Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 2170249 times)


Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 544
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1675 on: February 24, 2024, 07:07:47 pm »
That's it, I'll stop here with the alteration of measurements. True, so far I have not been able to put the names of the parameters and the values in the disclosed measurement points into one line...
 
The following users thanked this post: AceyTech

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1963
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1676 on: February 24, 2024, 07:15:51 pm »
That's near perfect. But this still prevents taking screenshots, right? I wonder what's the deal with that.
 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 7513
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1677 on: February 24, 2024, 07:38:24 pm »
That's near perfect. But this still prevents taking screenshots, right? I wonder what's the deal with that.

Umm -- what am I looking at in AndyBig's most recent post then? I nearly mistook it for a screenshot.  ???
 

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1963
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1678 on: February 24, 2024, 08:10:55 pm »
Umm -- what am I looking at in AndyBig's most recent post then? I nearly mistook it for a screenshot.  ???
Lol good point. Then the issue is solved? There was the issue of the inability to take screenshots with custom-rebuilt APK.
 

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1679 on: February 24, 2024, 08:22:26 pm »
Linux file permission management is made with the KISS (Keep It Simple, Stupid) idea, so it's pretty simple. Android is based on a modified Linux (Linux is the name of a system kernel doing very low level stuff - not the whole system, like some people think) and I don't have too much experience with any hacking on Android. BTW, I noticed my 924S (noted in about or somewhere here) has a Linux kernel with the word Ubuntu in the version text...

Those permissions are bits (flags) for three categories: "user" (owner of file), "group" (files and users can be in groups for additional permissions) and "others".

Mentioned bits can be changed to more human readable form:

Code:
ls -l /dev/tty0
crw--w---- 1 root tty 4, 0 02-20 12:30 /dev/tty0

chmod changes those bits, also with human readable R, W and X - the last one is the execution permission (a normal binary like an exe in Windows, or even shell scripts).

To make it readable for user, group and others (for everyone) it's just:

Code:
chmod +r /some/file/path
To make it readable for users: u+r, for group: g+r, and for others: o+r.

There are also two special bits, but they're not relevant here. But... sometimes the suid bit can be useful to execute a file as the root (admin) user instead of the id of the user running it.

So, when you can't read a file, change that file's permissions, use another user, or add yourself to that group.
« Last Edit: February 24, 2024, 08:24:28 pm by norbert.kiszka »
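As an added illustration of the permission bits described in the post above (my own example, not code from the thread or from the scope), here is a POSIX sh helper that turns the mode string "ls -l" prints into the octal form chmod also accepts, and applies the classic Unix rule for who may read a file: the owner is judged by the user triad only, a group member by the group triad only, everyone else by the others triad, and root bypasses the read bits. The /dev/tty0 line is the one quoted in the post; the /dev/fb0 line used in the demo is a constructed sample, and the user names are made up.

```shell
#!/bin/sh
# Added example (mine, not from the thread): decode the mode string that
# "ls -l" prints, e.g. "crw--w----" for /dev/tty0 above, into the octal form
# chmod also accepts, and decide whether a given user may read the file.

# mode_to_octal MODE -> prints the 4-digit octal permission (special bits
# first). MODE is the 10-char "ls -l" field or just its 9 permission chars.
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=$(printf '%s' "$m" | cut -c2-10) ;;   # drop the file-type char
        9)  ;;
        *)  echo "mode_to_octal: expected 9 or 10 chars, got '$1'" >&2; return 1 ;;
    esac
    special=0
    digits=""
    pos=1
    # one special bit per triad: 4 = setuid (user), 2 = setgid (group), 1 = sticky (others)
    for bit in 4 2 1; do
        triad=$(printf '%s' "$m" | cut -c"$pos-$((pos + 2))")
        v=0
        case $triad in r??) v=$((v + 4)) ;; esac
        case $triad in ?w?) v=$((v + 2)) ;; esac
        case $triad in ??[xst]) v=$((v + 1)) ;; esac          # lower-case s/t imply x
        case $triad in ??[sStT]) special=$((special + bit)) ;; esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# can_read "LS_LINE" USER "GROUP GROUP ..." -> exit 0 if USER, a member of the
# listed groups, may read the file described by the "ls -l" line.
can_read() {
    line=$1; user=$2; grouplist=$3
    set -- $line                        # word-split the ls -l line (unquoted on purpose)
    mode=$1; owner=$3; grp=$4
    [ "$user" = root ] && return 0      # root is not stopped by the read bits
    if [ "$owner" = "$user" ]; then
        triad=$(printf '%s' "$mode" | cut -c2-4)      # user triad only
    else
        triad=$(printf '%s' "$mode" | cut -c8-10)     # others triad ...
        for g in $grouplist; do
            [ "$g" = "$grp" ] && triad=$(printf '%s' "$mode" | cut -c5-7)  # ... unless in the file's group
        done
    fi
    case $triad in r??) return 0 ;; *) return 1 ;; esac
}

# The line quoted in the post, plus a constructed sample for a framebuffer device.
SAMPLE_LS='crw--w---- 1 root tty 4, 0 02-20 12:30 /dev/tty0'
SAMPLE_FB='-rw-r----- 1 root fb 0 02-20 12:30 /dev/fb0'   # constructed sample

printf '%s -> %s\n' "${SAMPLE_LS%% *}" "$(mode_to_octal "${SAMPLE_LS%% *}")"
printf '%s -> %s\n' "${SAMPLE_FB%% *}" "$(mode_to_octal "${SAMPLE_FB%% *}")"
for u in root andy; do                  # "andy" is a made-up user in group fb
    if can_read "$SAMPLE_FB" "$u" "fb"; then echo "$u (in group fb): can read /dev/fb0"
    else echo "$u (in group fb): cannot read /dev/fb0"; fi
done
```

The group loop deliberately only upgrades from the others triad to the group triad; it never touches the user triad, because on Linux an owner who is also in the file's group is still judged by the user bits alone.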
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 544
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1680 on: February 24, 2024, 08:50:26 pm »
That's near perfect. But this still prevents taking screenshots, right? I wonder what's the deal with that.
Alas, yes. The problem is this. There are two points:
1. Applications from Rigol are signed with their key, which we do not have, so we have to sign the modified application with the key we generated for ourselves.
2. In applications from Rigol, the user android.uid.system is specified in the manifest, which means, as it seems to me, that this application will be launched with system rights.
If we leave this user in the manifest, then when we try to install our modified Android application, it will throw the error INSTALL_FAILED_SHARED_USER_INCOMPATIBLE. This means that Android has detected an existing key for this user, and it does not match our key with which we signed the application. Therefore, we have to remove this system user from the manifest, and the application starts with the usual permissions of a simple user. And as a result, when I try to take a screenshot, the following error appears in the system log:
Code:
SurfaceFlinger: Permission Denial: can't read framebuffer pid=6902, uid=10038
That is, a simple user does not have enough permissions to read the framebuffer to take a screenshot. I don't know what to do with this yet. There is an idea to delete all Rigol applications so that there are no applications left in the system with this user, then re-sign them with our key and install them back. But I suspect this trick won't work :)
Umm -- what am I looking at in AndyBig's most recent post then? I nearly mistook it for a screenshot.  ???
This is a screenshot from web control :)

P.S. Hmm, yeah. A quick search on the Internet led to the conclusion that the android.permission.READ_FRAME_BUFFER permission is only allowed for applications that are signed with the same key as the Android ROM. So, it seems there is no way to overcome this, unless you crack Rigol’s native key :)
« Last Edit: February 24, 2024, 09:12:38 pm by AndyBig »
 
The following users thanked this post: ebastler

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1963
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1681 on: February 24, 2024, 09:23:34 pm »
And as a result, when I try to take a screenshot, the following error appears in the system log:
Code:
SurfaceFlinger: Permission Denial: can't read framebuffer pid=6902, uid=10038
That is, a simple user does not have enough permissions to read the framebuffer to take a screenshot. I don't know what to do with this yet. There is an idea to delete all Rigol applications so that there are no applications left in the system with this user, then re-sign them with our key and install them back. But I suspect this trick won't work :)
Yeah so basically non-system apps have no direct access to framebuffer. There are two solutions:

a) run the recompiled apk as a system app. This should be possible (we have root, we can do everything), just need to figure out how;

b) instead of reading the framebuffer directly, run the following command: "screencap -p /data/UserData/custom-screenshot-NNN.png".

I've just verified that the second one works all right. I wonder how feasible it will be to substitute the native framebuffer capture code with custom code doing exec() to run screencap, whatever the caller might be: the "quick" button or the respective menu function. Or maybe it can be possible to run a daemon in the background that would watch for "quick" button key press events and run screencap regardless of what the Rigol app is doing.

Some additional details: https://stackoverflow.com/questions/12615240/how-to-run-android-system-app-without-root-permission

For the first one:

https://stackoverflow.com/questions/15205159/install-failed-shared-user-incompatible-while-using-shared-user-id
https://xdaforums.com/t/solved-install-failed-shared-user-incompatible.1219029/

Apparently it should be as easy as properly uninstalling the original app before installing the rebuilt one?
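Two small helpers around the screencap route described in the post above, added here as my own example (not shapirus's, AndyBig's or Rigol's code): next_screenshot_path picks the next free custom-screenshot-NNN.png name so a wrapper bound to the quick button never overwrites an earlier capture, and framebuffer_denials pulls the pid and uid out of SurfaceFlinger denial lines like the one AndyBig quoted and labels whether the caller ran under an ordinary app uid (10000 and up) or as android.uid.system (uid 1000). The logcat excerpt is constructed around the quoted line; the uid=1000 line is made up only to exercise the classifier. take_screenshot assumes the Android screencap binary is on PATH, as it is in an adb or ssh shell.

```shell
#!/bin/sh
# Added example (mine, not from the thread or Rigol): helpers around the
# "screencap -p /data/UserData/custom-screenshot-NNN.png" route.

# next_screenshot_path DIR -> DIR/custom-screenshot-NNN.png, NNN one higher
# than the highest existing number (000 when the directory has none).
next_screenshot_path() {
    dir=$1
    highest=-1
    for f in "$dir"/custom-screenshot-[0-9][0-9][0-9].png; do
        [ -e "$f" ] || continue                 # unmatched glob stays literal
        n=${f##*custom-screenshot-}             # "007.png"
        n=${n%.png}                             # "007"
        n=$(printf '%s' "$n" | sed 's/^0*//')   # "7" (avoid octal parsing of 007)
        [ -n "$n" ] || n=0
        if [ "$n" -gt "$highest" ]; then highest=$n; fi
    done
    printf '%s/custom-screenshot-%03d.png\n' "$dir" "$((highest + 1))"
}

# take_screenshot DIR -> runs screencap into the next free name and prints the
# path. Assumes the Android screencap binary is on PATH (adb/ssh shells).
take_screenshot() {
    out=$(next_screenshot_path "$1")
    if ! command -v screencap >/dev/null 2>&1; then
        echo "take_screenshot: screencap not found on PATH" >&2
        return 2
    fi
    screencap -p "$out" && printf '%s\n' "$out"
}

# framebuffer_denials LOGFILE -> "<pid> <uid> <class>" per SurfaceFlinger
# framebuffer denial. class: app (uid >= 10000, an installed app's own uid),
# system (uid 1000, android.uid.system) or other.
framebuffer_denials() {
    grep "SurfaceFlinger: Permission Denial: can't read framebuffer" "$1" |
        sed -n 's/.*pid=\([0-9]*\), uid=\([0-9]*\).*/\1 \2/p' |
        while read -r pid uid; do
            if [ "$uid" -ge 10000 ]; then class=app
            elif [ "$uid" -eq 1000 ]; then class=system
            else class=other
            fi
            printf '%s %s %s\n' "$pid" "$uid" "$class"
        done
}

# sample_logcat -> constructed excerpt: the first line is the denial quoted in
# the thread; the uid=1000 line is made up only to exercise the classifier.
sample_logcat() {
    cat <<'EOF'
SurfaceFlinger: Permission Denial: can't read framebuffer pid=6902, uid=10038
ActivityManager: (constructed, unrelated log line)
SurfaceFlinger: Permission Denial: can't read framebuffer pid=4321, uid=1000
EOF
}

# Demo against the constructed sample in a scratch directory.
tmp=$(mktemp -d)
sample_logcat > "$tmp/logcat.txt"
framebuffer_denials "$tmp/logcat.txt"
echo "next capture would go to: $(next_screenshot_path "$tmp")"
rm -rf "$tmp"
```

On the scope you would call take_screenshot /data/UserData from whatever hooks the quick button; the numbering is derived from the directory contents on each call, so it survives reboots without any extra state file.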
 

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1682 on: February 24, 2024, 09:28:08 pm »
P.S. Hmm, yeah. A quick search on the Internet led to the conclusion that the android.permission.READ_FRAME_BUFFER permission is only allowed for applications that are signed with the same key as the Android ROM. So, it seems there is no way to overcome this, unless you crack Rigol’s native key :)

So Google destroyed Linux simplicity (with Android) more than I thought. Maybe it is possible to make the frame buffer file (if it's still Linux with "everything is a file") readable/writable for every user with chmod 666 or chmod +rw (both will do the same thing).

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1683 on: February 24, 2024, 09:32:24 pm »
PS. https://stackoverflow.com/questions/24917927/how-to-execute-a-chmod-in-android-api-8

Looks like there is chmod in Android.

Don't know how it is with other models, but on my 924S there is ssh on the default port. So it's possible to insert a key into .ssh and log in over ssh. After that, type chmod something [enter].

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 544
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1684 on: February 24, 2024, 10:38:58 pm »
Apparently it should be as easy as properly uninstalling the original app before installing the rebuilt one?
I read through these links, and others too. It seems that this task is not trivial. Now I’ll try one quick method that I read about, without installing a custom recovery and without rebuilding the kernel :) But I don’t think it will work.

PS. https://stackoverflow.com/questions/24917927/how-to-execute-a-chmod-in-android-api-8
Looks like there is chmod in Android.
Don't know how it is with other models, but on my 924S there is ssh on the default port. So it's possible to insert a key into .ssh and log in over ssh. After that, type chmod something [enter].
There is chmod, there is chown, there are many other commands from Linux :)
Only chmod will not help here. We need to somehow convince the system that this application is signed with the correct key. Well, or that it is its own and has the right to execute privileged methods of the system API :)
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 18058
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1685 on: February 24, 2024, 10:54:57 pm »
So Google destroyed Linux simplicity (with Android), more than I thought.

Think: You really can't have apps capturing the screen on people's phones.
 

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1686 on: February 24, 2024, 11:29:35 pm »
So Google destroyed Linux simplicity (with Android), more than I thought.

Think: You really can't have apps capturing the screen on people's phones.

User groups (as in original Linux) are good enough for this job. User root and a group named fb (short for framebuffer). If the app is not running with uid 0 (as root) and the running user is not in group fb (the gid of that group), then it can't read the framebuffer or execute anything which can do it - with the exception of the suid bit, but in that case this process manages what can be done and what can't - a great example is sudo - with (or without, if configured that way) asking for the current user's password, it reads its configuration and checks whether you can do this or not.

With that in mind, I don't see any reason to make it more complicated in any way. Linux is not Windows. Google basically made Windows out of Linux for no obvious reason. If something is working 100% correctly - don't change it.

Yet again, people speak about Linux and permission management in it without knowing anything at all about it.

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1687 on: February 24, 2024, 11:37:25 pm »
Only chmod will not help here. We need to somehow convince the system that this application is signed with the correct key. Well, or that it is its own and has the right to execute privileged methods of the system API :)

Maybe some non-developers and Windows users will not agree with me, but again I see Google is a crap company with very cheap developers. Why didn't they use something which had been working well enough for years and at the same time was simple? User groups, as mentioned before. If the root user (an app running with uid 0) wants to give or take a permission, then it will do it. A normal user can't, unless he becomes root in some way (password, key or suid).

Is it possible to install a self-signed cert in Android?

Anyway, I have one more reason to try installing Linux instead of crappy Android on this scope.

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 544
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1688 on: February 25, 2024, 12:05:24 am »
Maybe some non-developers and Windows users will not agree with me, but again I see Google is a crap company with very cheap developers. Why didn't they use something which had been working well enough for years and at the same time was simple? User groups, as mentioned before. If the root user (an app running with uid 0) wants to give or take a permission, then it will do it. A normal user can't, unless he becomes root in some way (password, key or suid).

Is it possible to install a self-signed cert in Android?

Anyway, I have one more reason to try installing Linux instead of crappy Android on this scope.
I’m not an Android developer, but offhand I can see the following reason: in addition to restricting access to resources, Android developers also decided to introduce restricting access to system API functions.

And I still defeated this scourge! :)))) I was able to persuade the system to consider the application trusted enough so that it could gain access to privileged system calls, including the framebuffer :) True, this is quite confusing, you will need to write a script that will perform all the actions to enter the installed application to trusted ones.
Here is a screenshot honestly taken on an oscilloscope, downloaded from it via FTP :)
 
The following users thanked this post: AceyTech, jsobell

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1963
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1689 on: February 25, 2024, 12:13:00 am »
Time to create a github repo with a toolchain/scripts, and a patchset to be applied to the original apk, for others to create their own custom apks!
 
The following users thanked this post: AceyTech

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1690 on: February 25, 2024, 01:03:14 am »
Time to create a github repo with a toolchain/scripts, and a patchset to be applied to the original apk, for others to create their own custom apks!

IMHO scripts working directly on the scope should be better.

Doing those scripts, we need to remember that not everybody will have everything original - including config files. Also it can be a different firmware.

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1691 on: February 25, 2024, 01:43:05 am »
Is it possible to install a self-signed cert in Android?

Anyway, I have one more reason to try installing Linux instead of crappy Android on this scope.

Awesome!  Do you have experience porting/running Android apps on Linux?  I (for one) eagerly await news of your progress so my 'scope won't be so crappy.   :-/O

We clearly need more help here on the Android side of things.  Perhaps you and @Randy222 can team up and open source this baby!
 

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1692 on: February 25, 2024, 02:13:39 am »
Is it possible to install a self-signed cert in Android?

Anyway, I have one more reason to try installing Linux instead of crappy Android on this scope.

Awesome!  Do you have experience porting/running Android apps on Linux?  I (for one) eagerly await news of your progress so my 'scope won't be so crappy.   :-/O

We clearly need more help here on the Android side of things.  Perhaps you and @Randy222 can team up and open source this baby!

https://en.wikipedia.org/wiki/Anbox

The same thing as Wine, but for Android apps instead of Windows apps. No need for sarcasm here.

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 544
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1693 on: February 25, 2024, 02:14:49 am »
Time to create a github repo with a toolchain/scripts, and a patchset to be applied to the original apk, for others to create their own custom apks!
Yes, there is already a decent set of tools, and the operations are not very simple.
I wrote out a reminder for myself on updating the application so that it becomes a system one - it turned out to be 14 points that need to be completed in the oscilloscope shell. Here you definitely need to write a script that will do all this without errors and typos :)

Is it possible to install a self-signed cert in Android?
I do not know this. I think it is possible if you try hard enough. But what will this give? :)
 

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1694 on: February 25, 2024, 02:19:06 am »
Is it possible to install a self-signed cert in Android?
I do not know this. I think it is possible if you try hard enough. But what will this give? :)

I'm currently using a self-signed and even expired cert to sign other (expired) certs. That's how my private mail server has been running for many years. Every day in the logs I can see (mostly) Russian hack attempts without success.
« Last Edit: February 25, 2024, 02:20:48 am by norbert.kiszka »
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 544
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1695 on: February 25, 2024, 02:28:07 am »
Anyway, I have one more reason to try installing Linux instead of crappy Android on this scope.
It seems to me that this will be a very difficult task. I think the FPGA is very closely coupled to the processor at a very low level. It is possible that the image of the traces is transmitted directly to the video subsystem.
But if you succeed, it will be great! :)

I'm currently using a self-signed and even expired cert to sign other (expired) certs.
I think that you can do this in Android, but it will not help with system applications. Here it is necessary that both the system kernel and the application are signed with the same key. That is, to use a self-signed certificate, you need to disassemble the android image, re-sign its ROM with your key and put it back together. And then if you sign applications with this key, they will have access to all privileged API functions without any installation difficulties :)
That's how my private mail server has been running for many years. Every day in the logs I can see (mostly) Russian hack attempts without success.
But why do they need your mail server? :)))
 
The following users thanked this post: AceyTech

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1696 on: February 25, 2024, 02:35:57 am »
https://en.wikipedia.org/wiki/Anbox

The same thing as Wine, but for Android apps instead of Windows apps. No need for sarcasm here.

I'm aware of Anbox.  I was asking if you can port the 'scope app to Linux so it runs natively vs VM.  And BTW:  --from the link you shared--
Anbox was deprecated on February 3, 2023 as it's no longer being actively maintained.

And BTW#2: I wasn't being sarcastic.  If you're trying to make friends here, perhaps you could take a less abrasive tone with everyone.
 
The following users thanked this post: ebastler

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1697 on: February 25, 2024, 02:43:53 am »
But why do they need your mail server? :)))

Welcome to the real IT world. They have more than one reason. One is, as in most cases, free computing power with a fast and reliable internet connection. The second one: my server is doing one "bad" thing to many Russian servers - mostly government servers, and naturally they want to stop this. No luck for them for ~2 years.

I don't have anything against Russians - it's just for those bad ones.

A bit off-topic here.
 
The following users thanked this post: antiquant

Offline norbert.kiszka

  • Super Contributor
  • ***
  • Posts: 1049
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1698 on: February 25, 2024, 02:53:42 am »
Anbox was deprecated on February 3, 2023 as it's no longer being actively maintained.

Don't know about others, but my 924S is running on Android 7. Also this scope is not a phone - as far as I know.

And BTW#2: I wasn't being sarcastic.

It sounded to me like sarcasm, especially with this red text color.

If you're trying to make friends here, perhaps you could take a less abrasive tone with everyone.

You sounded abrasive to me as well. Maybe we should go back to the topic and stop this stupid fight over who is smarter?

Offline gabiz_ro

  • Regular Contributor
  • *
  • Posts: 143
  • Country: ro
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1699 on: February 25, 2024, 07:29:25 am »
I remember seeing something about test keys in the about menu of some Android devices.
Can't check now, no Android phone and my scope is disassembled.
Take a look in the Android menu, settings, about, and maybe under software versions.
Also if they use AOSP, maybe it is worth a try with the keys from AOSP version 7, if it is Android 7?

Maybe I'm wrong, I have no knowledge on Android builds or apps.
 

