Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 901311 times)


Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #700 on: February 01, 2019, 09:05:21 am »
I am a little concerned that Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.
The firmware with the new password is rather old and was released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.
 

Offline KeBeNe

  • Regular Contributor
  • *
  • Posts: 73
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #701 on: February 01, 2019, 09:46:14 am »
Would you return to the actual topic, and make a thread of its own for this? You can discuss it there.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #702 on: February 01, 2019, 09:47:29 am »
Quote
The firmware with the new password is rather old and was released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.

For this model, it will be hackable. Confidence greater than "six nines".

Quote
They stopped the hack on one of their spectrum analyzers a while back.

They did? Which one?
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #703 on: February 01, 2019, 10:13:17 am »
Quote
Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.

a) You don't know why they did that.

It might simply have been to protect against all the botnets out there that are busy sending "root"/"root" to every single IP address on the internet.

It would have been just as easy (and much more sensible from a security point of view) for them to disable shell access altogether.

All you do is change one line in a text file and no more shell access. Google it.

b) What are the chances of somebody at Rigol thinking, "You know, we're selling too many of these oscilloscopes to hackers. I think we should give our friends at Siglent a chance to sell to them instead..."

and,

c) What else are you going to buy for $1000? Have you made a list? How long is it, and how do the devices on it compare to a hacked MSO5000?
« Last Edit: February 01, 2019, 10:37:55 am by Fungus »
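As an added example (not code from the thread, and not Rigol's files), here is what the two points raised above look like when audited offline against a firmware rootfs: the "default password" problem is visible in /etc/shadow as a root entry whose hash is empty, uses a fast legacy algorithm, or is missing, and the "disable shell access altogether" fix is one field in /etc/passwd, the login shell, changed to a nologin shell. The passwd/shadow contents below are constructed for the example; which file Rigol would actually edit, and the hash types involved, are assumptions.

```python
"""Audit an embedded-Linux rootfs for remotely usable default accounts.

Added example, not from the forum thread or from any Rigol firmware.
Input: the text of /etc/passwd and /etc/shadow extracted from an image.
Output: accounts that have BOTH a usable login shell AND a password hash
that is empty, missing, or uses a fast legacy algorithm (uid 0 is always
reported). disable_shell() shows the one-field /etc/passwd change that
turns such an account into a non-interactive one. Sample files below are
constructed for this example.
"""
import re

# Shells that refuse interactive login. Anything else is treated as usable.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Hash prefix -> (algorithm, weak). "weak" = fast to crack on commodity CPUs.
HASH_ALGOS = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
}

def classify_hash(h):
    """Return (algorithm, weak, locked) for one /etc/shadow hash field."""
    if h == "":
        return ("none", True, False)      # empty password: login with bare Enter
    if h.startswith(("!", "*")):
        return ("locked", False, True)    # password auth disabled for this account
    for prefix, (name, weak) in HASH_ALGOS.items():
        if h.startswith(prefix):
            return (name, weak, False)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return ("descrypt", True, False)  # traditional DES crypt, 8-char max password
    return ("unknown", True, False)       # unrecognised: treat as suspect

def parse_colon_file(text):
    """Parse passwd/shadow style text into {name: [fields]}, skipping comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        out[fields[0]] = fields
    return out

def audit(passwd_text, shadow_text):
    """Return a list of (user, shell, reason) findings for remotely usable accounts."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, pw in passwd.items():
        if len(pw) < 7:
            continue
        shell = pw[6]
        if shell in NOLOGIN_SHELLS:
            continue                      # no interactive login regardless of hash
        h = pw[1]
        if h == "x":                      # hash lives in shadow; missing entry -> ""
            h = shadow.get(user, ["", ""])[1]
        algo, weak, locked = classify_hash(h)
        if locked:
            continue
        reasons = []
        if pw[2] == "0":
            reasons.append("uid 0")
        if weak:
            reasons.append("weak or absent hash (%s)" % algo)
        if reasons:
            findings.append((user, shell, "; ".join(reasons)))
    return findings

def disable_shell(passwd_text, user, nologin="/sbin/nologin"):
    """The one-line fix: replace the user's login shell with a nologin shell."""
    lines = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == user:
            fields[6] = nologin
            line = ":".join(fields)
        lines.append(line)
    return "\n".join(lines) + "\n"

# Constructed sample rootfs files for this example (not a real firmware's).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
service:x:1000:1000::/home/service:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
service:$6$saltsalt$longhashlonghashlonghashlonghashlonghashlonghash:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, shell, reason in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("FINDING: %s shell=%s (%s)" % (user, shell, reason))
    print("after fix:", audit(disable_shell(SAMPLE_PASSWD, "root"), SAMPLE_SHADOW))
```

Changing the hash (the password update) only raises the cost of the root/root style spray; changing the shell field removes the interactive login path entirely, which is why the audit treats the shell as the first filter and the hash as the second.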
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #704 on: February 01, 2019, 01:10:06 pm »
Quote
The firmware with the new password is rather old and was released before the hacking started. But I agree that there is no 100% guarantee that future firmwares will be hackable. The current ETA for the next release is sometime this month.

For this model, it will be hackable. Confidence greater than "six nines".

They stopped the hack on one of their spectrum analyzers a while back.

They did? Which one?

The DSA815
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #705 on: February 01, 2019, 01:39:53 pm »
Quote
They did? Which one?
The DSA815

So ... if they know hacks happen then why aren't they at war with the hackers? Why was the DS1054Z left open even though it had 11 firmware updates?

The only answer to that is that there is no "war". It's deliberate policy to have some devices hackable and some not (e.g. the DS1054Z is hackable, the DS1054Z with signal generator isn't).

I don't know much about the DSA815 or why they might change it but locking up the MSO5000 would be suicide, it isn't competitive with the lower priced SDS1204E-X!

The only way the MSO5000 can sell is if it's hackable (and pressure from other vendors will only increase!)
« Last Edit: February 01, 2019, 01:52:23 pm by Fungus »
 

Offline JohnT

  • Newbie
  • Posts: 8
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #706 on: February 01, 2019, 03:54:52 pm »
Quote
Rigol are displeased with all the goings on as they attempted a fix by updating the password recently.

a) You don't know why they did that.

It might simply have been to protect against all the botnets out there that are busy sending "root"/"root" to every single IP address on the internet.

It would have been just as easy (and much more sensible from a security point of view) for them to disable shell access altogether.

All you do is change one line in a text file and no more shell access. Google it.

b) What are the chances of somebody at Rigol thinking, "You know, we're selling too many of these oscilloscopes to hackers. I think we should give our friends at Siglent a chance to sell to them instead..."

and,

c) What else are you going to buy for $1000? Have you made a list? How long is it, and how do the devices on it compare to a hacked MSO5000?

All sound points that contradict my knee-jerk assumptions. The MSO5000 series has that hobbyist feel to it: support for only passive probes, no 50 ohm termination, all-in-one functionality, 0.1 inch spacing header digital signal access and hardware changes to reduce cost (e.g. crapped-on capacitors...). I suspect that sales for the top-end versions of this series will stagnate in industry as the pricing just isn't competitive, but provided the workarounds remain, the low-end versions of the scopes are going to be flying off the shelves. Rigol is going to foster brand recognition in a new generation of soon-to-be professionals, so staying the course makes sound business sense. Regarding point c), the MSO5000 is at the top of the list by a long shot; I've wanted a scope like this for many years.
 

Offline ur63

  • Newbie
  • Posts: 2
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #707 on: February 01, 2019, 04:48:47 pm »
Quote
People are unhappy that they can buy a scope for very little money (compared to what it used to be) that can be hacked to full specs.

Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.

Would you have any link or reference where to get the MSO5074 including the PLA2216 Logic Probe for € 1190.-?

Thanks in advance
 

Online Martin72

  • Super Contributor
  • ***
  • Posts: 5670
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #708 on: February 01, 2019, 04:51:48 pm »
Hi,

Quote
Option bundle for RTB2000 costs € 1,190.- net (no VAT).

 ;)

Offline ur63

  • Newbie
  • Posts: 2
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #709 on: February 01, 2019, 05:06:14 pm »
Quote
Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.

Hi, see above...
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #710 on: February 01, 2019, 05:12:45 pm »
Quote
Option bundle for RTB2000 costs € 1,190.- net (no VAT).

You can buy MSO5074 + Logic probe for that money and unlock all features.

Hi, see above...

This thread is already trashed with OT nonsense now, so no harm in me adding some more...

Batterfly: 1198 Euro (no VAT) for both items. If you wait, sometimes they have a 10% off everything offer.
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #711 on: February 02, 2019, 09:59:46 am »
So let's get back on track :)

We've been digging around the scope and the software, and found that next to the Zynq (Artix-7) FPGA, the Spartan-6 FPGA and the ASIC FPGA (for the keyboard) there seem to be two more programmable devices, a CPLD and a Kintex-7.

The Spartan-6 has an eeprom with a very basic and simple bin (a stripped bit file, more or less) in it. My educated guess is that the Spartan stems from the DS1000Z design and 'controls' the frontend (voltage scale, timebase etc.) through simple commands. The eeprom serves two purposes: to store the bitstream and to store the settings, so that when you boot up the scope, it can go into the mode it was in before. Sadly I do not have the scope myself (yet, it's sold out everywhere for the 4-channel unit) so I haven't confirmed this. There seems to be a bus between the eeprom and ...

The Spartan-6 has about 4 wires going to the Zynq (SPI-ish bus?), 4 to the eeprom on different pins and some 4-wire bus to the TOP BIG heatsinked chip.

Furthermore, we found that the Zynq has a big, wide 8-bit differential bus between the TOP BIG heatsinked chip and itself. So that's probably their main high-speed data path.

Now, the software seems to have 4 tools related to these parts: spi2*, where spi2k7 is the 'upload' tool for 2 FPGAs, it seems. Looking at that tool, there seems to be a new spidev IOCTL which appears to switch between 'chip 0 and chip 1', whatever that may be. The bitstream gets uploaded to chip 1, but chip 0 serves as a sort of arbiter. spi2cpld seems to interact only with chip 0. Not sure yet what this tool can do other than poke and change registers.

So Rigol seems to have added a chip select through a new IOCTL because ... of reasons. My educated guess is that they did not have enough general purpose GPIO pins, and used some of the Zynq pins. Rather than convert those to general purpose IO pins and connect them to Linux, they manually hacked around a bit in the spidev driver. Very sad, but that's how it seems to be. More on that later, I guess :)

Anyway, all pictures do not show any of this information due to the big heatsinks.

We do know that we have 4 Rigol front end 'controllers', but those are fully analog chips. Those 4 differential analog traces go into the LOWER BIG chip, which we all expect to be the ADC. From the ADC, we see balanced traces going to the TOP chip. Those are probably digital signals.

The going theory for now is that their 'acquisition' chip does not exist (yet) and actually is a Kintex-7 FPGA, which takes those ADC signals and puts them on a high-speed 8-bit datapath to the Zynq. But where is this CPLD then? Is the Spartan the CPLD, and have they named it as such as it has a dedicated eeprom and should be treated as such? Or do we have more chips under those heatsinks?

So to anyone listening, especially those who have a broken scope already (or are experts at removing and re-adding those big phat heatsinks): is there anybody out there who can remove those heatsinks (of their own accord, nobody here will be responsible of course) and take some high-res photos of what's underneath?
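The post above infers a non-upstream spidev IOCTL from the spi2k7 binary. As an added example (not code from the thread, from Rigol, or from the spi2* tools), the decoder below shows how to take an ioctl request number lifted from such a binary and tell a stock spidev command from a vendor addition without any hardware: the request number encodes direction, the driver's "magic" byte, a command number and the argument size. Stock spidev uses magic 'k' with command 0 (SPI_IOC_MESSAGE) and commands 1 through 5; a 'k' request with any other command number is something patched into the driver. The bit layout is the asm-generic one shared by ARM (Zynq) and x86; the vendor request 0x42 used in the demo is made up for the example and is not the number Rigol uses.

```python
"""Decode Linux ioctl request numbers and classify spidev ones.

Added example, not from the forum thread or from Rigol's spi2* tools.
Bit layout per include/uapi/asm-generic/ioctl.h (used by ARM and x86):
    nr:8 | type:8 | size:14 | dir:2      (low to high bits)
"""

_NRBITS, _TYPEBITS, _SIZEBITS = 8, 8, 14
_NRSHIFT = 0
_TYPESHIFT = _NRSHIFT + _NRBITS
_SIZESHIFT = _TYPESHIFT + _TYPEBITS
_DIRSHIFT = _SIZESHIFT + _SIZEBITS
IOC_NONE, IOC_WRITE, IOC_READ = 0, 1, 2
_DIR_NAMES = {0: "NONE", 1: "W", 2: "R", 3: "RW"}

def encode(direction, type_char, nr, size):
    """Build a request number the way the _IOC() macro does."""
    return ((direction << _DIRSHIFT) | (size << _SIZESHIFT)
            | (ord(type_char) << _TYPESHIFT) | (nr << _NRSHIFT))

def decode(req):
    """Split a request number into (dir, magic_char, nr, size)."""
    req &= 0xFFFFFFFF
    nr = (req >> _NRSHIFT) & ((1 << _NRBITS) - 1)
    typ = (req >> _TYPESHIFT) & ((1 << _TYPEBITS) - 1)
    size = (req >> _SIZESHIFT) & ((1 << _SIZEBITS) - 1)
    d = (req >> _DIRSHIFT) & 3
    return (_DIR_NAMES[d], chr(typ), nr, size)

# Stock spidev constants from include/uapi/linux/spi/spidev.h
SPI_IOC_MAGIC = "k"
SPI_IOC_TRANSFER_SIZE = 32          # sizeof(struct spi_ioc_transfer)
_SPIDEV_STOCK = {                   # nr -> (name pair, argument size)
    1: ("SPI_IOC_RD_MODE / SPI_IOC_WR_MODE", 1),
    2: ("SPI_IOC_RD_LSB_FIRST / SPI_IOC_WR_LSB_FIRST", 1),
    3: ("SPI_IOC_RD_BITS_PER_WORD / SPI_IOC_WR_BITS_PER_WORD", 1),
    4: ("SPI_IOC_RD_MAX_SPEED_HZ / SPI_IOC_WR_MAX_SPEED_HZ", 4),
    5: ("SPI_IOC_RD_MODE32 / SPI_IOC_WR_MODE32", 4),
}

def spi_ioc_message(n):
    """Reconstruct SPI_IOC_MESSAGE(n): _IOW('k', 0, char[n * 32])."""
    return encode(IOC_WRITE, SPI_IOC_MAGIC, 0, SPI_IOC_TRANSFER_SIZE * n)

def name_spidev_ioctl(req):
    """Name a spidev ioctl, or flag it as not upstream / not spidev at all."""
    d, magic, nr, size = decode(req)
    if magic != SPI_IOC_MAGIC:
        return "not a spidev ioctl (magic %r)" % magic
    if nr == 0 and d == "W" and size > 0 and size % SPI_IOC_TRANSFER_SIZE == 0:
        return "SPI_IOC_MESSAGE(%d)" % (size // SPI_IOC_TRANSFER_SIZE)
    if nr in _SPIDEV_STOCK and size == _SPIDEV_STOCK[nr][1]:
        return "%s (%s)" % (_SPIDEV_STOCK[nr][0], d)
    # Magic 'k' but an nr/size upstream spidev never defined: vendor addition.
    return "NON-UPSTREAM spidev ioctl: dir=%s nr=%d size=%d" % (d, nr, size)

if __name__ == "__main__":
    # Hypothetical vendor "chip select" request, constructed for the demo.
    VENDOR_CS = encode(IOC_WRITE, SPI_IOC_MAGIC, 0x42, 4)
    for req in (spi_ioc_message(1), 0x80016b01, 0x80046b04, VENDOR_CS, 0x5401):
        print("0x%08x -> %s  %s" % (req, decode(req), name_spidev_ioctl(req)))
```

When the argument size decoded for a suspicious request is 4, the tool is most likely passing a plain int (a chip or channel index) rather than a struct, which is one quick way to distinguish a "select" style addition from a new transfer path.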

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #712 on: February 02, 2019, 10:49:04 am »
If people are taking them apart, then another thing to look for is the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.
 

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6447
  • Country: hr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #713 on: February 02, 2019, 11:23:15 am »
Rigol chipset consists of 3 chips:
"the Analog Front End Chip (named Beta Phoenicis) will allow for front end bandwidth of 4GHz with highly integrated capability allowing for simplified and highly reliable front end design.
The Signal Processing Chip (named Ankaa) supports 10GSa/s sampling with bandwidth up to 6GHz.
Also there is the Probe Amplifier Chip (named Gamma Phoenicis) will support a 6GHz Active Differential probe. "

for 5000:
The core of RIGOL's UltraVision II architecture is its Phoenix chip-set. Two custom ASICs provide analog front end and signal processing performance. These chips are surrounded by a high performance hardware design including Xilinx Zynq-7000 SoC, Dual Core ARM-9 Processors, a Linux +Qt Operating System, High Speed DDR System Memory and QDRII Display memory.

Signal Processing Chip (named Ankaa) is the A/D and first level of DSP. It connects to an FPGA that has the UltraVision II architecture implemented in it.
Unlike Keysight, they separated the first-level A/D and the waveform engine. That approach is more modular, is more flexible and makes it easy to modify and grow. That is also how it is easy for them to add huge memory and such.

They will also have a handful of smaller support chips..
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #714 on: February 02, 2019, 12:25:54 pm »
I've attached pictures of what is visible from the side of the 2 big heatsinks. That adhesive is really strong, there's no way I'm going to risk trying to break those heatsinks off...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #715 on: February 02, 2019, 01:57:42 pm »
Quote
If people are taking them apart, then another thing to look for is the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.

Here.
« Last Edit: February 02, 2019, 02:08:43 pm by tv84 »
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #716 on: February 02, 2019, 02:10:00 pm »
LED backlight voltage is a standard 3 x 3.3 V LED string, so 9.9 V; it's not modulated in any way.

Datasheets seem to indicate 10.2 V max is allowed (with reduced life), but it's already plenty bright enough for me anyway.

But young kids do seem to like their phone screens set to 'stun/blind' brightness these days...
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #717 on: February 02, 2019, 02:14:17 pm »
This is the backlight panel. I guess you could replace it with something a bit more 'exciting' if it bothered you at all...
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #718 on: February 02, 2019, 02:33:25 pm »
Quote
If people are taking them apart, then another thing to look for is the manufacturer/model of the screen.

Some people are complaining it's too dark, it would be good to find out if it's being under-driven or not and how the brightness is controlled. Maybe it's possible to make it brighter by swapping a resistor or something like that.

I'll update the wiki with pics and text about the display. So far, we know it's a 4 bit + 1 clock differentially driven display, so very likely a MIPI display. The numbers didn't yield any results so far. Signal traces look very simple.

As for the brightness/backlight, so far I haven't seen whether it's driven via a pin of the SoC, or is the 'always on' kind :(

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #719 on: February 02, 2019, 02:35:06 pm »
I wonder if we could find an OLED that's the right size >: )

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #720 on: February 02, 2019, 02:39:06 pm »
Quote
Rigol chipset consists of 3 chips:
"the Analog Front End Chip (named Beta Phoenicis) will allow for front end bandwidth of 4GHz with highly integrated capability allowing for simplified and highly reliable front end design.
The Signal Processing Chip (named Ankaa) supports 10GSa/s sampling with bandwidth up to 6GHz.
Also there is the Probe Amplifier Chip (named Gamma Phoenicis) will support a 6GHz Active Differential probe. "

for 5000:
The core of RIGOL's UltraVision II architecture is its Phoenix chip-set. Two custom ASICs provide analog front end and signal processing performance. These chips are surrounded by a high performance hardware design including Xilinx Zynq-7000 SoC, Dual Core ARM-9 Processors, a Linux +Qt Operating System, High Speed DDR System Memory and QDRII Display memory.

Signal Processing Chip (named Ankaa) is the A/D and first level of DSP. It connects to an FPGA that has the UltraVision II architecture implemented in it.
Unlike Keysight, they separated the first-level A/D and the waveform engine. That approach is more modular, is more flexible and makes it easy to modify and grow. That is also how it is easy for them to add huge memory and such.

They will also have a handful of smaller support chips..

Thanks, but that's mostly marketing speak :)

Here's the wiki page with all the chips: https://gitlab.com/riglol/rigolee/wikis/MSO5000-teardown

Missing are indeed the 4x analog frontends; so would those map to the Beta Phoenicis chip?

We then have the first BOTTOM BIG heatsinked chip. This is the ADC. So what's that, is that Ankaa? Is that a standard ADC? The TOP BIG heatsinked chip is very likely a Kintex-7; not something Rigol designed. Unless they put an FPGA in there, of course.
Finally, again, the Spartan-6 is probably their 'UltraVision' platform, if anything...

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #721 on: February 02, 2019, 02:39:30 pm »
I wonder if we could find an OLED that's the right size >: )

Well, the touchscreen is a separate item, so it's just the display that needs replacing.
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #722 on: February 02, 2019, 02:47:07 pm »
Quote
The TOP BIG heatsinked chip is very likely a Kintex-7; not something Rigol designed. Unless they put an FPGA in there, of course.

The Kintex-7 packaging documentation shows something that looks very much like the photos I posted earlier...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #723 on: February 02, 2019, 03:01:50 pm »
Quote
The Kintex-7 packaging documentation shows something that looks very much like the photos I posted earlier...

So, 2 Kintex?
 

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6447
  • Country: hr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #724 on: February 02, 2019, 03:31:49 pm »
Quote
Missing are indeed the 4x analog frontends; so would those map to the Beta Phoenicis chip?

Yes.

Quote
We then have the first BOTTOM BIG heatsinked chip. This is the ADC. So what's that, is that Ankaa? Is that a standard ADC?

No, it is not a standard A/D. It is a Rigol-designed ADC with a first level of signal processing that is tailored for scopes, as opposed to a general purpose ADC.

The rest of the chips are different from the DS7000, which revolves around the Zynq-7000.
 

