Thought I would sign on here and let you guys know some more details on what I've been trying to do and where I'm having some problems.
Originally I thought it was running a flavour of cuLinux for the blackfin 5xx series processors, only to find that when I started doing some comparisons with code from the toolchain and also the kernel I realized I couldn't actually locate entry for the kernel or code that would have suggested it was running something else. Since cuLinux uses a bFLT which should be easily identifed in the .RGL files. I could still be wrong, as I'm still dissecting the hexadecimal mess that these files are made up of. VisualDSP from Analog Devices uses a .DXE format and I'm struggling going through the .LDR bootloader format that they claim is required by the on-chip boot-rom interpreter, if it's in fact using that method... I believe the first 805686 bytes of the 2.05.01.02 firmware are the loader... directly followed by the first of 2 ELF headers easily found using an ASCII search. I feel a bit silly as I missed them completely forgetting to tick the 'search ascii' while I was going through the hex file. Uggghhh...
A bit earlier in the thread Bushing I guess was doing a bunch of the initial chipdumping when he wrote...
"There's no room for a hash, so you could do whatever you want to the file. Unfortunately, this means that there's no sort of bootloader which could recover corrupted firmware, so your options would be to desolder the NOR flash holding the firmware and reprogram it using a chip programmer, or try to get the 13-pin JTAG-looking connector working."
He then followed up a bit later with...
"I was just plain wrong about the bootloader. There are at least two, one of which has me mystified"
The internal boot ROM on the blackfin has an interesting tiny boot kernel that can either be directly bypassed or triggered during a chip reset or on power up to load processing code straight from an external memory device. This is what allows .LDR wrapping and direct code interpretation that from what I understand bypasses and overwrites itself on the uART, or something along those lines allowing for a true no-boot mode... Interesting trick. From what I've been able to identify this firmware is using a wrapped .LDR module suggesting it does have a boot loader. Keep in mind this is heavy speculation still, but from what I've gathered so far from studying this, this is my most current speculation. If anyone has any other insights, feel free to chime in. I could use some help with this.
From what I get the DSP compilation and linking, basically ELF based during compilation when the toolchain apparently converts it to the native .DXE format, which in turn becomes a .LDR file? If I have the order right? I could be a bit confused on the process. This has been a total crash course and it's making my head spin. Anways, since cuLinux for microcontrollers has issues with the kernel compiling and what not under DSP, ADI does some absolute custom compilation and linking routines that are unique to their DSP development environment and for the Blackfin 533 processors... granted the limited ways this can be compiled and linked there's only so many choices out there. Since I've been completely unable to identify anything that ressembles the GNU toolchain this leaves the VisualDSP environment or attaining one of the bootimage loader files that accomponies the DSP environment from ADI for comparison. I'll admit, I have no idea how to use the DSP coding environment with the SDK that ADI provides, but someone out there might have more experience with this than me. Regardless, what's more important is my focus on the comparison changes between the DSP USB/Pictbridge module they've imbeded as the plugin to do the USB stick reading and the interface with the PC, where it goes, and what it calls and the order.
As for the suggestions from ToBeFrank and my initial ideas of writing an emulator, or doing some sort of decompilation of the firmware this is a full fledged processor with a complete 16 and 32 bit instruction set. GDB apparently has a simluation environment under cuLinux that is capable of emulating most of the chipset, but it's buggy, and still doens't have a full set of the instruction implemented. So...I hate to admit this, but my experience with this sort of thing without low level access to trace and breakpoint step through process with a real-time decompiler is grim. Since I don't have a way to do this with the processor it leaves me painstakingly looking at this for changes betwen the Toolchain DSP code and the code that's in the .RGL files.
I was hoping to at least be optomistic about identifying the FILE/IO sections but even that isn't going well. I've been systemically using a programming guide and the byte code variations attempting to write a custom decompiler of certain ranges of code that I think may contain the serial number checker. The largest problem I'm having is addressing how memory is being mapped and what the DPS code is doing once it recognizes there's a .RGL file on a USB stick. If I could figure out how memory addresses are being stored, and looked at, this would be a whole lot easier.
