Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1825295 times)

0 Members and 1 Guest are viewing this topic.

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #400 on: July 17, 2013, 11:40:26 am »
yes, at the moment thats a bit of a showstopper, to be honest, my mathfoo is not up to ECC (and never will be ;-).
but what they do is take the serial in  <DSA2format>+2nd,10th,18th,26th Char of the license string (e.g. DSA9 = option enable keyword) and build a SHA1 hash out of it. thats the secret message if u will.
that message is then signed using a private key (unknown to us) - and the resulting public key is the license key - from the looks of it the public key is 56bits long.

so without bruteforcing the private key (56bits, not in my lifetime probably ;-) - the only way around this is that we install our own public keys in the GEL file and sign our own licensekeys - this leads to the nessecarity to be able to flash a custom GEL file. (e.g. find bootloader checksums blah) - if they also signed that .. then a software mod only is impossible, and it could only be done via jtag.

the main verification routing is a almost complete ripoff of https://github.com/CertiVox/MIRACL/blob/master/source/ecsver.c
except instead of files, the static parts are values in the firmware - thats the hexnumber like looking strings.
i will post a small c file later on that replays what they do once i come around to rewrite it for the MIRACL library. (reversing that lib still was fun ;-)


« Last Edit: July 17, 2013, 11:55:04 am by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #401 on: July 17, 2013, 11:50:05 am »

so without bruteforcing the private key (56bits, not in my lifetime probably ;-) - the only way around this is that we install our own public keys in the GEL file and sign our own licensekeys - this leads to the nessecarity to be able to flash a custom GEL file. (e.g. find bootloader checksums blah) - if they also signed that .. then a software mod only is impossible, and it could only be done via jtag.


at 100000 keys / sec that will be in the range of 2000 years
 

Offline M. András

  • Super Contributor
  • ***
  • Posts: 1014
  • Country: hu
Re: Sniffing the Rigol's internal I2C bus
« Reply #402 on: July 17, 2013, 05:36:53 pm »
is there a way to download that buttload of files from github?
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #403 on: July 17, 2013, 05:48:00 pm »
is there a way to download that buttload of files from github?
https://github.com/CertiVox/MIRACL -> Download ZIP

Or just git clone it.
73 de VE7XEN
He/Him
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #404 on: July 18, 2013, 12:08:14 am »
As promised here is an implementation of what Rigol does in C using MIRACL.
Except a few tiny bits (see code comments) its 100% what they do.

Should compile on any linux box - RTFM -> file header


Code: [Select]
/*
** C implementation of rigol ds2k ECC-112 license key check
** version 0.1
** cybernet, 2013 - <cn@warp.at>
**
**
** to compile this you need MIRACL from [url]https://github.com/CertiVox/MIRACL[/url]
** download the master.zip into a new folder and run 'unzip -j -aa -L master.zip'
** then run 'bash linux' to build the miracle.a library
**
** once done compile this c file with:
**
** gcc main.c -I../MIRACL ../MIRACL/miracl.a -o riglol
**
** adapt -I and path to miracl.a to your environment
**
** RUN:
**
** ./riglol ???????-???????-???????-??????? DSA2Aserial
**
** WHAT THIS IS:
**
** an implementation that matches rigols license key check
** except a few deviations which are not yet reversed fully.
**
** WHAT THIS IS NOT:
**
** a keygen, something for scriptkiddies to ask questions about - RTFM instead
**
**
** more info: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/
**       http://certivox.org/pages/viewpage.action?pageId=7635202
**
**
*/

#include <stdio.h>
#include "miracl.h"
#include <stdlib.h>
#include <string.h>

// primes, ecurve parameters, points from FW v.00.01.00.05 - probably always the same anyhow
unsigned char prime1[]="AEBF94CEE3E707";
unsigned char prime2[]="AEBF94D5C6AA71";
unsigned char curve_a[]="2982";
unsigned char curve_b[]="3408";
unsigned char point1[]="7A3E808599A525";
unsigned char point2[]="8445B2BE29E5C7";

// which chars to skip for option key
char skip_chars[] = { 2, 10, 18, 26 };

// some helper maps to convert key to hex
char map_ee00d0[]={ 0x0, 0x0, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
                    0x0, 0x0, 0x0,  0x0,  0x0,  0x0,  0x0,  0x0,  0x1,  0x2,
                    0x3, 0x4, 0x5,  0x6,  0x7,  0x0,  0x8,  0x9,  0xa,  0xb,
                    0xc, 0x0, 0xd,  0xe,  0xf,  0x10, 0x11, 0x12, 0x13, 0x14,
                    0x15,0x16, 0x17 };

char map_20688[]={ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,  /* 0-9 = 0x30 */
                   0x37, 0x37, 0x37, 0x37, 0x37, 0x37 };                        /* A-F = 0x37 */

void show_help(void)
{
 printf("\n");
 printf("./riglol <licensekey> <serial>\n\n");
 printf("<licensekey> can be given with or without dashes\n");
 printf("<serial> DSA2...\n");
 printf("\n");
 exit(-1);
}

/*
** convert string to uppercase chars
*/
char *strtoupper(char *str)
{
    char *newstr, *p;
    p = newstr = (char*) strdup((char*)str);
    while((*p++=toupper(*p)));
    return newstr;
}

/*
** skip dashes in input string
*/
char *lic_skip_dash(char *str)
{
 char *out, *c;
 char i=0;

 out=calloc(strlen(str)+1,1);
 if (!out) return(NULL);

 c=str;
 i=0;
 while (*c)
 {
   if (*c != '-')
    out[i++]=*c++;
   else *c++;
 }
 // printf("out: %s\n", out);
 return(out);
}


/*
** return string with skipped 2nd,10th,18th,26th character
*/
char *lic_make_skipped_str(char * lic_raw)
{
 char *c;
 char i,j,k;
 char *lic_skipped;

 if (!lic_raw) return(NULL);
 lic_skipped=calloc(strlen((char*)lic_raw)+1-sizeof(skip_chars), 1);
 if (!lic_skipped) return(NULL);

 c=lic_raw;
 i=j=k=0;
 while (*c)
 {
   j++;
   if (skip_chars[i] == j)
    i++;
   else lic_skipped[k++]=*c;

   c++;
 }
 return(lic_skipped);
}

/*
** return string of the skipped 2nd,10th,18th,26th character
*/
char *lic_make_skipped_chars(char * lic_raw)
{
 char *c;
 char i,j,k;
 char *lic_skipped;

 if (!lic_raw) return(NULL);
 lic_skipped=calloc(sizeof(skip_chars)+1, 1);
 if (!lic_skipped) return(NULL);

 c=lic_raw;
 i=j=k=0;
 while (*c)
 {
   j++;
   if (skip_chars[i] == j)
   {
    lic_skipped[k++]=*c;
    i++;
   }
   c++;
 }
 return(lic_skipped);
}

/*
** conver to hex
*/
char char_to_hex(char i)
{
 if ((i >= 'A') && (i <= 'F')) return(i-0x37);
 if ((i >= '0') && (i <= '9')) return(i-0x30);
 return(0x0);
}

/*
** map the skipped license string into hex bytes
**
*/
char *lic_code_map(char *lic_skipped)
{
 char lv1,lv2;
 char b1_mapped, b1_shifted, b1_remapped;
 char b2_mapped, b2_shifted, b2_remapped;
 char b3_mapped, b3_shifted, b3_remapped;
 char b4_mapped, b4_shifted, b4_remapped;
 char b5_shifted, b5_remapped;
 char *lic_skipped_mapbytes;
 unsigned int c=0;
 lic_skipped_mapbytes=calloc(255, 1);
 if (!lic_skipped_mapbytes) return(0);

 lv1=lv2=0;
 while(lv1 < strlen((char*)lic_skipped))
 {
    b1_mapped =  map_ee00d0[ *(lic_skipped+lv1) - 0x30 ];
    b1_shifted = (b1_mapped / 2) & 0xf;
    b1_remapped = b1_shifted + map_20688[b1_shifted];
    lic_skipped_mapbytes[lv2++]=b1_remapped;
    b1_mapped = b1_mapped & 0x1;

    b2_mapped =  map_ee00d0[ *(lic_skipped+lv1+1) - 0x30 ];
    b2_shifted =  ((b1_mapped << 0x3) | (b2_mapped / 4)) & 0xF;
    b2_remapped = b2_shifted + map_20688[b2_shifted];
    lic_skipped_mapbytes[lv2++]=b2_remapped;

    b3_mapped = map_ee00d0[ *(lic_skipped+lv1+2) - 0x30 ];
    b3_shifted = ((b3_mapped / 8) | ( (b2_mapped & 0x3) << 2 )) & 0xF;
    b3_remapped = b3_shifted + map_20688[b3_shifted];
    lic_skipped_mapbytes[lv2++]=b3_remapped;

    b4_mapped = map_ee00d0[ *(lic_skipped+lv1+3) - 0x30 ];
    b4_shifted = ((b4_mapped / 16 ) |((b3_mapped & 0x7) << 0x1)) & 0xf;
    b4_remapped = b4_shifted + map_20688[b4_shifted];
    lic_skipped_mapbytes[lv2++]=b4_remapped;
    b5_shifted = b4_mapped & 0xF;
    b5_remapped = b5_shifted + map_20688[b5_shifted];
    lic_skipped_mapbytes[lv2++]=b5_remapped;

    lv1 = lv1 + 4;
    c=c+5;
  }
  lic_skipped_mapbytes[c-1]=0;
  return(lic_skipped_mapbytes);
}

/*
** MAIN
*/
int main(int argc, char *argv[0])
{
  miracl *mip;
  big    p1,p2; // primes
  big    c1,c2; // curve parameters (A,B)
  big    tmp; // generic temp bigvar
  big    lic1,lic2; // the two parts of our license key
  epoint *pt1,*pt2; // points on our curve
  sha sh;
  big sha_hash; // sha1 hash of serial + lic_opt
  big    m1,m2; // output from mad() func
  big    v;
  big    g; // gxcd output
  char   *lic_raw,*serial; // cmdline input
  char   *lic_opt,*lic_skipped; // options as given per license key (2nd,10th,18th,26th char)
  char   *lic_opt_mapbytes; // options in hex format - denotes type of option and the bitflags for the options
  char   *lic_skipped_mapbytes; // input into the ECC routines
  char   *lic_hash; // serial + lic_opt string
  char   *lic_1_mapbytes; // split lic_map_bytes on character 0xe (mapped)
  char   *lic_2_mapbytes;  // second half
  int i1,i2;
  char   *p;

  // get our commandline input
  // and do some basic checks
  if (argc!=3) show_help();
  lic_raw=(char*)strtoupper((char*)argv[1]); // make it uppercase
  serial=(char*)strtoupper((char*)argv[2]);             // make it uppercase
  lic_raw=lic_skip_dash(lic_raw); // skip any dashes
  if (strlen(lic_raw)  < 0x1c) { fprintf(stderr, "license key is to short !\n"); exit(-1); }
  if (strlen(lic_raw) > 0x1c) { fprintf(stderr, "license key is to long !\n"); exit(-1); }
  if (strlen(serial) != 0xd) { fprintf(stderr, "serial has invalid length !\n"); exit(-1); }
  // generate the strings and map the license key to hex
  lic_skipped=lic_make_skipped_str(lic_raw); // licensekey minus 2nd,10th,18th,26th char
  lic_opt=lic_make_skipped_chars(lic_raw); // licensekey 2nd,10th,18th,26th char
  lic_skipped_mapbytes=lic_code_map(lic_skipped); // convert to base 16
  lic_opt_mapbytes=lic_code_map(lic_opt); // same for the desired options
  // split the lic_skipped_mapbytes
  lic_1_mapbytes=strdup(lic_skipped_mapbytes);
  i1=(char)(0x0e - char_to_hex(lic_skipped_mapbytes[0xe]));
  if ((0xe < i1) || (i1 < 0)) i1=0;
  lic_1_mapbytes[i1]=0;
  lic_2_mapbytes=strdup(lic_skipped_mapbytes);
  i2=(char)(0x1d-char_to_hex(lic_skipped_mapbytes[0x1d]));
  if ((0x1d < i2) || (i2 < 0)) i2=0xf;
  lic_2_mapbytes[i2]=0;           
  p=strdup(lic_2_mapbytes+0xf);
  lic_2_mapbytes=strdup(p);
  lic_hash=calloc(strlen(serial)+strlen(lic_opt)+1,1);
  strcpy(lic_hash, serial);
  strcat(lic_hash, lic_opt);

  // our strings, inputs to the ECC/sha crypto part
  printf("\nserial:           %s\n", serial);
  printf("license-key:      %s\n", lic_raw);
  printf("license-skipped:  %s (%s)\n", lic_skipped, lic_skipped_mapbytes);
  printf("license-1-mapped: %s\n", lic_1_mapbytes);
  printf("license-2-mapped: %s\n", lic_2_mapbytes);
  printf("license-options:  %s (%s)\n", lic_opt, lic_opt_mapbytes);
  printf("serial&options:   %s\n", lic_hash);
 
  // initialize MIRACL
  mip=mirsys(0x320,0x10); // 800 bit precison, 16=hexmode
  // initialize "big" variables used by MIRACL
  tmp=mirvar(0);
  p1=mirvar(0);
  p2=mirvar(0);
  c1=mirvar(0);
  c2=mirvar(0);
  lic1=mirvar(0);
  lic2=mirvar(0);
  sha_hash=mirvar(0);
  m1=mirvar(0);
  m2=mirvar(0);
  v=mirvar(0);
  g=mirvar(0);
  // initalize the epoints used
  pt1=epoint_init();
  pt2=epoint_init();
  // setup static items like rigol (primes, the elliptic curve)
  instr(p1, prime1);
  instr(p2, prime2);
  instr(c1, curve_a);
  instr(c2, curve_b);
 
  // initialize ecurve and set the 2 points 
  ecurve_init(c1, c2, p1, MR_PROJECTIVE);
  instr(tmp, point1);
  if (!epoint_set(tmp, tmp, 0x0, pt1))
  {
  printf("ERR: '%s' not a point on the given curve\n", point1);
        exit(-1);
  }
  instr(tmp, point2);
  if (!epoint_set(tmp, tmp, 0x1, pt2))
  {
        printf("ERR: '%s' not a point on the given curve\n", point2);
        exit(-1);
  }
  /* 
  * at this point initialization of the ECC crypto system is completed
  ** this is done only once on a rigol per powerup cycle
  **
  ** now comes the part that is run for every key check
  */


  // generate the sha1 hash for the serial+option string
  shs_init(&sh);
  p=lic_hash;
  while(*p)
  {
    shs_process(&sh,*p);
    p++;
  }
  shs_hash(&sh, lic_hash);
  bytes_to_big(20, lic_hash, sha_hash);
  mip->IOBASE = 16;
  printf("sha1(serial&opts) "); cotnum(sha_hash, stdout); printf("\n");

  // convert our 2 halves of the mapped license key into big's
  instr(lic1, lic_1_mapbytes);
  instr(lic2, lic_2_mapbytes);

  // make sure lic1 and lic2 are not our p2 prime ? why ?
  if (mr_compare(lic1, p2) >= 0x0)
  {
  printf("ERR: lic1 compare\n");
  }
  if (mr_compare(lic2, p2) >= 0x0)
  {
        printf("ERR: lic2 compare\n");
  }
  // here should be two unimplemented/unknown test functions again testing lic1/lic2 - tbc.
  // they only seem to check a length nothing super important imho
  // i will add them once i match them to MIRACL
 

  // now the mathfoo starts ...
  xgcd(lic2, p2, lic2, lic2, lic2); // xgcd(x, p, x, x, x,); -> x = 1/x mod p (p is prime)
  copy(lic2,g); // copy output (lic2) to g for simplicity

  mad(sha_hash, g, g, p2, p2, m1); // multiply and add - mad(x, x, x, w, x, x); -> x = x^2 / w
  mad(lic1    , g, g, p2, p2, m2); // multiply and add - mad(x, x, x, w, x, x); -> x = x^2 / w
  ecurve_mult2(m1, pt1, m2, pt2, pt1); // multiply and add - ecurve_mult2(e,p,ea,pa,pt) -> pt== e (x) p + ea (x) pa

  // check if pt1 (output from ecurve_mult2) divided by the prime p2 matches lic1
  // this is actually done slightly differnt in the firmware, but i was unable to find a match in MIRACL so far
  // so i used the method from the ecsver.c example
  epoint_get(pt1,v,v); // epoint_get(p, x, y); // extract x coordinate and lsb of y
  divide(v,p2,p2); // quotient and remainder - divide(x,y,z) ->  x = x (mod y)

  // now we compare v to the first part of our license key (lic1)
  // to give some idea of how the ECC-112 output changes with input print the compared value
  printf("v:    "); cotnum(v, stdout);
  printf("lic1: "); cotnum(lic1, stdout); printf("\n");
 
  if (mr_compare(v, lic1)==0)
  {
  printf(" License Key is VALID\n");
  }
  else
  {
printf(" INVALID License Key\n");
  }
  printf("\n\n");
  exit(0);
}
« Last Edit: July 18, 2013, 12:11:06 am by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline true

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #405 on: July 18, 2013, 12:23:33 am »
Great work cybernet. Runs fine but don't have anything to test =) Thanks for commenting as well.
« Last Edit: July 18, 2013, 12:28:24 am by true »
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #406 on: July 18, 2013, 12:30:04 am »
maybe someone agrees to post a trial key, the ones that i've gotten i can not post because i promised to keep em private.
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #407 on: July 18, 2013, 12:34:48 am »
Great work cybernet. Runs fine but don't have anything to test =) Thanks for commenting as well.

well u could try to find a match for your serial - lottery at its best ..  :-DD
just use DSAH for the 2nd,10th,18th,26th char ;-)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline zibadun

  • Regular Contributor
  • *
  • Posts: 112
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #408 on: July 18, 2013, 01:43:12 am »
as a script kiddie it's my duty to report that cybernet's code works perfectly with my trial key

$ ./riglol RVEblah-blah-blah-blah DS2Afoo

...
license-options:  VSA9 (9C01)
serial&options:   DS2AfooVSA9
sha1(serial&opts) 6AE0077305B7953919FF39181418828E5CA517C4

v:    7BBCFEBAF16BEA
lic1: 7BBCFEBAF16BEA

 License Key is VALID

 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #409 on: July 18, 2013, 08:33:44 am »
at 100000 keys / sec that will be in the range of 2000 years

It's feasible on modern GPUs, in the range of months. The problem is you need a custom implementation in something like OpenCL.

so we have the soruce of the crypto we know how it is used and we have the Hardware to do it. All we need then is someone who can write the program and the CPU/GPU time.

Who is willing to do this??


thanx to all
DL5TOR
Torsten
 

Offline orbiter

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: gb
  • -0 Resistance is Futile
Re: Sniffing the Rigol's internal I2C bus
« Reply #410 on: July 18, 2013, 09:20:08 am »
I'm in..  Just get me a program and it'll give my two GTX295's something to munch on :)
 

Offline kizzap

  • Supporter
  • ****
  • Posts: 477
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #411 on: July 18, 2013, 01:35:42 pm »
The bitcoin guys are getting into ASIC territory for mining. I wonder if something like that could be used for this....

-kizzap
<MatCat> The thing with aircraft is murphy loves to hang out with them
<Baljem> hey, you're the one who apparently pronounces FPGA 'fuhpugger'
 

Offline zibadun

  • Regular Contributor
  • *
  • Posts: 112
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #412 on: July 18, 2013, 01:58:22 pm »
The bitcoin guys are getting into ASIC territory for mining. I wonder if something like that could be used for this....

-kizzap

if my math is right for a 56 bit key we would need aggregate performance of ~10 Gkeys/sec to solve this in a couple of months.  BTW ATI GPUs were much faster than a comparable price NVIDIA for generating bitcoins. or here is another comparison from a known "security" company http://www.elcomsoft.com/news/545.html.  (I'll donate Radeon HD 5700 time:)
« Last Edit: July 18, 2013, 02:03:23 pm by zibadun »
 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #413 on: July 18, 2013, 02:17:24 pm »
The bitcoin guys are getting into ASIC territory for mining. I wonder if something like that could be used for this....

-kizzap

if my math is right for a 56 bit key we would need aggregate performance of ~10 Gkeys/sec to solve this in a couple of months.  BTW ATI GPUs were much faster than a comparable price NVIDIA for generating bitcoins. or here is another comparison from a known "security" company http://www.elcomsoft.com/news/545.html.  (I'll donate Radeon HD 5700 time:)

with 10 GKeys/sec that will be 83,4 days. The math is simple

56 bit = 2^56 posibilts = 72057594037927936

then
72057594037927936 / 10.000.000.000= 7205759,4s = 120095 min = 2001,6h = 83,4 Days


this is max time so in reality it will not be that Long

73
 
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #414 on: July 18, 2013, 02:25:13 pm »
Per serial number of each ds2xx2 don't forget !


--
 Darryl

 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #415 on: July 18, 2013, 02:46:19 pm »
given my lacking math skills - i think what we *would' need to crack is the two prime numbers p1,p2 - which means its a 112 Bit problem.
these prime numbers are the public key, which when cracked lead to the private key - having the private key means we can sign whatever message (serial+opt) we want.

and 112bits of ECC is unbroken as of now (at least i read that somewhere recently).

so we should focus on checking the bootloader + its firmware verification .. hash, crc, whatever - then simply replace the two primes with a public/private key of our own, and flash the GEL file - once done, you can sign your own license keys and voila.

just skipping the checks might prove difficult, because they could get very creative where they do such checks, and it would be hard to find for a new FW version.
compromising the public key (primes) is much easier, and much harder for them to get rid of - unless they start to move the whole ECC framework into the FGPA, because then its game over ;-)

btw - i wonder if they paid for the commercial license of MIRACL ;-)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline CodyShaw

  • Contributor
  • Posts: 44
  • Country: ca
    • My Blog!
Re: Sniffing the Rigol's internal I2C bus
« Reply #416 on: July 18, 2013, 03:08:05 pm »
given my lacking math skills - i think what we *would' need to crack is the two prime numbers p1,p2 - which means its a 112 Bit problem.
these prime numbers are the public key, which when cracked lead to the private key - having the private key means we can sign whatever message (serial+opt) we want.

and 112bits of ECC is unbroken as of now (at least i read that somewhere recently).

so we should focus on checking the bootloader + its firmware verification .. hash, crc, whatever - then simply replace the two primes with a public/private key of our own, and flash the GEL file - once done, you can sign your own license keys and voila.

just skipping the checks might prove difficult, because they could get very creative where they do such checks, and it would be hard to find for a new FW version.
compromising the public key (primes) is much easier, and much harder for them to get rid of - unless they start to move the whole ECC framework into the FGPA, because then its game over ;-)

btw - i wonder if they paid for the commercial license of MIRACL ;-)

"How to beat encryption:

Screw brute forcing the prime numbers, just hack the damn thing and change them to 5!"
Candidate for Bachelor of Applied Science, Electrical Engineering, University of Waterloo, Waterloo, ON, Sept. 2011 – Present
3A Electrical Engineering
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #417 on: July 18, 2013, 03:13:01 pm »
just skipping the checks might prove difficult, because they could get very creative where they do such checks, and it would be hard to find for a new FW version.

Is the license key stored?  Is it validated at startup each and every time or only at the time of entry?  Some may have theorized that the key is stored because a trial extension can't be used multiple times, but there could be an internal counter that tracks how many trial extensions have been issued and only allows so many.

If the key is NOT stored, then it is potentially enter key -> validate as good -> set license mode and features permanently someplace

If this is the case, then a simple opcode modification at the point where it decides if the key is valid or invalid will allow entering a key like this:

xDxxxxx-xxSxxxx-xxxAxxx-xxxxZxx

No matter what the x values or S/N are it would accept the key and enable the features and license mode.

