Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 901299 times)

0 Members and 6 Guests are viewing this topic.

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #500 on: January 02, 2019, 09:36:15 am »
Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
It would be impressive if it was verified.  What is impressive is olivers repo,  and tv84s infomation. This is the internet, been around way too long and am probably very cynical, but seen lots of claims of things, and have learned until you can actually verify things,  you can't put much weight on them.
On a quest to find increasingly complicated ways to blink things
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #501 on: January 02, 2019, 09:47:33 am »
Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
It would be impressive if it was verified.  What is impressive is olivers repo,  and tv84s infomation. This is the internet, been around way too long and am probably very cynical, but seen lots of claims of things, and have learned until you can actually verify things,  you can't put much weight on them.
Thanks :) Just dropping a nother note here however, it is all WiP and any damages to your scope are not my responsibility nor fault. Can't iterate this often enough, as I have not tested everything very well yet (the scripts on the scope) as I do not have one yet :)

What I really want at some point however is (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect too :p

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #502 on: January 02, 2019, 10:01:26 am »
What I really want at some point however is (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect too :p

This might be a job for an Xray inspection?   Not sure how many layers the PCB is of course.. 
On a quest to find increasingly complicated ways to blink things
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #503 on: January 02, 2019, 10:12:15 am »
If you want to see something funny, try this:
Connect generator 1 to CH1, enable and change to square. Manually enter 999kHz as frequency then observe the waveform change when increasing to 1MHz.
Not worth 269$.

Interesting watch.... changed the frequency halfway through and some nasty jitter disappeared
https://www.dropbox.com/s/93mhrk51i9q0ubh/IMG_7637.MOV?dl=0
« Last Edit: January 02, 2019, 10:25:59 am by TopLoser »
 

Offline bmx

  • Contributor
  • Posts: 30
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #504 on: January 02, 2019, 10:56:57 am »
We should start a new thread for those numerous bugs.

I have quite a few:
- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

and some severe ones
- CH1, probe to ground: never read 0V, but depends on vertical scale:
acquisition Normal
  10V  ~10V
   5V   ~ 8V
   2V   ~ 5V
   1V   ~ 1V
500mV ~ 1.3V
200mV ~ 280mV
100mV ~ 320mV
 50mV  ~ -20mV
 20mV  ~ 4mV
 10mV  ~ 12mV
  5mV   ~ 15mV
  2mV   ~ out of scale
  1mV   ~ out of scale

- CH1: the thickness of the trace is almost 1 scale large
  CH1+CH2: the thickness is divided by 2
that's almost impossible to read a value.

And I have a lot more.  :-BROKE
 
The following users thanked this post: mrpackethead

Offline justanothername

  • Regular Contributor
  • *
  • Posts: 143
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #505 on: January 02, 2019, 11:10:35 am »

- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

- CH1, probe to ground: never read 0V, but depends on vertical scale:


Generator Knob behaves like this only when decrasing from like 1MHz to sub 1Mhz (or 1kHz to Hz).
This is because the increments above 1Mhz are in 10kHz steps and the first decrement therefore is as well. If you are then in the kHz-range the decrements are 1kHz. I don't think this is a bug.

For your CH1 problem, this does not happen on my scope, probe to GND always reads 0V (more or less).

Also you have to adjust the scale of the math channel, this normally would be the larger scale setting of the two channels (when operation A+B is chosen).
« Last Edit: January 02, 2019, 11:14:46 am by justanothername »
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #506 on: January 02, 2019, 12:14:49 pm »
What I really want at some point however is (broken scope anyone :D) is to desolder all parts and 'sand down' the PCB with pictures, as I want to know where all the ZYNQ pins connect too :p

This might be a job for an Xray inspection?   Not sure how many layers the PCB is of course..
Well its worth a try sure; but it's a 4 or probably 6 layer board, with chips ontop. So it can give you an indication, very roughly. Best way is to just the PCB down layer for layer and scan the PCB.

But first a scope needs to break  >:D  or we raid the PCB factory's trash-bin where they dump broken PCB's  :-DD

Online TurboTom

  • Super Contributor
  • ***
  • Posts: 1388
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #507 on: January 02, 2019, 12:37:28 pm »
Well its worth a try sure; but it's a 4 or probably 6 layer board, with chips ontop. So it can give you an indication, very roughly. Best way is to just the PCB down layer for layer and scan the PCB.

But first a scope needs to break  >:D  or we raid the PCB factory's trash-bin where they dump broken PCB's  :-DD

Access to an industrial X-ray tomography machine anyone? That should do the trick non-destructively.
 

Offline bmx

  • Contributor
  • Posts: 30
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #508 on: January 02, 2019, 01:04:30 pm »

- Generator, the knob to change the frequency: turn left -> -10 , turn right +1

- CH1, probe to ground: never read 0V, but depends on vertical scale:


Generator Knob behaves like this only when decrasing from like 1MHz to sub 1Mhz (or 1kHz to Hz).
This is because the increments above 1Mhz are in 10kHz steps and the first decrement therefore is as well. If you are then in the kHz-range the decrements are 1kHz. I don't think this is a bug.

For your CH1 problem, this does not happen on my scope, probe to GND always reads 0V (more or less).

Also you have to adjust the scale of the math channel, this normally would be the larger scale setting of the two channels (when operation A+B is chosen).

I took my old trusted DS1052E, connected MSO5.CH1 to DS1052E.TestSignal:
 (RigolDS1.png)
1V offset from ground.
(exact same behaviour as the MSO5.TestSignal)

I then plugged DS1052E.CH1 to MSO5.TestSignal:
 (NewFile0.bmp)
The test signal is perfect, ground aligned.

When I unplug every channel on the MSO, no one goes to gnd.
 (RigolDS0.png)

And with the math(A+B), it just confirms the numbers, the crap B is reading.
 (rigolDS2.png)

I really don't understand what's going on, bad scope?
 

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #509 on: January 02, 2019, 01:09:10 pm »
Did you use the same probe in both scopes?
 

Offline bmx

  • Contributor
  • Posts: 30
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #510 on: January 02, 2019, 01:13:05 pm »
yes, even swapped every probes (2x100MHz, 4x350MHz), always the same result.

[edit] I'm now running the self cal procedure (manual didn't ask that, but meh, let's see)
« Last Edit: January 02, 2019, 01:21:04 pm by bmx »
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28136
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #511 on: January 02, 2019, 01:23:05 pm »
I'm now running the self cal procedure
Please record how long it takes.
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline bmx

  • Contributor
  • Posts: 30
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #512 on: January 02, 2019, 01:49:37 pm »
Much better after a self cal.

All channels properly aligned on gnd now.

It took almost one hour.
 

Offline rgwan

  • Contributor
  • Posts: 24
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #513 on: January 02, 2019, 02:03:49 pm »
That's pretty embarrassing, self-cal won't work, it still produces that overshoot on measuring the 1khz square wave signal. Not only my scope like that, but we also have about four scopes have the same problem, this 4 scope contains one scope that is currently not patched. The not patched scope has the same behavior.
« Last Edit: January 02, 2019, 02:06:25 pm by rgwan »
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #514 on: January 02, 2019, 02:21:51 pm »
Are you using the probe in x1 oder x10 config? I can see a little overshoot in x1 mode but it can be perfectly flattened in x10.
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #515 on: January 02, 2019, 02:38:16 pm »
That's pretty embarrassing, self-cal won't work
Have you disconnected all probes from the inputs before running self-cal?
 

Offline rgwan

  • Contributor
  • Posts: 24
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #516 on: January 02, 2019, 02:55:02 pm »
I disconnected all input, absolutely.
 

Offline rgwan

  • Contributor
  • Posts: 24
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #517 on: January 02, 2019, 02:57:11 pm »
That is no difference between x10 and x1. No matter how you adjust the probe, the little overshoot won't disappear.
 

Offline bmx

  • Contributor
  • Posts: 30
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #518 on: January 02, 2019, 03:19:08 pm »
And now, average(64) + fine + aliasing does something : a very fine trace (1px). To All: Do run a self cal.
 

Offline Vtech

  • Regular Contributor
  • *
  • Posts: 58
  • Country: pl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #519 on: January 02, 2019, 04:38:55 pm »
Coming back to the logic probe pod, I've created separate thread with teardown photos of RPL1116 pod for MSO1000Z series. It seems to be very similar to PLA2216  for MSO5000.
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2085451/#msg2085451

Not too difficult to replicate.
 
The following users thanked this post: Swap_File, bmx

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #520 on: January 02, 2019, 04:55:42 pm »
TopLoser is playing with Photoshop...
 
The following users thanked this post: thm_w, supercilious, sparkv

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #521 on: January 02, 2019, 04:58:58 pm »
We should start a new thread for those numerous bugs.

So we did.  Here you go.  Bugs away!

https://www.eevblog.com/forum/testgear/rigol-5000-bugs/
On a quest to find increasingly complicated ways to blink things
 
The following users thanked this post: TopLoser

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #522 on: January 02, 2019, 05:10:11 pm »
TopLoser is playing with Photoshop...

That's a 4 or 6 layer board with the big heatsink still attached to the zynq.

Just for laughs I stitched 9 images together, some detail gets lost where they overlap, but it's better than nothing.

https://www.dropbox.com/s/aq11wb21pueidod/MSO5074%20big%20xray.zip?dl=0
 
The following users thanked this post: FireBird, _Wim_

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #523 on: January 02, 2019, 06:32:27 pm »
Coming back to the logic probe pod, I've created separate thread with teardown photos of RPL1116 pod for MSO1000Z series. It seems to be very similar to PLA2216  for MSO5000.
https://www.eevblog.com/forum/testgear/rpl1116-active-logic-probe-pod-for-1000z-series-teardown/msg2085451/#msg2085451

Not too difficult to replicate.
Considering they also use the LMH7322 I think they are identical (in the schematic form) on page 6? TopLoser took some xray foto's. But yes, lets keep the conversation focused in your thread instead.

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #524 on: January 02, 2019, 06:33:41 pm »
We should start a new thread for those numerous bugs.

So we did.  Here you go.  Bugs away!

https://www.eevblog.com/forum/testgear/rigol-5000-bugs/
awesome great idea; we can talk about hacking here then :)


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf