Hacking the Rigol MSO5000 series oscilloscopes

[BH3XON]

Turn on the device with the left hand, while pushing the single button with the right hand.
Keep pushing it, over and over and over don't stop pushing, don't wait between pushes.
It works, I don't know why you are having problems.

After many attempts, I think I know the problem,
time1: Press the power button, the keyboard light is on, and the screen is dark;
time2: The keyboard light is off and the screen remains dark;
time3: The screen displays RIGOL, and the startup progress...

Just press single at time2, and the mysterious menu will appear.

[flash2b]

Does the hack stay after upgrading the firmware?

[ziDot]

Successful liberated brand new MSO5072. Without any recovery mode downgrades. With local upgrade only.
Firmware installed from store:
FW 0A.01.03.00.01
HW 01.01.000
Boot 2018.06.27
Build 2021-05-04 15:50:32

My actions step-by-step:
1. Download official FW v00.01.03.00.01. Found on Russian Rigol site (registration required):
https://ru.rigol.com/En/Index/listView/catid/28/tp/6/cat/7/xl/24
Google drive mirror:
https://drive.google.com/file/d/1wsz9O9EJmQxzGSD-pm-yF06vw2qoJkRa/view?usp=sharing
2. Prepare USB Disk. I have very old 2Gb flash. Formatted with MiniTool Partition Wizard as FAT32 Primary partition
3. Extract downloaded files to any folder on PC.
4. Copy DS5000Update.GEL file to fresh formatted USB Flash
5. Power on MSO and plug in flash drive.
6. Select local upgrade (press Utility->System->Help->Local upgrade). Confirm upgrade. (there were no errors or warnings about version mismatch)
After upgrade is complete reboot MSO. Now MSO have FW 00.01.03.00.01 and Build 2020-03-30 15:56:36

Then go to:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105598/#msg3105598
And follow instructions from STEP 2.

After all operations MSO must be recalibrated. Recalibrate instructions can be found in MSO5000 Upgrade Instructions file comes with downloaded firmware.

Note:
After patch I had black screen for 15-20 second (maybe little longer and I pressed Menu key few times in panic))). Just little patience an all will back to screen.

[Matsh]

Does the hack need to be updated to work with firmware 00.01.03.00.03?

[normi]

Does the hack need to be updated to work with firmware 00.01.03.00.03?

Yes a new file needs to be created for each new update, the hack is the same but it needs to be applied to new update.

[Matsh]

I tried to checkout the whole thread how-to create the new file, is that information available here?

[normi]

Information is buried in thread. if a remember correctly; basically there is a file call appentry which is a binary file and you compare the hacked version of the file to the unhacked file and discover the changes. Locate those section of the code in the new firmware and change them to the same values as the hacked version, then copy new file to scope. That is an over simplified description, but I assume someone will build a new patch with the updated firmware and post it.

[bmx]

while you're at it, reinstate sshd (or telnetd or whatever) in the main start script.
The pain point is to extract the package, somewhere with no CRLF/.Trashes involved, then do update what you want on the extracted fs, like if you were on the real scope, and finally, repack everything properly (that is the pain).

the gitlab repository (https://gitlab.com/riglol/rigolee.git) have some helpers to do that properly (in bin/).

hint: unix cmdline needed

[everest159]

For info

When formating the USB make sure it its FAT32 and Cluster size to 4096 bytes (some of my newer USB's has 8192 as default).

I updated to 01.03.00.03 and I can confirm the SSH GEL still worked (but I don't remember where I downloaded the .03 firmware, as I don't find it on Rigols hompeage anymore).

When trying to downgrade using the "secret" menu, pressing SINGLE button twice at boot, I got "Failed to upgrade! Check the upgrade file."
My solution was to use another USB, even tho I knew the first USB worked for upgrade, apparently it didn't work for downgrade.

Hope this helps someone!

[Matsh]

Official FW v00.01.03.00.03 can be downloaded here https://www.rigolna.com/products/digital-oscilloscopes/MSO5000/

[keenox]

Hi guys,

I have version 00.01.03.00.01, but the bspatch doesn't seem to work. This got me reading more into this thread and used the gel file to enable SSH and do a dump.
Looking into the GEL files I saw that they contain binary shell files and was wondering what those files to.

1. Can someone explain how to encrypt and decrypt the binary shell files? Or at least tell me what's in them?
2. Regarding bspatch, can someone explain what it contains? I am interested in terms of assembly so I can adapt it to the firmware on my scope and maybe any future firmware.

It seems to me that the hacking methods here are pretty opaque and would like to learn more about how they work.
Is it because legal issues with Rigol? If that is the case, I would be very thankful if anyone could send me a PM.
Thanks!

