Reasons for hacking DSOs

[nctnico]

They probably hire more or less staff and order more or less food depending on whether first class is nearly full or nearly empty so again the airplane analogy doesn't really fit well.

Well obviously you don't get the extra attention, free first class food, etc.

It will still be extra hassle for the flight attendants to figure out who gets economy food and who gets the first class food (including porcelain plates, real dinnerware, etc). So either way it is going to cost the airline extra if they fill those chairs with economy class passengers.

[Fungus]

They probably hire more or less staff and order more or less food depending on whether first class is nearly full or nearly empty so again the airplane analogy doesn't really fit well.

Well obviously you don't get the extra attention, free first class food, etc.

It will still be extra hassle for the flight attendants to figure out who gets economy food and who gets the first class food (including porcelain plates, real dinnerware, etc). So either way it is going to cost the airline extra if they fill those chairs with economy class passengers.

For the sake of argument: Let's make it a condition that they wear a bunny suit so the attendants know who the cattle-class passengers are and to make sure they don't dirty the nice leather seats, OK?

Point is: Stop avoiding the point by nitpicking the details.

People in aircraft have no expectation of being allowed to sit up front if the seats are empty. None. Zero. It doesn't even cross their minds that they might be allowed to because they instinctively feel they don't have that right. THAT's the point being made.

Contrast that with the people who say they're being wronged by Rigol selling them an oscilloscope with a couple of features disabled ('wronged' was the actual word used if you're new to the thread).

Why the dissonance? Where on earth does that come from.

[SeanB]

I have been bumped up to first class once on a flight, was travelling standby, and economy was full, so they started doing upgraded standby and by the time I got to the front of the line they were full in business so I got a free first class upgrade at business rate. Real cutlery (not plastic anywhere), real ceramic plates, glassware and a decent enough wine with the meal, which was superlative.

Funny thing about airlines is that they tend to take a full set of meals for first class, irrespective of the number of passengers travelling first class, as they always might sell those seats just before the gate closes, or bump standby up to first class if coach or business is oversubscribed.

Of course these days there is no more first class, just cattle class and slightly less cattle class, unless you travel on some top branded airlines.

[Fungus]

I have been bumped up to first class once on a flight

Me too.

Funny thing about airlines is that they tend to take a full set of meals for first class, irrespective of the number of passengers travelling first class, as they always might sell those seats just before the gate closes

Makes sense (sorta).

First class also has a menu to choose from so they don't know what people will pick. They'll have to take at a few extra of each menu along in case everybody chooses the same thing.

[kcbrown]

A manufacturer who is concerned about the kind of unlocking that we're primarily discussing here can easily implement a system that would make it impossible for the end user to determine what key he should enter into the scope to unlock a feature.  The manufacturer need only cryptographically sign with its private key a packet that contains both the feature descriptor and the scope's serial number, generating a blob that contains the signature and the feature descriptor.  Uploading the resulting blob to the scope would cause the scope to store the blob in its database.  The bootloader would have on file the public key of the manufacturer.  When the scope boots, the bootloader would go through the signed blobs and activate the features for which it is able to cryptographically verify the signature.

You make it sound really easy but the system you describe above would be prone to a patch (or a clone?) based attack.

Not if the entirety of the firmware (save for the basic bootstrapper, which, if the manufacturer was determined to prevent what we're talking about, could be cryptographically signed and its contents verified and enforced in hardware) is also encrypted with the same private key as the individual features.  Attacking that would require a violation of copyright law, because the manufacturer could claim copyright on the public key.

Again, this isn't hard.  Indeed, even the hardware cryptographic verification bit I referred to (which isn't strictly necessary to prevent someone from legally hacking the scope in such a way that they can use the vendor-provided firmware in an unencumbered manner) is something that is widely available and inexpensive (one of the Atmel chips that does this, the AT97SC3205T, is about $3 from Mouser in quantity).


I must stress again: what people are doing when they "hack" a Rigol scope is not illegal!   If the manufacturer aims to prevent illegal manipulation of their firmware (which, here, means copying the firmware or parts of it), or use of firmware acquired through illegal means, then they must take steps over and beyond those that would be required to prevent certain types of legal manipulation.

[kcbrown]

Perhaps but if you hack your scope nobody is going to say anything about it so that makes it a lot more OK than barging into first class on an airplane after which the flight attendant (and perhaps some security guy) will put you in your place.

This is the point: People choose different standards of right/wrong when it comes to oscilloscopes, copying music, etc.

They do things that they wouldn't do in other circumstances and justify it to themselves as "harmless, I wasn't going to buy it anyway".

Sitting in first class is harmless to the airline, you were never going to pay for a first class ticket, the seats are unoccupied ... so why is nobody here arguing that they are entitled to sit there or that the airline is wronging passengers by leaving the seats empty? Interesting psychology, n'est pas? 

Because the airline owns the seat, not the passenger.  This means the airline gets to dictate what happens with the seat, not the passenger.

The person who bought the oscilloscope owns the copy of the software that's running on his device, as well as the device itself.  Copyright law restricts the ability of that person to lawfully copy the software, but the person nevertheless owns the copy of the software that exists in his oscilloscope.  It is his to do with as he pleases, provided he doesn't violate copyright law (or any other law for that matter) in the process.

[G0HZU]

Not if the entirety of the firmware (save for the basic bootstrapper, which, if the manufacturer was determined to prevent what we're talking about, could be cryptographically signed its contents verified and enforced in hardware) is also encrypted with the same private key as the individual features.  Attacking that would require a violation of copyright law, because the manufacturer could claim copyright on the public key.

I agree you can make things a lot harder, but you also have to factor in that the supplier needs to introduce a lot of versatility into the system allowing stuff like time trials, licence transfer etc etc. This would not be so simple to develop and manage so a common solution is to approach a third party company that specialise in this stuff and let them 'protect' the system using their own licensing system. That's where the problems start because it becomes much harder to keep it all secure.

I'm getting old and very rusty on stuff like this but in the past I've successfully attacked systems (these were not TEqpt systems) that came in an encrypted shell or wrapper  that could also detect debugging and could self check itself and the protected code for signs of tampering.

A lot depends on how accessible the system is in terms of debug tools and if it runs a bloated OS. I've had success in some extreme cases by writing programs that run alongside the main app and the little side program can search and wait for vulnerable (or anti tamper) code in system RAM and modify or dump it to a file. At some point it has to decrypt and store and run the application code. So an attacker can exploit this and dump out code and analyse it. I'm getting too old and slow to do this stuff now and the VNA was the first thing I've looked at in quite a while. So I think I'm more pleased that I still managed to hack it than I am with the options I unlocked!. I'm unlikely to do much with the time domain option in my VNA other than learn how to use it. I'll probably never use the other option I unlocked

[Zero999]

Perhaps but if you hack your scope nobody is going to say anything about it so that makes it a lot more OK than barging into first class on an airplane after which the flight attendant (and perhaps some security guy) will put you in your place.

This is the point: People choose different standards of right/wrong when it comes to oscilloscopes, copying music, etc.

They do things that they wouldn't do in other circumstances and justify it to themselves as "harmless, I wasn't going to buy it anyway".

Sitting in first class is harmless to the airline, you were never going to pay for a first class ticket, the seats are unoccupied ... so why is nobody here arguing that they are entitled to sit there or that the airline is wronging passengers by leaving the seats empty? Interesting psychology, n'est pas? 

Because the airline owns the seat, not the passenger.  This means the airline gets to dictate what happens with the seat, not the passenger.

The person who bought the oscilloscope owns the copy of the software that's running on his device, as well as the device itself.  Copyright law restricts the ability of that person to lawfully copy the software, but the person nevertheless owns the copy of the software that exists in his oscilloscope.  It is his to do with as he pleases, provided he doesn't violate copyright law (or any other law for that matter) in the process.

Yes, I agree. The airline owns the seat and the passenger rents it.

When one buys an oscilloscope, they own it and are free to do anything they like with it.

No one is nitpicking. Comparing this with travelling on an airline, is as silly as saying driving a car and travelling on the bus are the same.

If the manufacture wants you to not hack your oscilloscope. They need to make you sign a contract with them, agreeing you won't hack it, before you buy it. Even then, the contract may not be legally binding in some jurisdictions, especially if the customer is a private individual, rather than a business, as the laws often differ between the two.

