Author Topic: Siglent .ads firmware file format  (Read 38819 times)


Offline steffenmauch

  • Contributor
  • Posts: 29
  • Country: de
Siglent .ads firmware file format
« on: January 31, 2016, 10:01:46 am »
Hey,

Does any of you have more information on how the .ads file from Siglent can be read?
I am curious what kind of encryption is used.
Some dumps are available of e.g. the SDG2000x application ... has anyone with IDA skills already been successful?

Thanks.
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 13032
  • Country: nz
  • NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #1 on: January 31, 2016, 04:20:04 pm »
Hey,

Does any of you have more information on how the .ads file from Siglent can be read?
I am curious what kind of encryption is used.
Some dumps are available of e.g. the SDG2000x application ... has anyone with IDA skills already been successful?

Thanks.
According to a Google search, the .ads file format is probably linked to the Linux OS:
http://fileinfo.com/extension/ads

In a recent interview by Dave with the head of Siglent, Eric Quin, it was revealed that the main OS in Siglent products is Linux.
Sorry, that's all I know, but it might point you in the right direction.  ;)

FYI, for all Siglent products on which I have installed new FW, the FW updates have been in .ads format (unpacked and ready to install).
Avid Rabid Hobbyist
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 6108
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: Siglent .ads firmware file format
« Reply #2 on: January 31, 2016, 05:04:01 pm »
Ah, thanks for the references tautech.
You don't acquire TEA. It acquires you.
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 2830
  • Country: fi
  • Starting with DLL21
Re: Siglent .ads firmware file format
« Reply #3 on: January 31, 2016, 07:38:29 pm »
I do not want to say this has anything to do with Siglent equipment, but about .ADS:
it is the file extension used by Ada.

Whether it (the file extension) is a coincidence or not, I will not take any position.
Of course, it would be interesting if Siglent uses it or has been in contact with this Ada (military, aviation, industry...).

If there is Linux: http://www.pegasoft.ca/resources/boblap/4.html
(The Big Online Book of Linux Ada Programming)

What is Ada?
https://www.adacore.com/adaanswers/about/ada

Example:
  three_d.ads
    three_d-opengl.ads
    three_d-animation.ads
      three_d-animation-sequences.ads
« Last Edit: January 31, 2016, 07:43:48 pm by rf-loop »
If practice and theory are not equal, it tells that the used application of the theory is wrong or the theory itself is wrong.
It is much easier to think an apple fall to the ground than to think that the earth and the apple will begin to move toward each other and collide.
 

Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Siglent .ads firmware file format
« Reply #4 on: February 01, 2016, 02:15:43 pm »
I have reverse-engineered the ads firmware file format of the SDG2000X. I think the others might use the same format but a different encryption key.
 

Offline steffenmauch

  • Contributor
  • Posts: 29
  • Country: de
Re: Siglent .ads firmware file format
« Reply #5 on: February 01, 2016, 06:32:54 pm »
@analogNewbie:
Could you share your information about the cryptography being used, as well as how to find the encryption key?
 

Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Siglent .ads firmware file format
« Reply #6 on: February 01, 2016, 07:55:29 pm »
I found the key and the decrypt code in the SDG2000x app file with IDA. It's not so easy to do. You have to be very familiar with the 3DES algorithm, since they modified it or implemented it the wrong way.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #7 on: June 23, 2016, 10:25:56 pm »
One day I took my notepad and calculator out again (ads0.jpg)
and took a good look inside the SDG2000 ads file.
Since they overwrite the passwd file during a new firmware upgrade, this file must be changed
if you like to log in by telnet. But what file is this ADS? I have not found the crypt yet, but I can show
some files. Firmware P17R5 and P21R2 have the same root password, but I think this is not
crackable, and because of the update this has no point either.   (ads1.jpg)
The zipped passwd file is very similar to this section in the ADS file. (ads2.jpg)
But there is one trick they did. After the firmware file is complete, they XOR-ed it with FF by
some kind of pattern. One such point is at position 15BD. (ads3.jpg)
All may not be fully accurate, but it may illustrate a bit this structure from the
P21R2.ADS or P17R5.ADS file here:
(after I XOR-ed 71 back to 8E)
Code:
00000000 | 50 4B 03 04 14 00 00 00 08 00 11 56 2F 48 8B 48 | PK.........V/H.H |
00000010 | 08 21 3B 00 00 00 3C 00 00 00 0E 00 1C 00 61 70 | .!;...<.......ap |
00000020 | 70 2F 65 74 63 2F 73 68 61 64 6F 77 55 54 09 00 | p/etc/shadowUT.. |
00000030 | 03 02 5E 98 56 02 5E 98 56 75 78 0B 00 01 04 E8 | ..^.V.^.Vux..... |
00000040 | 03 00 00 04 E8 03 00 00 2B CA CF 2F B1 52 31 54 | ........+../.R1T |
00000050 | F1 F3 29 F7 CD 32 F4 AF 50 31 AC 34 89 74 4B 8E | ..)..2..P1.4.tK. |
00000060 | 88 CC 8C F2 F4 29 0C 4D CD 70 71 F3 2E 75 32 B4 | .....).M.pq..u2. |
00000070 | 32 34 35 33 37 B2 32 B0 B2 04 01 2B 73 2B 2B 2B | 24537.2....+s+++ |
00000080 | 2E 2E 00                                        | ...              |


Signature 50 4B 03 04
Version 14 00 (= 20 -> 2.0)
Flags 00 00 (no flags)
Compression method 08 00 (deflated)
File modification time 11 56 (0101 0110 0001 0001)
hour   = (01010)11000010001 = 10
minute = 01010(110000)10001 = 48
second = 01010110000(10001) = 17 = 34 seconds
10:48:34
File modification date 2F 48 (0100 1000 0010 1111)
year  = (0100100)000101111 = 36
month = 0100100(0001)01111 = 1
day   = 01001000001(01111) = 15
01/15/2016
CRC-32 checksum 8B 48 08 21 (2108488B)
Compressed size 3B 00 00 00 (59 bytes)
Uncompressed size 3C 00 00 00 (60 bytes)
File name length 0E 00 (14 bytes)
Extra field length 1C 00 (28 bytes)
File name "app/etc/shadow"
Extra field id 55 54: extended timestamp, size: 9 bytes
data size 09 00 (9 bytes)
data bytes 03 02 5E 98 56 02 5E 98 56
id 75 78 (Unix UID/GID)
data size 0B 00 (11 bytes)
data bytes 01 04 E8 03 00 00 04 E8 03 00 00
Packed data 2B CA CF 2F ...... 2E 2E 00 (59 bytes)
 
The following users thanked this post: AxaRu
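The header decode above done by program rather than by notepad and calculator, as an added example that is not part of the original post or any Siglent code. The bytes are transcribed from the hex dump in the post (0x00 to 0x82, 131 bytes, after the one XOR-ed byte at 0x5F was restored); field layout follows the ZIP local-file-header specification and the Info-ZIP "UT" (0x5455) and "ux" (0x7875) extra-field records. The inflate/CRC check at the end only reports whether the payload is intact, which is the useful integrity signal when hunting for further XOR-ed bytes.

```python
"""Parse a ZIP local file header plus Info-ZIP extra fields (added example)."""
import struct
import zlib

# Constructed from the dump in the post: 30-byte header, 14-byte name,
# 28-byte extra field, 59 bytes of raw-deflate data (131 bytes total).
DUMP = bytes.fromhex(
    "504b030414000000080011562f488b48"
    "08213b0000003c0000000e001c006170"
    "702f6574632f736861646f7755540900"
    "03025e9856025e985675780b000104e8"
    "03000004e80300002bcacf2fb1523154"
    "f1f329f7cd32f4af5031ac3489744b8e"
    "88cc8cf2f4290c4dcd7071f32e7532b4"
    "3234353337b232b0b204012b732b2b2b"
    "2e2e00"
)

# sig, version, flags, method, mod time, mod date, crc32, csize, usize, nlen, xlen
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30 bytes, little-endian


def dos_time(t):
    """DOS time: 5 bits hour, 6 bits minute, 5 bits second/2."""
    return (t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


def dos_date(d):
    """DOS date: 7 bits year since 1980, 4 bits month, 5 bits day."""
    return (1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F)


def parse_extra(extra):
    """Split the extra field into {id: data}; each record is id(2) size(2) data."""
    fields, pos = {}, 0
    while pos + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, pos)
        fields[fid] = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return fields


def parse_local_entry(buf):
    (sig, ver, flags, method, mtime, mdate, crc,
     csize, usize, nlen, xlen) = LOCAL_HEADER.unpack_from(buf, 0)
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    name_end = 30 + nlen
    extra = parse_extra(buf[name_end:name_end + xlen])
    info = {
        "version": ver, "flags": flags, "method": method,
        "mtime": dos_time(mtime), "mdate": dos_date(mdate),
        "crc32": crc, "compressed_size": csize, "uncompressed_size": usize,
        "name": buf[30:name_end].decode("ascii"),
        "data": buf[name_end + xlen:name_end + xlen + csize],
    }
    if 0x5455 in extra:  # "UT": flags byte, then up to two 32-bit Unix times
        ut = extra[0x5455]
        times = struct.unpack_from("<%dI" % ((len(ut) - 1) // 4), ut, 1)
        info["unix_mtime"] = times[0]
    if 0x7875 in extra:  # "ux": version, uid size, uid, gid size, gid
        ux = extra[0x7875]
        uid_size = ux[1]
        info["uid"] = int.from_bytes(ux[2:2 + uid_size], "little")
        gid_size = ux[2 + uid_size]
        gid_start = 3 + uid_size
        info["gid"] = int.from_bytes(ux[gid_start:gid_start + gid_size], "little")
    return info


def payload_is_intact(entry):
    """Inflate the raw-deflate payload and compare it with the stored length and CRC-32.

    A False here means the hand-copied bytes were not fully de-XOR-ed (or the
    dump is corrupt); it never returns the decompressed content itself.
    """
    if entry["method"] != 8:
        return False
    try:
        plain = zlib.decompress(entry["data"], -15)  # -15: raw deflate, no zlib header
    except zlib.error:
        return False
    return len(plain) == entry["uncompressed_size"] and zlib.crc32(plain) == entry["crc32"]


if __name__ == "__main__":
    e = parse_local_entry(DUMP)
    print({k: v for k, v in e.items() if k != "data"})
    print("payload intact:", payload_is_intact(e))
```

The Unix mtime in the "UT" record (0x56985E02, 2016-01-15 02:48:34 UTC) agrees with the DOS timestamp 10:48:34 once an eight-hour local offset is applied, which is a handy cross-check that the header bytes were copied correctly.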

Offline kmike

  • Contributor
  • Posts: 27
  • Country: de
Re: Siglent .ads firmware file format
« Reply #8 on: June 24, 2016, 01:19:00 am »
Anyway, if someone wants to give it a try:
root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1:15672:0:99999:7:::

Edit: this is of course encrypted  :(

br,
mike
« Last Edit: June 24, 2016, 01:32:09 am by kmike »
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 448
  • Country: us
Re: Siglent .ads firmware file format
« Reply #9 on: June 24, 2016, 03:29:44 am »
I had started John The Ripper running against that password back on the 18th just out of curiosity (haven't used a password cracker in so long, probably didn't do it right) and then forgot about it shortly after that. After seeing your post I remembered and so checked in on it. It had run for close to 3 days until we lost power the other night and my computer had shut down. No luck on getting the password, so either I did something wrong when I started running the cracker or they didn't pick a super simple password (at least one that would be in the word file I used). Probably a combination of the two.

Edit: Typos
 

Online TheSteve

  • Supporter
  • ****
  • Posts: 2593
  • Country: ca
  • GHz or bust
Re: Siglent .ads firmware file format
« Reply #10 on: June 24, 2016, 03:32:31 am »
I'll probably give it a shot as well and will start it running tonight. The last one I did took several days; I'm not using the fastest computer around.
VE7FM
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #11 on: June 24, 2016, 09:14:47 am »
If you want to beat my notepad and calculator...
you need
https://hashcat.net/oclhashcat/
and
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
https://sagitta.pw/hardware/gpu-compute-nodes/brutalis/
The password is not simple and short and not from some dictionary. For a reasonable time you need to come up with
some masks and rules too. (I tried them with a single R9 390 : )

(Found that FF XOR mask. Next I think I need a checksum or something)
 
The following users thanked this post: AxaRu

Offline kmike

  • Contributor
  • Posts: 27
  • Country: de
Re: Siglent .ads firmware file format
« Reply #12 on: June 24, 2016, 09:45:30 pm »
After watching a nice video, I decided to open up my generator.

No rust in there   ;D

The serial port is easily accessible, and the command prompt is also there. After connecting, the normal "upgrade" can still be done.

br,
mike

 
The following users thanked this post: tautech, AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #13 on: June 24, 2016, 10:56:03 pm »
But how about this: the ads file is too easily accessible
 
The following users thanked this post: tautech, AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #14 on: June 26, 2016, 04:53:18 am »
This is better, but they are driving my notepad and calculator red hot.
There are some tricks they did; I will never guess all of them.
But all ADS files are not the same. Scopes, for example, are not
like this SDG800-based generator and multimeter. But the spectrum
analyzer is.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #15 on: July 01, 2016, 03:44:44 am »
So far I managed to scroll up and down with notepad and calculate some patterns to open
and extract similar ADS files. But I can't get everything out of them and I run into something at the end
of the file. Some portion of the ZIP data in some small places is changed. Maybe this is the crypt...
 
The following users thanked this post: MasterTech

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #16 on: July 01, 2016, 11:16:45 pm »
So what code are you using to work out the initial decode of the ADS files?

Has anyone started on the SDG10xx model firmware?

--
 Darryl

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #17 on: July 14, 2016, 01:33:18 am »
There are many different ADS file types. SDG1000 has some similar XOR FF patterns
with the other packed multi-file firmwares, but inside here is something like a boot or
dump image. As you know, the SDG1000 series is similar to the LeCroy WaveStation
and the firmware files are very similar too. Like wavestation_2000_v1.01.02.36.ads
and SDG1000-V100R001B01D01P36.ADS. Half of the file is practically the same.
http://www.eevblog.com/forum/testgear/siglent-sdg1000-(aka-lecroy-wavestation)-firmware-updates/
SDG800 and SPD3303X files are a bit similar to it, but the SDS2000X file is very different again.

I have no progress with 3DES and can't read the whole file. I can't disassemble apps.
I can, but I don't see anything understandable there...

I don't have a notepad powerful enough : (  and calculator : ( and paper big enough.
I think my pencil is not sharp enough.
 
The following users thanked this post: AxaRu

Offline flynnjs

  • Contributor
  • Posts: 24
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #18 on: July 14, 2016, 08:53:24 am »
The 3DES key is fairly easy to find, as are the 3DES functions.
I haven't been bothered to pick through them yet to see what has
been implemented in a non-standard way...

Is it the key expansion, the order of the functions..? Give us a clue   :=\

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #19 on: July 16, 2016, 12:59:27 am »
After choosing a better hammer for the SDG1000 file I see 2 files there. They are using the same XOR FF
pattern and part of the file is crypted. One file is some FPGA data? and the other is some binary program?
But what kind of... I see the familiar signatures nowhere.
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #20 on: July 16, 2016, 03:04:51 am »
Oh, please tell more on the SDG1000 series. Clues as to your work method would be interesting and educational.

--
 Darryl

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #21 on: July 16, 2016, 05:47:52 am »
Let's take a look at SDG1000-V100R001B01D01P31.ADS for example:

Like most of the firmwares, they are turned around. So the first step is to turn the file around (or look at it backwards).
The next step is to XOR FF it with pattern bytes 0, 1, 3, 6, A, F and so on, the spacing increasing by 1. But this isn't all;
next XOR FF it from the center -> the file has a 72 byte header (now at the end) -> (file length - 72)/2
For now we can investigate something, but this isn't all. There are 2 crypted parts: 5120 bytes and 10239 (27FF)
bytes at the end + there are 72 bytes of something... The file is turned over before the crypt, so they are actually calculated
from the file beginning (I believe ...). So the second crypt is from 2E777 after the header.
Let's forget this part at this time.

The file (now) begins with:

E8 E6 01 FF 94 32 05 00 01 00 00 00 19 EE 01 FF     ----  05 32 94 is promising and next 05 32 7C too
7C 32 05 00 66 70 67 61 20 64 61 74 61 00 12 00     ----  ____FPGA DATA___
8F 04 D4 77 FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF AA 99 55 66 30 A1 00 07 20 00 31 A1

It turns out that 05 32 94 is the distance from the beginning of the first file header to the beginning of the second file header, and
05 32 7C is from the end of the FPGA data file header, and this is the file length. So the first file header begins
with 19 EE 01 FF... and the file data starts with FF FF FF...
The first file ends with:

30 A1 00 0D 20 00 20 00 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00   <---- here is the end of first file
E1 ED 9E FA C6 FA 0A 00 02 00 00 00 40 00 00 00   ---- from E1 ED... is starting second file header
80 00 FF 00 04 00 00 00 00 00 00 00 12 00 00 00

There is 0A FA C6... this is promising. This is the second file's data length. So the data begins with
40 00 00 00 80 00 FF 00... then it ends in the right place and the rest is 72 bytes.
But now the two regions in the second file are crypted.

They have the same crypt and key and patterns in the other firmware files too, and if you show me
this crypt procedure I can show you more... With the same procedure I open all the other
firmware files here, with notepad or this file viewer/compare and calculator. Actually I use hexedit too.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #22 on: July 16, 2016, 04:44:36 pm »
We can continue with some analysis because I have to have an EEPROM dump.
The second file is like a "self-extracting archive"? From address CFE4 the visual picture of the data
changes rapidly, and 78 9C EC 7D is the zlib compression magic number. From here to the end is an
archive and can be unpacked. The unpacked file is readable and contains all kinds of stuff. There
are all the same DES constants and HTML and text...
So this is the executable; how to disassemble this?
 

Online MasterTech

  • Frequent Contributor
  • **
  • Posts: 799
  • Country: 00
Re: Siglent .ads firmware file format
« Reply #23 on: July 16, 2016, 05:23:09 pm »
Hi janekivi,
what tools do you use to make the XORs, turn around files etc.,
or do you just do it with self-programmed code?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #24 on: July 16, 2016, 06:26:35 pm »
I have Python and I google around to find the procedures I need and then hack something together like:

Code:
# Flip every byte whose offset is a triangular number (0, 1, 3, 6, 10, 15, ...)
input_path = 'rev_P31.ADS'
output_path = 'Xor_2_' + input_path
b = bytearray(open(input_path, 'rb').read())
a = 0          # current gap between two flipped offsets, grows by 1 each step
j = 0          # offset of the next byte to flip
i = len(b)
while j < i:
    b[j] ^= 0xFF
    j = j + a + 1
    a = a + 1
open(output_path, 'wb').write(b)
print(' * XOR with increasing pattern done * ')
And then I can change the variables there and change the starting addresses

Code:
# Flip every byte from the middle of the body to the end (b is the bytearray from above;
# the 72-byte header sits at the end after reversal, hence len/2 - 36)
i = len(b)
j = len(b) // 2 - 36    # integer division, otherwise Python 3 gives a float index
while j < i:
    b[j] ^= 0xFF
    j = j + 1

And a reverse example:
Code:
import os

src_file_path = 'P31.ADS'
dst_file_path = 'rev_' + src_file_path   # do not shadow the built-in reversed()

src_file_size = os.path.getsize(src_file_path)
src_file = open(src_file_path, 'rb')
src_file.seek(0)
byte_list = src_file.read(src_file_size)
with open(dst_file_path, 'wb') as outfile:
    outfile.write(bytes(byte_list[::-1]))   # write the bytes back to front
src_file.close()

I modify them a lot, and there are unneeded parts and different rows sometimes...
« Last Edit: July 16, 2016, 06:50:32 pm by janekivi »
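The three steps from Reply #21 (turn the file around, XOR FF at offsets 0, 1, 3, 6, A, F..., XOR FF the second half of the body) combined into reusable functions, as an added example that is not janekivi's code. It generalises the snippets above to arbitrary input and shows that each step is its own inverse, so the whole layer can be removed and re-applied without any key; only the 3DES regions the thread mentions are real encryption. The 72-byte header size and the step order come from the post; the sample input is constructed here, and the file-to-file wrapper is a hypothetical convenience.

```python
"""Reversible de-obfuscation layer of an SDG1000-style .ADS image (added example)."""

HEADER_LEN = 72  # header size stated in the thread; sits at the end after reversal


def triangular_offsets(n):
    """Yield 0, 1, 3, 6, 10, 15, ... below n: the gap grows by one each step."""
    j, gap = 0, 1
    while j < n:
        yield j
        j += gap
        gap += 1


def xor_triangular(data):
    """XOR 0xFF every byte at a triangular-number offset (same as the posted loop)."""
    out = bytearray(data)
    for j in triangular_offsets(len(out)):
        out[j] ^= 0xFF
    return bytes(out)


def xor_second_half(data, header_len=HEADER_LEN):
    """XOR 0xFF from (len - header_len)//2 to the end, i.e. len/2 - 36 for 72."""
    out = bytearray(data)
    start = (len(out) - header_len) // 2
    for j in range(start, len(out)):
        out[j] ^= 0xFF
    return bytes(out)


def unobfuscate(data):
    """Reverse, then triangular XOR, then second-half XOR: the order from the post."""
    return xor_second_half(xor_triangular(data[::-1]))


def obfuscate(data):
    """Inverse of unobfuscate(): every step is an involution, so undo them backwards."""
    return xor_triangular(xor_second_half(data))[::-1]


def unobfuscate_file(src_path, dst_path):
    """Hypothetical wrapper: apply unobfuscate() to a whole file on disk."""
    with open(src_path, "rb") as f:
        data = f.read()
    with open(dst_path, "wb") as f:
        f.write(unobfuscate(data))
    return len(data)


# Constructed sample: a tagged body followed by a 72-byte "header". The tag is
# written back to front so that it reads correctly only after unobfuscate().
SAMPLE_BODY = b"fpga data\x00" + bytes(range(256)) * 2
SAMPLE_IMAGE = obfuscate(SAMPLE_BODY + b"\xAA" * HEADER_LEN)


def demo():
    """Round-trip the constructed image and report what the layer touched."""
    plain = unobfuscate(SAMPLE_IMAGE)
    flipped = sum(1 for _ in triangular_offsets(len(SAMPLE_IMAGE)))
    return {
        "tag": plain[:9].decode(),            # "fpga data"
        "round_trip_ok": obfuscate(plain) == SAMPLE_IMAGE,
        "triangular_bytes_touched": flipped,  # grows only like sqrt(2 * len)
        "header": plain[-HEADER_LEN:],
    }


if __name__ == "__main__":
    print(demo())
```

Because the pattern touches only about sqrt(2n) bytes, a mostly-0xFF region (such as the FPGA bitstream padding seen in the post) still looks mostly 0xFF after the layer is removed, which is why the "05 32 94" style length fields become readable as soon as the two XOR passes are undone.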
 

