Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 599135 times)

B0B45 and 3 Guests are viewing this topic.

Offline eevblogfan

  • Frequent Contributor
  • **
  • Posts: 569
  • Country: 00
really ?

can I use the 30 day trail and after 30 days "just" dial the clock back in time and the trail will be accessible again ?
 
The following users thanked this post: Andrew

Offline EEVblog

  • Administrator
  • *****
  • Posts: 29469
  • Country: au
    • EEVblog
You'd need to store more than a flag, as the license may also contain an expiry date

In that case you know the date from the info screen, so you might be able to use that as a baseline to search in the firmware  :-//
 
The following users thanked this post: Andrew

Offline EEVblog

  • Administrator
  • *****
  • Posts: 29469
  • Country: au
    • EEVblog
Sort of surprising considering how many very intelligent people buy and use this kind of tool.
I just assumed most of the people/companies who could readily afford that type of tool don't really need to be hacking options.

Yes, the vast majority have no need nor desire to hack their scope, nor would most even think to look for one. Agilent know that and rely on that. If a hack did eventually happen, I doubt they would bat much of an eyelid.
 
The following users thanked this post: Andrew

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Yes, the vast majority have no need nor desire to hack their scope, nor would most even think to look for one. Agilent know that and rely on that. If a hack did eventually happen, I doubt they would bat much of an eyelid.

Honestly, it seems as if even Rigol is not that worried about it (with the DS2000, DS4000, DG4000 series models all being identical inside). It appears as if they've expanded and released better-designed and built lines of test equipment after all of the publicity (and sales) surrounding the DS1000 hack - so I'm guessing it didn't financially damage the company.  ;)
« Last Edit: April 11, 2013, 10:22:31 am by marmad »
 
The following users thanked this post: Andrew

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 11967
  • Country: gb
    • Mike's Electric Stuff
really ?

can I use the 30 day trail and after 30 days "just" dial the clock back in time and the trail will be accessible again ?
AFAIK one thing they have done is made it not possible to set the clock back to before the release date fo the current firmware. Not sure if they have done anything else to prevent re-trials. Might also be interesting to see if you can request the same trial more than once.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: Andrew

Offline Hypernova

  • Supporter
  • ****
  • Posts: 654
  • Country: tw
really ?

can I use the 30 day trail and after 30 days "just" dial the clock back in time and the trail will be accessible again ?

Yep, the licenses get deleted once they expire but if you dial the clock back you can install them again. So just dial the clock as far back to the build date of the FW you are on after you install and you are golden, of course the only draw back is that you can't install FW updates that comes later than the trial expiration date.

The reinstall trick doesn't work with the internal 30day full trial since there's no install file, I lost them when I dialed the clock forward so they are gone forever for me. I suspect that if you dial forward to 2099 first before activating them and then dial back it might work.

Quote
Might also be interesting to see if you can request the same trial more than once.

Tried that, no go. They keep a record of your applications on their server.
« Last Edit: April 11, 2013, 12:59:14 pm by Hypernova »
 
The following users thanked this post: Andrew

Offline Fsck

  • Super Contributor
  • ***
  • Posts: 1157
  • Country: ca
  • sleep deprived
I think only the hobbyists and work for yourself types would ever bother hacking their equipment, and the % of buyers who would do such a hack are probably a negligible (not 0, but not too important) fraction of their sales.

"This is a one line proof...if we start sufficiently far to the left."
 
The following users thanked this post: Andrew

Offline Tooms

  • Supporter
  • ****
  • Posts: 91
  • Country: dk
really ?

can I use the 30 day trail and after 30 days "just" dial the clock back in time and the trail will be accessible again ?

The reinstall trick doesn't work with the internal 30day full trial since there's no install file, I lost them when I dialed the clock forward so they are gone forever for me. I suspect that if you dial forward to 2099 first before activating them and then dial back it might work.

Quote
Might also be interesting to see if you can request the same trial more than once.

Tried that, no go. They keep a record of your applications on their server.

I have just got an new scope(demo model) with some active trials in it, i dont have the keys so is there any way to export them out for backup ?


Tooms
 
The following users thanked this post: Andrew

Offline zibadun

  • Regular Contributor
  • *
  • Posts: 112
  • Country: us
DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #33 on: April 11, 2013, 01:05:26 pm »
really ?

can I use the 30 day trail and after 30 days "just" dial the clock back in time and the trail will be accessible again ?

