Author Topic: Sniffing the Rigol's internal I2C bus

Offline Wall-E

  • Contributor
  • Posts: 36
  • Country: nl
  • Stijn
Re: Sniffing the Rigol's internal I2C bus
« Reply #900 on: August 13, 2013, 10:34:35 pm »
Re.  'Rory'   « Reply #933 on: Today at 06:40:51 AM »
      Thanks Cybernet and dr.diesel, I'm up and running on all.
      The license info still shows the trial options by their keys and their "left time". I assume the trials will disappear once they expire?
_____________________________________________________________

No, it won't go away, and it is too bad because it says that the options were hacked in. This may be a dead giveaway when a future firmware version is installed. We should look for a way to clean them out, and of course leave the new option license info in place.
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 993
Re: Sniffing the Rigol's internal I2C bus
« Reply #901 on: August 13, 2013, 11:28:52 pm »
Quote
Still cannot get :SYST:OPT:INST to work correctly from SCPI command line.

The proper VISA command is, ":SYSTem:LKEY <license key>" without hyphens in the license
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 993
Re: Sniffing the Rigol's internal I2C bus
« Reply #902 on: August 13, 2013, 11:46:40 pm »
Quote
Maybe not the correct thread to ask... but looking at the phase noise data on the DSA815 it is not that spectacular at close in, is the 10 Hz RBW really that useful? It seems several forum members mention that the 10 Hz filter does make a difference when trying to resolve signals. I would love to see a plot showing the improvement. Any taker??

Here is a screenshot showing a typical noise floor for the DSA815 with 10Hz RBW @ a span of 100Hz, with the pre-amplifier enabled. Notice that even at a span of 100Hz, the sweep time is 1 second for this RBW.

Also, to illustrate where having such a low RBW can be useful, I have included two captures of an FM modulated signal with sidebands at 30Hz from the carrier frequency. With the 10Hz RBW you can clearly see the two sidebands; however, in the 100Hz RBW shot, only a single dirac can be seen.
« Last Edit: August 14, 2013, 12:16:09 am by olsenn »
 

Offline Rory

  • Frequent Contributor
  • **
  • Posts: 410
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #903 on: August 14, 2013, 03:32:36 am »
Quote
Still cannot get :SYST:OPT:INST to work correctly from SCPI command line.

The proper VISA command is, ":SYSTem:LKEY <license key>" without hyphens in the license

That was exactly what I used, did not work for me. Did anyone else have success with this on the DSA815-TG?
 

Offline Marc M.

  • Regular Contributor
  • *
  • Posts: 132
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #904 on: August 14, 2013, 06:39:09 am »
Quote
Still cannot get :SYST:OPT:INST to work correctly from SCPI command line.

The proper VISA command is, ":SYSTem:LKEY <license key>" without hyphens in the license

That was exactly what I used, did not work for me. Did anyone else have success with this on the DSA815-TG?

I haven't had any luck either.  The key entry dialog box pops up, but no text gets entered.  When I look under SYSTEM/INFORMATION/SYSTEM MSG I get:
"331     Invalid Option Serial Number."
 
Edit:  I found the list of error messages in the back of the manual.  For 331 it states: "The length of option serial number must be less than 20 characters."  The generated keys are 28 characters in length so you can't set it via SCPI without triggering this error message.  :-// 
/Edit

I thought that may indicate you need to provide the option number for the key you are entering.  I tried various formats/positions of option numbers and keys with no luck.  I'm not sure if the fact I already have the options enabled is causing issues.  I then tried to uninstall the options but haven't been able to find anything that works for that either.  Has anyone had any success in uninstalling the 815 options?
« Last Edit: August 14, 2013, 08:57:50 am by Marc M. »
Don't replace the cap, just empty the filter!
 

Offline Mr Simpleton

  • Supporter
  • ****
  • Posts: 302
  • Country: se
  • Not the sharpest knife in the drawer
Re: Sniffing the Rigol's internal I2C bus
« Reply #905 on: August 14, 2013, 08:53:14 am »
Here is a screenshot showing a typical noise floor for the DSA815 with 10Hz RBW @ a span of 100Hz, with the pre-amplifier enabled. Notice that even at a span of 100Hz, the sweep time is 1 second for this RBW.

Also, to illustrate where having such a low RBW can be useful, I have included two captures of an FM modulated signal with sidebands at 30Hz from the carrier frequency. With the 10Hz RBW you can clearly see the two sidebands; however, in the 100Hz RBW shot, only a single dirac can be seen.

Thanks for taking the time to do a measurement! I can clearly see the 10 Hz RBW can be useful when looking for 50/60 Hz sidebands!  :clap:

The DSA815 looks more and more like a useful addition to my workbench...  8)
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 399
  • Country: us
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #906 on: August 14, 2013, 12:28:36 pm »
Is there a Windows Keygen available for the DSA815 Options?
 

Offline dr.diesel

  • Super Contributor
  • ***
  • Posts: 2214
  • Country: us
  • Cramming the magic smoke back in...
Re: Sniffing the Rigol's internal I2C bus
« Reply #907 on: August 14, 2013, 12:30:06 pm »
Is there a Windows Keygen available for the DSA815 Options?

Nope, not yet.

Online tom66

  • Super Contributor
  • ***
  • Posts: 6723
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Sniffing the Rigol's internal I2C bus
« Reply #908 on: August 14, 2013, 12:35:24 pm »
Would there be any complaint if I compiled the gcc version of the DSA815 keygen and posted a PHP interface on the 'net? Too easy for "noobs"? 

Was being seriously tempted by DS1000Z vs DS2000 (4channel 100MHz looks very nice) but from what I've read, they aren't yet hackable (no key?), though it does appear to use the same firmware so only a matter of time. If I bought one, I may be tempted to try sniffing the private key, but I only have a basic logic analyser from Seeed, nothing fancy like a Saleae.  Do I need to dump firmware to find the private key?
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 993
Re: Sniffing the Rigol's internal I2C bus
« Reply #909 on: August 14, 2013, 01:20:00 pm »
Quote
If I bought one, I may be tempted to try sniffing the private key, but I only have a basic logic analyser from Seeed, nothing fancy like a Saleae.  Do I need to dump firmware to find the private key?

A logic analyzer won't help you here; you need to dump the firmware of the Blackfin MCU and extract the keys which are left in plain-text. The private key I believe needs to be brute forced / calculated with a tool on the web. Ask the user, "cybernet" for details; he is the one who knows what to do :)
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6723
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Sniffing the Rigol's internal I2C bus
« Reply #910 on: August 14, 2013, 01:23:01 pm »
One question, from what (little) I know of public-private encryption, why do they make the private key available on the widget which is given to the customer? Or am I missing something? Surely you'd put the public key in the widget, which can only decrypt the option key. The private key, used to generate the option key, can be kept secret in Rigol's head office and used only to generate new option keys. Is it not a little back-asswards?
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5139
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #911 on: August 14, 2013, 01:49:35 pm »
One question, from what (little) I know of public-private encryption, why do they make the private key available on the widget which is given to the customer? Or am I missing something? Surely you'd put the public key in the widget, which can only decrypt the option key. The private key, used to generate the option key, can be kept secret in Rigol's head office and used only to generate new option keys. Is it not a little back-asswards?

As far as I followed the discussion the private key is not available in the firmware, the public key is. The way they implemented the encryption makes it relatively easy to calculate the private key.
Keyboard error: Press F1 to continue.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6723
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Sniffing the Rigol's internal I2C bus
« Reply #912 on: August 14, 2013, 01:54:23 pm »
Ah OK. So if I were to dump the firmware, and I knew where to look, I could find a public key?
 

Offline jamesb

  • Regular Contributor
  • *
  • Posts: 54
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #913 on: August 14, 2013, 02:02:48 pm »
Yes, and then knowing the encryption scheme and any weaknesses, you can compute the private key knowing the public key and a cipher-protected datagram.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6723
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Sniffing the Rigol's internal I2C bus
« Reply #914 on: August 14, 2013, 02:07:08 pm »
So... This sounds like a challenge.  :)

Do we need to dump the firmware from the Blackfin, or will Rigol's own "download update" USB files do? They include the FPGA bitstream, main firmware, etc... but I do not know if the crypto is kept on a hidden partition (or similar) on the flash, or perhaps even in on-chip ROM.

Surely one way of doing this would be to replace the public key with one of our own? Thus circumventing the need to break any private key. Are the public keys signed by Rigol?
 

Offline DL5TOR

  • Contributor
  • Posts: 35
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #915 on: August 14, 2013, 04:00:22 pm »
So... This sounds like a challenge.  :)

Do we need to dump the firmware from the Blackfin, or will Rigol's own "download update" USB files do? They include the FPGA bitstream, main firmware, etc... but I do not know if the crypto is kept on a hidden partition (or similar) on the flash, or perhaps even in on-chip ROM.

Surely one way of doing this would be to replace the public key with one of our own? Thus circumventing the need to break any private key. Are the public keys signed by Rigol?

If you do a bfin dump then the public keys are in there in plain text. All you need is a JTAG cable ($20+) that is compatible with urjtag.

Sometimes it is also in the update file.
- If the file is a *.gel file then there is a chance that it is in there.
- If it is a *.sys file then it will not be in there.

Edit:

The keys are in the SDRAM part of the firmware (that is how it is in the DS2k and the DSA815).

I hope this helps.

73 de DL5TOR
« Last Edit: August 14, 2013, 04:03:06 pm by DL5TOR »
 

Offline Rory

  • Frequent Contributor
  • **
  • Posts: 410
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #916 on: August 14, 2013, 04:21:16 pm »
Re.  'Rory'   « Reply #933 on: Today at 06:40:51 AM »
      Thanks Cybernet and dr.diesel, I'm up and running on all.
      The license info still shows the trial options by their keys and their "left time". I assume the trials will disappear once they expire?
_____________________________________________________________

No, it won't go away, and it is too bad because it says that the options were hacked in. This may be a dead give away when a future firmware version is installed. We should look for a way to clean them out, and of course leave the new option license info in place.

The trial key for the VSWR option stayed in after I entered the offical (sic) key I got from RIGOL.  So it's not specific to the hacked keys.
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 2185
Re: Sniffing the Rigol's internal I2C bus
« Reply #917 on: August 14, 2013, 05:43:07 pm »
Was being seriously tempted by DS1000Z

Does anyone have a DS1000Z firmware file yet?
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #918 on: August 14, 2013, 05:48:49 pm »
Talking of firmware, I would love to get a 2nd DSA firmware (.sys file). If somebody has 2 versions and is willing to share, let me know.
An IDA loader for it would help for future updates they might do.
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6723
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Sniffing the Rigol's internal I2C bus
« Reply #919 on: August 14, 2013, 06:04:50 pm »
Since the DS1000Z has an i.MX processor from Freescale, can the firmware be dumped in the same way as the Blackfin?
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #920 on: August 14, 2013, 06:07:58 pm »
Since the DS1000Z has an i.MX processor from Freescale, can the firmware be dumped in the same way as the Blackfin?

Yes, but Freescale stuff can usually be locked down quite a bit (ECU, automotive stuff), so somebody would need to try it to be sure.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6723
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Sniffing the Rigol's internal I2C bus
« Reply #921 on: August 14, 2013, 06:13:32 pm »
Hmm. May have to see if DS1000Z firmware turns up then e.g. firmware update.
 

Offline Maalobs

  • Contributor
  • Posts: 16
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #922 on: August 14, 2013, 08:12:33 pm »
Cybernet, can you describe what hardware- and software-tools you used for finding and dumping the firmware from the DS2072?
I gather that an Amontec JTAGkey-Tiny was involved, but what software did you use to analyse the internals of the scope and dump the firmwares?
Did you use any other resources for that part of the operation?
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 247
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #923 on: August 14, 2013, 08:19:18 pm »
Cybernet, can you describe what hardware- and software-tools you used for finding and dumping the firmware from the DS2072?
I gather that an Amontec JTAGkey-Tiny was involved, but what software did you use to analyse the internals of the scope and dump the firmwares?
Did you use any other resources for that part of the operation?

All in the thread ... either the custom Rigol .GEL file loader + IDA Pro (would have worked, but cumbersome to start with) - and JTAG + uClinux gdb bridge, memory dumps imported into IDA Pro - and lots of brain.
JTAG has the benefit that you can observe the device ... bp's/wp's, data inspection - the DSA stuff was a quick win, because it was clear after looking at DL5's dump for 10 mins that they are using exactly the same setup (however the code style is different, they used another compiler or other flags) - finding the parameters, or better said verifying them, took another 5 mins ;-)
That's why I'm working on FLIRT signatures for IDA, which will allow any other BF-based Rigol device to be investigated much more easily. Cracking the bootloader would also be nice - I'd still love to see what's in their flash-based filesystem (probably the way to go for the DG4XXX's).
 

Offline Rory

  • Frequent Contributor
  • **
  • Posts: 410
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #924 on: August 14, 2013, 08:34:34 pm »
Now if we could figure out how to change the text color on the DS2000 FFT display so you can read it when the noise is behind it...
 
