Hameg R&S HMO scope licenses not available anymore

[Xyphro]

Hi Guys,

Just heard, that I cannot buy anymore a license for my HMO2024 scope (i need Ho010 serial decoding).
Took me 6 month to get convinced, that the money is worth it and now they discontinued even the buying of licenses? Quite disappointing.

Is there still a way, how I can buy a licenses, that somebody is aware of?

Best regards,

Kai

[rvalente]

Typical support behavior from germany (as well Japanese) companies, they discontinue their product and do not give a fuck for their legacy. I've seen this with siemens industrial equipment so many times.

At list they should have been nice and released a last firmware with all add-ons enabled just like Tek (aint a fan boy) did.

Id try to sell this unit and get yourself a hackable siglent/rigol.

[YetAnotherTechie]

To do serial analysis get a cheap usb logic analyzer. To add licenses, open the scope and start investigating!

[Xyphro]

Well, I have 3 Rigol scopes (& 1 Tek 1GHz scope) and still prefer this nice, tiny very portable, pretty noise free guy.

I also have a logic analzyer, but sometimes it is just nice to see timing behaviour of analog towards a decoded serial. Yes, I have a saleae logic pro 8 analyzer, that one can do analog too, but with limited bandwidth and sensitivity.
Let's call my wish for serial decoding a luxury problen, not a definate need.

I go to h*cking mode indeed then. So disappointed about the company mentality here - I am willing to pay and they discontinued just very few weeks ago

[Messtechniker]

Hi Guys,

Just heard, that I cannot buy anymore a license for my HMO2024 scope (i need Ho010 serial decoding).

Did you ask R&S directly by email, for example at "CustomerSupport@rohde-schwarz.com"?
If no licences are available any more simply ask for a free licence. Maybe worth a try.

[darkstar49]

I go to h*cking mode indeed then. So disappointed about the company mentality here - I am willing to pay and they discontinued just very few weeks ago

Do you have any early FW files ?? Just checked 4.531, resource file is OK, but the actual firmware file seems encrypted... (could be compression only, but entropy looks pretty high and constant for compression only). Can't recall to have seen any threads discussing HMO hacking...
If you're willing to dig in 'the hard way', check maybe the RTB thread... https://www.eevblog.com/forum/testgear/rs-rtb2004-snooping/msg3241942/#msg3241942

[EEVblog]

Hi Guys,

Just heard, that I cannot buy anymore a license for my HMO2024 scope (i need Ho010 serial decoding).

Did you ask R&S directly by email, for example at "CustomerSupport@rohde-schwarz.com"?
If no licences are available any more simply ask for a free licence. Maybe worth a try.

Yes, they should just give it away if they no longer sell it. I think Keysight did this with their 5000 series scope?

[Xyphro]

They will likely be afraid of people buying cheap end of life equipment and then getting all nice goodies for free anf not buying limited new stuff again. If I put a matketing-hat on, I can even somehow understand it :-) as a techie, it is hard to understand those kind of politics. But why shutdown a simple license generation system, generating money from virtually no effort.

This Renesas Sh2a/sh7203 is pretty closed in terms of details about debugging protocol, so I can't go a nice openocd based approach, but will borrow a debugger from an friend + willing to desolder also the tsop48 housing flash for readout. Will take some time, but now I feel a challenge to solve.

[RBBVNL9]

You might want to consider a PicoScope.

Most PicoScopes, including their most affordable models, use the same software which supports a wide range of serial protocol decoding functions. While the actual supported protocols may depend on hardware (e.g. bandwidth of channels), even the cheapest PicoScopes models support 1-Wire, ARINC 429, CAN & CAN FD, DALI, DCC, DMX512, Ethernet,  FlexRay, I²C, I²S, LIN, Manchester, MODBUS, PS/2, SENT, SPI, UART (RS-232 / RS-422 / RS-485), and USB 1.1. You can decode multiple protocols at the same time, the only limitation is the number of input channels you have.

I have PicoScope models 3405D and 2204A and find they both work quite well for serial decoding. While they do not have advanced triggering on serial protocols (which my R&S RTB2004 does have), the PicoScope's memory, search and analysis functions are much more powerful than many oscilloscopes.

The 2204A has a list price os US$ 139, which is less than many software options for bench oscilloscopes!

GL

[uski]

But why shutdown a simple license generation system, generating money from virtually no effort.

They hope that people who were ready to pay for a license will pay for a new scope, PLUS the license for this new scope, instead. This is especially valid for business users.
The cash cow is companies paying for equipment, not hobbyists. It is not surprising that they are protecting the model so that it is the most efficient possible toward people who pay the most...

I guess it's time to start hacking 

[darkstar49]

I guess it's time to start hacking 

yes, once you'll have a (decrypted) firmware image to chew... 

[Xyphro]

Will work on this over weekend, hoping the image is unencrypted in the flash at least (e10a debugger I will also get). I even found a nice tssop48 socket, that I can solder on the hmo2024 tssop48 pad directly, after removing the flash for easy multiple read/write cycles.

Oh, I got official direct reply too. No licenses can be bought anymore.

[Noy]

Will follow this thread.
Have an old Hameg HMO3524 (pre R&S Type) here with not all options installed :-D

[tunk]

Oh, I got official direct reply too. No licenses can be bought anymore.

Politely tell them that you will not buy any R&S products,
and that you will advice other people to be cautious if they
consider buying R&S products.

[Xyphro]

I did, but honestly if I would get such an email, I'd also think: "yeaaaaah, suuure".

Although there is something behind it, but simply not in a measureable way, so nobody believes.

[Saskia]

thanks for the info, it seems that that finally convinces me to NOT buy one of their newer scopes.

[tv84]

Looking for a unique, cheap versatile USB to GPIB adapter with standard USBTMC interface?
Build it yourself :-) https://github.com/xyphro/UsbGpib

Very nice!   

[Xyphro]

Thanks, took quite some effort to make and I use it with all my GPIB devices so far. There are also some guys having it built with success.

On the HMO: Find an update attached.

jTag pins identified, could read out the correct ID of the SH7203 MPU (confirmed jedec Manufacturer ID).

The only issue is, I am stuck without the E10a debugger from Renesas. The jTag, which they call uHDI is not documented and I could not find any software supporting this interface in context with SH7203 MPU.

Any Japanese colleagues here, that are able to google on japanese pages for e.g. an FTDI based H-UDI interface Software enabling memory read/write for SH7203 and help me out? 

It not, I'll will pick up an e10a tomorrow from a friend.
Edit: The interface is called H-UDI not U-HDI

[Rich@RohdeScopesUSA]

Zyphro - I can't make any promises, but let me see what I can get to happen.

-Rich

[YetAnotherTechie]

Thanks, took quite some effort to make and I use it with all my GPIB devices so far. There are also some guys having it built with success.

On the HMO: Find an update attached.

jTag pins identified, could read out the correct ID of the SH7203 MPU (confirmed jedec Manufacturer ID).

The only issue is, I am stuck without the E10a debugger from Renesas. The jTag, which they call uHDI is not documented and I could not find any software supporting this interface in context with SH7203 MPU.

Any Japanese colleagues here, that are able to google on japanese pages for e.g. an FTDI based H-UDI interface Software enabling memory read/write for SH7203 and help me out? 

It not, I'll will pick up an e10a tomorrow from a friend.
Edit: The interface is called H-UDI not U-HDI

So i read a few pages here and there about your renesas cpu, what i figured is you can use jtag as boundary scan *and* as debugger, boundary scan "uses standard registers" and h-udi is proprietary (https://renesasrulz.com/the_vault/f/archive-forum/7208/sh7253-jtag-debug-through-e10a) (https://www.manualslib.com/manual/140503/Renesas-Sh7781.html?page=1517)
It should be possible to use jtag to bit-bang a sequence to read the flash, I would desolder the chip and read it on tl866...

[Xyphro]

The sh7203 does not have boundary scan as one of the few devices in the series. Some sh2a controllers have it, some not as I could see so far. I started with urJtag, because that can bitbang using boundary scan.

As I will get the e10a today (just a 30km drive) there is no need to desolder + I can dump ram (maybe flash just has a bootloader and decrypts flash to ram?) and even debug too.

@Rich/R&S: let me know if you can organize sth. to avoid this overhead. Thanks for checking.

Best regards,

Kai

[Xyphro]

Ps: my tsop30/40/48 adapter for tl866 will only arrive in a few weeks. Made a layout for a flash programmer using atmega16 + a few 74lv164/74lv165 as IO expanders, but my PCB etching setup has some issues, making this path slower.

[MichalZ]

Hi.
I have similar problem with Hameg HMO3524 but mine applies to firmware.
Not  so long ago i have idea to find a new firmware to my Hameg, but i cant find hameg home page, its redirect you to the R&S page, but on R&S page i cant find any f.. information about Hameg or firmware for Hameg.
Their help desk inform me that latest firmware that i can instal to my scope without problem is 2.502, there is newer version 4.206 but for install it in Hamegs HMO3522 and HMO3524 the hardware upgrade is necessarry.
For HMO3000 serie not. That is a different hardware and different firmware.
They dont want to tell me what about these "hardware upgrade", they send me to my local R&S distributor, but distributor don't answer to my emails.

So, if you have Hameg HMO3522 or HMO3524 and you have firmware 2.xx the 2.502 is max you can install, if you want ver 4.206 you have to send the scope to R&S for hardware upgrade and probably pay for these. Great!!

If somebody needs i have both version in my HDD.

[Noy]

Same issue with mine..

[Xyphro]

Nice (NOT! ), I know somebody, that killed his SMIQ frontpanel in a similar way, by installing accidentally a version for a newer one. Funny to see, that newer stuff still has no firmware compatibility check built in.

Fyi: Have dumped flash and the 2 RAMs, investigation ongoing.

[tv84]

AES-256 key for HMOxxxx .HFU packages:

2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409

Parsing of HAMEG_FW_HMO1524_HMO2024_04_531 firmware:

Code: [Select]

00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 0004038C  [00000400-0004078B]
00000006   Section 2 Size: 00490E24  [0004078C-004D15AF]
0000000A  Section 1 CRC16: 93B5    CRC OK
0000000C  Section 2 CRC16: 80A8    CRC OK
0000000E             ????: 0x10130000
0000001E            Model: HMO_A24
0000002E       FW Version: 04.531
0000003E     Release Date: 2015-07-27
0000004E             ????: 16668.14471
0000005E      Compilation: Build 34649 built on 2015-07-27 10:03:31 by MaG? [04.531 - HCL: 02.015 - MesOS: 03.222]
0000015E  (???) Hash Type: 2
00000198            Build: 34649
000001AA Section 1 SHA256: 8F218EEC05C6B6894FF6B85A87349B0F    HASH OK
000001CA Section 2 SHA256: FAFD8282DA34598936B85C8FC7CFDE94    HASH OK
000003FE     Header CRC16: 9CB0    CRC OK
--------------------------------------------------------------------
0004078C **** SubSection 0x80 ****
0004078D  SubSect Hdr Size: 0025
0004078F   SubSection Size: 00003493  [000407B1-00043C43]
00040793  SubSection CRC16: 3416    CRC OK
000407AB     Contents Size: 0000348E  [000407B4-00043C41]
000407AF SubSect Hdr CRC16: FFB1      [0004078C-000407AE]    CRC OK
000407B4 BMP (640x480 pixels - 8 bits / compr.: 1)   [000407B4-00043C41]
00043C44 **** SubSection 0x11 ****
00043C45  SubSect Hdr Size: 0025
00043C47   SubSection Size: 0048D937  [00043C69-004D159F]
00043C4B  SubSection CRC16: 1026    CRC OK
00043C63     Contents Size: 0048D932  [00043C6C-004D159D]
00043C67 SubSect Hdr CRC16: E88A      [00043C44-00043C66]    CRC OK
00043C6C Bootloader Programmer


[abyrvalg]

"subsection 0x11" load address 0x10000, CPU Renesas SH2A
RAM segments:
D5F97D0-D617F7E copy from 341784
D617F80-D61BA28 copy from 35FF34
D61BA30-D917990 zero init
FFF84000-FFF8A874 copy from 3639DC

Some interesting functions:
00054E28: SCPI DIAGNOSTIC:SERVICE:LICENCE:INVALIDATE handler
0005D47C: SCPI DIAGNOSTIC:SERVICE:LICENCE:STATUS handler
0005D5C8: SCPI DIAGNOSTIC:SERVICE:LICENCE:SET:KEY handler

The key should look like 32 hex chars, CRC16-CCITT (0x1021 poly) is a part of validation algo.

Upd:
- the key is converted to 16 bytes binary
- decrypted with AES-256 ECB using key pointed to by [0D82C33C]
- byte order is swapped in each 4-byte group
- the result is passed to int func_00176830(uint32 key_decr[4]) for validation:

- key_decr[0] == [dword_D82C340] - instrument id ?
...

Many important things are pointed by fields of some struct starting at D82C330.

Looks like there is no validation at each power up (it is done at installation time, then option data is stored in a plain form somewhere), so with debug adapter and flash access it could be possible just to add more option records to that storage without reversing the key generation. But after getting that AES key from [0D82C33C]-> the rest could be trivial. A RAM dump would help a lot.

[tmbinc]

This sounds _very_ similar to the HMS-X spectrum analyzer. Same AES key for firmware decryption, same license crap.

From my notes - sorry, this was ~2015 - a license key is an AES-encrypted tuple of 4 little-endian words. First word is the serial number, second word is the "Feature" to enable, third word is "0", fourth word is "1" (or maybe it's don't-care?). The AES key starts with 86BA...
Feature was either 0x11, 0x13, 0x14, 0x15 on the HMS-X, but one of them was a reset key that cleared all options. (Which is super annoying when you need to enter 3x32 hex digits via the frontpanel again)

What I don't see here though is the CRC16 CCIT, so maybe things _are_ different.

I'm really not a fan of posting keygens here, but if these are unobtainium for otherwise EOL'ed devices, I care less.

[tv84]

key pointed to by [0D82C33C]

86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE

[tv84]

It seems the method described in the previous messages, works!

[Noy]

Should this also work in the old Hameg Brand HMO3524?

So i have to create my "key" according the upper message and than encrypt it AES with the posted key and this into the scope?

[tv84]

My guess would be 'yes' to both but I've never dealt with one.

[Noy]

THX to tv84 he veryfied thats it is also possible for the old Hameg brand HMO devices.

[artag]

Confirmed to work on HMS-X as tmbinc describes.

The option numbers are not similar to the licence numbers (HV211 etc). 0x11 deletes all options (heart in mouth moment as I already had two of them installed at the factory) and 0x12 is invalid.

[MichalZ]

Hello.
Finally i have a response from Rohde & Schwarz about loading firmware 4.206 to Hameg HMO3522 or HMO3524.

These is mail from Service Coordinator in Hungary where is apparently service center for EU:

Please be informed about that for modification to be able to do the fw upgrade there is no spare part needed, but some components on digital acquisition board need to be changed.
Unfortunately this action can not be offered free of charge like FW update on other devices. We can do this modification including FW Update as a part of R&S® Manufacturer Calibration product.
So this small HW change will be covered in calibration product.

As for this please find attached our offer about mentioned calibration including the necessary modification and fw update.
Thank you for your understanding and cooperation!


And these is the price proposal:

1. CAL-MAN                            Part Number: 5930.0015.00
R&S®Manufacturer Calibration:
- Calibration certificate incl. compliance statement
- ISO 9001 certified and in line with ISO 17025
- Measurement of complete product specifications with the same procedures as used in production, incl. measurement uncertainties/guardbanding
- Documentation of calibration results upon receipt
- Adjustments to optimize the product parameters to after production condition when needed and documentation of after adjustment parameters
- Preventive maintenance/perform. modifications
R&S®Manufacturer Calibration
Type: HMO3524
Man.: ROHDE & SCHWARZ
Serial no.: n.a.
Ident no.: 3594.4680.24
350MHz Mixed Signal Oscilloscope, 4 Channels
Delivery time: 2 weeks

Price:  317.00Euro


2. GENCOSTS              Part number:  3642.9623.06
Freight - Customized
Return delivery.
Price: 55.00Euro

Total Net Price: EUR372.00

So it's looks like customers have to pay for manufacturer project/productions mistakes/failure.

This is not cool. 

[Neper]

That's R&S for you. Many years ago, I bought a R&S HE011 active antenna from them. Cost over 1000 deutschmarks which was a lot of money at the time. A year later, there was a lightning strike in the close vicinity and I phoned them if I could send the antenna in to have it checked, only to be told that this was a "non-service-item". I should just bin it and buy another one. Haven't bought anything from them since.

And their customer service has been moved to Hungary, of all places? Yet another example of the EU's double standards. Our governments complain about Orban's neo-fascist regime and our industry profits from his low wages and the dismantling of workers' rights.

[BreakingOhmsLaw]

Yeah, R&S support is abysmal. They recently dumped the entire support for older Hameg equipment and now that's in the hand of a small company called Sky.
They do an ever worse job and don't even respond to requests, not even a friendly "f*#% off, peasant!"

R&S living up to their German nickname. We call them "Rostig & Schwer" here. ("Rusty and heavy").

[TRN]

I just stumbled across this post, and have a question.

When I use binwalk -B on the decrypted HAMEG_FW_HMO1524_HMO2024_04_531 firmware, It does not find a main binary (ELF), but only:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
177400        0x2B4F8         CRC32 polynomial table, big endian
264116        0x407B4         PC bitmap, Windows 3.x format,, 640 x 480 x 8
3125508       0x2FB104        CRC32 polynomial table, big endian
3129604       0x2FC104        CRC32 polynomial table, little endian
3133715       0x2FD113        Copyright string: "Copyright 1995-2005 Jean-loup Gailly "
3255235       0x31ABC3        Copyright string: "Copyright 1995-2005 Mark Adler "
3258896       0x31BA10        GIF image data, version "89a", 25381
3259696       0x31BD30        CRC32 polynomial table, big endian
3260828       0x31C19C        SHA256 hash constants, big endian
3261422       0x31C3EE        Copyright string: "Copyright (c) 1998-2010 Glenn Randers-Pehrson"
3261468       0x31C41C        Copyright string: "Copyright (c) 1996-1997 Andreas Dilger"
3261507       0x31C443        Copyright string: "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."
3432368       0x345FB0        Zlib compressed data, best compression
3433524       0x346434        Zlib compressed data, best compression
3433928       0x3465C8        Zlib compressed data, best compression
3437696       0x347480        GIF image data, version "89a", 222 x 29
------------------------------------------------------------------------------
------------------------------------------------------------------------------
3556212       0x364374        GIF image data, version "89a", 218 x 257
3561137       0x3656B1        PC bitmap, Windows 3.x format,, 640 x 480 x 8
3565159       0x366667        PC bitmap, Windows 3.x format,, 640 x 50 x 8
3569439       0x36771F        PC bitmap, Windows 3.x format,, 640 x 50 x 8
3574003       0x3688F3        PC bitmap, Windows 3.x format,, 640 x 50 x 8
3575551       0x368EFF        PC bitmap, Windows 3.x format,, 250 x 400 x 8
3588149       0x36C035        PC bitmap, Windows 3.x format,, 640 x 480 x 8
3703088       0x388130        PNG image, 323 x 207, 8-bit colormap, non-interlaced
3779696       0x39AC70        Zip archive data, at least v2.0 to extract, compressed size: 331086, uncompressed size: 520561, name: 1G0K010.rbf
4110851       0x3EBA03        Zip archive data, at least v2.0 to extract, compressed size: 34729, uncompressed size: 62902, name: MC_EP2C5F256VK11.rbf
4145658       0x3F41FA        Zip archive data, at least v2.0 to extract, compressed size: 796, uncompressed size: 4986, name: I2C.HDS
4146519       0x3F4557        Zip archive data, at least v2.0 to extract, compressed size: 791, uncompressed size: 4986, name: SSPI.HDS
4147376       0x3F48B0        Zip archive data, at least v2.0 to extract, compressed size: 801, uncompressed size: 4986, name: UART.HDS
4148243       0x3F4C13        Zip archive data, at least v2.0 to extract, compressed size: 506691, uncompressed size: 1234318, name: hm_chin13.hft
4655005       0x47079D        Zip archive data, at least v2.0 to extract, compressed size: 370623, uncompressed size: 1060402, name: hm_chin14.hft
5025699       0x4CAFA3        Zip archive data, at least v2.0 to extract, compressed size: 1881, uncompressed size: 5624, name: hm_sz10.hft
5027649       0x4CB741        Zip archive data, at least v2.0 to extract, compressed size: 2091, uncompressed size: 6508, name: hm_sz12.hft
5029809       0x4CBFB1        Zip archive data, at least v2.0 to extract, compressed size: 2186, uncompressed size: 6948, name: hm_sz13.hft
5032064       0x4CC880        Zip archive data, at least v2.0 to extract, compressed size: 2320, uncompressed size: 7392, name: hm_sz14.hft
5035347       0x4CD553        End of Zip archive, footer length: 22

So what am I missing?

[tv84]

I just stumbled across this post, and have a question.

When I use binwalk -B on the decrypted HAMEG_FW_HMO1524_HMO2024_04_531 firmware, It does not find a main binary (ELF), but only:
...
So what am I missing?

The main app is this part (this proc. has no .ELFs):

Code: [Select]

00000002   Section 1 Size: 0004038C  [00000400-0004078B]
Look at my parsing a few posts back.

You load it like this:

Code: [Select]

ROM:0C000400 ; Processor       : SH2A
ROM:0C000400 ; Target assembler: SHASM Assembler
ROM:0C000400 ; Byte sex        : Big endian

[TRN]

Thanks tv84.

I presume

ROM:0C000400 ; Processor       : SH2A
ROM:0C000400 ; Target assembler: SHASM Assembler
ROM:0C000400 ; Byte sex        : Big endian

Was a slip of the pen, and should read

ROM:0x000400 ; Processor       : SH2A
ROM:0x000400 ; Target assembler: SHASM Assembler
ROM:0x000400 ; Byte sex        : Big endian

rgds

[tv84]

Was a slip of the pen

Nope.

[lux]

Hi, i have a hmo 1202 and i would like to enable a higher bandwidth, bus analysis options...
I have read the previous posts, but i haven´ t understand everything.
Can someone please explain what are the steps to unlock the scope?

[avkas]

Hi,
I have a HMO1002 oscilloscope, anybody have the keygen to upgarde?
The r&s not sell any lic key!!!
Thanks

[avkas]

Hi,
I have a HMO 1002, can you help me to upgrade?
Thanks

[Neper]

R&S living up to their German nickname. We call them "Rostig & Schwer" here. ("Rusty and heavy").

I know them as Schwarte und Rotz, which isn't very complimentary either.

[avkas]

Hi, i have a hmo 1002 and i would like to enable a higher bandwidth, bus analysis options...
Can someone please explain what are the steps to unlock the scope?
Thanks

[pegasu]

Hello,
I have an R&S®HMS-X:

Does anyone have the keys for the next upgrade

R&S®HV211: Unlock Integrated Tracking Generators (TG)
R&S®HV212: Bandwidth upgrade to 3GHz

Thank you in advance

[Jan Audio]

No support is asking for hacks.
About time you can get your R&S the full rigol treatment.

[artag]

@pegasu: You need to calculate them yourself from the information in the thread, because your keys are related to your serial number.
However, it's all there and worked for me in enabling the TG.
Especially see the post from tmbinc but you will need to understand the previous posts to make use of that.

[pegasu]

Hello Artag,
thank you for your answer but it's not very easy to understand.
If I give you my serial number could you calculate the key for me?

[artag]

It's a $765+$1550 option and some people still seem to be selling it. Others are showing no stock of the voucher, but R&S still seem to processing the vouchers even if they've stopped on the HMO.

The information might need some thought, but it's all there. I didn't know how to use it either but it didn't take much research to find out. I'm not aware that doing it wrong would screw anything up, but I don't really want to risk that on someone else's equipment.

For what it's worth .. the TG is not very fancy. It's certainly not as functional as a proper signal generator. $765 is overpriced imho.

[pegasu]

I don't really understand this key system with the serial number that's why I asked to do it for me.
It's a shame that there isn't a small program that can generate this key with the serial number
For me more than 700 is way too expensive
Too bad I couldn't Upgrade my HMS-X.....

[electr_peter]

Does someone have a valid license key for Hameg/R&S equipment in a "SERIALNUMBER.hlk" file? Looking at the manuals of scopes I see slightly different info, real example would be appreciated. License keys or s/n are not needed, just the formatting.
I am checking documentation on R&S and Hameg equipment and licenses (HMO/RTC/RTB/RTM/RTA scopes, HMC devices). There is a mention of "SERIAL NUMBER.hlk", "SERIALNUMMER.hlk" files with license code, presumably formatted in this fashion:

Code: [Select]

0123456789ABCDEF0123456789ABCDEFHowever, format above does not work - it is probably much more complex than this.

[electr_peter]

HMC* series devices from Hameg/R&S seems to follow the same licensing scheme as mentioned above.

[pegasu]

Hello:
Anyone to help me get this license key for my HMS-X please ?

[Cold North]

Hi, I tried the above for my HMO 1002, wrote a key generator, but didn't have much luck. So, based on the information above more reverse-engineering was called for. Now, I should really know my way around e.g. Ghidra, but in actual fact I'm not that useful when it comes to actual work... However, my son is!  So combining our efforts, mostly his, we delved a bit deeper.

The first clue came straight from the user manual(!):

(See attached image, can't get it to show here...)

If one decrypts (using the 256 bit AES key above) the first three keys listed in the manual one gets (hex):

2f31c100 02000000  00000000  00000000
2f31c100 08000000  00000000  00000000
2f31c100 07000000  00000000  00000000

i.e. little endian 32 bit words, where first is serial number, second feature, and then zeroes. In this case the serial number of the scope used in the manual is: 012 661 039 decimal as listed by the scope (for complete test vectors).

It's of course amusing that information is leaked like this in the product manual.

Now, continuing the reversing we found that the file format for license keys is fairly straightforward: The license key file is a straight text file with one key per line. If the first character of the line is a '#' the rest of the line is ignored (i.e. a comment) and then the keys themselves are just 32 hex characters (case doesn't matter) and begun by "KEY:"

So the key in the example in the manual would be written:

KEY:fd907d5ba47... etc.

The only thing left to dig out was the actual features which obviously vary from scope model to model. We found that 0x11 erased all license (good to know for testing), and that the function that prints information about the licences write "Not available" (or words to that effect) and doesn't parse the license further if the feature is greater than 0x28.

So as the parsing routine doesn't abend when its given an invalid key, but just skips to the next, we didn't actually reverse which features correspond to which codes, we just generated a file with all possible features (except 0x11 of course) and just ran that. Which had the intended effect. (It's of course equally possible to generate one license file per feature to map them out, we didn't bother).

Since we reversed the license key file format, experimenting becomes much, much more tractable than having to enter them by hand (which is somewhat painful).

So, even if there is still much to do reversing-wise (we used the latest firmware and Ghidra even found an ELF in there) all the features have been cracked, and writing a key-generator is of course trivial given knowledge of the serial number. (I don't know about how you usually think about that, so I refrain from posting code.)

Many thanks to the people who posted the information earlier in the thread, standing on the shoulders of gigants and all that, continuing was much, much easier.

[electr_peter]

Now, continuing the reversing we found that the file format for license keys is fairly straightforward: The license key file is a straight text file with one key per line. If the first character of the line is a '#' the rest of the line is ignored (i.e. a comment) and then the keys themselves are just 32 hex characters (case doesn't matter) and begun by "KEY:"
So the key in the example in the manual would be written:

Code: [Select]

KEY:fd907d5ba47... etc.

Excellent info

[homerjs]

Working 
thx to all

[homerjs]

PS: the "key gen" is openssl   

[nikifena]

Hi guys, let me share my experience, but first many thanks to Cold North!

I wasn't able to generate the keys by myself. I have different skills, but I have a friend with good programming experience, and he helped me by generating some keys.  I gave him all the information given by Cold North plus the serial number of my scope. He didn't know the exact feature number, but he put a lot of keys into a single text file using this order:

KEY:**********
KEY:**********
etc.

Most of the keys were wrong, but there were also all working keys. Each key was written in a new line, and finally I changed the name of this text file to serialnumber.hlk


Then I loaded the file from the scope, and now I have all options available


Many thanks to Cold North!

[AJ3G]

Rich:

I am personal friends with another current R&S Applications Engineer, as he worked with me at another company. I too tried to get S/W Option keys for some of the Legacy R&S/Hameg equipment. In this case it was a 500MHz Scope, which had been discontinued. I was willing to pay for those options, but simply could not find them anywhere.

Despite his position in R&S he too could not get his hands on any of the licenses to open up some of the features of the scope. I agree with others here, these really ought to be supported for those that do have older scopes. It would be great if they were free, but providing a paid for option for a scope that is less than 10 years old does not seem like a poor business practice to me, especially when you consider the customer who typically buys a HMO series.

Rich

[Cold North]

PS: the "key gen" is openssl   

Ugh!  I hate the convoluted mess that is openssl with a burning passion! It probably took me less time to write C/Python to do the same thing originally, but you can indeed persuade openssl to do your bidding (I had to try just for "fun"). No it actually wasn't that bad as this is a relatively simple task.

I found xxd useful to convert between hex and binary (both ways). And wouldn't be fun without test vectors.

[avkas]

Hello,
Please could you send me the keygen?
Thaks

[pegasu]

Hello,
For an RTB2000 oscilloscope has anyone managed to unlock the options ?

[randolfss]

On the RTB2000 oscilloscopes (and probably most other current R&S equipment) there are device-specific keys programmed into the device at the factory that are used to validate the option keys. If you have your device-specific keys, then generating option keys is easy enough- it's just a few layers of 3DES-CBC encryption with some bit shuffling along with a truncated RIPEMD160 hash. The most straight-forward way to dump your device keys would be through the JTAG interface if you are willing to open your oscilloscope and plug something in to the debug port.

[Neurosurg]

Hi,
I went in possesion one of this exellent scope HMO1002 (HMO1102, BW ihas a code key licence") as a prezent from my Director of Physics Institute where I worked They should do more out of them and buy me although RTO1044... dream)
Comming on planet, this scope is exelent, the smallest in my lab, silent no fans, ultra light. But in the section Software licences) I have only one extended BW up to 100MHz.
Please describe mi in easy way what should I do to get a valid Key-s for other OPTIONS.
Have you seen a keygen for this, i"m not good in IT. But see that a few person unlocked the scope after the mail describing the revers proces engenering.

Thanks a lot,
Michael.

[Neurosurg]

Another quesstion: for mso is obtained to have a ori probe or computer standard connecting tape works fine? Or mayby it can damage the digital chanells wich I don't wanna do ?

[Grubi]

Anyone have success with RTH1004? I bought it fully unlocked with demo license few years ago,
and it still stays like this, becasue was not used too much and clock is still staying few years back.
I guess best possibility is to calculate same demo key for one year (unlocking all features),
and more difficult be to calculate all different licenses. Appreciate if someone try to unlock
and have good or bad results - and share those. I ask R&S few times., but they just want me to pay one more RTH1004...
instead of calculate some decent price for unlocking full potential of the instrument.

[hazzer]

this link might be useful... its describes how to get hex in and out of openSSL
- openSSL isn't that user friendly to a novice ... rem you want the output as a 32bit hex word.....

https://stackoverflow.com/questions/38082644/how-to-generate-the-output-in-hexadecimal-in-openssl

stick with it.... and you will get there ....

H

[paddySparks]

Go raibh maith agat Hazzer & big thanks to everyone else for info 

For those with HMO1202 here are hex offsets
# Offset 02 - HOO10 - Serial trigger
# Offset 07 - HOO11 - serial trigger with CAN and LIN
# Offset 08 - HOO12 - Serial trigger analogue
# Offset 11 - Remove all licences / demo time expired
# Offset 26 - HOO312 - Bandwidth 200 MHz
# Offset 28 - HOO313 - Bandwidth 300 MHz

[tv84]

for info....
serial number 012661039 byte flipped becomes 3092929 which is 2F31C100 in hex

  This is incorrect.

The decimal number 012661039 corresponds to 0x00C1312F in hex representation. The "2F 31 C1 00" is how it is stored in little-endian format.

There is no flipping of decimal numbers and much less 3092929 is the same as 2F31C100 in hex.

All the stuff talked about in this page is sufficient "rocket science" enough for most people, no need to make it harder.

[wappendorf]

Does anyone know if this AES key is valid for HMS1000 Spectrum Analyzer?

What is the feature code for Preamplifier option unlock?

Thank you very much!

[artag]

The HMS-X is a lot like it's predecessors HMS-3000 and HMS-1000 and the AES key is the same used on other products, such as the 'scope. So I'd think there's a good chance it will work. And nobody here has reported bricking anything, just failure to apply incorrect keys.

The options for the HMS-X are

11 - delete all options
12 - invalid option (but maybe does something on an older instrument ?)
13 - EMC options (preamp, 9kHz bandwidth, quasi-peak detector)
14 - Tracking generator
15 - 3GHz bandwidth

I have no way of knowing if these are also applicable to the HMS-1000, though.

[wappendorf]

Hi!

I am trying to make it work on my HMS-1000 and I keep getting error (-23) Invalid input, both reading from the file or manually entering the code.

I use the following algorithm:

• I compose the uncyphered unlock code as 32 bytes byte string: <serial code, little endian 4 bytes> + <feature code, little endian 4 bytes> + <0x00 - 8 bytes>
• I use AES256 cypher to obtain cyphered code
• I write the cyphered code to the file 'SERIAL NUMBER.hlk', prepending with 'KEY:'
  

Is this Ok? I am not using any kind of CRC

Kind regards,
 

[Cold North]

Hi, well, there’s something off… The blocksize of the encryption is 128 bits, yet you say 32 byte ”byte string”.

So just to be clear, you should have 16 binary bytes when you’re done, not 32.

If you check my post above, you’ll find the serial number the, the feature vector and the encrypted key (in the screen shot in the manual).

So check that to make sure that you can get the same results with that data before you try with your own serial number, etc.

[Gert67]

Hi
I'm new to the forum and have the same problem with my HMO1202.

I understood almost everything, but I don't quite understand the encryption? I can't find the "Secret Key" on the pages! I tried an online AES encryption site on the internet.
The secret key with 86BAFE... is too big for 256 bits.

Can someone help me here maybe further. Many thanks in advance.

Regards Gert67

[Cold North]

Hmm, what? There are 64 hex digits, times 4 bits per digit makes 256 bits...

So I'm not sure what the problem is?

[ttssyy]

Steps to do with a HMO1024 oscilloscope via one made-up example:

• The oscilloscope serial number is (DEC): 0123456789
• Convert this to HEX (dashes added for visibility for next step): 07-5B-CD-15
• Swap the order to Little-endian: 15-CD-5B-07
• Add the functionality offset to unlock (xy) - note, do not add extra spaces, these are added here just for visibility: 15CD5B07 xy000000 00000000 00000000
• In this example xy=07 is HOO11 - serial trigger with CAN and LIN: 15CD5B07 07000000 00000000 00000000
• This is how your string should look like (note the lack of spaces between): 15CD5B07070000000000000000000000

As a reminder, from the previous posts, these are the functionalities with their offsets:

# Offset 02 - HOO10 - Serial trigger
# Offset 07 - HOO11 - serial trigger with CAN and LIN
# Offset 08 - HOO12 - Serial trigger analogue
# Offset 11 - Remove all licences / demo time expired

You will need a working Linux (I used Ubuntu 21.10 server) and need to have installed the following programs (should all be already available under ubuntu server):

• openssl
• xxd
• awk

(Update: a standard Ubuntu Desktop v22.04.1 will do the job, without installation (try)  https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started  )
Open up the terminal and type this:

Code: [Select]

echo YOUR_STRING_YOU_CREATED | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd | head -1 | awk '{print "KEY:"$2$3$4$5$6$7$8$9}'
So in our example:

Code: [Select]

echo 15CD5B07070000000000000000000000 | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd | head -1 | awk '{print "KEY:"$2$3$4$5$6$7$8$9}'
The output of the example will be the key what you need, so from the above example:
KEY:fa866d2193d0707d989d77852f961cd4

Copy the output to "SERIALNUMBER.hlk" file (do not replace it with your serial number, leave it SERIALNUMBER literally) and copy that to a USB drive which you insert into the oscilloscope, and install the license file as usual.

[ktgun]

You will need a working Linux (I used Ubuntu 21.10 server) and need to have installed the following programs (should all be already available under ubuntu server):

• openssl
• xxd
• awk

(Update: a standard Ubuntu Desktop v22.04.1 will do the job, without installation (try)  https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started  )
Open up the terminal and type this:

Code: [Select]

echo YOUR_STRING_YOU_CREATED | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd | head -1 | awk '{print "KEY:"$2$3$4$5$6$7$8$9}'
So in our example:

Code: [Select]

echo 15CD5B07070000000000000000000000 | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd | head -1 | awk '{print "KEY:"$2$3$4$5$6$7$8$9}'
The output of the example will be the key what you need, so from the above example:
KEY:fa866d2193d0707d989d77852f961cd4

If there is 'lazy-windows-users' here, like me, here is alternative steps for generate keys from compiled bin's of xxd, openssl and awk in MS Windows:
1) Download 'bin.7z' with libraries from attachment
2) Extract them on your machine
3) Run 'cmd' and go to folder with downloaded bin's. For example

Code: [Select]

cd C:\LIBRARIES\OpenSSL_1_1_1\x32\STATIC\Debug\bin4) Input this string:

Code: [Select]

echo 15CD5B07070000000000000000000000 | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd -l 16 | awk {print$2$3$4$5$6$7$8$9}Note that instead string '15CD5B0707.......' you must input string with your own serial and option number! How to produce it read in post above.
You will see output like this (valid for example above):

Code: [Select]

fa866d2193d0707d989d77852f961cd4Enjoy!

[ktgun]

I understood almost everything, but I don't quite understand the encryption? I can't find the "Secret Key" on the pages! I tried an online AES encryption site on the internet.
The secret key with 86BAFE... is too big for 256 bits.

I think there is some misunderstanding between those things, that wrote on sites with online-AES and key represenation from this thread. 

Secret key '86BAFEC912C42A...' is valid. It consist of 256 bits OR 64 hex signs OR 32 bytes (aka 'octets'). As i understand, online AES-sites means exactly the last one representation, when wrote that key must be 32 signs length. It's only question of representation of key in different forms.

For educational purpose i wrote keygen in Python (v. 3.11) for this HMO, based on example from 'ttssyy's (THX!) post.
You will need to install 'pycryptodome' library to run it, 'binascii' and 'itertools' are standart python libraries.

I tried to comment all significant steps in the code to give the most complete picture of the whole process.

Code: [Select]

from Crypto.Cipher import AES
import binascii
from itertools import chain

#---------------START---------------------------


print('Input your serial number:')
serial_str = list(input()) #input your serial number

#--------MAKE OPTION STRING:START--------
ln = len(serial_str) #length of input serial number
flag = 0 #flag for detecting leading zero in serial
for ch in serial_str:
    if ch[0]== '0':
        flag=1 #leading zero detected
        serial_str=serial_str[1:ln] #deleting leading zero if need
serial_str=int(''.join(serial_str)) #concatenate list in one string
serial_hex = list(f'{serial_str:x}') #serial number to hex represent

if flag == 1:
    serial_hex.insert(0,'0') #inserting leading zero to hex represent if need

#--make Little Endian from Big Endian:START--
LE_serial_list=list(reversed(list(chain(*(x for x in zip(serial_hex[1::2], serial_hex[::2])))))) #make list from our string and than reverse for LE-representation
LE_serial = (''.join(LE_serial_list)) #concatenate list in one string
#--make Little Endian from Big Endian:END--

#--input option offset:START--

print('Option list for HMO1202:')
print('\tOffset 02 - HOO10 - Serial trigger\n',
'\tOffset 07 - HOO11 - serial trigger with CAN and LIN\n',
'\tOffset 08 - HOO12 - Serial trigger analogue\n',
'\tOffset 11 - Remove all licences / demo time expired\n',
'\tOffset 26 - HOO312 - Bandwidth 200 MHz\n',
'\tOffset 28 - HOO313 - Bandwidth 300 MHz\n') #may be different depend of model
print('Input option offset:')
offset = input()
#--input option offset:END--

option_str = LE_serial+offset+'0000000000000000000000' #make result option string

#--------MAKE OPTION STRING:END--------


#--------ENCODE OPTION STRING WITH AES-256 in ECB MODE:START--------

key = '86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE'
key = bytes.fromhex(key) #from 64 hex characters (256-bit) key we make key for AES encode (ECB mode) that consist of 32 bytes (256-bit)

option_str = bytes.fromhex(option_str) #from 32 hex characters (128-bit) message we make message for AES encode that consist of 16 bytes (128-bit)

cipher = AES.new(key, AES.MODE_ECB) # call AES-256 (key lenght is 256 bits(!!!)) cipher protocol in ECB mode (only secret key needed)
option_str_en = cipher.encrypt(option_str) #encrypting result option string

#--------ENCODE OPTION STRING WITH AES-256 in ECB MODE:END--------


#--print results:START--
print("DONE !")
result = (binascii.hexlify(option_str_en)).decode("utf-8") #making from encoded option key regular string to output
print(f'KEY:{result}')
#--print results:END--


#---------------END---------------------------

For example above output string will be:

Code: [Select]

DONE !
KEY:fa866d2193d0707d989d77852f961cd4


[blackdog]

Hi,

Does it make sense to put time into my MHO3004 with the examples indicated here in this topic?
Is my scope basically the same as the ones you indicate and/or have tested?
Below is a picture of the license screen and I would like to turn on bandwidth and segmented memory.



So my interest is in the HOO14 and HOO454 license, is this possible?

Thanks and regards,
Bram

[ktgun]

So my interest is in the HOO14 and HOO454 license, is this possible?

I don't have HMO3004 but i think they have same algo for whole HMO line.
Only question is to know correct offset for option that you need. As i understand range of these offsets is from '01' to '99', but only few of them valid for option key.
You may try offset's for HMO1202 from posts above and if they will be incorrect then try all others.

[tv84]

Anyone has an Hameg with any of these options?

HOO31  Power Analysis  (don't know which device uses it)
HOC154 Multi-Channel   (HMC8015)
HO3011 Preamplifier    (HMS1000, HMS1010, HMS3000, HMS3010)

[PA3BBV]

Hi,

I have an HMS1000 spectrum analyzer with a deactivated preamp. I'm not a programmer and I find most of this topic quite difficult to follow, which is of course due to my lack of knowledge. Is there a software tool available in the meantime to generate the key? Or is it possible that someone generates the file for me? Many thanks in advance for your response.

Regards Leo

[bobdring]

HMO1002

HOO572 offset 1C   50 to 70 MHz
HOO712 offset 1E   70 to 100 MHz

[codepainters]

Hi!

I just came across this excellent thread, looking for some info on my HMO1202. Keygen works like a charm, awesome. Thank you all!

AES-256 key for HMOxxxx .HFU packages:

2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409

However, I failed to decrypt the firmware image (I want to investigate some unrelated topic). My understanding is that this is regular AES-256-ECB mode, so the following should work:

Code: [Select]

openssl enc -aes-256-ecb -nosalt -d -K 2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409 -in HMO1202.HFU -out firmware

Yet I get gibberish this way. Has R&S changed the key at some point? Or there is different key for each model? Anyone tried decrypting last HMO1202 firmware image (it's 05.886 from july 2016, MD5 41c61b37457bbeb96417cd681ba7fe94)?

Parsing of HAMEG_FW_HMO1524_HMO2024_04_531 firmware:

Code: [Select]

00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 0004038C  [00000400-0004078B]
00000006   Section 2 Size: 00490E24  [0004078C-004D15AF]
0000000A  Section 1 CRC16: 93B5    CRC OK
0000000C  Section 2 CRC16: 80A8    CRC OK
0000000E             ????: 0x10130000
0000001E            Model: HMO_A24
0000002E       FW Version: 04.531
0000003E     Release Date: 2015-07-27
0000004E             ????: 16668.14471
0000005E      Compilation: Build 34649 built on 2015-07-27 10:03:31 by MaG? [04.531 - HCL: 02.015 - MesOS: 03.222]


Also wondering how this structure was revealed? Reverse engineering the update procedure?

[codepainters]

However, I failed to decrypt the firmware image (I want to investigate some unrelated topic). My understanding is that this is regular AES-256-ECB mode, so the following should work:

Code: [Select]

openssl enc -aes-256-ecb -nosalt -d -K 2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409 -in HMO1202.HFU -out firmware

Yet I get gibberish this way. Has R&S changed the key at some point? Or there is different key for each model? Anyone tried decrypting last HMO1202 firmware image (it's 05.886 from july 2016, MD5 41c61b37457bbeb96417cd681ba7fe94)?

Forget it. I've just found another post on this forum explaining it's AES-256-CBC with IV of all zeros. Works like a charm 

[tv84]

Also wondering how this structure was revealed? Reverse engineering the update procedure?

Simple structure analysis and a lot of "pasting posters" experience... When completed with "reversing the update procedure" the fields still ?? ?? should disappear.

[codepainters]

Also wondering how this structure was revealed? Reverse engineering the update procedure?