Past that... a new file that shows up in the mangled header
AUTO_KEY_Lock&Unlock.RGL has also peaked my interest...
As well as the small block of 48 characters that preceeds it...
0012de53h: 73 68 91 ED 7C 3F B5 3F 1B 2F DD 24 06 81 B5 3F ; sh‘í|?µ?./Ý$.µ?
0012de63h: 0A DA E4 F0 49 27 42 3F F7 8F 85 E8 10 38 42 3F ; .ÚäðI'B?÷…è.8B?
0012de73h: 2D 43 1C EB E2 36 3A 3F 61 32 55 30 2A A9 43 3F ; -C.ëâ6:?a2U0*©C?
0000000ah: 82 85 84 88 C3 7B 47 92 39 C8 7E 60 ; ‚…„ˆÃ{G’9È~`
The serial number occurs at 12c7d5, 134925, 13600f, and 1362cf as straight text
My initial thought with the 3 keys was something like Des3... but that didn't work. Tried a few different flavours of the algorithm to no avail. Possibly RSA, 3-128 bit keys... I haven't converted them from hex to base 10 and checked for primality yet... got some old miller-rabin algortihms, I'll run those when I get back... any other ideas? This could also be something completey in house, as marked by the Rigol Technologies marker from 2005. That 48 byte key showed up injected when the header started getting scrambled. Which leaves no choice but to decompile and interpret the code.
3 other series keys exist in the file up a bit...
0012d21bh: C7 EB CA E4 C8 EB BE C9 BD E2 CB F8 C3 DC C2 EB ; ÇëÊäÈë¾É½âËøÃÜÂë
0012d22bh: 3A 00 00 00 50 6C 65 61 73 65 20 65 6E 74 65 72 ; :...Please enter
0012d23bh: 20 74 68 65 20 6F 6C 64 20 6B 65 79 73 3A 00 00 ; the old keys:..
0012d24bh: C7 EB CA E4 C8 EB D0 C2 BD E2 CB F8 C3 DC C2 EB ; ÇëÊäÈëнâËøÃÜÂë
0012d25bh: 3A 00 00 00 50 6C 65 61 73 65 20 65 6E 74 65 72 ; :...Please enter
0012d26bh: 20 74 68 65 20 6E 65 77 20 6B 65 79 73 3A 00 00 ; the new keys:..
0012d27bh: C7 EB D6 D8 D0 C2 CA E4 C8 EB D0 C2 BD E2 CB F8 ; ÇëÖØÐÂÊäÈëнâËø
0012d28bh: C3 DC C2 EB 3A 00 00 00 50 6C 65 61 73 65 20 72 ; ÃÜÂë:...Please r
0012d29bh: 65 65 6E 74 65 72 20 74 68 65 20 6E 65 77 20 6B ; eenter the new k
0012d2abh: 65 79 73 3A 00 00 00 00 C7 EB CA E4 C8 EB BD E2 ; eys:....ÇëÊäÈë½â
0012d2bbh: CB F8 C3 DC C2 EB 3A 00 50 6C 65 61 73 65 20 65 ; ËøÃÜÂë:.Please e
0012d2cbh: 6E 74 65 72 20 75 6E 6C 6F 63 6B 20 6B 65 79 73 ; nter unlock keys
0012d2dbh: 3A ; :
Those 3 keys exist even in the unmangled 2.04 version of the firmware... so the code likely has been there all along, it was just never activated. Or it was mistaken oversight on their part. Dunno...
I'm not out of ideas yet... and I'm still plugging away...
Back to the ELF headers that are in the files.. doing what I can with knowledge of the structures and their formats, the 2 elf statements, I'm pretty sure are not what I think they are. 106 should be in there somewhere identifying them as Analog Devices header... which in hex would be 6A... the first one has 6a in the neighbourhood, but the 2nd one has no 6a near it... and they just don't seem right. So this is what puts me back to thinking they're no-boot, no kernel... though there still the issue of VDK which is a potential inhouse ADI proprietary kernel. But I can't find traces of it either. Doesn't mean it's not in their, I think their just some obfuscations I'm overlooking.
Be well...
Vandel
[Torch's Son]