
Sniffing the Rigol's internal I2C bus


zombie28:

--- Quote from: cybernet on December 09, 2013, 12:45:13 am ---there are no plaintext keys in the code anymore, and the GEL format changed slightly

--- End quote ---

The ECC parameters are still the same, but they are hidden as binary data, encoded with a bit-shuffling algorithm. The newest firmware for the DP832 and the DS2K both contain the following sequences of bytes (in little-endian order):

1F A8 BD F4 B8 C9 55 45
29 B5 66 E6 B8 C9 55 45
93 86 33 C4 88 6A 54 05

which are the encoded form of the well-known ASCII-hex strings, respectively:

"AEBF94CEE3E707"
"AEBF94D5C6AA71"
"7A3E808599A525"

Here is the unshuffling algorithm that I found in the DP832 firmware (each DWORD is processed separately):


--- Code: ---#include <stdint.h>

typedef uint32_t DWORD;   /* 32-bit unsigned, as in the firmware */

/* Each step swaps the two inner quarters of a field: bits 1 and 2 of
   each nibble, bits 2-3 and 4-5 of each byte, nibbles 1 and 2 of each
   16-bit half, and bytes 1 and 2 of the DWORD.  The net effect is a
   perfect unshuffle: the even-numbered bits of x end up in the low
   16 bits of the result, the odd-numbered bits in the high 16 bits. */
DWORD Unshuffle(DWORD x)
{
    x = ((x & 0x22222222) << 1) | ((x >> 1) & 0x22222222) | (x & 0x99999999);
    x = ((x & 0x0C0C0C0C) << 2) | ((x >> 2) & 0x0C0C0C0C) | (x & 0xC3C3C3C3);
    x = ((x & 0x00F000F0) << 4) | ((x >> 4) & 0x00F000F0) | (x & 0xF00FF00F);
    x = ((x & 0x0000FF00) << 8) | ((x >> 8) & 0x0000FF00) | (x & 0xFF0000FF);
    return x;
}

--- End code ---

In the DS2K firmware, just before the aforementioned sequences of bytes, you can also find the elliptic curve parameters A and B, encoded as big-endian WORDs:
29 82 00 00
34 08 00 00

In the DP832 firmware these A and B values are hardcoded directly into a call to the mirvar function (during the ECC initialization phase).

cybernet:
Very nice find. They didn't bother to change the ECC parameters, funny.
I wonder how to enable CAN on the DS2000(A) then ...
Did somebody with a DS2000A already try the keygen? It shouldn't fail if the ECC params are the same, unless they changed the hash and its meaning.

zombie28:

--- Quote from: cybernet on December 09, 2013, 02:37:15 pm ---Very nice find. They didn't bother to change the ECC parameters, funny.
I wonder how to enable CAN on the DS2000(A) then ...
Did somebody with a DS2000A already try the keygen? It shouldn't fail if the ECC params are the same, unless they changed the hash and its meaning.

--- End quote ---

I haven't found the public key yet, but I expect that Rigol changed it (some people were reporting that the keygen doesn't work with the new firmware).

marmad:

--- Quote from: zombie28 on December 09, 2013, 03:21:28 pm ---I haven't found the public key yet, but I expect that Rigol changed it (some people were reporting that the keygen doesn't work with the new firmware).

--- End quote ---
People with A-models were reporting that the keygen doesn't work with the new firmware, but g***! (with a non-A model) reported that it worked for him.

zombie28:

--- Quote from: marmad on December 09, 2013, 03:55:18 pm ---People with A-models were reporting that the keygen doesn't work with the new firmware, but g***! (with a non-A model) reported that it worked for him.

--- End quote ---

And now I know why: Rigol didn't bother to change the public key either. I found the old public key in the new firmware (encoded by the same bit-shuffling algorithm I described earlier). The sequence of encoded bytes is as follows: 97 58 B9 DE 24 C5 11 10, which obviously translates to "8445B2BE29E5C7". I believe Rigol didn't change the keys to maintain backward compatibility with previously sold license codes. Alternatively, they may use two separate keys for 'non-A' and 'A' license codes.
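As an added example (editor's code, not from the posts and not Rigol's firmware): a Python script that ports the Unshuffle routine zombie28 quoted from the DP832 firmware, shows what it computes (a perfect unshuffle: the even-numbered bits of the DWORD go to the low half-word, the odd-numbered bits to the high half-word), implements the inverse so a known constant can be re-encoded and searched for in an image, and decodes the four 8-byte sequences quoted in this thread (the three ECC parameters from the first post and the public key from the post above). The encoded sequences are copied from the posts; the IMAGE it scans is a constructed byte string, not a real firmware image, and the function names are the example's own.

```python
"""Decode the bit-shuffled constants quoted in this thread.

Added example: not Rigol's code and not from the original posts. The
8-byte sequences in ENCODED are copied from the posts; IMAGE is a
constructed stand-in for a firmware image.
"""
import struct

MASK32 = 0xFFFFFFFF


def unshuffle(x: int) -> int:
    """Port of the Unshuffle() routine quoted from the DP832 firmware (32-bit)."""
    x &= MASK32
    x = ((x & 0x22222222) << 1) | ((x >> 1) & 0x22222222) | (x & 0x99999999)
    x = ((x & 0x0C0C0C0C) << 2) | ((x >> 2) & 0x0C0C0C0C) | (x & 0xC3C3C3C3)
    x = ((x & 0x00F000F0) << 4) | ((x >> 4) & 0x00F000F0) | (x & 0xF00FF00F)
    x = ((x & 0x0000FF00) << 8) | ((x >> 8) & 0x0000FF00) | (x & 0xFF0000FF)
    return x & MASK32


def unshuffle_ref(x: int) -> int:
    """Bit-by-bit statement of what the routine computes: a perfect unshuffle.
    Even-numbered bits of x become bits 0..15 of the result, odd-numbered
    bits become bits 16..31."""
    out = 0
    for i in range(16):
        out |= ((x >> (2 * i)) & 1) << i
        out |= ((x >> (2 * i + 1)) & 1) << (16 + i)
    return out


def shuffle(y: int) -> int:
    """Inverse permutation: interleave the low and high half-words.
    Used to compute the encoded form of a known constant."""
    out = 0
    for i in range(16):
        out |= ((y >> i) & 1) << (2 * i)
        out |= ((y >> (16 + i)) & 1) << (2 * i + 1)
    return out


def decode_constant(encoded: bytes) -> str:
    """encoded: 8 bytes in memory order, i.e. two little-endian DWORDs.
    The first DWORD holds the low 32 bits of the 56-bit value, the second
    the high 24 bits; returns the value as a 14-digit hex string."""
    lo, hi = struct.unpack("<II", encoded)
    value = (unshuffle(hi) << 32) | unshuffle(lo)
    return f"{value:014X}"


def encode_constant(hexstr: str) -> bytes:
    """Inverse of decode_constant: the 8 bytes an image would contain."""
    value = int(hexstr, 16)
    return struct.pack("<II", shuffle(value & MASK32), shuffle(value >> 32))


# Encoded byte sequences quoted in the posts above (memory order).
ENCODED = {
    "1FA8BDF4B8C95545": "ECC parameter 1",
    "29B566E6B8C95545": "ECC parameter 2",
    "938633C4886A5405": "ECC parameter 3",
    "9758B9DE24C51110": "public key",
}


def decode_all() -> dict:
    """Map each quoted sequence to its decoded hex string."""
    return {seq: decode_constant(bytes.fromhex(seq)) for seq in ENCODED}


def find_constant(image: bytes, hexstr: str) -> list:
    """Offsets at which the shuffled encoding of hexstr occurs in image."""
    needle = encode_constant(hexstr)
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


# Constructed stand-in for a firmware image: filler around two of the
# quoted sequences (this is NOT a real Rigol image).
IMAGE = (b"\x00" * 24 + bytes.fromhex("9758B9DE24C51110")
         + b"\xff" * 8 + bytes.fromhex("1FA8BDF4B8C95545") + b"\x00" * 8)


if __name__ == "__main__":
    for seq, what in ENCODED.items():
        print(f"{what:16s} {seq} -> {decode_constant(bytes.fromhex(seq))}")
    print("public key found at offsets", find_constant(IMAGE, "8445B2BE29E5C7"))
```

Because the routine is a plain bit permutation, shuffle() is its exact inverse: to check a suspected firmware for a known key or curve parameter, re-encode the hex string with encode_constant and search for those 8 bytes rather than trying to unshuffle every DWORD in the image.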
