The firmware images don't appear to be signed, so they could be modified easily
I wouldn't be so sure.
They are 4194325-byte files, which seems to me like a 21-byte header plus a 4MB firmware image. The header is:
0000000: 4453 3130 3030 4520 2020 3032 2e30 322e 3032 2e30 30 DS1000E 02.02.02.00
That part is correct.
There's no room for a hash, so you could do whatever you want to the file.
There's no room for a hash
in the header, but that doesn't mean that one (or a CRC) isn't embedded in the firmware images, to detect corruption or tampering.
Unfortunately, this means that there's no sort of bootloader which could recover corrupted firmware, so your options would be to desolder the NOR flash holding the firmware and reprogram it using a chip programmer, or try to get the 13-pin JTAG-looking connector working.
Actually, there IS a bootloader in the BlackFins, in protected space. But I doubt it would have the ability to read files off a USB stick. So in that sense, you may be right that once corrupted software was loaded, recovery would be difficult.
OR, they may have a dual-image system, where they can load a 2nd set of firmware into the other half of Flash, but not toggle control over to it until it had been successfully validated. Otherwise, once they started a reflash cycle, they'd have to blow away the original firmware first. From which point there'd be no recovery on power fail or by the time it knew the image it loaded was bad.
That could explain how they utilize 8 MB of Spansion Flash, when the firmware only occupies 4 MB. And during operation, the remaining 4 MB can be scratchpad space (like 1 MB for Reference waveform memory, as Andreas and Drieg pointed out).
- Mark
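The dual-image scheme speculated about in the post above, as an added example that is not part of the original thread and not the scope's actual firmware: a C model where the new image goes into the spare half of flash and control switches only after it validates. CRC-32 as the check, the toy bank size, and the names `struct flash`, `crc32_calc` and `dual_bank_update` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BANK_SIZE 64u            /* constructed toy size; the thread's image is 4 MB */

struct flash {
    uint8_t bank[2][BANK_SIZE];  /* two halves of flash, one image each */
    int active;                  /* bank the bootloader would start */
};

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320). */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Write img into the inactive bank, read it back and compare its CRC with
 * `expected`. The active bank is switched only on a match; on any failure
 * the old image is untouched and still selected. Returns 0 on success. */
int dual_bank_update(struct flash *f, const uint8_t *img, size_t len,
                     uint32_t expected) {
    if (len == 0 || len > BANK_SIZE)
        return -1;                                 /* does not fit a bank */
    int spare = 1 - f->active;
    memset(f->bank[spare], 0xFF, BANK_SIZE);       /* erase spare bank only */
    memcpy(f->bank[spare], img, len);              /* program it */
    if (crc32_calc(f->bank[spare], len) != expected)
        return -2;                                 /* bad image: no switch */
    f->active = spare;                             /* commit point */
    return 0;
}
```

A CRC in this position catches corruption and interrupted writes, not deliberate modification, since anyone editing the image can recompute it; detecting tampering needs a signature verified against a key held by the bootloader.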