Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 181241 times)

Offline Martin72

  • Frequent Contributor
  • **
  • Posts: 583
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1275 on: September 07, 2019, 01:07:24 pm »
Very interesting, how can I activate this ?

Offline mabl

  • Regular Contributor
  • *
  • Posts: 100
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1276 on: September 07, 2019, 01:31:15 pm »
I have updated my initial post about this above. I think the project mode is normally enabled by a key combination. I have not found it yet though. So for now, one can add a new SCPI command, which will also trigger project mode (see above post). One can then just use TCP/IP (default port 5555) or USB to send the SCPI command.

In general, I feel that I have not yet found all the user interface definition and logic. The binary has multiple resources inside, such as PNGs and XML data. That is a feature for Qt, see here. However, it also includes compressed artifacts, so just searching is not always successful. I looked at some binary extractors for Qt, but they failed. Possibly one can dump the memory of the appEntry process too...
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 7936
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1277 on: September 07, 2019, 05:27:05 pm »
Quote
Well after reading all of this thread and half the rest of the forum - bought my first Oscilloscope yesterday from the RigolNA clearance section - MSO5074. Buy once cry once - but I'll update once I get it setup and ... patched ....  :-+

Nice catch. I wouldn't have expected MSO5000 to be in there already.
I TEA.
 

Offline AngusBeef

  • Regular Contributor
  • *
  • Posts: 78
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1278 on: September 07, 2019, 05:31:00 pm »
Quote
Well after reading all of this thread and half the rest of the forum - bought my first Oscilloscope yesterday from the RigolNA clearance section - MSO5074. Buy once cry once - but I'll update once I get it setup and ... patched ....  :-+

Nice catch. I wouldn't have expected MSO5000 to be in there already.

They had a 5072 there as well the other day but I wanted 4 probes and factory warranty for four channels
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 928
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1279 on: September 08, 2019, 10:00:25 am »
That code decodes inside the servEdgeTrigger::_cmdEntry (at 0x0149e634) to function at 0x0023ccbc. However that function forwards to the identical code 12073 to "utility" (at 0x014a1f58) to fun at 0x0027839c. That function returns if the project mode is enabled or not; I would have expected it to route to the project state toggle (cmd 48) defined one entry above. But anyways, it looks like there is a relation between edge trigger mode and project mode. Interestingly, going into edge trigger mode was one of the requirements to manually trigger project mode on older scopes, see also here.

mabl, very nice finds!!!  I'll try to replicate it to see if I can help finding the key sequence as I have some logs from the "not married" investigation. ;)
 

Offline AngusBeef

  • Regular Contributor
  • *
  • Posts: 78
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1280 on: September 09, 2019, 08:59:10 pm »
MSO5000 arrived today. Applied the patched .04.04 GEL and it worked easily. However channel 1 overshoots and channel 2-4 undershoot regardless of probes. I have the self-calibration running right now to see if it resolves it, but after a little reading it seems the self-calibration is mostly focused on ensuring the internal offset to show an accurate 0v is accurate
 

Online TK

  • Super Contributor
  • ***
  • Posts: 1154
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1281 on: September 09, 2019, 09:02:16 pm »
You need firmware 04.08 to have the overshoot-undershoot correction
 

Offline AngusBeef

  • Regular Contributor
  • *
  • Posts: 78
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1282 on: September 09, 2019, 09:15:47 pm »
Quote
You need firmware 04.08 to have the overshoot-undershoot correction

Awesome! I may have missed it but I'm assuming there's a different update patch in this thread I can find once I'm back at my PC, or it's back to the ole Putty?
 

Offline Martin72

  • Frequent Contributor
  • **
  • Posts: 583
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1283 on: September 09, 2019, 09:25:03 pm »
Quote
Very interesting, how can I activate this ?

Rigol.eu told me, they don´t know about a project mode on the 5000/7000....


Offline tv84

  • Frequent Contributor
  • **
  • Posts: 928
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1284 on: September 09, 2019, 09:39:42 pm »
Quote
Rigol.eu told me, they don´t know about a project mode on the 5000/7000....

I believe that. But, refer them to mabl's post and they'll learn how to enable it.  ;D
 

Offline Martin72

  • Frequent Contributor
  • **
  • Posts: 583
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1285 on: September 10, 2019, 07:41:50 pm »
They wouldn´t know about it because they don´t need it for servicing.

Quote
But, refer them to mabl's post and they'll learn how to enable it.

That´s what I replied…. 8)
OK, not directly.. ;)

Offline Martin72

  • Frequent Contributor
  • **
  • Posts: 583
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1286 on: September 11, 2019, 06:52:35 pm »
Hmpf,

After updating to 01.01.04.08, mabl´s usb patch wouldn´t function any more... :(

EDIT:

Downgrade to 01.01.04.04 doesn´t function, too…..

Message in both cases : "Failed to upgrade, check the upgrade file"
« Last Edit: September 11, 2019, 06:57:46 pm by Martin72 »
 

Online TK

  • Super Contributor
  • ***
  • Posts: 1154
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1287 on: September 11, 2019, 07:33:22 pm »
Quote
After updating to 01.01.04.08, mabl´s usb patch wouldn´t function any more... :(

What is mabl's usb patch?
 

Offline Martin72

  • Frequent Contributor
  • **
  • Posts: 583
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1288 on: September 11, 2019, 07:43:54 pm »
It´s a little (20kb) GEL file which enables all options.
Edit : https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251401/#msg2251401

Meanwhile I could downgrade to 04.04, thanks to the secret menu…... ;)
Hope, there will be a new "usb-patch" in the future, which works with newer Firmware ( I´m dependent on the cracks here... :( )

Edit 2 : Could it be patched with the "old" all options file although having the latest Firmware installed, by using the secret menu…..hm-hm...
« Last Edit: September 11, 2019, 07:50:34 pm by Martin72 »
 

Online TK

  • Super Contributor
  • ***
  • Posts: 1154
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1289 on: September 11, 2019, 07:52:31 pm »
mabl said that he doesn't want to create a new usb hack file. The hack for 01.01.04.08 is applied using a bdiff patch file using the sshd hack
 

Offline Martin72

  • Frequent Contributor
  • **
  • Posts: 583
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1290 on: September 11, 2019, 07:56:53 pm »
I don´t have the skills to do the hack apart from the usb hack file….. :(
So I have to wait until someone has mercy for users like me.  ;)

Offline AngusBeef

  • Regular Contributor
  • *
  • Posts: 78
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1291 on: September 11, 2019, 10:35:13 pm »
Quote
I don´t have the skills to do the hack apart from the usb hack file….. :(
So I have to wait until someone has mercy for users like me.  ;)

I struggled my way through it and will do a write up shortly, but in the meantime if you don't have a Linux computer I recommend downloading VirtualBox (https://www.virtualbox.org/) and following the instructions to install Linux on your virtual computer running inside virtualbox (https://download.virtualbox.org/virtualbox/6.0.12/UserManual.pdf)

Once you've got Linux installed it will make it possible to accomplish the patch.

For non-Linux nerds this distro is very user friendly  - https://www.linuxmint.com/

It is possible to accommodate the patch using Windows software but it's much easier in Linux
 

Offline furmek

  • Newbie
  • Posts: 2
  • Country: au
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1292 on: September 11, 2019, 11:04:57 pm »
A write-up will be greatly appreciated :)

BTW if you're running any recent version of Windows 10 you can use Windows Subsystem for Linux.
I find it easier than VirtualBox:
- open Windows Store app
- type "WSL" in search box
- pick your flavor (right now 8 available)
- Hit Get
- profit
 

Offline AngusBeef

  • Regular Contributor
  • *
  • Posts: 78
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1293 on: September 11, 2019, 11:25:32 pm »
This is just a play-by-play of what I did – I struggled my way through it so there are ways to run things more efficiently or better that I wasn’t aware of at the time.

Step 1: Get your Linux workstation functional, either by installing directly or running it within VirtualBox. I’m using a Windows PC so I’m running everything through VirtualBox, which just adds a couple intermediate steps.

Step 2:
Get organized – I made 3 folders, “Upgrade”, “Enable SSH”, and “Patch”.
-   In the Upgrade folder, download the 01.01.04.08 GEL from GitLab and rename it DS5000Update.GEL (https://gitlab.com/riglol/rigolee/blob/MSO5000/GEL/DS5000Update_01.01.04.08.GEL)
-   In the Enable SSH folder, add the GEL file from this post and rename it DS5000Update.GEL (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2234076/#msg2234076)
-   In the Patch folder, download the Bpatch folder from this post and remove the .txt extension (https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701)

Step 3: Upgrade the MSO5000 using the DS5000Update.GEL file from the Upgrade Folder. Put the file onto the root directory of the USB drive and then go to the Utility / System / Help / Local Upgrade menu once you’ve put the USB into the MSO5000 and upgrade to 01.01.04.08. Restart the Oscilloscope.

Step 4: Now time for the heavy lifting. Put the USB drive back into the computer and remove the update file you just used from the USB stick. Now go to the Enable SSH folder and put that DS5000Update.GEL file onto the USB drive. Put the USB stick into the MSO5000 and run the Local Upgrade again. Oh no, it failed! Except it didn’t, as @mabl stated in his post, it will look like it failed but it works. DO NOT RESTART THE OSCILLOSCOPE, otherwise you will have to run step 4 again. Also, leave the USB stick in the MSO5000 for the next steps.

Step 5: If it’s not already connected, connect your MSO5000 to your LAN or use a crossover cable if you have one to hook it to your computer. If all you have is “normal” LAN cables, you’ll need to use your router and can’t hook directly to your PC. Now go to the Utility/ IO / LAN menu and write down the IP address of your MSO5000.

Step 6: If it’s not already in your distro, go to the software manager and download Putty so that you can SSH (Secure Shell) across the network into your MSO5000. Once it’s downloaded, you’re going to follow some of the instructions from @TopLoser that @TrickTronic posted.  First, run PuTTY and put the IP address into the IP window, use Port 22, and select SSH for your connection type. Then, use “root” as the username and “Rigol201” as the pwd. You’re now connected to the Oscilloscope.

Step 7: In the SSH, type (without quotes) “cp /rigol/appEntry /media/sda1/”. Once it’s finished writing it to the USB stick (although it’s probably not the “best” answer), just pull the USB stick out and put it back into your computer. Copy the bspatch file into the root of the USB stick as well. Right click and open a terminal window starting in the USB stick and type “bspatch appEntry appEntryPatched appEntry_01_01_04_08.bpatch” into the terminal. It will create you a new file called appEntryPatched. Rename the original file to appEntryUnpatched or something similar and then rename the patched file to appEntry. Now remove the USB stick and put it back into the Oscilloscope.

Step 8: I hope you kept your SSH open, if not then open it back up. Type “cd /media/sda1”. If the command fails, replace sda1 with sdb1. My MSO5000 mounted the USB drive into this second location when I put it back in. Type “ls” (LS in lower case if the font here sucks) to see the files in the directory. You should see your files. Now run “chmod +x appEntry” to allow the appEntry file to be an executable, otherwise it will not work. To make this next step easier, move back to the root directory using “cd /”. You can type “pwd” at any time in SSH or Terminal to see the directory you’re currently in at any time. Now copy the file back to the oscilloscope, “cp /media/sda1/appEntry /rigol/” and you should be good to go.

Step 9: Restart your Oscilloscope and don’t forget to thank the dozens of people on this forum who made this possible.
« Last Edit: September 25, 2019, 08:15:18 am by AngusBeef »
 

Online TK

  • Super Contributor
  • ***
  • Posts: 1154
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1294 on: September 12, 2019, 12:30:55 am »
Quote
I don´t have the skills to do the hack apart from the usb hack file….. :(
So I have to wait until someone has mercy for users like me.  ;)
I struggled my way through it and will do a write up shortly, but in the meantime if you don't have a Linux computer I recommend downloading VirtualBox (https://www.virtualbox.org/) and following the instructions to install Linux on your virtual computer running inside virtualbox (https://download.virtualbox.org/virtualbox/6.0.12/UserManual.pdf)

Once you've got Linux installed it will make it possible to accomplish the patch.

For non-Linux nerds this distro is very user friendly  - https://www.linuxmint.com/

It is possible to accommodate the patch using Windows software but it's much easier in Linux

It works on Mac OS X as well... it should work on Windows 10 with WSL (Windows Subsystem for Linux)
 
The following users thanked this post: ForceFed, SimpleOne

Offline Martin72

  • Frequent Contributor
  • **
  • Posts: 583
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1295 on: September 12, 2019, 09:12:24 pm »
@AngusBeef :

Sounds complicated to me, but I will try it on the forthcoming weekend....

Offline NED88

  • Contributor
  • Posts: 9
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1296 on: September 12, 2019, 09:30:03 pm »
The step-by-step instructions are very helpful.  I'd make a few additional comments/suggestions...

Before copying back the patched "appEntry" file to "/rigol" (see end of step 8 in AngusBeef's post above), I ran:  echo "3f95cb3236b47826e303de960596f966  appEntry" | md5sum -c   to make sure it had the correct md5sum (see delfinom's post: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701).

Also, one can use the "bspatch" that is contained inside mabl's "DS5000Update_backup.GEL.txt" (see: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380).  Just rename it to "DS5000Update_backup.GEL.gz" and gunzip the file into a temporary folder then gunzip the file "bspatch.gz" to get the bspatch utility. 

I used a Mac OS X terminal (but only for ssh) and copied the bspatch utility onto a USB stick as well as the files listed in step 2 and worked with those successfully.  It's a good idea to run "umount /dev/sda1" , after you have finished using the USB stick.

We do actually have all the information required for creating a single GEL patch file by modifying the previous 04.04 patch (and backup) files after gunzipping them (and the enclosed files) and decrypting the various encrypted shell files enclosed.  It shouldn't take very long for a unix script programmer to modify them for 04.08.
« Last Edit: September 12, 2019, 09:37:38 pm by NED88 »
 

Offline SpaleKG

  • Newbie
  • Posts: 3
  • Country: cs
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1297 on: September 17, 2019, 10:28:27 pm »
After an embarrassingly long delay, here are the changes for 01.04.08 uploaded to git:
https://gitlab.com/riglol/rigolee/commit/ae77323ac04da753d98ae9a1d99a658e000b9088

for those that care ;)

Hi oliv3r. I had to read all 52 pages in this topic to be sure I did not miss something about your https://gitlab.com/riglol/rigolee repository.
I have several findings.
- Following your README file and instructions about using docker to build the image for the gel_unpack/pack scripts, I have found that docker build doesn't work because there are some issues in the .dockerignore file (for the bin/ folder you are not ignoring only one .sh file, but in the Dockerfile you are using all files in the bin/ folder).
- When I had fixed the .dockerignore file and built the image, I discovered that gel_unpack.sh doesn't work either. There are some errors in the dumpimage part of the script.

My question: Are these errors made intentionally as some kind of "kid protection", or should this be fixed? Or maybe gel_unpack.sh (the dumpimage part, about an unknown -i option) doesn't work because of the newer version of Alpine Linux you are using to build the docker image.

I have tried to build the docker image on my MacOS and also on ubuntu 16.04, and every time the same errors happened when I tried to generate the docker image by cloning your repo without any modifications.

Also I have forked your repo, so I can commit the changes I have made on my fork and send a pull request so you can take a look at them if you want.
I have fixed all the issues I have found with creating the docker image, and gel_unpack.sh is now working in the docker container.

BTW, this is my 1st post, so hello to all. I have MSO7000 series scope and I will try to perform hacks on this model.

Best regards,
Spale
« Last Edit: September 18, 2019, 12:35:18 am by SpaleKG »
 
The following users thanked this post: thm_w, SimpleOne, luma

Offline Martin72

  • Frequent Contributor
  • **
  • Posts: 583
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1298 on: September 22, 2019, 10:36:45 am »
Quote
@AngusBeef :

Sounds complicated to me, but I will try it on the forthcoming weekend....

Still complicated for me....
Today I´ve installed a linux subsystem on win10 (ubuntu).
When I start this, a command line appears…ok and now...I don´t know a thing about  :(
Putty is a program to connect a windows computer to a linux computer - So why must I do the things under a linux system....
I´m really thinking about buying the option bundle, but there´s the bandwidth upgrade for free in this hack....
Ah, a keygen for dummies like me would be heaven..

Offline mabl

  • Regular Contributor
  • *
  • Posts: 100
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1299 on: September 23, 2019, 12:24:18 pm »
Dear all, I have rigged up a general purpose auto patcher, attached to this post.

It will read a configuration file "patch.txt" from the usb drive and execute according to the specifications within. It does NOT include any patches and is not enough to patch your scope.

As an example, the  "patch.txt"  file should contain something like:

Code:
file_to_patch=/rigol/appEntry
file_to_patch_md5sum=afe3e7c2d38bdebb66d3f1f11d910743
patch_file=name_of_patch.bpatch
after_patch_md5sum=expected_md5_sum_after_patch

You have to obtain these bspatch files and checksums from somewhere else. (The  file_to_patch_md5sum is correct for 01.01.04.08 firmware). Fill the other fields out accordingly.

On your USB drive, there should then be the following files (obviously name_of_patch must match your configuration):

  • DS5000Update.GEL
  • patch.txt
  • name_of_patch.bpatch

At all points of the firmware patching, the md5 sums will be checked and an error raised if anything does not match. So it should be pretty safe. I have tested it.  :popcorn:
« Last Edit: September 23, 2019, 01:07:14 pm by mabl »
 
The following users thanked this post: thm_w, Vtech, tcottle, testmode, qu1ck, TK, skander36, NoisyBoy, NED88, BitBug, quakeman, serg_77, nelson_mendes, Dremsy, sumect
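
Added example (not code from this thread, and not mabl's patcher): the checksum gate described in the patch.txt post and in NED88's md5sum check, written as POSIX shell. The function names, the validation rules and the choice to parse patch.txt as data instead of sourcing it are assumptions; the four keys are the ones shown in the post, and the demo files are constructed stand-ins.

```shell
#!/bin/sh
# Added example: checksum gate for a patch.txt-style config (keys as shown in the post).
# Function names are hypothetical. The file is parsed as data, never sourced,
# because it comes from removable media and the gate would run as root.

# cfg_get FILE KEY: print the value of the first "KEY=" line, CR stripped
cfg_get() { sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '\r'; }

# is_md5 STR: succeed only for exactly 32 lowercase hex digits
is_md5() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'; }

# md5_of FILE: print the MD5 hex digest
md5_of() { md5sum "$1" | cut -d ' ' -f 1; }

# check_config CFG: load the four fields into globals and validate their shape
check_config() {
    target=$(cfg_get "$1" file_to_patch)
    before=$(cfg_get "$1" file_to_patch_md5sum)
    patch=$(cfg_get "$1" patch_file)
    after=$(cfg_get "$1" after_patch_md5sum)
    case $target in /*) ;; *) echo "file_to_patch must be an absolute path" >&2; return 2 ;; esac
    case $patch in ''|.*|*/*) echo "patch_file must be a plain file name" >&2; return 2 ;; esac
    is_md5 "$before" || { echo "file_to_patch_md5sum is not an MD5" >&2; return 2; }
    is_md5 "$after" || { echo "after_patch_md5sum is not an MD5" >&2; return 2; }
}

# verify_md5 FILE EXPECTED: succeed only if FILE exists and hashes to EXPECTED
verify_md5() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ] || { echo "md5 mismatch for $1: $actual" >&2; return 1; }
}

# pre_check CFG: the target on disk must be the exact build the patch was made for
pre_check() { check_config "$1" && verify_md5 "$target" "$before"; }

# post_check CFG CANDIDATE: a patched copy must hash to after_patch_md5sum
# before it is allowed to replace the original
post_check() { check_config "$1" && verify_md5 "$2" "$after"; }

# demo: constructed stand-in files in a temp dir; returns pre_check's status
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in, not firmware\n' > "$d/appEntry"
    sum=$(md5_of "$d/appEntry")
    printf 'file_to_patch=%s\nfile_to_patch_md5sum=%s\npatch_file=name_of_patch.bpatch\nafter_patch_md5sum=%s\n' \
        "$d/appEntry" "$sum" "$sum" > "$d/patch.txt"
    pre_check "$d/patch.txt"; rc=$?
    rm -rf "$d"
    return $rc
}
```

MD5 here catches a wrong firmware build or a corrupted copy; it is not collision-resistant, so it says nothing about where a patch file came from.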

