MDO3000 hacking

kilohercas:
Today is a good day, I got my MDO3104 oscilloscope with AFG, SA, and MSO options. Based on my experience with the MSO2000, I thought that the MDO3000 would use a simple 24C04 EEPROM. But this assumption was so wrong.

So the first step was to take my hacked DPO2EMBD module and write MDO3EMBD code to it. And what do you know, the MDO3000 will recognize that I have the option installed, but I can't move my license to the scope so that I could apply another one. That was very strange. Since I have original MDO3000x series app modules, I simply disassembled one, and was expecting a simple EEPROM, but no! It has a very strange Tek part number. I was trying to read it with an STM32F429, but it was unresponsive (a 24C04 will have address 0xA0).

Next step, I soldered wires to SDA, SCL, and ground, so I could probe while the MDO3104 checks the EEPROM. And what do you know, the address is 0x8C. I googled it, and it is a very fancy protected EEPROM from Atmel, with advanced security options :-(

* Secure authentication and validation device
* Integrated capability for both Host and Client operations
* Superior SHA-256 Hash algorithm with Message Authentication Code (MAC) and Hash-Based Message Authentication Code (HMAC) options
* Best-in-class, 256-bit key length; storage for up to 16 keys
* Guaranteed unique 72-bit serial number
* Internal, high-quality Random Number Generator (RNG)
* 4.5Kb EEPROM for keys and data
* 512 OTP (One Time Programmable) bits for fixed information
* Multiple I/O options
* High-Speed, Single-Wire Interface
* 1MHz I2C interface

Part number: ATSHA204

abyrvalg:
A quick look into MDO3k firmware update package (outer .img is Linux EXT3 image file - use any EXT3 tool, inner filesystem.img file is SquashFS image - use 7-zip) reveals many interesting things: /usr_1/local/bin/scopeApp.imx6 is an unstripped ELF executable (all debug info like functions/vars names is there), there are functions like cmdSet_Cfg_fixedLicenseKey, there are some AES keys used to decrypt those LicenseKeys  ;)
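
A release-side check for the condition described in the post above (an ELF executable shipped in a firmware image with its symbol table and debug sections still present), as an added example that is not part of the thread or of any vendor's tooling. The function names and the sample image are constructed for illustration; the parser goes slightly beyond the 32-bit ARM case and also reads ELF64 headers.

```python
import struct

SHT_SYMTAB = 2  # full symbol table, the section `strip` removes

def sections(elf):
    """Return [(name, sh_type)] for every section header in an ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if elf[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    if elf[4] == 1:                              # EI_CLASS: 1 = ELF32
        shoff, = struct.unpack_from(end + "I", elf, 0x20)
        counts_at, off_fmt, off_at = 0x2E, "I", 16
    else:                                        # ELF64
        shoff, = struct.unpack_from(end + "Q", elf, 0x28)
        counts_at, off_fmt, off_at = 0x3A, "Q", 24
    entsize, num, strndx = struct.unpack_from(end + "HHH", elf, counts_at)
    if num == 0 or strndx >= num:
        return []                                # no section headers or no name table
    base = shoff + strndx * entsize
    str_off, = struct.unpack_from(end + off_fmt, elf, base + off_at)
    out = []
    for i in range(num):
        name, typ = struct.unpack_from(end + "II", elf, shoff + i * entsize)
        start = str_off + name
        out.append((elf[start:elf.index(b"\0", start)].decode(), typ))
    return out

def strip_leftovers(elf):
    """Names of sections a stripped release binary should not contain."""
    return [n for n, t in sections(elf) if t == SHT_SYMTAB or n.startswith(".debug_")]

def sample_elf(names):
    """Constructed ELF32/ARM image holding only section headers (not a real binary)."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names) + b".shstrtab\0"
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 40, 1, 0, 0,
                       52 + len(strtab), 0, 52, 0, 0, 40, len(names) + 2, len(names) + 1)
    shdrs, pos = [bytes(40)], 1                  # index 0 is the mandatory null section
    for n in names:
        shdrs.append(struct.pack("<10I", pos, 2 if n == ".symtab" else 1, *[0] * 8))
        pos += len(n) + 1
    shdrs.append(struct.pack("<10I", pos, 3, 0, 0, 52, len(strtab), 0, 0, 0, 0))
    return ehdr + strtab + b"".join(shdrs)

if __name__ == "__main__":
    print(strip_leftovers(sample_elf([".text", ".symtab", ".debug_info"])))
```

Run over every executable in a firmware image before release, a non-empty result means function and variable names are still recoverable from the shipped binary.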

kilohercas:

--- Quote from: abyrvalg on July 22, 2014, 09:08:45 pm ---A quick look into MDO3k firmware update package (outer .img is Linux EXT3 image file - use any EXT3 tool, inner filesystem.img file is SquashFS image - use 7-zip) reveals many interesting things: /usr_1/local/bin/scopeApp.imx6 is an unstripped ELF executable (all debug info like functions/vars names is there), there are functions like cmdSet_Cfg_fixedLicenseKey, there are some AES keys used to decrypt those LicenseKeys  ;)

--- End quote ---
I am no Windows or Linux programmer, I don't know any of this stuff :(

tinhead:

--- Quote from: abyrvalg on July 22, 2014, 09:08:45 pm ---A quick look into MDO3k firmware update package

--- End quote ---

Actually they are all (DPO/MSO 2000,3000,4000 x/B, GPIB-USB, more?) Linux based; sure, different µC and FPGAs (if any), but the executables are always with debug information and the fw contains a lot of "tools".

mikeselectricstuff:
Just because a chip has a load of security features, it doesn't necessarily mean they're all used, or used effectively - it's always worth a closer look....
