Flatlander (and everyone else interested in the MSO1000Z series)..
Today I dumped the RAM from my MSO1074Z-S using an Olimex ARM-USB-OCD-H adapter and a JTAG cable I made using the information provided by sptm14.
I ran the "rigup" tool on the memory dump but it didn't find any keys. However, I then went and manually searched for variations of what rigup was searching for, and found a section of the memory dump that seems to almost exactly match what rigup wants to see in order to extract the keys and resolve the private key.
In the rigup-0.4.zip, /src/ directory, there is a file called utils.c, which contains a function called ScanKeys(). It searches for the following pattern in the memory dump:
(hex):
02 00 84 00 10 00
I changed it to:
01 00 84 00 10 00
and then re-compiled and ran it on my memory dump, then I got this:
root@kali03:/home/rdavidson/rigup-0.4# ./rigup scan /root/mso1074z-s_64M_RAM.bin
rigup scan - Version 0.4
RC5KEY1: 057C2FCEFAD84E75AF393F05A13F8690
RC5KEY2: 23E24CFCA6FA196C89F3A9706BDA3689
XXTEAKEY: D4AD754E348E9D2BF3C161517AE2CB04
PUBKEY: 005497018B62F230
PRIVKEY: 0099FC5DFBE778D0
I also ran "rigup search /root/mso1074z-s_64M_RAM.bin". It spat out 6 keys, one of which looks obviously wrong/invalid, but I tried one of the more reasonable looking keys on my scope and got a message saying the key has already been used. So, I believe I have 1 valid key (which might be a trial key, since my scope still has about 33 hours of its trial period left and I haven't purchased any upgrades, or maybe its a feature key for the Sig Gen or LA. No idea!).
The key below, VZ2RCVM... is the key that rigup was able to find in my memory dump, and that the scope says has already been used. This info below, I believe, is rigup validating the key, using the key info above:
root@kali03:/home/rdavidson/rigup-0.4# ./rigup info mso1074z-s.keys VZ2RCVM-ZK8ZY4L-_______-_______
rigup info - Version 0.4
License: VZ2RCVM-ZK8ZY4L-_______-_______ (V2MP = 0x9ED6D)
Signature 1: 0000000000000000
Signature 2: 0000000000000000
Padding 1: 00000000A0EF87DE
Padding 2: 00000000743732CE
Verify: Ok
All of the other keys it found do not verify (and I haven't tried inputting them into my scope yet, to see if they work there).
FYI: My MSO1074Z-S runs firmware version 00.04.01.SP2. In the memory dump, the keys appear to be located at hex address 0x00E063AC.
I have not had any luck generating keys to unlock the features in the scope yet.
If anyone wants to give me a hand or has any ideas, let me know. I'm not giving up yet, but its 2am here and I'm off to bed.