Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1825212 times)


Offline true

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #650 on: July 25, 2013, 01:07:22 am »
I have tried all options and permutations of LLLLLLL DSAx / VSAx with one+power cycle, two with uninstall in-between+power cycle, both with no uninstall+power cycle and no matter what, I still have 2202. So this does not appear to be a way to change the reported model back (and remove 2ns option added with 2202), only possibly setting the bits and moving it forward.
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 993
Re: Sniffing the Rigol's internal I2C bus
« Reply #651 on: July 25, 2013, 01:36:08 am »
Quote
I've sent you PM

I replied to this message with the information you need
 

Offline bmwnomad

  • Contributor
  • Posts: 22
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #652 on: July 25, 2013, 01:44:30 am »
I should have caught that, feel like an idiot, thanks! Fixed version attached.

EDIT: I shouldn't do this when tired. To the 3 who downloaded, please re-download, it was still bugged :(

I think it's still bugged, the code I generate with this version doesn't match the very first version. The first version code (brute-forced, no checks, etc.) worked fine on my 2072, I'm just keeping my keygen up to date.

BTW, using Cygwin, so if something broke from the first version to this version and it's caused by Cygwin, my apologies.
 

Offline synapsis

  • Regular Contributor
  • *
  • Posts: 140
  • Country: us
    • Blackcow
Re: Sniffing the Rigol's internal I2C bus
« Reply #653 on: July 25, 2013, 02:00:26 am »
Does the Windows version work for you?
 

Offline bleckers

  • Contributor
  • Posts: 35
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #654 on: July 25, 2013, 02:07:06 am »
Quote
I should have caught that, feel like an idiot, thanks! Fixed version attached.

EDIT: I shouldn't do this when tired. To the 3 who downloaded, please re-download, it was still bugged :(

I think it's still bugged, the code I generate with this version doesn't match the very first version.

The current version should just be randomising/changing the seed so you will indeed get different codes on this version. Nothing to be alarmed at, it will still activate correctly.
 

Offline jonese

  • Contributor
  • Posts: 26
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #655 on: July 25, 2013, 02:12:42 am »
Quote
I have tried all options and permutations of LLLLLLL DSAx / VSAx with one+power cycle, two with uninstall in-between+power cycle, both with no uninstall+power cycle and no matter what, I still have 2202. So this does not appear to be a way to change the reported model back (and remove 2ns option added with 2202), only possibly setting the bits and moving it forward.

What is your native model of your scope?

Are you saying you have a native 2202 and you can't make it a 2072 by any method?
Or are you saying you have a native 2072 and can't revert to back to a 2072?
 

Offline true

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #656 on: July 25, 2013, 03:21:33 am »
The latter. It's a 2072; I only applied a generated valid DSAZ license, it turned into a 2202 with a 14-digit SN 0001, an upgraded FW set it back to 2072, another DSAZ put it back as a 2202 and it now never changes from being a 2202.
 

Online ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #657 on: July 25, 2013, 03:34:51 am »
Quote
I should have caught that, feel like an idiot, thanks! Fixed version attached.

EDIT: I shouldn't do this when tired. To the 3 who downloaded, please re-download, it was still bugged :(
I've updated the binaries at my site as well if anyone has been using those. Not that anyone needs it once you've generated a key :P
73 de VE7XEN
He/Him
 

Offline tlu

  • Regular Contributor
  • *
  • Posts: 145
Re: Sniffing the Rigol's internal I2C bus
« Reply #658 on: July 25, 2013, 05:04:36 am »
Is the current RiGen-1 for Windows in the http://gotroot.ca/rigol/ directory up to date, and can we leave the seed at 1 when generating?
 

Offline synapsis

  • Regular Contributor
  • *
  • Posts: 140
  • Country: us
    • Blackcow
Re: Sniffing the Rigol's internal I2C bus
« Reply #659 on: July 25, 2013, 06:05:56 am »
I put the changes people suggested before into the original Rigen before I released it.

You should be able to just leave the seed at 1. If RiGen detects that the seed won't work, it'll automatically choose another one up to 10 times.
 

