Author Topic: DG4000 - a firmware investigation  (Read 163526 times)

0 Members and 1 Guest are viewing this topic.

Offline Netsniper

  • Newbie
  • Posts: 3
Re: DG4000 - a firmware investigation
« Reply #325 on: August 06, 2018, 03:42:18 pm »
Hello everybody !

First, I'm sorry for my english... I'm French and the school is so far...

I have two DG4062 (#3 is not mine) and I have working to obtain the last firmware (01.14) AND 200Mhz version.

By luck, I had three DG4000 to play with:

#1 DG4062 with "Keyboard version" (Bootloader) 06.01 and FW00.01.12 ("upgraded" in DG4102 model before upgrade FW00.01.12/Bootloarder 06.01)
#2 DG4062 with "Keyboard version" (Bootloader) 05.01 and FW00.01.06 (leave in DG4062 model)
#3 DG4062 (My father one) with "Keyboard version" (Bootloader) 06.02 and FW00.01.13

I will now explain how I have proceed...

First, I have unsolder the flash memory chipset S29GL128P90TFIR1 from the #1

- I have read the flash with a RT809H
- Write a blank flash chip with the content (I know, no modification at this state  :D)
I have use a S29GL128P11TFI020 (R&S dont have the exact ref. but the speed is not very important, just the time to transfer the content at each startup of the DG to RAMs module. (Difference is not perceptible)
- I have solder a TSOP56 socket in the DG at the flash place.
- Put the newly write flash in the socket, power ON and the DG work as before...no progress but desolder/cleaning/read/write process was valid !

I have start with #1 becaus I was aware about the process and if I make a mistake, I prefer to kill the flash with the bootloader 06.01 and make my second try to the #2 with knowledge of my eventual mistake...

After that, same thing with the #2 with success... Ouf... the big deal was over...


At this state, I had two DG4000 with socket in place of the flash and two .BIN. I can write flash with this .BIN and put inside each one.

When I put the #1 flash in #2, #2 work as #1, same serial, same version at all (Device model, serial, Soft. Vers., FPGA Vers. and Keyboard Version)

*For information, the Hardware Version is not in the flash (normal) it's hard Coded, 5 Zero Ohm resistor are inside and the version is binary coded: For Hard ver. 1.3 resistor are 01.011 (It' near the buzzer)

Ok... I know what you think... "He write the #1 Flash with the #2 .BIN and he can use the licence key file to have DG4202 because he don't have the 06.01 bootloader limit..."

Yes, I can...but it's not sufficient. I don't want to have two DG4202 with old firmware...
For memory, the Goal was two DG4202 with latest firmware (01.14 at this time)

But with socket and the hability to write directly the flash with the content I want, I can make lot of test.
If I brick the DG... just unpluged the flash, program it again with a working content and then test again...
I can make tests without stress...and it's that I did.

Rest of process :

- I have write the #2 flash content (FW 00.01.08 Keyboard Ver. 05.01) to a new flash and plug it inside one DG4000
- Create licence file with Cybernet method. Model DG4062 --> DG4202 without change the serial
- Upgrade Bootloader to 06.01 (Rigol process)
- Upgrade to FW 00.01.12 (DG4202 model is preserved)
- Upgrade to FW 00.01.14 (DG4202 model is preserved)

I don't know why the DG4202 model is preserved when I come from FW 00.01.08 Bootloader 05.01 --> FW 00.01.12 and 00.01.14 Bootloader 06.01...


The case of the #3 : I have unsolder the flash but the socket soldering was a failure...
Finally, I have read the flash content to have the .BIN and I have solder directly a new flash with alreday DG4202 model FW V00.01.12 Bootloader 06.01 and after I have upgrade to FW 00.01.14 (keeping model DG4202 as for #1 and #2)

But the difference for the #3 is the Keyboard Version... When I have start to work with this DG4062, the Keyboard Version was 06.02
For memory, when I put a flash (.BIN) coming from #1 or #2 to #1 or #2 all version except Hardware ver. follow (Device model, serial, Soft. Vers., FPGA Vers. and Keyboard Version)
When I put a flash with an older version of the Keyboard, the Keyboard version is downgraded.


For the #3, the Keyboard Version DON'T change, all the rest change (Device model, serial, Soft. Vers., FPGA Vers.)
My conclusion, in the #3, the Keyboard version is elsewhere... (I have search at the keyboard PCB in #1 and #2 and the LATTICE chipset LCMX0256C don't inform me, no ROM in this version but...)
I don't understand this point.

At this time I have following FW (Rigol update files) :
- 00.01.04.00.02
- 00.01.06.00.02
- 00.01.07.00.03
- 00.01.08.00.02
- 00.01.12.00.02
- 00.01.14.00.01

In the #3, the firmware was 00.13.00.XX but I don't have original files from Rigol. If somebody have some other Firmware, I'm interested (All versions I don't have already).

Here, I don't have explain all steps of my work, it's to long for one message, if somebody is intersted, I will continu to explain other action.

First Goal : Have two DG4062 upgraded in DG4202 with last FW and be able to search without risk --> Achieved
Next Goal : Flash from file or from JTAG (I don't know how to flash the flash memory from JTAG port (or other present at the mother board), If someone can explain to me, I will be happy)
Next Next Goal : Understand where is the Keyboard version in the #3, extract and flash if possible in #1 and #2


I hope to restart this old subject  >:D
« Last Edit: August 08, 2018, 09:54:05 am by Netsniper »
 
The following users thanked this post: thm_w, GonzoTheGreat

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 431
  • Country: us
Re: DG4000 - a firmware investigation
« Reply #326 on: August 06, 2018, 06:14:25 pm »
Hello everybody !

First, I'm sorry for my english... I'm French and the school is so far...

