Author Topic: Trying to hack the DSOX1204(A/G) firmware  (Read 8930 times)


Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Trying to hack the DSOX1204(A/G) firmware
« on: April 06, 2020, 01:04:55 am »
This is where I am so far.

The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:
```
$ cpio -iv < ../1200AXSeries.02.10.2019111333.ksx
sw-description
sw-description.sig
customer.postinstall.sh
customer.preinstall.sh
FPGA1000A.binx
FPGA1200A.bin
FPGA1200A.binx
infiniivision-firmware-bin.tar.bz2
instrument-dso.squashfs
standardsplash.png
uImage
uImage.spear600-keysight-infiniivision-1000-xseries-4channel.bin
uImage.spear600-keysight-infiniivision-1000-xseries-4channel-ecc4.bin
134571 blocks
```

Then the `instrument-dso.squashfs` is just a squashfs, which we can again extract, using the squashfs tools this time. It contains the root filesystem of the Linux Buildroot.

```
$ unsquashfs.exe -d rootfs -f instrument-dso.squashfs
Parallel unsquashfs: Using 16 processors
3917 inodes (4722 blocks) to write

[============================================================================================================================================================================================================|] 4722/4722 100%

created 3287 files
created 494 directories
created 622 symlinks
created 0 devices
created 0 fifos
```

If we go into rootfs we can now see that it is just a Linux rootfs tree:

```
$ ls
 bin   boot   dev   etc   firmware   home   lib   media   mnt   proc   run   sbin   sys   tmp   usb  'User Files'   usr   var
```

We can change the root password by editing `etc/shadow`, and enable ssh by creating a soft link from `etc/init.d/sshd` to `etc/rc[2-4].d/S50sshd` (not sure which is the actual runlevel it will boot into).

Once we are happy with the changes we can create a new `instrument-dso.squashfs` by using the `mksquashfs` tool:

```
$ mksquashfs rootfs archive/instrument-dso.squashfs
```

And then create the image with cpio:
```
$ ls |  cpio -ov -H crc > ../1200AXSeries.02.10.2019111334.ksx
```

Now we should be able to load the image, and have ssh enabled and have root access, right?

Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains SHA-256 hashes for all the files, and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.

If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.

So we are stuck in a chicken and egg problem.

Does anybody have a better idea on how to enable ssh?
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3226
  • Country: pt
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #1 on: April 06, 2020, 01:54:51 pm »
> The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:
>
> ...
>
> Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains SHA-256 hashes for all the files, and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.
>
> If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.

You can open ksx easily with 7zip.

Can you share here the "swupdate" tool and "Rocky-SWU-Signing-only.pem" file?

BTW, usually we sign with a privkey and then use the pubkey to verify.
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #2 on: April 06, 2020, 07:12:53 pm »
> > The 1200AXSeries.02.10.2019111333.ksx is really just a `cpio` archive. We can extract it using:
> >
> > ...
> >
> > Well, no. The problem is that they are using the `swupdate` tool and have a file called `sw-description` which contains SHA-256 hashes for all the files, and they sign this file using the public key in `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem`.
> >
> > If we want to be able to install this image we have to be able to ssh to the box, and change that file with our own public key, which we will use to sign our image.
>
> You can open ksx easily with 7zip.
>
> Can you share here the "swupdate" tool and "Rocky-SWU-Signing-only.pem" file?
>
> BTW, usually we sign with a privkey and then use the pubkey to verify.

swupdate is open source. You can find it here: https://github.com/sbabic/swupdate

Their public key is:

```
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwwXhBjYKCBLYev928vxW5JTyQ
+zGryJcMdogZYUa2V8+2t21n5JX5RCq3uDgWaXhwxDKj/gYFJ0d8cmMCSGf297yt
9fZL2pZkuNwoXUY9lzIT0yDxQv+X2UrCJLMtGOcPt3cFQCKlB3Gs/mwK4Df7LhYz
V/c84adFxvgK/VuhlQIDAQAB
-----END PUBLIC KEY-----
```

The binary compiled of swupdate is at:

https://send.firefox.com/download/8204aa6fa99b6caf/#OVfQFaIBDULPP0Wsdpq8LA
 

Offline Keysight DanielBogdanoff

  • Supporter
  • ****
  • Posts: 778
  • Country: us
  • ALL THE SCOPES!
    • Keysight Scopes YouTube channel
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #3 on: April 06, 2020, 09:42:36 pm »
I'll jump in and add my typical caveat:

Keysight does not support hacked hardware and you do so at your own risk. Additionally, if you try to up-hack and sell for a profit there's a good chance you'll hear from the lawyer folks.

If you are doing this at your own risk to your own hardware, we generally aren't going to do anything about it.

I, personally and not on behalf of Keysight, views are my own, yada yada, feel like this:  :popcorn:
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #4 on: April 06, 2020, 10:07:13 pm »
> I'll jump in and add my typical caveat:
>
> Keysight does not support hacked hardware and you do so at your own risk. Additionally, if you try to up-hack and sell for a profit there's a good chance you'll hear from the lawyer folks.
>
> If you are doing this at your own risk to your own hardware, we generally aren't going to do anything about it.
>
> I, personally and not on behalf of Keysight, views are my own, yada yada, feel like this:  :popcorn:

Thanks Daniel! Wow, first because I wasn't expecting anybody from Keysight to respond here, and secondly because that's a (generally :D) very mature position for a company (not going out of users that try to hack their equipment for fun :))

Of course it goes without saying that I don't expect Keysight to support my, soon to be bricked, oscilloscope.

Also this is just for fun and knowledge and definitely not planning to sell my Keysight.

Finally if at any point you feel the slightest bit uncomfortable by my actions, please do let me know and will cease immediately.
« Last Edit: April 06, 2020, 10:10:16 pm by stafil »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3226
  • Country: pt
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #5 on: April 06, 2020, 10:51:10 pm »
So it's an RSA-1024 public key. I think that your only chance of changing anything would require JTAG access and/or bootloader dump/rewrite.
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #6 on: April 06, 2020, 11:03:55 pm »
I am not sure if SW hacking is needed, as serial decoding is now included standard and the only upgrades are BW10 and BW20.

If you start from an EDUX1052A, you can mod (I don't like to call it a hack, as you are just adding and exchanging components in the PCB) it to a 70MHz DSOX1202G for around $50 in parts and get 2Mpts, 200,000wfm/s, wavegen, Segmented Memory, FRA and additional serial protocols (SPI, CAN, LIN).

The front-end mod brings the scope to 200MHz capable input, so the only thing I can think BW10 and BW20 add is smaller time scales with the horizontal knob.
« Last Edit: April 06, 2020, 11:10:45 pm by TK »
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #7 on: April 06, 2020, 11:12:08 pm »
> I am not sure if SW hacking is needed, as serial decoding is now included standard and the only upgrades are BW10 and BW20.
>
> If you start from an EDUX1052A, you can mod (I don't like to call it a hack, as you are just adding and exchanging components in the PCB) it to a 70MHz DSOX1202G for around $50 in parts and get 2Mpts, 200,000wfm/s, wavegen, Segmented Memory, FRA and additional serial protocols (SPI, CAN, LIN).
>
> The front-end mod brings the scope to 200MHz capable input, so the only thing I can think BW10 and BW20 add is smaller time scales with the horizontal knob.

BW20 is not a bad upgrade, is it?
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #8 on: April 06, 2020, 11:34:47 pm »
> > I am not sure if SW hacking is needed, as serial decoding is now included standard and the only upgrades are BW10 and BW20.
> >
> > If you start from an EDUX1052A, you can mod (I don't like to call it a hack, as you are just adding and exchanging components in the PCB) it to a 70MHz DSOX1202G for around $50 in parts and get 2Mpts, 200,000wfm/s, wavegen, Segmented Memory, FRA and additional serial protocols (SPI, CAN, LIN).
> >
> > The front-end mod brings the scope to 200MHz capable input, so the only thing I can think BW10 and BW20 add is smaller time scales with the horizontal knob.
>
> BW20 is not a bad upgrade, is it?

Which model did you buy?
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #9 on: April 06, 2020, 11:37:46 pm »
> Which model did you buy?

1204A, and before you ask, no I don't really *need* the extra BW. It's just a matter of why not :D
« Last Edit: April 06, 2020, 11:40:17 pm by stafil »
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #10 on: April 06, 2020, 11:43:51 pm »
> > Which model did you buy?
>
> 1204A, and before you ask, no I don't really *need* the extra BW. It's just a matter of why not :D

Of course, pure hacker spirit. BTW, if you only do a SW hack, you can always go back to the official firmware and you are not voiding any warranty, I guess... unless you mod to add the wavegen HW (why not spirit, right?)
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #11 on: April 06, 2020, 11:49:36 pm »
> Of course, pure hacker spirit. BTW, if you only do a SW hack, you can always go back to the official firmware and you are not voiding any warranty, I guess... unless you mod to add the wavegen HW (why not spirit, right?)

I like to believe that my software skills are much more advanced than the hardware ones, so no wavegen mod at the moment. But you never know what the future will bring :D
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #12 on: April 06, 2020, 11:54:20 pm »
The 1200X software has a bunch of php scripts for remote control... maybe you can find a hole and execute linux commands remotely without ssh
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #13 on: April 07, 2020, 12:03:52 am »
> The 1200X software has a bunch of php scripts for remote control... maybe you can find a hole and execute linux commands remotely without ssh

I had a look at that. The attack surface doesn't look that large. I saw a possible hole at `$response = $jService->ProcessExecRequest($saveType, $args);` but couldn't find a `saveType` that would actually execute something.

In the infiniiVisionCore binary I see in the data section a string "Unable to execute shell command", so maybe they have a way to execute shell commands somehow? Haven't figured out yet which function uses this.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3226
  • Country: pt
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #14 on: April 15, 2020, 07:25:39 pm »
> In the infiniiVisionCore binary I see in the data section a string "Unable to execute shell command", so maybe they have a way to execute shell commands somehow? Haven't figured out yet which function uses this.

Also, didn't find any connection to that string.

Nonetheless, I confirmed that sw-description.sig is the RSA-1024 (with SHA256) signature of sw-description file. So we definitely need a way to change the Rocky-SWU-Signing-only.pem pubkey file in order to resign a "refreshed" sw-description.
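The two gates described in the first post and confirmed above (an RSA-1024/SHA-256 signature over `sw-description`, then a per-file SHA-256 list inside it) can be reproduced offline on the extracted `.ksx` contents. The script below is an added example, not code from the thread or from swupdate: it parses the posted `Rocky-SWU-Signing-only.pem` with a minimal DER reader, implements RSASSA-PKCS1-v1_5 verification (the encoding `openssl dgst -sha256 -sign` produces, which is what swupdate's RSA signing mode uses), and checks the `filename`/`sha256` pairs of a libconfig-style `sw-description`. `build_sw_description`, `SAMPLE_FILES` and the byte strings standing in for `uImage` and `instrument-dso.squashfs` are constructed for the example; on a real extraction you would pass the actual files and `sw-description.sig`.

```python
import base64
import hashlib
import hmac
import re

# Verification key as posted in this thread (usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem).
KEYSIGHT_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwwXhBjYKCBLYev928vxW5JTyQ
+zGryJcMdogZYUa2V8+2t21n5JX5RCq3uDgWaXhwxDKj/gYFJ0d8cmMCSGf297yt
9fZL2pZkuNwoXUY9lzIT0yDxQv+X2UrCJLMtGOcPt3cFQCKlB3Gs/mwK4Df7LhYz
V/c84adFxvgK/VuhlQIDAQAB
-----END PUBLIC KEY-----"""

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def load_rsa_pubkey(pem):
    """Parse a SubjectPublicKeyInfo PEM ('BEGIN PUBLIC KEY') into (n, e) with no external libraries."""
    b64 = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    _, spki, _ = _der_tlv(base64.b64decode(b64), 0)  # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _alg, p = _der_tlv(spki, 0)                    # AlgorithmIdentifier (rsaEncryption), skipped
    _, bitstr, _ = _der_tlv(spki, p)                  # BIT STRING; first byte is the unused-bit count
    _, rsakey, _ = _der_tlv(bitstr[1:], 0)            # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, p = _der_tlv(rsakey, 0)
    _, e_bytes, _ = _der_tlv(rsakey, p)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rsa_pkcs1v15_sha256_verify(n, e, message, signature):
    """RSASSA-PKCS1-v1_5 with SHA-256: rebuild the expected encoded message and compare it
    to signature^e mod n. Equivalent to 'openssl dgst -sha256 -verify pub.pem -signature sig msg'."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    padding = b"\xff" * (k - 3 - len(SHA256_DIGESTINFO) - 32)
    expected = b"\x00\x01" + padding + b"\x00" + SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return hmac.compare_digest(em, expected)  # compare the whole encoding, not just the hash tail


def manifest_hashes(sw_description):
    """Collect {filename: sha256} from the { ... } entries of a libconfig-style sw-description."""
    found = {}
    for block in re.findall(r"\{([^{}]*)\}", sw_description):
        name = re.search(r'filename\s*=\s*"([^"]+)"', block)
        digest = re.search(r'sha256\s*=\s*"([0-9a-fA-F]{64})"', block)
        if name and digest:
            found[name.group(1)] = digest.group(1).lower()
    return found


def check_payload(sw_description, files):
    """Names in files ({name: bytes}) whose SHA-256 is missing from or differs from the manifest."""
    want = manifest_hashes(sw_description)
    return [name for name, data in files.items() if want.get(name) != hashlib.sha256(data).hexdigest()]


def verify_update(sw_description, sig, files, pem=KEYSIGHT_PUBKEY_PEM):
    """Both gates swupdate applies: (signature over sw-description ok?, list of hash mismatches)."""
    n, e = load_rsa_pubkey(pem)
    return rsa_pkcs1v15_sha256_verify(n, e, sw_description.encode(), sig), check_payload(sw_description, files)


def build_sw_description(files):
    """Constructed sample manifest in the shape swupdate reads (filename / sha256 per entry)."""
    entries = ",\n".join('    {\n      filename = "%s";\n      sha256 = "%s";\n    }'
                         % (name, hashlib.sha256(data).hexdigest()) for name, data in files.items())
    return 'software = {\n  version = "02.10";\n  images: (\n%s\n  );\n}\n' % entries


# Constructed stand-ins for the real payload files (hypothetical contents, not the firmware).
SAMPLE_FILES = {
    "uImage": b"constructed kernel image",
    "instrument-dso.squashfs": b"constructed root filesystem",
}
SAMPLE_SW_DESCRIPTION = build_sw_description(SAMPLE_FILES)

if __name__ == "__main__":
    n, e = load_rsa_pubkey(KEYSIGHT_PUBKEY_PEM)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    patched = dict(SAMPLE_FILES, **{"instrument-dso.squashfs": b"rootfs with sshd enabled"})
    print("hash mismatches after patching rootfs:", check_payload(SAMPLE_SW_DESCRIPTION, patched))
    # Re-hashing fixes the list above, but the new sw-description still needs a signature
    # only the holder of the private key can produce.
    print("bogus signature accepted:", rsa_pkcs1v15_sha256_verify(n, e, SAMPLE_SW_DESCRIPTION.encode(), bytes(128)))
```

Running it against an extracted update shows the chicken-and-egg problem directly: swapping `instrument-dso.squashfs` changes one line of `check_payload`'s output, and editing `sw-description` to fix that line invalidates `sw-description.sig`, which only the key on the scope can validate.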
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #15 on: April 15, 2020, 07:58:23 pm »
Another possible way is to go in through SCPI.

Either using "syst:prod:sscr", which I believe sets bootup parameters, and changing it to boot into "single user" mode,

Or using the command that calls "setSystProdRunProcess". It's not "syst:prod:run:process" however, so probably we have to do a bit of decoding of their SCPI command tree to find which SCPI command it is.

Also there is this "deb:command" command, that expects xml. Not sure the exact format though.

Edit: I believe that the SCPI command that will invoke "setSystProdRunProcess" is `:syst:prod:rpr`

Edit2: Found something interesting in the symbols:

```
0x00807b58      .dword 0x00808020 ; str.500MHz_Bandwidth
0x00807b5c      .dword 0x00808034 ; str.BW50
```

Capable of 500MHz maybe?!?
« Last Edit: April 16, 2020, 03:13:57 am by stafil »
 

Offline thomasb9511

  • Contributor
  • Posts: 34
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #16 on: April 17, 2020, 01:42:47 am »
1. If you can change the root password, can you login as root?
2. What are the file permissions on `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem` and the folder it is in?
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #17 on: April 17, 2020, 02:12:31 am »
1. If you can change the root password, can you login as root?
2. What are the file permissions on `usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem` and the folder it is in?

1.
I cannot find a way to even get to a login prompt (telnet, ssh, etc.)

2.
```
# ls -ld usr/share/ca-certificates/keysight/
drwxr-xr-x 2 root root 4096 Nov 12 19:31 usr/share/ca-certificates/keysight/

# ls -l usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem
-rw-r--r-- 1 root root 272 Nov 12 19:31 usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem
```

 

Offline thomasb9511

  • Contributor
  • Posts: 34
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #18 on: April 17, 2020, 02:44:07 am »
> 1.
> I cannot find a way to even get to a login prompt (telnet, ssh, etc.)
>
> 2.
> ```
> # ls -ld usr/share/ca-certificates/keysight/
> drwxr-xr-x 2 root root 4096 Nov 12 19:31 usr/share/ca-certificates/keysight/
>
> # ls -l usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem
> -rw-r--r-- 1 root root 272 Nov 12 19:31 usr/share/ca-certificates/keysight/Rocky-SWU-Signing-only.pem
> ```

1. Wonder if the binaries even exist. How are you running these commands?
2. can you do whoami?

I wonder what perms the running user has in terms of launching processes in bin/.
« Last Edit: April 17, 2020, 02:48:24 am by thomasb9511 »
 

Offline thomasb9511

  • Contributor
  • Posts: 34
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #19 on: April 17, 2020, 02:53:22 am »
Maybe you could run sshd(if it exists) as the running user - https://serverfault.com/questions/344295/is-it-possible-to-run-sshd-as-a-normal-user
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #20 on: April 17, 2020, 02:54:12 am »
> Maybe you could run sshd(if it exists) as the running user - https://serverfault.com/questions/344295/is-it-possible-to-run-sshd-as-a-normal-user

How? If I could login, I wouldn't need to run sshd...
 

Offline thomasb9511

  • Contributor
  • Posts: 34
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #21 on: April 17, 2020, 02:56:41 am »
> How? If I could login, I wouldn't need to run sshd...

How are you running ls?
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #22 on: April 17, 2020, 03:00:21 am »
> > How? If I could login, I wouldn't need to run sshd...
>
> How are you running ls?

Oh.. That's from the extracted image. I can extract the image on my PC
 

Offline thomasb9511

  • Contributor
  • Posts: 34
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #23 on: April 17, 2020, 03:05:49 am »
Fair enough.
If I'm correct, we would need to change the "Rocky-SWU-Signing-only.pem" that may live on the scope in order to change things then. Unless the update process uses the cert in the update.
 

Offline stafilTopic starter

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Trying to hack the DSOX1204(A/G) firmware
« Reply #24 on: April 17, 2020, 03:12:58 am »
> Fair enough.
> If I'm correct, we would need to change the "Rocky-SWU-Signing-only.pem" that may live on the scope in order to change things then. Unless the update process uses the cert in the update.

Absolutely right.
 