Offline XaS

  • Contributor
  • Posts: 19
  • Country: ch
Re: Sniffing the Rigol's internal I2C bus
« Reply #660 on: July 25, 2013, 06:54:47 am »
I can confirm at least one additional sale on a DS2072, maybe up to 3 to friends of mine. All thanks to you guys! Rigol should promote the guys responsible for the licence key management. :-DD

MfG XaS
 

Offline Majorstrain

  • Contributor
  • Posts: 49
Re: Sniffing the Rigol's internal I2C bus
« Reply #661 on: July 25, 2013, 07:01:14 am »
Connor Wolf spreads the word via YouTube. EEVblog gets a mention.
He shows the process on a DS4000  :clap:

http://youtu.be/-Woslp7HXFM

Who will be next?

Cheers,
Phil
 

Offline roli_bark

  • Regular Contributor
  • *
  • Posts: 170
Re: Sniffing the Rigol's internal I2C bus
« Reply #662 on: July 25, 2013, 07:18:40 am »
So now due to high publicity, I'll bet you, they [R***L] will come up with new FW versions that defeat this R*G**.exe...
 

Online ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #663 on: July 25, 2013, 07:23:08 am »
Quote
So now due to high publicity, I'll bet you, they [R***L] will come up with new FW versions that defeat this R*G**.exe...
Who cares! Almost all bugs are fixed in latest version :P

Personally I think this is probably permanently modifying the scope's model, or perhaps the earlier engineer keys do. In which case there will be no way for them to tell between a generated and legitimate key. They may do like Agilent and prevent the *installation* of these keys (by creating a new key or authentication mechanism), but I don't think they can disable existing ones. And they apparently can't prevent downgrading. So I think it's cracked wide open, but I could be wrong. I'm going to let someone else risk their scope when the next firmware update comes out, I took enough risk already :).
73 de VE7XEN
He/Him
 

Offline roli_bark

  • Regular Contributor
  • *
  • Posts: 170
Re: Sniffing the Rigol's internal I2C bus
« Reply #664 on: July 25, 2013, 07:42:41 am »
Basically you're right. Who cares. But maybe except for new buyers of the same models starting, say, next year...?

Also, you never know what type of serious "bugs" are still pending to be found & fixed. They may come up with a different curve next FW round, or even a total different crypto algo altogether.
 

Online ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #665 on: July 25, 2013, 07:44:24 am »
Quote
They may come up with a different curve next FW round, or even a total different crypto algo altogether.
My point is that I think, based on nothing other than pure speculation and intuition, that they won't be able to do this without forcing all users of anything other than a DS2072 to enter a new key upon upgrade, which Rigol will have to generate and provide to each user. They might consider that worthwhile, but it would be a pretty big PR problem among their 'serious' customers I think.
73 de VE7XEN
He/Him
 

Offline bleckers

  • Contributor
  • Posts: 35
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #666 on: July 25, 2013, 07:46:01 am »
The main risk you have is if you brick your scope and Rigol check that your scope has been upgraded by this method (they would have a list of serials that have upgrades), then they might refuse to fix it.
 

Offline true

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #667 on: July 25, 2013, 07:56:11 am »
Quote
The main risk you have is if you brick your scope and Rigol check that your scope has been upgraded by this method (they would have a list of serials that have upgrades), then they might refuse to fix it.
While under warranty, this is illegal in many countries. This includes the US. (I do not know your country of residence.)

If Rigol refused to fix a warranty hardware problem on my 'scope - or any other manufacturer / item for that matter - while under warranty, unrelated to any software or hardware modification, I would sue.

Out of warranty repairs, that's another story =)
 

Offline bleckers

  • Contributor
  • Posts: 35
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #668 on: July 25, 2013, 08:09:23 am »
Quote
The main risk you have is if you brick your scope and Rigol check that your scope has been upgraded by this method (they would have a list of serials that have upgrades), then they might refuse to fix it.

While under warranty, this is illegal in many countries. This includes the US. (I do not know your country of residence.)

If Rigol refused to fix a warranty hardware problem on my 'scope - or any other manufacturer / item for that matter - while under warranty, unrelated to any software or hardware modification, I would sue.

That is a fair point, I guess it depends on what your country's law is on jailbreaking/reverse engineering (in the same vein as rooting a phone, for example). It could be argued that you effectively reverse engineered it to perform the operation (having access to the tools/source). IANAL though.

