Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1217901 times)

0 Members and 4 Guests are viewing this topic.

Offline Uup

  • Regular Contributor
  • *
  • Posts: 70
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #600 on: July 24, 2013, 12:48:20 AM »
However, some of the zip files are corrupt... (dstool.zip, RiGen-1.zip, ScopeCommander.zip)

no, they not

Really?  :-//

I just tried again now, from a different computer this time as well. Same result, get an 'unexpected error in archive' message when trying to unzip those files.
Ununpentium
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #601 on: July 24, 2013, 12:51:06 AM »
Here is optimized signing function with all necessary checks for valid signature generation:

Code: [Select]
char private_key[] = "8..."; <-- fill with valid key
char prime1[] = "AEBF94CEE3E707";
char prime2[] = "AEBF94D5C6AA71";
char curve_a[] = "2982";
char curve_b[] = "3408";
char point1[] = "7A3E808599A525";
char point2[] = "28BE7FAFD2A052";

void ecssign(char *serial, char *options, char *lic1, char *lic2)
{
    mirsys(800, 16)->IOBASE = 16;

    sha sha1;
    shs_init(&sha1);
    char *ptr = serial;
    while(*ptr) shs_process(&sha1, *ptr++);
    ptr = options;
    while(*ptr) shs_process(&sha1, *ptr++);
    char h[20];
    shs_hash(&sha1, h);
    big hash = mirvar(0);
    bytes_to_big(20, h, hash);

    big a = mirvar(0);  instr(a, curve_a);
    big b = mirvar(0);  instr(b, curve_b);
    big p = mirvar(0);  instr(p, prime1);
    big q = mirvar(0);  instr(q, prime2);
    big Gx = mirvar(0); instr(Gx, point1);
    big Gy = mirvar(0); instr(Gy, point2);
    big d = mirvar(0);  instr(d, private_key);
    big k = mirvar(0);
    big r = mirvar(0);
    big s = mirvar(0);
    big k1 = mirvar(0);
    big zero = mirvar(0);

    big f1 = mirvar(17);
    big f2 = mirvar(53);
    big f3 = mirvar(905461);
    big f4 = mirvar(60291817);

    epoint *G = epoint_init();
    epoint *kG = epoint_init();
    ecurve_init(a, b, p, MR_PROJECTIVE);
    epoint_set(Gx, Gy, 0, G);

    for(;;)
    {
        incr(k, 1, k);

        if(divisible(k, f1) || divisible(k, f2) || divisible(k, f3) || divisible(k, f4))
            continue;

        ecurve_mult(k, G, kG);
        epoint_get(kG, r, r);
        divide(r, q, q);
       
        if(mr_compare(r, zero) == 0)
            continue;

        xgcd(k, q, k1, k1, k1);
        mad(d, r, hash, q, q, s);
        mad(s, k1, k1, q, q, s);

        if(!divisible(s, f1) && !divisible(s, f2) && !divisible(s, f3) && !divisible(s, f4))
            break;
    }

    cotstr(r, lic1);
    cotstr(s, lic2);
}
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 246
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #602 on: July 24, 2013, 12:53:30 AM »
Wow, I haven't been following this post, but it looks like it might be awesome! So has there been a key generator built for the DSA815? Or does this only work with the DS2000 oscilloscopes?

As of right now there is no implemetion for the DSA815. But I am working on it

do you see the ECC parameters in the DSA firmware ? in gel DS2 GEL file its as easy as "strings file|grep ..."
ps: the algo that takes the license string input and converts it to HEX - is more capable than the way its used on the DS2 ... e.g. all kinds of special chars - but i only implemented /reversed what i saw being used by the DS2k.
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline synapsis

  • Regular Contributor
  • *
  • Posts: 139
  • Country: us
    • Blackcow
Re: Sniffing the Rigol's internal I2C bus
« Reply #603 on: July 24, 2013, 12:57:28 AM »
To help some people out, the MD5 for the Windows app I released (RiGen-1.zip) is:

e5165fee6155ceb9d8cae6176acf4c37
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #604 on: July 24, 2013, 01:29:21 AM »
Here is my current state. There are a few checks and simplifications. For me it works perfectly. Still missing something?