Then you could go to a factory firmware version and no longer be able to enter such a key, but have all features enabled in official license key mode...

i think (didnt look carefully) the option key e.g. 1C0XX or 9C0XX is checked everytime a licensed feature is requested (e.g. menu pops up).
i asked some ppl to check for the encoded option key in the FRAM, but its not there i guess. so probably they store the outcome of the ecurve operations, and then compare it - somebody with FRAM access could check that. because *that* could easily be faked, written to FRAM and will be permanent.
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline docmandu

  • Contributor
  • Posts: 17
Re: Sniffing the Rigol's internal I2C bus
« Reply #418 on: July 18, 2013, 06:15:34 pm »
I wonder if Rigol learned from Sony's mistake :-)

http://www.thedistractionnetwork.com/sonys-ecdsa-code/


Anyway, nice work on the reversing.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #419 on: July 18, 2013, 06:18:31 pm »
I wonder if Rigol learned from Sony's mistake :-)

http://www.thedistractionnetwork.com/sonys-ecdsa-code/


Anyway, nice work on the reversing.

that was about  the first thing i tried, but the private/pub key pair was done on a pc and MIRACL is having a proper RNG ;-) (9 digit seed ... then generating an 800 bit number ..)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline docmandu

  • Contributor
  • Posts: 17
Re: Sniffing the Rigol's internal I2C bus
« Reply #420 on: July 18, 2013, 09:30:16 pm »
Does it? Only had a very quick look at it. It seemed to be using a pseudo number generator, albeit seeded with a 9 digit number in the example code from MIRACL.
Anyway if they used a proper one, then the only options are a buffer overrun somewhere or directly patching the firmware.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #421 on: July 18, 2013, 09:46:36 pm »
These are the FW 5 addresses of the MIRACL functions for those who work with JTAG.

Code: [Select]
MIRACL_convert_sub_1FB2E8         ROM 001FB2E8 00000048 R . . . . . .
MIRACL_copy_sub_1FBA4C            ROM 001FBA4C 0000008A R . . . . . .
MIRACL_decr_sub_1F91EE            ROM 001F91EE 0000004A R . . . . . .
MIRACL_divide_sub_1FA2CA          ROM 001FA2CA 00000890 R . . . . . .
MIRACL_ecp_memalloc_1FC2F8        ROM 001FC2F8 00000082 R . . . . . .
MIRACL_ecp_memkill_sub_1FC37A     ROM 001FC37A 0000008A R . . . . . .
MIRACL_ecurve_add_sub_1FD184      ROM 001FD184 0000008E R . . . . . .
MIRACL_ecurve_add_sub_1FD542      ROM 001FD542 000001F2 R . . . . . .
MIRACL_ecurve_double_sub_1FC8B0   ROM 001FC8B0 000004A2 R . . . . . .
MIRACL_ecurve_mult2_sub_1FD734    ROM 001FD734 00000266 R . . . . . .
MIRACL_ecurve_mult_1FD2C6         ROM 001FD2C6 0000027C R . . . . . .
MIRACL_ecurve_padd_sub_1FCD52     ROM 001FCD52 000003E6 R . . . . . .
MIRACL_ecurve_sub_sub_1FD25E      ROM 001FD25E 00000068 R . . . . . .
MIRACL_epoint_copy_sub_1FD138     ROM 001FD138 0000004C R . . . . . .
MIRACL_epoint_init_mem_sub_1FC2C6 ROM 001FC2C6 00000032 R . . . . . .
MIRACL_epoint_negate_sub_1FD212   ROM 001FD212 0000004C R . . . . . .
MIRACL_epoint_norm_sub_1FC5F2     ROM 001FC5F2 000000E4 R . . . . . .
MIRACL_epoint_set_sub_1FC4DE      ROM 001FC4DE 00000114 R . . . . . .
MIRACL_exsign_sub_1FAF32          ROM 001FAF32 00000020 R . . . . . .
MIRACL_insign_sub_1FAF08          ROM 001FAF08 0000002A R . . . . . .
MIRACL_jack_sub_1FDF84            ROM 001FDF84 000001BA R . . . . . .
MIRACL_logb2_sub_1FAC04           ROM 001FAC04 0000006A R . . . . . .
MIRACL_mad_sub_1FAB5A             ROM 001FAB5A 000000A8 R . . . . . .
MIRACL_memkill_sub_1FB8C0         ROM 001FB8C0 00000042 R . . . . . .
MIRACL_mirsys_sub_1FB892          ROM 001FB892 0000002E R . . . . . .
MIRACL_mirsys_sub_1FEE10          ROM 001FEE10 00000168 R . . . . . .
MIRACL_mirvar_mem_sub_1FB3B8      ROM 001FB3B8 00000032 R . . . . . .
MIRACL_mirvar_sub_1FB330          ROM 001FB330 00000088 R . . . . . .
MIRACL_mr_addbit_sub_1FBF66       ROM 001FBF66 0000006E R . . . . . .
MIRACL_mr_berror_sub_1FB0F4       ROM 001FB0F4 00000024 R . . . . . .
MIRACL_mr_compare_sub_1FACD4      ROM 001FACD4 000000B0 R . . . . . .
MIRACL_mr_jsf_sub_1F99B8          ROM 001F99B8 0000021E R . . . . . .
MIRACL_mr_notint_sub_1FADEE       ROM 001FADEE 00000028 R . . . . . .
MIRACL_mr_padd_sub_1F8C60         ROM 001F8C60 00000240 R . . . . . .
MIRACL_mr_pmul_sub_1F9238         ROM 001F9238 000001F0 R . . . . . .
MIRACL_mr_psub_sub_1F8EA0         ROM 001F8EA0 00000138 R . . . . . .
MIRACL_mr_sdiv_sub_1F94A2         ROM 001F94A2 0000017A R . . . . . .
MIRACL_mr_select_sub_1F8FD8       ROM 001F8FD8 0000016C R . . . . . .
MIRACL_mr_select_sub_1F9174       ROM 001F9174 00000030 R . . . . . .
MIRACL_mr_testbit_sub_1FAC6E      ROM 001FAC6E 00000066 R . . . . . .
MIRACL_multiply_sub_1F9C7E        ROM 001F9C7E 0000064C R . . . . . .
MIRACL_negify_sub_1FBAD6          ROM 001FBAD6 00000020 R . . . . . .
MIRACL_normalise_sub_1F9BD8       ROM 001F9BD8 000000A6 R . . . . . .
MIRACL_nres_lucas_1FE140          ROM 001FE140 000001E8 R . . . . . .
MIRACL_nres_moddiv_sub_1FEBCE     ROM 001FEBCE 0000008E R . . . . . .
MIRACL_nres_modmult_sub_1FEB28    ROM 001FEB28 000000A6 R . . . . . .
MIRACL_nres_modsub_sub_1FE97E     ROM 001FE97E 00000054 R . . . . . .
MIRACL_nres_negate_sub_1FE890     ROM 001FE890 0000003E R . . . . . .
MIRACL_nres_premult_sub_1FE9D2    ROM 001FE9D2 00000156 R . . . . . .
MIRACL_nres_sqroot_sub_1FF354     ROM 001FF354 00000250 R . . . . . .
MIRACL_nres_sub_1FE328            ROM 001FE328 000000B2 R . . . . . .
MIRACL_redc_sub_1FE584            ROM 001FE584 0000030C R . . . . . .
MIRACL_remain_sub_1F9786          ROM 001F9786 000000AE R . . . . . .
MIRACL_sha1_sub_1FFFA6            ROM 001FFFA6 000000A2 R . . . . . .
MIRACL_size_sub_1FAD84            ROM 001FAD84 0000006A R . . . . . .
MIRACL_subdiv_sub_1F961C          ROM 001F961C 0000016A R . . . . . .
MIRACL_xgcd_caller_sub_1FFF2A     ROM 001FFF2A 0000001A R . . . . . .
MIRACL_xgcd_sub_1FF790            ROM 001FF790 0000079A R . . . . . .
MIRACL_zero_sub_1FB222            ROM 001FB222 0000003E R . . . . . .

the magic happens in

LIC_HUGE_sub_200048 ROM 00200048 0000031A R . . . . . .

which is basically the riglol.c

« Last Edit: July 18, 2013, 09:51:10 pm by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #422 on: July 18, 2013, 09:51:57 pm »
Other stuff, with questionable naming from my side .. so rely on that with caution.

