DG4000 - a firmware investigation

[GonzoTheGreat]

The 3rd party plugin should help, despite it's age.

...but how?  alas the ADSP-BF526 did not even exist then. Anyway the IDA v7 is not even compatible with this plugin because the API changed between v6 and v7.

If you have any particular block you are sure you would like to analyse, I can dump it for you in a way you don't need to rely on the plugin.

I would not even know the block at this stage of investigation.
I would like to analyze the code that controls the Burst Mode parameters.  See this bug report.

[RoGeorge]

If you want to reverse engineer the DG4000 in order to "fix bugs" for yourself, that will be highly unlikely, especially that what it is described there as bugs are, in fact, in spec DC offset, or expected behavior from a DDS type of generator.

A DDS is different from an analog generator, it first lay down a waveform in memory, then it samples that waveform.  Waveform frequency is achieved by sampling memory at different increments of addresses, so it can get into apparently weird behavior when slowly changing the frequency of a given waveform, especially for square waves or pulses.

I admit I didn't read the bugs topic very carefully, but they all looked to be expected behavior coming from a DDS architecture.

[tv84]

...but how?  alas the ADSP-BF526 did not even exist then. Anyway the IDA v7 is not even compatible with this plugin because the API changed between v6 and v7.

...

I would not even know the block at this stage of investigation.

They are very similar. You can try one of the methods of the plugin. Of course, you must use IDA <7 or adapt the plugin to the v7.

Based on what RoGeorde said and your level of knowledge about the BF, I think this is beyond your capabilities. It's beyond mine for sure!

[GonzoTheGreat]

I've checked my code. You have the CRC16 parameters wrong.

I was not wrong
Due to the way in which I process the CRC, the bits of the polynomial  are stored in reverse order. This makes the polynomial 0x8408 in my code.

Based on what RoGeorde said and your level of knowledge about the BF, I think this is beyond your capabilities. It's beyond mine for sure!

Yes, it is beyond now, but I have built and learned undocumented CPU architectures before... and the BlackFin is documented, isn't it?

[tv84]

The attached image is inside the official DG4000Update.GEL .  (I think colors are now correct: 800x480 Format16bppRgb565 )

Can anyone explain me when does it appear in the DG?

[Gandalf_Sr]

Wow, cool picture!  It must be associated with some sort of Easter egg.

[RoGeorge]

A reversed image search shows that pic listed as wallpaper hosted on many Russian and Chinese websites.   

[TurboTom]

Would the v1.08 F/W possibly re-open the door to the old BW hacking approach with the Cengen tool by @Cybernet? Skimming over the old posts didn't make it completely clear to me if the Cengen Hack was only possible up to F/V 1.06 or if it worked up to 1.08 (which all required bootloader 4.01 / 5.01).  I would actually give it a try on my machine, no risk, no fun, you know... 

P.S. All for the sake of science, of course 

[Gandalf_Sr]

Given how similar the DG4000 UI is to the DG1022Z, I wonder if the 'magic' USB drive with SCPI upgrade approach would work?

[tv84]

Given how similar the DG4000 UI is to the DG1022Z, I wonder if the 'magic' USB drive with SCPI upgrade approach would work?

In this regard, they are different. Work in progress...

[tv84]

I 've finally reversed the new format (since v1.09) of .GEL files for the DG4000.  (This has never been done before and gives hope to those who can't downgrade their FW due to the bootloader v06.xx...)

As a teaser, I show here the parsing of the v00.01.14.00.01 GEL:

Code: [Select]

00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Deobfuscating...
Header_LDR_block / CRC2 Validation   OK
Header_LDR_block / CRC3 Validation   OK
FW Signature: 0x51   OK
Offset     Flags         CRC1  CRC2  CRC3  LoadAdd   Size      LED1  LED2
00000040 - 01001000(48)  59D8  322E  241A  20040000  0026210C  0004  000004  [00000054-0026215F]  256 Bytes + .LDR block  CRC3 OK  CRC2 OK  CRC1 OK
00262160 - 01000000(40)  790A  5373  0000  20300000  000C3DF6  0008  000008  [00262174-00325F69]  FPGA bitstream          CRC2 OK  CRC1 OK
00325F6A - 01000000(40)  8C44  3FF2  0000  20400000  00001661  0008  000008  [00325F7E-003275DE]  Definitions (???)       CRC2 OK  CRC1 OK
003275DF - 01000000(40)  34ED  168D  0000  20440000  0000027E  0010  000010  [003275F3-00327870]  Strings Indexes         CRC2 OK  CRC1 OK
00327871 - 01000000(40)  CA34  4303  0000  20440400  00002C18  0010  000010  [00327885-0032A49C]  Strings                 CRC2 OK  CRC1 OK
0032A49D - 01000000(40)  632B  5C22  0000  20443400  0000027E  0010  000010  [0032A4B1-0032A72E]  Strings Indexes         CRC2 OK  CRC1 OK
0032A72F - 01000000(40)  51F6  6093  0000  20443800  00001C36  0010  000010  [0032A743-0032C378]  Strings                 CRC2 OK  CRC1 OK
0032C379 - 01000000(40)  A7BA  33FC  0000  20460000  00000232  0010  000010  [0032C38D-0032C5BE]  Strings Indexes         CRC2 OK  CRC1 OK
0032C5BF - 01000000(40)  D041  F062  0000  20460400  0000FFCF  0010  000010  [0032C5D3-0033C5A1]  Strings                 CRC2 OK  CRC1 OK
0033C5A2 - 01000000(40)  C82A  3A1C  0000  20470400  00000232  0010  000010  [0033C5B6-0033C7E7]  Strings Indexes         CRC2 OK  CRC1 OK
0033C7E8 - 01000000(40)  83E8  4CD7  0000  20470800  00009C1C  0010  000010  [0033C7FC-00346417]  Strings                 CRC2 OK  CRC1 OK
00346418 - 01000000(40)  219D  17FA  0000  205B0000  00169DE8  0020  000020  [0034642C-004B0213]  Graphics, Images        CRC2 OK  CRC1 OK
004B0214 - 01000000(40)  A299  B63B  0000  207B0000  0003D6C4  0040  000040  [004B0228-004ED8EB]  Data (0x00)             CRC2 OK  CRC1 OK
004ED8EC - 01000000(40)  FBF1  3E18  0000  20830000  0004BBEC  0040  000040  [004ED900-005394EB]  Data (0x00)             CRC2 OK  CRC1 OK
005394EC - 00000000(00)  0000  0000  0000  208B0000  000126F4  0040  000040  [00539500-0054BBF3]  Data (0x48)             CRC: 7E9A
0054BBF4 - 00000000(00)  0000  0000  0000  208F0000  00008F2C  0040  000040  [0054BC08-00554B33]  Data (0x48)             CRC: F392
00554B34 - 10000000(80)  0000  0000  0000  209B0000  00480000  0080  000080  [00554B48-009D4B47]  CPLD (???)              CRC: BD1E
           │││││
           ││││└─ 256-bytes header block (before app)
           │││└── 64-bytes footer block (after bootloader)
           ││└─── FRAM(?) write select  (default: 0 -> FLASH write select)
           │└──── CRC validation required
           └───── Last block

In the coming days I'll do some tests to (re)create some "custom" GELs. Let's see where this will end...   

[TurboTom]

F/W 01.14 was available for download from Rigol's chinese firmware archive -- before they "updated" their web site. Now, unfortunately a log-in is required to acces the files but with an on-line translator and a lot of patience, it's still possible to access the files, even for individuals not capable of reading mandarin (though I'm not sure if really everything's still available that was before).

It's really a shame that Rigol isn't keeping all their web sites' (international ones and also distributor's) download sections consistent, so regardless where their customers are located and whatever language they speak, they have access to the same soft- and firmware pool.

The way they handle this situation currently is really everything but professional. 

[RoGeorge]

Where did you find FW  00.01.14.00.01 (GEL File) for the DS4000...

Rename it from .tar to .rar before unpacking.  Version v00.01.14.00.01 2017-12-23 downloaded from rigol.com in 2018.

Code: [Select]

[Model Supported] DG4062,DG4102,DG4162,DG4202
[Latest Revision Date] 2017-12-23


[Updated Contents]
v00.01.14.00.01 2017-12-23

- Solve the abnormal output of part of the machine CH1 at normal temperature or low temperature
- Solve the keyboard board encoder causing crashes.


[Previous Versions and Updated Contents]
v00.01.13.00.00 2015-11-05

- Added Traditional Chinese in the Menu.
- The EdgeTime is too slow when the 5MHz square wave is modified to sweep frequency,
- Output can not be changed in real time when editing any wave point.
Why do you need it?

[tv84]

Hi all,

A few years ago, when Rigol introduced DG4000 FW v1.09 supported on bootloader v06.xx some of the guys (that had experimented the 200MHz BW) lost their BW settings, downgrading to 60 MHz BW.

For those ones that lost their official 100MHz/160MHz BWs, please find attached a handcrafted FW v1.08 GEL file that can be flashed with bootloaders v06.xx.

And, to finish up what member cybernet (kudos to him) started a few years ago, I attach here an  "updated and cleaned" compiled version of his famous license generator "cengen", for Windows machines. I called it v0.2 because it has some corrections/optimizations.

For those interested, I think you know what steps you need to do next. 

PS: As always, flashing involves a certain risk. So, although this has already been tested by a knowledgeable forum member, it's your responsibility.

[TurboTom]

My DG4102 from Q4/2015 that was supplied with F/W 1.09 (and somehow lost its 200MHz capabilities... ) didn't even require a recalibration (obviously) -- a sweep of +3dBm level from 1MHz to 200MHz is accurate within +-0.5dB despite an 80cm RG178 DIY interconnection cable.

A big thanks to @tv84 

[PA0PBZ]

Perfect! I was just too late buying the DG4062 and got 1.09 with it, so the license file trick didn't work. I studied cybernet's work but this processor just gives me headaches 
Anyway, liberated after all  So can we now safely update to 1.13/1.14?

[tv84]

Anyway, liberated after all  So can we now safely update to 1.13/1.14?

Yes, after correcting what needs to be corrected you can go directly to v1.14

[RoGeorge]

tv84, 1 000 000 THANK YOU!!!



My DG4102 has had from factory a FW version bigger than 1.08, so until today it could never use 'license.CEN' files generate by 'cengen' tool.  The message was Unknown format file.

Now, using your modified firmware to downgrade to FW1.08, then generate a license file to turn DG4102 into DG4202 using your cengen.exe, then upgrade to the latest FW1.14.01 from Rigol, it worked! 

Former DG4102 (max. 100MHz) is now upgraded to a DG4202 (max. 200MHz)! 

Code: [Select]

Reminder of the main steps to do the upgrade
==================================
1. Upgrade normally to latest FW1.14.01 from Rigol
2. Downgrade to modified by TV84 FW1.08
3. Use cengen.exe in Windows to generate a license file for DG4202
4. Read the CEN file with DG4102 FW1.08 modified
5. Upgrade to latest unmodified FW1.14.01 from Rigol

DG 4102 should now be seen as DG4202 and the max allowed sinus frequency should be 200MHz.



-------------------------
-The USB drive should be formatted FAT32
-DG4000Update.GEL should be copied alone on the clean formatted USB drive
-To update FW
- insert USB with desired GEL file
- power down the DG4102
- keep the 'Help' button pressed while pressing the 'Power ON' button
- release the 'Help' button when 'Utility' button starts to flash
- from there, leave the unit running, the buttons will start to blink one by one, starting with 'Ramp'
- after about 10 minutes, the DG4000 will restart itself, firmware update is now done
-To see FW version press 'Utility' -> 'System' -> 'System Info'
-To see detailed version press 'Utility' -> 'System' -> 'System Info' -> 'G1' ->'G3' -> 'G5'
    where G1...G5 are the grey buttons on the right of the screen
--------------------------


[zitt]

I bought a DG4062 base model as a Black Friday deal from their clearance/demo section.
It came with v1.12 if I recall.
So tv84's hacked firmware would allow me to reverse flash to a earlier version ... hack the firmware, and then upgrade back to v1.14?

Is there something I can do now to back up my machine before the flashing without opening the machine? There is still a 90day warranty on this clearance unit (I think).

[tv84]

Is there something I can do now to back up my machine before the flashing without opening the machine? There is still a 90day warranty on this clearance unit (I think).

Without opening it, no.

[zitt]

Without opening it, no.

Are you aware of any procedure / walk thru on how to do this?
I'm thinking maybe I'll do this when the warranty expires in a couple of months.
I feel like I may have seem some references earlier in the thread; but not 100% sure.

Am I being overly paranoid?

[RoGeorge]

Yes, you are. 

Just load the modified by tv84 firmware 1.08, then load the license file for 200 MHz, then load the latest 1.14.00.01 firmware from Rigol.  To generate the license.CEN file I used the tv84 cengen.exe in a virtual Windows XP machine (because I have Linux).  Ask about any details if in doubt.

Nothing to backup, and nothing bad will happen anyway.  Even if you manage to brick your DG4000, you can still claim the warranty, and even if they'll refused to service it, people here could still guide to un-brick it yourself.

Good luck with the 200 MHz upgrade.

[Teneyes]

Thanks for the message and great  work.
I,ll  will give it a try after Xmas
Wish you a great holiday and New Year.

[zitt]

Yes, you are. 

Agreed. I took the callenge last night. Couple of issues I had:
1) Tried a 32GB stick. Wouldn't work. Utility button never began flashing. Using an old 1GB stick I had work perfectly.
2) Couldn't figure out how to "read" the license file. I had assumed I needed to find the license entry screen. I later learned all I had to do was "read" the license.cen file from the utitlity menu.
3) V1.14 upgrade was dirt simple using the same process as the back flash.

Now my only goal is to figure out how to calibrate for above 60MHz. Looking over the document; I lack a "calibrated" DVM and Frequency Counter. I'm actually disappointed I can't use my 1GHz OSCOPE. Didn't read thru the whole document.

[TurboTom]

zitt -
did you check the level accuracy of your DG4000 after the "liberation"? I found mine to be spot on up to 200MHz (DS4102 from Q4/2015). Maybe yours also doesn't need to be calibrated at all.

P.s. If you haven't got a spectrum analyzer or a calibrated level meter, you may DIY a detector type level tester with a 50R terminator resistor (preferably 2*100R 1% 805 in parallel), a small signal, low capacitance schottky diode, a 10n smoothing capacitor and maybe a 10k load resistor, coupled to a multimeter. All this has to be assembled just a the back of a BNC connector to keep the impedance low. This "bodge" should give you a good idea of your generator's level accuracy.