<snip>

At this time I have following FW (Rigol update files) :
- 00.01.04.00.02
- 00.01.06.00.02
- 00.01.07.00.03
- 00.01.08.00.02
- 00.01.12.00.02
- 00.01.14.00.01

In the #3, the firmware was 00.13.00.XX but I don't have original files from Rigol. If somebody have some other Firmware, I'm interested (All versions I don't have already).

Here, I don't have explain all steps of my work, it's to long for one message, if somebody is intersted, I will continu to explain other action.

First Goal : Have two DG4062 upgraded in DG4202 with last FW and be able to search without risk --> Achieved
Next Goal : Flash from file or from JTAG (I don't know how to flash the flash memory from JTAG port (or other present at the mother board), If someone can explain to me, I will be happy)
Next Next Goal : Understand where is the Keyboard version in the #3, extract and flash if possible in #1 and #2

I hope to restart this old subject  >:D

Hello Netsniper!  Your English is great!  No need to worry about that :)  Great job with the work you have done to revise this project and examine more firmware differences :-+

For firmwares, you are missing a few.  I have posted them all here, and various versions of "upgrade" instructions I have come across.  I will leave the files here for few days :)

That is interesting puzzle with the keyboard version.  I have an early DG4062 unit and the keyboard has given me troubles in the past...at times it seemed unresponsive and I needed to really push the buttons hard/firm.  If I don't the keypress will not be detected.  I have used a later manufactured one (same model) and it does not have the issue --- keyboard is very responsible and feels "normal".

So, I wonder if there is a real keyboard hardware change...if so it might help explain some difference you are observing...but does not indicate where the keyboard version is stored or wired.

Good luck with the extra firmware versions -- hope it will help you!
« Last Edit: August 06, 2018, 07:48:59 pm by Sparky »
 

Online bgm370

  • Contributor
  • Posts: 8
  • Country: us
Re: DG4000 - a firmware investigation
« Reply #327 on: October 12, 2018, 08:38:37 pm »
I can confirm that installing 1.12/1.14 on an "upgraded" DG4062 running 1.08 preserves the 200Mhz "upgrade".
Just to be safe I desoldered and cloned the flash chip first. Then I went from 1.05 to 1.08, new bootloader next, then 1.12 and 1.14.
No problems whatsoever.
 

Offline TheNewLab

  • Frequent Contributor
  • **
  • Posts: 254
  • Country: us
Re: DG4000 - a firmware investigation
« Reply #328 on: October 26, 2018, 06:10:40 am »
I have just acquired a DG4062 with the plan of updating it here. I have downloaded everything I can find, and made notes form this thread and others.

Simple question, which I may already know.When compiling on Linux I use the makefile, command from the terminal, there is no application to do this, is there?
 

Offline gts1991

  • Newbie
  • Posts: 2
Re: DG4000 - a firmware investigation
« Reply #329 on: December 14, 2018, 07:34:00 pm »
Can you release DG4062 versions?
Without opening the housing

Thank you
 

Offline GonzoTheGreat

  • Regular Contributor
  • *
  • Posts: 116
  • Country: aq
Re: DG4000 - a firmware investigation
« Reply #330 on: January 26, 2019, 02:19:39 am »
I can confirm that installing 1.12/1.14 on an "upgraded" DG4062 running 1.08 preserves the 200Mhz "upgrade".
Just to be safe I desoldered and cloned the flash chip first. Then I went from 1.05 to 1.08, new bootloader next, then 1.12 and 1.14.
No problems whatsoever.
Is it possible to upgrade directly from firmware v1.08 to v1.14 without a Bootloader upgrade?
If "no", then what version of the Bootloader is needed before upgrading to firmware v1.14 and where to get the Bootloader from ?
 

Offline GonzoTheGreat

  • Regular Contributor
  • *
  • Posts: 116
  • Country: aq
Re: DG4000 - a firmware investigation
« Reply #331 on: January 27, 2019, 10:19:35 am »
With the newer versions it is no longer possible to change the model.
But does the v1.12 or v1.14 downgrade the current model (DG4202 v1.08 in my case)  like the v1.09 does ?

P.S.
Thank you for the link to the v1.14 firmware
 

Offline Vahoo

  • Contributor
  • Posts: 8
  • Country: am
Re: DG4000 - a firmware investigation
« Reply #332 on: January 28, 2019, 02:32:40 pm »
Hi dear GonzoTheGreat, send  please link  v1.14, thanks! vahagnhak@yahoo.com
« Last Edit: January 28, 2019, 02:34:28 pm by Vahoo »
 

Offline Netsniper

  • Newbie
  • Posts: 3
Re: DG4000 - a firmware investigation
« Reply #333 on: January 28, 2019, 03:23:22 pm »
Please find the link to the 1.14 FW : https://we.tl/t-68FtwLMVMK
 

Offline Vahoo

  • Contributor
  • Posts: 8
  • Country: am
Re: DG4000 - a firmware investigation
« Reply #334 on: January 28, 2019, 08:00:52 pm »
thanks for firmware, also tell please ,

in what chip the serial number of the generator is?

thanks!
 

Offline TooOldForThis

  • Regular Contributor
  • *
  • Posts: 55
  • Country: us
  • H: 42.576MHz/Tesla
Re: DG4000 - a firmware investigation
« Reply #335 on: February 01, 2019, 03:15:25 am »
Many years ago my ersatz DG4202 went back to being a boring old DG4062 after I installed FW 1.09.   And it was a boring old DG4062 ever sense.  But tonight I updated it from FW 1.12 to 1.14 and it's suddenly back to being a DG4202.   The extra 140MHz were lying dormant in there all along.   I didn't do anything other than load 1.14.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2656
  • Country: ro
Re: DG4000 - a firmware investigation
« Reply #336 on: February 01, 2019, 09:48:00 am »
It was never clear to me:
1. Is the old calibration (up to 60MHz) preserved after extending the range?
2. Does it require a new calibration for frequencies higher than 60MHz?

