Sniffing the Rigol's internal I2C bus

[cosmos]

What of the higher BW settings of the DS4000? ideas for a way forward?

First tries (in this tread somewhere) with bits next to decoding options seemed not to work.
From the teardown it seems it uses an ASICs in the frontend, would be strange if it is not ready for the full BW.
Is it the same amplifier (as in DS2000) with selectable BW following the ASIC? That amplifier had settings to go to about 1GHz so it could fit.
One post (not in this tread) claimed to have seen 500MHz pulse response with a DS4000 that got confused about its internal state.

[synapsis]

enjoy

http://pastebin.com/ghYHnCfT

would not have happend without jtag firmware dump from DL5TOR, ecc help from some guy and testing by marc - thanks guys.


PS: the windows tool makers, might want to integrate that into their tool - only the length of the serial & private key differ, rest is the same ! (RILOL !)

The ecssign functions generated different keys between the DS2000 code and your DSA800 release. So there's something else different somewhere.

[synapsis]

I was in another city trying to find a job (no luck) and my PMs blow up about cybernet's latest offering.

I don't have a DSA815, so the only way I could test this code is to compare the output to cybernet's Linux code using Dave's demo unit serial number from his video. So, this code is considered beta.

Edit: Oh yeah, this is the Windows version of the keygen with DS2000 and DSA800 generators.

[cybernet]

I was in another city trying to find a job (no luck) and my PMs blow up about cybernet's latest offering.

I don't have a DSA815, so the only way I could test this code is to compare the output to cybernet's Linux code using Dave's demo unit serial number from his video. So, this code is considered beta.

Edit: Oh yeah, this is the Windows version of the keygen with DS2000 and DSA800 generators.

sorry dude didnt mean to blow up your pm's ;-) - verification is rather easy, if u have a copy of riglol (verification part not keygen) and just update the "point2" (which is the public key) to the DSA and a minor update to the serial length check:

Code: [Select]

if (strlen(serial) < 0xd) { fprintf(stderr, "serial has invalid length !\n"); exit(-1); }
you can then verify them as easily as the DS keys.

to the script kiddies: those are not the private keys ...

Code: [Select]

#ifdef RIGOL_KEYS
unsigned char prime1[]="AEBF94CEE3E707";
unsigned char prime2[]="AEBF94D5C6AA71";
unsigned char curve_a[]="2982";
unsigned char curve_b[]="3408";
unsigned char point1[]="7A3E808599A525";
unsigned char point2[]="8445B2BE29E5C7";
#endif
#ifdef RIGOL_DSA_KEYS
unsigned char prime1[]="AEBF94CEE3E707";
unsigned char prime2[]="AEBF94D5C6AA71";
unsigned char curve_a[]="2982";
unsigned char curve_b[]="3408";
unsigned char point1[]="7A3E808599A525";
unsigned char point2[]="691213692D18FA";
#endif

otherwise maybe somebody shares a real code with you DL5TOR has one, but im not doing it without his permission.

IMHO if u just swap in the new private key, and allow the serial to be >= 0xe it should work just fine for the DSA as well.
detection which key to use could be done via the serial format ...

[synapsis]

I ended up just replacing the ecssign function with yours. I only had to cast a couple unsigned chars and change a parameter name. 

[cybernet]

I ended up just replacing the ecssign function with yours. I only had to cast a couple unsigned chars and change a parameter name. 

good stuff 

[jsykes]

I was in another city trying to find a job (no luck) and my PMs blow up about cybernet's latest offering.

I don't have a DSA815, so the only way I could test this code is to compare the output to cybernet's Linux code using Dave's demo unit serial number from his video. So, this code is considered beta.

Edit: Oh yeah, this is the Windows version of the keygen with DS2000 and DSA800 generators.

synapsis
YOU THE MAN!
 
The other day,  jamesb was kind enough to generate keys for me using cybernet's code with his Linux box. I asked him to generate more that one set but he said with the 815 keygen, the other sets generated were exactly the same. For comparison, I used your windows software to generate the keys for my serial number and they all match the keys generated by cybernet's code running on the Linux box. Your Windows software is verified good on the first try. GREAT JOB to you, cybernet, DL5TOR, and all that made this happen.

[Rufus]

talking of firmware i would love to get a 2nd DSA firmware (.sys file) if somebody has 2 versions, and is willing to share let me know.

I have 1.05 and 1.07.

[fqahmad66]

I was in another city trying to find a job (no luck) and my PMs blow up about cybernet's latest offering.

I don't have a DSA815, so the only way I could test this code is to compare the output to cybernet's Linux code using Dave's demo unit serial number from his video. So, this code is considered beta.

Edit: Oh yeah, this is the Windows version of the keygen with DS2000 and DSA800 generators.

synapsis
YOU THE MAN!
 
The other day,  jamesb was kind enough to generate keys for me using cybernet's code with his Linux box. I asked him to generate more that one set but he said with the 815 keygen, the other sets generated were exactly the same. For comparison, I used your windows software to generate the keys for my serial number and they all match the keys generated by cybernet's code running on the Linux box. Your Windows software is verified good on the first try. GREAT JOB to you, cybernet, DL5TOR, and all that made this happen.

Hi jsykes,

Did you also send the bf dump or just the s.no and licence info? I do not want to open the analyser.


Regards
F

[fqahmad66]

Is it just a myth or real that after three wrong attempts of License Keys entry..the unit is locked and must be sent to China to unlock..

[dr.diesel]

Is it just a myth or real that after three wrong attempts of License Keys entry..the unit is locked and must be sent to China to unlock..

Myth, at least on the DSA.

[fqahmad66]

I have aquestion. My analyser has serial no. starting with DSA8.... but cybernet's keygen wants to put s.no DS2A....

printf("  <sn>       serial number of device (DS2A.........)\n");

Is that OK?

[PA0PBZ]

My analyser has serial no. starting with DSA8.... but cybernet's keygen wants to put s.no DS2A....

DS2A is for the DS2000 series of scopes, where the keygen was born.
I think someone just forgot to change that bit.

[fqahmad66]

Re.  'Rory'   « Reply #933 on: Today at 06:40:51 AM »
      Thanks Cybernet and dr.diesel, I'm up and running on all.
      The license info still shows the trial options by their keys and their "left time". I assume the trials will disappear once they expire?
_____________________________________________________________

No, it won't go away, and it is too bad because it says that the options were hacked in. This may be a dead give away when a future firmware version is installed. We should look for a way to clean them out, and of course leave the new option license info in place.

The trial key for the VSWR option stayed in after I entered the offical (sic) key I got from RIGOL.  So it's not specific to the hacked keys.

Hi Rory,

What is official (sic) key? Mine shows as trial.

REgards
F

[Carrington]

DS2000

Code: [Select]

MODEL_DSModelType_modify_?_sub_1D6BE2                ROM    001D6BE2 0000005E R . . . . . .
MODEL_MakeDSModelType_sub_9850A                      ROM    0009850A 00000042 R . . . . . .
MODEL_MakeDSXString_sub_F204E                        ROM    000F204E 00000056 R . . . . . .
MODEL_Make_sub_F273C                                 ROM    000F273C 000002CC R . . . . . .
MODEL_and_SERIAL_sub_9731C                           ROM    0009731C 0000005A R . . . . . .
MODEL_createModelTypeString_?_sub_F21BC              ROM    000F21BC 00000116 R . . . . . .
MODEL_getDSModelType_sub_F1DE2                       ROM    000F1DE2 00000014 R . . . . . .
MODEL_getStr_sub_18F0F4E                             ROM    018F0F4E 0000000E R . . . . . .
MODEL_getTypeID_sub_18F0EDE                          ROM    018F0EDE 00000014 R . . . . . .
MODEL_getTypeID_sub_18F0F84                          ROM    018F0F84 00000014 R . . . . . .
MODEL_getVendor_sub_18F0F72                          ROM    018F0F72 0000000E R . . . . . .
MODEL_makeDSModelType_sub_A9760                      ROM    000A9760 0000008C R . . . . . .
MODEL_retDS2XXX_sub_F1E4E                            ROM    000F1E4E 00000012 R . . . . . .
MODEL_setDSModelType_sub_F26DE                       ROM    000F26DE 0000005E R . . . . . .
MODEL_set_DSModel_Type_sub_F1E84                     ROM    000F1E84 00000018 R . . . . . .
MODEL_sub_19D5CDE                                    ROM    019D5CDE 0000005E R . . . . . .
Some of these functions are not accessible. Hidden menu? Any ideas?

