Author Topic: Hacking the Rigol MHO900 Scope  (Read 19640 times)


Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #75 on: November 24, 2025, 12:45:11 pm »
Do you use JADX for the apk's?

I used multiple Smali to Java decompilers. Each one has different problems with the generated code and sometimes no code at all.

Often I don't even look into the decompiled code, because usually it's a waste of time. Unless I have problems understanding Smali code.

I don't mind standard libc programs on Android.

Libc on Android is different from any other system (glibc). As I said many times: the whole of Android is like reinventing the wheel, but in the shape of a square.

I haven't found a working link for the complete firmware, so I've only been going off the firmware update. It's obviously incomplete though, I took a peek at the main file in IDA and it's obvious that it's referring to code that already exists but not in the update.

Sorry, I have no idea what You are referring to.

https://www.eevblog.com/forum/testgear/rigol-mho98-and-mho900-oscilloscope-series/msg6093421/#msg6093421
« Last Edit: November 24, 2025, 04:18:40 pm by norbert.kiszka »
 

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #76 on: November 24, 2025, 01:31:57 pm »
Ha, so the AFG is actually capable of much higher frequencies than Rigol, by default, allows us to use?

Does it have the bandwidth to output that signal?

Does it heat up or burn any components?

I'm not sure, but I think I said it already somewhere. According to the documentation, the AFG has a sample rate of 1 GSa/s. So theoretically it should be able to give a 500 MHz sine wave.

Low pass filters, even in theory, will not cut out everything. Unless we start speaking about extremely high frequencies like 100 THz or more.

The upper limit is only a limit - if You don't need to use it, then don't use it.

One person reported on his scope that anything above 100 MHz is unstable and with square wave above 25 MHz it's the same.

IMHO capacitive load hurts the feelings of the power rails designed by Rigol.

I guess the AFG board has to be reverse engineered - maybe all we need is two capacitors added in like 10 minutes, including a break for coffee?

And yes, higher frequency will cause burns, if the people behind the design were like: I have no idea what I'm doing here, but they pay me for each hour.

Maybe people working at Rigol are not the smartest in the world (nobody is), but I have strong doubts about such big mistakes being made. You don't need to install any mod or hacked license key to get a higher frequency than Rigol theoretically limited it to.
« Last Edit: November 24, 2025, 04:21:08 pm by norbert.kiszka »
 

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #77 on: November 24, 2025, 04:17:19 pm »
I haven't found a working link for the complete firmware, so I've only been going off the firmware update. It's obviously incomplete though, I took a peek at the main file in IDA and it's obvious that it's referring to code that already exists but not in the update.

Sorry, I have no idea what You are referring to.

I feel stupid right now - I was in a hurry with reading. Dave posted an image of his SD card, which is no longer available. But I did a copy.
 
The following users thanked this post: dc101

Offline dc101

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
Re: Hacking the Rigol MHO900 Scope
« Reply #78 on: November 25, 2025, 08:24:48 am »
I did see that link and downloaded it, but I was expecting to see drives/partitions visible on the card in my Linux VM. I have made SD cards for iMX6 Sabre devboards and those cards seem to have no problem showing at least some partitions in Linux.
I'll have to try downloading the image again and verifying the md5. If that doesn't work then I'll just run binwalk on the image and manually extract the partitions with dd so I can mount them. I also don't have this scope, but I wanted to poke around the file system.
 

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #79 on: November 25, 2025, 08:29:26 am »
MTD is used instead of a partition table.

Testdisk is much faster than binwalk - unless You want to play with the bootloader or DT.

Offline dc101

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
Re: Hacking the Rigol MHO900 Scope
« Reply #80 on: November 25, 2025, 08:40:10 am »
Ahh ok that explains why gparted barfed when I pointed it to the card I made.

I've only ever used testdisk/photorec to recover deleted files for vulnerability reports. I don't like using binwalk because it misses many things; last night I showed someone on Recessim's discord server how it couldn't even find a jffs2 partition in firmware which was clearly visible in vbindiff at 0xF80000. But binwalk will show me the offset in a firmware dump and then I just use dd to manually carve out the specific start and stop address I want to make a new file.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 18089
  • Country: 00
Re: Hacking the Rigol MHO900 Scope
« Reply #81 on: November 25, 2025, 08:51:36 am »
Does it heat up or burn any components?