The kind of hacking that some refer to here (decrypting the code in the ROMs, for instance) is illegal per copyright law, as that does involve making copies.

Are you sure that would violate copyright law?

I don't know about the US but in most jurisdictions, copying copyrighted material is allowed for back up and archival purposes, so as long as the code you've ripped of your device is not transferred to a third party or used simlutaniously on another device i.e. it just sits on your hard drive, then it should be allowed.

[kcbrown]

The kind of hacking that some refer to here (decrypting the code in the ROMs, for instance) is illegal per copyright law, as that does involve making copies.

Are you sure that would violate copyright law?

It would have to be a specific exemption in the law for it to not be a violation of it.  Copyright forbids all unauthorized copies, with specific exceptions (such as the one I pointed out that exempts the copying required for normal operation of a computer).

I don't know about the US but in most jurisdictions, copying copyrighted material is allowed for back up and archival purposes, so as long as the code you've ripped of your device is not transferred to a third party or used simlutaniously on another device i.e. it just sits on your hard drive, then it should be allowed.

I believe the U.S. doesn't have that kind of exemption, else allowances for archival purposes wouldn't be needed in license agreements and thus wouldn't be present within them.

In any case, while making a copy of the software strictly for archival purposes might be allowed by copyright law, modification of the copy and then transference of the modified copy back to the machine would not be allowed by it, as the end result would be a "derivative work".

[kcbrown]

Not if the entirety of the firmware (save for the basic bootstrapper, which, if the manufacturer was determined to prevent what we're talking about, could be cryptographically signed its contents verified and enforced in hardware) is also encrypted with the same private key as the individual features.  Attacking that would require a violation of copyright law, because the manufacturer could claim copyright on the public key.

I agree you can make things a lot harder, but you also have to factor in that the supplier needs to introduce a lot of versatility into the system allowing stuff like time trials, licence transfer etc etc. This would not be so simple to develop and manage so a common solution is to approach a third party company that specialise in this stuff and let them 'protect' the system using their own licensing system. That's where the problems start because it becomes much harder to keep it all secure.

Those things are important for general purpose computer systems, of course, but aside from time trials, really aren't terribly relevant for special purpose devices such as oscilloscopes.

Implementation of time trials in the framework I described would be trivial: the various attributes of the time trial could be encoded along with the serial number and feature name, and included in the packet that is cryptographically signed.

I'm getting old and very rusty on stuff like this but in the past I've successfully attacked systems (these were not TEqpt systems) that came in an encrypted shell or wrapper  that could also detect debugging and could self check itself and the protected code for signs of tampering.

Tampering, reverse engineering, etc., is becoming much more difficult with the advent of "system on a chip" technology.  An architecture that is nearly tamperproof is quite trivial with such a system: you store the bootloader and decryption key in PROM inside the SOC (note: not EPROM!  It has to be write-once), and the bootloader can load the encrypted code from flash into the SOC's RAM for execution.  As long as the decryption key remains undiscovered, the entire system is essentially hack-proof, since hacking would then require that one gain access to the chip's internals -- a step that only the most well-heeled organizations might be able to pull off.

Of course, if the decryption key is discovered, it could be used to decrypt the firmware.  But even that doesn't help you if the decryption key is half of an asymmetric key pair, because you'd need the other half in order to encrypt a modified version of the firmware for execution in the SOC.


You'd have to replace the SOC itself with your own in order to go any further with the above.  At that point, you've probably hit the point of diminishing returns.  A company that is selling the device will, of course, be much more concerned about someone learning the techniques they used in their code, but that's what patents are for.  And someone who considers such examination of the code to be "wrong" had better think carefully about whether their stance is consistent with their stance on reverse engineering, since they're really the same thing.


In the end, everything depends on just how concerned the manufacturer is about these things.  The system I described above easily takes care of all but the most determined hackers.  The more determined a hacker is, the smaller his impact will be on the marketplace, as long as he is unable to share his hacks with others in such a way as to make them easy to deploy.  Replacing the SOC with one that someone has programmed their own bootloader into is a relatively involved thing, something that most people here wouldn't bother with.


In any case, the real point of all of this is that a manufacturer that is concerned about people "hacking" their products so as to enable features that are otherwise disabled is easily capable of preventing that.  It's not like we're talking about some technologically ignorant company here, we're talking about a company that does hardware and software design as its business.  It will deploy the kind of measures I'm talking about if it really wants to prevent its customers from easily enabling features.  Otherwise, it will do as Rigol has done: make it relatively easy to "hack" the product to enable features, but difficult enough to maintain the illusion that someone who buys a higher end model of the line is getting something for their money (in reality, they are getting something for their money: support, such as it may be, for the features they purchased).  Such easy hackability is not without its business benefits, as has already been pointed out, so to insist that "hacking" such a scope is "wrong" is amusing, to say the least, seeing how the manufacturer wants the scope to be "hackable" in that way.

[G0HZU]

Tampering, reverse engineering, etc., is becoming much more difficult with the advent of "system on a chip" technology.

True, but I'm not sure how many TE manufacturers would try and cram a 'system' in a chip. Maybe they do this already, I don't know... I'm out of touch, mainly because I only take an interest in stuff like this if it is relevant to my situation.

However, experience has taught me that the people who produce 'protection systems' are often lazy or incompetent and often over confident about the robustness of their elaborate system. What could/should be secure is often woefully insecure.

[G0HZU]

In any case, the real point of all of this is that a manufacturer that is concerned about people "hacking" their products so as to enable features that are otherwise disabled is easily capable of preventing that.  It's not like we're talking about some technologically ignorant company here, we're talking about a company that does hardware and software design as its business.  It will deploy the kind of measures I'm talking about if it really wants to prevent its customers from easily enabling features.

I agree that they could try and make things a lot harder but I suspect that the decision on how to adopt such a system is based on NRE dev costs and management costs...  At a guess the big players will prefer to choose a generic third party system that they simply staple into their system. This will be useable across a wide variation of hardware (and software) platforms and will be very versatile in terms of management. With this choice, they don't have to develop and manage numerous bespoke protection systems for various platforms.

They will know it isn't the most secure option but it is probably the best all round 'business' option and they probably don't care too much about the impact of hacking. A hack released into the wild has the same impact if it was trivial to discover or if it took the work of a genius to discover 

[kcbrown]

Tampering, reverse engineering, etc., is becoming much more difficult with the advent of "system on a chip" technology.

True, but I'm not sure how many TE manufacturers would try and cram a 'system' in a chip. Maybe they do this already, I don't know... I'm out of touch, mainly because I only take an interest in stuff like this if it is relevant to my situation.

There's actually a great deal of incentive for manufacturers to use SOC units when possible.  It reduces cost, increases reliability, reduces board space requirements, and (as explained previously) makes tampering more difficult.  Indeed, the only reason to not use a SOC is lack of capability, e.g. if you need more RAM than the SOC can provide.  That's becoming less of an issue over time, though everything ultimately depends on improvements in transistor density.

I'm sure you've heard of the Raspberry Pi, right?  That's a SOC implementation.  Current versions have a gigabyte of RAM.  It happens to be that the RAM is a separate chip in the current models, but the model B+ had 512M of memory in the form of a "package on package" construction, where the two chips are soldered directly to each other.  With respect to immunity from hacking, that's clearly not going to be as good as a complete SOC if the two can somehow be separated afterwards, but it's apparently quite a bit less expensive to produce.  A manufacturer that is concerned with tampering might easily be able to produce a hybrid package that contains both the RAM and the SOC in such a way as to make gaining access to the memory bus a difficult proposition.

However, experience has taught me that the people who produce 'protection systems' are often lazy or incompetent and often over confident about the robustness of their elaborate system. What could/should be secure is often woefully insecure.

Manufacturers only have to get it right once.  And the more capable a manufacturer is, the more likely they'll get it right.  Obviously, a manufacturer that doesn't really care about getting it right probably won't, but the market will tend to reveal whether or not that was a good business decision.   The point here is that it's not hard to get it right, so a manufacturer that really cares about this stuff will be perfectly capable of preventing the kind of easy hacks we've been discussing.

In any case, the real point of all of this is that a manufacturer that is concerned about people "hacking" their products so as to enable features that are otherwise disabled is easily capable of preventing that.  It's not like we're talking about some technologically ignorant company here, we're talking about a company that does hardware and software design as its business.  It will deploy the kind of measures I'm talking about if it really wants to prevent its customers from easily enabling features.

I agree that they could try and make things a lot harder but I suspect that the decision on how to adopt such a system is based on NRE dev costs and management costs...  At a guess the big players will prefer to choose a generic third party system that they simply staple into their system. This will be useable across a wide variation of hardware (and software) platforms and will be very versatile in terms of management. With this choice, they don't have to develop and manage numerous bespoke protection systems for various platforms.

That could be, of course, and if they go that route, they'll likely be able to evaluate ahead of time whether or not the third party's solution is an effective one.

They will know it isn't the most secure option but it is probably the best all round 'business' option and they probably don't care too much about the impact of hacking. A hack released into the wild has the same impact if it was trivial to discover or if it took the work of a genius to discover 

Well, it might actually be the most secure option!  It depends on the quality of the third party solution.  That said, if they don't care too much about the impact of hacking, then that's a legitimate business decision on their part.  Those here shouldn't then complain about the "immorality" of hacking the resulting devices, particularly when the "hacks" aren't even violations of law.  The plain fact is that prevention of the kind of "hacking" that is mainly being discussed here is straightforward and easy to implement, so manufacturers that fail to do so anyway clearly have no real desire to prevent it (only perhaps a token desire, if that).

[mnementh]

As for whether I would feel "entitled"... don't try to drag me into THAT recursive sophistry. 

Interesting - since that sense of 'entitlement' is fundamental to this argument.

Still - if you say the analogy is irrelevant, then it must be so.

Common sense says that it is so.

We are all free to do whatever we choose to do. You are free to live by a narrow, rigid set of rules. I am free to ignore them.

If I disagree with a set of rules that the society of a region considers to be just and lawful, I am still free to do AS I FEEL; I may encounter some resistance to that, however, as others of that society are also free to attempt to stop me, or to lock me away as a danger to their beliefs, or to ignore me as a pest, or also to ignore the same laws.

If I fear those consequences of my actions, I am free to go somewhere those laws don't exist, or work to get them changed, or to violate them as I see fit and hope nobody catches me who can do something about it.

This is what FREE WILL means. "Entitlement" is a lie that power-merchants and lawyers use to rob you of your free will.


As I said; a recursive sophistry... and a sophomoric one at that. 


mnem
My shoes disagree with that.

[NiHaoMike]

What about the case of hacking the hardware to increase the bandwidth limit? Not a single byte of the firmware is changed.

[Zero999]

What about the case of hacking the hardware to increase the bandwidth limit? Not a single byte of the firmware is changed.

https://www.eevblog.com/forum/testgear/reasons-for-hacking-dsos/msg899219/#msg899219

[m98]

Didn't read the whole discussion, but how can pressing some keys in a special order on my own property be illegal? I haven't licensed any software, service, or SAAS, nor have I agreed with any contract other than the purchase contract with the equipment distributor. I just got the "black box" hardware product, where I can feel free to press any key in any order I want and solder anything out or in of it as I like.

[tszaboo]

So here is my opinion:
Options exist, not to segment the market, but to lure companies to buying the product. Big companies, the purchasing goes on several levels. If you sell a scope for 10001 EUR, you need a chief senior vice president of manager's signature on the purchase order. If it costs 9999 EUR, a lower lever manager can sign it, who may understand that you need the scope. So the scope maker will not sell a scope for 10001 EUR because that will yield less sales. They will sell it for 4999 and the options will cost 499 each (ask a quote, mention how much can you sign. It will be that much, unless big difference). If you need CAN analysing, it will cost 499. The company saves few hours of enginers time, the manufacturer gets 499, the manager doesn't need to make a powerpoint presentation with ROI calculations. Screw shareholders, screw corporate politics, it is evil.
Why are there chinese scopes come with unlock software? Because, as always, Chinese copied the west. It works the same way at Agilent, lets do the same. 150 USD for bandwidth update, are you kidding me?
It is ultimately a flawed model, because there are no big companies buying BK-Segirol sold as Tenma scopes paying with paypal. So it is stealing to unlock it? Not really. You are probably not going to use it to make money anyway. If you do make money with it, then pay for it.

