Hacking the Rigol MSO5000 series oscilloscopes

[Fungus]

Starting from today, as soon as I connect the LAN cable and boot up the oscilloscope it stops reacting to any input after around 7 seconds.

• I tried it a couple of times, without LAN(with internet) connected, the oscilloscope works fine.
• But WITH LAN connected, it stops reacting to the touch screen, buttons and knobs after around 5-7 seconds.
• It seems like the oscilloscope is deactivating itself because it checks with a server and figures out it got hacked.
• It worked fine yesterday.

I'm using the DS5000Update_01.01.04.04.GEL firmware

Did anybody else notice that?

Hard to believe... but a packet sniffer will confirm it one way or another.

[Martin72]

Hi,

But WITH LAN connected, it stops reacting to the touch screen, buttons and knobs after around 5-7 seconds.

Have a look:

https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2518821/#msg2518821

https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2521134/#msg2521134

Martin

[adras]

Hi,

But WITH LAN connected, it stops reacting to the touch screen, buttons and knobs after around 5-7 seconds.

Have a look:

https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2518821/#msg2518821

https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/msg2521134/#msg2521134

Martin

Ah, ok, thanks for the relief

[serg_77]

Hi people. The site https://cn.rigol.com/Support/SoftDownload/3 has a new firmware MSO5000_00.01.01.04.08. Good luck to all.

[thm_w]

Hi people. The site https://cn.rigol.com/Support/SoftDownload/3 has a new firmware MSO5000_00.01.01.04.08. Good luck to all.

v00.01.01.04.08 2019/08/02

      -Fixed system crashed when clicking Default.
      -Fixed 4CH option bug.
      -Fixed noise signal captured.
      -Improved the measure result updating rate.
      -Fixed accurate measurements not updated in ROLL

Not a big upgrade from the notes, no bode plot or high-res fixes.
"4CH option bug" sounds like if you buy the 4-CH option it doesn't work properly? Which could be what I noticed, but it was resolved with a simple self-cal. Surprised someone actually bought it.
The chinese translation version is worded differently: "Fix version 2.3 of the 4CH option, not activated on version 4.4 and later".

[NoisyBoy]

Well, it would be interesting to see if the "enhancements" still work with this version of the firmware.

Agreed on it being a fairly short list given it takes 5 months to develop, likely all focus was on the MSO8000 scope launch.

[stmcore]

Enhancements "patch" not working with 04.08  but you can downgrade back to 04.04 using the secret menu.  while powering on
keep hitting  single button 

[NoisyBoy]

Good to know, as the install instruction doc states that firmware cannot be downgraded.

[mabl]

Not a big upgrade from the notes, no bode plot or high-res fixes.

Don't forget this should fix the overswings on self-cal for every one.

Enhancements "patch" not working with 04.08

Sure. Somebody will need to patch it again and provide a  updated patch to the general public.

[tv84]

Good to know, as the install instruction doc states that firmware cannot be downgraded.

It has stated that since the beginning. That will only happen when they change the bootloader.

And, of course, if you have a NAND dump backup, you can always restore it fully to a previous version.

[tv84]

MSO5000_00.01.01.04.08:

Code: [Select]

#echo "++ Starting telnet daemon"
#telnetd -l /bin/sh

#echo "++ Starting http daemon"
#httpd -h /var/www

#echo "++ Starting ftp daemon"
#tcpsvd 0:21 ftpd ftpd -w /&

#echo "++ Starting ssh daemon"
#/usr/sbin/sshd
Interesting that the K160 FPGA programming is the same as in the MSO8000 FW released a few days ago.

[stmcore]

Downgrading from 04.08 back to 04.04 is safe . Tested 100% .

[thm_w]

Interesting that the K160 FPGA programming is the same as in the MSO8000 FW released a few days ago.

This makes me think again that 10GS/s is available or actually used on the MSO5000. Not that it would make a huge difference vs 8GS/s, but its interesting thought.
Sort of what I measured in the other rigol thread, but it could just be software weirdness..

