Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 916107 times)


Offline d86d1864

  • Newbie
  • Posts: 6
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2075 on: September 28, 2021, 06:11:21 pm »
Why do you want to see them? They are different keys of the same type. Just that.

They most probably use an ID of the scope to seed the key generation. Never truly investigated that although it has crossed my mind.

With access to two public keys it's trivial to check for nonce reuse, and with more keys it's possible to check for weak key generation.
This of course is only possible if the keys are in fact different (albeit different in a specific way).

In either case such weaknesses would potentially allow for private key recovery, which I'd like to attempt.
 

Offline oelapaloma

  • Newbie
  • Posts: 9
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2076 on: September 28, 2021, 06:20:37 pm »
It seems I have a new build and a different checksum. Now what?

System Information:
Firmware: 0A.01.03.00.01
Boot: 2018.06.27
Build: 2021-05-04 15:50:32


Checksum:
<root@rigol>md5sum appEntry
4669caa3cfb3d19f98adff7833e321db  appEntry


I have successfully created a backup, I am able to activate SSH, I can connect with WinSCP and provide files for analysis, if needed. I think I understood how to hack the scope, but the checksums will not match (I have not tried, but that's why I created the MD5 hash to know in advance).
« Last Edit: September 28, 2021, 07:14:43 pm by oelapaloma »
 

Offline d86d1864

  • Newbie
  • Posts: 6
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2077 on: September 28, 2021, 07:12:52 pm »
Quote
Firmware: 0A.01.03.00.01

Curious. That does not match any version, or even naming scheme, I have ever seen.

I had a quick look at all the usual places Rigol publishes firmware but they all point to 00.01.03.00.01.

The stock 00.01.03.00.01 does not come with ssh enabled, so I assume you ran some USB script to enable it - did you by any chance run a script that might've modified your appEntry?
 

Offline oelapaloma

  • Newbie
  • Posts: 9
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2078 on: September 28, 2021, 07:31:38 pm »
Quote
did you by any chance run a script that might've modified your appEntry?

I created USB Sticks with GEL files on it. I'm not sure whether one of these modified appEntry, but the Firmware version was like that all the time. I recorded it when I bought the scope. The GEL files I used were those for backing up files (no need to modify appEntry, I hope) and running the SSH server (also no need to modify appEntry, I hope).
 

Offline d86d1864

  • Newbie
  • Posts: 6
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2079 on: September 28, 2021, 07:57:31 pm »
Quote
I'm not sure whether one of these modified appEntry, but the Firmware version was like that all the time.

I just went through the six patches I have on file and I was not able to find any that matched the MD5 you gave.
It is of course possible I've missed several patches, but if you say the factory fresh version had the 0A, then it's entirely possible you're running some as-yet-unpublished version of the firmware.

It's easiest to put together a patch if we have the full firmware, but if you can attach your appEntry that's likely enough.
(Unfortunately I can't personally promise I'll have time to have a look, but perhaps someone else out there can.)

Good luck!
« Last Edit: September 28, 2021, 08:15:05 pm by d86d1864 »
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2080 on: September 29, 2021, 08:30:32 am »
Quote
It seems I have a new build and a different checksum. Now what?

System Information:
Firmware: 0A.01.03.00.01
Boot: 2018.06.27
Build: 2021-05-04 15:50:32


Checksum:
<root@rigol>md5sum appEntry
4669caa3cfb3d19f98adff7833e321db  appEntry


I have successfully created a backup, I am able to activate SSH, I can connect with WinSCP and provide files for analysis, if needed. I think I understood how to hack the scope, but the checksums will not match (I have not tried, but that's why I created the MD5 hash to know in advance).

I'm very curious about that release :)

Did you do a 'full nand backup'? Would you mind sharing that one so I can add it to the gitlab repo?

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2081 on: September 29, 2021, 08:31:49 am »
While the promo still appears to be running (I'll check again Oct. 1st to see if it was extended again :p) I can't actually reach the form.

https://www.rigolna.com/promos/ does list the link, but the link is dead, from the EU and the USA :(
https://beyondmeasure.rigoltech.com/acton/ct/1579/p-0080/Bct/-/-/ct20_0/1/fu?sid=TV2%3AKt5oPeWlY

Can anybody confirm it is indeed dead?

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5125
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2082 on: September 29, 2021, 09:18:26 am »
Quote
While the promo still appears to be running (I'll check again Oct. 1st to see if it was extended again :p) I can't actually reach the form.

Both the link on the rigolna site and the direct one work fine for me (Netherlands IP)
Keyboard error: Press F1 to continue.
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2083 on: September 30, 2021, 06:44:15 pm »
Quote
While the promo still appears to be running (I'll check again Oct. 1st to see if it was extended again :p) I can't actually reach the form.
Quote
Both the link on the rigolna site and the direct one work fine for me (Netherlands IP)

That is so sad :( I also have a Netherlands IP and get:
Quote
This site can’t be reached
beyondmeasure.rigoltech.com refused to connect.

Offline oelapaloma

  • Newbie
  • Posts: 9
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2084 on: September 30, 2021, 06:59:19 pm »
Quote
I can't actually reach the form.

Same issue here right at the moment. I had problems on September 28th as well, but 2 hours later it worked again.

Quote
'full nand backup'

I don't know what that is. Is there a GEL file to create that kind of backup? Ok, got that one as well from https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356. Will try.
At the moment I only have a calibration backup. But I can connect to the scope using WinSCP and I can access /rigol/appEntry and likely other files if needed.

Find appEntry (22 MB) for a few days on http://37.120.179.6/appEntry-0A.01.03.00.01
« Last Edit: September 30, 2021, 07:13:09 pm by oelapaloma »
 
The following users thanked this post: d86d1864

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5125
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2085 on: September 30, 2021, 07:07:09 pm »
Just checked again and it still works for me, very strange
Keyboard error: Press F1 to continue.
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2086 on: September 30, 2021, 07:26:06 pm »
Quote
I can't actually reach the form.

Same issue here right at the moment. I had problems on September 28th as well, but 2 hours later it worked again.

Quote
'full nand backup'

I don't know what that is. Is there a GEL file to create that kind of backup? Ok, got that one as well from https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2757356/#msg2757356. Will try.
At the moment I only have a calibration backup. But I can connect to the scope using WinSCP and I can access /rigol/appEntry and likely other files if needed.

Find appEntry (22 MB) for a few days on http://37.120.179.6/appEntry-0A.01.03.00.01

Heh, you found the link faster than I did :p I was looking for that link from our very own @tv84 :) but the script only does a simple `dd if=/dev/mdX of=/media/usb/mdX` so nothing super special :)

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2087 on: September 30, 2021, 07:33:48 pm »
Quote
Just checked again and it still works for me, very strange
Didn't work in the NL; used a USA proxy; worked this time around ... weirdness.

Offline PabloSanchez

  • Newbie
  • Posts: 3
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2088 on: September 30, 2021, 08:44:40 pm »
Hi!
I have the firmware 00.01.03.00.01 from 30.03.2020.
Can someone tell me where to download firmware FW 01.03.00.01 build 2020-05-18?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2089 on: September 30, 2021, 09:11:33 pm »
Quote
Hi!
I have the firmware 00.01.03.00.01 from 30.03.2020.
Can someone tell me where to download firmware FW 01.03.00.01 build 2020-05-18?

Nowhere. Up till now it's only flashed at factory.
 

Offline PabloSanchez

  • Newbie
  • Posts: 3
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2090 on: September 30, 2021, 09:24:30 pm »
And what versions do you recommend?
 

Offline K9DTV

  • Contributor
  • Posts: 23
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2091 on: September 30, 2021, 09:48:29 pm »
I applied the patch to unlock my scope and this unlocked everything.
However, I am unable to run selfcal, as it never starts.
Channel one goes rail to rail, so it will never start selfcal.

Scope channel is working fine otherwise.

Any ideas?

Mine just ran successfully (first one post-hack).

See attachment

 

Offline PabloSanchez

  • Newbie
  • Posts: 3
  • Country: ru
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2092 on: September 30, 2021, 10:48:41 pm »
Quote
I applied the patch to unlock my scope and this unlocked everything.
However, I am unable to run selfcal, as it never starts.
Channel one goes rail to rail, so it will never start selfcal.

Scope channel is working fine otherwise.

Any ideas?

Mine just ran successfully (first one post-hack).

See attachment


What exactly did you use? I have the same firmware version and nothing works. Please describe in more detail where to start and which files to use.
 

Offline K9DTV

  • Contributor
  • Posts: 23
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2093 on: September 30, 2021, 11:55:46 pm »
Quote
What exactly did you use? I have the same firmware version and nothing works. Please describe in more detail where to start and which files to use.

Download the attached files
01_03_00_01.bspatch.txt  rename to  01_03_00_01.bspatch
DS5000Update.GEL.txt      rename to  DS5000Update.GEL
patch.txt


Copy to root directory of usb flash drive
insert into front scope usb
run update



Now can someone help me with my problem?
« Last Edit: September 30, 2021, 11:58:12 pm by K9DTV »
 
The following users thanked this post: sem21, PabloSanchez
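A preflight check for the "checksums will not match" worry raised earlier in the thread and for the update steps just above: the bspatch is made for one exact appEntry build, so confirm which build you have before running the update. This is an added example, not a script from the thread or from Rigol; only the 0A.01.03.00.01 digest is taken from the posts above, the other table row is a labelled placeholder.

```shell
#!/bin/sh
# Added example: verify which appEntry build you actually have before applying
# a bspatch that was made for one specific build. Only the 0A.01.03.00.01
# digest is taken from the thread; the other row is a placeholder.

# Known builds, one per line: "<md5>  <label>". Reassign to extend.
KNOWN_APPENTRY_MD5='
4669caa3cfb3d19f98adff7833e321db  0A.01.03.00.01 (build 2021-05-04, digest from the thread)
PLACEHOLDER_MD5_00_01_03_00_01    00.01.03.00.01 (placeholder: take the digest from your own backup)
'

# md5_of FILE -> hex digest on stdout (md5sum on Linux/busybox, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# check_appentry FILE EXPECTED_MD5 -> exit 0 when the digest matches, 1 otherwise.
check_appentry() {
    digest=$(md5_of "$1") || return 2
    [ "$digest" = "$2" ]
}

# identify_build FILE -> prints the label of the matching known build (exit 0);
# on an unknown digest prints a warning on stderr and exits 1, so a wrapper
# script can refuse to run the update instead of patching the wrong binary.
identify_build() {
    digest=$(md5_of "$1") || return 2
    label=$(printf '%s\n' "$KNOWN_APPENTRY_MD5" |
        awk -v d="$digest" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }')
    if [ -n "$label" ]; then
        printf '%s\n' "$label"
        return 0
    fi
    printf 'appEntry md5 %s matches no known build; do not apply a patch made for another build\n' \
        "$digest" >&2
    return 1
}

# Typical use on a backup copy of the scope's /rigol/appEntry:
#   identify_build ./appEntry && check_appentry ./appEntry 4669caa3cfb3d19f98adff7833e321db
```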

Offline Kean

  • Supporter
  • ****
  • Posts: 2088
  • Country: au
  • Embedded systems & IT consultant
    • Kean Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2094 on: October 01, 2021, 07:54:38 am »
I just noticed that while the free bundle is apparently still available for purchases until 31 March 2022, it is now only offered for 4 channel models.
Not really a big deal for those wanting to hack their scope, unless you wanted those features to increase un-hacked resale value.

From: https://beyondmeasure.rigoltech.com/acton/form/1579/0065:d-0001/0/-/-/-/-/index.htm
Quote
Valid Models: MSO5074, MSO5104, MSO5204, MSO5354

note: Other models no longer qualify for the free bundle offer when purchased after 9/30/2021. For purchases of any UltraVision II Oscilloscope that occurred before 10/1/2021 please fill out the form below and your bundle will still be sent per the previous promotion.
 

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2095 on: October 01, 2021, 02:35:10 pm »
Quote
Hi!
I have the firmware 00.01.03.00.01 from 30.03.2020.
Can someone tell me where to download firmware FW 01.03.00.01 build 2020-05-18?

Quote
Nowhere. Up till now it's only flashed at factory.

Do we have a nand-backup of someone with that firmware? We can generate it then if really needed.
Has anybody reached out to Rigol to request the GEL file from them?

Offline kc55

  • Newbie
  • Posts: 2
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2096 on: October 02, 2021, 08:09:29 am »
I have the same problem, especially on channel 1 of my MSO5074. When I switch on only that channel the offset is smaller, around -70 mV. With at least one other analog channel also switched on, the offset becomes larger, at around -160 mV at the 1 V/div scale setting.
I ran self calibration a few times but it didn't fix the offset.
Anybody here have a similar observation? Is this amount of offset to be expected?
« Last Edit: October 02, 2021, 08:16:33 am by kc55 »
 

Offline oelapaloma

  • Newbie
  • Posts: 9
  • Country: de
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2097 on: October 02, 2021, 08:16:10 pm »
I have created a Full NAND Backup and a Data FRAM Backup of the scope with 0A.01.03.00.01 firmware. Please PM on how to proceed. I don't want to see my full dump on the Internet.
 

Offline d86d1864

  • Newbie
  • Posts: 6
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2098 on: October 03, 2021, 12:10:15 pm »
Quote
Find appEntry (22 MB) for a few days on http://37.120.179.6/appEntry-0A.01.03.00.01

Thank you for sharing the binary.

Curiosity got the better of me so I had a crack at porting the previous patches to the new binary (attached below).

It's a little harder to test when we don't have the firmware available, but I managed to get the binary running on 00.01.03.00.01 with a little fiddling, and it appears to work.
But as always, use at own risk and naturally only for educational purposes. :)
 

Offline flash2b

  • Regular Contributor
  • *
  • Posts: 113
  • Country: nl
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #2099 on: October 05, 2021, 12:02:15 pm »
My scope came with this:



Is this hackable and what do I need to do?
 

