Rigol DSXXXX .GEL firmware file format

[Userli]

Good news!
It looks like the compression is optional.
In the new FW file the file GuiResData.hex is uncompressed, whilst it was compressed in the last FW file.
It might therefore be possible to change the ELF file and add it uncompressed, circumventing the possible compression problems.

I agree with smithnerd though, that most likely it will also accept files compressed with the LZMA algorithm from 7zip.

[janekivi]

After hacking something together with notepad I get all images from latest update:
I put this file and guiPicData to somewhere and double click on ***.py and get RAW data.
This is making for me BAT file too with ffmpg convert command lines. I add to this directory
ffmpeg.exe and all required DLL files for this. You can change "ffmpeg" with something else.
PNG can changed too to something else if other parameters corrected too.
Double click on BAT is making next miracle...

Code: [Select]

import os
src_file = 'guiPicData'      #code.py and this file with data must be in the same directory
path = 'images'              #it makes new directory
if not os.path.exists(path):
    os.makedirs(path)

src_file_size = os.path.getsize(src_file)
b = bytearray(open(src_file, 'rb').read())
pos = 0
nr = 0
 
while pos < src_file_size:
x = b[pos:pos+2]
y = b[pos+2:pos+4]
num1 = int.from_bytes(x, byteorder='little', signed=False)
num2 = int.from_bytes(y, byteorder='little', signed=False)
length = num1 * num2 * 2
data = b[pos+4:pos+4+length]
pos +=4+length
nr +=1
print (length, num1, num2, pos) # for test and feedback
output = "file_%03d_%dx%d" % (nr, num1, num2)
open(os.path.join(path, output), 'wb').write(data)
text = "ffmpeg -vcodec rawvideo -f rawvideo -pix_fmt rgb565 -s %dx%d -i %s -f image2 -vcodec png %s.png" % (num1, num2, output, output)
# output = "file_%03d_%dx%d.bat" % (nr, num1, num2)   # uncomment if you want bat file for each RAW image
# open(output, 'w').write(text)                       # uncomment if you want bat file for each RAW image
with open(os.path.join(path, "test.bat"), "a") as myfile:
myfile.write(text+ '\n')

All images are in zip here too:

[Dwaine]

I tried to replace the logo with this new firmware.  It worked with no issue.  Nice work everyone

[Userli]

First success.
I managed to replace the RIGOL logo on the main screen. (see attachment)
To do so, I replaced the image and put the uncompressed file back.
Bit 1 in the 5th byte of the 24byte file header tells if the file needs decompression - so it needs to be cleared.

You should always reopen the file with the application after saving and check that the changes have been applied.
I added loads of consistency checks and if you find any entry in the error log, the file is most likely broken.

[janekivi]

Looks like guiResData.hex contains some data : )
First part is menu structure, some parts contains text, one part is help...

First image - Apps, Menu, Item. This part is keep going to address in red - 05 BE 08.
If there is Apps, section length is the following 4 bytes - green.
Current Menu is ending at the same address and length to there is 04 80 - blue.
Inside of the Menu is couple of Item's with their lengths - yellow.

When this part is ending (next image), there is 3 addresses for next 3 parts.
05 BE 14 - beginning of 1st
06 AF 00 - beginning of second
09 AF E0 - beginning of third

On third image we see 1st part ending, second beginning and length A1 A8
which lead us to beginning of something. That part is ending at 09 AF DF and
next we see last file with his length. From 09 AF E0 is exactly 01 BB 3C to the
file end.
Now, how to eat those parts and what's inside...

[Userli]

I guess that guiResData contains the references to the images in guiPicData.
Most likely their address and geometry is coded in there as well as the position at which they must be shown on the screen.

[Fungus]

A really nice thing to do to start with which shouldn't be too difficult is to find the version number of the GEL file and hack it.

This would allow people to downgrade their firmware by fooling the scope into thinking old versions are actually newer so they can downgrade their firmware.

[janekivi]

This is easiest trick. (In first look...)
You edit the firmware number by smallest step needed and scope say:
"A newer software version detected.
Update?
Model :DS1000Z
Version:00.04.03.02.05"
Where is the numbers. Just at the beginning. Bytes 10 .... 1F
Why smallest step? Because then  You can update it many times.
If there is too big version nr, You need always increase it ...

(Actually I didn't let it to do update at this time, so it may not be sucess, but barely)
...and that's it, he checking it in all other places too

[Userli]

Next success!
I decompressed guiPicData and compressed it again.
Then I created a new .GEL file with the newly compressed guiPicData and deployed it successfully to the scope.
Now we know that the Rigol decompression mechanism can handle files compressed by the 7z SDK.
This obviously doesn't mean, that it will always work but the probability is high that it does.

The next step will now be to change the Pluses, of which I still found two occurrences in the latest FW.

Concerning changing the version number: this is indeed easy.
You can even make it the same number as the one installed.
The scope will then ask you if you want to reinstall this version.
However, if by accident you put a number much bigger than the current one, you will have to tweak all subsequent FW files to this very version to make them install.

[smithnerd]

Next success!
I decompressed guiPicData and compressed it again.
Then I created a new .GEL file with the newly compressed guiPicData and deployed it successfully to the scope.
Now we know that the Rigol decompression mechanism can handle files compressed by the 7z SDK.
This obviously doesn't mean, that it will always work but the probability is high that it does.

The next step will now be to change the Pluses, of which I still found two occurrences in the latest FW.

Great news about LZMA. I would counsel against trying to patch SparrowAPP.out at the moment, unless you have the ability to recover via JTAG. I have reason to believe that even trivial modification of this file will brick the scope.

[Userli]

Thanks for the warning.
Would you want to share your concerns with us?

[Meka77 wd]

Hi everyone.
I just modified DS1000ZUpdate.GEL file 00.04.03.01.05 (04.03 SP1) to 00.04.03.02.03 (04.03 SP2, current installed shit)...
 
Here is what happened:

1. Same software version detected. Update?... 
2. Reading Gel file... 
3. Analysing Gel file... 
4. Update was failured. Please, check your flash driver and the update file, then try again!...

fkers.

[smithnerd]

Thanks for the warning.
Would you want to share your concerns with us?

High Assurance Boot:

http://cache.freescale.com/files/32bit/doc/app_note/AN4555.pdf

I suspect the contents of the mystery footer is a signature for SparrowAPP.out. I might be totally wrong about this though - too early to say...

[Userli]

Well, not THAT easy.
The version number is repeated in each file header as Uint32.
So all of them have to be changed, too.

I will add a mechanism to my application where you can change the version to the one of another .GEL file by opening it.
This should be reasonably safe .

[janekivi]

Files not the problem I think, so not that easy too. Something is now in the footer.

Actually I took DS1000Z(ARM)Update_00.04.03.01.05 and have DS1000Z(ARM)Update_00.04.03.02.03
Now I look footers and DS1000Z(ARM)Update_00.04.03.01.05 footer second half from 80 to FF is the
same as DS1000Z(ARM)Update_00_04_04_00_07 footer.
Somebody must look into APP. I can't read it.

[Userli]

@Meka77 wd if you open your modified file in the RigolPacker you should see one error per file stating that the version is different.
I modified the application as mentioned in the last post.
You can now click on change version, open another FW file who's version will then be copied to the current one.

I didn't try to deploy a FW file with modified version.
As before: USAGE AT YOUR OWN RISK!!!

@janekivi I didn't find the version in the footer.
I would therefore assume that it's sufficient to change it in all the headers.
When you say "Somebody must look into APP." what are you referring to?

[Meka77 wd]

Thanks for your efforts @userli...
I just tried your tool and same things happened...
Sorry no joy.
Btw. i also tried in bootloader mode (when device off, put usb stick, powerup wait untill beeps, press help button some, device reads stick, asap all leds flashing (fail to update) ) and nothing changed.

[janekivi]

When you say "Somebody must look into APP." what are you referring to?

If somebody understand IDA, this is may be helpful to help us to find out how this footer is made...
When we know how app is reading it.
Something is done here with RC5_RC6 and SHA-1.
License generator is using SHA-1 too but footer can be made with SHA-1 and RC5_RC6.
Weirdly there is 128 bytes matching older firmware footer.

I see that MD5/SHA-1 share their initial values, so there is one of them or both.
You know, one thing needs MD5...
and now - there it is: PKSC: X.509

[Userli]

@ janekivi ok, I see.
 I agree, that it will be difficult to analyze the footer without a hint from the code.

I added a very basic viewer for ELF files.
At least it shows, where the application code is.
Maybe somebody has a disassembler for this uP?

Furthermore I added checksums of the code shown, to help finding if it's referenced anywhere else.
For the footer I assumed that it also had a 24byte header.
This is not certain at all, since the structure of the first 24 bytes of the footer do not match the structure of the other file headers.
Therefore the export function now exports the footer including the first 24bytes.

Today was rather disappointing:
 I reproduced Meka77 wd's problem.  So the version is stored also somewhere else.
Furthermore I fixed the Pluses and replaced the compressed file in the archive.
This gives the same error as you get with the version change.

[janekivi]

I have seen scope on Dave's video with custom logo. One is here:
https://www.eevblog.com/forum/blog/coolest-rigol-ds1052e-firmware-ever!/
But I don't remember surely was there something more...

[Meka77 wd]

Hi.. Thanks again @userli.

For future reference:

https://www.eevblog.com/forum/testgear/rigol-ds1000z-series-firmware-downgrade-*is*-possible-and-here-is-how/

As seen on above discussion reply #23 there is nothing bad happening when firmware ver. upgraded or downgraded.

But there is a catch... bootloader version!!!

Why they blocked firmware downgrade from later ver. bootloaders is beyond my imagination.

Again, i think most important! feature for this kind of devices is ability to freely upgrade or downgrade firmware or bootloader revisions.

This scope is unreliable and very frustrating to use for me since 4.3.2.3 ver. firmware.

And RMS bug is not that simple...



Please if you did not watch it, take a closer look

It affects FTT, other channels RMS measurements, Auto Cursor Quick Trace, scope performance and many other shit i am not aware of. I think there is some kind of constant background calculation or error correction scheme going on and because of it scope very slow, intensity grading performance  degraded (to me anyway).

Sorry for my bad english...

[janekivi]

For bugs is there another thread but this firmware stuff is bit complicated.
There may be different upgrade types and then corresponding files in it.
For logo we can may be make only GEL with logo.hex. But update with
app is needing footer where is public key or certificate or hashed something...

First 128 bytes is signature for example. Following 128 bytes is key or...
which  an be the same as in other firmware footer.

[Userli]

I was wondering if it could be as easy as removing the 2nd bit of the 4th byte in the file header, which is only set for SparrowApp. (assuming this indicates "requires checking", like the first bit indicates "requires decompression")
Only removing this bit doesn't have any obvious effect.
The FW still installs fine.

Fixing now the Pluses in addition, though, makes the deployment fail.

Now I just decompressed and re compressed the ELF file without changing anything (adapting the checksums obviously) and the deployment also failed.
Assuming that the newly compressed file can be decompressed by the scope, it means that the check using (most likely) information from the  footer is done on the compressed file only.

[janekivi]

We inventing a bit a our own wheel here
http://gotroot.ca/rigol/
http://gotroot.ca/rigol/degel-0.1.tar.gz
In one update there was this new bootloader: SparrowBootloader.sb
This can be sb - secure boot.
http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
x509 keys and all this kind of stuff or only name like this...

[Userli]

It's well possible that they used an existing mechanism to sign the code.
It could be as simple as signing a combination of version number and sha1 of the compressed file with the private key used for the license codes.
It might also be that they secure the boot process, this, however, would not prevent it from deploying the FW.
I would assume the corresponding code being part of the ELF file.