Hacking the Rigol MSO5000 series oscilloscopes

[Howardlong]

Here's the ISL8203M 3.3V SMPS I'm referring to, as you can see, no meaty inductors to be seen as they're integrated into the device itself.

[voltsandjolts]

On the bright side, you found stock
https://www.digikey.co.uk/en/products/detail/ISL8203MIRZ/ISL8203MIRZ-ND/4958418
Ooo, yuk, package looks like fun.

Couldn't it be that, say, a ceramic cap has shorted on the rail, and the ISL8203M shows up on IR because it's trying to chuck current into the short?

[Howardlong]

On the bright side, you found stock
https://www.digikey.co.uk/en/products/detail/ISL8203MIRZ/ISL8203MIRZ-ND/4958418

Yes, already ordered a couple. Even Farnell had them in stock but they were more expensive, and I had a production order ready to go to Digikey anyway.

Ooo, yuk, package looks like fun.

At least it's not a BGA, more like a QFN, however warming up the board might prove challenging for removal & reflow.

Couldn't it be that, say, a ceramic cap has shorted on the rail, and the ISL8203M shows up on IR because it's trying to chuck current into the short?

Possibly, but I took the decision to get the chip in stock first before engaging further. The ceramic caps I'll already have in stock. If they'd been tants I'd have been more concerned bearing in mind their propensity to fail short.

A bigger concern based on the failure mode is if it managed to dump 5V as it came up onto the 3.3V rail or the other rail (presumably somewhere between 1 and 1.8v).

[Fungus]

ok so it's a simple quick question: purely from the prospects of unlocking as far as possible. what would be the best specific model to get new these days? can it be mso5072 ? or should it be something higher up in the range, eg the mso5074?

If you order the 5072, you only get two probes. Makes sense, it's only a 2 channel scope.
If it was me, I would order the 5074. Yes it costs a little extra, but you don't have to worry about buying extra probes and you always have 4 channels to fall back on if you want to sell it later and remove the patched firmware.

If you get the 4-channel version then you get two extra probes but you don't get the cute little BNC caps that come with the two channel version.



Apart from that the only difference is the sticker on the front.

There's people up there^ making their own stickers.

[sem21]

Hello everyone. Who ever got the license? I have been sending a request for 3 months and no one is answering me. And he did not receive a license, although they say that it is paid for.

[normi]

Hello everyone. Who ever got the license? I have been sending a request for 3 months and no one is answering me. And he did not receive a license, although they say that it is paid for.

I did not get a license with my shipment, but I called the support number on Rigol site and they requested some information and emailed me the free license update. Although I have heard a lot about support issues, the US support seams very responsive, they have answered both my calls and emails.

[Howardlong]

Hmmm.... switched on my MSO5000 to check something about it for someone (it only has about 20 hours of use), after about ten minutes on it powered itself down and I was left with a repeating click and short LED panel flash every second or two.

Took it apaaaart, there's a near short (0.4 ohms) on the PSU connector's 5V pins to ground on the main board.

PSU seems to supply voltages fine.

After giving it a visual, there was not much to be seen so I made up a cable to my bench PSU to power all the 3 supplies (5V, +7.5V, -7.5V), sure enough the 5V was shorting. By the way, the connector is the same as a normal PC ATX connector cut in half, so I made up a cable.

After a bit of manual probing of the obvious power supplies, I got nowhere, the Schottkys all seemed fine.

Got out the IR cam, and the perp showed up like a Christmas tree. Looks like the ISL8203M 3.3V SMPS is dead. I didn't immediately look at this because #1 eyeball was looking for inductors: this device interestingly enough has integrated inductors, quite a feat, I've not seen this before.

Success!

Turns out the ISL8203M is configured as 2 x 3.3v in parallel two phase mode.

I lifted the device with flux & hot air alone, it wasn't too hard to achieve. I cleaned up the lands with full fat solder, and wicked off the excess, leaving just enough solder for the device's pads to adhere. Added pen flux to the PCB lands & device pads, and placed the device. A bit more hot air and the device was placed. I then cleaned up the edge castellations. It's a three minute job once the scope's disassembled and you have access to the PCB.

