Hameg R&S HMO scope licenses not available anymore

[artag]

It's a $765+$1550 option and some people still seem to be selling it. Others are showing no stock of the voucher, but R&S still seem to processing the vouchers even if they've stopped on the HMO.

The information might need some thought, but it's all there. I didn't know how to use it either but it didn't take much research to find out. I'm not aware that doing it wrong would screw anything up, but I don't really want to risk that on someone else's equipment.

For what it's worth .. the TG is not very fancy. It's certainly not as functional as a proper signal generator. $765 is overpriced imho.

[pegasu]

I don't really understand this key system with the serial number that's why I asked to do it for me.
It's a shame that there isn't a small program that can generate this key with the serial number
For me more than 700 is way too expensive
Too bad I couldn't Upgrade my HMS-X.....

[electr_peter]

Does someone have a valid license key for Hameg/R&S equipment in a "SERIALNUMBER.hlk" file? Looking at the manuals of scopes I see slightly different info, real example would be appreciated. License keys or s/n are not needed, just the formatting.
I am checking documentation on R&S and Hameg equipment and licenses (HMO/RTC/RTB/RTM/RTA scopes, HMC devices). There is a mention of "SERIAL NUMBER.hlk", "SERIALNUMMER.hlk" files with license code, presumably formatted in this fashion:

Code: [Select]

0123456789ABCDEF0123456789ABCDEFHowever, format above does not work - it is probably much more complex than this.

[electr_peter]

HMC* series devices from Hameg/R&S seems to follow the same licensing scheme as mentioned above.

[pegasu]

Hello:
Anyone to help me get this license key for my HMS-X please ?

[Cold North]

Hi, I tried the above for my HMO 1002, wrote a key generator, but didn't have much luck. So, based on the information above more reverse-engineering was called for. Now, I should really know my way around e.g. Ghidra, but in actual fact I'm not that useful when it comes to actual work... However, my son is!  So combining our efforts, mostly his, we delved a bit deeper.

The first clue came straight from the user manual(!):

(See attached image, can't get it to show here...)

If one decrypts (using the 256 bit AES key above) the first three keys listed in the manual one gets (hex):

2f31c100 02000000  00000000  00000000
2f31c100 08000000  00000000  00000000
2f31c100 07000000  00000000  00000000

i.e. little endian 32 bit words, where first is serial number, second feature, and then zeroes. In this case the serial number of the scope used in the manual is: 012 661 039 decimal as listed by the scope (for complete test vectors).

It's of course amusing that information is leaked like this in the product manual.

Now, continuing the reversing we found that the file format for license keys is fairly straightforward: The license key file is a straight text file with one key per line. If the first character of the line is a '#' the rest of the line is ignored (i.e. a comment) and then the keys themselves are just 32 hex characters (case doesn't matter) and begun by "KEY:"

So the key in the example in the manual would be written:

KEY:fd907d5ba47... etc.

The only thing left to dig out was the actual features which obviously vary from scope model to model. We found that 0x11 erased all license (good to know for testing), and that the function that prints information about the licences write "Not available" (or words to that effect) and doesn't parse the license further if the feature is greater than 0x28.

So as the parsing routine doesn't abend when its given an invalid key, but just skips to the next, we didn't actually reverse which features correspond to which codes, we just generated a file with all possible features (except 0x11 of course) and just ran that. Which had the intended effect. (It's of course equally possible to generate one license file per feature to map them out, we didn't bother).

Since we reversed the license key file format, experimenting becomes much, much more tractable than having to enter them by hand (which is somewhat painful).

So, even if there is still much to do reversing-wise (we used the latest firmware and Ghidra even found an ELF in there) all the features have been cracked, and writing a key-generator is of course trivial given knowledge of the serial number. (I don't know about how you usually think about that, so I refrain from posting code.)

Many thanks to the people who posted the information earlier in the thread, standing on the shoulders of gigants and all that, continuing was much, much easier.

[electr_peter]

Now, continuing the reversing we found that the file format for license keys is fairly straightforward: The license key file is a straight text file with one key per line. If the first character of the line is a '#' the rest of the line is ignored (i.e. a comment) and then the keys themselves are just 32 hex characters (case doesn't matter) and begun by "KEY:"
So the key in the example in the manual would be written:

Code: [Select]

KEY:fd907d5ba47... etc.

Excellent info

[homerjs]

Working 
thx to all

[homerjs]

PS: the "key gen" is openssl   

[nikifena]

Hi guys, let me share my experience, but first many thanks to Cold North!

I wasn't able to generate the keys by myself. I have different skills, but I have a friend with good programming experience, and he helped me by generating some keys.  I gave him all the information given by Cold North plus the serial number of my scope. He didn't know the exact feature number, but he put a lot of keys into a single text file using this order:

KEY:**********
KEY:**********
etc.

Most of the keys were wrong, but there were also all working keys. Each key was written in a new line, and finally I changed the name of this text file to serialnumber.hlk


Then I loaded the file from the scope, and now I have all options available


Many thanks to Cold North!

[AJ3G]

Rich:

I am personal friends with another current R&S Applications Engineer, as he worked with me at another company. I too tried to get S/W Option keys for some of the Legacy R&S/Hameg equipment. In this case it was a 500MHz Scope, which had been discontinued. I was willing to pay for those options, but simply could not find them anywhere.

Despite his position in R&S he too could not get his hands on any of the licenses to open up some of the features of the scope. I agree with others here, these really ought to be supported for those that do have older scopes. It would be great if they were free, but providing a paid for option for a scope that is less than 10 years old does not seem like a poor business practice to me, especially when you consider the customer who typically buys a HMO series.

Rich

[Cold North]

PS: the "key gen" is openssl   

Ugh!  I hate the convoluted mess that is openssl with a burning passion! It probably took me less time to write C/Python to do the same thing originally, but you can indeed persuade openssl to do your bidding (I had to try just for "fun"). No it actually wasn't that bad as this is a relatively simple task.

I found xxd useful to convert between hex and binary (both ways). And wouldn't be fun without test vectors.

[avkas]

Hello,
Please could you send me the keygen?
Thaks

[pegasu]

Hello,
For an RTB2000 oscilloscope has anyone managed to unlock the options ?

[randolfss]

On the RTB2000 oscilloscopes (and probably most other current R&S equipment) there are device-specific keys programmed into the device at the factory that are used to validate the option keys. If you have your device-specific keys, then generating option keys is easy enough- it's just a few layers of 3DES-CBC encryption with some bit shuffling along with a truncated RIPEMD160 hash. The most straight-forward way to dump your device keys would be through the JTAG interface if you are willing to open your oscilloscope and plug something in to the debug port.

[Neurosurg]

Hi,
I went in possesion one of this exellent scope HMO1002 (HMO1102, BW ihas a code key licence") as a prezent from my Director of Physics Institute where I worked They should do more out of them and buy me although RTO1044... dream)
Comming on planet, this scope is exelent, the smallest in my lab, silent no fans, ultra light. But in the section Software licences) I have only one extended BW up to 100MHz.
Please describe mi in easy way what should I do to get a valid Key-s for other OPTIONS.
Have you seen a keygen for this, i"m not good in IT. But see that a few person unlocked the scope after the mail describing the revers proces engenering.

Thanks a lot,
Michael.

[Neurosurg]

Another quesstion: for mso is obtained to have a ori probe or computer standard connecting tape works fine? Or mayby it can damage the digital chanells wich I don't wanna do ?

[Grubi]

Anyone have success with RTH1004? I bought it fully unlocked with demo license few years ago,
and it still stays like this, becasue was not used too much and clock is still staying few years back.
I guess best possibility is to calculate same demo key for one year (unlocking all features),
and more difficult be to calculate all different licenses. Appreciate if someone try to unlock
and have good or bad results - and share those. I ask R&S few times., but they just want me to pay one more RTH1004...
instead of calculate some decent price for unlocking full potential of the instrument.

[hazzer]

this link might be useful... its describes how to get hex in and out of openSSL
- openSSL isn't that user friendly to a novice ... rem you want the output as a 32bit hex word.....

https://stackoverflow.com/questions/38082644/how-to-generate-the-output-in-hexadecimal-in-openssl

stick with it.... and you will get there ....

H

[paddySparks]

Go raibh maith agat Hazzer & big thanks to everyone else for info 

For those with HMO1202 here are hex offsets
# Offset 02 - HOO10 - Serial trigger
# Offset 07 - HOO11 - serial trigger with CAN and LIN
# Offset 08 - HOO12 - Serial trigger analogue
# Offset 11 - Remove all licences / demo time expired
# Offset 26 - HOO312 - Bandwidth 200 MHz
# Offset 28 - HOO313 - Bandwidth 300 MHz

[tv84]

for info....
serial number 012661039 byte flipped becomes 3092929 which is 2F31C100 in hex

  This is incorrect.

The decimal number 012661039 corresponds to 0x00C1312F in hex representation. The "2F 31 C1 00" is how it is stored in little-endian format.

There is no flipping of decimal numbers and much less 3092929 is the same as 2F31C100 in hex.

All the stuff talked about in this page is sufficient "rocket science" enough for most people, no need to make it harder.

[wappendorf]

Does anyone know if this AES key is valid for HMS1000 Spectrum Analyzer?

What is the feature code for Preamplifier option unlock?

Thank you very much!

[artag]

The HMS-X is a lot like it's predecessors HMS-3000 and HMS-1000 and the AES key is the same used on other products, such as the 'scope. So I'd think there's a good chance it will work. And nobody here has reported bricking anything, just failure to apply incorrect keys.

The options for the HMS-X are

11 - delete all options
12 - invalid option (but maybe does something on an older instrument ?)
13 - EMC options (preamp, 9kHz bandwidth, quasi-peak detector)
14 - Tracking generator
15 - 3GHz bandwidth

I have no way of knowing if these are also applicable to the HMS-1000, though.

[wappendorf]

Hi!

I am trying to make it work on my HMS-1000 and I keep getting error (-23) Invalid input, both reading from the file or manually entering the code.

I use the following algorithm:

• I compose the uncyphered unlock code as 32 bytes byte string: <serial code, little endian 4 bytes> + <feature code, little endian 4 bytes> + <0x00 - 8 bytes>
• I use AES256 cypher to obtain cyphered code
• I write the cyphered code to the file 'SERIAL NUMBER.hlk', prepending with 'KEY:'
  

Is this Ok? I am not using any kind of CRC

Kind regards,
 

[Cold North]

Hi, well, there’s something off… The blocksize of the encryption is 128 bits, yet you say 32 byte ”byte string”.

So just to be clear, you should have 16 binary bytes when you’re done, not 32.

If you check my post above, you’ll find the serial number the, the feature vector and the encrypted key (in the screen shot in the manual).

So check that to make sure that you can get the same results with that data before you try with your own serial number, etc.