I'm not sure, but I think I said it already somewhere. According to the documentation, the AFG has a sample rate of 1 GSa/s. So theoretically it should be able to give a 500 MHz sine wave.

That doesn't mean the output circuitry can handle it.

IMHO capacitive load hurts the feelings of the power rails designed by Rigol.

Maybe Rigol was designing a 100Mhz device, not a 500Mhz device.

That "capacitive load" is the danger. Will you take responsibility if this "hack" destroys people's limited edition bling 'scopes?

At the very least you set yours to maximum voltage/500Mhz and pointed a thermal camera at it for an hour, right?


A cautionary tale:
https://youtu.be/4rADgFqFFH8?t=766

 

Offline dc101

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
Re: Hacking the Rigol MHO900 Scope
« Reply #82 on: November 25, 2025, 09:53:40 am »
MTD is used instead of a partition table.

Testdisk is much faster than binwalk - unless You want to play with the bootloader or DT.

I tried your suggestion of using testdisk to search for partitions and then writing the partition table to the disk image. Nice suggestion! That was much faster and the drives don't have errors. When I used dd to extract them, fsck complained they all had errors. Thanks!
 

Offline dc101

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
Re: Hacking the Rigol MHO900 Scope
« Reply #83 on: November 25, 2025, 10:45:03 am »
When I said "referring to code that doesn't exist" this is what I was talking about. In the SparrowIII...bin file there are several entries in the vector table that reference memory addresses that are outside the range of the Sparrow binary. Originally I thought it was missing because I was looking at the binary from the update, but this screenshot is from the SD card image you posted, so there is something else going on here.
 

Offline dzebrys

  • Contributor
  • Posts: 24
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #84 on: November 25, 2025, 12:34:52 pm »
That "capacitive load" is the danger. Will you take responsibility if this "hack" destroys people's limited edition bling 'scopes?

If you read the EULA from Norbert, that comment would not be needed.
Also, that would maybe mean fewer personal journeys between you both on this forum.

best regards
Piotr
 
The following users thanked this post: Sorama

Offline dzebrys

  • Contributor
  • Posts: 24
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #85 on: November 25, 2025, 12:54:05 pm »
When I said "referring to code that doesn't exist" this is what I was talking about. In the SparrowIII...bin file there are several entries in the vector table that reference memory addresses that are outside the range of the Sparrow binary. Originally I thought it was missing because I was looking at the binary from the update, but this screenshot is from the SD card image you posted, so there is something else going on here.

Probably Norbert can explain more and in detail, but this scope.apk is built around the glibc library libscope-auklet.so,
where most of the driver i/f functions and math are implemented. Those addresses are likely direct calls to such.

br/Piotr
 

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #86 on: November 26, 2025, 03:28:19 am »
With a huge help from the users (tests and experiments) and listening to raw communication with the AFE, finally there is a fix for the DC offsets.

Changelog for the v0.1.2:

  • Quick fix of the DC offset in analog channels which appeared in most cases when impedance was 1 MΩ and the bandwidth limit was set to 800 MHz or OFF. The fix is realized by limiting the maximum allowed bandwidth to 500 MHz whenever impedance is set to 1 MΩ. Caused by wrong flags being sent to the AFE chip (the stock app applies the same limit under the same conditions in a slightly different way). With impedance 50 Ω the maximum bandwidth is unchanged (1 GHz).
  • Removed code which in some rare cases could prevent changing the bandwidth.
  • Optimizations.

Tomorrow I will reply for some posts here - I didn't have time for "some" reason.


Offline dc101

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
Re: Hacking the Rigol MHO900 Scope
« Reply #87 on: November 26, 2025, 08:18:43 am »
When I said "referring to code that doesn't exist" this is what I was talking about. In the SparrowIII...bin file there are several entries in the vector table that reference memory addresses that are outside the range of the Sparrow binary. Originally I thought it was missing because I was looking at the binary from the update, but this screenshot is from the SD card image you posted, so there is something else going on here.