I didn't go to the effort of disconnecting the LCD display, but I did unscrew the PCB from the chassis so I could check what was underneath the package (not much). When applying heat, I lifted up the PCB from the chassis with a wedge to allow airflow underneath.

Take care with the LCD, there's nothing holding it into the chassis except light friction once the front panel's off, so there's a risk of wrecking the flat flex cables if care isn't taken.

One thing I noticed after the repair was that there was a very large offset on channel one immediately after this fix (about a couple of volts). I am pretty sure this is due to flux cleaner solvent creeping into the channel one can: after leaving it switched on for an hour or two, the offset gradually disappeared as the solvent evaporated.

Edit: Postmortem measurements showed that there were shorts on the device between PGND, SW1 and VOUT1 on the ISL8203M device I removed.

[Kean]

Well done on the repair Howard.
I think I'm finally ordering one of these tomorrow while there is the above mentioned special on them.

[spiff72]

I just got my new MSO5074 delivered yesterday, but haven't had a ton of time to mess with it yet.  It is (probably) replacing my DS1054Z (hacked), but I want to give it some more time before deciding whether I intend to keep it for sure.  This prompts a few questions...

- My understanding is that applying the hacks to enable all the options is reversible, correct?  Is it just a matter of downloading the offical firmware and doing a local upgrade with that firmware file on a USB drive?

- Would the unit still be returnable if I go through the process of registration for the official "bundle" of options that was being offered by Rigol until the end of this month (this offer is mentioned a few posts earlier on this page).

- If I were to register to get the upgrades from the bundle offer, should those be applied prior to applying the hack?  Or doesn't this matter?  Obviously I wouldn't apply them to the hacked version, but if they are applied PRIOR to the hack, would reverting back to the OG firmware (assuming that is the way to undo the hack) restore me back to the state with the bundle upgrades, or would I have to reapply the bundle upgrades after reverting?

Thanks in advance!

[tv84]

1. Yes.
2. Good question. Don't think so.
3. Doesn't matter.

[spiff72]

Thanks!

I got impatient and applied the hack to mine over my lunch hour.  Also registered for the bundle, but that web page seems flakey.  I entering my info, clicked submit, and the button disappeared with no confirmation message.  I guess if I don't get a notice in a day or two I will try again.

[hafrse]

Hi All,

Just a quick note that the MSO5000 free options bundle that includes:

    MSO5000-COMP - Computer Serial Triggering and Analysis (RS232/UART)
    MSO5000-EMBD - Embedded Serial Triggering and Analysis (I2C, SPI)
    MSO5000-AUTO - Automotive Serial Triggering and Analysis (CAN/LIN)
    MSO5000-FLEX - FlexRay serial bus trigger and analysis (FlexRay)
    MSO5000-AUDIO - Audio Serial Triggering and Analysis (I2S)
    MSO5000-AERO - MIL-STD 1553 Serial Triggering and Analysis
    MSO5000-AWG - Dual Channel 25MHz Waveform Generator
    MSO5000-PWR - Integrated Power Analysis

Ends at the end of this month (30th of September).
Who knows if this offer will be extended (probably will, but I have zero contact/idea if that'll happen).

So if you are thinking of getting the MSO5000 series scopes, I'd get one before the end of the month so you can get your free (legitimate) license for these options.
Obviously, this isn't really needed because you can just unlock the features, but it's always nice to have the "real" license for these options in case you want to sell it, or need to restore the factory firmware for some reason.

where can I get this bundle? I purchased the mso5072 from Conrad, and there is nothing mentioned there , thanks

[eurofox]

Hi All,

Just a quick note that the MSO5000 free options bundle that includes:

    MSO5000-COMP - Computer Serial Triggering and Analysis (RS232/UART)
    MSO5000-EMBD - Embedded Serial Triggering and Analysis (I2C, SPI)
    MSO5000-AUTO - Automotive Serial Triggering and Analysis (CAN/LIN)
    MSO5000-FLEX - FlexRay serial bus trigger and analysis (FlexRay)
    MSO5000-AUDIO - Audio Serial Triggering and Analysis (I2S)
    MSO5000-AERO - MIL-STD 1553 Serial Triggering and Analysis
    MSO5000-AWG - Dual Channel 25MHz Waveform Generator
    MSO5000-PWR - Integrated Power Analysis

Ends at the end of this month (30th of September).
Who knows if this offer will be extended (probably will, but I have zero contact/idea if that'll happen).