Code: [Select]
BOOTLDR_MAIN_?_sub_1FD1632                           ROM    01FD1632 00000096 R . . . . . .
BOOTLDR_send_SPORT_sub_1FD2C2C                       ROM    01FD2C2C 0000002C R . . . . . .
BOOTLDR_sub_1FD107A                                  ROM    01FD107A 000000EE R . . . . . .
BOOTLDR_sub_1FD150E                                  ROM    01FD150E 00000078 R . . . . . .
BOOTLDR_sub_1FD2C58                                  ROM    01FD2C58 000000A4 R . . . . . .
BOOT_sub_20B3A                                       ROM    00020B3A 00000370 R . . . . . .
CALLOC_0x258_Bytes_sub_1F8BE8                        ROM    001F8BE8 00000014 R . . . . . .
CALLOC_unknown_libname_74                            ROM    0020F3C8 00000014 R . L . . . .
CALL_deref_EE0828_sub_20FD54                         ROM    0020FD54 00000026 R . . . . . .
CALL_faa0b3c0_sub_E408                               ROM    0000E408 00000018 R . . . . . .
CAPTURE_FOREVER_sub_FFA045EC                         seg010 FFA045EC 00000006 R . . . . . .
CFG_Save_?_sub_E7D0E                                 ROM    000E7D0E 000003D0 R . . . . . .
CHIP_ID_sub_FFA00D70                                 seg010 FFA00D70 000000C4 R . . . . . .
CODE_MapBytes_sub_206CBE                             ROM    00206CBE 000001D2 R . . . . . .
DATETIME_get_sub_18BA90                              ROM    0018BA90 00000058 R . . . . . .
DISASM_?_sub_13EA92                                  ROM    0013EA92 00000072 R . . . . . .
DISPLAY_UPDATE_?_sub_14875C                          ROM    0014875C 00000276 R . . . . . .
DIS_TWI_XMIT_sub_E090                                ROM    0000E090 0000011E R . . . . . .
DS2000Update_GEL_sub_1FD5F24                         ROM    01FD5F24 000001FC R . . . . . .
Disable_EA041C_sub_DEA48                             ROM    000DEA48 00000016 R . . . . . .
EBIU_sub_1E89F0                                      ROM    001E89F0 0000003C R . . . . . .
Enable_EA041C_sub_DEA5E                              ROM    000DEA5E 00000016 R . . . . . .
FPGA_GetVersion_sub_8A94                             ROM    00008A94 00000018 R . . . . . .
GET_0xEA8EE0_sub_11E7FC                              ROM    0011E7FC 00000014 R . . . . . .
GET_0xEA94B4_sub_139A8A                              ROM    00139A8A 00000014 R . . . . . .
HWSETUP_sub_1E8A2C                                   ROM    001E8A2C 000000A8 R . . . . . .
HWSETUP_sub_1E939A                                   ROM    001E939A 00000010 R . . . . . .
KEYBOARD_POLL_sub_1A7C5A                             ROM    001A7C5A 000000E6 R . . . . . .
KEYBOARD_onPress_sub_1E1B8C                          ROM    001E1B8C 00000048 R . . . . . .
KEYBOARD_sub_1A7B8E                                  ROM    001A7B8E 0000008C R . . . . . .
KEYMAP_?_sub_1D4860                                  ROM    001D4860 000000DE R . . . . . .
KEYMAP_JT_sub_1E45A8                                 ROM    001E45A8 00000128 R . . . . . .
KEYMAP_sub_1E46D0                                    ROM    001E46D0 000000C4 R . . . . . .
KEYPRESS_?_sub_11555E                                ROM    0011555E 00000B00 R . . . . . .
LICENSE_DECODE_Main_sub_1FDEE8                       ROM    001FDEE8 0000009A R . . . . . .
LIC_ALLOC_StrBuffers_sub_1858B2A                     ROM    01858B2A 00000166 R . . . . . .
LIC_ALLOC_StrBuffers_sub_59A2A                       ROM    00059A2A 00000166 R . . . . . .
LIC_ALLOC_calc_sub_1FAF52                            ROM    001FAF52 0000006C R . . . . . .
LIC_ALLOC_struct_sub_1FC14E                          ROM    001FC14E 00000088 R . . . . . .
LIC_AddFuncPtrMain_sub_1A6B82                        ROM    001A6B82 00000118 R . . . . . .
LIC_AddFunctionPtr_sub_5A7BE                         ROM    0005A7BE 00000088 R . . . . . .
LIC_CALLOC_?_sub_1FB3EA                              ROM    001FB3EA 00000040 R . . . . . .
LIC_CALLOC_?_sub_205D78                              ROM    00205D78 0000002A R . . . . . .
LIC_CALLOC_sub_20628A                                ROM    0020628A 0000007A R . . . . . .
LIC_CALLOC_verify_sub_1F8BFC                         ROM    001F8BFC 0000004E R . . . . . .
LIC_CODE_CreateStrings_sub_2070A4                    ROM    002070A4 000000B8 R . . . . . .
LIC_CODE_MapKeyBytesAgain_sub_20688E                 ROM    0020688E 00000036 R . . . . . .
LIC_CODE_StringToHex_sub_206846                      ROM    00206846 00000048 R . . . . . .
LIC_CODE_write_0x19e517e_sub_206FD0                  ROM    00206FD0 00000048 R . . . . . .
LIC_CODE_write_0x19e5183_sub_20715C                  ROM    0020715C 00000060 R . . . . . .
LIC_CODE_write_0x19e519b_sub_207018                  ROM    00207018 0000008C R . . . . . .
LIC_CalledEverySec_sub_1A7640                        ROM    001A7640 0000043C R . . . . . .
LIC_CheckSerialUsed_helper_sub_206A16                ROM    00206A16 0000003C R . . . . . .
LIC_CheckSerialUsed_helper_sub_20A650                ROM    0020A650 0000008C R . . . . . .
LIC_CheckSerialUsed_sub_204060                       ROM    00204060 00000036 R . . . . . .
LIC_Chunk_Copy_sub_59890                             ROM    00059890 00000056 R . . . . . .
LIC_Chunk_Input_sub_5A456                            ROM    0005A456 0000008C R . . . . . .
LIC_Chunk_addChar_sub_5A364                          ROM    0005A364 000000F2 R . . . . . .
LIC_ChunksCopy_sub_134A62                            ROM    00134A62 00000116 R . . . . . .
LIC_ChunksCopy_sub_1858990                           ROM    01858990 00000056 R . . . . . .
LIC_CryptedAccess_?_sub_200362                       ROM    00200362 0000011E R . . . . . .
LIC_DECODE_?_sub_1FDD9C                              ROM    001FDD9C 0000014C R . . . . . .
LIC_DECODE_?_sub_2063DA                              ROM    002063DA 00000024 R . . . . . .
LIC_DECODE_CALC_sub_1FAFD8                           ROM    001FAFD8 000000EE R . . . . . .
LIC_DECODE_CallSubs_?_sub_2040F4                     ROM    002040F4 00000070 R . . . . . .
LIC_DECODE_WORKER_sub_1FD99C                         ROM    001FD99C 00000400 R . . . . . .
LIC_DECODE_slashonly_sub_1FBC3A                      ROM    001FBC3A 0000015A R . . . . . .
LIC_DECODE_sub_1FBD94                                ROM    001FBD94 000000FE R . . . . . .
LIC_DECODE_sub_1FBE92                                ROM    001FBE92 000000D4 R . . . . . .
LIC_DECODE_sub_203F86                                ROM    00203F86 00000026 R . . . . . .
LIC_Decode_?_sub_204440                              ROM    00204440 0000013C R . . . . . .
LIC_Decode_?_sub_204958                              ROM    00204958 000000EC R . . . . . .
LIC_DerefPTR_0x19E4AA0_sub_20617E                    ROM    0020617E 0000001E R . . . . . .
LIC_DerefPTR_0x19E4AB0_sub_20606E                    ROM    0020606E 0000001E R . . . . . .
LIC_DerefPTR_0x19E4ABC_sub_205FC8                    ROM    00205FC8 0000001E R . . . . . .
LIC_DerefPTR_0x19E4AC8_sub_205EFC                    ROM    00205EFC 0000001E R . . . . . .
LIC_DerefPTR_0x19E4AE8_sub_205F40                    ROM    00205F40 0000001E R . . . . . .
LIC_DerefPTR_0x19E4B68_sub_2053EE                    ROM    002053EE 0000001E R . . . . . .
LIC_DerefPTR_0x19E4B7C_sub_2053AA                    ROM    002053AA 0000001E R . . . . . .
LIC_Encode_Create_Strings_sub_206F0E                 ROM    00206F0E 000000C2 R . . . . . .
LIC_EvalKey_?_sub_59B90                              ROM    00059B90 00000320 R . . . . . .
LIC_GetCODEString_?_sub_1FFF44                       ROM    001FFF44 00000062 R . . . . . .
LIC_GetKeyLenSub_0x28_sub_205F84                     ROM    00205F84 0000001E R . . . . . .
LIC_GetKeyLenSub_0x4_sub_2061C2                      ROM    002061C2 0000001E R . . . . . .
LIC_HUGE_sub_200048                                  ROM    00200048 0000031A R . . . . . .
LIC_INIT_sub_1FC404                                  ROM    001FC404 000000DA R . . . . . .
LIC_INIT_sub_1FE3DA                                  ROM    001FE3DA 000001AA R . . . . . .
LIC_INIT_sub_1FE932                                  ROM    001FE932 0000004C R . . . . . .
LIC_Input_?_sub_1483D4                               ROM    001483D4 000000AA R . . . . . .
LIC_Input_JumpChunkBlocks_sub_18589E6                ROM    018589E6 00000048 R . . . . . .
LIC_KeyCheckMaxLen_sub_20400E                        ROM    0020400E 00000026 R . . . . . .
LIC_MAGICKey_Check_sub_5A152                         ROM    0005A152 000001EA R . . . . . .
LIC_MAGICKey_Check_sub_5A33C                         ROM    0005A33C 00000028 R . . . . . .
LIC_MATH_Test_lic_ptr_sub_1FB902                     ROM    001FB902 0000004A R . . . . . .
LIC_MATH_codebytes_sub_1FAE16                        ROM    001FAE16 00000096 R . . . . . .
LIC_MATH_shift_sub_1FB0C6                            ROM    001FB0C6 0000002E R . . . . . .
LIC_MATH_sub_FFA05526                                seg010 FFA05526 00000132 R . . . . . .
LIC_MATH_upd_codebytes_len_sub_1FAEAC                ROM    001FAEAC 0000005C R . . . . . .
LIC_MATH_upd_codebytes_sub_1FB94C                    ROM    001FB94C 00000100 R . . . . . .
LIC_MagicKeyProcessor_sub_2064B8                     ROM    002064B8 00000010 R . . . . . .
LIC_MagicKey_Process4bytes_sub_206E90                ROM    00206E90 0000007E R . . . . . .
LIC_OPT_Test_?_sub_205058                            ROM    00205058 0000004A R . . . . . .
LIC_ProcessKey_sub_20439A                            ROM    0020439A 000000A6 R . . . . . .
LIC_SERIAL_2ndPassScamble_sub_1FEFF0                 ROM    001FEFF0 00000246 R . . . . . .
LIC_Scamble_sub_1F7CB0                               ROM    001F7CB0 00000054 R . . . . . .
LIC_Scamble_sub_206A6E                               ROM    00206A6E 000000E8 R . . . . . .
LIC_SerialVerify_BuildCodeBytes_sub_1FF2A8           ROM    001FF2A8 000000AA R . . . . . .
LIC_SerialVerify_Clear80Bytes_WriteQwords_sub_1FEF78 ROM    001FEF78 00000078 R . . . . . .
LIC_SerialVerify_CollectCodeBytes_sub_1F9834         ROM    001F9834 00000184 R . . . . . .
LIC_SerialVerify_JT_Caller_sub_1F9144                ROM    001F9144 00000030 R . . . . . .
LIC_SerialVerify_JT_Caller_sub_1F91A4                ROM    001F91A4 0000004A R . . . . . .
LIC_SerialVerify_scramble_0x195f7f4_sub_1FF236       ROM    001FF236 00000072 R . . . . . .
LIC_SetupPtr4DECODE_sub_2042AE                       ROM    002042AE 000000EC R . . . . . .
LIC_SetupPtrs_?_sub_2064C8                           ROM    002064C8 0000011A R . . . . . .
LIC_VERIFY_sub_1FC1D6                                ROM    001FC1D6 000000F0 R . . . . . .
LIC_VERIFY_sub_1FE8CE                                ROM    001FE8CE 00000064 R . . . . . .
LIC_checkKeyLen_sub_20424C                           ROM    0020424C 00000062 R . . . . . .
LIC_check_sub_1FF5A4                                 ROM    001FF5A4 000001EC R . . . . . .
LIC_getChunkPtr_sub_18587BE                          ROM    018587BE 0000002A R . . . . . .
LIC_getChunktPtr_sub_596BE                           ROM    000596BE 0000002E R . . . . . .
LIC_getRandVal_R1_sub_5974E                          ROM    0005974E 00000014 R . . . . . .
LIC_get_0xEE0034_sub_1FB20E                          ROM    001FB20E 00000014 R . . . . . .
LIC_init_?_EE0034_sub_1FB42A                         ROM    001FB42A 00000468 R . . . . . .
LIC_shiftcodebytes_1FBAF6                            ROM    001FBAF6 00000144 R . . . . . .
LIC_struct_upd_?_sub_1FB260                          ROM    001FB260 00000088 R . . . . . .
LIC_sub_134A3A                                       ROM    00134A3A 00000028 R . . . . . .
LIC_sub_1859464                                      ROM    01859464 000000EE R . . . . . .
