enjoy
http://pastebin.com/ghYHnCfT
This would not have happened without the JTAG firmware dump from DL5TOR, ECC help from some guy and testing by marc - thanks guys.
PS: the Windows tool makers might want to integrate that into their tool - only the length of the serial & private key differ, the rest is the same! (RILOL!)
I was in another city trying to find a job (no luck) and my PMs blow up about cybernet's latest offering.
I don't have a DSA815, so the only way I could test this code is to compare the output to cybernet's Linux code using Dave's demo unit serial number from his video. So, this code is considered beta.
Edit: Oh yeah, this is the Windows version of the keygen with DS2000 and DSA800 generators.
if (strlen(serial) < 0xd) { fprintf(stderr, "serial has invalid length !\n"); exit(-1); }
#ifdef RIGOL_KEYS
unsigned char prime1[]="AEBF94CEE3E707";
unsigned char prime2[]="AEBF94D5C6AA71";
unsigned char curve_a[]="2982";
unsigned char curve_b[]="3408";
unsigned char point1[]="7A3E808599A525";
unsigned char point2[]="8445B2BE29E5C7";
#endif
#ifdef RIGOL_DSA_KEYS
unsigned char prime1[]="AEBF94CEE3E707";
unsigned char prime2[]="AEBF94D5C6AA71";
unsigned char curve_a[]="2982";
unsigned char curve_b[]="3408";
unsigned char point1[]="7A3E808599A525";
unsigned char point2[]="691213692D18FA";
#endif
I ended up just replacing the ecssign function with yours. I only had to cast a couple unsigned chars and change a parameter name.
Talking of firmware, I would love to get a second DSA firmware (.sys file). If somebody has two versions and is willing to share, let me know.
synapsis
YOU THE MAN!
The other day, jamesb was kind enough to generate keys for me using cybernet's code with his Linux box. I asked him to generate more than one set, but he said that with the 815 keygen the other sets generated were exactly the same. For comparison, I used your Windows software to generate the keys for my serial number and they all match the keys generated by cybernet's code running on the Linux box. Your Windows software is verified good on the first try. GREAT JOB to you, cybernet, DL5TOR, and all that made this happen.
Is it just a myth or real that after three wrong attempts at license key entry the unit is locked and must be sent to China to unlock?
My analyser has a serial number starting with DSA8.... but cybernet's keygen wants to put in a serial number DS2A....
Re. 'Rory' « Reply #933 on: Today at 06:40:51 AM »
Thanks Cybernet and dr.diesel, I'm up and running on all.
The license info still shows the trial options by their keys and their "left time". I assume the trials will disappear once they expire?
_____________________________________________________________
No, it won't go away, and it is too bad because it says that the options were hacked in. This may be a dead give away when a future firmware version is installed. We should look for a way to clean them out, and of course leave the new option license info in place.
The trial key for the VSWR option stayed in after I entered the offical (sic) key I got from RIGOL. So it's not specific to the hacked keys.
MODEL_DSModelType_modify_?_sub_1D6BE2 ROM 001D6BE2 0000005E R . . . . . .
MODEL_MakeDSModelType_sub_9850A ROM 0009850A 00000042 R . . . . . .
MODEL_MakeDSXString_sub_F204E ROM 000F204E 00000056 R . . . . . .
MODEL_Make_sub_F273C ROM 000F273C 000002CC R . . . . . .
MODEL_and_SERIAL_sub_9731C ROM 0009731C 0000005A R . . . . . .
MODEL_createModelTypeString_?_sub_F21BC ROM 000F21BC 00000116 R . . . . . .
MODEL_getDSModelType_sub_F1DE2 ROM 000F1DE2 00000014 R . . . . . .
MODEL_getStr_sub_18F0F4E ROM 018F0F4E 0000000E R . . . . . .
MODEL_getTypeID_sub_18F0EDE ROM 018F0EDE 00000014 R . . . . . .
MODEL_getTypeID_sub_18F0F84 ROM 018F0F84 00000014 R . . . . . .
MODEL_getVendor_sub_18F0F72 ROM 018F0F72 0000000E R . . . . . .
MODEL_makeDSModelType_sub_A9760 ROM 000A9760 0000008C R . . . . . .
MODEL_retDS2XXX_sub_F1E4E ROM 000F1E4E 00000012 R . . . . . .
MODEL_setDSModelType_sub_F26DE ROM 000F26DE 0000005E R . . . . . .
MODEL_set_DSModel_Type_sub_F1E84 ROM 000F1E84 00000018 R . . . . . .
MODEL_sub_19D5CDE ROM 019D5CDE 0000005E R . . . . . .
Some of these functions are not accessible. Hidden menu? Any ideas?
What is official (sic) key? Mine shows as trial.
Those are no menus. These are subs in the firmware; the names are added by cybernet. Read that post 100%, then you will know.
Hi Rory,
What is official (sic) key? Mine shows as trial.
Regards
F
I guess he bought the official key, and now he's sic(k) of it
(The official key shows as "offcial" on the screen, so that is what he tried to type but he made a mistake quoting the mistake...)
The Latin adverb sic ("thus"; in full: sic erat scriptum, "thus was it written") added immediately after a quoted word or phrase (or a longer piece of text), indicates that the quotation has been transcribed exactly as found in the original source, complete with any erroneous spelling or other nonstandard presentation.
/****************************************************
* DS2000 license options reverse bruteforcer
* (c) CyberNet, 2013.
*****************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* maps an ASCII character in '0'..'Z' (index = char - 0x30) to its 5-bit value;
   characters that are not part of the code alphabet map to 0 */
unsigned char codemap_ee00d0[]={ 0x0, 0x0, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x2,
0x3, 0x4, 0x5, 0x6, 0x7, 0x0, 0x8, 0x9, 0xa, 0xb,
0xc, 0x0, 0xd, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14,
0x15,0x16, 0x17 };
/* offset that turns a 4-bit value into its ASCII hex digit */
unsigned char codemap_20688e[]={ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, /* 0-9 = 0x30 */
0x37, 0x37, 0x37, 0x37, 0x37, 0x37 }; /* A-F = 0x37 */
/* the 32-character alphabet an option code is built from (no 0/1/I/O) */
unsigned char vb[]={'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'J', 'K', 'L', 'M', 'N', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '2', '3', '4', '5', '6', '7', '8', '9'};

/*
** convert string to uppercase chars (returns a newly allocated copy)
*/
unsigned char *strtoupper(const unsigned char *str)
{
    unsigned char *newstr, *p;
    newstr = (unsigned char*) strdup((const char*)str);
    if (!newstr) return NULL;
    /* read and write in separate statements: *p++ = toupper(*p) is undefined behaviour */
    for (p = newstr; *p; p++) *p = (unsigned char) toupper(*p);
    return newstr;
}

/*
** single ASCII hex digit to its 4-bit value (not used by the bruteforcer)
*/
unsigned char code_map_206846(unsigned char i)
{
    if ((i >= 'A') && (i <= 'F')) return(i-0x37);
    if ((i >= '0') && (i <= '9')) return(i-0x30);
    return(0x0);
}

/*
** Encryption Routine 1: every group of 4 input characters (5 bits each)
** is regrouped into 5 ASCII hex digits (4 bits each)
*/
unsigned char *lic_code_map(const unsigned char *lic_skipped)
{
    unsigned char lv1,lv2;
    unsigned char b1_mapped, b1_shifted, b1_remapped;
    unsigned char b2_mapped, b2_shifted, b2_remapped;
    unsigned char b3_mapped, b3_shifted, b3_remapped;
    unsigned char b4_mapped, b4_shifted, b4_remapped;
    unsigned char b5_shifted, b5_remapped;
    unsigned char *lic_mapbytes;
    lic_mapbytes=calloc(28, 1);
    if (!lic_mapbytes) return(0);
    lv1=lv2=0;
    while(lv1 < strlen((const char*)lic_skipped))
    {
        b1_mapped = codemap_ee00d0[ *(lic_skipped+lv1) - 0x30 ];
        b1_shifted = (b1_mapped / 2) & 0xf;
        b1_remapped = b1_shifted + codemap_20688e[b1_shifted];
        lic_mapbytes[lv2++]=b1_remapped;
        b1_mapped = b1_mapped & 0x1;
        b2_mapped = codemap_ee00d0[ *(lic_skipped+lv1+1) - 0x30 ];
        b2_shifted = ((b1_mapped << 0x3) | (b2_mapped / 4)) & 0xF;
        b2_remapped = b2_shifted + codemap_20688e[b2_shifted];
        lic_mapbytes[lv2++]=b2_remapped;
        b3_mapped = codemap_ee00d0[ *(lic_skipped+lv1+2) - 0x30 ];
        b3_shifted = ((b3_mapped / 8) | ( (b2_mapped & 0x3) << 2 )) & 0xF;
        b3_remapped = b3_shifted + codemap_20688e[b3_shifted];
        lic_mapbytes[lv2++]=b3_remapped;
        b4_mapped = codemap_ee00d0[ *(lic_skipped+lv1+3) - 0x30 ];
        b4_shifted = ((b4_mapped / 16 ) |((b3_mapped & 0x7) << 0x1)) & 0xf;
        b4_remapped = b4_shifted + codemap_20688e[b4_shifted];
        lic_mapbytes[lv2++]=b4_remapped;
        b5_shifted = b4_mapped & 0xF;
        b5_remapped = b5_shifted + codemap_20688e[b5_shifted];
        lic_mapbytes[lv2++]=b5_remapped;
        lv1 = lv1 + 4;
    }
    return(lic_mapbytes);
}

/*
** search the 4-character input that maps to the given 5-digit code;
** returns a malloc'ed string, or NULL when nothing matches
*/
unsigned char * find_match5(const unsigned char *code5)
{
    unsigned char c1,c2,c3,c4;
    unsigned char *input;
    unsigned char *lic_mapbytes;
    int match;
    input=calloc(40,1);
    if (!input) return NULL;
    /* lets bruteforce it ;-) */
    for (c1=0;c1<sizeof(vb);c1++) {
    for (c2=0;c2<sizeof(vb);c2++) {
    for (c3=0;c3<sizeof(vb);c3++) {
    for (c4=0;c4<sizeof(vb);c4++) {
        input[0]=vb[c1];
        input[1]=vb[c2];
        input[2]=vb[c3];
        input[3]=vb[c4];
        input[4]='\0';
        lic_mapbytes=lic_code_map(input);
        if (!lic_mapbytes) { free(input); return NULL; }
        match = !strcmp((char*)lic_mapbytes, (const char*)code5);
        free(lic_mapbytes);   /* one allocation per candidate, do not leak it */
        if (match)
        {
            printf(" Match found with map bytes: %s\n\n", input);
            return(input);
        }
    }
    }
    }
    }
    free(input);
    return NULL; // no match
}

int main(int argc, char *argv[])
{
    unsigned char *lic_code;
    unsigned char *match;
    size_t lic_code_len;
    if (argc != 2) { fprintf(stderr, "usage: %s <5 character option code>\n", argv[0]); exit(-1); }
    lic_code=strtoupper((unsigned char*)argv[1]);
    if (!lic_code) exit(-1);
    printf("target-code: %s\n", lic_code);
    lic_code_len=strlen((char*)lic_code);
    if (lic_code_len < 5) { fprintf(stderr, "code is too short !\n"); exit(-1); }
    if (lic_code_len > 5) { fprintf(stderr, "code is too long !\n"); exit(-1); }
    match = find_match5(lic_code);
    free(lic_code);
    if (!match) { printf(" No match found\n\n"); return(-1); }
    free(match);
    return(0);
}
Hahaha you're right. I make a lot of mistakes...
But not this time. They actually spelt it 'offical' !