Yep, the licenses get deleted once they expire but if you dial the clock back you can install them again. So just dial the clock as far back to the build date of the FW you are on after you install and you are golden, of course the only draw back is that you can't install FW updates that comes later than the trial expiration date.

The reinstall trick doesn't work with the internal 30day full trial since there's no install file, I lost them when I dialed the clock forward so they are gone forever for me. I suspect that if you dial forward to 2099 first before activating them and then dial back it might work.

Quote
Might also be interesting to see if you can request the same trial more than once.

Tried that, no go. They keep a record of your applications on their server.

This worked for me only once, setting the clock back and run self cal.  The second time they've expired looks like for good. I've tried a couple of different "procedures" but no joy..
 
The following users thanked this post: Andrew

Offline Hypernova

  • Supporter
  • ****
  • Posts: 654
  • Country: tw
really ?

can I use the 30 day trail and after 30 days "just" dial the clock back in time and the trail will be accessible again ?

Yep, the licenses get deleted once they expire but if you dial the clock back you can install them again. So just dial the clock as far back to the build date of the FW you are on after you install and you are golden, of course the only draw back is that you can't install FW updates that comes later than the trial expiration date.

The reinstall trick doesn't work with the internal 30day full trial since there's no install file, I lost them when I dialed the clock forward so they are gone forever for me. I suspect that if you dial forward to 2099 first before activating them and then dial back it might work.

Quote
Might also be interesting to see if you can request the same trial more than once.

Tried that, no go. They keep a record of your applications on their server.

This worked for me only once, setting the clock back and run self cal.  The second time they've expired looks like for good. I've tried a couple of different "procedures" but no joy..

Which one stopped working? The built in one with all features or the downloaded one?
 
The following users thanked this post: Andrew

Offline Hypernova

  • Supporter
  • ****
  • Posts: 654
  • Country: tw
really ?

can I use the 30 day trail and after 30 days "just" dial the clock back in time and the trail will be accessible again ?

The reinstall trick doesn't work with the internal 30day full trial since there's no install file, I lost them when I dialed the clock forward so they are gone forever for me. I suspect that if you dial forward to 2099 first before activating them and then dial back it might work.

Quote
Might also be interesting to see if you can request the same trial more than once.

Tried that, no go. They keep a record of your applications on their server.

I have just got an new scope(demo model) with some active trials in it, i dont have the keys so is there any way to export them out for backup ?


Tooms

None that I know of, but since you got a demo unit are you sure it's not full licenses? Demo unit usually come fully activated since they aren't meant to stay in your possession for long. When I bought my 3014A the dealer gave me a demo unit before he got the stock in and that one was fully activated.
 
The following users thanked this post: Andrew

Offline zibadun

  • Regular Contributor
  • *
  • Posts: 112
  • Country: us

Which one stopped working? The built in one with all features or the downloaded one?

The built in trial that came with the scope.  What's a "downloaded one"? 
 
The following users thanked this post: Andrew

Offline Hypernova

  • Supporter
  • ****
  • Posts: 654
  • Country: tw

Which one stopped working? The built in one with all features or the downloaded one?

The built in trial that came with the scope.  What's a "downloaded one"? 

Ones that you can apply for on the website, they email you an .lic file, if those expire you just dial the clock back and reinstall.
 
The following users thanked this post: Andrew

Offline Tooms

  • Supporter
  • ****
  • Posts: 91
  • Country: dk

None that I know of, but since you got a demo unit are you sure it's not full licenses? Demo unit usually come fully activated since they aren't meant to stay in your possession for long. When I bought my 3014A the dealer gave me a demo unit before he got the stock in and that one was fully activated.

it has the trial for all options for around 90 days and then they will expire.

I can see in the papirs that i got that they install the demo licenser there is having a runtime of 120 days and there is about 90 days left now, but i dont have the key files and was hoping that i can export them some how.

Thanks
Tooms

 
The following users thanked this post: Andrew

Offline Hypernova

  • Supporter
  • ****
  • Posts: 654
  • Country: tw

None that I know of, but since you got a demo unit are you sure it's not full licenses? Demo unit usually come fully activated since they aren't meant to stay in your possession for long. When I bought my 3014A the dealer gave me a demo unit before he got the stock in and that one was fully activated.

it has the trial for all options for around 90 days and then they will expire.