[PA0PBZ]

Where do these names come from, I don't see them in the .GEL file?

[DL5TOR]

DS2000

Code: [Select]

MODEL_DSModelType_modify_?_sub_1D6BE2                ROM    001D6BE2 0000005E R . . . . . .
MODEL_MakeDSModelType_sub_9850A                      ROM    0009850A 00000042 R . . . . . .
MODEL_MakeDSXString_sub_F204E                        ROM    000F204E 00000056 R . . . . . .
MODEL_Make_sub_F273C                                 ROM    000F273C 000002CC R . . . . . .
MODEL_and_SERIAL_sub_9731C                           ROM    0009731C 0000005A R . . . . . .
MODEL_createModelTypeString_?_sub_F21BC              ROM    000F21BC 00000116 R . . . . . .
MODEL_getDSModelType_sub_F1DE2                       ROM    000F1DE2 00000014 R . . . . . .
MODEL_getStr_sub_18F0F4E                             ROM    018F0F4E 0000000E R . . . . . .
MODEL_getTypeID_sub_18F0EDE                          ROM    018F0EDE 00000014 R . . . . . .
MODEL_getTypeID_sub_18F0F84                          ROM    018F0F84 00000014 R . . . . . .
MODEL_getVendor_sub_18F0F72                          ROM    018F0F72 0000000E R . . . . . .
MODEL_makeDSModelType_sub_A9760                      ROM    000A9760 0000008C R . . . . . .
MODEL_retDS2XXX_sub_F1E4E                            ROM    000F1E4E 00000012 R . . . . . .
MODEL_setDSModelType_sub_F26DE                       ROM    000F26DE 0000005E R . . . . . .
MODEL_set_DSModel_Type_sub_F1E84                     ROM    000F1E84 00000018 R . . . . . .
MODEL_sub_19D5CDE                                    ROM    019D5CDE 0000005E R . . . . . .
Some of these functions are not accessible. Hidden menu? Any ideas?

Those are no menus These are Subs in the Firmware the Names are added from cybernet  read that post to 100% thén you will know

[PA0PBZ]

What is official (sic) key? Mine shows as trial.

I guess he bought the official key, and now he's sic(k) of it 

(The official key shows as "offcial" on the screen, so that is what he tried to type but he made a mistake quoting the mistake...)

_{The Latin adverb sic ("thus"; in full: sic erat scriptum, "thus was it written") added immediately after a quoted word or phrase (or a longer piece of text), indicates that the quotation has been transcribed exactly as found in the original source, complete with any erroneous spelling or other nonstandard presentation.}

[PA0PBZ]

Those are no menus These are Subs in the Firmware the Names are added from cybernet  read that post to 100% thén you will know

Is there an IDA database for grabbing somewhere?

[Rory]

Re.  'Rory'   « Reply #933 on: Today at 06:40:51 AM »
      Thanks Cybernet and dr.diesel, I'm up and running on all.
      The license info still shows the trial options by their keys and their "left time". I assume the trials will disappear once they expire?
_____________________________________________________________

No, it won't go away, and it is too bad because it says that the options were hacked in. This may be a dead give away when a future firmware version is installed. We should look for a way to clean them out, and of course leave the new option license info in place.

The trial key for the VSWR option stayed in after I entered the offical (sic) key I got from RIGOL.  So it's not specific to the hacked keys.

Hi Rory,

What is official (sic) key? Mine shows as trial.

REgards
F

offical (sic) was meant as joke to poke fun at Rigol's chinglish spelling of 'official' in the option info screen. (sic) means "this is how they spelled it, don't blame me for it".

Take a look at these two screen shots. One is before the hacked codes, the other after. Note that Option no. 5, which is the VSWR option, has the real official code from Rigol's website key code generator, generated from my unit's serial number and a code on the key certificate they emailed me when I purchased the optional kit which includes hardware.  Notice also that in both instances, the trial key still shows up with "Left Time".

[Rory]

What is official (sic) key? Mine shows as trial.

I guess he bought the official key, and now he's sic(k) of it 

(The official key shows as "offcial" on the screen, so that is what he tried to type but he made a mistake quoting the mistake...)

_{The Latin adverb sic ("thus"; in full: sic erat scriptum, "thus was it written") added immediately after a quoted word or phrase (or a longer piece of text), indicates that the quotation has been transcribed exactly as found in the original source, complete with any erroneous spelling or other nonstandard presentation.}

Hahaha you're right. I make a lot of mistakes...

[cybernet]

from the list with temp keys .. the temporary editions are SAAB (tm?), SAAC, SAAD, SAAE, SAAF ... .e.g. S=temp, A=perm

temp keys

80001 - SAAB
80002 - SAAC
80003 - SAAD
80004 - SAAE
80005 - SAAF

perm keys

00001 - AAAB
00002 - AAAC
00003 - AAAD
00004 - AAAE
00005 - AAAF

somebody with lxi could test other "bit positions" - to find other stuff ...

here is the not elegant way to come from option code to hexcode used ...

Code: [Select]

/****************************************************
* DS2000 license options reverse bruteforcer
* (c) CyberNet, 2013.
*****************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>

unsigned char codemap_ee00d0[]={ 0x0, 0x0, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
0x0, 0x0, 0x0,  0x0,  0x0,  0x0,  0x0,  0x0,  0x1,  0x2,
0x3, 0x4, 0x5,  0x6,  0x7,  0x0,  0x8,  0x9,  0xa,  0xb,
0xc, 0x0, 0xd,  0xe,  0xf,  0x10, 0x11, 0x12, 0x13, 0x14,
0x15,0x16, 0x17 };

unsigned char codemap_20688e[]={ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,  /* 0-9 = 0x30 */
                                 0x37, 0x37, 0x37, 0x37, 0x37, 0x37 };       /* A-F = 0x37 */


unsigned char vb[]={'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'J', 'K', 'L', 'M', 'N', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '2', '3', '4', '5', '6', '7', '8', '9'};


/*
** convert string to uppercase chars
*/
unsigned char *strtoupper(unsigned char *str)
{
    unsigned char *newstr, *p;
    p = newstr = (unsigned char*) strdup((char*)str);
    while((*p++=toupper(*p)));
    return newstr;
}

/*
**
*/
unsigned char code_map_206846(unsigned char i)
{
 if ((i >= 'A') && (i <= 'F')) return(i-0x37);
 if ((i >= '0') && (i <= '9')) return(i-0x30);
 return(0x0);
}

/*
** Encryption Routine 1
*/
unsigned char *lic_code_map(unsigned char *lic_skipped)
{
 unsigned char lv1,lv2;
 unsigned char b1_mapped, b1_shifted, b1_remapped;
 unsigned char b2_mapped, b2_shifted, b2_remapped;
 unsigned char b3_mapped, b3_shifted, b3_remapped;
 unsigned char b4_mapped, b4_shifted, b4_remapped;
 unsigned char b5_shifted, b5_remapped;
 unsigned char *lic_mapbytes;

 lic_mapbytes=calloc(28, 1);
 if (!lic_mapbytes) return(0);

 lv1=lv2=0;
 while(lv1 < strlen((unsigned char*)lic_skipped))
 {
    b1_mapped =  codemap_ee00d0[ *(lic_skipped+lv1) - 0x30 ];
    b1_shifted = (b1_mapped / 2) & 0xf;
    b1_remapped = b1_shifted + codemap_20688e[b1_shifted];
    lic_mapbytes[lv2++]=b1_remapped;
    b1_mapped = b1_mapped & 0x1;

    b2_mapped =  codemap_ee00d0[ *(lic_skipped+lv1+1) - 0x30 ];
    b2_shifted =  ((b1_mapped << 0x3) | (b2_mapped / 4)) & 0xF;
    b2_remapped = b2_shifted + codemap_20688e[b2_shifted];
    lic_mapbytes[lv2++]=b2_remapped;

    b3_mapped = codemap_ee00d0[ *(lic_skipped+lv1+2) - 0x30 ];
    b3_shifted = ((b3_mapped / 8) | ( (b2_mapped & 0x3) << 2 )) & 0xF;
    b3_remapped = b3_shifted + codemap_20688e[b3_shifted];
    lic_mapbytes[lv2++]=b3_remapped;

    b4_mapped = codemap_ee00d0[ *(lic_skipped+lv1+3) - 0x30 ];
    b4_shifted = ((b4_mapped / 16 ) |((b3_mapped & 0x7) << 0x1)) & 0xf;
    b4_remapped = b4_shifted + codemap_20688e[b4_shifted];
    lic_mapbytes[lv2++]=b4_remapped;

    b5_shifted = b4_mapped & 0xF;
    b5_remapped = b5_shifted + codemap_20688e[b5_shifted];
    lic_mapbytes[lv2++]=b5_remapped;

    lv1 = lv1 + 4;
  }
  return(lic_mapbytes);
}

unsigned char * find_match5(unsigned char *code5)
{
  unsigned char c1,c2,c3,c4;
  unsigned char *input;
  unsigned char *lic_mapbytes;
  input=calloc(40,1);

  /* lets bruteforce it ;-) */
  for (c1=0;c1<sizeof(vb);c1++) {
   for (c2=0;c2<sizeof(vb);c2++) {
    for (c3=0;c3<sizeof(vb);c3++) {
     for (c4=0;c4<sizeof(vb);c4++) {
      input[0]=vb[c1];
      input[1]=vb[c2];
      input[2]=vb[c3];
      input[3]=vb[c4];
      input[4]='\0';
      lic_mapbytes=lic_code_map(input);
      if (!strcmp(lic_mapbytes, code5))
      {
           printf(" Match found with map bytes: %s\n\n", input);
           return(input);
      }
     }
    }
   }
  }
  return(0); // no match 
}

int main(int argc, char *argv[0])
{
 unsigned char *lic_code;
 unsigned char  lic_code_len;
 unsigned char *lic_mapbytes;
 unsigned char c1,c2,c3,c4;
 unsigned char *input;

 if (argc < 2)
  exit(-1);
 if (argc==2)
   lic_code=strtoupper((unsigned char*)argv[1]);

 printf("target-code:     %s\n", lic_code);
 lic_code_len=strlen((char*)lic_code);
 if (lic_code_len < 5) { fprintf(stderr, "code is to short !\n"); exit(-1); }
 if (lic_code_len > 5) { fprintf(stderr, "code is to long !\n"); exit(-1); }
 

 input=calloc(40,1);
 /* lets bruteforce it ;-) */
 for (c1=0;c1<sizeof(vb);c1++) {
   for (c2=0;c2<sizeof(vb);c2++) {
     for (c3=0;c3<sizeof(vb);c3++) {
       for (c4=0;c4<sizeof(vb);c4++) {
         input[0]=vb[c1];
input[1]=vb[c2];
input[2]=vb[c3];
input[3]=vb[c4];
input[4]='\0';
         lic_mapbytes=lic_code_map(input);
       //  printf("input: %s\tlic_mapbytes: %s\n", input, lic_mapbytes);
if (!strcmp(lic_mapbytes, lic_code))
         {
   printf(" Match found with map bytes: %s\n\n", input);
   return(0);
}
       }
     }
   }
 }
 printf(" No match found\n\n");
 return(-1);
}


[Rory]

What is official (sic) key? Mine shows as trial.

I guess he bought the official key, and now he's sic(k) of it 

(The official key shows as "offcial" on the screen, so that is what he tried to type but he made a mistake quoting the mistake...)

_{The Latin adverb sic ("thus"; in full: sic erat scriptum, "thus was it written") added immediately after a quoted word or phrase (or a longer piece of text), indicates that the quotation has been transcribed exactly as found in the original source, complete with any erroneous spelling or other nonstandard presentation.}

Hahaha you're right. I make a lot of mistakes...

But not this time. They actually spelt it 'offical'  !

[PA0PBZ]

But not this time. They actually spelt it 'offical'  !

They keep trying and eventually will get it right, in the DS2000 series it is "offcial" !

[Carrington]

DS2000

Code: [Select]

MODEL_DSModelType_modify_?_sub_1D6BE2                ROM    001D6BE2 0000005E R . . . . . .
MODEL_MakeDSModelType_sub_9850A                      ROM    0009850A 00000042 R . . . . . .
MODEL_MakeDSXString_sub_F204E                        ROM    000F204E 00000056 R . . . . . .
MODEL_....

                                    ...

Some of these functions are not accessible. Hidden menu? Any ideas?

Sub-algorithms in firmware. Right? I said before functions, no menu.
But I'm sure there is a hidden menu, that use some of this subs, and I think that in this forum only a few guys have the knowledge to find it.
We already know this: "Press the [Menu7][Menu6][Menu7][Utility] buttons one after another quickly."

Cheers.