Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 919149 times)

Offline mabl

  • Regular Contributor
  • *
  • Posts: 122
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #850 on: March 02, 2019, 02:07:48 pm »
The patch enables "Power analyzer", "Eye trigger" and "jitter" in the measurement analyze menu. Previously -fullopt still had one additional check, which I bypassed too.

That isn't correct. fullopt had no further checks. It enabled all the Options.

I meant the previous ifs surrounding it, which I did not know what they did. Nice decompiled code btw. Is that IDA then? I'm still learning here. Btw. The function at 0x3d898c looks interesting too, exports readable calibration data to the usb drive. No idea how to call into it though...

EDIT: Looks to me like the addition codes for option 6 & 18 check for hardware features like LA and WG. So bypassing them should not matter since currently all scopes have all features.
« Last Edit: March 02, 2019, 03:08:47 pm by mabl »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16640
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #851 on: March 02, 2019, 02:38:14 pm »
Code:
<root@rigol>df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                31.0M     21.8M      9.2M  70% /
devtmpfs                213.6M         0    213.6M   0% /dev
none                    100.0M    292.0K     99.7M   0% /tmp
/dev/ubi6_0              85.1M     71.1M     14.1M  83% /rigol
/dev/ubi1_0              37.2M    244.0K     35.0M   1% /rigol/data
/dev/ubi12_0            516.6M      1.6M    510.4M   0% /user


<root@rigol>free -m
             total         used         free       shared      buffers
Mem:           437          154          283            0            0
-/+ buffers:                153          283
Swap:            0            0            0

Much more free space/RAM than is in use!  :D  :-+

(...although a single 400Mb memory dump could use up most of that /user partition)
 

Offline orion242

  • Supporter
  • ****
  • Posts: 746
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #852 on: March 02, 2019, 03:47:30 pm »
Thanks to all the guys that keep making this a great buy!
 
The following users thanked this post: Aztlanpz

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #853 on: March 02, 2019, 03:52:50 pm »
For when people brick their scopes there is an easy way to recover them...

Serial port is disabled in the latest version so no playing about with Uboot now.
« Last Edit: March 02, 2019, 03:56:14 pm by TopLoser »
 
The following users thanked this post: offmar

Offline offmar

  • Contributor
  • Posts: 16
  • Country: bg
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #854 on: March 02, 2019, 04:40:49 pm »
For when people brick their scopes there is an easy way to recover them...

Serial port is disabled in the latest version so no playing about with Uboot now.

How do you enter into that menu?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #855 on: March 02, 2019, 05:05:08 pm »
How do you enter into that menu?

"Not married" key while ubooting.
 
The following users thanked this post: helmy, offmar

Offline justanothername

  • Regular Contributor
  • *
  • Posts: 143
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #856 on: March 02, 2019, 05:24:17 pm »
After that, apply the update attached to this file.

Has anyone done this already without the need of re-calibration? I seem to be one of the lucky ones with no overcompensation on any channel and I've read that after re-calibration overcompensation will occur.
 

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #857 on: March 02, 2019, 06:05:28 pm »
Did they do a U-Boot update from inside Linux? Or why is serial disabled?
This is bad.. If you brick anything you can't recover it even with opening the case 😔 we should try to re-enable serial with our "unofficial" update.
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 5790
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #858 on: March 02, 2019, 06:07:58 pm »
Quote
I seem to be one of the lucky ones with no overcompensation on any channel and I've read that after re-calibration overcompensation will occur.

In my case, I'm a lucky one too, I did the firmware upgrade, after this a selfcal - and everything went fine.

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #859 on: March 02, 2019, 06:25:22 pm »
Uboot commands.
 
The following users thanked this post: helmy

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #860 on: March 02, 2019, 06:56:23 pm »
I'm not familiar with uboot, more with barebox.
What is boot from Gold-Finger? Is it a common uboot command or Rigol specific?
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #861 on: March 02, 2019, 08:47:46 pm »
Did they do a U-Boot update from inside Linux? Or why is serial disabled?
This is bad.. If you brick anything you can't recover it even with opening the case 😔 we should try to re-enable serial with our "unofficial" update.

