Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1625723 times)


Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16911
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #225 on: October 25, 2023, 04:32:02 pm »
Key.data has to be derived from the S/N otherwise Rigol wouldn't be able to generate licenses for you based on your S/N.
The question is: Does it have to match the S/N when the 'scope is checking the license files?
[...]
I want to try making a Key.data with a random number in it and generate some license files for that. If it works then we can just pass three files around for everybody to use instead of getting people to pull their key, generate licenses from it, etc.

While this might work, it would give Rigol the option (via a future firmware update) to invalidate licenses generated with a non-matching key. Nobody knows whether Rigol will ever be inclined to do that, but I would prefer to stick with licenses and keys which are indistinguishable from the official ones.

Maybe...

In that case we need to know how to derive Key.data from the scope's serial number. That way all we need is the S/N to generate keys that can be entered via the scope's web interface.

I wonder if Riglol does that.
 

Offline t_i_t_o

  • Contributor
  • Posts: 43
  • Country: bg
Re: Hacking the Rigol DHO800/900 Scope
« Reply #226 on: October 25, 2023, 07:05:28 pm »
Deriving the key from the SN would be a weakness - hacking one scope means hacking all of them. Having a randomly generated key associated with every serial number upon initialization during manufacturing is much safer. So I guess Rigol has a lookup table associating each serial number with its key. That is how they can generate the license based on a serial number. The above is based on assuming the key is stored secretly. In theory it is, because it's encrypted; in fact it's not, because the key for encryption is well known.
Bottom line, this should mean that Fungus' idea of just passing three files around should work...
« Last Edit: October 25, 2023, 07:14:48 pm by t_i_t_o »
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 6434
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol DHO800/900 Scope
« Reply #227 on: October 25, 2023, 07:14:59 pm »
Did some APK unpacking and grepping.
I confirm these text fields in 7 apk files on my DHO804 original firmware:
OPT_AERO OPT_ARINC OPT_AUDIO OPT_AUTO OPT_BND OPT_BODE OPT_BW10T20 OPT_BW15T25 OPT_BW2T4 OPT_BW2T8 OPT_BW4T8 OPT_BW7T10 OPT_BW7T15 OPT_BW7T20 OPT_CM_ENET OPT_CM_HDMI OPT_CM_MIPI OPT_CM_USB OPT_COMP OPT_COUNT OPT_DG OPT_EMBD OPT_EYE OPT_FLEX OPT_JITTER OPT_MSO OPT_PWR OPT_RLU OPT_RTSA OPT_UNKNOWN OPT_UPA
These apk files are different copies of base.apk and Sparrow.apk.
Strings nearby: "Unknown Forever days Key.data HDO800 HDO900 DHO800 DHO900"

I think those files have every string for every Rigol 'scope ever made in them.  :)

Exactly.
It is the whole bundle of all possible options for this software platform.
Which of these can then actually become active depends on the respective hardware.
For example, jitter and eye diagram are of course complete utopia, even for the DHO4000 scopes. ;)
We have already brought out the "absolute" with the bandwidth upgrade to 100 MHz and the memory expansion to 50 Mpts.
More is not possible... for the 800 model.
If we told the 800 it was now a 900, we would add the 250 MHz max bandwidth at 2 ns/div.
And that's it, until Rigol introduces new options that you can unlock.
Since they have to be there, anyone can try them out and generate and enter license keys for the other decoders, for example; nothing will happen, because they don't exist for either the 800 or the 900.


"Comparison is the end of happiness and the beginning of dissatisfaction."
(Kierkegaard)
Siglent SDS800X HD Deep Review
 

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #228 on: October 25, 2023, 07:50:29 pm »
How to use a larger memory card (64GB tested).

1) copy the oscilloscope's SD card byte for byte to the start of a new 64GB card;

2) analyze and undelete the 4 biggest ext4 partitions with partition manager software (tested with Paragon Hard Disk Manager; it's an MBR volume, so you can choose only 4)

3) resize the last 26GB partition to the end of the free space (Done with GParted from Linux. No Windows software was found that can do this. Paragon Disk Manager, EaseUS, AOMEI Partition Assistant failed at resizing the partition.)

If you find a Windows app that can resize the partition on the card, please, let me know.
My stock memory card is Lexar 633x SDHC-I V10 U1 A1 29.5 GB (31,719,424,000 bytes)

PS: it's done because I have a spare 64GB card, not for the extra space  8).

« Last Edit: October 25, 2023, 08:26:28 pm by Serg65536 »
 
The following users thanked this post: thm_w, AceyTech
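An added example (not code from this thread): a Python parser for the four primary entries of the MBR that step 1 copies across unchanged, so you can see why only four partitions can be undeleted in step 2 and how much of the larger card lies beyond the last ext4 partition before step 3 resizes it. The sector below is constructed, not a dump of the stock card; the 31,719,424,000-byte figure is the stock card size quoted above, the 64 GB figure is an assumed round value.

```python
import struct
from dataclasses import dataclass

SECTOR = 512          # bytes per LBA sector
TABLE_OFFSET = 0x1BE  # the four 16-byte primary entries start here
LINUX_TYPE = 0x83     # MBR type id used for ext2/3/4 partitions

@dataclass
class MbrEntry:
    slot: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # first sector after the partition
        return self.lba_start + self.sectors

def parse_mbr(sector0: bytes) -> list:
    """Non-empty primary entries of a classic MBR. Entry layout, little-endian:
    status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4);
    the CHS bytes are skipped, modern tools only use the LBA fields."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR sector")
    entries = []
    for slot in range(4):  # an MBR holds at most four primary partitions
        status, type_id, lba, count = struct.unpack_from(
            "<B3xB3xII", sector0, TABLE_OFFSET + 16 * slot)
        if type_id and count:  # skip unused slots
            entries.append(MbrEntry(slot + 1, status == 0x80, type_id, lba, count))
    return entries

def free_sectors_after_last(entries: list, device_bytes: int) -> int:
    """Sectors between the end of the last partition and the end of the card.
    Negative means the copied image does not fit on the target."""
    return device_bytes // SECTOR - max(e.lba_end for e in entries)

def build_mbr(layout) -> bytes:
    """Constructed test sector from a list of (type_id, lba_start, sectors)."""
    sec = bytearray(SECTOR)
    for slot, (type_id, lba, count) in enumerate(layout):
        struct.pack_into("<B3xB3xII", sec, TABLE_OFFSET + 16 * slot, 0, type_id, lba, count)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

# Constructed layout modelled on the post: four Linux partitions, the last about 26 GiB.
SAMPLE_MBR = build_mbr([
    (LINUX_TYPE, 2_048, 1_048_576),       # 512 MiB
    (LINUX_TYPE, 1_050_624, 2_097_152),   # 1 GiB
    (LINUX_TYPE, 3_147_776, 4_194_304),   # 2 GiB
    (LINUX_TYPE, 7_342_080, 54_525_952),  # 26 GiB, ends at LBA 61,868,032
])
STOCK_CARD_BYTES = 31_719_424_000  # size of the stock Lexar card quoted in the post
BIG_CARD_BYTES = 64_000_000_000    # assumed round size for the replacement 64 GB card
```

To run it on a real image, pass the first 512 bytes of the card (for example `open("card.img", "rb").read(512)`) to `parse_mbr` and the card's byte size to `free_sectors_after_last`.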

Offline scient

  • Newbie
  • Posts: 3
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #229 on: October 25, 2023, 08:52:21 pm »
Is anyone willing to share their key.data file? Or has one been attached to a post already? Looking at libscope-auklet.so inside the sparrow apk, there are two references where it looks like it's reading licensing information near the start of each function.

CApiLicense::ApiLicense_SetLicenseKey(CApiLicense *, __int64)
CApiLicense::getLicenseKey(__int64 a1, RString *a2, size_t *a3)
> sub_256818(&CApiLicense::LICENSE_PATH, "Key.data"); # I think this function just reads data from the device

In both license related functions, it looks like it reads the data from key.data near start of code then processes it. Would be helpful to see some actual data to understand what is going on.

Also, it is likely worthwhile to dig into the "opt" related functions that are part of the CApiLicense class in that same .so file. This might help with analysis of how things are handled.

For example, I believe this is checking whether license is valid for bandwidth:

 
The following users thanked this post: Serg65536

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #230 on: October 25, 2023, 10:06:28 pm »
Is anyone willing to share their key.data file?
Here is the key from DHO924 firmware from the first post of this thread.
 
The following users thanked this post: scient

Offline dmulligan

  • Regular Contributor
  • *
  • Posts: 86
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #231 on: October 25, 2023, 10:46:42 pm »
I wonder if BW10T20 could upgrade a DHO814 from 100 to 200 MHz.

I have also noticed that BW7T10.lic is not encrypted.  Maybe we can enable some of the other licenses by writing them directly to /rigol/data.
 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 6434
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol DHO800/900 Scope
« Reply #232 on: October 25, 2023, 10:55:52 pm »
DHO 800:  70 MHz / 100 MHz
DHO 900:  125 MHz / 250 MHz
DHO 1000: 70 MHz / 100 MHz / 200 MHz
DHO 4000: 200 MHz / 400 MHz / 800 MHz

Hope that helps.

 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16911
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #233 on: October 25, 2023, 11:58:47 pm »
Looking at libscope-auklet.so inside sparrow apk...

What are you using to look at that??

I've been poking around the apk and all the interesting stuff is in the .so file but I don't know what to use on it.
 

Offline scient

  • Newbie
  • Posts: 3
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #234 on: October 26, 2023, 12:01:53 am »
The .so files are ARM-compiled libraries. You need something like IDA or Ghidra.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16911
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #235 on: October 26, 2023, 12:11:59 am »
The .so files are arm compiled libraries.

I know that much!  :)


You need something like IDA or Ghidra.

So you're using "IDA"...
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16911
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #236 on: October 26, 2023, 12:19:34 am »
You need something like IDA or Ghidra.
So you're using "IDA"...

But the free version doesn't do ARM.   >:(

 

Offline ballsystemlord

  • Regular Contributor
  • *
  • Posts: 163
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #237 on: October 26, 2023, 02:09:47 am »
Can anyone give an overview of the H/W variants of the 800/900 series scopes? E.g. which ones have hardware capabilities preinstalled for the AWG and stuff like that.

Are all DHO900 series scopes identical hardware-wise, since all of them have the LA connector preinstalled as well as the AWG output at the back? I'd like to avoid having to cut into the case, so I'd go for the DHO914 in that case, as long as all the DHO924S features can be hacked software-wise.

In brief, the motherboard of all the 800/900 series are the same, just the 800 series is missing a few components.
All the 900 series have the LA connector on the front, while the 800 series don't have that connector soldered on the motherboard.
Only the 914S/924S models have the AFG module hardware inside, the 914/924 don't (at least that is my assumption).
The DHO924/DHO924S come with 350MHz probe, but the 914 and 800 series come with 150MHz probes.

If one's just missing a few components does this mean you could, with a bit of skill and some parts, convert the 800 to the 900? You'd need a FW image as well, of course.

Thanks!
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16911
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #238 on: October 26, 2023, 02:33:00 am »
If one's just missing a few components does this mean you could, with a bit of skill and some parts, convert the 800 to the 900?

Yes.

You'd need a FW image as well, of course.

That's the easy part.
 
The following users thanked this post: ballsystemlord

Offline souldevelop

  • Regular Contributor
  • *
  • Posts: 54
  • Country: cn
  • Serious and rigorous
Re: Hacking the Rigol DHO800/900 Scope
« Reply #239 on: October 26, 2023, 05:56:23 am »
Is anyone willing to share their key.data file? Or has one been attached to a post already? Looking at libscope-auklet.so inside the sparrow apk, there are two references where it looks like it's reading licensing information near the start of each function.

CApiLicense::ApiLicense_SetLicenseKey(CApiLicense *, __int64)
CApiLicense::getLicenseKey(__int64 a1, RString *a2, size_t *a3)
> sub_256818(&CApiLicense::LICENSE_PATH, "Key.data"); # I think this function just reads data from the device

In both license related functions, it looks like it reads the data from key.data near start of code then processes it. Would be helpful to see some actual data to understand what is going on.

Also, it is likely worthwhile to dig into the "opt" related functions that are part of the CApiLicense class in that same .so file. This might help with analysis of how things are handled.

For example, I believe this is checking whether license is valid for bandwidth:

I don't understand what's going on and why I need to do this. Doesn't the Rigoltool I provided earlier help you liberate bandwidth? Or has something else happened that I didn't know about?
Darkness before dawn.
 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 6754
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #240 on: October 26, 2023, 05:59:02 am »
If one's just missing a few components does this mean you could, with a bit of skill and some parts, convert the 800 to the 900?

Besides soldering skills, you would also have to be good with a Dremel to cut the LA port into the front. I don't see many people doing that to their cute new scope...

Oh, and there are two extra buttons on the DHO900 too. Happy tinkering!  ::)
« Last Edit: October 26, 2023, 06:16:52 am by ebastler »
 

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #241 on: October 26, 2023, 07:28:50 am »
I've checked installation of the BW7T15, BW7T20, and BW7T25 options on my DHO804, but no luck.
The BW7T10 and RLU options work fine.
So now I'm using a 100 MHz (? 2.1 ns rise time = 166 MHz BW), 50 Mpts, 64 GB memory oscilloscope.  8)

It's time to calibrate the DHO924 firmware!...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3271
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #242 on: October 26, 2023, 07:34:55 am »
I don't understand what's going on and why I need to do this. Doesn't the Rigoltool I provided earlier help you liberate bandwidth? Or has something else happened that I didn't know about?

They are peer reviewing...  :-DD
 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 6754
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #243 on: October 26, 2023, 07:47:01 am »
I don't understand what's going on and why I need to do this. Doesn't the Rigoltool I provided earlier help you liberate bandwidth? Or has something else happened that I didn't know about?

They are peer reviewing...  :-DD

I think there are still two worthwhile directions for improving the hackability or making it more convenient:

(a) Make the DHO hackable just via the GUI, similar to e.g. the DS1000Z series: Provide an online generator for license keys which requires just the serial number as an input, not the device key. This will only work if the key is derived from the serial number, rather than generated independently and kept in a global serial > key lookup table by Rigol.

(b) Enable the activation of DHO900 bandwidth and decoders without causing calibration problems or loss of the serial number, and without activating the redundant display of the digital channels on the screen.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3271
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #244 on: October 26, 2023, 07:54:40 am »
Gentlemen, the Key.data was created in the MSO days as an ECC public key intended to verify the option licenses. AFAIR, in this DHO world, the key is being used as a symmetric key (lo and behold  :palm: :palm:  |O) to encrypt/decrypt the licenses.

If this is the case, you don't need to know from where it was generated, you just need to use Key.data and create all the licenses based on it and spread joy all over (together with the key).

It's totally irrelevant what the seed of the Key was, and you can overwrite it with no problems. People doing this will never buy official licenses from Rigol, so their original key is useless.
 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 6754
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #245 on: October 26, 2023, 08:03:19 am »
If this is the case, you don't need to know from where it was generated, you just need to use Key.data and create all the licenses based on it and spread joy all over (together with the key).

It's totally irrelevant what the seed of the Key was, and you can overwrite it with no problems. People doing this will never buy official licenses from Rigol, so their original key is useless.

But if (!) there is an algorithmic way to check whether the key.data is consistent with the serial number, Rigol could do that in a future firmware and disable "homemade" licenses -- right?
 

Offline DGeorgiev92

  • Newbie
  • Posts: 1
  • Country: bg
Re: Hacking the Rigol DHO800/900 Scope
« Reply #246 on: October 26, 2023, 08:15:57 am »
If one's just missing a few components does this mean you could, with a bit of skill and some parts, convert the 800 to the 900?

Besides soldering skills, you would also have to be good with a Dremel to cut the LA port into the front. I don't see many people doing that to their cute new scope...

Oh, and there are two extra buttons on the DHO900 too. Happy tinkering!  ::)

If I know for sure that the LA will work on the DHO804, I will cut the panel for the connector on the new oscilloscope. And the buttons do not need to be cut; there is a touch screen, and the LA can be activated from the screen. In my country, 200 euros is a lot of money.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16911
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #247 on: October 26, 2023, 08:19:06 am »
It's totally irrelevant what the seed of the Key was, and you can overwrite it with no problems. People doing this will never buy official licenses from Rigol, so their original key is useless.

Yep, that's what I was thinking.

But if (!) there is an algorithmic way to check whether the key.data is consistent with the serial number, Rigol could do that in a future firmware and disable "homemade" licenses -- right?

They could do that but I really don't believe they will.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3271
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #248 on: October 26, 2023, 09:14:02 am »
Rigol could do that in a future firmware and disable "homemade" licenses -- right?

We're talking about a system that started as ECC and now is being used as symmetric...  :palm: They could but they won't as they never did. In the past, no Rigol scope has ever complained about having its key changed.
 

Offline heather

  • Newbie
  • Posts: 7
  • Country: ie
Re: Hacking the Rigol DHO800/900 Scope
« Reply #249 on: October 26, 2023, 09:23:30 am »
If I know for sure that the LA will work on the DHO804, I will cut the panel for the connector on the new oscilloscope. And the buttons do not need to be cut; there is a touch screen, and the LA can be activated from the screen. In my country, 200 euros is a lot of money.

I have been thinking about making a small pin header to FPC cable adapter board and use a couple of MIPI camera cables to bring the LA pins out of the case without cutting anything.
 

