Author Topic: New Rigol DS7000  (Read 66771 times)


Offline memeruiz

  • Contributor
  • Posts: 12
  • Country: de
Re: New Rigol DS7000
« Reply #300 on: April 19, 2021, 09:43:01 pm »
Looks like they are changing the license portion of the appEntry, I have seen a similar thing on a later version of the 5000 firmware.

The mentioned function from here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2233152/#msg2233152 I guess is just an address really. Checked on my MSO7000 appEntry file and there is no function there. (As expected, quite unlikely that these two software compilations (one for 5000 and one for 7000) will have the same memory position for all functions). That commentary is not really giving any useful information to find it in the rest of the code. So just do from scratch rev. eng. ...

I have to look more into all the comments of that thread to see if I find someone giving more details.
 

Offline memeruiz

  • Contributor
  • Posts: 12
  • Country: de
Re: New Rigol DS7000
« Reply #301 on: April 19, 2021, 09:50:26 pm »
Not likely.

@memeruiz,

My guess is that the patches were wrong.

Are you sure you reflashed the stock FW?

Have you re-inserted the licenses via the usual method?

If that doesn't work, it means you somehow corrupted your FRAM's pubkey.

Not likely what part?

The patches are sure wrong (but it was not a patch really, just a manually modified appEntry version)! It would be working otherwise!

Why do I have to reflash the FW? I changed the appEntry file temporarily and then just recover with the original one. No changes anywhere else (except start.sh for sshd).

I tried copying the .lic files back again to data dir. but didn't work. I'm not sure if that is the "usual method" .... I will have to look for the "usual method" on the MSO5000 thread probably then.

Well, if I changed a bin executable file by hand incorrectly, anything can happen, even corrupting something I guess. But I find that highly unlikely. My guess is that maybe the software detects that something changed in the binary itself and then invalidates all licenses. (like a protection). Not really sure.

I didn't play with FRAM. Except maybe your backup script did something bad there, if it somehow touches that.
« Last Edit: April 19, 2021, 09:53:38 pm by memeruiz »
 
The following users thanked this post: natman69

Online tv84

  • Super Contributor
  • ***
  • Posts: 2252
  • Country: pt
Re: New Rigol DS7000
« Reply #302 on: April 20, 2021, 08:39:45 am »
Not likely what part?

The patches are sure wrong (but it was not a patch really, just a manually modified appEntry version)! It would be working otherwise!

Why do I have to reflash the FW? I changed the appEntry file temporarily and then just recover with the original one. No changes anywhere else (except start.sh for sshd).

I tried copying the .lic files back again to data dir. but didn't work. I'm not sure if that is the "usual method" .... I will have to look for the "usual method" on the MSO5000 thread probably then.

Well, if I changed a bin executable file by hand incorrectly, anything can happen, even corrupting something I guess. But I find that highly unlikely. My guess is that maybe the software detects that something changed in the binary itself and then invalidates all licenses. (like a protection). Not really sure.

I didn't play with FRAM. Except maybe your backup script did something bad there, if it somehow touches that.

The "not likely" was an answer to @normi's post.

 :wtf: is a "manually modified appEntry version" if not a patch?

The "usual method" is the way Rigol tells us how licenses must be inserted. Have you seen any official method of inserting licenses through copying files in a telnet session?

"Well, if I changed a bin executable file by hand incorrectly, anything can happen, even corrupting something I guess. But I find that highly unlikely... Except maybe your backup script did something bad there, if it somehow touches that."

With these comments, I'm out.
 

Offline normi

  • Contributor
  • Posts: 34
  • Country: 00
Re: New Rigol DS7000
« Reply #303 on: April 20, 2021, 11:48:26 am »

The "usual method" is the way Rigol tells us how licenses must be inserted. Have you seen any official method of inserting licenses through copying files in a telnet session?

.

I agree you should use the method Rigol recommends to add the license, it is likely that after the license is copied to the scope it then gets processed and changes made elsewhere. The license file is probably not used after, so you will have to do over the adding by inserting the USB stick with the keys and then do an option install.
@memeruiz
What was the build date on that firmware?
 

Offline memeruiz

  • Contributor
  • Posts: 12
  • Country: de
Re: New Rigol DS7000
« Reply #304 on: April 21, 2021, 04:26:51 am »

The "not likely" was an answer to @normi's post.

 :wtf: is a "manually modified appEntry version" if not a patch?

The "usual method" is the way Rigol tells us how licenses must be inserted. Have you seen any official method of inserting licenses through copying files in a telnet session?

"Well, if I changed a bin executable file by hand incorrectly, anything can happen, even corrupting something I guess. But I find that highly unlikely... Except maybe your backup script did something bad there, if it somehow touches that."