Serial is disabled immediately after the 'Hit any key' prompt, so you can still enter uboot at that point. Not available when the scope is up and running though.

You can always use the secret menu to reinstall scope firmware. That secret menu allows you to downgrade as well.
 

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #862 on: March 02, 2019, 08:52:32 pm »
Ah okay. I interpreted your post like they disabled serial completely (muxing not done or so on)
Which one is the "Not married" key?
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 6595
  • Country: hr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #863 on: March 02, 2019, 09:09:17 pm »
LOL  man, when you are not married that means you are SINGLE....
 
The following users thanked this post: ve2mrx, kwinz

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #864 on: March 02, 2019, 09:12:14 pm »
Okay got it. I read it in English and thought in German... Sometimes it's hard...  :palm: |O

I even googled for "not married key" and was confused by the results. Thought it is an English name for any special sign on a key...
« Last Edit: March 02, 2019, 09:22:48 pm by Noy »
 
The following users thanked this post: 2N3055

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 6595
  • Country: hr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #865 on: March 02, 2019, 09:24:17 pm »
Okay got it. I read it in English and thought in German... Sometimes it's hard...  :palm: |O

Yep foreign language to me too...
 

Offline helmy

  • Newbie
  • Posts: 5
  • Country: eg
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #866 on: March 03, 2019, 04:17:03 am »
The patch enables "Power analyzer", "Eye trigger" and "jitter" in the measurement analyze menu. Previously -fullopt still had one additional check, which I bypassed too.

That isn't correct. fullopt had no further checks. It enabled all the Options.
Would you please share how you arrived at this nicely decompiled code? I tried using IDA Pro v7 and didn't get that nice result!
What does get_IsUsbKey_Ready() do?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #867 on: March 03, 2019, 08:46:27 am »
Would you please share how you arrived at this nicely decompiled code? I tried using IDA Pro v7 and didn't get that nice result!
What does get_IsUsbKey_Ready() do?

As a matter of fact, it's IDA 6 but you should get it with IDA 7 also.

That check is precisely where they verify the insertion of the USB Rigol's Vendor Disk. If it's detected they would automatically license all the Options 6 to 25, while the Disk is inserted. This feature has been removed in the new FW.

Code:
00    "BW1T2"           DS7000
01    "BW1T3"           DS7000
02    "BW1T5"           DS7000
03    "BW2T3"           DS7000
04    "BW2T5"           DS7000
05    "BW3T5"           DS7000
06    "MSO"   (LA)
07    "2RL"    MSO5000  DS7000
08    "5RL"             DS7000
09    "BND"    = COMP + EMBD + AUTO + FLEX + AUDIO + AERO + PWR + AWG
10    "COMP"   MSO5000  DS7000
11    "EMBD"   MSO5000  DS7000
12    "AUTO"   MSO5000  DS7000
13    "FLEX"   MSO5000  DS7000
14    "AUDIO"  MSO5000  DS7000
15    "SENSOR"
16    "AERO"   MSO5000  DS7000
17    "ARINC"
18    "AWG"    MSO5000  (DG)
19    "JITTER"
20    "MASK"
21    "PWR"    MSO5000  DS7000
22    "DVM"
23    "CTR"
24    "EDK"
25    "4CH"
26    "BW07T1" MSO5000
27    "BW07T2" MSO5000
28    "BW07T3" MSO5000
29    "BW07T5"
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16640
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #868 on: March 03, 2019, 12:13:01 pm »
How do you enter into that menu?

"Not married" key while ubooting.

So ... the 'scope keeps a copy of the factory-installed firmware somewhere, and you can restore it by pressing a button at startup?

That's awesome if true. It means hacking new firmwares is risk-free.

