Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1595987 times)


Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #900 on: January 15, 2024, 03:36:30 pm »
This is the HOW TO SSH post

So, real easy to setup your SSH access.
I use putty app on windoze, because it's ez to use, saves session profiles, and can gen keys.
Reference info --> https://www.liquidweb.com/kb/putty-ssh-keys/

step-1 gen and save rsa pub private key pair (1 pair, two keys) using the puttygen tool (command line) (leave the passphrase blank)
step-2 open the pub key in like notepad, edit the file, make just the key part one line, leave open, DO NOT SAVE your edit, doing this edit just for a copy later.
step-3 create a ssh session for your scope IP, save the session so you can load it later. Follow steps --> (see ref info url), always go back to SESSION and click SAVE after each change is made in session settings. Use "root" for username in DATA.
step-4 follow steps in this snippet
//snippet\\
adb connect [IP]:55555
adb root
adb remount
adb shell
vi /system/etc/ssh/authorized_keys
  (I won't expand how to use vi)
//end snippet\\

paste your one-line pub key from step-2 as a new line in this keys file
save your vi edit, exit vi

At this point you should be able to just load your saved Putty session and click "open" button. It drops you in as root.
Troubleshoot as needed, but you should not have to.

Now exit adb from your adb cmd window
exit
exit
adb disconnect


Shutdown and reboot scope, test your ssh access.

//// optional editing \\\\\
You'll notice some existing keys in the ssh keys file, not sure why those are there, maybe for support reasons.
If you want to make your scope more secure (since sshd is running), you can make a backup copy of the keys file, edit the keys file and remove the existing lines (dd in vi), then continue on to add your pub key into the file.
You could also just comment out the existing lines in keys files, but having just your pub key there is more secure.
« Last Edit: January 15, 2024, 04:06:14 pm by Randy222 »
 
The following users thanked this post: egonotto, thm_w, AndyBig, cte, AceyTech
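Added example (my own, not Randy222's code) covering step-2 and the optional editing above: it collapses the multi-line public key file that puttygen saves (RFC 4716 format, with the `---- BEGIN SSH2 PUBLIC KEY ----` header) into the one OpenSSH line that authorized_keys expects, and builds a replacement keys file holding only that key, handing back the removed lines so they can go into the backup copy. The key blob and the "existing" vendor keys are constructed placeholders, not real keys.

```python
import base64
import struct
import textwrap

# Constructed sample key blob (ssh-rsa name, e=65537, made-up modulus):
# NOT a real key, just enough structure for the key type to be parsed.
_FAKE_BLOB = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
              + b"\x00\x00\x00\x21\x00" + b"\xab" * 32)
# What puttygen's "save public key" writes: header, comment, wrapped base64.
PUTTY_PUB = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
             'Comment: "rsa-key-20240115"\n'
             + "\n".join(textwrap.wrap(base64.b64encode(_FAKE_BLOB).decode(), 70))
             + "\n---- END SSH2 PUBLIC KEY ----\n")

def rfc4716_to_openssh(text):
    """Collapse a puttygen/RFC 4716 public key file into the single
    'type base64 comment' line an OpenSSH authorized_keys file wants."""
    body, comment, in_body, cont = [], "", False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---- BEGIN"):
            in_body = True
            continue
        if line.startswith("---- END"):
            break
        if not in_body:
            continue
        if cont or ":" in line:            # header line (or its continuation)
            if line.lower().startswith("comment:"):
                comment = line.split(":", 1)[1].strip().strip('"')
            cont = line.endswith("\\")
            continue
        body.append(line)                  # base64 never contains ':'
    blob = base64.b64decode("".join(body))
    (tlen,) = struct.unpack(">I", blob[:4])   # first field = algorithm name
    ktype = blob[4:4 + tlen].decode("ascii")
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}".rstrip()

def build_authorized_keys(existing, new_line, keep_existing=False):
    """Return (new file contents, lines dropped). With keep_existing=False
    the result holds only new_line, mirroring the 'remove the existing
    lines' advice; the dropped lines are returned for the backup copy."""
    kept, dropped = [], []
    for line in existing.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.split()[:2] == new_line.split()[:2]:
            continue                       # same key already present
        (kept if keep_existing else dropped).append(line)
    kept.append(new_line)
    return "\n".join(kept) + "\n", dropped
```

Feed the output of `build_authorized_keys` to the vi edit in step-4 (or push it with adb) and keep the dropped lines as your backup.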

Offline gabiz_ro

  • Regular Contributor
  • *
  • Posts: 114
  • Country: ro
Re: Hacking the Rigol DHO800/900 Scope
« Reply #901 on: January 15, 2024, 04:58:38 pm »
Most, or maybe all, will have connected the oscilloscope to a local area network and not exposed it to the internet.
So there is no way to access it from the internet until you set up such a thing in your router or modem.
 

Offline zelea2

  • Regular Contributor
  • *
  • Posts: 61
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #902 on: January 15, 2024, 07:01:16 pm »
So... It seems that the issue of licenses and keys is not dealt with by the application itself, but by one of the binary libraries in it - libscope-auklet.so
Only in this library is the file name RKey.data found, and it also contains a list of all oscilloscope models, and not only the 800/900 series.

I had a brief look at that library and in function CApiLicense::getLicenseKey a call to 'access' is made to verify if that file is present.
If not it falls back and reads "Key.data" instead.
So the fix could be as simple as deleting RKey.data and restoring Key.data from backup. I haven't checked this yet because I haven't upgraded my firmware.
 

Offline mwb1100

  • Frequent Contributor
  • **
  • Posts: 529
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #903 on: January 15, 2024, 07:54:44 pm »
[  271.753363] SELinux: Unable to set superblock options before the security server is initialized

The DHO800 has selinux enabled? That's surprising (I don't actually have a DHO800, so I'm just going by what I read on eevblog).

Try to disable selinux with:

Code: [Select]
setenforce 0
and see if that allows the WiFi driver to start.
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #904 on: January 15, 2024, 08:22:25 pm »
[  271.753363] SELinux: Unable to set superblock options before the security server is initialized

The DHO800 has selinux enabled? That's surprising (I don't actually have a DHO800, so I'm just going by what I read on eevblog).

Try to disable selinux with:

Code: [Select]
setenforce 0
and see if that allows the WiFi driver to start.

Not that I see, selinux is not in enforcement mode, but appears to be running. More logging which means more delays with cpu cycles. If it's not used then it should not be running.

 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #905 on: January 15, 2024, 08:33:20 pm »
Most, or maybe all, will have connected the oscilloscope to a local area network and not exposed it to the internet.
So there is no way to access it from the internet until you set up such a thing in your router or modem.

Devices get exposed to internet all the time, mostly by accident/ignorance.

You can likely find many DHO devices in shodan.
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #906 on: January 15, 2024, 08:40:48 pm »
So... It seems that the issue of licenses and keys is not dealt with by the application itself, but by one of the binary libraries in it - libscope-auklet.so
Only in this library is the file name RKey.data found, and it also contains a list of all oscilloscope models, and not only the 800/900 series.

I had a brief look at that library and in function CApiLicense::getLicenseKey a call to 'access' is made to verify if that file is present.
If not it falls back and reads "Key.data" instead.
So the fix could be as simple as deleting RKey.data and restoring Key.data from backup. I haven't checked this yet because I haven't upgraded my firmware.
Yes, I also spent the evening tinkering with the disassembler, but I couldn’t find where the new keys were being read from. Everything is not as obvious there as I hoped :)
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16854
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #907 on: January 15, 2024, 08:55:26 pm »
So the fix could be as simple as deleting RKey.data and restoring Key.data from backup. I haven't checked this yet because I haven't upgraded my firmware.

You can downgrade your firmware and restore the original Key.data, no problem.
 
The following users thanked this post: AceyTech

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #908 on: January 15, 2024, 09:22:15 pm »
So the fix could be as simple as deleting RKey.data and restoring Key.data from backup. I haven't checked this yet because I haven't upgraded my firmware.
Oh, didn't pay attention to that.
No, that won't work. In this case, it reads Key.data, decrypts the data from it with the old key, then encrypts this data with the new key and stores it in RKey.data, and deletes Key.data.
Actually, this is exactly what he does immediately after the update, and this is how the RKey.data file appears instead of Key.data.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #909 on: January 15, 2024, 09:37:55 pm »
 :popcorn: Waiting for next episodes...
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16854
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #910 on: January 15, 2024, 09:38:09 pm »
Yes, this new firmware recreates RKey.data on boot and deletes the old one.

 

Offline sonic

  • Regular Contributor
  • *
  • Posts: 60
  • Country: de
    • Homepage
Bluetooth
« Reply #911 on: January 17, 2024, 12:28:31 am »
I just got Bluetooth working with the Edimax EW-7611ULB and V2 Bluetooth/Wifi combo adapters :D Just extract
https://sven.killig.de/android/DHO/ew7611ulb.tgz
to the root of the filesystem and start
Code: [Select]
rk3399_rigol:/ # ew7611ulb.sh
or
Code: [Select]
rk3399_rigol:/ # ew7611ulb-v2.sh
Both the Bluetooth and Wi-Fi pages in the Settings app should work then:



To undo, replace *.so with a backup or the initially shipped ones.
Build instructions on https://sven.killig.de/android/DHO
« Last Edit: July 11, 2024, 11:40:02 pm by sonic »
 
The following users thanked this post: thm_w

Offline JDW

  • Frequent Contributor
  • **
  • Posts: 336
  • Country: jp
Re: Hacking the Rigol DHO800/900 Scope
« Reply #912 on: January 17, 2024, 01:13:42 am »
I just got Bluetooth to work for the Edimax EW-7611ULB (not V2) :D Just extract
https://sven.killig.de/android/DHO/ew7611ulb.tgz
to the root of the filesystem and start
Code: [Select]
rk3399_rigol:/ # /data/local/tmp/ew7611ulb.sh
Both the Bluetooth and Wi-Fi pages (since it's a combo dongle) in the Settings app should work then.

This info comes at an interesting time, seeing Amazon just delivered my TL-WN725N (WIFI-only dongle) today.  However, the Edimax EW-7611ULB is not sold here in Japan (not yet on Amazon Japan), so I guess it doesn't really matter for me.  But I do see the merits, as Bluetooth would allow you to connect a wireless keyboard and mouse.  But arguably, if you have WiFi and get your scope on your computer, then the computer has the keyboard and mouse, making the need for them on the actual scope less important.

With that said, it would be helpful to iOS users who haven't the faintest idea how Android works to know a precise step-by-step method to "extract XXX to the root of the filesystem" and then "start."  I personally don't know what that entails, hence the desire to see steps.

Thanks.
 

Offline sonic

  • Regular Contributor
  • *
  • Posts: 60
  • Country: de
    • Homepage
Re: Hacking the Rigol DHO800/900 Scope
« Reply #913 on: January 17, 2024, 02:08:04 am »
Shipping to Japan seems to be available at eBay.com.

Steps:
Code: [Select]
adb connect [IP]:55555
adb root
adb remount
adb push ew7611ulb.tgz /data/local/tmp
adb shell

rk3399_rigol:/ # tar xfz /data/local/tmp/ew7611ulb.tgz

rk3399_rigol:/ # ew7611ulb.sh
rk3399_rigol:/ # am start -a android.settings.SETTINGS
« Last Edit: January 17, 2024, 02:34:59 am by sonic »
 
The following users thanked this post: thm_w, JDW
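Added example (mine, not sonic's tooling) for the `tar xfz` step above, which unpacks an archive onto the scope's root as root: a preflight that lists which already-installed `*.so` files the archive would overwrite (so they can be backed up first, since the undo is "replace *.so with a backup") and flags members that would land outside the extraction root, are links, or carry setuid/setgid bits. The archive built in `build_sample_archive` is a constructed stand-in for ew7611ulb.tgz with made-up contents.

```python
import io
import posixpath
import stat
import tarfile

def _add(tar, name, data=b"", mode=0o644):
    """Append one regular file member to an open tarfile."""
    info = tarfile.TarInfo(name)
    info.size, info.mode = len(data), mode
    tar.addfile(info, io.BytesIO(data))

def build_sample_archive():
    """Constructed stand-in for ew7611ulb.tgz; names and bytes are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "./system/lib64/libexample.so", b"\x7fELF", 0o644)
        _add(tar, "./system/bin/ew7611ulb.sh", b"#!/system/bin/sh\n", 0o755)
        _add(tar, "../outside/evil.so", b"x")            # would escape '/'
        _add(tar, "system/bin/suid_tool", b"x", 0o4755)  # setuid bit set
    return buf.getvalue()

def preflight(tgz_bytes, installed_paths):
    """Inspect a .tgz without extracting it.  installed_paths is the set of
    absolute paths already present on the scope (e.g. from 'find / -name
    "*.so"').  Returns {'unsafe': [(name, reason)], 'overwrites': [path]}."""
    report = {"unsafe": [], "overwrites": []}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            # Lexical check first: normpath() would silently fold '..' away.
            if m.name.startswith("/") or ".." in parts:
                report["unsafe"].append((m.name, "escapes extraction root"))
            if m.issym() or m.islnk():
                report["unsafe"].append((m.name, "link"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                report["unsafe"].append((m.name, "setuid/setgid"))
            target = posixpath.normpath("/" + m.name)   # where it would land
            if target.endswith(".so") and target in installed_paths:
                report["overwrites"].append(target)
    return report
```

Run `preflight` on the real tgz with the scope's actual `.so` list before `adb push`; anything in `unsafe` deserves a look, and everything in `overwrites` is what to copy aside first.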

Offline JDW

  • Frequent Contributor
  • **
  • Posts: 336
  • Country: jp
Re: Hacking the Rigol DHO800/900 Scope
« Reply #914 on: January 17, 2024, 02:13:41 am »
Shipping to Japan seems to be available at eBay.com.

Yes, but the total is about US$30, and when you consider the horrid exchange rate we have right now, that makes an otherwise ¥1000 product become something like ¥4400, which is totally and utterly insane.  I paid ¥800 for my TL-WN725N and free shipping as a Prime member here in Japan.  That dongle, even without Bluetooth, is therefore the logical choice for the frugal.

But thank you for the steps, as those steps will help others who can actually afford the dongle you are using.
 

Offline sonic

  • Regular Contributor
  • *
  • Posts: 60
  • Country: de
    • Homepage
Re: Hacking the Rigol DHO800/900 Scope
« Reply #915 on: January 17, 2024, 03:07:25 am »
It might also work for other RTL8723BU dongles with USB Vendor IDs
Code: [Select]
0489
0bda
1358
13d3
but after much trial & error with other chips in the Edimax EW-7611UB5/BT-8500 and the Plugable USB-BT4LE, I'm unsure...
« Last Edit: January 17, 2024, 03:16:18 am by sonic »
 

Offline hpmaxim

  • Regular Contributor
  • *
  • Posts: 132
Re: Hacking the Rigol DHO800/900 Scope
« Reply #916 on: January 17, 2024, 04:39:03 am »
Just wanted to thank everyone, especially Randy222 for all the detailed help. I'm about to go on a vacation, so I'll be away from the scope for a few weeks. As it stands now, I did load the module into the kernel and it seems to work pretty reliably if the Nano is plugged directly into the scope when booted. Otherwise, it can be flaky.
 

Offline Ivan7enych

  • Regular Contributor
  • *
  • Posts: 158
  • Country: ru
    • My astronomy projects
Re: Hacking the Rigol DHO800/900 Scope
« Reply #917 on: January 17, 2024, 03:03:46 pm »
Hello!

I was "lucky" enough to upgrade my new DHO804 to v00.01.02.00.02 without backup and only then trying to unlock the options. ;(
Now I have only RKey.data file, even when I downgrade firmware it doesn't create old file.

Is there a way to copy it from some other scope? Or do I now only have the old upgrade way of rewriting the flash card?

I suppose that in the next 2-3 months all new scopes will ship with this v00.01.02.00.02 firmware, where the current unlock script does not work.
« Last Edit: January 17, 2024, 03:10:27 pm by Ivan7enych »
 

Offline zelea2

  • Regular Contributor
  • *
  • Posts: 61
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #918 on: January 17, 2024, 03:10:23 pm »
Yes, this new firmware recreates RKey.data on boot and deletes the old one.
Exploring the functions of interest that handle the RKey.data file I came up with the following:
  • I've disassembled the entire libscope-auklet.so with IDA Pro
  • Then wrote a Perl script to extract only some of the functions and also change the assembly format so it will be accepted by GAS
  • All calls to libc functions have been replaced with the "native" ARM64 libc
  • I've then added some C wrappers to be able to compile a static ELF aarch64 file
This worked fine and at least enabled me to understand the RString structure which is used everywhere in the license API for strings.
It also makes a much smaller executable which is handled faster by IDA. The IDA ARM64 decompiler only works in v7.7 not the latest v8.3 but it's not very helpful.
My plan was to run this test program on my Linux machine with the qemu-aarch64 emulator, read the old Key.data file and observe how it creates the new RKey.data.
Unfortunately all the libscope functions are written in C++, "new" and "delete" operators are everywhere and are a pain to interface with plain C.
I got tangled in the tens of extra functions needed to properly run this on the emulator so I've dropped it for now.
(If someone wants to have a look I've included the sources here: https://github.com/zelea2/rigol_vendor_bin/tree/main/rkey_test )

A better approach would be to patch the functions of interest with hooks which will run C functions from a separate .so library. This new library can be written and compiled comfortably on a Linux machine. Then the original libscope-auklet.so has to be manipulated with objcopy/objdump to add the hooks' extra symbols.
Finally the patched and new library can be reinserted in the Sparrow.apk (with zip update) and then replaced on the scope. The entire process can be automated with a script.
This will allow the modified application to run directly on the scope and make it save trace files and data dumps while it is handling its licenses.

My observation is that generating the option license strings has stayed the same but now the AES key for decrypting them is hidden inside the RKey.data.
 
The following users thanked this post: t_i_t_o

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #919 on: January 17, 2024, 04:20:31 pm »
Yes, this new firmware recreates RKey.data on boot and deletes the old one.
Exploring the functions of interest that handle the RKey.data file I came up with the following:
  • I've disassembled the entire libscope-auklet.so with IDA Pro
  • Then wrote a Perl script to extract only some of the functions and also change the assembly format so it will be accepted by GAS
  • All calls to libc functions have been replaced with the "native" ARM64 libc
  • I've then added some C wrappers to be able to compile a static ELF aarch64 file
This worked fine and at least enabled me to understand the RString structure which is used everywhere in the license API for strings.
It also makes a much smaller executable which is handled faster by IDA. The IDA ARM64 decompiler only works in v7.7 not the latest v8.3 but it's not very helpful.
My plan was to run this test program on my Linux machine with the qemu-aarch64 emulator, read the old Key.data file and observe how it creates the new RKey.data.
Unfortunately all the libscope functions are written in C++, "new" and "delete" operators are everywhere and are a pain to interface with plain C.
I got tangled in the tens of extra functions needed to properly run this on the emulator so I've dropped it for now.
(If someone wants to have a look I've included the sources here: https://github.com/zelea2/rigol_vendor_bin/tree/main/rkey_test )

A better approach would be to patch the functions of interest with hooks which will run C functions from a separate .so library. This new library can be written and compiled comfortably on a Linux machine. Then the original libscope-auklet.so has to be manipulated with objcopy/objdump to add the hooks' extra symbols.
Finally the patched and new library can be reinserted in the Sparrow.apk (with zip update) and then replaced on the scope. The entire process can be automated with a script.
This will allow the modified application to run directly on the scope and make it save trace files and data dumps while it is handling its licenses.

My observation is that generating the option license strings has stayed the same but now the AES key for decrypting them is hidden inside the RKey.data.
There must be a key to decrypt RKey.data somewhere there...
 

Offline zelea2

  • Regular Contributor
  • *
  • Posts: 61
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #920 on: January 17, 2024, 05:37:17 pm »
There must be a key to decrypt RKey.data somewhere there...
There is no AES operation in CApiLicense::getLicenseKey (which reads RKey.data), just bytes scrambling.
AES_decrypt is only called in CApiLicense::verifyOption

Unfortunately qemu-aarch64 cannot run dynamically linked programs, only static - otherwise I would have used libscope-auklet.so as is.
Maybe an even better option is to make a minimal ARM64 disk image (constructed from the scope's filesystem) and then run my test program inside the emulated system with qemu-system-aarch64.
 
The following users thanked this post: egonotto

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16854
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #921 on: January 17, 2024, 08:19:43 pm »
I was "lucky" enough to upgrade my new DHO804 to v00.01.02.00.02 without backup and only then trying to unlock the options. ;(
Now I have only RKey.data file, even when I downgrade firmware it doesn't create old file.

Is there a way to copy it from some other scope? Or do I now only have the old upgrade way of rewriting the flash card?

I think it'll work if you just change the name to Key.data.

In theory it's derived from your serial number in vendor.bin but the firmware doesn't seem to check if they match.
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16854
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #922 on: January 17, 2024, 08:23:07 pm »
There must be a key to decrypt RKey.data somewhere there...

Yep. That's the important thing and it should be much easier to find than figuring out how RKey.data is generated.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #923 on: January 17, 2024, 09:58:32 pm »
Yep. That's the important thing and it should be much easier to find than figuring out how RKey.data is generated.

Knowing how to decrypt it is, at most, as easy as knowing how to create it. In a worst case scenario (asym crypto), much harder or practically unfeasible.
 
The following users thanked this post: egonotto, KG7AMV

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16854
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #924 on: January 18, 2024, 12:36:36 am »
Knowing how to decrypt it is, at most, as easy as knowing how to create it. In a worst case scenario (asym crypto), much harder or practically unfeasible.

You don't just have to know how to encrypt it, you have to know what to put in it.
 

