Sniffing the Rigol's internal I2C bus

[zombie28]

Code: [Select]

// Copyright (c) 2013 RIGLOL Technologies, Inc. All Rights Reversed.

 

Well, this is my small tribute to cybernet, because without his findings I would have never been able to do this. 

[tirulerbach]

So here it is, the new license code decoder:

Great work! Fantastic!

So, a small question: Are you sure DecodeSignature() is correct? Maybe it's a roll instead a shift? 

[van-c]

nice
and now?

it's time to reverse

So, zombie28, if the correct private key were used in the existing keygen to produce a 28-character license code for a particular option code, then running that license code through your DecodeLicenseCode() function would return the option code back, verifying that the correct private key had been found, correct?  (Assuming the keygen is using an algorithm compatible with the decoder.)

[zombie28]

So here it is, the new license code decoder:

So, a small question: Are you sure DecodeSignature() is correct? Maybe it's a roll instead a shift? 

I'm pretty sure that my code is correct. I have run it with 'AAAAAAABBBBBBBCCCCCCCDDDDDDD' license code and found its output in memory dump:

option bits: 0x000f09f5 (at offset 0x1c3df7c as binary value)
sig1:   0x0000f464e5aebf3e (at offset 0x1c3df80 as hex string)
sig2:   0x000000000000000f (at offset 0x1c3df90 as hex string)

The same technique was used in non-A license decoder (take a look at riglol.c and variables i1 and i2), but instead of shifting binary values to the right, this decoder moves null terminator of hex strings to the left. I think Rigol uses shifting of signature values as a form of padding, to fill all available space in case of leading zeros (padding is often used in digital signature algorithms for security reasons).

[zombie28]

So, zombie28, if the correct private key were used in the existing keygen to produce a 28-character license code for a particular option code, then running that license code through your DecodeLicenseCode() function would return the option code back, verifying that the correct private key had been found, correct?  (Assuming the keygen is using an algorithm compatible with the decoder.)

Well, not exactly. After decoding of the license code, the ECDSA algorithm must be used to verify the signature (or the key). But first we need to find out how the signature is being constructed from the scope's serial number and option bits, because there are no explicit option characters in the new code format.

[van-c]

I had mistakenly thought the option code and serial number were being decrypted from the license code using the public key. Now I see that the algorithm verifies that the signature pairs embedded in the license code are valid before accepting the decoded license.  Was confusing public-private encryption with signature validation.

[ted572]

DP832 Power Supply with Firmware 08:

Please, has anyone been able to successfully activate the DP832 Options by downgrading to Firmware 06, installing the keys from the Riglol 1.03c Keygen, and then upgrading back to FW 08?

I have seen others ask questions about this, but I haven't seen any replies.

Or, is there a version of a Keygen that will work with a DP832 with Firmware 08?

[Sebastian]

DP832 Power Supply with Firmware 08:

Please, has anyone been able to successfully activate the DP832 Options by downgrading to Firmware 06, installing the keys from the Riglol 1.0c Keygen, and then upgrading back to FW 08?

I have seen others ask questions about this, but I haven't seen any replies.

Or, is there a version of a Keygen that will work with a DP832 with Firmware 08?

Hi,

I've got the same problem. 06 works no problem at all, when I upgrade to 08 all options are gone. When I downgrade back to 06 everything is official again.
BTW I am using Riglol 1.03c.

[marmad]

I've got the same problem. 06 works no problem at all, when I upgrade to 08 all options are gone. When I downgrade back to 06 everything is official again.
BTW I am using Riglol 1.03c.

This seems very odd. Does this mean that people who actually bought options legally from Rigol for the DP832 can't use the newest firmware?

[ted572]

I've got the same problem. 06 works no problem at all, when I upgrade to 08 all options are gone. When I downgrade back to 06 everything is official again.
BTW I am using Riglol 1.03c.

   Sebastian
[/quote]

I have 1.03c Keygen also, sorry but I left off the 3 from the Keygen number above.  Thank you for your reply.  Now I wonder what alternatives we can find without an updated Keygen for FW 08.

        ted572

[Sparky]

I've got the same problem. 06 works no problem at all, when I upgrade to 08 all options are gone. When I downgrade back to 06 everything is official again.
BTW I am using Riglol 1.03c.