[mabl]

Just a heads up. On a hacked latest firmware the Jitter analysis works  (Did not get eye to work though.)

I leave it to others to prepare a general auto patcher this time, though.

[mabl]

MSO5000_00.01.01.04.08:
Interesting that the K160 FPGA programming is the same as in the MSO8000 FW released a few days ago.

Interestingly, the differences to latest MSO5000 firmware are really pretty minimal:

Code: [Select]

Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        deleted:    firmware/kerstrel.config
        deleted:    firmware/kerstrel.dts
        modified:   firmware/logo.png
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/default/cal.hex
        modified:   firmware/rootfs/rigol/drivers/usbtmc_dev.ko
        modified:   firmware/rootfs/rigol/resource/appmeta.xml
        modified:   firmware/rootfs/rigol/resource/boardmeta.xml
        modified:   firmware/rootfs/rigol/resource/dsometa.xml
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/100K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/10K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/10M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/1K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/1M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/25M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/50M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_2g/AUTO
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/100K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/100M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/10K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/10M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/1K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/1M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/25M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/50M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_4g/AUTO
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/100K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/100M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/10K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/10M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/1K
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/1M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/200M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/25M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/50M
        deleted:    firmware/rootfs/rigol/resource/satable/hori_8g/AUTO
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/shell/start.sh
        modified:   firmware/rootfs/rigol/tools/spi2cpld
        modified:   firmware/rootfs/rigol/tools/spi2dev
        modified:   firmware/rootfs/rigol/tools/spi2k7
        modified:   firmware/rootfs/rigol/tools/spi2pll
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcre.a
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcrecpp.a
        modified:   firmware/rootfs/rigol/webcontrol/lib/libpcreposix.a
        modified:   firmware/rootfs/rigol/webcontrol/lib/libz.a
        modified:   firmware/rootfs/rigol/webcontrol/webpages/Help.html
        modified:   firmware/rootfs/rigol/webcontrol/webpages/images/1.jpg
        modified:   firmware/zImage
        modified:   firmware/zynq.bit

Untracked files:
  (use "git add <file>..." to include in what will be committed)

        GEL/DS8000Update_00.01.01.00.00.GEL
        firmware/rootfs/rigol/cups/testPage.bmp
        firmware/rootfs/rigol/resource/satable/hori_10g/
        firmware/rootfs/rigol/resource/satable/hori_20g/
        firmware/rootfs/rigol/resource/satable/hori_2_5g/
        firmware/rootfs/rigol/resource/satable/hori_5g/
        firmware/rootfs/rigol/resource/satable/hori_5g_100m/
        firmware/unknown.config
        firmware/unknown.dts


[Sighound36]

Just a heads up. On a hacked latest firmware the Jitter analysis works  (Did not get eye to work though.)

I leave it to others to prepare a general auto patcher this time, though.

Hi mabl

Would you mind posting some images for this in actual operation, mine always crashes after 60 or so seconds then freezes requiring a hard reset.

I have several work colleagues with an opened up 5000 and they all have the same issue.

Firmware is the 04.04 version unit was purchased in April this year and has the build date on Feb 2019, all of the other MSO 5000 exhibit the same issues with the Jitter measurements (also try and engage the histogram) and the eye pattern will not work due to BW limitations I suspect.

The <SO8000 uses 10G/s and 10Mpts for eye pattern measurements I believe.

[mabl]

Remember, that jitter feature is not officially part of the MSO5000. The patch just blindly enables all features there are, I rigged up a simple test with the internal wave generator and firmware 01.01.04.08. See attached file. It feels stable. I guess they invested some effort for the MSO8000 launch and we just profit from that . Also auto baud rate detection works rather well.

[tv84]

Remember, that jitter feature is not officially part of the MSO5000.

