Author Topic: Rigol DSXXXX .GEL firmware file format  (Read 63126 times)


janekivi (Topic starter)
Re: Rigol DSXXXX .GEL firmware file format
« Reply #150 on: April 12, 2018, 09:27:37 pm »
As you may assume we are working on GEL file format day and night.
And we found some weird and wonderful things there.

After taking some lessons from tv84 I have connected IDA to the scope and now all is possible -
from top to the bottom.  Things can be dangerous and destructive but some are safe to try. You will
find them after this format guide:

====================================================================
Rigol DS1000Z GEL file format:
GEL file has header, all the required update files and scrambled footer at the end.
I believe all the hex numbers are in little endian format.

====================================================================

--------------------------------------------------------------------------------------------
00000000 | 44 53 31 30 30 30 5A 00 00 00 00 00 00 00 00 00 | DS1000Z         
00000010 | 30 30 2E 30 34 2E 30 34 2E 30 33 2E 30 32 00 00 | 00.04.04.03.02 
00000020 | 00 07 00 00 0A 00 00 00                         |
--------------------------------------------------------------------------------------------

The GEL header starts with the model number, for which there are 16 bytes (0x00 - 0x0F).
For DS1000Z, DS1000Z is written there in ASCII-ANSI.

The next 16 bytes (0x10 - 0x1F) are for the update version in ASCII-ANSI, like 00.04.04.03.02.
The first 00 is the software branch, which is compared with the last 4 bytes in the SparrowApp.out
header during update.

The next 4 bytes (0x20 - 0x23) are some sort of firmware type "bitmask", as tv84 suggests.
So a normal update has 00 07 00 00 there and updates with a bootloader have 00 0F 00 00.
0000 0111 0000 0000 - normal update file
0000 1111 0000 0000 - update file with bootloader
So there is one bit which may mark bootloader existence.

The next 4 bytes (0x24 - 0x27) are the count of update files in this GEL.
The number is in hex format and 0A 00 00 00 means 10 files in this GEL. One of them is the footer, which is
like a control sum and not used by the scope.

--------------------------------------------------------------------------------------------
00000020 |                         2F 73 79 73 2F 53 70 61 |         /sys/Spa
00000030 | 72 72 6F 77 41 50 50 2E 6F 75 74 00 00 00 00 00 | rrowAPP.out
00000040 | 00 00 00 00 00 00 00 00 13 92 10 00 80 02 00 00 |
00000050 | 1D 3D 2F AE 00 00 00 00 00 00 00 00 01 00 00 00 |  =/®
00000060 | 00 00 00 00                                     |
--------------------------------------------------------------------------------------------

From 0x28 come 60-byte sections with info about every file in the GEL.
The first is usually the app file - SparrowAPP - and all of them are saved in the SYS directory. So all names are
like this first example - /sys/SparrowAPP.out in ASCII-ANSI format. 32 bytes may be reserved for the filename.
The next 4 bytes are this file's length in hex, like 13 92 10 00.
The next 4 bytes are this file's beginning address in the GEL, counted from the first header byte 0x00000000.
For example 80 02 00 00, so right after the last header byte because this is the first file.
The next 4 bytes are this file's CRC32, like 1D 3D 2F AE in little endian.
The next 4 + 4 bytes are always 00 00 00 00 00 00 00 00. Maybe for some other use in some other
equipment firmware.
The next 4 bytes are probably the file type in hex format. App is 0x01, Logo is 0x0A, footer is 0x32.
The scope saves files from the GEL and says in a message box what it is doing; maybe it is used for this.
The last 4 bytes are 00 00 00 00 again and may be a buffer or reserved for some other use.

The last 60-byte info block, about the last file, is the footer info. Only 3 fields are used there - length, which is 0x118,
beginning and file type, which is 0x32. No filename or CRC32 is needed.

====================================================================

--------------------------------------------------------------------------------------------
00000000 | B2 BD E7 A7 03 00 00 00 FB 91 10 00 AA 55 55 AA | ²½ç§    û‘  ªUUª
00000010 | 6E A6 3D 00 00 00 00 00                         | n¦=
--------------------------------------------------------------------------------------------

The files themselves come after the header, with their own 24-byte headers.
The file header's first 4 bytes are the file CRC32 in little endian.
The next 4 bytes are info about compression. This is probably in hex format and also a bitmask.
03 00 00 00 (bitmask 0011) - if there is an LZMA packed app
01 00 00 00 (bitmask 0001) - if there is LZMA packed gui data
00 00 00 00 (bitmask 0000) - if there is a plain file
The next 4 bytes are the file length in little endian.
The next 4 bytes are AA 55 55 AA - unknown.
The next 4 bytes are the software version in little endian, like 6E A6 3D 00 = 4040302.
The next 4 bytes are the software branch 00 00 00 00. tv84 explanation

====================================================================

The last 280 bytes of the GEL are the footer. The footer has its own header and footer. It contains 2 x 128 (0x80) byte parts.

--------------------------------------------------------------------------------------------
00000000 | 80 00 00 00 01 00 00 00 80 00 00 00 01 00 00 00 |
00000010 | 04 00 00 00                                     |
--------------------------------------------------------------------------------------------

First 4 bytes are first part length 0x80
Next 4 bytes are first part bitmask probably ?
Next 4 bytes are second part length 0x80
Next 4 bytes are first part bitmask probably ?
Last 4 bytes are footer length 0x04


Footer last 4 bytes are footer footer...
--------------------------------------------------------------------------------------------
00000110 |             01 00 01 00                         |
--------------------------------------------------------------------------------------------

It is in little endian and used in scope like 10001 (00010001). So this may be the processing bitmask.
One 1 is indicating you need to process one part and second 1 is indicating you need to use second
part for this. When we see it in action we can clarify it later.

Between are the two 128 byte parts which are created by complex obfuscation script.
Some day we see it in action but for now it is black box. Probably you give to it some
parameters to begin and data to scramble.
Data is version string length, update version in ASCII-ANSI and SparrowAPP.out CRC32
without its header.
--------------------------------------------------------------------------------------------
00000000 | 0E 30 30 2E 30 34 2E 30 34 2E 30 33 2E 30 32 B2 |  00.04.04.03.02²
00000010 | BD E7 A7                                        | ½ç§
--------------------------------------------------------------------------------------------

I saw this during my first baby steps in jtag debugging after teammates pointed me out the right place.
After which we started footer descrambler program. I saw there some weak points and made new footer
by hand.

*****************************************************************************

That's why you need to have compressed SparrowAPP.out with the same CRC32. This can be done
by modifying this part CRC for example. GEL itself must have at least 2 files which are SparrowAPP.out
and footer. Then you have files count 2 in header but need to have all other files already in scope.
This is good for updating modified files separately. My dream of having GEL with only LOGO was
crashed...

... to be continued


So next steps with modifying GEL file and doing upgrade or downgrade we cover in following section:

*****************************************************************************
For playing with your GEL and oscilloscope:
*****************************************************************************
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg1478447/#msg1478447
« Last Edit: April 21, 2018, 11:20:39 am by janekivi »
 
The following users thanked this post: Marcos, RoGeorge, Daruosha

bitwelder
Re: Rigol DSXXXX .GEL firmware file format
« Reply #151 on: April 13, 2018, 08:39:00 am »
(Probably I link to this page and I update it in the future)
As you opened the thread, perhaps you can copy the contents of this last post (or whatever 'final results' you'll have to share) to the opening post, so it doesn't get buried in the discussion.
 

tv84
Re: Rigol DSXXXX .GEL firmware file format
« Reply #152 on: April 13, 2018, 10:57:06 am »
Janekivi,

I propose that you use a parsing like this as a reference for your "guide", so everybody can follow the various fields involved.

00000000 - File Type: DS1000Z
00000010 - Version: 00.04.04.03.02
00000020 - Bitmask: 00000700
00000024 - # Sections: 10
Offset    Section Name                SectiSz   StartAdr  CRC32     Type
00000028  /sys/SparrowAPP.out         00109213  00000280  AE2F3D1D  00000001  [00000280-00109492]  CRC OK
00000064  /sys/SparrowFPGA.hex        000C4372  00109493  679334B7  00000005  [00109493-001CD804]  CRC OK
000000A0  /sys/SparrowDGFPGA.hex      00046F04  001CD805  E4FDFCA9  00000006  [001CD805-00214708]  CRC OK
000000DC  /sys/logo.hex               000BB818  00214709  AC2CE5C4  0000000A  [00214709-002CFF20]  CRC OK
00000118  /sys/guiResData.hex         000B6A2C  002CFF21  EFF83A4B  0000000C  [002CFF21-0038694C]  CRC OK
00000154  /sys/guiPicData.hex         0001E6BF  0038694D  B8D72DB2  00000011  [0038694D-003A500B]  CRC OK
00000190  /sys/SparrowConfig.hex      000BB818  003A500C  BAD12B30  00000010  [003A500C-00460823]  CRC OK
000001CC  /sys/SparrowWaveTable.hex   000020E8  00460824  B0445B96  0000000B  [00460824-0046290B]  CRC OK
00000208  /sys/SparrowCalFile.hex     0002329C  0046290C  FBE2BA34  0000000F  [0046290C-00485BA7]  CRC OK
00000244                              00000118  00485BA8  00000000  00000032  [00485BA8-00485CBF]
Offset    CRC32     Flags     Filesize  Endianes  Version     Rsvd
00000280  A7E7BDB2  00000003  001091FB  AA5555AA  4040302     00000000  [00000298-00109492]  CRC OK
00109493  C9AF5D56  00000000  000C435A  AA5555AA  4040302     00000000  [001094AB-001CD804]  CRC OK
001CD805  138E13B9  00000000  00046EEC  AA5555AA  4040302     00000000  [001CD81D-00214708]  CRC OK
00214709  9B4EA177  00000000  000BB800  AA5555AA  4040302     00000000  [00214721-002CFF20]  CRC OK
002CFF21  D7825E44  00000000  000B6A14  AA5555AA  4040302     00000000  [002CFF39-0038694C]  CRC OK
0038694D  01873014  00000001  0001E6A7  AA5555AA  4040302     00000000  [00386965-003A500B]  CRC OK
003A500C  5DEF7058  00000000  000BB800  AA5555AA  4040302     00000000  [003A5024-00460823]  CRC OK
00460824  558BD392  00000000  000020D0  AA5555AA  4040302     00000000  [0046083C-0046290B]  CRC OK
0046290C  7717C897  00000000  00023284  AA5555AA  4040302     00000000  [00462924-00485BA7]  CRC OK

I was under the impression that the software version number is constructed as this:
00. - branch number
xx.00. - version number
xx.xx.00. - subversion number
etc.
 
I think the fact that 0A in branch gives "old version" is because the only chars accepted are decimal numbers. Any other is converted to 0.
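A parser for the layout in janekivi's guide that produces the same checks as tv84's listing, as an added example (not code from the thread or from Rigol). It assumes the CRC32 is the standard zlib CRC-32, that the table entry's CRC covers the whole section and the 24-byte file header's CRC covers only the payload (as the ranges in the listing suggest); `build_sample` and its payloads are constructed for the demonstration.

```python
import struct
import zlib

GEL_HEADER = struct.Struct("<16s16sII")   # model, version, type bitmask, file count (0x28 bytes)
ENTRY = struct.Struct("<32sIII8sII")      # name, size, start, CRC32, zeros, type, reserved (60 bytes)
FILE_HEADER = struct.Struct("<IIIIII")    # CRC32, flags, size, AA5555AA, version, branch (24 bytes)
FOOTER_TYPE = 0x32
MARKER = 0xAA5555AA
BOOTLOADER_BIT = 0x0800                   # the bit that differs between 00 07 00 00 and 00 0F 00 00


def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_gel(blob):
    """Parse the header and section table, then verify every section that fits in the file."""
    if len(blob) < GEL_HEADER.size:
        raise ValueError("truncated GEL header")
    model, version, bitmask, count = GEL_HEADER.unpack_from(blob, 0)
    table_end = GEL_HEADER.size + count * ENTRY.size
    if table_end > len(blob):
        raise ValueError("file count does not fit in the file")
    sections = []
    for i in range(count):
        name, size, start, crc, _zeros, ftype, _rsvd = ENTRY.unpack_from(
            blob, GEL_HEADER.size + i * ENTRY.size)
        sec = {"name": cstr(name), "size": size, "start": start,
               "crc32": crc, "type": ftype, "problems": []}
        sections.append(sec)
        if start < table_end or start + size > len(blob):
            sec["problems"].append("section outside file")
            continue
        if ftype == FOOTER_TYPE:          # footer entry carries no name or CRC32
            continue
        body = blob[start:start + size]
        if zlib.crc32(body) != crc:
            sec["problems"].append("section CRC mismatch")
        if size < FILE_HEADER.size:
            sec["problems"].append("no room for 24-byte file header")
            continue
        fcrc, flags, fsize, marker, fver, branch = FILE_HEADER.unpack_from(body, 0)
        sec.update(flags=flags, version=fver, branch=branch)
        if marker != MARKER:
            sec["problems"].append("AA 55 55 AA marker missing")
        if fsize != size - FILE_HEADER.size:
            sec["problems"].append("length field mismatch")
        elif zlib.crc32(body[FILE_HEADER.size:]) != fcrc:
            sec["problems"].append("payload CRC mismatch")
    return {"model": cstr(model), "version": cstr(version), "bitmask": bitmask,
            "has_bootloader": bool(bitmask & BOOTLOADER_BIT), "sections": sections}


def build_sample():
    """Constructed two-file GEL with an all-zero 0x118-byte footer (not a real footer)."""
    files = [("/sys/SparrowAPP.out", 0x01, 0x03, b"constructed app payload"),
             ("/sys/logo.hex", 0x0A, 0x00, b"constructed logo payload")]
    count = len(files) + 1
    offset = GEL_HEADER.size + count * ENTRY.size
    table, data = b"", b""
    for name, ftype, flags, payload in files:
        section = FILE_HEADER.pack(zlib.crc32(payload), flags, len(payload),
                                   MARKER, 4040302, 0) + payload
        table += ENTRY.pack(name.encode(), len(section), offset,
                            zlib.crc32(section), bytes(8), ftype, 0)
        data += section
        offset += len(section)
    footer = bytes(0x118)
    table += ENTRY.pack(b"", len(footer), offset, 0, bytes(8), FOOTER_TYPE, 0)
    header = GEL_HEADER.pack(b"DS1000Z", b"00.04.04.03.02", 0x0700, count)
    return header + table + data + footer


if __name__ == "__main__":
    info = parse_gel(build_sample())
    print(info["model"], info["version"], "bitmask %08X" % info["bitmask"])
    for s in info["sections"]:
        status = "; ".join(s["problems"]) or "OK"
        print("%-24s %08X %08X %08X %08X  %s" % (
            s["name"], s["size"], s["start"], s["crc32"], s["type"], status))
```
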
 

janekivi (Topic starter)
Re: Rigol DSXXXX .GEL firmware file format
« Reply #153 on: April 13, 2018, 02:55:14 pm »
I can copy this information to the first page but probably I link in my "Gel format guide"
other people findings and work too. Like smithnerd who made footer decrypter arm
version and tv84 who is doing most of the work and probably make x86 footermaker
some day. I don't know where he finds that enthusiasm to push my near nonexistent skills
over the limit while we working on script debugging and even not having this Rigol scope himself :)

I make this longer GEL summary by sections as I test something and some previous talk
about things is in the beginning of this thread. So I make links or repeat them... I don't know yet.
Like: you can't change SparrowApp version number without changing checksum in header and you
can verify GEL file with RigolPacker from Userli. May be we have updated version from that program too.

"Like I said, who knows where we ending with this... at the end or dead end."
there is no dead end any more.
 

tv84
Re: Rigol DSXXXX .GEL firmware file format
« Reply #154 on: April 13, 2018, 04:34:40 pm »
janekivi,

I did it in response to your request and to help you in your/our quest. Thanks to you and to smithnerd! It was a learning process for all!

It's true, I don't have a Rigol but I also don't have a Siglent...   :-DD   

Soon we'll be releasing the footer checker and the magic footer version  ;) that everybody can use to make their own official SparrowAPP without CRC patch workarounds, and life goes on.

Oh, I forgot: maybe I'll look at the scope NAND contents just to have that UFFS completely checked!

The DS1000Z GEL format seems totally busted and, now, the sky is the limit.

And, konnor seems to be the right person to lead the DS1000Z new features revolution!

I'll be looking at other Rigol equipment also. Maybe this footer checking, special USB flash signature, etc. is used in other RIGOL equipment.

For now, it's not necessary to share the footer source code since the magic footer will solve everyone's needs. If RIGOL upgrades the footer validation, we'll repeat the reversing or create another workaround.

You should create the GEL format guide and gather all the infos of your investigations!! And explain the downgrades, etc...
 

janekivi (Topic starter)
Re: Rigol DSXXXX .GEL firmware file format
« Reply #155 on: April 14, 2018, 06:40:27 am »
*****************************************************************************

For playing with your GEL and oscilloscope:

*****************************************************************************
Unbricking the scope may be the first thing.

If something is wrong with the app, the bootloader doesn't load it at next boot and all lights are blinking.
You need probably some older and smaller USB flash drive and known good GEL on it to proceed
with boottime update:
http://int.rigol.com/File/ProductSoftWare/20151124/Firmware%20update%20instruction.pdf
(I think the version must be the same or newer, but I update this information if someone report
something new about this)

*****************************************************************************
The GEL header starts with the model number, like DS1000Z. Altering this row brings up new text
only in the update message and has no other known effect.

*****************************************************************************
Firmware version is presented in GEL header and in all parts headers. They are safe
to change but there are some consequences. Altering it in GEL header second row
00000000 | 44 53 31 30 30 30 5A 00 00 00 00 00 00 00 00 00 | DS1000Z         
00000010 | 30 30 2E 30 34 2E 30 34 2E 30 33 2E 30 32 00 00 | 00.04.04.03.02 
results in a message change when the scope finds the GEL on the flash drive. It compares it with the version
number from the previous SparrowApp.out header, which is saved to the /SYS/ directory during the last
update.
Any number may be written there and nothing much happens. Replacing ASCII-ANSI numbers
in the main header brings up different update menu messages depending on what you have in the previous
app header and what position you change:

"A newer software version detected. Update?"
"An older software version detected. Update?"
"The same software version detected. Update?"
"Warning:the software branch is different. Update?"
"A temporary software detected.Update?"
"An official software detected. Update?"

In SparrowApp header is version number in HEX
00000000 | B2 BD E7 A7 03 00 00 00 FB 91 10 00 AA 55 55 AA | ²½ç§    û‘  ªUUª
00000010 | 6E A6 3D 00 00 00 00 00                         | n¦=
00 3D A6 6E - 4040302
If you change something in here, it will be saved and used to compare next software number in GEL
header. For example, if you write there 6D A6 3D 00, it brings up message "A newer software version
detected" after reboot if it sees the same GEL file on the inserted USB.
You can reset your experiments by correcting numbers in all headers and making new update.
But there are no other side effects detected. In system information are all correct number probably
from SparrowApp. So, changing those numbers is making no change in actual software version
and don't allow any downgrade.
(We talk about this later)
 
*****************************************************************************
Logo in firmware can be safely modified.
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg984434/#msg984434
In next discussion is covered its format and other details

*****************************************************************************
guiPicData can basically be modified the same way.
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg985362/#msg985362
This is packed file from every graphics used in scope GUI. guiPicData compression is optional.
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg987165/#msg987165

*****************************************************************************
guiResData is explained little bit by konnor
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1478454/#msg1478454

*****************************************************************************
Footer...
Modifying its contents allow you to change app easily. Otherwise you need to match original
CRC32 of SparrowApp.out. This of course can be done with any CRCManipulator which is
adding 4 bytes to the end of the file to achieve desired CRC32.
Simplest footer I found this far is 54 bytes (0x36). It must contain 13 bytes from original and
required attributes.
--------------------------------------------------------------------------------------------
00000000 | 13 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 |
00000010 | 00 00 00 00 0E 30 30 2E 30 34 2E 30 34 2E 30 30 |      00.04.04.00
00000020 | 2E 30 37 B2 5D 43 F6 00 00 00 00 00 00 00 00 00 | .07²]Cö
00000030 | 00 00 00 00 00 00 00 00 00 00                   |
--------------------------------------------------------------------------------------------
First 4 bytes are first part length
Next 4 bytes are first part bitmask ?
Next 4 bytes are second part length
Next 4 bytes are second part bitmask ?
Next 4 bytes are footer length
Next 13 bytes are footer first part - the decoded footer contents
Next 13 bytes are footer second part

My first try was with the same footer length and all its components. I was filling all unused
components with 00. The same way can footer made with any length. As shown here by tv84:
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg1479419/#msg1479419

I did test with shorter footer too like:
00000000 | 13 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 |
00000010 | 00 00 00 00 0E 30 30 2E 30 34 2E 30 34 2E 30 33 |      00.04.04.03
00000020 | 2E 30 32 41 13 AC 82                            | .02A ¬‚
but this is working probably by reading following zeroes from memory as required
second part data.

Do not change the firmware version higher than you have it in the oscilloscope.
This is going to be your highest version number the scope have used. Firmware with
smaller version number isn't allowed to save. It is best to have it always "your scope
highest version number".
Otherwise you must alter every future update file!


May be there comes handy Rigol SuperFlash which allow you to reset your scope...
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1473517/#msg1473517
I did some tests and it allow you to update any file and version is saved from it.

Best practice is not to use GEL files made by other people from now, make your own!

*****************************************************************************
Downgrade can be very easily achieved by using footer manipulation.
You can take previous firmware file and replace his footer. There must be changed
"your scope highest version number" (see in footer section).
For example:
you have 00.04.04.03.02 in the scope. You take 00.04.04.01.01 GEL file and strip it 280 byte
footer. For new footer you need SparrowApp.out CRC32 from its header at 0x00000280
which you know by looking from header where are file beginning addresses. So it is 41 13 AC 82.
Your scope highest version number = 00.04.04.03.02 so far and new footer must look like:

00000000 | 13 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 |
00000010 | 00 00 00 00 0E 30 30 2E 30 34 2E 30 34 2E 30 33 |      00.04.04.03
00000020 | 2E 30 32 41 13 AC 82 00 00 00 00 00 00 00 00 00 | .02A ¬‚
00000030 | 00 00 00 00 00 00                               |

Nothing else is necessary to change, only footer length in header. There is nothing
serious if you forget this. Afterwards you can reflash 00.04.04.03.02 back.
But if you alter "your scope highest version number" you must alter it again to
allow it to be at least the same as in your previous file.

*****************************************************************************




... to be continued
« Last Edit: April 27, 2018, 10:11:44 pm by janekivi »
 

janekivi (Topic starter)
Re: Rigol DSXXXX .GEL firmware file format
« Reply #156 on: April 14, 2018, 10:04:25 am »
I like to see some more disassembly like from update version calculation.
What is "An official software..." and how they affect update. There are more interesting functions.

I saw function names from konnor DS1000Z-00.04.04.03.02 SparrowApp and made IDA script from it.
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1467137/#msg1467137

He made new one, mine is updated too.
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1478726/#msg1478726



I add more here if I found.
« Last Edit: April 15, 2018, 08:48:22 am by janekivi »
 

tv84
Re: Rigol DSXXXX .GEL firmware file format
« Reply #157 on: April 15, 2018, 11:34:28 am »
Footer deobfuscated (as janekivi explained).

And, now that we understand what is the other int32 in the files header (software branch), here is an updated parsing of all the DS1000 GELs available.

Regarding the update messages shown by the scope when updating, the different msgs are decided by:

if (gelBranch == scopeBranch)
  gelVer == scopeVer -> same FW
  gelVer <  scopeVer -> older FW
  gelVer >  scopeVer -> newer FW

else if (gelBranch > 0)
  gelVer(high16) >=  scopeVer(high16) -> temporary FW
  gelVer(high16) <   scopeVer(high16) -> different SW branch

else
  gelVer(high16) >=  scopeVer(high16) -> official FW           
  gelVer(high16) <   scopeVer(high16) -> different SW branch
« Last Edit: April 15, 2018, 02:09:07 pm by tv84 »
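The decision table above, combined with the version fields and message strings janekivi listed, as an added example (not code from the thread or the firmware). It assumes "high16" means the upper 16 bits of the 32-bit version integer and that the GEL version string is five two-digit decimal groups; the function names are made up for the illustration.

```python
import struct

# Message texts exactly as listed earlier in the thread.
MESSAGES = {
    "same": "The same software version detected. Update?",
    "older": "An older software version detected. Update?",
    "newer": "A newer software version detected. Update?",
    "temporary": "A temporary software detected.Update?",
    "official": "An official software detected. Update?",
    "branch": "Warning:the software branch is different. Update?",
}


def parse_gel_version(text):
    """'00.04.04.03.02' -> (branch, version), e.g. (0, 4040302)."""
    parts = text.split(".")
    if len(parts) != 5 or not all(len(p) == 2 and p.isdigit() for p in parts):
        raise ValueError("expected five two-digit groups, got %r" % text)
    return int(parts[0]), int("".join(parts[1:]))


def parse_header_tail(raw8):
    """Last 8 bytes of a 24-byte file header: version then branch, both little endian."""
    version, branch = struct.unpack("<II", raw8)
    return branch, version


def update_message(gel, scope):
    """gel and scope are (branch, version) pairs; returns the message the table selects."""
    gel_branch, gel_ver = gel
    scope_branch, scope_ver = scope
    if gel_branch == scope_branch:
        if gel_ver == scope_ver:
            return MESSAGES["same"]
        return MESSAGES["older"] if gel_ver < scope_ver else MESSAGES["newer"]
    # Branches differ: only the upper 16 bits of the version are compared (assumption, see lead-in).
    if (gel_ver >> 16) >= (scope_ver >> 16):
        return MESSAGES["temporary"] if gel_branch > 0 else MESSAGES["official"]
    return MESSAGES["branch"]


if __name__ == "__main__":
    gel = parse_gel_version("00.04.04.03.02")
    # Scope header edited to 6D A6 3D 00, the case janekivi describes.
    scope = parse_header_tail(bytes.fromhex("6DA63D0000000000"))
    print(gel, scope, update_message(gel, scope))
```
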
 

tv84
Re: Rigol DSXXXX .GEL firmware file format
« Reply #158 on: April 17, 2018, 08:11:07 pm »
Regarding the SparrowBootloader.sb known versions:

BootVersion 0.0.0.11 (GEL 02.00.01.00 02-09-2013) -> SparrowBootloader.sb with creation time: 02-08-2013 12:00:21
BootVersion 0.0.0.12 (GEL 02.01.01.00 31-10-2013) -> SparrowBootloader.sb with creation time: 25-09-2013 13:54:22
BootVersion 0.0.1.0 (GEL 04.00.00.00 18-03-2014) -> SparrowBootloader.sb with creation time: 20-02-2014 12:54:39
BootVersion 0.0.1.1 (GEL 04.01.02.00 28-07-2014) -> SparrowBootloader.sb with creation time: 04-05-2014 19:30:44
BootVersion 0.0.1.2 (taken from a MSO dump       ) -> SparrowBootloader.sb with creation time: 16-09-2014 14:04:36
BootVersion 0.0.1.2 (GEL 04.02.03.00 21-10-2014) -> SparrowBootloader.sb with creation time: 17-10-2014 10:14:44
BootVersion 0.0.1.3 (GEL 04.02.04.07 31-12-2014) -> I haven't yet seen this bootloader!
BootVersion 0.0.1.4 (GEL 04.04.01.01 14-09-2016) -> SparrowBootloader.sb with creation time: 27-04-2015 14:28:39
BootVersion 0.0.1.5 (taken from a dump               ) -> SparrowBootloader.sb with creation time: 16-11-2017 14:03:38

If anyone has others, please post.

The bootloader blocks parsing is attached.
« Last Edit: March 25, 2019, 10:01:52 pm by tv84 »
 

Shock
Re: Rigol DSXXXX .GEL firmware file format
« Reply #159 on: April 18, 2018, 09:53:10 pm »
Regarding the SparrowBootloader.sb known versions:

GEL 4.0.0.0 -> SparrowBootloader.sb with creation time: 20-02-2014 12:54:39
BootVersion 0.0.1.2 -> SparrowBootloader.sb with creation time: 17-10-2014 10:14:44
GEL 4.4.1.1 -> SparrowBootloader.sb with creation time: 27-04-2015 14:28:39

If anyone has others, please post.

0.04.04.03.02 2017/02/06 almost suggests it might have the file as the release notes mentioned a bootloader fix, but it's not listed in the header. Have you checked that version?
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

tv84
Re: Rigol DSXXXX .GEL firmware file format
« Reply #160 on: April 20, 2018, 05:41:25 pm »
Files itself coming after header with their own 24 byte headers.
File headers first 4 bytes is file CRC32 in little endian.
Next 4 bytes are info about compression. This is probably in hex format and also bitmask.
03 00 00 00 (bitmask 0011) - if there is LZMA packed app
01 00 00 00 (bitmask 0001) - if there is LZMA packed gui data
00 00 00 00 (bitmask 0000) - if there is plain file
Next 4 bytes are file length in little endian.
Next 4 bytes are AA 55 55 AA - unknown.
Next 4 bytes are software version in little endian like 6E A6 3D 00 = 4040302.
Next 4 bytes are software branch 00 00 00 00. tv84 explanation

An addon to the explanation of these last 8 bytes:

The model's version (as placed in the GEL's header) is: 00.04.04.03.02

the RED is the software branch
the BLUE is the version number

In the region of the 24-bytes headers, quoted above, the last 8 bytes are:

4 bytes are software version in little endian like 6E A6 3D 00 = 04.04.03.02
4 bytes are software branch 00 00 00 00 = 00

If we look at the whole 8 bytes in little-endian the (4 bytes) branch comes before the (4 bytes) version.

This is important because when we want to upload a "temporary version" (like the one in the attached picture), one must change these "branch" bytes of the SparrowAPP file.

An "official version" appears when there is a previous "temporary version" installed in the scope, and we change the branch to 00.
« Last Edit: April 21, 2018, 08:36:20 am by tv84 »
 

janekivi (Topic starter)
Re: Rigol DSXXXX .GEL firmware file format
« Reply #161 on: April 21, 2018, 11:32:27 am »
0.04.04.03.02 2017/02/06 almost suggests it might have the file as the release notes mentioned a bootloader fix, but it's not listed in the header. Have you checked that version?

As you can see in my parsing file DS1000_parsing_v2.txt, in previous msgs, the only 04.04.03.02 that is publicly available doesn't have a bootloader.

But, someone who has a factory 4.4.3.2 might have a bootloader in its NAND. So, if they could extract it or from NVRAM...

Then I would assume 4.4.1.1 is 1.3 and the 4.4.3.2 has a 1.4.

Needs to be checked by you guys.

In 00.04.00.00.00 is bootloader 0.0.1.0.
I got mine from factory with 0.0.1.2 and have extracted it from memory here.
From NAND I extracted this 00.04.04.01.01 where was bootloader 0.0.1.4.

Now you need to find out how this is stored there because I can't find it by debugging...
 
The following users thanked this post: tv84

konnor
Re: Rigol DSXXXX .GEL firmware file format
« Reply #162 on: April 21, 2018, 01:36:21 pm »
LOAD:41047414 MainProcess                             ; DATA XREF: LOAD:MQX_template_listo
LOAD:41047414                 STMFD   SP!, {R12,LR}
LOAD:41047418                 MOV     R0, BootVersion
LOAD:41047420                 MOV     R1, 0x10010
LOAD:41047428                 STR     R1, [R0]

 
The following users thanked this post: tv84

Shock
Re: Rigol DSXXXX .GEL firmware file format
« Reply #163 on: April 21, 2018, 03:20:01 pm »
According to Rigol, these three firmware had associated bootloader:
00.04.00.00.00   0.0.1.0 released on 20140318
00.04.01.02.00   0.0.1.1 released on 20140728
00.04.02.03.00   0.0.1.2 released on 20141021

Then there was:
00.04.02.04.07 0.0.1.? released on 20141231

My scope (build date 2015/03) came with:
00.04.03.00.01 0.0.1.3 released on 20150505
 
The following users thanked this post: tv84

janekivi (Topic starter)
Re: Rigol DSXXXX .GEL firmware file format
« Reply #164 on: April 21, 2018, 04:14:05 pm »
LOAD:41047414 MainProcess                             ; DATA XREF: LOAD:MQX_template_listo
LOAD:41047414                 STMFD   SP!, {R12,LR}
LOAD:41047418                 MOV     R0, BootVersion
LOAD:41047420                 MOV     R1, 0x10010
LOAD:41047428                 STR     R1, [R0]

So bootloader is writing it into memory? I see app is reading it from somewhere.
Where the version is hidden in bootloader?
 

konnor
Re: Rigol DSXXXX .GEL firmware file format
« Reply #165 on: April 21, 2018, 04:28:51 pm »
The fragment of code (from the loader) that writes the version code I cited above. I do not know of any other version storage locations in the bootloader. The main firmware simply reads the version from memory.
 

tv84
Re: Rigol DSXXXX .GEL firmware file format
« Reply #166 on: April 21, 2018, 05:23:56 pm »
I updated my previous post about the Bootloaders versions with the information shared in these last posts.

https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg1481222/#msg1481222

If you see any error or have any of the missing versions (or NAND/NVRAM dumps) please post or pm me.
 

tv84
Re: Rigol DSXXXX .GEL firmware file format
« Reply #167 on: April 21, 2018, 07:06:54 pm »
As konnor suggested (I only suspected :) ), the bootloader version is HARDCODED in the code (one of the last functions in the block). Here is an extract of the bootloaders that I have:

Bootloader v1.0 - MainProcess
00 50 2D E9                             STMFD           SP!, {R12,LR}
FC 00 A0 E3 7F 0C 80 E3           MOV             R0, #0x7FFC
10 10 A0 E3 40 1B 81 E3           MOV             R1, #0x10010 ; BOOT VERSION
00 10 80 E5                             STR             R1, [R0]

Bootloader v1.2 - MainProcess
10 40 2D E9                             STMFD           SP!, {R4,LR}
00 40 B0 E1                             MOVS            R4, R0
FC 00 A0 E3 7F 0C 80 E3          MOV             R0, #0x7FFC
12 10 A0 E3 40 1B 81 E3          MOV             R1, #0x10012 ; BOOT VERSION
00 10 80 E5                             STR             R1, [R0]

Bootloader v1.4 - MainProcess
10 40 2D E9                             STMFD           SP!, {R4,LR}
00 40 B0 E1                             MOVS            R4, R0
FC 00 A0 E3 7F 0C 80 E3          MOV             R0, #0x7FFC
14 10 A0 E3 40 1B 81 E3          MOV             R1, #0x10014 ; BOOT VERSION
00 10 80 E5                             STR             R1, [R0]

Finally, now we can see the version of a bootloader without loading it into the scope.
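
Added example, not code from any poster in this thread: a scanner that reads the hardcoded version out of an unpacked bootloader image by locating the `MOV R0, #0x7FFC` bytes quoted above and decoding the two ARM immediates that build the value stored by `STR R1, [R0]`. It assumes the image contains the sequence exactly as quoted; the `label()` mapping from the low byte to "v1.x" is inferred from the labels in the post, and `SAMPLE` is constructed from the quoted v1.2 bytes.

```python
import struct

# MOV R0,#0xFC ; ORR R0,R0,#0x7F00 -> R0 = 0x7FFC (bytes as quoted in the post).
# IDA shows each MOV/ORR pair as a single MOV with the combined constant.
ANCHOR = bytes.fromhex("FC00A0E3 7F0C80E3")
STR_R1_R0 = 0xE5801000  # STR R1,[R0]


def arm_imm(word):
    """Decode an ARM data-processing immediate: imm8 rotated right by 2*rot."""
    imm8, rot = word & 0xFF, ((word >> 8) & 0xF) * 2
    return ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF


def find_boot_versions(blob):
    """Return [(file_offset, version_word)] for each version-store sequence."""
    hits, pos = [], blob.find(ANCHOR)
    while pos != -1:
        tail = blob[pos + 8:pos + 20]
        if len(tail) == 12:  # skip an anchor truncated by end of file
            mov, orr, store = struct.unpack("<3I", tail)
            # Expect MOV R1,#imm ; ORR R1,R1,#imm ; STR R1,[R0]
            if (mov & 0xFFFFF000 == 0xE3A01000
                    and orr & 0xFFFFF000 == 0xE3811000
                    and store == STR_R1_R0):
                hits.append((pos, arm_imm(mov) | arm_imm(orr)))
        pos = blob.find(ANCHOR, pos + 4)
    return hits


def label(version_word):
    """Assumption: the low byte's nibbles give the 'v1.2' style label."""
    return "v%d.%d" % ((version_word >> 4) & 0xF, version_word & 0xF)


# Constructed sample: padding + the v1.2 MainProcess bytes from the post + padding.
SAMPLE = (b"\x00" * 16
          + bytes.fromhex("10402DE9 0040B0E1 FC00A0E3 7F0C80E3"
                          "1210A0E3 401B81E3 001080E5")
          + b"\xff" * 8)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, ver in find_boot_versions(data):
        print("0x%06X  0x%05X  %s" % (off, ver, label(ver)))
```

Run it with the path of the unpacked bootloader as the only argument; with no argument it decodes the embedded sample.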
 

Offline janekiviTopic starter

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Rigol DSXXXX .GEL firmware file format
« Reply #168 on: April 22, 2018, 02:20:44 pm »
It's funny how we hack all this backwards. I do some dirty hardware hack and then you
disassemble it right way. I have EEPROM there with connector and did flash it in TL866
with different files to see their versions.
Now it is simple. You take SparrowBootloader.sb, unpack it with sbtool, take a look at the
right address and all is clear :)

For example there is my bootloader, version 0.0.1.2
In hex is the main function region with version number.
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: Rigol DSXXXX .GEL firmware file format
« Reply #169 on: December 18, 2018, 11:30:51 am »
I'm wondering if anyone has done anything with the most recent MSO5000/7000 and their Gel file? It's looking a bit different from previous versions.
On a quest to find increasingly complicated ways to blink things
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Rigol DSXXXX .GEL firmware file format
« Reply #170 on: December 19, 2018, 08:57:40 pm »
I'm wondering if anyone has done anything with the most recent MSO5000/7000 and their Gel file? It's looking a bit different from previous versions.

It's a simple .TAR file.
 

Offline emartine

  • Contributor
  • Posts: 39
  • Country: ar
Re: Rigol DSXXXX .GEL firmware file format
« Reply #171 on: February 22, 2019, 07:26:41 pm »
Anyone know what's the file that stores the channel colors?
would be great to change the 3rd channel color to red..

I believe channel RGB values are:
ch1: 255, 255, 0
ch2: 0, 255, 255
ch3: 255, 0, 255
ch4: 0, 130, 255
« Last Edit: February 22, 2019, 07:36:49 pm by emartine »
 

Offline emartine

  • Contributor
  • Posts: 39
  • Country: ar
Re: Rigol DSXXXX .GEL firmware file format
« Reply #172 on: March 12, 2019, 01:17:06 pm »
So, anyone knows if there is a chance to change channel colors??
Are they stored somewhere in the GEL firmware file?

Thanks!
 

Offline SERJSOCHI

  • Contributor
  • Posts: 14
  • Country: ru
Re: Rigol DSXXXX .GEL firmware file format
« Reply #173 on: August 22, 2020, 09:44:45 pm »
I tried to recolor CH3 ray, but I was able to recolor only the labels of the left menu :( Thanks konnor for help with repack. There are no ideas yet on how to change the color.
(tested at ds1054z, base FW 00.04.04.04.03, project folder https://yadi.sk/d/-GBWnMQ16S703g)
« Last Edit: August 22, 2020, 11:50:03 pm by SERJSOCHI »
 
The following users thanked this post: Fungus, RoGeorge, rob040, maelh

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Rigol DSXXXX .GEL firmware file format
« Reply #174 on: August 22, 2020, 11:32:37 pm »
The colors of the trace might come directly from the FPGA.

 