 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #869 on: March 03, 2019, 12:16:13 pm »

So ... the 'scope keeps a copy of the factory-installed firmware somewhere, and you can restore it by pressing a button at startup?

That's awesome if true. It means hacking new firmwares is risk-free.

No. It just restores default scope settings.
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 122
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #870 on: March 03, 2019, 06:34:49 pm »
|O Anyways. I don't know if downgrading is a good idea with calibration data and such.

I wanted to first backup the calibration data.

Ummm... isn't that what self-cal is for - to generate some new data?  :popcorn:

It turns out that the new firmware has trouble with auto-calibration. Using my backed-up calibration files, the spikes also reported by others are gone  :popcorn:

EDIT: See also here
« Last Edit: March 03, 2019, 08:04:04 pm by mabl »
 
The following users thanked this post: offmar

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16640
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #871 on: March 03, 2019, 08:04:53 pm »
Ummm... isn't that what self-cal is for - to generate some new data?  :popcorn:

It turns out that the new firmware has trouble with auto-calibration. Using my backed-up calibration files, the spikes also reported by others are gone  :popcorn:

EDIT: See also here

Let's hope our friend with contacts at Rigol can pass that information along to them...

 

Offline Shodge

  • Contributor
  • Posts: 21
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #872 on: March 03, 2019, 11:47:30 pm »
Anyone have a negative experience with the patch?  If not I’ll try it in a couple of hrs...

-Stan
 

Offline Shodge

  • Contributor
  • Posts: 21
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #873 on: March 04, 2019, 05:51:13 am »
OK,

My experience.

I have a 5072 - so I had a lot to lose by upgrading...  I put a FAT32 formatted flash drive in and copied the calibration data.  Just in case...

Just a note - moving the drive between the Rigol and the PC was not a happy thing.  Win10 almost always has an issue with the drive after being in the scope.

I put the 01.01.04.04 firmware on the drive and the scope said it was corrupted....  Reformatted the drive, reloaded the firmware - all was well and it updated to 01.01.04.04.

As reported - I lost 2 channels, the AWGs....  Interestingly enough, in the acquisition menu it still showed 200M, but when changed - the 200M option disappeared.

I played with the SSH enable .GEL.  Upon installing - my scope always says it's corrupt.  Tried and re-tried many times.  I did finally check, after it failed - and sure enough - it was working.  So maybe the corrupt file warning is normal for this patch?  I have not tried to go in and make it permanent - it appears that the patch just turns it on for this boot...

The patch for the license...  I reformatted the drive again, Put the file on the USB drive, and selected it on the scope.  No errors - it updated perfectly.  Then it asked me to reboot - which I did......

My scope is back...!!!!  All 4 channels, the 2 AWGs, 200M samples.  I went to the license page - looks just as shown -- all enabled and permanent.

So bottom line - it worked here although I have some more work to do to make SSH on permanently.

FYI...

-Stan
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 122
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #874 on: March 04, 2019, 06:00:28 am »
As reported - I lost 2 channels, the AWGs....  Interestingly enough, in the acquisition menu it still showed 200M, but when changed - the 200M option disappeared.

Yes, I also noted that my license files were gone after upgrade. But who cares, truly  >:D

I played with the SSH enable .GEL.  Upon installing - my scope always says it's corrupt.  Tried and re-tried many times.  I did finally check, after it failed - and sure enough - it was working.  So maybe the corrupt file warning is normal for this patch?  I have not tried to go in and make it permanent - it appears that the patch just turns it on for this boot...

True, this is by design. I've added a warning to the post. I somehow like how ssh is only there if I truly need it. I find no need to make it permanent.

The patch for the license...  I reformatted the drive again, Put the file on the USB drive, and selected it on the scope.  No errors - it updated perfectly.  Then it asked me to reboot - which I did......

My scope is back...!!!!  All 4 channels, the 2 AWGs, 200M samples.  I went to the license page - looks just as shown -- all enabled and permanent.
:phew: First confirmed successful patch after my scope. Nice!
 
The following users thanked this post: Shodge

