Rigol DSXXXX .GEL firmware file format

[janekivi]

Newly fixed (with help of our SparrowAPP) Signsrch http://aluigi.altervista.org/mytoolz.htm#signsrch
can recognize 36 signatures

Code: [Select]

  offset   num  description [bits.endian.size]
  --------------------------------------------
  400264e1 1038 padding used in hashing algorithms (0x80 0 ... 0) [..64]
  400ae1f0 1119 Jpeg dct AA&N scale factor [double.le.64]
  4014b9ec 2249 TEA1_DS [32.le.4]
  40150d70 2057 RC5 and RC6 magic values (0xb7e15163L 0x9e3779b9L) [32.le.8&]
  401ceddc 1016 MD4 digest [32.le.24&]
  401ceddc 1036 SHA1 / SHA0 / RIPEMD-160 initialization [32.le.20&]
  401ceddc 2402 Lucifer (outerbridge) DFLTKY [..16]
  401cede8 2053 RIPEMD-128 InitState [32.le.16&]
  401f372c 3048 DMC compression [32.le.16&]
  401f3dec 648  CRC-32-IEEE 802.3 [crc32.0xedb88320 lenorev 1.1024]
  401f3dec 641  CRC-32-IEEE 802.3 [crc32.0x04c11db7 le rev int_min.1024]
  401f41ec 129  Adler CRC32 (0x191b3141) [32.le.1024]
  401f45ec 131  Adler CRC32 (0x01c26a37) [32.le.1024]
  401f49ec 133  Adler CRC32 (0xb8bc6765) [32.le.1024]
  401f4dec 652  CRC-32-IEEE 802.3 [crc32.0xedb88320 benorev 1.1024]
  401f4dec 645  CRC-32-IEEE 802.3 [crc32.0x04c11db7 be rev int_min.1024]
  401f51ec 130  Adler CRC32 (0x191b3141) [32.be.1024]
  401f55ec 132  Adler CRC32 (0x01c26a37) [32.be.1024]
  401f59ec 134  Adler CRC32 (0xb8bc6765) [32.be.1024]
  401f5e69 2295 zinflate_lengthExtraBits [32.be.116]
  401f5e6c 2294 zinflate_lengthExtraBits [32.le.116]
  401f5edd 2304 zinflate_distanceExtraBits [32.be.120]
  401f5ee0 2303 zinflate_distanceExtraBits [32.le.120]
  401f64b0 1086 Zlib dist_code [..512]
  401f66b0 1087 Zlib length_code [..256]
  401f67b0 1089 Zlib base_length [32.le.116]
  401f6824 1091 Zlib base_dist [32.le.120]
  40229148 408  CRC-16-CCITT modem/x25/kermit [crc16.0x8408 lenorev 1.512]
  40229148 401  CRC-16-CCITT modem/x25/kermit [crc16.0x1021 le rev int_min.512]
  4022a1c8 1290 __popcount_tab (compression?) [..256]
  4022a2d8 2075 Generic squared map [..16]
  4022bd40 2875 libavcodec ff_mjpeg_val_ac_luminance [..162]
  4022bde4 2876 libavcodec ff_mjpeg_val_ac_chrominance [..162]
  4022c777 3051 compression algorithm seen in the game DreamKiller [32.be.12&]
  40356877 2914 libavcodec nuppelvideo fallback_lquant [..64]
  40356a6c 1994 power2 table [16.le.30]

How to read or analyze bootloader SparrowBootloader.sb in http://gotroot.ca/rigol/DS1000Z-04_00_00_00.7z

[smithnerd]

I've been looking at SparrowBootloader.sb with this:

https://github.com/eewiki/elftosb

Code: [Select]

$ ./sbtool SparrowBootloader.sb
---- Boot image header ----
Signature 1:           STMP
Signature 2:           sgtl
Format version:        1.1
Flags:                 0x0000
Image blocks:          19764
First boot tag block:  9
First boot section ID: 0x00000000
Key count:             1
Key dictionary block:  7
Header blocks:         6
Section count:         1
Section header size:   1
Timestamp:             446216079000000
Product version:       999.999.999
Component version:     999.999.999
Drive tag:             0x0000
SHA-1 digest of header:
    0x00000000: 2d 5c 14 b8 10 81 fe 5f ee e2 09 ee 75 55 fe 80
    0x00000010: bb 35 50 44
Header digest is correct.

---- Section table ----
Section 0:
    Identifier: 0x0
    Offset:     10 blocks (160 bytes)
    Length:     19752 blocks (316032 bytes)
    Flags:      0x00000001
                0x1 = ROM_SECTION_BOOTABLE

---- Key dictionary ----
error: the image is encrypted but no key was provided
It should be encrypted with AES-128, the key for which is burned into the OTP area of the i.MX28. Hopefully though, it might only be using 'encrypted boot' mode and not the 'high assurance boot' mode.

