Hacking the HDO1k/HDO4k Rigol 12 bit scope
Dennis Frie:
Just compared the permissions on the 2 apks. Looks like the original apk pretty much just has full permission to everything :)
Original apk
--- Code: ---
requested permissions:
android.permission.CHANGE_WIFI_STATE
android.permission.EXPAND_STATUS_BAR
android.permission.READ_LOGS
android.permission.SET_TIME
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_NOTIFICATION_POLICY
android.permission.CHANGE_CONFIGURATION
android.permission.REBOOT
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.ACCESS_WIFI_STATE
android.permission.CHANGE_NETWORK_STATE
android.permission.CONNECTIVITY_INTERNAL
android.permission.DISABLE_KEYGUARD
android.permission.WAKE_LOCK
android.permission.READ_FRAME_BUFFER
android.permission.READ_PHONE_STATE
android.permission.READ_EXTERNAL_STORAGE
install permissions:
android.permission.ACCESS_CACHE_FILESYSTEM: granted=true
android.permission.WRITE_SETTINGS: granted=true
android.permission.CONFIGURE_WIFI_DISPLAY: granted=true
android.permission.CONFIGURE_DISPLAY_COLOR_MODE: granted=true
android.permission.ACCESS_WIMAX_STATE: granted=true
android.permission.RECOVERY: granted=true
android.permission.USE_CREDENTIALS: granted=true
android.permission.MODIFY_AUDIO_SETTINGS: granted=true
android.permission.ACCESS_CHECKIN_PROPERTIES: granted=true
android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
com.rigol.watchdog.have.new.app: granted=true
com.rigol.watchdog.have.new.sys: granted=true
android.permission.INSTALL_LOCATION_PROVIDER: granted=true
android.permission.SYSTEM_ALERT_WINDOW: granted=true
android.permission.CLEAR_APP_USER_DATA: granted=true
android.permission.INSTALL_PACKAGES: granted=true
android.permission.NFC: granted=true
android.permission.CHANGE_NETWORK_STATE: granted=true
android.permission.MASTER_CLEAR: granted=true
android.permission.WRITE_SYNC_SETTINGS: granted=true
android.permission.RECEIVE_BOOT_COMPLETED: granted=true
android.permission.PEERS_MAC_ADDRESS: granted=true
android.permission.DEVICE_POWER: granted=true
android.rockchip.update.permission.SHOW_UI: granted=true
android.permission.EXPAND_STATUS_BAR: granted=true
android.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS: granted=true
android.permission.READ_PROFILE: granted=true
android.permission.BLUETOOTH: granted=true
android.permission.WRITE_MEDIA_STORAGE: granted=true
android.permission.GET_TASKS: granted=true
android.permission.INTERNET: granted=true
android.permission.BLUETOOTH_ADMIN: granted=true
android.permission.CONTROL_VPN: granted=true
android.permission.MANAGE_FINGERPRINT: granted=true
android.permission.MANAGE_USB: granted=true
android.permission.INTERACT_ACROSS_USERS_FULL: granted=true
android.permission.BATTERY_STATS: granted=true
android.permission.PACKAGE_USAGE_STATS: granted=true
android.permission.MOUNT_UNMOUNT_FILESYSTEMS: granted=true
android.permission.TETHER_PRIVILEGED: granted=true
android.permission.WRITE_SECURE_SETTINGS: granted=true
android.permission.MOVE_PACKAGE: granted=true
android.permission.STATUS_BAR_SERVICE: granted=true
android.permission.READ_SEARCH_INDEXABLES: granted=true
android.permission.ACCESS_DOWNLOAD_MANAGER: granted=true
android.permission.BROADCAST_STICKY: granted=true
android.permission.BLUETOOTH_PRIVILEGED: granted=true
android.permission.HARDWARE_TEST: granted=true
android.intent.category.MASTER_CLEAR.permission.C2D_MESSAGE: granted=true
android.permission.BIND_JOB_SERVICE: granted=true
android.permission.CONFIRM_FULL_BACKUP: granted=true
android.permission.SET_TIME: granted=true
android.permission.WRITE_APN_SETTINGS: granted=true
android.permission.CHANGE_WIFI_STATE: granted=true
android.permission.MANAGE_USERS: granted=true
android.permission.ACCESS_NETWORK_STATE: granted=true
android.permission.ACCESS_MTP: granted=true
android.permission.DISABLE_KEYGUARD: granted=true
android.permission.BACKUP: granted=true
android.permission.CHANGE_CONFIGURATION: granted=true
android.permission.USER_ACTIVITY: granted=true
android.permission.READ_LOGS: granted=true
android.permission.COPY_PROTECTED_DATA: granted=true
android.permission.SET_WALLPAPER: granted=true
android.permission.SET_KEYBOARD_LAYOUT: granted=true
android.permission.KILL_BACKGROUND_PROCESSES: granted=true
android.permission.USE_FINGERPRINT: granted=true
android.permission.WRITE_USER_DICTIONARY: granted=true
android.permission.READ_SYNC_STATS: granted=true
android.permission.REBOOT: granted=true
android.permission.OEM_UNLOCK_STATE: granted=true
android.permission.MANAGE_DEVICE_ADMINS: granted=true
android.permission.CHANGE_APP_IDLE_STATE: granted=true
android.permission.SET_POINTER_SPEED: granted=true
com.rigol.watchdog.business.process.crash: granted=true
android.permission.MANAGE_NOTIFICATIONS: granted=true
com.rigol.watchdog.update.app: granted=true
com.rigol.watchdog.update.sys: granted=true
android.permission.CONNECTIVITY_INTERNAL: granted=true
android.permission.READ_SYNC_SETTINGS: granted=true
android.permission.OVERRIDE_WIFI_CONFIG: granted=true
android.permission.FORCE_STOP_PACKAGES: granted=true
android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS: granted=true
android.permission.ACCESS_NOTIFICATIONS: granted=true
android.permission.VIBRATE: granted=true
com.android.certinstaller.INSTALL_AS_USER: granted=true
android.permission.READ_USER_DICTIONARY: granted=true
android.permission.ACCESS_WIFI_STATE: granted=true
android.permission.CHANGE_WIMAX_STATE: granted=true
android.permission.REQUEST_INSTALL_PACKAGES: granted=true
android.permission.MODIFY_PHONE_STATE: granted=true
com.android.launcher.permission.INSTALL_SHORTCUT: granted=true
android.permission.STATUS_BAR: granted=true
android.permission.READ_FRAME_BUFFER: granted=true
android.permission.LOCATION_HARDWARE: granted=true
android.permission.WAKE_LOCK: granted=true
android.permission.INJECT_EVENTS: granted=true
android.permission.DELETE_PACKAGES: granted=true
User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
Shared users:
SharedUser [android.uid.system] (6d90f1f):
userId=1000
install permissions:
android.permission.ACCESS_CACHE_FILESYSTEM: granted=true
android.permission.WRITE_SETTINGS: granted=true
android.permission.CONFIGURE_WIFI_DISPLAY: granted=true
android.permission.CONFIGURE_DISPLAY_COLOR_MODE: granted=true
android.permission.ACCESS_WIMAX_STATE: granted=true
android.permission.RECOVERY: granted=true
android.permission.USE_CREDENTIALS: granted=true
android.permission.MODIFY_AUDIO_SETTINGS: granted=true
android.permission.ACCESS_CHECKIN_PROPERTIES: granted=true
android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
com.rigol.watchdog.have.new.app: granted=true
com.rigol.watchdog.have.new.sys: granted=true
android.permission.INSTALL_LOCATION_PROVIDER: granted=true
android.permission.SYSTEM_ALERT_WINDOW: granted=true
android.permission.CLEAR_APP_USER_DATA: granted=true
android.permission.INSTALL_PACKAGES: granted=true
android.permission.NFC: granted=true
android.permission.CHANGE_NETWORK_STATE: granted=true
android.permission.MASTER_CLEAR: granted=true
android.permission.WRITE_SYNC_SETTINGS: granted=true
android.permission.RECEIVE_BOOT_COMPLETED: granted=true
android.permission.PEERS_MAC_ADDRESS: granted=true
android.permission.DEVICE_POWER: granted=true
android.rockchip.update.permission.SHOW_UI: granted=true
android.permission.EXPAND_STATUS_BAR: granted=true
android.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS: granted=true
android.permission.READ_PROFILE: granted=true
android.permission.BLUETOOTH: granted=true
android.permission.WRITE_MEDIA_STORAGE: granted=true
android.permission.GET_TASKS: granted=true
android.permission.INTERNET: granted=true
android.permission.BLUETOOTH_ADMIN: granted=true
android.permission.CONTROL_VPN: granted=true
android.permission.MANAGE_FINGERPRINT: granted=true
android.permission.MANAGE_USB: granted=true
android.permission.INTERACT_ACROSS_USERS_FULL: granted=true
android.permission.BATTERY_STATS: granted=true
android.permission.PACKAGE_USAGE_STATS: granted=true
android.permission.MOUNT_UNMOUNT_FILESYSTEMS: granted=true
android.permission.TETHER_PRIVILEGED: granted=true
android.permission.WRITE_SECURE_SETTINGS: granted=true
android.permission.MOVE_PACKAGE: granted=true
android.permission.STATUS_BAR_SERVICE: granted=true
android.permission.READ_SEARCH_INDEXABLES: granted=true
android.permission.ACCESS_DOWNLOAD_MANAGER: granted=true
android.permission.BROADCAST_STICKY: granted=true
android.permission.BLUETOOTH_PRIVILEGED: granted=true
android.permission.HARDWARE_TEST: granted=true
android.intent.category.MASTER_CLEAR.permission.C2D_MESSAGE: granted=true
android.permission.BIND_JOB_SERVICE: granted=true
android.permission.CONFIRM_FULL_BACKUP: granted=true
android.permission.SET_TIME: granted=true
android.permission.WRITE_APN_SETTINGS: granted=true
android.permission.CHANGE_WIFI_STATE: granted=true
android.permission.MANAGE_USERS: granted=true
android.permission.ACCESS_NETWORK_STATE: granted=true
android.permission.ACCESS_MTP: granted=true
android.permission.DISABLE_KEYGUARD: granted=true
android.permission.BACKUP: granted=true
android.permission.CHANGE_CONFIGURATION: granted=true
android.permission.USER_ACTIVITY: granted=true
android.permission.READ_LOGS: granted=true
android.permission.COPY_PROTECTED_DATA: granted=true
android.permission.SET_WALLPAPER: granted=true
android.permission.SET_KEYBOARD_LAYOUT: granted=true
android.permission.KILL_BACKGROUND_PROCESSES: granted=true
android.permission.USE_FINGERPRINT: granted=true
android.permission.WRITE_USER_DICTIONARY: granted=true
android.permission.READ_SYNC_STATS: granted=true
android.permission.REBOOT: granted=true
android.permission.OEM_UNLOCK_STATE: granted=true
android.permission.MANAGE_DEVICE_ADMINS: granted=true
android.permission.CHANGE_APP_IDLE_STATE: granted=true
android.permission.SET_POINTER_SPEED: granted=true
com.rigol.watchdog.business.process.crash: granted=true
android.permission.MANAGE_NOTIFICATIONS: granted=true
com.rigol.watchdog.update.app: granted=true
com.rigol.watchdog.update.sys: granted=true
android.permission.CONNECTIVITY_INTERNAL: granted=true
android.permission.READ_SYNC_SETTINGS: granted=true
android.permission.OVERRIDE_WIFI_CONFIG: granted=true
android.permission.FORCE_STOP_PACKAGES: granted=true
android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS: granted=true
android.permission.ACCESS_NOTIFICATIONS: granted=true
android.permission.VIBRATE: granted=true
com.android.certinstaller.INSTALL_AS_USER: granted=true
android.permission.READ_USER_DICTIONARY: granted=true
android.permission.ACCESS_WIFI_STATE: granted=true
android.permission.CHANGE_WIMAX_STATE: granted=true
android.permission.REQUEST_INSTALL_PACKAGES: granted=true
android.permission.MODIFY_PHONE_STATE: granted=true
com.android.launcher.permission.INSTALL_SHORTCUT: granted=true
android.permission.STATUS_BAR: granted=true
android.permission.READ_FRAME_BUFFER: granted=true
android.permission.LOCATION_HARDWARE: granted=true
android.permission.WAKE_LOCK: granted=true
android.permission.INJECT_EVENTS: granted=true
android.permission.DELETE_PACKAGES: granted=true
User 0:
gids=[2001, 3002, 1023, 1015, 3003, 3001, 1024, 1007]
runtime permissions:
android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
android.permission.READ_PHONE_STATE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
android.permission.CALL_PHONE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
android.permission.WRITE_CONTACTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
android.permission.GET_ACCOUNTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
android.permission.READ_CONTACTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
--- End code ---
Modified apk
--- Code: ---
requested permissions:
android.permission.CHANGE_WIFI_STATE
android.permission.EXPAND_STATUS_BAR
android.permission.READ_LOGS
android.permission.SET_TIME
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_NOTIFICATION_POLICY
android.permission.CHANGE_CONFIGURATION
android.permission.REBOOT
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.ACCESS_WIFI_STATE
android.permission.CHANGE_NETWORK_STATE
android.permission.CONNECTIVITY_INTERNAL
android.permission.DISABLE_KEYGUARD
android.permission.WAKE_LOCK
android.permission.READ_FRAME_BUFFER
android.permission.READ_PHONE_STATE
android.permission.READ_EXTERNAL_STORAGE
install permissions:
android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
android.permission.CHANGE_NETWORK_STATE: granted=true
android.permission.EXPAND_STATUS_BAR: granted=true
android.permission.INTERNET: granted=true
android.permission.CHANGE_WIFI_STATE: granted=true
android.permission.ACCESS_NETWORK_STATE: granted=true
android.permission.DISABLE_KEYGUARD: granted=true
android.permission.CHANGE_CONFIGURATION: granted=true
android.permission.READ_LOGS: granted=true
android.permission.ACCESS_WIFI_STATE: granted=true
android.permission.WAKE_LOCK: granted=true
User 0: ceDataInode=112521 installed=true hidden=false suspended=false stopped=true notLaunched=true enabled=0
Shared users:
SharedUser [org.riglol] (2b0b91a):
userId=10036
install permissions:
android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
android.permission.CHANGE_NETWORK_STATE: granted=true
android.permission.EXPAND_STATUS_BAR: granted=true
android.permission.INTERNET: granted=true
android.permission.CHANGE_WIFI_STATE: granted=true
android.permission.ACCESS_NETWORK_STATE: granted=true
android.permission.DISABLE_KEYGUARD: granted=true
android.permission.CHANGE_CONFIGURATION: granted=true
android.permission.READ_LOGS: granted=true
android.permission.ACCESS_WIFI_STATE: granted=true
android.permission.WAKE_LOCK: granted=true
User 0:
gids=[3003, 1007]
runtime permissions:
android.permission.READ_EXTERNAL_STORAGE: granted=true
android.permission.READ_PHONE_STATE: granted=true
android.permission.WRITE_EXTERNAL_STORAGE: granted=true
--- End code ---
Trying to add a specific permission that differs, I get the error:
--- Code: ---
Operation not allowed: java.lang.SecurityException: Package com.riglol.scope has not requested permission android.permission.ACCESS_CACHE_FILESYSTEM
--- End code ---
The apk is installed using .\adb install -g packagename.apk
bosav:
--- Quote from: Dennis Frie on December 28, 2023, 03:34:38 pm ---Just compared the permissions on the 2 apk's. Looks like the original apk pretty much just have full permission to everything :)
--- End quote ---
The issue is not about the Android permissions the app requests, but about the permissions of the Linux user running the application process.
The original app is using the "system" user, but a user-installed app (the patched one) will be a separate user, with different permissions (meaning no access to some parts of the file system, and probably not getting some of the requested Android permissions which are limited to system apps).
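As an added example (not code from this thread), here is a small Python script that does the two checks the posts above make by eye: it parses `adb shell dumpsys package <pkg>` output for both builds, diffs the granted permission sets, and pulls out the sharedUserId and Linux UID that bosav points at. The embedded dumps are constructed, abridged excerpts of the two posted dumps, not the full output; the UID thresholds are Android's AID_SYSTEM (1000) and AID_APP_START (10000).

```python
"""Diff two `adb shell dumpsys package <pkg>` dumps: by permission and by Linux UID."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Android reserves UIDs below 10000 (AID_APP_START) for platform components;
# AID_SYSTEM is 1000. An app built with android:sharedUserId="android.uid.system"
# and signed with the platform key runs as UID 1000; a sideloaded apk cannot.
AID_SYSTEM = 1000
AID_APP_START = 10000

SECTION_RE = re.compile(r"^(requested|install|runtime) permissions:$")
PERM_RE = re.compile(r"^([\w.]+)(?:: granted=(true|false))?")
SHARED_RE = re.compile(r"^SharedUser \[([^\]]+)\]")
UID_RE = re.compile(r"^userId=(\d+)$")


@dataclass
class PackageDump:
    requested: set = field(default_factory=set)
    install: set = field(default_factory=set)
    runtime: set = field(default_factory=set)
    shared_user: Optional[str] = None
    uid: Optional[int] = None


def parse_dumpsys(text: str) -> PackageDump:
    """Collect granted permissions per section plus the sharedUserId and UID."""
    dump, section = PackageDump(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := SHARED_RE.match(line):
            dump.shared_user, section = m.group(1), None
        elif m := UID_RE.match(line):
            dump.uid = int(m.group(1))
        elif line.startswith(("User ", "gids=", "Shared users")):
            section = None
        elif section and (m := PERM_RE.match(line)) and "." in m.group(1):
            # install/runtime lines carry "granted=true|false"; requested lines carry nothing
            if m.group(2) != "false":
                getattr(dump, section).add(m.group(1))
    return dump


def uid_class(uid: Optional[int]) -> str:
    if uid is None:
        return "unknown"
    if uid == AID_SYSTEM:
        return "android.uid.system"
    if uid < AID_APP_START:
        return "reserved platform UID"
    return "ordinary app UID"


def diff_dumps(original: PackageDump, modified: PackageDump) -> dict:
    """What the modified build lost relative to the original, and the UID each runs as."""
    return {
        "lost_install": sorted(original.install - modified.install),
        "lost_runtime": sorted(original.runtime - modified.runtime),
        "same_requested": original.requested == modified.requested,
        "uid": (original.uid, modified.uid),
        "uid_class": (uid_class(original.uid), uid_class(modified.uid)),
    }


# Constructed, abridged excerpts of the two dumps posted in the thread.
ORIGINAL_DUMP = """\
requested permissions:
  android.permission.READ_LOGS
  android.permission.INTERNET
  android.permission.READ_EXTERNAL_STORAGE
install permissions:
  android.permission.INSTALL_PACKAGES: granted=true
  android.permission.WRITE_SECURE_SETTINGS: granted=true
  android.permission.INTERNET: granted=true
  android.permission.READ_LOGS: granted=true
User 0: ceDataInode=0 installed=true hidden=false
Shared users:
  SharedUser [android.uid.system] (6d90f1f):
    userId=1000
    User 0:
      gids=[2001, 3002, 1023]
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
"""

MODIFIED_DUMP = """\
requested permissions:
  android.permission.READ_LOGS
  android.permission.INTERNET
  android.permission.READ_EXTERNAL_STORAGE
install permissions:
  android.permission.INTERNET: granted=true
  android.permission.READ_LOGS: granted=true
User 0: ceDataInode=112521 installed=true hidden=false
Shared users:
  SharedUser [org.riglol] (2b0b91a):
    userId=10036
    User 0:
      gids=[3003, 1007]
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true
"""


def report(original_text: str = ORIGINAL_DUMP, modified_text: str = MODIFIED_DUMP) -> dict:
    return diff_dumps(parse_dumpsys(original_text), parse_dumpsys(modified_text))


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it against the full dumps by saving each `dumpsys package` output to a file and passing the two texts to `report()`. The interesting line is `uid`: the manifest requests the same permissions in both builds (`same_requested` is True), yet the install-time grants differ, because the signature/privileged permissions are tied to running as UID 1000, not to anything `adb install -g` can grant.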
Dennis Frie:
--- Quote from: bosav on December 28, 2023, 03:57:39 pm ---
--- Quote from: Dennis Frie on December 28, 2023, 03:34:38 pm ---Just compared the permissions on the 2 apk's. Looks like the original apk pretty much just have full permission to everything :)
--- End quote ---
The issue is not about the Android permissions the app requests, but about the permissions of the Linux user running the application process.
The original app is using the "system" user, but a user-installed app (the patched one) will be a separate user, with different permissions (meaning no access to some parts of the file system, and probably not getting some of the requested Android permissions which are limited to system apps).
--- End quote ---
Oh, I got the impression the "SU" command would switch to a user with full permissions, eliminating that problem? I've not messed with Android apps and adb before, so I'm in deep water. Thanks for your inputs.
bosav:
--- Quote from: zrq on December 27, 2023, 07:02:16 pm ---OK, my instinct is right: the screenshot problem disappears if I use bosav's method of patching the native binary instead of recompiling the apk. Also worth mentioning, somehow on my scope com.rigol.scope-2 is the right folder name instead of com.rigol.scope-1.
The 50Ohm gain problem is more stubborn than I expected; fiddled again with DrvChannel_SetScale but no success, running out of ideas now...
--- End quote ---
Tried patching more functions, but also had no luck getting it working.
Tried patching _ZN7CApiRef29ApiReference_GetUIVScaleRangeERxS, _ZN12CApiVertical26ApiChannel_SetRefAutoScaleE, _ZN12CApiVertical19ApiChannel_GetScaleERx
Also, checking the code around impedance, found checks for it that look like a _ZN8CChannel12getImpedanceEv call or alternatively something like "*(int *)(param_1 + 0x128)" in decompiled code (when it is accessed directly), where 0 = 50Ω and 1 = 1MΩ.
With that, noticed one common pattern in a bunch of places:
--- Code: ---
iVar2 = _ZN8CChannel12getImpedanceEv(…);
if (iVar2 == 0) {
    ...
    if (iVar1 == 1000) {
        DevInOutAFE_SetHzOutput(param_1,0,0);
        DevInOutAFE_SetHzOutput(param_1,1,1);
    }
    else if (iVar1 == 4000) {
        DevInOutAFE_SetBuffer(param_1,1);
    }
    ...
} else {
    ...
    DevInOutAFE_SetBuffer(param_1,1);
    ...
}
--- End code ---
Not sure what that is doing (any ideas?), but DevInOutAFE_SetHzOutput looks to change something similar to what DevInOutAFE_SetBuffer changes.
And so I tried patching that as well (especially given it looks to be specific to 50Ω), however that was also not successful.
So far, those are all the places I noticed that somehow relate to 50Ω.
zrq:
--- Quote from: bosav on December 29, 2023, 03:24:17 pm ---
--- Quote from: zrq on December 27, 2023, 07:02:16 pm ---OK, my instinct is right: the screenshot problem disappears if I use bosav's method of patching the native binary instead of recompiling the apk. Also worth mentioning, somehow on my scope com.rigol.scope-2 is the right folder name instead of com.rigol.scope-1.
The 50Ohm gain problem is more stubborn than I expected; fiddled again with DrvChannel_SetScale but no success, running out of ideas now...
--- End quote ---
Tried patching more functions, but also had no luck getting it working.
Tried patching _ZN7CApiRef29ApiReference_GetUIVScaleRangeERxS, _ZN12CApiVertical26ApiChannel_SetRefAutoScaleE, _ZN12CApiVertical19ApiChannel_GetScaleERx
Also, checking the code around impedance, found checks for it that look like a _ZN8CChannel12getImpedanceEv call or alternatively something like "*(int *)(param_1 + 0x128)" in decompiled code (when it is accessed directly), where 0 = 50Ω and 1 = 1MΩ.
With that, noticed one common pattern in a bunch of places:
--- Code: ---
iVar2 = _ZN8CChannel12getImpedanceEv(…);
if (iVar2 == 0) {
    ...
    if (iVar1 == 1000) {
        DevInOutAFE_SetHzOutput(param_1,0,0);
        DevInOutAFE_SetHzOutput(param_1,1,1);
    }
    else if (iVar1 == 4000) {
        DevInOutAFE_SetBuffer(param_1,1);
    }
    ...
} else {
    ...
    DevInOutAFE_SetBuffer(param_1,1);
    ...
}
--- End code ---
Not sure what that is doing (any ideas?), but DevInOutAFE_SetHzOutput looks to change something similar to what DevInOutAFE_SetBuffer changes.
And so I tried patching that as well (especially given it looks to be specific to 50Ω), however that was also not successful.
So far, those are all the places I noticed that somehow relate to 50Ω.
--- End quote ---
So far I have done 4 successful hacks to my libscope:
1. NOP out API_SetProductSeries.
2. Patch the default value of the variable referenced in API_GetProductSeries. Together with 1, everywhere API_GetProductSeries is called will get 4000, which seems OK to me. However, one should not do this to DevSystem_GetProductSeries, as it will mess up the acquisition.
3. DrvChannel_SetBandLimit: patch all the 4000 to 1000 and 1000 to probably 1001.
4. Frida hooking _ZN11CApiLicense18check_BandWidthOptE7OptType and installing :SYST:OPT:INST HDO1000-BW2T8.
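For step 4 of zrq's list, here is an added example (not zrq's own script) of what a Frida hook on that licence check looks like, driven from the Python frida bindings. Only the mangled symbol name and the original package name come from the thread. Everything else is an assumption: that the native library file is called libscope.so, that frida-server is running on the scope and reachable over USB, and that the check returns a non-zero value when the option is licensed (the hook overrides the return value to 1 and logs the original). Sending :SYST:OPT:INST HDO1000-BW2T8 is done separately, as in the post.

```python
"""Frida hook for the libscope bandwidth-option licence check (example; assumptions noted)."""
import json
import sys

# From the thread: the mangled name zrq hooked, and the original package name.
TARGET_SYMBOL = "_ZN11CApiLicense18check_BandWidthOptE7OptType"
PROCESS_NAME = "com.rigol.scope"
# Assumptions (not stated in the thread): the library file name, and that the
# function returns non-zero when the option is licensed.
LIB_NAME = "libscope.so"
LICENSED = 1

AGENT_TEMPLATE = r"""
'use strict';
var LIB = __LIB__, NAME = __SYMBOL__, LICENSED = __LICENSED__;

// Mangled C++ names are often in the symbol table but not in the export table,
// so fall back to the module's symbols when the export lookup fails.
function resolve(lib, name) {
    var mod = Process.findModuleByName(lib);
    if (mod === null) return null;
    var addr = mod.findExportByName(name);
    if (addr !== null) return addr;
    var syms = mod.enumerateSymbols();
    for (var i = 0; i < syms.length; i++) {
        if (syms[i].name === name) return syms[i].address;
    }
    return null;
}

var target = resolve(LIB, NAME);
if (target === null) {
    send({event: 'error', msg: 'not found: ' + NAME + ' in ' + LIB});
} else {
    Interceptor.attach(target, {
        onEnter: function (args) {
            // C++ member function: args[0] is `this`, args[1] the OptType argument.
            this.optType = args[1].toInt32();
        },
        onLeave: function (retval) {
            send({event: 'check', optType: this.optType, original: retval.toInt32()});
            retval.replace(LICENSED);   // report the option as licensed (assumed convention)
        }
    });
    send({event: 'hooked', address: target.toString()});
}
"""


def build_agent(symbol=TARGET_SYMBOL, lib=LIB_NAME, licensed=LICENSED) -> str:
    """Render the JavaScript agent; json.dumps yields valid JS string/number literals."""
    return (AGENT_TEMPLATE
            .replace("__LIB__", json.dumps(lib))
            .replace("__SYMBOL__", json.dumps(symbol))
            .replace("__LICENSED__", json.dumps(licensed)))


def on_message(message, data):
    payload = message.get("payload") if message.get("type") == "send" else message
    print("[agent]", payload, file=sys.stderr)


def main():
    import frida  # pip install frida; imported here so build_agent() works without it
    device = frida.get_usb_device(timeout=10)
    session = device.attach(PROCESS_NAME)
    script = session.create_script(build_agent())
    script.on("message", on_message)
    script.load()
    print("hook installed; send :SYST:OPT:INST HDO1000-BW2T8 now, Ctrl-C to detach")
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    session.detach()


if __name__ == "__main__":
    main()
```

The `check` messages are worth watching before trusting the patch: the `original` field tells you what the unhooked function returned for each OptType, which is the evidence for (or against) the assumed return convention. If the agent reports `not found`, the symbol is stripped from both tables and the address has to be supplied from the disassembler instead of resolved by name.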