Hacking the Rigol MSO8204 / MSO8000 (3/9)
asp:
They have changed the appended 00 chars lately (from 2 * 00 to two hundred and something * 00) before doing the XXTEA encrypt on the key (used to have 148 bytes and now there are scopes with 388 bytes). The key is the same, since otherwise the old licenses would not work on newer firmware.

In regards to the RSA series, I would need somebody with an RSA to send me a dump of the filesystem (most notably /rigol).
tv84:
--- Quote from: asp on July 12, 2024, 09:41:44 am ---
They have changed the appended 00 chars lately (from 2 * 00 to two hundred and something * 00) before doing the XXTEA encrypt on the key (used to have 148 bytes and now there are scopes with 388 bytes). The key is the same, since otherwise the old licenses would not work on newer firmware.
--- End quote ---
Oh, OK. Probably they are preparing the room for changing the ECC curve. But then just accommodate a bigger BIGNUM in the code and all is good. :)
BTO:
--- Quote ---
I have some doubts about what you all say "keys with different sizes"...
--- End quote ---
Different LENGTHS.

Actually it would seem that the pattern was, since you and DrMefisto released rigol_kg2.py, that there were basically 2 options. At the bottom (can't remember the line) there was the option of -2 00, or change it to -3 000.

Now, I observed that MSO5074 (70MHz) models with no BND options activated without issue on -2 00. MSO5100 (100MHz) models activated by using -3 000 but could not by using the above. This method also held true for MSO5074 WITH BND options. The key length across all these models was identical (I have them recorded but can't remember the length off hand).

Then around 6 to 8 weeks ago I noticed a trend, that being that even MSO5074 didn't activate with the script you provided. They got an Assertion Error which was triggered by the assertion pertaining to "len", and it all went from there. Upon examination of the key, the key was approx 3x the length of the ones that didn't get the assertion error. So yes, it's a length thing, to my knowledge. Happy to be proven incorrect though.

--- Quote ---
If you are, then you have not fully understood what is at play. The key size of a specific ECC Brainpool curve key is always the same!
--- End quote ---
OK, I'll look into that.

--- Quote ---
Another TODO: you can also expand the keygen to address Rigol's RSA devices... ;)
--- End quote ---
LOL, ironically I was wondering the exact same thing and suspected that I could do exactly that. I also had a guy contact me about the RSA series, so that's next on my TODO list.
BTO:
--- Quote from: asp on July 12, 2024, 09:41:44 am ---
They have changed the appended 00 chars lately (from 2 * 00 to two hundred and something * 00) before doing the XXTEA encrypt on the key (used to have 148 bytes and now there are scopes with 388 bytes). The key is the same, since otherwise the old licenses would not work on newer firmware.

In regards to the RSA series, I would need somebody with an RSA to send me a dump of the filesystem (most notably /rigol).
--- End quote ---

--- Quote ---
(used to have 148 bytes and now there are scopes with 388 bytes)
--- End quote ---
I have also seen 276 bytes, as well as 148 and 388.

--- Quote ---
In regards to the RSA series, I would need somebody with an RSA to send me a dump of the filesystem (most notably /rigol).
--- End quote ---
I MAY BE ABLE TO HELP WITH THIS. I'll reach out to the person who approached me with the RSA model and ask them to supply the dump. I don't imagine they'll put up resistance, as they were extremely keen to get it activated. I'll keep you updated.
BTO:
--- Quote from: tv84 on July 12, 2024, 09:46:59 am ---
--- Quote from: asp on July 12, 2024, 09:41:44 am ---
They have changed the appended 00 chars lately (from 2 * 00 to two hundred and something * 00) before doing the XXTEA encrypt on the key (used to have 148 bytes and now there are scopes with 388 bytes). The key is the same, since otherwise the old licenses would not work on newer firmware.
--- End quote ---
Oh, OK. Probably they are preparing the room for changing the ECC curve. But then just accommodate a bigger BIGNUM in the code and all is good. :)
--- End quote ---
Something to that effect... was my suspicion, and it only started, up to... 2 months ago.