I can see in the papirs that i got that they install the demo licenser there is having a runtime of 120 days and there is about 90 days left now, but i dont have the key files and was hoping that i can export them some how.

Thanks
Tooms



Well, logic dictates that there must be hidden SCPI commands that access what you need. Either way even if you can extract them you have to return the demo unit anyway, and those licenses are locked to the serial of the scope.

Unless you mean you bought an ex-demo?
« Last Edit: April 11, 2013, 02:12:03 pm by Hypernova »
 
The following users thanked this post: Andrew

Offline Tooms

  • Supporter
  • ****
  • Posts: 91
  • Country: dk

None that I know of, but since you got a demo unit are you sure it's not full licenses? Demo unit usually come fully activated since they aren't meant to stay in your possession for long. When I bought my 3014A the dealer gave me a demo unit before he got the stock in and that one was fully activated.

it has the trial for all options for around 90 days and then they will expire.

I can see in the papirs that i got that they install the demo licenser there is having a runtime of 120 days and there is about 90 days left now, but i dont have the key files and was hoping that i can export them some how.

Thanks
Tooms


Well, logic dictates that there must be hidden SCPI commands that access what you need. Either way even if you can extract them you have to return the demo unit anyway, and those licenses are locked to the serial of the scope.

Unless you mean you bought an ex-demo?

yes i have bought an ex-demo msox3024a there is as good as new but cheaper


Tooms
 
The following users thanked this post: Andrew

Offline Hypernova

  • Supporter
  • ****
  • Posts: 654
  • Country: tw

None that I know of, but since you got a demo unit are you sure it's not full licenses? Demo unit usually come fully activated since they aren't meant to stay in your possession for long. When I bought my 3014A the dealer gave me a demo unit before he got the stock in and that one was fully activated.

it has the trial for all options for around 90 days and then they will expire.

I can see in the papirs that i got that they install the demo licenser there is having a runtime of 120 days and there is about 90 days left now, but i dont have the key files and was hoping that i can export them some how.

Thanks
Tooms


Well, logic dictates that there must be hidden SCPI commands that access what you need. Either way even if you can extract them you have to return the demo unit anyway, and those licenses are locked to the serial of the scope.

Unless you mean you bought an ex-demo?

yes i have bought an ex-demo msox3024a there is as good as new but cheaper

Well then become drinking buddies with the dealer, they probably have the files then.

How much did you pay? My 3014A after taxes came in at 6333K USD (190k NTD at 30/1 exchange rate), this is with the SEGMEM and MEMUP options, I also got the Front Panel Cover for free.
« Last Edit: April 11, 2013, 03:05:15 pm by Hypernova »
 
The following users thanked this post: Andrew

Offline Tooms

  • Supporter
  • ****
  • Posts: 91
  • Country: dk
Quote
Quote
yes i have bought an ex-demo msox3024a there is as good as new but cheaper
Well then become drinking buddies with the dealer, they probably have the files then.
How much did you pay? My 3014A after taxes came in at 6333K USD (190k NTD at 30/1 exchange rate), this is with the SEGMEM and MEMUP options, I also got the Front Panel Cover for free.

it is an less then 3 month old MSOX 3024A with the LAN/VGA, wavegen, volt meter options and 3 year warrent for the price of 5985$ (with the danish sales tax of 25%)

I also got an front cover and bag for free with the unit and as it is an demo unit then i have all the options for 90 days

it was via the locale agilent partner in Denmark so it is easy for me if there is an issue with


The options that i think i will get leter on for it is I2C, RS232 and maybe the power analyzer option.


Tooms
« Last Edit: April 11, 2013, 04:05:41 pm by Tooms »
 
The following users thanked this post: Andrew

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 11967
  • Country: gb
    • Mike's Electric Stuff
Quote
Well, logic dictates that there must be hidden SCPI commands that access what you need.
Why? There is no legitimite reason to need to read license data out.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: Andrew

Offline _Sin

  • Regular Contributor
  • *
  • Posts: 247
  • Country: gb
True, but I'd guess storing an expiry date still takes less space than a license key, so probably not much difference. Just need to allocate enough fixed locations for the number of envisaged future options, as opposed to the maximum number of keys installable at one time.