LIC_sub_18595E2                                      ROM    018595E2 000000DA R . . . . . .
LIC_sub_18596C0                                      ROM    018596C0 00000064 R . . . . . .
LIC_sub_1859724                                      ROM    01859724 0000009A R . . . . . .
LIC_sub_1D4478                                       ROM    001D4478 0000004A R . . . . . .
LIC_sub_1EF644                                       ROM    001EF644 0000004C R . . . . . .
LIC_sub_1F0F14                                       ROM    001F0F14 0000005C R . . . . . .
LIC_sub_1F0F94                                       ROM    001F0F94 00000032 R . . . . . .
LIC_sub_204096                                       ROM    00204096 0000005E R . . . . . .
LIC_sub_204C26                                       ROM    00204C26 0000008A R . . . . . .
LIC_sub_2051F8                                       ROM    002051F8 00000024 R . . . . . .
LIC_sub_20562E                                       ROM    0020562E 00000090 R . . . . . .
LIC_sub_206454                                       ROM    00206454 00000010 R . . . . . .
LIC_sub_597AC                                        ROM    000597AC 00000050 R . . . . . .
LIC_sub_5A4E2                                        ROM    0005A4E2 000000DE R . . . . . .
LIC_sub_5A5C0                                        ROM    0005A5C0 00000064 R . . . . . .
LIC_sub_5A624                                        ROM    0005A624 0000009E R . . . . . .
LIC_sub_5A6C2                                        ROM    0005A6C2 000000A0 R . . . . . .
LIC_sub_5A764                                        ROM    0005A764 0000005A R . . . . . .
LIC_verify_sub_1FC6D6                                ROM    001FC6D6 00000098 R . . . . . .
LIC_word_set_sub_203FAC                              ROM    00203FAC 00000062 R . . . . . .
LLIST_sub_125C9C                                     ROM    00125C9C 0000004E R . . . . . .
LLIST_sub_1475A4                                     ROM    001475A4 0000017C R . . . . . .
LOOP_?_sub_1EC826                                    ROM    001EC826 000002F8 R . . . . . .
MAIN_STARTUP_sub_FFA00000                            seg010 FFA00000 00000080 R . . . . . .
MEMCOPY_R1_to_R0_sub_FFA06B5C                        seg010 FFA06B5C 00000052 R . . . . . .
MEMCOPY_sub_F1E9C                                    ROM    000F1E9C 00000036 R . . . . . .
MEMDEPTH_sub_12609C                                  ROM    0012609C 0000032E R . . . . . .
MEMDEPTH_sub_128504                                  ROM    00128504 000000E0 R . . . . . .
MEMSET_sub_20F784                                    ROM    0020F784 0000005E R . . . . . .
MODEL_DSModelType_modify_?_sub_1D6BE2                ROM    001D6BE2 0000005E R . . . . . .
MODEL_MakeDSModelType_sub_9850A                      ROM    0009850A 00000042 R . . . . . .
MODEL_MakeDSXString_sub_F204E                        ROM    000F204E 00000056 R . . . . . .
MODEL_Make_sub_F273C                                 ROM    000F273C 000002CC R . . . . . .
MODEL_and_SERIAL_sub_9731C                           ROM    0009731C 0000005A R . . . . . .
MODEL_createModelTypeString_?_sub_F21BC              ROM    000F21BC 00000116 R . . . . . .
MODEL_getDSModelType_sub_F1DE2                       ROM    000F1DE2 00000014 R . . . . . .
MODEL_getStr_sub_18F0F4E                             ROM    018F0F4E 0000000E R . . . . . .
MODEL_getTypeID_sub_18F0EDE                          ROM    018F0EDE 00000014 R . . . . . .
MODEL_getTypeID_sub_18F0F84                          ROM    018F0F84 00000014 R . . . . . .
MODEL_getVendor_sub_18F0F72                          ROM    018F0F72 0000000E R . . . . . .
MODEL_makeDSModelType_sub_A9760                      ROM    000A9760 0000008C R . . . . . .
MODEL_retDS2XXX_sub_F1E4E                            ROM    000F1E4E 00000012 R . . . . . .
MODEL_setDSModelType_sub_F26DE                       ROM    000F26DE 0000005E R . . . . . .
MODEL_set_DSModel_Type_sub_F1E84                     ROM    000F1E84 00000018 R . . . . . .
MODEL_sub_19D5CDE                                    ROM    019D5CDE 0000005E R . . . . . .
NOTHING_sub_1CD18                                    ROM    0001CD18 0000000A R . . . . . .
OPTIONS_HUGE_JT_sub_193434A                          ROM    0193434A 00000436 R . . . . . .
OPTIONS_Installed_tst_OptionType_sub_135124          ROM    00135124 00000080 R . . . . . .
OPTIONS_ListInstalled_onKeyPress_sub_135C24          ROM    00135C24 0000007C R . . . . . .
OPTIONS_ListInstalled_sub_135098                     ROM    00135098 0000008C R . . . . . .
OPTIONS_ListInstalled_sub_135684                     ROM    00135684 000005A0 R . . . . . .
OPTIONS_ListInstalled_sub_1934194                    ROM    01934194 0000008C R . . . . . .
OPTIONS_ListInstalled_sub_1934780                    ROM    01934780 000005A0 R . . . . . .
OPTIONS_ListInstalled_sub_1934D20                    ROM    01934D20 0000007C R . . . . . .
OPTIONS_getJumpTableOffsetIDX_sub_599CA              ROM    000599CA 00000060 R . . . . . .
OPTION_Status_?_sub_F8618                            ROM    000F8618 00000014 R . . . . . .
OPT_Decode_?_sub_206464                              ROM    00206464 00000046 R . . . . . .
OPT_ModelType_sub_1D6A98                             ROM    001D6A98 0000014A R . . . . . .
OPT_get_R0_0x30_sub_20527C                           ROM    0020527C 0000001E R . . . . . .
OPT_sub_20573A                                       ROM    0020573A 0000001E R . . . . . .
OPT_sub_205A00                                       ROM    00205A00 00000048 R . . . . . .
Options_PrintMainType_?_sub_13524E                   ROM    0013524E 00000436 R . . . . . .
« Last Edit: July 18, 2013, 11:27:11 pm by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #423 on: July 18, 2013, 09:52:29 pm »
2nd part (20000 bytes is not enough ;-)

