Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1839749 times)

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #2375 on: January 08, 2014, 07:55:53 pm »
How do I calculate the Y coordinate of the public key from its X coordinate, given the ECC curve parameters, base point and order?

Code: [Select]
#include <stdio.h>
#include <stdlib.h>
#include "miracl.h"   /* MIRACL big-number / elliptic-curve library */

/* Hex strings for the curve y^2 = x^3 + a*x + b over GF(p) and for the
 * x coordinate of the (compressed) public key. They are supplied elsewhere;
 * the post does not include their values. */
extern const char A[], B[], P[], ECCPublicKey[];

int main(void)
{
    /* 0x320 digits in base 16; read and write numbers as hex strings */
    miracl *mip = mirsys(0x320, 16);
    mip->IOBASE = 16;

    big a = mirvar(0);
    big b = mirvar(0);
    big p = mirvar(0);
    big x = mirvar(0);
    big y = mirvar(0);

    instr(a, (char *)A);
    instr(b, (char *)B);
    instr(p, (char *)P);

    ecurve_init(a, b, p, MR_PROJECTIVE);
    instr(x, (char *)ECCPublicKey);

    epoint *point = epoint_init();

    /* Passing the same big for x and y makes epoint_set decompress the point:
     * it solves y^2 = x^3 + a*x + b for y and picks the root whose least
     * significant bit equals the third argument (1 here). It returns FALSE
     * when the right-hand side has no square root mod p, i.e. no point on
     * the curve has this x. */
    if (!epoint_set(x, x, 1, point))
    {
        printf("ERR: Public key is invalid\n");
        exit(-1);
    }

    epoint_get(point, x, y);   /* affine coordinates back into x and y */
    cotnum(y, stdout);         /* print y as a hex string */

    epoint_free(point);
    mirkill(a); mirkill(b); mirkill(p); mirkill(x); mirkill(y);
    mirexit();
    return 0;
}
« Last Edit: January 08, 2014, 08:02:18 pm by zombie28 »
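The decompression step that the MIRACL call above performs, written out in pure Python as an added example (it is not code from the thread or from Rigol's firmware): solve y^2 = x^3 + a*x + b mod p for y with a modular square root, then pick the root whose least significant bit matches the `cb` argument of `epoint_set`, and report failure when the right-hand side is a non-residue. The curves used are constructed textbook curves over GF(23) and GF(17); Rigol's real curve parameters are not reproduced in the thread and are not assumed here. `decompress_hex` mirrors the post's flow of reading hex strings (IOBASE = 16) and printing y as hex, and works unchanged for a real-size field such as a 56-bit p.

```python
# Added example, not code from the thread. Pure-Python point decompression on a
# short Weierstrass curve y^2 = x^3 + a*x + b over GF(p): the same operation
# MIRACL's epoint_set(x, x, cb, point) performs when given x for both
# coordinates. The curves used below are constructed textbook curves; Rigol's
# actual curve parameters are not reproduced in the thread and are not here.

def legendre(v, p):
    """Euler's criterion: 1 if v is a nonzero square mod p, p-1 if not, 0 if v == 0."""
    return pow(v % p, (p - 1) // 2, p)

def mod_sqrt(v, p):
    """Square root of v modulo an odd prime p (Tonelli-Shanks).
    Returns one root r (the other is p - r) or None if v is a non-residue."""
    v %= p
    if v == 0:
        return 0
    if legendre(v, p) != 1:
        return None
    if p % 4 == 3:                       # shortcut valid for any p = 3 (mod 4)
        return pow(v, (p + 1) // 4, p)
    q, s = p - 1, 0                      # write p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                                # any quadratic non-residue will do
    while legendre(z, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(v, q, p), pow(v, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                   # least i with t^(2^i) == 1
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def is_on_curve(x, y, a, b, p):
    """True if (x, y) satisfies y^2 = x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + a * x + b)) % p == 0

def decompress(x, y_lsb, a, b, p):
    """Recover (x, y) from x and the parity of y, the 'cb' argument of epoint_set.
    Returns None when x^3 + a*x + b is a non-residue, i.e. no point on the
    curve has this x; that is the branch the post reports as 'Public key is invalid'."""
    rhs = (x * x * x + a * x + b) % p
    y = mod_sqrt(rhs, p)
    if y is None:
        return None
    if y != 0 and (y & 1) != (y_lsb & 1):  # p is odd, so p - y flips the parity
        y = p - y
    return (x, y)

def decompress_hex(a_hex, b_hex, p_hex, x_hex, y_lsb=1):
    """Mirror of the post's flow: hex strings in (IOBASE = 16), y out as hex,
    or None for an x that is not on the curve."""
    a, b, p, x = (int(s, 16) for s in (a_hex, b_hex, p_hex, x_hex))
    point = decompress(x, y_lsb, a, b, p)
    return None if point is None else format(point[1], "X")

if __name__ == "__main__":
    # Constructed curve y^2 = x^3 + x + 1 over GF(23); 0x17 == 23.
    print(decompress_hex("1", "1", "17", "1", 1))   # x = 1 has y = 7
    print(decompress_hex("1", "1", "17", "2", 1))   # no point has x = 2
```

The parity bit is what disambiguates the two roots y and p - y; a compressed key that carries only x without that bit is recoverable only up to sign, which is why the MIRACL call in the post has to pass an explicit 0 or 1.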
 

Offline battlefield

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus
« Reply #2376 on: January 08, 2014, 08:14:35 pm »
I will get you another memory dump; I just need to wait for my JTAG programmer to arrive (I will get it for a few € from a friend :D) and read this forum a bit to get the instructions for making the memory dumps.
 

Offline cidcorp

  • Supporter
  • ****
  • Posts: 105
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #2377 on: January 08, 2014, 11:35:25 pm »

This is not totally related to the thread, but the question relates to the options for licenses on the Rigol scopes.

So (and I apologize in advance if this has already been covered in the thread), assuming that the software utilities that aren't free, like Ultra Power Analyzer (online version), have to have keys that are linked to the equipment that will use them: would the equipment options that are undefined (I thought there were some unlocks that no one knew what they 'unlocked') be the keys for unlocking those pieces of software, or (wow, this is a long question :blah:) are they unlocked for ANY equipment when you do?

I don't know if anyone actually understands what I'm trying to ask, but would a person with two DS2000 scopes and an unlocked version of Ultra Power Analyzer be able to use the software with both scopes (or is it serial-number locked)?

Just asking because the license keys are in exactly the same format, or at least appear to be.

Chris
 

Offline tirulerbach

  • Contributor
  • Posts: 33
Re: Sniffing the Rigol's internal I2C bus
« Reply #2378 on: January 09, 2014, 12:09:58 am »
Code: [Select]
if (!epoint_set(x, x, 1, point))

Thanks again and again zombie28. You helped me a lot! Thank you!  :-+

So I learned about ECC point decompression and the result is: ;D

Code: [Select]
$ time ./ecc-smash A05810........
5BCEE4........

real    0m0.076s
user    0m0.072s
sys     0m0.004s



I can create definitions for those functions tomorrow. I'll be using C++, so let me know if that's a problem for you.

Normally I would stick to C, but what the heck: any help is appreciated! You are welcome. I'm looking forward to your code.  :-+

Btw.: You provided a memory dump of your scope? You should check your PM...   ;)
 

Offline dr.diesel

  • Super Contributor
  • ***
  • Posts: 2214
  • Country: us
  • Cramming the magic smoke back in...
Re: Sniffing the Rigol's internal I2C bus
« Reply #2379 on: January 09, 2014, 01:40:14 am »
It appears a firmware update is available for the DSA815; has anyone tried it with hacks installed?

DSA815 FW-Version: 00.01.08

Offline sled

  • Contributor
  • Posts: 21
  • Country: ch
Re: Sniffing the Rigol's internal I2C bus
« Reply #2380 on: January 09, 2014, 06:48:56 am »
I have implemented your interface in ANSI C, with a Makefile and some basic tests (copy the 0x00000000-0x01ffffff_dram.bin into the same folder to extract the keys).

The only thing that is missing is the descrambling of the public key, but I've added an empty method for it `void DescramblePublicKey(uint8_t bytes[8]);`

The only thing I'm confused about is whether the public key is 7 or 8 bytes long, because we read an 8-byte sequence from the dump file, but in your examples the hex string has only 7 bytes.

Have fun and keep us updated  :-DD


Output when running the compiled test binary should look like:

Code: [Select]
--- FormatHex RC5Key1:
4155BFD82D429EA69B3EE7D7D59C8906
--- FormatHex RC5Key2:
B9BC53D8B8CE6CE3594555AA89556543
--- FormatHex XXTEAKey:
86F4A0930BC7ED276B2D6C2CE293535F
--- Compare reconstructed byte arrays from string to original:
RC5Key1: PASS
RC5Key2: PASS
XXTEAKey: PASS
---- PrintKeyData from memory:
RC5KEY1=4155BFD82D429EA69B3EE7D7D59C8906
RC5KEY2=B9BC53D8B8CE6CE3594555AA89556543
XXTEAKEY=86F4A0930BC7ED276B2D6C2CE293535F
PUBKEY=A0581020E5C012
SECKEY=ABCEDFGHIJKLMN
SERIAL=DS2E123456789012
---- SaveKeyData as key.dat ...
---- LoadKeyData from key.dat ...
---- PrintKeyData from file:
RC5KEY1=4155BFD82D429EA69B3EE7D7D59C8906
RC5KEY2=B9BC53D8B8CE6CE3594555AA89556543
XXTEAKEY=86F4A0930BC7ED276B2D6C2CE293535F
PUBKEY=A0581020E5C012
SECKEY=ABCEDFGHIJKLMN
SERIAL=DS2E123456789012
---- Compare KeyData from file with KeyData in memory:
RC5Key1: PASS
RC5Key2: PASS
XXTEAKey: PASS
publicKey: PASS
secretKey: PASS
serialNumber: PASS
---- Scanning Memory Dump
!!! DESCRAMBLE PUBLICK KEY: NOT IMPLEMENTED!
RC5KEY1=3F578E1C441834DDA54621363281FBCF
RC5KEY2=14DC15AFA1483D7D6AC1DCA1798DAA3E
XXTEAKEY=3969A204559C35529044ED8552161332
PUBKEY=
SECKEY=
SERIAL=

 

Offline tokugawa

  • Newbie
  • Posts: 1
Re: Sniffing the Rigol's internal I2C bus
« Reply #2381 on: January 09, 2014, 08:34:27 am »
Hello guys, I've just bought a new Rigol DS1074Z and I tried to put a key into it. While I was trying different keys I got the message
"Installation avoid for 12 hours!"
However, in the end I used the web keygen: http://riglol.3owl.com/
and it worked beautifully.

I bought it in the Czech Republic (Central Europe) and my SW version is 00.02.01.SP1.

Thanks for your great work, wish you all good luck :)
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #2382 on: January 09, 2014, 09:38:19 am »
The only thing I'm confused about is whether the public key is 7 or 8 bytes long, because we read an 8-byte sequence from the dump file, but in your examples the hex string has only 7 bytes.

Rigol uses 56-bit ECC keys, but in scrambled (i.e. bit-shuffled) form they take up 64 bits.
 

Offline neamyalo

  • Contributor
  • Posts: 12
Re: Sniffing the Rigol's internal I2C bus
« Reply #2383 on: January 09, 2014, 10:13:52 am »
This is what tirulerbach has done to my scope with the info in my JTAG dump...   :-DMM

More DS****A memory dumps are needed...
 

Offline neslekkim

  • Super Contributor
  • ***
  • Posts: 1305
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #2384 on: January 09, 2014, 10:19:41 am »
This is awesome! Did the serial change, or do you still have one that starts with DS2D? I didn't find out yet why mine starts with DS2E...
 

Offline neamyalo

  • Contributor
  • Posts: 12
Re: Sniffing the Rigol's internal I2C bus
« Reply #2385 on: January 09, 2014, 11:39:18 am »
No serial number change  :-+
 

Offline neslekkim

  • Super Contributor
  • ***
  • Posts: 1305
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #2386 on: January 09, 2014, 12:10:25 pm »
I guess it is not possible to JTAG dump the scope without taking it apart, and thus voiding the warranty? Since we have a good warranty here in Norway, I'm a bit reluctant to destroy the warranty sticker yet.
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #2387 on: January 09, 2014, 12:52:48 pm »
I guess it is not possible to JTAG dump the scope without taking it apart, and thus voiding the warranty? Since we have a good warranty here in Norway, I'm a bit reluctant to destroy the warranty sticker yet.
There are numerous videos about removing warranty stickers without breaking them - such as this one from EEVBlog member mikeselectricstuff.

 

Offline neslekkim

  • Super Contributor
  • ***
  • Posts: 1305
  • Country: no
Re: Sniffing the Rigol's internal I2C bus
« Reply #2388 on: January 09, 2014, 01:03:45 pm »
Cool, I need to check that.
Does info also exist on how to use tools to do the dump?
I have an
FT2232H USB 2.0 Hi-Speed breakout board
http://www.seeedstudio.com/depot/ft2232h-usb-20-hispeed-breakout-board-p-737.html
and a
Bus Pirate v3.6 universal serial interface
http://www.seeedstudio.com/depot/bus-pirate-v36-universal-serial-interface-p-609.html

And I guess the firmware 02.01.00.03 is also the same one I can use on my A-S model, not only on the A models?
Because I guess there is no interest in a dump of the scope as it is right now (with 02.00.00.04)?
 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 572
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #2389 on: January 09, 2014, 02:40:46 pm »
I guess it is not possible to JTAG dump the scope without taking it apart, and thus voiding the warranty? Since we have a good warranty here in Norway, I'm a bit reluctant to destroy the warranty sticker yet.
I believe that in at least most Western countries you don't void your warranty by opening your product, and you don't void your warranty by destroying or removing any warranty sticker. The only thing you void your warranty on is the sticker itself.
But those broken warranty-void stickers scare customers away from filing claims, even if the product is still under warranty regardless of any broken or removed stickers. It's a tried and true money-saving technique.

In the EU you can even root your device and load a custom firmware without voiding the warranty, unless the new firmware itself is the cause of the hardware defect you have a warranty claim for. So if, say, a power supply capacitor leaks, it's still under warranty even with custom firmware loaded, unless the firmware is the cause of the leaked capacitor.
http://matija.suklje.name/rooting-and-flashing-your-device-does-not-void-the-warranty-in-eu
Quote
Rooting and flashing your device does not void the warranty in EU

Just the fact that you modified or changed the software of your device, is not a sufficient reason to void your statutory warranty. As long as you have bought the device as a consumer in the European Union.

...So, we finally come to the question of rooting, flashing and changing the software. Unless the seller can prove that modifying the software, rooting your device or flashing it with some other OS or firmware was the cause for the defect, you are still covered for defects during those 2 years.
The same applies to breaking a warranty-void sticker. Simply breaking a warranty sticker will never be the cause of some other hardware or software defect, so your product is still under warranty with a broken sticker, except for the sticker itself.

Quote
Many manufacturers of consumer devices write into their warranties a paragraph that by changing the software or “rooting” your device, you void the warranty. You have to understand that in EU we have a “statutory warranty”, which is compulsory that the seller must offer by law (Directive 1999/44/CE, §7.1) and a “voluntary warranty” which the seller or manufacturer can, but does not need to, offer as an additional service to the consumer. Usually the “voluntary warranty” covers a longer period of time or additional accidents not covered by law. If though the seller, the manufacturer or anyone else offers a “voluntary warranty”, he is bound to it as well!

So, even if, by any chance your “voluntary warranty” got voided, by European law, you should still have the 2 year “compulsory warranty” as it is described in the Directive and which is the topic of this article.

In case the seller refuses your right to repair or replace the device, you can sue him in a civil litigation and can report the incident to the national authority. In many European countries such action does not even require hiring a lawyer and is most of the time ensured by consumers associations.

The warranty under this Directive is only applicable inside the European Union and only if you bought the device as a consumer.
I know Norway is not part of the EU, but they have very similar laws and cooperate in many areas including consumer rights, so you probably have very similar warranty laws. But try to ask your national Consumer Center: http://www.forbrukerradet.no

http://forbrukereuropa.no/en/
Quote
Forbruker Europa offers free help and advice for consumers on purchasing in the EU, Iceland and Norway.
« Last Edit: January 09, 2014, 02:59:57 pm by AndersAnd »
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #2390 on: January 09, 2014, 03:07:58 pm »
I believe in at least most Western countries you don't void your warranty by opening your product and you don't void your warranty by destroying or removing any warranty sticker.

Nonetheless, it might save you time in possible arguments/discussions with companies and service personnel to remove the sticker without breaking it (which is easy to do), which is, after all, the point of Mike's video.
 

Offline sled

  • Contributor
  • Posts: 21
  • Country: ch
Re: Sniffing the Rigol's internal I2C bus
« Reply #2391 on: January 09, 2014, 03:16:02 pm »
I can't really imagine that RIGOL would supply each device with its own unique private and public key... simply because it's a nightmare to keep track of all the keypairs, and if the dataset is lost, no options could be sold anymore...

Maybe there is a universal key that gets shuffled by either the model number or the serial number?

Would it be possible to watch the memory address where the keys are and back-trace the method that puts them there? Or scan the dumps for references to this memory address?



 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 572
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #2392 on: January 09, 2014, 03:19:52 pm »
I believe in at least most Western countries you don't void your warranty by opening your product and you don't void your warranty by destroying or removing any warranty sticker.
Nonetheless, it might save you time to remove the sticker without breaking it (which is easy to do), then in possible arguments/discussions with companies and service personnel - which is, after all, the point of Mike's video.
Yes, I fully agree with that. If you can open your device without damaging the sticker then by all means do it, as it doesn't require much effort. Even if the warranty isn't voided by a broken sticker, the seller might argue otherwise until they are told otherwise by a consumer organisation or court. It could potentially save you a lot of hassle and arguing even if you have the law on your side.

But remember you shouldn't just give up possible future warranty claims just because of a broken or missing "warranty void" sticker - or a custom firmware for that matter.


I have also read (on this forum IIRC) one who completely removed his warranty sticker and all goo traces of it on his Rigol and later sent it to repair under warranty. They repaired it under warranty without complaining of any sticker missing.

I also read about another one who sent a DP832 to have the PCB replaced with the new improved version with a larger heatsink. When he received it back from repair the warranty-void sticker was missing or broken. So what's he supposed to do if he has another warranty claim and the warranty is broken by a missing sticker when he got it back from repair? I'm pretty sure I read it somewhere on this forum and I think it was TEquipment he sent it to.

I've also read of one where the sticker was missing on a device from new. And how can the seller even prove there has ever been a sticker on a device even if there has been? They could also have forgot to put it on during production.
So if you have a broken sticker it's better to just remove it completely, and all its goo traces, before sending it to repair. The repairman might not even notice a missing sticker then, but he will notice it if it's broken.
« Last Edit: January 09, 2014, 03:39:08 pm by AndersAnd »
 

Offline thetooth

  • Contributor
  • Posts: 22
Re: Sniffing the Rigol's internal I2C bus
« Reply #2393 on: January 09, 2014, 06:54:23 pm »
I believe in at least most Western countries you don't void your warranty by opening your product and you don't void your warranty by destroying or removing any warranty sticker.
Nonetheless, it might save you time to remove the sticker without breaking it (which is easy to do), then in possible arguments/discussions with companies and service personnel - which is, after all, the point of Mike's video.
Yes, I fully agree with that. If you can open your device without damaging the sticker then by all means do it, as it doesn't require much effort. Even if the warranty isn't voided by a broken sticker, the seller might argue otherwise until they are told otherwise by a consumer organisation or court. It could potentially save you a lot of hassle and arguing even if you have the law on your side.

But remember you shouldn't just give up possible future warranty claims just because of a broken or missing "warranty void" sticker - or a custom firmware for that matter.


I have also read (on this forum IIRC) one who completely removed his warranty sticker and all goo traces of it on his Rigol and later sent it to repair under warranty. They repaired it under warranty without complaining of any sticker missing.

I also read about another one who sent a DP832 to have the PCB replaced with the new improved version with a larger heatsink. When he received it back from repair the warranty-void sticker was missing or broken. So what's he supposed to do if he has another warranty claim and the warranty is broken by a missing sticker when he got it back from repair? I'm pretty sure I read it somewhere on this forum and I think it was TEquipment he sent it to.

I've also read of one where the sticker was missing on a device from new. And how can the seller even prove there has ever been a sticker on a device even if there has been? They could also have forgot to put it on during production.
So if you have a broken sticker it's better to just remove it completely, and all its goo traces, before sending it to repair. The repairman might not even notice a missing sticker then, but he will notice it if it's broken.
Its only real use for warranty is if you cut the sticker; clearly this means someone has opened the device. A removed or partially lifted sticker has no meaning at all, because they will detach/become damaged naturally.

In my experience the _only_ people who check those stickers are asshole merchants selling low-value items who are too cheap to pay the return shipping. Here in Australia I've seen just about every level of stance on warranty, from companies like Dell Business, who have sent replacement equipment before I even sent the faulty item back, based entirely on my word (they did check the item and sent a report confirming the problem), to a computer store that refused to honor basic consumer law until we had police presence.
 

Offline AndreaEl

  • Contributor
  • Posts: 40
  • Country: it
Re: Sniffing the Rigol's internal I2C bus
« Reply #2394 on: January 09, 2014, 11:01:30 pm »
It's been some days since I last followed this topic and I have some questions I haven't understood...

I have a Rigol DS2072 (HW 2).
I have outdated firmware and must update; is it right that the latest version is 00.02.01.00.03? (I have read about clearing the FRAM after the update.)

With this version the 300MHz BW option is available, but I have read that the 200MHz BW option gives more performance in LF than 300MHz on HW 1. Is it the same for HW 2, or can I install the 300MHz BW with no problem on my HW 2?

I have read about the newest codes for enabling 300MHz and CAN, but I don't understand what each code enables. I have read about DSHH, DSGH etc.
I'm searching for: 200MHz + all options (including CAN), 300MHz + all options.
My equipment:

Multimeter: HP 34401A, HP 3478A, HP 3466A, Fluke 115
Oscilloscope: Rigol DS2072 (DS2202)
Function generator: SRS DS335
Electronic load: Maynuo M9811
Power supply: TDK-Lambda ZUP 20-20, 2x Atten TPR3602A, Atten APR1505A, Atten APR12001A, Atten AT1001D
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #2395 on: January 09, 2014, 11:28:41 pm »
It's been some days since I last followed this topic and I have some questions I haven't understood…
Deja vu :o  from Reply #2390  :D

I have a Rigol DS2072 (HW 2).
I have outdated firmware and must update; is it right that the latest version is 00.02.01.00.03?
Here are the latest Firmware versions by Rigol product family as of January 7th, 2014:
http://beyondmeasure.rigoltech.com/acton/form/1579/0012:d-0001/1/index.htm
« Last Edit: January 09, 2014, 11:38:31 pm by hammy »
 

Offline AndersAnd

  • Frequent Contributor
  • **
  • Posts: 572
  • Country: dk
Re: Sniffing the Rigol's internal I2C bus
« Reply #2396 on: January 10, 2014, 12:02:45 am »
I have a Rigol DS2072 (HW 2).

With this version the 300MHz BW option is available, but I have read that the 200MHz BW option gives more performance in LF than 300MHz on HW 1. Is it the same for HW 2, or can I install the 300MHz BW with no problem on my HW 2?
For HW 2 use 300 MHz.

I have read about the newest codes for enabling 300MHz and CAN, but I don't understand what each code enables. I have read about DSHH, DSGH etc.
I'm searching for: 200MHz + all options (including CAN), 300MHz + all options.
Use DSHH for HW 2 (300 MHz with all options).
Use this keygen http://riglol.3owl.com
 

Offline granz

  • Regular Contributor
  • *
  • Posts: 136
  • Country: us
  • 6.62606957
Re: Sniffing the Rigol's internal I2C bus
« Reply #2397 on: January 10, 2014, 02:38:41 am »
Gentlemen,

I recently purchased a DS2072A from Tequipment and discovered this thread in regards to hacking it (nice work so far!). I've opened it up and I'm trying to get another dump, as it seems like that would be useful to people. I would have offered to write those C routines but I guess someone beat me to it. I have two different JTAG interfaces on hand, a Xilinx Platform USB Cable and an Altera USB Blaster. I first tried the Xilinx cable under Linux with bfin-jtag with no luck even connecting to it, same with the Altera one. I decided to give it a try under Windows and first tried the generic urjtag package, which works with the Altera cable, and I see the BF526 (see image). Unfortunately bfin-jtag doesn't want to see either interface... (Both cables work fine with their respective proprietary software.)

It looks like the generic urjtag doesn't have the bus support needed; is this correct? I see many more options from "help initbus" under bfin-jtag.

I've tried installing different versions of the drivers etc. with no luck, but it looks like maybe bfin-jtag is looking for a different USB VID/PID, based on the message. Anyone have any ideas? I don't mind ordering yet another JTAG cable, but I assume the sooner I can post another memory dump the better.

My scope came with software 00.02.00 and I haven't updated it.

 

Offline Posterisan

  • Newbie
  • Posts: 7
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #2398 on: January 10, 2014, 07:05:43 pm »
...
But it's the old problem: people are only sitting around waiting for the keygen and don't want to break the warranty seal on their scope to provide a memory dump... This is bad indeed...  ::)

Today I ordered a DS2072A and a Segger J-Link JTAG adapter. I hope I can provide a memory dump next week.
 

Offline nonosoft

  • Newbie
  • Posts: 1
Re: Sniffing the Rigol's internal I2C bus
« Reply #2399 on: January 10, 2014, 08:51:28 pm »
Hi,
Today I received my DS2072A. I had ordered a DS2072 non-A from Batronix (Germany) but received an A model. I think the non-A models are going to be replaced by the A.

I'm really interested in the possibility of unlocking the decoding options.

Reading this topic, I understood that you need a memory dump from an A model to help decrypt the protection.
I would like to help and I'm ready to open my oscilloscope to make this dump, but I'm not very familiar with JTAG; maybe someone could make a small tutorial to explain how to proceed?

For now I have only a Bus Pirate that can act as a slow JTAG device, but if needed I could buy a real JTAG programmer.
 

