Rigol MSO5000 Hacked, Features Unlocked

Rigol’s test gear has something of a history of being hacked. Years ago the DS1022C oscillocope was hacked to increase bandwidth, and more recently the DS1054Z was hacked to unlock licensed features. Now, it’s the MSO5000’s turn.

Over on the EEVBlog forums a group has been working on hacking another Rigol, the MSO5000, a 70 MHz oscilloscope which can be upgraded to 350 MHz via software licensing. Various other features including a two channel, 25 MHz arbitrary waveform generator are also built-in, but locked out unless a license key is purchased. The group have managed to enable all the locked options without license keys.

The hack is quite simple. The Linux system running on the scope has a default root password of, you guessed it, “root”. After logging in over SSH with these credentials, the user just needs to modify the startup file to add the “-fullopt” flag to the “appEntry” application. This starts the application in a fully unlocked state, which gives access to all the features.

The MSO5000 costs about $1000, and the bandwidth option alone adds over $3000 to the price. If you’re willing to risk your warranty, and you have the skills to edit a file with vi, this hack provides a serious upgrade for free.

If you have a DS1022C you’ll find our reporting on its hack here, and likewise DS1054Z owners will find theirs here.

Header image: EEVBlog.

102 thoughts on “Rigol MSO5000 Hacked, Features Unlocked

  1. A few years back when I turned 50, my wife asked what I wanted for my big birthday. I said get me the DS1104 (100MHz, 4 channels). It set her back $850 or so.

    It burns my britches that at $850 I don’t even get the option to decode serial data into a readable stream. Yet I could have spent half as much and had all the bandwidth and all the features if I was willing to hack a cheaper model.

      1. @5:28 One of the frustrations with this scope… The encoders don’t work properly.
        I have the same with my DS1052E After about a year, and the scope being used for <100hours the rotary encoders started giving erroneous results.
        Very annoying if you want to decrease the timebase and it gets increased instead.
        This seems to be a petty common problem with several different Rigol scopes.

        Please do not use an USD14 "Saleae Logic Clone".
        Use an USD 4 cy7C68013a development board instead:
        These work with 16 channels in Sigrok / Pulseview, but they lack any input protection.
        8 channels with input protection and a box costs around USD7

        1. Open it and clean the encoders with isopropyl or similar spray, they are electrical contact not optical. Mine’s been good for over 2 years now, suspect grease put in at build time attacks dirt.

      1. Luxury. We used to have to use unset noclobber ; cat > filename and ^D when we were done. None of your fancy editing malarkey. Not even a copy and paste, or a backup of the file, everything had to be typed right first time from memory. We used to dream of having a ^U.
        But you try and tell the young people today that… and they won’t believe ya’.

  2. ” Various other features including a two channel, 25 MHz arbitrary waveform generator are also built-in, but locked out unless a license key is purchased. The group have managed to enable all the locked options without license keys.”

    Fruitful discussion alone on the business model, and workarounds.

  3. My hunch is that the hackability is a marketing thing to get into the professional market. The low-end models get bought and used by employees for personal use. They hack it and love Rigol for it. Next they bring this Rigol-vibe over to the workplace, influencing purchasing decisions. The smaller shops might still hack them as well, but the sufficiently large companies won’t risk using hacked tooling and pay for the licenses. Mission accomplished.

      1. My assertion is that reputable places will not hack their equipment because they depend on it to be reliable. It’s quite possible the smaller bandwidth scopes that can be hacked to more bandwidth failed testing at that level but passed at the lower level. You have to be able to depend on your bench equipment and it’s not worth hacking it if you’re basing your business around it.

          1. There might be a catch though. Even though the scope seems to be working nominally, what says they didn’t add some fudge factor that distorts the readings without a proper license being present?

            On the ethics point of view, this is just rent-seeking: demanding a ransom for artificially restricting access to something that already exists without further cost; like pulling a chain across a river, or putting a coin operated lock on a private bathroom – charging the owner of the bathroom more for it.

            If on the other hand they’re “subsidizing” the cheaper units with the sales of the more expensive units, then that’s predatory pricing – selling below your cost in the long term and not as a part of temporary promotion campaign is generally a no-no in terms of anti-trust law.

          2. @ Luke
            You do love your “rent seeking”.

