Hacking the Rigol MSO5000 series oscilloscopes

[faktorqm]

Hi sir! thanks a lot for your suggestions.

Are you able to get to the "secret" menu and select "Upgrade Firmware" by the button just under the "Menu Off" button? 

Yes I can do that.

What message(s) does the oscilloscope display when you try to do the rollback update from that menu?

Update failed. Check your package file (or something like that)

It's known that the oscilloscope can be picky about what USB stick is used.  Make sure any USB sticks you use are FAT32 formatted and try more than one of different brands.  Also I'd suggest that the .GEL file be the only file on the stick and make sure the .GEL file is named: "MSO5000Update.GEL"

OK, you are right. I'm using one Kingston pendrive which is the one I have been using to update to the last firmware and so on. I have tried 3 pendrives (2 Kingston and one Sandisk, all different models) and nothing. The fourth one did the job (sandisk). Now I'm back to the 1.3.0.3 and the patch applied. I will not move until a new patch is released and tested.

THANKS A LOT for the hint!

I have learn the lesson: Not do a firmware upgrade until you read the 96 pages of this forum thread

[mwb1100]

The fourth one did the job (sandisk).

Wow! Having that many fail to work is pretty terrible luck.

Actually not terrible luck - terrible testing diligence on Rigol's part.  If the MSO5000 is so particular about USB drives, Rigol really should give some guidance on what the scope can (or won't) work with.  Leaving users to a 50/50 chance (or worse) that the USB stick will work is pretty bad.

[JCS666]

With my kingston DataTraveler 4GB the update works fine, all this is very strange.

[bmx]

I guess you can  test first if your thumbdrive is working with the regular scope file i/o. i'm wondering if a failing usb device for update is indeed working fine with the regular scope storage functions.

[lujji]

I'm considering buying either this scope or HDO1k and I have a few questions to better understand current state of things:
1. Is everyone still using patched firmware from 2021? Has something changed in recent firmwares that breaks the current approach for unlocking the scope?
2. Did anyone try suspend to ram? Boot time is ridiculous and having a leaf-blower on my desk all the time doesn't seem very appealing, so I was hoping that it's possible to get some form of 'soft power-off' working
3. Has anyone tried compiling native applications for the scope? It would be nice having some shortcuts accessible within the scope as opposed to usb/lan.

Btw, I'm slightly confused by the patches posted here - there seems to be one 'real' change and the rest is just forcing the menu screen to display 'Forever'. I don't know why this was done, probably to make people feel better when they're posting screenshots of their menus. Either way, I can't do any better since I don't have a scope to debug on, so I just made similar changes while poking around at 01.03.02.02 firmware. Once again, I have no way of testing the patch, so use at your own risk.

Edit: reportedly, it works - download the official firmware and enjoy. Attached the update.gel from previous posts.

[JCS666]

lujji works fine, thanks

[mwb1100]

1. Is everyone still using patched firmware from 2021?

I haven't patched my scope yet so I'm not 100% sure, but I believe so.  I believe the most recent hacked firmware is based on firmware v00.01.03.00.03 from Oct 2021.

Has something changed in recent firmwares that breaks the current approach for unlocking the scope?

The most recent released official firmware is v00.01.03.02.02 from Jan 2023.  It has not been patched, so as of today if you install it you will lose any improvements/updates that the hacked firmware provides.  I've heard no word on whether anyone is working on hacking that firmware or how similar a hack might be to the hack done for the Oct 2021 firmware.

Note that there are several reports of people having various problems with the Jan 2023  v00.01.03.02.02, one of which is that some have had trouble reverting to older firmware once the v00.01.03.02.02 is installed.

As of today, if you want the improvements the hacked firmware brings, do not install the Jan 2023 firmware.

[stmcore]

Btw, I'm slightly confused by the patches posted here - there seems to be one 'real' change and the rest is just forcing the menu screen to display 'Forever'. I don't know why this was done, probably to make people feel better when they're posting screenshots of their menus. Either way, I can't do any better since I don't have a scope to debug on, so I just made similar changes while poking around at 01.03.02.02 firmware. Once again, I have no way of testing the patch, so use at your own risk.

Thanks lujji  tested working 100%
uploaded the patch files i've used .

[lujji]

Btw, I'm slightly confused by the patches posted here - there seems to be one 'real' change and the rest is just forcing the menu screen to display 'Forever'. I don't know why this was done, probably to make people feel better when they're posting screenshots of their menus. Either way, I can't do any better since I don't have a scope to debug on, so I just made similar changes while poking around at 01.03.02.02 firmware. Once again, I have no way of testing the patch, so use at your own risk.

Thanks lujji  tested working 100%
uploaded the patch files i've used .

Good. Can you also test if you can suspend by doing "echo mem > /sys/power/state"?

[faktorqm]

Thanks lujji and stmcore (I didn't tried the patch yet).

It is possible to have ssh enabled permanently? I have tried modifyng by myself the start.sh script but it's not working.
Also, the IP address (I set it to manual) cannot remember the changes, and get lost every time I reboot the scope.
This behaviour is similar in your devices? Do you lost network config when you restart/poweroff the scope?

Thank you! Regards!

[ToThePub]

Unless you change it, the scope always starts with defaults. That includes the IP address settings (which is dumb, but whatever).
You have to tell the scope to keep the last settings (which includes IP info).
Utility > System > Power ON > Last

[NoisyBoy]

I want to give a shoutout to lujji for his excellent work in providing our community with the bspatch file.  I thought I would give everyone an update on my upgrade experience.

Frankly, given so many failed attempts posted here with regard to the Rigol firmware (not the patch), I was hesitant to proceed with the upgrade until there are more positive feedbacks.  Anyhow, I had some time this morning so I proceeded with the upgrade anyway.  I used the one 16GB USB drive I have always used for all firmware upgrades, and I was able to apply the new firmware successfully, no reset or secret button required (I also do not have any special saved setting on my scope, it is set to go back to default at each boot, as I rarely ever use the MSO5000).  All I did was to push the button for the update, once it finished, reboot, and everything was up and running - without any enhancements as expected.  But the upgrade process was smooth, my hardware is the original 1.00.00 if that matters. 

I then proceed to apply the bspatch file lujji kindly provided, and everything worked just as expected, all the enhancements returned.   I ran a self-cal after the upgrade after the scope is fully warmed up as a best practice.

Given all the issues I read MSO5000 has with different USB drives, I may just tape the drive to the back of the scope for future updates.

I can't say this will work for everyone, but hopefully this gives one more datapoint for those who may be on the fence.  Good luck.

[V42bis]

When I download the firmware using the link above “official firmware” I don’t get 01.03.02.02 I get V1_1_4_4 (Rigol download page says 01.03.02.02. seems like the text does not match the file.
Since the patch is for 01.03.02.02, where can I get the correct the matching 01.03.02.02 firmware to the patch?
I wasn’t careful, and now have a scope without a matching  patch which isn’t out yet!

Thanks!

[Finity]

I am not sure what country you are in, but Rigol NA (North America) site hase the download for the latest firmware and is at

https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-f24095b5-cc11-4e8d-8df9-d2bfdffd5efc/0/-/-/-/-/MSO5_FW_V1_1_4_4.zip

When unzipped it will give you the 01.03.02.02 firmware properly labeled as well as upgrade instructions  and release notes (3 files total). I think if you just unzip the file you have it will give you the correct firmware.

It is labeled as "MSO5000 scope family latest firmware" on the official site.

 I am most likely going to try the upgrade and patch over the weekend for another data point, hopefully it will work on my scope.

[mwb1100]

When I download the firmware using the link above “official firmware” I don’t get 01.03.02.02 I get V1_1_4_4 (Rigol download page says 01.03.02.02. seems like the text does not match the file.

Rigol's practices for handling of firmware updates is terrible (at least for the MSO5000 - can't say if it's the same across the board)

The version number in the filename is meaningless for some time now.  Actually worse than meaningless - it's downright confusing.

[c0d3z3r0]

Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code: [Select]

<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail


[Finity]

Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code: [Select]

<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail


When sent as SCPI code here is the response I get:

 * Connected to: USB0::0x1AB1::0x0515::MS5AXXXXXXXXX1::INSTR
-> *IDN?
<- (Return Count:56)
RIGOL TECHNOLOGIES,MSO5074,MS5AXXXXXXXXX,00.01.03.00.03

-> *IDN?
<- (Return Count:56)
RIGOL TECHNOLOGIES,MSO5074,MS5XXXXXXXXX,00.01.03.00.03

-> pkill -9 appEntry; /rigol/appEntry -run
<- (Return Count:0)

 * Error!!!
VISA:  (Hex 0xBFFF0015) Timeout expired before operation completed.

But this is above my (non)coding ability. Hopefully this is helpful, can try other things if you are willing to walk me thru it.

[tv84]

Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code: [Select]

<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail


I somewhat remember seeing those errors in the old days... So, I think there is no reason to worry.

[c0d3z3r0]

Could someone please check on their MSO5 if these errors appear there as well, when running "pkill -9 appEntry; /rigol/appEntry -run"? FW version doesn't matter, but would be good to know which one.

Code: [Select]

<root@rigol>/rigol/appEntry -run
7 2048 16 2 "/dev/fb0"
!!!rom head fail
!!!rom inl fail
!!!rom head fail
!!!rom inl fail


When sent as SCPI code here is the response I get:

 * Connected to: USB0::0x1AB1::0x0515::MS5AXXXXXXXXX1::INSTR
-> *IDN?
<- (Return Count:56)
RIGOL TECHNOLOGIES,MSO5074,MS5AXXXXXXXXX,00.01.03.00.03

-> *IDN?
<- (Return Count:56)
RIGOL TECHNOLOGIES,MSO5074,MS5XXXXXXXXX,00.01.03.00.03

-> pkill -9 appEntry; /rigol/appEntry -run
<- (Return Count:0)

 * Error!!!
VISA:  (Hex 0xBFFF0015) Timeout expired before operation completed.

But this is above my (non)coding ability. Hopefully this is helpful, can try other things if you are willing to walk me thru it.

Well, SCPI is handled by appEntry AIUI. So, when you kill appEntry, SCPI won't work (and you won't get the response back). I guess this can be only tested via SSH.

[tv84]

Well, SCPI is handled by appEntry AIUI. So, when you kill appEntry, SCPI won't work (and you won't get the response back). I guess this can be only tested via SSH.

It's much worse than that.

A SCPI "shell" (the usual port 5xxx) won't accept linux commands. So, if you want to send linux commands you must previously get yourself a SSH or telnet connection.

[Finity]

Yes, figured that out last night, will install and use PUTTY today.

EDIT: Need help in enabling SSH. Looking thru all the posts to find the right one is getting frustrating. Will keep at it, but a guide would be helpful. Just not finding it right now.

[c0d3z3r0]

Yes, figured that out last night, will install and use PUTTY today.

EDIT: Need help in enabling SSH. Looking thru all the posts to find the right one is getting frustrating. Will keep at it, but a guide would be helpful. Just not finding it right now.

This is how I do it:

I have created a generic update file that simply calls mod.sh on the usb stick, like this:

Code: [Select]

cat <<"EOF" >fw4linux.sh.plain
#!/bin/sh
. /media/sda1/mod.sh
EOF

openssl aes-128-cbc -K BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD -iv BAD8CFFEBBAAB5C4C3D8D4BFCAFDBEDD -in "fw4linux.sh.plain" >fw4linux.sh

tar -cf DS5000Update.GEL fw4linux.sh

Then I can make mod.sh do whatever I want, e.g.:

Code: [Select]

#!/bin/sh

# enable ssh
echo '/usr/sbin/sshd &' >>/rigol/shell/start.sh

sync

# run ssh
/usr/sbin/sshd &


Put both files (DS5000Update.GEL, mod.sh) on a usb stick and do a "local upgrade" on the scope. Configure your LAN interface correctly, then connect via SSH to the scope (root : Rigol201).

[tcottle]

I did the upgrade this morning.  It did not go without hiccups so I thought I would report my findings

1. My scope HW version is 01.00.000 and was updated and patched to the previous release
2. I'm using a 4GB USB drive formatted as Fat32.  The drive is empty except for the FW files or patch files (not at the same time).  I'm pretty sure that I have used this drive before for updates
3. I downloaded and extracted MSO5_FW_Update to the flash drive
4. Updated using the local upgrade options feature
5. On reboot the startup gas gage goes to full and then stalls.  Dang
6. Second reboot - no change
7. Enter the secret menu by pressing Single button during reboot.  Two options presented: Upgrade Firmware and Restore Defaults
8. Tried Upgrade Firmware - scope reports a FW error
9. Tried Restore Defaults - the scope boots and shows FW 00.01.03.02.02(!)
10. Ran the patch using the local upgrade option.  Can confirm that the patch does not reboot the scope upon completion
11. Reboot scope, all options show forever 

Thanks to lujji and everyone else who has worked enhancing this scope
Unlike NoisyBoy, my scope was not running using default settings

[NoisyBoy]

That is a good observation.  So my hypothesis is the new firmware may not handle migrations of some stored configurations properly, while the upgrade of AppEntry was actually performed, the new firmware does not know how to handle some stored configs, and that cause the scope to hang.  With Restore Default, it wipes any stored configs, and allow the scope to have a clean boot.

If that's the case, perhaps one extra step to do prior to the upgrade is to remove any stored config, and make sure the scope boot in default state rather than restoring the state from last boot.  That may save the extra the headache from hangs and having to go into the secret menu.

If this is the cure, Rigol should have stated it in the upgrade instruction in bold (may be they did, except they encrypted it  ).  Better yet, to include a config migration in the upgrade, so it is transparent to the user.    That's what any good equipment vendor would have done to handle firmware upgrades. 

[Finity]

Another successful upgrade to a MSO5074 using the 00.01.03.02.02 GEL file from RigolNA build date 2022-12-05.

Then applied patch by Lujji, manual power cycle and good to go. Forever upgrades for all options (or at least that is what is on the screeen).

Hardware version 01.01.000. My setup was close to defaults, but not the LAN settings. LAN settings were preserved for me.

Zooming is much less laggy, very noticeable difference and much less frustrating.

Many thanks to Lujji.

Thanks also to c0d3z3r0 for the SSH files, they work great. Will be testing later. 

EDIT: Hmm, the SSH enabling coding "upgrade" from c0d3z3r0 now fails with the new firmware.