Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 901564 times)

satellit72 and 3 Guests are viewing this topic.

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #475 on: January 01, 2019, 09:16:29 pm »
i beleive that rgwan has done this.  They have hand edited some of the code. The function that checks for the various licenses has been modifyed so that it always returns true.   A old school hack, but none the less very effective.

For some reason hes not wanting to share his hack
On a quest to find increasingly complicated ways to blink things
 

Offline nimish

  • Regular Contributor
  • *
  • Posts: 144
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #476 on: January 01, 2019, 09:38:15 pm »
that is classic binary patching a good but complicated solution. Will it survive a firmware upgrade?
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #477 on: January 01, 2019, 09:41:28 pm »
Only a license file will survive an upgrade.
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #478 on: January 01, 2019, 09:47:52 pm »
Only a license file will survive an upgrade.

Yes, you'd need to go and 'hack' the new binarys. ( assuming they have changed ).    This is of course is unverified as nobody has seen his hack yet, and they seem unwillling to share it. ( I think they feel that Rigol will close the hack if they release it ).    It is very hard to know, who is who, Part of me thinks that Rigol itself might be feeding part of the info in this thread.  The change of password in teh latest fw, was extremely weak. There were lots of things that could have been done ( and simply )...  They theory that they want to be hacked has merit.
On a quest to find increasingly complicated ways to blink things
 

Offline nimish

  • Regular Contributor
  • *
  • Posts: 144
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #479 on: January 01, 2019, 09:53:34 pm »
Only a license file will survive an upgrade.

Yes, you'd need to go and 'hack' the new binarys. ( assuming they have changed ).    This is of course is unverified as nobody has seen his hack yet, and they seem unwillling to share it. ( I think they feel that Rigol will close the hack if they release it ).    It is very hard to know, who is who, Part of me thinks that Rigol itself might be feeding part of the info in this thread.  The change of password in teh latest fw, was extremely weak. There were lots of things that could have been done ( and simply )...  They theory that they want to be hacked has merit.

If it is what you say then the "hack" would simply be to share a patched binary. Not worth it if the "-fullopt" trick still works. If it won't survive an upgrade it's a lot of work each time + clearly needs more patching to pass the firmware upgrade unscathed. I don't blame them. I managed to find some interesting functions but a) radare2 is complicated b) i don't have the time to spelunk more :)


Perhaps more useful would be to dump the Rigol public keys.
« Last Edit: January 01, 2019, 09:55:38 pm by nimish »
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 5680
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #480 on: January 01, 2019, 09:57:25 pm »
Only a license file will survive an upgrade.

Hm-hm....
So it needs to find someone who bought an upgrade ( option-bundle, bandwith or memory) to find the differences before/after upgrading ?

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #481 on: January 01, 2019, 09:59:16 pm »
The change of password in teh latest fw, was extremely weak.
Remember that this firmware has been created before the release of Dave’s teardown video. It was not a reaction to our hacks.
 
The following users thanked this post: mrpackethead

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #482 on: January 01, 2019, 10:01:42 pm »
So it needs to find someone who bought an upgrade ( option-bundle, bandwith or memory) to find the differences before/after upgrading ?
There are license files for the demo mode of the decoders. Location and format of the files are known.
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 5680
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #483 on: January 01, 2019, 10:05:46 pm »
OK, so only the difference between demo/installed is important for a hack who could "survive" FW updates..

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #484 on: January 01, 2019, 10:09:20 pm »
Just updated https://gitlab.com/riglol/rigolee but be warned, as things are being developed, they are not always tested.

SO USE WITH CAUTION AND WARNING. You break stuff, it is your own responsibility.

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #485 on: January 01, 2019, 10:19:58 pm »
@Oliv3r, thanks for the qspi push, but could you fix the missing / at col2 line 1 in qspi_unpack.sh and remove the -eu also?

Sorry; fixed in both scripts :(

I tested my scripts by running them as sh -x <script> so I did miss it

also, been on the clock really and only doing it inbetween jobs (vacation time is just differnt work :D)

As for set -eu; I rather not, I prefer the scripts to fail rather then burn. I am thinking of whether its worth it to add a few tests to catch these things; but they also take .. time.

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #486 on: January 01, 2019, 10:23:36 pm »
I need some high speed signal generators it seems.

Precisely that.

I'll get my scope mid next week,  though i'll not be in teh lab. ( picking it up in teh US, on my way home )..
Can we restore the scope if we brick it yet?

You have to do it with uboot, via serial port (requires open the box). Or JTAG...

First thing is do a NAND dump.

The nand dump is not that important; I think we have enough to re-create it now.

What we do not have, is each users individual /rigol/data directory. I think we best create a script that backs that up.

Secondly, we do not have reliably what's in the SPI flash yet. We have 1 dump and we do not know yet how accurate or reliable it is yet.