            From an ethics and economics standpoint one is getting what one has agreed to. That’s what commerce is, an agreement between two parties on terms which they perceive to be to their own benefit for an exchange. Rigol is selling a particular model with particular qualities spelled out at a particular price. Customers says “I want that” and exchanges money. Anything more than what was originally agreed upon necessitates more money exchanging hands. That’s the business model. The “quandary” for some is the perception that since it’s all already there because…technology, it’s already theirs (ownership). And as DRM failures have already illustrated anything in the public’s hands is in danger of compromise. Rigol is basically betting that the number of honest customers outnumber enough the dishonest ones they can stay in business, and with hardware (especially specialized) they might succeed.

          3. Agree with @Ostacus.

            @Luke you argument assumes you have paid for the full value the scope can deliver. The truth is the low end version is a “loss leader” and sold below a profitable level. The money that funds an ongoing business and R&D is from the money paid for the higher value features. You notion invalidates everything that is done by everyone from Quickbooks to GE.

          1. Meh, not all Chinese companies are trying to con you. Rigol is reputable and respected. You can expect them to cut some corners to optimize costs because they mostly focus on the lower end market, but you can generally rely on their gear to be well made where it matters and deliver on its advertised specs.

    1. Given that this continues to be a repeat thing, I’d agree. Same thing you see with lots of enterprise software vendors providing free versions that may be somewhat feature-limited or licensed for “non production use” only so that people can use them at home all they want legally, and bring the familiarity / preference for a known toolset into the office.

      1. It’s funny how many people forget this is EXACTLY what Microsoft did with windows, and office.

        Getting it bundled on PC’s provided to schools, and those at retail through the 90’s ensured that ‘everyone’ going into the workplace had experience of a windows PC, and knew what to expect when placed in front of one.

        It’s a well known tactic, and it works very well. And to be fair if the equipment works to spec (which it appears to do so) then well done them (unlike windows, which seems to rewrite it’s own spec as it goes along).

          1. Like Raspberry Pi Foundation? Well, not the same I guess. RPi was the next level. Pretend you are making them for schools, then use non-profit status and subsidy from Broadcom to lowball pricing and wipe out hundreds of small Embedded system makers. Maybe thousands.

      2. Autodesk Fusion 360 is available for free with all features enabled as long as you don’t earn more than $100k per year. The only limit it has is their testing and AI based design optimizations that are paid with gold/coins/points like in some freemium MMO. And they hold your files hostage, just in case…

        In late 00’s or early 10’s in Poland there was massive action to check software used by companies. Turned out that
        ~70% of computers had illegal software, including Windows and Office, but also some absurdly expensive software. Even some state-own companies used pirated software. Fortunately for many companies they were given some fines, and weren’t disclosed to the corporations that make that software…

        1. I stopped using any Microsoft product illegally years ago.
          I decided there was no way I was going to let them have a legal recourse to get even more money from me.
          (I still have a couple of machines that dual boot to Windows7, but most of my home time PC use is Linux.)

      3. I really feel like it’s effective, I use fusion 360, and I wanted to open my mind by using other parametric modellers, I used OnShape too, but I couldn’t access any of the famous ones for a reasonable price.

    2. Same idea with regards to giving students “limited” educational only licenses for free or almost free. That do the same things as the full version but maybe have some watermark on it or something similar. So they learn the software then get locked into it. Not as bad as “cloud only” software though in my opinion but it really makes for a much larger number of competent users of your software when you do that.

      ???????????????? ???????????? ???????????? ???????????????? ???????????????? ???????????????????????????????????? ???????????????????? ???????????? ????????????????????????????????????????.

      1. At our work, we have a bunch of Rigol scopes for general use. They are cheap enough that we have like 6 of them. And then we have 1 expensive Agilent if you really need the detail/features.

        1. Same here. I work voluntarily in the lab of my local University and I REALLY like the abundance of cheap lab equipment. When I was there as a student thirty jears ago, fifteen to twenty people had to gather around the ten inch screen of the one and only available HP storage ‘scope.

      2. We build space-going PCBs to feed ourselves. We switched over to Rigol MSOs after 1. all the new engineers kept raving about them and 2. did some testing to confirm that they were functionally equivalent. Infact, this saved so much money they bought each of us a scope each.

  4. After what they saw happen with the DS1054Z, it seems pretty clear that Rigol either doesn’t care that people are unlocking the premium features (since you still end up buying something from them), or else they just consider it free advertising.

    Either way the users win, and it’s hard to complain about that.

      1. Anecdotally, I know 4 or 5 people who own a DS1054Z for personal use and every single one of them has it “hacked” (it’s not really a hack, it’s just a keygen). It’s not a typical consumer product, most people who would buy a bench oscilloscope for personal use are probably savvy enough to do the [entirely trivial] hack. Similarly, I suspect that most people who would be looking to buy a budget oscilloscope are probably the type who would do a decent bit of research beforehand and are looking for maximum value, which is a combination that is going to lead you very quickly to info on Rigol scopes being easily unlockable.

      2. I personally know no one in (private) possession of an un-hacked Rigol scope or an un-hacked Flir E4. I also see absolutely no reason not to do it.
        Except strictly commercial use of the product.
        If I make money with a tool/software or whatever its a question of honour for me to pay for it proper.

      1. Only to the degree that one gains a benefit, by not engaging in the usual exchange of money for it. The fact that the benefit is already there is what complicates it in people’s eyes.

        1. It’s also so in the case of the game.

          Like a book, once written, doesn’t need to be written again – the benefit then exists without further work. What complicates it is the idea that making a copy of that book is somehow producing more value than what already exists, and thereby one should pay something more than the cost of the paper or digital bits for it.

          If one argues that the value is in the access to that book, then one is arguing for rent-seeking. Restricting access to existing resources does not make them more valuable, it only reduces their value by removing access and then charging money to restore it. It’s a waste of effort and a parasitic practice for a living.

          1. Copying does produce value it’s why people engage in it. It’s called mass production and it lowers the costs enough so everyone can afford one. There’s also the ideas of “market will bear” and profit, so market price is only loosely related to what it costs to make. Far as value in controlled access? Happens all the time. Anyone who’s accessed LexisNexis knows that.

          2. It is not a “resource”. It is someone else’s life’s work. You think a couple years work and the education behind it is paid for by one mass market book? Can you afford books if they are one-off? Maybe half a million each?

          3. Kinda late to the party but. The thing is that sales cover the cost of writing the book. If you only sold the book once it would have to cost a ton of money for that 1 copy. So who is to decide at which point the book has been sold often enough to where now it should be free? Writing a book is an investment. Some investments pay better than others and you never know how well a book will sell before hand. It is the same with the scope.

            The features you are unlocking are software licenses. You are purchasing software just as you would on a computer. Logic analyzers from china are cheap as hell because the software is where the real cost comes in. By selling you software for your scope to use it as an analyzer they are saving you the money on buying another HW device.

  5. “If you’re willing to risk your warranty, and you have the skills to edit a file with vi, this hack provides a serious upgrade for free.”

    I wonder if it will let you “touch -m -d” the file back to it’s original lastmod time. If so then I bet they would never even know if you did this, then put it back before returning it for servicing.

  6. The same hack works on the MSO7000 which takes you to 500Mhz.

    There are rumours ( unconfirmed ) that the 5000 can be further hacked to run at 1Ghz, by setting some other options. There are references to MSO8000/9000 in the code base.

  7. I’m surprised Dave Jones allows all these hacking topics (Rigol, Siglent, …) on his forum. I mean it’s great you can get more value out of your device and as long as it is for personal use i don’t see any problem, but law probably has another opinion… So Thank You to Dave Jones and the community!

    1. And yet Dave’s advertising relationship with Rigol is unscathed. It’s almost as if they were doing it on purpose. How careless would they have to be to use root/root?

      Rigol is using this hack as an unofficial feature upgrade that they can offer to the price-sensitive consumers, while preventing businesses from doing the same. It’s like the borderline-legal version of giving student discounts.

      It’s actually Econ 101 material. Ideally (for Rigol) they would be able to figure out exactly how much each potential customer is willing to pay, and charge them that amount, as long as it’s above their costs. When they set a single price, they’re trying to guess how many people will buy it at that price and maximize the take. By setting two prices, they get more sales at the lower price without cannibalizing the sales to customers with a higher willingness to pay. It’s revenue/profit maximization.

      If you’re willing to “break the law” for the features, then you are probably not in the higher-willingness-to-pay category. This puts people who do the hack in a sketchy legal position, though, which is kind of a bummer. I wish they’d just make the entire featureset available to students/hackers, but then there’s the burden of proof thing…

      Which is all to say, I don’t think they’ll go after anyone. They’re doing it on purpose.

      1. Its hard to even say if this is a hack or a feature. There is nothing in the user-manual about it, but then there is nothing saying that you can do it either. root:root was not a guess. The firmware gel file was obtained and the the passwd file opened. It of course only contains password hashes. The password was NOT reverse engineered from the hash, however, putting the hash into google showed up lots of indentical hashes, one of which happened to be a Xilinx tutorial, which said the password was root. ( the 5000/7000 run linux on a Xilinx Zync FPGA ). Password learned in about 3 minutes with no special tools.

  8. It’s a sad day when hackaday encourages theft and piracy. Higher end scopes also ship with full ram and higher frequencies that are also unlocked via paying a license to unlock these features. Is it ok to hack Aligent and Keysight scopes too? FFS people pay for your tools. If you want people to continue to make easy to use tools, pay for it. Otherwise they will add even more intrusive copy protection than will make using these things really crappy.

        1. DRM isn’t a one way street. It’s a contract between two parties. So, the question really is,”…was this action expressly forbidden in any EULA?” Ethics don’t really enter into the arrangement, because the arrangement of the contract simply put is, “That which is not forbidden, is permitted…” Its important to remember that it was the sellers that wanted this arrangement, because it generally benefits them. I’m not stating positively that this action wasn’t detailed in the EULA, merely that this is not the same as piracy if it wasn’t. A company that enters into the DRM game doesn’t get to call mulligan if it screws up its own EULA, and it for sure doesn’t deserve any goodwill from the consumer in the interpretation of the EULA.

          Now, I personally find the DRM model to be odious. I think that at some point in the future DRM might fall into legal issues of it’s own. Theres a lot of businesses out there doing some down right creepy things to consumers that border on predatory acts. The creeps that engage in this sort of thing usually send an armada of legal threats to intimidate people but at some point someone is actually going to dig in their heels and fight back against some of the more predatory practices like changes to the EULA after the point of sale.

      1. Lol although I support this method since I am a broke student, but your analogy isn’t right, it’s like saying fruits are free! you just have to know how to take them without the farmer sees you.

      1. Mike absolutely. Your not copying it, your not selling it. you own it. I did’tn sign a contract, i just paid for it.

        Might be a different question if i was buying cheap ones, and on selling them at high end prices. But not sure about that either to be certain.

        1. The exchange of value for the agreed price for the agreed product IS the contract.

          I guess this is the hacker versus non-hacker audience. Basic ethics and the nature of contracts and agreements is upside-down and inside-out for a good portion of the HaD readership. How has this come to be? How do you expect people to ever trust you?

  9. Is no one but me seeing the potential for a openscope here? it worked great for dd-wrt routers model, adding new features & driving innovation and understanding. On the hack/crack side is it no different than downloading the home/demo version of software and patching it to ignore licence check , yes you own the hardware but does your software licence agreement cover that in terms of the software (dont have one so dont know) , i would rather see a rigol sdk and homebrew support than cracking the software. If we were talking Apple then i would say hack away :-)

    1. The main barrier to attempting this: it would be a whole lot of work to get to the point where you have feature parity with the stock firmware. And unless you can envision new features to implement, there’s nothing to really be gained.

  10. Seems that the next ‘batch’ of Scopes that are shipping are having firmware updates applied to them and the root:root password no longer works. Rigol has struck back, but with 3 hours of that firmware being identifyed it seems that this change has been circumvented.

    1. The ‘changed’ password was obtained, as its possible to get to the console via the serial port, and extract the passwd file. It was then a matter of just reversing it out using hashcat.

      The new root password is ‘Rigol201’

      20 minutes with hashcat on a radeon hd7900 -> Rigol201 :-DD

      for those interested. researching this took longer then 20mins ;-) linux seems to use DES by default for encrypting passwords. 13 chars and no $-signs point to using that default. i copied the hash part into a file (rigol.hash) and here’s the command i used for hashcat:
      Code: [Select]
      hashcat64.exe -a 3 -m 1500 rigol.hash

  11. I have a DS1054Z and I found a web site you could plug in the serial and get the codes. I copied the content of the web site to a local directory on my machine that way if a take down comes about I have the source code on my computer.

  12. It’s a Rigol scope. Would anyone seriously pay the top end for one? The 7000 series I played with had so many flaws and bugs that it was simply unconsiderable for purchase as a tool to rely on. The 5000 is likely to be the same, so even though they may sell lots of base models how much extra revenue will they make from the add ons. Just think for zero cost if they enabled all features how many more scopes they would sell. Even if they needed to hike the price by a few hundred dollars, I wonder if that’s even been considered.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.