I somewhat disagree. If that was the case, the option wouldn't be in the available options for MSO5000 (inside the code).

Maybe they decided to cut it off when deciding the BW versions of the 5000...

Would you mind posting some images for this in actual operation, mine always crashes after 60 or so seconds then freezes requiring a hard reset.

Maybe temperature comes into play... And that's why they decided to lower the sample rate...

alexvg has been investing hard in improving the temps.

Anyone knows if the DS7000 / MSO8000 has better thermal architecture than the one described by alexvg?

https://www.eevblog.com/forum/blog/new-rigol-scope/msg2552004/#msg2552004

[Shodge]

So the previous patch for SSH should work on the new firmware.  Can anyone confirm that?

Following mabl's lead, all that would be necessary to update the .GEL patch with a new appEntry_01_01_04_04.patch.gz file which locates the same code fragment in the updated appEntry.  Then repack...

Correct?

-Stan

[mabl]

So the previous patch for SSH should work on the new firmware.  Can anyone confirm that?

Confirmed.

Following mabl's lead, all that would be necessary to update the .GEL patch with a new appEntry_01_01_04_04.patch.gz file which locates the same code fragment in the updated appEntry.  Then repack...

You first need a patched appEntry. The license code has changed a bit in wake of the MSO8000 launch I guess. I'm not sure the bit sequences are identical. I just identified the relevant function again and patch it to always return 1. I then copied it over to the scope to /tmp via ssh; marked it executable and then run it. All worked, so I copied it over to /rigol/ on my scope and saved everything with a call to sync.

The patcher is required if others want to have a USB install method. Some pages pack I already provided bspatch/bsdiff compiled with that ancient Xilinx toolchain. That will be a far preferred option than doing that base64 encoding/text patch/decode thingy of my initial patch script. I'm sure based on this others will be able to create a nice solution. I just don't want to commit mass copy right infringements anymore    For now rest assured that hacking the scope is still possible.

On a side node, the self calibration is now absolutely perfect and I can trim the provided probes to a perfectly flat response. Feels even a bit better than the calibration with the (hacked) beta firmware.

[phips]

Hello community,

just signed up to reply to this amazing thread.
I'm a beginner in hardware hacking and want to understand the hack deeply.
At the moment I don't own a MSO5000.
Nevertheless I want to understand what you did to turn on all functions.

Does anyone know a reference to some kind of walk through, what was patched and how the journey went there?


Best

[Sighound36]

Remember, that jitter feature is not officially part of the MSO5000. The patch just blindly enables all features there are, I rigged up a simple test with the internal wave generator and firmware 01.01.04.08. See attached file. It feels stable. I guess they invested some effort for the MSO8000 launch and we just profit from that . Also auto baud rate detection works rather well.

Hi mabl

Thank you for sharing 

The jitter feature which is now working on your machine has to be related to the new FW, your machine has three more options installed on the jitter tab.

Something to attend to at the weekend!

[swansonbroth]

Can anybody share the new firmware (patched ;-)) with the new Options like Jitter??

[delfinom]

I just don't want to commit mass copy right infringements anymore 

I don't blame you with sites like hackaday broadcasting the hack out loud. (Meanwhile hypocritically they censored the Tektronix hacks they had)

Thanks for your work though, easy enough to build upon

[thm_w]

So here are the notes from what I've gathered so far:
- Connect scope to PC/network with ethernet
- Apply patch to enable SSH
- SSH into the scope, backup files if needed, then copy appEntry file to your USB (cp /rigol/appEntry /media/sda1/).
- Apply patch to the binary (this part is known by mabl but not public, needs to be figured out)
- Copy this file back to the scope in temporary location, mark as executable (chmod +x appEntry)
- Test run it by using command: ./appEntry $PowerOn -run
- If it works, replace the original appEntry, and sync


Side note: can run 'top' to see CPU usage:
- All channels on or off 4-5%
- Logic analyzer on 5%
- FFT on 60-70%