Author Topic: Hameg R&S HMO scope licenses not available anymore  (Read 36550 times)


Offline tv84

  • Super Contributor
  • ***
  • Posts: 3319
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #25 on: November 09, 2020, 07:31:08 pm »
AES-256 key for HMOxxxx .HFU packages:

2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409

Parsing of HAMEG_FW_HMO1524_HMO2024_04_531 firmware:
00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 0004038C  [00000400-0004078B]
00000006   Section 2 Size: 00490E24  [0004078C-004D15AF]
0000000A  Section 1 CRC16: 93B5    CRC OK
0000000C  Section 2 CRC16: 80A8    CRC OK
0000000E             ????: 0x10130000
0000001E            Model: HMO_A24
0000002E       FW Version: 04.531
0000003E     Release Date: 2015-07-27
0000004E             ????: 16668.14471
0000005E      Compilation: Build 34649 built on 2015-07-27 10:03:31 by MaG? [04.531 - HCL: 02.015 - MesOS: 03.222]
0000015E  (???) Hash Type: 2
00000198            Build: 34649
000001AA Section 1 SHA256: 8F218EEC05C6B6894FF6B85A87349B0F    HASH OK
000001CA Section 2 SHA256: FAFD8282DA34598936B85C8FC7CFDE94    HASH OK
000003FE     Header CRC16: 9CB0    CRC OK
--------------------------------------------------------------------
0004078C **** SubSection 0x80 ****
0004078D  SubSect Hdr Size: 0025
0004078F   SubSection Size: 00003493  [000407B1-00043C43]
00040793  SubSection CRC16: 3416    CRC OK
000407AB     Contents Size: 0000348E  [000407B4-00043C41]
000407AF SubSect Hdr CRC16: FFB1      [0004078C-000407AE]    CRC OK
000407B4 BMP (640x480 pixels - 8 bits / compr.: 1)   [000407B4-00043C41]
00043C44 **** SubSection 0x11 ****
00043C45  SubSect Hdr Size: 0025
00043C47   SubSection Size: 0048D937  [00043C69-004D159F]
00043C4B  SubSection CRC16: 1026    CRC OK
00043C63     Contents Size: 0048D932  [00043C6C-004D159D]
00043C67 SubSect Hdr CRC16: E88A      [00043C44-00043C66]    CRC OK
00043C6C Bootloader Programmer
« Last Edit: November 16, 2020, 06:57:18 pm by tv84 »
 
The following users thanked this post: Xyphro, artag, nicnac117

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 837
  • Country: es
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #26 on: November 10, 2020, 12:27:46 pm »
"subsection 0x11" load address 0x10000, CPU Renesas SH2A
RAM segments:
D5F97D0-D617F7E copy from 341784
D617F80-D61BA28 copy from 35FF34
D61BA30-D917990 zero init
FFF84000-FFF8A874 copy from 3639DC

Some interesting functions:
00054E28: SCPI DIAGNOSTIC:SERVICE:LICENCE:INVALIDATE handler
0005D47C: SCPI DIAGNOSTIC:SERVICE:LICENCE:STATUS handler
0005D5C8: SCPI DIAGNOSTIC:SERVICE:LICENCE:SET:KEY handler

The key should look like 32 hex chars, CRC16-CCITT (0x1021 poly) is a part of validation algo.

Upd:
- the key is converted to 16 bytes binary
- decrypted with AES-256 ECB using key pointed to by [0D82C33C]
- byte order is swapped in each 4-byte group
- the result is passed to int func_00176830(uint32 key_decr[4]) for validation:

- key_decr[0] == [dword_D82C340] - instrument id ?
...

Many important things are pointed by fields of some struct starting at D82C330.

Looks like there is no validation at each power up (it is done at installation time, then option data is stored in a plain form somewhere), so with debug adapter and flash access it could be possible just to add more option records to that storage without reversing the key generation. But after getting that AES key from [0D82C33C]-> the rest could be trivial. A RAM dump would help a lot.
« Last Edit: November 10, 2020, 01:28:32 pm by abyrvalg »
 
The following users thanked this post: nicnac117

Offline tmbinc

  • Frequent Contributor
  • **
  • Posts: 253
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #27 on: November 10, 2020, 02:21:32 pm »
This sounds _very_ similar to the HMS-X spectrum analyzer. Same AES key for firmware decryption, same license crap.

From my notes - sorry, this was ~2015 - a license key is an AES-encrypted tuple of 4 little-endian words. First word is the serial number, second word is the "Feature" to enable, third word is "0", fourth word is "1" (or maybe it's don't-care?). The AES key starts with 86BA...
Feature was either 0x11, 0x13, 0x14, 0x15 on the HMS-X, but one of them was a reset key that cleared all options. (Which is super annoying when you need to enter 3x32 hex digits via the front panel again)

What I don't see here though is the CRC16 CCITT, so maybe things _are_ different.

I'm really not a fan of posting keygens here, but if these are unobtainium for otherwise EOL'ed devices, I care less.
 
The following users thanked this post: artag, electr_peter

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3319
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #28 on: November 10, 2020, 03:05:22 pm »
key pointed to by [0D82C33C]

86BAFEC912C42A0D424E01DEBEE7A1530722004569CA0D052F617380FFAD59FE
 
The following users thanked this post: hazzer, artag, electr_peter, tmbinc, homerjs

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3319
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #29 on: March 17, 2021, 06:21:09 pm »
It seems the method described in the previous messages works!
 

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #30 on: March 17, 2021, 09:16:00 pm »
Should this also work in the old Hameg Brand HMO3524?

So I have to create my "key" according to the message above, then encrypt it with AES using the posted key, and enter this into the scope?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3319
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #31 on: March 17, 2021, 09:25:46 pm »
My guess would be 'yes' to both but I've never dealt with one.
 

Offline Noy

  • Frequent Contributor
  • **
  • Posts: 361
  • Country: de
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #32 on: April 01, 2021, 07:03:28 pm »
Thanks to tv84, he verified that it is also possible for the old Hameg brand HMO devices.
 

Offline artag

  • Super Contributor
  • ***
  • Posts: 1249
  • Country: gb
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #33 on: April 04, 2021, 08:38:03 pm »
Confirmed to work on HMS-X as tmbinc describes.

The option numbers are not similar to the licence numbers (HV211 etc). 0x11 deletes all options (heart in mouth moment as I already had two of them installed at the factory) and 0x12 is invalid.
 

Offline MichalZ

  • Contributor
  • Posts: 23
  • Country: pl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #34 on: May 14, 2021, 06:37:02 am »
Hello.
Finally I have a response from Rohde & Schwarz about loading firmware 4.206 to Hameg HMO3522 or HMO3524.

This is the mail from the Service Coordinator in Hungary, where the service center for the EU apparently is:

Please be informed about that for modification to be able to do the fw upgrade there is no spare part needed, but some components on digital acquisition board need to be changed.
Unfortunately this action can not be offered free of charge like FW update on other devices. We can do this modification including FW Update as a part of R&S® Manufacturer Calibration product.
So this small HW change will be covered in calibration product.

As for this please find attached our offer about mentioned calibration including the necessary modification and fw update.
Thank you for your understanding and cooperation!



And this is the price proposal:

1. CAL-MAN                            Part Number: 5930.0015.00
R&S®Manufacturer Calibration:
- Calibration certificate incl. compliance statement
- ISO 9001 certified and in line with ISO 17025
- Measurement of complete product specifications with the same procedures as used in production, incl. measurement uncertainties/guardbanding
- Documentation of calibration results upon receipt
- Adjustments to optimize the product parameters to after production condition when needed and documentation of after adjustment parameters
- Preventive maintenance/perform. modifications
R&S®Manufacturer Calibration
Type: HMO3524
Man.: ROHDE & SCHWARZ
Serial no.: n.a.
Ident no.: 3594.4680.24
350MHz Mixed Signal Oscilloscope, 4 Channels
Delivery time: 2 weeks

Price:  317.00Euro


2. GENCOSTS              Part number:  3642.9623.06
Freight - Customized
Return delivery.
Price: 55.00Euro

Total Net Price: EUR372.00


So it looks like customers have to pay for the manufacturer's project/production mistakes/failures.

This is not cool.  :--
 
The following users thanked this post: 2N3055

Offline Neper

  • Frequent Contributor
  • **
  • Posts: 543
  • Country: de
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #35 on: May 14, 2021, 01:01:49 pm »
That's R&S for you. Many years ago, I bought an R&S HE011 active antenna from them. Cost over 1000 deutschmarks which was a lot of money at the time. A year later, there was a lightning strike in the close vicinity and I phoned them to ask if I could send the antenna in to have it checked, only to be told that this was a "non-service-item". I should just bin it and buy another one. Haven't bought anything from them since.

And their customer service has been moved to Hungary, of all places? Yet another example of the EU's double standards. Our governments complain about Orban's neo-fascist regime and our industry profits from his low wages and the dismantling of workers' rights.
If I knew everything I'd be starving because no-one could afford me.
 