[qali.pro]

Hi guys,

I have version 00.01.03.00.01, but the bspatch doesn't seem to work. This got me reading more into this thread and used the gel file to enable SSH and do a dump.
Looking into the GEL files I saw that they contain binary shell files and was wondering what those files to.

1. Can someone explain how to encrypt and decrypt the binary shell files? Or at least tell me what's in them?
2. Regarding bspatch, can someone explain what it contains? I am interested in terms of assembly so I can adapt it to the firmware on my scope and maybe any future firmware.

It seems to me that the hacking methods here are pretty opaque and would like to learn more about how they work.
Is it because legal issues with Rigol? If that is the case, I would be very thankful if anyone could send me a PM.
Thanks!

i think your F.W it's not Build 2020-03-30 15:56:36
to confirm that  press Utility->System->Help->About (see what build you have)
if not follow these steps
https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3829616/#msg3829616


command :  openssl aes-128-cbc -in "./fw4linux.sh" -out "fw.sh" -d -K "BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD" -iv "BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD" -nopad

to unpack GEL file there is a script to do that gel_unpack.sh
https://gitlab.com/riglol/rigolee/firmware/-/tree/MSO5000/bin

if you get any error try to change -i flag
"dumpimage -T flat_dt -i "${GELDIR}/system.img" -p 0 "${OUTDIR}/zImage"" >> "dumpimage -T flat_dt  "${GELDIR}/system.img" -p 0  -o "${OUTDIR}/zImage""

[keenox]

@qali.pro Thanks for the info! I'll try it. I already managed to unzip the GEL files by using 7zip. That's how I found the encrypted shell files
My build is from 18.05, but I wanted to know better how the hack works and also maybe port it the 01.03.00.03

[qali.pro]

here is patch for F.W 01_03_00_03

have fun

---------------------------
The patch file has been deleted for further testing and should be release soon 

[Matsh]

First I updated to FW v00.01.03.00.03. Then used the patch above to activate all options.

Thank you for the work done on the patch!

[qali.pro]

First I updated to FW v00.01.03.00.03. Then used the patch above to activate all options.

Thank you for the work done on the patch!

Glad it works for you.
Your are welcome, i'm here to help.

[BM61]

Hi friends, I’m new here 

I’ve updated my MSO5000 with FW v00.01.03.00.03 and patched it with the patch from qali.pro (Thank you!!), but now I experience a problem using the 20MHz BW limit on the inputs: the trace disappear! 

Have you the same issue?

Trying better, using using the 20M BW Limit (but not the 100 or 200M) a “negative bias” of approximatly 300mV it’s added to the trace.
So with 10mV or less sensitivity the trace “disappear”

[BM61]

Dear friends, I’ve performed another one Self Calibration and the 20M BW problem it’s gone..
Now using the BW Limit I have no signal trace shifting like before.

Excuse me for the “fake alarm”, sorry.

 

[serg_77]

Updated, patched, self-calibrated twice - everything is normal.
Thank you qali.pro for the work done on the patch!

[Wintel]

here is patch for F.W 01_03_00_03

have fun

Thanks!

Have you tried to upgrade the MSO5072 to MSO5504 (BW:500MHz) with firmware 01_03_00_03?

[RobbiTobi]

Hi friends, I’m new here 

I’ve updated my MSO5000 with FW v00.01.03.00.03 and patched it with the patch from qali.pro (Thank you!!), but now I experience a problem using the 20MHz BW limit on the inputs: the trace disappear! 

Have you the same issue?

Trying better, using using the 20M BW Limit (but not the 100 or 200M) a “negative bias” of approximatly 300mV it’s added to the trace.
So with 10mV or less sensitivity the trace “disappear”

I have found same problem! But no success after 2 times self-calibration ... 
Below 2mV/div has become useless ... even averaging
In addition BW-20MHz gives offset problems up to 1V/div ... 

Suggestions? Roll-back?

[serg_77]

The patch works. Everything is fine.

[serg_77]

After two self-calibrations, restart the device and that's it.

[RobbiTobi]

You are perfectly right! 

Did not restart the system! 

Many thanks!


P.S.: should perform an auto-boot after self-calib 

[qali.pro]

Hi friends, I’m new here 

I’ve updated my MSO5000 with FW v00.01.03.00.03 and patched it with the patch from qali.pro (Thank you!!), but now I experience a problem using the 20MHz BW limit on the inputs: the trace disappear! 

Have you the same issue?

Trying better, using using the 20M BW Limit (but not the 100 or 200M) a “negative bias” of approximatly 300mV it’s added to the trace.
So with 10mV or less sensitivity the trace “disappear”

I have found same problem! But no success after 2 times self-calibration ... 
Below 2mV/div has become useless ... even averaging
In addition BW-20MHz gives offset problems up to 1V/div ... 

Suggestions? Roll-back?

Can you post a screenshot to replicate same error in my device ?