Offline kado

  • Regular Contributor
  • *
  • Posts: 51
  • Country: de
Re: DG4000 - a firmware investigation
« Reply #337 on: February 01, 2019, 11:12:47 am »
Hi @ all

can someone please send me FW 1.12 Version via PM or Downloadserver ?
I stuck on FW 1.08 (dont want to lost the 200 Mhz). If i want to go to FW 1.4 i need first go via FW 1.12 is that right?

Thanks to all contributors

Karsten
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2656
  • Country: ro
Re: DG4000 - a firmware investigation
« Reply #338 on: February 01, 2019, 11:56:59 am »
I have these (including FW1.12):  http://s.go.ro/blmbni71

A couple of questions, please:
1. Is the old calibration (0...60MHz) preserved after extending the range to 200MHz?
2. Does it require a new calibration for frequencies higher than 60MHz?
 
The following users thanked this post: kado

Offline kado

  • Regular Contributor
  • *
  • Posts: 51
  • Country: de
Re: DG4000 - a firmware investigation
« Reply #339 on: February 01, 2019, 03:18:08 pm »
Thanks to PeDre and RoGeorge for the FW Links !

Karsten
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2656
  • Country: ro
Re: DG4000 - a firmware investigation
« Reply #340 on: February 01, 2019, 05:46:17 pm »
You're welcomed.

What about the calibration?
Does anybody have any info about the calibration under, and over 60 MHz, please?

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 431
  • Country: us
Re: DG4000 - a firmware investigation
« Reply #341 on: February 01, 2019, 06:44:42 pm »
What about the calibration?
Does anybody have any info about the calibration under, and over 60 MHz, please?

Have a read at post #149 and subsequent posts by ted.  I think you'll find the information you need.
 
The following users thanked this post: RoGeorge

Offline TooOldForThis

  • Regular Contributor
  • *
  • Posts: 55
  • Country: us
  • H: 42.576MHz/Tesla
Re: DG4000 - a firmware investigation
« Reply #342 on: February 02, 2019, 12:30:44 am »
I just ran a quick test of my DG4062 that still has the original factory cal.   It's flat from 1 to 160Mhz and then gradually loses 2dBm over the last 40MHz. I'm sure if I fiddle with the calibration menus for a while I can make it much, much worse.
 
The following users thanked this post: RoGeorge

Offline GonzoTheGreat

  • Regular Contributor
  • *
  • Posts: 116
  • Country: aq
Re: DG4000 - a firmware investigation
« Reply #343 on: February 13, 2019, 01:02:33 pm »
My contribution to your cause is attached (parsing of all the DG4000 GELs that I have).

Don't know if looking at the various segments in each GEL allows you to identify the different parts.

Code: [Select]
F:\zscan\original\RIGOL\DG4000_GEL\DG4000 FPGA 00.01.08\DG4000Update.GEL  /  CRC32: E5BFBD9A
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - C000  C773  20300000  000C3DF6  00000008  00000008  [00000054-000C3E49]  CRC OK

F:\zscan\original\RIGOL\DG4000_GEL\DG4000(Bootloader)Update_00.06\DG4000Update.GEL  /  CRC32: D8960038
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - D053  D2BD  20000000  00029710  3B4E0002  B1000002  [00000054-00029763]  CRC OK

F:\zscan\original\RIGOL\DG4000_GEL\DG4000(DSP)Update_00.01.08.00.02\DG4000Update.GEL  /  CRC32: D36150FB
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4000  1017  20040000  0024AD90  00000004  00000004  [00000054-0024ADE3]  CRC OK
0024ADE4 - 4000  913A  20300000  000C3DF6  00000008  00000008  [0024ADF8-0030EBED]  CRC OK
0030EBEE - 4000  7697  20400000  0000165C  00000008  00000008  [0030EC02-0031025D]  CRC OK
0031025E - 4000  2644  20440000  00000254  00000010  00000010  [00310272-003104C5]  CRC OK
003104C6 - 4000  9DE4  20440400  0000286B  00000010  00000010  [003104DA-00312D44]  CRC OK
00312D45 - 4000  636F  20443400  00000254  00000010  00000010  [00312D59-00312FAC]  CRC OK
00312FAD - 4000  E553  20443800  00001A11  00000010  00000010  [00312FC1-003149D1]  CRC OK
003149D2 - 4000  D12E  20460000  0000021A  00000010  00000010  [003149E6-00314BFF]  CRC OK
00314C00 - 4000  C36B  20460400  0000F7F3  00000010  00000010  [00314C14-00324406]  CRC OK
00324407 - 4000  4AF6  2046FC00  0000021A  00000010  00000010  [0032441B-00324634]  CRC OK
00324635 - 4000  84CF  20470000  000095D7  00000010  00000010  [00324649-0032DC1F]  CRC OK
0032DC20 - 4000  219D  205B0000  00169DE8  00000020  00000020  [0032DC34-00497A1B]  CRC OK
00497A1C - 4000  A299  207B0000  0003D6C4  00000040  00000040  [00497A30-004D50F3]  CRC OK
004D50F4 - 4000  FBF1  20830000  0004BBEC  00000040  00000040  [004D5108-00520CF3]  CRC OK
00520CF4 - 0000  0000  208B0000  0000CF0C  00000040  00000040  [00520D08-0052DC13]
0052DC14 - 0000  0000  208F0000  0000644C  00000040  00000040  [0052DC28-00534073]
00534074 - 8000  0000  209B0000  00480000  00000080  00000080  [00534088-009B4087]

F:\zscan\original\RIGOL\DG4000_GEL\DG4000(Dsp)Update_00.01.12.00.02\DG4000Update.GEL  /  CRC32: 2A0D0C3C
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 48EF  4F98  20040000  0025ABAC  25970004  FE000004  [00000054-0025ABFF]  CRC OK
0025AC00 - 4053  790A  20300000  000C3DF6  73000008  00000008  [0025AC14-0031EA09]  CRC OK
0031EA0A - 403F  8C44  20400000  00001661  F2000008  00000008  [0031EA1E-0032007E]  CRC OK
0032007F - 4016  34ED  20440000  0000027E  8D000010  00000010  [00320093-00320310]  CRC OK
00320311 - 4043  CA34  20440400  00002C18  03000010  00000010  [00320325-00322F3C]  CRC OK
00322F3D - 405C  632B  20443400  0000027E  22000010  00000010  [00322F51-003231CE]  CRC OK
003231CF - 4060  51F6  20443800  00001C36  93000010  00000010  [003231E3-00324E18]  CRC OK
00324E19 - 4033  A7BA  20460000  00000232  FC000010  00000010  [00324E2D-0032505E]  CRC OK
0032505F - 40F0  D041  20460400  0000FFCF  62000010  00000010  [00325073-00335041]  CRC OK
00335042 - 403A  C82A  20470400  00000232  1C000010  00000010  [00335056-00335287]  CRC OK
00335288 - 404C  83E8  20470800  00009C1C  D7000010  00000010  [0033529C-0033EEB7]  CRC OK
0033EEB8 - 4017  219D  205B0000  00169DE8  FA000020  00000020  [0033EECC-004A8CB3]  CRC OK
004A8CB4 - 40B6  A299  207B0000  0003D6C4  3B000040  00000040  [004A8CC8-004E638B]  CRC OK
004E638C - 403E  FBF1  20830000  0004BBEC  18000040  00000040  [004E63A0-00531F8B]  CRC OK
00531F8C - 0000  0000  208B0000  0000DE90  00000040  00000040  [00531FA0-0053FE2F]
0053FE30 - 0000  0000  208F0000  00006C5A  00000040  00000040  [0053FE44-00546A9D]
00546A9E - 8000  0000  209B0000  00480000  00000080  00000080  [00546AB2-009C6AB1]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.04.00.02\DG4000Update.GEL  /  CRC32: 902CF808
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4000  C90D  20040000  00228CF0  00000004  00000004  [00000054-00228D43]  CRC OK
00228D44 - 4000  AF46  20300000  000C3DF6  00000008  00000008  [00228D58-002ECB4D]  CRC OK
002ECB4E - 4000  8C44  20400000  00001661  00000008  00000008  [002ECB62-002EE1C2]  CRC OK
002EE1C3 - 4000  8ED1  20440000  00000252  00000010  00000010  [002EE1D7-002EE428]  CRC OK
002EE429 - 4000  5256  20440400  00002859  00000010  00000010  [002EE43D-002F0C95]  CRC OK
002F0C96 - 4000  DCD6  20443400  00000252  00000010  00000010  [002F0CAA-002F0EFB]  CRC OK
002F0EFC - 4000  042D  20443800  00001A00  00000010  00000010  [002F0F10-002F290F]  CRC OK
002F2910 - 4000  EB6F  20460000  00000208  00000010  00000010  [002F2924-002F2B2B]  CRC OK
002F2B2C - 4000  E168  20460400  0000F0CD  00000010  00000010  [002F2B40-00301C0C]  CRC OK
00301C0D - 4000  3945  2046FC00  00000208  00000010  00000010  [00301C21-00301E28]  CRC OK
00301E29 - 4000  9307  20470000  000091BC  00000010  00000010  [00301E3D-0030AFF8]  CRC OK
0030AFF9 - 4000  219D  205B0000  00169DE8  00000020  00000020  [0030B00D-00474DF4]  CRC OK
00474DF5 - 4000  A299  207B0000  0003D6C4  00000040  00000040  [00474E09-004B24CC]  CRC OK
004B24CD - 4000  63BD  20830000  0004BB9C  00000040  00000040  [004B24E1-004FE07C]  CRC OK
004FE07D - 8000  0000  209B0000  00480000  00000080  00000080  [004FE091-0097E090]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.04.00.02\Piranha(DSP)Update_00.01.04.00.02\DG4000Update.GEL  /  CRC32: 902CF808
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4000  C90D  20040000  00228CF0  00000004  00000004  [00000054-00228D43]  CRC OK
00228D44 - 4000  AF46  20300000  000C3DF6  00000008  00000008  [00228D58-002ECB4D]  CRC OK
002ECB4E - 4000  8C44  20400000  00001661  00000008  00000008  [002ECB62-002EE1C2]  CRC OK
002EE1C3 - 4000  8ED1  20440000  00000252  00000010  00000010  [002EE1D7-002EE428]  CRC OK
002EE429 - 4000  5256  20440400  00002859  00000010  00000010  [002EE43D-002F0C95]  CRC OK
002F0C96 - 4000  DCD6  20443400  00000252  00000010  00000010  [002F0CAA-002F0EFB]  CRC OK
002F0EFC - 4000  042D  20443800  00001A00  00000010  00000010  [002F0F10-002F290F]  CRC OK
002F2910 - 4000  EB6F  20460000  00000208  00000010  00000010  [002F2924-002F2B2B]  CRC OK
002F2B2C - 4000  E168  20460400  0000F0CD  00000010  00000010  [002F2B40-00301C0C]  CRC OK
00301C0D - 4000  3945  2046FC00  00000208  00000010  00000010  [00301C21-00301E28]  CRC OK
00301E29 - 4000  9307  20470000  000091BC  00000010  00000010  [00301E3D-0030AFF8]  CRC OK
0030AFF9 - 4000  219D  205B0000  00169DE8  00000020  00000020  [0030B00D-00474DF4]  CRC OK
00474DF5 - 4000  A299  207B0000  0003D6C4  00000040  00000040  [00474E09-004B24CC]  CRC OK
004B24CD - 4000  63BD  20830000  0004BB9C  00000040  00000040  [004B24E1-004FE07C]  CRC OK
004FE07D - 8000  0000  209B0000  00480000  00000080  00000080  [004FE091-0097E090]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.05.00.04\DG4000Update.GEL  /  CRC32: D1689375
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4000  3C14  20040000  0022CF98  00000004  00000004  [00000054-0022CFEB]  CRC OK
0022CFEC - 4000  09F9  20300000  000C3CE2  00000008  00000008  [0022D000-002F0CE1]  CRC OK
002F0CE2 - 4000  8C44  20400000  00001661  00000008  00000008  [002F0CF6-002F2356]  CRC OK
002F2357 - 4000  8ED1  20440000  00000252  00000010  00000010  [002F236B-002F25BC]  CRC OK
002F25BD - 4000  5256  20440400  00002859  00000010  00000010  [002F25D1-002F4E29]  CRC OK
002F4E2A - 4000  DCD6  20443400  00000252  00000010  00000010  [002F4E3E-002F508F]  CRC OK
002F5090 - 4000  042D  20443800  00001A00  00000010  00000010  [002F50A4-002F6AA3]  CRC OK
002F6AA4 - 4000  184D  20460000  0000020A  00000010  00000010  [002F6AB8-002F6CC1]  CRC OK
002F6CC2 - 4000  B518  20460400  0000F126  00000010  00000010  [002F6CD6-00305DFB]  CRC OK
00305DFC - 4000  7121  2046FC00  0000020A  00000010  00000010  [00305E10-00306019]  CRC OK
0030601A - 4000  367E  20470000  000091E4  00000010  00000010  [0030602E-0030F211]  CRC OK
0030F212 - 4000  219D  205B0000  00169DE8  00000020  00000020  [0030F226-0047900D]  CRC OK
0047900E - 4000  A299  207B0000  0003D6C4  00000040  00000040  [00479022-004B66E5]  CRC OK
004B66E6 - 4000  63BD  20830000  0004BB9C  00000040  00000040  [004B66FA-00502295]  CRC OK
00502296 - 8000  0000  209B0000  00480000  00000080  00000080  [005022AA-009822A9]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.06.00.02\DG4000Update.GEL  /  CRC32: EB7EF2D7
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4000  8725  20040000  00202608  00000004  00000004  [00000054-0020265B]  CRC OK
0020265C - 4000  9052  20300000  000C3DF6  00000008  00000008  [00202670-002C6465]  CRC OK
002C6466 - 4000  7697  20400000  0000165C  00000008  00000008  [002C647A-002C7AD5]  CRC OK
002C7AD6 - 4000  8ED1  20440000  00000252  00000010  00000010  [002C7AEA-002C7D3B]  CRC OK
002C7D3C - 4000  5256  20440400  00002859  00000010  00000010  [002C7D50-002CA5A8]  CRC OK
002CA5A9 - 4000  DCD6  20443400  00000252  00000010  00000010  [002CA5BD-002CA80E]  CRC OK
002CA80F - 4000  042D  20443800  00001A00  00000010  00000010  [002CA823-002CC222]  CRC OK
002CC223 - 4000  5F4B  20460000  0000020C  00000010  00000010  [002CC237-002CC442]  CRC OK
002CC443 - 4000  7D3C  20460400  0000F144  00000010  00000010  [002CC457-002DB59A]  CRC OK
002DB59B - 4000  774F  2046FC00  0000020C  00000010  00000010  [002DB5AF-002DB7BA]  CRC OK
002DB7BB - 4000  6E3C  20470000  000091F7  00000010  00000010  [002DB7CF-002E49C5]  CRC OK
002E49C6 - 4000  219D  205B0000  00169DE8  00000020  00000020  [002E49DA-0044E7C1]  CRC OK
0044E7C2 - 4000  A299  207B0000  0003D6C4  00000040  00000040  [0044E7D6-0048BE99]  CRC OK
0048BE9A - 4000  FBF1  20830000  0004BBEC  00000040  00000040  [0048BEAE-004D7A99]  CRC OK
004D7A9A - 8000  0000  209B0000  00480000  00000080  00000080  [004D7AAE-00957AAD]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.07.00.03\DG4000Update.GEL  /  CRC32: 9AEA33D0
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4000  3A3C  20040000  0021C000  00000004  00000004  [00000054-0021C053]  CRC OK
0021C054 - 4000  C773  20300000  000C3DF6  00000008  00000008  [0021C068-002DFE5D]  CRC OK
002DFE5E - 4000  7697  20400000  0000165C  00000008  00000008  [002DFE72-002E14CD]  CRC OK
002E14CE - 4000  8ED1  20440000  00000252  00000010  00000010  [002E14E2-002E1733]  CRC OK
002E1734 - 4000  5256  20440400  00002859  00000010  00000010  [002E1748-002E3FA0]  CRC OK
002E3FA1 - 4000  DCD6  20443400  00000252  00000010  00000010  [002E3FB5-002E4206]  CRC OK
002E4207 - 4000  042D  20443800  00001A00  00000010  00000010  [002E421B-002E5C1A]  CRC OK
002E5C1B - 4000  5F4B  20460000  0000020C  00000010  00000010  [002E5C2F-002E5E3A]  CRC OK
002E5E3B - 4000  7D3C  20460400  0000F144  00000010  00000010  [002E5E4F-002F4F92]  CRC OK
002F4F93 - 4000  774F  2046FC00  0000020C  00000010  00000010  [002F4FA7-002F51B2]  CRC OK
002F51B3 - 4000  6E3C  20470000  000091F7  00000010  00000010  [002F51C7-002FE3BD]  CRC OK
002FE3BE - 4000  219D  205B0000  00169DE8  00000020  00000020  [002FE3D2-004681B9]  CRC OK
004681BA - 4000  A299  207B0000  0003D6C4  00000040  00000040  [004681CE-004A5891]  CRC OK
004A5892 - 4000  FBF1  20830000  0004BBEC  00000040  00000040  [004A58A6-004F1491]  CRC OK
004F1492 - 8000  0000  209B0000  00480000  00000080  00000080  [004F14A6-009714A5]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.07.00.03\DG4000(DSP)update\Piranha(DSP)Update_00.01.07.00.03\DG4000Update.GEL  /  CRC32: 9AEA33D0
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4000  3A3C  20040000  0021C000  00000004  00000004  [00000054-0021C053]  CRC OK
0021C054 - 4000  C773  20300000  000C3DF6  00000008  00000008  [0021C068-002DFE5D]  CRC OK
002DFE5E - 4000  7697  20400000  0000165C  00000008  00000008  [002DFE72-002E14CD]  CRC OK
002E14CE - 4000  8ED1  20440000  00000252  00000010  00000010  [002E14E2-002E1733]  CRC OK
002E1734 - 4000  5256  20440400  00002859  00000010  00000010  [002E1748-002E3FA0]  CRC OK
002E3FA1 - 4000  DCD6  20443400  00000252  00000010  00000010  [002E3FB5-002E4206]  CRC OK
002E4207 - 4000  042D  20443800  00001A00  00000010  00000010  [002E421B-002E5C1A]  CRC OK
002E5C1B - 4000  5F4B  20460000  0000020C  00000010  00000010  [002E5C2F-002E5E3A]  CRC OK
002E5E3B - 4000  7D3C  20460400  0000F144  00000010  00000010  [002E5E4F-002F4F92]  CRC OK
002F4F93 - 4000  774F  2046FC00  0000020C  00000010  00000010  [002F4FA7-002F51B2]  CRC OK
002F51B3 - 4000  6E3C  20470000  000091F7  00000010  00000010  [002F51C7-002FE3BD]  CRC OK
002FE3BE - 4000  219D  205B0000  00169DE8  00000020  00000020  [002FE3D2-004681B9]  CRC OK
004681BA - 4000  A299  207B0000  0003D6C4  00000040  00000040  [004681CE-004A5891]  CRC OK
004A5892 - 4000  FBF1  20830000  0004BBEC  00000040  00000040  [004A58A6-004F1491]  CRC OK
004F1492 - 8000  0000  209B0000  00480000  00000080  00000080  [004F14A6-009714A5]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.09\DG4000Update_Bootloader.GEL  /  CRC32: D8960038
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - D053  D2BD  20000000  00029710  3B4E0002  B1000002  [00000054-00029763]  CRC OK

