Hey,
as it took me many hours to gather all the information needed to memdump my DS2KA I'd like to give a short summary to lower the pain for the gain. So here we go.
First of all the principles. Rigol implemented a lot of features in the scopes that are artificially restricted to work only for a 4000 minute trial period. After that time you have the opportunity to re-enable them forever by purchasing license keys from Rigol. These license keys are bound to each specific device via its serial number.
License verification mechanism
Thanks to zombie28's great work, he managed to reconstruct the way the signature verification works. To give you a short overview I'll roughly summarize the mechanism in the following; for all the details check out zombie28's code.
The license key contains the desired options as well as a signature. With this signature the manufacturer attests that the scope with the serial number the license key was generated for is allowed to use the options. The following diagram depicts the process (I dropped some details for simplicity). For details about ECDSA I recommend kakaroto's blog post.
To verify the signature the scope needs the following information, which therefore has to be stored in its memory:
- two RC5 keys to decrypt the signature
- XXTEA key to encrypt the serial and option codes with
- ECC Parameters: a, b, p, N, G
- The scopes public key
For generating signatures we furthermore need the private key, which is not stored in the memory.
Usually the whole point of public-key crypto algorithms is that you cannot calculate the private key from the public key (besides brute force of course). I'm not sure how, but it seems tirulerbach has his tricks: his ecc-smash tool seems to generate the key in milliseconds.
So tirulerbach can now generate valid license codes for us, BUT unfortunately the RC5, XXTEA and public keys differ between the devices. It is currently not known if there is some hidden scheme relating the different devices. That's why currently we have to provide memory dumps to tirulerbach (and to zombie28?). But how to get them?
Memory dumping
Fortunately Rigol has integrated a fully functional JTAG debug port to the Blackfin BF526, which is responsible for all the crypto stuff. So all we need to do is connect to it and grab the dump. However, not all of us are JTAG lords, and a big question mark hovers over the heads of a lot of us.
So here comes a step by step guide:
Requirements
- DS2000A scope with any firmware (you don't need to downgrade!) I use a DS2072A with HW 2.0, SW 00.02.00
- Torx T10 screwdriver
- A compatible JTAG adapter
Actually all of them should work, however some are faster and some are slower. The following are known to work
- A Linux or Windows computer
- A 3.9k and 10k resistor
- Some wire (preferably jumper wires)
- A breadboard or a soldering iron
I'm one of those nerds who owns an OpenMoko phone including debug board and never knew what to do with it; now the time has come to brush the dust off my good old OpenMoko Debug Board v3. It includes an FT2232 compatible JTAG connector with a usual ARM 20 pin connector.
Step by Step Guide
- 1. Void if broken: Try removing the 'warranty void if broken' sticker as shown in the attached image. The metal layer of the sticker peels off extremely easily, so be careful, and if it nevertheless breaks don't worry and read this
- 2. Open up the beast: There are 4 T10 screws, two at the bottom and two behind the handle.
- 3. Unmount the shield: There are 8 T10 screws, 4 at the top, 4 at the bottom. Moreover you have to remove the nut around the BNC connector before pulling off the shield.
- 4. Find the JTAG connector: It is a 2x7 pin header with pin 3 missing.
- 5. Wiring: Now comes the slightly more complicated part: use the jumper wires, breadboard and the resistors to connect the JTAG port to your adapter.
I feel that this step demands some further clarification. The image shows the connector on the board; the missing pin is marked with an X. You have to connect TMS, TCLK, TRST, SRST, TDI, TDO and GND to your JTAG adapter; check its datasheet for the pinout (most of them have an ARM 20 pin connector). Ignore the confusing pin UTST, I guess cybernet used it just to probe the voltage. The two pull-up resistors have to be added externally. I used a breadboard for the wiring, check out the attached image. And one last point: the 3.3V on pin 1 is not an output, you need to provide it. However, there are multiple pins where you can steal this voltage. I used the 4 pin connector on the opposite side of the PCB labeled VCC.
- 6. Download and install the bfin toolchain: Download here. For Linux you can choose either blackfin-toolchain or blackfin-toolchain-elf, it doesn't matter. I used Linux and blackfin-toolchain-2013R1_45-RC1.x86_64.tar.bz2; unpack it with tar xjf blackfin-toolchain-2013R1_45-RC1.x86_64.tar.bz2
- 7. Power up your scope: Switch on your scope and wait a moment until it's running.
- 8. Start the gdbproxy: Open a command line, cd to the bin directory and execute bfin-gdbproxy like the following.
If errors occur try lowering the frequency or unplug/replug your JTAG adapter.
# cd opt/uClinux-45/bfin-uclinux/bin
# sudo ./bfin-gdbproxy --debug bfin --frequency=5000000
Found USB cable: USB-JTAG-RS232
Connected to libftdi driver.
IR length: 5
Chain length: 1
Device Id: 00100010011111100100000011001011 (0x227E40CB)
Manufacturer: Analog Devices, Inc. (0x0CB)
Part(0): BF526 (0x27E4)
Stepping: 2
Filename: ./../share/urjtag/analog/bf527/bf527
warning: USB-JTAG-RS232: untested cable, set wait_clocks to 30
warning: bfin: no board selected, BF526 is detected
notice: bfin: jc: waiting on TCP port 2001
notice: bfin: jc: (you must connect GDB before using jtag console)
notice: bfin-gdbproxy: waiting on TCP port 2000
- 9. Test GDB: Keep bfin-gdbproxy running in the background, open a second command line window, cd into the directory and launch gdb like below.
The manual of the BF526 describes the meaning of the different memory regions on pages 115 and 116.
# cd opt/uClinux-45/bfin-uclinux/bin
# ./bfin-uclinux-gdb
(gdb) target remote :2000
Remote debugging using :2000
0xffa0142e in ?? ()
(gdb) info mem
Using memory regions provided by the target.
Num Enb Low Addr High Addr Attrs
0 y 0x20000000 0x20400000 rw nocache
1 y 0xef000000 0xef008000 ro nocache
2 y 0xff800000 0xff804000 rw nocache
3 y 0xff804000 0xff808000 rw nocache
4 y 0xff900000 0xff904000 rw nocache
5 y 0xff904000 0xff908000 rw nocache
6 y 0xffa00000 0xffa0c000 rw nocache
7 y 0xffa10000 0xffa14000 rw nocache
8 y 0xffb00000 0xffb01000 rw nocache
9 y 0xffc00000 0xffe00000 rw nocache
10 y 0xffe00000 0x100000000 rw nocache
- 10. Dump the memory
The part of the memory that contains the keys is the SDRAM (0x00000000 0x07FFFFFF). To dump it type the following command into gdb. Note that the end address gdb takes is exclusive (it reads end minus start bytes), so pass one past the last byte; otherwise the final byte of the region is left out.
dump binary memory ~/ds2k_00_sdram.bin 0x00000000 0x08000000
Depending on your JTAG adapter this might take 15 min or even some hours. With my adapter it took roughly an hour. You can check the progress in the gdbproxy terminal window: when started with --debug it outputs the address range of the dumped blocks.
If you want to dump everything, use the GDB script below (only tested on Linux). Save it as memdump.gdb and run
./bfin-uclinux-gdb --batch --command=~/memdump.gdb
# memdump.gdb: connect to bfin-gdbproxy and dump every region.
# gdb's "dump binary memory FILE START END" reads END-START bytes, i.e. END is exclusive,
# so each END below is one past the region's last byte (matches the High Addr column of "info mem").
target remote :2000
dump binary memory ~/ds2k_00_sdram.bin 0x00000000 0x08000000
dump binary memory ~/ds2k_01_abank0.bin 0x20000000 0x20100000
dump binary memory ~/ds2k_02_abank1.bin 0x20100000 0x20200000
dump binary memory ~/ds2k_03_abank2.bin 0x20200000 0x20300000
dump binary memory ~/ds2k_04_abank3.bin 0x20300000 0x20400000
dump binary memory ~/ds2k_05_boot.bin 0xEF000000 0xEF008000
dump binary memory ~/ds2k_06_dbankA.bin 0xFF800000 0xFF804000
dump binary memory ~/ds2k_07_dbankAc.bin 0xFF804000 0xFF808000
dump binary memory ~/ds2k_08_dbankB.bin 0xFF900000 0xFF904000
dump binary memory ~/ds2k_09_dbankBc.bin 0xFF904000 0xFF908000
dump binary memory ~/ds2k_10_ibankA.bin 0xFFA00000 0xFFA08000
dump binary memory ~/ds2k_11_ibankB.bin 0xFFA08000 0xFFA0C000
dump binary memory ~/ds2k_12_ibankC.bin 0xFFA10000 0xFFA14000
dump binary memory ~/ds2k_13_scratch.bin 0xFFB00000 0xFFB01000
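As an added check (my own script, not part of the original post or the toolchain), the following Python parses the `info mem` listing from step 9 into regions, produces the matching `dump binary memory` lines with gdb's exclusive end address, and verifies that a dump file on disk has exactly the region's size, so a truncated or off-by-one dump is noticed before it is packed up. The listing embedded below is a constructed excerpt of the session output above; file names and the `~/ds2k` prefix are assumptions.

```python
import re
from pathlib import Path

# Constructed excerpt of the `info mem` listing from step 9 (a few rows, same format).
INFO_MEM = """\
Num Enb Low Addr High Addr Attrs
0 y 0x20000000 0x20400000 rw nocache
1 y 0xef000000 0xef008000 ro nocache
8 y 0xffb00000 0xffb01000 rw nocache
"""

# SDRAM is not listed by `info mem`; the guide gives it as 0x00000000-0x07FFFFFF inclusive,
# which is the half-open range below (end = one past the last byte).
SDRAM = (0x00000000, 0x08000000)

ROW_RE = re.compile(r"^\s*(\d+)\s+([yn])\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)")


def parse_info_mem(text):
    """Return [(num, low, high)] for enabled rows. gdb prints High Addr as one past the
    last byte, which is exactly the form its `dump` command expects."""
    regions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(2) == "y":
            regions.append((int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)))
    return regions


def dump_command(name, low, high):
    """One `dump binary memory` line; `high` is exclusive, so the whole region is written
    (an 0x...FFFF end address would silently drop the region's last byte)."""
    return "dump binary memory %s 0x%08x 0x%08x" % (name, low, high)


def expected_size(low, high):
    return high - low


def check_dump(path, low, high):
    """True only when the file exists and holds exactly the bytes the region spans."""
    p = Path(path)
    return p.is_file() and p.stat().st_size == expected_size(low, high)


def check_all(prefix, regions):
    """Map each region number to (command, ok) for dumps named <prefix>_<num>.bin (assumed naming)."""
    result = {}
    for num, low, high in regions:
        name = "%s_%02d.bin" % (prefix, num)
        result[num] = (dump_command(name, low, high), check_dump(name, low, high))
    return result
```

Run `check_all("~/ds2k", parse_info_mem(open("infomem.txt").read()))` against the saved listing (path expanded first) to see which dumps are complete.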
- 11. YEAAH you made it: Now zip it, e.g.
tar cJf ds2k_memdump.tar.xz ~/ds2k*
upload it to some one-click hoster and send the link to tirulerbach.
If you are nice to tirulerbach he'll send you a bunch of license keys which you can enter either directly on the scope via Utility>Options>Setup>Editor ON or using SCPI :SYSTem:OPTion:INSTall <keyhere>
Hope this guide helped you and you will all diligently commit your memory dumps.
Good luck, have fun with your scopes and happy hacking.
Changelog
2014-01-11 Initial post
2014-01-12 Inline attached images. Add some additional clarifications based on comments. Add list of working JTAG adapters.