Simple structure analysis and a lot of "pasting posters" experience... When completed with "reversing the update procedure" the fields still ?? ?? should disappear.

I asked, as I occasionally do some reverse engineering myself and I know how time consuming it can be to get to this level of details I assumed most of the details come from disassembling the actual code performing update.

[wofritz]

Modified the script from post 79:

* Fixed serial number conversion (did not work with my serial number). Serial number can now be free format (no leading zeroes needed)
* Enter serial number and option via command line:
-s <serial>
-o <option>
* Only print the KEY: line


This allows direct redirection into a .hlk file.
Example call:
  python makeoptions.py -s 123456789 -o 07 >outfile.hlk

Code: [Select]

from Crypto.Cipher import AES
import binascii
from optparse import OptionParser

#---------------START---------------------------

parser = OptionParser()

parser.add_option("-s", "--serial", dest="serial_str", help="Serial Number", metavar="SERIAL")
parser.add_option("-o", "--option", dest="option_str", help="Option", metavar="OPTION")
parser.add_option("-l", "--list", dest="list_options", help="List Options", metavar="LIST", action = "store_true")

(options, args) = parser.parse_args()


if options.list_options :
    print('Option list for HMO1202:')
    print('\tOffset 02 - HOO10 - Serial trigger\n',
    '\tOffset 07 - HOO11 - serial trigger with CAN and LIN\n',
    '\tOffset 08 - HOO12 - Serial trigger analogue\n',
    '\tOffset 11 - Remove all licences / demo time expired\n',
    '\tOffset 26 - HOO312 - Bandwidth 200 MHz\n',
    '\tOffset 28 - HOO313 - Bandwidth 300 MHz\n') #may be different depend of model
    exit()
   
#--------MAKE OPTION STRING:START--------
# Convert decimal to hex string
serhex="%08x" % int(options.serial_str)
#print("hex = %s" % serhex)
# reverse
LE_serial=""
while serhex != "" :
    LE_serial += serhex[-2:]
    serhex = serhex[:-2]
#print (LE_serial)   
   
#--input option offset:START--


option_str = LE_serial+options.option_str+'0000000000000000000000' #make result option string
#print(option_str)

#--------MAKE OPTION STRING:END--------


#--------ENCODE OPTION STRING WITH AES-256 in ECB MODE:START--------

key = '86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE'
key = bytes.fromhex(key) #from 64 hex characters (256-bit) key we make key for AES encode (ECB mode) that consist of 32 bytes (256-bit)

option_str = bytes.fromhex(option_str) #from 32 hex characters (128-bit) message we make message for AES encode that consist of 16 bytes (128-bit)

cipher = AES.new(key, AES.MODE_ECB) # call AES-256 (key lenght is 256 bits(!!!)) cipher protocol in ECB mode (only secret key needed)
option_str_en = cipher.encrypt(option_str) #encrypting result option string

#--------ENCODE OPTION STRING WITH AES-256 in ECB MODE:END--------


#--print results:START--
#print("DONE !")
result = (binascii.hexlify(option_str_en)).decode("utf-8") #making from encoded option key regular string to output
print(f'KEY:{result}')
#--print results:END--


#---------------END---------------------------


[tv84]

I assumed most of the details come from disassembling the actual code performing update.

No bragging intended but, in this case, there was none. Only trained eyes looking at FW package headers. Something binwalk still doesn't do, but future AI versions will surpass.

[codepainters]

I assumed most of the details come from disassembling the actual code performing update.

No bragging intended but, in this case, there was none. Only trained eyes looking at FW package headers. Something binwalk still doesn't do, but future AI versions will surpass.

I don't perceive it as bragging, your skills are truly impressive! Looking at the file in the hex editor again, I think it's not as complex as I initially assumed, but still... The subsections are where it becomes more messy

Anyway, based on your info I managed to dissect my decrypted firmware file. It seems overall structure is the same with minor differences, e.g. I found no subsection of type 0x22 (was it for i18n? If so, it's inside ELF now).

I've extracted the ELF file and opened it with IDA without issues. Now I need lots and lots of spare time At least no need to learn new CPU architecture (HMO1202 is based on SAMA5D31).

[pawel]

Good morning
I have a problem with the preamplifier license in HMS3010. My serial number is 014266314. I only have one hour left on my license. You can't buy it. I have an old license file. 

In old file  hlk:  licence time 90 hours


#Device: HMS3010
#Serial: 014266314
#Date: 2014-01-05
#Modul0: HO3011 - Preamplifier für HMS

Version: 1

Key0: AA1E23BF88BE93BD3B5EBFC5733294F9

[electr_peter]

@pawel, empty your forum inbox. You cannot receive new messages until you empty you inbox.

[nicnac117]

Certainly works on HMO 1232 .Thanks to the above contributors . Tried it on Windows but could not get keys . Luckily I have Ubuntu2204LTS on a PC . It worked flawlessly on Terminal .

[nicnac117]

I had to enter the keys i generated manually as i couldnt get the scope to see the " serialnumber.hlk" file i made . any ideas? what i did wrong

[pawel]

SUPER MY FRIEND UNLIMITED THANKS ))))

GOOD CODE 57CFD5C6CE752C4FCBFD6D2F017FF155

 electr_peter  is THE BEST FRIEND !

[brezel_neb]

Hi,

anyone has a FW for the hame HMO3522? I only found one that's old (2009), and wayback machine doesn't save downloads from the old hameg site :\

[MichalZ]

Hello.

Good news in my RS HMO3032 those offset works:
# Offset 02 - HOO10 - Serial trigger
# Offset 07 - HOO11 - serial trigger analogue
# Offset 08 - HOO12 - Serial trigger with CAN and LIN

and i found

# Offset 09 - HOO14 - Segmented Memory

also works.

Anyone maybe have found offset for HOO352 Bandwidth 500 MHz??

[tv84]

Anyone maybe have found offset for HOO352 Bandwidth 500 MHz??

0x0D

[MichalZ]

Thank you very much tv84, works great

[electr_peter]

I had to enter the keys i generated manually as i couldnt get the scope to see the " serialnumber.hlk" file i made . any ideas? what i did wrong

There is info on this thread on *.hlk file formating. Have you tried that?

[dannyUK66]

Hi Everyone,

I recently obtained a HMS-X but unfortunately the tracking gen appears to be limited use and it also does not have the 3Ghz Bandwidth option.
 I see reading this thread that some have had success with generating Keys but this is far beyond me. 
Is there anybody that would be wiling to help me as although I have contacted R&S I expect they will advise to buy another but as a hobbyist this is totally unrealistic for a nice to have piece of test gear.


Hope I'm not  lol
Danny