Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 384201 times)


Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #550 on: January 07, 2019, 07:13:37 am »
Does anybody know where the scope stores configuration settings?

I've tried altering stuff like the email configuration and then looked for modified files using: find / -type f -mmin -1 but I did not find any files with interesting content, so it seems there's no simple config file that stores the settings.

There are two 16 MB QSPI flashes and an 8 KB I2C FRAM EEPROM. There are likely some (unique) configuration options in one of these.
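One way to make the "change a setting, then look for what changed" search more robust than an mtime-only `find`: diff content hashes before and after the change, and hash raw partitions too, since settings kept in QSPI flash or an EEPROM are not files. This is an added example (not the poster's commands); the device names are assumptions, and the demo runs on a constructed fake root.

```shell
#!/bin/sh
# Added example: locate where a device persists a setting by diffing content
# hashes before and after the change. An mtime-only search (find -mmin -1)
# misses files rewritten with their timestamp preserved and raw partitions that
# are not files; hashing a partition dump with snapshot_raw covers the latter.
# Assumes a POSIX shell with find -print0, xargs -0, sha256sum and mktemp -d.

# Hash every regular file under ROOT into OUTFILE (paths relative to ROOT).
# -type f: sockets, pipes and pseudo-files under /proc would hang or churn.
snapshot_tree() {
    root=$1; out=$2
    (cd "$root" && find . -xdev -type f -print0 | xargs -0 sha256sum) | sort -k2 > "$out"
}

# Hash raw partitions given as arguments (e.g. /dev/mtdblockN on the scope;
# that name is an assumption). Settings stored outside the filesystem only
# show up here. Unreadable or missing paths are skipped.
snapshot_raw() {
    out=$1; shift
    : > "$out"
    for dev in "$@"; do
        [ -r "$dev" ] || continue
        printf '%s  %s\n' "$(sha256sum < "$dev" | cut -d' ' -f1)" "$dev" >> "$out"
    done
}

# Report paths whose hash differs between two snapshots, plus new/removed ones.
# (Paths containing spaces would need a stricter parser than awk's default split.)
diff_snapshots() {
    before=$1; after=$2
    awk -v B="$before" '
        FILENAME == B { h[$2] = $1; next }
        { if (!($2 in h)) print "new     " $2
          else if (h[$2] != $1) print "changed " $2
          delete h[$2] }
        END { for (p in h) print "removed " p }' "$before" "$after" | sort
}

# Constructed demo: a fake root where "saving an e-mail setting" rewrites one
# config file with its original mtime restored and creates one cache file.
# Prints the hash diff; a timestamp-based search would have seen only the new file.
demo() {
    t=$(mktemp -d); root=$t/rootfs
    mkdir -p "$root/etc" "$root/var"
    printf 'smtp_host=\nsmtp_user=\n' > "$root/etc/mail.conf"
    printf 'keep\n' > "$root/etc/hostname"
    touch -r "$root/etc/mail.conf" "$t/stamp"              # remember original mtime
    snapshot_tree "$root" "$t/before"
    printf 'smtp_host=mail.example.test\nsmtp_user=scope\n' > "$root/etc/mail.conf"
    touch -r "$t/stamp" "$root/etc/mail.conf"              # timestamp-preserving rewrite
    printf 'cache\n' > "$root/var/settings.cache"
    snapshot_tree "$root" "$t/after"
    diff_snapshots "$t/before" "$t/after"
    rm -rf "$t"
}
```

On the scope itself the same two snapshots would be taken over `/` and over the flash partitions, with the setting changed in between.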
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2827
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #551 on: January 07, 2019, 08:16:29 am »


There is the very real risk that in future software updates all the 'bonus' features will disappear. Only you can decide if you want to take that risk.


For about 24-48 hours while rigolhack does its work no doubt.
On a quest to find increasingly complicated ways to blink things
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 12173
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #552 on: January 07, 2019, 11:32:12 am »
So if I bought a rigol mso5000 next week, can it then be hacked?
Sorry I am asking, it's because I am a noob and all those 22 pages of information and comments confuse me.

Don't worry, people are still asking this about the DS1054Z.

Answer: Yes!
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 12173
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #553 on: January 07, 2019, 11:35:33 am »
There is the very real risk that in future software updates all the 'bonus' features will disappear. Only you can decide if you want to take that risk.

We now know so much about the MSO5000 that whatever Rigol does will be re-hacked in a few hours.

(and nobody is *forcing* you to install updates)
« Last Edit: January 07, 2019, 02:19:47 pm by Fungus »
 

Offline rgwan

  • Contributor
  • Posts: 24
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #554 on: January 07, 2019, 11:39:04 am »
These annoying bugs will force you to install further updates.
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 12173
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #555 on: January 07, 2019, 11:44:52 am »
These annoying bugs will force you to install further updates.

The trick is not to install them two seconds after they're released.

Wait a few days until other people have done it.  :popcorn:

 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2827
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #556 on: January 07, 2019, 11:50:13 am »
These annoying bugs will force you to install further updates.

Have you relocated from China to the USA rgwan?
On a quest to find increasingly complicated ways to blink things
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2138
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #557 on: January 07, 2019, 02:11:20 pm »
We now know so much about the MSO5000 that whatever Rigol does will be re-hacked in a few hours.

(and nobody is *forcing* you to install updates)

And future-proof solutions already exist...
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 12173
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #558 on: January 07, 2019, 02:23:58 pm »
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IoT malware scanners.

 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2827
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #559 on: January 07, 2019, 06:28:06 pm »
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IoT malware scanners.

I had an interesting chat (face to face) with another eevblog member last week (who is well known and respected) about the entire rigol thing. He (and I) remain unconvinced that Rigol are deliberately making their devices 'hackable'. It's just they don't know how to secure them properly. Not surprisingly, so many 'devices' these days that are network attached are just so insecure. The IoT will be the finish of us all!
On a quest to find increasingly complicated ways to blink things
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 12173
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #560 on: January 07, 2019, 08:04:50 pm »
He (and I) remain unconvinced that Rigol are deliberately making their devices 'hackable'. It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (eg. the DS1074Z Plus)

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site.

Whatever the reasons are, it's not incompetence.
 
The following users thanked this post: theirishscion

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #561 on: January 07, 2019, 09:31:04 pm »
I'm not sure why Rigol changed the password. The new password was obviously weak and if they want to keep people out they could just disable shell access completely (there's no reason to enable it, it's not useful to anybody except hackers).

I think they just didn't want it to be root/root to avoid basic IoT malware scanners.

I had an interesting chat (face to face) with another eevblog member last week (who is well known and respected) about the entire rigol thing. He (and I) remain unconvinced that Rigol are deliberately making their devices 'hackable'. It's just they don't know how to secure them properly. Not surprisingly, so many 'devices' these days that are network attached are just so insecure. The IoT will be the finish of us all!

I tend to agree; though with the DS1054 and its predecessor I would have thought maybe they did it on purpose, as has been speculated for years now. But I have seen their firmware up close for the MSO5000 now, and what I see makes me cry horribly.
and
He (and I) remain unconvinced that Rigol are deliberately making their devices 'hackable'. It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (eg. the DS1074Z Plus)

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site.

Whatever the reasons are, it's not incompetence.
I beg to differ.
So maybe they have a mandate to make it easily hackable. Sure, I won't deny that.

But secure-boot is hard and expensive. Getting the fuses set is something (I guess) will have to be done by xilinx in the factory, which is an extra service, not cheap.

Understanding how it all works and comes together is also not for the faint of heart. So if you are 'basically skilled', this will be daunting. Also, they very much likely started from a devkit (which doesn't come with the fuses set, for obvious reasons) and designed the scope around that as a reference. Halfway down the development train, secure boot is long forgotten and you are just busy getting the damn thing to work reliably. Once you are that far, you'll be thinking twice about making a major change like that (then again, if you are incompetent, you easily would do that ;) ...)

Finally, they started development around 2013, based on all the sources I've seen so far. Back then, a) you really had to know what you were looking at/for and b) I'm sure hacking was not their main issue while doing the bring-up of the whole system. These are engineers; they care about a working system.

Again, this is just my 2 cents worth of speculation based on the extremely poor quality of software.

P.S. I wonder if these old libraries they are using will not have quite a few (remote) exploits lingering. 3.12 wasn't an LTS was it? Let alone in their application (appEntry) which runs as root and does have remote access (via lighthttp and rpc)
 

Offline rgwan

  • Contributor
  • Posts: 24
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #562 on: January 08, 2019, 01:52:37 am »
These annoying bugs will force you to install further updates.

The trick is not to install them two seconds after they're released.

Wait a few days until other people have done it.  :popcorn:

In fact, Rigol actually has some solutions to counterattack. Zynq itself has some security features, and I believe there are some hidden features (reverse engineering work by myself) in their ASICs as well. If they want to do a proper anti-hacking solution, it will be harder to hack. Btw, Rigol is a big customer of Xilinx, so...
« Last Edit: January 08, 2019, 01:56:24 am by rgwan »
 

Offline rgwan

  • Contributor
  • Posts: 24
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #563 on: January 08, 2019, 02:06:21 am »
He (and I) remain unconvinced that Rigol are deliberately making their devices 'hackable'. It's just they don't know how to secure them properly.

Complete bollocks.

Even the cheapo DS1000Z line can't be hacked easily once you get above the base model (eg. the DS1074Z Plus)

In the new 5000/7000 models? Xilinx secure boot is hardly a secret, they freely document it on their web site.

Whatever the reasons are, it's not incompetence.

From some information I got from Rigol's distributor, it is not true at all. They actually want to completely block these holes. So, watch out guys.

Btw, the unofficial new firmware claims that it was released on 9 November 2018. We started our reverse engineering around 15 November 2018. I believe that the password change is not related to hacking, but I think in the next firmware they will totally disable SSH.
 

Online asmi

  • Super Contributor
  • ***
  • Posts: 1800
  • Country: ca
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #564 on: January 08, 2019, 04:10:56 am »
But secure-boot is hard and expensive. Getting the fuses set is something (I guess) will have to be done by xilinx in the factory, which is an extra service, not cheap.
This is BS. No extra service is needed, everything can be done via JTAG just like regular programming/configuration.

Understanding how it all works and comes together is also not for the faint of heart.
Reading documentation is all it takes. But even if we suppose they are somehow too stupid to figure it out (yet somehow manage a several orders of magnitude more complicated task of designing an actual system in FPGAs), they could always enlist Xilinx FE to help them out.
I suggest you stop projecting. They clearly can read documentation, and I'm 99,(9)% sure they leave devices open on purpose.

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #565 on: January 08, 2019, 06:55:50 am »
But secure-boot is hard and expensive. Getting the fuses set is something (I guess) will have to be done by xilinx in the factory, which is an extra service, not cheap.
This is BS. No extra service is needed, everything can be done via JTAG just like regular programming/configuration.
There is no need to be cross.

But please let's remain civilized. For one, enabling the feature via the fuse is easy, sure yes. But I cannot find any indication in the manual about the secure vault (other than the graph) where the _private_ key is stored. Or how to set it. I'll agree I have not studied the manual in depth of course.

Now I know a little about how this works on Texas Instruments HS parts (High Secure), and there it's simple. Encryption is a chain of trust, and TI says 'we will program the keys securely, nobody else has access to the keys, but you need to trust us'. Trusting some factory floor employee not to leak the key is, of course, a risk.

So I would assume it works the same way here. But sure, maybe a user can program the fuses for the RSA key themselves, or maybe they can store the key in Battery Backed RAM themselves. Surely possible.

Just one problem I can imagine if the user can burn the RSA key fuses themselves: what stops you from burning ALL key fuses, effectively turning the fuse into 0xfffffff? Or worse, using JTAG to read back the fuses? So again, it would surprise me that a user (developer) gets to write into the actual vault, and I would imagine this to be left to xilinx only. Just like you do not have any access whatsoever to the BootROM (access is disabled after execution).

But please do point me to the page where they have this information; I'd love to read up on it, I do.

Understanding how it all works and comes together is also not for the faint of heart.
Reading documentation is all it takes. But even if we suppose they are somehow too stupid to figure it out (yet somehow manage a several orders of magnitude more complicated task of designing an actual system in FPGAs), they could always enlist Xilinx FE to help them out.
I suggest you stop projecting. They clearly can read documentation, and I'm 99,(9)% sure they leave devices open on purpose.
Different task, different people, different skills. They are a _hardware_ company, and while *I* feel that VHDL/Verilog programming is just a different kind of programming, it tends to be done by EEs. As such, bringing up a secure linux with a UI is not their problem.
But sure, this is only projecting and suggesting; I never claimed otherwise. But since you have inside details, please do share more. We can all learn from that.
 

Offline Daixiwen

  • Regular Contributor
  • *
  • Posts: 243
  • Country: no
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #566 on: January 08, 2019, 07:36:40 am »
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12469
  • Country: gb
    • Mike's Electric Stuff
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #567 on: January 08, 2019, 09:09:48 am »
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
I think it boils down to the Chinese mentality of making a product just good enough to ship.
Security is a very complex issue, and needs some imaginative thinking (something that is very rare in China due to the educational system) to consider and pre-empt possible entry points.
You can put the best lock in the world on the front door but that's no good if you can open a window with a screwdriver.
FPGA systems and tools are very complex, and so is Linux, and the designers need to have a far better grasp on it all to make it secure, than they do to ship a working product.
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: mrpackethead, Andrew McNamara, oliv3r

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #568 on: January 08, 2019, 09:12:44 am »
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
Of course; but the work I see is extremely sloppy and lazy and very inexperienced. Even if it is an engineer who does not dare to push back to the manager: there's quality, and there's ... well, this :)
 
The following users thanked this post: extide, Amgard

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2827
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #569 on: January 08, 2019, 09:15:17 am »
Rather than incompetence, it could just be laziness, or not enough time. The engineer just does the bare minimum that the manager asks.
The manager finds on the net that you can log in with root/root and hack the scope, he asks the engineer to fix it ASAP. 5 minutes later he tries again to log in, he gets an error message, he is happy. Everyone is happy. Problem solved.
I think it boils down to the Chinese mentality of making a product just good enough to ship.
Security is a very complex issue, and needs some imaginative thinking (something that is very rare in China due to the educational system) to consider and pre-empt possible entry points.
You can put the best lock in the world on the front door but that's no good if you can open a window with a screwdriver.
FPGA systems and tools are very complex, and so is Linux, and the designers need to have a far better grasp on it all to make it secure, than they do to ship a working product.

"working" being defined as mostly working with a few 'quirks'  :-)
On a quest to find increasingly complicated ways to blink things
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2138
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #570 on: January 08, 2019, 11:32:49 am »
I'm sure Rigol does as best as it can, and as time permits.

We must not forget that this is a tough market, and time to market is essential. If the product gains traction, they can later try to solve the problems but putting the system on the street must be one of their primary goals.

Sales can later compensate for the investment needed to pay for the correction of the flaws.

So, stop bashing Rigol people. Let them do their job and we'll continue to do our explorations.

Now, let's go back on topic:

The system is already broken and, in my opinion, beyond repair. Licensing it is perfectly possible.

 
The following users thanked this post: sparkv

Offline sparkv

  • Newbie
  • Posts: 4
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #571 on: January 08, 2019, 11:33:42 am »
Maybe I misunderstood the topic of this thread. I thought we were trying to hack the MSO5000, not advise Rigol on how to make it unhackable

:-DD
Code:
Firmware 01.01.03.05 Patch Notes:
- Incorporated all security features/approaches discussed on eevblog forums (thnx u)
 
The following users thanked this post: tv84, mrpackethead, oliv3r, Simon_RL

Online TK

  • Super Contributor
  • ***
  • Posts: 1646
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #572 on: January 08, 2019, 11:55:46 am »
Maybe I misunderstood the topic of this thread. I thought we were trying to hack the MSO5000, not advise Rigol on how to make it unhackable

:-DD
Code:
Firmware 01.01.03.05 Patch Notes:
- Incorporated all security features/approaches discussed on eevblog forums (thnx u)
EEVBLOG hacker's motto: No challenge, no fun
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1913
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #573 on: January 08, 2019, 11:56:33 am »
Somebody asked me to post a photo of my 'system information' screen.

Here it is:
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2138
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #574 on: January 08, 2019, 12:09:00 pm »
Somebody asked me to post a photo of my 'system information' screen.

Were you a beta tester???   :-DD
 
