I came across this thread and found it interesting. It looked like a nice puzzle. I wondered whether there is any way to put all the previous information into a single line of code (e.g. shell code), so there is no need for:
- patching the firmware
- searching strings in a hex editor
- compiling some search tools with a version of VS you don't have, so you need to change the code before it runs
- messing around with USB
The following code is for educational purposes. Do not use it if you have not bought the options or bandwidth. If you want to play with it, you should first ask Siglent how to remove/disable an unwanted/unlicensed option which was unlocked by accident while playing with the device.
This is important because they put a lot of time and work into disabling some functionality. This work needs to be paid!
There might be some exceptions (but I'm not sure):
- if you lost your bought keys, and the device did it too, or you have not entered it before the precious loss
- if the device was delivered in a wrong configuration (i.e. bandwidth)
- if your device came in a wrong case or with a wrong label
This code is for the shell (e.g. Telnet):
BW_OK="200M"; QuickSearch=500; cat /proc/$(pidof sds1000b.app)/maps | grep heap | while read line; do start=0x$(echo $line | cut -c 1-8); end=0x$(echo $line | cut -c 10-17); dd if=/proc/$(pidof sds1000b.app)/mem bs=4096 skip=$(($start/4096)) count=$( [ -z "$QuickSearch" ] && echo $((($end-$start)/4096)) || echo $QuickSearch) | grep -ohE "[A-Z0-9]{16}" | grep -vhE "([A-Z])\1{2}" | while read line; do echo "LCISL WIFI,$line" | nc -w1 127.0.0.1 5024; echo "LCISL AWG,$line" | nc -w1 127.0.0.1 5024; echo "LCISL MSO,$line" | nc -w1 127.0.0.1 5024; [ $BW_OK != "$(echo "PRBD?" | nc -w1 127.0.0.1 5024 | grep -o $BW_OK)" ] && echo "MCBD $line" | nc -w1 127.0.0.1 5024; done; done
You need to enable Telnet like described in post #67.
Yeah ok, it's not a single line in the sense of code, but it is in the sense of a string.
Can this also be put into the web interface? Not directly but it can:
SHELLCMD sh -c $'BW_OK="200M" \x3b QuickSearch=500 \x3b cat /proc/$(pidof sds1000b.app)/maps | grep heap | while read line\x3b do start=0x$(echo $line | cut -c 1-8)\x3b end=0x$(echo $line | cut -c 10-17)\x3b dd if=/proc/$(pidof sds1000b.app)/mem bs=4096 skip=$(($start/4096)) count=$( [ -z "$QuickSearch" ] && echo $((($end-$start)/4096)) || echo $QuickSearch) | grep -ohE "[A-Z0-9]{16}" | grep -vhE "([A-Z])\\1{2}" | while read line\x3b do echo "LCISL WIFI,$line" | nc -w1 127.0.0.1 5024\x3b echo "LCISL AWG,$line" | nc -w1 127.0.0.1 5024\x3b echo "LCISL MSO,$line" | nc -w1 127.0.0.1 5024\x3b [ $BW_OK != "$(echo "PRBD?" | nc -w1 127.0.0.1 5024 | grep -o $BW_OK)" ] && echo "MCBD $line" | nc -w1 127.0.0.1 5024\x3b done\x3b done' &
This was a little bit more complicated because the web interface doesn't accept semicolons, so they needed to be masked. There is also a circular dependency for SCPI, which will lock netcat if the script is not running independently, so the ampersand at the end is mandatory.
The variable at the beginning is the bandwidth you want to select, and it needs to be set to a correct string like "200M" or "100M". This can be used if you want to try a different BW (e.g. for benchmarks or so).
I figured out that the keys are at the very beginning of the heap. I put a QuickSearch limit at the beginning of the script, so that it does not need to grep through the whole heap, which would need more than a minute. With the limit of 500 it will run about 5 seconds. If it does not find the keys, you can remove the "500" and it will run through the full heap.
You can watch how the options get unlocked ("xx" instead of a value) if you have this info page opened.
I put an additional filter (grep -vhE "([A-Z])\1{2}") in it to remove found strings (about 50 in the whole heap) with low entropy. This is not really needed, and does not have a huge effect on performance, but it makes it a little bit more sophisticated. There is a chance of 1/3589 (if I'm right) that this will filter a valid key. You can remove it if you think this is the case.
What do we learn from that at the end?
If you want to use cryptography to check a key, do not calculate the right one in parallel and compare it to the entered one. I also don't understand why they did this if there is nothing to compare. Hmmm, intention?
I hope you have fun and don't forget "Piracy. It's a Crime."
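The design lesson in the last paragraph of the post, as an added example. This is Python written for this page; it is not code from the post, from Siglent, or from the scope firmware, and nothing about the real licence scheme is known from the page. The 16-character [A-Z0-9] key format is taken from the post's grep; the HMAC-based key derivation, the option names, the serial number, the vendor secret and the "memory image" (the repr of an object, standing in for a heap dump) are all invented for the demonstration. It shows the anti-pattern (device recomputes the valid key and compares) beside the hardened form (device holds only a salted digest and compares in constant time), and runs the same 16-character scan over both.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
import string

# Hypothetical key format matching the post's grep: 16 chars of [A-Z0-9].
ALPHABET = string.ascii_uppercase + string.digits
KEY_LEN = 16
KEY_RE = re.compile(rb"[A-Z0-9]{16}")
LOW_ENTROPY_RE = re.compile(rb"([A-Z])\1{2}")   # the post's optional "three identical letters" filter
PBKDF2_ROUNDS = 10_000                          # kept low for the demo; use far more in production


def derive_key(vendor_secret: bytes, serial: str, option: str) -> str:
    """Hypothetical vendor-side key generator (invented for this example):
    HMAC-SHA256 over serial and option, mapped onto the key alphabet.
    The modulo mapping is slightly biased; that does not matter here."""
    mac = hmac.new(vendor_secret, f"{serial}:{option}".encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:KEY_LEN])


class WeakDevice:
    """The anti-pattern from the post: the device carries the vendor secret and,
    on every check, recomputes the valid key and compares it with the entry.
    The valid key therefore exists in process memory. 'scratch' stands in for
    heap buffers that are never wiped (Python frees a local; C code often
    leaves the bytes behind, which is what a /proc/<pid>/mem scan finds)."""

    def __init__(self, serial: str, vendor_secret: bytes) -> None:
        self.serial = serial
        self.vendor_secret = vendor_secret       # should never be on the device
        self.scratch: dict = {}

    def check(self, option: str, entered: str) -> bool:
        expected = derive_key(self.vendor_secret, self.serial, option)
        self.scratch[option] = expected          # the copy a heap scan picks up
        return entered == expected               # also a timing side channel


class HardenedDevice:
    """Holds only a salted PBKDF2 digest per option, provisioned at the factory.
    The device never computes a valid key, so a memory dump contains nothing
    that passes check(). A public-key signature over (serial, option) verified
    with an embedded public key is the other standard design with this property."""

    def __init__(self, serial: str, option_digests: dict) -> None:
        self.serial = serial
        self.option_digests = option_digests     # option -> (salt, digest)

    def check(self, option: str, entered: str) -> bool:
        entry = self.option_digests.get(option)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


def provision(vendor_secret: bytes, serial: str, options) -> tuple[dict, dict]:
    """Factory step (hypothetical): keys go on the customer's certificate,
    only the salted digests go into the device."""
    keys, digests = {}, {}
    for option in options:
        key = derive_key(vendor_secret, serial, option)
        salt = os.urandom(16)
        keys[option] = key
        digests[option] = (salt, hashlib.pbkdf2_hmac("sha256", key.encode(), salt, PBKDF2_ROUNDS))
    return keys, digests


def memory_image(device) -> bytes:
    """Stand-in for `dd if=/proc/<pid>/mem`: everything the object holds."""
    return repr(vars(device)).encode()


def scan_for_keys(image: bytes, drop_low_entropy: bool = False) -> list[str]:
    """The post's `grep -ohE "[A-Z0-9]{16}"` (optionally with its `\\1{2}` filter)."""
    found = []
    for m in KEY_RE.finditer(image):
        if drop_low_entropy and LOW_ENTROPY_RE.search(m.group()):
            continue
        found.append(m.group().decode())
    return found


def recover_keys(device, options) -> dict:
    """Attacker step: dump memory, scan, and keep every candidate the device accepts."""
    candidates = scan_for_keys(memory_image(device))
    return {o: c for o in options for c in candidates if device.check(o, c)}


def demo() -> dict:
    vendor_secret = b"factory-hsm-secret-never-shipped"   # constructed for the demo
    serial = "SDS-DEMO-000001"                             # constructed for the demo
    options = ("WIFI", "AWG", "MSO")
    keys, digests = provision(vendor_secret, serial, options)
    weak = WeakDevice(serial, vendor_secret)
    hard = HardenedDevice(serial, digests)

    # Both devices reject a bogus entry, but on the weak device this single
    # round of checks already materialises every valid key in memory.
    bogus = "A" * KEY_LEN
    rejected = all(not d.check(o, bogus) for d in (weak, hard) for o in options)

    return {
        "rejected_bogus": rejected,
        "hard_accepts_real_key": all(hard.check(o, keys[o]) for o in options),
        "weak_recovered": recover_keys(weak, options),
        "hard_recovered": recover_keys(hard, options),
        "certificate_keys": keys,
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `weak_recovered` equal to the certificate keys and `hard_recovered` empty: the same scan that strips the weak design bare finds nothing usable when the device only holds digests. The digest form is the stdlib-only fix; it still lets an attacker with the firmware try candidates offline, which is why a signature checked against an embedded public key (no secret at all on the device) is the design usually chosen for option licences.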