Author Topic: New Rigol RSA5000 Real Time Spectrum Analyser  (Read 53566 times)


Offline eleguy

  • Regular Contributor
  • *
  • Posts: 54
  • Country: fi
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #150 on: February 21, 2021, 07:13:41 pm »
Another interesting random mistake:

RSA3015N running as RSA5032N

Could you elaborate how this mistake happened?
 
The following users thanked this post: tonykara

Offline qip

  • Newbie
  • Posts: 4
  • Country: 00
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #151 on: March 01, 2021, 08:33:49 am »
Hi Sighound36, can you please perhaps provide a BOM for the PSU modification? Or same values, just lower ESR? BOM would be nice nevertheless, so I can order the parts. tia! qip
« Last Edit: March 06, 2021, 09:22:36 am by qip »
 

Offline qip

  • Newbie
  • Posts: 4
  • Country: 00
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #152 on: March 01, 2021, 08:39:32 am »
Hi tv84, thanks for your great work already, I am also looking at the firmware, but currently stuck at the cramfs images. I see that this might be a non-standard cramfs format, quite similar but the inodes are 1 block (4 bytes) longer than the spec. Having already mapped a few of the additional bytes, but not there yet. How are you unpacking the rom images?
 

Offline qip

  • Newbie
  • Posts: 4
  • Country: 00
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #153 on: March 04, 2021, 03:47:12 am »
Well I got it, and looks like the RSA3030-TG got the -E treatment, or maybe I am missing something with my method. :-//

After doing some convincing for 6.5GHz, there is a sharp cutoff at exactly 3.2GHz, guess there is some HW path not populated like in post #101 https://www.eevblog.com/forum/testgear/new-rigol-real-time-spectrum-analyser/msg2833482/#msg2833482. Don't think they have redesigned the board in such a short time and haven't had a look inside yet.

Caldata freq ranges are the same as in the already mentioned excel sheets for RSA3030-TG.

If someone would be willing to compare HW revisions or upgrade methods, let's work on it.
 
The following users thanked this post: grothendieck

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: pt
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #154 on: March 04, 2021, 10:22:42 am »
Quote
If someone would be willing to compare HW revisions or upgrade methods, let's work on it.

AFAIK, you're on the right track. What you see should be the result of unpopulated areas. At least, I've been unable to overcome that via software.

So far I've only seen a unit that allowed the full 6.5 GHz upgrade. Sadly, never saw its internals...
 

Offline qip

  • Newbie
  • Posts: 4
  • Country: 00
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #155 on: March 04, 2021, 11:21:06 am »
Quote
AFAIK, you're on the right track. What you see should be the result of unpopulated areas. At least, I've been unable to overcome that via software.

Yea I just realized the HW Version: 00.01.02 vs. your 00.01.01. So they might have not placed the components in the newer versions, guess end of the line without knowing U307.
 

Offline chrismholt

  • Newbie
  • Posts: 7
  • Country: ca
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #156 on: March 31, 2021, 02:02:05 am »
I just ordered an RSA3015N. I'm excited to try upgrading it. I was wondering where to start learning. Is the method similar to an oscilloscope outlined in another thread? Where should I start reading?
 
The following users thanked this post: tonykara

Offline EE-digger

  • Frequent Contributor
  • **
  • Posts: 318
  • Country: us
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #157 on: April 01, 2021, 03:03:37 am »
I've just stopped short of ordering either a 3015N or 3030N after watching the Rigol videos.  It's probably unfair to compare it to a high end brand A unit.

One thing I found interesting is that their DTF (distance to fault) seems to only have around 50mm resolution.  The brand A unit can get down to 1- 2mm or better.  Since both are set to 3GHz, this limitation would seem to be in their transform math or sampling resolution in hardware.

On cabling that's 10s or 100s of feet, this may not be much of an issue but on more compact assemblies it is.

Has anyone performed an SOLT cal with a good quality cal kit?  What do you see for return loss when re-examining the load?  What do the open and short look like?

« Last Edit: April 08, 2021, 03:11:46 pm by EE-digger »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: pt
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #158 on: May 04, 2021, 07:36:02 pm »
Comparing the inside of these equipments:

It's not possible to convert Rigol RSA30xxE to RSA30xxN.

BTW, RSA3000E is even different from RSA3000, so 100% upgrade is not possible. There are some missing parts.
 

Offline mysol

  • Contributor
  • Posts: 12
  • Country: ru
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #159 on: May 05, 2021, 08:04:04 pm »
What about 50% upgrade?) At least unlock features or maybe getting 3 GHz from 1.5
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: pt
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #160 on: May 06, 2021, 09:38:53 am »
Quote
What about 50% upgrade?) At least unlock features or maybe getting 3 GHz from 1.5

That has already been demonstrated in this thread.
 
The following users thanked this post: grothendieck

Offline mysol

  • Contributor
  • Posts: 12
  • Country: ru
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #161 on: May 19, 2021, 08:36:28 pm »
But how to do this?)
 
The following users thanked this post: tonykara

Offline mysol

  • Contributor
  • Posts: 12
  • Country: ru
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #162 on: June 21, 2021, 08:05:53 am »
There seems to be a new firmware for RSA3000E from 06/21/2021 ver 00.01.00.00.14, but without patch notes
https://int.rigol.com/En/Index/listView/catid/28/tp/6/wd/rsa3000e
 

Offline grothendieck

  • Newbie
  • Posts: 1
  • Country: cn
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #163 on: September 14, 2021, 11:16:39 am »
So have you figured it out? :D
 

Offline hcglitte

  • Regular Contributor
  • *
  • Posts: 137
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #164 on: October 30, 2021, 03:47:11 pm »
Hi,

Going through this thread it seems that an upgrade is possible, but no mention of how to do this.
There is one attachment which is named full backup, but the contents say update.
However, how is this file used?

I don't understand why someone has the desire to demonstrate that it is possible, but do not want to share how they do it.
 
The following users thanked this post: tonykara

Offline mysol

  • Contributor
  • Posts: 12
  • Country: ru
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #165 on: October 30, 2021, 05:20:49 pm »
Hi!
Dear sirs tv84 and qip said that it is still quite difficult and there is no single recipe and requires good knowledge in embedded linux
 

Offline hcglitte

  • Regular Contributor
  • *
  • Posts: 137
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #166 on: October 30, 2021, 05:39:55 pm »
Hi mysol,

Ok, thanks for clarifying :-)
 

Offline mysol

  • Contributor
  • Posts: 12
  • Country: ru
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #167 on: November 02, 2021, 09:31:59 am »
No problem)
 

Offline scottapotamas

  • Newbie
  • Posts: 3
  • Country: au
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #168 on: March 30, 2022, 01:58:11 pm »
Just got a 3015N and have started trying to familiarise myself with the fw. I've hit the same cramfs roadblock that qip mentioned and haven't found a way through it quite yet...



Rigol released a new 00.03.04 fw update early March 2022, notes below:

Code: [Select]
[Model Supported] RSA5065,RSA5065-TG,RSA5065N
                            RSA5032,RSA5032-TG,RSA5032N
                            RSA3015N,RSA3030,RSA3030-TG,RSA3030N
                            RSA3045,RSA3045-TG,RSA3045N
[Latest Revision Date] 2022-03-02


[Updated Contents]
00.03.04

- Solve the corrected value of the meter in EMI mode related problems.

For general reference, my 3015N unit shipped with these versions (+free BW40+EMI options):

Code: [Select]
HW Version
    Main Board:     00.01.03
    Keyboard:       00.01.00
    TG Board:       00.01.00

FW Version
    CPU:            00.01.00
    SPU:            00.01.06
    WPU:            00.01.02

SW Version
    BOOT:           00.01.00
    OS:             00.01.00
    Firmware:       00.03.03



I haven't committed to a particular SOLT kit yet, but noticed that there are no preloaded values for their 1.5G kit (CK106E). Thoughts?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: pt
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #169 on: March 30, 2022, 03:07:37 pm »
Quote
I've hit the same cramfs roadblock that qip mentioned and haven't found a way through it quite yet...

What you say about the cramfs, although not fully "officially supported", is a mere evolution of the cramfs format that allows bigger files. The original format has a limitation in the size of files inside the filesystem and in the size of the cramfs filesystem file itself.

AFAIR there are a few websites that talk about the differences. And it's used in many cramfs systems that have bigger filesystems.
 
The following users thanked this post: 龚平
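
The size limits mentioned in the reply above come from the bit widths in the standard cramfs inode. As an added example (not code from any poster or from Rigol), this parses the standard little-endian superblock and root inode and lists deviations from the standard layout; it does not describe the variant format discussed in the thread, and the sample image header is constructed.

```python
import stat
import struct

CRAMFS_MAGIC = 0x28CD3D45
SIGNATURE = b"Compressed ROMFS"
# Standard 76-byte superblock: magic, size, flags, future, signature,
# fsid (crc, edition, blocks, files), name, 12-byte root inode.
SUPER = struct.Struct("<4I16s4I16s3I")      # little-endian is an assumption
MAX_FILE_SIZE = (1 << 24) - 1               # inode size field is 24 bits
MAX_DATA_OFFSET = ((1 << 26) - 1) * 4       # 26-bit offset, counted in 4-byte units

def unpack_inode(w0, w1, w2):
    """Split the three 32-bit words of a standard 12-byte cramfs inode."""
    return {"mode": w0 & 0xFFFF, "uid": w0 >> 16,
            "size": w1 & 0xFFFFFF, "gid": w1 >> 24,
            "namelen": (w2 & 0x3F) * 4, "offset": (w2 >> 6) * 4}

def parse_superblock(buf):
    """Parse the superblock at offset 0 and collect layout problems."""
    if len(buf) < SUPER.size:
        raise ValueError("image shorter than a cramfs superblock")
    (magic, size, flags, _future, sig, _crc, edition, blocks, files,
     name, w0, w1, w2) = SUPER.unpack_from(buf)
    if magic != CRAMFS_MAGIC:
        raise ValueError("no little-endian cramfs magic at offset 0")
    root = unpack_inode(w0, w1, w2)
    problems = []
    if sig != SIGNATURE:
        problems.append("unexpected signature")
    if not stat.S_ISDIR(root["mode"]):
        problems.append("root inode is not a directory")
    if root["offset"] and not SUPER.size <= root["offset"] < size:
        problems.append("root offset outside image")
    return {"size": size, "flags": flags, "edition": edition,
            "blocks": blocks, "files": files,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "root": root, "problems": problems}

def build_sample(mode=stat.S_IFDIR | 0o755):
    """Constructed header: 4096-byte image, root directory data at offset 76."""
    w1 = 40                      # directory data size, gid 0
    w2 = (76 // 4) << 6          # namelen 0, offset 76
    return SUPER.pack(CRAMFS_MAGIC, 4096, 0x3, 0, SIGNATURE,
                      0, 0, 1, 3, b"sample", mode, w1, w2)

if __name__ == "__main__":
    print(parse_superblock(build_sample()))
    print("max file size:", MAX_FILE_SIZE, "max data offset:", MAX_DATA_OFFSET)
```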

Offline scottapotamas

  • Newbie
  • Posts: 3
  • Country: au
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #170 on: March 31, 2022, 03:14:59 pm »
Yeah I got it shortly after you posted. Is there some unspoken reason for why we're not talking about the details?

I don't want to overstep, but I've previously appreciated the transparency in other Rigol threads.



I've run out of time to play with licence related 'features' this evening, but for anyone wondering, SSH and FTP are enabled out of the box.

Code: [Select]
[root@RSA5000:]#uname -a
Linux RSA5000 3.12.0-xilinx #1 SMP PREEMPT Tue Dec 25 17:30:27 CST 2018 armv7l GNU/Linux

[root@RSA5000:]#ls
bin      dev      home     linuxrc  opt      rigol    run      sys      usr
boot     etc      lib      mnt      proc     root     sbin     tmp      var

The "root" user hash is DES (Unix), which took about 3 minutes to break on GPU via hashcat.
There is also a "RSA5000" user, but the hash is SHA512 (UNIX), didn't brute-force under 6 character length, and doesn't matter anyway...
 
The following users thanked this post: tonykara, MegaVolt

Offline eeX86

  • Newbie
  • Posts: 1
  • Country: pl
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #171 on: May 16, 2022, 08:40:03 pm »
Good work guys.

Yes, so figuring out the specifics of that modified CRAMFS can be annoying. Could someone share the modifications?

So the more lazy approach in this case was to modify the firmware upgrade sh script.
Just put in some commands e.g. copying some interesting files to the USB stick. passwd, process list,  ssh config for example. With the root and ssh working, there is
the way open to explore more. I basically think the device specifics are in the internal fram.

dmesg:
at24 1-0050: 2048 byte mb85rc16 EEPROM, writable, 128 bytes/write
xi2cps e0005000.ps7-i2c: 400 kHz mmio e0005000 irq 80   

It should be possible to read the 2048 byte with : cat /sys/devices/amba.0/e0005000.ps7-i2c/i2c-1/1-0050/fram
or : cat /sys/devices/amba.0/e0004000.ps7-i2c/i2c-0/0-0050

-rw-------    1 root     root          2048 Feb 15 20:24 fram

However the kernel does probe the at24 driver for this, it crashes all the time when I do it. ??


 

Offline scottapotamas

  • Newbie
  • Posts: 3
  • Country: au
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #172 on: May 17, 2022, 03:04:04 pm »
I don't believe any of the following is particularly sensitive, but might be of use to someone. This is a small dump of publicly available info, and steps detailed in forums and blog posts around the MSO5k and so on...



As mentioned here: https://rigol.force.com/support/s/article/rsa3000-rsa3000e-and-rsa5000-alternative-factory-reset-and-firmware-upgrade

To reset to factory settings without using the System menu:

1) Power cycle the instrument,
2) During the boot sequence, quickly and repeatedly press the Back button directly below the keypad on the instrument.

To upgrade the firmware to factory settings without using the System menu:

1) Power cycle the instrument
2) Insert a flash drive into the front of the instrument with the latest firmware version loaded onto the root directory of the drive.
3) During the boot sequence, quickly and repeatedly press the Preset button in the upper right hand corner of the instrument.



Finding the hash as mentioned earlier in the thread can be done by peeking at a firmware file or dump from a unit as described earlier in the thread, then finding the normal linux rootfs/etc/passwd file.

1. Download the Rigol RSA firmware
2. Unzip rsa3000_FW_v2.zip
3. Tear the bundle apart
Code: [Select]
unzip rsa3000_FW_v2.zip
cd RSA5000\(ARM\)update_00.03.04.00.03/
tar -xvf rsa5000_updatefile.bin
gunzip *.gz

Code: [Select]
$ls
app.img  fw4linux.sh  fw4uboot.sh  jac_spu.bin  logo.bmp  rootfs.img  rsa5000_updatefile.bin  system.img  zynq.bit

Unlike the MSO5000 stuff, the images are CramFS, not UBI. This is where other users generally get stuck with app.img and rootfs.img.

4. not-so-secret cramfs extraction trick - seems like we're leaving this bit as a 'hurdle'...
5. Use hashcat to break the DES hash
Code: [Select]
hashcat -m 1500 -a 3 roothash.txt -o output.txt
6. SSH should be available for further poking...



There's no reason to flash a firmware update to get access to anything, assuming you have SSH access.

Quote
This assumes that a given software update hasn't changed the FPGA bitstream, any of the supporting files in `/mnt/app`, or any specific steps as part of `fw4linux.sh` and friends.

Use of this method is intended to test patched applications without reflashing hardware.

As /mnt/app is read-only without a flash, it's a bit tricky to modify the rsa5000 app, but their app-config script provides a reasonably easy option OOTB.

During the startup process it looks for a development style /mnt/user/user-config script. If it exists, it invokes it instead of the app.

I've been successfully loading modified versions of the main app from the writable section of flash by scp'ing the modified rsa5000 binary into the /mnt/user along with a modified version of their user-config script. Specifically, I check for a specific file I touched on the USB, and use this as a way to 'fallback' to my OEM app by removing the USB.

Code: [Select]
[ ... normal user-config template ... ]

echo "Running the custom user-config script"

# Find the path of the connected USB disk
# Looks for a file called rsa_run_userapp to run the modified rsa5000 application
USB_DISK=/mnt/user/media/$(ls /mnt/user/media)

cd /mnt/user/
/mnt/app/bin/plctrl spu reset
sleep 3

if [ -f /mnt/user/rsa5000 ]; then
    echo "User-specified rsa5 app exists..."

    if [ -f ${USB_DISK}/rsa_run_userapp ]; then
        echo "User usb-flag found. Running user's rsa5000 app"
        /mnt/user/rsa5000 &
        return 0
    fi
fi

echo "Running builtin app"
cd /mnt/app/
/mnt/app/rsa5000 &
return 1

This is useful for me because I've been working with Ghidra a bit.





Some information about i2c devices:

FRAM

There's Fujitsu MB85RC16 FRAM at  `/sys/class/i2c-adapter/i2c-0/0-0050/fram`

Code: [Select]
DRIVER=at24
OF_NAME=fram
OF_FULLNAME=/amba@0/ps7-i2c@e0004000/fram@50
OF_COMPATIBLE_0=mb85rc16
OF_COMPATIBLE_N=1
MODALIAS=i2c:mb85rc16

And also at `/sys/class/i2c-adapter/i2c-1/1-0050/` apparently?

I also struggled to access this from a shell.

RTC

There's a Renesas ISL1208 RTC at `/sys/class/i2c-adapter/i2c-0/0-006f/rtc`

Code: [Select]
[root@RSA5000:user]#cat /sys/class/i2c-adapter/i2c-0/0-006f/rtc/rtc0/time
19:34:22

Code: [Select]
[root@RSA5000:proc]#cat /proc/driver/rtc
rtc_time : 19:45:20
rtc_date : 2022-04-11
alrm_time : 00:00:00
alrm_date : 2022-04-12
alarm_IRQ : no
alrm_pending : no
update IRQ enabled : no
periodic IRQ enabled : no
periodic IRQ frequency : 1
max user IRQ frequency : 64
24hr : yes
status_reg : BAT (0x02)
batt_status : okay
digital_trim : 0 ppm
analog_trim : 12.50 pF
user_data : 0x0000

Touchscreen controller

SSD2543 touchscreen controller at `/sys/class/i2c-adapter/i2c-1/1-0048`
« Last Edit: May 17, 2022, 03:06:24 pm by scottapotamas »
 
The following users thanked this post: tonykara, drew23
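
The posts above (replies #170 and #172) note that the root account uses a DES crypt hash while the RSA5000 account uses SHA512. As an added example (not part of the thread or of Rigol's firmware), this is a check a firmware reviewer could run over an extracted etc/passwd or etc/shadow to flag accounts still on legacy hash schemes; the sample entries, UIDs, paths and hash strings are constructed placeholders.

```python
import re

# Modular-crypt prefix -> (scheme, considered weak for a network-reachable account)
MCF = {"1": ("md5crypt", True), "5": ("sha256crypt", False),
       "6": ("sha512crypt", False), "y": ("yescrypt", False),
       "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False)}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")     # traditional crypt(3): 2 salt + 11 hash chars
BSDI_RE = re.compile(r"_[./0-9A-Za-z]{19}")   # BSDi extended DES

def classify(field):
    """Return (scheme, weak) for the password field of a passwd/shadow entry."""
    if field == "":
        return ("empty", True)                # account has no password
    if field == "x":
        return ("shadowed", False)            # real hash lives in etc/shadow
    if field[0] in "!*":
        return ("locked", False)
    if field.startswith("$"):
        return MCF.get(field.split("$")[1], ("unknown", True))
    if DES_RE.fullmatch(field):
        return ("descrypt", True)             # 8-char password limit, 12-bit salt
    if BSDI_RE.fullmatch(field):
        return ("bsdicrypt", True)
    return ("unknown", True)

def audit(text):
    """Return [(user, scheme, weak)] for every entry in passwd/shadow-style text."""
    findings = []
    for line in text.splitlines():
        cols = line.strip().split(":")
        if len(cols) < 2 or cols[0].startswith("#"):
            continue
        findings.append((cols[0],) + classify(cols[1]))
    return findings

# Constructed sample: account names come from the thread, hash strings are
# placeholders with the right shape, not values taken from any firmware image.
SAMPLE = """\
root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh
RSA5000:$6$ExampleSalt$PlaceholderDigestNotARealHash:1000:1000::/home/RSA5000:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
"""

if __name__ == "__main__":
    for user, scheme, weak in audit(SAMPLE):
        print(f"{user:8} {scheme:12} {'WEAK' if weak else 'ok'}")
```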

Offline 龚平

  • Newbie
  • Posts: 4
  • Country: cn
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #173 on: June 23, 2022, 12:42:11 pm »
I do not know software system, but I have a RSA3030E, need to crack the option, can you help me
 

Offline 龚平

  • Newbie
  • Posts: 4
  • Country: cn
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #174 on: June 23, 2022, 12:57:35 pm »
RSA3030E HOW TO CRACK? Can you help me
 

