Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 901363 times)


Offline borjam

  • Supporter
  • ****
  • Posts: 908
  • Country: es
  • EA2EKH
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1225 on: August 22, 2019, 02:08:35 pm »
Phoning home would be quite rude.

I hate something like this, especially when it's done by the same guys who are able to create the SMTP vulnerabilities that we saw in the last few days...

Deeply worrisome!!

With all the paranoia about Chinese equipment with backdoors it's extraordinarily dumb to do something like that.

If they are deeply worried about hacking, well, it's not that hard to make it much more difficult. I can even imagine that they somewhat tolerate some hacking activity in the lower end.

I recall that Siglent dropped an automatic firmware version check from the SDS1202X-E and I wouldn't be surprised if that was the reason.

So is it really just an RSA encrypted packet? If it connects using SSL/TLS it could be possible to try to intercept it. Maybe they won't actually check the certificate (or it's possible to replace certificate trust settings on a firmware file).
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 131
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1226 on: August 22, 2019, 02:34:37 pm »
With all the paranoia about Chinese equipment with backdoors it's extraordinarily dumb to do something like that.

If they are deeply worried about hacking, well, it's not that hard to make it much more difficult. I can even imagine that they somewhat tolerate some hacking activity in the lower end.


Most of the backdoors I have seen, even in examples of the "backdoored" Chinese equipment, can be described by Hanlon's razor, just like in Rigol's SMTP case.

Quote
Never attribute to malice that which is adequately explained by stupidity

People get paranoid because of the "Chinese" boogeyman (not to say there isn't a threat), but I've seen equivalent stupidity from American equipment vendors; even big names like Cisco are part of it, like this, or this, or this, or this (suspicious they keep leaving these backdoors, eh?)


Just reinforcing the point that you can't trust any piece of networked hardware from any vendor anywhere in the world.



So is it really just an RSA encrypted packet? If it connects using SSL/TLS it could be possible to try to intercept it. Maybe they won't actually check the certificate (or it's possible to replace certificate trust settings on a firmware file).

SSL/TLS  :-DD
No, they are posting it over http.
« Last Edit: August 22, 2019, 02:42:36 pm by delfinom »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1227 on: August 22, 2019, 02:38:22 pm »
So is it really just an RSA encrypted packet? If it connects using SSL/TLS it could be possible to try to intercept it. Maybe they won't actually check the certificate (or it's possible to replace certificate trust settings on a firmware file).

The info seems to be packaged and then encrypted with the RSA pubkey. It's not a big deal since we can intercept the info buffer (in realtime) before the encryption and see what is being packaged.

It's mostly info from the /data dir. But this is from what I've seen. There could be other info exchanges that I didn't notice.
 

Offline borjam

  • Supporter
  • ****
  • Posts: 908
  • Country: es
  • EA2EKH
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1228 on: August 22, 2019, 02:46:37 pm »
Most of the backdoors I have seen, even in examples of the "backdoored" Chinese equipment, can be described by Hanlon's razor, just like in Rigol's SMTP case.

Quote
Never attribute to malice that which is adequately explained by stupidity

I know, that's why I said "paranoia". ;) That said, lousy security can be a very serious problem in some environments.

Quote
People get paranoid because of the "Chinese" boogeyman (not to say there isn't a threat), but I've seen equivalent stupidity from American equipment vendors; even big names like Cisco are part of it
Of course. Getting it right in a big company is very hard. Especially when everything was just soooo coool, dude, in happiest times! ;) Straightening poor practices inherited from the past is really difficult.

Quote
Just reinforcing the point that you can't trust any piece of networked hardware from any vendor period.
And indeed you are right. My comment deals with the trust problem that these new manufacturers can face. They are newcomers, they are beginning to sell somewhat mature products, and nowadays people pay much more attention to this crap than 30 years ago.

 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 131
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1229 on: August 22, 2019, 03:33:53 pm »
Of course. Getting it right in a big company is very hard. Especially when everything was just soooo coool, dude, in happiest times! ;) Straightening poor practices inherited from the past is really difficult.


Well, I don't see it as an issue about getting it right at a big company. It's the year 2019. A "big company" not auditing its releases and processes at this point is committing willful negligence (or, if I continue my rant about Cisco, increasingly outsourcing their development to a patchwork of lowest bidders; it doesn't take "a change in company practices" to learn how to grep your update packages for SSH keys before release).


The optics are just against new/smaller manufacturers like you say.
« Last Edit: August 22, 2019, 04:00:17 pm by delfinom »
 

Offline Sighound36

  • Frequent Contributor
  • **
  • Posts: 549
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1230 on: August 22, 2019, 03:46:44 pm »
Unfortunately a lot of large corporate entities are very much in the big-company mentality where the left hand doesn't know what the right hand is doing.

In this case Rigol should take a very serious look at the cyber security dept and kick a few backsides, as this is a fundamental faux pas of large proportions. The possibility of looking in on any of Rigol's personal and private files even for a brief period is pretty grim; as a customer it certainly does no favors for their brand image or credibility in the market place, which is a shame.

Looking to trade up to an MSO 8000 very soon, maybe not so sure now  :-\
« Last Edit: August 22, 2019, 07:21:25 pm by Sighound36 »
Seeking quality measurement equipment at realistic cost with proper service backup. If you pay peanuts you employ monkeys.
 

Online Martin72

  • Super Contributor
  • ***
  • Posts: 5670
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1231 on: August 22, 2019, 07:42:54 pm »
I didn't see a reason to connect my scope to the LAN at home; at work I would be "killed" if I connected anything other than my authorized notebook to the LAN.
So I don't have problems with things that want to phone home... they couldn't.
Or:

Does anyone have a Fire TV Stick from Amazon? Or a PC connected to the LAN? Or Alexa? Or home automation?
So why worry about a scope...

Offline Shodge

  • Contributor
  • Posts: 19
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1232 on: August 23, 2019, 01:30:43 am »
As an FYI, if you are using a somewhat modern router, it is pretty easy to set up a rule to prohibit the scope's NIC from going through the router. You can still access it on your LAN, but it can no longer 'call home'.

DD-WRT (router firmware) calls this 'Access Restrictions -> Wan'.


-Stan
« Last Edit: August 23, 2019, 01:35:29 am by Shodge »
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5121
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1233 on: August 23, 2019, 07:37:02 am »
Or just set a fixed IP and leave the gateway out.
Keyboard error: Press F1 to continue.
 
The following users thanked this post: tv84, serg_77
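Shodge's router rule and PA0PBZ's static-IP-without-gateway suggestion are two ways of cutting off the plain-HTTP callback delfinom describes while keeping the scope reachable on the LAN. As an added illustration, not code from the thread or from Rigol, the Python below does the two checks a defender would want: it scans router forward-log lines for flows from the scope's LAN address to anything outside the LAN, and it models the route table of a host configured without a gateway to show why a WAN destination becomes unreachable while LAN peers stay reachable. The scope address 192.168.1.50, the 192.168.1.0/24 LAN, the gateway 192.168.1.1 and the log lines are all constructed for the example.

```python
"""Two defender-side checks for a LAN device that phones home (added example,
not code from the thread or from Rigol).

1. Detect: find router forward-log lines where the scope talks to any
   address outside the LAN (the plain-HTTP callback discussed above).
2. Contain: model the route table of a host with a static IP and no
   gateway, and show that a WAN destination simply has no route.
"""
import ipaddress
import re
from typing import Optional

# Constructed addresses: assume the scope sits at 192.168.1.50 on a /24 home LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
SCOPE_IP = ipaddress.ip_address("192.168.1.50")

# Constructed netfilter-style LOG lines, as a Linux router's FORWARD chain
# would emit them. IN=br0 is the LAN bridge, OUT=eth0 the WAN uplink.
SAMPLE_LOG = """\
Aug 22 14:08:35 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP DPT=80
Aug 22 14:08:36 router kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP DPT=5555
Aug 22 14:09:01 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.21 DST=198.51.100.7 PROTO=TCP DPT=443
Aug 22 14:10:12 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP DPT=25
"""

_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_log_line(line: str) -> dict:
    """Pull the KEY=VALUE fields we care about out of one netfilter LOG line."""
    return dict(_FIELD.findall(line))


def wan_egress_from(log: str, host: ipaddress.IPv4Address, lan=LAN) -> list:
    """Return (dst, proto, dport) for every logged flow from `host` to an
    address outside `lan`. LAN-internal traffic is deliberately ignored:
    the goal is to keep local access and only block the WAN."""
    hits = []
    for line in log.splitlines():
        f = parse_log_line(line)
        if "SRC" not in f or ipaddress.ip_address(f["SRC"]) != host:
            continue
        dst = ipaddress.ip_address(f["DST"])
        if dst not in lan:
            hits.append((str(dst), f.get("PROTO", "?"), int(f.get("DPT", 0))))
    return hits


def next_hop(routes, dst: str) -> Optional[str]:
    """Longest-prefix-match lookup over (network, via) pairs. `via` is None
    for an on-link route. Returns the gateway, "on-link", or None when no
    route exists at all (which is what leaving the gateway out achieves)."""
    target = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    return best[1] if best[1] is not None else "on-link"


# Route table of a host with a static IP and NO gateway: only the on-link LAN route.
NO_GATEWAY_ROUTES = [(LAN, None)]
# The same host with the usual default route, for comparison (gateway constructed).
WITH_GATEWAY_ROUTES = [(LAN, None), (ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1")]

if __name__ == "__main__":
    for dst, proto, port in wan_egress_from(SAMPLE_LOG, SCOPE_IP):
        print(f"scope -> outside LAN: {dst} {proto}/{port}")
    for dst in ("192.168.1.20", "203.0.113.10"):
        print(dst, "no gateway:", next_hop(NO_GATEWAY_ROUTES, dst),
              "| with gateway:", next_hop(WITH_GATEWAY_ROUTES, dst))
```

The log scan flags the scope's two flows to 203.0.113.10 (ports 80 and 25, i.e. the HTTP callback and the SMTP client discussed later in the thread) and ignores its connection to a LAN peer; the route lookup returns no route at all for the same destination once the default gateway is absent.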

Offline Xtremexp

  • Regular Contributor
  • *
  • Posts: 83
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1234 on: August 24, 2019, 05:58:34 am »
Does this enable all features?

Thanks.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1235 on: August 24, 2019, 03:07:06 pm »
Here's a new bspatch that should disable two callbacks to rigol. But I could only test that it stopped storing the response in /tmp/firmware.xml right now.

delfinom, what about disabling email capabilities?

sub_273B50
sub_2745AC
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 131
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1236 on: August 25, 2019, 02:15:01 am »
Here's a new bspatch that should disable two callbacks to rigol. But I could only test that it stopped storing the response in /tmp/firmware.xml right now.

delfinom, what about disabling email capabilities?

sub_273B50
sub_2745AC

May be better to just nuke the SMTP client at /rigol/mail/bin/msmtp
I like how in the invocation they are turning off TLS.

273B50 creates the config file for it.
2745AC sends mail using it
« Last Edit: August 25, 2019, 02:18:08 am by delfinom »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1237 on: August 25, 2019, 03:05:08 pm »
My analysis (FW v00.01.01.04.08):

sub_273B50 - load_mail_config_vars
/rigol/mail/etc/Muttrc
/rigol/mail/etc/msmtprc

sub_2745AC - send_mail_test
/rigol/mail/bin/msmtp

sub_274B70 - send_mail
/rigol/shell/send_mail.sh (uses /rigol/mail/bin/mutt)

It seems they use it to send system logs and/or screen snapshots of the scope. Let's assume that with our previous authorization.

To stop mails from the MSO5000:

Option 1
Delete/rename files:
/rigol/mail/bin/msmtp
/rigol/mail/bin/mutt

Option 2
Patch appEntry (sub_275A08):
offset 0x26DA08 - patch: 00 48 2D E9 -> 1E FF 2F E1
 
The following users thanked this post: thm_w, serg_77, Sighound36
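Option 2 above is a four-byte replacement at a fixed offset, which only makes sense on the exact build it was derived from. As an added example, not code from the thread or from any of its posters, the Python below wraps such a patch in the check a practitioner would want: it refuses to write unless the bytes already at the offset are the expected ones, so the patch cannot silently land in the wrong place on another firmware version or be applied twice. The offset and both byte strings are taken from the post above; the zero-filled stand-in image and the helper names are constructed.

```python
"""Verify-before-patch helper for one in-place byte replacement (added example,
not code from the thread or from Rigol). Offset and byte values are the ones
tv84 gives for Option 2; the sample image below is constructed."""

# Option 2 from the post: at file offset 0x26DA08 of appEntry, replace
# 00 48 2D E9 (little-endian ARM E92D4800 = push {r11, lr}, the prologue of
# sub_275A08) with 1E FF 2F E1 (E12FFF1E = bx lr), so the function returns
# immediately and never sends mail.
PATCH_OFFSET = 0x26DA08
EXPECTED = bytes.fromhex("00482DE9")
REPLACEMENT = bytes.fromhex("1EFF2FE1")


class PatchMismatch(Exception):
    """Raised when the bytes at the offset are not the ones the patch expects."""


def apply_patch(data: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a copy of `data` with `replacement` written at `offset`, but only
    if `expected` is currently there. Refusing otherwise is the whole point:
    a blind write into a different build would corrupt it."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the file size")
    if offset < 0 or offset + len(expected) > len(data):
        raise PatchMismatch(f"offset 0x{offset:X} is outside the file ({len(data)} bytes)")
    found = data[offset:offset + len(expected)]
    if found != expected:
        raise PatchMismatch(
            f"at 0x{offset:X} expected {expected.hex()} but found {found.hex()}; "
            "wrong firmware version or already patched?")
    patched = bytearray(data)
    patched[offset:offset + len(replacement)] = replacement
    return bytes(patched)


def is_patched(data: bytes, offset: int = PATCH_OFFSET, replacement: bytes = REPLACEMENT) -> bool:
    """True when the replacement bytes are already in place (idempotence check)."""
    return data[offset:offset + len(replacement)] == replacement


def patch_applies(data: bytes) -> bool:
    """True if the Option 2 patch would apply cleanly to `data`, False if it is refused."""
    try:
        apply_patch(data, PATCH_OFFSET, EXPECTED, REPLACEMENT)
        return True
    except PatchMismatch:
        return False


def make_sample_image(size: int = PATCH_OFFSET + 64) -> bytes:
    """Constructed stand-in for appEntry: zero-filled, with the expected prologue at PATCH_OFFSET."""
    img = bytearray(size)
    img[PATCH_OFFSET:PATCH_OFFSET + len(EXPECTED)] = EXPECTED
    return bytes(img)


if __name__ == "__main__":
    image = make_sample_image()
    patched = apply_patch(image, PATCH_OFFSET, EXPECTED, REPLACEMENT)
    print("patched:", is_patched(patched))
    print("second application refused:", not patch_applies(patched))
```

The same guard carries over to a real file: read it fully, check the firmware version matches the one the offset was derived from, run apply_patch, and only then write the result back (to a copy, keeping the original for the rename-back route Option 1 suggests).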

Online tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1238 on: August 26, 2019, 06:26:54 pm »
I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

I will have a new look at this claim in the coming days. I have a "feeling"...   ;)

Edit1: I'll start by recreating what is shown in this image. (And, yes, I believe it's a real image...) It should be pretty easy to do (although not by everyone).

These Asiatic forum members are extremely volatile and that's why this line of thought has been kept buried somewhere! I'll try to dig it up in plain English...  :)


https://www.eevblog.com/forum/testgear/rigol-mso5000-upgrade-to-500m-bandwidth/msg2316924/#msg2316924

I will then need some external help to test the performance. But that should be easy for some of you guys!

Once we do this step, we step up the game...

Let's see where we'll end.

(Of course, let's hope all of this may be extendable to the 7000, 8000 series.)

PS: And, all in "feature" mode. No "patches" or "hacks".   :popcorn:
« Last Edit: August 26, 2019, 10:40:28 pm by tv84 »
 
The following users thanked this post: Sparky, thm_w, luma, 2N3055, NoisyBoy, serg_77, Xtremexp

Offline luma

  • Regular Contributor
  • *
  • Posts: 130
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1239 on: August 27, 2019, 01:38:47 pm »
That last thread left off with a suggestion that this was an April Fool's thing.  Do we have reason to think the front end on these devices can function past 500MHz?
 

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1240 on: August 27, 2019, 01:44:23 pm »
Maybe. Same chip as the MSO8000, but it will not be interesting because of the missing 50 Ohm input. 500MHz is the max that can be done with a passive probe.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1241 on: August 29, 2019, 09:30:30 pm »
So, as promised, here is the replication of that accomplishment. And, I will not disappear in the mist...

The tests (done by another forum member) with the new FW version still continue.

But, at first sight, it seems that the BW limit of the MSO5000 is definitely near the 500MHz mark and doesn't go further:

To be continued...

« Last Edit: August 29, 2019, 10:07:26 pm by tv84 »
 
The following users thanked this post: KeBeNe, thm_w, NoisyBoy, Xtremexp

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1242 on: August 29, 2019, 10:43:01 pm »
But, at first sight, it seems that the BW limit of the MSO5000 is definitely near the 500MHz mark and doesn't go further:
Maybe the lack of 50ohm input?
 

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 503
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1243 on: August 29, 2019, 11:25:51 pm »
tv84,

That’s an excellent update, can’t wait to learn more. 

Even if we don’t use all 500MHz, just not having the -3dB drop at 350MHz is a welcomed enhancement.

I agree that not having the 50 Ohm input would limit how high we can go on the hardware without modification.

Have you had a chance to check if heat on the front end increases with the update and how well the existing cooling handles it?
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6272
  • Country: ca
  • Non-expert
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1244 on: August 29, 2019, 11:46:40 pm »
tv84,

That’s an excellent update, can’t wait to learn more. 
Even if we don’t use all 500MHz, just not having the -3dB drop at 350MHz is a welcomed enhancement.
I agree that not having the 50 Ohm input would limit how high we can go on the hardware without modification.
Have you had a chance to check if heat on the front end increases with the update and how well the existing cooling handles it?

It's already been measured at 450-500MHz prior to the modifications tv84 is currently working on: https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/
What he could unlock is possibly >500MHz or >8 GS/s, the second of which would increase power consumption.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline nimish

  • Regular Contributor
  • *
  • Posts: 144
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1245 on: August 30, 2019, 03:13:47 am »
tv84,

That’s an excellent update, can’t wait to learn more. 
Even if we don’t use all 500MHz, just not having the -3dB drop at 350MHz is a welcomed enhancement.
I agree that not having the 50 Ohm input would limit how high we can go on the hardware without modification.
Have you had a chance to check if heat on the front end increases with the update and how well the existing cooling handles it?

It's already been measured at 450-500MHz prior to the modifications tv84 is currently working on: https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/
What he could unlock is possibly >500MHz or >8 GS/s, the second of which would increase power consumption.

Is > 8GS/s needed at 500MHz max BW? It looks like the hard analog bw 3dB point is 500MHz, which is likely limited by the actual frontend. So with 4x oversampling that's 2GS/channel and that's enough for 500MHz I guess. But I am not an expert.
 

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 503
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1246 on: August 30, 2019, 04:03:38 am »
thm_w, thanks for pointing that post out. 

Do you happen to know what "correction of the measuring path" means in graph 4.1 for the MSO5000?  In the MSO4000, I believe they upgraded the heat sinks for the FPGA and ADC, I wonder if they perform the same hardware upgrade in the MSO5000 to get this "correction".

I ask because without this correction, it is -2.2dB at 350MHz, vs. -0.6dB with correction, that's a meaningful difference.  And without this correction, the -3dB point is about 450 MHz.

But if tv84 can perform his magic, I would gladly take the extra 100MHz bandwidth  :-+



It's already been measured at 450-500MHz prior to the modifications tv84 is currently working on: https://www.eevblog.com/forum/testgear/review-rigol-mso5000-tests-bugs-questions/
What he could unlock is possibly >500MHz or >8 GS/s, the second of which would increase power consumption.
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1247 on: August 30, 2019, 03:20:59 pm »
After an embarrassingly long delay, here are the changes for 01.04.08 uploaded to git:
https://gitlab.com/riglol/rigolee/commit/ae77323ac04da753d98ae9a1d99a658e000b9088

for those that care ;)

Offline luma

  • Regular Contributor
  • *
  • Posts: 130
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1248 on: August 30, 2019, 08:19:33 pm »
Using the existing 350MHz license unlock myself and others have tested the MSO5074 up around 450MHz already.  Is the 500MHz unlock just a display thing? Or is there some extra headroom left in these things?
 

Offline rucu

  • Newbie
  • Posts: 2
  • Country: dk
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1249 on: August 31, 2019, 10:39:41 am »
I managed to goof up. I tried following the same lines of the hack in this thread, but managed to get myself in a bad situation.
I was trying as a first step to gain SSH access to my MSO5000 scope, which I did by modding the start.sh file. I appended the following code to the end of the file:

Code:
/usr/sbin/sshd
/etc/init.d/550sshd restart

However, now after applying the patched firmware to the scope, it correctly goes into the boot loading showing the RIGOL logo; however, when the progress bar reaches the end it stalls - I assume because one of the commands I added is not valid.

I've tried holding down the SINGLE button while booting, but I do not seem to get into the secret menu to be able to re-patch the firmware.
Also, even with the network cable plugged in, the network does not seem to initialise and the Rigol scope does not get assigned an IP, so SSH does not seem like an option to recover either.

Do you guys have any ideas on how to recover from this?
« Last Edit: August 31, 2019, 10:47:17 am by rucu »
 