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.09\DG4000Update_DSP.GEL  /  CRC32: DDA03A46
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4834  17B4  20040000  00247D04  D6BF0004  8A000004  [00000054-00247D57]  CRC OK
00247D58 - 40B4  913A  20300000  000C3DF6  8B000008  00000008  [00247D6C-0030BB61]  CRC OK
0030BB62 - 402B  7697  20400000  0000165C  87000008  00000008  [0030BB76-0030D1D1]  CRC OK
0030D1D2 - 40DD  AB61  20440000  0000025C  BF000010  00000010  [0030D1E6-0030D441]  CRC OK
0030D442 - 40D0  ECA7  20440400  000028F9  AC000010  00000010  [0030D456-0030FD4E]  CRC OK
0030FD4F - 4078  168A  20443400  0000025C  85000010  00000010  [0030FD63-0030FFBE]  CRC OK
0030FFBF - 40B9  5A4F  20443800  00001A6A  B3000010  00000010  [0030FFD3-00311A3C]  CRC OK
00311A3D - 407E  D12E  20460000  0000021A  A5000010  00000010  [00311A51-00311C6A]  CRC OK
00311C6B - 408D  C36B  20460400  0000F7F3  ED000010  00000010  [00311C7F-00321471]  CRC OK
00321472 - 40DF  4AF6  2046FC00  0000021A  FD000010  00000010  [00321486-0032169F]  CRC OK
003216A0 - 4041  84CF  20470000  000095D7  77000010  00000010  [003216B4-0032AC8A]  CRC OK
0032AC8B - 4017  219D  205B0000  00169DE8  FA000020  00000020  [0032AC9F-00494A86]  CRC OK
00494A87 - 40B6  A299  207B0000  0003D6C4  3B000040  00000040  [00494A9B-004D215E]  CRC OK
004D215F - 403E  FBF1  20830000  0004BBEC  18000040  00000040  [004D2173-0051DD5E]  CRC OK
0051DD5F - 0000  0000  208B0000  0000CF0C  00000040  00000040  [0051DD73-0052AC7E]
0052AC7F - 0000  0000  208F0000  0000644C  00000040  00000040  [0052AC93-005310DE]
005310DF - 8000  0000  209B0000  00480000  00000080  00000080  [005310F3-009B10F2]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.10.00.00\DG4000(Bootloader)Update_00.06\DG4000Update.GEL  /  CRC32: D8960038
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - D053  D2BD  20000000  00029710  3B4E0002  B1000002  [00000054-00029763]  CRC OK

