Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 284730 times)


Offline bmx

  • Contributor
  • Posts: 15
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1550 on: February 29, 2020, 06:51:17 am »
I didn't notice before, but wtf Rigol, zip != rar
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 56
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1551 on: February 29, 2020, 02:52:40 pm »
     - Delete the default email account and password

Ah yes ... that one
 :-DD
 
The following users thanked this post: NoisyBoy, Fluffhamster

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1552 on: February 29, 2020, 03:05:19 pm »
I'm afraid they are referring to the email feature documented in the manual, not the undocumented phone-home feature.  Who knows, they might actually have fixed the undocumented one  :-DD

Any chance you can work on a new patch file for this version?
 

Offline core

  • Contributor
  • Posts: 11
  • Country: ro
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1553 on: February 29, 2020, 04:10:14 pm »
If we take it as a new major firmware version (upgrade from 01.01.xx.xx to 01.02.xx.xx),  it seems that Rigol have no intention to add some new useful features (like Bode Plot, a better hi-res implementation, etc).

I suppose in the future there will be only incremental improvements for bugs.

Still, MSO5000 is a funny brute force beast. And hackable  :)
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 56
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1554 on: February 29, 2020, 04:16:54 pm »
I'm afraid they are referring to the email feature documented in the manual, not the undocumented phone-home feature.  Who knows, they might actually have fixed the undocumented one  :-DD

Any chance you can work on a new patch file for this version?

No, they are referring to the default username and password that I used to log into their IBM Notes system because :woops: it wasn't just a placeholder.
 
The following users thanked this post: thm_w, NoisyBoy

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1555 on: February 29, 2020, 04:24:57 pm »
So perhaps your last email to them using the hidden ID actually made it through.

When you create the patch, it would definitely be a good idea to create a version with disabled ET phone home, it just opens such a security hole in the lab network.  The scope should have no business emailing Rigol anything without a user’s knowledge.
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 56
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1556 on: February 29, 2020, 05:13:15 pm »
So perhaps your last email to them using the hidden ID actually made it through.

When you create the patch, it would definitely be a good idea to create a version with disabled ET phone home, it just opens such a security hole in the lab network.  The scope should have no business emailing Rigol anything without a user’s knowledge.
I actually attached a patch just like that for the .08 firmware miles back. It just seems everyone ignored it.  :-//
 
The following users thanked this post: NoisyBoy

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1557 on: March 01, 2020, 02:36:38 am »
I got that patch, I am not sure if others have the same security concern as we do.  I put it on an isolated network regardless.
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 56
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1558 on: March 01, 2020, 05:30:08 am »
1.02.00.02 patch

Before: 78d71292a1828ee597a341bd14797e18
After: 86d162a29297ae03af88a6d8f7c40247
« Last Edit: March 04, 2020, 04:47:56 pm by delfinom »
 
The following users thanked this post: thm_w, ve2mrx, skander36, NoisyBoy, serg_77, Sergey Astakhov, sb42, sjm

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1559 on: March 01, 2020, 05:39:19 am »
Hey delfinom,

A big thanks as usual, did you notice any new options or notable changes in the firmware?
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 56
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1560 on: March 01, 2020, 05:42:24 am »
Hey delfinom,

A big thanks as usual, did you notice any new options or notable changes in the firmware?

Wasn't looking. That would take actual effort :P
 
The following users thanked this post: NoisyBoy

Offline skander36

  • Regular Contributor
  • *
  • Posts: 236
  • Country: ro
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1561 on: March 01, 2020, 07:16:06 am »
No warranties.

Before: 78d71292a1828ee597a341bd14797e18
After: 86d162a29297ae03af88a6d8f7c40247


Thank you!
It works perfectly!
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 111
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1562 on: March 02, 2020, 08:10:02 pm »
Changes to the file system:
Code:
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   firmware/fw4linux.sh
        modified:   firmware/fw4uboot.sh
        modified:   firmware/logo.png
        modified:   firmware/rootfs/rigol/K160M_TOP.bit
        modified:   firmware/rootfs/rigol/appEntry
        modified:   firmware/rootfs/rigol/resource/help/b/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/display.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/email.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/storage.hlp
        modified:   firmware/rootfs/rigol/resource/help/b/trigger.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/chan1.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/display.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/help.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/horizontal.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/storage.hlp
        modified:   firmware/rootfs/rigol/resource/help/d/trigger.hlp
        modified:   firmware/rootfs/rigol/resource/menu/b.hex
        modified:   firmware/rootfs/rigol/resource/menu/c.hex
        modified:   firmware/rootfs/rigol/resource/menu/d.hex
        modified:   firmware/rootfs/rigol/resource/menu/desc.hex
        modified:   firmware/rootfs/rigol/resource/menu/h.hex
        modified:   firmware/rootfs/rigol/resource/menu/i.hex
        modified:   firmware/rootfs/rigol/resource/menu/j.hex
        modified:   firmware/rootfs/rigol/resource/menu/k.hex
        modified:   firmware/rootfs/rigol/resource/menu/l.hex
        modified:   firmware/rootfs/rigol/resource/menu/m.hex
        modified:   firmware/rootfs/rigol/resource/menu/menu.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ch.hex
        modified:   firmware/rootfs/rigol/resource/menu/modelconfig_ext.hex
        modified:   firmware/rootfs/rigol/resource/menu/msg.h
        modified:   firmware/rootfs/rigol/resource/menu/n.hex
        modified:   firmware/rootfs/rigol/resource/menu/o.hex
        modified:   firmware/rootfs/rigol/resource/menu/pic.hex
        modified:   firmware/rootfs/rigol/resource/menu/res.hex
        modified:   firmware/rootfs/rigol/resource/menu/t.hex
        modified:   firmware/rootfs/rigol/resource/menu/u.hex
        modified:   firmware/rootfs/rigol/resource/scpi/ACQuire.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/CHANnel4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/COMMon.xml
        modified:   firmware/rootfs/rigol/resource/scpi/DISPlay.xml
        modified:   firmware/rootfs/rigol/resource/scpi/LA.xml
        modified:   firmware/rootfs/rigol/resource/scpi/LAN.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MASK.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/MATH4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/REF.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SAVE.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SOURce.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SOURce1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SOURce2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/TIMebase.xml
        modified:   firmware/rootfs/rigol/resource/scpi/TRIGger.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/BUS1.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/BUS2.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/BUS3.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/BUS4.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/DISPlay.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/LA.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/MEASure.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/REF.xml
        deleted:    firmware/rootfs/rigol/resource/scpi/compatible/Ref.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/SYSTem.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/TIMebase.xml
        modified:   firmware/rootfs/rigol/resource/scpi/compatible/TRIGger.xml
        deleted:    firmware/rootfs/rigol/resource/scpi/compatible/common.xml
        deleted:    firmware/rootfs/rigol/resource/scpi/compatible/cursor.xml
        deleted:    firmware/rootfs/rigol/resource/scpi/compatible/quick.xml
        modified:   firmware/rootfs/rigol/resource/scpi/scpiConfig.xml
        deleted:    firmware/rootfs/rigol/webcontrol/config/conf.d/Makefile
        deleted:    firmware/rootfs/rigol/webcontrol/config/conf.d/Makefile.am
        deleted:    firmware/rootfs/rigol/webcontrol/config/conf.d/Makefile.in
        deleted:    firmware/rootfs/rigol/webcontrol/include/openssl/ui_compat.h
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/AUTHORS
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/COPYING
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/ChangeLog
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/LICENCE
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/NEWS
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/README
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/index.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre-config.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_compile.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_compile2.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_config.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_copy_named_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_copy_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_dfa_exec.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_exec.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_free_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_free_substring_list.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_fullinfo.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_named_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_stringnumber.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_stringtable_entries.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_substring.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_get_substring_list.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_info.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_maketables.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_refcount.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_study.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcre_version.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcreapi.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrebuild.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrecallout.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrecompat.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrecpp.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcredemo.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcregrep.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrematching.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrepartial.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrepattern.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcreperform.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcreposix.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcreprecompile.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcresample.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcrestack.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcresyntax.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/html/pcretest.html
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/pcre-config.txt
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/pcre.txt
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/pcregrep.txt
        deleted:    firmware/rootfs/rigol/webcontrol/share/doc/pcre/pcretest.txt

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        firmware/rootfs/rigol/cups/testPage.bmp
        firmware/rootfs/rigol/resource/help/b/CVS/
        firmware/rootfs/rigol/resource/help/d/CVS/
        firmware/rootfs/rigol/resource/help/picture/CVS/
        firmware/rootfs/rigol/resource/help/picture/autoset/CVS/
        firmware/rootfs/rigol/resource/help/picture/chan1/
        firmware/rootfs/rigol/resource/help/picture/counter/
        firmware/rootfs/rigol/resource/help/picture/cursor/CVS/
        firmware/rootfs/rigol/resource/help/picture/display/
        firmware/rootfs/rigol/resource/help/picture/dvm/
        firmware/rootfs/rigol/resource/help/picture/email/
        firmware/rootfs/rigol/resource/help/picture/eyejit/CVS/
        firmware/rootfs/rigol/resource/help/picture/help/
        firmware/rootfs/rigol/resource/help/picture/horizontal/
        firmware/rootfs/rigol/resource/help/picture/ioset/
        firmware/rootfs/rigol/resource/help/picture/la/CVS/
        firmware/rootfs/rigol/resource/help/picture/mask/CVS/
        firmware/rootfs/rigol/resource/help/picture/math/CVS/
        firmware/rootfs/rigol/resource/help/picture/mathsel/
        firmware/rootfs/rigol/resource/help/picture/measure/CVS/
        firmware/rootfs/rigol/resource/help/picture/print/
        firmware/rootfs/rigol/resource/help/picture/quick/
        firmware/rootfs/rigol/resource/help/picture/record/
        firmware/rootfs/rigol/resource/help/picture/ref/CVS/
        firmware/rootfs/rigol/resource/help/picture/search/
        firmware/rootfs/rigol/resource/help/picture/selfcal/
        firmware/rootfs/rigol/resource/help/picture/source/CVS/
        firmware/rootfs/rigol/resource/help/picture/trigger/CVS/
        firmware/rootfs/rigol/resource/help/picture/upa/CVS/
        firmware/rootfs/rigol/resource/help/picture/utility/
        firmware/rootfs/rigol/resource/help/picture/vdecode/CVS/
        firmware/rootfs/rigol/resource/help/picture/vdecodesel/
        firmware/rootfs/rigol/resource/help/picture/wifi/
        firmware/rootfs/rigol/tools/cfg_gtp



Quick things I saw:

New commands:
  • :ACQuire:MEMDepth
  • :CHANnel1/2/3/4:PSN (?)
  • :CHANnel1/2/3/4:Taurus
  • :ULTRalab:Server
  • :MASK:FAILed?
  • :MASK:PASSed?
  • :MASK:TOTal?
  • :SAVE:CSV:CHANnel?
  • :SAVE:IMAGe:DATA?
  • :TRACe1:DATA:DAC16
 
The following users thanked this post: thm_w, tcottle, luma, serg_77, sjm
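The listing above comes from unpacking both firmware images into a git working tree and running `git status`. The same comparison without git, as an added example that is not from the thread: hash every file in two extracted trees and report what was added, deleted or modified, in the order a reviewer wants it (new binaries first, since a fresh file under tools/ is what to open in a disassembler). The paths and contents in `demo()` are a constructed miniature of two extracts, not the real rootfs.

```python
"""Compare two extracted firmware trees by content hash (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root. Symlinks are hashed
    by their target string rather than followed, so a redirected link shows up
    as a modification instead of silently hashing a file outside the tree."""
    digests: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            if os.path.islink(full):
                h.update(b"symlink:" + os.readlink(full).encode())
            else:
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_trees(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Set arithmetic on the path sets, then a content check on the overlap."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def format_report(diff: Dict[str, List[str]]) -> str:
    """git-status-like listing, new files first."""
    lines = []
    for kind in ("added", "modified", "deleted"):
        lines += [f"{kind + ':':<12}{p}" for p in diff[kind]]
    return "\n".join(lines)


def build_tree(root: str, files: Dict[str, bytes]) -> None:
    """Write constructed fixture files under root."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo() -> Dict[str, List[str]]:
    # Constructed miniature of two extracts: the paths mimic the layout quoted
    # in the thread, the contents are invented for this example.
    old_files = {
        "fw4linux.sh": b"#!/bin/sh\nVERSION=01.01\n",
        "rootfs/rigol/appEntry": b"\x7fELF-old",
        "rootfs/rigol/resource/scpi/compatible/cursor.xml": b"<cursor/>",
    }
    new_files = {
        "fw4linux.sh": b"#!/bin/sh\nVERSION=01.02\n",
        "rootfs/rigol/appEntry": b"\x7fELF-new",
        "rootfs/rigol/tools/cfg_gtp": b"\x7fELF-tool",
    }
    with tempfile.TemporaryDirectory() as old_dir, tempfile.TemporaryDirectory() as new_dir:
        build_tree(old_dir, old_files)
        build_tree(new_dir, new_files)
        return diff_trees(hash_tree(old_dir), hash_tree(new_dir))


if __name__ == "__main__":
    print(format_report(demo()))
```

For two real extracts, replace `demo()` with `diff_trees(hash_tree("old/rootfs"), hash_tree("new/rootfs"))`; hashing by content rather than mtime matters because extraction tools reset timestamps.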

Offline sb42

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1563 on: March 02, 2020, 09:29:15 pm »
Changes to the file system:

Noticed much the same while looking at the app.img contents. They got rid of some random cruft that should never have been there in the first place (pcre html docs), added some more (CVS data :palm:), kept the rest intact (full installation of openssl with headers and manpages). Another case of a hardware vendor struggling to meet software development deadlines and grok FOSS toolchains and platforms, I suppose :horse:.
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1564 on: March 02, 2020, 10:44:22 pm »
Did anyone notice a new script added in the latest FW ("/rigol/tools/cfg_gtp")?
Checked the MSO7000 / 5000 / 8000 series & this script exists on all of them.

Checked in IDA & it looks very suspicious, as on execution it writes to /dev/i2c-0 with incrementing constant data.
Worth writing a small script to back up these registers (just in case), as they may contain valuable data which would be overwritten by this script.
It does have a getter method, but it's never called.
On nandboot there is a call to "checkGTP".

Can this all mean that this script may be included for the purpose of locking down hacked scopes?
Can somebody check this theory, or is somebody brave enough to try to run it? :)
« Last Edit: March 03, 2020, 10:27:29 am by mindy »
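A register backup of the kind suggested above, added here as an example and not something posted in the thread: it talks to a Linux `/dev/i2c-N` node with the `I2C_SLAVE` ioctl and plain write-then-read transactions, dumps a window of registers as a hex listing, and diffs two dumps so that whatever `cfg_gtp` changes would show up byte by byte. The slave address `0x50`, the 16-bit register width and the 64-byte window are assumptions for the demo (nothing on the page gives the real device's address or register map); `FakeI2CMemory` is a constructed stand-in so the code runs away from the scope.

```python
"""Back up and compare an I2C register window via /dev/i2c-N (added example)."""
import fcntl
import os
from typing import List, Tuple

I2C_SLAVE = 0x0703   # from <linux/i2c-dev.h>: select the 7-bit slave address on this fd


class LinuxI2CBus:
    """Plain write-then-read transactions on a Linux i2c-dev node. Enough for
    memories and register files that auto-increment; a part that needs a
    repeated start between pointer write and read would need I2C_RDWR."""

    def __init__(self, path: str = "/dev/i2c-0"):
        self.fd = os.open(path, os.O_RDWR)

    def set_address(self, addr: int) -> None:
        fcntl.ioctl(self.fd, I2C_SLAVE, addr)

    def write(self, data: bytes) -> None:
        os.write(self.fd, data)

    def read(self, n: int) -> bytes:
        return os.read(self.fd, n)

    def close(self) -> None:
        os.close(self.fd)


class FakeI2CMemory:
    """Constructed stand-in for a register file / FRAM with an auto-incrementing
    pointer, same interface as LinuxI2CBus, so the example runs offline."""

    def __init__(self, content: bytes, addr_width: int = 1):
        self.mem = bytearray(content)
        self.addr_width = addr_width
        self.ptr = 0
        self.selected = None

    def set_address(self, addr: int) -> None:
        self.selected = addr

    def write(self, data: bytes) -> None:
        # Leading bytes set the pointer; anything after them is a data write.
        self.ptr = int.from_bytes(data[:self.addr_width], "big")
        payload = data[self.addr_width:]
        self.mem[self.ptr:self.ptr + len(payload)] = payload

    def read(self, n: int) -> bytes:
        chunk = bytes(self.mem[self.ptr:self.ptr + n])
        self.ptr += len(chunk)
        return chunk


def dump_registers(bus, addr: int, start: int, count: int,
                   addr_width: int = 1, chunk: int = 16) -> bytes:
    """Read `count` bytes from register `start`: write the pointer, then read
    sequentially, relying on the device's auto-increment. addr_width is 1 for
    8-bit register maps and 2 for 16-bit ones (typical of FRAM parts)."""
    bus.set_address(addr)
    out = bytearray()
    while len(out) < count:
        n = min(chunk, count - len(out))
        bus.write((start + len(out)).to_bytes(addr_width, "big"))
        got = bus.read(n)
        if len(got) != n:
            raise IOError(f"short read at 0x{start + len(out):x}: {len(got)}/{n}")
        out += got
    return bytes(out)


def hexdump(data: bytes, base: int = 0) -> str:
    """Classic 16-bytes-per-line listing; base is the register of data[0]."""
    lines = []
    for off in range(0, len(data), 16):
        row = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in row)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{base + off:04x}: {hexpart:<47} |{asc}|")
    return "\n".join(lines)


def diff_dumps(before: bytes, after: bytes, base: int = 0) -> List[Tuple[int, int, int]]:
    """(register, old, new) for every byte that differs between two dumps."""
    if len(before) != len(after):
        raise ValueError("dumps must cover the same window")
    return [(base + i, before[i], after[i]) for i in range(len(before)) if before[i] != after[i]]


if __name__ == "__main__":
    # Swap for LinuxI2CBus("/dev/i2c-0") on the scope; 0x50 / 16-bit / 64 bytes
    # are assumed demo values, not the real device's.
    dev = FakeI2CMemory(bytes(range(64)), addr_width=2)
    snapshot = dump_registers(dev, 0x50, 0, 64, addr_width=2)
    print(hexdump(snapshot))
```

Take a dump before running the tool, another after, and feed both to `diff_dumps`; an empty list means the bytes in that window were untouched, which is a stronger statement than "nothing visibly happened".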
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 56
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1565 on: March 03, 2020, 12:34:10 pm »
Did anyone notice a new script added in the latest FW ("/rigol/tools/cfg_gtp")?
Checked the MSO7000 / 5000 / 8000 series & this script exists on all of them.

Checked in IDA & it looks very suspicious, as on execution it writes to /dev/i2c-0 with incrementing constant data.
Worth writing a small script to back up these registers (just in case), as they may contain valuable data which would be overwritten by this script.
It does have a getter method, but it's never called.
On nandboot there is a call to "checkGTP".

Can this all mean that this script may be included for the purpose of locking down hacked scopes?
Can somebody check this theory, or is somebody brave enough to try to run it? :)

A little strong on the tinfoil.

GTP would most likely be referring to the touch screen controller IC, which is a Goodix-TS part but in the Linux kernel sources is referred to as "GTP".
« Last Edit: March 03, 2020, 12:35:55 pm by delfinom »
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1566 on: March 03, 2020, 02:22:13 pm »
An interesting line found on MSO8000 fw4linux.sh script:

Chinese (Original):
#checkGTP;金手指里面已经执行了GTP配置,普通启动取消该配置,由于8000一台机器发现这里导致无法启动

Translation:
#checkGTP; GTP configuration has been performed in cheat. Normal configuration cancels the configuration. 8000 machines found it and failed to start.

So "checkGTP" is disabled on the MSO8000 because it fails to start due to a false trigger on the GTP configuration.
This increases my concerns about the newly added script.
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 56
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1567 on: March 03, 2020, 02:39:53 pm »
An interesting line found on MSO8000 fw4linux.sh script:

Chinese (Original):
#checkGTP;金手指里面已经执行了GTP配置,普通启动取消该配置,由于8000一台机器发现这里导致无法启动

Translation:
#checkGTP; GTP configuration has been performed in cheat. Normal configuration cancels the configuration. 8000 machines found it and failed to start.

So "checkGTP" is disabled on the MSO8000 because it fails to start due to a false trigger on the GTP configuration.
This increases my concerns about the newly added script.

checkGTP has been part of the firmware from the beginning from at least 01.01.01.07
Seriously, if Rigol wanted to lock down the scope, it wouldn't require "extra super secret scripts" to do so. Especially ones you would have to SSH into and run yourself.

I also ran cfg_gtp, nothing happened.

Here's a better translation
Quote
#Checkgtp: GTP configuration has been executed in goldfinger. It is cancelled during normal startup. Because 8000 machines find this, they cannot start
GoldFinger is simply their name for the ASIC I think, they even have a JTAG header for it named Goldfinger
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/?action=dlattach;attach=586343;image


This new MSO5000 firmware simply includes all the changes they had to make for the MSO8000.

« Last Edit: March 03, 2020, 03:18:18 pm by delfinom »
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1568 on: March 03, 2020, 04:24:44 pm »
I think we should raise a petition to Google for the misleading translation from Chinese; thanks for the clarification & testing.
It's still unclear what the purpose of this script at boot is, as it does not make any sense to me.

Regarding "extra super secret scripts": it would not surprise me, as this would not be the first case; a few examples: root:root, SMTP passwords :-DD
/dev/i2c-0 caught my attention as it's used for FRAM access as well, just at a different register.
The question is whether it (cfg_gtp) updates in memory or persists it. If the latter, then it might be an initialisation script, but so far I have not found any usage cases (calls).

Just don't forget that the scope has a magic "call home" function & the capability to execute any shell command, i.e. sshd.
This combination can lead to a locked scope. It's better to be cautious & critical of the changes found in new FWs.
 

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1569 on: March 03, 2020, 05:16:13 pm »
I don't trust their firmware when it comes to security.  Mine is sitting in a physically isolated network, so it is not sending anything to China. 
 
The following users thanked this post: thm_w, Sighound36

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 56
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1570 on: March 03, 2020, 05:34:06 pm »
Just don't forget that the scope has a magic "call home" function & the capability to execute any shell command, i.e. sshd.
This combination can lead to a locked scope. It's better to be cautious & critical of the changes found in new FWs.

Eh, they disabled SSHD, we are the ones enabling it. Even enabling it does nothing to give them access on a standard network.
 

Offline Sighound36

  • Regular Contributor
  • *
  • Posts: 242
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1571 on: March 03, 2020, 06:09:07 pm »
Mine too  8) totally isolated network
« Last Edit: March 03, 2020, 06:23:35 pm by Sighound36 »
Seeking quality measurement equipment at realistic cost with proper service backup. If you pay peanuts you employ monkeys.
 

Offline tonywood

  • Contributor
  • Posts: 5
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1572 on: March 03, 2020, 08:32:09 pm »
So, can we use the current patch for the new firmware? Do we need to edit the patch file? Thanks - I'm on firmware 00.01.02.00.02
Do I need to downgrade firmware?

Thank you
 

Offline mindy

  • Contributor
  • Posts: 20
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1573 on: March 04, 2020, 03:20:52 pm »
So, can we use the current patch for the new firmware? Do we need to edit the patch file? Thanks - I'm on firmware 00.01.02.00.02
Do I need to downgrade firmware?

Thank you

The only safe option is to buy a license.
So regarding the recently discussed GTP thing, I would say it's something to look at in more detail, but it should be safe, as #delfinom already tested & confirmed that no "fireworks" were rendered on the scope after execution.

I own an MSO7000, so the patch is not available for my device yet, & as I can't see any major improvement in the new FW I'll postpone the upgrade on my device.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1507
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1574 on: March 04, 2020, 03:36:51 pm »
The only safe option is to buy a license.

So regarding the recently discussed GTP thing, I would say it's something to look at in more detail, but it should be safe, as #delfinom already tested & confirmed that no "fireworks" were rendered on the scope after execution.

I own an MSO7000, so the patch is not available for my device yet, & as I can't see any major improvement in the new FW I'll postpone the upgrade on my device.

That's not true. In any device that is disconnected from the internet, any license can be used. The scope doesn't have any mechanism to check if it's an "official" or "unofficial" license.

I've looked at the GTP a while back. It didn't look suspicious. It's just their way for configure/validate things at boot time.

Use your time to migrate the 7000 patch (it should be kiddy stuff using simple pattern search - no need to open IDA...) and don't create unsubstantiated panic over the FW scripts.

BTW, with a full NAND backup you can reflash any of these MSOs from scratch as long as you have your bootloader healthy.
 
The following users thanked this post: thm_w, mindy, sjm
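Two things in this thread fit together in one tool: delfinom's patches are posted with MD5 "before" and "after" hashes (Reply #1558), and tv84 suggests above that migrating the patch to another model is a matter of simple pattern search. The following is an added example, not any patch posted here: it refuses to touch an image whose MD5 is not the expected one, locates each patch site by a wildcarded byte pattern that must match exactly once, checks the bytes at the site before overwriting them, and verifies the result hash when one is given. `SAMPLE_IMAGE`, the "LIC" flag bytes and the patch site are invented for the demo and have nothing to do with the real firmware layout.

```python
"""Hash-gated, pattern-anchored in-place binary patcher (added example)."""
import hashlib
from typing import Iterable, List, Optional, Tuple


class PatchError(Exception):
    """Raised when the image, an anchor, or the result is not what the patch expects."""


def md5_hex(data: bytes) -> str:
    # MD5 is what the thread's patches are labelled with. It is fine for telling
    # firmware versions apart but is not collision resistant, so it gates
    # accidents, not an attacker who can choose the image.
    return hashlib.md5(data).hexdigest()


def parse_pattern(text: str) -> List[Optional[int]]:
    """'4C 49 43 ?? 00' -> [0x4C, 0x49, 0x43, None, 0x00]; '??' matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(data: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Every offset at which the wildcarded pattern occurs in data."""
    n = len(pattern)
    return [
        off
        for off in range(len(data) - n + 1)
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern))
    ]


# A patch site: anchor pattern that must occur exactly once, the bytes expected
# at the match offset, and the same-length replacement bytes.
PatchSite = Tuple[str, bytes, bytes]


def apply_patches(data: bytes, sites: Iterable[PatchSite],
                  expected_before: str, expected_after: Optional[str] = None) -> bytes:
    if md5_hex(data) != expected_before:
        raise PatchError("input MD5 mismatch: not the image this patch was made for")
    buf = bytearray(data)
    for anchor, old, new in sites:
        if len(old) != len(new):
            raise PatchError(f"site {anchor!r}: in-place patch must keep length")
        hits = find_pattern(data, parse_pattern(anchor))   # search the pristine image
        if len(hits) != 1:
            raise PatchError(f"site {anchor!r}: anchor matched {len(hits)} times, need exactly 1")
        off = hits[0]
        if bytes(buf[off:off + len(old)]) != old:           # also catches overlapping sites
            raise PatchError(f"site {anchor!r}: unexpected bytes at 0x{off:x}")
        buf[off:off + len(new)] = new
    result = bytes(buf)
    if expected_after is not None and md5_hex(result) != expected_after:
        raise PatchError("output MD5 mismatch: result differs from the reference patch")
    return result


# Constructed stand-in for a firmware blob; the strings and the 'LIC' flag are
# invented for this example and do not correspond to the real image.
SAMPLE_IMAGE = (b"\x00" * 16 + b"RIGOL\x01\x02\x03" + b"\xff" * 8
                + b"LIC\x00\x00" + b"\x00" * 8)
SAMPLE_SITES: List[PatchSite] = [
    ("4C 49 43 ?? 00", b"LIC\x00\x00", b"LIC\x01\x00"),   # flip the invented flag byte
]


def demo() -> bytes:
    before = md5_hex(SAMPLE_IMAGE)
    return apply_patches(SAMPLE_IMAGE, SAMPLE_SITES, before)


if __name__ == "__main__":
    patched = demo()
    print("Before:", md5_hex(SAMPLE_IMAGE))
    print("After: ", md5_hex(patched))
```

Anchoring on a pattern rather than a fixed offset is what makes the same site list reusable across builds where code has shifted; requiring exactly one hit is what stops a too-short pattern from silently patching the wrong place.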

