Trying to hack the DSOX1204(A/G) firmware
stafil:
This is where I am so far.
The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:
```
$ cpio -iv < ../1200AXSeries.02.10.2019111333.ksx
sw-description
sw-description.sig
customer.postinstall.sh
customer.preinstall.sh
FPGA1000A.binx
FPGA1200A.bin
FPGA1200A.binx
infiniivision-firmware-bin.tar.bz2
instrument-dso.squashfs
standardsplash.png
uImage
uImage.spear600-keysight-infiniivision-1000-xseries-4channel.bin
uImage.spear600-keysight-infiniivision-1000-xseries-4channel-ecc4.bin
134571 blocks
```
Then the `instrument-dso.squashfs` is just a squashfs, which we can again extract, this time using the squashfs tools. It contains the root filesystem of the Linux buildroot.
```
$ unsquashfs.exe -d rootfs -f instrument-dso.squashfs
Parallel unsquashfs: Using 16 processors
3917 inodes (4722 blocks) to write
[============================================================================================================================================================================================================|] 4722/4722 100%
created 3287 files
created 494 directories
created 622 symlinks
created 0 devices
created 0 fifos
```
If we go into rootfs we can now see that it is just a Linux rootfs tree:
```
$ ls
bin boot dev etc firmware home lib media mnt proc run sbin sys tmp usb 'User Files' usr var
```
We can change the root password by editing `etc/shadow`, and enable ssh by creating a soft link from `etc/init.d/sshd` to `etc/rc[2-4].d/S50sshd` (not sure which is the actual mode it will boot into).
Once we are happy with the changes we can create a new `instrument-dso.squashfs` by using the `mksquashfs` tool:
```
$ mksquashfs rootfs archive/instrument-dso.squashfs
```
And then create the image with cpio:
```
$ ls | cpio -ov -H crc > ../1200AXSeries.02.10.2019111334.ksx
```
Now we should be able to load the image, and have ssh enabled and have root access, right?
Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains sha256 hashes for all the files, and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.
If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.
So we are stuck in a chicken and egg problem.
Does anybody have a better idea on how to enable ssh?
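To make the integrity half of the rejection concrete: swupdate will not flash a file whose recomputed hash differs from the `sha256` entry in `sw-description`. The following is an added example, not code from the thread or from swupdate itself. It builds a constructed, minimal `sw-description` in the libconfig-style syntax swupdate uses (only `filename`/`sha256` fields, all other fields omitted as an assumption), then shows the check passing on the original files and failing once the squashfs is modified after the description was written.

```python
import hashlib
import os
import re
import tempfile

# Innermost { ... } blocks: each image entry in sw-description is one such block.
_BLOCK = re.compile(r"\{([^{}]*)\}", re.S)
_FIELD = r'{key}\s*=\s*"([^"]*)"'

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_entries(desc):
    """Return {filename: expected_sha256} for every entry that carries both fields."""
    entries = {}
    for block in _BLOCK.finditer(desc):
        body = block.group(1)
        name = re.search(_FIELD.format(key="filename"), body)
        digest = re.search(_FIELD.format(key="sha256"), body)
        if name and digest:
            entries[name.group(1)] = digest.group(1).lower()
    return entries

def verify_package(desc, directory):
    """Recompute each listed file's hash; returns {filename: matches_description}."""
    return {name: os.path.exists(os.path.join(directory, name))
            and sha256_of(os.path.join(directory, name)) == expected
            for name, expected in parse_entries(desc).items()}

def build_description(directory, names):
    """Constructed sw-description covering the given files (hypothetical layout)."""
    blocks = "".join(
        '    {{\n      filename = "{}";\n      sha256 = "{}";\n    }},\n'.format(
            n, sha256_of(os.path.join(directory, n))) for n in names)
    return "software =\n{\n  images: (\n" + blocks.rstrip(",\n") + "\n  );\n}\n"

def demo():
    """Write two constructed payload files, describe them, then tamper with one."""
    with tempfile.TemporaryDirectory() as d:
        names = ["instrument-dso.squashfs", "uImage"]
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed payload standing in for " + n.encode())
        desc = build_description(d, names)
        before = verify_package(desc, d)
        with open(os.path.join(d, names[0]), "ab") as f:
            f.write(b"\n# rootfs rebuilt after the description was signed")
        after = verify_package(desc, d)
    return before, after
```

Rewriting the `sha256` entry to match a rebuilt squashfs is exactly what the signature over `sw-description` itself is there to prevent; that signature check is the separate step this example does not cover.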
tv84:
--- Quote from: stafil on April 06, 2020, 01:04:55 am ---The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:
...
Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains sha256 hashes for all the files, and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.
If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.
--- End quote ---
You can open ksx easily with 7zip.
Can you share here the "swupdate" tool and "Rocky-SWU-Signing-only.pem" file?
BTW, usually we sign with a privkey and then use the pubkey to verify.
stafil:
--- Quote from: tv84 on April 06, 2020, 01:54:51 pm ---
--- Quote from: stafil on April 06, 2020, 01:04:55 am ---The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:
...
Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains sha256 hashes for all the files, and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.
If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.
--- End quote ---
You can open ksx easily with 7zip.
Can you share here the "swupdate" tool and "Rocky-SWU-Signing-only.pem" file?
BTW, usually we sign with a privkey and then use the pubkey to verify.
--- End quote ---
swupdate is open source. You can find it here: https://github.com/sbabic/swupdate
Their public key is:
```
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwwXhBjYKCBLYev928vxW5JTyQ
+zGryJcMdogZYUa2V8+2t21n5JX5RCq3uDgWaXhwxDKj/gYFJ0d8cmMCSGf297yt
9fZL2pZkuNwoXUY9lzIT0yDxQv+X2UrCJLMtGOcPt3cFQCKlB3Gs/mwK4Df7LhYz
V/c84adFxvgK/VuhlQIDAQAB
-----END PUBLIC KEY-----
```
The compiled swupdate binary is at:
https://send.firefox.com/download/8204aa6fa99b6caf/#OVfQFaIBDULPP0Wsdpq8LA
Keysight DanielBogdanoff:
I'll jump in and add my typical caveat:
Keysight does not support hacked hardware and you do so at your own risk. Additionally, if you try to up-hack and sell for a profit there's a good chance you'll hear from the lawyer folks.
If you are doing this at your own risk to your own hardware, we generally aren't going to do anything about it.
I, personally and not on behalf of Keysight, views are my own, yada yada, feel like this: :popcorn:
stafil:
--- Quote from: Keysight DanielBogdanoff on April 06, 2020, 09:42:36 pm ---I'll jump in and add my typical caveat:
Keysight does not support hacked hardware and you do so at your own risk. Additionally, if you try to up-hack and sell for a profit there's a good chance you'll hear from the lawyer folks.
If you are doing this at your own risk to your own hardware, we generally aren't going to do anything about it.
I, personally and not on behalf of Keysight, views are my own, yada yada, feel like this: :popcorn:
--- End quote ---
Thanks Daniel! Wow, first because I wasn't expecting anybody from Keysight to respond here, and secondly because that's a (generally :D) very mature position for a company (not going out of users that try to hack their equipment for fun :))
Of course it goes without saying that I don't expect Keysight to support my, soon to be bricked, oscilloscope.
Also this is just for fun and knowledge and definitely not planning to sell my Keysight.
Finally, if at any point you feel the slightest bit uncomfortable with my actions, please do let me know and I will cease immediately.