So if you are thinking of getting the MSO5000 series scopes, I'd get one before the end of the month so you can get your free (legitimate) license for these options.
Obviously, this isn't really needed because you can just unlock the features, but it's always nice to have the "real" license for these options in case you want to sell it, or need to restore the factory firmware for some reason.

where can I get this bundle? I purchased the mso5072 from Conrad, and there is nothing mentioned there , thanks

https://www.batronix.com/shop/oscilloscopes/Rigol-MSO5074.html

[spiff72]

Thanks!

I got impatient and applied the hack to mine over my lunch hour.  Also registered for the bundle, but that web page seems flakey.  I entering my info, clicked submit, and the button disappeared with no confirmation message.  I guess if I don't get a notice in a day or two I will try again.

Quick update on the "flakey" registration web page for the bundle.  I think that my issue was uBlock Origin ad-blocker.  I remembered that I was getting some messages from some of the Rigol web pages, so I tried filling out the form again with the adblocker disabled, and it worked correctly (I got a confirmation page instead of the 'submit' button just disappearing).

[K9DTV]

I applied the patch to unlock my scope and this unlocked everything.
However, I am unable to run selfcal, as it never starts.
Channel one goes rail to rail, so it will never start selfcal.

Scope channel is working fine otherwise.

Any ideas?

[spiff72]

Hmmm - you reminded me that I didn't run the self-cal after I hacked mine this week.  I will try running on mine after it warms up for 30 minutes.

This is my version info:

[spiff72]

I applied the patch to unlock my scope and this unlocked everything.
However, I am unable to run selfcal, as it never starts.
Channel one goes rail to rail, so it will never start selfcal.

Scope channel is working fine otherwise.

Any ideas?

Mine just ran successfully (first one post-hack).

[Yury]

Fine just ran successfully (first one post-hack).

spiff72  what  FW version/date did you have in your scope ?

[d86d1864]

Would someone be willing to share their /rigol/data/Key.data file?

You should be able to extract it with for instance mabl's backup script from:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2251380/#msg2251380

As a reminder, Key.data contains the curve and public key used to verify the signature in the *.lic file, and does not contain actual licensing information.

What I'd like to verify is whether the public key is the same across all devices, or if different public keys are used across different devices/serials.

Cheers!

[tv84]

Different keys.

[spiff72]

Fine just ran successfully (first one post-hack).

spiff72  what  FW version/date did you have in your scope ?

See my prior post image, it is shown there.

[d86d1864]

Different keys.

Great. Then I'm all the more interested if someone could share their Key.data!

tv84, sounds like you already looked into this - how many did you get a chance to compare and did you find anything interesting?

I'd love to hear if someone already looked for nonce reuse.
(https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Security)

[tv84]

Great. Then I'm all the more interested if someone could share their Key.data!

tv84, sounds like you already looked into this - how many did you get a chance to compare and did you find anything interesting?

I'd love to hear if someone already looked for nonce reuse.
(https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Security)

Why do you want to see them? They are different keys of the same type. Just that.

They most probably use an ID of the scope to seed the key generation. Never truly investigated that although it has crossed my mind.

[luis garcia]

Hi.
I have realized the 50 Mpts /4 channel feature is optional even on the MSO5354. Can this feature be enabled? Is it perhaps enabled with the "upgrade" patch?

L.

[oelapaloma]

I bought a MSO5074 and I'm planning to hack it. Due to a promotion, I received the Application Bundle Option, which I don't need if I hack it anyway. If I get it right, I could generate a license for any Rigol MSO5000 by entering its serial number. Could I sell my bundle license on ebay or is that forbidden? There's no legal information on that sheet of paper.