Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 382195 times)


Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #400 on: December 28, 2018, 07:49:03 am »
Can we patch the update script so that it thinks that it is at least the same version?
I would assume so; we can re-crypt it with cfger, I believe, and they can't/shouldn't change the keys easily, as they'd want the 'new' keys to still be accepted by old scopes.
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #401 on: December 28, 2018, 07:49:43 am »
Anyone tried logging in with firmware version 00.01.01.02.04? Build: 2018-11-09 19:49:21

I ordered the MSO5074 after reading about the "hack" on Hackaday. Received it an hour ago, but can't log in over the LAN interface & SSH...

Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
I wonder where they are getting it from ... Or even more importantly, if they are telling their users to upgrade; where should we get it from?
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 12155
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #402 on: December 28, 2018, 08:17:01 am »
Same here. The distributor thought it was a nice thing to update the firmware before shipping.  |O
I wonder where they are getting it from ...

Same place they get the 'scopes they're selling....
 

Offline TrickTronic

  • Contributor
  • Posts: 13
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #403 on: December 28, 2018, 08:32:46 am »
CONFIRMATION

Hey Guys! Thx a million times you crafty geniuses!!  ;D :-+ :-+ :-+

Type: MSO5074
Firmware: 00.01.01.02.04

Successful SSH Login via Putty:
USR: root
PWD: Rigol201


I followed the instructions from @TopLoser:
##################################
Download and install PuTTY on your PC
On your scope find its IP address by UTILITY, IO, LAN
Run PuTTY and connect using that IP address and SSH with port 22
Login as ‘root’ password ‘root’
Enter ‘cd /rigol/shell’
Enter ‘vi start.sh’

Change line 82 to read:
‘/rigol/appEntry  $PowerOn -run -fullopt &’

Google vi commands to find out how to insert text into the file
Basically press ‘i’ to enter edit mode then move cursor, insert text and then ESC to exit edit mode.

Save the file and quit ‘:wq’

Reboot.
##################################

Rock on guys! Great work!
 
The following users thanked this post: nugglix
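
A scripted version of the start.sh edit described above, added here as an example; it is not part of the thread and not Rigol's own code. Instead of trusting that the launch line is still line 82 (which only holds for the firmware the post was written against), it matches the line by content, assuming it reads like the quoted one minus `-fullopt` (`/rigol/appEntry  $PowerOn -run &`), refuses to touch a file where it cannot find exactly one such line, keeps a backup so the change can be reviewed with `diff start.sh.orig start.sh` before rebooting, and is safe to run twice. The backup name `start.sh.orig` is this example's choice.

```shell
#!/bin/sh
# Added example: patch the appEntry launch line in /rigol/shell/start.sh to
# add -fullopt, as the manual vi edit in the post does, but idempotently,
# by content rather than by line number, and with a backup.
# Assumption: the unpatched line looks like
#   /rigol/appEntry  $PowerOn -run &
# A firmware that has moved or reworded that line is reported, not guessed at.

# patch_fullopt FILE  -> 0 patched or already patched, 1 refused, 2 no file
patch_fullopt() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }

    # Already patched: nothing to do (safe to re-run, e.g. after checking a
    # firmware update did not revert it).
    if grep -q '/rigol/appEntry.*-fullopt' "$f"; then
        echo "already patched: $f"
        return 0
    fi

    # Exactly one launch line must match; refuse to edit anything else.
    n=$(grep -c '^[[:space:]]*/rigol/appEntry[[:space:]].*-run[[:space:]]*&' "$f" || :)
    if [ "$n" -ne 1 ]; then
        echo "expected one appEntry launch line, found $n; not patching $f" >&2
        return 1
    fi

    # Keep the original; write the patched copy from it, so a failed sed
    # never leaves a half-written start.sh (a broken start.sh bricks the UI).
    cp "$f" "$f.orig" || return 1
    sed 's|^\([[:space:]]*/rigol/appEntry[[:space:]].*-run\)\([[:space:]]*&\)|\1 -fullopt\2|' \
        "$f.orig" > "$f" || return 1
    echo "patched $f (backup in $f.orig)"
}
```

Run it on the scope over the same SSH session the post uses (`patch_fullopt /rigol/shell/start.sh`), inspect the diff against the backup, then reboot.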

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 12155
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #404 on: December 28, 2018, 09:09:53 am »
What's "wifi.sh"?  :popcorn:

(and "send_mail.sh"...do these things send email?)
 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7325
  • Country: 00
  • +++ ATH1
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #405 on: December 28, 2018, 09:29:44 am »
Noob question, assuming Rigol does not want to screw up existing early buyers/adopters for future firmware upgrades, also with assumption there will be no major hardware change/revision for newly produced scopes.

With the current state of hacks done, will they be able to lock this opening permanently if they want to, through newer firmware "only"?

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #406 on: December 28, 2018, 09:43:22 am »
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
20 minutes with hashcat on a Radeon HD 7900 -> Rigol201  :-DD

For those interested: researching this took longer than 20 mins ;-) Linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. I copied the hash part into a file (rigol.hash) and here's the command I used for hashcat:
Code:
hashcat64.exe -a 3 -m 1500 rigol.hash

I'm surprised that it took you that long; this looks like a very weak password :) I wonder how long it would have taken John the Ripper without GPU acceleration...
So John automatically detects the password type and everything and starts right away. The 8 chars of the password just happen to fit inside John's default 8 chars, so that's lucky :). Now on a single-threaded i7 it's taking its sweet time. After 1h30 I am not waiting on it anymore (but will let it run its course out of curiosity).
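
An added example (not from the thread) that applies the reasoning in the post above to whole passwd-style files: the 13-character field with no `$` is traditional DES crypt(3), which keeps only the first 8 password characters, and hashcat mode 1500 is the one the post used for it. The function classifies each account's password field by its crypt(3) prefix and length, reports the hashcat mode where one is listed here, and also flags the two cases that matter more than a weak hash when auditing a box like this: an empty field (login with no password at all) and a locked account. The sample entries in the usage are constructed except for the root line quoted above; scheme names and mode numbers are hashcat's.

```shell
#!/bin/sh
# Added example: classify the password field of /etc/passwd or /etc/shadow
# entries by crypt(3) scheme, the way the post identified DES crypt
# (13 chars from [./0-9A-Za-z], no '$'), and flag empty/locked fields.

# classify_hash HASHFIELD -> "<scheme> <hashcat-mode-or-none> <note>"
classify_hash() {
    h="$1"
    case "$h" in
        "")      echo "empty none login without a password" ;;
        '*'|'!'|'!!'|'!*'|'*LK*')
                 echo "locked none no password login" ;;
        '$1$'*)  echo "md5crypt 500 weak; salted but fast to brute-force" ;;
        '$5$'*)  echo "sha256crypt 7400 acceptable" ;;
        '$6$'*)  echo "sha512crypt 1800 acceptable" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)
                 echo "bcrypt 3200 good" ;;
        '$y$'*)  echo "yescrypt none good (no mode listed here)" ;;
        *)
            # Traditional DES crypt: exactly 13 chars from the crypt alphabet;
            # the first two are the salt, only 8 password chars are used.
            if [ "${#h}" -eq 13 ] && printf '%s' "$h" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                salt=$(printf '%s' "$h" | cut -c1-2)
                echo "descrypt 1500 2-char salt '$salt', only first 8 password chars count"
            else
                echo "unknown none unrecognised format"
            fi
            ;;
    esac
}

# audit_passwd FILE -> one line per account: "user scheme mode note"
# Field 2 is the password field ('x' means the hash lives in /etc/shadow,
# which has the same layout and can be fed to this function directly).
audit_passwd() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        if [ "$pw" = "x" ]; then
            echo "$user shadowed none see /etc/shadow"
        else
            echo "$user $(classify_hash "$pw")"
        fi
    done < "$1"
}
```

On the scope, `audit_passwd /etc/passwd` over the SSH session lists every account and which of them a 20-minute GPU run would reach; the mode column is what goes after `-m` in the hashcat command the post shows.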
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 59
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #407 on: December 28, 2018, 09:55:23 am »
With the current state of hacks done, will they be able to lock this opening permanently if they want to, through newer firmware "only"?
It’s hard to say if it is impossible to open future firmware updates, but a lot of knowledge has been collected in the meantime, which makes it easier for us. But as we learn from their changes, they will learn from our hacks, and there is a possibility that a future version is not hackable and you’re stuck at a specific version if you don’t want to give up fullopt.
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #408 on: December 28, 2018, 09:59:23 am »
What's "wifi.sh"?  :popcorn:

(and "send_mail.sh"...do these things send email?)
Yes, there are a few supported wifi modules (not sure if there is a UI element to configure them, however).
The following drivers + firmwares are installed:
rtl8192cufw_A.bin  rtl8192cufw_B.bin  rtl8192cufw.bin  rtl8192cufw_TMSC.bin  rtl8812aufw.bin
So those wifi modules should work out of the box.

And yes, these can in theory send e-mails :)
« Last Edit: December 28, 2018, 10:02:01 am by oliv3r »
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #409 on: December 28, 2018, 10:00:59 am »
Noob question, assuming Rigol does not want to screw up existing early buyers/adopters for future firmware upgrades, also with assumption there will be no major hardware change/revision for newly produced scopes.

With the current state of hacks done, will they be able to lock this opening permanently if they want to, through newer firmware "only"?
Yes, remote access they can. But best keep quiet so we don't give them ideas.

Ultimately however, with a screwdriver and other tools you can still bypass that; but even that's lockable.

In the end however, they will need to be able to do firmware updates themselves as well ...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2123
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #410 on: December 28, 2018, 11:50:43 am »
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1913
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #411 on: December 28, 2018, 11:54:17 am »
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 20927
  • Country: nl
    • NCT Developments
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #412 on: December 28, 2018, 12:30:09 pm »
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??
Some oscilloscopes can send an e-mail as part of a data logging feature. If a trigger occurs, an e-mail notice will be sent (and in some cases it is also possible to have a screendump or data sent as an attachment).
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #413 on: December 28, 2018, 01:17:15 pm »
 :-+
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #414 on: December 28, 2018, 01:56:26 pm »
:-+
I wonder if you'd notice this thread :)
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 3514
  • Country: hr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #415 on: December 28, 2018, 02:14:35 pm »
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

Keysight 3000T can E-mail anything that it can save to USB file....
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2827
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #416 on: December 28, 2018, 02:42:22 pm »
It will be placed on an isolated VLAN, with no internet access, and not attached to anything that's important. Given the poor security posture that Rigol takes, these become a real possibility for a security breach.
On a quest to find increasingly complicated ways to blink things
 

Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 4676
  • Country: au
  • Question Everything... Except This Statement
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #417 on: December 28, 2018, 02:49:16 pm »
You can run an email server on a VLAN if you need the functionality....
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 12155
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #418 on: December 28, 2018, 02:55:49 pm »
It will be placed on an isolated VLAN, with no internet access, and not attached to anything that's important. Given the poor security posture that Rigol takes, these become a real possibility for a security breach.

Maybe that's the reason they changed the password, not to stop hacking.

If they were after security they'd have used a longer hash function.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2123
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #419 on: December 28, 2018, 03:04:13 pm »
Some oscilloscopes can send an e-mail as part of a data logging feature. If a trigger occurs, an e-mail notice will be sent (and in some cases it is also possible to have a screendump or data sent as an attachment).

Sorry for my ignorance in these modern features.  :-[

But the other day I saw so many worries about the fact that the Siglent WiFi key wouldn't allow 63 chars, and now I see scopes having the explicit capability of sending mails.... and everyone thinks that's a normal thing.

Well, life is good.
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1913
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #420 on: December 28, 2018, 03:14:45 pm »
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD
 
The following users thanked this post: tv84

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #421 on: December 28, 2018, 05:51:42 pm »
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD

So that's why I need that touchscreen! :p

While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug in, bam, problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc.) but don't want it to poke at the internet ... without firewalling or network isolation, the scope just became a ... god knows what.
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1913
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #422 on: December 28, 2018, 05:56:55 pm »
And yes, these can in theory send e-mails :)

I had seen that and it seems very complete.

Which raises the questions:

Why would one need to have a mail client in a scope? Does ET need to phone home??

You need to read the terms and conditions and small print on the online update screen....

"The system will COLLECT and JUDGE the following information"
"The working state of the key components and user defined function"

 :-DD

So that's why I need that touchscreen! :p

While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug in, bam, problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc.) but don't want it to poke at the internet ... without firewalling or network isolation, the scope just became a ... god knows what.

Yes, they can check any installed licence keys (if a keygen becomes available) against a list of official paid-for keys... and disable them! The owner can obviously reinstall them, unless Rigol nukes your scope remotely for being a bad boy!
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2123
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #423 on: December 28, 2018, 06:02:48 pm »
We'll have to add "remove email client" to the to-do list...

BTW, does it have a camera?   :-DD
 

Offline orion242

  • Supporter
  • ****
  • Posts: 745
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #424 on: December 28, 2018, 06:38:46 pm »
While I would not trust them to connect to the internet, it is so easy and happens before you know it; plug in, bam, problems. So if you are not tech-savvy, and do want to locally connect to your scope (ds-remote, lsi tools etc.) but don't want it to poke at the internet ... without firewalling or network isolation, the scope just became a ... god knows what.

Next batch of zombies in the Mirai botnet with root/root as the login. VLAN it off with the rest of the untrusted crap in its own little safe space.
 

