Anybody who can't see that might want to make an appointment with the optician.
PS: There's a DS1000Z variant that is locked down - the one with the built-in AWG. They obviously decided not to let anybody have that for free, then repented with the MSO5000 and allowed it again.
This time, the way things were done it's not "the same way".
Regarding your pretty secure "DS1000Z variant": I've told you more than once that it's also fully "licensed". It's just not with riglol. It's with an upgraded version of rigup.
That doesn't deviate me from saying that this time it was a pretty bad implementation. Time will tell.
PS: There's a DS1000Z variant that is locked down - the one with the built-in AWG. They obviously decided not to let anybody have that for free, then repented with the MSO5000 and allowed it again.
Well not exactly... You don't make a distinction between the ability to generate fully valid licenses and the possibility of patching the scope's application. And there is a difference: with a full license generator, once you unlock the scope it is practically not hacked but in the same state as if it were "real" licenses. After that you keep applying updates and don't care.
With patched scope application, after every FW update, you need to patch that one again before it is "enabled". So every time you rely on few "gurus" to do that for the rest of users. If they don't patch it, you stay on old FW until someone does. And in next FW it might be better protected.
Old DS1000Z had Riglol and you could create fully valid licenses and you were good forever.
With MSO5000, it needs a new patch every FW update... This is the same as with the Keysight InfiniiVision patch that is popular...
End result might be the same but one is much less effort..
And let me add this thought:
I was trying to give my contribution in order to bring some "good things" regarding this new HDO but as things turned out, AlphaRne did a pretty fast and effective job.
The sloppiness of this security/licensing implementation makes me worry: once again, how can we be sure that the rest of the code doesn't have problems of such caliber? In my mind, what I saw here doesn't bring me any comfort in the coding.
Let's consider that it was management deciding that it was necessary to put the thing out the door in a rush... But, nonetheless, the code/features were all in there so it could have been rushed out properly - in the end they could insert the same key for everyone but it would have been done correctly.
Using some bytes of a key from an already used/tested ECC implementation in an AES-ECB algo shows that the guy had no clue of what he was doing. And that there is no control over this.
What I saw in the MSO and RSA was well done. Of course, it was bypassed by a patch. It's even bypassed by a keygen but that's for another day... The brand that thinks it's protected can throw the first rock.
Because the "sloppiness" is deliberate?
Are you powered by Duracell?
Regarding your pretty secure "DS1000Z variant": I've told you more than once that it's also fully "licensed". It's just not with riglol. It's with an upgraded version of rigup.
It's not impossible but it's much more difficult, you need to open it up and extract the private internal key before you can use the keygen.
It's not impossible but it's much more difficult, you need to open it up and extract the private internal key before you can use the keygen.
How the heck do you think people accessed the HDO?
It's not impossible but it's much more difficult, you need to open it up and extract the private internal key before you can use the keygen.
How the heck do you think people accessed the HDO?
He hasn't any idea, he's powered by Duracell.
AlphaRne,
This is my parsing of the FRAM that I have access to:
...
Do you know what are the UInt16 fields in the Block2? Do you know if their data contents has any XXTEA encryption or other?
I didn't spend much more time decoding all the fields, but it doesn't seem to use any encryption, it just more or less copies the config structures into the FRAM. In your dump the number before DataSz is just the uncompressed size of the payload, which is zlib compressed if the size is above 32. And the first field after the address is actually 2 independent bytes, with a 01 in the higher part if the data isn't compressed. The other byte seems to be the id of the service belonging to that data. Further, the 3rd byte in the raw structure is hard coded as 0 in the firmware and I didn't look into the other fields ...
00000808
001C 0004
0109 DataSz: 003C BlockSz: 0040 [00000814-00000853]
0000089D
011A 00F0
001F DataSz: 001F BlockSz: 001F [000008A9-000008C7]
Refreshing the FRAM dump...
00000000 Block_0 CRC32: 530E7D6A [00000008-0000008B] CRC OK
00000004 Block_0 Size: 00000084 bytes
00000100 Block_1 Size: 000000B0 bytes [00000100-000001AF] CKSM OK
-------------------------------------------------------------
00000108 Option: 0000091D CKSM OK
00000110 Option Size: 00000094 bytes CKSM OK
00000118 Option CRC32: 06131D97 [0000011C-000001AF] CRC OK
Key.data: brainpoolP256r1;04xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------------------------------------------------------
00000800 Block_2 CRC32: 7BAF99DF [00000808-00001143] CRC OK
00000804 Block_2 Size: 0000093C bytes
-------------------------------------------------------------
00000808 1C 00 0004 UncompSz: 0109 CompSz: 003C TotSz: 0040 [00000814-00000853] ***** 1C *****
0100000001000000000000000000000001000000000000005A0000000000000032000000000000000A0000000000000079D1F008000000000000000000000000
872E0FF7FFFFFFFF5A0000000000000032000000000000000A0000000000000080D1F008000000000000000000000000802E0FF7FFFFFFFF5A00000000000000
32000000000000000A0000000000000080D1F008000000000000000000000000802E0FF7FFFFFFFF5A0000000000000032000000000000000A00000000000000
80D1F008000000000000000000000000802E0FF7FFFFFFFF00000000C800000000000000200300000000000000000000000000000000000000000000000000E8
030000000000000000
00000854 0B 00 0011 UncompSz: 002F CompSz: 002F TotSz: 0030 [00000860-0000088F] ***** Rigol Scope *****
00010000000001240B0000005269676F6C2053636F7065240E0000002F646174612F55736572446174610000000000
00000890 28 01 0001 UncompSz: 0001 CompSz: 0001 TotSz: 0001 [0000089C-0000089C] ***** 28 *****
00
0000089D 1A 01 00F0 UncompSz: 001F CompSz: 001F TotSz: 001F [000008A9-000008C7] ***** 1A *****
00000000000000000000000032000000320000005000000001000132000000
000008C8 04 00 0002 UncompSz: 004C CompSz: 0020 TotSz: 0020 [000008D4-000008F3] ***** CH4 *****
0080F0FA02000000000000000000000000000000000001000000000000000000000000000000000000000000000000030000002403000000434834000C000000
000000000000000000000000
000008F4 03 00 0002 UncompSz: 004C CompSz: 0020 TotSz: 0020 [00000900-0000091F] ***** CH3 *****
0080F0FA02000000000000000000000000000000000001000000000000000000000000000000000000000000000000030000002403000000434833000C000000
000000000000000000000000
00000920 02 00 0002 UncompSz: 004C CompSz: 0020 TotSz: 0020 [0000092C-0000094B] ***** CH2 *****
0080F0FA02000000000000000000000000000000000001000000000000000000000000000000000000000000000000030000002403000000434832000C000000
000000000000000000000000
0000094C 01 00 0002 UncompSz: 0054 CompSz: 0021 TotSz: 0030 [00000958-00000987] ***** CH1 *****
0180F0FA020000000000000000000000000000000000010000000000000000000000000000000000000000000000000300000024030000004348310000000000
010000000C000000000000000000000000000000
00000988 1C 00 0004 UncompSz: 0109 CompSz: 0037 TotSz: 0040 [00000994-000009D3] ***** 1C *****
0100000002000000000000000000000001000000000000005A0000000000000032000000000000000A0000000000000080D1F008000000000000000000000000
802E0FF7FFFFFFFF5A0000000000000032000000000000000A0000000000000080D1F008000000000000000000000000802E0FF7FFFFFFFF5A00000000000000
32000000000000000A0000000000000080D1F008000000000000000000000000802E0FF7FFFFFFFF5A0000000000000032000000000000000A00000000000000
80D1F008000000000000000000000000802E0FF7FFFFFFFF00000000C800000000000000200300000000000000000000000000000000000000000000000000E8
030000000000000000
000009D4 1D 00 0001 UncompSz: 0029 CompSz: 001F TotSz: 0020 [000009E0-000009FF] ***** 1D *****
00010000000100000004000000000000000000000200000000000000000100000000406352BFC60100
00000A00 1E 01 0002 UncompSz: 001F CompSz: 001F TotSz: 001F [00000A0C-00000A2A] ***** 1E *****
000100000000000000000000000000000000000000000000CA9A3B00000000
00000A2B 16 00 0001 UncompSz: 00B2 CompSz: 0040 TotSz: 0040 [00000A37-00000A76] ***** REF 1-10 *****
00000000000001000000000400000024040000005245463100000000030000002404000000524546320000000002000000240400000052454633000000000100
00002404000000524546340000000000000000240400000052454635000000000400000024040000005245463600000000030000002404000000524546370000
0000020000002404000000524546380000000001000000240400000052454639000000000000000024050000005245463130
00000A77 15 00 0003 UncompSz: 0078 CompSz: 0030 TotSz: 0030 [00000A83-00000AB2] ***** 15 *****
0000000000000000010000000500000003000000C80000002003000040000000C0010000C80000002003000040000000C0010000C80000002003000040000000
C001000000000000010000000100000001000000020000000100000040000000C0010000C001000040000000C0010000400000006564000D
00000AB3 2A 00 0006 UncompSz: 01B2 CompSz: 006E TotSz: 0070 [00000ABF-00000B2E] ***** 2A *****
00000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000
00000000000000000000000001000000010001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100
00000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100
00000100000001000000010000000100000001000000000000008025000008000000000000000000000000000000000000010000000200000000010000000002
000000000000000300000000010800000000CA9A3B0000000001010100000040420F0040420F0001000000320000003200000001000000004B00000002000000
01010000000002000000030000000000000000040000000400000001000000010100000080969800000000000100000000000000010000000114000000C0C62D
0000000000060000000101000000A08601000000000000000000010000000100000001000000020000000100000000389C1C
00000B2F 2B 00 0006 UncompSz: 0192 CompSz: 006C TotSz: 0070 [00000B3B-00000BAA] ***** 2B *****
00000000000000000000000000010000000000010000000000000000000000000000000000000000000000000100000001000100000001000000010000000100
00000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100
00000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000000000000802500000800
0000000000000000000000000000000000010000000200000000010000000002000000000000000300000000010800000000CA9A3B0000000001010100000040
420F0040420F0001000000320000003200000001000000004B000000020000000101000000000200000003000000000000000004000000040000000100000001
0100000080969800000000000100000000000000010000000114000000C0C62D0000000000060000000101000000A08601000000000000000000010000000100
000001000000020000000100000000389C1C
00000BAB 2C 00 0006 UncompSz: 0192 CompSz: 006C TotSz: 0070 [00000BB7-00000C26] ***** 2C *****
00000000000000000000000000010000000000010000000000000000000000000000000000000000000000000100000001000100000001000000010000000100
00000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100
00000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000000000000802500000800
0000000000000000000000000000000000010000000200000000010000000002000000000000000300000000010800000000CA9A3B0000000001010100000040
420F0040420F0001000000320000003200000001000000004B000000020000000101000000000200000003000000000000000004000000040000000100000001
0100000080969800000000000100000000000000010000000114000000C0C62D0000000000060000000101000000A08601000000000000000000010000000100
000001000000020000000100000000389C1C
00000C27 2D 00 0006 UncompSz: 0192 CompSz: 006C TotSz: 0070 [00000C33-00000CA2] ***** 2D *****
00000000000000000000000000010000000000010000000000000000000000000000000000000000000000000100000001000100000001000000010000000100
00000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100
00000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000000000000802500000800
0000000000000000000000000000000000010000000200000000010000000002000000000000000300000000010800000000CA9A3B0000000001010100000040
420F0040420F0001000000320000003200000001000000004B000000020000000101000000000200000003000000000000000004000000040000000100000001
0100000080969800000000000100000000000000010000000114000000C0C62D0000000000060000000101000000A08601000000000000000000010000000100
000001000000020000000100000000389C1C
00000CA3 11 00 0005 UncompSz: 00C8 CompSz: 0066 TotSz: 0070 [00000CAF-00000D1E] ***** Math1 *****
00000000000000000000000024050000004D617468310001010101010065CD1D0000000000C817A80400000000E40B540200000000000000000000000010A5D4
E8000000005039278C04000000A0724E18090000000000000000000000A0724E18090000000057D3470100000000D2496B000000000005000000000000000500
00000102010100000000000000000103000000000000000000000000000000000000000000000000000000000000000040420F0000000000FAFFFFFF00000000
00000000FAFFFFFF
00000D1F 12 00 0005 UncompSz: 00C8 CompSz: 0066 TotSz: 0070 [00000D2B-00000D9A] ***** Math2 *****
00000000000000000000000024050000004D617468320001010101010065CD1D0000000000C817A80400000000E40B540200000000000000000000000010A5D4
E8000000005039278C04000000A0724E18090000000000000000000000A0724E18090000000057D3470100000000D2496B000000000005000000000000000500
00000102010100000000000000000103000000000000000000000000000000000000000000000000000000000000000040420F0000000000FAFFFFFF00000000
00000000FAFFFFFF
00000D9B 13 00 0005 UncompSz: 00C8 CompSz: 0066 TotSz: 0070 [00000DA7-00000E16] ***** Math3 *****
00000000000000000000000024050000004D617468330001010101010065CD1D0000000000C817A80400000000E40B540200000000000000000000000010A5D4
E8000000005039278C04000000A0724E18090000000000000000000000A0724E18090000000057D3470100000000D2496B000000000005000000000000000500
00000102010100000000000000000103000000000000000000000000000000000000000000000000000000000000000040420F0000000000FAFFFFFF00000000
00000000FAFFFFFF
00000E17 14 00 0005 UncompSz: 00C8 CompSz: 0066 TotSz: 0070 [00000E23-00000E92] ***** Math4 *****
00000000000000000000000024050000004D617468340001010101010065CD1D0000000000C817A80400000000E40B540200000000000000000000000010A5D4
E8000000005039278C04000000A0724E18090000000000000000000000A0724E18090000000057D3470100000000D2496B000000000005000000000000000500
00000102010100000000000000000103000000000000000000000000000000000000000000000000000000000000000040420F0000000000FAFFFFFF00000000
00000000FAFFFFFF
00000E93 29 00 0003 UncompSz: 0552 CompSz: 00A1 TotSz: 00B0 [00000E9F-00000F4E] ***** 29 *****
0100000000000000000000000000000000000000000000000000127A000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004E725300000000004E725300
000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300
000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300
000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300
000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E72530000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000100000000000000010000000000000001000000009435770000000000
CA9A3B00000000010000000000000001000000009435770000000000CA9A3B000000000100000000000000000000000000000001000000020000000200000002
00000002000000020000000200000002000000020000000200000002000000020000000200000002000000020000000200000002000000020000000200000002
00000002000000020000000000000002000000020000000200000002000000020000000200000002000000020000000200000002000000020000000200000002
0000000200000002000000020000000200000002000000020000000200000002000000000000000100000001000000009435770000000000CA9A3B0000000001
0000000000000000CA9A3B00000000010000000000000000000000009435770000000000CA9A3B00000000010000000000000000CA9A3B000000000000000001
0000000100000001000000020000000000000000CA9A3B0000000000943577000000000000000000000000000000000000000000000000010000000200000000
00000000CA9A3B0000000000943577000000000100000000CA9A3B00000000010000000000000000000000010000008025000000000000000000000007000000
000000000000000000000000000000000000000000000000010000000200000000000000000000000000000000000000010000000000000000000000FFFFFFFF
24080000005858585858585858010000000200000003000000000000000000000000000000000000000700000000CA9A3B000000002408000000585858585858
5858080000000000000000000000000000000100000000000000000100000040420F0040420F0000000000000000000000000000000000000000000000000000
000000000000000000320000003200000000000000000000000000000024080000005858585858585858240C0000005858582058585858585858580000000000
00000000000000000000000000000000000000000000000100000080250000020000000000000000000000000000000000000000000000000000003200000001
000000240800000058585858585858580000000001000000020000000300000000000000000000000000000004000000040000000000000000000000FFFF0000
240400000058585858240400000058585858
00000F4F 2F 00 0011 UncompSz: 0049 CompSz: 0037 TotSz: 0040 [00000F5B-00000F9A] ***** Network Config *****
240E0000003139322E3136382E3130302E3635240D0000003235352E3235352E3235352E30240D0000003139322E3136382E3130302E31240D0000003231372E
32392E3134342E3635
00000F9B 0C 01 0001 UncompSz: 0015 CompSz: 0015 TotSz: 0015 [00000FA7-00000FBB] ***** 0C *****
000000000100000000000100010000000002000000
00000FBC 23 01 0003 UncompSz: 0008 CompSz: 0008 TotSz: 0008 [00000FC8-00000FCF] ***** 23 *****
0100000164000000
00000FD0 2E 00 0010 UncompSz: 0034 CompSz: 0020 TotSz: 0020 [00000FDC-00000FFB] ***** 2E *****
0000010000000000000000000000E7030000180000000C000000000100CA9A3B0000000000000000000000000100000000000000
00000FFC 0E 00 0010 UncompSz: 0030 CompSz: 0023 TotSz: 0030 [00001008-00001037] ***** 0E *****
0001000080969800000000000000000000407A10F35A0000000000000100000000000000010000000A000000E8030000
00001038 1B 01 000D UncompSz: 0010 CompSz: 0010 TotSz: 0010 [00001044-00001053] ***** 1B *****
00000000010000000000000007000000
00001054 19 00 0005 UncompSz: 01F6 CompSz: 0023 TotSz: 0030 [00001060-0000108F] ***** 19 *****
00000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000004E725300000000004E725300000000004E725300000000004E72530000
0000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E72530000
0000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E72530000
0000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E725300000000004E72530000
0000004E725300000000004E725300000000004E725300000000004E725300000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000100000000000000010000000000000001000000009435770000000000CA9A3B00000000
00001090 1F 00 0003 UncompSz: 0050 CompSz: 002E TotSz: 0030 [0000109C-000010CB] ***** 1F *****
00000000E8030000E8030000000000005A000000320000000A000000E0930400000000000000000000000000206CFBFFFFFFFFFF010000000000000001000000
02000000000000000500000000000000
000010CC 3A 00 0003 UncompSz: 005F CompSz: 002A TotSz: 0030 [000010D8-00001107] ***** 3A *****
000000000064000000000000000080E03779C3110002000000000100000000000000000000000000000000000000000000000000020000000000000001000000
000000000A00000000000000000400000000010000000A0000006400000000
00001108 0A 00 0005 UncompSz: 005C CompSz: 0026 TotSz: 0030 [00001114-00001143] ***** 0A *****
02000000000000000000000000000000000000000000009435770000000000000000000000000065CD1D00000000000000000000000002000000000000000002
00000006000000010000000064000000000000000010A5D4E8000000
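The listing above can be re-parsed and cross-checked programmatically, which is a quick way to catch a wrong size field or a mis-decoded record before drawing conclusions from the dump. This is an added example, not code from the thread, from AlphaRne or from Rigol: it reads the decoded listing format printed above (where the hex lines are the already-decompressed payloads), checks the printed UncompSz/CompSz/TotSz and address ranges against each other, applies AlphaRne's stored-raw-vs-zlib rule to raw record bytes, and pulls out the readable strings. Two things in it are my inferences from the listing rather than statements in the thread, and are labelled as such in the code: the 12-byte record header (the payload range starts 0xC past each record address) and the `'$'` + little-endian u32-length string encoding visible in the "Rigol Scope", "CH4" and network-config payloads. The sample records are copied from the listing.

```python
import re
import struct
import zlib
from dataclasses import dataclass

# Constructed sample: four records copied from the listing above. The hex lines
# are the already-decompressed payloads, exactly as the poster printed them.
SAMPLE_LISTING = """\
00000854 0B 00 0011 UncompSz: 002F CompSz: 002F TotSz: 0030 [00000860-0000088F] ***** Rigol Scope *****
00010000000001240B0000005269676F6C2053636F7065240E0000002F646174612F55736572446174610000000000
00000890 28 01 0001 UncompSz: 0001 CompSz: 0001 TotSz: 0001 [0000089C-0000089C] ***** 28 *****
00
000008C8 04 00 0002 UncompSz: 004C CompSz: 0020 TotSz: 0020 [000008D4-000008F3] ***** CH4 *****
0080F0FA02000000000000000000000000000000000001000000000000000000000000000000000000000000000000030000002403000000434834000C000000
000000000000000000000000
00000F4F 2F 00 0011 UncompSz: 0049 CompSz: 0037 TotSz: 0040 [00000F5B-00000F9A] ***** Network Config *****
240E0000003139322E3136382E3130302E3635240D0000003235352E3235352E3235352E30240D0000003139322E3136382E3130302E31240D0000003231372E
32392E3134342E3635
"""

HEX = "[0-9A-F]"
HEADER_RE = re.compile(
    rf"^(?P<addr>{HEX}{{8}}) (?P<sid>{HEX}{{2}}) (?P<raw>{HEX}{{2}}) (?P<field>{HEX}{{4}}) "
    rf"UncompSz: (?P<uncomp>{HEX}{{4}}) CompSz: (?P<comp>{HEX}{{4}}) TotSz: (?P<tot>{HEX}{{4}}) "
    rf"\[(?P<start>{HEX}{{8}})-(?P<end>{HEX}{{8}})\] \*{{5}} (?P<label>.*?) \*{{5}}$"
)
# Assumption (inferred from the listing, not stated in the thread): the payload
# range always starts 0xC bytes past the record address, so the header is 12 bytes.
HEADER_LEN = 12


@dataclass
class Record:
    addr: int
    service_id: int   # first header byte: id of the service owning the data
    stored_raw: int   # second header byte: 01 when the payload is not zlib-compressed
    field: int        # the UInt16 that follows; not decoded in the thread
    uncomp_size: int
    comp_size: int
    total_size: int
    start: int
    end: int
    label: str
    payload: bytes    # decompressed payload, as printed in the listing


def parse_listing(text):
    """Turn the printed listing back into Record objects."""
    records, hdr, hex_parts = [], None, []

    def flush():
        if hdr is not None:
            h = {k: int(v, 16) for k, v in hdr.items() if k != "label"}
            records.append(Record(h["addr"], h["sid"], h["raw"], h["field"], h["uncomp"],
                                  h["comp"], h["tot"], h["start"], h["end"],
                                  hdr["label"], bytes.fromhex("".join(hex_parts))))

    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            flush()
            hdr, hex_parts = m.groupdict(), []
        elif hdr is not None and re.fullmatch(r"[0-9A-F]+", line):
            hex_parts.append(line)
    flush()
    return records


def check_record(rec):
    """Cross-check the sizes the listing prints against each other."""
    issues = []
    if len(rec.payload) != rec.uncomp_size:
        issues.append(f"payload is {len(rec.payload)} bytes, UncompSz says {rec.uncomp_size}")
    if rec.end - rec.start + 1 != rec.total_size:
        issues.append("address range does not match TotSz")
    if rec.start != rec.addr + HEADER_LEN:
        issues.append("payload does not start right after the 12-byte header")
    if rec.stored_raw and rec.comp_size != rec.uncomp_size:
        issues.append("flagged as uncompressed but CompSz differs from UncompSz")
    if rec.comp_size > rec.total_size:
        issues.append("CompSz larger than TotSz")
    return issues


def extract_strings(payload):
    """Assumption (inferred from the dump): strings are stored as 0x24 ('$'),
    a little-endian uint32 length, then the ASCII bytes. Returns them in order."""
    found, i = [], 0
    while i + 5 <= len(payload):
        if payload[i] == 0x24:
            (n,) = struct.unpack_from("<I", payload, i + 1)
            chunk = payload[i + 5:i + 5 + n]
            if 0 < n <= 256 and len(chunk) == n and all(0x20 <= b < 0x7F for b in chunk):
                found.append(chunk.decode("ascii"))
                i += 5 + n
                continue
        i += 1
    return found


def decode_payload(stored_raw, raw):
    """Recover a payload from raw FRAM bytes: stored as-is when the flag byte
    is 01, otherwise a zlib stream (AlphaRne's description of the format)."""
    return bytes(raw) if stored_raw else zlib.decompress(raw)


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_LISTING):
        print(f"{rec.addr:08X} {rec.label:<15} strings={extract_strings(rec.payload)} "
              f"issues={check_record(rec) or 'none'}")
```

Run it on the full listing (paste it into `SAMPLE_LISTING` or read it from a file) and any record whose printed sizes disagree with its hex, or whose payload does not start where the header says, shows up in `issues`; the string extractor is only a heuristic, so a stray 0x24 byte followed by a small number can produce a false hit, which is why it insists on printable ASCII.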
It's not impossible but it's much more difficult, you need to open it up and extract the private internal key before you can use the keygen.
How the heck do you think people accessed the HDO?
People are currently accessing the HDO like in Dave's video, I guess. That doesn't necessarily mean the final hack will require opening it up though. (Fingers crossed we won't need to install Android Studio though.)
He hasn't any idea, he's powered by Duracell.
I'm guessing you'll be stocking these new Rigol scopes, soon, right?
That doesn't necessarily mean the final hack will require opening it up though.
Sure, but that depends on the amount of effort some guys here put into the matter. As in the case of your secure "DS1000Z variant", if there was still enough interest (and I'm not saying that you can't dump it via SCPI on an earlier FW) a solution would also appear.
Although, based on your assumptions, Rigol may soon start shipping stickers on the scopes with hacking/licensing instructions.
Someone with adb access to the device: Could you maybe please post the output of
adb shell getprop
? (also possible as "getprop" from uart console)
Thanks!
He hasn't any idea, he's powered by Duracell.
I'm guessing you'll won't be stocking these new Rigol scopes, soon, right?
FTFY
Just wondering why you're in every single Rigol thread, it's almost as if you're interested in selling them...
And you selling all the brands...
curious if adding a second ADC is possible on the 1k series. the power rails are off the shelf parts but the ADC itself...
Nope, it's a proprietary Rigol part. Or at least appears to be.
I think most people would be happy with the half sample limitation if you can hack everything else.
Exactly this.
Although there is nothing much to do for hackers, "officially".
Actually there are two types of enhancements available for the HDO1000.
Memory and bandwidth, that's all.
Yeah the closest ADC I found in 88 pad package is AD9691, but it's a 14bit one and wrong pinout. And costs more than the HDO1000 scope.
I think most people would be happy with the half sample limitation if you can hack everything else.
Yep.
If I can hack the HDO1074 to a HDO1204 with all options then that's good enough.
I dunno if making it a HDO1404 is a good idea or not.
The ideal hack would be a HDO1404 which turns on the 200MHz bandwidth limit when you enable more than 2 channels. Not impossible to do, but patching the binary would be quite a feat...
Actually there are two types of enhancements available for the HDO1000.
Memory and bandwidth, that's all.
Does the HDO1000 have 500M memory on the PCB?
Exactly this.
Although there is nothing much to do for hackers, "officially".
Actually there are two types of enhancements available for the HDO1000.
Memory and bandwidth, that's all.
US$900 saving.
Some of the current Siglent promo savings are 3x that.
Does the HDO1000 have 500M memory on the PCB?
I think it has 2GB total for the fpga. It's marked D9SHG which is a 4Gb chip, and has 4 of them.