For one or two licenses perhaps storing a flag+date would be more compact, but once you need space for several licenses then storing just the key (which is fairly compact and applies to all licenses) ought to be smaller.

The other possible issue I can think of with your suggested scheme is that it means that the scope firmware necessarily contains the ability to write to the secure storage area, which would provide an additional attack surface for a hack attempt. You can either use an exploit in the firmware to flip a flag, or use the knowledge of how the secure-store is written to in order to write it directly.

With their existing scheme, the software only needs to be able to verify a hash using the securely stored key value, and never needs to write anything, so the mechanism to do so can be left out entirely. The full key information required to author the hash in the first place doesn't even need to be present at all.

Until some muppet leaves the scope initialisation tool in the firmware package.

Of course as you said earlier, the firmware itself could be an easier target than the licenses, for the scopes where the key information is unknown. If the only license check is in the software, it could be as simple as changing a branch or two. The only thing to work out would be what verification of the firmware code is done, and how to defeat it. But fiddling with that seems far more likely to lead to a possibly bricked scope, so it's not something I'd necessarily try unless I either had money to burn or a really pressing need for a feature I couldn't afford to buy...
Programmer with a soldering iron - fear me.
 
The following users thanked this post: Andrew

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 11967
  • Country: gb
    • Mike's Electric Stuff
Of course another entirely practical, and more secure solution would  be for every scope to have a unique key. When they issue a license they just look it up on their internal database of keys vs. serial number. They already program unique serial numbers in, so adding a unique key would be minimal additional hassle.
The only additional effort would be to link the license issuing system with the production key generator.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: Andrew

Offline Rufus

  • Super Contributor
  • ***
  • Posts: 2094
With their existing scheme, the software only needs to be able to verify a hash using the securely stored key value, and never needs to write anything, so the mechanism to do so can be left out entirely.

As far as I can tell the existing scheme does not store any key, the public key(s) are in the firmware. Which key to use is determined by something in secure storage. Secure storage holds that something, the scope model and serial number. It looks like licences are pretty much stored as received.

Until some muppet leaves the scope initialisation tool in the firmware package.

I very much doubt it was left. I suspect initially the secure storage was encrypted or signed with the same key used to generate licences. The desire to have the scope model number change to reflect installation of MSO and bandwidth options meant the scope had to re-write secure storage and needed to have the private key. Embedding the initialisation tool was an easy kludge to achieve that. The muppet was the one that wanted to change the model number, or the software guy who didn't tell him it was a gaping security hole. That's my theory anyway.

Has anyone recently installed MSO or bandwidth options with a license? Did the model number change?
« Last Edit: April 11, 2013, 11:42:51 pm by Rufus »
 
The following users thanked this post: Andrew

Offline Hypernova

  • Supporter
  • ****
  • Posts: 654
  • Country: tw
Quote
Well, logic dictates that there must be hidden SCPI commands that access what you need.
Why? There is no legitimite reason to need to read license data out.

There has to be some means to fiddle with the license state when they prep the ex-demo for release at least, granted there might only be overwrite commands available.

"5985$"
Wow, that's an awesome deal!
 
The following users thanked this post: Andrew

Offline _Sin

  • Regular Contributor
  • *
  • Posts: 247
  • Country: gb
Has anyone recently installed MSO or bandwidth options with a license? Did the model number change?

Neither changes the model number - not with the firmware revision which contained the initialisation tool, nor the very latest.
Programmer with a soldering iron - fear me.
 
The following users thanked this post: Andrew

Offline amyk

  • Super Contributor
  • ***
  • Posts: 6403
Of course as you said earlier, the firmware itself could be an easier target than the licenses, for the scopes where the key information is unknown. If the only license check is in the software, it could be as simple as changing a branch or two. The only thing to work out would be what verification of the firmware code is done, and how to defeat it. But fiddling with that seems far more likely to lead to a possibly bricked scope, so it's not something I'd necessarily try unless I either had money to burn or a really pressing need for a feature I couldn't afford to buy...
Someone who can afford the scope might be more likely to have EEPROM programmers and the like as well, meaning recovery from accidental bricking may not be too difficult. Unless there's some storage that can't be rewritten with external hardware somehow...

Mike makes it look too easy. :D
 
The following users thanked this post: Andrew


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf