Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1831659 times)


Offline Daruosha

  • Regular Contributor
  • *
  • Posts: 181
  • Country: ir
Re: Sniffing the Rigol's internal I2C bus
« Reply #4425 on: February 27, 2020, 09:18:48 am »
Updates do not interfere with your installed licenses.
How did you generate the keys? JTAG dump?
 

Offline RetroDan™

  • Contributor
  • Posts: 15
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4426 on: February 27, 2020, 12:54:49 pm »
Generated them with the Altered firmware - LAN mem dump - rigup method.  Took a chance and updated.  No issues whatsoever!
(**A new 3rd Edition** companion is in preparation, expected publication 4Q15: “Learning the Art of Electronics — A Hands-on Approach”)
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16642
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4427 on: February 28, 2020, 02:49:16 pm »
Successfully hacked my MSO1074Z-S.  If I upgrade the firmware to the most recent, will I lose my hacks?

No, because you didn't "hack" anything. All you did was enter a key - exactly the same as a paying customer would do.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6426
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4428 on: February 28, 2020, 03:47:01 pm »
Fungus, this is about an MSO. Not quite as straightforward.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #4429 on: February 28, 2020, 04:04:23 pm »
Fungus, this is about an MSO. Not quite as straightforward.

Sure it is. All the same. The only difference is which private key is used BUT once private keys are known, the generated licenses are as "official" as it gets!

For all Rigol equipment.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16642
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4430 on: February 28, 2020, 05:40:18 pm »
Fungus, this is about an MSO. Not quite as straightforward.

It's exactly the same.

Would a customer expect all his paid-for options to vanish if he did a firmware update? Of course not.

Riglol-generated keys are no different from "official" ones.


 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6426
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4431 on: February 28, 2020, 08:11:44 pm »
Ok, agree. The process is a bit more involved for the MSOs and the -Plus version, but the result is the same.
 

Offline RetroDan™

  • Contributor
  • Posts: 15
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4432 on: March 01, 2020, 09:00:32 pm »
Successfully hacked my MSO1074Z-S.  If I upgrade the firmware to the most recent, will I lose my hacks?

No, because you didn't "hack" anything. All you did was enter a key - exactly the same as a paying customer would do.

Are you really going to get that bent out of shape over semantics?  Fine.  I utilized an altered firmware to allow me to dump the contents of my scope's memory and then used a community-created piece of software to generate license keys so that I could unlock, without paying, features available for my MSO1074Z-S.

Isn't it just easier to say 'hacked'?  The precision of the term may be lacking, but the implication is certainly there.  Loosen your necktie, mate; nobody's grading you on this.
(**A new 3rd Edition** companion is in preparation, expected publication 4Q15: “Learning the Art of Electronics — A Hands-on Approach”)
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6426
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4433 on: March 01, 2020, 10:39:09 pm »
Are you really going to get that bent out of shape over semantics?  [...]
Isn't it just easier to say 'hacked'?  The precision of the term may be lacking, but the implication is certainly there.  Loosen your necktie, mate; nobody's grading you on this.

Fungus' comment was not about your choice of words, but about the underlying mechanism to enable the additional scope features. And his comment was a pertinent answer to your original question whether your new features would survive a firmware update:

You had to jump through a few hoops to get information from the scope and generate keys. But in the end, you generated the same keys which Rigol would have generated for you if you had bought these features. The scope accepts them since they look correct to its internal checking algorithm -- just as correct as the Rigol-generated keys. So any future firmware will need to accept these keys too.

So yes, please relax and loosen your necktie.
 
The following users thanked this post: Fungus

Offline aristarchus

  • Regular Contributor
  • *
  • Posts: 107
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4434 on: March 01, 2020, 10:54:42 pm »
From what I understand, the license codes generated via the 'hacked' method are exactly the same digit-by-digit with what someone would get officially for the same option on the same serial number device.
So, eventually they have to survive any FW upgrade.

(loose neckties everywhere..)
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #4435 on: March 02, 2020, 04:58:20 pm »
From what I understand, the license codes generated via the 'hacked' method are exactly the same digit-by-digit with what someone would get officially for the same option on the same serial number device.
So, eventually they have to survive any FW upgrade.

(loose neckties everywhere..)

Well, let's get loose-necktie techie for a bit: the licenses are not exactly the same digit-by-digit because they are dependent on a k-factor (usually random). So, they can be different but they achieve the same goal.
 

Offline aristarchus

  • Regular Contributor
  • *
  • Posts: 107
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4436 on: March 02, 2020, 05:07:12 pm »
Well, let's get loose-necktie techie for a bit: the licenses are not exactly the same digit-by-digit because they are dependent on a k-factor (usually random). So, they can be different but they achieve the same goal.

Thanks tv84 for clearing this up, interesting.
(I have to review the riglol sources and see how this plays out)
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #4437 on: March 03, 2020, 12:07:39 am »
It's also very unlikely but not completely outside the realm of possibility that Rigol revokes the existing keys, and issues new licenses to legitimate customers.
73 de VE7XEN
He/Him
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2682
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4438 on: March 03, 2020, 06:28:11 am »
It's also very unlikely but not completely outside the realm of possibility that Rigol revokes the existing keys, and issues new licenses to legitimate customers.

So annoy all the paid customers, making them enter new codes for the products they already paid for, just to remove a few users that "liberated" their scope themselves?? Extremely unlikely I'd say.

McBryce.
30 Years making cars more difficult to repair.
 

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6600
  • Country: hr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4439 on: March 03, 2020, 08:50:31 am »
It's also very unlikely but not completely outside the realm of possibility that Rigol revokes the existing keys, and issues new licenses to legitimate customers.
And why would they do that when, for a year now, all options are free and unlocked...?
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #4440 on: March 03, 2020, 09:20:27 am »
It's also very unlikely but not completely outside the realm of possibility that Rigol revokes the existing keys, and issues new licenses to legitimate customers.
And why would they do that when, for a year now, all options are free and unlocked...?

They're not going to. But let's not say it's impossible.
73 de VE7XEN
He/Him
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #4441 on: March 03, 2020, 10:17:38 am »
They're not going to. But let's not say it's impossible.

I will.  That's impossible as the software has no revoke mechanisms. That's a totally different ballgame.

Developing that at this stage would be economically prohibitive for this kind of equipment.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #4442 on: March 03, 2020, 10:27:08 am »
They're not going to. But let's not say it's impossible.

I will.  That's impossible as the software has no revoke mechanisms. That's a totally different ballgame.

Developing that at this stage would be economically prohibitive for this kind of equipment.

From a software engineering point of view it's trivial, just change the trusted key on the scope. To do so in a manner that wouldn't be easy to hack again wouldn't be, but this kind of thing is always an arms race and it wouldn't be the first time a company saw value in throwing up some meaningless barriers. I'd actually call the MSO's unique keys a step in this direction.

The difficulty actually doing it would be the business ramifications of making all issued licenses not forward compatible to the new software, and the realization that it wouldn't actually achieve anything. It's a matter of the business impact of causing all those support issues and bad juju from paying customers that is stopping them. And probably they recognize that the hacking is good for the popularity of their products and aren't going to spend good will to try to stop it.

What they can't do is go all FTDI and start bricking stuff.
73 de VE7XEN
He/Him
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16642
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4443 on: March 03, 2020, 10:27:52 am »
They're not going to. But let's not say it's impossible.

Pigs could also evolve wings, but...
« Last Edit: March 03, 2020, 10:30:28 am by Fungus »
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #4444 on: March 03, 2020, 10:28:50 am »
They're not going to. But let's not say it's impossible.

Pigs could also evolve wings, but...

I feel like we're engineers here and should hold ourselves to the most basic standard of accuracy. If, on an engineering forum, you say something can't be done, I take it to mean that it can't be done, not that it won't be.
73 de VE7XEN
He/Him
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16642
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4445 on: March 03, 2020, 10:36:45 am »
Pigs could also evolve wings, but...

I feel like we're engineers here and should hold ourselves to the most basic standard of accuracy. If, on an engineering forum, you say something can't be done, I take it to mean that it can't be done, not that it won't be.

Spending time discussing how we're going to deal with pesky flying pigs doesn't seem like a productive use of our engineering talents.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Sniffing the Rigol's internal I2C bus
« Reply #4446 on: March 03, 2020, 10:43:45 am »
I feel like we're engineers here and should hold ourselves to the most basic standard of accuracy. If, on an engineering forum, you say something can't be done, I take it to mean that it can't be done, not that it won't be.

Totally agree with you. Let's stay that way. BUT, we earthling engineers should also have in mind that we are bound by the economics of the world we live in.  Or else, we can say that they could do all that doesn't break the laws of physics.

Changing the pubkey in their flagship product, as has been done in the past with others, HAS TO involve migrating all the licenses that are currently working in the equipment. As such, once that FW upgrade is installed all "official" and "unofficial" licenses will be happily upgraded (because ANY upgrade program will have no way to differentiate both types of licenses) and what once was an "official/virtual unofficial" situation becomes an "all official" situation.

So, everyone stays licensed and only the new guys must redo riglol with a new private key.
 
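Two points in this thread are really one property of signature-based licensing: tv84's remark in reply #4435 that licenses depend on a random k-factor and so differ digit-by-digit while all verifying, and the argument in reply #4446 that rotating the verification key forces a migration that cannot tell "official" from "unofficial" licenses. The following is an added example, not code from the thread, from Riglol, or from Rigol; it uses ECDSA over the public secp256k1 parameters purely as a stand-in group (Rigol's real algorithm, parameters, serial formats and option names are not on this page and are not modelled). The license message format, the `migrate_licenses` upgrade model and the sample serial are constructed assumptions.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard public values), used here only as a
# convenient ECDSA group for illustration.  This is NOT the scope vendor's scheme.
P = (1 << 256) - (1 << 32) - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine group law on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen(priv=None):
    """Private scalar and matching public point (priv may be fixed for tests)."""
    priv = priv or secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def sign(msg, priv, k=None):
    """ECDSA: k is the per-signature nonce (the 'k-factor').  A fresh random k
    yields a different (r, s) every time, yet every one of them verifies."""
    z = hash_to_int(msg)
    while True:
        nonce = k if k is not None else secrets.randbelow(N - 1) + 1
        r = scalar_mult(nonce, G)[0] % N
        s = pow(nonce, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("fixed nonce gives a degenerate signature")


def verify(msg, sig, pub):
    """Verifier only holds the public point; it cannot tell who produced sig."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = hash_to_int(msg), pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


# --- constructed license model (assumption: a license signs serial + option) ---
def license_message(serial: str, option: str) -> bytes:
    return f"{serial}|{option}".encode()


def issue_license(serial, option, priv, k=None):
    return sign(license_message(serial, option), priv, k)


def license_valid(serial, option, sig, pub):
    return verify(license_message(serial, option), sig, pub)


def migrate_licenses(installed, old_pub, new_priv):
    """Model of a firmware upgrade that rotates the trusted key: each license that
    verifies under the old key is re-issued under the new one.  Valid licenses are
    indistinguishable by origin, so all of them migrate; only invalid ones drop."""
    return [(serial, option, issue_license(serial, option, new_priv))
            for serial, option, sig in installed
            if license_valid(serial, option, sig, old_pub)]


def params_ok():
    """Self-check: G lies on the curve and has order N."""
    gx, gy = G
    return (gy * gy - gx ** 3 - 7) % P == 0 and scalar_mult(N, G) is None


if __name__ == "__main__":
    priv, pub = keygen()
    serial = "SN-CONSTRUCTED-0001"          # constructed sample, not a real serial
    a = issue_license(serial, "OPT-A", priv)
    b = issue_license(serial, "OPT-A", priv)
    print("two issuances of the same option differ:", a != b)
    print("both verify:", license_valid(serial, "OPT-A", a, pub),
          license_valid(serial, "OPT-A", b, pub))
    _, new_pub = keygen()
    print("old license under a rotated key:", license_valid(serial, "OPT-A", a, new_pub))
```

The defender-side reading is the one the thread arrives at: a verifier that holds only the public key has no signal separating a key produced by the vendor from one produced by anyone else holding the same private key, so once a private key is known the only remedy is rotation, and rotation either re-issues every currently valid license (migrating the unwanted ones too) or breaks paying customers. A shipped verification key is therefore a long-term commitment, and the private key it corresponds to needs to be treated as the actual product asset.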

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16642
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4447 on: March 03, 2020, 01:38:17 pm »
They might have a database of all the legal keys that they could include in the firmware update to keep them working, sure.

OTOH no company is that competent and it's probably too big to fit in memory anyway.

Plus: We all know that hacking is part of their marketing strategy. They still made money on all those hacked 'scopes and they've sold millions of them because of it.
 

Offline ilya

  • Contributor
  • Posts: 24
Re: Sniffing the Rigol's internal I2C bus
« Reply #4448 on: March 16, 2020, 03:49:53 pm »
Can someone help me out to restore the serial number of a DS2072A ?
I tried to do some of the hacks in the distant past and this led me to a unit with serial number DS2A0000000001.
The MAC address on the LAN interface is also screwed up.  It's 46:46:46:46:46:46.  I assume this must be uniquely generated from the serial number somehow.
The device is currently at firmware DS2000(DSP)Update_00.03.04.01.00

I think if I could get hold of a memory dump from someone with a working unit (and what their serial number is) I could write back correct values into the scope with my own number.   Thanks!

I don't know if this is still relevant, but I had the same issue and was struggling with it since 2013-2014. Finally the solution was found. Read this post:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/msg369122/#msg369122

And follow the steps exactly as described. This is very important since when you flash the patched firmware, the serial is stored in RAM only. And you HAVE to uninstall all options in order to write your serial into the flash.
Hope that this will help people with the same problem. And kudos to people who made this solution available.
« Last Edit: March 16, 2020, 03:51:34 pm by ilya »
 

Offline ossilampe

  • Newbie
  • Posts: 2
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4449 on: April 13, 2020, 01:58:52 pm »
Hi there

my English is not so good, I have a DS2072A and would like to unlock it on a DS2302, according to this manual http://gotroot.ca/rigol/D2072A%20Unlocking%20Guide.pdf

FW is 03_06_00_00

unfortunately no modified software can be installed,
not even the downgrade to FW 03_05_04_00

I can only install the original one from boot mode, can someone help me ..

Greetings and happy Easter
 

