Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 360606 times)


Offline gedong

  • Contributor
  • Posts: 18
  • Country: id
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #775 on: February 28, 2019, 12:46:17 pm »
Does the MSO5000 have Bode plot features? I can't seem to find any info about this.

 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 3800
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #776 on: February 28, 2019, 12:46:30 pm »
the firmware ZIP file contains a physical 12-bit ADC
Please explain what you mean by this.

Just kidding. I don't know where to find the smiley icons when posting from my mobile's "Tapatalk" client...
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #777 on: February 28, 2019, 01:02:49 pm »
It's likely just an enhanced resolution mode done by adding samples: add up 16 8-bit values and you can get a not very reliable 12-bit value. You will likely find the sample rate is cut down by an equivalent amount.

You can do stuff like that when you have 8Gigasamples/sec.
« Last Edit: February 28, 2019, 01:05:34 pm by Fungus »
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1617
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #778 on: February 28, 2019, 01:17:04 pm »
/ rigol / appEntry $ PowerOn -run -fullopt&

The space after fullopt shouldn't matter. The ampersand '&' indicates to the shell that we want the command to be executed in the background.

What is wrong is all the spaces after the slash '/'. It is probably taking the line as an invalid command and failing to execute the appEntry application.
 

Offline satlars

  • Contributor
  • Posts: 9
  • Country: dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #779 on: February 28, 2019, 01:34:23 pm »
Sorry, translation error.

This is the line from the file:

/rigol/appEntry $PowerOn  -run -fullopt&


Is there not a factory default switch, or key combination?

satlars
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #780 on: February 28, 2019, 01:45:11 pm »
Sorry, translation error.
This is the line from the file:
/rigol/appEntry $PowerOn  -run -fullopt&
Is there not a factory default switch, or key combination?

Most likely you put something wrong in the startup.sh file and now it terminates at the main app startup line.
The problem is that network services are started only after the main app is completely started. But as it terminates just before that, they never get executed.

Your best bet right now is to push a new firmware (it can be the same version you already have, or the latest one available).
Put an update file on a USB drive, formatted as FAT32, and boot up your device.
Hopefully U-Boot picks up your update and starts an upgrade process.

If that does not help, your next bet is a serial connection, but that will require opening your device.
« Last Edit: February 28, 2019, 01:46:44 pm by mindy »
 

Offline satlars

  • Contributor
  • Posts: 9
  • Country: dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #781 on: February 28, 2019, 01:49:15 pm »
Thanks, sounds like a good idea, but where can I download it?
I can't find it at Rigol.
Does anyone know where it is?
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #782 on: February 28, 2019, 01:50:49 pm »
Thanks, sounds like a good idea, but where can I download it?
I can't find it at Rigol.
Does anyone know where it is?

Unofficial place works better ;)
https://gitlab.com/riglol/rigolee/tree/MSO5000/GEL

Just don't forget to rename Update file to the following: "DS5000Update.GEL"
« Last Edit: February 28, 2019, 01:53:01 pm by mindy »
 
The following users thanked this post: ve2mrx

Offline satlars

  • Contributor
  • Posts: 9
  • Country: dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #783 on: February 28, 2019, 02:10:57 pm »
It does not seem to work.

I have formatted a 16 GB stick as FAT32

and tried with both my old firmware version 01.01.02.04
and with the new 01.01.04.04, but nothing really happens: the boot bar just runs up to 100% and there is not really any more.

Do you have to press something special to make it look at USB?
 

Offline drieg

  • Regular Contributor
  • *
  • Posts: 85
  • Country: cz
    • Silcon Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #784 on: February 28, 2019, 02:16:28 pm »
A new Firmware is now available for MSO5000!

http://int.rigol.com/File/ProductSoftWare/20190227/DS5000(ARM)Update.rar
Release notes for FW v00.01.01.04.04:

[Latest Revision Date]  2019/02/27

[Updated Contents]
--------------------

v00.01.01.04.04  2019/02/20

     - Optimized the operating experience of the local upgrade.

     - Added the 12-bit high resolution mode.
     - Added 500uV/div in vertical scale.
     - Added the SCPI command :MEASure:STATistic:ITEM CNT,<item>[,<src>[,<src>]]
       to read the count of measure statistics.
     - The waveform can zoom out by drawing a rectangle. If you draw a rectangle
       from the top left to the bottom right, the waveform will zoom in. If you
       draw it from the bottom right to the top left (the opposite direction),
       the waveform will zoom out.
     - Added the GND coupling in channel.
     - Enriched the color options of the LA channels.
     - If the newest version is detected, a red dot will display in the Online
       upgrade menu.

     - Modified the waveform freeze problem in slow scan mode.
     - The boot time is reduced to less than 1 minute.
     - Improved the touch experience in the lower half of the touch screen.
     - Reduced the noise amplitude of the waveform.
     - Modified the problem of decode vanishing after moving signals.
     - Modified the error of digital waveform when adjusting the timebase after
       stopping the sampling.
     - The :SYSTEM:SETUP command can successfully save and upload setting
       information in remote.

Bricked Rigol? This thread might be of any help.
 

Offline satlars

  • Contributor
  • Posts: 9
  • Country: dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #785 on: February 28, 2019, 02:39:02 pm »
I have tried both the files that mindy linked to and the rar file that drieg linked to,

with the same result: the scope comes up with the boot bar again and nothing more happens.

On the old scopes I can see you have to press the Help button to activate USB upload, but that does not appear to be the case on the 5000. It may be another button.
 

Offline satlars

  • Contributor
  • Posts: 9
  • Country: dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #786 on: February 28, 2019, 03:29:33 pm »
What about a serial connection?
Is that a way to fix the file, maybe? And where should it be soldered on the motherboard, if there is one?
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 3800
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #787 on: February 28, 2019, 03:36:56 pm »
@satlars, did you do this?

Just don't forget to rename Update file to the following: "DS5000Update.GEL"
 

Offline satlars

  • Contributor
  • Posts: 9
  • Country: dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #788 on: February 28, 2019, 03:44:00 pm »
Hi ebastler,

Yes, I did just that: DS5000Update.GEL
 
but nothing happens :-(
 

Offline 0xdeadbeef

  • Super Contributor
  • ***
  • Posts: 1552
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #789 on: February 28, 2019, 04:28:38 pm »
You could try formatting the USB stick with a dedicated USB stick formatting tool, or use a smaller stick (<=4GB). Since Win7 or so, the Windows formatter chooses rather large block sizes for USB sticks (dependent on size), and most simple FAT32 implementations are limited to a 4k block size. At least I had issues like this with several non-Windows scopes in the past.
Trying is the first step towards failure - Homer J. Simpson
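The block-size point above, as an added example that is not code from the thread or from Rigol: a small Python parser for the BIOS Parameter Block of a FAT32 boot sector that reports the cluster size and flags anything above the 4 KiB limit the post mentions. The boot sectors are constructed inline; the 4 KiB limit and the 16 KiB sample come from the post's argument, not from a measurement on a scope.

```python
# Added example, not code from the thread or from Rigol: decode the BIOS Parameter
# Block (BPB) of a FAT32 boot sector and flag cluster sizes above the 4 KiB limit the
# post mentions. Sample sectors are constructed inline; on a real stick, read the first
# 512 bytes of the partition (e.g. /dev/sdb1), not of the whole disk.
import struct

MAX_SAFE_CLUSTER = 4096  # limit cited in the post for simple FAT32 implementations


def parse_bpb(sector: bytes) -> dict:
    """Return the BPB fields that determine cluster size; reject malformed sectors."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot-sector signature")
    bps, spc = struct.unpack_from("<HB", sector, 11)  # bytes/sector, sectors/cluster
    total16, = struct.unpack_from("<H", sector, 19)   # legacy 16-bit sector count
    total32, = struct.unpack_from("<I", sector, 32)   # 32-bit sector count (FAT32)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("invalid BPB geometry")
    return {
        "fs_type": sector[82:90].decode("ascii", "replace").strip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "total_sectors": total16 or total32,
        "cluster_bytes": bps * spc,
    }

def is_safe_for_update(sector: bytes, limit: int = MAX_SAFE_CLUSTER) -> bool:
    """True if the volume is FAT32 and its clusters do not exceed `limit` bytes."""
    geo = parse_bpb(sector)
    return geo["fs_type"] == "FAT32" and geo["cluster_bytes"] <= limit

def make_boot_sector(bps: int, spc: int, total_sectors: int) -> bytes:
    """Build a minimal constructed FAT32 boot sector (test data only)."""
    buf = bytearray(512)
    buf[0:3] = b"\xeb\x58\x90"                     # jump instruction
    struct.pack_into("<HB", buf, 11, bps, spc)
    struct.pack_into("<I", buf, 32, total_sectors)
    buf[82:90] = b"FAT32   "                       # file-system type label
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)

# Constructed samples: 512 B x 8 = 4 KiB clusters, and 512 B x 32 = 16 KiB clusters.
SMALL_CLUSTER = make_boot_sector(512, 8, 7_800_000)
LARGE_CLUSTER = make_boot_sector(512, 32, 31_000_000)

if __name__ == "__main__":
    for name, img in (("small", SMALL_CLUSTER), ("large", LARGE_CLUSTER)):
        print(name, parse_bpb(img)["cluster_bytes"], "bytes/cluster, safe:", is_safe_for_update(img))
```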
 

Offline satlars

  • Contributor
  • Posts: 9
  • Country: dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #790 on: February 28, 2019, 04:41:43 pm »
Just tried to format a 2 GB stick

and put the .gel file on that.

It flashes just twice and otherwise the same result.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #791 on: February 28, 2019, 05:00:13 pm »
The uboot won't do the update automatically. It needs human intervention.
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #792 on: February 28, 2019, 06:16:25 pm »
Yes, I did just that: DS5000Update.GEL
but nothing happens :-(

You can try one more thing:
If you are lucky and the network is actually initialised, you could try to connect your scope to a router (or switch) which has a DHCP service running and issues IP addresses automatically.
Check if you can see what IP address is issued and try to SSH.

Another way is to use an "nmap" scan of your subnet for active IP addresses.
It could be that by default the network interface sets its IP address to something like "169.254.123.123" with a subnet "255.255.0.0", so you could set your laptop / PC IP to a static one and then run "nmap" to scan for your scope.
Edit1: In this case the scope should be connected directly to your PC and NOT via a router.

nmap -sn 169.254.0.0/16
« Last Edit: February 28, 2019, 06:51:46 pm by mindy »
 

Online Martin72

  • Super Contributor
  • ***
  • Posts: 1745
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #793 on: February 28, 2019, 07:14:11 pm »

Release notes for FW v00.01.01.04.04:

[Latest Revision Date]  2019/02/27

[Updated Contents]


Tested some of the changes here:

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2231781/#msg2231781

( To get this Topic "clean" )


Offline velikigrizli

  • Contributor
  • Posts: 6
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #794 on: February 28, 2019, 08:37:51 pm »
So what's the conclusion? Seems that the new firmware can't be hacked? :)
 

Offline seronday

  • Regular Contributor
  • *
  • Posts: 64
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #795 on: February 28, 2019, 11:07:32 pm »
@satlars,
   You will need to use the UART serial interface at 115200 bits/sec to access the file system.

I have done this to solve a similar issue on an MSO5074 when there was a power failure at the exact time the modified start.sh file was being saved. This resulted in the file being corrupted.

Read this message: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2114902/#msg2114902

Good Luck.
 
The following users thanked this post: ve2mrx, helmy, furmek

Offline sparkv

  • Newbie
  • Posts: 4
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #796 on: March 01, 2019, 05:08:55 am »
So what's the conclusion? Seems that the new firmware can't be hacked? :)

 ??? I didn't see anybody make a claim that it can't be hacked. We only know they removed -fullopt from appEntry and put in the code to kill sshd, which is trivial to bypass if they're looking for it by process name, and it seems they do based on what others have said. I didn't look at the new executable yet. As for a proper hack, maybe the mystery keygen will finally grace us with its appearance :-DD

It will be hacked, it just may require binary patching as a quick-fix way to bring -fullopt back in and disable sshd nuker.

Personally, I would have spent a lot more time working on it if I had the actual device. I stopped RE work because I hit a point where I would have to ask others to run my tests on their scopes, or wait for my own scope to arrive. I chose the latter. My scope shipped today, next week when it arrives should be fun  >:D
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #797 on: March 01, 2019, 06:23:40 am »
So what's the conclusion? Seems that the new firmware can't be hacked? :)

Where do you get that idea from? Not one person here has said that.

 

Offline piskers

  • Contributor
  • Posts: 11
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #798 on: March 01, 2019, 09:17:44 am »
With the right timing, something like

ssh root@host "nohup /usr/bin/sshd -p 22"   # ssh has no password flag; Rigol201 is entered at the password prompt

should give you ssh on port 22  >:D Haven't tried it though.

Looking at the disassembled appEntry file, it looks to me like it's only able to start an ssh and ftp daemon, but not to stop either of them.
I'm not sure how to start it though. The start command is close to other UI stuff, and the string "Enter Project mode" is used close to it. I could imagine there is something like a maintenance menu we don't know about yet.

I can't test anything yet either because I'm also still waiting for my scope to arrive..
Good news is that it looks like the "-fullopt" checking instructions can easily be merged into the new appEntry version.

This is my first post btw, so a big hello to everybody here!
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #799 on: March 01, 2019, 09:49:43 am »
Looking at the disassembled appEntry file, it looks to me like it's only able to start an ssh and ftp daemon, but not to stop either of them.

I believe you are right. I did not notice earlier, but rootfs/etc/init.d/rcS was modified such that sshd is not run.

diff --git a/firmware/rootfs/etc/init.d/rcS b/firmware/rootfs/etc/init.d/rcS
index f3559f1..a8f3117 100755
--- a/firmware/rootfs/etc/init.d/rcS
+++ b/firmware/rootfs/etc/init.d/rcS
@@ -30,10 +30,10 @@ mount -t devpts devpts /dev/pts
 #httpd -h /var/www
 
 #echo "++ Starting ftp daemon"
-tcpsvd 0:21 ftpd ftpd -w /&
+#tcpsvd 0:21 ftpd ftpd -w /&
 
 #echo "++ Starting ssh daemon"
-/usr/sbin/sshd
+#/usr/sbin/sshd
 
 echo "rcS Complete"
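Review bot: the removed line "tcpsvd 0:21 ftpd ftpd -w /&" started a write-enabled FTP daemon rooted at "/" on every boot, so dropping it together with the unconditional "/usr/sbin/sshd" start is a real hardening change, but commenting the two lines out rather than deleting them leaves dead configuration behind with no record of why; since the "#echo" lines above them were already disabled, the hunk now leaves a block of pure comments. Suggest removing the four lines outright (or guarding the two starts behind an explicit, documented opt-in flag) and stating the intent in the commit message so the next reader does not assume the services were disabled by accident.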

Can we still flash firmware traditionally? If so ssh is easily brought back.

Good news is that it looks like the "-fullopt" checking instructions can easily be merged into the new appEntry version.

That's fantastic news!

This is my first post btw, so a big hello to everybody here!
Welcome! May I ask what tools you use for disassembly?
 

