Author Topic: New Rigol RSA5000 Real Time Spectrum Analyser  (Read 56161 times)

Offline IRB

  • Regular Contributor
  • *
  • Posts: 51
  • Country: us
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #200 on: June 27, 2023, 11:57:04 am »
Quote from: Frex
Hello IRB,

Thank you for your feedback.

As I understand, you don't use an Ethernet link but the USB. Right?

On my side, on the web control page in browser I'm able to use "print screen" button
of the web interface.
Anyway, I'm not able to take control of analyzer by clicking on screen in web browser.
There is always a message on bottom of screen "RESPONSE:NULL".

Are you able to control the RSA with your mouse in the web browser?
Regards.

Frex


Normally I only use the USB. To try to help I connected the Ethernet, too.

I set up the TCP with a fixed IP to do the testing I noted in the message above, sorry if I wasn't clear.
Yes, I used the web browser called Chrome, and the mouse not the keyboard.

My unit did not go into RMT until I communicated over the USB.

I was able to send the save screen to the USB drive, I thought that was what you were asking for help with...
 
When using the web browser, my program can not get the screen image, the port is in use by the browser. And vice versa, one has to release the port for the other to run.  I was successful at using my program to get the screen image, I ran my program and connected to the Rigol then I opened the browser, and both are working together.

OK, in the browser I clicked the gears at the top edge of the screen, there you can lock the Keypad and the Touch Screen.
HOWEVER, when I locked the touch screen the browser mouse functions had no effect on the analyzer.
Also with the keypad locked and the touch screen locked, I had to use the keypad to unlock the keypad first then to unlock the touch screen.

I hope this helps.

I did notice that the "CONNECTED" switches to "NULL" after I click on an option, then after it completes the command it returns to "CONNECTED".
« Last Edit: June 27, 2023, 12:26:39 pm by IRB »
 

Offline IRB

  • Regular Contributor
  • *
  • Posts: 51
  • Country: us
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #201 on: June 27, 2023, 12:53:38 pm »
Frex,

Just a thought .. if you connect the USB, it will put the unit in RMT mode. Then close the program and use the Web Browser.
 

Offline dmz56

  • Newbie
  • Posts: 7
  • Country: pl
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #202 on: April 08, 2024, 03:40:02 pm »
I want to thank all that have posted here the various ways to hack the RSA.  I want to add my way of enabling all the options on an RSA5000/3000 that I ran into in Ghidra:
NOTE: this only works on RSA5000 or RSA3000 series with firmware 3.06.  No other firmware or hardware (such as RSA3000E) is supported.

  • Ensure you're on firmware 3.06.  You can get it from RigolNA site under the RSA model page. (The support page still lists 3.05) On this firmware FTP is enabled, but SSH is disabled.  The root password is "jackalde"
  • ftp to the RSA, download "/mnt/data/license.lic" and store it in a safe place
  • upload the user-config script to /mnt/user/user-config that starts sshd and will start the patched app:
Code:
#!/bin/sh

echo "Running the custom user-config script"

# Start SSH
/usr/sbin/sshd &

# Find the path of the connected USB disk
# Looks for a file called rsa_run_userapp to run the modified rsa5000 application
USB_DISK=/mnt/user/media/$(ls /mnt/user/media)

cd /mnt/user/
/mnt/app/bin/plctrl spu reset
sleep 3

if [ -f /mnt/user/rsa5000 ]; then
    echo "User-specified rsa5 app exists..."

    if [ -f ${USB_DISK}/rsa_run_stock ]; then
        echo "Stock usb-flag found. Running built-in app"
        cd /mnt/app/
        /mnt/app/rsa5000 &
        return 0
    fi
    echo "Stock usb-flag not found. Running user's rsa5000 app"
    /mnt/user/rsa5000 &
    return 0
fi

echo "Running built-in app"
cd /mnt/app/
/mnt/app/rsa5000 &
return 0
  • Make sure to set the execute bits 0755 once the file is uploaded
  • Restart the RSA and SSH to the box
  • Type the following commands to create a patched app in the user directory
Code:
cp -f /mnt/app/rsa5000 /mnt/user
cd /mnt/user
echo -n -e '\xEA' > 3.06.patch
dd if=3.06.patch of=rsa5000 obs=1 seek=3647727 conv=notrunc
rm 3.06.patch
sync
  • Reboot the RSA and make sure everything still works when running the patched app
  • SSH to the RSA and rename your original license file:
Code:
cd /mnt/data/
mv license.lic license.bak
sync
  • Upload the following license.lic file to /mnt/data/license.lic
Code:
VERSION=1.0;OPTION=VNA;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
VERSION=1.0;OPTION=PA;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
VERSION=1.0;OPTION=AMK;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
VERSION=1.0;OPTION=B40;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
VERSION=1.0;OPTION=EMI;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
VERSION=1.0;OPTION=EMC;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
VERSION=1.0;OPTION=BW1;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
VERSION=1.0;OPTION=B25;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
VERSION=1.0;OPTION=VSA;LICENSE=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  • Reboot the RSA and check your options
NOTE: if you mess things up (for example by doing a factory reset which will erase your user directory data including the patched app and user-config script) and the app doesn't start (you see the boot progress bar being stuck towards the end for more than 2 min) do not panic.  During boot, the RSA has a hard coded ip address of 192.168.1.10 and FTP still works.  So if you did a factory reset, ftp to that address and restore your license file from the backup you made.
« Last Edit: April 08, 2024, 03:42:17 pm by dmz56 »
 
The following users thanked this post: eeX86, flamin1q
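
Added example, not part of dmz56's post and not Rigol tooling: for anyone who maintains, calibrates or buys one of these analyzers second-hand, a shell audit of an offline copy of the unit's /mnt tree that reports the three changes the guide above leaves behind (a user-config hook, a user copy of rsa5000 that differs from the stock app, and license entries with all-zero keys). The copy layout (<root>/app, <root>/user, <root>/data), the function names and the sample files are assumptions constructed for the example.

```sh
# Audit an offline copy of an analyzer's /mnt tree. Assumed layout:
# <root>/app, <root>/user, <root>/data (copies of the paths in the post).

# Print each license option whose key consists only of zeros.
zero_key_options() {
    tr -d '\r' < "$1" | awk -F';' '{
        opt = ""; key = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^OPTION=/)  opt = substr($i, 8)
            if ($i ~ /^LICENSE=/) key = substr($i, 9)
        }
        if (opt != "" && key ~ /^0+$/) print opt
    }'
}

# Number of byte positions that differ between two files (0 = identical).
diff_byte_count() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Print one finding per line for a copied tree rooted at $1.
audit_tree() {
    root=$1
    if [ -f "$root/user/user-config" ]; then
        echo "HOOK: user/user-config present"
    fi
    if [ -f "$root/user/rsa5000" ] && [ -f "$root/app/rsa5000" ]; then
        n=$(diff_byte_count "$root/app/rsa5000" "$root/user/rsa5000")
        if [ "$n" -gt 0 ]; then
            echo "APP: user/rsa5000 differs from stock in $n byte(s)"
        fi
    fi
    if [ -f "$root/data/license.lic" ]; then
        for o in $(zero_key_options "$root/data/license.lic"); do
            echo "LICENSE: option $o has an all-zero key"
        done
    fi
}

# Constructed sample tree (not real firmware or license data).
make_sample() {
    d=$(mktemp -d) && mkdir "$d/app" "$d/user" "$d/data" || return 1
    printf 'HEAD\001TAIL' > "$d/app/rsa5000"
    printf 'HEAD\352TAIL' > "$d/user/rsa5000"
    : > "$d/user/user-config"
    printf 'VERSION=1.0;OPTION=%s;LICENSE=%s\n' VNA 00000000 EMI 1A2B3C4D > "$d/data/license.lic"
    echo "$d"
}

t=$(make_sample) && audit_tree "$t"; rm -rf "$t"
```

A clean tree prints nothing; each printed line is one finding to follow up before the instrument's option list is trusted.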

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1716
  • Country: pt
    • VMA's Satellite Blog
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #203 on: April 08, 2024, 03:49:30 pm »
Great work!  :-+

Offline eeX86

  • Newbie
  • Posts: 2
  • Country: pl
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #204 on: April 10, 2024, 03:26:41 pm »
Thanks dmz56 for this great guide.

Does this also patch the model type or the maximum frequency capabilities? (going from 1.5 to 4.5GHz)

I was wondering how to view and change the internal FRAM that contains the model.
The kernel driver was always hanging when accessing the device file from the ssh.  |O

Did you ever try this out?

Thanks 
 

Offline dmz56

  • Newbie
  • Posts: 7
  • Country: pl
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #205 on: April 10, 2024, 07:40:27 pm »
Quote from: eeX86
Thanks dmz56 for this great guide.

Does this also patch the model type or the maximum frequency capabilities? (going from 1.5 to 4.5GHz)

I was wondering how to view and change the internal FRAM that contains the model.
The kernel driver was always hanging when accessing the device file from the ssh.  |O

Did you ever try this out?

Thanks

Unfortunately that's beyond my capabilities.  I did notice that there is functionality in the app to update the model number as well as the serial number into FRAM, so most likely there is an SCPI secret command perhaps even with a secret USB stick trick that would do that, but I wasn't able to figure it out.
« Last Edit: April 10, 2024, 07:45:34 pm by dmz56 »
 

Offline dmz56

  • Newbie
  • Posts: 7
  • Country: pl
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #206 on: April 10, 2024, 07:41:56 pm »
One other quick note - if you access FRAM and pipe the output to a USB stick it will NOT hang the kernel, but will give you an empty file.  Thanks.
 

Offline dmz56

  • Newbie
  • Posts: 7
  • Country: pl
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #207 on: April 10, 2024, 09:51:05 pm »
So there is a MODel? for querying and a MODel for updating SCPI commands.  No idea on the full SCPI path of those commands or what magic is required to invoke them.
 

Offline flamin1q

  • Newbie
  • Posts: 2
  • Country: nl
Re: New Rigol RSA5000 Real Time Spectrum Analyser
« Reply #208 on: May 01, 2024, 07:41:43 am »
Your guide works perfectly! Thank you so much man! <3
 