Offline BreakingOhmsLaw

  • Frequent Contributor
  • **
  • Posts: 372
  • Country: de
  • Certified solder fume addict
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #36 on: May 14, 2021, 01:22:50 pm »
Yeah, R&S support is abysmal. They recently dumped the entire support for older Hameg equipment and now that's in the hands of a small company called Sky.
They do an even worse job and don't even respond to requests, not even a friendly "f*#% off, peasant!"

R&S living up to their German nickname. We call them "Rostig & Schwer" here. ("Rusty and heavy").


 
The following users thanked this post: artag

Offline TRN

  • Supporter
  • ****
  • Posts: 131
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #37 on: May 21, 2021, 04:48:10 pm »
I just stumbled across this post, and have a question.

When I use binwalk -B on the decrypted HAMEG_FW_HMO1524_HMO2024_04_531 firmware, it does not find a main binary (ELF), but only:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
177400        0x2B4F8         CRC32 polynomial table, big endian
264116        0x407B4         PC bitmap, Windows 3.x format,, 640 x 480 x 8
3125508       0x2FB104        CRC32 polynomial table, big endian
3129604       0x2FC104        CRC32 polynomial table, little endian
3133715       0x2FD113        Copyright string: "Copyright 1995-2005 Jean-loup Gailly "
3255235       0x31ABC3        Copyright string: "Copyright 1995-2005 Mark Adler "
3258896       0x31BA10        GIF image data, version "89a", 25381
3259696       0x31BD30        CRC32 polynomial table, big endian
3260828       0x31C19C        SHA256 hash constants, big endian
3261422       0x31C3EE        Copyright string: "Copyright (c) 1998-2010 Glenn Randers-Pehrson"
3261468       0x31C41C        Copyright string: "Copyright (c) 1996-1997 Andreas Dilger"
3261507       0x31C443        Copyright string: "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."
3432368       0x345FB0        Zlib compressed data, best compression
3433524       0x346434        Zlib compressed data, best compression
3433928       0x3465C8        Zlib compressed data, best compression
3437696       0x347480        GIF image data, version "89a", 222 x 29
------------------------------------------------------------------------------
------------------------------------------------------------------------------
3556212       0x364374        GIF image data, version "89a", 218 x 257
3561137       0x3656B1        PC bitmap, Windows 3.x format,, 640 x 480 x 8
3565159       0x366667        PC bitmap, Windows 3.x format,, 640 x 50 x 8
3569439       0x36771F        PC bitmap, Windows 3.x format,, 640 x 50 x 8
3574003       0x3688F3        PC bitmap, Windows 3.x format,, 640 x 50 x 8
3575551       0x368EFF        PC bitmap, Windows 3.x format,, 250 x 400 x 8
3588149       0x36C035        PC bitmap, Windows 3.x format,, 640 x 480 x 8
3703088       0x388130        PNG image, 323 x 207, 8-bit colormap, non-interlaced
3779696       0x39AC70        Zip archive data, at least v2.0 to extract, compressed size: 331086, uncompressed size: 520561, name: 1G0K010.rbf
4110851       0x3EBA03        Zip archive data, at least v2.0 to extract, compressed size: 34729, uncompressed size: 62902, name: MC_EP2C5F256VK11.rbf
4145658       0x3F41FA        Zip archive data, at least v2.0 to extract, compressed size: 796, uncompressed size: 4986, name: I2C.HDS
4146519       0x3F4557        Zip archive data, at least v2.0 to extract, compressed size: 791, uncompressed size: 4986, name: SSPI.HDS
4147376       0x3F48B0        Zip archive data, at least v2.0 to extract, compressed size: 801, uncompressed size: 4986, name: UART.HDS
4148243       0x3F4C13        Zip archive data, at least v2.0 to extract, compressed size: 506691, uncompressed size: 1234318, name: hm_chin13.hft
4655005       0x47079D        Zip archive data, at least v2.0 to extract, compressed size: 370623, uncompressed size: 1060402, name: hm_chin14.hft
5025699       0x4CAFA3        Zip archive data, at least v2.0 to extract, compressed size: 1881, uncompressed size: 5624, name: hm_sz10.hft
5027649       0x4CB741        Zip archive data, at least v2.0 to extract, compressed size: 2091, uncompressed size: 6508, name: hm_sz12.hft
5029809       0x4CBFB1        Zip archive data, at least v2.0 to extract, compressed size: 2186, uncompressed size: 6948, name: hm_sz13.hft
5032064       0x4CC880        Zip archive data, at least v2.0 to extract, compressed size: 2320, uncompressed size: 7392, name: hm_sz14.hft
5035347       0x4CD553        End of Zip archive, footer length: 22

So what am I missing?





 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3319
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #38 on: May 21, 2021, 06:53:01 pm »
I just stumbled across this post, and have a question.

When I use binwalk -B on the decrypted HAMEG_FW_HMO1524_HMO2024_04_531 firmware, it does not find a main binary (ELF), but only:
...
So what am I missing?

The main app is this part (this proc. has no .ELFs):

00000002   Section 1 Size: 0004038C  [00000400-0004078B]
Look at my parsing a few posts back.

You load it like this:

ROM:0C000400 ; Processor       : SH2A
ROM:0C000400 ; Target assembler: SHASM Assembler
ROM:0C000400 ; Byte sex        : Big endian
« Last Edit: May 21, 2021, 07:49:57 pm by tv84 »
 

Offline TRN

  • Supporter
  • ****
  • Posts: 131
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #39 on: May 22, 2021, 11:40:04 am »
Thanks tv84.

I presume

ROM:0C000400 ; Processor       : SH2A
ROM:0C000400 ; Target assembler: SHASM Assembler
ROM:0C000400 ; Byte sex        : Big endian

Was a slip of the pen, and should read

ROM:0x000400 ; Processor       : SH2A
ROM:0x000400 ; Target assembler: SHASM Assembler
ROM:0x000400 ; Byte sex        : Big endian

rgds
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3319
  • Country: pt
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #40 on: May 22, 2021, 11:45:06 am »
 

Offline lux

  • Newbie
  • Posts: 9
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #41 on: June 10, 2021, 07:29:23 pm »
Hi, I have an HMO 1202 and I would like to enable a higher bandwidth, bus analysis options...
I have read the previous posts, but I haven't understood everything.
Can someone please explain what the steps are to unlock the scope?
 

Offline avkas

  • Newbie
  • Posts: 4
  • Country: fr
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #42 on: August 31, 2021, 11:38:23 am »
Hi,
I have an HMO1002 oscilloscope, does anybody have the keygen to upgrade?
R&S does not sell any lic key!!!
Thanks
 

Offline avkas

  • Newbie
  • Posts: 4
  • Country: fr
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #43 on: September 13, 2021, 10:02:16 am »
Hi,
I have an HMO 1002, can you help me to upgrade?
Thanks
 

Offline Neper

  • Frequent Contributor
  • **
  • Posts: 543
  • Country: de
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #44 on: September 13, 2021, 11:29:06 am »
R&S living up to their German nickname. We call them "Rostig & Schwer" here. ("Rusty and heavy").

I know them as Schwarte und Rotz, which isn't very complimentary either.
If I knew everything I'd be starving because no-one could afford me.
 
The following users thanked this post: tooki

Offline avkas

  • Newbie
  • Posts: 4
  • Country: fr
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #45 on: October 19, 2021, 01:37:38 pm »
Hi, I have an HMO 1002 and I would like to enable a higher bandwidth, bus analysis options...
Can someone please explain what the steps are to unlock the scope?
Thanks
 

Offline pegasu

  • Newbie
  • Posts: 5
  • Country: fr
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #46 on: October 24, 2021, 01:58:11 pm »
Hello,
I have an R&S®HMS-X:

Does anyone have the keys for the following upgrades?

R&S®HV211: Unlock Integrated Tracking Generators (TG)
R&S®HV212: Bandwidth upgrade to 3GHz

Thank you in advance
 

Offline Jan Audio

  • Frequent Contributor
  • **
  • Posts: 820
  • Country: nl
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #47 on: October 24, 2021, 02:32:52 pm »
No support is asking for hacks.
About time you can get your R&S the full rigol treatment.
 

Offline artag

  • Super Contributor
  • ***
  • Posts: 1249
  • Country: gb
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #48 on: October 24, 2021, 02:46:30 pm »
@pegasu: You need to calculate them yourself from the information in the thread, because your keys are related to your serial number.
However, it's all there and worked for me in enabling the TG.
Especially see the post from tmbinc but you will need to understand the previous posts to make use of that.
« Last Edit: October 24, 2021, 02:49:35 pm by artag »
 

Offline pegasu

  • Newbie
  • Posts: 5
  • Country: fr
Re: Hameg R&S HMO scope licenses not available anymore
« Reply #49 on: October 24, 2021, 04:06:29 pm »
Hello Artag,
thank you for your answer but it's not very easy to understand.
If I give you my serial number could you calculate the key for me?
« Last Edit: October 24, 2021, 04:31:52 pm by pegasu »
 

