Trying to hack the DSOX1204(A/G) firmware

[thomasb9511]

Or alter the routine that calls swupdate and change the -k parameter to point to a different cert.
Either requires altering something inside the scope.

[tv84]

0x00807b58      .dword 0x00808020 ; str.500MHz_Bandwidth
0x00807b5c      .dword 0x00808034 ; str.BW50


Capable of 500Mhz maybe?!?

That's this table.

[thomasb9511]

That's this table.

A feature flag table?

[tv84]

Another possible way is to go in through SCPI.

Either using the "syst:prod:sscr", which I believe sets bootup parameters, and change it to boot into "single user" mode

Nice! Worth investigating.

Edit: Included a list of all SCPI commands here.

[thomasb9511]

Wonder if the version of nginx and/or php the web server is running has any exploits.

[stafil]

Wonder if the version of nginx and/or php the web server is running has any exploits.

I highly doubt it for ndginx, but php is possible.

I also see the cups port and the rpc ports open, so that would be another attach surface if you are interested investigating.

[stafil]

Another possible way is to go in through SCPI.

Either using the "syst:prod:sscr", which I believe sets bootup parameters, and change it to boot into "single user" mode

Nice! Worth investigating.

And "syst:sscr?" should get the bootup parameters... (? ? ?)

Correct. But didn't have any luck with syst:prod:sscr, or syst:prod:rpr.

One returns `-440 Query UNTERMINATED after indefinite response` and the other `System error`

[stafil]

Another possible way is to go in through SCPI.

Either using the "syst:prod:sscr", which I believe sets bootup parameters, and change it to boot into "single user" mode

Nice! Worth investigating.

And "syst:sscr?" should get the bootup parameters... (? ? ?)

BTW, which decompiler is this one that you are using? looks cool

[stafil]

One returns `-440 Query UNTERMINATED after indefinite response` and the other `System error`

What about?

syst:sscr?

or

SYST:SSCR?

`syst:prod:sscr?` would just return empty string

[stafil]

BTW, which decompiler is this one that you are using? looks cool

IDA

Really nice, but also really expensive

[stafil]

I think it needs a param and we get a ON or a OFF...  (or 0 / 1)

I think you are onto something but `syst:prot:sscr ON` returns "Character data not allowed"


1 or 0, returns "Numeric data not allowed"
 

[tv84]

I think it needs a param and we get a ON or a OFF...  (or 0 / 1)

I think you are onto something but `syst:prot:sscr ON` returns "Character data not allowed"

1 or 0, returns "Numeric data not allowed"

There is a system flag SEALED_STATE_KEY that stores the "sealed" state of the scope. When the scope is in the "sealed" state, some of the interesting SYSTem SCPI commands are discarded.

To check if a scope is (un)sealed, one can use:

SYSTem:PRODuction:SEAL?

If it returns 1 (ON), means it is "SEALED"   

[thomasb9511]

There is a system flag SEALED_STATE_KEY that stores the "sealed" state of the scope. When the scope is in the "sealed" state, some of the interesting SYSTem SCPI commands are discarded.

To check if a scope is (un)sealed, one can use:

SYSTem:PRODuction:SEAL?

If it returns 1 (ON), means it is "SEALED"   

Not optimal, but I wonder if there is a console port on the pcb? If,so I wonder if it has a shell, and what user it has

[stafil]

Not optimal, but I wonder if there is a console port on the pcb? If,so I wonder if it has a shell, and what user it has

That's a good idea, but I don't think I have ever opened something up to try to hack it and didn't end up destroying it..

[thomasb9511]

That's a good idea, but I don't think I have ever opened something up to try to hack it and didn't end up destroying it..

Wonder if someone has a guide or video if there are any traps to taking it apart.

[pizzigri]

Sorry to resurrect an old thread like this, but I was looking at this Keysight scope, and wondering whether anyone managed to actually succeed in the hack.
Franco

[TK]

Sorry to resurrect an old thread like this, but I was looking at this Keysight scope, and wondering whether anyone managed to actually succeed in the hack.
Franco

All the features are now included in the base price, so no need for a SW hack.  The only hacks are BW with requires hardware mods ranging from a quick resistor swap and more advanced if you are starting from the EDU models.  If you start from the DSOX, then just a resistor swap can give you full BW

[pizzigri]

Hey TK, that was exactly what I was after, a BW increase... it's over 350 Euro and is actually presented as a SW package, hence the idea that it was some unlock sw key. But, if it's only a resistor swap - well, wow! do you happen to have the details? I have not found it in the forum, however I'm looking for the DSOX1202/4G, so maybe it's under some other name.
Thank you! It's really appreciated.

[TK]

Hey TK, that was exactly what I was after, a BW increase... it's over 350 Euro and is actually presented as a SW package, hence the idea that it was some unlock sw key. But, if it's only a resistor swap - well, wow! do you happen to have the details? I have not found it in the forum, however I'm looking for the DSOX1202/4G, so maybe it's under some other name.
Thank you! It's really appreciated.

Sorry!!! You don't get full BW with the resistor swap!!!  Not enough caffeine in the morning...

[uski]

I believe that instead of focusing on the efforts on how to "hack" the scope without opening it, we should focus on how we can actually install the options (generate keys, yada yada)

Because :
1) Our friendly Keysight folks will probably be less concerned if the hack requires opening the scope. And to be honest (I know you are reading Keysight) they will also have less incentive to make the process more difficult, if the barrier to entry is higher. Whereas if it's too easy, we might end up with a super protected scope and we don't want that. I can even imagine that they will leave it open on purpose... for hobbyist use. No company will do that. But hobbyists will. Keysight will sell more scopes and people will want to buy, at work, the scope they are using at home. WIN WIN !
2) We have limited time/resources to find a hack so we should focus on what brings the most value

Just my opinion

As a matter of fact I am currently looking for a scope for home use and I am considering only hackable scopes (which is why I started reading this thread).

[wxqhigh]

New keysight edux1052a Teardown
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg3733414/#msg3733414

[thaamike]

Has anyone had succes ?

[Bud]

See This topic.