Sniffing the Rigol's internal I2C bus
zombie28:
--- Quote from: andyturk on January 04, 2014, 04:34:39 pm ---
--- Code: ---// Copyright (c) 2013 RIGLOL Technologies, Inc. All Rights Reversed.
--- End code ---
:-DD
--- End quote ---
Well, this is my small tribute to cybernet, because without his findings I would have never been able to do this. ;)
tirulerbach:
--- Quote from: zombie28 on January 04, 2014, 02:15:22 pm ---So here it is, the new license code decoder:
--- End quote ---
Great work! Fantastic! :-+
So, a small question: Are you sure DecodeSignature() is correct? Maybe it's a roll instead of a shift? :-//
van-c:
--- Quote from: zombie28 on January 04, 2014, 02:40:28 pm ---
--- Quote from: NikWing on January 04, 2014, 02:36:11 pm ---nice :o
and now? :)
--- End quote ---
it's time to reverse
--- End quote ---
So, zombie28, if the correct private key were used in the existing keygen to produce a 28-character license code for a particular option code, then running that license code through your DecodeLicenseCode() function would return the option code back, verifying that the correct private key had been found, correct? (Assuming the keygen is using an algorithm compatible with the decoder.)
zombie28:
--- Quote from: tirulerbach on January 04, 2014, 08:55:46 pm ---
--- Quote from: zombie28 on January 04, 2014, 02:15:22 pm ---So here it is, the new license code decoder:
--- End quote ---
So, a small question: Are you sure DecodeSignature() is correct? Maybe it's a roll instead of a shift? :-//
--- End quote ---
I'm pretty sure that my code is correct. I have run it with the 'AAAAAAABBBBBBBCCCCCCCDDDDDDD' license code and found its output in a memory dump:
option bits: 0x000f09f5 (at offset 0x1c3df7c as binary value)
sig1: 0x0000f464e5aebf3e (at offset 0x1c3df80 as hex string)
sig2: 0x000000000000000f (at offset 0x1c3df90 as hex string)
The same technique was used in the non-A license decoder (take a look at riglol.c and variables i1 and i2), but instead of shifting binary values to the right, this decoder moves the null terminator of the hex strings to the left. I think Rigol uses shifting of signature values as a form of padding, to fill all available space in case of leading zeros (padding is often used in digital signature algorithms for security reasons).
zombie28:
--- Quote from: van-c on January 04, 2014, 09:33:13 pm ---So, zombie28, if the correct private key were used in the existing keygen to produce a 28-character license code for a particular option code, then running that license code through your DecodeLicenseCode() function would return the option code back, verifying that the correct private key had been found, correct? (Assuming the keygen is using an algorithm compatible with the decoder.)
--- End quote ---
Well, not exactly. After decoding of the license code, the ECDSA algorithm must be used to verify the signature (or the key). But first we need to find out how the signature is being constructed from the scope's serial number and option bits, because there are no explicit option characters in the new code format.