Code: [Select]
    [...]
    if (r==0) fail=1;
    if (s==0) fail=1;
    [...]

This check won't work - r and s are pointers, so this code checks whether they are NULLs, but doesn't check if their values are equal to zero
 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #605 on: July 24, 2013, 01:44:22 AM »
Wow, I haven't been following this post, but it looks like it might be awesome! So has there been a key generator built for the DSA815? Or does this only work with the DS2000 oscilloscopes?

As of right now there is no implemetion for the DSA815. But I am working on it

do you see the ECC parameters in the DSA firmware ? in gel DS2 GEL file its as easy as "strings file|grep ..."
ps: the algo that takes the license string input and converts it to HEX - is more capable than the way its used on the DS2 ... e.g. all kinds of special chars - but i only implemented /reversed what i saw being used by the DS2k.

That is the point. I can not find them. Also on thwe dsa815 the updatefile is not a gel file it is a sys file that will not load in ida with the gel-plugin.

One thing i did find is that the option is marked as 000# and if i use the segments from the key that i have i get aaab
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 997
Re: Sniffing the Rigol's internal I2C bus
« Reply #606 on: July 24, 2013, 01:54:37 AM »
Quote
you see the ECC parameters in the DSA firmware ? in gel DS2 GEL file its as easy as "strings file|grep ..."
ps: the algo that takes the license string input and converts it to HEX - is more capable than the way its used on the DS2 ... e.g. all kinds of special chars - but i only implemented /reversed what i saw being used by the DS2k.

What do these parameters look like (example)? What are you grepping for? Could viewing the .sys file in a hex editor be the key to this one?
 

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 642
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #607 on: July 24, 2013, 02:04:09 AM »
Really?  :-//

I just tried again now, from a different computer this time as well. Same result, get an 'unexpected error in archive' message when trying to unzip those files.
Pretty sure you're doing something wrong:

Code: [Select]
$> md5sum RiGen-1.zip
e5165fee6155ceb9d8cae6176acf4c37  RiGen-1.zip
$> unzip -t RiGen-1.zip
Archive:  RiGen-1.zip
    testing: dotNetFx40_Full_setup.exe   OK
    testing: miracl.lib               OK
    testing: msvcp100.dll             OK
    testing: msvcr100.dll             OK
    testing: RiGen.exe                OK
No errors detected in compressed data of RiGen-1.zip.
73 de VE7XEN
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #608 on: July 24, 2013, 02:04:34 AM »
Here is my current state. There are a few checks and simplifications. For me it works perfectly. Still missing something?

Code: [Select]
    [...]
    xgcd(k,q,k,k,k);
    [...]
      if (divisible(k, tmp)) fail=1;
    [...]

There is another problem - original value of k gets destroyed during xgcd(...) call, so divisibility check should be done before this call (take a look at my code a few posts above).
 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #609 on: July 24, 2013, 02:30:55 AM »
Quote
you see the ECC parameters in the DSA firmware ? in gel DS2 GEL file its as easy as "strings file|grep ..."
ps: the algo that takes the license string input and converts it to HEX - is more capable than the way its used on the DS2 ... e.g. all kinds of special chars - but i only implemented /reversed what i saw being used by the DS2k.

What do these parameters look like (example)? What are you grepping for? Could viewing the .sys file in a hex editor be the key to this one?

I did just that i opend the sys file in a hex editor and did a serch for the keys that are used  in the ds20000 with no result. One  thing that is poitive is that the mcu is the same
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 261
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #610 on: July 24, 2013, 02:47:05 AM »
Quote
you see the ECC parameters in the DSA firmware ? in gel DS2 GEL file its as easy as "strings file|grep ..."
ps: the algo that takes the license string input and converts it to HEX - is more capable than the way its used on the DS2 ... e.g. all kinds of special chars - but i only implemented /reversed what i saw being used by the DS2k.

What do these parameters look like (example)? What are you grepping for? Could viewing the .sys file in a hex editor be the key to this one?

