Author Topic: Hameg R&S HMO scope licenses not available anymore  (Read 23463 times)


Offline Gert67

  • Newbie
  • Posts: 1
  • Country: de
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #75 on: October 23, 2022, 04:49:29 pm »
Hi
I'm new to the forum and have the same problem with my HMO1202.

I understood almost everything, but I don't quite understand the encryption? I can't find the "Secret Key" on the pages! I tried an online AES encryption site on the internet.
The secret key with 86BAFE... is too big for 256 bits.

Can someone maybe help me further here? Many thanks in advance.

Regards Gert67
 

Offline Cold North

  • Newbie
  • Posts: 4
  • Country: se
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #76 on: October 24, 2022, 08:21:02 am »
Hmm, what? There are 64 hex digits, times 4 bits per digit makes 256 bits...

So I'm not sure what the problem is?
 

Offline ttssyy

  • Newbie
  • Posts: 2
  • Country: hu
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #77 on: November 26, 2022, 09:56:47 am »
Steps to do with a HMO1024 oscilloscope via one made-up example:
  • The oscilloscope serial number is (DEC): 0123456789
  • Convert this to HEX (dashes added for visibility for next step): 07-5B-CD-15
  • Swap the order to Little-endian: 15-CD-5B-07
  • Add the functionality offset to unlock (xy) - note, do not add extra spaces, these are added here just for visibility: 15CD5B07 xy000000 00000000 00000000
  • In this example xy=07 is HOO11 - serial trigger with CAN and LIN: 15CD5B07 07000000 00000000 00000000
  • This is what your string should look like (note the lack of spaces between): 15CD5B07070000000000000000000000

As a reminder, from the previous posts, these are the functionalities with their offsets:
Quote
# Offset 02 - HOO10 - Serial trigger
# Offset 07 - HOO11 - serial trigger with CAN and LIN
# Offset 08 - HOO12 - Serial trigger analogue
# Offset 11 - Remove all licences / demo time expired

You will need a working Linux (I used Ubuntu 21.10 server) and need to have installed the following programs (should all be already available under ubuntu server):
  • openssl
  • xxd
  • awk
(Update: a standard Ubuntu Desktop v22.04.1 will do the job, without installation (try)  https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started  )
Open up the terminal and type this:
Code: [Select]
echo YOUR_STRING_YOU_CREATED | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd | head -1 | awk '{print "KEY:"$2$3$4$5$6$7$8$9}'
So in our example:
Code: [Select]
echo 15CD5B07070000000000000000000000 | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd | head -1 | awk '{print "KEY:"$2$3$4$5$6$7$8$9}'
The output of the example will be the key you need, so from the above example:
KEY:fa866d2193d0707d989d77852f961cd4

Copy the output to "SERIALNUMBER.hlk" file (do not replace it with your serial number, leave it SERIALNUMBER literally) and copy that to a USB drive which you insert into the oscilloscope, and install the license file as usual.
« Last Edit: November 28, 2022, 08:50:37 am by ttssyy »
 
The following users thanked this post: nicnac117, ps, ktgun

Offline ktgun

  • Contributor
  • Posts: 16
  • Country: ru
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #78 on: January 26, 2023, 01:42:33 pm »
You will need a working Linux (I used Ubuntu 21.10 server) and need to have installed the following programs (should all be already available under ubuntu server):
  • openssl
  • xxd
  • awk
(Update: a standard Ubuntu Desktop v22.04.1 will do the job, without installation (try)  https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started  )
Open up the terminal and type this:
Code: [Select]
echo YOUR_STRING_YOU_CREATED | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd | head -1 | awk '{print "KEY:"$2$3$4$5$6$7$8$9}'
So in our example:
Code: [Select]
echo 15CD5B07070000000000000000000000 | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd | head -1 | awk '{print "KEY:"$2$3$4$5$6$7$8$9}'
The output of the example will be the key you need, so from the above example:
KEY:fa866d2193d0707d989d77852f961cd4
If there are 'lazy Windows users' here, like me, here are alternative steps to generate keys using compiled binaries of xxd, openssl and awk on MS Windows:
1) Download 'bin.7z' with libraries from the attachment
2) Extract them on your machine
3) Run 'cmd' and go to the folder with the downloaded binaries. For example:
Code: [Select]
cd C:\LIBRARIES\OpenSSL_1_1_1\x32\STATIC\Debug\bin
4) Input this string:
Code: [Select]
echo 15CD5B07070000000000000000000000 | xxd -r -p | openssl enc -aes-256-ecb -K 86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE | xxd -l 16 | awk {print$2$3$4$5$6$7$8$9}
Note that instead of the string '15CD5B0707.......' you must input the string with your own serial and option number! How to produce it is described in the post above.
You will see output like this (valid for the example above):
Code: [Select]
fa866d2193d0707d989d77852f961cd4
Enjoy!
« Last Edit: January 27, 2023, 07:15:16 am by ktgun »
 
The following users thanked this post: ps

Offline ktgun

  • Contributor
  • Posts: 16
  • Country: ru
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #79 on: January 27, 2023, 11:11:18 am »
I understood almost everything, but I don't quite understand the encryption? I can't find the "Secret Key" on the pages! I tried an online AES encryption site on the internet.
The secret key with 86BAFE... is too big for 256 bits.
I think there is some misunderstanding between what is written on sites with online AES and the key representation from this thread.

Secret key '86BAFEC912C42A...' is valid. It consists of 256 bits OR 64 hex signs OR 32 bytes (aka 'octets'). As I understand, online AES sites mean exactly the last representation when they write that the key must be 32 signs long. It's only a question of representing the key in different forms.

For educational purposes I wrote a keygen in Python (v. 3.11) for this HMO, based on the example from ttssyy's (THX!) post.
You will need to install the 'pycryptodome' library to run it; 'binascii' and 'itertools' are standard Python libraries.

I tried to comment all significant steps in the code to give the most complete picture of the whole process.
Code: [Select]
from Crypto.Cipher import AES
import binascii
from itertools import chain

#---------------START---------------------------


print('Input your serial number:')
serial_str = list(input()) #input your serial number

#--------MAKE OPTION STRING:START--------
ln = len(serial_str) #length of input serial number
flag = 0 #flag for detecting leading zero in serial
for ch in serial_str:
    if ch[0]== '0':
        flag=1 #leading zero detected
        serial_str=serial_str[1:ln] #deleting leading zero if need
serial_str=int(''.join(serial_str)) #concatenate list in one string
serial_hex = list(f'{serial_str:x}') #serial number to hex represent

if flag == 1:
    serial_hex.insert(0,'0') #inserting leading zero to hex represent if need

#--make Little Endian from Big Endian:START--
LE_serial_list=list(reversed(list(chain(*(x for x in zip(serial_hex[1::2], serial_hex[::2])))))) #make list from our string and then reverse for LE-representation
LE_serial = (''.join(LE_serial_list)) #concatenate list in one string
#--make Little Endian from Big Endian:END--

#--input option offset:START--

print('Option list for HMO1202:')
print('\tOffset 02 - HOO10 - Serial trigger\n',
'\tOffset 07 - HOO11 - serial trigger with CAN and LIN\n',
'\tOffset 08 - HOO12 - Serial trigger analogue\n',
'\tOffset 11 - Remove all licences / demo time expired\n',
'\tOffset 26 - HOO312 - Bandwidth 200 MHz\n',
'\tOffset 28 - HOO313 - Bandwidth 300 MHz\n') #may be different depend of model
print('Input option offset:')
offset = input()
#--input option offset:END--

option_str = LE_serial+offset+'0000000000000000000000' #make result option string

#--------MAKE OPTION STRING:END--------


#--------ENCODE OPTION STRING WITH AES-256 in ECB MODE:START--------

key = '86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE'
key = bytes.fromhex(key) #from 64 hex characters (256-bit) key we make key for AES encode (ECB mode) that consist of 32 bytes (256-bit)

option_str = bytes.fromhex(option_str) #from 32 hex characters (128-bit) message we make message for AES encode that consist of 16 bytes (128-bit)

cipher = AES.new(key, AES.MODE_ECB) # call AES-256 (key length is 256 bits(!!!)) cipher protocol in ECB mode (only secret key needed)
option_str_en = cipher.encrypt(option_str) #encrypting result option string

#--------ENCODE OPTION STRING WITH AES-256 in ECB MODE:END--------


#--print results:START--
print("DONE !")
result = (binascii.hexlify(option_str_en)).decode("utf-8") #making from encoded option key regular string to output
print(f'KEY:{result}')
#--print results:END--


#---------------END---------------------------

For example above output string will be:

Code: [Select]
DONE !
KEY:fa866d2193d0707d989d77852f961cd4
« Last Edit: January 29, 2023, 07:42:53 pm by ktgun »
 
The following users thanked this post: ps, wofritz

Offline blackdog

  • Frequent Contributor
  • **
  • Posts: 739
  • Country: nl
  • Please stop pushing bullshit...
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #80 on: January 27, 2023, 11:58:26 am »
Hi,

Does it make sense to put time into my HMO3004 with the examples indicated here in this topic?
Is my scope basically the same as the ones you indicate and/or have tested?
Below is a picture of the license screen and I would like to turn on bandwidth and segmented memory.



So my interest is in the HOO14 and HOO454 license, is this possible?

Thanks and regards,
Bram
Necessity is not an established fact, but an interpretation.
 

Offline ktgun

  • Contributor
  • Posts: 16
  • Country: ru
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #81 on: January 27, 2023, 12:17:54 pm »

So my interest is in the HOO14 and HOO454 license, is this possible?

I don't have an HMO3004 but I think they have the same algo for the whole HMO line.
The only question is to know the correct offset for the option that you need. As I understand, the range of these offsets is from '01' to '99', but only a few of them are valid for an option key.
You may try the offsets for HMO1202 from the posts above and if they are incorrect then try all the others.

« Last Edit: January 27, 2023, 08:33:43 pm by ktgun »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3218
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #82 on: January 28, 2023, 07:41:45 pm »
Does anyone have a Hameg with any of these options?

HOO31  Power Analysis  (don't know which device uses it)
HOC154 Multi-Channel   (HMC8015)
HO3011 Preamplifier    (HMS1000, HMS1010, HMS3000, HMS3010)
« Last Edit: March 16, 2023, 08:25:38 pm by tv84 »
 

Offline PA3BBV

  • Newbie
  • Posts: 9
  • Country: nl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #83 on: March 14, 2023, 11:16:16 pm »
Hi,

I have an HMS1000 spectrum analyzer with a deactivated preamp. I'm not a programmer and I find most of this topic quite difficult to follow, which is of course due to my lack of knowledge. Is there a software tool available in the meantime to generate the key? Or is it possible that someone generates the file for me? Many thanks in advance for your response.

Regards Leo
 

Offline bobdring

  • Contributor
  • Posts: 31
  • Country: au
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #84 on: May 11, 2023, 05:38:58 am »
HMO1002

HOO572 offset 1C   50 to 70 MHz
HOO712 offset 1E   70 to 100 MHz


 

Offline codepainters

  • Newbie
  • Posts: 4
  • Country: pl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #85 on: October 13, 2023, 06:23:01 am »
Hi!

I just came across this excellent thread, looking for some info on my HMO1202. Keygen works like a charm, awesome. Thank you all!

AES-256 key for HMOxxxx .HFU packages:

2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409

However, I failed to decrypt the firmware image (I want to investigate some unrelated topic). My understanding is that this is regular AES-256-ECB mode, so the following should work:
Code: [Select]
openssl enc -aes-256-ecb -nosalt -d -K 2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409 -in HMO1202.HFU -out firmware

Yet I get gibberish this way. Has R&S changed the key at some point? Or is there a different key for each model? Has anyone tried decrypting the last HMO1202 firmware image (it's 05.886 from July 2016, MD5 41c61b37457bbeb96417cd681ba7fe94)?

Parsing of HAMEG_FW_HMO1524_HMO2024_04_531 firmware:
Code: [Select]
00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 0004038C  [00000400-0004078B]
00000006   Section 2 Size: 00490E24  [0004078C-004D15AF]
0000000A  Section 1 CRC16: 93B5    CRC OK
0000000C  Section 2 CRC16: 80A8    CRC OK
0000000E             ????: 0x10130000
0000001E            Model: HMO_A24
0000002E       FW Version: 04.531
0000003E     Release Date: 2015-07-27
0000004E             ????: 16668.14471
0000005E      Compilation: Build 34649 built on 2015-07-27 10:03:31 by MaG? [04.531 - HCL: 02.015 - MesOS: 03.222]

Also wondering how this structure was revealed? Reverse engineering the update procedure?

« Last Edit: October 13, 2023, 06:36:32 am by codepainters »
 

Offline codepainters

  • Newbie
  • Posts: 4
  • Country: pl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #86 on: October 13, 2023, 06:58:27 am »
However, I failed to decrypt the firmware image (I want to investigate some unrelated topic). My understanding is that this is regular AES-256-ECB mode, so the following should work:
Code: [Select]
openssl enc -aes-256-ecb -nosalt -d -K 2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409 -in HMO1202.HFU -out firmware

Yet I get gibberish this way. Has R&S changed the key at some point? Or is there a different key for each model? Has anyone tried decrypting the last HMO1202 firmware image (it's 05.886 from July 2016, MD5 41c61b37457bbeb96417cd681ba7fe94)?

Forget it. I've just found another post on this forum explaining it's AES-256-CBC with IV of all zeros. Works like a charm  ;D
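
Why ECB decryption of a CBC-encrypted file with an all-zero IV yields mostly gibberish, as an added example that is not part of the original posts: only the first 16-byte block comes out right, and XORing every later block with the preceding ciphertext block recovers the rest. A small Feistel stand-in replaces AES so the script needs only the standard library (the chaining relation does not depend on the block cipher); the keys, IV and data are constructed.

```python
import hashlib

BLOCK = 16  # same block size as AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Stand-in round function (assumption for this example, not AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def enc_block(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, xor(left, round_fn(key, rnd, right))
    return left + right


def dec_block(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_fn(key, rnd, left)), left
    return left + right


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for blk in blocks(pt):
        prev = enc_block(key, xor(blk, prev))  # C_i = E(P_i xor C_(i-1))
        out.append(prev)
    return b"".join(out)


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(dec_block(key, blk) for blk in blocks(ct))


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # P_i = D(C_i) xor C_(i-1), where the block before the first one is the IV.
    return xor(ecb_decrypt(key, ct), iv + ct[:-BLOCK])


def matching_blocks(a: bytes, b: bytes) -> list:
    """Indices of the 16-byte blocks that are identical in a and b."""
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x == y]


# Constructed sample values (not taken from any real firmware image).
KEY = bytes(range(32))
WRONG_KEY = bytes(32)
ZERO_IV = bytes(BLOCK)
PLAINTEXT = (b"CONSTRUCTED-HDR " + b"section one data"
             + b"section two data" + b"trailing padding")
CIPHERTEXT = cbc_encrypt(KEY, ZERO_IV, PLAINTEXT)
WRONG_MODE = ecb_decrypt(KEY, CIPHERTEXT)

if __name__ == "__main__":
    print("right key, ECB instead of CBC:", matching_blocks(WRONG_MODE, PLAINTEXT))
    print("wrong key:", matching_blocks(ecb_decrypt(WRONG_KEY, CIPHERTEXT), PLAINTEXT))
    print("CBC with zero IV:", cbc_decrypt(KEY, ZERO_IV, CIPHERTEXT) == PLAINTEXT)
```

A readable first block followed by noise therefore points at the chaining mode rather than at the key.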
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3218
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #87 on: October 13, 2023, 10:12:40 am »
Also wondering how this structure was revealed? Reverse engineering the update procedure?

Simple structure analysis and a lot of "pasting posters" experience... When completed with "reversing the update procedure" the fields still ?? ?? should disappear.
 

Offline codepainters

  • Newbie
  • Posts: 4
  • Country: pl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #88 on: October 13, 2023, 11:11:37 am »
Also wondering how this structure was revealed? Reverse engineering the update procedure?

Simple structure analysis and a lot of "pasting posters" experience... When completed with "reversing the update procedure" the fields still ?? ?? should disappear.

I asked, as I occasionally do some reverse engineering myself and I know how time consuming it can be to get to this level of details :) I assumed most of the details come from disassembling the actual code performing update.
 

Offline wofritz

  • Contributor
  • Posts: 30
  • Country: de
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #89 on: October 13, 2023, 12:04:29 pm »
Modified the script from post 79:

* Fixed serial number conversion (did not work with my serial number). Serial number can now be free format (no leading zeroes needed)
* Enter serial number and option via command line:
-s <serial>
-o <option>
* Only print the KEY: line


This allows direct redirection into a .hlk file.
Example call:
  python makeoptions.py -s 123456789 -o 07 >outfile.hlk
Code: [Select]
from Crypto.Cipher import AES
import binascii
from optparse import OptionParser

#---------------START---------------------------

parser = OptionParser()

parser.add_option("-s", "--serial", dest="serial_str", help="Serial Number", metavar="SERIAL")
parser.add_option("-o", "--option", dest="option_str", help="Option", metavar="OPTION")
parser.add_option("-l", "--list", dest="list_options", help="List Options", metavar="LIST", action = "store_true")

(options, args) = parser.parse_args()


if options.list_options :
    print('Option list for HMO1202:')
    print('\tOffset 02 - HOO10 - Serial trigger\n',
    '\tOffset 07 - HOO11 - serial trigger with CAN and LIN\n',
    '\tOffset 08 - HOO12 - Serial trigger analogue\n',
    '\tOffset 11 - Remove all licences / demo time expired\n',
    '\tOffset 26 - HOO312 - Bandwidth 200 MHz\n',
    '\tOffset 28 - HOO313 - Bandwidth 300 MHz\n') #may be different depend of model
    exit()
   
#--------MAKE OPTION STRING:START--------
# Convert decimal to hex string
serhex="%08x" % int(options.serial_str)
#print("hex = %s" % serhex)
# reverse
LE_serial=""
while serhex != "" :
    LE_serial += serhex[-2:]
    serhex = serhex[:-2]
#print (LE_serial)   
   
#--input option offset:START--


option_str = LE_serial+options.option_str+'0000000000000000000000' #make result option string
#print(option_str)

#--------MAKE OPTION STRING:END--------


#--------ENCODE OPTION STRING WITH AES-256 in ECB MODE:START--------

key = '86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE'
key = bytes.fromhex(key) #from 64 hex characters (256-bit) key we make key for AES encode (ECB mode) that consist of 32 bytes (256-bit)

option_str = bytes.fromhex(option_str) #from 32 hex characters (128-bit) message we make message for AES encode that consist of 16 bytes (128-bit)

cipher = AES.new(key, AES.MODE_ECB) # call AES-256 (key length is 256 bits(!!!)) cipher protocol in ECB mode (only secret key needed)
option_str_en = cipher.encrypt(option_str) #encrypting result option string

#--------ENCODE OPTION STRING WITH AES-256 in ECB MODE:END--------


#--print results:START--
#print("DONE !")
result = (binascii.hexlify(option_str_en)).decode("utf-8") #making from encoded option key regular string to output
print(f'KEY:{result}')
#--print results:END--


#---------------END---------------------------
 
The following users thanked this post: ps, bobdring, OH2LIY, ktgun

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3218
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #90 on: October 13, 2023, 12:12:55 pm »
I assumed most of the details come from disassembling the actual code performing update.

No bragging intended but, in this case, there was none. Only trained eyes looking at FW package headers. Something binwalk still doesn't do, but future AI versions will surpass.
 

Offline codepainters

  • Newbie
  • Posts: 4
  • Country: pl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #91 on: October 13, 2023, 04:50:19 pm »
I assumed most of the details come from disassembling the actual code performing update.

No bragging intended but, in this case, there was none. Only trained eyes looking at FW package headers. Something binwalk still doesn't do, but future AI versions will surpass.

I don't perceive it as bragging, your skills are truly impressive! Looking at the file in the hex editor again, I think it's not as complex as I initially assumed, but still... The subsections are where it becomes more messy :)

Anyway, based on your info I managed to dissect my decrypted firmware file. It seems overall structure is the same with minor differences, e.g. I found no subsection of type 0x22 (was it for i18n? If so, it's inside ELF now).

I've extracted the ELF file and opened it with IDA without issues. Now I need lots and lots of spare time :D At least no need to learn new CPU architecture (HMO1202 is based on SAMA5D31).
 
The following users thanked this post: tv84

Offline pawel

  • Newbie
  • Posts: 2
  • Country: pl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #92 on: February 13, 2024, 05:54:46 pm »
Good morning
I have a problem with the preamplifier license in HMS3010. My serial number is 014266314. I only have one hour left on my license. You can't buy it. I have an old license file. 

In old file  hlk:  licence time 90 hours


#Device: HMS3010
#Serial: 014266314
#Date: 2014-01-05
#Modul0: HO3011 - Preamplifier für HMS

Version: 1

Key0: AA1E23BF88BE93BD3B5EBFC5733294F9

« Last Edit: February 13, 2024, 06:01:02 pm by pawel »
 

Offline electr_peter

  • Supporter
  • ****
  • Posts: 1302
  • Country: lt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #93 on: February 19, 2024, 06:03:21 pm »
@pawel, empty your forum inbox. You cannot receive new messages until you empty your inbox.
 

Offline nicnac117

  • Contributor
  • Posts: 20
  • Country: gb
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #94 on: February 19, 2024, 07:47:18 pm »
Certainly works on HMO 1232. Thanks to the above contributors. Tried it on Windows but could not get keys. Luckily I have Ubuntu2204LTS on a PC. It worked flawlessly on Terminal.
 

Offline nicnac117

  • Contributor
  • Posts: 20
  • Country: gb
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #95 on: February 20, 2024, 01:57:53 pm »
I had to enter the keys I generated manually as I couldn't get the scope to see the "serialnumber.hlk" file I made. Any ideas what I did wrong?
 

Offline pawel

  • Newbie
  • Posts: 2
  • Country: pl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #96 on: February 20, 2024, 07:01:51 pm »
SUPER MY FRIEND UNLIMITED THANKS :)))))

GOOD CODE 57CFD5C6CE752C4FCBFD6D2F017FF155

 electr_peter  is THE BEST FRIEND !
« Last Edit: February 20, 2024, 07:06:49 pm by pawel »
 

Offline brezel_neb

  • Newbie
  • Posts: 1
  • Country: de
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #97 on: March 01, 2024, 03:56:51 pm »
Hi,

Does anyone have a FW for the Hameg HMO3522? I only found one that's old (2009), and the Wayback Machine doesn't save downloads from the old Hameg site :\
 

Offline MichalZ

  • Contributor
  • Posts: 23
  • Country: pl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #98 on: March 02, 2024, 09:39:18 pm »
Hello.

Good news: in my RS HMO3032 these offsets work:
# Offset 02 - HOO10 - Serial trigger
# Offset 07 - HOO11 - serial trigger analogue
# Offset 08 - HOO12 - Serial trigger with CAN and LIN

and I found

# Offset 09 - HOO14 - Segmented Memory

also works.

Anyone maybe have found offset for HOO352 Bandwidth 500 MHz??
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3218
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #99 on: March 02, 2024, 09:56:42 pm »
Anyone maybe have found offset for HOO352 Bandwidth 500 MHz??

0x0D
 

