Enabling options for R&S test equipment

[CJay]

Does any one know if R&S are amenable to providing 'keys' for software options to hobbyists who own older equipment?

I've a CMU200 on which I'd like the K29 AMPS option to be enabled as it'd allow me to rid my tiny bench of some clutter but obviously, as a hobbyist, the cost would be a massive issue so if R&S need me to have a deep wallet it won't be possible.

[rfbroadband]

they will most likely not do that. If you are not a regular customer that spends n* 10k or >100k each year....you won't even get a meaningful discount.

[CJay]

they will most likely not do that. If you are not a regular customer that spends n* 10k or >100k each year....you won't even get a meaningful discount.

Ah nuts, still, nothing ventured, nothing gained. I'll email them and ask how much it would cost but it's a 15+ year old piece of kit.

I might have to revisit some of my old hobbies.

[nctnico]

I once asked about the decoding options for an older oscilloscope (RTM1500 series IIRC) but they cost more than the scope so never mind.

[CJay]

Oh well, shame.

*digs out copy of IDA and Sourcer*

[tmbinc]

R+S's response to support for the CRTU-RU was basically "sorry, we don't have that software anymore, you're out of luck". It wasn't that they didn't _want_ to help me (in their words), but that they couldn't. (I'm not sure if that was the complete truth, though.)

I wished they could have helped me. Instead, I had to help myself...

from Crypto.Cipher import ARC2
import struct

for l in open("SWOPT.DAT"):
   if len(l) == 17:
      a, b = struct.unpack("<II", ARC2.new("Revision\0").decrypt(l.strip().decode("hex")))
      print "SN: %d - %08x" % (a, b)

[dcarr]

Question:  Is the actual software for the options included on the base system?

(ie: They didn't have to mail you a disk with the new code on it?)

[eliocor]

Not sure it can help you, but some time ago I found this (see attachment).
Maybe it can be used also for other devices....

[CJay]

OK, so it's Python, it runs after importing pycrypto to my Raspberry Pi, needed a minor tweak I think related to the difference between DOS and Linux EOL/LF handling but the output appears valid.

I get output which is my serial number and then an option number I can tie up to installed options, trivial to work out the option number from this code.

I think I'm safe to assume I need to encipher 01D000C3 using my serial number as key (or vice versa) to obtain the option key for K29 and this is where I'm stuck as I'm struggling to understand the python code and how it decrypts, let alone how to reverse the process and obtain a valid ciphertext key.

What's also worrying me at the moment is that there's no 'installed version' for K29 so I have a sinking dread that K29 software may not actually be on the machine unless it's hidden somewhere in an archive and needs to be installed by Version Manager?

Also very curious about the 'FM Stereo' option in there if anyone has any knowledge of it?

[eb4eqa]

Hi,

No idea about the Stereo option, but I do have K29 in my CMU200. If you need me to check something or get some files, I'll be happy to do it. Always interesting.

Regards,
Roberto

[AudioplatinumService]

Hi guys.. Nice to saw here some progress. I have R&S UPL and I Am also interested in some sw options.
@CJay  Can you give me more information how do you make setup on RPi?

Cheers,
Damir


Sent from my iPad using Tapatalk

[CJay]

Hi guys.. Nice to saw here some progress. I have R&S UPL and I Am also interested in some sw options.
@CJay  Can you give me more information how do you make setup on RPi?

Cheers,
Damir


Sent from my iPad using Tapatalk

I only used a Pi to run the Python code provided by TMBInc earlier in this thread because Python is included with the Raspbian image and it's very simple to install the PyCrypto software so I went with the easiest option available to me.

It would have been non trivial for me to install Python and PyCrypto on my laptop, though if you're proficient with Python I'm sure it would be very simple to install. 

The only change I had to make to the code was to change

if len(l) == 17:

to

if len(l) == 18:

because I think the way DOS and Linux terminate lines is different. Or perhaps there's a difference between CMU and CRTU SWOPT.DAT files

I'm really not a programmer so it's going to be a voyage of discovery for me to unpick what is almost definitely a very simple python script and reverse it to make myself a key generator.

[Jackob]

CJay - I am curious;  how did you figure out that you need to encipher 01D000C3 to obtain the option key for K29?

BR, Jackob

[CJay]

If I've understood the code and its output correctly, the licenses decode to serial number - option code where option code is 0xx0003C and xx is the hex representation of the decimal option number.

So, K29 would be 01d0003C

I could be way off the mark though.

[oh2ftu]

Hi,
I have a CMU200 with the K29 option enabled.
Below is the contents from swopt.dat:

Code: [Select]

FEEC0364A639F575
A2AF0325E648F54D
4D8CB38F128844B2
0A4080E5DDB3F339
08678B2806514740
D710C80B984FFD23
8E1182008AE45EB2
42D23B964CE7C522
DE8BC25F5305D1EB
6E1701C72B5F9256
6B53740D41CF8780
DBBE31F8EAEB9C22
And the options installed are
K21-K24, K27-K29, K42, K43, K53, K84, K85. Serial 837109/035

From another,

Code: [Select]

917D1CFF38E8F2C1
AC15C4AFBA26733A
D87CDA77974C9514
BE238053BEA30B16
75AE27EBF3F52E40
DFB718A6C9D85764
11B26D02CEE94BEA
and options:
K21-K24, K42, K43 and K45. Oh, and serial 103086.

[artag]

So that gives

SN: 837109 - 01500023
SN: 837109 - 01600023
SN: 837109 - 01700023
SN: 837109 - 01b00023
SN: 837109 - 01c00023
SN: 837109 - 01d00023
SN: 837109 - 01800023
SN: 837109 - 02a00023
SN: 837109 - 05400023
SN: 837109 - 05500023
SN: 837109 - 03500023
SN: 837109 - 02b00023


and
SN: 103086 - 01500002
SN: 103086 - 01600002
SN: 103086 - 01700002
SN: 103086 - 01800002
SN: 103086 - 02b00002
SN: 103086 - 02a00002
SN: 103086 - 02d00002

Not having a CMU200, I don't understand what you mean by 'Serial 837109/035' - but the 035 turns up again as 0023. So what does 002 on the second example refer to ?

[artag]

For those, like me, with little experience of python, that fragment can be expressed less tersely as :

Code: [Select]

from Crypto.Cipher import ARC2
import struct
KEY = "Revision\0"  # decryption key for the data
STRUCT_TWO_UNSIGNED_INTS = "<II"
for line in open("SWOPT.DAT"):
    if len(line) == 17:
        cipher = ARC2.new(KEY)  # a new ARC2 cipher with the right key (ARC2 is a symmetric block cipher, we need a new cipher for each ciphertext)
        ciphertext = line.strip().decode("hex")  # Decode our ciphertext from hex, removing whitespace from the start and end
        plaintext = cipher.decrypt(ciphertext)  # Decrypt the cyphertext using the key
        a, b = struct.unpack(STRUCT_TWO_UNSIGNED_INTS, plaintext)  # unpack two unsigned ints from the plaintext
        print "SN: %d - %08x" % (a, b)

(courtesy of a more knowledgeable person elsewhere)

[oh2ftu]

In what format should the code be entered? just as 01500023 or must the hexadecimal version?
I'm not into crypto so I can only get a basic understanding of what the python does. How would one create new keys if I need them in hexadecimal format?
Apparently the decrypt is essential to do first, then crypt them again?

[CJay]

At the moment I'm just trying to write code which will verify what we have, simply entering the results from a known good pair generated from an existing enabled option, encrypting it and testing it against the input for a match. Once that works it'll generate new option keys as well.

it'll need to be manually edited to suit the required option but that'll be plenty for my needs, someone else can polish it to take command line options etc.

My available time is running out until after the holidays so it'll have to take a place on the back burner for a little while if I can't work it out today.

I'd like to complete this myself, good motivation to get a grip on Python but of course, if someone else works it out (and I'm sure it's trivial as it seems 'all' that needs to be done is work out how to get the plaintext into the ARC2 routine) given the information we have) then I will be happy too.

[artag]

The decrypt does give the 0023 or whatever, from your existing licences. I don't see that you'd need to do it for any other reason than proving the process. It would be better to know how to derive the 23 (or 2, or C3 ..) directly, so you don't need an existing licence to make a new one.

The encrypt process would be something like :

make a record consisting of serial number, option number, suffix (23 etc) in binary
encrypt it using the RC2 cypher and the key 'Revision'
convert to ascii
add to the license file
 

[CJay]

That last byte (or perhaps two bytes)  would seem to be the /xxx part of the serial number, mine is 836072/060 and the last byte of what I'm calling the option code is 3C, 060 decimal, the last byte of OH2FTU's matches the /035 of his serial number.

The SWOPT.DAT file will probably exist on all machines and have at least one or two licences in it, but even if it's empty it should be possible to create an 'option code' from the full serial number and the desired option.

[artag]

This seems to do the reverse :

Code: [Select]

from Crypto.Cipher import ARC2
import struct

serial = 103086
serial2 = 2
option = 45

record = struct.pack("<II", serial, serial2 + (option <<20))
encyphered = ARC2.new("Revision\0").encrypt(record)
print encyphered.encode("hex")

produces

11b26d02cee94bea

i.e. the last entry in oh2ftu's list

[CJay]

If that's the case I think we have a winner.

My CMU is at home and I'm unable to get to it until later but I'll be able to test it later.

[artag]

Check it with some existing options for your machine first

[CJay]

I will, unfortunately I'm unable to install python on this machine but I will run my options through it first and report back.