Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1596337 times)


Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1875 on: March 01, 2024, 03:39:03 pm »
In my 924S the MAC address looks completely random (unknown vendor ID). The first three bytes should be the vendor ID, and Rigol has had 0019AF for many years.

https://gist.github.com/aallan/b4bb86db86079509e6159810ae9bd3e4

Code:
0019AF Rigol Technologies, Inc.
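The check behind the post above, as an added example that is not part of the original thread: the first three bytes of a universally administered MAC are the vendor OUI, but if bit 1 of the first octet is set the address is locally administered (software-assigned, e.g. randomised), and then an OUI lookup means nothing. The only vendor prefix embedded is the Rigol 0019AF quoted in the post; the sample addresses are constructed for the demo.

```python
"""Classify a MAC address: registered vendor OUI vs. locally administered.

Added example, not from the original thread. The OUI table below holds only
the Rigol entry quoted on the page; the sample addresses are constructed.
"""
import re

# Constructed OUI table: only the entry quoted in the post.
KNOWN_OUIS = {"0019AF": "Rigol Technologies, Inc."}


def parse_mac(mac: str) -> bytes:
    """Accept 00:19:af:..., 00-19-AF-..., or 0019af... and return 6 raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def classify_mac(mac: str) -> dict:
    """Decode the two administrative bits of the first octet, then look up the OUI.

    Bit 0 (0x01) of the first octet: individual (0) / group, i.e. multicast (1).
    Bit 1 (0x02) of the first octet: universally (0) / locally (1) administered.
    A locally administered address is software-assigned (for example a
    randomised MAC), so its first three bytes are not a registered OUI and
    no vendor is reported for it.
    """
    raw = parse_mac(mac)
    oui = raw[:3].hex().upper()
    local = bool(raw[0] & 0x02)
    multicast = bool(raw[0] & 0x01)
    vendor = None if local else KNOWN_OUIS.get(oui)
    return {
        "oui": oui,
        "locally_administered": local,
        "multicast": multicast,
        "vendor": vendor,
    }


if __name__ == "__main__":
    # Constructed samples: a Rigol OUI, a locally administered (randomised)
    # address, and a universally administered address with an unknown OUI.
    for sample in ("00:19:AF:12:34:56", "36:5A:E1:90:AB:CD", "A4:7B:22:33:44:55"):
        print(sample, classify_mac(sample))
```

If the scope reports a locally administered address, comparing its prefix against the OUI list is the wrong question; the MAC was assigned by software (or by the board's own firmware), not allocated from a vendor block.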

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1876 on: March 01, 2024, 03:49:29 pm »
So I did it! The channel widgets in the bottom panel now display the actual probe divider value that was set for the channel.
do we really need the decimal place?

Probably the difficulty is in cracking compiled binaries - it's not super easy to change a float into an int or the other way round in assembler. Example for ARM64:

https://godbolt.org/#g:!((g:!((g:!((h:codeEditor,i:(filename:'1',fontScale:14,fontUsePx:'0',j:1,lang:c%2B%2B,selection:(endColumn:2,endLineNumber:7,positionColumn:2,positionLineNumber:7,selectionStartColumn:2,selectionStartLineNumber:7,startColumn:2,startLineNumber:7),source:'//+Type+your+code+here,+or+load+an+example.%0Avoid+testFunction(void)+%7B%0A++++float+f%3B%0A++++int+i%3B%0A++++f+%3D+10.0%3B%0A++++i+%3D+(int)f%3B%0A%7D'),l:'5',n:'0',o:'C%2B%2B+source+%231',t:'0')),k:50,l:'4',n:'0',o:'',s:0,t:'0'),(g:!((h:compiler,i:(compiler:arm64g1020,filters:(b:'0',binary:'1',binaryObject:'1',commentOnly:'0',debugCalls:'1',demangle:'0',directives:'0',execute:'1',intel:'0',libraryCode:'0',trim:'1'),flagsViewOpen:'1',fontScale:14,fontUsePx:'0',j:1,lang:c%2B%2B,libs:!(),options:'',overrides:!(),selection:(endColumn:1,endLineNumber:1,positionColumn:1,positionLineNumber:1,selectionStartColumn:1,selectionStartLineNumber:1,startColumn:1,startLineNumber:1),source:1),l:'5',n:'0',o:'+ARM64+gcc+10.2+(Editor+%231)',t:'0')),k:50,l:'4',n:'0',o:'',s:0,t:'0')),l:'2',n:'0',o:'',t:'0')),version:4
 
The following users thanked this post: AndyBig

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1877 on: March 01, 2024, 03:58:55 pm »
Speaking of it, another useful thing would be a custom probe ratio, like 11, 12, 13, but I think that can probably be hard. But... in some earlier firmware it was different: in 02.0.02 we have x20 and x50, and somewhere before it was only powers of ten - so we can make diffs.
Yes, it will indeed be much more difficult. I'm not even entirely sure that this will be possible without serious modification of the native library.

do we really need the decimal place?
I simply take the text from the existing list of divisors. I'll look for this list and try to change it. Decimal places do look weird, I agree.

Probably difficulty with cracking compiled binaries - its not super easy to change float into int or the other way round in assembler. Example for ARM64:
For virtual machine bytecode everything is a little simpler, but you still have to tinker a lot :)
 
The following users thanked this post: norbert.kiszka

Offline rifkum

  • Contributor
  • Posts: 22
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1878 on: March 01, 2024, 04:01:13 pm »
Very nice work AndyBig!!
But a couple questions/comments...
It appears that you had to increase the bottom channel banner (taking away from the waveform display window)?
It also appears this caused the text in the right-hand "result" window to not display correctly, as you can see "Vmin(C1)" is slightly on top of "Cur:".

Would it be possible to instead keep the bottom ribbon the same size (thus not taking away from the waveform window and causing the above noted problem) and instead
either
Make the large colored channel numbers slightly smaller and move them up and put the 10x under the large channel number?
or
Use the large black space to the right of the 4 channel boxes and put a table of 1,2,3,4 with the associated probe multiplier there?? Or even use the blank space at the top of the window next to Waveform View and put 1:10X, 2:1X, 3:1X, 4:10X
or
find some other open space where the probe multiplier would fit without causing window real estate placement conflicts

It definitely seems Rigol could have done a much better job of providing the user with more info (like the missing probe multiplier).

What I really wish is that when viewing the display through the web interface that MORE info could be made available on the external monitor and have a nice large waveform display.

Good work none the less!!!
cheers
Dwight
 
The following users thanked this post: AndyBig, norbert.kiszka

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1879 on: March 01, 2024, 04:07:56 pm »
Removed decimal places from probe divisor values. At the same time, I fixed the selection of the active channel widget in the bottom panel :)
 
The following users thanked this post: Mechatrommer, arturmariojr, norbert.kiszka

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1880 on: March 01, 2024, 04:21:13 pm »
Very nice work AndyBig!!
Thanks :)

But a couple questions/comments...
It appears that you had to increase the bottom channel banner (taking away from the waveform display window)?
It also appears this caused the text in the right-hand "result" window to not display correctly, as you can see "Vmin(C1)" is slightly on top of "Cur:".
No, I didn't change the dimensions of the bottom panel. This misalignment of the text in the results pane is caused by my attempts to compile the measurements into one line. I still haven’t fully figured out the layout of this panel in all its modes, which is why I ended up with such an overlay :( I’ll have to try to figure it out again.

Would it be possible to instead keep the bottom ribbon the same size (thus not taking away from the waveform window and causing the above noted problem) and instead
either
Make the large colored channel numbers slightly smaller and move them up and put the 10x under the large channel number?
By the way, I considered this option for placing the divider, but abandoned it because for this the channel numbers would have to be significantly reduced, and I didn’t want that. But in general, you can try it and see what happens :)

or
Use the large black space to the right of the 4 channel boxes and put a table of 1,2,3,4 with the associated probe multiplier there??
No, this place is occupied by the LA and AFG widgets in 9xx models.

Or even use the blank space at the top of the window next to Waveform View and put 1:10X, 2:1X, 3:1X, 4:10X
And here there is very little space when a second window opens, for example with FFT :)

or
find some other open space where the probe multiplier would fit without causing window real estate placement conflicts
Well, this is just the first attempt for now. If a more optimal option is found, of course we can redo it :)

It definitely seems Rigol could have done a much better job of providing the user with more info (like the missing probe multiplier).

What I really wish is that when viewing the display through the web interface that MORE info could be made available on the external monitor and have a nice large waveform display.
Unfortunately this is not possible :(
« Last Edit: March 01, 2024, 04:37:37 pm by AndyBig »
 
The following users thanked this post: rifkum

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1881 on: March 01, 2024, 04:42:07 pm »
I simply take the text from the existing list of divisors. I'll look for this list and try to change it. Decimal places do look weird, I agree.

In text (a char array) it's just a matter of setting a null (\0) as the end-of-text flag. If we need to get rid of ".0", and that is always two chars, then probably the easiest way will be to count everything up to the null and after that put another null two places to the left.

It definately seems Rigol could have done a much better job of providing the user with more info (like the missing probe multiplier).

What I really wish is that when viewing the display through the web interface that MORE info could be made available on the external monitor and have a nice large waveform display.
Unfortunately this is not possible :(

If the displayed waveform is 100% generated in the FPGA (with the same resolution as we see right now), then scaling it up will create the same pixels but bigger, like resizing an existing image.

Anyway, HDMI is a separate display. When I put Linux (instead of Android) on the SD card and run it, then right now I have only HDMI output. Maybe this info will help with further hacking.

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1882 on: March 01, 2024, 04:46:15 pm »
In text (a char array) it's just a matter of setting a null (\0) as the end-of-text flag. If we need to get rid of ".0", and that is always two chars, then probably the easiest way will be to count everything up to the null and after that put another null two places to the left.
Everything is easier here :) Here is a piece of code in which the texts needed to be changed:
Code:
    new-instance v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
    const-string v9, "Probe_10X"
    const/16 v10, 0xf
    const/16 v11, 0xf
    const-string v12, "10"
    const-string v13, ""
    const-string v14, ""
    move-object v8, v0
    invoke-direct/range {v8 .. v14}, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;-><init>(Ljava/lang/String;IILjava/lang/String;Ljava/lang/String;Ljava/lang/String;)V
    sput-object v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;->Probe_10X:Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
    new-instance v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
    const-string v2, "Probe_15X"
    const/16 v3, 0x10
    const/16 v4, 0x10
    const-string v5, "15"
    const-string v6, ""
    const-string v7, ""
    move-object v1, v0
    invoke-direct/range {v1 .. v7}, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;-><init>(Ljava/lang/String;IILjava/lang/String;Ljava/lang/String;Ljava/lang/String;)V
    sput-object v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;->Probe_15X:Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
    new-instance v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
    const-string v9, "Probe_20X"
    const/16 v10, 0x11
    const/16 v11, 0x11
    const-string v12, "20"
    const-string v13, ""
    const-string v14, ""
    move-object v8, v0
    invoke-direct/range {v8 .. v14}, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;-><init>(Ljava/lang/String;IILjava/lang/String;Ljava/lang/String;Ljava/lang/String;)V
    sput-object v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;->Probe_20X:Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
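The smali above builds each ProbeX enum constant by loading the constructor arguments into consecutive registers and calling `<init>(String, int, int, String, String, String)` over that register range. The following is an added example, not code from the thread or from Rigol: it parses that sequence back into (name, ordinal, id, label) and rewrites the label `const-string` lines, which is the edit the post describes (dropping the ".0"). The sample smali embedded in it is constructed to look like the disassembly before that edit; the `Probe_0_1X` entry is invented to show a label that must be left alone.

```python
"""Parse and rewrite the ProbeX enum entries in smali.

Added example, not from the thread or from Rigol. It handles the
new-instance / const-string / const/16 / invoke-direct/range sequence shown in
the post, where ServiceEnum$ProbeX.<init> takes
(String name, int ordinal, int id, String label, String s1, String s2).
"""
import re
from dataclasses import dataclass

# Constructed sample: shaped like the posted disassembly, but with the
# labels as they looked before the decimal places were removed.
SAMPLE_SMALI = """\
    new-instance v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
    const-string v9, "Probe_10X"
    const/16 v10, 0xf
    const/16 v11, 0xf
    const-string v12, "10.0"
    const-string v13, ""
    const-string v14, ""
    move-object v8, v0
    invoke-direct/range {v8 .. v14}, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;-><init>(Ljava/lang/String;IILjava/lang/String;Ljava/lang/String;Ljava/lang/String;)V
    sput-object v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;->Probe_10X:Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
    new-instance v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
    const-string v2, "Probe_0_1X"
    const/4 v3, 0x0
    const/4 v4, 0x0
    const-string v5, "0.1"
    const-string v6, ""
    const-string v7, ""
    move-object v1, v0
    invoke-direct/range {v1 .. v7}, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;-><init>(Ljava/lang/String;IILjava/lang/String;Ljava/lang/String;Ljava/lang/String;)V
    sput-object v0, Lcom/rigol/scope/cil/ServiceEnum$ProbeX;->Probe_0_1X:Lcom/rigol/scope/cil/ServiceEnum$ProbeX;
"""

PROBEX_INIT = re.compile(
    r"^\s*invoke-direct/range \{v(\d+) \.\. v(\d+)\}, "
    r"L[\w/$]+ServiceEnum\$ProbeX;-><init>\("
    r"Ljava/lang/String;IILjava/lang/String;Ljava/lang/String;Ljava/lang/String;\)V"
)
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)? v(\d+), "((?:[^"\\]|\\.)*)"')
CONST_INT = re.compile(r"^\s*const(?:/4|/16|/high16)? v(\d+), (-?0x[0-9a-fA-F]+|-?\d+)")


@dataclass
class ProbeEntry:
    name: str          # e.g. "Probe_10X"
    ordinal: int
    value_id: int
    label: str         # text shown in the UI, e.g. "10.0"
    extras: tuple
    label_line: int    # 0-based index of the const-string line holding `label`


def parse_probex(smali: str) -> list:
    """Track the last constant loaded into each register and recover one
    ProbeEntry per ProbeX.<init> call (register `first` is `this`, the six
    constructor arguments follow it in order)."""
    regs = {}      # register number -> (value, line index it was set on)
    entries = []
    for idx, line in enumerate(smali.splitlines()):
        m = CONST_STRING.match(line)
        if m:
            regs[int(m.group(1))] = (m.group(2), idx)
            continue
        m = CONST_INT.match(line)
        if m:
            regs[int(m.group(1))] = (int(m.group(2), 0), idx)
            continue
        m = PROBEX_INIT.match(line)
        if m:
            first, last = int(m.group(1)), int(m.group(2))
            arg_regs = list(range(first + 1, last + 1))
            if len(arg_regs) != 6 or any(r not in regs for r in arg_regs):
                raise ValueError(f"line {idx + 1}: unexpected ProbeX ctor call")
            args = [regs[r] for r in arg_regs]
            entries.append(ProbeEntry(
                name=args[0][0], ordinal=args[1][0], value_id=args[2][0],
                label=args[3][0], extras=(args[4][0], args[5][0]),
                label_line=args[3][1],
            ))
    return entries


def strip_decimal(label: str) -> str:
    """'10.0' -> '10'; '0.1' and '15' are returned unchanged."""
    return re.sub(r"^(\d+)\.0$", r"\1", label)


def rewrite_labels(smali: str, transform=strip_decimal) -> str:
    """Return the smali with every ProbeX label const-string rewritten."""
    lines = smali.splitlines()
    for e in parse_probex(smali):
        new = transform(e.label)
        lines[e.label_line] = re.sub(r'"[^"]*"', lambda _m: f'"{new}"',
                                     lines[e.label_line], count=1)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for e in parse_probex(SAMPLE_SMALI):
        print(e.name, e.ordinal, e.label, "->", strip_decimal(e.label))
```

Because the register map is keyed by register number and reset by every new constant, the parser does not care which register block (v1..v7 or v8..v14) a given entry uses, which is what makes it usable on the whole enum initializer rather than one hand-picked block.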
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1883 on: March 01, 2024, 04:55:51 pm »
Everything is easier here :) Here is a piece of code in which the texts needed to be changed:

That's a completely unknown language for me. In my case it's only C, some script languages and a little bit of assembler. Maybe I will start to learn this after I run everything on this scope on Linux instead of Android, and that will take some time, because I need not only a working kernel but also the source, or at least the headers, to compile other things. Maybe I will try to run the original kernel (binary from Rigol) as a last resort.

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1884 on: March 01, 2024, 04:56:57 pm »
If anyone wants to try, here is a link to the modified application - https://drive.google.com/file/d/1m7_UzTostQTJtiZSkwr4j9gKpi_M7fQ9/view?usp=sharing
Before installation, you need to uninstall the original application:
Code:
adb uninstall com.rigol.scope
Then install the new one:
Code:
adb install -r Sparrow.apk
Without special steps, the modified application does not have system permissions, so it cannot take screenshots from the Quick button or from the Drive menu. Screenshots can only be taken in web control.
If you need to return the original application, then in the same way, first uninstall the modified one and then install the original one back.
 
The following users thanked this post: enson72, norbert.kiszka

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1885 on: March 01, 2024, 04:59:34 pm »
That's a completely unknown language for me.
Yes, I, too, was not familiar with this language and did not even suspect its existence :) Now I’m studying, I will know another language in addition to those in which I have already written.
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1886 on: March 01, 2024, 05:03:26 pm »
If anyone wants to try, here is a link to the modified application - https://drive.google.com/file/d/1m7_UzTostQTJtiZSkwr4j9gKpi_M7fQ9/view?usp=sharing
Before installation, you need to uninstall the original application:
Code:
adb uninstall com.rigol.scope
Then install the new one:
Code:
adb install -r Sparrow.apk
Without special steps, the modified application does not have system permissions, so it cannot take screenshots from the Quick button or from the Drive menu. Screenshots can only be taken in web control.
If you need to return the original application, then in the same way, first uninstall the modified one and then install the original one back.

Unless you use print screen on a USB keyboard.

But tha... replacing all files on the running scope (instead of using the apk) won't do the trick?

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1887 on: March 01, 2024, 05:08:37 pm »
But tha... replacing all files on the running scope (instead of using the apk) won't do the trick?
No, it won't help. The problem is the wrong key with which the application is signed. Only Rigol has the correct key :)
The only thing that will help is copying the files of the installed application in /system/priv-app/ to the folder created there for this application.
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1888 on: March 01, 2024, 05:14:28 pm »
But tha... replacing all files on the running scope (instead of using the apk) won't do the trick?
No, it won't help. The problem is the wrong key with which the application is signed. Only Rigol has the correct key :)
The only thing that will help is copying the files of the installed application in /system/priv-app/ to the folder created there for this application.

Or maybe bind the Quick button to Android print-screen?

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1889 on: March 01, 2024, 05:21:54 pm »
Or maybe bind the Quick button to Android print-screen?
It’s better to copy it to the system directory, and let it work with privileged rights, as intended by the developers :) I’ll need to write a script for this later and run it via adb shell after installation.
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1890 on: March 01, 2024, 05:37:54 pm »
Or maybe bind the Quick button to Android print-screen?
It’s better to copy it to the system directory, and let it work with privileged rights, as intended by the developers :) I’ll need to write a script for this later and run it via adb shell after installation.

Now I'm a little confused. Maybe I missed something or it's my lack of Android knowledge. Earlier you said uid 0 won't help, as far as I remember.

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1891 on: March 01, 2024, 05:53:19 pm »
Or maybe bind the Quick button to Android print-screen?
It’s better to copy it to the system directory, and let it work with privileged rights, as intended by the developers :) I’ll need to write a script for this later and run it via adb shell after installation.

Now I'm a little confused. Maybe I missed something or it's my lack of Android knowledge. Earlier you said uid 0 won't help, as far as I remember.
There are two ways to make an application privileged: 1 - run it as the user android.user.system (this is written in the application manifest during assembly), 2 - place it in the /system/priv-app directory.
The first method is standard, but it is not available to us, because it requires signing the application with a system key. And we can easily use the second one, thanks to Rigol, who left ADB open with root access :)
With the second method, the application is launched on behalf of an ordinary user, but the system still considers it privileged and gives access to those APIs that are inaccessible to a regular application.
« Last Edit: March 01, 2024, 05:55:06 pm by AndyBig »
 
The following users thanked this post: norbert.kiszka

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1892 on: March 01, 2024, 10:14:00 pm »
@AndyBig, and all others here

Good news, I made your apk take screen shot from the button "Quick"

One sec while I gather up the docs for you. Super easy fix. Nice work on the edits btw.
********************************************
1sec later...  ;)

My edits are via ssh; I left off using adb to push the app back onto the scope. I park it in /system/priv-app/Sparrow/ as 644 root:root, then pm install that apk.


You need to add a perm to AndroidManifest.xml
<uses-permission android:name="android.permission.ACCESS_SURFACE_FLINGER"/>
Recompile, align, sign, reinstall
The launcher should restart scope app in a few sec
Find the uid for com.rigol.scope (ps |grep scope), you'll use this new uid in your platform.xml edit (my example shows u0_a36, your uid might be different)
The pitfall here is, every re-install will get a new uid for the app. I started with u0_a35, my hack failed, I tried again, works. I can create bash script to awk sed the platform file after a app reinstall to make it less pita, etc.


mount -o rw,remount /system

vi /system/etc/permissions/platform.xml
copy-paste the below block in
save file
reboot


Code:
<assign-permission name="android.permission.READ_FRAME_BUFFER" uid="u0_a36" />
<assign-permission name="android.permission.CAPTURE_VIDEO_OUTPUT" uid="u0_a36" />
<assign-permission name="android.permission.CAPTURE_SECURE_VIDEO_OUTPUT" uid="u0_a36" />
<assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="u0_a36" />

<permission name="android.permission.READ_FRAME_BUFFER" >
        <group gid="u0_a36" />
    </permission>
<permission name="android.permission.CAPTURE_VIDEO_OUTPUT" >
        <group gid="u0_a36" />
    </permission>
<permission name="android.permission.CAPTURE_SECURE_VIDEO_OUTPUT" >
        <group gid="u0_a36" />
    </permission>
<permission name="android.permission.ACCESS_SURFACE_FLINGER" >
        <group gid="u0_a36" />
    </permission>

***********************************************
side note for readers, if you want to see what all the code is logging, from ssh just run "logcat /system/log", then touch a knob, or tap screen and see what coords you actually touched. When logcat is idle, you can hit enter a few times to make a space, then touch a scope control, everything is basically logged, which in my opinion we might want to turn off to take some load off the cpu side, not need to log all that stuff unless we trying to debug it.

And sorry I could not hack it as fast as AndyBig has; my dho has been in the box, I only get to play around with it in limited spare time, I am actually reworking my little lab area.
« Last Edit: March 01, 2024, 10:41:55 pm by Randy222 »
 
The following users thanked this post: AndyBig, norbert.kiszka
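The two procedures above (AndyBig's adb uninstall / install -r in reply #1884, and Randy222's platform.xml entries in reply #1892, with the pitfall that every reinstall gives the app a new uid) can be driven from the host instead of edited by hand in vi. The following is an added example, not code from the thread, from Rigol or from Android: it reads the app's uid from `ps` output as the post describes, then rewrites a copy of platform.xml so that exactly one app uid is granted the four permissions, replacing whatever stale u0_aNN entry a previous install left behind. It writes the entries in the same form the post's recipe uses (`assign-permission ... uid="u0_aNN"` and `permission/group gid="u0_aNN"`); whether that form is honoured depends on this firmware's Android version, which is exactly what the post reports. Assumptions: you pull the file with `adb pull /system/etc/permissions/platform.xml`, run this on the copy, and push it back after `mount -o rw,remount /system`; the `ps` lines and platform.xml embedded here are constructed samples. ElementTree drops XML comments when it rewrites the file, so keep a backup of the original.

```python
"""Grant a (re)installed app the platform.xml permissions from the post,
tolerating the app uid changing on every reinstall.

Added example, not from the thread, Rigol or Android. Operates on a pulled
copy of /system/etc/permissions/platform.xml; the samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

PACKAGE = "com.rigol.scope"
PERMISSIONS = (
    "android.permission.READ_FRAME_BUFFER",
    "android.permission.CAPTURE_VIDEO_OUTPUT",
    "android.permission.CAPTURE_SECURE_VIDEO_OUTPUT",
    "android.permission.ACCESS_SURFACE_FLINGER",
)
APP_UID = re.compile(r"u\d+_a\d+")   # app uid names such as u0_a36

# Constructed `ps` output in the toolbox layout (USER PID PPID ... NAME).
SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
root      1     0     8892   644   SyS_epoll 00000000 S /init
u0_a12    1433  224   905216 68120 SyS_epoll 00000000 S com.android.systemui
u0_a36    2170  224   1221696 184332 SyS_epoll 00000000 S com.rigol.scope
"""

# Constructed platform.xml with a stale entry from an earlier install (u0_a35).
SAMPLE_PLATFORM_XML = """\
<?xml version="1.0" encoding="utf-8"?>
<permissions>
    <permission name="android.permission.BLUETOOTH_STACK" >
        <group gid="bluetooth" />
    </permission>
    <assign-permission name="android.permission.READ_FRAME_BUFFER" uid="u0_a35" />
    <permission name="android.permission.READ_FRAME_BUFFER" >
        <group gid="u0_a35" />
    </permission>
</permissions>
"""


def find_app_uid(ps_output: str, package: str = PACKAGE) -> str:
    """Return the USER column of the process whose NAME column is exactly
    `package` (a plain `grep scope` would also match helper processes)."""
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[-1] == package:
            return cols[0]
    raise LookupError(f"{package} is not running")


def grant_uid(platform_xml: str, uid: str, perms=PERMISSIONS) -> str:
    """Return platform.xml text in which `uid`, and no stale app uid, holds
    every permission in `perms`. Existing app-uid entries are updated in place
    so that running this again after a reinstall is idempotent."""
    root = ET.fromstring(platform_xml.encode("utf-8"))
    if root.tag != "permissions":
        raise ValueError("not a platform.xml (root element is not <permissions>)")
    for perm in perms:
        # <assign-permission name=perm uid=...>: keep system uids ("shell", ...)
        # untouched; reuse the first app-uid entry, drop any duplicates.
        app_assigns = [n for n in root.findall("assign-permission")
                       if n.get("name") == perm and APP_UID.fullmatch(n.get("uid", ""))]
        if app_assigns:
            app_assigns[0].set("uid", uid)
            for dup in app_assigns[1:]:
                root.remove(dup)
        else:
            ET.SubElement(root, "assign-permission", {"name": perm, "uid": uid})
        # <permission name=perm><group gid=.../></permission>: same treatment.
        pnode = next((p for p in root.findall("permission") if p.get("name") == perm), None)
        if pnode is None:
            pnode = ET.SubElement(root, "permission", {"name": perm})
        app_groups = [g for g in pnode.findall("group") if APP_UID.fullmatch(g.get("gid", ""))]
        if app_groups:
            app_groups[0].set("gid", uid)
            for dup in app_groups[1:]:
                pnode.remove(dup)
        else:
            ET.SubElement(pnode, "group", {"gid": uid})
    if hasattr(ET, "indent"):      # Python 3.9+; output is valid either way
        ET.indent(root)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def grants_for(platform_xml: str, perm: str) -> set:
    """Names granted `perm`, from both assign-permission and permission/group."""
    root = ET.fromstring(platform_xml.encode("utf-8"))
    names = {n.get("uid") for n in root.findall("assign-permission") if n.get("name") == perm}
    for p in root.findall("permission"):
        if p.get("name") == perm:
            names.update(g.get("gid") for g in p.findall("group"))
    return names


if __name__ == "__main__":
    uid = find_app_uid(SAMPLE_PS)
    print(grant_uid(SAMPLE_PLATFORM_XML, uid))
```

The workflow is then: `adb install -r Sparrow.apk`, read the new uid from `adb shell ps`, run `grant_uid` on the pulled file, push it back and reboot. Because the script updates the existing app-uid entries rather than appending new ones, the file does not accumulate a dead `u0_a35`, `u0_a36`, ... entry per reinstall.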

Offline gabiz_ro

  • Regular Contributor
  • *
  • Posts: 114
  • Country: ro
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1893 on: March 01, 2024, 10:45:25 pm »
Those system keys, where can we find them?
We have a full raw dump of the sdcard.
I don't know about cryptography, but how does the system verify a signature only with a public key?
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1894 on: March 01, 2024, 10:50:11 pm »
Those system keys, where can we find them?
We have a full raw dump of the sdcard.
I don't know about cryptography, but how does the system verify a signature only with a public key?

I think I'm no expert in cryptography, but when you generate a private and public key, then the private key you keep secret and it's used only to sign other stuff, including other keys. The public key is only to verify signed files; that's why it's public.
 
The following users thanked this post: AndyBig

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1895 on: March 01, 2024, 10:53:40 pm »
Those system keys, where can we find them?
We have a full raw dump of the sdcard.
I don't know about cryptography, but how does the system verify a signature only with a public key?
x509 cert signing, that's how.

I will have to say, if verification process needs to run through memory (which it does), then as root you have a way to steal key data. Is it worth the effort? Not for this device.
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1896 on: March 02, 2024, 05:50:11 am »
Those system keys, where can we find them?
We have a full raw dump of the sdcard.
I don't know about cryptography, but how does the system verify a signature only with a public key?
x509 cert signing, that's how.
I will have to say, if verification process needs to run through memory (which it does), then as root you have a way to steal key data. Is it worth the effort? Not for this device.
The public/private key scheme works a little differently. In order to verify a signature with a private key, you only need to know the corresponding public key. This is from the field of asymmetric encryption, where encoding is done with one key from the pair, and decoding is done with the second key. Thus, the system does not need to store the private key, it only needs to know the public key. Therefore, trying to find the private key in the firmware is pointless, it simply isn’t there :)
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1897 on: March 02, 2024, 05:54:57 am »
@AndyBig, and all others here

Good news, I made your apk take screen shot from the button "Quick"

You need to add a perm to AndroidManifest.xml
...
Great, then there is another method for granting high privileges to an application :)
I think that the issue with different uids can be solved by specifying some specific user in the application manifest, but I have not tried this yet.
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1898 on: March 02, 2024, 01:37:39 pm »
Today I wrote and tested scripts to automate the installation of a modified application and grant it privileged rights so that it could take screenshots :)
The archive contains the application itself, as well as two .bat files, a .sh script and a readme. If for some reason it is not possible to run .bat files, then the readme describes all the steps using adb commands to install the application, grant it privileged rights and return to the original application.
The spmod_inst.bat file is used for the initial installation of the modified application and for updating it.
The spmod_uninst.bat file is used to return to the original application after the modified one.
The sysmode.sh file is a script that is copied to the oscilloscope and executed there, it includes all the actions to escalate application privileges.
Archive link - https://drive.google.com/file/d/15znLDczPyQCcPbygPwo7iK6uTHG0mk7z/view?usp=sharing
 
The following users thanked this post: sonic, skench, RAPo, Randy222, norbert.kiszka

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1899 on: March 02, 2024, 04:27:25 pm »
Today I wrote and tested scripts to automate the installation of a modified application and grant it privileged rights so that it could take screenshots :)
The archive contains the application itself, as well as two .bat files, a .sh script and a readme. If for some reason it is not possible to run .bat files, then the readme describes all the steps using adb commands to install the application, grant it privileged rights and return to the original application.
The spmod_inst.bat file is used for the initial installation of the modified application and for updating it.
The spmod_uninst.bat file is used to return to the original application after the modified one.
The sysmode.sh file is a script that is copied to the oscilloscope and executed there, it includes all the actions to escalate application privileges.
Archive link - https://drive.google.com/file/d/15znLDczPyQCcPbygPwo7iK6uTHG0mk7z/view?usp=sharing
Check the other apps in priv-app, are they 644 and not 755? I forget, check it.

Also, that's a lot of scripting,

Take a look at managing user UID with pm.

Example,
before install add a uid using pm without restrictions
then install using pm and the -user switch

If that works a-ok, then you only need to echo into the platform.xml file once, and from there just re-use the same uid during a re-install of the app.

I'll write up a .sh to install the app,.................  uninstall app, create uid , echo into the xml, install app.  But not until mon or tue next week. something like "install.sh [uid] [apk]"
creates the uid, install app, fixes platform.xml, it will also check to see if the install is first time or a reinstall.

@AndyBig, and all others here

Good news, I made your apk take screen shot from the button "Quick"

You need to add a perm to AndroidManifest.xml
...

Great, then there is another method for granting high privileges to an application :)
I think that the issue with different uids can be solved by specifying some specific user in the application manifest, but I have not tried this yet.
priv-app alone does not allow surface flinger for non-system uid. is there a fix just in manifest?
Also to note, we can do this perms thing only because it's an old version of droid, this feature has been deprecated, newer droid REQUIRES system uid to get at surface flinger.


Those system keys, where can we find them?
We have a full raw dump of the sdcard.
I don't know about cryptography, but how does the system verify a signature only with a public key?
x509 cert signing, that's how.
I will have to say, if verification process needs to run through memory (which it does), then as root you have a way to steal key data. Is it worth the effort? Not for this device.
The public/private key scheme works a little differently. In order to verify a signature with a private key, you only need to know the corresponding public key. This is from the field of asymmetric encryption, where encoding is done with one key from the pair, and decoding is done with the second key. Thus, the system does not need to store the private key, it only needs to know the public key. Therefore, trying to find the private key in the firmware is pointless, it simply isn’t there :)
That's not the point. The pub key is held in a trusted/protected area, just as when using key auth for ssh: there's no private key on the system, right, but it verifies only with a "trusted" pub key. The goal would be to find out how to add your pub key to the system keystore, and memory hacking is a way to do that. Once you can add your pub key to that protected keystore, then anything you sign with your private key will be trusted by the system.
« Last Edit: March 02, 2024, 04:41:13 pm by Randy222 »
 
The following users thanked this post: AndyBig, RAPo, norbert.kiszka
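The exchange above (gabiz_ro's question in reply #1893, AndyBig's answer in #1896 that only the public key is on the device, and Randy222's point in #1899 that what matters is which public keys the verifier trusts) as an added example that is not part of the original thread and is not Android's signature code: a toy textbook RSA signature over SHA-256, with signing possible only with `d` and verification needing only `(n, e)`, plus a device-side trust store that holds public keys only and accepts a package only when the signer's key is in it. The 512-bit keys and the missing padding make this unusable as a real scheme (APK signing uses padded RSA or ECDSA under X.509 certificates, as Randy222 says); it exists to show the asymmetry, and every key and "package" here is generated at run time.

```python
"""Sign with a private key, verify with the public key only, and show that
the device's decision rests on its trust store of public keys.

Added example, not from the thread, Rigol or Android. Toy textbook RSA with
256-bit primes and no padding: demonstrates the asymmetry, is NOT a usable
signature scheme.
"""
import hashlib
import secrets
from math import gcd


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (after trial division by small primes)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full width, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public, private) with public = (n, e) and private = (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the data as an integer below n (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    """Only the holder of d can do this: s = H(m)^d mod n."""
    n, d = private
    return pow(_digest_int(data, n), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    """Anyone holding (n, e) can check: s^e mod n == H(m). d is never needed."""
    n, e = public
    return 0 < sig < n and pow(sig, e, n) == _digest_int(data, n)


def fingerprint(public) -> str:
    """Stand-in for the certificate digest a platform pins: SHA-256 over (n, e)."""
    n, e = public
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")
                          + e.to_bytes(4, "big")).hexdigest()


class TrustStore:
    """The device side: public keys only, keyed by fingerprint."""

    def __init__(self, *trusted_publics):
        self._keys = {fingerprint(pk): pk for pk in trusted_publics}

    def add(self, public):
        """What an attacker with write access to the store would do."""
        self._keys[fingerprint(public)] = public

    def accept(self, signer_public, data: bytes, sig: int) -> bool:
        """A package carries its signer's public key; accept it only if that
        key is trusted AND the signature verifies under it."""
        return fingerprint(signer_public) in self._keys and verify(signer_public, data, sig)


if __name__ == "__main__":
    vendor_pub, vendor_priv = generate_keypair()
    device = TrustStore(vendor_pub)            # only the public half is on the device
    pkg = b"constructed package bytes"
    print("vendor-signed accepted:", device.accept(vendor_pub, pkg, sign(vendor_priv, pkg)))
```

Dumping the SD card therefore yields `vendor_pub` (or the certificate carrying it) and nothing that lets you produce a valid `sign(...)`; what root access on the scope does give you is the ability to call the equivalent of `device.add(my_pub)`, which is the path Randy222 describes.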

