well for me).


FW:01_03_00_03
Build: 2021-10-18

1. Backup everything (optional)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356)
- get and unzip the first script file, put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade
- wait until 100%, then turn off/on
- repeat for the second script

2. Install the official F.W v00.01.03.00.03 2021/10/18
- get the official firmware and unzip

https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-f24095b5-cc11-4e8d-8df9-d2bfdffd5efc/0/-/-/-/-/MSO5_FW_V1_1_4_4.zip (https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-f24095b5-cc11-4e8d-8df9-d2bfdffd5efc/0/-/-/-/-/MSO5_FW_V1_1_4_4.zip)

-  Put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade

3. Patch the F.W

- Download (attachment below) and unzip the file Patch.zip and put the three files on USB stick, then Utility/Help/Local upgrade


4. Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on



Most asked questions :
1- Does this patch still work?
Yes, only on F.W v00.01.03.00.03 2021/10/18.
2- Can you undo the patch with the factory reset?
Yes, download the official firmware and put DS5000Update.GEL on a USB stick, then Utility/Help/Local upgrade; it will be factory reset.

Have, Fun  :-+



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobbiTobi on December 14, 2021, 12:00:03 pm
I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore.  |O
Am I missing something?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dreamcat4 on December 14, 2021, 12:22:24 pm
this is why people keep saying 'all bugs are fixed now' on the firmware

 :palm:

it's these types of things which Dave was complaining about in his initial review, when it first came out. I have been hoping for a re-review, like an update bug hunt with the newest firmware, but it has not happened yet?

but you would think so. given how many people have bought this scope. there are not others competing much close to it in the raw price / performance. once you figure out the per $ dollar value (per mhz / per msps / per channel). what with all the extra features like the signal gen, spectrum analyzer etc. included too
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 14, 2021, 03:53:44 pm
I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore.  |O
Am I missing something?

Hi RobbiTobi,
Does the problem come from the patch or the original F.W?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobbiTobi on December 14, 2021, 04:30:01 pm
I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore.  |O
Am I missing something?

Hi RobbiTobi,
Does the problem come from the patch or the original F.W?

The device has been upgraded with patch.
But I cannot tell whether it is a FW bug or the patch - i.m.h.o. presumably a FW issue.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on December 17, 2021, 12:06:15 am
Does this patch also block the calling home to Rigol, or does it just enable the license?

I would suggest persons test the new FW before they patch it to see if the FW has any bugs, if we don't test the FW then it will be difficult to report a bug to Rigol. I think there is a general resistance to report issues to support and therefore a number of issues don't get resolved or included in firmware fix. I see the Siglent guys report issues to Tautech instead of calling Siglent support, so this may be related to persons fearing support will discover they have hacked the scope. The manufacturers are fully aware the scopes are hacked, if they made them un-hackable they would lose a lot of business.

Some bugs may take years to be reported as scopes have so many options that many people never use all of them and so bugs go undiscovered.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: imoko on December 20, 2021, 05:21:55 pm
Hello everybody,



I apologize to everyone for the previous problems.
Here is a new patch to really fix all previous problems (testing is finished; it's working perfectly well for me).


FW:01_03_00_03
Build: 2021-10-18


Hi qali.pro,

thanks for all your effort and congrats  ;)

"zidot" already showed me how to patch my actual firmware.
Can you tell me if you would recommend to update my firmware to yours
(if this is possible?) and afterwards patch it or should I stay and patch it as it is?

I have following data read out of mine:
Firmware:     0A.01.03.00.01
Hardware:    01.01.000
Boot:            2018.06.27
Build:            2021-05-04 15:50:32

Thanks in advance.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: imoko on December 20, 2021, 05:25:55 pm
Does this patch also block the calling home to Rigol, or does it just enable the license?

I would suggest persons test the new FW before they patch it to see if the FW has any bugs, if we don't test the FW then it will be difficult to report a bug to Rigol. I think there is a general resistance to report issues to support and therefore a number of issues don't get resolved or included in firmware fix. I see the Siglent guys report issues to Tautech instead of calling Siglent support, so this may be related to persons fearing support will discover they have hacked the scope. The manufacturers are fully aware the scopes are hacked, if they made them un-hackable they would lose a lot of business.

Some bugs may take years to be reported as scopes have so many options that many people never use all of them and so bugs go undiscovered.

Hi normi,

I have still a non patched version and can test some features if you tell me what
to do?

regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ultranalog on December 20, 2021, 09:47:34 pm
I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore.  |O
Am I missing something?
I noticed this last week.

I got out of it without pressing default, but don't know exactly how I did it. Probably disabled recording and re-enabled it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on December 20, 2021, 11:57:59 pm
Does this patch also block the calling home to Rigol, or does it just enable the license?

I would suggest persons test the new FW before they patch it to see if the FW has any bugs, if we don't test the FW then it will be difficult to report a bug to Rigol. I think there is a general resistance to report issues to support and therefore a number of issues don't get resolved or included in firmware fix. I see the Siglent guys report issues to Tautech instead of calling Siglent support, so this may be related to persons fearing support will discover they have hacked the scope. The manufacturers are fully aware the scopes are hacked, if they made them un-hackable they would lose a lot of business.

Some bugs may take years to be reported as scopes have so many options that many people never use all of them and so bugs go undiscovered.

Hi normi,

I have still a non patched version and can test some features if you tell me what
to do?

regards

You could test RobbiTobi's problem and see if it exists without the hack.
I have found a bug regarding the Recording mode in my MSO5000.
The calculated max. number of frames to be recorded decreases only with rising memory-depth but never increases again when lowering memory-depth.
I need to push Default button to get a reset, otherwise the max. frame number can not be changed anymore.  |O
Am I missing something?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 21, 2021, 05:19:54 am
Does this patch also block the calling home to Rigol, or does it just enable the license?

I would suggest persons test the new FW before they patch it to see if the FW has any bugs, if we don't test the FW then it will be difficult to report a bug to Rigol. I think there is a general resistance to report issues to support and therefore a number of issues don't get resolved or included in firmware fix. I see the Siglent guys report issues to Tautech instead of calling Siglent support, so this may be related to persons fearing support will discover they have hacked the scope. The manufacturers are fully aware the scopes are hacked, if they made them un-hackable they would lose a lot of business.

Some bugs may take years to be reported as scopes have so many options that many people never use all of them and so bugs go undiscovered.

I did some testing and have confirmed it's blocking all outside requests (because of that, the online upgrade button does not work any more).


Hello everybody,



I apologize to everyone for the previous problems.
Here is a new patch to really fix all previous problems (testing is finished; it's working perfectly well for me).


FW:01_03_00_03
Build: 2021-10-18


Hi qali.pro,

thanks for all your effort and congrats  ;)

"zidot" already showed me how to patch my actual firmware.
Can you tell me if you would recommend to update my firmware to yours
(if this is possible?) and afterwards patch it or should I stay and patch it as it is?

I have following data read out of mine:
Firmware:     0A.01.03.00.01
Hardware:    01.01.000
Boot:            2018.06.27
Build:            2021-05-04 15:50:32

Thanks in advance.


Yes, I recommend updating (if you like). It is somewhat safe; to be on the safe side (if you do crazy stuff) you must make a backup of "rigol/data" (check #879 https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2241168/#msg2241168 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2241168/#msg2241168)).
You can go to the original F.W anytime you want.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on December 21, 2021, 10:39:13 pm
it's these types of things which Dave was complaining about in his initial review, when it first came out. I have been hoping for a re-review, like an update bug hunt with the newest firmware, but it has not happened yet?

but you would think so. given how many people have bought this scope. there are not others competing much close to it in the raw price / performance. once you figure out the per $ dollar value (per mhz / per msps / per channel). what with all the extra features like the signal gen, spectrum analyzer etc. included too

Because it just does not matter. Don't waste your time waiting for one. Most of the original bugs were related to the logic analyzer, which 99% of people never use (and should not use, unless you just need time correlation). There were never any "showstoppers".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Howardlong on December 23, 2021, 05:11:34 pm
Most of the original bugs were related to the logic analyzer, which 99% of people never use (and should not use, unless you just need time correlation).

I use the LA at the very least half the time I switch on the scope.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dreamcat4 on December 23, 2021, 06:34:58 pm
lol yeah... it's a core feature for me too. I am not at all sure what the other guy was talking about there...

So this is just a speculation. But maybe he meant that we should use the 4 scope channels instead of the LA channels connector, to avoid whatever that specific lag issue is that makes the LA problematic from a timings standpoint?

But how in the world is that not some major bug!?!?!?! For example what if you need more than only 4 digital channels

* Or he only meant 'scope scope its only a scope' features. Instead of the other additional side features?
* Or maybe the LA issues all is fixed now? Which was my original question here and entirely my point

Because blindly assuming this stuff is fixed. Is a completely different thing from actually having somebody go back and prove / demonstrate that an issue really is fixed now, and in the latest firmware(s). The 2nd being far more reassuring for a new buyer. It also includes checking for things like regressions or newly introduced bugs etc. Which might not have existed in earlier versions. Or simply at least showing people that there really are none.

Or am I missing something else here?  :-BROKE
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Howardlong on December 23, 2021, 07:30:44 pm
lol yeah... it's a core feature for me too. I am not at all sure what the other guy was talking about there...

So this is just a speculation. But maybe he meant that we should use the 4 scope channels instead of the LA channels connector, to avoid whatever that specific lag issue is that makes the LA problematic from a timings standpoint?

But how in the world is that not some major bug!?!?!?! For example what if you need more than only 4 digital channels

* Or he only meant 'scope scope its only a scope' features. Instead of the other additional side features?
* Or maybe the LA issues all is fixed now? Which was my original question here and entirely my point

Because blindly assuming this stuff is fixed. Is a completely different thing from actually having somebody go back and prove / demonstrate that an issue really is fixed now, and in the latest firmware(s). The 2nd being far more reassuring for a new buyer. It also includes checking for things like regressions or newly introduced bugs etc. Which might not have existed in earlier versions. Or simply at least showing people that there really are none.

Or am I missing something else here?  :-BROKE

The only LA specific problem I'm aware of is the 1ns trigger delay.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dreamcat4 on December 23, 2021, 07:34:52 pm
ah ok... so can this be worked around? For example by setting up the trigger on an analog channel instead? (but to be triggering for the LA capture)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Howardlong on December 23, 2021, 07:53:59 pm
ah ok... so can this be worked around? For example by setting up the trigger on an analog channel instead? (but to be triggering for the LA capture)

Well, you could do, but you'd need to deskew the channels anyway, whether there's a 1ns delay or not: on mine I need around a -2ns delay on the analogue channel to the LA with the stock probes.

In practice, it's no biggie to be honest. You get used to it, and while 1ns resolution on the LA is great, it's not all that often you're zoomed in that far that it makes a real difference. Furthermore, it's more typical you'd be using a serial trigger rather than a simple edge anyway.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on December 25, 2021, 10:01:17 pm
Hello,
Has anyone emulated this oscilloscope with QEMU? Please share with me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2021, 01:18:41 pm
Hello,
Has anyone emulated this oscilloscope with QEMU? Please share with me.

What are you trying to accomplish? Emulating the application in qemu probably isn't hard, but you still have to write the code for the peripherial. As this scope heavily relies on the zynq's FPGA, it'll be quite limited what you can emulate ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on December 28, 2021, 02:04:37 pm
Rigol MSO5000 Firmware v00.01.03.00.03 :

[Updated Contents]
--------------------

v00.01.03.00.03 2021/10/18

      - Optimized waveform display in XY mode.
      - Optimized the DC gain calibration algorithm.
      - The La channel is decoded in parallel, which solved the problem of decoding error in negative polarity.

Download:
https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/
Thanks, pushed those to https://gitlab.com/riglol/rigolee/firmware/
Sorry for the delay :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on December 29, 2021, 02:20:47 am
Most of the original bugs were related to the logic analyzer, which 99% of people never use (and should not use, unless you just need time correlation).

I use the LA at the very least half the time I switch on the scope.

Have you tested the new firmware to see if there are any improvements on the LA? I had seen the 1ns delay on a few occasions but was not able to reproduce it; I was on a beta firmware so not sure if that made a difference.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on December 29, 2021, 03:44:16 am
Hi
I'm new here.
I recently bought an MSO5074. And I applied the FW from qali.pro, message 2175. It worked ok. Thanks, qali.pro.
I am new to using Digital Oscilloscope. I am learning to use my MSO5074. I don't know if it's a BUG or not, as follows:
1. I want to do the Measuring the Modulation Index of AM Signal using an FFT, using the signal generated in G1 or G2 AWG, and then FFT - Math function in MSO5074.
2. For Unmodulated Signals (Sine/Square) I got a satisfactory result using the FFT function in Math of MSO5074.
3. And then, I want to measure the Deviation Meter for FM modulated signal, using the signal generated in G1 or G2 AWG, and then FFT - Math function in MSO5074.
4. For Measuring the Modulation Index of an AM Signal using an FFT, I found an application note for the SIGLENT SDS 1204X-E, here:
https://siglentna.com/application-note/measuring-the-modulation-index-of-an-am-signal-using-an-fft/?pdf=9065

And that's exactly what I want to do, but using MSO5074. I tried it in different ways, but I couldn't get a satisfactory result. Commands on both MSOs are different.
I ask for your help to find a satisfactory solution, as in the case of SIGLENT SDS 1204X-E.

5. To generate in AWG G1 or G2, Carrier Sine Signal f = 1MHz, with Vpp = 500mV, and Audio Modulator Sine f = 10 KHz, with AM Depth = 80%. I suggest the quick commands on MSO5000:
(Enter G2 SINE WAVE Signal 1 MHz with Modulation to CH-1)
(G2)  (Wave  Sine)  (Frequency)  (Set on Touch Screen  1 MHz)  (Amplitude)  (Set on Touch Screen  500 mV) 
 (AUTO)  (G2) 
(Settings)  (Type  Modulation)  (Type  AM)  (Waveform  Sine)  (Frequency)  (Set on Touch Screen  10 KHz)  (AM Depth  80%)   (Impedance  50R)  (Menu off)
6. I ask to do the sequence of commands on the MSO5000, which it does as shown above. In order to be easily reproduced.
7. Congratulations to all who contribute to the topic.

Possibly you should have raised a new post for this; however, I'm not sure what issue you are having and why you say the results are different. I am getting the same ~80%. The differences you may find are related to the attenuation caused by the cabling being used and the fact that the Siglent scope is averaging the results, which the Rigol does not, so the numbers will move up and down by tiny amounts. They are also using a dedicated signal generator which is likely far more accurate than one coming from an oscilloscope. If you use the 50 ohm output you will need a 50 ohm termination on the scope.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on December 30, 2021, 06:08:39 am
The 80% index is correct as the difference in the sidebands and the carrier is around the 7.9dbV mark. The issue you are having is that the modulated carrier appears to be half of the unmodulated carrier, is that correct?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on December 31, 2021, 12:37:29 am
I relooked at this with a different generator, a cheap one. I noticed that the modulated carrier dropped in amplitude only for the SG from the MSO5000, the external SG maintained its amplitude. From your screen I can see that the modulated carrier was no longer .5V P-P, not sure if anyone else had observed this as an issue. Will have to check.

The RMS voltage is a real measurement while the FFT is calculated, so there will be small differences; you can turn on the Vrms units instead of the dB in the FFT and those should align with each other. The large gap you are seeing is primarily due to you comparing the RMS value of the entire signal vs the signal of the carrier. Remember there are 3 signals with their own Vrms voltage; 106vrms is the combined wave.

The maths does imply that the carrier should go both higher and lower than its peak when modulated, so I am not sure if some generators vary the way they do AM modulation, and the document you attached does not show details of the modulated wave so I am not able to make a comparison to that. May have to search for some YouTube videos with examples.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on December 31, 2021, 08:46:25 am
Hi BRZ,

I have both oscilloscopes (MSO5074 and SDS 1104X-E), so I have replied your experiment.
But instead of the built-in generator, I have used the Siglent SDG2042X.

So please find the pictures I have from the experiment. For me it seems that there is no problem, the oscilloscopes are very close.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on December 31, 2021, 08:56:06 am
Tip, it seems that the DVM measurement is not very reliable for this experiment.
The current value is changing, the average value is more stable, but the DVM value is none of them - is very stable but way off.
See the picture below.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: quakeman on December 31, 2021, 03:16:41 pm
Maybe we should stay a bit more on the topic in this much too long thread, which is hacking the MSO5000 and not analyzing its performance.
It's hard enough to find the related posts for the patches and co without having to scroll unrelated messages. I think another thread for discussing the MSO5000 functions would be helpful. But these are only my thoughts concerning this thread to stay a bit more on its topic. :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Cerebus on December 31, 2021, 06:04:28 pm
Maybe we should stay a bit more on the topic in this much too long thread, which is hacking the MSO5000 and not analyzing its performance.
It's hard enough to find the related posts for the patches and co without having to scroll unrelated messages. I think another thread for discussing the MSO5000 functions would be helpful. But these are only my thoughts concerning this thread to stay a bit more on its topic. :)

My thoughts exactly. Please, just keep the discussion in this thread to "Hacking the Rigol MSO5000 series oscilloscopes", just like it says in the thread title. This kind of thread is enormously valuable to a large number of people, thus it's one of those places where the margin of tolerance for off-topic posting should be quite small.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on December 31, 2021, 06:34:34 pm
If you noted in my post I stated that he should raise this as a new post, however I was wondering whether this was a bug due to firmware so I felt it was necessary to check. I am going to put my last post that I deleted below as this is an easy check that others can do in another thread and produce something conclusive.

"Thanks Core.
You have confirmed what I suggested, the issue is with the SG and the way it generates the signal, as I mentioned the math says the modulated carrier will be larger than the carrier. Your picture shows that the modulated carrier is closer to 1Vp-p vs 500mvp-p. Rigol could be asked to look at the drop in voltage when the modulation starts but the rest is part of the design. My Feeltech SG also does not produce a higher voltage when modulated so this is a form of design. If they don't follow the math in how they implement the AM modulation then the results will be different. "

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BRZ.tech on January 01, 2022, 12:21:12 am
@quakeman, @Cerebus, @Megavolt, @normi.
I understood your opinions.
That way, just like @normi, I'll delete my posts relating to this subject. Not to detract from the main purpose of the discussion on this Thread: "Hacking the Rigol MSO5000 series oscilloscopes".
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 01, 2022, 01:52:12 am
When I see the pic with the FFT... Does the Rigol STILL have one colour for all math traces??  ::) :P
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on January 01, 2022, 02:24:47 pm
@quakeman, @Cerebus, @Megavolt, @normi.
I understood your opinions.
That way, just like @normi, I'll delete my posts relating to this subject. Not to detract from the main purpose of the discussion on this Thread: "Hacking the Rigol MSO5000 series oscilloscopes".
I had deleted the previous post because I felt that the conclusions I made were wrong since I later got the correct results, however I realized that the results were affected by the settings related to the impedance and therefore the conclusion could still be correct. Since the issue I doubt is related to the new firmware hack, it would require its own thread. You can raise a support question to Rigol and have them confirm if this is by design, which I suspect it is.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BRZ.tech on January 01, 2022, 06:45:22 pm
@normi.
1. Following your suggestion, I start a new Thread, summarizing what we talked about in this thread. Here:
https://www.eevblog.com/forum/testgear/rigol-mso5000-fft-scripts-and-bugs/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kn4ycd on January 04, 2022, 08:14:59 pm
Hey there!

I have all the files on a 4gb, fat32 formatted jump drive, in the root directory.  I just got my scope today, it has the 0A.01.03.00.01 build 2021-05-04 firmware.

Every time I try to install the patch, I get an error message that 'patch.txt' not found.  Are there files that are supposed to be in a sub-folder?  The zip had everything in one folder.

Thanks!

Jim

UPDATE - Win 11 formatting fat32 on the jump drive is no good.  Re-formatted with Rufus, and now I am past that error.  However, getting checksum errors.  Is there a patch file for this version of firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rgry on January 05, 2022, 06:56:01 am
Can I use this firmware and still get all the features turned on with the software hack? Do I need to modify anything?

[Supported Model]    All the MSO5000 Series Digital Oscilloscopes
[Latest Revision Date]  2021/10/18
v00.01.03.00.03 2021/10/18
      - Optimized waveform display in XY mode.
      - Optimized the DC gain calibration algorithm.
      - The La channel is decoded in parallel, which solved the problem of decoding
         error in negative polarity.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ktro on January 05, 2022, 08:54:36 am
You can. XY is just perfect.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: savytechlover on January 12, 2022, 02:55:33 am
guys i have mso5074 for about 3 months now...

i stumble across mso 5000 hacking... and i did watch few videos... from imsaiguy... i think the name...

also some of russian do the hacking... I'm still a bit confused though...

anyone can give a little clearer guides or something on how to do it... what should i do and whats not...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ON4FI on January 12, 2022, 07:26:45 am
Not a specialist here...
for you, see post https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3721423/#msg3721423

Regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: fengwumu on January 12, 2022, 09:33:44 am
Turn on the device with the left hand, while pushing the single button with the right hand.
Keep pushing it, over and over and over don't stop pushing, don't wait between pushes.
It works, I don't know why you are having problems.

After many attempts, I think I know the problem,
time1: Press the power button, the keyboard light is on, and the screen is dark;
time2: The keyboard light is off and the screen remains dark;
time3: The screen displays RIGOL, and the startup progress...

Just press single at time2, and the mysterious menu will appear.

 :-+Your operation method is correct! I have the same problem. Demote successfully in your way. Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on January 15, 2022, 06:14:13 pm
I have upgraded from v00.01.03.00.01 to v00.01.03.00.03, then hacked.
Everything seems to be fine.

Steps I've followed :

1. Backup everything just in case
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356
- get and unzip the first script file, put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade
- wait until 100%, then turn off/on
- repeat for the second script

2. Install the official firmware v00.01.03.00.03
- get the official firmware and unzip
- same steps like above, with the firmware file of course

3. Hack
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852
- get and unzip the file Patch.zip and put the three files on USB stick
- same steps like above

4. Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on

Thanks everybody !

P.S. XY mode it's OK.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ON4FI on January 16, 2022, 07:38:34 pm
Super all OK

upgraded scope first from 0A.01.03.00.03 to 00.01.03.00.03

above patch is ok

I measure more than 400 MHz bandwidth now

Thanks everybody


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kc55 on January 17, 2022, 12:53:46 pm
Hello everybody,



I apologize to everyone for the previous problems.
Here is a new patch for real fix all previous problems (finish tested it's working perfectly well for me).


FW:01_03_00_03
Build: 2021-10-18


Hello qali.pro, thanks for the updated patch. I had previously applied your first patch (I think from post #2142). How can I update to this patch? Thanks in advance
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on January 18, 2022, 08:34:13 am
Hello everybody,



I apologize to everyone for the previous problems.
Here is a new patch for real fix all previous problems (finish tested it's working perfectly well for me).


FW:01_03_00_03
Build: 2021-10-18


Hello qali.pro, thanks for the updated patch. I had previously applied your first patch (I think from post #2142). How can I update to this patch? Thanks in advance



Just install the official firmware v00.01.03.00.03, then patch it again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Wintel on January 18, 2022, 02:50:26 pm
Any new bug in firmware v00.01.03.00.03 now?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skes71 on January 21, 2022, 11:37:35 am
Hello,

I’ve just got the MSO5074 with the free MSO5000-BND for the serial protocols, the signal generators etc.
I just wanted to ask if the firmware patch enables the sshd.
If so, are the credentials still root/root or have they changed?
Thank you!

Firmware: 0A.01.03.00.01
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Wintel on January 24, 2022, 10:46:49 am
Thanks!

Have you tried to upgrade the MSO5072 to MSO5504 (BW:500MHz) with firmware 01_03_00_03?
You are welcome.
I'll try (BW:500MHz) as soon as possible .

Hi qali.pro,

Have you tried to upgrade to 500MHz and get 500ps/div?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Bax on January 28, 2022, 11:21:24 pm

Just wondering.

Has anyone from Rigol ever admitted that they design their test equipment to be hackable by the hobby community? A modified scope loses its warranty and that saves them support costs although the original firmware can be re-flashed.

Thanks.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hafrse on January 29, 2022, 07:08:03 am

Just wondering.

Has anyone from Rigol ever admitted that they design their test equipment to be hackable by the hobby community? A modified scope loses its warranty and that saves them support costs although the original firmware can be re-flashed.

Thanks.

Probably true, in that way they sell >100X  more 5072 units
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on January 31, 2022, 11:51:01 pm
I think the question to ask is whether anyone has been refused warranty because their scope was software hacked.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on February 01, 2022, 04:55:00 am
Thanks!

Have you tried to upgrade the MSO5072 to MSO5504 (BW:500MHz) with firmware 01_03_00_03?
You are welcome.
I'll try (BW:500MHz) as soon as possible .

Hi qali.pro,

Have you tried to upgrade to 500MHz and get 500ps/div?




Hi Wintel ,

Straight answer: No, it's not worth the effort.

To know why, please check msg2663334 https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2663334/#msg2663334



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on February 01, 2022, 08:03:49 am
Has anyone from Rigol ever admitted that they design their test equipment to be hackable by the hobby community? A modified scope loses its warranty and that saves them support costs although the original firmware can be re-flashed.

It's probably true but they'll never admit it in public because they're making plenty of full-price sales to companies, education, and other people who worry about "warranties". They need to maintain a certain level of FUD around anybody with money to spend.

Simple proof: They make models which can't be easily hacked, eg. the DS1000X models with signal generators (https://www.batronix.com/shop/oscilloscopes/Rigol-DS1074Z-S-Plus.html).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jemp on February 17, 2022, 01:22:46 pm
Upgraded, like described before... tnx to everybody !

The telnet, or SSH option is not enabled after upgrade..

Is there any script that enables it? So I could Putty into it.. I searched, but cannot find one

Jemp
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sergey Astakhov on February 18, 2022, 02:40:06 pm
The telnet, or SSH option is not enabled after upgrade..

Is there any script that enables it? So I could Putty into it.. I searched, but cannot find one

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: aprusek on February 22, 2022, 12:56:47 am
I did the upgrade as per instructions and cannot get Self Cal to get the scope to measure voltages properly.

Does anyone know the location of a GEL file to upgrade to FW 0A.01.03.00.01 so I can try to get back to where I started from?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on February 23, 2022, 12:10:12 am
Without the upgrade does the FW work?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: aprusek on February 24, 2022, 05:23:03 am
Managed to get things working.

Get the Firmware
Download FW 00.01.03.00.01 from message 1810
Put DS5000Update.GEL on a USB stick.
Make sure it is the only file.

Load the Firmware
 Upgrade via "Secret Menu"
(Other options failed)

Power On
Wait for lights out (Before “Rigol” and progress bar)
Press [Single]

Two options are displayed
Upgrade or Restore

Select Upgrade.

Scope should now show FW 00.01.03.00.01

Get the Patch
Download zip file from message 1665
put 01_03_00_01.bspatch
and patch.txt  on a usb stick

Get DS5000Update.GEL from message 1669
Put this with the two other files

Only 3 files should be on the USB stick.

Load the Patch
Select:
Utility>System>Help>Local Upgrade>Ok

Scope should show all options:
Utility>System>Help>Option list

Self Calibration
Utility>System>Self Cal>Start

If you are checking calibration
Make sure probes are decent and are set to x1



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on March 02, 2022, 01:14:23 pm
Managed to get things working.

Get the Firmware
Download FW 00.01.03.00.01 from message 1810
Put DS5000Update.GEL on a USB stick.
Make sure it is the only file.

Load the Firmware
 Upgrade via "Secret Menu"
(Other options failed)

Power On
Wait for lights out (Before “Rigol” and progress bar)
Press [Single]

Two options are displayed
Upgrade or Restore

Select Upgrade.

Scope should now show FW 00.01.03.00.01

Get the Patch
Download zip file from message 1665
put 01_03_00_01.bspatch
and patch.txt  on a usb stick

Get DS5000Update.GEL from message 1669
Put this with the two other files

Only 3 files should be on the USB stick.

Load the Patch
Select:
Utility>System>Help>Local Upgrade>Ok

Scope should show all options:
Utility>System>Help>Option list

Self Calibration
Utility>System>Self Cal>Start

If you are checking calibration
Make sure probes are decent and are set to x1

I thought you were using the new firmware FW:01_03_00_03
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: aprusek on March 04, 2022, 06:21:47 am
No, scope originally came with FW 0A.01.03.00.01.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tonkabot on March 09, 2022, 03:08:33 am
I just put 00.01.03.00.03 on my 5074, because I couldn't find the 1.03.00.01 version.  Will the patch still work?  Or do I have to get the 01 version first?
 :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sergey Astakhov on March 09, 2022, 11:06:40 am
I just put 00.01.03.00.03 on my 5074, because I couldn't find the 1.03.00.01 version.  Will the patch still work?  Or do I have to get the 01 version first?
 :-//

The patch is individual for each version. You need to select the correct patch for the firmware version you have installed.
Firmware update resets all changes and the patch will need to be installed again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ziDot on March 09, 2022, 11:33:12 am
I just put 00.01.03.00.03 on my 5074, because I couldn't find the 1.03.00.01 version.  Will the patch still work?  Or do I have to get the 01 version first?
 :-//

Instructions here:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3943042/#msg3943042

Skip step 2 in your case.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tonkabot on March 09, 2022, 05:26:12 pm
Got it all working.   used the right patch everything is happy.
It's sitting running the self Cal right now.

Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pr_cpp on April 03, 2022, 02:48:13 pm
Hello

I'm wondering how to roll back to the original configuration from the backup I have just made using your scripts. Just in case. Is there some kind of procedure (cli commands) or script doing it automatically? Did someone do it before, and in the worse scenario is there a chance that Rigol service will notice the scope was patched / modified?

Thanks.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sergey Astakhov on April 03, 2022, 03:12:51 pm
Hello

I'm wondering how to roll back to the original configuration from the backup I have just made using your scripts. Just in case. Is there some kind of procedure (cli commands) or script doing it automatically? Did someone do it before, and in the worse scenario is there a chance that Rigol service will notice the scope was patched / modified?

Just install the latest firmware and all changes will be reverted.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Atila on April 20, 2022, 06:40:54 pm
Hello, has anyone tried to use this hack on the MSO5152-E?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: SpacedCowboy on April 22, 2022, 02:58:41 am
This could be a stupid question, given the name of the thread, but does this work for the MSO8000 series as well ? Or is there any way of making that work ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: purpleTurtle on May 27, 2022, 07:24:42 pm
Hello,

I'm currently thinking of buying an oscilloscope for myself and got quite interested in the MSO5000 series. I wanted to ask a few questions regarding it and hope you could help :).

Did I understand correctly that the patch can unlock every feature and can "create" an MSO5354 out of an MSO5074?

Is internet access still possible after the patch or do I need to watch out because of some communication between the oscilloscope and the Rigol server?

Can you undo the patch with the factory reset in case something happened and it needs to be sent back to Rigol?

Many thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on May 27, 2022, 07:45:27 pm
Did I understand correctly that the patch can unlock every feature and can "create" an MSO5354 out of an MSO5074?

Yes.

Can you undo the patch with the factory reset in case something happened and it needs to be sent back to Rigol?

Yes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ahmedik83 on May 27, 2022, 09:58:01 pm
I just put 00.01.03.00.03 on my 5074, because I couldn't find the 1.03.00.01 version.  Will the patch still work?  Or do I have to get the 01 version first?
 :-//

Instructions here:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3943042/#msg3943042

Skip step 2 in your case.
Hi
I tried this method and it failed. In this zip the DS5000Update.GEL file is only 130 kb, is that normal? I tried to copy another one, 60mb, from github - it is upgrading but not patching. What am I doing wrong?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on May 27, 2022, 10:40:51 pm
Hi
I tried this method and it failed. In this zip the DS5000Update.GEL file is only 130 kb, is that normal? I tried to copy another one, 60mb, from github - it is upgrading but not patching. What am I doing wrong?

Read the instructions again, follow them line by line, one at a time.
Post here again if you are not sure what it is telling you to do.

After step 2, go to your info page and it should say "firmware version v00.01.03.00.03"
Patch is 130kB yes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ahmedik83 on May 28, 2022, 05:36:50 pm
I ordered the oscil with the latest FW and skipped 2 steps. Downloaded the patch with 3 files inside. Extracted them and put them onto the usb. It shows the error no usb mounted (attaching photo). But when I changed the DS5000Update file to the other one with 60 mb it is updating without patching. And also when you move the usb from the oscil to the PC it shows that the usb has errors and needs to correct them, no matter that I tried different usb flashes.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ahmedik83 on May 29, 2022, 03:00:51 pm
Solved the problem. The problem was that when I unzipped these files, the 01_03_00_03.bspatch file unzipped incorrectly. Don't know why. When it is correct it shows like a txt file, when not - like a file.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: liteyear on May 30, 2022, 04:11:24 pm
Worked perfectly. Note both the FW version and the date must match:

Quote
FW:01_03_00_03
Build: 2021-10-18

For some reason I had a MSO5074 with the same FW but a slightly older date. The patch failed on the checksum match and I had to "update" to the official FW. I downloaded that from https://gitlab.com/riglol/rigolee/firmware/-/tree/MSO5000/GEL because two different links on the Rigol site kept timing out.

Otherwise, piece of cake. Didn't need to wipe the USB stick in between either. Just make sure the correct files are at root level.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: AFremont on June 12, 2022, 02:23:33 pm
Wife got me a 5074 for my birthday.  I really want the increased bandwidth, but I am terrified of bricking the scope.   I haven't let it update itself over the internet yet, for fear of it loading a version of FW that isn't hackable.  I'll do a lot more reading of this thread before I do anything, but is there any last minute stuff I need to know before trying this?  It looks like this process is continually evolving as each newer firmware version comes out.  Thanks for reading.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on June 12, 2022, 04:01:07 pm
I'm not sure it's possible to brick it. You can reset it to the factory firmware with a suitable USB stick.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: vutt on June 18, 2022, 10:05:28 am
Bought my MSO5074 this month from Batronix with 2022/01/22 factory calibration date

I actually applied included promo bundle (all options except memory and bandwidth upgrade) first.
Then followed this guide: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3943042/#msg3943042 (skipped FW upgrade because I had already latest one)

Everything worked as described!

Now any ideas how to patch tastefully RIGOL sticker label on unit? 
Edit: It looks we have: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3522284/#msg3522284  8)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gb243 on June 26, 2022, 06:21:58 am
My hacked 70MHZ MSO5702 shows all the options as permanent. Yet I measure a 3db bandwidth of 106MHZ. This sounds about right for a 70MHZ model.

The FW was 01.03.00.01 build 2020-05-18. I used the Liberator .7z archive and everything ran in with no issues. This was followed by a Self Cal. Everything else seems to work. Any ideas???
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on June 27, 2022, 11:59:07 pm
My hacked 70MHZ MSO5702 shows all the options as permanent. Yet I measure a 3db bandwidth of 106MHZ. This sounds about right for a 70MHZ model.

The FW was 01.03.00.01 build 2020-05-18. I used the Liberator .7z archive and everything ran in with no issues. This was followed by a Self Cal. Everything else seems to work. Any ideas???

What device are you using to measure the bandwidth, do you have a 150MHz+ signal generator?
You don't have 100MHz bandwidth filter on?
Same on another channel right?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: olafnew on June 28, 2022, 01:05:24 am
Is it just me, or maybe a more thorough overall control of the unit after the hack... but - I've seemed to notice that a scope after a hack to full options upgrade runs way hotter than it was before the upgrade. Did anyone else notice something similar?

Perhaps it has something to do with fan speed profile in the firmware?

P.S. Do I understand correctly that there is NO brightness control? I have an old analogue scope that has brighter CRT...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on June 28, 2022, 01:10:46 am
Is it just me, or maybe a more thorough overall control of the unit after the hack... but - I've seemed to notice that a scope after a hack to full options upgrade runs way hotter than it was before the upgrade.

The only thing the bandwidth hack does is disconnect a capacitor from the input.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ResistorRob on June 28, 2022, 06:02:09 am

P.S. Do I understand correctly that there is NO brightness control? I have an old analog scope that has a brighter CRT...

I do not think there is brightness control. I know one issue when this scope first was released was the screen was really dim. Supposedly one of the firmware updates fixed this issue. I keep hearing mixed feedback as to whether this scope is now bright enough. It's the one thing holding me back from buying one.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gb243 on June 28, 2022, 08:44:25 am
Thanks for the reply. I am using a TGF-4242 240MHZ function generator. Also a bnc to bnc patch cable through a Rigol ADP0150BNC 50Ω Impedance Adapter. This should match the 50ohm output of the function generator. I have the scope set for full bandwidth. There are 20,100,200MHZ options but none of these are selected.
In a couple of weeks I hope to get a Rigol DSG821  2.1GHz RF Signal Generator. This will give a second RF source just in case I am doing anything really dumb with the TGF-4242. I am always ready to admit to doing dumb things now and again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hussamaldean on June 28, 2022, 09:55:55 am
I just liberated my new MSO5074 yesterday, FW 01.03.00.01 build 2020-05-18, easy peasy and purring like a pussy.

I've attached the necessary files and describe below what I did for the convenience of others. Nothing new, it all comes from previous posts.

Steps I took to liberate the scope:
  • Verified installed FW is version 01.03.00.01 build date May 18, 2020 (Utility => System => About)
  • Copied three files, that can be extracted from attached .7z archive, to root of empty 8GB FAT32 USB drive
  • Started up scope
  • Inserted drive to front panel USB port
  • Utility => System => Help => Local upgrade
  • "Upgrade system firware?" => OK
  • Let the scope do its thing - takes a minute or two, or five, go with the flow
  • Reboot scope
  • Verified all options now licensed ...forever... (Utility => System =>  Help => Option list)
  • Bob's your uncle

I suppose I should recalibrate now too, which according to Olliver goes like this:

  • Make sure that the instrument has been operating for at least 30 minutes
  • Disconnect all input channels (including probes)
  • Utility => System => Self-Cal => Start
  • Self calibration takes ~ 35 minutes to complete
  • When complete, reboot the scope

I verified that all options were upgraded ...forever... (notwithstanding what the effects may be of any future official FW updates I may decide to apply). I did not verify that the patch disables the "phone home" firmware upgrade check, but I have no reason to think it doesn't. This patch does not enable the sshd daemon. To ssh as root into the scope, follow mabl's instructions - which needs to be reapplied after each scope reboot whenever you want SSH access.

This is not going to work for you if your installed FW is not version 01.03.00.01 and having build date May 18, 2020. In that case you will need to adjust the patch.txt file in accordance with instructions that can be found in other posts.

Where the files and info came from:
  • Basic GEL file from mabl https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2704640/#msg2704640
  • Modification to disable "call home" FW updates from typoknig https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3024342/#msg3024342
  • Modification for FW version 01.03.00.01 May 2020 build from omgoleus https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3344172/#msg3344172

Will this hack work with Rigol MSO5074?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gb243 on June 28, 2022, 01:55:09 pm
If you meet the prerequisite FW and build versions then quite likely yes. I am investigating a bandwidth issue that may or may not be real. Everything else for me worked out ok. I think a lot of others have also had no issues. I would recommend doing a backup first though.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on June 28, 2022, 02:15:48 pm
Will this hack work with Rigol MSO5074?

Yes.

If you meet the prerequisite FW and build versions then quite likely yes.

You know about the secret menu, right?

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2248542/#msg2248542
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: baggerbole on July 19, 2022, 05:57:40 am
Hi all,
I'm new to this forum and have been trying to find my way around this thread. This is not so easy, the thread is miles long....
I have a Rigol MSO5074 and would like to use the frequency expansion and function generator. Can someone please summarize the current state of the hack and explain it to me for dummies?
I am still a virgin as far as Linux is concerned....
Is post #2251 the latest hack?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on July 19, 2022, 08:38:27 am
Lesson #1 for dummies: if 91 pages of thread is too much to read then you don't need to "hack" your scope just yet.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: baggerbole on July 19, 2022, 09:19:23 am
That is very wise.
Thank you tv84  ::)

Are there any more helpful tips?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on July 19, 2022, 01:38:32 pm
Tip: On long threads, it is usually a good idea to read a few pages starting from the end. People keep asking the same questions because they didn't read the whole thread. The answers are usually repeated a few times.

Still, there's nuggets of useful information across the whole thread that go unnoticed unless you give it a good read.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Ogawa Mitsuaki on July 20, 2022, 11:51:32 pm
Tip: For example, it's a good idea to search for "patch" and read the search results carefully from behind and read them over and over again.
I think there are various search terms.
The latest firmware is "01_03_00_03", so you can skip it before that.

Then you will be grateful for the power and effort of everyone in this threads.
(But everything is at your own risk.)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Parzival on July 23, 2022, 06:59:06 am
This is my first post to the forum. I have been a lurker for far too long so I thought it best to, at the very least, provide some positive feedback to this thread!

I recently purchased a Rigol MSO5074 from Amazon in the UK, with the intention of unleashing its full potential.

It arrived with the following setup: -

Model   MSO5074
Firmware   00.01.03.00.03
Hardware   01.01.000
Boot   2018.06.27
Build   18/10/2021  14:14:08



I am very happy to say that I was successful and it took no time at all by following the instruction provided by qali.pro in the following post: -

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852

Thanks to all concerned! I hope this success of mine, through the vast expertise of others, gives more people the confidence to upgrade.

 :-+ :D

PS: Can't believe my username wasn't already taken! No "Ready Player One" fans out there?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: brainiac94 on July 27, 2022, 07:27:38 pm
I cannot thank you all enough for making this possible. I bought the scope after finding out about this thread, and it really was as easy as installing a single patch (Same parameters as Parzival). Unbelievable!

While the self cal is running: Does anyone else have coil whine in their scope?


-brain
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: empo on July 30, 2022, 03:20:08 pm
Hmm...  What am I doing wrong  |O

I can download the Patch.zip file, but I get an error when trying to open it, and then somehow Windows removes it from my disk 🙈

How did you guys manage to unzip the patch? ???
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on July 30, 2022, 03:24:04 pm
Check your antivirus logs, I expect a false positive or some malware from somewhere else...

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: empo on July 30, 2022, 03:29:53 pm
Thanks mate !

It was the "real time antivirus protection" in windows.

I at least would have expected Win11 to notify me if it interfered with actions started by me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on July 30, 2022, 05:05:57 pm
... with actions started by me.

How does it distinguish them??  ::) :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: empo on July 31, 2022, 03:49:46 pm
Quote
How does it distinguish them??  ::) :-//

I'd imagine the OS knows that a double click from the mouse is user initiated, and from there it goes down the rabbit hole until it tries to open winrar. But the red thread should remain through on the whole journey :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jjoonathan on July 31, 2022, 04:40:18 pm
Yeah, but messing with engineers is the favorite hobby of most antivirus.

Seriously, though, this is why 1st party antivirus is so much better than 3rd party: the OS vendors are in a position to make cross-cutting changes while 3rd party AV has to hook everything. I'm not familiar with the Windows stack, but on Mac OS typing into a password field actually activates a separate event pathway that is more difficult to snoop. Imagine the number of coordinated changes needed to make that happen, and now imagine if you had to inject and maintain those changes on top of someone else's codebase -- someone else who has no obligation to move slowly or notify you if they change things. Yuck.

Unfortunately 1st party AV can be made to look like "doing nothing" by rivals in the Game of Aeron Chairs, so many businesses unwisely choose to use 3rd party AV and everyone suffers.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: crgarcia on August 02, 2022, 08:29:38 am
Quote
How does it distinguish them??  ::) :-//

I'd imagine the OS knows that a double click from the mouse is user initiated, and from there it goes down the rabbit hole until it tries to open winrar. But the red thread should remain through on the whole journey :)

I don't think so, I think mouse clicks are coming from a driver, and can be done from software by somebody that has full admin rights.
Anyways, I checked the file (https://www.virustotal.com/gui/file/8d5c76efa07d9030c76ff467ec091ca61e3ba361a5f784b40c73615a10e30ab0?nocache=1) and nobody detects anything strange, only Defender for windows (I had the same issue)

Thanks!

PS: If you just want to patch your Rigol but got lost in the thread, here is all you need: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3943042/#msg3943042
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TK on August 06, 2022, 04:34:28 am
Rigol has a back to school promo on the MSO 5074 for just $799 through 9/30/2022.  It can be purchased at saelig with the EEVBLOG coupon for an extra 6% discount.  On tequipment I guess you need to request quote asking for the 6% discount.



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TerminatorBetaTester on August 08, 2022, 10:20:45 pm
Hi all,

Thanks for the great work in this thread.

I'm trying to upgrade my recently purchased MSO5240 with the auto-patcher per posts:
It shipped with:

I'm having trouble getting the scripts to execute.  The backup scripts finished far too quickly to be copying any data and I found no additional directories on the flash afterward. The auto patcher also fails with a "'patch.txt' not found" similar to post 2202 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3918230/?topicseen#msg3918230). Is my problem with the flash formatting? I formatted with macOS diskutil with the default parameters.


edit: UPDATE

I resolved the issue, and the explanation is consistent with behavior indicated with post 2202 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3918230/?topicseen#msg3918230).

The partition table MUST be MBR. By default, in macOS, it's GUID. I suspect that's also the case in W11.  All scripts executed successfully once I reformatted the drive:

Code:
sudo diskutil eraseDisk FAT32 USB MBRFormat /dev/diskX
Where X is the USB disk number.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on August 08, 2022, 10:23:38 pm
The format of the USB storage has to be FAT or FAT32, nothing else.

Practically, this limits the usable MSD size but 16/32GB should be ok.

Martin
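
An added example, not part of the two posts above or of any tool mentioned in the thread: a read-only check of the layout they describe, an MBR partition table (not GUID) with a FAT or FAT32 volume. It assumes 512-byte logical sectors; the function names are hypothetical and the sample images are constructed in memory.

```python
"""Report whether a USB stick or raw image is MBR-partitioned with a FAT volume."""
import struct
import sys

SECTOR = 512  # assumption: 512-byte logical sectors, as on typical USB sticks
FAT_PARTITION_TYPES = {0x01, 0x04, 0x06, 0x0E, 0x0B, 0x0C}  # FAT12/16/32 MBR type bytes
GPT_PROTECTIVE = 0xEE  # type byte of the protective MBR entry on a GPT disk


def fat_label(sector: bytes):
    """Return 'FAT12', 'FAT16' or 'FAT32' if the sector looks like a FAT boot sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    for offset in (82, 54):  # type string: FAT32 at offset 82, FAT12/16 at offset 54
        tag = sector[offset:offset + 8].rstrip()
        if tag in (b"FAT12", b"FAT16", b"FAT32"):
            return tag.decode()
    return None


def mbr_partitions(sector0: bytes):
    """Decode the four 16-byte partition entries that start at offset 446."""
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # type byte 0x00 marks an unused slot
            parts.append({"type": entry[4], "start": start, "sectors": count})
    return parts


def inspect_stick(read_sector):
    """Classify the layout; 'ok' means MBR + FAT, the layout the posts report as working."""
    s0 = read_sector(0)
    if len(s0) < SECTOR or s0[510:512] != b"\x55\xaa":
        return {"scheme": "none", "filesystem": None, "ok": False}
    if fat_label(s0):  # sector 0 is itself a FAT boot sector: no partition table
        return {"scheme": "unpartitioned", "filesystem": fat_label(s0), "ok": False}
    parts = mbr_partitions(s0)
    if any(p["type"] == GPT_PROTECTIVE for p in parts) and read_sector(1)[:8] == b"EFI PART":
        return {"scheme": "GPT", "filesystem": None, "ok": False}
    if not parts:
        return {"scheme": "MBR", "filesystem": None, "ok": False}
    first = parts[0]
    fs = fat_label(read_sector(first["start"]))
    ok = first["type"] in FAT_PARTITION_TYPES and fs is not None
    return {"scheme": "MBR", "filesystem": fs, "ok": ok}


def reader_for_bytes(image: bytes):
    """Sector reader over an in-memory image."""
    return lambda lba: image[lba * SECTOR:(lba + 1) * SECTOR]


def reader_for_path(path: str):
    """Sector reader over a raw device or image file (opened read-only)."""
    def read_sector(lba):
        with open(path, "rb") as fh:
            fh.seek(lba * SECTOR)
            return fh.read(SECTOR)
    return read_sector


def build_sample(scheme: str) -> bytes:
    """Constructed 16-sector image: 'mbr' (one FAT32 partition) or 'gpt'."""
    img = bytearray(16 * SECTOR)
    img[510:512] = b"\x55\xaa"
    if scheme == "mbr":
        img[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0x0C, b"\0\0\0", 8, 8)
        vbr = 8 * SECTOR
        img[vbr:vbr + 3] = b"\xeb\x58\x90"
        img[vbr + 82:vbr + 90] = b"FAT32   "
        img[vbr + 510:vbr + 512] = b"\x55\xaa"
    else:
        img[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", GPT_PROTECTIVE, b"\0\0\0", 1, 15)
        img[SECTOR:SECTOR + 8] = b"EFI PART"
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_stick(reader_for_path(sys.argv[1])))
    else:
        for name in ("mbr", "gpt"):
            print(name, inspect_stick(reader_for_bytes(build_sample(name))))
```

Pass a raw device or image path as the first argument to check a real stick; reading a raw device usually needs elevated privileges.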
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tdftdf on August 21, 2022, 09:50:02 am
hi everybody.
latest firmware v00.01.03.00.03 downloaded from    https://www.rigolna.com/firmware/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on August 22, 2022, 08:25:43 am
This is an old version. Since last year.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on August 24, 2022, 10:32:22 pm
I hack my mso5104, now all options are licensed forever, but the rise time is not good, about 3.5ns not 1.7ns
what is your rise time after hack ?  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on August 24, 2022, 10:39:39 pm
I hack my mso5104, now all options are licensed forever, but the rise time is not good, about 3.5ns not 1.7ns
what is your rise time after hack ?  :popcorn:

tv84 was getting ~440ps. Seems slow, but, probably an issue with your source no? Do you have anything to verify the source is capable of 1.7ns?
Also make sure you've run the self-calibration.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on August 25, 2022, 08:27:32 am
I hack my mso5104, now all options are licensed forever, but the rise time is not good, about 3.5ns not 1.7ns
what is your rise time after hack ?  :popcorn:

tv84 was getting ~440ps. Seems slow, but, probably an issue with your source no? Do you have anything to verify the source is capable of 1.7ns?
Also make sure you've run the self-calibration.

Splain this video: https://www.youtube.com/watch?v=E2gPPSxbopY and this is the diagram circuit: https://drive.google.com/drive/folders/1__66ZhlC1BKuy__uELK9CTNxm6QUgCCk
Is a simple schmitt trigger oscillator.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on August 27, 2022, 11:12:46 am
The hack not open bw on my mso5104 :-(

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Nx-1997 on September 01, 2022, 02:28:16 am
Got the scope last week (MSO5074, Build 2021, Boot 2018, FW 1.03.00.03). I was also concerned about the bandwidth after the hack. So, I decided to test it using my signal generator, 1Vrms. I forgot to reset the statistics for the before images. The before images (before applying the patch) and after images (after applying the patch and selfcal). The hack works fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on September 01, 2022, 02:34:18 am
So, I decided to test it using my signal generator, 1Vrms. I forgot to ............
terminate into 50 Ohms.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Nx-1997 on September 01, 2022, 05:54:58 am
It is terminated using a 50 Ohm feed-through terminator. The before 100MHz image only shows 665mVrms as the scope's bandwidth is only 70MHz. After the hack, the scope accurately shows 1Vrms @ 100MHz as the bandwidth has been increased.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on September 01, 2022, 07:41:25 am
It is terminated using a 50 Ohm feed-through terminator. The before 100MHz image only shows 665mVrms as the scope's bandwidth is only 70MHz. After the hack, the scope accurately shows 1Vrms @ 100MHz as the bandwidth has been increased.
OK, sorry in the many times I have checked BW it is always with a 1V p-p signal not RMS.
So glancing at graticules...yes excuse me as that was the only way to measure with old CRO's, a 1V/div setting should be only 2 graticules amplitude but it was 4 which is the normal displayed output when the ARB is not terminated.
Please carry on.  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on September 01, 2022, 07:44:21 am
Got the scope last week (MSO5074, Build 2021, Boot 2018, FW 1.03.00.03). I was also concerned about the bandwidth after the hack. So, I decided to test it using my signal generator, 1Vrms. I forgot to reset the statistics for the before images. The before images (before applying the patch) and after images (after applying the patch and selfcal). The hack works fine.

What is your signal generator?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Nx-1997 on September 01, 2022, 08:14:08 am
WaveTek 3510.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Alekkomi on September 04, 2022, 08:09:30 pm
Have a nice day to everyone! I recently bought myself such an oscilloscope and hacked it as you have described everything. Everything went well. The only thing that bothers me is the heating of the oscilloscope. Is this normal? Below I attach the pictures taken with a thermal imager. Sorry for my English.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on September 05, 2022, 11:22:49 am
Yes, the temperature is normal. So is everyone. Somewhere there was a theme of refinement to reduce the temperature.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 06, 2022, 07:39:55 pm
+1.

Temperatures have increased since the fan noise was reduced(by lowering the rpm).
Asked the support and they answered this is OK and tested before.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Ogawa Mitsuaki on September 07, 2022, 11:08:25 pm
Hello
I also faced heat issues.
See my photo on page 78.
A USB5V powered fan was attached to the rear exhaust.
(It is installed in the direction of discharging to the outside)
This will dramatically reduce the temperature of the MSO5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 08, 2022, 09:39:18 pm
See my photo on page 78.

Here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3471660/#msg3471660).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: crgarcia on September 18, 2022, 08:45:40 pm
Hello
I also faced heat issues.
See my photo on page 78.
A USB5V powered fan was attached to the rear exhaust.
(It is installed in the direction of discharging to the outside)
This will dramatically reduce the temperature of the MSO5000.

Any chance you can share the files and the fan you are using?  :D
I have no clue how to do a 3d model, but I can send it to print online I guess

Thanks!

PS: If you just want to patch your Rigol but got lost in the thread, here is all you need: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3943042/#msg3943042
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Robertkopp on September 22, 2022, 11:55:17 am
Hey buds,
I got the Rigol 5104 and it gave me a checksum error, so I cancelled the update.
In the posts I found that there are 2 versions of the firmware update.
I searched the web and only found these dumps https://gitlab.com/riglol/rigolee/firmware
I can not find the may version, only the march one.

2 questions

Do I need to change something in the patch because I got the 5104?

Can I do the 2021 update after the hack?


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on September 22, 2022, 02:26:45 pm
You must install version v00.01.03.00.03. Then hack it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MathWizard on September 29, 2022, 05:10:39 pm
So does this hack turn the 70MHz 4-ch scope into the 350MHz version ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on September 29, 2022, 08:51:57 pm
So does this hack turn the 70MHz 4-ch scope into the 350MHz version ?

No, 500MHz, somewhere between 450-500MHz real world.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 29, 2022, 09:05:34 pm
So does this hack turn the 70MHz 4-ch scope into the 350MHz version ?

Yepp, in the official 5354 version.. ;)
Actually, the 5074 is real cheap to get including option bundle:

https://www.batronix.com/versand/oszilloskope/Rigol-MSO5074.html

For this price there is no alternative in sight.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on September 29, 2022, 09:10:27 pm
So does this hack turn the 70MHz 4-ch scope into the 350MHz version ?

No, 500MHz, somewhere between 450-500MHz real world.
Really, please tell where a 500 MHz model is advertised ?

Instead the max for this range is 350 MHz.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on September 29, 2022, 10:33:51 pm
So does this hack turn the 70MHz 4-ch scope into the 350MHz version ?

No, 500MHz, somewhere between 450-500MHz real world.
Really, please tell where a 500 MHz model is advertised ?

Instead the max for this range is 350 MHz.

It was never sold, for various reasons. But the software option was partially implemented (ctrl-f in this thread for 500MHz).
Same thing Dave saw on one of the Keysights.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on September 29, 2022, 10:41:32 pm
Quote
It was never sold, for various reasons.

Main reason was, there is no 500Mhz bandwidth available.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tautech on September 29, 2022, 11:20:14 pm
Quote
It was never sold, for various reasons.

Main reason was, there is no 500Mhz bandwidth available.
Yep and SW code bears no relation to the models actually available. The code in these modern scopes is Cut/Paste into several models but the deeper SW commands are those that actually set the model #/BW.

The only way to be sure what any model series is capable of is to do a full investigation of what the manufacturers actually market, be it in their own marketplace and worldwide.

Wanna know the real truth then ask the Toy Wonder tv84.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Caliaxy on September 30, 2022, 12:03:58 am
Have a nice day to everyone! I recently bought myself such an oscilloscope and hacked it as you have described everything. Everything went well. The only thing that bothers me is the heating of the oscilloscope. Is this normal? Below I attach the pictures taken with a thermal imager. Sorry for my English.

Nice thermal images. 69.3C?! You can pasteurize milk at that temperature... Why are BNC inputs 2 and 4 hotter than 1 and 3?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on September 30, 2022, 12:15:08 am
Quote
It was never sold, for various reasons.

Main reason was, there is no 500Mhz bandwidth available.

Yes as I noted, 450-500Mhz real world, which is not enough for a "500M badged" scope which would have to be ~550+. So if you had to slap a badge on it, maybe "420"?

Yep and SW code bears no relation to the models actually available. The code in these modern scopes is Cut/Paste into several models but the deeper SW commands are those that actually set the model #/BW.

The only way to be sure what any model series is capable of is to do a full investigation of what the manufacturers actually market, be it in their own marketplace and worldwide.

Wanna know the real truth then ask the Toy Wonder tv84.

The information is already provided by tv84 and others in this thread.

Reading comprehension here is really going downhill.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on September 30, 2022, 07:51:46 am
The information is already provided by tv84 and others in this thread.
I have read this thread from the very beginning. And then again I specifically looked for how to make 500 MHz. I found many references to this. But there I did not find a working recipe that can be repeated :(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: m4l490n on October 01, 2022, 02:16:59 am
I am very happy to say that I was successful and it took no time at all by following the instruction provided by qali.pro in the following post: -

What instruction? The post you link is only a link to download the patch. I just bought mine yesterday and I'm having a hard time doing the hack. I haven't found the straightforward instructions to do this  :(
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on October 01, 2022, 02:31:13 am
The instructions are in the last three pages of this thread. Go read a few pages back. It's repeated every few pages.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: m4l490n on October 01, 2022, 02:52:45 am
Yeah, it turns out my USB stick was not properly formatted.

It is really as simple as downloading the patch.zip file here https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852 and perform a local upgrade. That's it!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on October 01, 2022, 05:10:53 pm
I specifically looked for how to make 500 MHz. I found many references to this. But there I did not find a working recipe that can be repeated

I'm guessing that references to a hacked MSO5074 being a "500MHz scope" are from measured performance.  There are several youtubes that show people measuring the bandwidth performance (https://youtu.be/eaoHYWYLRV0?t=231) (where a 3dB drop is detected) before the hack and after.  Those vids often show that after the hack the scope gets to a 3dB drop at around 500MHz - at least when you're only using one channel (the 3dB drop is before 500MHz if you're using more than one channel).

I imagine you will find similar results for many 350MHz scopes - the vendor guarantees 350Mhz, but the scope can actually be pushed further in many cases.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on October 01, 2022, 05:19:44 pm
I'm guessing that references to a hacked MSO5074 being a "500MHz scope" are from measured performance.

It's definitely not an official option.

I imagine you will find similar results for many 350MHz scopes - the vendor guarantees 350Mhz, but the scope can actually be pushed further in many cases.

Yes. Many 'scopes seem to manage 30-40% extra in practice.

(350*1.4) = 490 ... near enough "500Mhz"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on October 01, 2022, 06:14:27 pm
I have read this thread from the very beginning. And then again I specifically looked for how to make 500 MHz. I found many references to this. But there I did not find a working recipe that can be repeated :(

The "baked cake" is here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2656659/#msg2656659). The recipe was never published.

You have no need to change the model because, AFAIR, with the MSO5354 model gives you the BW up to the scope's limit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Esamon on October 01, 2022, 09:38:11 pm
After applying the liberator to my 5072 everything is forever. Has anyone tried using UltraSigma/UltraScope after doing this? and does your HDMI out work?
Thanks to everyone involved in this endeavor for all your hard work and time. I'm sure I speak for everyone that took advantage of your work. YOU ARE ALL GREATLY APPRECIATED! :clap: :clap: :clap:

Mick B has already asked it and I could not find an answer either.

Does someone know whether it is safe to use Ultra Sigma and UltraScope after the "Update"?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Exeu on October 02, 2022, 04:53:55 am
Hello!

So I ended up patching my Rigol with the newest FW out there. So far it works. But I cannot access the WebControl anymore. It always asks me for a PW which I don't have.
I tried using "admin:rigol" but without success..

Do you know anything about it? Most likely it is also here in the thread but I cannot find it...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on October 02, 2022, 06:17:16 am
The recipe is trivial when you know how to manipulate the ingredients. We also discuss a bit about it at the start of the thread. The gitlab repository also has the recipe. And the recipe can be rediscovered when you know how to unpack the thing from scratch. But yes, it's hard to explain in simple words how to do it, when it's already hard for many to put the baked cake on a key.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: amri_amin on October 02, 2022, 03:37:46 pm
Hi,

I have successfully patched my MSO5074 but it is impossible to do a self calibration. The process stops at 6% with a message "Status : Error: Data line".
Do you have an idea what is causing this?
All channels are disconnected of course and the oscilloscope was on for more than 30 minutes as recommended.
Thanks.

Update:
By fast pressing buttons MENU MENU FORCE MENU UTILITY->System->SelfCal, hidden menus appear where you can choose the items you want to calibrate and you have a more verbose mode (screenshot below)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on October 03, 2022, 06:17:58 am
Looks like you found the official way to the "project mode"! https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2671677/#msg2671677

How did you manage this?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: amri_amin on October 03, 2022, 08:53:56 pm
found here:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-series-buglist-continued-(from-fw-00-04-04-03-02)/msg1190818/#msg1190818
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on October 03, 2022, 09:12:11 pm
found here:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-series-buglist-continued-(from-fw-00-04-04-03-02)/msg1190818/#msg1190818

 :-DD   :clap:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Kahooli on October 07, 2022, 11:09:10 pm
I think this is displayed at the bottom of the network config pages. root / rigol default.

Also, I just 'patched' my new scope up to max options, which for the current promotion added mem depth and bandwidth unlock.
Thanks again to all that made this possible. I hope I will be able to return the favor with some FOSHW I've been working on to share.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Greid on October 21, 2022, 11:31:51 pm
With so many pages and so much information here was there ever a step by step post or document made of how to do the hack? If so can someone direct me to where it is? I've read about the first 10 pages and see lots of pieces of information but get confused because it's all broken up across multiple posts.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on October 22, 2022, 02:57:37 am
Just read the last few pages, the post was linked recently.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Alekkomi on October 22, 2022, 11:24:12 am
With so many pages and so much information here was there ever a step by step post or document made of how to do the hack? If so can someone direct me to where it is? I've read about the first 10 pages and see lots of pieces of information but get confused because it's all broken up across multiple posts.

I did it this way.

Get the Firmware
Download FW 00.01.03.00.01 from message 1808
Put DS5000Update.GEL on a USB stick.
Make sure it is the only file.

Load the Firmware
Upgrade via "Secret Menu"
(Other options failed)

Power On
Wait for lights out (Before “Rigol” and progress bar)
Press [Single]

Two options are displayed
Upgrade or Restore

Select Upgrade.

Scope should now show FW 00.01.03.00.01

Get the Patch
Download zip file from message 1663
put 01_03_00_01.bspatch
and patch.txt on a usb stick

Get DS5000Update.GEL from message 1667
Put this with the two other files

Only 3 files should be on the USB stick.

Load the Patch
Select:
Utility>System>Help>Local Upgrade>Ok

Scope should show all options:
Utility>System>Help>Option list

Self Calibration
Utility>System>Self Cal>Start

If you are checking calibration
Make sure probes are decent and are set to x1
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on October 22, 2022, 02:53:13 pm
Quote
Self Calibration
Utility>System>Self Cal>Start

If you are checking calibration
Make sure probes are decent and are set to x1

Probes must be disconnected when performing self-cal...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: py-bb on October 22, 2022, 03:12:46 pm
Let's not be paranoid. The only thing that could stop (meaning: make it sufficiently difficult) an attack is activating secure boot. All other things are within reach.

@lukier, SHA1 is a hash algorithm, not a digital signing algo! The fact that the NAND blocks are hashed doesn't mean much.

I don't think we have reached the secure boot point but, if we did, this is an electronics community forum so, something like this:
How to Break Secure Boot on FPGA SoCs through Malicious Hardware (https://eprint.iacr.org/2017/625.pdf) would be possible with the right guys...

SHA1 is broken anyway so that helps right?
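
Added example (not part of the post above, and not Rigol's code): a constructed Python sketch of the distinction drawn in the quoted remark. A per-block SHA-1 table detects accidental corruption, but it is accepted again once whoever changed a block also regenerates the table, whereas a keyed tag over the table is not. The block size, image bytes and key are constructed, and HMAC-SHA256 stands in for a real asymmetric signature, which the Python standard library does not provide.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # constructed; real NAND blocks are far larger
# Assumption: a secret held only by the verifier. A real design would use an
# asymmetric signature so that the device stores only a public key.
VERIFIER_KEY = b"constructed-demo-key"


def split_blocks(image, size=BLOCK_SIZE):
    """Cut the image into fixed-size blocks."""
    return [image[i:i + size] for i in range(0, len(image), size)]


def build_hash_table(image):
    """Unkeyed per-block SHA-1 table, stored next to the image."""
    return b"".join(hashlib.sha1(block).digest() for block in split_blocks(image))


def verify_hash_only(image, table):
    """Integrity only: anyone able to write the image can write a matching table."""
    return hmac.compare_digest(build_hash_table(image), table)


def tag_table(table, key=VERIFIER_KEY):
    """Keyed tag over the table (HMAC-SHA256 as the stand-in for a signature)."""
    return hmac.new(key, table, hashlib.sha256).digest()


def verify_authenticated(image, table, tag, key=VERIFIER_KEY):
    """Check the tag first, then the per-block hashes that the tag vouches for."""
    if not hmac.compare_digest(tag_table(table, key), tag):
        return False
    return verify_hash_only(image, table)


def demo():
    # Constructed four-block image and its reference table and tag.
    original = b"".join(bytes([i]) * BLOCK_SIZE for i in range(1, 5))
    table = build_hash_table(original)
    tag = tag_table(table)

    # Case 1: accidental corruption (one flipped bit), table left untouched.
    corrupted = bytearray(original)
    corrupted[20] ^= 0x01

    # Case 2: deliberate change where the table is regenerated to match,
    # but the old tag is reused because the key is not available.
    modified = original[:BLOCK_SIZE] + b"\xAA" * BLOCK_SIZE + original[2 * BLOCK_SIZE:]
    new_table = build_hash_table(modified)

    return {
        "original_hash_only": verify_hash_only(original, table),
        "original_authenticated": verify_authenticated(original, table, tag),
        "corrupted_hash_only": verify_hash_only(bytes(corrupted), table),
        "modified_hash_only": verify_hash_only(modified, new_table),
        "modified_authenticated": verify_authenticated(modified, new_table, tag),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```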
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: qali.pro on October 23, 2022, 06:15:37 am
Hello everybody,
Here is the new modified post with detailed instructions to patch the MSO5000 and the most asked questions for new users.

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3866693/#msg3866693
Have Fun  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BRZ.tech on October 23, 2022, 11:38:44 am
Hello everybody,
Here is the new modified post with detailed instructions to patch the MSO5000 and the most asked questions for new users.

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3866693/#msg3866693
Have Fun  :-+

Hello qali.pro and other readers.
Qali.pro, the MSO5000 has in its two AWG the maximum frequency in sine wave of 25MHz. And in square wave of 15MHz.
The question is to extend the maximum frequency of the two AWGs.
The suggestion is a minimum of 60MHz in sine mode.
For square wave, whatever is possible.


Also the frequency meter has a maximum resolution of 6 digits. It will be very good to extend the resolution to 8 digits or more.

These will be very good if they are put in the next update.
All good.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ve2mrx on October 23, 2022, 02:42:16 pm
@BRZ.tech,

If I understand your post correctly, you should ask Rigol, not us. The patch only exposes the work of Rigol. We don't modify the operation of the scope beyond activating what is already present.

Martin
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JeremyC on October 23, 2022, 05:16:23 pm
+1.

Temperatures have increased since the fan noise was reduced (by lowering the rpm).
Asked the support and they answered this is OK and tested before.

Martin72, you owned the SDS2104X Plus. Was this scope running as hot as the MSO5074?
68.8C/155.8F, it's a little bit scary.

Howardlong has had a problem with his; I'm wondering if the high temperature contributed to that(?)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3704050/#msg3704050

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JeremyC on October 23, 2022, 05:22:43 pm
Have a nice day to everyone! I recently bought myself such an oscilloscope and hacked it as you have described everything. Everything went well. The only thing that bothers me is the heating of the oscilloscope. Is this normal? Below I attach the pictures taken with a thermal imager. Sorry for my English.

It's hot.
Could you repeat your test when running FFT for ~30 minutes?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Alekkomi on October 23, 2022, 06:23:40 pm
Have a nice day to everyone! I recently bought myself such an oscilloscope and hacked it as you have described everything. Everything went well. The only thing that bothers me is the heating of the oscilloscope. Is this normal? Below I attach the pictures taken with a thermal imager. Sorry for my English.

It's hot.
Could you repeat your test when running FFT for ~30 minutes?

I upgraded the cooling system, as they wrote in another forum thread. I turned the fan to blow out the air. I made a box, a casing over the radiators under the fan, because they are the most heated. I put an additional fan in the next grate, which blows air inside from the outside. I don't understand why the engineers who made this oscilloscope made it so that the hot air had to pass through the entire body and come out by itself, and the whole board was greatly affected by this. After upgrading, my oscilloscope is practically not heated, the external connectors have become slightly warm. This upgrade has made a huge difference to the cooling system. I am very happy about it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JetForMe on October 28, 2022, 12:18:20 am
I'm trying to follow the steps to upgrade my newly-arrived MSO5074, but it keeps eating my USB drives. That is, I put a new, never-used USB thumb drive in my Mac. Copy the DS5000Update.GEL file to it, stick that in the front USB port on the Rigol. The default menu has a "local update" option, so I choose that. It says "No package found."

I pull the drive out (I see no "eject" option anywhere), stick it back in the Mac…and it doesn't mount as a drive. It also doesn't show up as a disk device in /dev or Disk Utility.app.

I figured something died with that thumb drive, so I try another new one…same issue. The Rigol is severely altering my USB thumb drives (although they still enumerate on the Mac, as "IOUSBHubDevice").

Any suggestions? Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on October 28, 2022, 01:18:37 am
I'm trying to follow the steps to upgrade my newly-arrived MSO5074, but it keeps eating my USB drives. That is, I put a new, never-used USB thumb drive in my Mac. Copy the DS5000Update.GEL file to it, stick that in the front USB port on the Rigol. The default menu has a "local update" option, so I choose that. It says "No package found."

I pull the drive out (I see no "eject" option anywhere), stick it back in the Mac…and it doesn't mount as a drive. It also doesn't show up as a disk device in /dev or Disk Utility.app.

I figured something died with that thumb drive, so I try another new one…same issue. The Rigol is severely altering my USB thumb drives (although they still enumerate on the Mac, as "IOUSBHubDevice").

Any suggestions? Thanks!

Did you format the USB key as FAT32?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JetForMe on October 28, 2022, 01:30:35 am
I'm trying to follow the steps to upgrade my newly-arrived MSO5074, but it keeps eating my USB drives. That is, I put a new, never-used USB thumb drive in my Mac. Copy the DS5000Update.GEL file to it, stick that in the front USB port on the Rigol. The default menu has a "local update" option, so I choose that. It says "No package found."

I pull the drive out (I see no "eject" option anywhere), stick it back in the Mac…and it doesn't mount as a drive. It also doesn't show up as a disk device in /dev or Disk Utility.app.

I figured something died with that thumb drive, so I try another new one…same issue. The Rigol is severely altering my USB thumb drives (although they still enumerate on the Mac, as "IOUSBHubDevice").

Any suggestions? Thanks!

Did you format the USB key as FAT32?

Yes, finally, on a hunch, I tried that, and all is well, with the third USB drive (and thanks for the suggestion, which I didn't see until I came back to update my post). The other two appear to be toast; I don't know how to get them recognized by macOS or Windows in Parallels (they do show up as Disk drives, but no volumes mount) in order to reformat them.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on October 28, 2022, 03:11:40 pm
The other two appear to be toast; I don't know how to get them recognized by macOS or Windows in Parallels (they do show up as Disk drives, but no volumes mount) in order to reformat them.

fdisk (or whatever the Mac equivalent is) might be able to create new partition(s).  This would wipe whatever data is on the device, but it sounds like that's already gone.

If the disk shows up in the Windows "Drive Management" control panel thing in the Parallels VM, it should definitely be able to partition and format it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tommy_Vercetti on October 30, 2022, 01:51:00 am
Hello everybody!

My MSO5074 arrived Thursday and I spent the last 2 nights reading through all the posts.

The scope came with:

FW: 00.01.03.00.03
Build: 2021-10-18


From what I can tell, all I need to do is follow qali.pro's instructions from post 2167, specifically downloading the three files on the "Patch.zip" file he attached to his post and loading them onto a FAT32 or FAT usb stick and plugging that stick into the scope, correct? Since I already have 00.01.03.00.03 right out of the box, I do not need to install the "official firmware" first. I can skip to installing the patch and doing the calibration (after waiting 30 min). Am I correct here?

This is the post I'm referring to: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tommy_Vercetti on October 30, 2022, 05:12:25 pm
The hack worked! Thanks everybody!

Only issue now is that (I actually noticed this before the hack) I am getting some sort of sound coming from what might be my power supply. Best way to describe it is that it sounds like bugs chirping at night. Sort of a mixture of static and chirping/screeching. It might be a piezoelectric sound from a ceramic cap. The sounds pauses if I hit the “Run-stop” button and is only present when the waveforms are present on the screen. Anyways, long story short, I am probably going to contact amazon and exchange the scope.

I wanted to put the stock firmware back on. Can I just essentially repeat the hack but without the hacked firmware, use the firmware from the Rigol site?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on October 31, 2022, 10:50:10 pm
The hack worked! Thanks everybody!

Only issue now is that (I actually noticed this before the hack) I am getting some sort of sound coming from what might be my power supply. Best way to describe it is that it sounds like bugs chirping at night. Sort of a mixture of static and chirping/screeching. It might be a piezoelectric sound from a ceramic cap. The sounds pauses if I hit the “Run-stop” button and is only present when the waveforms are present on the screen. Anyways, long story short, I am probably going to contact amazon and exchange the scope.

I wanted to put the stock firmware back on. Can I just essentially repeat the hack but without the hacked firmware, use the firmware from the Rigol site?

Yes just install the firmware from Rigol website, and maybe do a "load default settings" to reset everything.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: esel on November 21, 2022, 03:28:17 pm


Only issue now is that (I actually noticed this before the hack) I am getting some sort of sound coming from what might be my power supply. Best way to describe it is that it sounds like bugs chirping at night. Sort of a mixture of static and chirping/screeching. It might be a piezoelectric sound from a ceramic cap. The sounds pauses if I hit the “Run-stop” button and is only present when the waveforms are present on the screen. Anyways, long story short, I am probably going to contact amazon and exchange the scope.


Thanks for the nice summary. My MSO5074 just arrived a few days ago with the 00.01.03.00.03 firmware. I also noticed the same high-pitched chirping before any hacking of the scope. I'm worried about the upgrade in case the scope fails in a few weeks due to a manufacturing defect.

Steps to reproduce the noise: The noise is noticeable without any probe connected, the vertical range set to mV or so, and the trigger set too high to actually trigger. It stops with "Run-stop" or single shot. It needs a few minutes to warm up. In the cold state I don't hear anything. I think the fan is louder than the noise. One of my colleagues didn't even hear the noise due to its high pitch.

Is this something to worry about before hacking, like getting a replacement, or should it be fine?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: TitusPullo on December 02, 2022, 11:06:38 am
I'd like to thank all contributors for the effort they put in. Great job!

My MSO5074 just arrived and is now liberated to the extent of its hardware capabilities.

I did already have a Rigol DS2072, which was also successfully modified a few years back with the help of this forum.
Two channels are just not very convenient in many cases, so when I discovered this thread, in combination with a special offer from the local distributor, I decided to give myself an early Christmas present.

The MSO 5072 does have some quirks and I need to get used to it. The DS2072 worked flawlessly in comparison.
I already managed to get the MSO5074 to completely freeze when checking the input bandwidth. A power cycle was needed.
Also, I had some trouble getting it to display an input signal without pressing the AUTO button. It sometimes seems like the display only updates if the timebase is changed.

The bandwidth (using a 50 Ohms feedthrough) is indeed >400 MHz. I used an HP8133 with 100ps risetime to check it.


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on December 02, 2022, 11:34:03 pm
Reset to defaults, and the scope should be set to auto trigger, and it should be showing an input signal. Then tweak the trigger level, and voltage ratio if needed.
Since you have a DS2000 I would assume you know all this already though.

Could be defective hardware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Catinate on December 03, 2022, 05:45:49 pm
And another one done. Just followed qali.pro's instructions and it all happened.
Many thanks to all the folks here who have spent time and effort to achieve this!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: adrianza on December 04, 2022, 12:52:41 pm
Unfortunately, I found this discussion after ordering an MSO5104. Does this patch also work for MSO5104?
I am interested in the update to 350MHz. Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on December 04, 2022, 04:18:33 pm
Yes. Will work for all 5000 versions.
As long as Rigol wants this ... :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oldjackbob on December 05, 2022, 07:40:53 pm
After applying the liberator to my 5072 everything is forever. Has anyone tried using UltraSigma/UltraScope after doing this? and does your HDMI out work?
Thanks to everyone involved in this endeavor for all your hard work and time. I'm sure I speak for everyone that took advantage of your work. YOU ARE ALL GREATLY APPRECIATED! :clap: :clap: :clap:

Mick B has already asked it and I could not find an answer either.

Does someone know whether it is safe to use Ultra Sigma and UltraScope after the "Update"?
I just received my new MSO5074 last Friday and did the "Update" over the weekend.

Both Ultra Sigma and UltraScope appear to be working fine (at least for me) after the Update.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ballsystemlord on December 06, 2022, 03:12:34 am
Hello,
My scope is an MSO5074 scope. My FW version is: v00.01.03.00.03

I did the backup specified in this post:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356

Following the upgrade instructions in this post.
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852

The upgrade was successful. The backup is kinda successful.

The backup scripts are supposed to reboot the scope, but do not. I ended up having to just pull the USB flash drive. I waited an hour for each of the two backup scripts to complete. This didn't appear to cause any major problems, but of course the FAT32 FS had its dirty bit set and the boot loader backup and the original differed.

I'd like to know, is there a better way to power down the scope (the power switch appears to just cut power without giving the system any time to unmount the USB flash drive), when doing a backup or just eject the USB flash drive?
The backup scripts are obviously broken in this respect (it's explicitly stated that they will reboot the scope), can they be fixed?
I did try to inspect them, but I'm unsure how to hack them. They are something inside of a tar archive which is then named .GEL.

Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on December 06, 2022, 12:30:48 pm
I'd like to know, is there a better way to power down the scope (the power switch appears to just cut power without giving the system any time to unmount the USB flash drive), when doing a backup or just eject the USB flash drive?
The backup scripts are obviously broken in this respect (it's explicitly stated that they will reboot the scope), can they be fixed?

I'm currently in lazy mode so you have to go with alternative ways: open a telnet session before doing the backup and use it to reboot the machine once the backup is done.

Regarding the "explicitly stated that they will reboot": the readme.txt says explicitly "After execution, the scope should reboot, showing that the script ran successfully." The "should" indicates what is probable to happen and NOT what will happen.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: techneut on December 06, 2022, 08:46:23 pm
:-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ballsystemlord on December 07, 2022, 01:44:10 am
I'm currently in lazy mode so you have to go with alternative ways: open a telnet session before doing the backup and use it to reboot the machine once the backup is done.
So Rigol disabled SSH but left telnet running?! It's no wonder the internet has such large scale DDOS attacks.

Thanks for the tip.
Quote
Regarding the "explicitly stated that they will reboot": the readme.txt says explicitly "After execution, the scope should reboot, showing that the script ran successfully." The "should" indicates what is probable to happen and NOT what will happen.
Which brings up the question, "Did the script run successfully if it did not reboot the scope?"

I mean, there's no other indicator to say that it did or did not succeed. I accepted that it succeeded based on that it wrote something to the USB stick and some blind faith. There's no way to verify the contents of the binary files it dumps are 100% correct.
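
Added example (not part of the post above, and not the thread's backup scripts): one consistency check that is available is to run the dump twice and compare the two files chunk by chunk, which catches truncated or interrupted writes even though it cannot prove that the contents match the flash. The chunk size, file names and sample data are constructed assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # comparison granularity (assumption; not the scope's NAND geometry)


def is_filler(data):
    """True when a chunk is one repeated 0x00 or 0xFF byte (erased or never written)."""
    return data[:1] in (b"\x00", b"\xff") and data.count(data[:1]) == len(data)


def summarize(path, chunk=CHUNK):
    """Return (size, whole-file SHA-256, per-chunk digests, start of filler-only tail)."""
    whole = hashlib.sha256()
    digests = []
    tail_start = None  # offset where an unbroken run of filler up to EOF begins
    offset = 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                break
            whole.update(data)
            digests.append(hashlib.sha256(data).digest())
            if not is_filler(data):
                tail_start = None
            elif tail_start is None:
                tail_start = offset
            offset += len(data)
    return offset, whole.hexdigest(), digests, tail_start


def compare_dumps(path_a, path_b, chunk=CHUNK):
    """Compare two dumps of the same region taken in separate runs."""
    size_a, sha_a, dig_a, tail_a = summarize(path_a, chunk)
    size_b, sha_b, dig_b, tail_b = summarize(path_b, chunk)
    # Offsets (within the common length) whose chunk digests disagree.
    differing = [i * chunk for i, (a, b) in enumerate(zip(dig_a, dig_b)) if a != b]
    return {
        "same_size": size_a == size_b,
        "identical": sha_a == sha_b,
        "differing_offsets": differing,
        "filler_tail_start": (tail_a, tail_b),
    }


def demo():
    # Constructed 8-chunk "dump"; every chunk has distinct, non-filler content.
    good = b"".join(hashlib.sha256(bytes([i])).digest() * 128 for i in range(8))
    flip_at = 2 * CHUNK + 10
    samples = {
        "second_run.bin": good,                                      # clean repeat
        "stalled.bin": good[:5 * CHUNK] + b"\xff" * (3 * CHUNK),     # writer stopped early
        "truncated.bin": good[:3 * CHUNK + 100],                     # stick pulled mid-write
        "bitflip.bin": good[:flip_at] + bytes([good[flip_at] ^ 1]) + good[flip_at + 1:],
    }
    reports = {}
    with tempfile.TemporaryDirectory() as tmp:
        first = os.path.join(tmp, "first_run.bin")
        with open(first, "wb") as fh:
            fh.write(good)
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            reports[name] = compare_dumps(first, path)
    return reports


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

A filler-only tail is only a hint, since flash partitions often end in erased 0xFF blocks; two dumps that agree byte for byte across separate runs are the stronger signal.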

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on December 07, 2022, 04:01:36 pm
The project mode (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4444330/#msg4444330) also enables SSH, last I looked. So it's just some key presses away.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BeamDump on December 24, 2022, 09:46:36 am
Just got mine yesterday. Shipped with 00.01.03.00.03 2021-10-18. Backup/update worked like a charm. ;D Huge thanks qali and everyone who put in the effort.

Merry Christmas everyone! 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Howardlong on January 01, 2023, 09:07:06 pm
Regulars may remember that my unit experienced an SMPS regulator (Renesas ISL8203M) failure back in September 2021.

Post #2053 https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3697885/#msg3697885
Post #2057 https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3704050/#msg3704050

Well, about ten days or so ago the same thing happened.

It'd been switched on for a short while, about five or ten minutes, and suddenly switched itself off. The symptom this time was that the entire unit appeared dead, no LEDs or screen, however every second or two the fan attempted to spin up, so similar enough that I could say it was the main PSU going into over current protection and trying to recover.

The TL;DR is that I replaced the same chip again, and the unit is back to working again.

Thankfully as I already had a spare chip in stock, and knew what to do, it only took an hour or so to fix this time.

You only need to take the plastic back off and the first main metal shield, and then rework the chip with hot air. You don't need to unscrew the PCB, you can leave it screwed to the chassis. There's nothing underneath the chip to be concerned with when reworking it with hot air. However, take care to avoid any flux or cleaning agents getting underneath the analogue cans: I used kapton tape.

I don't know if I just have a Friday scope: I'm not aware of anyone else encountering this problem.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kelemvor on January 05, 2023, 05:50:36 pm
I just got an MSO5074 from tequipment this week and applied the updates.  Thanks to everyone who participated, especially @qali.pro who posted the necessary stuff with easy instructions.

For others who just bought one, This is the post you want to read: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852


In short:
Quote from: qali.pro
Download (attachment in the linked post) and unzip the file Patch.zip and put the three files on the USB stick, then Utility/Help/Local upgrade


Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on

Since others have already done the heavy lifting, it's that simple.  Actually, it's more simple than the 1054z hack was to apply.  The only "hard" part is finding the right post.

Thanks again, mr. pro.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: idolclub on January 09, 2023, 10:55:18 am
Rigol releases new firmware v00.01.03.02.02 for MSO5000 ~ 2023.01.09

Firmware v00.01.03.02.02 Release Notes:

[Supported Model]    All the MSO5000 Series Digital Oscilloscopes
[Latest Revision Date]  2023/01/04

[Updated Contents]
--------------------

v00.01.03.02.02 2023/01/04
   
    - Add shortcut button and VNC remote function
    - Waveform, cursor movement, gesture operation vertical and horizontal gear switching speed optimization
    - Cursor optimization: cursor jump optimization, ZOOM area and main time base cursor linkage, etc
    - The color of the CH4 waveform is modified, and the brightness of the waveform is improved
    - ZOOM mode optimization: mask color adjustment, switching speed, area movement optimization
    - SCPI instruction response speed optimization: reset, measurement, waveform read instruction response optimization


v00.01.03.00.03 2021/10/18

      - Optimized waveform display in XY mode.
      - Optimized the DC gain calibration algorithm.
      - The La channel is decoded in parallel, which solved the problem of decoding error in negative polarity.



Download:
https://supportcn.rigol.com/Public/Uploads/uploadfile/files/ftp/Firmware/MSO5000(ARM)Updatev00.01.03.02.02.zip



Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: markone on January 09, 2023, 01:14:46 pm
Rigol releases new firmware v00.01.03.02.02 for MSO5000 ~ 2023.01.09

Firmware v00.01.03.02.02 Release Notes:

[Supported Model]    All the MSO5000 Series Digital Oscilloscopes
[Latest Revision Date]  2023/01/04

[Updated Contents]
--------------------

v00.01.03.02.02 2023/01/04
   
    - Add shortcut button and VNC remote function
    - Waveform, cursor movement, gesture operation vertical and horizontal gear switching speed optimization
    - Cursor optimization: cursor jump optimization, ZOOM area and main time base cursor linkage, etc
    - The color of the CH4 waveform is modified, and the brightness of the waveform is improved
    - ZOOM mode optimization: mask color adjustment, switching speed, area movement optimization
    - SCPI instruction response speed optimization: reset, measurement, waveform read instruction response optimization


v00.01.03.00.03 2021/10/18

      - Optimized waveform display in XY mode.
      - Optimized the DC gain calibration algorithm.
      - The La channel is decoded in parallel, which solved the problem of decoding error in negative polarity.



Download:
https://supportcn.rigol.com/Public/Uploads/uploadfile/files/ftp/Firmware/MSO5000(ARM)Updatev00.01.03.02.02.zip

How did you get there ?

If I follow Rigol support web pages (Europe, Cn, USA) I do not find that FW upgrade, so I wonder if any update for HDO1000 is hidden somewhere in the same server.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on January 09, 2023, 03:13:18 pm
Hi there, same question. I'm located in Spain.

If I go to https://www.rigol.eu/products/oscillosopes/MSO5000%20series.html it only shows the 00.01.03.00.03 version (which is already installed in my device).

However, on this page, https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/MSO5074/ (I assume NA stands for North America), it points to a 1.1.4.4 version file, which is different from the one you posted, but with the same publish date.

Is it possible to apply an NA firmware on an EU device? For the time being, I will keep 00.01.03.00.03 before update.

Thank you! Regards!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: markone on January 09, 2023, 03:55:02 pm
Hi there, same question. I'm located in Spain.

If I go to https://www.rigol.eu/products/oscillosopes/MSO5000%20series.html it only shows the 00.01.03.00.03 version (which is already installed in my device).

However, on this page, https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/MSO5074/ (I assume NA stands for North America), it points to a 1.1.4.4 version file, which is different from the one you posted, but with the same publish date.

Is it possible to apply an NA firmware on an EU device? For the time being, I will keep 00.01.03.00.03 before update.

Thank you! Regards!

The mystery deepens ...

EDIT : the content of NA FW 1.1.4.4 version is way older, 18.10.2021
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on January 09, 2023, 05:56:54 pm
Yes you are right it's only the file name... v00.01.03.00.03 2021/10/18

That file is in Chinese? As it came from Rigol CN maybe it would result in Chinese characters on my oscilloscope  :palm:
Please confirm and also confirm if the """upgrade""" still works. Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on January 10, 2023, 11:27:31 pm
I upgraded the firmware to 00.01.03.02.02, and bye the hack :-(

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on January 11, 2023, 12:16:59 am
That's because the patch literally patches the firmware. So whenever there is a new firmware, a new patch has to be created.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on January 11, 2023, 04:30:04 am
That's because the patch literally patches the firmware. So whenever there is a new firmware, a new patch has to be created.

Has there ever been a post explaining what gets patched?  I've poked around, but there are literally more than 2000 posts in the thread.

I'm pretty sure the answer is no, and I can understand why.  But I figured I'd ask - just in case the info is out there.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on January 11, 2023, 04:44:37 am
To massively oversimplify the process: you have to patch the firmware file (it's actually just software, but anyway, by patching the assembly code) so when the software internally says "is this scope licensed for 350MHz" the returned value is always "Yes". Likewise when the scope queries itself to say "Is this scope licensed for XXXX (feature/function)" the answer is "Yes".
If you know what you are doing, you can take the information that's already in this thread, compare the before and after patched file, and see what's changed.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on January 11, 2023, 10:22:12 am
OK, successfully updated to the latest version. English menu, everything all right.

Regarding the patch: it does not work (as expected), because the md5 hash for the AppEntry file is 349b25b8653bbeb7849527425c2fca03 and the script waits for 8902f64eff40eff094af1dbeccfd461a, which is the md5 for the older version AppEntry file.

Assuming that the patch does something like a sed command to add the -All option to the file, we would also need to recalculate the resulting md5. But if my assumption is not correct, it will not work xD.

Also I can confirm that both backup scripts work as expected with the new firmware.

Thanks to all for your efforts.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on January 11, 2023, 10:24:44 am
Files with different update dates have the same content. (MD5)

974b1cababda14c92d94d0077b8760eb *DS5000Update_17.10.2021.GEL
974b1cababda14c92d94d0077b8760eb *DS5000Update_18.10.2021.GEL
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on January 11, 2023, 11:29:02 am
OK, so it will be as easy to modify the patch.txt with the new md5 but keeping the resulting md5 file as it is?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on January 11, 2023, 10:03:38 pm
I doubt it is a matter of simply modifying the checksum, you need a new bpatch file.  Hopefully someone will be kind enough to create one in the near future.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on January 11, 2023, 10:13:45 pm
OK, so it will be as easy to modify the patch.txt with the new md5 but keeping the resulting md5 file as it is?

MegaVolt was responding to your earlier post, mentioning multiple firmwares. The same MD5 means that the two files are identical, e.g. the same version.
Changing the patch.txt would work only if the "bpatch" step is the same, which it is unlikely to be. Someone has to go in and figure out that .bpatch.

Anyway the rigolcn link doesn't work for me, it looks like they pulled the download. Could you upload the v00.01.03.02.02 file somewhere?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 11, 2023, 10:18:59 pm
That's because the patch literally patches the firmware. So whenever there is a new firmware, a new patch has to be created.

You get the scope with all options except bandwidth and memory today. I remember I got the options from Rigol for free: enter the codes on the website, then get the generated licenses.
So the scope retains the options after a firmware upgrade - what's the problem with generating (hacking) license keys for bandwidth and memory?
Is there still no solution after 5yrs the scope is on the market?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on January 11, 2023, 11:05:59 pm
Is there still no solution after 5yrs the scope is on the market?

The license key I was given for the MSO5000 bundle was 140 characters long as opposed to 28 characters for the DS1054z or 16 characters for the SDS1104X-E

I'm not a hash or crypto expert, so I don't know if this is an indication of how much effort would need to go into brute force cracking the key generator, but maybe it is?

Or if the key generators weren't brute forced, were they leaked and that didn't happen for the MSO5000?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on January 11, 2023, 11:09:12 pm
I went to the US Rigol site, and it is just the same 03.00.03 version as it has been for the past year.  If they pulled it from the China site already and it is not available anywhere else, I wonder if they found some new issues with it.  I would recommend those who found their scope to operate satisfactorily wait until an update is available globally so you don't end up with the extra effort of downgrading to the previous version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on January 11, 2023, 11:29:56 pm
It's not uncommon for firmware updates to only be on some regional sites and not all of them - particularly early on. And Rigol seems to have an update release process that's more challenged than most (for example, the fact that the filename on the Rigol NA site for the MSO5000  01.03.00.03 update comes in a file named MSO5_FW_V1_1_4_4.zip).

Also, it seems that the 01.03.02.02 update is downloadable from Rigol's China support site, but not from that website's UI (at least it wasn't on Jan 9). You have to get it using the direct link.


I see the direct link goes 404 now...  An indication that people should probably not install it unless they are really OK with risk.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 11, 2023, 11:37:10 pm
I went to the US Rigol site, and it is just the same 03.00.03 version as it has been for the past year.  If they pulled it from the China site already and it is not available anywhere else, I wonder if they found some new issues with it.  I would recommend those who found their scope to operate satisfactorily wait until an update is available globally so you don't end up with the extra effort of downgrading to the previous version.

It is a little while ago that I had the scope, but if I remember it right, having a new firmware available only in China is some kind of beta status.
I wouldn't take this...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dhyddr on January 12, 2023, 02:04:13 am
Chinese guy here.

The new MSO5000 FW v00.01.03.02.02 from the Rigol China website is in trouble now.

If you rename the GEL file to DS5000update.GEL and use it to update, the scope will be stuck on the Rigol logo.

Don't download that.

I contacted the Rigol TS team; they gave me a demo version of v00.01.03.02.02 that can be updated successfully.

Used the v00.01.03.02.02 appEntry, bsdiff from the older one to generate the bspatch. No success, still stuck on the Rigol logo.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dhyddr on January 12, 2023, 03:22:07 am
I can also use HxD to modify the scope's bandwidth to 350MHz

but I can't enable the all option

any post here?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on January 12, 2023, 08:31:14 am
>>Anyway the rigolcn link doesn't work for me, it looks like they pulled the download. Could you upload the v00.01.03.02.02 file somewhere?<<

At the moment the new firmware is not public, only youtubers have this.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: markone on January 12, 2023, 12:10:44 pm
I went to the US Rigol site, and it is just the same 03.00.03 version as it has been for the past year.  If they pulled it from the China site already and it is not available anywhere else, I wonder if they found some new issues with it.  I would recommend those who found their scope to operate satisfactorily wait until an update is available globally so you don't end up with the extra effort of downgrading to the previous version.

It is a little bit ago I had the scope but when I remember it right, having a new firmware only in china avaible is somekind of beta-status.
I wouldn´t take this...

Martin, here things are a little different because the "direct" link to the FW update on the Chinese server that was published in this thread was not present in ANY Rigol support pages in the world, which is why I asked for an explanation some posts ago without receiving any answer; as a result I would never use that file.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on January 12, 2023, 03:50:23 pm
I installed it and did not have any problems. Also I saw a video (it is in spoken Spanish) https://www.youtube.com/watch?v=kGYsmTFGob0&ab_channel=NaserElectronica-Chile with a guy installing it and working with it. I just renamed MSO5000 to DS5000 and it started working. For the time being, I will revert back and apply the patch and wait until this version (and the patch) becomes publicly available again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: markone on January 12, 2023, 08:21:39 pm
I installed it and not have any problems. Also I saw a video (it is in spoken Spanish) https://www.youtube.com/watch?v=kGYsmTFGob0&ab_channel=NaserElectronica-Chile (https://www.youtube.com/watch?v=kGYsmTFGob0&ab_channel=NaserElectronica-Chile) with a guy installing it and working with it. I just renamed MSO5000 to DS5000 and started working. For the time being, I will revert back and apply the patch and wait until this version (and the patch) came publicly available again.

I have a question: apart from the hack disruption, are there other negative aspects with this upgrade?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on January 12, 2023, 08:38:42 pm
I installed it and not have any problems. Also I saw a video (it is in spoken Spanish) https://www.youtube.com/watch?v=kGYsmTFGob0&ab_channel=NaserElectronica-Chile (https://www.youtube.com/watch?v=kGYsmTFGob0&ab_channel=NaserElectronica-Chile) with a guy installing it and working with it. I just renamed MSO5000 to DS5000 and started working. For the time being, I will revert back and apply the patch and wait until this version (and the patch) came publicly available again.

I have a question : apart the hack disruption, there are other negative aspects with this upgrade ?

No.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: markone on January 12, 2023, 11:59:44 pm
I installed it and not have any problems. Also I saw a video (it is in spoken Spanish) https://www.youtube.com/watch?v=kGYsmTFGob0&ab_channel=NaserElectronica-Chile (https://www.youtube.com/watch?v=kGYsmTFGob0&ab_channel=NaserElectronica-Chile) with a guy installing it and working with it. I just renamed MSO5000 to DS5000 and started working. For the time being, I will revert back and apply the patch and wait until this version (and the patch) came publicly available again.

I have a question : apart the hack disruption, there are other negative aspects with this upgrade ?

No.

Great  :-+.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on January 13, 2023, 12:59:46 am
So that everyone is clear on this, all patch updates will erase the hack and will require the patch image to be modified.

The solution would be to create a license key generator which would be independent of the changes made by patching, no one has come forward with that solution most likely because someone eventually creates a hack for the new patch.

The Chinese patch could be a beta version, but Rigol releases the patches at different times in the various markets. I have received beta versions which had fixes that were only released 8 months after, and Rigol was confident that there were no issues with the beta. See a video in English from someone who tested it, the patch seems to be solely related to items required for the VNC feature to work.

https://www.youtube.com/watch?v=jRR7smjDE-c
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on January 13, 2023, 01:37:07 am
If you take a careful look at the original download link for the new firmware,
https://supportcn.rigol.com/Public/Uploads/uploadfile/files/ftp/Firmware/MSO5000(ARM)Updatev00.01.03.02.02.zip

It is not the same link that you would download official firmware from the China Rigol website.  It appears to be a file located in the public upload directory of the support website.  My guess is it is a test firmware someone in Rigol uploaded to their support site, so the people they are working with can download it for testing, or to address a certain problem.  Someone noted the existence of this file and published the link, which Rigol subsequently took down (not uncommon for test firmware).

So while this version of the firmware does deliver some additional capabilities, it may be premature to treat this as the next version of the firmware update.  Depending on your intention, you may, or may not want to use it.  I noticed the original link was never brought up in the discussion, and I just want everyone to be aware of it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: markone on January 13, 2023, 07:10:01 am
If you take a careful look at the original download link for the new firmware,
https://supportcn.rigol.com/Public/Uploads/uploadfile/files/ftp/Firmware/MSO5000(ARM)Updatev00.01.03.02.02.zip

It is not the same link that you would download official firmware from the China Rigol website.  It appears to be a file located in the public upload directory of the support website.  My guess is it is a test firmware someone in Rigol uploaded to their support site, so the people they are working with can download it for testing, or to address a certain problem.  Someone noted the existence of this file and published the link, which Rigol subsequently took down (not uncommon for test firmware).

So while this version of the firmware does deliver some additional capabilities, it may be premature to treat this as an next version of the firmware update.  Depending on your intention, you may, or may not want to use it.  I noticed the original link was never brought up in the discussion, and I just want everyone to be aware of it.

This is exactly what I tried to explain a couple of times in my previous posts, just to clarify that in this case Rigol has no responsibility about that peculiar version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on January 13, 2023, 09:39:13 am
Extract of Release Notes.txt

v00.01.03.02.02 2023/01/04

    - Add shortcut button and VNC remote function
    - Waveform, cursor movement, gesture operation vertical and horizontal gear switching speed optimization
    - Cursor optimization: cursor jump optimization, ZOOM area and main time base cursor linkage, etc
    - The color of the CH4 waveform is modified, and the brightness of the waveform is improved
    - ZOOM mode optimization: mask color adjustment, switching speed, area movement optimization
    - SCPI instruction response speed optimization: reset, measurement, waveform read instruction response optimization
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kelemvor on January 13, 2023, 11:39:41 pm
I decided my scope needed a new label...
[attach=2]
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on January 14, 2023, 11:21:17 pm
Riglol, nice idea !  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gmaker on January 15, 2023, 01:58:26 pm
Followed these instructions https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852
and got this once I tried to apply the patch... USB stick formatted in FAT32... so any idea what's happening?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gmaker on January 15, 2023, 04:44:19 pm
followed this instructions https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3869852/#msg3869852)
and got this once tried to apply the patch.. USB stick formatted in FAT32.. so any idea on what's happaning?

Solved. Just found a third USB stick... the oldest one... and it worked for some reason.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: OHR on January 19, 2023, 06:37:42 pm
I just completed following the instructions in post "Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2206 on: January 15, 2022, 06:14:13 pm »" to upgrade my MSO5074 I bought from Amazon in December for $799.00 (it had the exact software and firmware needed) and everything worked perfect! I'm now the proud owner of a MSO5074 which functions exactly as a MSO5354!

Thank you so much for this thread!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: OHR on January 23, 2023, 12:33:36 am
Wanted to share what I did for a case. Instead of putting out $165.00 for the Rigol case I went with a Harbor Freight protective case (Apache 4800) for $65.00. After plucking the foam for a good fit I added a high quality Nashua ducting tape on the top and bottom sides of the remaining pluckable foam to keep it from pulling loose. Everything fits perfectly and it's super protected now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilyxa on January 26, 2023, 07:18:26 pm
Thank you very much for a great job.

MSO5072 + LA, Everything needed (hack + backups)  working very well.

I'll buy this Rigol also to use with sigrok/pulseview (as a Linux user), also using the hw with lxi-tools (NI/VISA-independent tool, very nice sometimes). Before, I had a lot of trouble with some Hantek and Owon (not sure) equipment which costs much less money and was much less predictable (one of the strong points to buy Rigol/Siglent/R&S/etc. - I need repeatability every time I'm using equipment).

Small "bug" (not really) - sigrok/pulseview (btw libsigrok) recognises the fully-featured MSO5072 per the IDN? string, which returns MSO5072 (2ch model), thus making the additional 2 channels unavailable under a libsigrok-based application (not a big deal in my scenario as I'm using the LA with sigrok, very nice after fx2lafw in some of my home "application" :)

Also keep in mind that sometimes after doing work with pulseview/sigrok/lxi-tool the MSO didn't come up (power on) at the next boot (stuck on the Rigol logo with a red stop/run button - normally it's green while coming up). The solution is power off, power on, press the Single button, Restore defaults (works well for me), recalibrate (it took about 25 minutes). After that, every time I complete my job with this application I just prefer to set Defaults before powering off - and everything is fine now.

I understand it's exactly wrong to discuss any Linux/non-hw stuff here; again, thank you, very nice job!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on January 29, 2023, 07:29:52 pm
Guys, I installed the latest firmware v00.01.03.02.02, the one which is not available anymore. Now I can't roll back to v00.01.03.00.03. The oscilloscope tells me that "the file package is wrong" (despite the fact I downloaded it from the Rigol support site). I have tried with the menu at boot, and the regular upgrade menu. Any hint on this? I sent an email to Rigol support too. Thank you! Regards!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BRZ.tech on January 29, 2023, 11:34:00 pm
Hi. faktorqm.
You can enter through the Secret Menu, through the buttons:
1) Power off and then power on your MSO.
2) During the boot sequence, quickly and repeatedly press the Single button in the upper right hand corner of the instrument.
3) Reset to the initial version of your FW.

Then do a self-calibration, even on the old FW.
Turn off and then turn on your MSO.

After that, place the original *.GEL file on the pendrive, without the FW v00.01.03.00.03 hack, and execute the update through the Secret Menu in the Single button.
Then do a self calibration even in FW v00.01.03.00.03
Turn off and then turn on your MSO.

After that, put the original *.GEL file on the pendrive, without the FW v00.01.03.02.02 hack, and execute the update through the Secret Menu in the Single button.
Then do a self calibration in FW v00.01.03.02.02
Turn off and then turn on your MSO.

Finally, say your prayers that it works out.
Good luck.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on January 30, 2023, 09:21:48 pm
Rigol just released a version of the 1.03.02.02 on the US website.  When you do the actual download, the file name is MSO5_FW_V1_1_4_4, the upgrade instruction.txt file is still gibberish, likely in a different language.  For the actual GEL file, the checksum was exactly the same as the one in the Chinese site which disappeared earlier.  They never had a professional discipline in managing firmware update when the MSO5000 came out, sadly this trend continues years later. 

Here is the change log, also the same as before:
v00.01.03.02.02 2023/01/04

    - Add shortcut button and VNC remote function
    - Waveform, cursor movement, gesture operation vertical and horizontal gear switching speed optimization
    - Cursor optimization: cursor jump optimization, ZOOM area and main time base cursor linkage, etc
    - The color of the CH4 waveform is modified, and the brightness of the waveform is improved
    - ZOOM mode optimization: mask color adjustment, switching speed, area movement optimization
    - SCPI instruction response speed optimization: reset, measurement, waveform read instruction response optimization

While the file is the same as before, at least now you are downloading this patch from the official firmware download site.  So hopefully we will get some support from Rigol in case the upgrade fails. 

Until someone comes up with a new patch file, you will lose the "enhancements" if you apply this firmware.  Let's hope this wonderful community can come up with a new patch file soon to share with everyone.

https://www.rigolna.com/firmware/ (https://www.rigolna.com/firmware/)
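
The checksum comparison used in the post above and in MegaVolt's earlier post (two differently named or differently sourced .GEL files are the same firmware if their digests match), as an added example that is not part of the thread. File names and contents are constructed; the script checks md5sum-style manifest lines and also groups files by SHA-256, because a matching MD5 shows two downloads are byte-identical but MD5 is not collision-resistant and should not be the only check on a file from an unofficial link.

```python
"""Compare firmware downloads by content hash (added example, constructed data)."""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# md5sum/sha256sum line: <hex digest>, a space, then ' ' (text) or '*' (binary), then the name
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{64}) [ *](.+)$")


def parse_manifest(text):
    """Return {file name: lowercase hex digest} from md5sum-style text."""
    entries = {}
    for line in text.splitlines():
        match = MANIFEST_LINE.match(line.strip())
        if match:
            entries[match.group(2)] = match.group(1).lower()
    return entries


def digest_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large firmware images are not loaded whole."""
    hasher = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def group_identical(paths):
    """Group file names by SHA-256; each inner list holds byte-identical files."""
    groups = defaultdict(list)
    for path in paths:
        groups[digest_file(path)].append(Path(path).name)
    return sorted(sorted(names) for names in groups.values())


def check_manifest(directory, manifest_text):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        # Digest length tells us which algorithm the manifest line used.
        algorithm = "md5" if len(expected) == 32 else "sha256"
        actual = digest_file(path, algorithm)
        results[name] = "OK" if actual == expected else "MISMATCH"
    return results


def demo():
    """Build three constructed 'downloads' and check them against one digest."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        image = b"constructed firmware image bytes" * 1024
        (tmp / "Update_siteA.GEL").write_bytes(image)
        (tmp / "Update_siteB.GEL").write_bytes(image)            # same bytes, other name
        (tmp / "Update_other.GEL").write_bytes(image[:-1] + b"X")  # one byte differs
        published = hashlib.md5(image).hexdigest()  # stands in for a published checksum
        manifest = "\n".join([
            f"{published} *Update_siteA.GEL",
            f"{published} *Update_siteB.GEL",
            f"{published} *Update_other.GEL",
            f"{published} *Update_absent.GEL",
        ])
        groups = group_identical(sorted(tmp.glob("*.GEL")))
        return groups, check_manifest(tmp, manifest)


if __name__ == "__main__":
    groups, status = demo()
    print("identical groups:", groups)
    print("manifest check:", status)
```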
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on January 31, 2023, 09:07:50 am
Rigol just released a version of the 1.03.02.02 on the US website.  When you do the actual download, the file name is MSO5_FW_V1_1_4_4, the upgrade instruction.txt file is still gibberish, likely in a different language.  For the actual GEL file, the checksum was exactly the same as the one in the Chinese site which disappeared earlier.  They never had a professional discipline in managing firmware update when the MSO5000 came out, sadly this trend continues years later. 

It's pretty unbelievable.

the upgrade instruction.txt file is still gibberish, likely in a different language.

The file "MSO5000 Upgrade Instructions.txt" has a header that indicates it's a text file that has been encrypted with E-SafeNet encryption (https://rp.os3.nl/2013-2014/p32/presentation.pdf).  It seems that the encryption isn't too strong so there's a decent chance the original file (or a large portion of it) could be recovered.  At least if the plaintext is a plain ASCII file.  But I doubt it's worth the trouble - it's almost certainly a byte-for-byte copy of riglol's copy of "MSO5000 Upgrade Instructions.txt" file (https://gitlab.com/riglol/rigolee/firmware/-/blob/MSO5000/GEL/MSO5000%20Upgrade%20Instructions.txt).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: beatman on January 31, 2023, 02:52:27 pm
I installed the new firmware on my 5104. The scope starts and at the end of one minute is stuck on the Rigol logo. I waited a few minutes and powered off. I tried two times to update, no luck. I installed the version I had before and the scope starts normally.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on January 31, 2023, 03:00:32 pm
I have seen some people upgraded successfully, but others have failed. I wonder if hardware version may play a role, what is your hardware version?  There were two versions last time I checked.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on January 31, 2023, 07:06:12 pm
This happened on an MSO5074 that I recently installed this new firmware on.

I solved the issue by bringing up the special boot menu at power on (using the "Single" key) and selecting the option to restore factory defaults.
The unit then started up correctly with the new FW version.

Regards.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 01, 2023, 12:45:33 am
Perhaps this is the secret step in the upgrade instruction that they encrypted  :).

mwb1100 was correct, the MSO5000 Upgrade Instructions.txt file is the same as the original one from the Chinese download site. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: beatman on February 01, 2023, 04:22:26 am
Tried again with factory defaults and then did the new update. No luck. Staying with the 2021 version for now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 01, 2023, 05:19:35 pm
This is concerning, but not entirely unexpected given Rigol's careless approach to firmware and updates.  To help all in the community who want the upgrade, can we start a log of:

* Upgrade successful vs. upgrade failed
* Reset to factory default required, vs. not required.
* Hardware version
* Any extra steps taken to perform upgrade

I don't think troubleshooting Rigol firmware should stay in this thread as it is not related to hacking.  I will suggest those who respond jump over to the hardware/software revisions discussion so we can keep this thread dedicated to hacking.  I hope someone will kindly start looking into a new patch file while we investigate how to install the firmware.

https://www.eevblog.com/forum/testgear/rigol-mso-5000-hardwaresoftware-revisions/msg3868508/#msg3868508 (https://www.eevblog.com/forum/testgear/rigol-mso-5000-hardwaresoftware-revisions/msg3868508/#msg3868508)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Arturete on February 01, 2023, 08:12:54 pm
Greetings, I found this forum because I tried to update my Rigol from the version v00.01.03.00.03 hack to the original version v00.01.03.02.02 and now I have a brick. I entered the secret menu but it doesn't let me select restore firmware or upgrade firmware, it simply does not activate anything. I have the backup from when I did the hack. Can someone help me please?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Arturete on February 01, 2023, 09:57:21 pm
I already managed to solve it, try several times the secret menu and as quickly as possible select restore defaults until it reboots itself and it's working again, updated and without hack
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 02, 2023, 12:55:13 am
Glad to see you get it back up and running. 

Given some of the failures we have seen here, if it persists and if I were Rigol, I would have pulled the update and figured out what's going on.  Clearly more testing and a set of update instructions are needed.  No customer should have to jump through hoops just to get a firmware upgrade like what we are witnessing here.   :palm:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Arturete on February 02, 2023, 01:22:13 am
I agree, for my part I already sent an email to technical support mentioning the problem I had without mentioning the hack obviously
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MYlol5374 on February 03, 2023, 04:00:34 am
Quick question:
How do we know there aren't 2 completely different ICs under those 2 big heat spreaders?

Let's pretend it's not a 4ch x 2GS/s 8bit ADC and instead it's an 8ch x 200MS/s 6bit ADC
also it's not a Kintex K7 160 but instead maybe a more like a Spartan 7...
you know...
more like...
like...
ICs we'll find in hardware in the same ballpark.

At around 1.6GS/s this scope would IMHO max out at around 400, maybe 430 MHz  ;)
and if I'd be in the marketing department and the tech guys are telling me the new fancy schmancy homebrew ADC is an 8 channel, 10 x timesampling, 6bit ADC I would go balls out and just call it X8106A, in yaaaa face!!!

And for the FPGA, if the customer can tell the model only by looking in the binary... I wonder why they chose a Kintex-7 160, I'd make a Virtex XC7VX1140T  ;)

I maybe just made up a conspiracy theory here,
or Rigol isn't selling this scope at a big loss at all?!?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on February 04, 2023, 12:53:42 pm
Thanks a lot for your advice BRZ.tech, unfortunately it's not working. It looks like I'm unable to roll back  :'( I regret a lot that I did the upgrade because I bought this device solely because, reading this thread, I knew I could use plenty of the functions. And now...

I will wait until some of the true hackers here provide a patch, if possible to make. In the meantime, I will continue investigating why I can't go back. Thank you! Regards!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on February 04, 2023, 04:22:45 pm
unfortunately it's not working. It's look like I'm unable to rollback

Are you able to get to the "secret" menu and select "Upgrade Firmware" by the button just under the "Menu Off" button?  What message(s) does the oscilloscope display when you try to do the rollback update from that menu?

It's known that the oscilloscope can be picky about what USB stick is used.  Make sure any USB sticks you use are FAT32 formatted and try more than one of different brands.  Also I'd suggest that the .GEL file be the only file on the stick and make sure the .GEL file is named: "MSO5000Update.GEL"
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on February 04, 2023, 05:56:12 pm
Hi sir! thanks a lot for your suggestions.

Are you able to get to the "secret" menu and select "Upgrade Firmware" by the button just under the "Menu Off" button? 

Yes I can do that.

What message(s) does the oscilloscope display when you try to do the rollback update from that menu?

Update failed. Check your package file (or something like that)

It's known that the oscilloscope can be picky about what USB stick is used.  Make sure any USB sticks you use are FAT32 formatted and try more than one of different brands.  Also I'd suggest that the .GEL file be the only file on the stick and make sure the .GEL file is named: "MSO5000Update.GEL"

OK, you are right. I'm using one Kingston pendrive which is the one I have been using to update to the last firmware and so on. I have tried 3 pendrives (2 Kingston and one Sandisk, all different models) and nothing. The fourth one did the job (sandisk). Now I'm back to the 1.3.0.3 and the patch applied. I will not move until a new patch is released and tested.

THANKS A LOT for the hint!

I have learned the lesson: do not do a firmware upgrade until you have read the 96 pages of this forum thread :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on February 04, 2023, 07:12:08 pm
The fourth one did the job (sandisk).

Wow! Having that many fail to work is pretty terrible luck.

Actually not terrible luck - terrible testing diligence on Rigol's part.  If the MSO5000 is so particular about USB drives, Rigol really should give some guidance on what the scope can (or won't) work with.  Leaving users to a 50/50 chance (or worse) that the USB stick will work is pretty bad.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on February 04, 2023, 07:34:10 pm
With my Kingston DataTraveler 4GB the update works fine; all this is very strange.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on February 05, 2023, 06:51:50 am
I guess you can test first if your thumb drive is working with the regular scope file I/O. I'm wondering if a USB device that fails for the update is indeed working fine with the regular scope storage functions.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lujji on February 06, 2023, 02:09:00 pm
I'm considering buying either this scope or HDO1k and I have a few questions to better understand current state of things:
1. Is everyone still using patched firmware from 2021? Has something changed in recent firmwares that breaks the current approach for unlocking the scope?
2. Did anyone try suspend to ram? Boot time is ridiculous and having a leaf-blower on my desk all the time doesn't seem very appealing, so I was hoping that it's possible to get some form of 'soft power-off' working
3. Has anyone tried compiling native applications for the scope? It would be nice having some shortcuts accessible within the scope as opposed to usb/lan.

Btw, I'm slightly confused by the patches posted here - there seems to be one 'real' change and the rest is just forcing the menu screen to display 'Forever'. I don't know why this was done, probably to make people feel better when they're posting screenshots of their menus. Either way, I can't do any better since I don't have a scope to debug on, so I just made similar changes while poking around at 01.03.02.02 firmware. Once again, I have no way of testing the patch, so use at your own risk.

Edit: reportedly, it works - download the official firmware (https://www.rigolna.com/firmware/) and enjoy. Attached the update.gel from previous posts.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on February 06, 2023, 07:02:12 pm
lujji works fine, thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on February 06, 2023, 07:55:54 pm
1. Is everyone still using patched firmware from 2021?

I haven't patched my scope yet so I'm not 100% sure, but I believe so.  I believe the most recent hacked firmware is based on firmware v00.01.03.00.03 from Oct 2021.

Has something changed in recent firmwares that breaks the current approach for unlocking the scope?

The most recent released official firmware is v00.01.03.02.02 from Jan 2023.  It has not been patched, so as of today if you install it you will lose any improvements/updates that the hacked firmware provides.  I've heard no word on whether anyone is working on hacking that firmware or how similar a hack might be to the hack done for the Oct 2021 firmware.

Note that there are several reports of people having various problems with the Jan 2023  v00.01.03.02.02, one of which is that some have had trouble reverting to older firmware once the v00.01.03.02.02 is installed.

As of today, if you want the improvements the hacked firmware brings, do not install the Jan 2023 firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stmcore on February 06, 2023, 09:51:00 pm

Btw, I'm slightly confused by the patches posted here - there seems to be one 'real' change and the rest is just forcing the menu screen to display 'Forever'. I don't know why this was done, probably to make people feel better when they're posting screenshots of their menus. Either way, I can't do any better since I don't have a scope to debug on, so I just made similar changes while poking around at 01.03.02.02 firmware. Once again, I have no way of testing the patch, so use at your own risk.

Thanks lujji, tested working 100%.
Uploaded the patch files I've used.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lujji on February 06, 2023, 10:09:49 pm

Btw, I'm slightly confused by the patches posted here - there seems to be one 'real' change and the rest is just forcing the menu screen to display 'Forever'. I don't know why this was done, probably to make people feel better when they're posting screenshots of their menus. Either way, I can't do any better since I don't have a scope to debug on, so I just made similar changes while poking around at 01.03.02.02 firmware. Once again, I have no way of testing the patch, so use at your own risk.

Thanks lujji, tested working 100%.
Uploaded the patch files I've used.

Good. Can you also test if you can suspend by doing "echo mem > /sys/power/state"?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on February 07, 2023, 07:23:59 pm
Thanks lujji and stmcore (I haven't tried the patch yet).

Is it possible to have ssh enabled permanently? I have tried modifying the start.sh script myself but it's not working.
Also, the IP address (I set it to manual) does not remember the changes, and they get lost every time I reboot the scope.
Is this behaviour similar on your devices? Do you lose the network config when you restart/power off the scope?

Thank you! Regards!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ToThePub on February 07, 2023, 09:56:37 pm
Unless you change it, the scope always starts with defaults. That includes the IP address settings (which is dumb, but whatever).
You have to tell the scope to keep the last settings (which includes IP info).
Utility > System > Power ON > Last
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 08, 2023, 06:05:09 pm
I want to give a shoutout to lujji for his excellent work in providing our community with the bspatch file.  I thought I would give everyone an update on my upgrade experience.

Frankly, given so many failed attempts posted here with regard to the Rigol firmware (not the patch), I was hesitant to proceed with the upgrade until there are more positive feedbacks.  Anyhow, I had some time this morning so I proceeded with the upgrade anyway.  I used the one 16GB USB drive I have always used for all firmware upgrades, and I was able to apply the new firmware successfully, no reset or secret button required (I also do not have any special saved setting on my scope, it is set to go back to default at each boot, as I rarely ever use the MSO5000).  All I did was to push the button for the update, once it finished, reboot, and everything was up and running - without any enhancements as expected.  But the upgrade process was smooth, my hardware is the original 1.00.00 if that matters. 

I then proceeded to apply the bspatch file lujji kindly provided, and everything worked just as expected, all the enhancements returned. :-+  I ran a self-cal after the upgrade, once the scope was fully warmed up, as a best practice.

Given all the issues I read MSO5000 has with different USB drives, I may just tape the drive to the back of the scope for future updates.

I can't say this will work for everyone, but hopefully this gives one more datapoint for those who may be on the fence.  Good luck.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: V42bis on February 10, 2023, 11:35:51 am
When I download the firmware using the link above “official firmware” I don’t get 01.03.02.02, I get V1_1_4_4 (Rigol download page says 01.03.02.02). Seems like the text does not match the file.
Since the patch is for 01.03.02.02, where can I get the correct 01.03.02.02 firmware matching the patch?
I wasn’t careful, and now have a scope without a matching  patch which isn’t out yet!

Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Finity on February 10, 2023, 03:34:43 pm
I am not sure what country you are in, but the Rigol NA (North America) site has the download for the latest firmware and is at

https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-f24095b5-cc11-4e8d-8df9-d2bfdffd5efc/0/-/-/-/-/MSO5_FW_V1_1_4_4.zip

When unzipped it will give you the 01.03.02.02 firmware properly labeled as well as upgrade instructions  and release notes (3 files total). I think if you just unzip the file you have it will give you the correct firmware.

It is labeled as "MSO5000 scope family latest firmware" on the official site.

 I am most likely going to try the upgrade and patch over the weekend for another data point, hopefully it will work on my scope. :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on February 10, 2023, 05:06:00 pm
When I download the firmware using the link above “official firmware” I don’t get 01.03.02.02, I get V1_1_4_4 (Rigol download page says 01.03.02.02). Seems like the text does not match the file.

Rigol's practices for handling firmware updates are terrible (at least for the MSO5000 - can't say if it's the same across the board)

The version number in the filename is meaningless for some time now.  Actually worse than meaningless - it's downright confusing.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 11, 2023, 10:11:47 pm
Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code:
<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Finity on February 12, 2023, 02:18:32 am
Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code:
<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail

When sent as SCPI code here is the response I get:

 * Connected to: USB0::0x1AB1::0x0515::MS5AXXXXXXXXX1::INSTR
-> *IDN?
<- (Return Count:56)
RIGOL TECHNOLOGIES,MSO5074,MS5AXXXXXXXXX,00.01.03.00.03

-> *IDN?
<- (Return Count:56)
RIGOL TECHNOLOGIES,MSO5074,MS5XXXXXXXXX,00.01.03.00.03

-> pkill -9 appEntry; /rigol/appEntry -run
<- (Return Count:0)

 * Error!!!
VISA:  (Hex 0xBFFF0015) Timeout expired before operation completed.

But this is above my (non)coding ability. Hopefully this is helpful, can try other things if you are willing to walk me thru it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 12, 2023, 09:18:07 am
Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code:
<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail

I somewhat remember seeing those errors in the old days... So, I think there is no reason to worry.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 12, 2023, 11:28:34 am
Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code:
<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail

When sent as SCPI code here is the response I get:

 * Connected to: USB0::0x1AB1::0x0515::MS5AXXXXXXXXX1::INSTR
-> *IDN?
<- (Return Count:56)
RIGOL TECHNOLOGIES,MSO5074,MS5AXXXXXXXXX,00.01.03.00.03

-> *IDN?
<- (Return Count:56)
RIGOL TECHNOLOGIES,MSO5074,MS5XXXXXXXXX,00.01.03.00.03

-> pkill -9 appEntry; /rigol/appEntry -run
<- (Return Count:0)

 * Error!!!
VISA:  (Hex 0xBFFF0015) Timeout expired before operation completed.

But this is above my (non)coding ability. Hopefully this is helpful, can try other things if you are willing to walk me thru it.

Well, SCPI is handled by appEntry AIUI. So, when you kill appEntry, SCPI won't work (and you won't get the response back). I guess this can be only tested via SSH.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 12, 2023, 12:31:19 pm
Well, SCPI is handled by appEntry AIUI. So, when you kill appEntry, SCPI won't work (and you won't get the response back). I guess this can be only tested via SSH.

It's much worse than that.

A SCPI "shell" (the usual port 5xxx) won't accept linux commands. So, if you want to send linux commands you must previously get yourself a SSH or telnet connection.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Finity on February 12, 2023, 01:12:58 pm
Yes, figured that out last night, will install and use PUTTY today.

EDIT: Need help in enabling SSH. Looking thru all the posts to find the right one is getting frustrating. Will keep at it, but a guide would be helpful. Just not finding it right now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 12, 2023, 03:14:58 pm
Yes, figured that out last night, will install and use PUTTY today.

EDIT: Need help in enabling SSH. Looking thru all the posts to find the right one is getting frustrating. Will keep at it, but a guide would be helpful. Just not finding it right now.

This is how I do it:

I have created a generic update file that simply calls mod.sh on the usb stick, like this:

Code:
cat <<"EOF" >fw4linux.sh.plain
#!/bin/sh
. /media/sda1/mod.sh
EOF

openssl aes-128-cbc -K BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD -iv BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD -in "fw4linux.sh.plain" >fw4linux.sh

tar -cf DS5000Update.GEL fw4linux.sh

Then I can make mod.sh do whatever I want, e.g.:
Code:
#!/bin/sh

# enable ssh
echo '/usr/sbin/sshd &' >>/rigol/shell/start.sh

sync

# run ssh
/usr/sbin/sshd &


Put both files (DS5000Update.GEL, mod.sh) on a usb stick and do a "local upgrade" on the scope. Configure your LAN interface correctly, then connect via SSH to the scope (root : Rigol201).
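
A package built this way runs its fw4linux.sh on the scope, so it is worth reading that script before loading a .GEL that someone else has shared. The sketch below is an added example, not code from the thread: it assumes the package has exactly the layout shown in the post above (plain tar, script encrypted with the quoted key and IV); gel_show_script, gel_flag_lines and demo are hypothetical names, and the package used in demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. The key/IV value is the one quoted
# in the post; the function names are hypothetical.
KEY=BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD

# Print the decrypted fw4linux.sh contained in the package given as $1.
# Assumes the layout from the post: a plain tar archive whose fw4linux.sh
# member is AES-128-CBC encrypted with KEY used as both key and IV.
gel_show_script() {
    tar -xOf "$1" fw4linux.sh | openssl aes-128-cbc -d -K "$KEY" -iv "$KEY"
}

# Print (with line numbers) the script lines that deserve a closer look:
# lines that source another file, append to a file, or touch /rigol or the
# USB mount point.
gel_flag_lines() {
    gel_show_script "$1" |
        grep -nE '^[[:space:]]*(\.|source)[[:space:]]|>>|/rigol/|/media/'
}

# Constructed demonstration: build a package the way the post does, inside a
# scratch directory, then review it.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\n. /media/sda1/mod.sh\n' >"$tmp/fw4linux.sh.plain"
    openssl aes-128-cbc -K "$KEY" -iv "$KEY" \
        -in "$tmp/fw4linux.sh.plain" >"$tmp/fw4linux.sh"
    (cd "$tmp" && tar -cf DS5000Update.GEL fw4linux.sh)
    out=$(gel_flag_lines "$tmp/DS5000Update.GEL")
    rm -rf "$tmp"
    printf '%s\n' "$out"
}

demo
```

For the generic package from the post the review flags line 2, the line that sources mod.sh from the stick, which means mod.sh is the file that then has to be read.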

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on February 12, 2023, 04:56:58 pm
I did the upgrade this morning.  It did not go without hiccups so I thought I would report my findings

1. My scope HW version is 01.00.000 and was updated and patched to the previous release
2. I'm using a 4GB USB drive formatted as Fat32.  The drive is empty except for the FW files or patch files (not at the same time).  I'm pretty sure that I have used this drive before for updates
3. I downloaded and extracted MSO5_FW_Update to the flash drive
4. Updated using the local upgrade options feature
5. On reboot the startup gas gage goes to full and then stalls.  Dang
6. Second reboot - no change
7. Enter the secret menu by pressing Single button during reboot.  Two options presented: Upgrade Firmware and Restore Defaults
8. Tried Upgrade Firmware - scope reports a FW error
9. Tried Restore Defaults - the scope boots and shows FW 00.01.03.02.02(!)
10. Ran the patch using the local upgrade option.  Can confirm that the patch does not reboot the scope upon completion
11. Reboot scope, all options show forever  8)

Thanks to lujji and everyone else who has worked enhancing this scope
Unlike NoisyBoy, my scope was not running using default settings
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on February 12, 2023, 05:42:18 pm
That is a good observation.  So my hypothesis is the new firmware may not handle migrations of some stored configurations properly: while the upgrade of AppEntry was actually performed, the new firmware does not know how to handle some stored configs, and that causes the scope to hang.  With Restore Default, it wipes any stored configs, and allows the scope to have a clean boot.

If that's the case, perhaps one extra step to do prior to the upgrade is to remove any stored config, and make sure the scope boots in default state rather than restoring the state from last boot.  That may save the extra headache from hangs and having to go into the secret menu.

If this is the cure, Rigol should have stated it in the upgrade instruction in bold (maybe they did, except they encrypted it  :palm:).  Better yet, to include a config migration in the upgrade, so it is transparent to the user.    That's what any good equipment vendor would have done to handle firmware upgrades. 

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Finity on February 12, 2023, 06:51:56 pm
Another successful upgrade to a MSO5074 using the 00.01.03.02.02 GEL file from RigolNA build date 2022-12-05.

Then applied patch by Lujji, manual power cycle and good to go. Forever upgrades for all options (or at least that is what is on the screen).

Hardware version 01.01.000. My setup was close to defaults, but not the LAN settings. LAN settings were preserved for me.

Zooming is much less laggy, very noticeable difference and much less frustrating.

Many thanks to Lujji.

Thanks also to c0d3z3r0 for the SSH files, they work great. Will be testing later.  :-+

EDIT: Hmm, the SSH enabling coding "upgrade" from c0d3z3r0 now fails with the new firmware. :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilyxa on February 12, 2023, 09:27:12 pm

EDIT: Hmm, the SSH enabling coding "upgrade" from c0d3z3r0 now fails with the new firmware. :-//

Just reboot the scope and you get a perfectly working sshd; ignore the error.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on February 12, 2023, 09:34:38 pm
Hi, with that patch, ssh will remain available at next boot? I want to have it permanently. Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 13, 2023, 12:08:41 am

EDIT: Hmm, the SSH enabling coding "upgrade" from c0d3z3r0 now fails with the new firmware. :-//

Just reboot the scope and you get a perfectly working sshd; ignore the error.

Ignore the error (this is normal bc it's not a real fw update). SSH gets started right away. Only network settings have to be checked.
Oh SSH is pretty slow on the first connection (~30sec).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 13, 2023, 12:09:27 am
Hi, with that patch, ssh will remain available at next boot? I want to have it permanently. Thank you!

Yes
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Finity on February 13, 2023, 12:57:05 am
Excellent work. Successful permanent (ish) SSH communication with PUTTY. Thanks again! :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 13, 2023, 11:31:17 am
Excellent work. Successful permanent (ish) SSH communication with PUTTY. Thanks again! :-+

Great! Could you test the appEntry thing? :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Finity on February 13, 2023, 11:40:58 am
Hopefully will have some time after work tonight to run the appentry thing and give some results.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: beatman on February 13, 2023, 02:23:02 pm
Today I tried the update again and it works. I only disabled the startup/last to default, and after the update and reboot the scope works normally. Very nice optimizations.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Finity on February 14, 2023, 01:18:56 am
Alright, here is the result of entering "/rigol/appEntry -run" at the <root@rigol> prompt while connected to MSO5000 via SSH:

<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
servscpi.cpp 120 "The bound address is already in use"
Cal Data: "/rigol/data/cal_1.hex"
default setting by user set
insmod: can't insert '/rigol/drivers/libcomposite.ko': File exists
insmod: can't insert '/rigol/drivers/usbtmc_dev.ko': File exists
usbtmc.cpp 129 error:can not open /dev/usbtmc_dev,fd:-1

insmod: can't insert '/rigol/drivers/usb_gpib.ko': File exists
!!!!!!!!!!!!!!!!!!!CCU wait stop fail---------------------

Reads quite dramatic at the end, like a computer's dying words. It made me go look at the scope in the garage to make sure it hadn't caught on fire while I was telnetting from upstairs. Of course it was fine ;)

Hope this info is helpful to those that know what it means :D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilyxa on February 14, 2023, 08:23:02 am
Reads quite dramatic at the end, like a computer's dying words. It made me go look at the scope in the garage to make sure it hadn't caught on fire while I was telnetting from upstairs. Of course it was fine ;)

You forgot to kill the "old" appEntry (e.g. something like pkill appEntry) and tried to run a new instance; nothing to be scared of.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gharac on February 14, 2023, 09:53:12 am
Another successful upgrade to a MSO5074 using the 00.01.03.02.02 GEL file from RigolNA build date 2022-12-05.

I always get "error: no patch file 'patch.txt' found on drive" when patching. But patch.txt, ds5000Update.GEL and 01_03_02_02.bspatch are available on the stick. And the firmware is of course 00.01.03.02.02 with build date 2022-12-05.
What am I missing?


Update: Works fine. It was a USB stick issue (as usual)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 14, 2023, 10:00:58 am
Alright, here is the result of entering "/rigol/appEntry -run" at the <root@rigol> prompt while connected to MSO5000 via SSH:

<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
servscpi.cpp 120 "The bound address is already in use"
Cal Data: "/rigol/data/cal_1.hex"
default setting by user set
insmod: can't insert '/rigol/drivers/libcomposite.ko': File exists
insmod: can't insert '/rigol/drivers/usbtmc_dev.ko': File exists
usbtmc.cpp 129 error:can not open /dev/usbtmc_dev,fd:-1

insmod: can't insert '/rigol/drivers/usb_gpib.ko': File exists
!!!!!!!!!!!!!!!!!!!CCU wait stop fail---------------------

Reads quite dramatic at the end, like a computer's dying words. It made me go look at the scope in the garage to make sure it hadn't caught on fire while I was telnetting from upstairs. Of course it was fine ;)

Hope this info is helpful to those that know what it means :D

ilyxa is right, could you try once again like this? pkill -9 appEntry; /rigol/appEntry -run

Edit: nevermind, errors appear here even without pkill, so it doesn't matter. Thanks for testing!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Finity on February 14, 2023, 11:06:40 am
Here are the errors using the "pkill -9 appEntry; /rigol/appEntry _run":


7 2048 16 2 "/dev/fb0"
Cal Data: "/rigol/data/cal_1.hex"
default setting by user set
insmod: can't insert '/rigol/drivers/libcomposite.ko': File exists
insmod: can't insert '/rigol/drivers/usbtmc_dev.ko': File exists
insmod: can't insert '/rigol/drivers/usb_gpib.ko': File exists
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 14, 2023, 11:30:02 am
Here are the errors using the "pkill -9 appEntry; /rigol/appEntry _run":


7 2048 16 2 "/dev/fb0"
Cal Data: "/rigol/data/cal_1.hex"
default setting by user set
insmod: can't insert '/rigol/drivers/libcomposite.ko': File exists
insmod: can't insert '/rigol/drivers/usbtmc_dev.ko': File exists
insmod: can't insert '/rigol/drivers/usb_gpib.ko': File exists

Found another thing... my /rigol/data/vendorlog.txt reads "vendor data invalid". What does yours say?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: salviador on February 14, 2023, 12:29:03 pm
Hi,

I have a problem: I installed the original firmware "v00.01.03.02.02 2023/01/04"
but maybe I haven't finished upgrading; now when I start the MSO it freezes almost at the end of loading and stays blocked.

Now I tried reinstalling the firmware with the secret menu (start the MSO and press and hold Single)
but nothing; it continues to boot normally until it blocks.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilyxa on February 14, 2023, 12:40:39 pm
Hi,

I have a problem: I installed the original firmware "v00.01.03.02.02 2023/01/04"
but maybe I haven't finished upgrading; now when I start the MSO it freezes almost at the end of loading and stays blocked.

Now I tried reinstalling the firmware with the secret menu (start the MSO and press and hold Single)
but nothing; it continues to boot normally until it blocks.

For clarification, is Start/Stop red or green (to clarify some stuff)? IMHO this hang seems not specific to the f/w update but to non-default settings at boot.

It's a bit tricky: you don't need to hold the Single button. Just switch the unit off, then press the power button, and right after that momentarily press the Single button a few times until the menu appears. Try "Default Settings" (not fw upgrade) first.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: salviador on February 14, 2023, 12:46:49 pm
Ohhhh wow, thank you so much. Now I'll try to reinstall the original firmware
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ilyxa on February 14, 2023, 12:56:35 pm
Ohhhh wow, thank you so much. Now I'll try to reinstall the original firmware

)

1st - which color is the Start/Stop button after the unsuccessful boot (green or red)?
2nd - try to set defaults in the hidden menu before reinstalling the microcode, it can help.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: salviador on February 14, 2023, 01:21:22 pm
Ohhhh wow, thank you so much. Now I'll try to reinstall the original firmware

)

1st - which color is the Start/Stop button after the unsuccessful boot (green or red)?
2nd - try to set defaults in the hidden menu before reinstalling the microcode, it can help.

Start/Stop is orange.

I tried Restore Defaults in the hidden menu and now it works! Now I'll try the patch.
thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Sharp on February 14, 2023, 03:29:41 pm
I did the upgrade this morning.  It did not go without hiccups so I thought I would report my findings

1. My scope HW version is 01.00.000 and was updated and patched to the previous release
2. I'm using a 4GB USB drive formatted as Fat32.  The drive is empty except for the FW files or patch files (not at the same time).  I'm pretty sure that I have used this drive before for updates
3. I downloaded and extracted MSO5_FW_Update to the flash drive
4. Updated using the local upgrade options feature
5. On reboot the startup gas gage goes to full and then stalls.  Dang
6. Second reboot - no change
7. Enter the secret menu by pressing Single button during reboot.  Two options presented: Upgrade Firmware and Restore Defaults
8. Tried Upgrade Firmware - scope reports a FW error
9. Tried Restore Defaults - the scope boots and shows FW 00.01.03.02.02(!)
10. Ran the patch using the local upgrade option.  Can confirm that the patch does not reboot the scope upon completion
11. Reboot scope, all options show forever  8)

Thanks to lujji and everyone else who has worked enhancing this scope
Unlike NoisyBoy, my scope was not running using default settings

Did the update - selected "Restore Defaults" - but I want to add to tcottle's good list above - Keep the USB stick in the MSO until the update boot has finished ( FW 00.01.03.02.02)
My update worked fine and I am now running FW 00.01.03.02.02 with all options active  :popcorn:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on February 14, 2023, 05:18:04 pm
Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

with FW 00.01.03.00.01

Code:
/rigol/appEntry _run
7 2048 16 2 "/dev/fb0"
messageExchange.cpp 172 pCurrentIntf == NULL
insmod: can't insert '/rigol/drivers/libcomposite.ko': File exists
insmod: can't insert '/rigol/drivers/usbtmc_dev.ko': File exists
insmod: can't insert '/rigol/drivers/usb_gpib.ko': File exists

So, since I can now ssh and sftp (very helpful!), does anybody have a cross-compiler set up for this scope (ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16)?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 14, 2023, 05:20:50 pm
Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code:
<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail

with FW 00.01.03.00.01

Code:
/rigol/appEntry _run
7 2048 16 2 "/dev/fb0"
messageExchange.cpp 172 pCurrentIntf == NULL
insmod: can't insert '/rigol/drivers/libcomposite.ko': File exists
insmod: can't insert '/rigol/drivers/usbtmc_dev.ko': File exists
insmod: can't insert '/rigol/drivers/usb_gpib.ko': File exists

Thank you! Is there anything in your /rigol/data/vendorlog.txt?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on February 14, 2023, 05:27:58 pm

Thank you! Is there anything in your /rigol/data/vendorlog.txt?

same text as in yours.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: c0d3z3r0 on February 14, 2023, 05:40:57 pm

Thank you! Is there anything in your /rigol/data/vendorlog.txt?

same text as in yours.

weird, but probably a bug then...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on February 14, 2023, 05:57:25 pm
Did anyone try DOOM ( https://github.com/Spritetm/prboom-mso5k ) with a later version of the firmware? Did the  firmware upgrades so far only change the application software or also more fundamental stuff like libc or the kernel?

Update: Tried it and it worked with my firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sjm on February 14, 2023, 08:51:36 pm
I can confirm success.

a) from system settings, set it to always boot up with default settings and power cycle
b) upgrade firmware with the official image available at Rigol NA
c) reboot, check that new version is actually running, and some of the software options are gone as expected
d) run a local upgrade with the patch files available here, wait patiently for the scope to wake up again -- and then power cycle
e) check that software version is the latest one and with all the options enabled, yes they are.

Now the scope is running self-calibration. Everything seems fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Crambone on February 15, 2023, 01:31:04 pm
Sticker for your scope. I had some stickers made up to upgrade scope model if anyone is interested just send $2 PayPal and I will mail out to address on your PayPal. CONUS only please.
They need to have the white trimmed off and they don’t fit side to side perfect but with a little care they will look good, I rushed on this one just to try it. I’m going to make the next one exact fit with a bit of white showing on each end and just use a permanent black marker to rid the dreaded black.

PayPal: KB2LMN@gmail.com
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lmamakos on February 15, 2023, 07:30:04 pm
Thanks for the list of steps to do this upgrade.   One thing I'll note is that if you elect to do the other process to enable ssh access, it will complain about a failed update but it does the thing.   Don't be like me and try it one or two more times as the same thing gets added to the start-up file.

While fixing that, it occurs to me that in addition to (or maybe instead of) starting sshd from the startup.sh file, one could add a line like:

[ -f /media/sda1/init.sh ] && . /media/sda1/init.sh

to the end of the file that would just include and run a shell script from the USB stick plugged into the scope.  My intention was to use this to add a .ssh directory to the root user's home directory (which is initialized from scratch when the scope boots) so password authentication wasn't going to be necessary.

I'm also going to see why sshd takes so long to start the session; likely it's trying to do some reverse DNS lookup of the address of the remote end of the ssh session.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: luma on February 15, 2023, 08:00:13 pm
Thanks to everyone for the info in this thread, scope is now up to latest and the VNC support is great!

(https://i.imgur.com/hKjGKRv.gif)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on February 16, 2023, 06:31:51 pm
Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: MegaVolt on February 17, 2023, 09:20:22 am
I made a guide to help all the users to get through the upgrade process.

You have a new firmware in the archive that is different from all that I have seen here. Where did you get it?

b84331279e96a0cba499dcb9d447b048 *DS5000Update.GEL

Size: 71 669 760 byte
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on February 17, 2023, 11:22:41 am
I think it is the one uploaded in first place in Rigol china site, and then they removed the firmware and published again. It's not the same file?

Anyway the "firmware package" is only for users comodity, I posted all the links to download the files by themselves.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Protegimus on February 17, 2023, 06:05:20 pm
v00.01.03.02.02 2023/01/04

Successful firmware update with default setting on boot (reverted from Last for the purpose of the update).

Observations:
1. 500uV range is no longer available on CH1
(listed under page 18, Overview of the MSO5000 Series Technical Specifications > Vertical System Analog Channel > Vertical Sensitivity Range)

2. Selecting 1mV range automatically engages 20MHz bandwidth limit, with B indicated in the channel status label

If someone can confirm that would be appreciated.

@luma what do you use to create the animated .gifs - they are incredibly helpful to include.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 17, 2023, 08:08:36 pm
I can confirm 1 mV limit on all channels instead of 500 uV.
Corner menu is also extended/rearranged.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 17, 2023, 11:16:50 pm
While scouring my old notes (lots of stuff on this MSOs endeavour...) I just saw this small pic that I did while testing the several Models, by changing the FRAM contents.

Light green - officially released
Dark green - possible but not officially released (as the BW wasn't fully reached)
Red - unrecognized

I leave it here just for reference.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lmamakos on February 18, 2023, 06:19:16 am
I've been doing a little more hacking around to improve the SSH access, and a bit more flexible way to play with the scope.  I did two things to make the SSH experience much snappier.

It involves just a few steps.  First, once you've enabled the SSH server as described previously, you can SSH into the scope and modify the last line that was added to the /rigol/shell/start.sh file on the scope to look like this instead:

/usr/sbin/sshd &  [ -f /media/sda1/init/init.sh ] && sh /media/sda1/init/init.sh

This just appends that latter conditional expression which checks for a file called init.sh in the init directory on the USB stick plugged into the scope.  The embedded Linux in there has an old-school "ed" UNIX line editor that works just fine.  Or you could just append that new bit to the file for the same effect from the shell with a command like

echo >> /rigol/shell/start.sh  '[ -f /media/sda1/init/init.sh ] && sh /media/sda1/init/init.sh'

Make sure you use two >> characters to append and not overwrite the file!  Because of the risk of screwing up that file, it was better to change that start.sh file just once and experiment elsewhere with a separate script.

Now you need to create some files on the USB stick that you'll leave plugged into the scope.   This is intended to be the same one that you might leave in there for saving screenshots or configurations.   An init directory is created on the USB stick.  Then you put a file in the init directory called init.sh, like the one that I've attached.  (Note I had to attach a .txt suffix to enable it to be attached to this post.)  Also, you can put an authorized_keys file next to the shell script in the same directory with your SSH public key(s) in there.  If the authorized_keys file is missing, it just skips that step.

So now, each time your scope starts, it starts with checking to see if that init directory and init.sh script are present and then it will fix the SSH server's DNS lookup and install your authorized_keys file.  It's necessary to do these fixes each time the scope boots, as the root file system is RAM based and changes don't persist over reboots.

The other alternative I looked at was making an init directory in the /user directory on the scope.   This is the "C" drive and where screenshots and save configurations land if you don't put them on a USB stick.   I chose to do the USB stick instead, so if something went stupid, you could just unplug it when starting the scope and skip this.  The script that I wrote looks for the various files in the same directory it was started from.

I'm sure this can be merged into a more general process like was used to install the sshd as an "upgrade" as described earlier in the thread.  I thought it might be useful for others with some Linux experience to test-drive this before going that far.
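
Added example, not lmamakos's attached init.sh and not Rigol's code: a sketch of the boot hook described in this post and in the February 15 post, covering an idempotent append to start.sh, key installation from the stick, and the sshd reverse-DNS setting. The `UseDNS no` fix, the `/etc/ssh/sshd_config` and `/var/run/sshd.pid` paths, root's home at `/root`, and all function names are assumptions that do not come from the thread.

```shell
#!/bin/sh
# Added example: NOT the init.sh attached to the post. ASSUMED values are marked.

HOOK='[ -f /media/sda1/init/init.sh ] && sh /media/sda1/init/init.sh'  # from the post
START_SH=/rigol/shell/start.sh      # from the post
SSHD_CONF=/etc/ssh/sshd_config      # ASSUMED config location
SSHD_PID=/var/run/sshd.pid          # ASSUMED pid file location
ROOT_HOME=/root                     # ASSUMED home directory of root

# append_once FILE LINE
# Append LINE to FILE unless FILE already contains that text, so repeating
# the step cannot stack duplicate entries in start.sh.
append_once() {
    if grep -qF -- "$2" "$1" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# set_sshd_option CONF KEY VALUE
# sshd keeps the first value it reads for a keyword, so remove every active
# "KEY ..." line (keywords are case-insensitive) and write the wanted one at
# the top of the file, ahead of any Match block.
set_sshd_option() {
    [ -f "$1" ] || return 1
    tmp="$1.new.$$"
    {
        printf '%s %s\n' "$2" "$3"
        awk -v k="$2" 'tolower($1) != tolower(k)' "$1"
    } > "$tmp" && mv "$tmp" "$1"
}

# install_keys SRC_DIR HOME_DIR
# Copy SRC_DIR/authorized_keys into HOME_DIR/.ssh. A FAT stick carries no
# Unix permissions and files edited on Windows may have CRLF line ends, so
# the file is copied (not linked), CRs, blank lines and comments are dropped,
# and modes are set to the 700/600 that sshd's StrictModes check expects.
# Prints the number of key lines installed (0 when the file is missing).
install_keys() {
    src="$1/authorized_keys"
    dst="$2/.ssh"
    if [ ! -f "$src" ]; then
        echo 0
        return 0
    fi
    mkdir -p "$dst" || return 1
    chmod 700 "$dst"
    awk '{ sub(/\r$/, "") } NF && $1 !~ /^#/' "$src" > "$dst/authorized_keys"
    chmod 600 "$dst/authorized_keys"
    awk 'END { print NR }' "$dst/authorized_keys"
}

# main: run at every boot through the hook, because the root file system is
# RAM based and neither change survives a power cycle.
main() {
    here=$(cd "$(dirname "$0")" && pwd)   # files sit next to this script
    install_keys "$here" "$ROOT_HOME" > /dev/null
    set_sshd_option "$SSHD_CONF" UseDNS no || return 1
    # The hook starts sshd just before this script; wait briefly for its pid
    # file, then send HUP so it rereads the configuration.
    i=0
    while [ ! -f "$SSHD_PID" ] && [ "$i" -lt 5 ]; do
        sleep 1
        i=$((i + 1))
    done
    if [ -f "$SSHD_PID" ]; then
        kill -HUP "$(cat "$SSHD_PID")"
    fi
}

case "${1:-}:$0" in
    install-hook:*)   append_once "$START_SH" "$HOOK" ;;  # one-time, typed on the scope
    :*/init/init.sh)  main ;;                             # every boot, via the hook
esac
```

Because the hook runs whatever `init/init.sh` is on the inserted stick as root at every boot, the stick carries the same trust as the root password and should be handled accordingly.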
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: CosteC on February 19, 2023, 08:03:12 pm
v00.01.03.02.02 2023/01/04

Successful firmware update with default setting on boot (reverted from Last for the purpose of the update).
So hack disappears, like others reported?
Observations:
1. 500uV range is no longer available on CH1
(listed under page 18, Overview of the MSO5000 Series Technical Specifications > Vertical System Analog Channel > Vertical Sensitivity Range)
CH1 only or all channels?
2. Selecting 1mV range automatically engages 20MHz bandwidth limit, with B indicated in the channel status label
Previous software version engaged 20 MHz limit on 0.5 mV/1 mV / 2 mV if I remember correctly. Datasheet mentions those ranges are software created from 4 mV/div (which is not directly available - as there is 5 mV/div step, so seems HW is more binary with some VGA too)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: blubillcanada on February 21, 2023, 03:26:33 pm
How did you get VNC to function?

Nevermind, it was my network cable wasn't connected lol.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lmamakos on February 21, 2023, 07:11:15 pm
How did you get VNC to function?

Just one thing that I bumped up against...  I couldn't get the VNC interface to work with "Screen Sharing" on my macOS computer.  In the past, I've used this as a VNC client with success.  However, when pointed at the MSO5000, it would connect; then ask for username/password and then sit there.  No display window, nothing.  I tried diddling around with various options (add a password, or not, etc.)

Eventually I tried a VNC client from a Linux computer and it worked just fine and the display popped up immediately!  It works wonderfully, and I think it'll probably be easier to do screen captures from the VNC window than finding the file the MSO5000 creates.

Maybe this will save someone some time.. I haven't investigated the macOS side of things yet to see WTF was going on.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 21, 2023, 08:27:13 pm
v00.01.03.02.02 2023/01/04

Successful firmware update with default setting on boot (reverted from Last for the purpose of the update).
So hack disappears, like others reported?
Observations:
1. 500uV range is no longer available on CH1
(listed under page 18, Overview of the MSO5000 Series Technical Specifications > Vertical System Analog Channel > Vertical Sensitivity Range)
CH1 only or all channels?
2. Selecting 1mV range automatically engages 20MHz bandwidth limit, with B indicated in the channel status label
Previous software version engaged 20 MHz limit on 0.5 mV/1 mV / 2 mV if I remember correctly. Datasheet mentions those ranges are software created from 4 mV/div (which is not directly available - as there is 5 mV/div step, so seems HW is more binary with some VGA too)

1. After every upgrade hacked options disappear and need a new hack.
2. All channels
3. Correct
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Trax on February 22, 2023, 07:52:47 am
So are the hacks still working with the newest hardware revisions?
And what to get as a basic model?
Rigol MSO5074 and for the LA probes Rigol PLA2216 ?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on February 22, 2023, 11:33:52 pm
So are the hacks still working with the newest hardware revisions?
And what to get as a basic model?
Rigol MSO5074 and for the LA probes Rigol PLA2216 ?

Yes, MSO5074 if you want 4 probes. 5072 if you only need 2.
I wouldn't bother with LA feature, unless you need the extreme sample rates. A more user friendly PC LA can be had for less.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lmamakos on February 23, 2023, 03:11:20 am
For about $80, you can buy an alternative logic analyzer pod from ebay, based on a design that was posted in another thread on the forums.  It doesn't have the adjustable threshold that the Rigol pod has, but works for 3.3v/5v logic levels.  Just search for PLA2216.

https://www.eevblog.com/forum/testgear/low-cost-logic-analyzer-probe-for-rigol-mso5000-easyeda-project/ which seems to be based on https://eltguy.de/en/selbstbauprojekte-elektronik-technik-hobbytechnologien/logic-probe-ein-digitaler-16-kanal-tastkopf-fuer-oszilloskop/

There's another project where you can build your own after ordering some boards.  You'd need to be comfortable doing surface mount assembly, etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gharac on February 23, 2023, 11:28:54 am

https://www.eevblog.com/forum/testgear/low-cost-logic-analyzer-probe-for-rigol-mso5000-easyeda-project/ which seems to be based on https://eltguy.de/en/selbstbauprojekte-elektronik-technik-hobbytechnologien/logic-probe-ein-digitaler-16-kanal-tastkopf-fuer-oszilloskop/

It's the other way around, but both work fine and are only slightly different in design.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Landys on March 03, 2023, 09:38:04 am
Thanks a lot everyone, the latest hack for Update v00.01.03.02.02 works fine again.  :-+

Here is full update and hack package in one zip: https://ulozto.cz/tamhle/ZetrB98R0FaJ#!ZJV1MwR2AmR5ZJD2MQVjBGOvZQyyA0cuEwOyLyAnMxABnQV3Aj==
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mosafet on March 04, 2023, 01:51:13 pm
For anyone looking for a pseudo-OEM looking label (the fonts are similar at best). PNG, SVG, and PDF.

All of my printers are broken at the moment so if someone tries this, let me know how it fits and I can make adjustments as needed. Colour matching may take some effort too.

(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=1730744;image)


The Rigol logo and designs are owned by RIGOL TECHNOLOGIES CO., LTD. and I have no affiliation or intent to infringe.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: klen_s on March 05, 2023, 06:23:21 pm
another good confirmation!
update was from 1.3.0.3 + patch -> 1.3.2.2
after the reboot, the device did not rise ... after entering the boot menu, I repeated the procedure - the result is the same.
as we now assume that the fault is the configuration data from the previous firmware.
performed the update with the previous firmware 1.3.0.3 + patch -> 1.3.0.3 and the device came to life :)
then everything was as described above - update to 1.3.2.2 and apply the patch
enjoy!
thank you very much for your work!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: cuestalf on March 05, 2023, 07:55:47 pm
Just to confirm yet another successful modification, as of March 5th, 2023, following faktorqm's document/guide step by step.
In about 1hour (I know, very slow, patience is key ) it has now a full licensed option list.
Only one, at least for me, not so clear detail: "root/Rigol201" refers to the Login (root) AND Password (Rigol201) for the SSH interface (I used Putty).
One (unnecessary) thing I did differently: before starting the whole process (even the back up) I did a factory reset (explained later on, at some point, in the guide) and I preferred to re-enter LAN's settings twice rather than to change to "Power On->Last"
All in all, I am very thankful that I found this well written guide.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: lmamakos on March 05, 2023, 09:11:55 pm
When I did the latest update, I didn't reset the network configuration, but simply changed the "Power On" setting from "Last" to "Default" which seemed to do the trick for me.  My network settings survived.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on March 07, 2023, 12:01:21 am
Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

I see that you are Spanish. I hacked my Rigol at the beginning, as soon as the valid hack appeared, but seeing your guide I sense that another method can be followed. Would it be too much trouble to also post it in Spanish? My command of English leaves much to be desired. Thanks in any case.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 07, 2023, 10:02:51 am
This is an english forum!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on March 07, 2023, 10:22:52 am
OK, sorry

I see that you are Spanish, I hacked my rigol at the beginning as soon as the valid hack appeared, but seeing your guide I sensed that another method could be followed, it would be a lot of trouble to also put it in Spanish, my command of English leaves much to be desired, thanks in any case.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: williamlee on March 17, 2023, 10:26:15 pm
I can't find any 1.3.2.2 FW upgrade file on the Rigol website????  :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on March 18, 2023, 12:23:01 am
I can't find any 1.3.2.2 FW upgrade file on the Rigol website????  :-//

It's mislabeled on some of the Rigol sites, you can also find it a few posts back.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: apolkosnik on March 20, 2023, 04:19:47 pm
Is there a way to unbrick the scope without opening it up? I took out my MSO5102 out of a box lately (it was working perfectly before), and powered it on. It hangs with a black screen without showing a boot screen now, any clues? Thanks in advance!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on March 20, 2023, 09:17:33 pm
Is there a way to unbrick the scope without opening it up? I took out my MSO5102 out of a box lately (it was working perfectly before), and powered it on. It hangs with a black screen without showing a boot screen now, any clues? Thanks in advance!

So pressing "single" does nothing then? Everything other than power unplugged from the unit?
Is it still under warranty?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mandragora on March 22, 2023, 06:07:13 pm
Hello guys, I was going to share my experiences of upgrading my "brand new" MSO5074 for more data points. but before that I stumbled on...

I've ordered my scope from Batronix on 29.12.2022, roughly 3 months ago. Yea, that is long...
Today I powered the scope for 1st time after delivery (today). To check my firmware version I opened "System Information". Firmware is 1.3.0.3, but to my surprise bottom text says -> "Build: 2021-10-18"
Did I really wait 3 months to receive a 17 month old scope? Should I call out Batronix about that and request a replacement? Or just leave it be?

P.S. Is there an easy way to remove Warranty Void sticker to replace fan for a Noctua?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on March 22, 2023, 06:34:36 pm
This is the firmware version build(compilation) date.
Most important is the calibration date, which should not be more than 6 month old.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: apolkosnik on March 22, 2023, 08:20:47 pm
So pressing "single" does nothing then? Everything other than power unplugged from the unit?
Is it still under warranty?
Thanks! It seems like the flash memory kicked the bucket. Thankfully, it was still under the warranty.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mandragora on March 22, 2023, 08:36:30 pm
Thanks skander36, It is same date and time as on System Info of others users with 1.3.0.3 firmware. I just remembered that I saw newer build date (around 12.2022) but it turns out to be 1.3.2.2 firmware.
My calibration date is 06.01.2023 so not that old. I was worried that I got old stock as a "new" device.
It is a little weird to me that firmware build =/= firmware version (aka one firmware version shouldn't have more than one build date? so there would be no reason to differentiate those). But I am not a software developer.

Thanks again.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: shoehorn81 on March 23, 2023, 10:48:16 pm
I would be interested in sending my MSO5074 to someone to have them hack it for me.  Paying of course.  Any interest?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mandragora on March 24, 2023, 11:04:58 am
Hello guys,

I've successfully updated firmware and applied upgrade to my scope yesterday, no hiccups.
I used brand new SanDisk 3.1 Flash Drive (32GB) which was formatted as FAT32 as default.

@shoehorn81 hack is fairly simple, if you need guidance I could walk you through it, for example on Discord. PM me if you want to.

Regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: shoehorn81 on March 25, 2023, 07:31:06 pm
@Mandragora I was able to install the patch.  I must admit I was a bit intimidated by 100 pages in this forum.  About 1/2 way through there is a patch download.  Simple as putting that on a thumb drive and installing.  Big thanks to all that made this possible.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mcalderon on March 26, 2023, 06:34:35 am
Hello, can you guys help point me to how to upgrade the firmware? I want to hack this oscilloscope but I am scared to do it wrong. Is faktorqm's guide the best/most recent guide to follow? If not, is it possible to give some guidance?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: williamlee on March 29, 2023, 05:15:45 pm
"Hello, can you guys help point me to how to upgrade the firmware? I want to hack this oscilloscope but I am scared to do it wrong. Is faktorqm's guide the best/most recent guide to follow? If not, is it possible to give some guidance?"

1. upgrade the official FW at the first moment to the last ver.
2. After you upgraded the new official FW as the base on your upgraded version number to go to the "Local" to upgrade your "hack version".

Simple and easy. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: vadimcreates on April 01, 2023, 12:27:25 pm
Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

Hi faktorqm,

Great work done sorting it out and do such a detailed explanation.
Just one question to clarify from the guide at the beginning:
Quote
"Have an ethernet network wire to connect it directly to your computer. "

Do you connect ethernet cable to the oscilloscope through router or the connection was done directly - from oscilloscope to PC? If it is direct connection to PC without router, did you use LAN crossover cable or LAN straight through cable?

Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on April 01, 2023, 01:49:49 pm
Do you connect ethernet cable to the oscilloscope through router or the connection was done directly - from oscilloscope to PC? If it is direct connection to PC without router, did you use LAN crossover cable or LAN straight through cable?

Thanks!

Consider it just as a computer. Use a regular cable if you connect it to a router, or a crossed one if you connect it to your PC directly. I did the direct connection with a crossed cable, because I wanted to make it harder for it to call home.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on April 01, 2023, 05:56:58 pm
Most network interfaces today support "Auto MDI-X" so a crossover cable should almost never be necessary (Gigabit Ethernet links don't need crossover by design)

  - https://en.wikipedia.org/wiki/Medium-dependent_interface#Auto_MDI-X
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ytterligare on April 02, 2023, 02:45:58 pm
Hello there,
I read through quite a lot of messages, but still not sure about this, as most of you seems to be "fixing" a "virgin" MSO5K...

My MSO5K is a 5072 at :
 
Firmware : 00.01.03.00.01
Hardware: 01.01.000
Boot: 2018.06.27
Build: 2020-03-30

And it is already "hacked" to get full power "Forever"

Is the method in "faktorqm" guide ok also for already modified device ? I feel I'm a couple of version behind with the software but I wouldn't want to lose all the gained perks, so to speak...  8)

Thanks
A.

*** EDIT ***
Nevermind, I read the documentation better: the procedure temporarily resets the MSO5K to the default (hence losing all the pre-existing "fixes") before applying the final patch.

Anyhow I successfully upgraded and re-enabled the Rigol "fixes", following the guide : many thanks !!!   :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Andrey_Ak on April 05, 2023, 09:41:33 am
Hello comrades!

I want to purchase Rigol MSO5072, are there any ways to hack it before MSO5354? And will all 4 channels work?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 05, 2023, 10:11:52 am
Hello comrades!

I want to purchase Rigol MSO5072, are there any ways to hack it before MSO5354? And will all 4 channels work?

Yes, read the thread.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ytterligare on April 05, 2023, 02:49:50 pm
I want to purchase Rigol MSO5072, are there any ways to hack it before MSO5354? And will all 4 channels work?

Yes, mine was precisely a MSO5072 and got it working as an MSO5354, see my post below/after...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Andrey_Ak on April 06, 2023, 02:38:44 am
Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

Hi!  The link is no longer working, who has this information on the link?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on April 06, 2023, 03:31:34 am
Hello comrades!

I want to purchase Rigol MSO5072, are there any ways to hack it before MSO5354? And will all 4 channels work?

Yes.

The 5074 has two more probes in the box though, if you don't have any then a couple of 350MHz probes will cost about the same as the difference.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Andrey_Ak on April 06, 2023, 05:01:14 am
I didn't think about it, I ordered 5072.
But I would like to buy 1:100 probes on the 250MHz
https://aliexpress.ru/item/32350679999.html?
But I would like to buy 1:10 probes on the 500MHz
https://aliexpress.ru/item/1005004828373989.html?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: idolclub on April 11, 2023, 02:08:32 pm
Rigol releases new firmware v00.01.03.03.00 for MSO5000 ~ 2023.04.10

Firmware v00.01.03.03.00 Release Notes:

[Supported Model]    All the MSO5000 Series Digital Oscilloscopes
[Latest Revision Date]  2023/02/22

[Updated Contents]
--------------------

v00.01.03.03.00  2023/02/22

  - Patch for MSO5000 nand-flash new material
  - add function operation Gain and offset setting query command in symbol AX+B
  - the vertical minimum gear is restored to 500 microvolts



v00.01.03.02.02  2023/01/04
   
    - Add shortcut button and VNC remote function
    - Waveform, cursor movement, gesture operation vertical and horizontal gear switching speed optimization
    - Cursor optimization: cursor jump optimization, ZOOM area and main time base cursor linkage, etc
    - The color of the CH4 waveform is modified, and the brightness of the waveform is improved
    - ZOOM mode optimization: mask color adjustment, switching speed, area movement optimization
    - SCPI instruction response speed optimization: reset, measurement, waveform read instruction response optimization



Download:
https://supportcn.rigol.com/Public/Uploads/uploadfile/files/ftp/Firmware/DS5000(ARM)Update%20v00.01.03.03.00.zip
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: NoisyBoy on April 11, 2023, 03:09:19 pm
The link shows it is again their public file upload site in China, not their official firmware site.  I would highly recommend folks to wait for official firmware to show up in their home country before doing upgrade.  For two reasons, so you can get support  from Rigol if the upgrade goes south.  Second, I would never download firmware from a dubious site in China, let alone running it.

This happened once with the existing firmware 01.03.02.02, when it showed up in the exact same site, then disappeared, then it showed up on the official download site weeks later. I would wait.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 13, 2023, 09:36:30 am
It seems to be a legit location.
Firmware works very well after upgrade.
Anyone remember how to generate bspatch file?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on April 13, 2023, 09:56:59 am
It seems to be a legit location.

Sure it is. Can't understand why people find it more trustful to use a forum patched FW than to use the Rigol's official FW, just because it's on a chinese server/domain...  :-//
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hve on April 13, 2023, 06:52:12 pm
I didn't think about it, I ordered 5072.
But I would like to buy 1:10 probes on the 500MHz
https://aliexpress.ru/item/1005004828373989.html?

Hi Andrey

These 1:10 probes have indeed a bigger bandwidth than the original 350MHz Rigol ones.
But they also seem to be a tiny bit more noisy
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Felo2023 on April 14, 2023, 12:05:23 am
Successful upgrade here! Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 14, 2023, 08:16:51 am
Successful upgrade here! Thanks!

Did you mean upgrade with patching?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mironex on April 14, 2023, 09:06:07 pm
How does it look now patching for this version: Firmware v00.01.03.03.00?
Thank you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Ede on April 15, 2023, 12:40:51 pm
Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

Hi!  The link is no longer working, who has this information on the link?


I just tried the link above. There are two files for download. A word document and a file with the patched firmware.
I checked for viruses, all clear. Now I am reading the word document. I didn't patch it until now.

Update: I just did the firmware upgrade and patch according to above. It all works. Now I have the newest firmware and all options.
Thanks a lot to everybody!

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 15, 2023, 12:56:11 pm
This is for the previous fw version.
Every new version needs a proper bspatch file created just for that version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Andrey_Ak on April 18, 2023, 02:04:20 am
Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

Hi!  The link is no longer working, who has this information on the link?


I just tried the link above. There are two files for download. A word document and a file with the patched firmware.
I checked for viruses, all clear. Now I am reading the word document. I didn't patch it until now.

Update: I just did the firmware upgrade and patch according to above. It all works. Now I have the newest firmware and all options.
Thanks a lot to everybody!

This link does not work, does not open..
https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

you can email me admin@tis.kz

I will be deeply grateful
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mopra on April 18, 2023, 09:38:27 am

I have RIGOL mso 5072, updated to 5074. But I noticed that some options in the menu are still not available. What can be wrong? Firmware 00,01,03,00,03
(https://i.postimg.cc/B6ndMxb6/Whats-App-Image-2023-04-18-at-14-30-18.jpg)
these options are not enabled.
(https://i.postimg.cc/ncMT0nxn/18-04-2023-143557.jpg)
can you tell me how to turn it on.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on April 18, 2023, 10:08:45 am
I think they are only informative. I don't remember ever seeing them active.
CH SampleRate changes as the sample rate varies. Also the rest of them while you increase Horizontal scale.
Maybe if you attach original logic probe interface, I don't know.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ken830 on April 18, 2023, 10:22:55 am
Fairly new here. Obviously, lujji was able to read through this thread and create a patch for the previous fw version even before owning the scope, so I started to read too... I'm only up to mid-2019 when the idea of using a patch file surfaced after SSH was removed by Rigol... Surely, there's got to be a better way to summarize the knowledge of this thread and how to create patch files without having to read the entire history, right?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Andrey_Ak on April 18, 2023, 05:28:38 pm
I asked a friend from Canada to download files from the link:
https://www.mediafire.com/folder/zh1uiu3umgoai/Documents
Now I have these files. Apparently this hosting does not work in our country.

Also, I got the MSO5072 the other day, firmware
in the device is: 00.01.03.02.02

(https://tis.kz/temp/Rigol/About5000.jpg)

(https://tis.kz/temp/Rigol/Options5000.jpg)

I noticed that the fan is very quiet, much quieter than in the DS1054Z,
I really did not like it, since it is quiet, it means cooling is worse.


In the instructions, from the link above, I understood that you can unlock
all the options of the device with firmware 00.01.03.02.02 ?

Will SSH work with this firmware 00.01.03.02.02?

For the firmware 00.01.03.03.00 there is no hacking yet?
Is there a chance that SSH will not work with it?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: OliverHB on April 18, 2023, 06:47:54 pm
Just switched my MSO5074 off. I can confirm that SSH works after applying the SSH enabler from faktorqm.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: albedo on April 18, 2023, 08:31:44 pm
Hello to all :D. I am new to this forum and honestly it has been very complicated to find information on a specific subtopic in hundreds of posts :-BROKE. I think something should be done about this, maybe synthesize all the really useful info and create a software style manual or documentation  :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on April 18, 2023, 09:58:33 pm
Fairly new here. Obviously, lujji was able to read through this thread and create a patch for the previous fw version even before owning the scope, so I started to read too... I'm only up to mid-2019 when the idea of using a patch file surfaced after SSH was removed by Rigol... Surely, there's got to be a better way to summarize the knowledge of this thread and how to create patch files without having to read the entire history, right?

You can click Print in the top right, and ctrl-f to find posts, here are some examples:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3339974/#msg3339974
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3341214/#msg3341214 (same page, keep reading down)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3577757/#msg3577757
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: faktorqm on April 19, 2023, 08:07:24 am
Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!

Hi faktorqm,

Great work done sorting it out and do such a detailed explanation.
Just one question to clarify from the guide at the beginning:
Quote
"Have an ethernet network wire to connect it directly to your computer. "

Do you connect ethernet cable to the oscilloscope through router or the connection was done directly - from oscilloscope to PC? If it is direct connection to PC without router, did you use LAN crossover cable or LAN straight through cable?

Thanks!

Hi! it's the same. it's just for practical purposes, I mean, if you connect it to a switch or router and it did not work, you will not know if the problem is the router, the switch, or the cable. Just for clarification, always is better to avoid failure points. At networking level, it's transparent.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ken830 on April 19, 2023, 10:48:40 am
Okay... I've gotten as far as extracting the appEntry from the V00.01.03.03.00 GEL file.

It's got an MD5 checksum of AD018912E3D9BA19809EB3A44B63FEA0

But I don't know what to edit. Are people just patching the appEntry back to the previously patched appEntry or something?? I'm still trying to read through the whole thread.

EDIT: After a lot more reading, I found that back in 2020, omgoleus pretty much went through the same thought process and asked the same questions that I have and I'm asking today. I even started down the path of disassembling appEntry. omgoleus did write a nifty script to partially automate the comparison process of the previously-patched appEntry. I'll attempt to try this later... it's 4:30am and I have to wake up for an 8am daily stand-up meeting for my day job soon.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: trixy on April 19, 2023, 01:44:57 pm
You can't use the old bspatch with the latest firmware because one of the functions moved. Try this one.

This is the same as the old patch except modified for the 00.01.03.03.00 firmware.

I don't know why you guys are using the hard method like objdump to figure out patches when there is Ghidra.

-----------------------------------

Edited for clarity.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ken830 on April 19, 2023, 04:20:45 pm
Thanks.

I did start to go down the path with Ghidra, but I didn't know which specific changes needed to be made. I'm definitely not trying the hard way. I just haven't gotten through the entire thread yet to find the most recent, easiest way, I guess.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: trixy on April 19, 2023, 04:59:08 pm
I did start to go down the path with Ghidra, but I didn't know which specific changes needed to be made. I'm definitely not trying the hard way. I just haven't gotten through the entire thread yet to find the most recent, easiest way, I guess.

For a quick start you can add both an original binary and a patched binary to a project. Fully analyze both then close and save one of them. Then in the open CodeBrowser go to Tools --> Program Differences and select the other binary. Then you can step through the differences and code using the blue arrows.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: reztek on April 19, 2023, 05:18:05 pm
You can't use the old bspatch with the latest firmware because one of the functions moved. Try this one. Be warned I have not tried it myself so if someone that knows what they are doing (ie. you can recover) can verify first that would be great.

I don't know why you guys are using the hard method like objdump to figure out patches when there is Ghidra.

-----------------------------------
Tried the patch here. Seems to work OK, will report back if/when something changes, but so far everything good.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: trixy on April 19, 2023, 11:23:47 pm
Tried the patch here. Seems to work OK, will report back if/when something changes, but so far everything good.

I finally had a chance to try it myself and I can also confirm it seems to work fine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ken830 on April 19, 2023, 11:59:16 pm
Tried the patch here. Seems to work OK, will report back if/when something changes, but so far everything good.

I finally had a chance to try it myself and I can also confirm it seems to work fine.

I just patched mine and it works! Thanks!! Now I will slowly go through the analysis with Ghidra and try to work out the process for myself thanks to your help!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: reztek on April 20, 2023, 07:27:25 pm
Okay... I've gotten as far as extracting the appEntry from the V00.01.03.03.00 GEL file.

It's got an MD5 checksum of AD018912E3D9BA19809EB3A44B63FEA0

But I don't know what to edit. Are people just patching the appEntry back to the previously patched appEntry or something?? I'm still trying to read through the whole thread.

EDIT: After a lot more reading, I found that back in 2020, omgoleus pretty much went through the same thought process and asked the same questions that I have and I'm asking today. I even started down the path of disassembling appEntry. omgoleus did write a nifty script to partially automate the comparison process of the previously-patched appEntry. I'll attempt to try this later... it's 4:30am and I have to wake up for an 8am daily stand-up meeting for my day job soon.

Would you mind sharing the process/tools used to unpack the scope's firmware?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ken830 on April 20, 2023, 10:59:50 pm
Okay... I've gotten as far as extracting the appEntry from the V00.01.03.03.00 GEL file.

It's got an MD5 checksum of AD018912E3D9BA19809EB3A44B63FEA0

But I don't know what to edit. Are people just patching the appEntry back to the previously patched appEntry or something?? I'm still trying to read through the whole thread.

EDIT: After a lot more reading, I found that back in 2020, omgoleus pretty much went through the same thought process and asked the same questions that I have and I'm asking today. I even started down the path of disassembling appEntry. omgoleus did write a nifty script to partially automate the comparison process of the previously-patched appEntry. I'll attempt to try this later... it's 4:30am and I have to wake up for an 8am daily stand-up meeting for my day job soon.

Would you mind sharing the process/tools used to unpack the scope's firmware?

The GEL is a TAR, and inside of that, is a GZIP (app.img.gz), and inside of that is app.img, which is a UBI image... I used UBI Reader (https://github.com/jrspruitt/ubi_reader) to extract the files. Took a little bit of work to get it to work in my Ubuntu WSL on my Windows10 machine.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tabovl on April 29, 2023, 09:39:20 am
I found a nice blog where there is a detailed analysis of the update files, their modification and recompilation. The procedure for unlocking restrictions is not described here, but I believe that it can still help.

https://mensi.ch/blog/articles/playing-around-with-the-rigol-mso5074
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tcottle on May 09, 2023, 04:25:57 pm
The link shows it is again their public file upload site in China, not their official firmware site.  I would highly recommend folks to wait for official firmware to show up in their home country before doing upgrade.  For two reasons, so you can get support  from Rigol if the upgrade goes south.  Second, I would never download firmware from a dubious site in China, let alone running it.

This happened once with the existing firmware 01.03.02.02, when it showed up in the exact same site, then disappeared, then it showed up on the official download site weeks later. I would wait.

01.03.03.00 is available on the MSO5000 downloads page https://www.rigolna.com/products/digital-oscilloscopes/mso5000/
but on the support/firmware page still shows 01.03.02.02 ...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: eutectique on May 09, 2023, 10:37:44 pm
For the record, GEL files from supportcn.rigol.com and rigolna.com web sites have the same SHA256 hash:

Code:
> sha256sum cn/DS5000\(ARM\)Update\ v00.01.03.03.00/DS5000Update.GEL na/DS5000\(ARM\)Update\ v00.01.03.03.00/DS5000Update.GEL
f89cdf7816b0467e6ebe46d4f5da1cf0a95fffd93b83a245911026520d66b794  cn/DS5000(ARM)Update v00.01.03.03.00/DS5000Update.GEL
f89cdf7816b0467e6ebe46d4f5da1cf0a95fffd93b83a245911026520d66b794  na/DS5000(ARM)Update v00.01.03.03.00/DS5000Update.GEL

Though, the .zip files differ in size.
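
The two checks discussed in the posts above (the same-hash comparison across download sites, and the TAR, GZIP, UBI layering ken830 describes), as an added Python example that is not code from any poster in this thread. The function names are hypothetical, and the sample archive is constructed: it holds only app.img.gz, whereas a real GEL file may hold other members too.

```python
import gzip
import hashlib
import io
import tarfile

# SHA-256 of DS5000Update.GEL v00.01.03.03.00 as posted in this thread.
POSTED_SHA256 = "f89cdf7816b0467e6ebe46d4f5da1cf0a95fffd93b83a245911026520d66b794"
GZIP_MAGIC = b"\x1f\x8b"
UBI_EC_MAGIC = b"UBI#"  # first bytes of a UBI erase-count header


def sha256_stream(fobj, chunk=1 << 20):
    """Hash a binary file object in chunks so large images never sit in RAM."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def compare_copies(copies, expected=None):
    """copies maps a label (e.g. download site) to a binary file object.

    Returns (ok, digests). ok is True only if every copy hashes the same and,
    when `expected` is given, that hash equals it.
    """
    digests = {label: sha256_stream(f) for label, f in copies.items()}
    unique = set(digests.values())
    ok = len(unique) == 1 and (expected is None or unique == {expected.lower()})
    return ok, digests


def classify(head):
    """Name a layer from its leading magic bytes."""
    if head.startswith(GZIP_MAGIC):
        return "gzip"
    if head.startswith(UBI_EC_MAGIC):
        return "ubi"
    return "unknown"


def unsafe_name(name):
    """Flag member names that would escape the target directory if extracted."""
    return name.startswith("/") or ".." in name.split("/")


def inspect_gel(fobj):
    """Walk tar -> gzip -> image in memory; nothing is extracted to disk.

    Returns one dict per tar member with its name, size, outer layer type,
    inner layer type (for gzip members) and an unsafe-path flag.
    """
    report = []
    with tarfile.open(fileobj=fobj, mode="r:*") as tar:
        for member in tar:
            entry = {"name": member.name, "size": member.size,
                     "kind": "non-file", "inner": None,
                     "unsafe_path": unsafe_name(member.name)}
            if member.isfile():
                stream = tar.extractfile(member)
                entry["kind"] = classify(stream.read(4))
                if entry["kind"] == "gzip":
                    stream.seek(0)
                    with gzip.GzipFile(fileobj=stream) as gz:
                        entry["inner"] = classify(gz.read(4))
            report.append(entry)
    return report


def build_constructed_gel(payload=UBI_EC_MAGIC + bytes(60)):
    """Constructed stand-in for a GEL file: a tar holding only app.img.gz."""
    gz_bytes = gzip.compress(payload, mtime=0)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("app.img.gz")
        info.size = len(gz_bytes)
        tar.addfile(info, io.BytesIO(gz_bytes))
    return buf.getvalue()


if __name__ == "__main__":
    gel = build_constructed_gel()
    ok, digests = compare_copies({"cn": io.BytesIO(gel), "na": io.BytesIO(gel)})
    print("copies match:", ok, digests)
    for row in inspect_gel(io.BytesIO(gel)):
        print(row)
```

For real downloads, pass `open(path, "rb")` objects to `compare_copies` with `expected=POSTED_SHA256`; matching hashes show the copies are identical to each other and to the posted value, nothing more.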
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on May 10, 2023, 12:03:48 pm
FW 01.03.03.00 also available at https://www.rigol.eu/En/Index/listView/catid/28/tp/6/cat/7/xl/24

sha256sum is the same as the others :
f89cdf7816b0467e6ebe46d4f5da1cf0a95fffd93b83a245911026520d66b794  DS5000Update.GEL
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on May 10, 2023, 01:17:43 pm
Everything was fine here too.

I will use my previous upgrade post, updated for v00.01.03.00.03 -> v00.01.03.03.00.

Steps I've followed :

1. Backup everything just in case (optional but recommended)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356
- get and unzip the first script file, put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade
- wait until 100%, then turn off/on
- repeat for the second script

2. Install the official firmware v00.01.03.03.00; I have used the above link from rigol.eu
- get the official firmware and unzip
- same steps like above, with the firmware file of course

3. Hack
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4821650/#msg4821650
- get and unzip the file 01_03_03_00.zip and put the three files on USB stick
- same steps like above
- there will be some messages on the screen. You will be asked to press a key, two times. At the end the oscilloscope will reboot, just wait.
- all the options will be activated

4. Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on

Thanks everybody !

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oldjackbob on May 11, 2023, 12:27:04 pm
Is there a change log for v00.01.03.03.00?

Or, put another way, why should I upgrade?

TIA,

Mark
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on May 11, 2023, 12:45:27 pm
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4808120/#msg4808120
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ultranalog on May 11, 2023, 02:20:42 pm
I was a few versions behind, but the VNC server is truly a game changer for me. It is so much faster than the HTTP interface. This will be great for working with customers or recording video without HDMI grabbers.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on May 11, 2023, 05:21:19 pm
Indeed, the VNC server is very fast, the screen update and also the commands response.
The menu is changed, and there is an additional operator in Math, AX+B.
Also, the touch screen response seems to be faster.
Regarding the CH4 colour, I'm not sure that it's a significant changes.

The attached pictures are from VNC.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on May 11, 2023, 05:26:03 pm
I cannot attach more than one picture, I will try one by one.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on May 11, 2023, 05:26:40 pm
And the third.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tabovl on May 11, 2023, 06:50:11 pm
I tried to update FW 00.01.03.03.00 according to the given method:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4856702/#msg4856702

All options are unlocked, SSH unlocking works in the same way as for previous versions.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: olfrei on May 14, 2023, 02:18:48 pm
People, help

all three files are in the root of usb stick. Tried to apply 2GB -32GB USB Sticks. Firmware version 01_03_03_00
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on May 14, 2023, 08:03:22 pm
Check for hidden characters in the name of the file (patch.txt).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rpro on May 15, 2023, 10:15:53 am
Make sure you unzip the zip file first and copy  the contained 3 files unzipped. (Do not copy these files by dragging from a zipped folder view of the zip file contents).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: sjm on May 20, 2023, 08:01:22 am

Yes, I also confirm success in upgrading to FW 00.01.03.03.00 and applying the patch/hack.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: codesurfer on May 21, 2023, 11:29:33 am
Many thanks to all who have given their time and energy to make this patch/hack!

I originally ran into issues because I was using the wrong patch for my current FW version, but once I caught that it worked like a charm!!!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: supertrabuco on May 21, 2023, 08:03:15 pm
Hello, hack working very well, thanks to all colleagues who have helped has to work and be so easy to do ..... I have to admit that I was a little nervous until I saw it running again  :D, Greetings
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: HellKern on May 22, 2023, 04:24:47 pm
Thank You! Worked as a charm on my new MSO5074, also thanks to @mosafet for label files (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4735574/#msg4735574), it fits very nice :-+
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Varz on May 30, 2023, 09:02:24 am
Hello to all!

I became the owner of Rigol MSO5074
Firmware: 0A.01.03.00.01
Hardware: 01.01.000
Boot: 2018.06.27
Build: 2021-05-04 15:50:32

I made a backup in three different ways

Method №1 - Through SSH
Opened an SSH channel in the oscilloscope
described here #878 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2241168/#msg2241168)
Now you can connect a PC to the oscilloscope via LAN
this feature remains until the oscilloscope is rebooted

To connect, you need to install the PuTTY program on your PC
Used the commands:
Create a backup (copy all files, including licenses)
Code:
mkdir /media/sda1/calib_backup
cp -v /rigol/data/* /media/sda1/calib_backup
sync
Copy Calibration (Calibration files only)
Code:
cp -v /media/sda1/calib_backup/*.hex /rigol/data/
sync

calib_backup folder will appear on the USB drive (27 files) - size 2Mb
//*********************************
Method №2
The method is described here #1384 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356)
The process lasts 60 seconds.
folder and file will appear on the USB stick:
- backup folder (28 files) - size 2MB
- memdump file - size 469 762 048 bytes
//*********************************
Method №3 - NAND
The method is described here #1384 (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356)
The process lasts 04m. 19 sec. (259 sec.)
The following files will appear on the USB drive:
- file mtd0_Env.bin - size 262 144 bytes
- file mtd1_DATA.bin - size 67 108 867 bytes
- file mtd10_App2.bin - size 104 857 600 bytes
- file mtd11_Reserved.bin - size 70 254 592 bytes
- file mtd12_User.bin - size 628 621 312 bytes
- file mtd2_Bmp.bin - size 4 194 304 bytes
- file mtd3_Bmp1.bin - size 4 194 304 bytes
- file mtd4_Bit1.bin - size 8 388 608 bytes
- file mtd5_Sys1.bin - size 35 554 432 bytes
- file mtd6_App1.bin - size 104 857 600 bytes
- file mtd7_Bmp2.bin - size 4 194 304 bytes
- file mtd8_Bit2.bin - size 8 388 608 bytes
- file mtd9_Sys2.bin - size 33 554 432 bytes
Total capacity 1,047,296,000 bytes (1 GB)
//*********************************

We see that the result of work in each method is different

which method is the most correct?

How can I restore the oscilloscope based on the files from each method?

Thank you!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on May 30, 2023, 09:20:14 pm
How can I restore the oscilloscope based on the files from each method?

Since you are not able to see the differences between the different procedures/backups, it's better to not attempt any restore yourself.

You should attempt restore as a last resort and, then, ask a friend to do it for you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on May 31, 2023, 04:21:17 am
or do not attempt the backup yourself anyway, that's very dangerous. Please at least delete the post so no people will overwrite their cal data by doing a '' backup ''  :palm:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Varz on May 31, 2023, 04:59:50 am
Since you are not able to see the differences between the different procedures/backups, it's better to not attempt any restore yourself.
You should attempt restore as a last resort and, then, ask a friend to do it for you.

:) The circle is closed
A friend advised to read this forum, the forum sent back to a friend :)

I am asking as a last resort
why make backups in three different ways if you can't use them?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Varz on May 31, 2023, 05:27:26 am
or do not attempt the backup yourself anyway, that's very dangerous. Please at least delete the post so no people will overwrite their cal data by doing a '' backup ''  :palm:
there is nothing dangerous in my message, it's all on the forum, I just collected it all in one place
if the administrator considers your recommendation correct, he will delete my message :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: normi on June 01, 2023, 11:51:56 am
Indeed, the VNC server is very fast, the screen update and also the commands response.
The menu is changed, and there is an additional operator in Math, AX+B.
Also, the touch screen response seems to be faster.
Regarding the CH4 colour, I'm not sure that it's a significant changes.

The attached pictures are from VNC.

From my recollection the AX + B operator was always present.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: onelectron on June 08, 2023, 09:58:00 am
Hello,
Firstly, I want to apologize for creating such a long post. I would be grateful if someone can assist me. I recently joined the EEVBlog Forum. I just purchased a Rigol MSO5074 oscilloscope. After reading the forum thread on "Hacking the Rigol MSO5000 series oscilloscopes," I came to the conclusion that there are several methods for enhancing the scope's functions, each of which depends on the scope's firmware version. To be completely honest, I'm not sure which process to use and feel a little lost. due to the fact that every process I have seen so far references another. If someone could point me in the direction of the hacking procedure designed for the scope firmware I have, I would be very thankful. Is there a website or page where I can get the entire procedure outlined in such a way that even someone like me who lacks experience may follow step by step to complete this task? 😅 Here is some information about my scope:

Model: MSO5074
Firmware: 00.01.03.02.02
Hardware: 01.01.000
Boot: 2018.06.27
Build: 2022-12-05 10:31:33


I find it puzzling that the Rigol website lists the most recent firmware version as 00.01.00.00.01.

https://www.rigol.eu/SUPPORTS/software-firmware-download.html

but
The firmware of my scope is version 00.01.03.02.02.
However, a different Rigol website states that the most recent version is 00.01.03.03.00.

https://www.rigolna.com/products/digital-oscilloscopes/mso5000/

Additionally, I've read a few threads that claim the hack is no longer workable if the firmware version is newer than "01.03.00.01."

I'm a little confused and puzzled right now. It's also possible that I haven't discovered the appropriate blog post. Any help would be greatly appreciated 🙏🙏
In addition, is it possible to back up the current firmware, the licensing key, and all other required data so that, in the event that the hacking attempt fails, I may revert to the default settings?


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on June 08, 2023, 11:58:16 am
Additionally, I've read a few threads that claim the hack is no longer workable if the firmware version is newer than "01.03.00.01."

As far as I know, hacks are reported to work fine up to version 00.01.03.03.00 by now. Maybe it is a good idea to upgrade to the latest firmware, which should be in the scope of things the manufacturer expects you to do and gives you some confidence in the process and your flash-drive. After this, you can use the latest patch, if you want to. As far as I understand, the checksum of the installed version is verified before patching to avoid applying incompatible patches. I've also read about a procedure, which is intended to reset the scope back to some stable state, in case something goes wrong. A backup might be a good idea, anyway. The scope basically runs with an arm-linux. For the updating procedure, I would recommend to use instructions from younger parts of this thread, which were confirmed to be working. Good luck if you decide to go that way!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Fungus on June 08, 2023, 01:42:56 pm
I came to the conclusion that there are several methods for enhancing the scope's functions, each of which depends on the scope's firmware version.

The hack has to change every time Rigol releases a new firmware.

To be completely honest, I'm not sure which process to use and feel a little lost.

Simple: Install the latest firmware, use the latest hack.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on June 08, 2023, 02:46:28 pm
I find it puzzling that the Rigol website lists the most recent firmware version as 00.01.00.00.01.

https://www.rigol.eu/SUPPORTS/software-firmware-download.html


Make sure you are looking at the right model's firmware.  The most recent I see on that site for the MSO5000 is v00.01.03.03.00. (there is also firmware for an MSO5000-E model oscilloscope on that site - a crippled version of the MSO5000).

That said, Rigol's firmware download management can be a mess.  For example, the Rigol NA download page (https://www.rigolna.com/firmware/) shows the most recent firmware as 1.03.02.02 but when you download it the name of the file you get is MSO5_FW_V1_1_4_4.zip.  However, the contents of the file currently do contain v00.01.03.02.02.  And the version numbers are sometimes given a leading "00" and sometimes use single digits, sometimes double digits.  Also some of the filenames call the device "MSO5000" and some use "DS5000".

So confusion is the natural state of Rigol's firmware update process.  The release notes in the zip file seem to always accurately describe the version that is inside the archive.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: supertrabuco on June 08, 2023, 08:52:12 pm
Everything was fine here too.

I will use my previous upgrade post, updated for v00.01.03.00.03 -> v00.01.03.03.00.

Steps I've followed :

1. Backup everything just in case (optional but recommended)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356
- get and unzip the first script file, put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade
- wait until 100%, then turn off/on
- repeat for the second script

2. Install the official firmware v00.01.03.03.00; I have used the above link from rigol.eu
- get the official firmware and unzip
- same steps like above, with the firmware file of course

3. Hack
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4821650/#msg4821650
- get and unzip the file 01_03_03_00.zip and put the three files on USB stick
- same steps like above
- there will be some messages on the screen. You will be asked to press a key, two times. At the end the oscilloscope will reboot, just wait.
- all the options will be activated

4. Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on

Thanks everybody !

Hello, I have used the instructions of the Nucleo companion and it has worked great for me
greetings
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mick B on June 27, 2023, 12:38:55 am
I'm using the v00.01.03.03.00 MSO5000 firmware and the Trixy 01.03.03.00 PATCH, and just noticed the frequency measurement does not work on any channel. BUT it works in the counter app.
Anyone else having this problem?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on June 27, 2023, 12:55:23 am
I'm using the v00.01.03.03.00 MSO5000 firmware and the Trixy 01.03.03.00 PATCH, and just noticed the frequency measurement does not work on any channel. BUT it works in the counter app.
Anyone else having this problem?

Did you run the self cal yet?
Maybe you can take a screenshot with the specific waveform you are trying to measure.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: dracotonisamond on June 27, 2023, 04:24:05 am
(https://i.imgur.com/s1fNFED.png)
running the latest firmware patch, looks good here.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hafrse on June 28, 2023, 11:08:37 am
Hello,

I have tried to upgrade to the latest version 01_03_03_00. After completion, the scope gets stuck on boot, restarted many times, same problem, how do I proceed? Please Help!!
Thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on June 28, 2023, 11:32:53 am
the scope gets stuck on boot, restarted many times, same problem, how do I proceed? Please Help!!

Dig in the past of this thread. Somewhere, there is a description to reset into known working state by pushing a button (RUN/STOP??) while starting or so.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hafrse on June 28, 2023, 11:58:11 am
I did a Restore Defaults after pressing Single during the boot process, and it worked!
Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on June 28, 2023, 01:18:04 pm
I did a Restore Defaults after pressing Single during the boot process, and it worked!
Thanks!
O.K. Single not RUN/STOP. Glad to hear that it worked!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hafrse on June 28, 2023, 02:43:25 pm
Yes, SINGLE button where you get the option to do a "firmware install" or "reset to factory defaults" suddenly after pressing the power button.
It could be the case that it is needed if I had an older patched version :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mick B on June 29, 2023, 02:23:56 pm
When I first installed the patch as always, I did a selfCal. But I did another one now that you mentioned it. VOILA!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 3PinFanHeader on July 01, 2023, 07:04:03 pm
Hi all. I recently got a really good deal on the MSO5072. Got everything enabled except the 4 last items (4CH and bandwidth).

Used the 01.03.03 patch and it worked wonders. Thanks to all that helped create it  :clap: :-+

There's just one thing I'm wondering that I can't find an answer to using goOGLE - the width and fuzziness of the vectors on all channels feels... weird. My old (and very simple) FNIRSI scope had a much cleaner 1px thick vector. Is this a setting I can change - or is it something I'll just have to learn to live with?

Best from 66° north.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on July 01, 2023, 09:05:52 pm
There's just one thing I'm wondering that I can't find an answer to using goOGLE - the width and fuzziness of the vectors on all channels feels... weird. My old (and very simple) FNIRSI scope had a much cleaner 1px thick vector. Is this a setting I can change - or is it something I'll just have to learn to live with?
Hi and welcome to this forum.
I guess it belongs to the category "it's not a bug, it's a feature", so what is called "digital phosphor" etc. resembling analog osci feeling, which gives you some kind of statistical impression of the signal by relative intensity in the traces. So I would say, I'm not aware of eliminating it by settings, try to get used to it.  :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rpro on July 01, 2023, 10:26:14 pm
You can try "Color Grade" (under "Display"), which indicates more clearly the intensity or frequency distribution of the samples along the waveform. Also try averaging or high resolution modes (under "Acquire") to reduce the noise on the traces.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 3PinFanHeader on July 01, 2023, 10:58:04 pm
That was a big starting point - thanks! Display->Type->Dots, Acquire->Acquisition->High Res - now it looks more familiar  ;D

The Color Grade option however  reminded me of fish finders or marine depth meters  :o I guess this tool has a few getting used-to's, but regardless of differences (not going to call them "flaws") from my old el-cheapo, it's still an awesome tool (from _my_ point of view :) )
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stevec5000 on July 03, 2023, 09:52:53 pm
So has anyone come up with a hack yet for the latest firmware, 00.01.03.02.02?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 3PinFanHeader on July 03, 2023, 10:02:14 pm
01.03.03.00 is the latest firmware and that has already been fixed

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4821650/#msg4821650
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stevec5000 on July 03, 2023, 11:27:47 pm
Wrong, 00.01.03.02.02 is the latest on the Rigol site that I just downloaded and installed.  If there is another version such as 01.03.03.00 it doesn't seem to be available.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stevec5000 on July 03, 2023, 11:34:39 pm
01.03.03.00 is available on the MSO5000 downloads page https://www.rigolna.com/products/digital-oscilloscopes/mso5000/
but on the support/firmware page still shows 01.03.02.02 ...
Ver 01.03.03.00 is not available on the download page.  Does anyone have a copy or was it pulled because of being too buggy to use or something?
Anyway back to my original question is there a hack for ver. 00.01.03.02.02?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on July 03, 2023, 11:51:25 pm
01.03.03.00 is available on the MSO5000 downloads page https://www.rigolna.com/products/digital-oscilloscopes/mso5000/
but on the support/firmware page still shows 01.03.02.02 ...
Ver 01.03.03.00 is not available on the download page.  Does anyone have a copy or was it pulled because of being too buggy to use or something?
Anyway back to my original question is there a hack for ver. 00.01.03.02.02?

Please read a few pages of the thread https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4808120/#msg4808120
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: perseverance8 on July 04, 2023, 02:15:58 am
I updated to FW V00.01.03.03.00 then successfully unlocked my MSO5074.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stevec5000 on July 04, 2023, 05:42:59 am
You guys can argue about it with Rigol if you want but the latest version they have is 00.01.03.02.02!
https://www.rigolna.com/firmware/
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: stevec5000 on July 04, 2023, 05:44:34 am
I updated to FW V00.01.03.03.00 then successfully unlocked my MSO5074.
How could you when that version is not out?
This is starting to look like Youtube and Amazon where most of the reviews and videos are fakes!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: supertrabuco on July 04, 2023, 05:47:54 am
The FW 00.03.03.00 already works and the Hack also
Also works great on my MSO5104
Greetings
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PeterG on July 04, 2023, 06:23:05 am
For those who missed the above post by thm_w. Here is a direct link to the latest firmware.

https://supportcn.rigol.com/Public/Uploads/uploadfile/files/ftp/Firmware/DS5000(ARM)Update%20v00.01.03.03.00.zip

regards
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 3PinFanHeader on July 04, 2023, 07:22:01 am
Wrong, 00.01.03.02.02 is the latest on the Rigol site that I just downloaded and installed.  If there is another version such as 01.03.03.00 it doesn't seem to be available.

Considering the number of posts before you showing that it does indeed exist, a different level of courtesy would probably be appropriate.

The fact that you are unable to find it doesn't mean it doesn't exist - it only means you are unable to find it.

Source: https://www.rigol.eu
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Codebotjoe on July 04, 2023, 09:17:56 am
Apologies if this has been repeated too many times. I'm wondering if anyone is still selling the labels to go over the original mso5xxx sticker. I live in Canada and would make it worth their while. I'd pay shipping plus 25 usd. Or a link to a printable label if they are not being sold like I read a while back. Thanks in advance.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 3PinFanHeader on July 04, 2023, 10:59:02 am
Apologies if this has been repeated too many times. I'm wondering if anyone is still selling the labels to go over the original mso5xxx sticker. I live in Canada and would make it worth their while. I'd pay shipping plus 25 usd. Or a link to a printable label if they are not being sold like I read a while back. Thanks in advance.

This ought to help :)

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4735574/#msg4735574
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on July 04, 2023, 08:00:46 pm
You guys can argue about it with Rigol if you want but the latest version they have is 00.01.03.02.02!
https://www.rigolna.com/firmware/

That is currently the latest from the rigolna.com site.  However, the supportcn.rigol.com site has the latest (as of June 2023) 00.01.03.03.00 firmware.

Rigol's firmware download management is a mess.  For example, the Rigol NA download page (https://www.rigolna.com/firmware/) shows the most recent firmware as 1.03.02.02 but when you download it the name of the file you get is MSO5_FW_V1_1_4_4.zip.  However, the contents of the file currently do contain v00.01.03.02.02.  And the version numbers are sometimes given a leading "00" and sometimes use single digits, sometimes double digits.  Sometimes the device is called "MSO5000" and sometimes "DS5000".  Sometimes a .txt file in the download archive might be in some encrypted (or otherwise undecipherable) format like E-SafeNet or "%TSD-Header-###%".

So confusion is the natural state of Rigol's firmware update process.  The release notes in the zip file seem to always accurately describe the version that is inside the archive (if they are readable at all).

The "DS5000(ARM)Update v00.01.03.03.00" archive contains the following files:

Quote
DS5000Update.GEL
MSO5000 Release Notes.txt
MSO5000 Upgrade Instructions.txt
MSO5000 升级说明.txt
MSO5000 版本说明.txt


The attached file ("MSO5000 版本说明.translated.txt") is a Google Translate of "MSO5000 版本说明.txt", since "MSO5000 Release Notes.txt" is unreadable garbage.  The translation looks fine.

Finally, if you want to use the patch for v00.01.03.02.02 post #2470 in this thread has a link (note:  I have not downloaded or tried that link, and the person who posted the download link has made exactly one post to EEVBlog):

  - https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4733246/#msg4733246
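
An added example, not part of the post above and not Rigol tooling: a Python check that normalizes the version spellings quoted in the post and compares the advertised version, the archive filename and whichever release-notes file is readable. The archive built here is a constructed stand-in; the notes line format and the helper names are assumptions.

```python
import io
import re
import zipfile

# Four or five numeric fields separated by "." or "_"; covers the spellings
# quoted in the post ("1.03.02.02", "V1_1_4_4", "v00.01.03.03.00").
_VERSION_RE = re.compile(r"(?<!\d)(\d{1,2}(?:[._]\d{1,2}){3,4})(?!\d)")

# Release-notes member names, taken from the archive listing in the post.
NOTES_MEMBERS = ("MSO5000 Release Notes.txt", "MSO5000 版本说明.txt")

# Markers the post names for .txt files that arrive unreadable.
WRAPPER_MARKERS = (b"E-SafeNet", b"%TSD-Header-###%")


def normalize_version(text):
    """Return the first version found in text as 'NN.NN.NN.NN.NN', or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    fields = [int(f) for f in re.split(r"[._]", match.group(1))]
    if len(fields) == 4:
        fields.insert(0, 0)  # the leading "00" field was omitted
    return ".".join(f"{f:02d}" for f in fields)


def version_from_notes(zf):
    """Return (member, version) from the first readable release-notes file."""
    present = set(zf.namelist())
    for name in NOTES_MEMBERS:
        if name not in present:
            continue
        raw = zf.read(name)
        if any(marker in raw for marker in WRAPPER_MARKERS):
            continue  # wrapped file, treat as unreadable
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        version = normalize_version(text)
        if version is not None:
            return name, version
    return None, None


def audit(advertised, archive_name, archive_bytes):
    """Compare the three version claims that travel with one download."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        notes_member, notes_version = version_from_notes(zf)
        has_gel = "DS5000Update.GEL" in zf.namelist()
    report = {
        "advertised": normalize_version(advertised),
        "filename": normalize_version(archive_name),
        "notes": notes_version,
        "notes_member": notes_member,
        "has_gel": has_gel,
    }
    claims = {report["advertised"], report["filename"], report["notes"]}
    # Consistent only if all three claims exist and agree after normalizing.
    report["consistent"] = len(claims) == 1 and None not in claims
    return report


def build_sample_archive(notes_version):
    """Constructed stand-in archive: placeholder .GEL, one wrapped notes file
    and one readable notes file carrying notes_version (assumed line format)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DS5000Update.GEL", b"constructed placeholder, not firmware")
        zf.writestr("MSO5000 Release Notes.txt", b"%TSD-Header-###%\x00\x01\x02")
        zf.writestr("MSO5000 版本说明.txt",
                    f"版本 {notes_version}\n".encode("utf-8"))
    return buf.getvalue()


if __name__ == "__main__":
    # The two downloads described in the post, with constructed archive contents.
    cases = [
        ("1.03.02.02", "MSO5_FW_V1_1_4_4.zip", "v00.01.03.02.02"),
        ("01.03.03.00", "DS5000(ARM)Update v00.01.03.03.00.zip", "v00.01.03.03.00"),
    ]
    for advertised, filename, notes in cases:
        print(filename, audit(advertised, filename, build_sample_archive(notes)))
```

Recording a hash of the downloaded archive next to this report makes it possible to tell later whether two differently named downloads were in fact the same file.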


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rpro on July 04, 2023, 11:03:31 pm
Frankly, I can’t understand why Rigol is simply unable, after years of complaints, to straighten out their firmware release process. There are enough support people working at Rigol NA and EU that would know, at a minimum, that to have unreadable release notes and out of whack numbering for their releases is at best a nightmare to support, and at worst makes their company look hopelessly unprofessional.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: hafrse on July 06, 2023, 07:51:58 pm
Apologies if this has been repeated too many times. I'm wondering if anyone is still selling the labels to go over the original mso5xxx sticker. I live in Canada and would make it worth their while. I'd pay shipping plus 25 usd. Or a link to a printable label if they are not being sold like I read a while back. Thanks in advance.

This ought to help :)

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4735574/#msg4735574
Why do you need it?  The original model number is still visible in the information menu... , the options listed show the upgrade to 350 bandwidth + 4 channels, and thanks to all in this forum who made that possible ! :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mopra on July 11, 2023, 01:38:30 pm
Hello. RIGOL MSO5072 cracked. Question: What settings should I make so that the sensitivity in NORMAL and SINGLE modes is the same as in AUTO mode
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: 3PinFanHeader on July 12, 2023, 09:31:49 pm
Interestingly, after... liberating... the MSO5072, I tried the Rigol "Ultra" apps (not so ultra, but if someone hands over a free cookie...)

The UltraScope app doesn't see more than 2 channels even though the scope has all 4 channels enabled.

Since I don't have a 5xx4 scope to test, I don't know if the 2-channel limit is a limitation of the software - or a product of the scope being 2-chan originally.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bmx on July 17, 2023, 04:10:09 am
lol, https://tortel.li/post/insecure-scope/

For all of those who still wonder how the hack works, that's a good sum up.
Sidenote, they went a bit too quick on the "download the gel" part, because we all know it doesn't work like that.
Finally, the conclusion confirms how rigol cares.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on July 17, 2023, 09:05:40 am
lol, https://tortel.li/post/insecure-scope/

For all of those who still wonder how the hack works, that's a good sum up.
Sidenote, they went a bit too quick on the "download the gel" part, because we all know it doesn't work like that.
Finally, the conclusion confirms how rigol cares.

What do you mean with 'how the hack works'? The guy just disassembled a cgi-bin script in the end and found a remote exploit (nice to have, but not very interesting imo).

I saw it on hackernews and as I wrote there, I'm a bit disappointed by the lack of research that was done.

On a more personal note, I'll try to update the gel archives with 2.2 and 3.3 :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mick B on July 30, 2023, 02:40:59 pm
Using the modified 3.3 updated firmware. I have noticed sometimes it won't go into sleep / screensaver mode, like it used to. Anyone else noticed this?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: perseverance8 on August 01, 2023, 08:55:31 pm
I updated to FW V00.01.03.03.00 then successfully unlocked my MSO5074.
How could you when that version is not out?
This is starting to look like Youtube and Amazon where most of the reviews and videos are fakes!

LOL! yes I did & was able to download V00.01.03.03.00 as described/posted earlier in this thread & used the intended "hack"/unlock posted on same, after doing so, all options on my MSO5074 show "forever". So far I've only used one of the unlocked option(s), the RS232 signal analysis feature while, so far, able to measure a ~1.2ns rise time on my unlocked MSO5k with a home brew 74AC14 based TDR long described online & in numerous forums, I'll soon use a PECL oscillator to get a faster edge to see what the MSO5k can measure, sure looks like my scope is unlocked while showing FW 00.01.03.03.00, Build 2023-02-22 13:51:46 in Utility>System>About.   
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BlueBill on August 03, 2023, 02:39:30 pm
Using the modified 3.3 updated firmware. I have noticed sometimes it won't go into sleep mode, like it used to. Anyone else noticed this?

Sleep mode? My MSO5000 stays on as long as it’s turned on.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: beatman on August 03, 2023, 06:19:33 pm
Sleep mode? My MSO5000 stays on as long as it’s turned on.

I think he means the screen saver mode
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mick B on August 11, 2023, 01:58:06 pm
Thanks, I got frequency display in the measurement setting working again by restoring the default settings, I guess it just lost its way for a minute.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on August 14, 2023, 03:48:10 pm
It is possibly a bug ?

At this point fails.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: std on August 22, 2023, 04:14:42 pm
I confirm the successful upgrade of 2 pieces of RIGOL MSO5074.
(arrived with Firmware 00.01.03.02.02  upgraded to 00.01.03.03.00, all options patch)

P.S. The fan is noisy, ordered Xilence XF037 for replacement.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tom620 on August 31, 2023, 05:11:22 pm
For a more high quality fan replacement, you can use the Noctua NF-A8 FLX, 80mm fan. It is dead silent and has a six year warranty.

https://noctua.at/en/products/fan/nf-a8-flx
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: YZEPT on September 04, 2023, 02:04:10 pm
I took the previous post's advice on the Noctua NF-A8 FLX and aside from soldering the 2 pin connector from the original fan to the replacement it is a simple upgrade. At full speed it is dramatically quieter but moves sufficient air to keep temperatures similar to the much noisier factory fan. I am really pleased with the almost silent outcome and for $32 AUD it is a worthwhile upgrade. I used the flexible mounts supplied with the Noctua. I’m not sure how much difference solid mounting it with screws would make but the soft mounting, while a little fiddly to get set in the bracket initially, works well and the fan fits without interfering with the back cover.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DigitalAura on September 07, 2023, 05:02:58 pm
I'm just about to buy one of these scopes, the MSO5074 and would appreciate it very much if it can be confirmed that this scope can still be hacked. This might not be much money for some, but is a hell of a lot for me and I can't afford to buy it and then find out the hack no longer works.

I hope you can understand my predicament and I really don't wish to appear to be a pain in the ass for asking.

Thanks for all your help.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: snik on September 07, 2023, 05:22:58 pm
I bought an MSO5072 here in Germany three weeks ago and successfully hacked it into an MSO5354 with the latest firmware as described here in a few posts above.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mike_Rg on September 10, 2023, 04:00:27 am
MSO5074 - Only a few months old that I had updated to 01.03.03.00:

So with great trepidation, I took the plunge and followed the simple instructions of initiating a full backup first..

The Data backup, Fram  dump and Memory dump worked fine, but Nand backup never appeared to complete, after 15 minutes I restarted, removed the Flash drive and found it populated with around 1.4GB of files from the Nand backup, so it appears to work but gives no indication of completing.

Lastly I loaded the 3 patch files, bspatch was 01_03_03_00, process took a few seconds and everything was enabled. 

Finalized with calibrate.

A big thanks to all who made this possible.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on September 10, 2023, 09:05:09 am
There is no more need to backup that files. Just apply the correct patch files and everything is ok.
It is very unlikely to brick this scope. There was a time when the crack was in development and backup has been a recommendation.
In a rare case when scope does not boot, press "Single" key at the very beginning of the boot phase and press "Restore defaults" or "Upgrade firmware" to re-apply the original Fw.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: pcxmac on September 14, 2023, 06:41:32 pm
Everything was fine here too.

I will use my previous upgrade post, updated for v00.01.03.00.03 -> v00.01.03.03.00.

Steps I've followed :

1. Backup everything just in case (optional but recommended)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356
- get and unzip the first script file, put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade
- wait until 100%, then turn off/on
- repeat for the second script

2. Install the official firmware v00.01.03.03.00; I have used the above link from rigol.eu
- get the official firmware and unzip
- same steps like above, with the firmware file of course

3. Hack
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4821650/#msg4821650
- get and unzip the file 01_03_03_00.zip and put the three files on USB stick
- same steps like above
- there will be some messages on the screen. You will be asked to press a key, two times. At the end the oscilloscope will reboot, just wait.
- all the options will be activated

4. Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on

Thanks everybody !

Thanks a lot guys, worked great for me on this day, Sep 14th 2023. The meter was built in (this year) April/Calibrated in August. No issues with different firmwares, or the directions, most of the time is spent just being safe. Highly recommend editing the start file to keep ssh open.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: khva89 on September 17, 2023, 04:21:09 pm
Hello.
Could you help me resolve my problem? It failed when I tried to update the firmware in my MSO5000. I got v00.01.03.03.00 from rigol.eu, put it on my flash drive, then selected "Local Upgrade". When the update completed I rebooted my MSO5000, and it is "not working". The progress bar goes from 0 to 100% and nothing changes. What do I need to do? Please help.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on September 17, 2023, 05:51:15 pm
What I need to do, please help.

look two posts above:

In a rare case when scope does not boot, press "Single" key at the very beginning of the boot phase and press "Restore defaults" or "Upgrade firmware" to re-apply the original Fw.

Or do you mean the scope is still running, but still with the previous firmware version?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: khva89 on September 17, 2023, 08:28:17 pm
Thank you. I pressed the "single" button at the very beginning of the boot and loaded v00.01.03.00.01 firmware, then I tried to load v00.01.03.03.00 once again, but I used an old 4GB flash drive. This time it was successful. I think this problem was caused by the flash drive.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on September 17, 2023, 09:09:54 pm
... then I tried to load v00.01.03.03.00 once again, but I used an old 4GB flash drive. This time it was successful. I think this problem was caused by the flash drive.
Yes, the scope can be a bit picky with flash drives.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: saltfishboi on September 20, 2023, 06:56:22 pm
New MSO5042 user, went for the cheapest option. Just tried the hack today, as of 20230920, the instructions put together by core back in May still work. There are a couple of technical difficulties I encountered through the process, i.e., .GEL ran but nothing happened, "Error, no USB mounted..." message. They are all due to USB problems. Once I switched to a newer thumb drive, everything ran as expected. Many thanks to the community. ;)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: SPFXEngineer on October 04, 2023, 03:26:32 am
I just purchased this scope, 9/27/2023, from Rigol's website it came with

Firmware: 00.01.03.02.02
Hardware: 01.01.000
Boot: 2018.06.27
Build: 2022-12-05 10:31:33

Completed the ritual, 10/03/2023, successfully and quite easily. I will admit that the price and the difficulty of hacking seemed intimidating at first but the process was extremely simple and satisfying. There is little that can go wrong assuming the scope does not disconnect from power. Some small issues I ran into were setting my IP for the LAN connection using IPv4. The other issue I had was setting my file system to FAT32 on the usb drive; it would default to exFAT due to the size of the drive. I ended up changing the partition size to a smaller value until I got the option. Using the terminal to do an SSH session was also a bit confusing because I did not initially realize you set the username to root and then when typing in the password, Rigol201, it does not show it in the terminal but what you type does get input. I hope this helps and thank you all for making this possible.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DigitalAura on October 06, 2023, 12:19:25 pm
Does anybody know if this hack once applied is permanent?

For example a new firmware releases and I update, will the scope still be hacked or will it revert to previous settings?

Only asking as I just updated the firmware yesterday and noted a spelling error in one of the menus, lable instead of label and was thinking it'll need another update at some point.

I was also wondering if the hack can be undone should the scope require repair?

Not applied the hack as yet.

Thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on October 06, 2023, 01:53:04 pm
Hi!
No, the hack is not permanent. On every fw. update a new hack needs to be created and applied. Old one is not valid (read in the thread about bspatch creation).
Spelling errors are something permanent :)  "Lable" is already notorious.
Yes the hack can be undone by applying official firmware alone.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on October 07, 2023, 12:01:29 am
I drew out part of the front end for the MSO5000:
(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=1893108;image)


The major difference seen between the MSO5000 (350MHz) and MSO7000 (500MHz+) was the populated RLC filter across one of the input resistors. This does extend the bandwidth in simulation, but, I don't know if what I'm simulating is accurate because that is already past 350MHz. So software limit might be employed.
Also seems to have less of an effect on the higher voltage taps. I assume the IC can switch those tap inputs based on what voltage range is selected.

Of course there is the 50 ohm stuff as well, it looks like there might be another 50 ohm path directly into the ASIC. Not much you'd be able to do about that. It looks like it might be grounded on the 5000, need to check.

I don't know what RLC values are used for the MSO7000, the only one I'm sure of is the inductor Lx is around 2-4nH (it has 4 turns). Any recommendations for values or ideas let me know.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Earlonics on October 09, 2023, 12:03:00 am
Can confirm the Hack still works, as of 09/10/2023. My MSO5104 is now fully upgraded.
Many thanks to those involved in sharing the files and guidance.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: jag on October 14, 2023, 01:34:45 pm
Hello everyone
Just received my MSO5074 and did exactly what is said here on this forum
My oscilloscope is now an MSO5374, 350 MHz with two function generators and all options have been activated forever. Overjoyed.
I would just like to take the time to thank everyone who provided the information on this site which I have bookmarked in order to study it more deeply and also shared my discoveries which could help others,

Thank you so much

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: james_fr on October 18, 2023, 08:11:54 pm
Hello everyone,

I am about to buy the MSO5104, but I would like to know if there is a difference with the MSO5074...
For sure, I will then make it to 350 MHz!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on October 18, 2023, 09:42:22 pm
Hello everyone,

I am about to buy the MSO5104, but I would like to know if there is a difference with the MSO5074...
For sure, I will then make it to 350 MHz!
Hi,
No difference, just buy the 5074 model and apply the patch.
You can also buy the 5072 model but you will get only 2 probes instead of 4.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on October 18, 2023, 11:49:52 pm
You can also buy the 5072 model but you will get only 2 probes instead of 4.

At the moment the MSO5074 is on promotion for less than the MSO5072.  That might be a US only deal. If so, shipping and duty to other countries would likely wipe out any benefit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: james_fr on October 19, 2023, 02:38:40 pm
Thanks for your answers. In fact, the MSO5104 has the FREE MSO5000-BND included. Is it worth getting it or can I hack to get all the functions?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on October 19, 2023, 06:10:27 pm
Thanks for your answers. In fact, the MSO5104 has the FREE MSO5000-BND included. Is it worth getting it or can I hack to get all the functions?

The hack gets you all the MSO5000-BND functions and more (350MHz bandwidth, enabling the AWG, increase memory depth to 200Mpts - can't remember if there are more).

The drawback of the hack is that it has to be reworked by someone for each firmware update - using the official Rigol firmware update will remove the hack.  But the MSO5000 has been out long enough that I think firmware updates will be very infrequent (possibly even no more).

(edit: AWG is included in MSO5000-BND)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: james_fr on October 24, 2023, 04:16:50 pm
Thanks for your message.
I will get my MSO5104 in a few days :)
I am trying to get the newest hack files. Can someone help me find them so I don't fuck up the scope...
Thanks in advance!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on October 29, 2023, 01:38:53 pm
Of course there is the 50 ohm stuff as well, it looks like there might be another 50 ohm path directly into the ASIC. Not much you'd be able to do about that. It looks like it might be grounded on the 5000, need to check.

I don't know what RLC values are used for the MSO7000, the only one I'm sure of is the inductor Lx, which is around 2-4nH (it has 4 turns). Any recommendations for values or ideas let me know.
Have you considered measuring output circuit of frontend(above ic on your pictures)? It seems that bw limit is not located at input. Just look at fft attached. The noise has roll off with corner freq around 500M. Noise of adc converter is uniform, so this should be frontend amp noise after low pass filter.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on October 31, 2023, 02:33:02 pm
Noise of adc converter is uniform, so this should be frontend amp noise after low pass filter.
Made some additional shots. They seem coherent with what I read on different bandwidths of channels. Fastest two in my case is Ch 3 and Ch 4, and Ch 2 is crippled,  Ch 1 is average ~500M.
Good news is that this noise distribution corner frequency is not dependent on gain as far as i can see, thus it should be signal path from frontend to A/D converter.

I also plan to install OCXO instead of reference oscillator in my unit. Does anybody know if additional 0,5 amps at 5V rail at startup will do any harm or not?

Thanks in advance!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on November 02, 2023, 02:04:26 pm
Ok, I just found something. There is an LC filter in front of adc with corner frequency of around 500M. I removed it from channel 4 (no caps and inductors replaced with 0 Ohm resistors ) , and rise time dropped from 725ps to 594ps. Not much gain but it could be signal source or coax cable limited.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on November 03, 2023, 10:54:32 pm
Well you are way faster than me, nice work. But I don't know if completely removing it is ideal, as you could get aliasing from the front end amp noise? The MSO7000 also has a filter in this location, though Dave's photos don't show it clearly so I can't tell what component values might be.

From my measurements the CLC was something like 1pF -> 47nH -> 1pF? But I did not remove the components to verify yet. This might be around the 300MHz range.
For MSO7000 I would assume the capacitors are the same and the inductance is decreased to filter at ~700MHz.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Martin72 on November 04, 2023, 12:15:26 am
Quote
I removed it from channel 4 (no caps and inductors replaced with 0 Ohm resistors )

Guess why they have implemented these filters...
Little hint, not to artificially limit it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on November 04, 2023, 07:36:05 am
Well, I rebuilt the connection to the scope and took a different oscillator, now rise time is ~530ps. Probe construction is from https://jahonen.kapsi.fi/Electronics/DIY%201k%20probe/ with feed through termination. Some cable reflections are thus seen from the 17pF @ oscilloscope input, but bearable.

Well you are way faster than me, nice work. But I don't know if completely removing it is ideal, as you could get aliasing from the front end amp noise? The MSO7000 also has a filter in this location, though Dave's photos don't show it clearly so I can't tell what component values might be.

From my measurements the CLC was something like 1pF -> 47nH -> 1pF? But I did not remove the components to verify yet. This might be around the 300MHz range.
According to my measurements, you are right, 1pF+47nH. Regarding noise, there is some <1db noise rise in an area of 500-1000MHz, but this not visible on a trace, rms noise measures same values  on modified and not modified channels.

Little hint, not to artificially limit it.
I know several reasons why this lowpass could be there, as well as why it could be removed or used by Rigol for other purposes, here is a little hint for you:
- Aliasing.  With 8Gsps adc it has to be 4G+ signals to create aliased signals. This frontend will struggle to pass such signals nor own distortions to output. Moreover, for oscilloscope as a time domain device aliasing is actually a good thing, every equivalent sampling oscilloscope uses analog BW which is greater than sampling.
- Noise . There is some concern that frontend in this scope is noisy, so reducing BW before sampling will reduce jitter etc. However as far as i can judge by fft , most noise above 500M is not coming from frontend, it is adc noise so it could not be removed with such a lowpass placed before adc ( and removing filter will not bring much additional noise )
- Matching. Matching network is placed near frontend ic, before transmission line, otherwise it makes no sense.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on November 07, 2023, 07:29:20 pm
This scope is not an equivalent time sampling scope, so I don't see the value of allowing signals above the sample rate into the ADC.
Though as you have explained, the sample rate being 8Gsps (10 in hardware), would mean the filter could drop to 10-20nH.

It's interesting that they also have the output filter directly on the frontend tweaked to boost some ranges as well. Here is the full schematic of this section:
(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=1923441;image)

Why they are boosting the ~300M range I'm not sure (10p/4.6R). And the effect of 770p/560R would seem to be near nothing.

KJC = BAW56 (https://www.diodes.com/assets/Datasheets/BAW56W.pdf) diode array on the MSO7000, some overload protection. Maybe not present on the 5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on November 08, 2023, 04:31:19 pm
Why they are boosting the ~300M range I'm not sure (10p/4.6R). And the effect of 770p/560R would seem to be near nothing.
Are you sure that 750p is a capacitance? I thought it is a small inductance, white caps are rare.
ADC input impedance should be ~110 Ohm.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on November 09, 2023, 07:31:50 pm
Why they are boosting the ~300M range I'm not sure (10p/4.6R). And the effect of 770p/560R would seem to be near nothing.
Are you sure that 750p is a capacitance? I thought it is a small inductance, white caps are rare.
ADC input impedance should be ~110 Ohm.

Thanks, I updated the schematic above with 110 ohm.

The white cap is the lower value one on the inside, 10pF, those are commonly used on the input section in the same way (RC series).
The darker colored cap is 770pF. Usually the darker the brown dielectric, the higher the capacitance.

Simulation with 47nH, 15nH, 5nH:
(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=1923480;image)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: kelemvor on November 10, 2023, 08:50:27 pm
Thanks lujji and stmcore (I didn't tried the patch yet).

Also, the IP address (I set it to manual) cannot remember the changes, and get lost every time I reboot the scope.

Thank you! Regards!
Log into your network router and create a DHCP reservation for the scope by mac address.  Then you don't have to configure the scope manually and you always get the same ip.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on November 16, 2023, 11:29:01 pm
There is some slight oddity with bandwidth vs. range. I was expecting bandwidth to drop as voltage in gets higher, but, its not that straightforward. These are the stock hardware results:

Code:
Range   Bandwidth (MHz)
1V      605
500mV   610
200mV   620
100mV   630
50mV    580
20mV    590
10mV    590

So if you are testing standardize on what range you are going to use. 100mV gave the greatest bandwidth for me.

I played with 12nH, 15nH, 0R swap in place of 47nH. The 15nH does give a boost in frequency range but not nearly what you would expect. From -3dB of 630MHz to maybe 670MHz or so. As demonstrated above, you do see the ADC noise extend out further:
(https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=1930155;image)

Notes:
- There was no difference in bandwidth with 12nH over 15nH, so the limitation does not lie there.
- Using 0R resistors across the inductors gave me no significant improvement over stock (odd).
- Removing the 1pF at the front of the CLC made things either slightly worse or did nothing.
- Adding a MSO7000 style RCL filter at the front end did improve bandwidth up to ~700MHz but at the cost of ~3dB of peaking at 400MHz. Too much IMO.

The 400MHz peak might be due to poor choice of components (4.7nH, 17pF, 22R), or due to another filter further down the chain.
The signal generator used was rated 6GHz, 15dBm +/-1.5dBm.

I don't have a FET probe to look at the signal along the way, that might be useful. Also could be some external passives on the AFE used to set something.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on November 17, 2023, 02:20:47 pm
- There was no difference in bandwidth with 12nH over 15nH, so the limitation does not lie there.
- Using 0R resistors across the inductors gave me no significant improvement over stock (odd).
- Removing the 1pF at the front of the CLC made things either slightly worse or did nothing.
- Adding a MSO7000 style RCL filter at the front end did improve bandwidth up to ~700MHz but at the cost of ~3dB of peaking at 400MHz. Too much IMO.

With 0R resistors the caps should be removed, if you left them this probably explains the result.
Also for lower values of L, should the caps be replaced with new values so impedance of CLC filter is not changed?


Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: drhex on November 17, 2023, 07:10:06 pm
I built an appEntry for MSO7000 v00.01.04.00.00 in case anybody needs it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on November 17, 2023, 11:19:24 pm
With 0R resistors the caps should be removed, if you left them this probably explains the result.
Also for lower values of L, should the caps be replaced with new values so impedance of CLC filter is not changed?

Yeah that could explain it as I left them in, giving a 2pF load.
I don't have any values less than 1pF, but, I guess I can try some 0402 0.5pF in the future. Didn't even know they were a thing.

I built an appEntry for MSO7000 v00.01.04.00.00 in case anybody needs it.

Have you tested your MSO7000 max bandwidth at all?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on November 18, 2023, 10:52:22 am
Yeah that could explain it as I left them in, giving a 2pF load.
I don't have any values less than 1pF, but, I guess I can try some 0402 0.5pF in the future. Didn't even know they were a thing.
I tried to calculate lc filter and with 110 ohm adc load filter with 1pf & 47nH makes no sense, corner frequency should be too high. We need to guess a new value for adc input impedance.
You are right that completely removing this filter is a bad idea, it interacts with match components on frontend side. Also there are spurs as I can see on my zero ohm replacement filter ).

PS take a look at fft options on screenshots, it could get up to 2.5GHz , which is better for our purposes. CH1 with stock lc filter. CH4 with LC removed and L replaced with zero ohm.
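
Added example, not part of the original posts: a small calculator for the C-L-C low-pass discussed above (shunt 1pF, series inductor, shunt 1pF into the ADC input), using the ~110 Ohm ADC input impedance and the 47nH / 15nH / 0R values mentioned in the thread. The single-ended model, the source resistance `r_src` (the front-end output impedance is not stated in the thread) and the function names are assumptions made for this sketch.

```python
import math

HALF_POWER_DB = -3.0103  # -3 dB point relative to the DC gain


def clc_gain_db(freq_hz, l_h, c_in_f=1e-12, c_out_f=1e-12,
                r_load=110.0, r_src=0.0):
    """Gain (dB, relative to DC) of: source -> shunt C -> series L -> shunt C -> load.

    r_load defaults to the ~110 Ohm ADC input impedance quoted in the thread.
    r_src is an ASSUMED source resistance; 0.0 models an ideal voltage source.
    """
    w = 2 * math.pi * freq_hz
    y1 = 1j * w * c_in_f    # admittance of the input shunt capacitor
    z = 1j * w * l_h        # impedance of the series inductor (0 for a 0R link)
    y2 = 1j * w * c_out_f   # admittance of the output shunt capacitor
    # ABCD matrix of the cascade shunt(y1) * series(z) * shunt(y2)
    a = 1 + z * y2
    b = z
    c = y1 + (1 + y1 * z) * y2
    d = 1 + y1 * z
    h = r_load / (a * r_load + b + c * r_src * r_load + d * r_src)
    h_dc = r_load / (r_load + r_src)
    return 20 * math.log10(abs(h) / h_dc)


def _log_grid(f_lo, f_hi, steps):
    """Log-spaced frequency points from f_lo to f_hi inclusive."""
    return [f_lo * (f_hi / f_lo) ** (i / steps) for i in range(steps + 1)]


def corner_freq_hz(l_h, f_lo=10e6, f_hi=10e9, steps=2000, **model):
    """First frequency where the gain drops to -3 dB, or None if it never does."""
    grid = _log_grid(f_lo, f_hi, steps)
    for prev, f in zip(grid, grid[1:]):
        if clc_gain_db(f, l_h, **model) <= HALF_POWER_DB:
            lo, hi = prev, f
            for _ in range(60):  # bisect on a log scale to refine the crossing
                mid = math.sqrt(lo * hi)
                if clc_gain_db(mid, l_h, **model) <= HALF_POWER_DB:
                    hi = mid
                else:
                    lo = mid
            return hi
    return None  # e.g. 0R link driven by an ideal source: no roll-off in range


def peak_gain_db(l_h, f_lo=10e6, f_hi=10e9, steps=2000, **model):
    """Largest gain over the scanned range; > 0 dB means the filter peaks."""
    return max(clc_gain_db(f, l_h, **model) for f in _log_grid(f_lo, f_hi, steps))


if __name__ == "__main__":
    # Inductor values taken from the thread; 0.0 stands for the 0R replacement
    # with both 1pF caps left in place (2pF total shunt load).
    for r_src in (0.0, 110.0):  # both source resistances are assumptions
        print(f"assumed source resistance: {r_src:.0f} Ohm")
        for l_h in (47e-9, 15e-9, 0.0):
            fc = corner_freq_hz(l_h, r_src=r_src)
            fc_txt = "none below 10 GHz" if fc is None else f"{fc / 1e6:7.0f} MHz"
            pk = peak_gain_db(l_h, r_src=r_src)
            print(f"  L = {l_h * 1e9:4.0f} nH  -3 dB: {fc_txt}  peak: {pk:+.2f} dB")
```
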
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on November 18, 2023, 03:34:06 pm
Well, I've adjusted a spice model according to 750MHz peaking for 15nH and calculated values so peak should appear at ~1G. This gave 0.5pF+1pF & 10nH  for filter.  After some soldering i got no peaking at 1G , this probably means that at 1G there is no noise from frontend, and likely BW limit lies in its configuration bits. Rise time for modded channel is ~600ps , bit more than for zero resistors replacing filter.

Having scope open, I also covered TCXO with some foam, so it will not drift on any slight air flows around the scope. Now it is possible to look at OCXO at trigger shifts 0.1s and more. Appears as a useful modification.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Mountaincat on November 19, 2023, 12:14:58 am
Thanks to everyone involved, another 5074 hacked! :horse:
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on November 19, 2023, 09:53:15 am
this probably means that at 1G there is no noise from frontend, and likely BW limit lies in its configuration bits.

I'm not sure if you are doing all this stuff with a 7000 device. But if you are, and you want to try a vendor.bin for DS7104 or MSO7104, pm me.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on November 19, 2023, 11:32:13 am
I'm not sure if you are doing all this stuff with a 7000 device.
No, I only have an mso5k.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on November 19, 2023, 12:00:59 pm
In that case, we can't do much more "officially" as the FW doesn't have the "5104" model.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on November 19, 2023, 01:00:25 pm
In that case, we can't do much more "officially" as the FW doesn't have the "5104" model.
Not sure what you mean by officially. My scope has same features as anybody else's, i.e. unlocked to 350MHz model.
There is no 1GHz model of course, but mso5k shares frontend ic with 7k scopes, that is why we have expectations to have at least same bw as on 7k.
Bw limit could be different because of schematics as well as different frontend registers configurations , in latter case changing models within mso5k will not help and some more serious patching will be needed to copy configuration code from 7k line software.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: zhongzuocheng520 on November 21, 2023, 01:54:51 pm
Is there a way to restore the oscilloscope that has been stuck in the RIGOL display window due to an operational error? I have backed up the data, and there is a way to tell me. Thank you very much.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on November 21, 2023, 02:59:53 pm
There is no 1GHz model of course, but mso5k shares frontend ic with 7k scopes, that is why we have expectations to have at least same bw as on 7k.

That is all HW-wise. What I meant is that, if you have a SW limitation, you'll only be able to use it up to the highest model Rigol considered for it in the SW - MSO5104, unless you would do a MAJOR SW patch. Or, forcing the MSO7000 SW to run in the 5000...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rpro on November 21, 2023, 04:07:32 pm
Is there a way to restore the oscilloscope that has been stuck in the RIGOL display window due to an operational error? I have backed up the data, and there is a way to tell me. Thank you very much.
Try "restoring defaults". Immediately after power on, wait for the power-on lights to go out (for the Single key to stop glowing orange) and press the "Single" key once. Choose the "Restore Defaults" option. Hope it helps.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: zhongzuocheng520 on November 22, 2023, 03:42:18 am
Thank you very much. I have time to give it a try, but I'm not sure if it will succeed
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: drhex on November 22, 2023, 02:00:31 pm
Think it was good to about 600MHz - been a while, can recheck if you need the information.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: zhongzuocheng520 on November 22, 2023, 02:30:50 pm
Is there a way to restore the oscilloscope that has been stuck in the RIGOL display window due to an operational error? I have backed up the data, and there is a way to tell me. Thank you very much.
Try "restoring defaults". Immediately after power on, wait for the power-on lights to go out (for the Single key to stop glowing orange) and press the "Single" key once. Choose the "Restore Defaults" option. Hope it helps.
You can enter the operation and prompt for recovery failure after the operation. What additional files do I need to add and what folders do I need? Can you tell me? Thank you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: rpro on November 22, 2023, 03:00:35 pm
Is there a way to restore the oscilloscope that has been stuck in the RIGOL display window due to an operational error? I have backed up the data, and there is a way to tell me. Thank you very much.
Try "restoring defaults". Immediately after power on, wait for the power-on lights to go out (for the Single key to stop glowing orange) and press the "Single" key once. Choose the "Restore Defaults" option. Hope it helps.
You can enter the operation and prompt for recovery failure after the operation. What additional files do I need to add and what folders do I need? Can you tell me? Thank you.

I have done this in the past without needing to add additional files. Just choosing the "Restore Defaults" option and rebooting cleared a similar problem (stuck on RIGOL boot screen) for me. 
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: comeau on November 23, 2023, 04:09:33 am
Okay so I'm pretty new to the MSO5000 club, but I think it was a pretty good purchase. I do embedded firmware for off-highway vehicles professionally. I really would like to expand the CAN decode/trigger to the search function. An alternative goal would be to store things in the same file format (.arb/.ref/.bin etc) that it reads or have a converter on the scope. Has anybody made any serious effort for tweaking the firmware? I noticed that there was a repo on gitlab that had the appEntry file. https://gitlab.com/riglol/rigolee/firmware/-/tree/MSO5000/firmware/rootfs/rigol?ref_type=heads
I popped it open in Ghidra, but before I go down the rabbit hole of teaching myself Ghidra/RE, does anybody know of an active project to reverse the source code for this?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: demoss on November 25, 2023, 06:05:53 pm
Hello! Yep, now I have an MSO5072 with full functions! Thanks a lot!
But I have a question: from what device or file does Rigol read the information about model, serial, firmware, hardware... when we press the "About" button?
And also... how can I enable ssh permanently? Do I need to rewrite the ssh and sshd config and/or the /etc/init.d scripts?

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on November 27, 2023, 10:36:18 pm
Hello! Yep, now I have an MSO5072 with full functions! Thanks a lot!
But I have a question: from what device or file does Rigol read the information about model, serial, firmware, hardware... when we press the "About" button?
And also... how can I enable ssh permanently? Do I need to rewrite the ssh and sshd config and/or the /etc/init.d scripts?

Press the Print button top right and search through the thread. https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2245083/#msg2245083

Okay so I'm pretty new to the MSO5000 club, but I think it was a pretty good purchase. I do embedded firmware for off-highway vehicles professionally. I really would like to expand the CAN decode/trigger to the search function. An alternative goal would be to store things in the same file format (.arb/.ref/.bin etc) that it reads or have a converter on the scope. Has anybody made any serious effort for tweaking the firmware? I noticed that there was a repo on gitlab that had the appEntry file. https://gitlab.com/riglol/rigolee/firmware/-/tree/MSO5000/firmware/rootfs/rigol?ref_type=heads
I popped it open in Ghidra, but before I go down the rabbit hole of teaching myself Ghidra/RE, does anybody know of an active project to reverse the source code for this?

Makes no sense to spend effort on this, IMO, when you can get a decent logic analyzer for ~$100 that can be used with open source pulseview. Or dedicated CAN analyzers are probably available as well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: comeau on November 28, 2023, 03:33:12 am
I already have tools for analyzing CAN messages. However, there is a real benefit to having the device input signals, CAN bus analog signal shape and CAN messages all on the same device. Synchronizing the inputs/outputs and messages takes time and slows down the process. Also, 12V logic analyzers are rarer and more expensive so I need the scope for I/O even if I had a logic analyzer for the CAN bus. Basically, the scope is sometimes the best tool for the job. I'm not trying to find a new tool. I just want to improve the tool that I'm using. I want to see every trigger condition that is present in the buffer.
Is it practical to add this function to the scope, maybe not. Either way I'll learn something.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: comeau on November 28, 2023, 05:28:35 am
I didn't see it posted here, or couldn't find it:
To cross-compile a binary for the MSO5000 you just need to follow the directions to install the toolchain found here: https://www.acmesystems.it/arm9_toolchain
You'd be using the arm-linux-gnueabi-gcc command version.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: macboy on November 28, 2023, 04:40:25 pm
I already have tools for analyzing CAN messages. However, there is a real benefit to having the device input signals, CAN bus analog signal shape and CAN messages all on the same device. Synchronizing the inputs/outputs and messages takes time and slows down the process. Also, 12V logic analyzers are rarer and more expensive so I need the scope for I/O even if I had a logic analyzer for the CAN bus. Basically, the scope is sometimes the best tool for the job. I'm not trying to find a new tool. I just want to improve the tool that I'm using. I want to see every trigger condition that is present in the buffer.
Is it practical to add this function to the scope, maybe not. Either way I'll learn something.
It's unclear what you want to do. Is the CAN Decode event table not good enough? You can also export this to .csv file then import into a spreadsheet for more detailed analysis on a computer. What about the waveform recording? This can record many separately triggered waveforms ("frames") into the memory buffer, and you can then go back and view each frame, I assume with decoding if desired. The manual describes waveform recording as capturing on an interval, but you need to interpret that as re-arming the trigger on that interval. Then, when the trigger fires (which could be some condition on the CAN bus), a waveform/frame is recorded. The trigger is re-armed after the delay which can be set as low as 10 ns (effectively nil for CAN).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EJC on December 02, 2023, 07:49:09 pm
Thanks so much to everyone who worked on this!!!  So happy to get my MSO5074 unlocked, AWESOME!
For anyone looking for the instructions/correct patch in this giant thread like I was, here is the patch for FW 01.03.02.02, taken from stmcore's post:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4685945/#msg4685945

Instructions I followed:
-Freshly formatted 16GB Nextech USB to FAT32
-Unzipped "01.03.02.02_patch.zip" onto USB (loose files into root directory)
-put USB in scope, do local upgrade (Utility->System->Help->Local Upgrade)
-press keys when prompted on scope
-don't panic when screen goes black for a minute
-re-calibrate unit (Utility->System->SelfCal)
-reboot and enjoy all the sweet sweet bandwidth!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mosafet on December 03, 2023, 05:47:22 pm
For anyone looking for the instructions/correct patch in this giant thread like I was, here is the patch for FW 01.03.02.02, taken from stmcore's post:

00.01.03.03.00 is the latest firmware AFAIK
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: core on December 03, 2023, 07:03:50 pm
Thanks so much to everyone who worked on this!!!  So happy to get my MSO5074 unlocked, AWESOME!
For anyone looking for the instructions/correct patch in this giant thread like I was, here is the patch for FW 01.03.02.02, taken from stmcore's post:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4685945/#msg4685945

Instructions I followed:
-Freshly formatted 16GB Nextech USB to FAT32
-Unzipped "01.03.02.02_patch.zip" onto USB (loose files into root directory)
-put USB in scope, do local upgrade (Utility->System->Help->Local Upgrade)
-press keys when prompted on scope
-don't panic when screen goes black for a minute
-re-calibrate unit (Utility->System->SelfCal)
-reboot and enjoy all the sweet sweet bandwidth!


Why don't you try to install the latest firmware and patch (00.01.03.03.00) ?
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4856702/#msg4856702
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: EJC on December 05, 2023, 05:58:44 am
Oh my scope came with 01.03.02.02 and that is the only one available for download from rigolcanada.com where I bought the scope.  Just assumed it was the latest  :palm:
I'll have to look into that thank you!

Edit:  Got 01.03.03.00 from Rigol.eu and patched!  Thanks guys  ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: comeau on December 05, 2023, 09:04:11 pm
I already have tools for analyzing CAN messages. However, there is a real benefit to having the device input signals, CAN bus analog signal shape and CAN messages all on the same device. Synchronizing the inputs/outputs and messages takes time and slows down the process. Also, 12V logic analyzers are rarer and more expensive so I need the scope for I/O even if I had a logic analyzer for the CAN bus. Basically, the scope is sometimes the best tool for the job. I'm not trying to find a new tool. I just want to improve the tool that I'm using. I want to see every trigger condition that is present in the buffer.
Is it practical to add this function to the scope, maybe not. Either way I'll learn something.
It's unclear what you want to do. Is the CAN Decode event table not good enough? You can also export this to .csv file then import into a spreadsheet for more detailed analysis on a computer. What about the waveform recording? This can record many separately triggered waveforms ("frames") into the memory buffer, and you can then go back and view each frame, I assume with decoding if desired. The manual describes waveform recording as capturing on an interval, but you need to interpret that as re-arming the trigger on that interval. Then, when the trigger fires (which could be some condition on the CAN bus), a waveform/frame is recorded. The trigger is re-armed after the delay which can be set as low as 10 ns (effectively nil for CAN).
No, the CAN Decode table is insufficient for two reasons. 1) The CAN decode doesn't work if you zoom out very far even though the sample rate is adequate or even the waveform is saved in memory 2) The event table shows all events, not just certain events.
The idea is to trigger off a very infrequent analog event, then look at how that analog event is related to selected CAN messages in time. So for instance nothing happens for 2 minutes, Ch1 goes high for 20ms, when was the last 0x18EAFFBE message? For SPI this is easy, you use the search function. The search function doesn't work for CAN. That's the problem.
As an aside I tried using PulseView and found it to be worse than using the scope. It just didn't work very well, missed frames, couldn't handle partial frames etc.
Please keep in mind I'm not asking for advice on how to use the scope, I just wanted to know if anybody was actively reversing the firmware.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: demoss on December 22, 2023, 06:30:38 pm
How does one enable this mystical 500MHz mode?

I won't go into details because the benefits are residual compared to the possible headaches when executing the procedure wrongly. I leave that as homework for the ones who are not faint of heart.

But, as general knowledge, I'll add the following:

These equipments keep their config in a FRAM memory. In that FRAM, among other possible things, usually there are the following params (specific to the unit):
- E_CFG_MODEL_RAW
- E_CFG_SN_RAW
- E_CFG_MAC
- ECC Public key of the scope
- Option's licenses

These fields are replicated in the sysvendor.bin, Key.data and the *.LIC files (for "external" consumption).

So, to change the Model, you just have to change the contents of the param E_CFG_MODEL_RAW, in the FRAM, and the scope will adjust everything else accordingly.
Hello, has anyone managed to make these changes as well?  Did you manage to work with Fram?  If someone has repeated this feat, can you write or direct me?  I'll be with the device soon and want to give it a try.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Vancouver_Kid on December 30, 2023, 11:32:11 pm
Thanks so much to everyone who worked on this!!!  So happy to get my MSO5074 unlocked, AWESOME!
For anyone looking for the instructions/correct patch in this giant thread like I was, here is the patch for FW 01.03.02.02, taken from stmcore's post:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4685945/#msg4685945

Instructions I followed:
-Freshly formatted 16GB Nextech USB to FAT32
-Unzipped "01.03.02.02_patch.zip" onto USB (loose files into root directory)
-put USB in scope, do local upgrade (Utility->System->Help->Local Upgrade)
-press keys when prompted on scope
-don't panic when screen goes black for a minute
-re-calibrate unit (Utility->System->SelfCal)
-reboot and enjoy all the sweet sweet bandwidth!

Hi EJC, thank you for summarizing but can you further clarify what features and apparent BW we are gaining by doing what you have summarized?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on December 31, 2023, 02:00:27 am
The MSO5000 hack enables: 350MHz bandwidth, arbitrary waveform generator, increases memory depth to 200Mpts, and all serial decodes
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Papa58 on January 02, 2024, 02:53:25 pm
Thank you Vancouver_Kid
Couple of questions I am hoping you can help with.

1) I believe the latest patch is 01_03_03_00
2) Do I need to do a backup before I follow your programming instructions? Almost seems too simple.
3) All three files only total 132kB. Do we need 32g USB stick? There seems to be some questions about which ones will actually work. Do you have a recommendation for the one you used.

Thank you for posting the very good instructions. My machine will be here in a few days. Really looking forward to putting it through some tests.

Thank you..
David
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thermotto on January 02, 2024, 09:33:46 pm
Everything was fine here too.

I will use my previous upgrade post, updated for v00.01.03.00.03 -> v00.01.03.03.00.

Steps I've followed :

Thanks everybody !

Thanks for outlining the steps! I have successfully upgraded my new MSO5074.

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mironex on January 03, 2024, 11:35:35 am
Everything was fine here too.

I will use my previous upgrade post, updated for v00.01.03.00.03 -> v00.01.03.03.00.

Steps I've followed :

1. Backup everything just in case (optional but recommended)
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356
- get and unzip the first script file, put DS5000Update.GEL on USB stick, then Utility/Help/Local upgrade
- wait until 100%, then turn off/on
- repeat for the second script

2. Install the official firmware v00.01.03.03.00; I have used the above link from rigol.eu
- get the official firmware and unzip
- same steps like above, with the firmware file of course

3. Hack
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4821650/#msg4821650
- get and unzip the file 01_03_03_00.zip and put the three files on USB stick
- same steps like above
- there will be some messages on the screen. You will be asked to press a key, two times. At the end the oscilloscope will reboot, just wait.
- all the options will be activated

4. Calibration - very important
- remove the input probes
- Utility/System/SelfCal
- then turn off/on

Thanks everybody !

I have 2 questions:
1. Where could I find procedure to recover from this backup  :-//?
Which scenarios could require this?
2. How could I recover firmware to original in case when I need to send oscilloscope to service  :-BROKE?
3. What about my original additional license? Could I use it after recovering to original firmware?

Thanks :-)
M.S.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on January 03, 2024, 11:31:38 pm
I have 2 questions:
1. Where could I find procedure to recover from this backup  :-//?
Which scenarios could require this?
2. How could I recover firmware to original in case when I need to send oscilloscope to service  :-BROKE?
3. What about my original additional license? Could I use it after recovering to original firmware?

Thanks :-)
M.S.

It's all in this thread. But if there is any issue, press "Single" during boot, load the stock Rigol FW that is unmodified, hit reset to defaults. Everything should be back to stock so you can send in for service.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BitBug on January 09, 2024, 03:16:10 pm
Anybody have any issues with their "Scale" encoder jumping/glitching around?

I have one of the earlier 5074s... Just started getting very "touchy" lately when scaling-up or down... Just wondering if the newer firmware did a better job of de-bouncing the encoder output?

BB
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on January 09, 2024, 03:58:45 pm
Anybody have any issues with their "Scale" encoder jumping/glitching around?

I have one of the earlier 5074s... Just started getting very "touchy" lately when scaling-up or down... Just wondering if the newer firmware did a better job of de-bouncing the encoder output?

BB
I think I've read about issues with the quality of the encoders. So I would rather consider it as a hardware issue of the encoders. If you ask about software de-bouncing in the firmware, you could just give a later version a try.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: beatman on January 09, 2024, 04:38:44 pm
The encoders are no good. I change both on 1054 and 5104 and is far better the response. The stock pots is smd i by 24 clicks through hole encoders cut and bend carefully the legs and solder on place. Two years now run the scopes flawlessly.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BitBug on January 09, 2024, 11:08:13 pm
The encoders are no good. I change both on 1054 and 5104 and is far better the response. The stock pots is smd i by 24 clicks through hole encoders cut and bend carefully the legs and solder on place. Two years now run the scopes flawlessly.

Wouldn't happen to have the part numbers you replaced them with, would you ?  :) ...I guess I'll need a quality "upgrade"...  >:(

BB
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on January 10, 2024, 11:41:13 am
So, this is it! I was able to reverse-engineer and understand how the license keys check works. And I'm glad to present this Fully automatic license activator.
Use it carefully. Trying to switch off your device during activation may brick it.

Usage:
python rigol_kg.py 192.168.1.1
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 10, 2024, 12:49:12 pm
Now you just have to replace the loading of the FRAM's pubkey with the correct SCPI command. That makes life easier and the code simpler.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on January 10, 2024, 12:58:41 pm
I'm doing so, but using fram tool.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 10, 2024, 02:27:45 pm
I'm doing so, but using fram tool.

Definitely not so elegant or failure proof.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on January 10, 2024, 02:35:53 pm
Thanks. I'll check another way to do that via SCPI protocol.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on January 11, 2024, 06:38:37 am
I'm doing so, but using fram tool.

Definitely not so elegant or failure proof.
I cannot find how to write to FRAM via SCPI. Could you help?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 11, 2024, 11:53:28 am
I cannot find how to write to FRAM via SCPI. Could you help?

Sure you can. Compared to what you already did, this one should be a piece of cake since you are delimited to the SCPI commands space.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mwb1100 on January 11, 2024, 08:19:34 pm
I was able to reverse-engineer and understand how the license keys check works.

Awesome!

I'm glad to present this Fully automatic license activator.

Thanks very much!

These are probably dumb questions, but just to be sure I understand: this means that the MSO5000 will be hacked to 350MHz (and all other available options) without having to install hacked firmware?  In other words a completely different approach to hacking the MSO5000 - more akin to the DS1054Z key hack?  So the 'hacked' options will remain in place even after an unhacked firmware update?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on January 12, 2024, 05:14:51 am
Exactly. No usb flash required, not a single executable modified, so it's a persistent options installer. (Sure, restoring to defaults via SINGLE button will clear a new key and options installed)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Tabovl on January 12, 2024, 04:06:01 pm
So, this is it! I was able to reverse-engineer and understand how the license keys check works. And I'm glad to present this Fully automatic license activator.
Use it carefully. Trying to switch off your device during activation may brick it.

Usage:
python rigol_kg.py 192.168.1.1


Is it just my problem or is anyone else unable to download this script? It gives me a 404 error.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: PA0PBZ on January 12, 2024, 04:40:44 pm
Is it just my problem or is anyone else unable to download this script? It gives me a 404 error.

https://www.eevblog.com/forum/chat/website-error-reports/msg5274616/#msg5274616
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Erronous99 on January 12, 2024, 09:40:51 pm
Hoban new and I am looking to buy the Rigol, I was wondering if this code still works? I am looking into buying a Rigol 5074, and upgrade it to 5354. Does it also have the software for debugging RS232, SPI, and other protocols switched free?

Are there more hidden functions?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on January 12, 2024, 11:59:50 pm
Hoban new and I am looking to buy the Rigol, I was wondering if this code still works? I am looking into buying a Rigol 5074, and upgrade it to 5354. Does it also have the software for debugging RS232, SPI, and other protocols switched free?

Are there more hidden functions?

Yes. You can look at the options list for what is available. Jitter, power, etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nemitom on January 21, 2024, 03:53:39 pm
So, this is it! I was able to reverse-engineer and understand how the license keys check works. And I'm glad to present this Fully automatic license activator.
Use it carefully. Trying to switch off your device during activation may brick it.

Usage:
python rigol_kg.py 192.168.1.1

Hello, how to use/run?
or not work for me?
Thanks

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: edward-p on January 22, 2024, 01:29:24 am
So, this is it! I was able to reverse-engineer and understand how the license keys check works. And I'm glad to present this Fully automatic license activator.
Use it carefully. Trying to switch off your device during activation may brick it.

Usage:
python rigol_kg.py 192.168.1.1

Hello, how to use/run?
or not work for me?
Thanks

I got the same result with my MSO5072 (fw version: 01.03.03).
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobbiTobi on January 23, 2024, 09:40:43 am
Hi guys,

could anybody help me out on finding an encoder replacement part for my MSO5000?
I have a defective dented encoder which is annoying me so much  |O

Many thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on January 25, 2024, 10:44:31 am
I'll check it on 5072 later, and will update the script if required.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: nemitom on January 27, 2024, 04:47:42 pm
unlocking the old way works for me... (using a flash drive)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on January 27, 2024, 05:13:06 pm
I'll check it on 5072 later, and will update the script if required.
Also for 5074 does not work. It does not activate BW and Deep memory. Tried with the scope unlocked and also with original fw (locked). Also after procedure the scope sometimes does not boot, need to recover with  "Single" key method.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on January 27, 2024, 05:42:24 pm
I guess the keygen way of inserting the info into the FRAM is bad. I have suggested doing it with official SCPI way.

@DrMefistO probably is looking into it...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on January 27, 2024, 05:57:03 pm
I guess the keygen way of inserting the info into the FRAM is bad. I have suggested doing it with official SCPI way.

@DrMefistO probably is looking into it...

@DrMefistO Can you make the script to output the keys as text?
Thanks!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BRZ.tech on January 28, 2024, 12:19:34 am
Anybody have any issues with their "Scale" encoder jumping/glitching around?

I have one of the earlier 5074s... Just started getting very "touchy" lately when scaling-up or down... Just wondering if the newer firmware did a better job of de-bouncing the encoder output?

BB

Hi
Bit Bug.
I have the same problem on my MSO5074, the Horizontal Scale (Time Adjustment) keeps jumping non-linearly when turning the control, left and right.
Here is a set of photos of the internal part of the MSO5000 taken by Dave:
https://www.flickr.com/photos/eevblog/45756741562/in/photostream/

I think the name for this component is Rotary Encoder, it seems that there are 12 identical parts in the MSO5000, all are SMD type, and with the same type of finish. I think that of all of them, H-SCALE is the most used, maybe that's the reason it's failing, and it could get worse.
Dave made a video and disassembled a Rotary Encoder:
https://www.youtube.com/watch?v=UgpHZisG1PQ

On Aliexpress I found a similar Rotary Encoder, from ALPS model EC11J1524413, but the finish is not exactly the same as the one used in the MSO5000, I don't know how many positions it uses in the MSO5000, and also the Axis Length.
If the Original Part has a Manufacturing Code printed on it, it will be easier to find it, or a similar one.
See the detail in the corners of the ALPS piece:
https://pt.aliexpress.com/item/32867473208.html?spm=a2g0o.productlist.main.7.3f5d2322YoHetL&algo_pvid=d610dbe4-ecf6-4a49-a39c-f9368b1980d8&algo_exp_id=d610dbe4-ecf6-4a49-a39c-f9368b1980d8-3&pdp_npi=4%40dis%21BRL%2121.17%2121.17%21%21%214.10%214.10%21%402101fb0d17063969934018481e45e0%2165479190088%21sea%21BR%210%21AB&curPageLogUid=mRyoZjHUQIVJ&utparam-url=scene%3Asearch%7Cquery_from%3A

There's this one too:
https://pt.aliexpress.com/item/1005001701253298.html?spm=a2g0o.productlist.main.23.3f5d2322YoHetL&algo_pvid=d610dbe4-ecf6-4a49-a39c-f9368b1980d8&algo_exp_id=d610dbe4-ecf6-4a49-a39c-f9368b1980d8-11&pdp_npi=4%40dis%21BRL%2122.20%2118.22%21%21%214.30%213.53%21%402101fb0d17063969934018481e45e0%2112000017211540311%21sea%21BR%210%21AB&curPageLogUid=UQRmvg11R9cI&utparam-url=scene%3Asearch%7Cquery_from%3A

I don't know which of these will fit the MSO5000, and it will require very rigorous work to replace the defective part, so as not to damage the solder islands and tracks.
As long as you do not replace the defective part, you can change the H-SCALE using the TOUCH SCREEN on the screen, in the upper left corner.

This here is a specific topic for MSO5000 Hack, so that we can analyze the solution to the defect in more depth, and how it was you who gave the idea to the subject,

  I suggest that you open a NEW specific TOPIC for discussion:
RIGOL MSO5000 ROTARY Encoder H-SCALE Replace
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: beatman on January 28, 2024, 08:50:05 am
Hi guys,

could anybody help me out on finding an encoder replacement part for my MSO5000?
I have a defective dented encoder which is annoying me so much  |O

Many thanks!

I have replaced the encoders on dz1054 and mso5104 with through hole pots from BI part numb. EN12HS1L. I just cut carefully the legs and solder on the pads. Both scopes working as it should"t last two years.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BRZ.tech on January 28, 2024, 11:10:15 am
Hi
Beatman
With this Rotary Encoder EN12HS1L code I did not find the datasheet.

I think that in this type of Rotary Encoder component, the External and Internal Parameters must be STANDARDIZED, and a cross-reference of brands and models will help everyone. Perhaps you can change the Height of the Axis, and its Format, but the Pitch and Functions are the same. This is better than nothing.

I think it's productive, if any of the participants have a DSO from Tektronix or Keysight or Teledyne-Lecroy or Rohde-Schwarz, which have a LIST OF PARTS, and Spare Parts, check the Original Rotary Encoder Code, and inform the link here in this Topic of the datasheet. And check if it is similar, and if it is easy to buy.

The defect in the Rotary Encoder on the MSO5000 may occur in any of the 12 positions on the MSO5000. It's a matter of time when symptoms appear...

I don't know if RIGOL can indicate to Brands the Rotary Encoder models that can be used, and also sell them at a low price to users.

If someone has the symptoms on the MSO5000 during the Warranty Period, they can uninstall the HACK and send it for Free Repair, if the warranty seal has not been broken. It means spending some time without your MSO5000.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on January 28, 2024, 11:28:22 am
With this Rotary Encoder EN12HS1L code I did not find the datasheet.

https://www.ttelectronics.com/TTElectronics/media/ProductFiles/Datasheet/EN12.pdf
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BRZ.tech on January 28, 2024, 04:04:19 pm
With this Rotary Encoder EN12HS1L code I did not find the datasheet.

https://www.ttelectronics.com/TTElectronics/media/ProductFiles/Datasheet/EN12.pdf

Hi
w.v.s.
Tks for the contribution.
This EN12 model you sent is for PTH mounting.
I checked the TT Electronics website, and they do not manufacture Rotary Encoder for SMD Mounting. Check here:
https://www.ttelectronics.com/site-search?k=rotary%20encode

The manufacturer ALPS has the EC11 line for SMD mounting:
https://tech.alpsalpine.com/e/products/category/encorder/sub/01/series/ec11n/

I think the MSO5000's Rotary Encoder is very sensitive, maybe it has 30 detents or more.
I think ALPS model EC11N152504 can work well, it has the Pressure Switch and Push-on Switch Travel of 1.5mm, and NO THREAD, and it is for SMD mounting. You have to check if the welding feet Islands Pitch and Axis Height are the same on the MSO5000:
https://tech.alpsalpine.com/e/products/detail/EC11N1525404/

When searching on Google, I didn't find the ALPS EC11N152504 to buy.

ALPS does not manufacture the EC12 model for SMD Mounting.

Maybe the @Bit bug didn't throw the defective part in the trash, and can inform the measurements of the MSO5000's ORIGINAL Rotary Encoder:
Shaft Length, Width and Height.

On Aliexpress, I found another Rotary Encoder for SMD Mounting, and WITHOUT THREAD, more similar to the Original MSO5000: but it doesn't have a datasheet, maybe you can use it on the MSO5000, you need to adjust the Shaft Height:
“5Pcs Rotary Encoder Code Switch EC11 30 Position Push Button Switch SMD 5Pin Handle Length 12.5mm 17mm Middle Shaft”
https://pt.aliexpress.com/item/1005001713654182.html?spm=a2g0o.productlist.main.31.36d084e9mL4an8&algo_pvid=e07b3c9e-8d7a-46d1-bd01-ff8afd5e8cb0&algo_exp_id=e07b3c9e-8d7a-46d1-bd01-ff8afd5e8cb0-15&pdp_npi=4%40dis%21BRL%2122.20%2118.22%21%21%214.30%213.53%21%402101c59117064475434413434e5d2e%2112000017260108848%21sea%21BR%210%21AB&curPageLogUid=oIiA39ZHpEZB&utparam-url=scene%3Asearch%7Cquery_from%3A

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: RobbiTobi on January 29, 2024, 08:47:03 am
Hi guys,

could anybody help me out on finding an encoder replacement part for my MSO5000?
I have a defective dented encoder which is annoying me so much  |O

Many thanks!

I have replaced the encoders on dz1054 and mso5104 with through hole pots from BI part numb. EN12HS1L. I just cut carefully the legs and solder on the pads. Both scopes working as it should"t last two years.

Hi beatman,

the encoder on my MSO5000 has 30 detents, but what about the pulses/rev?
Is it a 15 or 30 pulses/rev?
The replacement part you used is about how many detents and pulses?

Many thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: beatman on January 29, 2024, 09:46:22 am
With this Rotary Encoder EN12HS1L code I did not find the datasheet.

https://www.ttelectronics.com/TTElectronics/media/ProductFiles/Datasheet/EN12.pdf
It is 24 clicks pots and works perfect in both scopes 5104 and 1054. On my DHO804 don't need to replace nothing. I try to upload photo from the encoder.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: beatman on January 29, 2024, 10:06:06 am
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BRZ.tech on January 30, 2024, 01:10:25 am
In the RIGOL models below, you can use the Rotary Encoder (ALPS EC12E2424407) PTH assembly, perhaps suitable for adaptation to the MSO5000.

This ALPS EC12E2424407 model can be found easily.

Datasheet:
https://www.farnell.com/datasheets/1685514.pdf

MSO1074Z-S:
https://www.eevblog.com/forum/testgear/rigol-ds1054z-rotary-encoder-mod/msg737852/#msg737852

MSO4000:
https://www.eevblog.com/forum/testgear/rigol-mso4000-and-ds4000-tests-bugs-firmware-questions-etc/msg951428/#msg951428

DS1054Z:
https://www.youtube.com/watch?v=Hj5tfN3cCXQ&t=4s
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on January 31, 2024, 05:02:20 pm
So much exciting stuff happening here!

Okay so I'm pretty new to the MSO5000 club, but I think it was a pretty good purchase. I do embedded firmware for off-highway vehicles professionally. I really would like to expand the CAN decode/trigger to the search function. An alternative goal would be to store things in the same file format (.arb/.ref/.bin etc) that it reads or have a converter on the scope. Has anybody made any serious effort for tweaking the firmware? I noticed that there was a repo on gitlab that had the appEntry file. https://gitlab.com/riglol/rigolee/firmware/-/tree/MSO5000/firmware/rootfs/rigol?ref_type=heads
I popped it open in Ghidra, but before I go down the rabbit hole of teaching myself Ghidra/RE, does anybody know of an active project to reverse the source code for this?
You'd have to 'patch' the firmware with your features, Would be a big pain, but sure, possible yes.

OR, write a whole new GUI application that does all that and more :) Would be perfect. Someone tried to do this once on one of the older rigols. Was it related to http://codenaschen.de/tichyblog/index.php?action=blog&entry=10_Rigol%20DS1052e%20Homebrew%204%20All ? I don't remember ... was an EEVBlog thread about it as well afaik.

But with regards with Ghidra, don't bother, read below ;)

So, this is it! I was able to reverse-engineer and understand how the license keys check works. And I'm glad to present this Fully automatic license activator.
Use it carefully. Trying to switch off your device during activation may brick it.

Usage:
python rigol_kg.py 192.168.1.1
Amazing!! very cool,

I guess the keygen way of inserting the info into the FRAM is bad. I have suggested doing it with official SCPI way.

@DrMefistO probably is looking into it...
can't wait for V2 which uses scpi commands instead :)

But modifying the FRAM is erased with a 'factory reset', I suppose you could go the extra mile and replace the 'vendor.bin' or whatever it was called as well? Food for thought for V3?

Anyway, during your RE work, did you try to google for some of the strings? There's a rumor that the actual software was leaked ...

Accidentally posted something here that was intended for https://www.eevblog.com/forum/testgear/another-low-cost-la-probe-for-rigol-mso5000-by-oliv3r/ sorry for the noise :)
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: std on February 09, 2024, 07:59:58 pm
For a more high quality fan replacement, you can use the Noctua NF-A8 FLX, 80mm fan. It is dead silent and has a six year warranty.
https://noctua.at/en/products/fan/nf-a8-flx

Thank you for suggestion. 
Received the Xilence XF037, connected it to the power supply, and realized it’s impulsive to believe different people from Youtube without doing an engineering check of specs. The Xilence XF037 has a low RPM (1500) and its airflow is not even comparable to a stock fan. That's why I didn't install it.

Well, ordered Noctua NF-A8 FLX, 80mm from Chinese. (Almost $20 for a fan to be a 20-fold overpayment, if not 40). Still don’t know what the airflow of the standard Rigol fan, but Noctua promise higher RPM with airflow than Xilence. 


If take into account that I also need to change Rigol DS1054 fan, C1-99 oscilloscope fan, and also 120mm CPU fan began to creak somehow, this flutter in eggsfans will bring me to bankruptcy :)))
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: std on February 09, 2024, 08:22:09 pm
When updating completed I reboot my MSO5000, and it "not working". The progressbar changing from 0 to 100% and nothing is changed. What I need to do, please help.
In a rare case when scope does not boot, press "Single" key at the very beginning of the boot phase and press "Restore defaults" or "Upgrade firmware" to re-apply the original Fw.
A lot of time has passed.
1. Before flashing the oscilloscope, be sure to perform settings reset to factory defaults from the menu. This has been confirmed several times and if you reset the settings (in the menu) before flashing, you do not get into reboot freezing problem. (Remember that settings reset changes probe divider).
2. Oscilloscope is sensitive to USB Flash Drive. My old 2Gb/8Gb flash drives were not accepted, only the new Samsung one. I haven’t checked, but perhaps it is possible to check before; from the oscilloscope menu you can try to view flash drive file system.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Houseman on February 12, 2024, 10:25:06 am
Me too.  |O |O |O
Had the unglory brilliant idea today to flash latest firmware MSO5000(ARM)Update v01.03.02.02 from here: https://www.rigolna.com/firmware/ and now I am lost into the 100% progress bar frozen state.
Have tried pressing single button at boot without effort...
No options appears
Please help

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 12, 2024, 12:04:24 pm

Have tried pressing single button at boot without effort...

That is very unlikely ...
Start pressing repeatedly immediately after start button is pressed..
You will see the menu.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Houseman on February 12, 2024, 02:57:38 pm
Yeah, You are right, thanks. I started pressing it before the power button repeatedly. Now it is upgraded at least... but with all options gone...
I have the 01_03_00_03.bspatch, it's 2 years old. Will navigate through the forum to see if there are any news relative to this patch.
Thank You
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 12, 2024, 05:41:58 pm
The latest is 01.03.03.00
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4821650/#msg4821650
This is I'm using now.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on February 13, 2024, 10:35:12 pm
Yeah, You are right, thanks. I started pressing it before the power button repeatedly. Now it is upgraded at least... but with all options gone...
I have the 01_03_00_03.bspatch, it's 2 years old. Will navigate through the forum to see if there are any news relative to this patch.
Thank You

There was a keygen just a few posts ago ... :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: vishay on February 21, 2024, 09:56:13 am
Hi, I need some help. I updated my oscilloscope with a patch from "trixy" (thanks), from firmware 00.01.03.03.00. All options became available and I also managed to make a self-cal without any problems. After that, I did not check the oscilloscope and used it extremely rarely, measuring signals mainly up to 1 MHz. Next, with the built-in generator, I set a rectangular pulse with a maximum frequency of 15 MHz and saw the following picture (is this such a bad oscillator or an oscilloscope channel ? An oscilloscope with a frequency of 350 MHz cannot normally display a 15 MHz rectangle ?). Yesterday I tried to do auto-calibration and it stops at 6% giving an error. Today I turned on the oscilloscope again and turned on self-cal 30 minutes later (and it's a miracle) it was completed successfully. I repeated the test again with the measurement of the rectangular signal, but the picture did not change, the signal was also strongly distorted. Can anyone tell if this is normal or not? What could be the problem? Can anyone do the same experiment?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 21, 2024, 11:21:45 am
It is correct.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: macboy on February 21, 2024, 01:11:27 pm
Vishay,
What you see is normal. The deficiency is with the generator, it can't produce the very high frequencies needed for fast edges. If you want to see the real limit of the scope, then you need a signal with very fast edges. Search the forum for Leo Bodnar Pulser for an example of a device.

The manual clearly states to warm up the scope before starting the auto cal, so that failure was expected as well.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: JCS666 on February 21, 2024, 04:02:32 pm
Or this https://tinyurl.com/2aaek95c
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ivonenand on February 27, 2024, 08:29:10 pm
Hi Guys,
I just updated my 5074 to 01.03.03.00 and patched it. I now have all options, including the deep memory option (2RL, 200Mpts Deep Memory Option). For some reason though, I don't think I'm actually getting this option. The most I see in the horizontal division is 20-25Mpts, with only CH 1 enabled. For example:

10ms/div, 200MSa/s, 20Mpts
5ms/div, 500MSa/s, 25Mpts
2ms/div 1GSa/s, 20Mpts

Is this normal? Shouldn't I be getting 200Mpts?

Regards,
Ivo
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: skander36 on February 27, 2024, 08:38:11 pm
There is the 200 M option in the acquire menu?

LE - If you leave it on Auto, the scope will allocate only the right amount of memory. You can force using all memory by choosing manually the value.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gbix on February 29, 2024, 04:30:19 pm
I was able to parse sysvendor.bin

The block with the model has additional fields

Does anyone know what these fields are?
Can anyone post their sysvendor.bin file for statistics?

thx!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on February 29, 2024, 09:58:34 pm
Does anyone know what these fields are?
Can anyone post their sysvendor.bin file for statistics?

Here's a full parsing example.

You can't parse another guy's sysvendor.bin without knowing its own XXTEA key.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gbix on February 29, 2024, 11:38:32 pm
Does each device have a unique key?

Do you have a link to this project? Maybe it's a project by @DrMefistO?
I seem to have missed this one))) The example is incomplete. There is also data after the model number, serial number and mac address.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on March 01, 2024, 02:52:01 pm
Hi,

As I saw during RE, firmware only uses FRAM to load a key, and doesn't use sysvendor.bin, as before. Or I haven't found that. By the way, I tried to patch sysvendor.bin previously, but the oscillo doesn't load it from there.
SCPI commands don't allow to change FRAM, I haven't found any available command for that.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gbix on March 01, 2024, 03:31:51 pm
Hi,

As I saw during RE, firmware only uses FRAM to load a key, and doesn't use sysvendor.bin, as before. Or I haven't found that. By the way, I tried to patch sysvendor.bin previously, but the oscillo doesn't load it from there.
SCPI commands don't allow to change FRAM, I haven't found any available command for that.

Did you try a USB drive with the crypted key "RIGOL TECHNOLOGIES,DS1000Z,SPARROW,201212" for SCPI commands, as for some other models?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 01, 2024, 07:57:57 pm
An example of parsing for a FRAM beginning (all "fields" are stored in FRAM):

Code: [Select]
00000000 BLOCK0 CRC32
00000004        BLOCK0 size
00000008        BLOCK0 data (0084 - 132 bytes)  Practically all zeros  (0x13 - maybe "Boot times")

00000100        BLOCK1 size + checksum            option:       checksum:     datasize:     checksum:     CRC32:        data:
00000108        Key.dat                           A0 11 00 00 | 60 EE FF FF | 94 00 00 00 | 6C FF FF FF | 1F 37 29 92 | Key.dat
000001B0        lic_COMP  + timer + fail counter  8A 11 00 00 | 76 EE FF FF | 04 00 00 00 | FC FF FF FF | C7 05 DB E7 | 4A 00 02 00
000001C8        lic_EMBD  + timer + fail counter  8B 11 00 00 | 75 EE FF FF | 04 00 00 00 | FC FF FF FF | C7 05 DB E7 | 4A 00 02 00
000001E0        lic_AUTO  + timer + fail counter  8C 11 00 00 | 74 EE FF FF | 04 00 00 00 | FC FF FF FF | C7 05 DB E7 | 4A 00 02 00
000001F8        lic_FLEX  + timer + fail counter  8E 11 00 00 | 72 EE FF FF | 04 00 00 00 | FC FF FF FF | C7 05 DB E7 | 4A 00 02 00
00000210        lic_AUDIO + timer + fail counter  8D 11 00 00 | 73 EE FF FF | 04 00 00 00 | FC FF FF FF | C7 05 DB E7 | 4A 00 02 00
00000228        lic_AERO  + timer + fail counter  90 11 00 00 | 70 EE FF FF | 04 00 00 00 | FC FF FF FF | C7 05 DB E7 | 4A 00 02 00
00000240        sysvendor.bin                     40 08 00 00 | C0 F7 FF FF | 18 01 00 00 | E8 FE FF FF | 64 A2 39 9C | sysvendor.bin

00000800 BLOCK2 CRC32
00000804        BLOCK2 size
00000808        BLOCK2 data (0EC2 - 3778 bytes)  License data most certainly... (if you erase the FRAM, the scope basically recreates most of this area)

Then follow some other structures that I never considered interesting...

All of this was made 5 years ago, so only just my notes...

Regarding SCPI commands for the FRAM: they are real.

Does each device have a unique key?

... The example is incomplete. There is also data after the model number, serial number and mac address

Sure they have. The example is complete and it's similar to yours.  pm me your sysvendor and your XXTEA key and I'll prove it
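
Added example (not part of tv84's post and not his tool): a small reader for the Block1 record layout shown in the dump above, for checking that a FRAM dump is structurally intact. The two's-complement pairing of the id and size words is read off the hex rows in the post; treating the CRC32 column as zlib's CRC-32 over the data bytes, treating an id of zero as the end of the list, and all function names are assumptions.

```python
import struct
import zlib
from dataclasses import dataclass

# Header as laid out in the dump: id, check(id), size, check(size), crc32.
# All words are little-endian ("A0 11 00 00" is 0x11A0).
HDR = struct.Struct("<5I")
MASK = 0xFFFFFFFF


@dataclass
class Record:
    offset: int
    ident: int
    size: int
    data: bytes
    crc_ok: bool  # meaningful only if the CRC is zlib's CRC-32 of data (assumption)


def read_record(buf, offset):
    """Return the Record at offset, or None if the header is not self-consistent."""
    if offset + HDR.size > len(buf):
        return None
    ident, ident_chk, size, size_chk, crc = HDR.unpack_from(buf, offset)
    if ident == 0:  # assumption: zero id marks unused space
        return None
    # In every row of the dump, word + check == 0 (mod 2**32).
    if (ident + ident_chk) & MASK or (size + size_chk) & MASK:
        return None
    start = offset + HDR.size
    if start + size > len(buf):
        return None
    data = bytes(buf[start:start + size])
    return Record(offset, ident, size, data, zlib.crc32(data) == crc)


def walk(buf, offset=0):
    """Follow records back to back until one fails its header checks."""
    records = []
    while (rec := read_record(buf, offset)) is not None:
        records.append(rec)
        offset += HDR.size + rec.size
    return records


def make_record(ident, data):
    """Build a constructed record in the same layout (sample data only)."""
    size = len(data)
    return HDR.pack(ident, -ident & MASK, size, -size & MASK, zlib.crc32(data)) + data


# Two rows copied from the dump in the post (offsets 0x1B0 and 0x1C8),
# followed by one constructed record and constructed zero padding.
PAGE_ROWS = bytes.fromhex(
    "8A110000 76EEFFFF 04000000 FCFFFFFF C705DBE7 4A000200"
    "8B110000 75EEFFFF 04000000 FCFFFFFF C705DBE7 4A000200"
)
SAMPLE = PAGE_ROWS + make_record(0x1234, b"constructed payload") + bytes(16)

if __name__ == "__main__":
    for rec in walk(SAMPLE):
        print(f"+{rec.offset:#06x} id={rec.ident:#06x} size={rec.size:3d} "
              f"crc_ok={rec.crc_ok} data={rec.data.hex(' ')}")
    damaged = bytearray(SAMPLE)
    damaged[24 + 8] ^= 0x01  # flip one bit in the second record's size word
    print("records readable after damage:", len(walk(bytes(damaged))))
```

The header length (20 bytes) plus the size word also reproduces the offsets in the dump: 0x108 + 20 + 0x94 = 0x1B0, and each 4-byte license record advances by 0x18.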
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 02, 2024, 11:23:29 am
For the deviant ones that like to see how the little details go, here is a MSO5000 FRAM parsing (up to the best of my investigations in the good ol' days).

There is a Block1 with licensing, sysvendor file and key.dat and there is a Block2 composed of a bunch of zlib structures that store all the settings of the machine. I never pursued all the fieldnames inside this block, as most of them don't have any values.

I would be surprised if current DHO FRAM structures are much different from this one although, with Rigol in tha house, everything is possible...
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on March 03, 2024, 08:33:27 am
Has anyone tried to activate 500M option on our scopes?

'BW07T1', 'BW07T2', 'BW07T3' are activated by patch but the option 'BW07T5' is not
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: oliv3r on March 03, 2024, 08:53:02 am
Has anyone tried to activate 500M option on our scopes?

'BW07T1', 'BW07T2', 'BW07T3' are activated by patch but the option 'BW07T5' is not
search this thread and you will find your answer :p

For the deviant ones that like to see how the little details go, here is a MSO5000 FRAM parsing (up to the best of my investigations in the good ol' days).

There is a Block1 with licensing, sysvendor file and key.dat and there is a Block2 composed of a bunch of zlib structures that store all the settings of the machine. I never pursued all the fieldnames inside this block, as most of them don't have any values.

I would be surprised if current DHO FRAM structures are much different from this one although, with Rigol in tha house, everything is possible...

I seem to remember, one was a 'copy' of the other, but fram was leading. The scope would take sysvendor.dat if fram was corrupt/missing, but write to sysvendor when fram was modified? Or was sysvendor the 'factory-default' and never written to? It's been a while, but I'm sure it's in the leaked code :p
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on March 03, 2024, 09:08:18 am
Has anyone tried to activate 500M option on our scopes?

'BW07T1', 'BW07T2', 'BW07T3' are activated by patch but the option 'BW07T5' is not
search this thread and you will find your answer :p
This option is mentioned twice without explanation of why it would not work. There is a speculation that we have a BW limiting setting enabled in the frontend IC, maybe activating BW07T5 even partially will disable this limit.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: ebastler on March 03, 2024, 09:46:39 am
This option is mentioned twice without explanation of why it would not work. There is a speculation that we have a BW limiting setting enabled in the frontend IC, maybe activating BW07T5 even partially will disable this limit.

The option list includes options for all Rigol scopes which are based on the same software platform. But that does not imply that all options will work with all members of that scope family. The 500 MHz bandwidth option is apparently supported by the DS7000 and MSO7000 only.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 03, 2024, 10:17:52 am
This option is mentioned twice without explanation of why it would not work. There is a speculation that we have a BW limiting setting enabled in the frontend IC, maybe activating BW07T5 even partially will disable this limit.

Why do you make a question and then don't follow the answer to what you asked?

Here (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2656659/#msg2656659) with 30 seconds search.

If there was anything that could be done in HW, Rigol would easily have released the 5504 model. They had the software prepared for it.

BTW, all that analysis has been done years ago. Nothing has changed.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on March 03, 2024, 11:50:57 am
Why do you make a question and then don't follow the answer to what you asked?
I do follow. As you may have noticed, some time ago i made my measurements replacing low pass filter at ADC. This filter could explain your results even if you changed a model to 500M one. Don't you think it is worth to reconsider again?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 03, 2024, 11:57:18 am
I do follow. As you may have noticed, some time ago i made my measurements replacing low pass filter at ADC. This filter could explain your results even if you changed a model to 500M one. Don't you think it is worth to reconsider again?

How much BW you achieved? Remind me please.

But as you can read in the thread, the 470-480 MHz are available to anyone despite not having the 5504 model configured, so I guess if you open the BW a little more you don't need any other software hack.

Of course you can't go to eyes&jitter world because the machine simply doesn't have the horsepower for it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Neekeetos on March 03, 2024, 12:13:56 pm
How much BW you achieved? Remind me please.

But as you can read in the thread, the 470-480 MHz are available to anyone despite not having the 5504 model configured, so I guess if you open the BW a little more you don't need any other software hack.

Of course you can't go to eyes&jitter world because the machine simply doesn't have the horsepower for it.
I got around 100ps of rise time reduction. You can start by looking near my post, where I made my conclusions: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg5175111/#msg5175111 , there are also many actual BW measurements which are missing in your description for 500M model.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: tv84 on March 03, 2024, 12:45:31 pm
Oh, I see. And we have talked in the past...  :palm:

Well, my advice (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg5180451/#msg5180451) still stands.

Although, this is "beyond infinity" territory. Personally I don't think you can get anything more from the software. Unless you go to 7000 FW. BUT the differences should be plenty which might prove that the 7000 won't work anyway.

With FRAM and NAND backups you can test everything and, if all fails, rollback. But you'll be definitely on your own because nobody will be able to accompany you.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gbix on March 03, 2024, 01:11:56 pm
I found that the device has project mode with ssh and ftp daemon

Code: [Select]
    if ( flagInSSHDandTFTPD != 1 )
    {
      system("/usr/sbin/sshd");
      system("tcpsvd 0:21 ftpd ftpd -w /&");
      flagInSSHDandTFTPD = 1;
    }

All that remains is to find which button to launch it  :-DD
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Retired2 on March 03, 2024, 05:43:26 pm
Hi,
I have just received a MSO5354 and would like to unlock the “options”.
I received and it is 00.01.03.00.03 and installed from Rigol MSO5000 01.03.03.00 
Firmware: 00.01.03.03.00 Hardware: 01.01.000 Boot: 2018.6.27 Build 2023-02-22

I am using a Windows 11 OS. I used Putty on a Windows Vista connected directly to the RJ45 of each unit. I got into the Rigol web page OK.

I need some help with this.

I have read many of the posts and the one I am using is the post on page 105 Reply #2604 on September 14, 2023. I backed up NAND and FRAM –ok.
I installed SSH, removed the pendrive and installed the patch with the gel file, patch.txt and bspatch. Then I got the results below and pressed any key the unit rebooted -- ignoring the gel file as the file has the wrong checksum.
 
I am not sure what I am doing wrong as this fix worked for others.
Can anyone offer suggestions?
Thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: Retired2 on March 03, 2024, 06:44:08 pm
My mistake, sorry.
I said "I used Putty on a Windows Vista connected directly to the RJ45 of each unit. I got into the Rigol web page OK."
What I should have said is that I connected to the Rigol web page with the RJ45 on Vista. I used Putty to do an SSH connection but got blank results, no command lines. So no real results.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gbix on March 03, 2024, 08:20:29 pm
you used wrong patch
fw version is 01.03.03.00, but patch is for 01.03.02.02

you must downgrade fw or use patch for your fw

Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: seronday on March 03, 2024, 10:06:54 pm
I found that the device has project mode with ssh and ftp daemon

Code: [Select]
    if ( flagInSSHDandTFTPD != 1 )
    {
      system("/usr/sbin/sshd");
      system("tcpsvd 0:21 ftpd ftpd -w /&");
      flagInSSHDandTFTPD = 1;
    }

All that remains is to find which button to launch it  :-DD

See  Reply #2307
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: gbix on March 03, 2024, 11:06:46 pm
I found that the device has project mode with ssh and ftp daemon

Code: [Select]
    if ( flagInSSHDandTFTPD != 1 )
    {
      system("/usr/sbin/sshd");
      system("tcpsvd 0:21 ftpd ftpd -w /&");
      flagInSSHDandTFTPD = 1;
    }

All that remains is to find which button to launch it  :-DD

See  Reply #2307

It's only for the calibration menu, not for ssh
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: mabl on March 04, 2024, 05:20:08 am
It's the project mode. See #2308.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on March 04, 2024, 09:55:29 pm
For those, who asked: this is a new version of rigol_kg.py. Now it can activate MSO5072, enable SSH or uninstall all options.

Code: [Select]
usage: rigol_kg2.py [-h] [-i] [-r] [-u] [-s] ip_addr

positional arguments:
  ip_addr          Rigol MSO5072/MSO5074 IP-address

options:
  -h, --help       show this help message and exit
  -i, --info       Print options status, model and serial then exit
  -r, --regen      Regenerate private key
  -u, --uninstall  Uninstall all options
  -s, --ssh        Activate SSH
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: The Doktor on March 04, 2024, 11:42:16 pm
What version of Python does this use? When I tried to run it, a window flashes up very quickly, and then disappears.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thm_w on March 05, 2024, 01:54:43 am
What version of Python does this use? When I tried to run it, a window flashes up very quickly, and then disappears.

Never run random python scripts without looking at them and understanding what they do.
Use powershell or similar to run the script and view its output: https://realpython.com/run-python-scripts/
"py .\rigol_kg2.py"

It will probably complain about a module you don't have installed.
"py -m pip install requests"
etc.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: zauberpilz on March 10, 2024, 02:03:53 am
I'm sorry to disappoint you, but the keygen still doesn't work. 2RL and the bandwidth options are not activated for me. The other options are activated by the BND bundle. With the patch it is no problem to unlock the other options.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on March 10, 2024, 05:40:53 pm
Try to uninstall all options first, wait for reboot, then install with regen private key flag.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: zauberpilz on March 10, 2024, 11:33:25 pm
Does not work too. I also noticed that the display shows "remaining attempts" while attempting to activate. My original BND license can no longer be used, which is why I will always have to rely on the one working patch for an update. "good job"  :palm:

Hmmm, ok. I just noticed that your script saves the priv.pem on the PC. But how can I restore this now?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on March 11, 2024, 05:27:38 am
priv.pem is not a backup from the rigol. It's just your own private key for the generation process, like you're the rigol guy itself. Wrote you in pm.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: zauberpilz on March 11, 2024, 02:13:57 pm
Excellent! Thanks to your short help, everything is now permanently activated. Even after a firmware update. This time it wasn't meant to be sarcastic

GOOD JOB! ;D
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: bulba99 on March 11, 2024, 02:47:54 pm
Excellent! Thanks to your short help, everything is now permanently activated. Even after a firmware update. This time it wasn't meant to be sarcastic

GOOD JOB! ;D

What was causing the problem?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: reztek on March 11, 2024, 09:01:30 pm
No matter if I run the script on a Windows or Linux machine, and what options I use, I always get this:

Code: [Select]
Traceback (most recent call last):
  File "C:\Users\myuser\Downloads\rigol_kg2.py", line 431, in <module>
    main()
  File "C:\Users\myuser\Downloads\rigol_kg2.py", line 380, in main
    model, ser = read_rigol_model_serial(args.ip_addr)
    ^^^^^^^^^^
TypeError: cannot unpack non-iterable NoneType object
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on March 12, 2024, 10:40:07 am
No matter if I run the script on a Windows or Linux machine, and what options I use, I always get this:

Code: [Select]
Traceback (most recent call last):
  File "C:\Users\myuser\Downloads\rigol_kg2.py", line 431, in <module>
    main()
  File "C:\Users\myuser\Downloads\rigol_kg2.py", line 380, in main
    model, ser = read_rigol_model_serial(args.ip_addr)
    ^^^^^^^^^^
TypeError: cannot unpack non-iterable NoneType object
Ip addr is correct? Can you ping the device?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: reztek on March 12, 2024, 02:24:33 pm
Quote
Ip addr is correct? Can you ping the device?
Yes, no problem accessing the device whatsoever.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: DrMefistO on March 12, 2024, 03:54:56 pm
Can you add more details? Is that your first time running? V2 or v1 of the script, used flags?
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: reztek on March 12, 2024, 07:41:56 pm
Okay, after connecting the scope and the PC ethernet directly and using a static IP address on both, the script ran OK. Don't know what was causing the problem before, but now everything is fine. Sorry for the trouble.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: BTO on March 15, 2024, 11:52:26 pm
The latest is 01.03.03.00
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg4821650/#msg4821650
This is what I'm using now.

Me too and i updated AGESSSSS Ago
Still running on 00.01.03.03.00
all options unlocked

No real issues to speak of

IF ANYONE NEEDS HELP UPGRADING.... LET ME KNOW
i can organize to connect with you guys on zoom , i'll supply my email, all good, and show you personally.
i have all the files needed. and
- if you're a newb i can run through how to use the scope and some cool measuring stuff
- If you're not new, i can show you setup options and startup options and a few bells and whistles that i had to work out.

In any case, Let me know
EDIT : Actually, i just remembered, This forum doesn't Auto update me when a new post is created .
so, Here is my email address

support@btotechnicalexperts.com.au
BE SURE TO MENTION YOUR NAME AND THAT YOU NEED YOUR RIGOL SCOPE UPDATED (i get a lot of spam) if the subject is not clear, i'll delete it.
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: w.v.s. on March 16, 2024, 07:40:09 am
EDIT : Actually, i just remembered, This forum doesn't Auto update me when a new post is created .

There is a notify button. It basically works, but sometimes I don't receive notifications on changes.
Have a nice weekend, everyone!
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thorstormlord on March 23, 2024, 08:14:11 pm
does anyone know if this still works?

thanks
Title: Re: Hacking the Rigol MSO5000 series oscilloscopes
Post by: thorstormlord on March 23, 2024, 09:40:54 pm
Hi guys, I upgraded my oscilloscope perfectly well and smooth. I made a guide to help all the users to get through the upgrade process.

I hope you can find it useful and of course, any suggestion to improve the guide will be very welcome.

https://www.mediafire.com/folder/zh1uiu3umgoai/Documents

I uploaded to mediafire because I can't share them here. The firmware.rar files contains all the files needed to work with the guide. The Word file is the guide with images.

Thanks a lot!!!!



thanks to Faktorqm and his files my 5104 is now superpowered.. thanks to all