The Rigol DS1052E
Mark_O:

--- Quote from: rf-loop on March 30, 2010, 01:56:42 pm ---(Also, I do not believe that this hack was first known outside China. ;)
..... but maybe they do not have such open mouths...)

--- End quote ---

I agree.

Everyone here seems to want to publicize this in the most public way possible.  Even flaunting it in "reviews" on the Hong Kong websites, with links back to here.  Thus forcing Rigol to take action.  There are lots of things they could do, but I'm not going to enumerate them here, because I don't want to give them any good ideas.  (I work on embedded systems.)

I can understand sharing the good fortune with others, that came from Rigol "leaving the back door open".  Security through obscurity (undocumented commands) is never a good idea.  And many could have benefitted (even Rigol).  But I'm not sure why so many are hell bent on turning this into a "Once upon a time..." story, as soon as possible.  It just seems very immature to me.

- Mark
darkith:

--- Quote from: Simon on March 30, 2010, 05:01:24 pm ---I would think all known 1102 serials have been blocked in the new versions. It is obvious that Rigol saw this thread and other mentions on the net pretty quickly, and I'm sure blocking this hack was simple: just remove the model changing commands from the command set. Clearly this was an easy way of choosing later what the scope would be; now they probably have to flash two different versions of the firmware to the scopes to make the choice, i.e. it is probably now hard coded. Perhaps copying the firmware of a 1102 to a 1052 would get around that, but then they could put something in like the BIOS to prevent it being accepted. Surely at some point a new hack will be found, but it will be a case of how far one is willing to go to carry out the mod.

--- End quote ---

Mmm.  Possibly.  But rf-loop's message seems to suggest that the commands would run, but they just wouldn't "stick".  He said that the serial number sometimes changed, but the model reverted to 1052 or got glitchy, which sounds like previous experiences where people who were inputting the commands in the opposite order didn't get them in correctly and the firmware didn't like the mismatched model config.

I don't know if they'd waste flash space with a list of blacklisted serials... they might change the algorithm (which may be what happened) or just lock out the capability, either removing the commands entirely or making them "one-time" use only, so that they'd still only need one firmware, and just program them whichever way.

I wonder if perhaps the "model check" based upon the serial number was more sophisticated than just checking the one digit out of the prefix, and newer scopes with a different prefix need more than one character changed?  That's why I'm wondering if the older style serials would work, if as rf-loop suggested it's just a running change and not an actual countermeasure.  

If they did change the verification algorithm, it could be an interesting headache. That would make upgrading existing scopes (hacked or not) tricky/impossible.  And I wonder if the old firmware could be flashed onto these newer scopes.  I'm sure the dedicated "re-badgers" would work quite hard at restoring this capability (though they would probably keep it secret again).

Ahh well, all speculation.  Though it does make me very curious...  :)

D.
Mark_O:

--- Quote from: darkith on March 30, 2010, 12:08:56 pm ---
--- Quote from: anli on March 30, 2010, 11:52:22 am ---Can anybody suggest a hint where to dig in the hack for other RIGOL model series (DS1022C in my case)? I have tried the same commands, but, say, :INFO:MODEL? returns nothing, and :IO:TEST someText doesn't echo. The connection is OK (say, *IDN? and :INFO:SERIAL? do work).

--- End quote ---

This was all made possible by the "hidden commands" that "mxmxmx" found in the DS1000E firmware (see http://www.rcgroups.com/forums/showthread.php?t=663958&page=49#post13549739)

It sounds like he parsed through a firmware file for the acceptable commands, either by just searching for strings or by actually disassembling the binary.  You could try that, but there's no guarantee that the DS1000C series used the same method to select the model, i.e. it could have been done in hardware instead.

--- End quote ---

Anli,

"Can anybody suggest a hint".  mxmxmx found the undocumented commands using a simple string search utility.  I've done the same thing myself.  It's not very hard.

Unfortunately for you, those commands do not exist in the earlier C-series Rigols.  That was a "clever" addition they made to the E and D-series units.  There is no command to either read out or write in a MODEL string on your (older) unit.  So you're not going to turn lead into gold with a SCPI command.  Sorry.

- Mark
Mark_O:

--- Quote from: Simon on March 30, 2010, 05:01:24 pm ---I would think all known 1102 serials have been blocked in the new versions
--- End quote ---

You might think that, but you'd be wrong.


--- Quote ---I'm sure blocking this hack was simple: just remove the model changing commands from the command set
--- End quote ---

And wrong again.  No need to remove any commands.


--- Quote ---they probably have to flash two different versions of the firmware to the scopes to make the choice, i.e. it is probably now hard coded.
--- End quote ---

Nope.


--- Quote ---Perhaps copying the firmware of a 1102 to a 1052 would get around that
--- End quote ---

Nope.  (That info isn't stored in the firmware.)


--- Quote ---surely at some point a new hack will be found, but it will be a case of how far one is willing to go to carry out the mod
--- End quote ---

Maybe.  But certainly not "surely".

- Mark
Simon:

--- Quote from: Mark_O on March 30, 2010, 06:23:32 pm ---
--- Quote from: Simon on March 30, 2010, 05:01:24 pm ---I would think all known 1102 serials have been blocked in the new versions
--- End quote ---

You might think that, but you'd be wrong.


--- Quote ---I'm sure blocking this hack was simple: just remove the model changing commands from the command set
--- End quote ---

And wrong again.  No need to remove any commands.


--- Quote ---they probably have to flash two different versions of the firmware to the scopes to make the choice, i.e. it is probably now hard coded.
--- End quote ---

Nope.


--- Quote ---Perhaps copying the firmware of a 1102 to a 1052 would get around that
--- End quote ---

Nope.  (That info isn't stored in the firmware.)


--- Quote ---surely at some point a new hack will be found, but it will be a case of how far one is willing to go to carry out the mod
--- End quote ---

Maybe.  But certainly not "surely".

- Mark


--- End quote ---

I'm not a software expert, but I can see how easy the mod was (even I managed it). I'm sure Rigol can come up with something more substantial if they put their minds to it.