I guess worst case would be that they load it with a new firmware that you can't downgrade from or something, but that in itself is pretty drastic/paranoia.

The best suggestion for people would be to use the scope for a while, then apply the code when they actually need to use the extra features.
« Last Edit: July 25, 2013, 08:11:04 am by bleckers »
 

Offline roli_bark

  • Regular Contributor
  • *
  • Posts: 170
Re: Sniffing the Rigol's internal I2C bus
« Reply #669 on: July 25, 2013, 08:12:06 am »
Sue? On what grounds?
I suspect that your warranty automatically expires when they can prove that any part of the product has been tampered with.
 

Offline benemorius

  • Regular Contributor
  • *
  • Posts: 173
Re: Sniffing the Rigol's internal I2C bus
« Reply #670 on: July 25, 2013, 08:23:07 am »
I wouldn't be too quick to assume that they're going to fix anything. There is a fair chance that they deliberately chose the level of difficulty they wanted us to encounter in hacking these models knowing full well that it would generate extra sales. Too easy could have been embarrassing for them, and too hard might have made it take too long to be hacked. I'm no businessperson but it looks to me like they nailed it.

I recall someone having reasonably well convinced me that there is some evidence to suggest that at least a few people at Rigol are wise enough to do this intentionally, although the details have unfortunately escaped me right now.

Of course, time will tell. I post this not in an attempt to predict the future, but to help create it. I trust that someone at Rigol is reading this thread, and I'm hoping that they have the insight to make profitable decisions, and the influence to see them through.
 

Offline benemorius

  • Regular Contributor
  • *
  • Posts: 173
Re: Sniffing the Rigol's internal I2C bus
« Reply #671 on: July 25, 2013, 08:29:55 am »
Quote
Sue? On what grounds?
I suspect that your warranty automatically expires when they can prove that any part of the product has been tampered with.

On the grounds that they failed to honor a warranty.

I know very little about the legal systems in most countries, but I would lose all faith in any court that allowed a company to void a warranty due to tampering unless the company's engineers could demonstrate that such tampering could in fact reasonably be believed to have caused the observed fault. Hacking a license key magically makes the backlight inverter fail prematurely? Bullshit unless you can prove it, and any country with a court that doesn't agree is in dire trouble.
 

Offline mickpah

  • Regular Contributor
  • *
  • Posts: 148
  • Country: au
    • Yeti Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #672 on: July 25, 2013, 08:32:39 am »
Quote
Basically you're right. Who cares. But maybe except for new buyers of the same models starting, say, next year...?

Also, you never know what type of serious "bugs" are still pending to be found & fixed. They may come up with a different curve next FW round, or even a total different crypto algo altogether.

True, they might change the crypto, but can you imagine the logistics of reissuing keys, and the pissed off customers who lose functionality while this happens? Because to make the change work they would have to make the next FW upgrade irreversible.
 

Offline true

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #673 on: July 25, 2013, 08:34:32 am »
Quote
Sue? On what grounds?
I suspect that your warranty automatically expires when they can prove that any part of the product has been tampered with.
Your suspicion is not the law. But let's not turn this into a legal thread - the point is, in many countries, installing a key on your scope will not void the warranty.

Quote from: benemorius
There is a fair chance that they deliberately chose the level of difficulty they wanted us to encounter in hacking these models knowing full well that it would generate extra sales.
Have you seen, in general, Chinese programming for consumer devices? It's not very different for special devices, either. This is not the first time such ideas have been brought up in this thread. This is purely a case of ignorance and poor practices.
« Last Edit: July 25, 2013, 08:37:57 am by true »
 

Offline benemorius

  • Regular Contributor
  • *
  • Posts: 173
Re: Sniffing the Rigol's internal I2C bus
« Reply #674 on: July 25, 2013, 09:01:43 am »
Quote
Have you seen, in general, Chinese programming for consumer devices? It's not very different for special devices, either. This is not the first time such ideas have been brought up in this thread. This is purely a case of ignorance and poor practices.

No indeed. I won't deny charges of wishful thinking. I'll try to turn up the evidence to the contrary that I alluded to though. It was by no means conclusive, but it was enough to make me nod and say "hmm... yeah, maybe so". In any case, like I said, I'm trying to help make the future - not predict it. :-+
 

