Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 360836 times)


Offline Martin72

  • Super Contributor
  • ***
  • Posts: 1746
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #825 on: March 01, 2019, 09:11:02 pm »
Wow  :o

I understand nothing about it, but..... wow  ;D
 
The following users thanked this post: tcottle

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #826 on: March 01, 2019, 10:05:14 pm »
I understand nothing about it, but..... wow  ;D

Ok, so the scope basically has two file systems. The root file system is created in memory upon each boot, so it is hard to change. That is one of the reasons Rigol added a special additional partition for the /rigol/ folder. Changes here will be permanent.

We had three problems:
  • The update script is symmetrically encrypted. That was broken early on (by oliv3r?). Anyway, he built a nice script with which we can generate simple update files.
  • SSH was disabled in recent firmwares.
  • -fullopt was dropped in recent appEntry (the main program)

The SSH problem, we can solve with a neat trick: Just run a fake upgrade, which actually does nothing but execute the SSH daemon. And we are in.

The last problem was solved by piskers, who pointed me in the right direction. So I did my very first binary assembler patch in my life, and here we are.


Now, what we can finally do is generate a small upgrade file which will only patch appEntry. I would like to be as legally correct as possible, hence only provide a binary patch instead of the full file. Unfortunately, I cannot get a binary patcher to run on the scope... So that is stalled for now. Hence it's not convenient yet.
« Last Edit: March 01, 2019, 10:13:01 pm by mabl »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #827 on: March 01, 2019, 10:16:28 pm »
Now, what we can finally do is generate a small upgrade file which will only patch appEntry. I would like to be as legally correct as possible, hence only provide a binary patch instead of the full file. Unfortunately, I cannot get a binary patcher to run on the scope... So that is stalled for now. Hence it's not convenient yet.

Please continue. That's a chicken-and-egg problem. So you'd better change tactics. Do the patch in GEL and flash the whole thing.

If you go that way, there's no urgent need for the ssh daemon...

BTW, another important/alternative feature was dropped: the ability to insert the USB Vendor Disk and enable all Options automatically (no need for fullopt). ;)
« Last Edit: March 01, 2019, 10:19:53 pm by tv84 »
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #828 on: March 01, 2019, 10:22:37 pm »
You misunderstood me.

I propose the user flashes the original firmware upgrade, and we just flash a small additional patch-GEL over it. I basically have it running right now, but it contains the full >20MB appEntry program, instead of just 172B of binary patches. I don't feel confident in sharing such a file. Others might want to create it though.

Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 59
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #829 on: March 01, 2019, 10:53:29 pm »
Does anybody know if something "critical" has been changed in system.img? I've created a gel with the system.img.gz of 00.01.01.02.04 to have the usual access, and currently have a patched version of the 00.01.01.04.04 appEntry running; everything looks fine at first glance.
 

Offline luma

  • Regular Contributor
  • *
  • Posts: 91
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #830 on: March 01, 2019, 10:57:25 pm »
Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^

Is dd available?  Would something like this work?

edit: looks like it is.  With some leg work you should be able to convert a patch file into a bash script using dd to manually write each byte.  Not pretty (and not fun), but it seems like it should do the trick.
« Last Edit: March 02, 2019, 02:17:47 am by luma »
 

Offline KeBeNe

  • Regular Contributor
  • *
  • Posts: 50
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #831 on: March 02, 2019, 06:52:34 am »

Hello,

the SSH patch works, but the "-fullopt" in start.sh does not bring any extension
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #832 on: March 02, 2019, 08:31:46 am »
You misunderstood me.

I propose the user flashes the original firmware upgrade, and we just flash a small additional patch-GEL over it. I basically have it running right now, but it contains the full >20MB appEntry program, instead of just 172B of binary patches. I don't feel confident in sharing such a file. Others might want to create it though.

Once I find a patcher which runs, the user just needs to plug in the USB stick and he is done. Easiest hack ever. We even check if the versions match our patch.  ^-^

I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #833 on: March 02, 2019, 09:22:51 am »
edit: looks like it is.  With some leg work you should be able to convert a patch file into a bash script using dd to manually write each byte.  Not pretty (and not fun), but it seems like it should do the trick.

In order to patch, dd seems OK. You only have to first kill the appEntry process and then do the patch. I'm currently in voyeur mode...

This patching process is prone to errors because someone may run the script with another version of the app file in the system.

I think it's safer to copy the full file.
 

Offline dren.dk

  • Regular Contributor
  • *
  • Posts: 53
  • Country: dk
  • Software developer, dabbling in electronics
    • Dren.dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #834 on: March 02, 2019, 09:38:22 am »
The safest bet would be to hash the entire binary before modifying it; having a hash would also allow selection of the correct patch if one wanted to support several versions with the same update file.
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #835 on: March 02, 2019, 09:46:22 am »
Looking at the disassembled appEntry file, it looks to me like it's only able to start an ssh and ftp daemon, but not to stop any of them.

So it's actually interesting then how this is triggered :) Who'll take on that challenge?
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #836 on: March 02, 2019, 09:58:31 am »
Dear all,

please find a patching upgrade attached to this post. It does not contain the actual appEntry, but only patches it. So no copyrighted data here ;).
You first need to upgrade to 00.01.01.04.04. After that, apply the update attached to this file.


Care has been taken to make sure it fails as early as possible if any errors occur. Checksums and version checks are applied all the time, before and after patching. A backup copy of the appEntry is made onto the usb drive. Only if all checks pass does the actual appEntry get replaced. You will have ssh access whenever you start the patch (until the next reboot). The patching process is very inefficient, but reliable. Do not worry, it takes around 5 minutes to apply all the patches.

Afterwards, you can just reboot the scope (you will be asked to do so) and you are done. (Files are synced to nand, so do not worry about corruption).  Since GEL is not an allowed forum extension, just rename the file.


I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
Sure, an upgrade is just a shell script like any other. Under linux you can modify used files. No issue here.

the SSH patch works, but the "-fullopt" in start.sh does not bring any extension
That is because you need to additionally patch the scope. See this post.

EDIT2: File has been changed to use the usb drive for intermediate storage of the patched files. Makes it faster also. My slow usb drive gives around 2 minutes update time.
EDIT3: It currently looks like the rigol firmware upgrade (not the patch) can damage your calibration data, and self-calibration will not fix this. So for now, I recommend you ssh into your scope and back up the /rigol/data/*.hex files. If you have issues afterwards, just copy them back. Self-calibration should work then.
« Last Edit: March 13, 2019, 07:17:29 pm by mabl »
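The safety measures discussed in the posts above (luma's dd idea, the version/md5sum check tv84 and dren.dk asked for, and the before/after verification mabl describes) combined into one script, as an added example that is not the GEL script from the thread. It assumes a POSIX sh with dd, md5sum, od and cp; the sample file, offsets, byte values and the `apply_patches`/`hex_to_bin` helper names are constructed for the demo and are not real appEntry values.

```sh
#!/bin/sh
# Added example, not from the thread: apply small byte-level patches with dd only
# when the whole-file md5 and the bytes at every offset match what the patch
# expects, keep a backup, and restore it if the post-patch check fails.
# Assumes POSIX sh + dd, md5sum, od, cp. All values below are constructed.

# Constructed stand-in for the binary to patch (32 bytes of ASCII).
make_sample() { printf 'RIGOL-SAMPLE-APPENTRY-0123456789' > "$1"; }

# Patch table: "offset old_hex new_hex" per line; old and new have equal length.
# Offset 6: "SAMPLE" -> "PATCHD"; offset 22: "01" -> "AB" (constructed values).
PATCHES='6 53414d504c45 504154434844
22 3031 4142'

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# LEN bytes at OFFSET of FILE as a lowercase hex string without separators.
read_hex() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'; }

# Emit the raw bytes of a hex string; octal escapes keep this POSIX (no \x needed).
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        b=$(printf '%.2s' "$h")
        printf "\\$(printf '%03o' "0x$b")"
        h=${h#??}
    done
}

# apply_patches FILE EXPECTED_MD5: 0 on success; 1 with FILE untouched or restored.
apply_patches() {
    f=$1; want=$2
    [ "$(md5_of "$f")" = "$want" ] || { echo "version mismatch: md5 differs" >&2; return 1; }
    # Pre-flight: every old_hex must be present before a single byte is written.
    echo "$PATCHES" | while read -r off old new; do
        [ ${#old} -eq ${#new} ] || exit 1
        [ "$(read_hex "$f" "$off" $((${#old} / 2)))" = "$old" ] || exit 1
    done || { echo "context mismatch, nothing written" >&2; return 1; }
    cp "$f" "$f.bak" || return 1
    echo "$PATCHES" | while read -r off old new; do
        hex_to_bin "$new" | dd of="$f" bs=1 seek="$off" conv=notrunc 2>/dev/null || exit 1
    done || { cp "$f.bak" "$f"; return 1; }
    # Post-check: the new bytes must read back at every offset, else roll back.
    echo "$PATCHES" | while read -r off old new; do
        [ "$(read_hex "$f" "$off" $((${#new} / 2)))" = "$new" ] || exit 1
    done || { cp "$f.bak" "$f"; echo "verify failed, backup restored" >&2; return 1; }
    return 0
}
```

On the scope the backup and the temporary copy belong on the USB stick or a ramfs, not on NAND, as oliv3r points out later in the thread.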
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #837 on: March 02, 2019, 10:08:49 am »
Do not worry, it takes around 5 minutes to apply all the patches.

5 mins???? Are you mining in between???  :-DD
 
The following users thanked this post: tcottle

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #838 on: March 02, 2019, 10:11:21 am »
Do not worry, it takes around 5 minutes to apply all the patches.

5 mins???? Are you mining in between???  :-DD

Good idea :-D, but no. The easiest solution I found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.
 

Offline piskers

  • Contributor
  • Posts: 11
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #839 on: March 02, 2019, 10:13:02 am »
Very nicely done! Thank you so much for your work!   :D

One more thing that we should look for is whether the device contacts rigol when it's connected to the internet and possibly transfers the S/N and licenses. I didn't find anything yet in the appEntry.
At least when checking for an update it doesn't transmit anything else.

Again, nice work!
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #840 on: March 02, 2019, 10:16:28 am »
One more thing that we should look for is whether the device contacts rigol when it's connected to the internet and possibly transfers the S/N and licenses. I didn't find anything yet in the appEntry.
At least when checking for an update it doesn't transmit anything else.

Thank you! You are the reason I did my first binary patch.  :popcorn:

I also looked for that, and did not see anything. As you said, the update procedure looks rather sane, and I did not see any other obvious strings. We could probably add a host entry to prevent it from contacting rigol...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #841 on: March 02, 2019, 10:17:56 am »
Patch the domain string.
 

Offline oliv3r

  • Regular Contributor
  • *
  • Posts: 136
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #842 on: March 02, 2019, 10:18:07 am »
I would guess so. Still waiting for the scope to be delivered. You can also use oliv3r's packer I think: https://gitlab.com/riglol/rigolee/#gel-packer
But I'm not sure if this is tested at all.
It was only tested to generate small GEL files that do, for example, backup the calibration partition etc. using the scripts here; https://gitlab.com/riglol/rigolee/tree/MSO5000/target
You simply build a GEL file by using one of the scripts as the update script. They have been tried and used, but not tested and validated :)

Yes, 00.01.01.02.06 was the first version having the start of the ssh daemon committed away in /etc/init.d/rcS
You could try an earlier version or be the first person to try oliv3r's packer  :D
Or did someone already test the packaging function?

EDIT: Oh okay, I guess downgrading is not possible?

You can downgrade, but you have to fake the version number.

|O Anyway. I don't know if downgrading is a good idea with calibration data and such. I think I also saw a check against it in fw4linux.sh.

oliv3r's packer will only do the firmware flash encryption (so I could batch out the downgrade stop). It will not generate the image files etc.

No, it will generate GEL update files. It will not, however, generate filesystem images (such as initramfs and ubifs). It is after all only a packer :)

@Oliv3r, I had to add --owner=rigolee --group=rigolee to the tar commands.
Sure, but why? Then again, I've only run the scripts so far, so the change does seem sensible of course.

So next step is to pack the rootfs/rigol folder as an UBIFS image
Yeah, but that's a little trickier with the permissions; git doesn't like the users much. I do add them with the proper permissions I think (root:root 600 for example) but haven't checked what happens to this on check-out.

So generating an accurate ubifs would be harder (but far from impossible :)

This means hacking is now as easy as inserting a USB key and pressing "Go!" (or whatever it says on screen).

No need to mess around with SSH or Vi.

Once we can create the update files. I'm not the best in shell scripts, so somebody else might be faster. Oliv3r?

I wrote the packer a few months ago :p and posted links here; nobody took up the challenge to write scripts to do these things :) (such as adding the -fullopt for example, and now patching the appEntry).

I hadn't gotten around to doing it myself yet; and probably not going to yet. I probably will add a 'start ssh' update :)

Thank you!
So packaging should be possible with:
Code:
mkfs.ubifs -m 2048 -e 128KiB -c 800 -r /rootfs/rigol app.img
Not sure about the compression type (-x param)..
Then gzip it and run oliv3r's script. Can't try it till tomorrow though..

Sure, but why would you want to? You can also just add the patched appEntry; and write a simple update script that does 'cp appEntry /rigol/appEntry' no? :)

With regards to ubifs, i did use one of those python ubi unpackers. So repacking it with the same tool should be possible. A version check should be added though (md5sum of the original file) as you otherwise overwrite 'any' version.

I'm missing something... how do you plan to patch the app file that is currently running?? The system allows it?
Should work just fine, the file is read into memory and executed from there. App-entry should never try to rewrite itself anyway. So copy file, reboot scope, profit :)

Good idea :-D, but no. The easiest solution I found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.
Little sledge-hammer method. Just be sure not to write the HEX file to the NAND filesystem. NAND is already super sensitive to wear and tear. Writing so much data just for the patch wears the NAND unnecessarily. Write to tmpfs/ramfs instead. (/ and probably /tmp should be ramfs).

BUT Monday/Tuesday I should finally receive my own scope. Now if someone can free up some time on my calendar :D
« Last Edit: March 02, 2019, 10:20:16 am by oliv3r »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #843 on: March 02, 2019, 10:20:57 am »
The easiest solution I found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.

Use dd as luma suggested. It should work beautifully and cleanly.

Nonetheless, "it will cut!".
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #844 on: March 02, 2019, 10:28:40 am »
BUT Monday/Tuesday I should finally receive my own scope. Now if someone can free up some time on my calendar :D

How I missed Olliver's analysis...   :popcorn:

Good point about NAND wearout!
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #845 on: March 02, 2019, 10:40:43 am »
Good idea :-D, but no. The easiest solution I found was to just convert the binary file to hexadecimal representation, patch it as text, and reverse the process. It looks like the busybox patch command is very slow though. But as an advantage you get the context sensitivity of patch, so it will also fail if the "surroundings" of the binary do not exactly match.
Little sledge-hammer method. Just be sure not to write the HEX file to the NAND filesystem. NAND is already super sensitive to wear and tear. Writing so much data just for the patch wears the NAND unnecessarily. Write to tmpfs/ramfs instead. (/ and probably /tmp should be ramfs).

I indeed wrote to /user/ NAND, since the file is very big. I did not assume it to be *that* sensitive. But to alleviate your fear, I moved it to the USB drive now. Thanks for the hint!
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #846 on: March 02, 2019, 10:44:33 am »
Write to tmpfs/ramfs instead. (/ and probably /tmp should be ramfs).

Question: How much free 'disk' and RAM have these things got?

I'd have thought it would be just enough for the firmware plus a bit extra, but here we are using up megabytes of space for temporary files, etc., as if it has no limit.

 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #847 on: March 02, 2019, 10:47:42 am »
Question: How much free 'disk' and RAM have these things got?


Code:
<root@rigol>df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                31.0M     21.8M      9.2M  70% /
devtmpfs                213.6M         0    213.6M   0% /dev
none                    100.0M    292.0K     99.7M   0% /tmp
/dev/ubi6_0              85.1M     71.1M     14.1M  83% /rigol
/dev/ubi1_0              37.2M    244.0K     35.0M   1% /rigol/data
/dev/ubi12_0            516.6M      1.6M    510.4M   0% /user


<root@rigol>free -m
             total         used         free       shared      buffers
Mem:           437          154          283            0            0
-/+ buffers:                153          283
Swap:            0            0            0
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #848 on: March 02, 2019, 10:53:42 am »
NAND map
 
The following users thanked this post: kwinz

Offline mabl

  • Regular Contributor
  • *
  • Posts: 115
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #849 on: March 02, 2019, 12:27:28 pm »
Btw, the appEntry also seems to have support for (jitter) eye diagrams..

The patch enables "Power analyzer", "Eye trigger" and "jitter" in the measurement analyze menu. Previously -fullopt still had one additional check, which I bypassed too. Would be interesting if these also exist with the old fullopt command.
 