[technogeeky]

I haven't dug into this myself (I will at some point, I'm working on porting something right now for the scope).


But while digging around today, I recognized that this is an opportunity to really make the scope's help functionality useful.

I can't imagine that they would have encrypted that. We could include our own pictures, and take advantage of the multiple pages to add useful information and diagrams in.

Let me know if this is currently possible (in the sense that it will survive unpacking and repacking), and I'll get started.

[Userli]

It might be a good point to give a short summary on where we are, such that it is easier to get into this thread.

It is currently possible to change the start screen image and any of the 420 small images which are used to make up the user interface.
Rigol packer supports those changes as well as the extraction of the decompressed payload for further analysis.

Still to be done are (at least)
- the change of version (for downgrading),
- changes to the application code (mostly correcting typos in strings)

The problems seen/suspected are
- the compressed application code seems to be signed, most likely taking the version number into account
  * we suspect the signature in the first half of the footer but don't know about the mechanism used
- the boot loader might use at least secure boot


-

[MarkF]

Any chance of finding a way to swap out the small font?

[Dwaine]

Any chance of finding a way to swap out the small font?

I noticed some bmp that were fonts/characters.  Like the input keyboard.  I guess you would have to redo the bmp file with larger fonts.

[technogeeky]

Any chance of finding a way to swap out the small font?

I noticed some bmp that were fonts/characters.  Like the input keyboard.  I guess you would have to redo the bmp file with larger fonts.

This might be easier than if they were actual fonts, though. We'll see.

[Dwaine]

Any chance of finding a way to swap out the small font?

I noticed some bmp that were fonts/characters.  Like the input keyboard.  I guess you would have to redo the bmp file with larger fonts.

This might be easier than if they were actual fonts, though. We'll see.

I was kinda disappointed to see that really they are just throwing up bmp files to make up the screen.  No GUI rendering for the UI.   

I always wondered why BMP files.   Would it not be more efficient to use png files?  Smaller and less processing intensive?

 

[smithnerd]

The fonts are not in guiPicData.hex. They may be in guiResData.hex, but I doubt it. Most likely they were included in the main SparrowAPP.out encoded as 1bpp tables.

A few days ago, I looked for the bit pattern of the 'busy part' of a W or M (I forget) on the extra large font, but didn't find anything - too many false positives...

I'm sure they'll turn up as we identify more parts of the SparrowAPP.out and guiResData.hex data.

[smithnerd]

I was kinda disappointed to see that really they are just throwing up bmp files to make up the screen.  No GUI rendering for the UI.   

I always wondered why BMP files.   Would it not be more efficient to use png files?  Smaller and less processing intensive?

They're not using BMP files, they're using raw 16bpp data. I'm slapping a BMP header on them, because BMP supports that bitmap data type without a lot of extra hassle. PNG for example, does not really support 16bpp, only 8 or 24/32.

[FrozenHaxor]

I always wondered why BMP files.   Would it not be more efficient to use png files?  Smaller and less processing intensive?

Actually both formats are lossless while PNG is compressed and BMP not. So technically BMP is less demanding on computing side of things. It's sort of, closer to the roots of the machine itself so to speak.

[Dwaine]

I was kinda disappointed to see that really they are just throwing up bmp files to make up the screen.  No GUI rendering for the UI.   

I always wondered why BMP files.   Would it not be more efficient to use png files?  Smaller and less processing intensive?

They're not using BMP files, they're using raw 16bpp data. I'm slapping a BMP header on them, because BMP supports that bitmap data type without a lot of extra hassle. PNG for example, does not really support 16bpp, only 8 or 24/32.

Thanks for answering.   All this is interesting stuff.

[technogeeky]

I've been looking at SparrowBootloader.sb with this:

https://github.com/eewiki/elftosb

Code: [Select]

$ ./sbtool SparrowBootloader.sb
---- Boot image header ----
Signature 1:           STMP
Signature 2:           sgtl
Format version:        1.1
Flags:                 0x0000
Image blocks:          19764
First boot tag block:  9
First boot section ID: 0x00000000
Key count:             1
Key dictionary block:  7
Header blocks:         6
Section count:         1
Section header size:   1
Timestamp:             446216079000000
Product version:       999.999.999
Component version:     999.999.999
Drive tag:             0x0000
SHA-1 digest of header:
    0x00000000: 2d 5c 14 b8 10 81 fe 5f ee e2 09 ee 75 55 fe 80
    0x00000010: bb 35 50 44
Header digest is correct.

---- Section table ----
Section 0:
    Identifier: 0x0
    Offset:     10 blocks (160 bytes)
    Length:     19752 blocks (316032 bytes)
    Flags:      0x00000001
                0x1 = ROM_SECTION_BOOTABLE

---- Key dictionary ----
error: the image is encrypted but no key was provided
It should be encrypted with AES-128, the key for which is burned into the OTP area of the i.MX28. Hopefully though, it might only be using 'encrypted boot' mode and not the 'high assurance boot' mode.

...

Can we get a (somewhat comprehensive) list of the software you guys are using to do these searches? Or, if the software won't necessarily be available to us, a list of the techniques you're using so we can learn to do the same?

Thanks,
-tg

[MarkF]

I have generated several bmp and png files containing fonts for both Windows Direct X and OpenGL.  Not a problem if we can id the font data and format.

[Fungus]

I noticed some bmp that were fonts/characters.  Like the input keyboard.  I guess you would have to redo the bmp file with larger fonts.

You'll also have to change all the character sizes and offsets.

They might be stored separately or they might even be hard-coded in the program (in which case you'll have a hard time changing them).

I always wondered why BMP files.   Would it not be more efficient to use png files?  Smaller and less processing intensive?

Completely the opposite. PNG uses ZLIB compression so it needs a lot more RAM and resources to decompress.

Plus: BMP can use indexed colors, PNG cannot. BMP might be smaller than PNG for fonts.

Actually both formats are lossless while PNG is compressed and BMP not.

BMP has compression: https://en.wikipedia.org/wiki/BMP_file_format#Compression

[FrozenHaxor]

BMP has compression: https://en.wikipedia.org/wiki/BMP_file_format#Compression

Sure it does, that was not the point though. You'll want to avoid compression in such application to limit the amount of computing needed to be done, which would slow things down.

At the end of the day, everything has compression if you run it through those particular lossless algorithms

[smithnerd]

Has anybody dumped the memory on a 4.4.0.7 scope yet?

[Fungus]

BMP has compression: https://en.wikipedia.org/wiki/BMP_file_format#Compression

Sure it does, that was not the point though. You'll want to avoid compression in such application to limit the amount of computing needed to be done, which would slow things down.

Just keeping the facts straight.

A font on something like an oscilloscope would probably be best as a single uncompressed bitplane. BMP can do that.

[janekivi]

For entertainment I dived into DS6000 latest firmware. Header is similar but there is no file names.
Somebody must know them or they in standard order. I found familiar ones but images are in many
of them. Here is are the samples. What is DT-3033A and is it charging something?

[technogeeky]

For entertainment I dived into DS6000 latest firmware. Header is similar but there is no file names.
Somebody must know them or they in standard order. I found familiar ones but images are in many
of them. Here is are the samples. What is DT-3033A and is it charging something?

Can you post the list of tools you are using to analyze the .GEL files?

[janekivi]

File 16 is this

[janekivi]

Tools... what You need. I was using notepad and calculator all the time actually.
Sometimes I need convert or process then I make script for python (with notepad
of course). If I look firmware file in text lister (this is from Total Commander and
[F3 View] button actually what does all the magic for me)  then I look hex numbers
and calculate them in all kind of weird ways with windows calculator. Then in
Total Commander is compare tool in Files -> Compare by content... this is on images
in my previous posts. Then I use some sort of HexEdit because hex data operations
are difficult with notepad. I cut and paste to new files some data.
All other things for image process or unpack or ... I find on the way with google like
7zip and ffmpeg and for raw image opening and guessing is good to use Gimp and
IrfanView. If I stuck on something strange I google for tools to open, process, convert...

There is no standard frmware hacking tool (other than notepad and calculator).
If there is something, they are for some standard files. But anybody try to avoid these
standards to keep us away : )

[janekivi]

Yeah, interesting DS6000 files. First of them is... I don't know, app of some kind.
Text in it:
[Battery]   Installation:   Yes Consumption:    Voltage£?   Current£?   No  [Fan]   Fan1 Speed: Fan2 Speed: [Temperature]   Inlet:  Outlet:
Cryptographic verification operation has started, the certification failed!
DS1204B Rigol   RIGOL Technologies, Inc.    Screen Oscillograph Copyright (c) 2009 Rigol.

Files are all in open format and You can open DS2000, DS4000, DS6000 firmware files
and search for text - battery, temperature, PLUSE

[Dwaine]

That's interesting.  I guess maybe they had their build environment setup for some other product/device.  Then just changed that environment for the scopes?
Oh would it be so nice to have the firmware source in GITHub.  I guess we can only dream.

[smithnerd]

Tools... what You need.

I mostly just use the tools which the average linux distro provides; dd, hd (hexdump), grep, more, tail, head, strings etc. I write a few shell scripts for doing repetitive stuff (often with sed/awk). Rarely do I need to break out the C compiler.

I use Regular Expressions a lot.

binwalk is very useful for quickly identifying files within files.

A hex editor, paper, pencil and a calculator with base-n.