Trying to hack the DSOX1204(A/G) firmware

[stafil]

This is were I am so far.

The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:
```
$ cpio -iv < ../1200AXSeries.02.10.2019111333.ksx
sw-description
sw-description.sig
customer.postinstall.sh
customer.preinstall.sh
FPGA1000A.binx
FPGA1200A.bin
FPGA1200A.binx
infiniivision-firmware-bin.tar.bz2
instrument-dso.squashfs
standardsplash.png
uImage
uImage.spear600-keysight-infiniivision-1000-xseries-4channel.bin
uImage.spear600-keysight-infiniivision-1000-xseries-4channel-ecc4.bin
134571 blocks
```

Then the `instrument-dso.squashfs` is just a squashfs, which we can again extract using the squasfs tools this time. It contains the root filesystem of the linux buildroot.

```
$ unsquashfs.exe -d rootfs -f instrument-dso.squashfs
Parallel unsquashfs: Using 16 processors
3917 inodes (4722 blocks) to write

[============================================================================================================================================================================================================|] 4722/4722 100%

created 3287 files
created 494 directories
created 622 symlinks
created 0 devices
created 0 fifos
```

If we go into rootfs we can now see that it is just linux rootfs tree:

```
$ ls
 bin   boot   dev   etc   firmware   home   lib   media   mnt   proc   run   sbin   sys   tmp   usb  'User Files'   usr   var
```

We can change the root password by editing the etc/shadow, and enable ssh by creating a soft link from `etc/init.d/sshd` to `etc/rc[2-4].d/S50sshd` (No sure which is the actual mode it will boot into).

Once we are happy with the changes we can create a new `instrument-dso.squashfs` by using the `mksquasfs` tool:

```
$ mksquashfs rootfs archive/instrument-dso.squashfs
```

And then create the image with cpio:
```
$ ls |  cpio -ov -H crc > ../1200AXSeries.02.10.2019111334.ksx
```

Now we should be able to load the image, and have ssh enabled and have root access, right?

Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains sh256 hashes for all the files and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.

If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.

So we are stuck in a chicken and egg problem.

Anybody has any better idea now how to enable ssh?

[tv84]

The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:

...

Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains sh256 hashes for all the files and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.

If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.

You can open ksx easily with 7zip.

Can you share here the "swupdate" tool and "Rocky-SWU-Signing-only.pem" file?

BTW, usually we sign with a privkey and then use the pubkey to verify.

[stafil]

The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:

...

Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains sh256 hashes for all the files and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.

If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.

You can open ksx easily with 7zip.

Can you share here the "swupdate" tool and "Rocky-SWU-Signing-only.pem" file?

BTW, usually we sign with a privkey and then use the pubkey to verify.

swupdate is open source. You can find it here: https://github.com/sbabic/swupdate

Their public key is:

```
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwwXhBjYKCBLYev928vxW5JTyQ
+zGryJcMdogZYUa2V8+2t21n5JX5RCq3uDgWaXhwxDKj/gYFJ0d8cmMCSGf297yt
9fZL2pZkuNwoXUY9lzIT0yDxQv+X2UrCJLMtGOcPt3cFQCKlB3Gs/mwK4Df7LhYz
V/c84adFxvgK/VuhlQIDAQAB
-----END PUBLIC KEY-----
```

The binary compiled of swupdate is at:

https://send.firefox.com/download/8204aa6fa99b6caf/#OVfQFaIBDULPP0Wsdpq8LA

[Keysight DanielBogdanoff]

I'll jump in and add my typical caveat:

Keysight does not support hacked hardware and you do so at your own risk. Additionally, if you try to up-hack and sell for a profit there's a good chance you'll hear from the lawyer folks.

If you are doing this at your own risk to your own hardware, we generally aren't going to do anything about it.

I, personally and not on behalf of Keysight, views are my own, yada yada, feel like this: 

[stafil]

I'll jump in and add my typical caveat:

Keysight does not support hacked hardware and you do so at your own risk. Additionally, if you try to up-hack and sell for a profit there's a good chance you'll hear from the lawyer folks.

If you are doing this at your own risk to your own hardware, we generally aren't going to do anything about it.

I, personally and not on behalf of Keysight, views are my own, yada yada, feel like this: 

Thanks Daniel! Wow, first because I wasn't expecting anybody from Keysight to respond here, and secondly because that's a (generally ) very mature position for a company (not going out of users that try to hack their equipment for fun )

Of course it goes without saying that I don't expect Keysight to support my, soon to be bricked, oscilloscope.

Also this is just for fun and knowledge and definitely not planning to sell my Keysight.

Finally if at any point you feel the slightest bit uncomfortable by my actions, please do let me know and will cease immediately.

[tv84]

So it's a  RSA-1024 public key. I think that your only chance of changing anything would require JTAG access and/or bootloader dump/rewrite.

[TK]

I am not sure if SW hacking is needed, as serial decoding is now included standard and the only upgrades are BW10 and BW20.

If you start from an EDUX1052A, you can mod (I don't like to call it a hack, as you are just adding and exchanging components in the PCB) it to a 70MHz DSOX1202G for around $50 in parts and get 2Mpts, 200,000wfm/s, wavegen, Segmented Memory, FRA and additional serial protocols (SPI, CAN, LIN).

The front-end mod brings the scope to 200MHz capable input, so the only thing I can think BW10 and BW20 add is more smaller time scale with the horizontal knob.

[stafil]

I am not sure if SW hacking is needed, as serial decoding is now included standard and the only upgrades are BW10 and BW20.

If you start from an EDUX1052A, you can mod (I don't like to call it a hack, as you are just adding and exchanging components in the PCB) it to a 70MHz DSOX1202G for around $50 in parts and get 2Mpts, 200,000wfm/s, wavegen, Segmented Memory, FRA and additional serial protocols (SPI, CAN, LIN).

The front-end mod brings the scope to 200MHz capable input, so the only thing I can think BW10 and BW20 add is more smaller time scale with the horizontal knob.

BW20 is not a bad upgrade, is it?

[TK]

I am not sure if SW hacking is needed, as serial decoding is now included standard and the only upgrades are BW10 and BW20.

If you start from an EDUX1052A, you can mod (I don't like to call it a hack, as you are just adding and exchanging components in the PCB) it to a 70MHz DSOX1202G for around $50 in parts and get 2Mpts, 200,000wfm/s, wavegen, Segmented Memory, FRA and additional serial protocols (SPI, CAN, LIN).

The front-end mod brings the scope to 200MHz capable input, so the only thing I can think BW10 and BW20 add is more smaller time scale with the horizontal knob.

BW20 is not a bad upgrade, is it?

Which model did you buy

[stafil]

Which model did you buy

1204A, and before you ask, no I don't really *need* the extra BW. It's just a matter of why not

[TK]

Which model did you buy

1204A, and before you ask, no I don't really *need* the extra BW. It's just a matter of why not

Of course, pure hacker spirit.  BTW, if you only do a SW hack, you can always go back to the official firmware and you are not voiding any warranty, I guess... unless you mod to add the wavegen HW (why not spirit, right?)

[stafil]

Of course, pure hacker spirit.  BTW, if you only do a SW hack, you can always go back to the official firmware and you are not voiding any warranty, I guess... unless you mod to add the wavegen HW (why not spirit, right?)

I like to believe that my software skills are much more advanced than the hardware ones, so no wavegen mod at the moment. But you never know what the future will bring

[TK]

The 1200X software has a bunch of php scripts for remote control... maybe you can find a hole and execute linux commands remotely without ssh

[stafil]

The 1200X software has a bunch of php scripts for remote control... maybe you can find a hole and execute linux commands remotely without ssh

I had a look at that. The attack surface doesn't look that large. I saw a possible hole at `$response = $jService->ProcessExecRequest($saveType, $args);` but couldn't find a `saveType` that would actually execute something.

In the infiniiVisionCore binary I see in the data section a string "Unable to execute shell command", so maybe the have a way to execute shall commands somehow? Haven't figured out yet which function uses this.

[tv84]

In the infiniiVisionCore binary I see in the data section a string "Unable to execute shell command", so maybe the have a way to execute shall commands somehow? Haven't figured out yet which function uses this.

Also, didn't find any connection to that string.

Nonetheless, I confirmed that sw-description.sig is the RSA-1024 (with SHA256) signature of sw-description file. So we definitely need a way to change the Rocky-SWU-Signing-only.pem pubkey file in order to resign a "refreshed" sw-description.

[stafil]

Another possible way is to go in through SCPI.

Either using the "syst:prod:sscr", which I believe sets bootup parameters, and change it to boot into "single user" mode

Or using the command that calls "setSystProdRunProcess". It's not "syst:prod:run:process" however, so probably we have to do a bit of decoding of their SCPI command tree to find which SCPI command it is.

Also there is this "deb:command" command, that expects xml. Not sure the exact format though.

Edit: I believe that the scpi command that will invoke the "setSystProdRunProcess" is ":syst:prod:rpr"

Edit2: Found something interesting in the symbols:

0x00807b58      .dword 0x00808020 ; str.500MHz_Bandwidth
0x00807b5c      .dword 0x00808034 ; str.BW50


Capable of 500Mhz maybe?!?

[thomasb9511]

1. If you can change the root password, can you login as root?
2. What are the file permissions on `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem` and the folder it is in?

[stafil]

1. If you can change the root password, can you login as root?
2. What are the file permissions on `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem` and the folder it is in?

1.
I cannot find a way to even get to a login prompt (telnet, ssh, etc..)

2.
# ls -ld usr/share/ca-certificates/keysight/
drwxr-xr-x 2 root root 4096 Nov 12 19:31 usr/share/ca-certificates/keysight/

# ls -l usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem
-rw-r--r-- 1 root root 272 Nov 12 19:31 usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem

[thomasb9511]

1.
I cannot find a way to even get to a login prompt (telnet, ssh, etc..)

2.
# ls -ld usr/share/ca-certificates/keysight/
drwxr-xr-x 2 root root 4096 Nov 12 19:31 usr/share/ca-certificates/keysight/

# ls -l usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem
-rw-r--r-- 1 root root 272 Nov 12 19:31 usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem

1. Wonder if the binaries even exist. How are you running these commands?
2. can you do whoami?

I wonder what perms the running user have in terms of launching processes in bin/.

[thomasb9511]

Maybe you could run sshd(if it exists) as the running user - https://serverfault.com/questions/344295/is-it-possible-to-run-sshd-as-a-normal-user

[stafil]

Maybe you could run sshd(if it exists) as the running user - https://serverfault.com/questions/344295/is-it-possible-to-run-sshd-as-a-normal-user

How? If I could login, I wouldn't need to run sshd...

[thomasb9511]

How? If I could login, I wouldn't need to run sshd...

How are you running ls?

[stafil]

How? If I could login, I wouldn't need to run sshd...

How are you running ls?

Oh.. That's from the extracted image. I can extract the image on my PC

[thomasb9511]

Fair enough.
If I'm correct, we would need to change the "Rocky-SWU-Signing-only.pem" that may live on the scope in order to change things then. Less the update process uses the cert in the update.

[stafil]

Fair enough.
If I'm correct, we would need to change the "Rocky-SWU-Signing-only.pem" that may live on the scope in order to change things then. Less the update process uses the cert in the update.

Absolutely right.

[thomasb9511]

Or alter the routine that calls swupdate and change the -k parameter to point to a different cert.
Either requires altering something inside the scope.

[tv84]

0x00807b58      .dword 0x00808020 ; str.500MHz_Bandwidth
0x00807b5c      .dword 0x00808034 ; str.BW50


Capable of 500Mhz maybe?!?

That's this table.

[thomasb9511]

That's this table.

A feature flag table?

[tv84]

Another possible way is to go in through SCPI.

Either using the "syst:prod:sscr", which I believe sets bootup parameters, and change it to boot into "single user" mode

Nice! Worth investigating.

Edit: Included a list of all SCPI commands here.

[thomasb9511]

Wonder if the version of nginx and/or php the web server is running has any exploits.

[stafil]

Wonder if the version of nginx and/or php the web server is running has any exploits.

I highly doubt it for ndginx, but php is possible.

I also see the cups port and the rpc ports open, so that would be another attach surface if you are interested investigating.

[stafil]

Another possible way is to go in through SCPI.

Either using the "syst:prod:sscr", which I believe sets bootup parameters, and change it to boot into "single user" mode

Nice! Worth investigating.

And "syst:sscr?" should get the bootup parameters... (? ? ?)

Correct. But didn't have any luck with syst:prod:sscr, or syst:prod:rpr.

One returns `-440 Query UNTERMINATED after indefinite response` and the other `System error`

[stafil]

Another possible way is to go in through SCPI.

Either using the "syst:prod:sscr", which I believe sets bootup parameters, and change it to boot into "single user" mode

Nice! Worth investigating.

And "syst:sscr?" should get the bootup parameters... (? ? ?)

BTW, which decompiler is this one that you are using? looks cool

[stafil]

One returns `-440 Query UNTERMINATED after indefinite response` and the other `System error`

What about?

syst:sscr?

or

SYST:SSCR?

`syst:prod:sscr?` would just return empty string

[stafil]

BTW, which decompiler is this one that you are using? looks cool

IDA

Really nice, but also really expensive

[stafil]

I think it needs a param and we get a ON or a OFF...  (or 0 / 1)

I think you are onto something but `syst:prot:sscr ON` returns "Character data not allowed"


1 or 0, returns "Numeric data not allowed"
 

[tv84]

I think it needs a param and we get a ON or a OFF...  (or 0 / 1)

I think you are onto something but `syst:prot:sscr ON` returns "Character data not allowed"

1 or 0, returns "Numeric data not allowed"

There is a system flag SEALED_STATE_KEY that stores the "sealed" state of the scope. When the scope is in the "sealed" state, some of the interesting SYSTem SCPI commands are discarded.

To check if a scope is (un)sealed, one can use:

SYSTem:PRODuction:SEAL?

If it returns 1 (ON), means it is "SEALED"   

[thomasb9511]

There is a system flag SEALED_STATE_KEY that stores the "sealed" state of the scope. When the scope is in the "sealed" state, some of the interesting SYSTem SCPI commands are discarded.

To check if a scope is (un)sealed, one can use:

SYSTem:PRODuction:SEAL?

If it returns 1 (ON), means it is "SEALED"   

Not optimal, but I wonder if there is a console port on the pcb? If,so I wonder if it has a shell, and what user it has

[stafil]

Not optimal, but I wonder if there is a console port on the pcb? If,so I wonder if it has a shell, and what user it has

That's a good idea, but I don't think I have ever opened something up to try to hack it and didn't end up destroying it..

[thomasb9511]

That's a good idea, but I don't think I have ever opened something up to try to hack it and didn't end up destroying it..

Wonder if someone has a guide or video if there are any traps to taking it apart.

[pizzigri]

Sorry to resurrect an old thread like this, but I was looking at this Keysight scope, and wondering whether anyone managed to actually succeed in the hack.
Franco

[TK]

Sorry to resurrect an old thread like this, but I was looking at this Keysight scope, and wondering whether anyone managed to actually succeed in the hack.
Franco

All the features are now included in the base price, so no need for a SW hack.  The only hacks are BW with requires hardware mods ranging from a quick resistor swap and more advanced if you are starting from the EDU models.  If you start from the DSOX, then just a resistor swap can give you full BW

[pizzigri]

Hey TK, that was exactly what I was after, a BW increase... it's over 350 Euro and is actually presented as a SW package, hence the idea that it was some unlock sw key. But, if it's only a resistor swap - well, wow! do you happen to have the details? I have not found it in the forum, however I'm looking for the DSOX1202/4G, so maybe it's under some other name.
Thank you! It's really appreciated.

[TK]

Hey TK, that was exactly what I was after, a BW increase... it's over 350 Euro and is actually presented as a SW package, hence the idea that it was some unlock sw key. But, if it's only a resistor swap - well, wow! do you happen to have the details? I have not found it in the forum, however I'm looking for the DSOX1202/4G, so maybe it's under some other name.
Thank you! It's really appreciated.

Sorry!!! You don't get full BW with the resistor swap!!!  Not enough caffeine in the morning...

[uski]

I believe that instead of focusing on the efforts on how to "hack" the scope without opening it, we should focus on how we can actually install the options (generate keys, yada yada)

Because :
1) Our friendly Keysight folks will probably be less concerned if the hack requires opening the scope. And to be honest (I know you are reading Keysight) they will also have less incentive to make the process more difficult, if the barrier to entry is higher. Whereas if it's too easy, we might end up with a super protected scope and we don't want that. I can even imagine that they will leave it open on purpose... for hobbyist use. No company will do that. But hobbyists will. Keysight will sell more scopes and people will want to buy, at work, the scope they are using at home. WIN WIN !
2) We have limited time/resources to find a hack so we should focus on what brings the most value

Just my opinion

As a matter of fact I am currently looking for a scope for home use and I am considering only hackable scopes (which is why I started reading this thread).

[wxqhigh]

New keysight edux1052a Teardown
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg3733414/#msg3733414

[thaamike]

Has anyone had succes ?

[Bud]

See This topic.