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.10.00.00\DG4000(Dsp)Update_00.01.10.00.00\DG4000Update.GEL  /  CRC32: B617C0B0
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 485D  FEAF  20040000  0024CD2C  EE6A0004  EB000004  [00000054-0024CD7F]  CRC OK
0024CD80 - 40B8  6F4D  20300000  000C3F0A  8C000008  00000008  [0024CD94-00310C9D]  CRC OK
00310C9E - 403F  8C44  20400000  00001661  F2000008  00000008  [00310CB2-00312312]  CRC OK
00312313 - 40B9  D9CB  20440000  00000270  71000010  00000010  [00312327-00312596]  CRC OK
00312597 - 4053  FBDF  20440400  00002AEC  4F000010  00000010  [003125AB-00315096]  CRC OK
00315097 - 40EA  D4AB  20443400  00000270  75000010  00000010  [003150AB-0031531A]  CRC OK
0031531B - 4053  E5B5  20443800  00001B88  8A000010  00000010  [0031532F-00316EB6]  CRC OK
00316EB7 - 40DD  21CE  20460000  0000022C  EE000010  00000010  [00316ECB-003170F6]  CRC OK
003170F7 - 406E  4072  20460400  0000FDC4  47000010  00000010  [0031710B-00326ECE]  CRC OK
00326ECF - 406A  0F08  20470400  0000022C  D4000010  00000010  [00326EE3-0032710E]  CRC OK
0032710F - 404A  C5D3  20470800  000098FD  1C000010  00000010  [00327123-00330A1F]  CRC OK
00330A20 - 4017  219D  205B0000  00169DE8  FA000020  00000020  [00330A34-0049A81B]  CRC OK
0049A81C - 40B6  A299  207B0000  0003D6C4  3B000040  00000040  [0049A830-004D7EF3]  CRC OK
004D7EF4 - 403E  FBF1  20830000  0004BBEC  18000040  00000040  [004D7F08-00523AF3]  CRC OK
00523AF4 - 0000  0000  208B0000  0000DA98  00000040  00000040  [00523B08-0053159F]
005315A0 - 0000  0000  208F0000  00006A9E  00000040  00000040  [005315B4-00538051]
00538052 - 8000  0000  209B0000  00480000  00000080  00000080  [00538066-009B8065]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.11.00.00\DG4000(Bootloader)Update_00.06\DG4000Update.GEL  /  CRC32: D8960038
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - D053  D2BD  20000000  00029710  3B4E0002  B1000002  [00000054-00029763]  CRC OK

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.11.00.00\DG4000(Dsp)Update_00.01.11.00.00\DG4000Update.GEL  /  CRC32: 4C561044
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4867  C712  20040000  0024AE08  9B5D0004  CB000004  [00000054-0024AE5B]  CRC OK
0024AE5C - 4053  790A  20300000  000C3DF6  73000008  00000008  [0024AE70-0030EC65]  CRC OK
0030EC66 - 403F  8C44  20400000  00001661  F2000008  00000008  [0030EC7A-003102DA]  CRC OK
003102DB - 40B9  D9CB  20440000  00000270  71000010  00000010  [003102EF-0031055E]  CRC OK
0031055F - 4053  FBDF  20440400  00002AEC  4F000010  00000010  [00310573-0031305E]  CRC OK
0031305F - 40EA  D4AB  20443400  00000270  75000010  00000010  [00313073-003132E2]  CRC OK
003132E3 - 4053  E5B5  20443800  00001B88  8A000010  00000010  [003132F7-00314E7E]  CRC OK
00314E7F - 40DD  21CE  20460000  0000022C  EE000010  00000010  [00314E93-003150BE]  CRC OK
003150BF - 406E  4072  20460400  0000FDC4  47000010  00000010  [003150D3-00324E96]  CRC OK
00324E97 - 4026  2D33  20470400  0000022C  A5000010  00000010  [00324EAB-003250D6]  CRC OK
003250D7 - 40AE  F3AF  20470800  000098FB  A2000010  00000010  [003250EB-0032E9E5]  CRC OK
0032E9E6 - 4017  219D  205B0000  00169DE8  FA000020  00000020  [0032E9FA-004987E1]  CRC OK
004987E2 - 40B6  A299  207B0000  0003D6C4  3B000040  00000040  [004987F6-004D5EB9]  CRC OK
004D5EBA - 403E  FBF1  20830000  0004BBEC  18000040  00000040  [004D5ECE-00521AB9]  CRC OK
00521ABA - 0000  0000  208B0000  0000DE90  00000040  00000040  [00521ACE-0052F95D]
0052F95E - 0000  0000  208F0000  00006C5A  00000040  00000040  [0052F972-005365CB]
005365CC - 8000  0000  209B0000  00480000  00000080  00000080  [005365E0-009B65DF]

