Author Topic: Hameg R&S HMO scope licenses not available anymore  (Read 2325 times)


Offline tv84

Re: Hameg R&S HMO scope licenses not available anymore
« Reply #25 on: November 09, 2020, 07:31:08 pm »
AES-256 key for HMOxxxx .HFU packages:

2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409

Parsing of HAMEG_FW_HMO1524_HMO2024_04_531 firmware:
Code:
00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 0004038C  [00000400-0004078B]
00000006   Section 2 Size: 00490E24  [0004078C-004D15AF]
0000000A  Section 1 CRC16: 93B5    CRC OK
0000000C  Section 2 CRC16: 80A8    CRC OK
0000000E             ????: 0x10130000
0000001E            Model: HMO_A24
0000002E       FW Version: 04.531
0000003E     Release Date: 2015-07-27
0000004E             ????: 16668.14471
0000005E      Compilation: Build 34649 built on 2015-07-27 10:03:31 by MaG? [04.531 - HCL: 02.015 - MesOS: 03.222]
0000015E  (???) Hash Type: 2
00000198            Build: 34649
000001AA Section 1 SHA256: 8F218EEC05C6B6894FF6B85A87349B0F    HASH OK
000001CA Section 2 SHA256: FAFD8282DA34598936B85C8FC7CFDE94    HASH OK
000003FE     Header CRC16: 9CB0    CRC OK
--------------------------------------------------------------------
0004078C **** SubSection 0x80 ****
0004078D  SubSect Hdr Size: 0025
0004078F   SubSection Size: 00003493  [000407B1-00043C43]
00040793  SubSection CRC16: 3416    CRC OK
000407AB     Contents Size: 0000348E  [000407B4-00043C41]
000407AF SubSect Hdr CRC16: FFB1      [0004078C-000407AE]    CRC OK
000407B4 BMP (640x480 pixels - 8 bits / compr.: 1)   [000407B4-00043C41]
00043C44 **** SubSection 0x11 ****
00043C45  SubSect Hdr Size: 0025
00043C47   SubSection Size: 0048D937  [00043C69-004D159F]
00043C4B  SubSection CRC16: 1026    CRC OK
00043C63     Contents Size: 0048D932  [00043C6C-004D159D]
00043C67 SubSect Hdr CRC16: E88A      [00043C44-00043C66]    CRC OK
00043C6C Bootloader Programmer
« Last Edit: November 16, 2020, 06:57:18 pm by tv84 »
 

Offline abyrvalg

Re: Hameg R&S HMO scope licenses not available anymore
« Reply #26 on: November 10, 2020, 12:27:46 pm »
"subsection 0x11" load address 0x10000, CPU Renesas SH2A
RAM segments:
D5F97D0-D617F7E copy from 341784
D617F80-D61BA28 copy from 35FF34
D61BA30-D917990 zero init
FFF84000-FFF8A874 copy from 3639DC

Some interesting functions:
00054E28: SCPI DIAGNOSTIC:SERVICE:LICENCE:INVALIDATE handler
0005D47C: SCPI DIAGNOSTIC:SERVICE:LICENCE:STATUS handler
0005D5C8: SCPI DIAGNOSTIC:SERVICE:LICENCE:SET:KEY handler

The key should look like 32 hex chars, CRC16-CCITT (0x1021 poly) is a part of validation algo.

Upd:
- the key is converted to 16 bytes binary
- decrypted with AES-256 ECB using key pointed to by [0D82C33C]
- byte order is swapped in each 4-byte group
- the result is passed to int func_00176830(uint32 key_decr[4]) for validation:

- key_decr[0] == [dword_D82C340] - instrument id ?
...

Many important things are pointed by fields of some struct starting at D82C330.

Looks like there is no validation at each power up (it is done at installation time, then option data is stored in a plain form somewhere), so with debug adapter and flash access it could be possible just to add more option records to that storage without reversing the key generation. But after getting that AES key from [0D82C33C]-> the rest could be trivial. A RAM dump would help a lot.
« Last Edit: November 10, 2020, 01:28:32 pm by abyrvalg »
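The CRC16-CCITT (polynomial 0x1021) that abyrvalg names as part of the key check is a plain integrity code, and it is worth seeing why it contributes nothing to the secrecy of the scheme. The block below is an added example, not code from the thread or from Hameg/R&S: it implements CRC-16 with polynomial 0x1021 in a bit-by-bit and a table-driven form, checks both against the published check value for "123456789", and verifies a constructed payload that carries its CRC as a big-endian trailer. The initial value (0xFFFF, the CRC-16/CCITT-FALSE convention) and the trailer layout are assumptions for illustration; the page does not state which variant the instrument uses.

```python
# Added example: CRC-16 with polynomial 0x1021 (CRC-16/CCITT family).
# Not from the forum thread; init value and trailer layout are assumptions.

POLY = 0x1021


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """MSB-first CRC-16, polynomial 0x1021, no reflection, no final XOR.
    init=0xFFFF gives CRC-16/CCITT-FALSE, init=0x0000 gives CRC-16/XMODEM."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def _make_table(poly: int = POLY) -> list:
    """Precompute the 256-entry table for the byte-at-a-time variant."""
    table = []
    for i in range(256):
        crc = i << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
        table.append(crc)
    return table


_TABLE = _make_table()


def crc16_ccitt_table(data: bytes, init: int = 0xFFFF) -> int:
    """Same CRC as crc16_ccitt, computed one byte per step via the table."""
    crc = init
    for byte in data:
        crc = ((crc << 8) & 0xFFFF) ^ _TABLE[((crc >> 8) ^ byte) & 0xFF]
    return crc


def build_blob(payload: bytes) -> bytes:
    """Assumed framing: payload followed by its CRC as 2 big-endian bytes."""
    return payload + crc16_ccitt(payload).to_bytes(2, "big")


def verify_trailer(blob: bytes) -> bool:
    """Recompute the CRC over everything but the trailer and compare."""
    if len(blob) < 2:
        return False
    payload, trailer = blob[:-2], int.from_bytes(blob[-2:], "big")
    return crc16_ccitt(payload) == trailer


# Constructed sample data (not real firmware or key material).
SAMPLE_BLOB = build_blob(b"constructed payload for the CRC demo")
# One byte flipped: a CRC always catches a single-byte error, but anyone
# can recompute the trailer, so a CRC is not an authentication check.
CORRUPTED_BLOB = bytes([SAMPLE_BLOB[0] ^ 0x01]) + SAMPLE_BLOB[1:]


if __name__ == "__main__":
    print(hex(crc16_ccitt(b"123456789")))            # 0x29b1 (CCITT-FALSE)
    print(hex(crc16_ccitt(b"123456789", init=0)))    # 0x31c3 (XMODEM)
    print(verify_trailer(SAMPLE_BLOB), verify_trailer(CORRUPTED_BLOB))
```

The check value 0x29B1 for the nine-digit string is the standard reference for CRC-16/CCITT-FALSE; if a captured CRC field does not match under this variant, trying init 0x0000 (XMODEM) is the usual next step, since both share the 0x1021 polynomial. Whatever the variant, the CRC only detects accidental corruption: all of the protection in a key scheme like the one described has to come from the encryption step, not from the checksum.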
 

Offline tmbinc

Re: Hameg R&S HMO scope licenses not available anymore
« Reply #27 on: November 10, 2020, 02:21:32 pm »
This sounds _very_ similar to the HMS-X spectrum analyzer. Same AES key for firmware decryption, same license crap.

From my notes - sorry, this was ~2015 - a license key is an AES-encrypted tuple of 4 little-endian words. First word is the serial number, second word is the "Feature" to enable, third word is "0", fourth word is "1" (or maybe it's don't-care?). The AES key starts with 86BA...
Feature was either 0x11, 0x13, 0x14, 0x15 on the HMS-X, but one of them was a reset key that cleared all options. (Which is super annoying when you need to enter 3x32 hex digits via the front panel again)

What I don't see here though is the CRC16 CCITT, so maybe things _are_ different.

I'm really not a fan of posting keygens here, but if these are unobtainium for otherwise EOL'ed devices, I care less.
 

Offline tv84

Re: Hameg R&S HMO scope licenses not available anymore
« Reply #28 on: November 10, 2020, 03:05:22 pm »
key pointed to by [0D82C33C]

86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE
 

