Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 2169354 times)


Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 852
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1050 on: January 29, 2024, 06:56:11 pm »
I know some have been dissecting some binaries with Ghidra. I am now playing around with apk dissector APKEditor
https://github.com/REAndroid/APKEditor

It's been a few years since I had an Android SDK going for doing some Java and C apps, but now we get to dissect the Rigol apk's that are on the DHO (Android).

I pulled out the APK's from the v00.01.02.00.00 gel zip

Did APKEditor d (type raw) on the Sparrow APK, found some interesting strings in the biggest binary (5,420,496 bytes resources.arsc). A lot of references to non DHO800/900 features and upgrades. Perhaps they reuse a code module across a lot of the various hardware?
In the pic, in the "opensurces.files" folder I find Rigol logo images, likely the boot image and one other smaller one. The "header.htm" file there appears to be the html front side to the opensource acknowledgement, but for the bigger models (see pic).
This DHO800/900 GEL appears to have files that are not applicable to the DHO800/900 models.

Examples below, attached is strings.txt if you want to just browse the output from strings command.

Code: [Select]
20.0kbps
2000
20000
20000X
2000X
200M
))200MHz to 350MHz bandwidth upgrade option
))200MHz to 400MHz bandwidth upgrade option
))200MHz to 500MHz bandwidth upgrade option
))200MHz to 800MHz bandwidth upgrade option
200Mpts deep memory option
200X
200ms
20Mbps
20kbps
230.4kbps
244.14kHz
250.0kbps
25000
250M
250kbps
2Gpts deep memory option
2Mbps
30.52kHz
300 bps
30000
300bps
305.18kHz
33.3kbps
))350MHz to 500MHz bandwidth upgrade option
38.4kbps
3Mbps
4.88MHz
4.8kbps
))400MHz to 800MHz bandwidth upgrade option
460.8kbps
480p/60Hz
488.28kHz
4Mbps
5 Bits
5 bits
50 Ohm overload protection
50 bps
50.0kbps
500.0kbps
5000
50000X
5000X
500M
500Mpts deep memory option
500X
500kbps
500ms
50Ohm Overload,Protected!(CH1)
50Ohm Overload,Protected!(CH2)
50Ohm Overload,Protected!(CH3)
50Ohm Overload,Protected!(CH4)

Some references to HP printers
Code: [Select]
HP/deskjet
HP/laserjet

« Last Edit: January 29, 2024, 07:50:57 pm by Randy222 »
 
The following users thanked this post: AceyTech

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 852
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1051 on: January 29, 2024, 07:59:53 pm »
The best I could do was to dump TAR GZ of the raw decompiled APK's to easy upload site. Now you can dig in.

Files with my local sha256sum hashes

v 00.01.02.00.00
Sparrow https://easyupload.io/giyf2f
Launcher https://easyupload.io/8et8ty
Webcontrol https://easyupload.io/ewkhmh

b24e07e618d518775f8e8e830ae394cddf2c84c06c4ea4b733baebd09e67f5f8  Sparrow.apk.tar.gz
3e0f16b6fb2f83394b00600bb4da9c141b53a5541bb85fa09741f28ce18405e6  Launcher.apk.tar.gz
c260dae73c6e50021412cc38495b534b8e7fcadc146ec9e243f54c6f352156a8  Webcontrol.apk.tar.gz

v 00.01.02.00.02
Sparrow https://easyupload.io/a931b4
Launcher https://easyupload.io/i89y1t
Webcontrol https://easyupload.io/b4dhr6

8b09d764c7b84056ae8c84322c55916da30612f3bd829e888ba233819364e436  Sparrow-2.apk.tar.gz
085117333d0fdf2c62f7bdaf312ed55cb2dbc743f772575a17dcdadf7a547366  Launcher-2.apk.tar.gz
1b982eeae2eb1f822e93d309d00b0e669829d619c838dc59d0a1f121c43ace03  Webcontrol-2.apk.tar.gz


« Last Edit: January 29, 2024, 08:33:57 pm by Randy222 »
 

Offline 0xACE

  • Newbie
  • Posts: 7
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1052 on: January 29, 2024, 08:11:16 pm »
Digging through the APK and classes is where I found the calls to the native library which controls the LEDs on the control surface. In `com.rigol.scope.cil` package.

As a side note, the colors of the traces are in the colors.xml file, which is compiled to a binary resource file. Easy to modify if you are recompiling, not so easy if the APK is signed.
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 852
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1053 on: January 29, 2024, 08:38:06 pm »
Quote
Digging through the APK and classes is where I found the calls to the native library which controls the LEDs on the control surface. In `com.rigol.scope.cil` package.

As a side note, the colors of the traces are in the colors.xml file, which is compiled to a binary resource file. Easy to modify if you are recompiling, not so easy if the APK is signed.

APKEditor says it can rebuild from dissecting, so you can edit and then rebuild it, I'm just not sure how signing works.

b is option to build from the json/xml "b | build     -  Builds android binary from json/xml"
Code: [Select]
[roott@localhost APKeditor]# java -jar APKEditor.jar b -h
Builds android binary from json/xml
Options:
   -i                  input path
   -o                  output path
   -framework-version  preferred framework version number
   -framework          path of framework file (can be multiple)
   -sig                signatures directory path
   -res-dir            sets resource files root dir name
                       (eg. for obfuscation to move files from 'res/*' to 'r/*'
                       or vice versa)
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 544
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1054 on: January 29, 2024, 08:44:00 pm »
Is the oscilloscope application really signed?
I wonder if an unsigned APK simply won’t launch? Or how does a signature work?
 

Offline sonic

  • Regular Contributor
  • *
  • Posts: 67
  • Country: de
    • Homepage
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1055 on: January 29, 2024, 08:46:01 pm »
All .apk are signed. Normally they're just signed with your own local certificate; the problem is system apps with elevated rights, recognizable by
Code: [Select]
android:sharedUserId="android.uid.system"
in AndroidManifest.xml.
You can't resign them because you don't have the private key of the system cert.
One possible workaround is to NOP out the cert check in PackageManagerService...
« Last Edit: March 24, 2024, 12:51:35 am by sonic »
 
The following users thanked this post: AndyBig

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1963
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1056 on: January 29, 2024, 09:17:03 pm »
Quote
One possible workaround is to NOP out the cert check in the system...
or, is it possible to add your own cert that you sign the APK with into the trusted certificate store in the system? There has to be a store of trusted certs that the system uses to validate the APKs against. I don't know how it works in android though.
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 852
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1057 on: January 29, 2024, 09:48:55 pm »
Since we have root access, it should be easy to add a cert to the System cert store. Then sign mod'd APK's.
Or even possibly mod the APK to trust User cert store?

https://medium.com/hackers-secrets/adding-a-certificate-to-android-system-trust-store-ae8ca3519a85
 

Offline sonic

  • Regular Contributor
  • *
  • Posts: 67
  • Country: de
    • Homepage
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1058 on: January 29, 2024, 09:49:48 pm »
Those are for TLS, not apks.
 

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1963
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1059 on: January 29, 2024, 09:58:37 pm »
I wonder whether there is any validation method outside of the Google play framework at all. Internet search has been fruitless for me (besides the google apps related results), so I suppose there might be none, unless Rigol implemented something of their own.
« Last Edit: January 29, 2024, 10:00:32 pm by shapirus »
 

Offline sonic

  • Regular Contributor
  • *
  • Posts: 67
  • Country: de
    • Homepage
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1060 on: January 29, 2024, 09:59:26 pm »
apk validation happens in AOSP, not Google Play.
« Last Edit: January 29, 2024, 10:29:13 pm by sonic »
 

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1963
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1061 on: January 29, 2024, 10:06:57 pm »
Quote
apk validation is AOSP, not Google Play.

Still a bit hard to search (goddamn https related results make SNR ridiculous), however I found this, FWIW:

Quote
Applications can be signed by a third-party (OEM, operator, alternative market) or self-signed. Android provides code signing using self-signed certificates that developers can generate without external assistance or permission. Applications do not have to be signed by a central authority. Android currently does not perform CA verification for application certificates.

https://source.android.com/docs/security/overview/app-security
 

Offline sonic

  • Regular Contributor
  • *
  • Posts: 67
  • Country: de
    • Homepage
« Last Edit: January 30, 2024, 05:30:57 am by sonic »
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 852
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1063 on: January 29, 2024, 10:27:46 pm »
Here's the manifest.xml for Sparrow.apk and Launcher.apk, attached as a txt file.
« Last Edit: January 29, 2024, 10:29:45 pm by Randy222 »
 

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1963
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1064 on: January 29, 2024, 10:33:32 pm »
Xposed might be an (untested) alternative:
https://www.xda-developers.com/application-signature-verification-how-it-works-how-to-disable-it-with-xposed-and-why-you-shouldnt/

A bit more current:
https://xiaomiui.net/how-to-disable-signature-verification-on-android-4235/
I may be misunderstanding the concept of apk signing and signature validation, but it all doesn't compute for me. It's still the same asymmetric cryptography, in principle similar to what is used e.g. by TLS (for https), correct? Which means the signature, at the end of the day, is validated against one of the trusted public keys, known by the local system, which must be kept either in plain text (like TLS CAs), or obfuscated in some way, but it must still be readable by the system, and thus, ultimately, also by the human having physical access to the storage device where that trusted key store is located. It should also be modifiable just as well.
This means it should be doable without extra software, just by modifying some files on the storage; you just need to know where to look. After all, that software is aimed mostly towards smartphones and is made to be easy to use for a typical (power)user of a typical device. Am I wrong? Any android gurus here? How does it actually work under the hood?

(and, before we get ourselves too deep into this, perhaps the scope will be just happy to run a self-signed scope app?)
« Last Edit: January 29, 2024, 10:35:36 pm by shapirus »
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 852
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1065 on: January 29, 2024, 10:43:44 pm »

Quote
I may be misunderstanding the concept of apk signing and signature validation, but it all doesn't compute for me.
There's v1 and v2 and a v3 of APK signing

https://source.android.com/docs/security/features/apksigning
https://medium.com/@dhuma1981/understanding-new-apk-signature-scheme-v2-b705178f4d60

But it does not seem like the signing part is an obstacle. Just sign mod'd APK with some new key, and put the trusted key in the System store.

https://developer.android.com/tools/apksigner
« Last Edit: January 29, 2024, 10:52:13 pm by Randy222 »
 
The following users thanked this post: Fungus

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 852
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1066 on: January 29, 2024, 11:01:10 pm »
Anyone have Android Studio installed?

Use apksigner to verify if/how the Rigol APK's are signed

I need to get the latest SDK on my Windows machine since my Linux disk is now full (need to fix that issue). But I'll see if what I need is in the cmd-line-tools-only zip.

https://developer.android.com/tools/apksigner
« Last Edit: January 29, 2024, 11:14:45 pm by Randy222 »
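As an added example (not from this thread, and not Rigol's or Android's tooling), here is a small Python checker that does a subset of what `apksigner verify` reports: it reads the APK's zip structure and says which signing schemes are present, v1 via the JAR signature files under META-INF/, and v2/v3 via the block IDs in the APK Signing Block described in the apksigning docs linked above. The sample APKs it builds are constructed fixtures with dummy signature bytes, so it only demonstrates the layout; it does not validate any signature, and apksigner remains the authoritative check.

```python
import io, struct, zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # block IDs from the v2/v3 specs

def _eocd(data):
    """Return (EOCD offset, central directory offset); assumes no zip comment."""
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("no End Of Central Directory record: not a zip/apk")
    return idx, struct.unpack_from("<I", data, idx + 16)[0]

def signing_schemes(data):
    """List the signing schemes an APK carries, e.g. ['v1', 'v2']."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # v1 (JAR signing): *.SF plus a *.RSA/*.DSA/*.EC signature file under META-INF/
    if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names):
        found.add("v1")
    # v2/v3: the APK Signing Block sits just before the central directory and ends with
    # [size_of_block uint64][magic 16 bytes]; inside are [len uint64][id uint32][value] pairs
    _, cd = _eocd(data)
    if cd >= 24 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", data, cd - 24)[0]
        pos = cd - size  # first pair, right after the leading size field
        while pos < cd - 24:
            length, block_id = struct.unpack_from("<QI", data, pos)
            found.add(SCHEME_IDS.get(block_id, "unknown-0x%08x" % block_id))
            pos += 8 + length
    return sorted(found)

def make_sample_apk(v1=True, block_ids=()):
    """Constructed fixture: a tiny zip with optional v1 files and a fake signing block
    carrying the given IDs with dummy values (not real signatures, just the layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if v1:
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x00")  # placeholder, not real DER
    data = bytearray(buf.getvalue())
    if block_ids:
        eocd, cd = _eocd(data)
        pairs = b"".join(struct.pack("<QI", 12, i) + b"\0" * 8 for i in block_ids)
        size = len(pairs) + 8 + 16
        block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
        data[cd:cd] = block  # splice the block in before the central directory
        struct.pack_into("<I", data, eocd + len(block) + 16, cd + len(block))  # fix EOCD's CD offset
    return bytes(data)
```

Run `signing_schemes(open("Sparrow.apk", "rb").read())` against a real APK to see which schemes it carries; an unknown block ID is reported as `unknown-0x...` rather than ignored.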
 

Offline 0xACE

  • Newbie
  • Posts: 7
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1067 on: January 29, 2024, 11:27:26 pm »
I have loaded and run my own apps (from android studio) but have not tried resigning the Sparrow.apk
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 9027
  • Country: ca
  • Non-expert
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1068 on: January 30, 2024, 01:31:48 am »
Quote
Use apksigner to verify if/how the Rigol APK's are signed

You can read about the signing details in the DHO1000 thread: https://www.eevblog.com/forum/testgear/hacking-the-hdo1khdo4k-rigol-12-bit-scope/msg5242014/#msg5242014
Assuming it's the same here.
 

Offline WinterBreeze

  • Newbie
  • Posts: 4
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1069 on: January 30, 2024, 02:59:12 am »
Hi, could you tell me how to restore the RLU.lic file? I was trying to upgrade to the 02 firmware and it looks like I messed up the RLU.lic file. Thank you.
 
The following users thanked this post: cbcb4cb@163.com

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 18058
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1070 on: January 30, 2024, 06:48:50 am »
Quote
Hi, could you tell me how to restore the RLU.lic file? I was trying to upgrade to the 02 firmware and it looks like I messed up the RLU.lic file. Thank you.

It doesn't work with firmware 01.02.02
 

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1071 on: January 30, 2024, 07:44:09 am »
Howdy.  I'm trying to get a complete backup from a new/unmodded DHO800 so I can open it up and get hackin'.

I panicked a bit when the second calibration attempt failed.  I found this post from @Mechatrommer and others about calibration failure with "testmode on"
Anyone know which of the additional options work/fail to cal, to save me some time?

Also, I know ADB works fine via Wifi, but what about via USB? Is that B port only for USBTMC? I can't see any devices via ChromeOS/Linux or Windoze (altho' it shows up in Device Mangler).
« Last Edit: January 30, 2024, 08:31:33 am by AceyTech »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 18058
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1072 on: January 30, 2024, 08:29:27 am »
Quote
Howdy.  I'm trying to get everything backed up on my sparkling new (albeit smelly) DHO8xx so I can open it and get to work.

The smell goes away after a week or so.

(I left mine powered up in a spare room so it was warm, YMMV).

Quote
Since it takes so long to run thru a calibration, does anyone know which of the additional options fail, to save me some time?

How about you just use default options? They work.

Quote
Also, I know ADB works fine via Wifi, but what about via USB?

No.

Quote
Is that B port only for USBTMC?

It's for plugging in your WiFi dongle.  :)

After that you can use FTP to grab files and web browser for screenshots.
 
The following users thanked this post: AceyTech

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1073 on: January 30, 2024, 08:45:14 am »
Quote
Howdy.  I'm trying to get everything backed up on my sparkling new (albeit smelly) DHO8xx so I can open it and get to work.

The smell goes away after a week or so.

(I left mine powered up in a spare room so it was warm, YMMV).

Since it takes so long to run thru a calibration, does anyone know which of the additional options fail, to save me some time?

How about you just use default options? They work.

Also, I know ADB works fine via Wifi, but what about via USB?

No.

Is that B port only for USBTMC?

It's for plugging in your WiFi dongle.  :)

After that you can use FTP to grab files and web browser for screenshots.

Oh great.  I heard it goes away, so I'll continue to be patient.  The smell makes me flash back to early years of "letting the smoke out" of components.

I know the default options work, but I wanted to have copies of the extended options, just in case.

So the USB B port on the back is for plugging devices into?  Sweet! I'll build a Male B to Female A adapter then.  :D
Thanks!
 

Offline gabiz_ro

  • Regular Contributor
  • *
  • Posts: 143
  • Country: ro
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1074 on: January 30, 2024, 09:12:23 am »
As it is in the current config:
The USB B port on the back is a USB device (or client, or whatever name they have) port; it is not a USB host port.
The USB A port on the front is a USB host port where you can plug in devices.

 
The following users thanked this post: AceyTech