[Fungus]

We are all free to do whatever we choose to do. You are free to live by a narrow, rigid set of rules. I am free to ignore them.

This is what FREE WILL means.

Grown-ups can recognize that if you live in a society then you have a moral debt to that society. That society is what made you who you are and allows you to live freely.

[tggzzz]

We are all free to do whatever we choose to do. You are free to live by a narrow, rigid set of rules. I am free to ignore them.

This is what FREE WILL means.

Grown-ups can recognize that if you live in a society then you have a moral debt to that society. That society is what made you who you are and allows you to live freely.

Just so.

And of course mnementh's next sentence (viz: "Entitlement" is a lie that power-merchants and lawyers use to rob you of your free will) might be re-cast as "entitlement is a lie used by selfish young adults in an attempt to justify their antisocial behaviour"

[Zero999]

Quite right. I believe in the freedom to do what I want with my own personal property, which includes modifying/hacking it to gain better performance.

As I said before if the manufacturer doesn't want me to hack it, then they need to get me to sign a contract on purchase of said equipment but if they do that, I'll go elsewhere.

Why are there chinese scopes come with unlock software? Because, as always, Chinese copied the west. It works the same way at Agilent, lets do the same. 150 USD for bandwidth update, are you kidding me?
It is ultimately a flawed model, because there are no big companies buying BK-Segirol sold as Tenma scopes paying with paypal. So it is stealing to unlock it? Not really. You are probably not going to use it to make money anyway. If you do make money with it, then pay for it.

I think it's fine to hack an oscilloscope for commercial purposes. I know someone who has done it and good on them too. I wonder if the fact that they do a crappy day job, are just doing extra part time work at home and can't afford to pay the unlock ransom, influence your judgement of them? I don't care either way. I've taken my hacked Rigol 1054Z into work before and used it commercially, without a shred of guilt.

[Howardlong]

What about the case of hacking the hardware to increase the bandwidth limit? Not a single byte of the firmware is changed.

https://www.eevblog.com/forum/testgear/reasons-for-hacking-dsos/msg899219/#msg899219

I may have missed it, but I haven't seen anyone answer that question, ie what is the difference between lifting a resistor and fiddling the code.

[tggzzz]

What about the case of hacking the hardware to increase the bandwidth limit? Not a single byte of the firmware is changed.

https://www.eevblog.com/forum/testgear/reasons-for-hacking-dsos/msg899219/#msg899219

I may have missed it, but I haven't seen anyone answer that question, ie what is the difference between lifting a resistor and fiddling the code.

I don't see any difference, morally, ethically or legally. If the manufacturer is also selling and supporting an equivalent to the modified device, then in neither case is there a valid entitlement to the modification.

If it is abandonware, then the argument is probably still legally valid but, IMHO, much less morally and ethically clearcut. I would have little compunction about ensuring what I had already purchased continued to operate. Examples: Microsoft's PlaysForSure(TM) [sic], or attempting to reinstal WinXP on my laptop after a disk failure.

[Brumby]

A side question....

Would you consider any modification to the hardware and/or software (incl. firmware) as actions that would void warranty?

Would you include 'cracking' unpurchased software keys in this?

[tggzzz]

A side question....

Would you consider any modification to the hardware and/or software (incl. firmware) as actions that would void warranty?

Would you include 'cracking' unpurchased software keys in this?

People make false warranty claims all the time; the legal profession is well versed in sniffing that out. It would be more difficult to disguise a hardware modification, since software modifications can, potentially, be invisibly reversed.

In the event of a warranty claim, if the manufacturer accepts the liability there is no practical issue. If the manufacturer claims your actions voided the warranty then either you drop the claim or it will end up in the courts. If it ends up in the courts, then the judgement will depend on the law of the land and the quality of the legal presentations.

In the UK consumer items have to be "of merchandable quality" and without design flaws that have contributed to the claim. If you have modified the equipment then the manufacturer can easily claim your modification damaged the equipment, and you will have difficulty persuading the court that isn't the case.