With these comments, I'm out.

I used vbindiff between an original appEntry and a patched appEntry for the MSO5000. That way I found the data changed by the patch. Not only the offsets but also the particular changed data and also its context (data before and after).

Then, I used a binary editor ghex. This tool has a binary search function. I looked for similar data before and after the patched data in my appEntry MSO7000 file. Then I applied the same changes to the data between. I did a manual patching basically. I have done this before, when files haven't changed much this works fine. In this case the data on the last offset was not that similar on the MSO7000 to the MSO5000.

With respect to the licenses thing. I have never inserted any Rigol licenses yet. This Oscilloscope is very new to me. I will be asking for the license updates they are giving now for free, then I will discover this license activation method. I don't know how to do it. I did try to scp the .lic files back to the /rigol/data dir. from my backup. That didn't work. I guess it is not the right method. Didn't know this oscilloscope has a telnet port open (it seems very obsolete to be using telnet for anything nowadays).

If you are sure your backup script works fine then ignore the message. I was pointing out, it is the only other way I could see any corruption there. I never imagined people could get offended (apparently) by pointing out all possibilities, in technical conversations. I will be more careful from now on ... avoiding getting people unintentionally offended.
 
The following users thanked this post: natman69

Offline memeruiz

  • Contributor
  • Posts: 12
  • Country: de
Re: New Rigol DS7000
« Reply #305 on: April 21, 2021, 04:31:54 am »

The "usual method" is the way Rigol tells us how licenses must be inserted. Have you seen any official method of inserting licenses through copying files in a telnet session?

.

I agree you should use the method Rigol recommends to add the license, it is likely that after the license is copied to the scope it then gets processed and changes made elsewhere. The license file is probably not used after, so you will have to do over the adding by inserting the USB stick with the keys and then do an option install.
@memeruiz
What was the build date on that firmware?

The licenses came with the Oscilloscope already. So I don't have any license files, nor instructions to do this license activation. I will be asking Rigol for the free licenses they are currently offering. I will then discover how to do this and I will have the necessary files. I don't know if the .lic files are the same as the "keys" you are mentioning.

The build date on the firmware I will send it to you privately, I'm afraid there are eyes around here that could use that for blacklisting me.
« Last Edit: April 21, 2021, 04:35:45 am by memeruiz »
 

Offline memeruiz

  • Contributor
  • Posts: 12
  • Country: de
Re: New Rigol DS7000
« Reply #306 on: April 21, 2021, 10:37:14 am »
A bit of more updates:

I modified the patchfinder.sh for working in Linux.

I ran this script using appEntry_01_01_04_08.bpatch using appEntry.ori.01.01.04.08 against the following appEntries:

appEntry.ori.5k.01.02.00.02   Finds proper offsets
appEntry.ori.5k.01.02.00.03  Finds proper offsets
appEntry.ori.5k.01.03.00.01   Finds proper offsets
appEntry.ori.7k.00.01.01.09.02   No results
appEntry.ori.7k.00.01.02.00.05   No results

Maybe some things must be tweaked in patchfinder.sh to "search better or more" ....

Manually I was able to find most changes against my firmware version (01.01.02.00.06). Except the last binary change. But it didn't work.

Is there a newer patch file than this one:  appEntry_01_01_04_08.bpatch ?
Is there a patch file specifically made for the 7k?

I haven't found any on the forums.
 

Offline memeruiz

  • Contributor
  • Posts: 12
  • Country: de
Re: New Rigol DS7000
« Reply #307 on: April 21, 2021, 12:13:07 pm »
Good news :)

Got my MSO7014 totally upgraded. Thanks to everybody that contributed so many details of the Osc.

I had to objdump three files:

appEntry.5k.01.01.04.08
appEntry.5k.01.01.04.08_patched  (with appEntry_01_01_04_08.bpatch)
appEntry.ori.7k.01.01.02.00.06

With the object dumps I was able to get a better context on the things I was changing by hand. I think the problem from my first attempt was the last 8byte change. It was a bit more different on the 7k than the other changes.

patchfinder.sh was not able to find these changes between 5k and 7k. Maybe it has to be tweaked to force a stronger lookup for more far away address. I'm not sure how exactly patchfinder looks for the changes. Find attached patchfinder.sh modified for Linux. You still have to install zsh in Linux to run it! You also need binutils-arm-linux-gnueabi

Code:
zsh patchfinder.sh appEntry.ori bsdiff patch.txt appEntry.new
Also find attached the bspatch for MSO7000 firmware version 01.01.02.00.06 (which is not on the Rigol webpage yet for some reason). It could be that this patch also works for older firmware versions. Please check!
« Last Edit: April 21, 2021, 12:21:37 pm by memeruiz »
 
The following users thanked this post: BarsMonster, mindcrime, djidji

Offline drhex

  • Contributor
  • Posts: 7
  • Country: gb
Re: New Rigol DS7000
« Reply #308 on: May 01, 2021, 11:01:39 pm »
Thanks @memeruiz, this worked like a charm!
 