I also have the DP832.  My unit is an early one with the small heatsink and it came with firmware 00.01.03.  All options installed fine using Riglol 1.03c keygen.  I have seen photos in other threads showing firmware 06 and 08.  Could someone kindly upload the 06 and 08 firmwares?  I haven't seen downloads for them...and haven't contact Rigol myself yet.

It seems 06 is fine to use, but 08 somehow invalidates options already installed...

[jkw13]

On my DP832, not only have the options gone on upgrade, the ADC calibration doesn't work
either (on v1.06 and v1.08) DAC is fine. Did they put a "booby trap" in there?

[Wall-E]

Same thing here with DP832 and Riglol 1.03c Keygen.  It worked fine on my new DP832 with FW 00.06, but then all the options were gone when I went back to FW 00.08.

I thought that it was just me, but now I don't know of any DP832 owners that were able to get the options to work with FW 00.08.

Can anyone help with this?

[Sebastian]

I've got the same problem. 06 works no problem at all, when I upgrade to 08 all options are gone. When I downgrade back to 06 everything is official again.
BTW I am using Riglol 1.03c.

I also have the DP832.  My unit is an early one with the small heatsink and it came with firmware 00.01.03.  All options installed fine using Riglol 1.03c keygen.  I have seen photos in other threads showing firmware 06 and 08.  Could someone kindly upload the 06 and 08 firmwares?  I haven't seen downloads for them...and haven't contact Rigol myself yet.

It seems 06 is fine to use, but 08 somehow invalidates options already installed...

If you go to the Riglol site and click on DP832 you get both of the versions, as well as the instructions on how to install them.

[marmad]

Same thing here with DP832 and Riglol 1.03c Keygen.  It worked fine on my new DP832 with FW 00.06, but then all the options were gone when I went back to FW 00.08.

I thought that it was just me, but now I don't know of any DP832 owners that were able to get the options to work with FW 00.08.

Can anyone help with this?

IMO, it would be worthwhile for one of you owners to start a separate thread asking if anyone with a purchased option for the DP832 has managed to successfully upgrade to v.08. It's always possible that there's a bug in the FW which affects ALL options (legal or otherwise) - and if so, Rigol can be notified for a fix.

As we know from his video review, Dave has a purchased license key, so perhaps you might find out from him if he's installed v.08 without troubles.

[Sparky]

I've got the same problem. 06 works no problem at all, when I upgrade to 08 all options are gone. When I downgrade back to 06 everything is official again.
BTW I am using Riglol 1.03c.

I also have the DP832.  My unit is an early one with the small heatsink and it came with firmware 00.01.03.  All options installed fine using Riglol 1.03c keygen.  I have seen photos in other threads showing firmware 06 and 08.  Could someone kindly upload the 06 and 08 firmwares?  I haven't seen downloads for them...and haven't contact Rigol myself yet.

It seems 06 is fine to use, but 08 somehow invalidates options already installed...

If you go to the Riglol site and click on DP832 you get both of the versions, as well as the instructions on how to install them.

I've had a look on www.rigol.com, www.eu.rigolna.com, www.rigolna.com and looked at the DP832 pages, but I can't find anywhere where the firmware is available for direct download.  Are you saying the firmware is somewhere for download, or referring to the "Request the Latest Firmware" page?

[AndersAnd]

I also have the DP832... Could someone kindly upload the 06 and 08 firmwares?

If you go to the Riglol site and click on DP832 you get both of the versions, as well as the instructions on how to install them.

I've had a look on www.rigol.com, www.eu.rigolna.com, www.rigolna.com and looked at the DP832 pages, but I can't find anywhere where the firmware is available for direct download.  Are you saying the firmware is somewhere for download, or referring to the "Request the Latest Firmware" page?

You missed the extra 'L' Sebastian wrote in RigLol.

It's this site he was referring to: http://riglol.3owl.com

Direct link: http://riglol.3owl.com/firmware/DP832.zip

[Sparky]

If you go to the Riglol site and click on DP832 you get both of the versions, as well as the instructions on how to install them.

I've had a look on www.rigol.com, www.eu.rigolna.com, www.rigolna.com and looked at the DP832 pages, but I can't find anywhere where the firmware is available for direct download.  Are you saying the firmware is somewhere for download, or referring to the "Request the Latest Firmware" page?

You missed the extra 'L' Sebastian wrote in RigLol.

It's this site he was referring to: http://riglol.3owl.com

Direct link: http://riglol.3owl.com/firmware/DP832.zip

Oh!  Thanks for that!

[Sparky]

Same thing here with DP832 and Riglol 1.03c Keygen.  It worked fine on my new DP832 with FW 00.06, but then all the options were gone when I went back to FW 00.08.

I thought that it was just me, but now I don't know of any DP832 owners that were able to get the options to work with FW 00.08.

Can anyone help with this?

IMO, it would be worthwhile for one of you owners to start a separate thread asking if anyone with a purchased option for the DP832 has managed to successfully upgrade to v.08. It's always possible that there's a bug in the FW which affects ALL options (legal or otherwise) - and if so, Rigol can be notified for a fix.

As we know from his video review, Dave has a purchased license key, so perhaps you might find out from him if he's installed v.08 without troubles.

Good suggestion marmad; I have done so here.  I will try to add more details on which bugs and firmware differences.

[m-joy]

Hello, 

 I have Hardware Version 1.0.2.0.0.  Can i use 300MHz?

Greetings

[Pehtoori]

Hello, 

 I have Hardware Version 1.0.2.0.0.  Can i use 300MHz?

Greetings

Yes, but accuracy isn't great. Better limit it to 200MHz

[tirulerbach]

So here it is, the new license code decoder:

Thanks again. I' currently working on a keygen for that beast and run into a small issue, regarding the options bits: 

Code: [Select]

uint32 DecodeLicenseCode(char *licenseCode, uint64& sig1, uint64& sig2)
{
[...]

// option bits
return uint32(RC5Block1 >> 48) | (uint32(licenseBits[34]) << 16);
}

How this binary 32 bit return value gets hashed by the ECC-signature verification?

In reality, because of coding techniques used, only the lower 20 bits are valid of this return value. The higher 12 bits are always zero. In the original non-A code these options were an ASCII string which was hashed character wise. But in the A-models it is a 20 bit binary value.

If I don't miss something more, this detail is the remaining issue which holds me back to complete the keygen... 

As mentioned earlier by zombie28 it would be very helpful if somebody posts an original key for an DS2000-A option. There exists an ambiguity due the license generating. There are about roughly a few dozen possible encoding schemes for a serial and options tuple. 

[marmad]

As mentioned earlier by zombie28 it would be very helpful if somebody posts an original key for an DS2000-A option.

I seriously doubt anyone (at least reading this blog) HAS an original key for the DS2000A. The trial reset bug  (which allowed many original DS2000 owners to get new Trial keys) no longer exists - and no one is buying options anymore.

[Wall-E]

DM3058E Benchtop Multimeter:

I understand that the DM3058E hardware is very similar to, or the same as the DM3068.  And it does look like there is room on the DM3058E's LCD for an additional digit as is on the DM3068.

Is it true that the hardware may be the same, and if so, is there anyway (software/firmware/mod) that the DM3058E could incorporate at least some of the advanced features of the DM3068?

      Wallie

[Mark_O]

I seriously doubt anyone (at least reading this blog) HAS an original key for the DS2000A. The trial reset bug  (which allowed many original DS2000 owners to get new Trial keys) no longer exists - and no one is buying options anymore.

If this is true, then...

There exists an ambiguity due the license generating. There are about roughly a few dozen possible encoding schemes for a serial and options tuple.

Assuming the combinations were not too elaborate (i.e. painful to code), it would still be possible to build a license-gen with those S1-S24 schemes, that generated the full set, then try each until you got a hit.  That would then identify it was S17, for example.  In the absence of any original A-keys, brute force may be the only practical option.  If you had a sense of which combinations may be most likely, you could start with those, and do the rest only if they all failed.