I did just that i opend the sys file in a hex editor and did a serch for the keys that are used  in the ds20000 with no result. One  thing that is poitive is that the mcu is the same
If you boot the DSA815 it says "decompressing...".
Maybe the sys file is compressed ?
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 997
Re: Sniffing the Rigol's internal I2C bus
« Reply #611 on: July 24, 2013, 02:56:53 AM »
Quote
I did just that i opend the sys file in a hex editor and did a serch for the keys that are used  in the ds20000 with no result. One  thing that is poitive is that the mcu is the same

If the .sys file is just the firmware, perhaps hooking said MCU up to a JTAG debugger and downloading the firmware that way would help. I'm look to see if there is anything I can figure out when I get home; I would really like to see this get hacked
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 246
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #612 on: July 24, 2013, 02:59:20 AM »
if somebody wants me to have a look send me such a file ;-) - DS2 fw contains for example the zlib inflate/deflate algo - but there it only seems to be used by the PNG image format.
jtag is definitly the way to go anyway because it eases the process so much. i recommend 20$ amontec jtag key tiny - best invest ;)


___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 261
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #613 on: July 24, 2013, 03:17:51 AM »
DSA815, V1.07
 

studio25

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #614 on: July 24, 2013, 04:45:28 AM »
@zombie28
Thank you for your feedback. I slept in 48h only 6h. Now I see clearly what crap I've written.
 

Offline true

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #615 on: July 24, 2013, 05:33:08 AM »
Here is optimized signing function with all necessary checks for valid signature generation:
That's a bit cleaner, but we're getting to the point of absurdity now, the thing works and is faster than it needs to be. Still, I'll put this in my updated copy, thanks.
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 1633
Re: Sniffing the Rigol's internal I2C bus
« Reply #616 on: July 24, 2013, 05:50:46 AM »
I found this document about clearing/cleaning memory on various Rigol scopes:

http://www.tequipment.net/ProductImages/Rigol/DS1302CA/media/DS1302CA_doc_7.pdf

It mentioned a security clear to clear the NOR FLASH 16MB - I wonder if this could possibly help people with the mangled serial number.  Not likely I realize, but I'll bet that S/N is stored in the NOR FLASH 16MB in some sort of configuration file...
 

Offline CodyShaw

  • Contributor
  • Posts: 44
  • Country: ca
    • My Blog!
Re: Sniffing the Rigol's internal I2C bus
« Reply #617 on: July 24, 2013, 06:09:00 AM »
So, what are the downsides to using the keygen (2072)? Are there issues on what FW version it works best on, and reverting is not working as of current, or is it all clear for use for new people?
Candidate for Bachelor of Applied Science, Electrical Engineering, University of Waterloo, Waterloo, ON, Sept. 2011 – Present
3A Electrical Engineering
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 246
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #618 on: July 24, 2013, 06:22:06 AM »
attached you will find a FLAIR signature file for IDA pro (you need kraters bfin plugin !) -  it contains around 300 subs that i reversed, (un)fortunately no comments got exported so you are spared by my comments ;-) but it should give a pretty clear indication of MIRACL, Bootloader, USB, the whole ADI stuff, some TWI, SPI routines.

I've tried it with a FW02 file, it gives some results - the blackfin GEL loader is buggy i have to say that, something is not right with the address fixup - so if someone wants to seriously do this i strongly suggest you do a JTAG memory dump - the match rate should then be 100% and u dont have any dead references. for the DG4000 firmware the loader format is slightly different i patched the blackfin loader and i can import it, *but* i will stay put until i get a JTAG memory dump due to above issues. (it is much easier with a memory dump)

i also looked at the DSA file for a couple of hours, not much luck - so far i didnt spot any hidden packed formats, nor any header that looks familiar - i even ran the file completely as it is and ROT13 (they are not *that* stupid ;-) through a disasm, except tons of ILLEGAL opcodes nothing - only thing left thats doable is maybe a filesystem image hidden in there - but binwalk found nothing - so it is packed, crypted etc somehow - im not a DSA owner, but if i were one i would leave the file alone, and do a JTAG dump as well - i saw in daves teardown pics there is a jtag port next to the blackfin - so that should be no issue.

