Hacking the Rigol DHO800/900 Scope

[ebastler]

Answering both of those questions is not going to help you sign software as Rigol.

But wouldn't it help you sign software as "someone who can sign software which gets all privileges on this scope"? Create your own private key, place the corresponding public key in the scope's store for trusted keys, then sign apps with your own private key -- and the scope should accept them?

I understand that the public keys for "trusted keys", stored in the scope, are secured in some way for that very reason. (In a TPM module in the SOC?) So this may not be an approach that works in practice. But if one could add a new public key, it should do the trick, right?

[AndyBig]

But wouldn't it help you sign software as "someone who can sign software which gets all privileges on this scope"? Create your own private key, place the corresponding public key in the scope's store for trusted keys, then sign apps with your own private key -- and the scope should accept them?

I understand that the public keys for "trusted keys", stored in the scope, are secured in some way for that very reason. (In a TPM module in the SOC?) So this may not be an approach that works in practice. But if one could add a new public key, it should do the trick, right?

No. There is a key that signs the kernel assembly. The system application must be signed with the same key, and not some other one, even if it is also super trusted

[shapirus]

Answering both of those questions is not going to help you sign software as Rigol.

But we don't need to. We need to sign APKs with a key that the system would trust. How do we make it trust a key? Right, we add the respective public key to the keystore.

[shapirus]

No. There is a key that signs the kernel assembly. The system application must be signed with the same key, and not some other one, even if it is also super trusted

Then how/when exactly are these keys compared?

[AndyBig]

No. There is a key that signs the kernel assembly. The system application must be signed with the same key, and not some other one, even if it is also super trusted

Then how/when exactly are these keys compared?

I don’t know such details, but I think that the signature of the kernel itself is checked during boot using the key specified as system. In fact, we need to re-sign the kernel itself with our key in order to be able to sign system applications in the future.
But I could be wrong.

[Mechatrommer]

yeah! especially an MSO that you can get at ~$600 including LA probe up the game? probably 1-2GSps MSO? buy siglent SDS800X! and those AFG and LA module sold separately. (ps: i dont mind mentioning the name here as i sense rigol fanboys dont get easily insulted )

FWIW I don't think the DHO900 is a very good purchase for the LA.
(and I never have...)
If there was a DHO800 with AWG optino for $100 more? That would be cool...

maybe i was not clear enough... MSO at ~$600 with LA probe and AWG module and function such as bode plot included... granted LA and AWG GUI is at stage of toyish level, but lets hope it can be better with FW upgrade from rigol and hack route fropm users.

[AndyBig]

Here is a good battery for an oscilloscope, enough for a whole day of work, 28 lithium cells with a capacity of 3200 mAh each  

[Fungus]

Answering both of those questions is not going to help you sign software as Rigol.

But we don't need to. We need to sign APKs with a key that the system would trust. How do we make it trust a key? Right, we add the respective public key to the keystore.

Don't those keys need to be signed by the master key?

[Fungus]

Here is a good battery for an oscilloscope, enough for a whole day of work, 28 lithium cells with a capacity of 3200 mAh each  

How many days to charge that?

[Mechatrommer]

Here is a good battery for an oscilloscope, enough for a whole day of work, 28 lithium cells with a capacity of 3200 mAh each  

How many days to charge that?

thats a 28-35 li-on batteries that costs $3 each the cheap and descent capacity... hence we are talking about $85-$100 cost... not to mention assembling them. if i want that kind of setup, i just buy a small 4Ah SLA battery. easier to setup and charge, but that just me maybe.

[shapirus]

Don't those keys need to be signed by the master key?

Whatever the "master key" is, it is at the end of the day still compared against a known public key, stored somewhere. That may ultimately end up being in the bootloader, but as long as it is unlocked, we should be able to modify it as we wish. But how exactly it is done, I have no idea. Depends on implementation.

[shapirus]

if i want that kind of setup, i just buy a small 4Ah SLA battery

...which won't last an hour.

[AndyBig]

How many days to charge that?

Three or four hours

thats a 28-35 li-on batteries that costs $3 each the cheap and descent capacity... hence we are talking about $85-$100 cost... not to mention assembling them. if i want that kind of setup, i just buy a small 4Ah SLA battery. easier to setup and charge, but that just me maybe.

Yes, their cost is about that. But this, of course, is a joke. I just repacked this battery with new cells today In general, I’m thinking about assembling an external battery with 8 or 12 of these cells - 4S2P or 4S3P. For a voltage of 12-16 volts and a capacity of 6400 or 9200 mAh.

[Fungus]

I'm getting one of these:

[Mechatrommer]

if i want that kind of setup, i just buy a small 4Ah SLA battery

...which won't last an hour.

i mean the normal SLA car battery 40Ah still cheaper... or we can just make a cigarette plug for it.

[Flori444]

I installed RLU and BW7T10 options on a DHO804 with FW 00.01.02
100M BW works (no entry in option list, only "Max BW: 100M" in "Model").
But the 50M memory option does not show up in UI and I can select 50M only on CH2, every other channel is limited to 25M (single channel mode of course)
If I try to apply the RLU code again it says "option already activated".
I tried changing model to 814 and replacing contents of RLU.lic with the fresh generated one for 814, but it does not change anything.

Am I doing something wrong or is this a bug?
EDIT: ebastler is right, trigger on CH2 

Regarding fan noise: I just added 100Ohm in series to the stock fan, not noticeable anymore. CPU stays below 70°C (50°C in idle) at 20°C ambient, heatsink is 45-50°C. So maybe something around 70Ohm would be better.

[AndyBig]

I'm getting one of these:

Such a suitcase probably weighs as much as five oscilloscopes? 

[AndyBig]

i mean the normal SLA car battery 40Ah still cheaper... or we can just make a cigarette plug for it.

You will also need to buy a cart for it )

[ebastler]

I can select 50M only on CH2, every other channel is limited to 25M (single channel mode of course)

You are probably still triggering on channel 2? So that channel is still active, even if it is not displayed, and will take up its share of the memory. If you display and trigger from CH1 (or 3 or 4) only, you should have the full memory available for them.

[Fungus]

i mean the normal SLA car battery 40Ah still cheaper... or we can just make a cigarette plug for it.

You will also need to buy a cart for it )

Good idea! It can power the cart, too...

[ebastler]

@Fungus -- don't attach that battery to your VESA mount! 
(Well, maybe it can serve as the base for a VESA mount...)

Does the price of that no-name battery include fire insurance?

[norbert.kiszka]

@AndyBig You are familiar with APKLab. I tried probably everything. I can deassemble original apk, rebuild it and install.

Same with apk from You - Your changes are visible. But when I made my own modifications in decompiled code (in many files at the same time, including displayed text) rebuild and install it, nothing is changed. I tried older versions of apktool (of course I changed APKLab config and to be sure I deleted ~/.apklab/apktool_2.9.3.jar).

Is there maybe some cache preventing changes?

BTW. Its hard to search thru this topic with that many posts. Can You give me url to Your repo?

[AndyBig]

@AndyBig You are familiar with APKLab. I tried probably everything. I can deassemble original apk, rebuild it and install.

Same with apk from You - Your changes are visible. But when I made my own modifications in decompiled code (in many files at the same time, including displayed text) rebuild and install it, nothing is changed. I tried older versions of apktool (of course I changed APKLab config and to be sure I deleted ~/.apklab/apktool_2.9.3.jar).

Is there maybe some cache preventing changes?

No, there are no caches there, all changes are applied directly, without additional actions.
What files exactly did you change? Was the modified file taken from the /dist directory?

BTW. Its hard to search thru this topic with that many posts. Can You give me url to Your repo?

Yes, of course - https://github.com/Andy-Big/DHO800_900_Sparrow_project

[norbert.kiszka]

What files exactly did you change? Was the modified file taken from the /dist directory?

Exactly. After every rebuild date/time of this new apk was changed to actual. Even I tried to to manual installation with same result.

However... Now i tried to move generated apk into another folder, unpack+dissasemble it and rebuild it back - looks like it works (because of crash...). Of course that is not good way to test changes.

Maybe now I try to make it from beginning from Your repo.

BTW. FPGA Image from DHO1000 works, however after reflashing I see no changes - not at all. BTW2. PLL is driven by a kernel module.

Edit:

What files exactly did you change?

Mostly inside: smali_classes2/com/rigol/scope

[AndyBig]

However... Now i tried to move generated apk into another folder, unpack+dissasemble it and rebuild it back - looks like it works (because of crash...). Of course that is not good way to test changes.

I haven't encountered anything like this. I disassembled it through APKLab, and put it back together through it - everything worked.

Mostly inside: smali_classes2/com/rigol/scope

Well, yes, that's right. I just thought that maybe you changed the .java files, then nothing will really happen, these files are not involved in the build