So technically; because we have u-boot access via SPI flash we cannot brick anything that's not fixable via UART (IF we have the /rigol/data backup) and until we know what exactly lives there (MAC address for example) that we can restore otherwise (so in the case of the MAC address; DHCP server logs, sticker on the box etc). For other items that are unique to each scope (factory calibration?) we can't restore these.

TL;DR as long as we do not brick the SPI flash, we can always restore via UART.

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #487 on: January 01, 2019, 10:24:39 pm »
Anyone played around with trying to make the fullopt stuff permanent? Tried Radare2 but I am not that great with it and appEntry is huge.
That's because appEntry is a statically compiled binary with everything in it; well almost everything. There's tons of XML output even compiled into the app. Crazy.

The only think I think they are loading externally via dlopen is Qt5.5 ...

Offline oliv3r

  • Frequent Contributor
  • **
  • Posts: 279
  • Country: nl
    • Rigol related stuff!
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #488 on: January 01, 2019, 10:26:08 pm »
Only a license file will survive an upgrade.

Hm-hm....
So it needs to find someone who bought an upgrade ( option-bundle, bandwith or memory) to find the differences before/after upgrading ?
That of course helps a great deal, even if indirectly. And I think it's basically files from /rigol/data ...

Offline nimish

  • Regular Contributor
  • *
  • Posts: 144
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #489 on: January 01, 2019, 10:27:28 pm »
Anyone played around with trying to make the fullopt stuff permanent? Tried Radare2 but I am not that great with it and appEntry is huge.
That's because appEntry is a statically compiled binary with everything in it; well almost everything. There's tons of XML output even compiled into the app. Crazy.

The only think I think they are loading externally via dlopen is Qt5.5 ...
Yeah it has a bunch of crap in it.  Some tantalizing bits including their scpi parser as well. I think they are using ecdsa for key digests which is smart, makes the short keys make more sense.


Sent from my iPhone using Tapatalk
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #490 on: January 01, 2019, 10:34:31 pm »
A byte pacthing solution is the most easy and obvious one, besides the -fullopt feature.

From what I've seen it could be done in a couple of days. Easy for me to believe that rgwan & friends have done it already. Don't discredit them.

A future-proof solution can also be done, it's just a matter of tuning other factors. Probably just as easy.

Discovering how to go beyond the stated features is the hard part (hoping that the HW is able to physically handle it...)

BTW, I'm not buying the theory that Rigol is making things easy on purpose. I believe that we'll see more evidences of that in future updates. Give them time.

 

Online TheSteve

  • Supporter
  • ****
  • Posts: 3743
  • Country: ca
  • Living the Dream
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #491 on: January 01, 2019, 10:42:15 pm »
Hah, how much time would it take to remove sshd?
VE7FM
 

Offline sparkv

  • Newbie
  • Posts: 4
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #492 on: January 01, 2019, 10:44:09 pm »
So it needs to find someone who bought an upgrade ( option-bundle, bandwith or memory) to find the differences before/after upgrading ?
There are license files for the demo mode of the decoders. Location and format of the files are known.

I don't have my instrument yet (mid/late January based on what TE told me), but the DATA partition (mtd1) contains some licensing and calibration information. Someone posted a dump of their NAND partitions so I am working off of that and extracted firmware. They silence the kernel while mounting this partition so it doesn't show up in kernel logs (it is UBIFS). I guess they were going for "out of sight out of mind" approach with that and user partitions.

Code: [Select]
############################################
#Mount key data partition. cost:1s
############################################
/rigol/shell/mount_user_space.sh 0
$TOOLS/beeper

#Don't allow the kernel to output
echo 0 > /proc/sys/kernel/printk


if [ $YourInput -eq '0' ]; then
#########################################################
# mount data partition for Calibration and License data
#########################################################
mount_mtd $SPACE_DATA $SPACE_DATA $DATA_PATH "DATA"
Result=$?
if [ $Result -ne 0 ]; then
if [ $Result -ne 1 ]; then
echo 'mounting DATA partition failed'
/rigol/tools/beeper 1
else
cp /rigol/default/*  $DATA_PATH
fi
fi
fi

The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to it seems based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seems to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

Did anyone try dumping the core to obtain memory dump of appEntry? If busybox was modified to disallow core dumps, there is a version for ARMv7 that is used for Siglent scopes (Zynq platform) that one can drop into /tmp and spawn from there. Should be fairly straight forward. Assuming busybox wasn't modified to disallow the core dumps:
Code: [Select]
cd /tmp
ps -ef | grep appEntry
ulimit -c unlimited
kill -ABRT <appEntry PID>
Core should be dumped and can be copied over to USB jumpdrive for analysis on PC. I'd try this myself if my scope was here.

Another option is to tap into AXI and see if DRAM can be read directly if the full DRAM dump is desired. Their AXI driver API seems fairly simple.

Been lurking around the forums and reading for a long time now, figured I'd register and see if I can contribute to hacking this thing, so Hello is in order.

 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #493 on: January 01, 2019, 10:48:13 pm »
Hah, how much time would it take to remove sshd?

"Roads? Where we're going, we don't need roads."

They can't take away the sshd from the .GEL that I have! And, there are other ways...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #494 on: January 01, 2019, 10:56:11 pm »
The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to it seems based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seems to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

The .hex files have smple CRC32 protecting them but, of course, are of no use.

The key.dat has a ECC Curve + PubKey inside. It's XXTEA encrypted.
The sysvendor.bin is also XXTEA encrypted with another key. Contains info about the scope inside (SN, MAC, etc)

The LICs are related to the key in key.dat.

In hash terms I see evidences only of SHA256 use but may be incomplete.

The memdumps from zynq are not helpful. At least, worse that I expected.
 
The following users thanked this post: sparkv

Offline nimish

  • Regular Contributor
  • *
  • Posts: 144
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #495 on: January 01, 2019, 11:00:22 pm »
The files that seem to be interesting there are not calibration files (.hex), but Key.data, sysvendor.bin and various .lic files. Key.data is read from and written to it seems based on options installed. sysvendor.bin is also read from/written to. Various .lic files are of format <OPTION>;<KEY>. There are also references to ECC cryptography in appEntry, which is what was used before for licensing. I looked at some old code for generating licenses that used ecc crypto and the hash of choice was SHA1 (20 bytes/40 hex characters). New keys seems to be SHA512 (64 bytes/128 hex characters). I could be completely wrong though as I have no way to test any of the stuff until my scope arrives. My Zynq board is in use elsewhere currently.

The .hex files have smple CRC32 protecting them but, of course, are of no use.

The key.dat has a ECC Curve + PubKey inside. It's XXTEA encrypted.
The sysvendor.bin is also XXTEA encrypted with another key. Contains info about the scope inside (SN, MAC, etc)

The LICs are related to the key in key.dat.

In hash terms I see evidences only of SHA256 use but may be incomplete.

The memdumps from zynq are not helpful. At least, worse that I expected.

Yes they finally wised up and just have signed licenses -- however:

1. replace pub key with own pubkey
2. sign own license
3. ? ? ? ?
4. profit

:)


A byte pacthing solution is the most easy and obvious one, besides the -fullopt feature.

From what I've seen it could be done in a couple of days. Easy for me to believe that rgwan & friends have done it already. Don't discredit them.

A future-proof solution can also be done, it's just a matter of tuning other factors. Probably just as easy.

Discovering how to go beyond the stated features is the hard part (hoping that the HW is able to physically handle it...)

BTW, I'm not buying the theory that Rigol is making things easy on purpose. I believe that we'll see more evidences of that in future updates. Give them time.

Yes someone who is competent like rgwan could easily do it--he posted IDA screenshots so he has the right tools. Not all that different from changing the startup shell script to pass "-fullopt" -- both basically bytepatching ;)

Anyway, my scope is going to take a month to arrive (according to Tequipment) so I have plenty of time to try exploring.
 

Offline rgwan

  • Contributor
  • Posts: 24
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #496 on: January 02, 2019, 01:29:21 am »
Well, does anyone noticed that the CH1 and CH3 has overshoot on measuring calibration square wave? And you can't remove it by adjust the probe.
 

Offline rgwan

  • Contributor
  • Posts: 24
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #497 on: January 02, 2019, 01:37:04 am »
Btw, We already have our license generator, But patch the application is necessary, at least this application will send a report contains Sn and license state to Rigol server on power up. If you want your scope keep on the Internet, you have to patch it, otherwise you may lose your warranty.

So, we're waiting for new firmware. When it is ready, then We will ready to release.
 
The following users thanked this post: thm_w, nimish

Offline nimish

  • Regular Contributor
  • *
  • Posts: 144
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #498 on: January 02, 2019, 03:29:06 am »
Btw, We already have our license generator, But patch the application is necessary, at least this application will send a report contains Sn and license state to Rigol server on power up. If you want your scope keep on the Internet, you have to patch it, otherwise you may lose your warranty.

So, we're waiting for new firmware. When it is ready, then We will ready to release.

Wow, that's impressive. How did you guys do it? Did they mess up in the key validation/generation and leave the priv key exposed somehow? Or, knowing Rigol, something dumber :D I wouldn't put these scopes on the internet, given that they have SSH exposed. Best to keep them isolated!
 

Offline justanothername

  • Regular Contributor
  • *
  • Posts: 143
  • Country: at
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #499 on: January 02, 2019, 09:16:10 am »
Well, does anyone noticed that the CH1 and CH3 has overshoot on measuring calibration square wave? And you can't remove it by adjust the probe.

Sorry but I cannot confirm this.
If you want to see something funny, try this:
Connect generator 1 to CH1, enable and change to square. Manually enter 999kHz as frequency then observe the waveform change when increasing to 1MHz.
Not worth 269$.
« Last Edit: January 02, 2019, 02:32:17 pm by justanothername »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf