Hacking the Rigol MSO5000 series oscilloscopes

[Martin72]

Yep, here it is:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2682411/#msg2682411

[Urzov]

Hello again to everyone. It seems that something is not right ... After connecting via LAN cable, with the PuTTY program (Windows 10 installed), after entering "root" it writes to enter the password, but does not respond to typing, only to Enter. At the same time, it says "Access denitd" after 5 presses "Enter" is buggy ... I did a reset at startup ... It does not help! Maybe something I'm doing wrong? Thank you very much!

[Martin72]

Hi,

Did you follow the instructions from the post I´ve linked here before ?

[Urzov]

I did everything on points! Updated to version “8”, rebooted (turned it off and on), erased the update from USB, wrote the file to enable SSH, turned on SSH, connected the cable to the PC, launched PuTTY with the address, ... But it doesn’t enter the password!

[PA0PBZ]

after entering "root" it writes to enter the password, but does not respond to typing, only to Enter.

Passwords are (almost) always hidden, so just type the password and hit enter.

[Urzov]

Oh .. It turned out with a password! But he can not find either: "cp / rigol / appEntry / media / sda1 /" nor: "cd / media / sda1" I think and more ...    What can I do? Thank!

[TK]

Oh .. It turned out with a password! But he can not find either: "cp / rigol / appEntry / media / sda1 /" nor: "cd / media / sda1" I think and more ...    What can I do? Thank!

You are doing it wrong... there must be a space after cp.

[Urzov]

Thank you, I realized it! But it is not clear in "Step 7". Do you need to register the path to the USB drive to create a "bspatch" file in it? Can you please for more details. Thank!

[TK]

Thank you, I realized it! But it is not clear in "Step 7". Do you need to register the path to the USB drive to create a "bspatch" file in it? Can you please for more details. Thank!

Every file involved in the bspatch execution must be located in the same directory... I assume appEntry is in your USB drive, so yes... change directory to the USB drive where all the files are located before executing bspatch.

[tv84]

Learning linux commands in a scope's shell is not the best scenario...

[Martin72]

 

[Urzov]

I don’t understand "Step 7" ... How to copy "bspatch" to the root of the USB drive. How to set the address on a USB drive so that it creates a “bspatch” file in it How do I understand after creating a “bspatch” file it needs to be renamed to “appEntry”? Confused ... Thanks!

[TK]

bspatch is the linux/unix command you need to execute on the appEntry application you copied from your scope to the USB drive. 

It is a "Binary patch" tool.  You apply it to the original appEntry using the file that contains the information on what to patch, then you copy the resulted appEntry file back to the scope.

[mabl]

Oh, shit, I saw the same for-ever-boot-screen as Antlanpz, but the trick with pressing "single" with the original firmware (01.01.04.04) from Rigol on USB-stick failed? Are there any other suggestions to restore to factory default?

You should not need to do manual patching if you want to apply a bspatch. You can use my automatic patcher to apply any patch you want. You will have to provide the proper checksums, which will be checked and the patch only applied if everything worked.

I want to again point out, that manual patching, such as described by Angus and others is not required. Especially, if you know what to patch, have the MD5 sums of the binary before and after patch. Just use my new patcher firmware and create a proper configuration file containing the file name of the bspatch file, and the two md5 sums before and after patch. It works with any firmware, does not require SSH and is pretty safe.  Especially, if you have never interacted with Linux on a shell only.

[Urzov]

Hello! I saved the file (appEntry) to the USB drive with the command: "cp / rigol / appEntry / media / sda1 /". I'm trying through Ubuntu with the files "appEntry" and "appEntry_01_01_04_08.bpatch" to create "appEntryPatched". But "bspatch" does not work, nor how it doesn’t work, it isn’t anywhere ... Does anyone have a working "bspatch" utility? Thank you very much!

[NoisyBoy]

You really should pay attention to what mabl has to say, it will save you a lot of headache if you are having trouble with the process.  He has spent a lot of time to create tools to help the less experienced owners to avoid the exact challenges you are facing.

[Urzov]

Good! I'll try as Mabl suggests. There are questions: where to get "name_of_patch.bpatch" What is it? The file: appEntry is mentioned in the patch.txt file. File "appEntry" to take the one that created the command "cp / rigol / appEntry / media / sda1 /" Thank you!

[mabl]

• file_to_patch - do not change, since  /rigol/appEntry is the file you want to patch. No need to put appEntry on the USB
• file_to_patch_md5sum - do not change, if you want to patch firmware version 01.01.04.08 and  its appEntry
• patch_file - change value to the name of your patch file and put this patch file on USB
• after_patch_md5sum - change to value to the expected checksum after  patch_file was applied to file_to_patch.

[texaspyro]

• after_patch_md5sum - change to value to the expected checksum after  patch_file was applied to file_to_patch.

Where/how does one come up with this checksum?

[Urzov]

Hello everybody. Same question! Is it possible not to apply a checksum? Should there be only 2 files on a USB drive? (renamed "patch_file" and "patch.txt") and "DS5000Update.GEL" is not needed on a USB drive?
Need help! I don’t feel like buying another MSO5072 and torturing him too...    Thank you!

[NED88]

• after_patch_md5sum - change to value to the expected checksum after  patch_file was applied to file_to_patch.

Where/how does one come up with this checksum?

The expected md5 checksum is quoted here:  https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2620701/#msg2620701  and the md5 checksum for the original file is generated with this command:  md5 -q appEntry (using a Unix/Linux/Mac terminal).  To check the md5 checksum of the patched file,  run:  echo "3f95cb3236b47826e303de960596f966  appEntry" | md5sum -c from the scope once you've ssh'd into it from Unix.

[seronday]

It is also possible to generate the MD5 checksum in windows, as delfinom pointed out in this message

Also instead of running strange third party software to compute a md5sum of a file on windows just do
  CertUtil -hashfile appEntry MD5
in a command window

[Xtremexp]

Or you can use hxd hex editor to find the md5 hash

[mabl]

It is also possible to generate the MD5 checksum in windows, as delfinom pointed out in this message

Also instead of running strange third party software to compute a md5sum of a file on windows just do
  CertUtil -hashfile appEntry MD5
in a command window

Or you can use hxd hex editor to find the md5 hash

The md5 checksum after patching is usually not available to the user, since the patched file is only on the scope. The md5 should be given together with the patch file. Note that if the md5 does not match, my patcher will output the mismatch checksum values.

[nelson_mendes]

Hello everyone!

I've been following this topic quite often but never broke the ice to present myself, so here it goes...

I'm Nelson, Portuguese and currently living in Sweden.

Owning a Rigol 5072 since some time, I was able to unlock was able to unlock its features thanks to the hard worked information from this topic.
So, a special thank you to Mabi, TV84, NED88 and so many others that made it possible...

The latest firmware got my interest due to fix the overshoot in the 4 channels, something that also seen in my scope in channels 3 and 4.

Being ungodly unblessed with any kind of hacking skills, I tried my best to follow the instructions given to other members and attached You can see what I got.


When I tried to patch the scope 04.08 using Mabi's autopatcher I got the MD5sum error and a whole different MD5sum and at this moment I'm feeling quite lost.
It was only today that I got SSH working (using Putty in windows 10 didn't work for me) and I'm strugling to basically do what needs to be done.

I generated the bpatch file over the firmware file and got a wrong md5sum while atempting to patch the scope.
I also generated the bpatch file over the app_Entry file copied by SSH and tried atempted to patch the scope, but again wrong md5.

Could someone please help?
I really don't have a notion about what I'm doing wrong...

Thank you all.

//Nelson