Probably Norbert can explain more and in detail, but this scope.apk is built around the glibc library libscope-auklet.so,
where most of the driver i/f functions and math are implemented. Those addresses are likely direct calls to such.

br/Piotr

I was looking in the wrong place, SparrowIII_AFGMCUAPP0106.bin. But it seems this file is not very useful, at least regarding unlocking features.
I found /data/Key.data in the filesystem and after a recursive search I found references to Key.data in the library you mentioned, packed inside Sparrow.apk.
Thank you!
 

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #88 on: November 26, 2025, 06:08:13 pm »
glibc library libscope-auklet.so

A small problem with libc in Android is the fact that this is not glibc (GNU Lib C) but rather Bionic.

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #89 on: November 26, 2025, 06:28:55 pm »
Maybe Rigol was designing a 100Mhz device, not a 500Mhz device.

*MHz, not "Mhz".

That "capacitive load" is the danger.

If the AFG sample rate is 1 GHz, it means the AFG can output 500 MHz. If the power rails can't keep up with delivering a stable enough voltage at 101 MHz, that means only one thing: extremely bad design.

Maybe some cheap opamp or other amplifier can't keep up with such a frequency. What is the point of choosing such a fast and expensive DAC and using its (presumably) full sample rate, when other parts can't keep up with it?

You don't need to install any mod, hack or whatever to manually make samples like -1, 1, -1, 1, ... which should end with an output frequency of half the sample rate.

On a side note, I did a similar thing with GPIO on two STM32s. A little bit of code in assembly and I got a nice, almost sine wave without any magic smoke.

At the very least you set yours to maximum voltage/500Mhz and pointed a thermal camera at it for an hour, right?

I will do similar experiments when I have any model from the MHO900 series. Not only for fun, but mostly to figure out the problem behind this design.

A cautionary tale:
https://youtu.be/4rADgFqFFH8?t=766

From this video I see a multimeter with frequency measurement, without an AFG inside of it. From the Uni-T webpage and datasheet in pdf, it can measure frequency up to 220 MHz. But it had problems with less than half of that. Also I have no idea if there was proper termination on both ends.

Multimeters from this brand are like a lottery. Some models (not even series, but exact models) are nothing more than random number generators. And some (IMHO mostly UT210E) have measurement results with an error much less than noted in the datasheet, and an error below 0.1 % - besides the very low price.

I have/had multiple Uni-T; among them there is a UT-204. I didn't even buy it - some company bought it with delivery to me, only to do some tests with it.

Right after receiving it, almost all measurements were more or less random. The mentioned company contacted the seller, and the seller, after contact with me, replaced it with another one.

And guess what? This time it was just slightly better - only AC measurements (with some delay...) and continuity was working correctly.



So it ended as a toy. I remember only once when I used it (only for continuity), because I forgot to take my other meter from home and I grabbed this toy instead (UT204 visible at the end):



If somebody wants to know, operating rooms are equipped with speakers in the walls or ceilings - this music was played randomly at night (I did nothing to choose this exact song).
 
The following users thanked this post: egonotto

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 18089
  • Country: 00
Re: Hacking the Rigol MHO900 Scope
« Reply #90 on: November 26, 2025, 06:56:32 pm »
A cautionary tale:
https://youtu.be/4rADgFqFFH8?t=766

From this video I see a multimeter with frequency measurement, without an AFG inside of it. From the Uni-T webpage and datasheet in pdf, it can measure frequency up to 220 MHz. But it had problems with less than half of that. Also I have no idea if there was proper termination on both ends.

And I see somebody who doesn't understand capacitance and missed the part where actually putting 200MHz into it made the meter melt.

Short version: learn about frequency derating before posting again.
 

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #91 on: November 26, 2025, 07:01:33 pm »
A cautionary tale:
https://youtu.be/4rADgFqFFH8?t=766

From this video I see a multimeter with frequency measurement, without an AFG inside of it. From the Uni-T webpage and datasheet in pdf, it can measure frequency up to 220 MHz. But it had problems with less than half of that. Also I have no idea if there was proper termination on both ends.

And I see somebody who doesn't understand capacitance and missed the part where actually putting 200MHz into it made the meter melt.

Short version: learn about frequency derating before posting again.

Again, this is bad design. It shouldn't fail (unless it's outside of what was allowed in the datasheet and norms) and it should be capable of doing what was described in the datasheet. If the datasheet says it's capable of measuring up to 10 QHz and it melts at 5 QHz, it means the manufacturer is a scammer. What is Your business with defending scammers?

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 18089
  • Country: 00
Re: Hacking the Rigol MHO900 Scope
« Reply #92 on: November 26, 2025, 07:03:59 pm »
Again, this is bad design.

Rigol sells a 100MHz signal generator, not a 500MHz signal generator.
 
The following users thanked this post: zbyr

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #93 on: November 26, 2025, 07:08:24 pm »
Again, this is bad design.

Rigol sells a 100MHz signal generator, not a 500MHz signal generator.

Really? I didn't know that before. Thanks for letting me know.

In that case, explain why this is an AFG and the original software allows making 500 MHz with custom samples?

Offline gsobol

  • Contributor
  • Posts: 11
  • Country: us
Re: Hacking the Rigol MHO900 Scope
« Reply #94 on: December 01, 2025, 12:57:43 am »
This must have been shared before, but here is a list of all the options that can be added to the MHO900 line of scopes.

Option      Description
BND         CAN-FD serial bus decoding analysis option;
            Flexray bus trigger and decoding analysis option;
            Audio serial bus I2S trigger and decoding analysis option;
            MIL-STD-1553 bus trigger and decoding analysis option;
            Built-in dual-channel 100MHz function generator (and Bode) option
EMBD        Embedded serial bus trigger and analysis
COMP        Computer serial trigger and analysis (RS232/UART)
AUTO        Auto serial bus trigger and analysis
AUTOA       CAN-FD serial bus decoding analysis option
FlexA       Flexray bus trigger and decoding analysis option
AUDIOA      Audio serial bus I2S trigger and decoding analysis option
AEROA       MIL-STD-1553 bus trigger and decoding analysis option
RLU05       500Mpts storage depth option
AFG50       Built-in dual-channel 50MHz function generator (and Bode) option
AFG100      Built-in dual-channel 100MHz function generator (and Bode) option
BWU03T05    350MHz to 500MHz bandwidth upgrade option
BWU03T08    350MHz to 800MHz bandwidth upgrade option
BWU05T08    500MHz to 800MHz bandwidth upgrade option

Based on the model, some of these options may already be active by default - such as 500 MHz bandwidth on the MHO954, and 800 MHz on the MHO984 (or MHO98).
Also, I noticed that 3 options - EMB, COMP and AUTO - are not officially offered, but can be found in the firmware.  :-//

I was unable to locate the new 16-byte key.  However, I was able to locate the unencrypted public key in a memory dump and I was able to activate all options on my scope.  All the thanks to others that did all the work on activating earlier scopes.  Digging through some of the scripts was very informative.  If anyone is interested where and how to look, just post a reply.

Mind you, activating all options on a stock scope does not have the benefit of all the upgrades that others bring to modded firmware (i.e. Norbert).  So, if you want more than just activated options, you should support the people that work hard to make these scopes better.  My $.02
 
The following users thanked this post: Ivan7enych, norbert.kiszka, Patlar

Offline sdouble

  • Frequent Contributor
  • **
  • Posts: 293
  • Country: fr
Re: Hacking the Rigol MHO900 Scope
« Reply #95 on: December 01, 2025, 02:15:26 am »
Hi, I'd love to activate all options
 

Offline norbert.kiszkaTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1132
  • Country: pl
Re: Hacking the Rigol MHO900 Scope
« Reply #96 on: December 01, 2025, 02:20:33 am »
Hi, I'd love to activate all options

Right now all options are hacked and some features are added to the scope firmware. It's here.

Offline gsobol

  • Contributor
  • Posts: 11
  • Country: us
Re: Hacking the Rigol MHO900 Scope
« Reply #97 on: December 01, 2025, 06:03:35 pm »
Hi, I'd love to activate all options

 :scared:Legal disclaimer: All that follows is just a suggestion, observation, whiff of a glue or whatever kids do these days. There is no guarantee any of this will work for you or that it's absolutely accurate in any shape or form in this or any other multiverse.  I might have made all of this $#!+ up.  As it says on any [insert your favorite here] theme park ride, you bear all responsibility henceforth, abandon all hope ye who enter here and enter at your own risk.  If you break something, remember YOU did it. :scared:

If anything below seems daunting, or you are looking for improvements to stock firmware I suggest hitting up Norbert
Right now all options are hacked and some features are added to the scope firmware. It's here.

So before we get started, we'll need a few things: duct tape, zip ties, shovel ... sorry, wrong list, let's try this again:
  • ADB - we'll need to connect to the scope via LAN.  I use the Total Commander plugin, but you can use whatever as long as you can get to the ADB shell
  • HEX Editor - whatever works for you, as long as it has a search option
  • Text Editor - we'll need to edit Serg65536's script
  • Serg65536's rgtoolMod.go script - you can get it here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5153628/#msg5153628
  • Key.data - a copy of your scope's Key file, find it in the /rigol/data directory on your scope

Turn on your scope (fresh start, clear memory is preferred)

Connect to your scope via ADB shell, remember to use correct port [IP]:55555  (if you don't know how to do this, just search this forum, you can also look into Serg65536 scripts - OR this may be a good time to turn back)

Once connected, in the shell elevate to root
rkXXXX_rigol:/ $ su - root
Get all running Rigol processes:
rkXXXX_rigol:/ # ps | grep rigol
root      675   1     3104   504            0 0000000000 S /rigol/tools/tcpsvd
root      689   1     816    4              0 0000000000 S /rigol/tools/pmapService
system    1160  235   1758572 116404          0 0000000000 S com.rigol.launcher
system    1213  235   3816544 302636          0 0000000000 S com.rigol.scope
system    1283  235   1601540 101012          0 0000000000 S com.rigol.launcher:Watchdog
system    1297  235   1621496 85728          0 0000000000 S com.rigol.webcontrol

We are going to look at the com.rigol.scope process - its process id is 1213 (Yours will differ - use your process id for all below).

Now, let's take a look at process memory maps, specifically for libc_malloc:
rkXXXX_rigol:/ # cat /proc/1213/maps | grep "libc_malloc"
7ee2200000-7ee2400000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7efac00000-7efae00000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7efba00000-7efbc00000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f04200000-7f04600000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f1e400000-7f1e600000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f1ea00000-7f1ec00000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f1ee00000-7f1f000000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f1f200000-7f24600000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f24800000-7f4a800000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f4be00000-7f4c000000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f4ce00000-7f4d000000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f4de00000-7f4e000000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f4e200000-7f50200000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f50400000-7f57800000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f58800000-7f59a00000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f62c00000-7f63000000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f64400000-7f64600000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f65400000-7f65800000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f69800000-7f69a00000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f7c600000-7f7c800000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f84c00000-7f84e00000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
7f85c00000-7f86000000 rw-p 00000000 00:00 0                              [anon:libc_malloc]

I did dump all of these, but in my case I found the unencrypted key in the 3rd from the bottom entry, so suggestions below will reflect that.  If you can't find the key in this one, might have to look at other memory entries.

This is the entry we will concentrate on:
7f7c600000-7f7c800000 rw-p 00000000 00:00 0                              [anon:libc_malloc]
A few things to note:
  • We need to know the start of the memory region to dump
    It's going to be the first number 0x7f7c600000 (before the dash), but it needs to be turned into decimal and divided by 4096 - OR for simplicity's sake, let's just drop the last 3 zeros, so we get 0x7f7c600
  • We also need to know how much we need to dump
    You could calculate it by taking the second number (after the dash), subtracting the first number and then dividing it by 4096, bla bla bla .... OR we can just use 512

Now, let's put it all together and dump some memory.  Best place to put it is going to be in /data/UserData folder.
rkXXXX_rigol:/ # cd /data/UserData
rkXXXX_rigol:/data/UserData # dd if=/proc/1213/mem bs=4096 skip=$((0x7f7c600)) count=512 of=./memory.dmp
512+0 records in
512+0 records out
2097152 bytes transferred in 0.018 secs (116508444 bytes/sec)

We should have this:
rkXXXX_rigol:/data/UserData # ls -l
total 4096
-rw------- 1 root root 2097152 2025-12-01 16:51 memory.dmp

Transfer the 2MB file to your PC, and you can clean up the /data/UserData folder by running:
rkXXXX_rigol:/data/UserData # rm memory.dmp
On your PC, open Key.data in a Hex editor - we'll need the content so we know what we'll be searching for in the memory file.  It should look something like this:
00000000  16 f9 39 41 6d 9d 16 8e  e7 a9 73 61 fd c2 fd f7  |..9Am.....sa....|
00000010  e3 cd 39 ee c0 1e 64 35  c4 92 35 46 cd 15 24 af  |..9...d5..5F..$.|
00000020  ea 46 42 4c 4d fd fd 20  7c d3 3c 13 cf ec 6f 0a  |.FBLM.. |.<...o.|
00000030  cc 61 1a d3 8b 9b 34 ef  f2 08 99 89 fd 86 7f c8  |.a....4.........|
00000040  cc 41 ce 34 53 f2 f8 0c  c1 44 f1 cd f7 6c e3 fc  |.A.4S....D...l..|
00000050  4a 90 c7 c3 bd 6f 25 dd  e7 81 aa df df df fd 70  |J....o%........p|
00000060  57 b3 f3 33 63 26 56 00  e9 1d 02 e6 fd 60 d3 43  |W..3c&V......`.C|
00000070  35 43 c5 34 56 88 9e a0  0c e2 ec cc d9 85 fd 0c  |5C.4V...........|
00000080  dd fb a8 f1 f1 bd cc 5b  bc bd f0 67 3c 6f 08 1d  |.......[...g<o..|
00000090  ad f4 45 54                                       |..ET|

Take note of the first few bytes in hex -> 16 f9 39 41 6d 9d.  Now let's look for this sequence in the memory file.  It may show up 2 or 3 times, and we need to examine all the hits to locate the unencrypted key.
At each hit location, we need to scroll down a bit to locate the unencrypted key.  Example below:
00000000  00 00 00 00 00 00 00 00  00 00 00 16 f9 39 41 6d  |.............9Am|
00000010  9d 16 8e e7 a9 73 61 fd  c2 fd f7 e3 cd 39 ee c0  |.....sa......9..|
00000020  1e 64 35 c4 92 35 46 cd  15 24 af ea 46 42 4c 4d  |.d5..5F..$..FBLM|
00000030  fd fd 20 7c d3 3c 13 cf  ec 6f 0a cc 61 1a d3 8b  |.. |.<...o..a...|
00000040  9b 34 ef f2 08 99 89 fd  86 7f c8 cc 41 ce 34 53  |.4..........A.4S|
00000050  f2 f8 0c c1 44 f1 cd f7  6c e3 fc 4a 90 c7 c3 bd  |....D...l..J....|
00000060  6f 25 dd e7 81 aa df df  df fd 70 57 b3 f3 33 63  |o%........pW..3c|
00000070  26 56 00 e9 1d 02 e6 fd  60 d3 43 35 43 c5 34 56  |&V......`.C5C.4V|
00000080  88 9e a0 0c e2 ec cc d9  85 fd 0c dd fb a8 f1 f1  |................|
00000090  bd cc 5b bc bd f0 67 3c  6f 08 1d ad f4 45 54 00  |..[...g<o....ET.|
000000a0  00 00 00 00 00 00 00 00  00 00 00 22 41 44 43 31  |..........."ADC1|
000000b0  5f 41 4d 42 49 45 4e 54  5f 54 45 4d 50 00 00 00  |_AMBIENT_TEMP...|
000000c0  00 00 00 90 43 43 24 56  57 8d fa 78 d7 8d f8 9f  |....CC$VW..x....|
000000d0  78 9f f5 00 00 00 00 00  00 00 00 00 00 00 00 00  |x...............|
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 68 99 00 da ff  |...........h....|
00000120  d8 78 9d 00 00 00 00 00  00 00 00 00 00 00 00 00  |.x..............|
00000130  56 df 67 00 00 00 00 00  00 df 76 56 58 76 99 41  |V.g.......vVXv.A|
00000140  00 00 00 03 00 00 00 00  00 00 00 1c 41 44 43 31  |............ADC1|
00000150  5f 43 48 49 50 5f 54 45  4d 50 00 00 00 00 00 00  |_CHIP_TEMP......|
00000160  00 00 00 42 35 36 37 32  33 45 35 34 46 35 37 41  |...B56723E54F57A|
00000170  42 35 45 00 00 00 00 00  00 00 00 00 00 00 00 00  |B5E.............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001b0  00 00 00 00 00 00 00 00  00 00 00 37 38 39 34 35  |...........78945|
000001c0  37 41 31 00 00 00 00 00  00 00 00 00 00 00 00 00  |7A1.............|
000001d0  c0 57 40 00 00 00 00 00  00 f0 bf 01 44 00 00 07  |.W@.........D...|
000001e0  00 00 00 02 00 00 00 00  00 00 00 20 43 48 34 5f  |........... CH4_|
000001f0  41 4d 42 49 45 4e 54 5f  54 45 4d 50 00 00 00 00  |AMBIENT_TEMP....|
00000200  00 00 00 41 36 37 38 41  44 46 45 39 35 33 34 33  |...A678ADFE95343|
00000210  35 39 41 00 00 00 00 00  00 00 00 00 00 00 00 00  |59A.............|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000250  00 00 00 00 00 00 00 00  00 00 00 34 35 36 41 46  |...........456AF|
00000260  36 38 45 00 00 00 00 00  00 00 00 00 00 00 00 00  |68E.............|
00000270  34 67 80 00 00 00 00 00  00 45 78 84 2a 00 00 aa  |4g.......Ex.*...|
00000280  00 00 00 0d ad ff df 00  00 00 00 30 34 36 38 37  |...........04687|
00000290  41 45 44 30 34 33 37 36  37 38 43 45 35 37 41 46  |AED0437678CE57AF|
000002a0  36 31 32 44 44 33 35 37  36 46 41 37 39 35 44 37  |612DD3576FA795D7|
000002b0  43 30 43 32 33 33 43 42  43 35 34 37 38 37 38 39  |C0C233CBC5478789|
000002c0  41 37 36 39 31 41 39 30  32 35 36 32 42 39 39 42  |A7691A902562B99B|
000002d0  45 42 37 36 38 39 34 41  37 38 37 30 30 35 31 43  |EB76894A7870051C|
000002e0  36 37 38 38 45 36 39 31  36 33 32 38 42 34 43 38  |6788E6916328B4C8|
000002f0  31 34 35 33 35 36 31 32  37 38 31 32 31 36 36 44  |145356127812166D|
00000300  31 43 43 42 36 33 35 35  39 45 46 46 41 00 00 44  |1CCB63559EFFA..D|
00000310  31 43 43 42 36 33 35 35  39 45 46 46 41 00 00 00  |1CCB63559EFFA...|
00000320  00 00 00 00 00 00 00 00  00 00 00 1a 43 48 34 5f  |............CH4_|
00000330  43 48 49 50 5f 54 45 4d  50 00 00 00 00 00 00 00  |CHIP_TEMP.......|
00000340  00 00 00 33 35 36 41 44  35 37 41 45 33 36 37 36  |...356AD57AE3676|
00000350  36 43 43 00 00 00 00 00  00 00 00 00 00           |6CC..........|

Above, the unencrypted key starts with 04 - notice it's in plain text and not HEX.   The length of the key is 130 characters (132 if we include the 2 NULLs at the end).  We need to copy out the text portion.
04687AED0437678CE57AF612DD3576FA795D7C0C233CBC5478789A7691A902562B99BEB76894A7870051C6788E6916328B4C8145356127812166D1CCB63559EFFA
We need to create a string that we'll add to the script by combining "brainpoolP256r1;" and our unencrypted key, the result will look like this:
brainpoolP256r1;04687AED0437678CE57AF612DD3576FA795D7C0C233CBC5478789A7691A902562B99BEB76894A7870051C6788E6916328B4C8145356127812166D1CCB63559EFFA
Now, let's modify Serg65536's rgtoolMod.go script.  Open the script in a text editor.  We are looking for the function LoadKeys():
Code:
func LoadKeys() ([]uint8, error, []uint8) {
	data, err := ioutil.ReadFile(Expand(keyFile))
	if nil != err {
		return nil, err, nil
	}
	dd := decodeDefaultXXTEA(data)
	i := bytes.Index(dd, []uint8(";"))
	if -1 == i {
		return nil, errors.New("key format error"), nil
	}
	return dd[i+1:], nil, dd
}

We'll add a line with the full key string, so the resulting function will look like this:
Code:
func LoadKeys() ([]uint8, error, []uint8) {
	data, err := ioutil.ReadFile(Expand(keyFile))
	if nil != err {
		return nil, err, nil
	}
	dd := decodeDefaultXXTEA(data)
	// Override the decoded key file contents with the plain-text key string built above.
	dd = []byte("brainpoolP256r1;04687AED0437678CE57AF612DD3576FA795D7C0C233CBC5478789A7691A902562B99BEB76894A7870051C6788E6916328B4C8145356127812166D1CCB63559EFFA")
	i := bytes.Index(dd, []uint8(";"))
	if -1 == i {
		return nil, errors.New("key format error"), nil
	}
	return dd[i+1:], nil, dd
}

Yeah, I know it's ugly and I could have come up with a cleaner solution, but hey, it's a one line ... nothing beats a temporary solution that works  ;D

Now you can run the script to generate SCPI commands:
Code:
# go run ./rgtoolMod.go Key.data MHO9 :SYST:OPT:INST BND EMBD COMP AUTO AUTOA FlexA AUDIOA AEROA RLU05 AFG50 AFG100 BWU03T05 BWU03T08 BWU05T08
keyFile: Key.data
deviceId: MHO9
SCPI format: ':SYST:OPT:INST'
options: [BND EMBD COMP AUTO AUTOA FlexA AUDIOA AEROA RLU05 AFG50 AFG100 BWU03T05 BWU03T08 BWU05T08]

Key: brainpoolP256r1;04687AED0437678CE57AF612DD3576FA795D7C0C233CBC5478789A7691A902562B99BEB76894A7870051C6788E6916328B4C8145356127812166D1CCB63559EFFA

Generating unlock SCPI commands for the MHO900 series scope:


Generated option commands saved to the file: 'SCPI_commands_generated.txt'


Now, you can open a browser and navigate to the "Web Control" page for your scope (use the scope's IP address).
Select "SCPI Panel Control" on the left side.
In the command window delete '*IDN?' and paste each :SYST:OPT:INST command one at a time, hitting the [Send & Read] button each time.

If you made it this far, you are brave or ..., yeah let's go with brave.   :-+


* Applied the function code fix that andyCap24 pointed out just below - wrong line order strikes again :D
« Last Edit: December 02, 2025, 02:55:44 pm by gsobol »
 

Offline andyCap24

  • Newbie
  • Posts: 2
  • Country: 00
Re: Hacking the Rigol MHO900 Scope
« Reply #98 on: December 02, 2025, 04:10:01 am »
Thanks gsobol!  :D
Adding another suggestion with same disclaimer, to get the function working  8)
Code:
func LoadKeys() ([]uint8, error, []uint8) {
	data, err := ioutil.ReadFile(Expand(keyFile))
	if nil != err {
		return nil, err, nil
	}
	dd := decodeDefaultXXTEA(data)
	// Override the decoded key file contents with the plain-text key string.
	dd = []byte("brainpoolP256r1;04687AED0437678CE57AF612DD3576FA795D7C0C233CBC5478789A7691A902562B99BEB76894A7870051C6788E6916328B4C8145356127812166D1CCB63559EFFA")
	i := bytes.Index(dd, []uint8(";"))
	if -1 == i {
		return nil, errors.New("key format error"), nil
	}
	return dd[i+1:], nil, dd
}
 
The following users thanked this post: pakakezu, mrthreeplates

Offline 0xdeadbeef

  • Super Contributor
  • ***
  • Posts: 1865
  • Country: de
Re: Hacking the Rigol MHO900 Scope
« Reply #99 on: December 02, 2025, 07:24:33 am »
Also, I noticed that 3 options - EMB, COMP and AUTO are not officially offered, but can be found in firmware,  :-//
IMHO, these are always included by default.
From what I can tell, "AUTO" is CAN (non FD) and LIN, "EMB" is SPI and I2C and "COMP" is UART.
Trying is the first step towards failure - Homer J. Simpson
 
The following users thanked this post: egonotto

