Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 321137 times)


Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11388
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1025 on: April 18, 2019, 07:23:52 pm »
Is there a USB stick to automatically switch between the two firmwares in the machine?

That would be cool for testing things.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1839
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1026 on: April 18, 2019, 10:23:30 pm »
Is there a USB stick to automatically switch between the two firmwares in the machine?

That would be cool for testing things.

See Olliver's repo.
 

Offline timber23

  • Contributor
  • Posts: 47
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1027 on: April 19, 2019, 11:43:12 pm »
Which password is this?

root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
20 minutes with hashcat on a radeon hd7900 -> Rigol201  :-DD

For those interested: researching this took longer than 20 mins ;-) Linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. I copied the hash part into a file (rigol.hash) and here's the command I used for hashcat:
Code:
hashcat64.exe -a 3 -m 1500 rigol.hash
Thank you very much for your explanation of how to crack the password from the hash. I downloaded hashcat and tried it on my machine:
Code:

qkiAP.hEBSnSY:Rigol201

Session..........: hashcat
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: qkiAP.hEBSnSY
Time.Started.....: Sat Apr 20 01:34:19 2019 (2 mins, 38 secs)
Time.Estimated...: Sat Apr 20 01:36:57 2019 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2?2?3 [8]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 8/8 (100.00%)
Speed.#1.........:   876.7 MH/s (11.41ms) @ Accel:2 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 139148328960/5533380698112 (2.51%)
Rejected.........: 0/139148328960 (0.00%)
Restore.Point....: 1730560/68864256 (2.51%)
Restore.Sub.#1...: Salt:0 Amplifier:8192-9216 Iteration:0-1024
Candidates.#1....: lnitsorl -> Lurghbou
Hardware.Mon.#1..: Temp: 77c Fan: 60% Util: 97% Core:1898MHz Mem:4513MHz Bus:16

Started: Sat Apr 20 01:31:31 2019
Stopped: Sat Apr 20 01:36:58 2019
It took only 5 minutes on an i7-8700K with GTX 1080.
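A defender's-eye check for the storage weakness this post demonstrates, as an added example that is not from the thread: it parses passwd(5)-style lines, names the crypt(3) scheme of each hash field, and flags the traditional DES form (13 characters, no `$`) together with hashes left in the world-readable passwd file and extra uid-0 accounts. Apart from the root line quoted above, the sample entries are constructed.

```python
# Added example (not from the thread): audit passwd(5)-style entries for weak
# password storage, such as the 13-character DES crypt hash quoted above.
import re

# crypt(3) prefix -> scheme. Traditional DES crypt has no prefix: 13 chars of
# [./0-9A-Za-z], a 12-bit salt and an 8-character password limit.
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
           "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$7$": "scrypt", "$y$": "yescrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
NO_HASH = {"x", "*", "!", "!!", "", "*LK*", "*NP*"}  # shadowed/locked/empty


def classify_hash(field):
    """Name the crypt(3) scheme used by one password field."""
    if field in NO_HASH:
        return "none"
    if field.startswith("!"):  # locked account, but the hash is still stored
        return classify_hash(field[1:])
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if DES_RE.match(field) else "unknown"


def audit(text, shadowed=False):
    """Return (line, finding, user) tuples for a passwd or shadow file body.
    shadowed=True means the text is /etc/shadow, where hashes belong."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 4:
            findings.append((n, "malformed", f[0]))
            continue
        user, pw, uid = f[0], f[1], f[2]
        scheme = classify_hash(pw)
        if scheme != "none" and not shadowed:  # hash is world-readable
            findings.append((n, "hash-in-passwd", user))
        if scheme in ("descrypt", "md5crypt"):  # fast to brute-force
            findings.append((n, scheme, user))
        if not shadowed and uid == "0" and user != "root":
            findings.append((n, "extra-uid0", user))
    return findings


# Constructed sample: line 1 is the entry quoted in the thread, the other two
# are made up to exercise the remaining checks.
SAMPLE_PASSWD = """root:qkiAP.hEBSnSY:0:0:root:/root:/bin/sh
svc:$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.:0:0:service:/:/bin/sh
rigol:x:1000:1000::/home/rigol:/bin/sh
"""
```

Running `audit(SAMPLE_PASSWD)` reports the root entry twice (hash in passwd, DES scheme) and the constructed svc entry for md5crypt and a second uid 0; the shadowed rigol entry is clean.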
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 113
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1028 on: May 02, 2019, 07:35:18 am »
Changes for the beta firmware 03.01.01.04.04

Code:
        deleted:    firmware/env.cmd
        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        modified:   firmware/kerstrel.dts
        deleted:    firmware/kerstrel.its
        modified:   firmware/rootfs/rigol/K160M_TOP.bit
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/mail/etc/Muttrc
        modified:   firmware/rootfs/rigol/mail/etc/msmtprc
        modified:   firmware/rootfs/rigol/resource/appmeta.xml
        modified:   firmware/rootfs/rigol/resource/dsometa.xml
        modified:   firmware/rootfs/rigol/resource/help/b/cursor.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/display.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/la.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/quick.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/ref.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/storage.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/trigger.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/utility.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/vdecode.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/eyejit.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/quick.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/trigger.hlp
        modified:   firmware/rootfs/rigol/resource/menu/b.hex
        modified:   firmware/rootfs/rigol/resource/menu/c.hex
        modified:   firmware/rootfs/rigol/resource/menu/d.hex
        modified:   firmware/rootfs/rigol/resource/menu/desc.hex
        modified:   firmware/rootfs/rigol/resource/menu/h.hex
        modified:   firmware/rootfs/rigol/resource/menu/i.hex
        modified:   firmware/rootfs/rigol/resource/menu/j.hex
        modified:   firmware/rootfs/rigol/resource/menu/k.hex
        modified:   firmware/rootfs/rigol/resource/menu/l.hex
        modified:   firmware/rootfs/rigol/resource/menu/m.hex
        modified:   firmware/rootfs/rigol/resource/menu/menu.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ch.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ext.hex
        modified:   firmware/rootfs/rigol/resource/menu/msg.h
        modified:   firmware/rootfs/rigol/resource/menu/n.hex
        modified:   firmware/rootfs/rigol/resource/menu/o.hex
        modified:   firmware/rootfs/rigol/resource/menu/res.hex
        modified:   firmware/rootfs/rigol/resource/menu/t.hex
        modified:   firmware/rootfs/rigol/resource/menu/u.hex
        modified:   firmware/rootfs/rigol/resource/scpi/ACQuire.xml
        modified:   firmware/rootfs/rigol/resource/scpi/BUS1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/BUS2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/BUS3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/BUS4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CALibration.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/JITTer.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SEARch.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/TIMebase.xml
        modified:   firmware/rootfs/rigol/resource/scpi/TRIGger.xml
        modified:   firmware/rootfs/rigol/resource/scpi/scpiConfig.xml
        modified:   firmware/rootfs/rigol/shell/send_mail.sh
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcre.so.0.0.1
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcrecpp.so.0.0.0
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcreposix.so.0.0.0
        modified:   firmware/rootfs/rigol/webcontrol/lib/libz.so.1.2.7
        modified:   firmware/rootfs/rigol/webcontrol/sbin/lighttpd
        modified:   firmware/rootfs/rigol/webcontrol/sbin/lighttpd-angel
        modified:   firmware/zImage
        modified:   firmware/zynq.bit


Looking at just the text-based changes,
  • A lot of work went into jitter measurements, defining many more SCPI commands.
  • The mail stuff got changed (new default sender email and password, possibly that is an open mail relay, brr).
  • New commands like :SYSTEM:PWDCLEAR, :SYSTEM:ROM, SYSTEM:AUTCLEAR. Whatever these do.
  • Thai and Indonesian are now supported languages.
 
The following users thanked this post: thm_w, mrpackethead, luma, offmar

Offline mabl

  • Regular Contributor
  • *
  • Posts: 113
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1029 on: May 02, 2019, 01:50:04 pm »
Looking at the disassembled appEntry file, it looks to me like it's only able to start an SSH and FTP daemon, but not to stop either of them.
I'm not sure how to start it though. The start command is close to other UI stuff, and the string "Enter Project mode" is used close to it. I could imagine there is something like a maintenance menu we don't know about yet.

The corresponding function (0x275c30 in 4.4 stable firmware) has a single branch. Only in one branch does it go and print "Enter Project Mode". I have experimentally patched the branch to always branch here.

The message "Enter Project Mode" is subsequently shown when the Default button is pressed and the scope becomes available over SSH.

I still need to figure out how to trigger that branch manually though. Other Rigol scopes also have a project mode. See e.g. https://assets.tequipment.net/assets/1/26/Documents/Rigol/DS6064/ds6064_doc_7.pdf

EDIT: In the experimental beta firmware, the function is at 00272d0c. It is called by 00272f1c, which toggles the state in the passed data structure at offset 220 bytes.
« Last Edit: May 02, 2019, 02:21:55 pm by mabl »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1839
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1030 on: May 02, 2019, 01:55:22 pm »
It should be easily reproducible with the "specific" USB vendor disk inserted.

 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 113
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1031 on: May 02, 2019, 02:24:53 pm »
Do you have more info on that vendor disk? I have found references to /user/data and "#*@RIGOL*#" but have yet to find how to put it together.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1839
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1032 on: May 02, 2019, 02:35:30 pm »
Do you have more info on that vendor disk?

I'm not sure yet if this is the case in this specific functionality, but what I'm talking about is here:

https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1473517/#msg1473517
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 113
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1033 on: May 02, 2019, 02:40:34 pm »
 :wtf:

Wow indeed. I came across this magic. I even named function 001de418 in the beta as mount_usb. And this is exactly where that string comes up and magic is done. Cool!
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1839
  • Country: pt
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 113
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1035 on: May 02, 2019, 03:04:39 pm »
:D  You didn't complete your homework...

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2064766/#msg2064766

Ok thanks. I cannot wrap my head around how exactly this disk must look like. But anyways  ;D

The project mode is pretty close to other gui stuff and on older scopes it was just some random key combination. I guess it is the same here. I'll give up for now though  :-//
 

Offline KC0PPH

  • Supporter
  • ****
  • Posts: 117
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1036 on: May 03, 2019, 03:06:21 am »
UPS dropped mine off today. I got a 5072. Within about 5 minutes of opening it, I had all options.

Thanks Mabl and company for the hard work to make hacking this thing easy.

 

Online bdunham7

  • Super Contributor
  • ***
  • Posts: 1245
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1037 on: May 03, 2019, 05:04:04 pm »
UPS dropped mine off today. I got a 5072. Within about 5 minutes of opening it, I had all options.

Thanks Mabl and company for the hard work to make hacking this thing easy.

Does that include a bandwidth upgrade?  If so, to what level?
A 3.5 digit 4.5 digit 5 digit 5.5 digit 6.5 digit DMM is good enough for most people.
 

Offline MegaVolt

  • Frequent Contributor
  • **
  • Posts: 366
  • Country: by
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1038 on: May 03, 2019, 05:10:14 pm »
Does that include a bandwidth upgrade?  If so, to what level?
Full (350 MHz)
 

Offline typoknig

  • Regular Contributor
  • *
  • Posts: 53
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1039 on: May 03, 2019, 05:33:28 pm »
UPS dropped mine off today. I got a 5072. Within about 5 minutes of opening it, I had all options.

Thanks Mabl and company for the hard work to make hacking this thing easy.

Are they still shipping with the 00.01.04.04 firmware?
 

Offline KC0PPH

  • Supporter
  • ****
  • Posts: 117
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1040 on: May 03, 2019, 07:27:07 pm »
Yes they are still shipping (or at least mine arrived with .04.04 FW.)

As far as upgrading, steps were simple and easy (thanks to the talented individuals here)

1) Put Backup GEL file on Thumb Drive (Rename it to correct name)
2) Put in Scope and do FW upgrade
3) Save files Off of Thumb Drive to PC, and Put Hack FW on ThumbDrive
4) Put in Scope and do FW upgrade

I can confirm that the CHEAPEST model 5072 can be hacked to 350 MHz, 4 channels, all options permanent with the hack FW. I just wish they would give more of those "optional" BNC covers for the AWG.

It should take you longer to Format the USB drive to FAT32 than it does to hack the scope :)
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 2120
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1041 on: May 03, 2019, 08:46:06 pm »
Has anyone tested the rise/fall time in 350 MHz mode with the Leo Bodnar pulser? I'd like to see what those numbers are...
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 1533
  • Country: de
  • Testfield Technician

Offline alank2

  • Super Contributor
  • ***
  • Posts: 2120
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1043 on: May 03, 2019, 09:39:10 pm »
750ps average, very nice.
 

Offline angelo

  • Contributor
  • Posts: 32
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1044 on: May 06, 2019, 04:31:21 pm »
If I go to measurement, analysis, and jitter analysis, in PLL mode with a 1 MHz FM modulated 10 MHz carrier my scope freezes.

I emailed rigol support and they said this feature is not available to North America. I don't understand why this would be the case.

Can anyone else replicate, confirm, or offer advice?
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 113
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1045 on: May 06, 2019, 05:51:07 pm »
 :wtf: :clap:

Because it is an unofficial feature which is not yet released and only available because you hacked your scope... Don't complain to rigol about stuff which you should not even have...
 
The following users thanked this post: thm_w

Offline imo

  • Super Contributor
  • ***
  • Posts: 2653
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1046 on: May 06, 2019, 06:32:47 pm »
I emailed rigol support and they said this feature is not available to North America. I don't understand why this would be the case.
Tariffs war? :)
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11388
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1047 on: May 06, 2019, 06:37:34 pm »
If I go to measurement, analysis, and jitter analysis. In PLL mode with a 1MHz FM modulated 10MHz carrier my scope freezes.

I emailed rigol support and they said this feature is not available to North America. I don't understand why this would be the case.

Did they ask for your serial number so they could blacklist your 'scope's warranty?  :popcorn:
 

Offline angelo

  • Contributor
  • Posts: 32
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1048 on: May 06, 2019, 08:07:11 pm »
Didn't realize that was one of the unlocked features.

For sake of completeness is there a list of unlocked features that are not the typically advertised features?

Then if there is trouble with them I can suspect them being unsupported rather than malfunctioning.
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1604
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1049 on: May 06, 2019, 08:12:31 pm »
BW > 70MHz
Serial Decode (all of them)
Waveform Generators
MSO
200Mpts
Power analysis
Channels 3 & 4 if you have MSO5072
 