___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 1633
Re: Sniffing the Rigol's internal I2C bus
« Reply #619 on: July 24, 2013, 06:46:20 AM »
So, what are the downsides to using the keygen (2072)? Are there issues on what FW version it works best on, and reverting is not working as of current, or is it all clear for use for new people?

Some people have experienced a mangled S/N with it changing from 13 digits to a 14 digit that ends in 0001, but I think these are people who tried bandwidth options on the FW 05.

I can tell you that on the latest firmware FW 02 (00.01.01.00.02) that my experience is that a DSAZ code will install without any issues or changes to the S/N and also that you can even uninstall it with the USB SCPI uninstall command and completely go back to stock.
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 261
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #620 on: July 24, 2013, 06:56:57 AM »
I found this document about clearing/cleaning memory on various Rigol scopes:

http://www.tequipment.net/ProductImages/Rigol/DS1302CA/media/DS1302CA_doc_7.pdf

It mentioned a security clear to clear the NOR FLASH 16MB - I wonder if this could possibly help people with the mangled serial number.  Not likely I realize, but I'll bet that S/N is stored in the NOR FLASH 16MB in some sort of configuration file...
Declassification, or clearing test equipment is probably a mandatory thing in the USA. You see this also on Tektronix, Agilent and Fluke equipment. Every vendor has some sort of document to describe how the secret DMM values can (must) be cleared if the thing leaves the office or premises of the CIA :)

On the Scope is does only clear the stored stuff, and hopefully not the serial number, but you never know with RIGOL  :)
 

Offline M. András

  • Super Contributor
  • ***
  • Posts: 1016
  • Country: hu
Re: Sniffing the Rigol's internal I2C bus
« Reply #621 on: July 24, 2013, 07:01:02 AM »
hahh according to that pdf file it have 3 damn 32MB ddr2 memory for aquisition, is that sooo expensive to stick a simple pc memory card in the scope for this purpose? and it costs hundreds of dollar premium? :palm:
 

Offline CodyShaw

  • Contributor
  • Posts: 44
  • Country: ca
    • My Blog!
Re: Sniffing the Rigol's internal I2C bus
« Reply #622 on: July 24, 2013, 07:07:17 AM »
So, what are the downsides to using the keygen (2072)? Are there issues on what FW version it works best on, and reverting is not working as of current, or is it all clear for use for new people?

Some people have experienced a mangled S/N with it changing from 13 digits to a 14 digit that ends in 0001, but I think these are people who tried bandwidth options on the FW 05.

I can tell you that on the latest firmware FW 02 (00.01.01.00.02) that my experience is that a DSAZ code will install without any issues or changes to the S/N and also that you can even uninstall it with the USB SCPI uninstall command and completely go back to stock.

So what can't the keygen unlock? Is it limited to bandwidth?

Or will the keygen unlock the bandwidth too, as long as you weren't messing around trying to get at it in FW 05?
Candidate for Bachelor of Applied Science, Electrical Engineering, University of Waterloo, Waterloo, ON, Sept. 2011 – Present
3A Electrical Engineering
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2986
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #623 on: July 24, 2013, 07:09:06 AM »
hahh according to that pdf file it have 3 damn 32MB ddr2 memory for aquisition, is that sooo expensive to stick a simple pc memory card in the scope for this purpose? and it costs hundreds of dollar premium? :palm:

32MB x 16 bits - so 3x 64MB x 8 bits.
 

Offline mickpah

  • Regular Contributor
  • *
  • Posts: 148
  • Country: au
    • Yeti Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #624 on: July 24, 2013, 07:20:24 AM »

jtag is definitly the way to go anyway because it eases the process so much. i recommend 20$ amontec jtag key tiny - best invest ;)

seems a nice little jtag, price is good. Pity they can't find a better shipping solution even the cheapest, slowest shipping to the southern hemisphere is 33 euro - for a 45 gram pcb ??? I hate when suppliers do this
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf

 

http://opalkelly.com/