Offline mindcrime

  • Supporter
  • ****
  • Posts: 332
  • Country: us
Re: New Rigol DS7000
« Reply #309 on: May 02, 2021, 12:47:49 am »
Awesome, now I just need to go back through this entire thread, re-read it all, really digest / understand what's going on here, and then I can take a stab at hacking my MSO70204.  ;D

I'm hoping it goes more smoothly, since I get the benefit of learning from the pains you guys have had already!  :-+
 

Offline drhex

  • Contributor
  • Posts: 7
  • Country: gb
Re: New Rigol DS7000
« Reply #310 on: May 02, 2021, 12:53:23 am »
And managed to brick the scope. Somehow it didn't persist settings through reboot, so tried to install the latest from the website (v00.01.02.00.06), no change. The patched appEntry from v01.01.02.00.06 doesn't work with that, patching it with the same patch bricks the scope - ssh doesn't come up when it gets stuck at appEntry, at least for me. Now I can't reinstall from the bootloader after pressing "single" on power on, says the package is invalid? Doesn't seem to use the USB really, at least not for an extended time before complaining about the package. Does anybody have an idea?
 

Offline drhex

  • Contributor
  • Posts: 7
  • Country: gb
Re: New Rigol DS7000
« Reply #311 on: May 02, 2021, 10:25:35 pm »
OK, not being able to reinstall from the hidden menu was apparently due to a too big USB stick, a 2GB one worked fine in the end. Does anybody have the v01.01.02.00.06 install file?
Patch for v00.01.02.00.06 attached, please use bspatch to apply.
« Last Edit: May 03, 2021, 05:53:03 pm by drhex »
 

Offline memeruiz

  • Contributor
  • Posts: 12
  • Country: de
Re: New Rigol DS7000
« Reply #312 on: May 03, 2021, 03:44:46 am »
OK, not being able to reinstall from the hidden menu was apparently due to a too big USB stick, a 2GB one worked fine in the end. Does anybody have the v01.01.02.00.06 install file?
Patch for v00.01.02.00.06 attached, please use bsdiff to apply.

Awesome @drhex that you could get your scope working again and upgraded.

I'm at a loss with my scope firmware version. It is not on any website for downloading. Apparently is newer than all the downloadable ones.

When you applied bspatch, did the patching give any errors or warnings? (Like patch not applied or failed)

The last binary data chunk is tricky. I think the binary asm instruction may change from firmware to firmware because it is a branch execution and the branch address is different. (This is what I noticed comparing with the 5k). Not sure really.

I hope this doesn't mean a different binary patch is necessary for each version.
 

Offline drhex

  • Contributor
  • Posts: 7
  • Country: gb
Re: New Rigol DS7000
« Reply #313 on: May 03, 2021, 05:52:27 pm »
I created the patch from a diff based on the 01.01.02.00.06 version. The symbols to be patched are the same in 00.01.02.00.06.
bspatch didn't complain when applying the 01 patch to the 00 version (think it would only complain if the target file is too small). Bit of a pity that patchfinder.sh doesn't display the actual offsets in the file - may figure that out at some point, I just searched with a hex editor and patched accordingly.
My scope came with the 01 version, too - so your original patch was very handy! Don't think the last change is an issue as such as there are no hard addresses in there. Worked without any change for me (but I haven't really looked for side effects).
« Last Edit: May 03, 2021, 05:55:20 pm by drhex »
 

Offline wat

  • Contributor
  • Posts: 11
  • Country: it
Re: New Rigol DS7000
« Reply #314 on: May 06, 2021, 09:02:00 am »
hi drhex,
I had the same problem of the persistence of the settings after reboot,
this solves it: https://www.eevblog.com/forum/testgear/new-rigol-ds7000/msg1863522/#msg1863522

And managed to brick the scope. Somehow it didn't persist settings through reboot, so tried to install the latest from the website (v00.01.02.00.06), no change. The patched appEntry from v01.01.02.00.06 doesn't work with that, patching it with the same patch bricks the scope - ssh doesn't come up when it gets stuck at appEntry, at least for me. Now I can't reinstall from the bootloader after pressing "single" on power on, says the package is invalid? Doesn't seem to use the USB really, at least not for an extended time before complaining about the package. Does anybody have an idea?
 

Offline drhex

  • Contributor
  • Posts: 7
  • Country: gb
Re: New Rigol DS7000
« Reply #315 on: May 09, 2021, 11:42:22 am »
Thanks for mentioning, I did work that out in the end - I did expect this setting to influence scope channel setup but not basics like the IP configuration. Seems it resets EVERYTHING.
 

Offline normi

  • Contributor
  • Posts: 34
  • Country: 00
Re: New Rigol DS7000
« Reply #316 on: May 13, 2021, 12:28:31 am »
Thanks for mentioning, I did work that out in the end - I did expect this setting to influence scope channel setup but not basics like the IP configuration. Seems it resets EVERYTHING.

The default setting looks like it's there to ensure that all scopes will have a standard setting, so if you report an issue support can be sure that they are comparing a scope with a known configuration. The missing feature is to allow you to add your custom setup as an option to boot the scope. You can manually store and load your settings though, sometimes it takes a while to get all the triggering correct for a decode so I have to store the config to prevent having to repeat process.
 

Offline normi

  • Contributor
  • Posts: 34
  • Country: 00
Re: New Rigol DS7000
« Reply #317 on: May 26, 2021, 12:57:52 am »
Worked without any change for me (but I haven't really looked for side effects).

Did you see jitter analysis enabled under measure > Analyze?
 

Offline drhex

  • Contributor
  • Posts: 7
  • Country: gb
Re: New Rigol DS7000
« Reply #318 on: June 03, 2021, 03:48:52 pm »
Yes, that is there and can be enabled - it isn't showing any results though (which may be entirely due to me not using it correctly).
 

Offline BarsMonster

  • Contributor
  • Posts: 23
  • Country: ch
    • Microchips internals
Re: New Rigol DS7000
« Reply #319 on: June 12, 2021, 10:48:41 pm »
Also find attached the bspatch for MSO7000 firmware version 01.01.02.00.06 (which is not on the Rigol webpage yet for some reason). It could be that this patch also works for older firmware versions. Please check!

This week I got MSO7014.
I am glad to report that patch files from memeruiz worked with no issues. Factory firmware version was matching. 8)
Thanks to everyone involved in enabling this path :)
Microchips internals: http://zeptobars.com/
 

Offline Sighound36

  • Frequent Contributor
  • **
  • Posts: 351
  • Country: gb
Re: New Rigol DS7000
« Reply #320 on: June 13, 2021, 03:05:15 pm »
Yes, that is there and can be enabled - it isn't showing any results though (which may be entirely due to me not using it correctly).

drhex

This is the position we found ourselves in two years ago (with the 5000 we even had the eye feature accessible (after opening up) BUT non-functioning, as with the 7000 as well). We managed to stretch the BW up to around 3/4 of a GHz as well, thanks to Tv84.

One of the reasons I went over to an MSO8000 at that time.

The 7000 offers some great features: 10G/s, 500Mpt memory, some nifty analysis tools, HDMI output, 10 inch screen etc.
The chaps in the main lab still use a couple of these, but not for really low noise measurements.

Nice to see interest still in this underrated scope.
Seeking quality measurement equipment at realistic cost with proper service backup. If you pay peanuts you employ monkeys.
 

Offline BarsMonster

  • Contributor
  • Posts: 23
  • Country: ch
    • Microchips internals
Re: New Rigol DS7000
« Reply #321 on: June 13, 2021, 08:28:06 pm »
Yes, that is there and can be enabled - it isn't showing any results though (which may be entirely due to me not using it correctly).

I can confirm that both jitter & eye are there, but not showing anything for any clock recovery methods.
Only histogram is there working as crude jitter tool.
Microchips internals: http://zeptobars.com/
 
The following users thanked this post: sslupsky

Online tv84

  • Super Contributor
  • ***
  • Posts: 2252
  • Country: pt
Re: New Rigol DS7000
« Reply #322 on: June 13, 2021, 08:50:08 pm »
We did some experiments here with a MSO5000.
 

Offline BarsMonster

  • Contributor
  • Posts: 23
  • Country: ch
    • Microchips internals
Re: New Rigol DS7000
« Reply #323 on: June 14, 2021, 09:23:06 am »
We did some experiments here with a MSO5000.

This is the position we found ourselves in two years ago

On your screenshots I see that something is working better than for me...
I see measurements of Jitter. Are they not correct, or are they deficient in some way? What settings did you use to get these?

Microchips internals: http://zeptobars.com/
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2252
  • Country: pt
Re: New Rigol DS7000
« Reply #324 on: June 14, 2021, 10:44:32 am »
I see measurements of Jitter. Are they not correct, or are they deficient in some way? What settings did you use to get these?

I just forced the MSO5000 to 500 MHz BW. Sighound36 did the rest with the settings.
 

