Hacking the Rigol MSO5000 series oscilloscopes

[tv84]

So if someone can get such a dump (from the lucky ones having the real device already on their benches), it will inform my analysis. I know this information is rather fragmented and incomplete, but I'm still putting the pieces together and have more juicy bits for future posts.

Attached is the contents of the 256 kB  file env.bin. (It starts with a CRC32, the file attached, and the rest is 0x00...)

What would be interesting to know, is if the AES_KEY is the same for all machines, or if each one is unique.

It's the same since it's embedded in the cfger app. You can see the decrypted_scripts of the DS7000 using the same key in my updated DS7000 msg.


BTW, interesting that the memdump contains these references:

200MHz to 350MHz Bandwidth Upgrade Option
200MHz to 500MHz Bandwidth Upgrade Option
350MHz to 500MHz Bandwidth Upgrade Option
600MHz to 1GHz Bandwidth Upgrade Option
600MHz to 2GHz Bandwidth Upgrade Option
1GHz to 2GHz Bandwidth Upgrade Option

[mrpackethead]

I received an unsolicted Private message last night.  It was from a user with NO posts, and just registered yesterday.   I'm sure they are reading the thread.   Their github profile suggests they are in China. but who knows.    I checked the github repo, and i coud'nt find anything relevent.. Anyone else get this message.



Hello, I have cracked the MSO5074 into 350MHz model version, and I will publish it to my github (http://github.com/__deleted__) until all option unlocked. But I did a wrong thing: I erased my scope's option FRAM. So If you have buy a MSO5074, I can upgrade it's bandwidth, and I want a FRAM dump from your scope to reverse the option part for this scope. Thanks!

You can contact me by this mail:  deleted@gmail.com

[maginnovision]

I received an unsolicted Private message last night.  It was from a user with NO posts, and just registered yesterday.   I'm sure they are reading the thread.   Their github profile suggests they are in China. but who knows.    I checked the github repo, and i coud'nt find anything relevent.. Anyone else get this message.



Hello, I have cracked the MSO5074 into 350MHz model version, and I will publish it to my github (http://github.com/__deleted__) until all option unlocked. But I did a wrong thing: I erased my scope's option FRAM. So If you have buy a MSO5074, I can upgrade it's bandwidth, and I want a FRAM dump from your scope to reverse the option part for this scope. Thanks!

You can contact me by this mail:  deleted@gmail.com

Did you contact him? Did the github have anything relevant?

[mrpackethead]

The GitHub repo, didtn appear to have anything relevant in it, no and no i've not contacted him. 

[Carrington]

LOL ... What a funny and weird situation. 

[mrpackethead]

A unconfirmed claim of of the MSO5000 has been made by a chinese student.   

"Well, I have patched the firmware, let it jump out license verify produce. But I can't make it public until next year March. Because Rigol sold out about less than 300 units now.

In fact I'm working on my friend's scope and I havent ordered yet (lack of money...Im just a ungraduated). I m wonder if I make it public prematurely, maybe they will fix it and it can't be cracked anymore.

Btw, there's no keygen for 5000 series oscilloscope because it cant be realize. The only way to crack it is to patch firmware.

The detail of crack this scope I will
publish it to my github when my scope is successfully cracked."

Sadly he does not want to provide the info, I think he is worried that Rigol will patch the issue before he has collected enough money to buy his own.      If he was able to crack it, i'm sure that others will be able to do it as well, pretty quickly.   if he wants the 'claim to fame' of being the guy who cracked it, he will need to publish it before anyone else does i guess.   though it seems he just wants the 350Mhz scope for the 70Mhz price.

[EEVblog]

I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

[BravoV]

I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

I guess this mark the beginning of gigantic pages ahead for this thread. 

[Fungus]

I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

Rigol is now one firmware update away from completely owning the non-pro 'scope market? 

[maginnovision]

I just got an email from someone (who is not anonymous) that claims to have cracked the scope and is seeing performance up to 1GHz after setting the front end chip to 4GHz bandwidth.

If they aren't anonymous who was it? Or are they planning on sharing later?

[mrpackethead]

The problem with claims is that they are just claims untill there is something to substainate them.

[JPortici]

so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?

[Fungus]

The problem with claims is that they are just claims untill there is something to substainate them.

From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?

[TheSteve]

If the scopes can do 1 GHz and are reasonably flat I'd consider adding a 50 ohm termination internally on one channel. It would be permanently 50 ohms but could perform well. Pretty easy to power an HP 1152a active probe externally.

[tautech]

so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?

Quite possibly, we've seen this happen before. 

[Monkeh]

Im quite suprized.  They certainly dont' seem to have made too much effort 'so far' to secure things.

Why are you surprised? According to Dave a lot of functionality needs at least some attention. Securing things usually is last on the list. Get the product out first. Rigol can always choose to plug holes in later firmware releases if necessary.

Which is a bass ackwards way of developing and shipping an appliance with a network connection no matter how you look at it.

so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?

Quite possibly, we've seen this happen before. 

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?

[tautech]

so does this mean that we're going to have another big wave of scopes with shitty hardware design choices (such as the 2mV/div and 1mV/div which are zoomed 8 bit data) and shitty software design choices (such as how decoding is displayed) where no complaints are allowed because shut up they're cheap and hackable?

Quite possibly, we've seen this happen before. 

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?

Ok so you missed the member being banned for daring to question the capabilities of the forums favorite DSO.
Go have a look in the Supporters lounge for links that can point you to those events.

[FireBird]

Gentlemen, please discuss this in the generic MSO5000 thread.

[mrpackethead]

Gentlemen, please discuss this in the generic MSO5000 thread.

And leave moderation to the moderators.. Thats their job.

[mrpackethead]

The problem with claims is that they are just claims untill there is something to substainate them.

From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?

But we have not 'seen' anything other than claims. 

[nctnico]

The problem with claims is that they are just claims untill there is something to substainate them.

From what we've seen so far it doesn't look like it will be difficult for somebody who really knows the Xilinx system.

OTOH if it can be unlocked to 1GHz then Rigol has a real problem on its hands: How on earth are they going to manufacture enough of them?

Even at a low price having 1GHz of bandwidth without real 50 Ohm inputs is going to be a problem. Then again the same hack may work on the MSO7000.

[Mr. Scram]

Which is a bass ackwards way of developing and shipping an appliance with a network connection no matter how you look at it.

And the next big Siglent release will probably come with a buttload of shilling and aggressive forum posts from people with a financial stake in their sales, what's new?

It's always the same people singing the same song, isn't it? 

[Carrington]

Obviously I'm not going to say who they are ...

I wonder if Banksy has anything to do with all this. 

[maginnovision]

We actually plan to release it after the RIGOL fix their bugs...

I can not believe you're refusing to release the hack method.

[mrpackethead]

Screen shots are one thing.  However untill a method is published and is verified independently it's unconfirmed.   The first party to publish it, will be able to 'claim' it.. It seems there are several parties all claiming to have done it so far.   I would guess its only going to be a matter of days before the first hacks are published.