Author Topic: Siglent .ads firmware file format  (Read 29461 times)


Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 438
  • Country: us
Re: Siglent .ads firmware file format
« Reply #175 on: July 02, 2018, 11:48:06 am »
Great news. Congrats!!!
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 119
  • Country: us
Re: Siglent .ads firmware file format
« Reply #176 on: July 02, 2018, 11:50:12 am »
> Great news. Congrats!!!

Thanks!! Color me impressed with all the efforts in this thread.

Thanks again y'all!
« Last Edit: July 02, 2018, 11:59:38 am by SMB784 »
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Online tv84

  • Regular Contributor
  • *
  • Posts: 144
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #177 on: July 02, 2018, 06:55:39 pm »
As I've told SMB784, I advise all to:

1st option - Instead of the official OS install, install janekivi full OS file. It's exactly the same thing with the pwds already changed.

2nd option - After installing the official OS, when you install janekivi patch, do it only with the rootfs file (and the script .txt, of course).

Less operations, less risk!

Regarding the advice of CustomEngineerer about the login problem: thinking of it, it was totally right and not an insult; it could have been a problem with the client SMB784 was using to connect to the scope. Although SMB784 was able to see the correct prompt, there was no assurance that what he wrote in the console was correctly/transparently being sent to the scope.

A solution could have been to change the client (I usually use Putty) or investigate what was introducing garbage in the connection.

Or, in the extreme, use (in his case) the RPi as a gateway to telnet to the scope...

Glad it is solved! Now, time for upgrade.  :)
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 119
  • Country: us
Re: Siglent .ads firmware file format
« Reply #178 on: July 02, 2018, 09:11:59 pm »
> As I've told SMB784, I advise all to:
>
> 1st option - Instead of the official OS install, install janekivi full OS file. It's exactly the same thing with the pwds already changed.
>
> 2nd option - After installing the official OS, when you install janekivi patch, do it only with the rootfs file (and the script .txt, of course).
>
> Less operations, less risk!
>
> Regarding the advice of CustomEngineerer about the login problem: thinking of it, it was totally right and not an insult, it could have been a problem with the client SMB784 was using to connect to the scope. Although SMB784 was able to see the correct prompt, there was no assurance that what he writes in the console was correctly/transparently being sent to the scope.
>
> A solution could have been to change the client (I usually use Putty) or investigate what was introducing garbage in the connection.
>
> Or, in the extreme, use (in his case) the RPi as a gateway to telnet to the scope...
>
> Glad it is solved! Now, time for upgrade.  :)

As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.

I tried telnetting into the scope from the RPI with the software installed from files copied over using my desktop and couldn't log into the scope. But as soon as I copied the files over to the USB using the RPI, the scope recognized them and correctly installed the custom software, and at that point I could log in via telnet from either the RPI or the desktop.

So something was going wrong in the process of making the USB with the custom software on it when using the desktop. I have no earthly idea what could have been going on though.

In my case, using RF-loop's instructions worked perfectly once I performed them using the RPI to make the USB instead of the desktop.
« Last Edit: July 02, 2018, 09:14:25 pm by SMB784 »
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Online BillB

  • Frequent Contributor
  • **
  • Posts: 310
  • Country: us
Re: Siglent .ads firmware file format
« Reply #179 on: July 02, 2018, 10:57:23 pm »
> As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.
>
> I tried telnetting into the scope from the RPI with the software installed from files copied over using my desktop and couldn't log into the scope. But as soon as I copied the files over to the USB using the RPI, the scope recognized them and correctly installed the custom software, and at that point I could log in via telnet from either the RPI or the desktop.
>
> So something was going wrong in the process of making the USB with the custom software on it when using the desktop. I have no earthly idea what could have been going on though.
>
> In my case, using RF-loop's instructions worked perfectly once I performed them using the RPI to make the USB instead of the desktop.

Congrats!  Figured it wasn't telnet, as you could correctly type "root\r".  I guess if you wanted to be sure the pwd characters you were typing were correct, you could have typed them into the user field to see them.  :)

Anyway, what is odd, is that you were able to correctly generate the factory OS update USB configuration.  Was that the same process that didn't work for your attempt with the modified OS update? 
 

Online tv84

  • Regular Contributor
  • *
  • Posts: 144
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #180 on: July 03, 2018, 01:42:09 am »
> As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.

Remember why I asked you to make sure the CRC of the files (in the flash drive) was correct... 

For sure, next time you'll remember! :)
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 119
  • Country: us
Re: Siglent .ads firmware file format
« Reply #181 on: July 03, 2018, 01:56:50 am »
> Anyway, what is odd, is that you were able to correctly generate the factory OS update USB configuration.  Was that the same process that didn't work for your attempt with the modified OS update?

That is correct, I used the exact same process on the same computer to generate the modified OS update USB configuration as the one I used to generate the factory OS update USB configuration.  The factory USB configuration worked, and the modified USB configuration didn't.

Then when I generated the modified USB configuration on my RPi, it worked right away.  It's very strange.

Indeed, TV84 was probably correct in his advice that I check the CRC values.  I didn't actually check them, because I was in the process of learning how to check them when I tried making the USB on the RPi.  However, it seems strange to me that the simple act of copying the files over to the USB on one system would change the CRC values of those files when doing that exact same process on a different system does not modify them in any way.

Anyways it was a fun, albeit frustrating experience, with a rather bewildering but ultimately satisfying end result.  Thanks again to all of you who helped me.
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
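
The copy check tv84 recommends and SMB784 discusses above, as an added example that is not part of the original thread: it compares every file in a source folder with its copy on the flash drive by size and CRC-32. The function names, file names and sample contents are constructed for the demo.

```python
import os
import tempfile
import zlib


def crc32_of(path, chunk=1 << 16):
    """CRC-32 of a file, read in chunks so a large image is never held whole."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def verify_copy(src_dir, dst_dir):
    """Return {relative_path: reason} for every source file whose copy under
    dst_dir is missing, differs in size, or differs in CRC-32."""
    problems = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(dst_dir, rel)
            if not os.path.isfile(dst):
                problems[rel] = "missing"
            elif os.path.getsize(src) != os.path.getsize(dst):
                problems[rel] = "size differs"
            elif crc32_of(src) != crc32_of(dst):
                problems[rel] = "crc differs"
    return problems


def demo():
    """Constructed sample: file names and contents are made up for the demo."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        samples = {"image.bin": bytes(range(256)) * 64,
                   "script.txt": b"step one\nstep two\n",
                   "extra.bin": b"\x00" * 512}
        for name, data in samples.items():
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(data)
        damaged = bytearray(samples["image.bin"])
        damaged[1000] ^= 0x01          # one flipped bit, same size
        with open(os.path.join(dst, "image.bin"), "wb") as fh:
            fh.write(damaged)
        with open(os.path.join(dst, "script.txt"), "wb") as fh:
            fh.write(samples["script.txt"].replace(b"\n", b"\r\n"))
        return verify_copy(src, dst)   # extra.bin was never copied


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```

Run the comparison after safely ejecting and re-inserting the drive, so the destination is read back from the media rather than from the operating system's cache.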
 

Online tv84

  • Regular Contributor
  • *
  • Posts: 144
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #182 on: July 03, 2018, 07:39:12 am »
Updated my parsing list of all Siglent FWs.

Now we can see the extra details of the files used in the ZIPs.

The only UID/GID combinations are:

1000/1000
65534/65534 (only in some SDG800 .ADS when the rw_uImage is used)
 

Online kerouanton

  • Contributor
  • Posts: 43
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #183 on: July 14, 2018, 10:24:17 pm »
Thank you all, especially janekivi and tv84, for reversing the .ads file format.
I'm still new at that and as I'm learning Python it motivated me to reimplement the decoding process. I followed the steps described in some of your posts, but I am still far from what tv84 outputs in his parsing list.

Up to now, I am able to:
1. extract a .ads file from the downloaded zip file and load it in memory.
2. calculate the checksum
3. reverse the bytes
4. xor it with increasing pattern
5. xor it from the center
6. save the result

What should be the next steps, for example to locate and isolate each part?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 324
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #184 on: July 15, 2018, 08:18:03 am »
Next you probably need to put this before the reverse and XOR
http://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg984820/#msg984820

to get SPD3303X-E_1.01.01.02.05-EN.hex

like there, inside is the same jpg image starting at 0x00024D68
http://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1181598/#msg1181598
 

Online kerouanton

  • Contributor
  • Posts: 43
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #185 on: July 16, 2018, 05:49:22 pm »
> Let's take a look in SDG1000-V100R001B01D01P31.ADS for example

I am trying to move forward on my python .ads decoding script, but as a newbie I'm a bit lost and expect to rely on janekivi replies to see if I'm able to get the same results. For this, I need this exact SDG1000-V100R001B01D01P31.ADS file, but I wasn't able to find the correct download URL, both on siglent.com, siglentamerica.com, and old.siglentamerica.com.
Has anyone the download url, so I can move forward and try getting the same results on my script?

Also, as far as I understood, some parts of the file are 3DES encrypted (some parts only, as with my actual script I am able to get clear-text strings such as the model number, at least on the SPD3303 .ads file), but I'm still unable to understand how janekivi found the right offset and length of the encrypted part, as well as the key itself. The method used to investigate and find those is challenging for me!

As both of you, I'm just playing around with those files for fun, as I try to learn Python and nothing more (well, having a root access on my devices is fun too).

Thanks
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 324
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #186 on: July 17, 2018, 02:42:59 am »
Oh crap. I could have let you walk the same way. But you can test my theory and find those patterns and XOR regions and crypted places. It was straightforward because inside was a zip. Some stuff you can find by scrolling it up and down in "notepad", because the XOR FF pattern is easily visible in 00 regions, and in other places the data looks so alien. The crypted parts I found simply by unzipping it in cut pieces to see if the output now ends where it ends when unzipping the full file. If the output was shorter, I had cut the file too early; if the output was the same, my piece was longer or the right size, and then I shortened it by one byte to test. With this method I found the exact places without decompiling the update-file reading part of the app. I don't know if I could now find something like this with IDA... probably not; I would use notepad and a calculator, maybe a little bit of Python.

I didn't cut the header off (72 or 112 bytes), and after the reverse it was at the end; that's why there was an offset in the file center calculation: (j = len(b)/2-36) or (j = len(b)/2-56)
 

Online tv84

  • Regular Contributor
  • *
  • Posts: 144
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #187 on: July 17, 2018, 07:32:40 am »
The file is attached.

The 2 encrypted blocks have 0x2800 and 0x1400 sizes, as my parsings show. It shouldn't be too difficult to find where they are located. The key is available inside an .app file.

Study what janekivi linked (the 3DES implemented is "Siglent 3DES", not standard 3DES).

Have fun!
 

Online kerouanton

  • Contributor
  • Posts: 43
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #188 on: July 17, 2018, 08:37:00 am »
Thank you both for your kind answers, and the file.

I will keep you informed of my findings! It is like a puzzle game, indeed.
 

Offline PhilipPeake

  • Newbie
  • Posts: 2
  • Country: us
Re: Siglent .ads firmware file format
« Reply #189 on: July 18, 2018, 08:46:09 am »
This may be common knowledge, but I was about to try fixing the root password for my SDS1102X running SDS1000X_V100R001B01D02P1510.ADS, and discovered that there is no telnet service running. Only Ports 111 and 9009.

So much for my idea of trying to upgrade the bandwidth - at least until there is enough progress here to decode and re-assemble the entire thing.
 

Online BillB

  • Frequent Contributor
  • **
  • Posts: 310
  • Country: us
Re: Siglent .ads firmware file format
« Reply #190 on: July 18, 2018, 08:52:05 am »
> This may be common knowledge, but I was about to try fixing the root password for my SDS1102X running SDS1000X_V100R001B01D02P1510.ADS, and discovered that there is no telnet service running. Only Ports 111 and 9009.
>
> So much for my idea of trying to upgrade the bandwidth - at least until there is enough progress here to decode and re-assemble the entire thing.

The same with the SPD3303X-E.  Open ports 111,9009 and no telnet.
 

Offline markus_jlrb

  • Contributor
  • Posts: 39
  • Country: de
Re: Siglent .ads firmware file format
« Reply #191 on: July 20, 2018, 08:12:00 am »
Philip,

In Linux, in an sh or bash shell, enter the commands below.

In one window:

    echo '*IDN?' > /dev/usbtmc0

(or other SCPI commands)

and in a second window:

    while true
    do
        cat /dev/usbtmc0
        sleep 1
    done

Do this while the scope is connected via USB and not LAN.

USBTMC must be enabled in the utility menu under IO selection.

Good luck with your investigation
Markus
 

