
Hacking the HDO1k/HDO4k Rigol 12 bit scope


Dennis Frie:
Just compared the permissions on the 2 apk's. Looks like the original apk pretty much just has full permission to everything :)

Original apk

--- Code: ---
    requested permissions:
      android.permission.CHANGE_WIFI_STATE
      android.permission.EXPAND_STATUS_BAR
      android.permission.READ_LOGS
      android.permission.SET_TIME
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.ACCESS_NOTIFICATION_POLICY
      android.permission.CHANGE_CONFIGURATION
      android.permission.REBOOT
      android.permission.ACCESS_NETWORK_STATE
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
      android.permission.CHANGE_NETWORK_STATE
      android.permission.CONNECTIVITY_INTERNAL
      android.permission.DISABLE_KEYGUARD
      android.permission.WAKE_LOCK
      android.permission.READ_FRAME_BUFFER
      android.permission.READ_PHONE_STATE
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.ACCESS_CACHE_FILESYSTEM: granted=true
      android.permission.WRITE_SETTINGS: granted=true
      android.permission.CONFIGURE_WIFI_DISPLAY: granted=true
      android.permission.CONFIGURE_DISPLAY_COLOR_MODE: granted=true
      android.permission.ACCESS_WIMAX_STATE: granted=true
      android.permission.RECOVERY: granted=true
      android.permission.USE_CREDENTIALS: granted=true
      android.permission.MODIFY_AUDIO_SETTINGS: granted=true
      android.permission.ACCESS_CHECKIN_PROPERTIES: granted=true
      android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
      com.rigol.watchdog.have.new.app: granted=true
      com.rigol.watchdog.have.new.sys: granted=true
      android.permission.INSTALL_LOCATION_PROVIDER: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.CLEAR_APP_USER_DATA: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.NFC: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
      android.permission.MASTER_CLEAR: granted=true
      android.permission.WRITE_SYNC_SETTINGS: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.PEERS_MAC_ADDRESS: granted=true
      android.permission.DEVICE_POWER: granted=true
      android.rockchip.update.permission.SHOW_UI: granted=true
      android.permission.EXPAND_STATUS_BAR: granted=true
      android.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS: granted=true
      android.permission.READ_PROFILE: granted=true
      android.permission.BLUETOOTH: granted=true
      android.permission.WRITE_MEDIA_STORAGE: granted=true
      android.permission.GET_TASKS: granted=true
      android.permission.INTERNET: granted=true
      android.permission.BLUETOOTH_ADMIN: granted=true
      android.permission.CONTROL_VPN: granted=true
      android.permission.MANAGE_FINGERPRINT: granted=true
      android.permission.MANAGE_USB: granted=true
      android.permission.INTERACT_ACROSS_USERS_FULL: granted=true
      android.permission.BATTERY_STATS: granted=true
      android.permission.PACKAGE_USAGE_STATS: granted=true
      android.permission.MOUNT_UNMOUNT_FILESYSTEMS: granted=true
      android.permission.TETHER_PRIVILEGED: granted=true
      android.permission.WRITE_SECURE_SETTINGS: granted=true
      android.permission.MOVE_PACKAGE: granted=true
      android.permission.STATUS_BAR_SERVICE: granted=true
      android.permission.READ_SEARCH_INDEXABLES: granted=true
      android.permission.ACCESS_DOWNLOAD_MANAGER: granted=true
      android.permission.BROADCAST_STICKY: granted=true
      android.permission.BLUETOOTH_PRIVILEGED: granted=true
      android.permission.HARDWARE_TEST: granted=true
      android.intent.category.MASTER_CLEAR.permission.C2D_MESSAGE: granted=true
      android.permission.BIND_JOB_SERVICE: granted=true
      android.permission.CONFIRM_FULL_BACKUP: granted=true
      android.permission.SET_TIME: granted=true
      android.permission.WRITE_APN_SETTINGS: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.MANAGE_USERS: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.ACCESS_MTP: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.BACKUP: granted=true
      android.permission.CHANGE_CONFIGURATION: granted=true
      android.permission.USER_ACTIVITY: granted=true
      android.permission.READ_LOGS: granted=true
      android.permission.COPY_PROTECTED_DATA: granted=true
      android.permission.SET_WALLPAPER: granted=true
      android.permission.SET_KEYBOARD_LAYOUT: granted=true
      android.permission.KILL_BACKGROUND_PROCESSES: granted=true
      android.permission.USE_FINGERPRINT: granted=true
      android.permission.WRITE_USER_DICTIONARY: granted=true
      android.permission.READ_SYNC_STATS: granted=true
      android.permission.REBOOT: granted=true
      android.permission.OEM_UNLOCK_STATE: granted=true
      android.permission.MANAGE_DEVICE_ADMINS: granted=true
      android.permission.CHANGE_APP_IDLE_STATE: granted=true
      android.permission.SET_POINTER_SPEED: granted=true
      com.rigol.watchdog.business.process.crash: granted=true
      android.permission.MANAGE_NOTIFICATIONS: granted=true
      com.rigol.watchdog.update.app: granted=true
      com.rigol.watchdog.update.sys: granted=true
      android.permission.CONNECTIVITY_INTERNAL: granted=true
      android.permission.READ_SYNC_SETTINGS: granted=true
      android.permission.OVERRIDE_WIFI_CONFIG: granted=true
      android.permission.FORCE_STOP_PACKAGES: granted=true
      android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS: granted=true
      android.permission.ACCESS_NOTIFICATIONS: granted=true
      android.permission.VIBRATE: granted=true
      com.android.certinstaller.INSTALL_AS_USER: granted=true
      android.permission.READ_USER_DICTIONARY: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.CHANGE_WIMAX_STATE: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
      android.permission.MODIFY_PHONE_STATE: granted=true
      com.android.launcher.permission.INSTALL_SHORTCUT: granted=true
      android.permission.STATUS_BAR: granted=true
      android.permission.READ_FRAME_BUFFER: granted=true
      android.permission.LOCATION_HARDWARE: granted=true
      android.permission.WAKE_LOCK: granted=true
      android.permission.INJECT_EVENTS: granted=true
      android.permission.DELETE_PACKAGES: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0

Shared users:
  SharedUser [android.uid.system] (6d90f1f):
    userId=1000
    install permissions:
      android.permission.ACCESS_CACHE_FILESYSTEM: granted=true
      android.permission.WRITE_SETTINGS: granted=true
      android.permission.CONFIGURE_WIFI_DISPLAY: granted=true
      android.permission.CONFIGURE_DISPLAY_COLOR_MODE: granted=true
      android.permission.ACCESS_WIMAX_STATE: granted=true
      android.permission.RECOVERY: granted=true
      android.permission.USE_CREDENTIALS: granted=true
      android.permission.MODIFY_AUDIO_SETTINGS: granted=true
      android.permission.ACCESS_CHECKIN_PROPERTIES: granted=true
      android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
      com.rigol.watchdog.have.new.app: granted=true
      com.rigol.watchdog.have.new.sys: granted=true
      android.permission.INSTALL_LOCATION_PROVIDER: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.CLEAR_APP_USER_DATA: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.NFC: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
      android.permission.MASTER_CLEAR: granted=true
      android.permission.WRITE_SYNC_SETTINGS: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.PEERS_MAC_ADDRESS: granted=true
      android.permission.DEVICE_POWER: granted=true
      android.rockchip.update.permission.SHOW_UI: granted=true
      android.permission.EXPAND_STATUS_BAR: granted=true
      android.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS: granted=true
      android.permission.READ_PROFILE: granted=true
      android.permission.BLUETOOTH: granted=true
      android.permission.WRITE_MEDIA_STORAGE: granted=true
      android.permission.GET_TASKS: granted=true
      android.permission.INTERNET: granted=true
      android.permission.BLUETOOTH_ADMIN: granted=true
      android.permission.CONTROL_VPN: granted=true
      android.permission.MANAGE_FINGERPRINT: granted=true
      android.permission.MANAGE_USB: granted=true
      android.permission.INTERACT_ACROSS_USERS_FULL: granted=true
      android.permission.BATTERY_STATS: granted=true
      android.permission.PACKAGE_USAGE_STATS: granted=true
      android.permission.MOUNT_UNMOUNT_FILESYSTEMS: granted=true
      android.permission.TETHER_PRIVILEGED: granted=true
      android.permission.WRITE_SECURE_SETTINGS: granted=true
      android.permission.MOVE_PACKAGE: granted=true
      android.permission.STATUS_BAR_SERVICE: granted=true
      android.permission.READ_SEARCH_INDEXABLES: granted=true
      android.permission.ACCESS_DOWNLOAD_MANAGER: granted=true
      android.permission.BROADCAST_STICKY: granted=true
      android.permission.BLUETOOTH_PRIVILEGED: granted=true
      android.permission.HARDWARE_TEST: granted=true
      android.intent.category.MASTER_CLEAR.permission.C2D_MESSAGE: granted=true
      android.permission.BIND_JOB_SERVICE: granted=true
      android.permission.CONFIRM_FULL_BACKUP: granted=true
      android.permission.SET_TIME: granted=true
      android.permission.WRITE_APN_SETTINGS: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.MANAGE_USERS: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.ACCESS_MTP: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.BACKUP: granted=true
      android.permission.CHANGE_CONFIGURATION: granted=true
      android.permission.USER_ACTIVITY: granted=true
      android.permission.READ_LOGS: granted=true
      android.permission.COPY_PROTECTED_DATA: granted=true
      android.permission.SET_WALLPAPER: granted=true
      android.permission.SET_KEYBOARD_LAYOUT: granted=true
      android.permission.KILL_BACKGROUND_PROCESSES: granted=true
      android.permission.USE_FINGERPRINT: granted=true
      android.permission.WRITE_USER_DICTIONARY: granted=true
      android.permission.READ_SYNC_STATS: granted=true
      android.permission.REBOOT: granted=true
      android.permission.OEM_UNLOCK_STATE: granted=true
      android.permission.MANAGE_DEVICE_ADMINS: granted=true
      android.permission.CHANGE_APP_IDLE_STATE: granted=true
      android.permission.SET_POINTER_SPEED: granted=true
      com.rigol.watchdog.business.process.crash: granted=true
      android.permission.MANAGE_NOTIFICATIONS: granted=true
      com.rigol.watchdog.update.app: granted=true
      com.rigol.watchdog.update.sys: granted=true
      android.permission.CONNECTIVITY_INTERNAL: granted=true
      android.permission.READ_SYNC_SETTINGS: granted=true
      android.permission.OVERRIDE_WIFI_CONFIG: granted=true
      android.permission.FORCE_STOP_PACKAGES: granted=true
      android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS: granted=true
      android.permission.ACCESS_NOTIFICATIONS: granted=true
      android.permission.VIBRATE: granted=true
      com.android.certinstaller.INSTALL_AS_USER: granted=true
      android.permission.READ_USER_DICTIONARY: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.CHANGE_WIMAX_STATE: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
      android.permission.MODIFY_PHONE_STATE: granted=true
      com.android.launcher.permission.INSTALL_SHORTCUT: granted=true
      android.permission.STATUS_BAR: granted=true
      android.permission.READ_FRAME_BUFFER: granted=true
      android.permission.LOCATION_HARDWARE: granted=true
      android.permission.WAKE_LOCK: granted=true
      android.permission.INJECT_EVENTS: granted=true
      android.permission.DELETE_PACKAGES: granted=true
    User 0:
      gids=[2001, 3002, 1023, 1015, 3003, 3001, 1024, 1007]
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.CALL_PHONE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.WRITE_CONTACTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.GET_ACCOUNTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.READ_CONTACTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]

--- End code ---



Modified apk

--- Code: ---
    requested permissions:
      android.permission.CHANGE_WIFI_STATE
      android.permission.EXPAND_STATUS_BAR
      android.permission.READ_LOGS
      android.permission.SET_TIME
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.ACCESS_NOTIFICATION_POLICY
      android.permission.CHANGE_CONFIGURATION
      android.permission.REBOOT
      android.permission.ACCESS_NETWORK_STATE
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
      android.permission.CHANGE_NETWORK_STATE
      android.permission.CONNECTIVITY_INTERNAL
      android.permission.DISABLE_KEYGUARD
      android.permission.WAKE_LOCK
      android.permission.READ_FRAME_BUFFER
      android.permission.READ_PHONE_STATE
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
      android.permission.EXPAND_STATUS_BAR: granted=true
      android.permission.INTERNET: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.CHANGE_CONFIGURATION: granted=true
      android.permission.READ_LOGS: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.WAKE_LOCK: granted=true
    User 0: ceDataInode=112521 installed=true hidden=false suspended=false stopped=true notLaunched=true enabled=0

Shared users:
  SharedUser [org.riglol] (2b0b91a):
    userId=10036
    install permissions:
      android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
      android.permission.EXPAND_STATUS_BAR: granted=true
      android.permission.INTERNET: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.CHANGE_CONFIGURATION: granted=true
      android.permission.READ_LOGS: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.WAKE_LOCK: granted=true
    User 0:
      gids=[3003, 1007]
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true
        android.permission.READ_PHONE_STATE: granted=true
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true

--- End code ---


Trying to add a specific permission that differs, I get the error:

--- Code: ---
Operation not allowed: java.lang.SecurityException: Package com.riglol.scope has not requested permission android.permission.ACCESS_CACHE_FILESYSTEM
--- End code ---


The apk is installed using .\adb install -g packagename.apk

bosav:

--- Quote from: Dennis Frie on December 28, 2023, 03:34:38 pm ---Just compared the permissions on the 2 apk's. Looks like the original apk pretty much just has full permission to everything :)

--- End quote ---

The issue is not about the Android permissions the app requests, but about the permissions of the Linux user running the application process.

The original app is using the "system" user, but a user-installed app (for the patched one) will be a separate user… with different permissions (meaning no access to some parts of the file system, and probably not getting some of the requested Android permissions which are limited to system apps).
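The comparison Dennis Frie makes by eye above, and bosav's point that the deciding factor is the shared user id the process runs as, can both be checked mechanically. The following is an added example (not code from the thread, from Rigol, or from any poster) that parses two constructed, shortened dumpsys excerpts modelled on the dumps quoted above and reports which grants the re-signed build lost, which requested permissions it never received, and which uid each package runs as; the android.uid.system / org.riglol names and uids follow the thread's dumps.

```python
import re
# Constructed, shortened excerpts in the layout of `adb shell dumpsys package <pkg>`,
# modelled on the two dumps quoted in the thread (not copied from it).
ORIGINAL = """\
    requested permissions:
      android.permission.REBOOT
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.REBOOT: granted=true
      android.permission.INTERNET: granted=true
Shared users:
  SharedUser [android.uid.system] (6d90f1f):
    userId=1000
    User 0:
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED ]
"""
MODIFIED = """\
    requested permissions:
      android.permission.REBOOT
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
Shared users:
  SharedUser [org.riglol] (2b0b91a):
    userId=10036
    User 0:
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true
"""
PERM = re.compile(r"^([\w.]+)(?::\s*granted=(true|false))?")
SHARED_USER = re.compile(r"SharedUser \[([^\]]+)\]")
USER_ID = re.compile(r"userId=(\d+)")

def parse_dump(text):
    # requested + granted (install and runtime) permissions, and the shared uid the package runs as
    d = {"requested": set(), "granted": set(), "shared_user": "", "uid": -1}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SHARED_USER.search(line):
            d["shared_user"] = m.group(1)
        elif m := USER_ID.search(line):
            d["uid"] = int(m.group(1))
        elif line.endswith("permissions:"):
            section = line.split()[0]          # requested / install / runtime
        elif line.startswith("User ") or line.endswith(":"):
            section = None                     # left a permission list
        elif section and (m := PERM.match(line)):
            if section == "requested":
                d["requested"].add(m.group(1))
            elif m.group(2) == "true":
                d["granted"].add(m.group(1))
    return d

def compare(original_text, modified_text):
    a, b = parse_dump(original_text), parse_dump(modified_text)
    return {
        "same_requests": a["requested"] == b["requested"],
        # held by the system-uid build but refused to the re-signed one
        "lost_grants": sorted(a["granted"] - b["granted"]),
        # requested but never granted: signature-level ones the package manager refused
        "modified_missing": sorted(b["requested"] - b["granted"]),
        # uids below 10000 are platform components (1000 is 'system'); app uids start at 10000
        "original_uid": (a["shared_user"], a["uid"], 0 <= a["uid"] < 10000),
        "modified_uid": (b["shared_user"], b["uid"], 0 <= b["uid"] < 10000),
    }
```

Run against a real pair of dumps, the "lost_grants" list is the set of privileges that only the android.uid.system shared user confers, which is exactly what no amount of requesting in the manifest or `adb install -g` can give a third-party-signed package.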

Dennis Frie:

--- Quote from: bosav on December 28, 2023, 03:57:39 pm ---
--- Quote from: Dennis Frie on December 28, 2023, 03:34:38 pm ---Just compared the permissions on the 2 apk's. Looks like the original apk pretty much just has full permission to everything :)

--- End quote ---

The issue is not about the Android permissions the app requests, but about the permissions of the Linux user running the application process.

The original app is using the "system" user, but a user-installed app (for the patched one) will be a separate user… with different permissions (meaning no access to some parts of the file system, and probably not getting some of the requested Android permissions which are limited to system apps).

--- End quote ---

Oh, I got the impression the "SU" command would switch to a user with full permissions, eliminating that problem? I've not messed with Android apps and adb before, so I'm in deep water. Thanks for your input.

bosav:

--- Quote from: zrq on December 27, 2023, 07:02:16 pm ---OK my instinct is right, the screenshot problem disappears if I use bosav's method for patching the native binary instead of recompiling the apk. Also worth mentioning, somehow on my scope, the com.rigol.scope-2 is the right folder name instead of com.rigol.scope-1.
The 50Ohm gain problem is more stubborn than I expected, fiddled again with DrvChannel_SetScale but no success, running out of ideas now...

--- End quote ---

Tried patching more functions, but also had no luck getting it working.

Tried patching _ZN7CApiRef29ApiReference_GetUIVScaleRangeERxS, _ZN12CApiVertical26ApiChannel_SetRefAutoScaleE, _ZN12CApiVertical19ApiChannel_GetScaleERx

Also, checking things in the code around impedance, I found checks for it that look like a _ZN8CChannel12getImpedanceEv call or alternatively something like "*(int *)(param_1 + 0x128)" in decompiled code (when it is accessed directly), where 0 = 50Ω and 1 = 1MΩ.

With that, I noticed one common pattern in a bunch of places:


--- Code: ---
  iVar2 = _ZN8CChannel12getImpedanceEv(…);
  if (iVar2 == 0) {
    ...
    if (iVar1 == 1000) {
      DevInOutAFE_SetHzOutput(param_1,0,0);
      DevInOutAFE_SetHzOutput(param_1,1,1);
    }
    else if (iVar1 == 4000) {
      DevInOutAFE_SetBuffer(param_1,1);
    }
    ...
  } else {
    ...
    DevInOutAFE_SetBuffer(param_1,1);
    ...
  }

--- End code ---

Not sure what that is doing (any ideas?), but DevInOutAFE_SetHzOutput looks to change something similar to what DevInOutAFE_SetBuffer changes…
And so I tried patching that as well (especially given it looks to be specific to 50Ω); however, that also was not successful.

So far, those are all the places I noticed that somehow relate to 50Ω.

zrq:

--- Quote from: bosav on December 29, 2023, 03:24:17 pm ---
--- Quote from: zrq on December 27, 2023, 07:02:16 pm ---OK my instinct is right, the screenshot problem disappears if I use bosav's method for patching the native binary instead of recompiling the apk. Also worth mentioning, somehow on my scope, the com.rigol.scope-2 is the right folder name instead of com.rigol.scope-1.
The 50Ohm gain problem is more stubborn than I expected, fiddled again with DrvChannel_SetScale but no success, running out of ideas now...

--- End quote ---

Tried patching more functions, but also had no luck getting it working.

Tried patching _ZN7CApiRef29ApiReference_GetUIVScaleRangeERxS, _ZN12CApiVertical26ApiChannel_SetRefAutoScaleE, _ZN12CApiVertical19ApiChannel_GetScaleERx

Also, checking things in the code around impedance, I found checks for it that look like a _ZN8CChannel12getImpedanceEv call or alternatively something like "*(int *)(param_1 + 0x128)" in decompiled code (when it is accessed directly), where 0 = 50Ω and 1 = 1MΩ.

With that, I noticed one common pattern in a bunch of places:


--- Code: ---
  iVar2 = _ZN8CChannel12getImpedanceEv(…);
  if (iVar2 == 0) {
    ...
    if (iVar1 == 1000) {
      DevInOutAFE_SetHzOutput(param_1,0,0);
      DevInOutAFE_SetHzOutput(param_1,1,1);
    }
    else if (iVar1 == 4000) {
      DevInOutAFE_SetBuffer(param_1,1);
    }
    ...
  } else {
    ...
    DevInOutAFE_SetBuffer(param_1,1);
    ...
  }

--- End code ---

Not sure what that is doing (any ideas?), but DevInOutAFE_SetHzOutput looks to change something similar to what DevInOutAFE_SetBuffer changes…
And so I tried patching that as well (especially given it looks to be specific to 50Ω); however, that also was not successful.

So far, those are all the places I noticed that somehow relate to 50Ω.

--- End quote ---

So far I did 4 successful hacks to my libscope:
1. nop out the API_SetProductSeries
2. patch the default value of the variable referenced in API_GetProductSeries. Together with 1, everywhere API_GetProductSeries is called shall get 4000, which seems OK to me. However, one should not do this to DevSystem_GetProductSeries as it will mess up the acquisition.
3. DrvChannel_SetBandLimit: patch all the 4000 to 1000 and 1000 to probably 1001
4. frida hooking _ZN11CApiLicense18check_BandWidthOptE7OptType and installing :SYST:OPT:INST HDO1000-BW2T8