F:\zscan\original\RIGOL\DG4000_GEL\Piranha(DSP)Update_00.01.14.00.01\DG4000(DSP)update 01.14.00.01\DG4000(DSP)update\DG4000Update.GEL  /  CRC32: BDFA4DD0
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Offset     Flag  CRC   LoadAdd   Size
00000040 - 4832  59D8  20040000  0026210C  2E240004  1A000004  [00000054-0026215F]  CRC OK
00262160 - 4053  790A  20300000  000C3DF6  73000008  00000008  [00262174-00325F69]  CRC OK
00325F6A - 403F  8C44  20400000  00001661  F2000008  00000008  [00325F7E-003275DE]  CRC OK
003275DF - 4016  34ED  20440000  0000027E  8D000010  00000010  [003275F3-00327870]  CRC OK
00327871 - 4043  CA34  20440400  00002C18  03000010  00000010  [00327885-0032A49C]  CRC OK
0032A49D - 405C  632B  20443400  0000027E  22000010  00000010  [0032A4B1-0032A72E]  CRC OK
0032A72F - 4060  51F6  20443800  00001C36  93000010  00000010  [0032A743-0032C378]  CRC OK
0032C379 - 4033  A7BA  20460000  00000232  FC000010  00000010  [0032C38D-0032C5BE]  CRC OK
0032C5BF - 40F0  D041  20460400  0000FFCF  62000010  00000010  [0032C5D3-0033C5A1]  CRC OK
0033C5A2 - 403A  C82A  20470400  00000232  1C000010  00000010  [0033C5B6-0033C7E7]  CRC OK
0033C7E8 - 404C  83E8  20470800  00009C1C  D7000010  00000010  [0033C7FC-00346417]  CRC OK
00346418 - 4017  219D  205B0000  00169DE8  FA000020  00000020  [0034642C-004B0213]  CRC OK
004B0214 - 40B6  A299  207B0000  0003D6C4  3B000040  00000040  [004B0228-004ED8EB]  CRC OK
004ED8EC - 403E  FBF1  20830000  0004BBEC  18000040  00000040  [004ED900-005394EB]  CRC OK
005394EC - 0000  0000  208B0000  000126F4  00000040  00000040  [00539500-0054BBF3]
0054BBF4 - 0000  0000  208F0000  00008F2C  00000040  00000040  [0054BC08-00554B33]
00554B34 - 8000  0000  209B0000  00480000  00000080  00000080  [00554B48-009D4B47]


How did you parse these segments of the GEL file ?

Is there a tool for that?
Can this tool extract these segments as separate files ?
Can this tool calculate the checksum (CRC) of an altered segment and update the GEL file with it ?

Is it possible to disassemble the code in these segments with IDA ?

P.S.
What CPU does the DG4000 firmware run on ?
What FPGA does the DG4000 firmware run on ?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1946
  • Country: pt
Re: DG4000 - a firmware investigation
« Reply #344 on: February 13, 2019, 04:23:01 pm »
How did you parse these segments of the GEL file ?

Is there a tool for that?
Can this tool extract these segments as separate files ?
Can this tool calculate the checksum (CRC) of an altered segment and update the GEL file with it ?

Is it possible to disassemble the code in these segments with IDA ?

P.S.
What CPU does the DG4000 firmware run on ?
What FPGA does the DG4000 firmware run on ?

1. With a special parser that I developed.

2. It doesn't extract the files because I haven't had no need for it.
 But, with the information that I show in the parsing you could do that easily with any hex editor.

3. See previous answer.

4. The ones that have executable code can be looked at in IDA.

5. I can have a look that. But, isn't there any PCB photos that let you identify the ICs involved?
 

Offline GonzoTheGreat

  • Regular Contributor
  • *
  • Posts: 116
  • Country: aq
Re: DG4000 - a firmware investigation
« Reply #345 on: February 13, 2019, 05:07:20 pm »
1. With a special parser that I developed.
Would you send me the source code for it?  I'd like to improve it.

But, with the information that I show in the parsing you could do that easily with any hex editor.
Of course
I already figured out the the checksum for each segment is the CRC16 with Poly==0x8408 and Init==0xFFFF.

Do the GEL files for the DG4000 have an encrypted footer like the GEL files for DS1000Z ?


4. The ones that have executable code can be looked at in IDA.
Isn't the code obfuscated?
Anyway, without ubiquitous executable headers (like ELF, PE, etc...), IDA might have a problem recognizing the code.

5. I can have a look that. But, isn't there any PCB photos that let you identify the ICs involved?
Not that, I know of.
Even if there were photos detailed enough to read the markings on the chips, I would expect them to be house numbers.

I have the time and burning desire to patch some bugs and strings in the CPU's code.
FPGA code is beyond my abilities, but the function calls to it are not.

« Last Edit: February 13, 2019, 05:35:26 pm by GonzoTheGreat »
 

Offline smithnerd

  • Regular Contributor
  • *
  • Posts: 106
  • Country: gb
Re: DG4000 - a firmware investigation
« Reply #346 on: February 13, 2019, 05:25:15 pm »

What CPU does the DG4000 firmware run on ?


The firmware has '(DSP)' in the filename rather than '(ARM)', which probably means it will be an Analog Devices Blackfin part, like the DS2000 uses.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2656
  • Country: ro
Re: DG4000 - a firmware investigation
« Reply #347 on: February 13, 2019, 05:37:57 pm »
For FPGA/DSP/DAC, a nice teardown with lots of info about the inside of DG4000, by mikeselectricstuff



https://www.eevblog.com/forum/testgear/rigol-dg4062-functionarbitary-waveform-generator-teardown/

Offline GonzoTheGreat

  • Regular Contributor
  • *
  • Posts: 116
  • Country: aq
Re: DG4000 - a firmware investigation
« Reply #348 on: February 13, 2019, 05:54:24 pm »
The firmware has '(DSP)' in the filename rather than '(ARM)', which probably means it will be an Analog Devices Blackfin part, like the DS2000 uses.
Shit!
IDA 7 does not support this Analog Devices BlackFin ADSP-BF526 processor and a 3rd party BlackFin plugin is 8 years old :(
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1946
  • Country: pt
Re: DG4000 - a firmware investigation
« Reply #349 on: February 13, 2019, 06:04:56 pm »
The firmware has '(DSP)' in the filename rather than '(ARM)', which probably means it will be an Analog Devices Blackfin part, like the DS2000 uses.
Shit!
IDA 7 does not support this Analog Devices BlackFin ADSP-BF526 processor and a 3rd party BlackFin plugin is 8 years old :(

The 3rd party plugin should help, despite it's age.

If you have any particular block you are sure you would like to analyse, I can dump it for you in a way you don't need to rely on the plugin.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf