I don't believe any of the following is particularly sensitive, but might be of use to someone. This is a small dump of publicly available info, and steps detailed in forums and blog posts around the MSO5k and so on...
As mentioned here:
https://rigol.force.com/support/s/article/rsa3000-rsa3000e-and-rsa5000-alternative-factory-reset-and-firmware-upgrade

To reset to factory settings without using the System menu:
1) Power cycle the instrument,
2) During the boot sequence, quickly and repeatedly press the Back button directly below the keypad on the instrument.
To upgrade the firmware to factory settings without using the System menu:
1) Power cycle the instrument
2) Insert a flash drive into the front of the instrument with the latest firmware version loaded onto the root directory of the drive.
3) During the boot sequence, quickly and repeatedly press the Preset button in the upper right hand corner of the instrument.
Finding the hash as mentioned earlier in the thread can be done by peeking at a firmware file or dump from a unit as described earlier in the thread, then finding the normal Linux rootfs/etc/passwd file.
1. Download the Rigol RSA firmware
2. Unzip rsa3000_FW_v2.zip
3. Tear the bundle apart:

```
$ unzip rsa3000_FW_v2.zip
$ cd RSA5000\(ARM\)update_00.03.04.00.03/
$ tar -xvf rsa5000_updatefile.bin
$ gunzip *.gz
$ ls
app.img fw4linux.sh fw4uboot.sh jac_spu.bin logo.bmp rootfs.img rsa5000_updatefile.bin system.img zynq.bit
```
Unlike the MSO5000 stuff, the images are CramFS, not UBI. This is where other users generally get stuck with app.img and rootfs.img.
4. Not-so-secret cramfs extraction trick - seems like we're leaving this bit as a 'hurdle'...
5. Use hashcat to break the DES hash:

```
hashcat -m 1500 -a 3 roothash.txt -o output.txt
```
6. SSH should be available for further poking...
There's no reason to flash a firmware update to get access to anything, assuming you have SSH access.
This assumes that a given software update hasn't changed the FPGA bitstream, any of the supporting files in `/mnt/app`, or any specific steps as part of `fw4linux.sh` and friends.
Use of this method is intended to test patched applications without reflashing hardware.
As /mnt/app is read-only without a flash, it's a bit tricky to modify the rsa5000 app, but their app-config script provides a reasonably easy option OOTB.
During the startup process it looks for a development style /mnt/user/user-config script. If it exists, it invokes it instead of the app.
I've been successfully loading modified versions of the main app from the writable section of flash by scp'ing the modified rsa5000 binary into the /mnt/user along with a modified version of their user-config script. Specifically, I check for a specific file I touched on the USB, and use this as a way to 'fallback' to my OEM app by removing the USB.
[ ... normal user-config template ... ]

```sh
# This fragment is sourced by the stock app-config script at startup, so
# "return" hands control back to the caller rather than exiting the shell.
echo "Running the custom user-config script"

# Find the path of the connected USB disk.
# Assumes exactly one device is mounted under /mnt/user/media.
# Looks for a file called rsa_run_userapp to run the modified rsa5000 application.
USB_DISK=/mnt/user/media/$(ls /mnt/user/media)

cd /mnt/user/
# Reset the signal-processing unit before launching either app
/mnt/app/bin/plctrl spu reset
sleep 3

if [ -f /mnt/user/rsa5000 ]; then
    echo "User-specified rsa5 app exists..."
    # The USB flag file acts as the switch: remove the stick to fall back to the OEM app
    if [ -f "${USB_DISK}/rsa_run_userapp" ]; then
        echo "User usb-flag found. Running user's rsa5000 app"
        /mnt/user/rsa5000 &
        return 0
    fi
fi

echo "Running builtin app"
cd /mnt/app/
/mnt/app/rsa5000 &
return 1
```
This is useful for me because I've been working with Ghidra a bit.
Some information about i2c devices:
FRAM

There's Fujitsu MB85RC16 FRAM at `/sys/class/i2c-adapter/i2c-0/0-0050/fram`:

```
DRIVER=at24
OF_NAME=fram
OF_FULLNAME=/amba@0/ps7-i2c@e0004000/fram@50
OF_COMPATIBLE_0=mb85rc16
OF_COMPATIBLE_N=1
MODALIAS=i2c:mb85rc16
```
And also at `/sys/class/i2c-adapter/i2c-1/1-0050/` apparently?
I also struggled to access this from a shell.
RTC

There's a Renesas ISL1208 RTC at `/sys/class/i2c-adapter/i2c-0/0-006f/rtc`:

```
[root@RSA5000:user]# cat /sys/class/i2c-adapter/i2c-0/0-006f/rtc/rtc0/time
19:34:22
[root@RSA5000:proc]# cat /proc/driver/rtc
rtc_time : 19:45:20
rtc_date : 2022-04-11
alrm_time : 00:00:00
alrm_date : 2022-04-12
alarm_IRQ : no
alrm_pending : no
update IRQ enabled : no
periodic IRQ enabled : no
periodic IRQ frequency : 1
max user IRQ frequency : 64
24hr : yes
status_reg : BAT (0x02)
batt_status : okay
digital_trim : 0 ppm
analog_trim : 12.50 pF
user_data : 0x0000
```
Touchscreen controller

SSD2543 touchscreen controller at `/sys/class/i2c-adapter/i2c-1/1-0048`
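The post's passwd step is really a firmware-audit step: once rootfs.img is extracted, the question is which accounts still carry a traditional DES crypt hash (the 13-character form hashcat mode 1500 targets) or no password at all, and which of those can actually log in over the SSH service the post mentions. The script below is an added example, not code from the post or from Rigol; it classifies the password field of each /etc/passwd line by hash scheme and flags login-capable accounts with weak or empty hashes. The sample passwd lines are constructed for the demonstration and are not from any firmware image.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Traditional DES crypt: 13 characters from the crypt alphabet, no "$" prefix.
DES_CRYPT = re.compile(r"^[A-Za-z0-9./]{13}$")

# Modular-crypt prefixes and the scheme they identify.
MODULAR = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$y$": "yescrypt",
}
WEAK_SCHEMES = {"des-crypt", "md5crypt"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample: five accounts with different password-field states.
# The hash values are placeholders, not real credentials from any device.
SAMPLE_PASSWD = """\
root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
service:$6$constructedsalt$notarealhashvalue:100:100::/home/service:/bin/sh
dev::1000:1000::/home/dev:/bin/sh
"""


@dataclass
class Finding:
    user: str
    scheme: str
    risk: str
    shell: str

    @property
    def login_capable(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS


def classify_hash(field: str) -> tuple[str, str]:
    """Return (scheme, risk) for one /etc/passwd password field."""
    if field == "":
        return "empty", "critical"          # no password at all
    if field == "x":
        return "shadowed", "check-shadow"   # real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked", "ok"               # password login disabled
    for prefix, scheme in MODULAR.items():
        if field.startswith(prefix):
            return scheme, ("weak" if scheme in WEAK_SCHEMES else "ok")
    if DES_CRYPT.match(field):
        return "des-crypt", "weak"          # what hashcat -m 1500 attacks
    return "unknown", "review"


def audit_passwd(text: str) -> list[Finding]:
    """Parse passwd-format text and classify every account."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, _uid, _gid, _gecos, _home, shell = fields
        scheme, risk = classify_hash(pw)
        findings.append(Finding(user, scheme, risk, shell))
    return findings


def weak_logins(text: str) -> list[str]:
    """Accounts that can log in and have a weak or empty password hash."""
    return [
        f.user
        for f in audit_passwd(text)
        if f.login_capable and f.risk in {"weak", "critical"}
    ]


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        flag = "LOGIN" if f.login_capable else "nologin"
        print(f"{f.user:10} {f.scheme:12} {f.risk:13} {flag}")
    print("weak login-capable accounts:", weak_logins(SAMPLE_PASSWD))
```

Run it against the `etc/passwd` (and, if present, `etc/shadow`, which uses the same field layout for the hash) pulled out of an extracted rootfs.img; any account listed by `weak_logins` is one whose password the post's hashcat step would recover, which is the argument for rotating it to a sha512crypt or stronger hash and disabling password login for service accounts.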