Code: [Select]
PLLDIV_sub_1B07FBC                                   ROM    01B07FBC 0000005A R . . . . . .
PLLDIV_sub_FFA001C8                                  seg010 FFA001C8 0000005A R . . . . . .
PRINT_ERR_sub_20CE14                                 ROM    0020CE14 00000054 R . . . . . .
PRINT_NoticePopup_sub_1375A4                         ROM    001375A4 0000015A R . . . . . .
PRINT_NoticePopup_sub_137894                         ROM    00137894 0000015A R . . . . . .
PRINT_Notice_sub_1376FE                              ROM    001376FE 00000130 R . . . . . .
PRINT_Notice_sub_1EF448                              ROM    001EF448 00000028 R . . . . . .
PRINT_TXT_sub_1EE642                                 ROM    001EE642 0000016E R . . . . . .
PRINT_sub_20CE68                                     ROM    0020CE68 00000054 R . . . . . .
PRINT_sub_20CEF8                                     ROM    0020CEF8 0000003A R . . . . . .
QUICKPRINT_sub_FCBCC                                 ROM    000FCBCC 00000298 R . . . . . .
R0_deref_E4E4BC_sub_F7DB0                            ROM    000F7DB0 00000014 R . . . . . .
R0_is_1_sub_20572C                                   ROM    0020572C 0000000E R . . . . . .
R0_is_ZERO_sub_21334                                 ROM    00021334 0000000C R . . . . . .
R0_is_ZERO_sub_F68B4                                 ROM    000F68B4 0000000C R . . . . . .
R0_is_ZERO_sub_FE59C                                 ROM    000FE59C 0000000C R . . . . . .
RANDOM_sub_1F9AE                                     ROM    0001F9AE 0000003C R . . . . . .
RAND_R0R1_sub_205712                                 ROM    00205712 0000001A R . . . . . .
RTS_sub_211E2C                                       ROM    00211E2C 00000002 R . . . . . .
SERIAL_?_sub_F2670                                   ROM    000F2670 0000006E R . . . . . .
SERIAL_Gen?_sub_A8B02                                ROM    000A8B02 00000062 R . . . . . .
SERIAL_Make?_sub_F1ED2                               ROM    000F1ED2 000000DC R . . . . . .
SERIAL_copytoR0_sub_F1FE4                            ROM    000F1FE4 00000020 R . . . . . .
SERIAL_getPtr_sub_F1E60                              ROM    000F1E60 00000012 R . . . . . .
SERIAL_setPtrtoGetSerialSub_sub_206632               ROM    00206632 00000028 R . . . . . .
SERIAL_sub_1A0625C                                   ROM    01A0625C 00000060 R . . . . . .
SPI_Enable_sub_980C                                  ROM    0000980C 0000001A R . . . . . .
SPI_Setup_?_sub_984A                                 ROM    0000984A 000000A4 R . . . . . .
SPI_XMIT_sub_97C6                                    ROM    000097C6 0000002C R . . . . . .
SPI_sub_1E986A                                       ROM    001E986A 000000B0 R . . . . . .
SPI_sub_97B0                                         ROM    000097B0 00000016 R . . . . . .
SPI_sub_97F2                                         ROM    000097F2 0000001A R . . . . . .
SPI_sub_98EE                                         ROM    000098EE 00000110 R . . . . . .
SPORT_Loop_sub_1EB1AE                                ROM    001EB1AE 000002DA R . . . . . .
SPORT_Setup_sub_1CBB0                                ROM    0001CBB0 0000013C R . . . . . .
SPORT_sub_1C57A                                      ROM    0001C57A 00000134 R . . . . . .
STAIR_sub_13EC34                                     ROM    0013EC34 000007F0 R . . . . . .
STAIR_sub_193DD30                                    ROM    0193DD30 000007F0 R . . . . . .
STRCAT_R1_to_R0_sub_20F9D4                           ROM    0020F9D4 00000032 R . . . . . .
STRCAT_sub_1A0EAD4                                   ROM    01A0EAD4 00000034 R . . . . . .
STRCMP_sub_20FA20                                    ROM    0020FA20 00000072 R . . . . . .
STRING_?_sub_20FB20                                  ROM    0020FB20 00000036 R . . . . . .
SoftBUTTON_R_SetCallbacks_sub_1A80BC                 ROM    001A80BC 000023E6 R . . . . . .
SoftButton_R_APPLY_sub_1D4556                        ROM    001D4556 00000056 R . . . . . .
SoftButton_R_BACKSPACE_sub_1D44C2                    ROM    001D44C2 0000004A R . . . . . .
SoftButton_R_CLEAR_sub_1D450C                        ROM    001D450C 0000004A R . . . . . .
SoftButton_Setup_sub_1D493E                          ROM    001D493E 0000004E R . . . . . .
TIMEDATE_GetStr_sub_20F30C                           ROM    0020F30C 00000064 R . . . . . .
TIMEDATE_GetString_unknown_libname_416               ROM    0020F3DC 00000012 R . L . . . .
TIMER0_PWM_Enable_sub_1FD0E4C                        ROM    01FD0E4C 0000007C R . . . . . .
TIMER0_sub_181E9AE                                   ROM    0181E9AE 000000B8 R . . . . . .
TIMER0_sub_1F8B2                                     ROM    0001F8B2 000000C4 R . . . . . .
TIMER_Setup_sub_181E94C                              ROM    0181E94C 00000056 R . . . . . .
TIMER_Setup_sub_1F85C                                ROM    0001F85C 00000056 R . . . . . .
TWI_RECV_sub_DEA8                                    ROM    0000DEA8 000000AA R . . . . . .
TWI_XMIT_R0_sub_1FC1E                                ROM    0001FC1E 00000018 R . . . . . .
TWI_XMIT_sub_D99A                                    ROM    0000D99A 00000064 R . . . . . .
TWI_XMIT_sub_DFBA                                    ROM    0000DFBA 00000084 R . . . . . .
TWI_sub_181EC72                                      ROM    0181EC72 0000009C R . . . . . .
TWI_sub_1FB14                                        ROM    0001FB14 0000006E R . . . . . .
TWI_sub_1FB82                                        ROM    0001FB82 0000009C R . . . . . .
TWI_sub_1FC36                                        ROM    0001FC36 0000001E R . . . . . .
TWI_sub_1FC54                                        ROM    0001FC54 0000001E R . . . . . .
TWI_sub_1FCB6                                        ROM    0001FCB6 00000018 R . . . . . .
TWI_sub_1FCCE                                        ROM    0001FCCE 00000026 R . . . . . .
TWI_sub_1FCF4                                        ROM    0001FCF4 00000026 R . . . . . .
TWI_sub_DBA0                                         ROM    0000DBA0 0000003E R . . . . . .
TWI_sub_DC04                                         ROM    0000DC04 000000D0 R . . . . . .
VERSION_Set_sub_192A74          ROM    00192A74 00000016 R . . . . . .
VER_MODEL_?_sub_21614           ROM    00021614 00000046 R . . . . . .
__Assert                        ROM    0020FCE8 00000040 R . L . . . .
__Assert_0                      ROM    01A0EDE8 00000040 R . L . . . .
__Getmem                        ROM    002106F8 00000020 R . L . . . .
__Getmem_0                      ROM    01A0F7F8 00000020 R . L . . . .
__Getmem_1                      ROM    01FE8C3C 00000020 R . L . . . .
__calloc_sub_FFA03314           seg010 FFA03314 0000008C R . . . . . .
__heap_calloc                   ROM    0020FD28 0000002C R . L . . . .
__heap_calloc_0                 ROM    01A0EE28 0000002A R . L . . . .
_div32__sub_FFA05338            seg010 FFA05338 00000082 R . . . . . .
_divrem_u32_sub_FFA054A8        seg010 FFA054A8 0000007E R . . . . . .
_localtime                      ROM    0020F5F0 00000016 R . L . . . .
_localtime_0                    ROM    01A0E6F0 00000016 R . L . . . .
_lshftli_sub_FFA06114           seg010 FFA06114 00000030 R . . . . . .
_mul64_sub_FFA061E4             seg010 FFA061E4 0000003C R . . . . . .
_rem_s32_sub_FFA066D8           seg010 FFA066D8 0000007A R . . . . . .
_remu32_sub_FFA067CC            seg010 FFA067CC 00000066 R . . . . . .
_strchr                         ROM    0020FA08 00000016 R . L . . . .
_strchr_0                       ROM    01A0EB08 00000016 R . L . . . .
_strchr_1                       ROM    01FE8ACC 00000016 R . L . . . .
_strcpy_0                       ROM    01A0EB94 0000000C R . L . . . .
_strcpy_1                       ROM    01FE8AE4 0000000E R . L . . . .
_strcpy_R1_to_R0                ROM    0020FA94 0000000E R . L . . . .
_strrchr                        ROM    0020FBE8 00000016 R . L . . . .
_strrchr_0                      ROM    01A0ECE8 00000014 R . L . . . .
_strtol                         ROM    00211228 00000012 R . L . . . .
_strtol_0                       ROM    002113E8 00000012 R . L . . . .
_strtol_1                       ROM    002117A6 00000012 R . L . . . .
_strtol_2                       ROM    01A10328 00000012 R . L . . . .
_strtol_3                       ROM    01A104E8 00000012 R . L . . . .
_strtol_4                       ROM    01A108A6 00000012 R . L . . . .
_time                           ROM    0020FCD8 0000000E R . L . . . .
_time_0                         ROM    01A0EDD8 0000000E R . L . . . .
_udiv32_sub_FFA053BC            seg010 FFA053BC 00000068 R . . . . . .
deref_0x19E4A98_sub_20620C      ROM    0020620C 0000001E R . . . . . .
deref_0xEA0428_sub_DEA74        ROM    000DEA74 00000014 R . . . . . .
deref_EE0094_sub_205240         ROM    00205240 0000000E R . L . . . .
deref_EE0094_sub_205268         ROM    00205268 00000014 R . . . . . .
deref_R0_AND_0x7FFF_sub_1FAFBE  ROM    001FAFBE 0000001A R . . . . . .
deref_R0_sub_20503A             ROM    0020503A 0000001E R . . . . . .
getRIGOL_TECHNOLOGIES_sub_F1E72 ROM    000F1E72 00000012 R . . . . . .
get_E_S_sub_192AB6              ROM    00192AB6 00000016 R . . . . . .
heapCALLOC_sub_1A0E4C8          ROM    01A0E4C8 00000014 R . L . . . .
« Last Edit: July 18, 2013, 09:55:02 pm by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline docmandu

  • Contributor
  • Posts: 17
Re: Sniffing the Rigol's internal I2C bus
« Reply #424 on: July 19, 2013, 08:10:16 pm »
Does it? Only had a very quick look at it. It seemed to be using a pseudo number generator, albeit seeded with a 9 digit number in the example code from MIRACL.
Anyway if they used a proper one, then the only options are a buffer overrun somewhere or directly patching the firmware.

That ecsgen command in the MIRACL toolkit does always generate the same key when you feed it the same seed. I really wonder if Rigol this code as-is (and maybe it was this toolkit that sony also used?! )

Anyway found a nice and understandable explanation of Elliptic Curve and the Sony / rand() exploit:
  http://www.johannes-bauer.com/compsci/ecc/

Worth a read for people who are into this stuff.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf