EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: toastedcrumpets on November 05, 2018, 02:57:32 pm

Title: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: toastedcrumpets on November 05, 2018, 02:57:32 pm
I know there are hacks for the GDS-1000 and GDS-2000E series scopes, but what about the GDS-2000A?
https://www.eevblog.com/forum/testgear/possible-gw-instek-gds-1000b-hack/

I couldn't see any info on there or via searching the forum. I've got a GDS-2074A and two GDS-2202As via surplus auctions, so I'm even willing to be a bit adventurous with one of them if someone has a suggestion.
Title: Re: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: tv84 on November 05, 2018, 10:15:55 pm
Are they similar to E versions??

Do you have any FW versions that you can send?
Title: Re: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: toastedcrumpets on November 08, 2018, 03:44:22 pm
They are very similar looking externally to E versions, but E versions are a later design.
https://www.gwinstek.com/en-global/products/detail/GDS-2000A
The firmware is linked here:
https://www.gwinstek.com/en-global/products/downloadSeriesDownNew/795/94
Title: Re: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: toastedcrumpets on November 08, 2018, 03:54:35 pm
I just tried running the Python script on the 1.30 firmware on the GDS-1000 hack but it doesn't find the magic bytes that it's looking for. Did they re-encode the firmware to prevent this unpacking from working?
Title: Re: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: seronday on November 09, 2018, 11:21:45 am
toastedcrumpets.
Have you tried following the step-by-step instructions in post 15 of this thread?
https://www.eevblog.com/forum/testgear/possible-gw-instek-gds-1000b-hack/msg1474272/#msg1474272
It is quite possible that this will also work on the GDS2000A series.
Title: Re: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: tv84 on November 10, 2018, 11:23:18 am
Without wasting much time, I looked into the A version that you referenced and one can easily extract several files. I think the most interesting to your quest would be the filesystem.

In the FW_GDS-2000A_V1.30 firmware you can find the filesystem block at offset 0x1D9911 (with a size of 0xA40000 bytes). It's a JFFS2 image.

If you extract all the contents of the JFFS2 image you'll see the "gds2000a" application inside the /bin directory.

The .upg FW file format from GDS2000A is different from the GDS2000E, because the processors are completely different (one is Blackfin and the other is ARM).

Example of a gds2000a .ELF file:
Code:
00000000                 Magic: 7F454C46    ELF File OK
00000004                Format: 32-bits
00000005                  Data: Little endian
00000006               Version: 1
00000007                OS/ABI: System V (often set to this)
00000008           ABI Version: 0
00000010           Object Type: Executable
00000012       Instruction Set: AD Blackfin
00000014               Version: 1
00000018           Entry Point: 000FB850
0000001C  Program Header Table: 00000034
00000020  Section Header Table: 00A98220
00000024                 Flags: 00000002
00000028           Header Size: 00000034
0000002A  Program Headers Size: 00000020
0000002C     # Program Headers: 7
0000002E  Section Headers Size: 00000028
00000030     # Section Headers: 27
00000032 SH String Table Index: 26
**********  PROGRAM HEADERS:
          SegmType  SegmOffs  VirtAddr  PhysAddr  FilSegSz  MemSegSz  Flags     Align
00000034  PHDR      00000034  00000034  00000034  000000E0  000000E0  00000005  00000004
00000054  INTERP    00000114  00000114  00000114  00000014  00000014  00000004  00000001
  00000114  [Requesting program interpreter: /lib/ld-uClibc.so.0 ]
00000074  LOAD      00000000  00000000  00000000  0060B90C  0060B90C  00000005  00001000
00000094  LOAD      0060B90C  0060C90C  0060C90C  0047EDF4  00EC0468  00000006  00001000
000000B4  DYNAMIC   0073815C  0073915C  0073915C  000000D8  000000D8  00000006  00000004
000000D4  6474E550  0060B8E8  0060B8E8  0060B8E8  00000024  00000024  00000004  00000004
000000F4  6474E551  00000000  00000000  00000000  00000000  00020000  00000007  00000008
**********  SECTION HEADERS:
         [Nr] Name                          Type       VirtAddr Offset  Size    ES Flg Lk Inf Al
00A98220 [ 0]                               NULL       00000000 0000000 0000000 00 000  0   0 00
00A98248 [ 1] .interp                       PROGBITS   00000114 0000114 0000014 00 002  0   0 01
00A98270 [ 2] .hash                         HASH       00000128 0000128 0025358 04 002  3   0 04
00A98298 [ 3] .dynsym                       DYNSYM     00025480 0025480 0054B90 10 002  4   1 04
00A982C0 [ 4] .dynstr                       STRTAB     0007A010 007A010 0057E9C 00 002  0   0 01
00A982E8 [ 5] .gnu.version                  0x6FFFFFFF 000D1EAC 00D1EAC 000A972 02 002  3   0 02
00A98310 [ 6] .gnu.version_r                0x6FFFFFFE 000DC820 00DC820 0000020 00 002  4   1 04
00A98338 [ 7] .rel.dyn                      REL        000DC840 00DC840 001D908 08 002  3   0 04
00A98360 [ 8] .rel.plt                      REL        000FA148 00FA148 00007A0 08 002  3  10 04
00A98388 [ 9] .init                         PROGBITS   000FA8E8 00FA8E8 000001A 00 006  0   0 01
00A983B0 [10] .plt                          PROGBITS   000FA904 00FA904 0000F4A 00 006  0   0 04
00A983D8 [11] .text                         PROGBITS   000FB850 00FB850 03B922C 00 006  0   0 04
00A98400 [12] .fini                         PROGBITS   004B4A7C 04B4A7C 0000014 00 006  0   0 01
00A98428 [13] .rodata                       PROGBITS   004B4AA0 04B4AA0 010B438 00 002  0   0 20
00A98450 [14] .rofixup                      PROGBITS   005BFED8 05BFED8 004BA10 00 002  0   0 04
00A98478 [15] .eh_frame_hdr                 PROGBITS   0060B8E8 060B8E8 0000024 00 002  0   0 04
00A984A0 [16] .eh_frame                     PROGBITS   0060C90C 060B90C 000008C 00 003  0   0 04
00A984C8 [17] .ctors                        PROGBITS   0060C998 060B998 0000008 00 003  0   0 04
00A984F0 [18] .dtors                        PROGBITS   0060C9A0 060B9A0 0000008 00 003  0   0 04
00A98518 [19] .jcr                          PROGBITS   0060C9A8 060B9A8 0000004 00 003  0   0 04
00A98540 [20] .data.rel.ro                  PROGBITS   0060C9AC 060B9AC 012C7B0 00 003  0   0 04
00A98568 [21] .dynamic                      DYNAMIC    0073915C 073815C 00000D8 08 003  4   0 04
00A98590 [22] .data                         PROGBITS   00739234 0738234 0346540 00 003  0   0 04
00A985B8 [23] .got                          PROGBITS   00A7F778 0A7E778 000BF88 00 003  0   0 08
00A985E0 [24] .bss                          NOBITS     00A8B700 0A8A700 0A41674 00 003  0   0 20
00A98608 [25] .comment                      PROGBITS   00000000 0A8A700 000DA49 00 000  0   0 01
00A98630 [26] .shstrtab                     STRTAB     00000000 0A98149 00000D4 00 000  0   0 01


Example of a gds1000b .ELF file (same type as gds2000e):
Code:
00000000                 Magic: 7F454C46    ELF File OK
00000004                Format: 32-bits
00000005                  Data: Little endian
00000006               Version: 1
00000007                OS/ABI: System V (often set to this)
00000008           ABI Version: 0
00000010           Object Type: Executable
00000012       Instruction Set: ARM
00000014               Version: 1
00000018           Entry Point: 0000E548
0000001C  Program Header Table: 00000034
00000020  Section Header Table: 01057968
00000024                 Flags: 05000002
00000028           Header Size: 00000034
0000002A  Program Headers Size: 00000020
0000002C     # Program Headers: 8
0000002E  Section Headers Size: 00000028
00000030     # Section Headers: 29
00000032 SH String Table Index: 28
**********  PROGRAM HEADERS:
          SegmType  SegmOffs  VirtAddr  PhysAddr  FilSegSz  MemSegSz  Flags     Align
00000034  70000001  00D37CD4  00D3FCD4  00D3FCD4  0000D488  0000D488  00000004  00000004
00000054  PHDR      00000034  00008034  00008034  00000100  00000100  00000005  00000004
00000074  INTERP    00000134  00008134  00008134  00000013  00000013  00000004  00000001
  00000134  [Requesting program interpreter: /lib/ld-linux.so.3 ]
00000094  LOAD      00000000  00008000  00008000  00D45160  00D45160  00000005  00008000
000000B4  LOAD      00D45160  00D55160  00D55160  00312614  02FBAE14  00000006  00008000
000000D4  DYNAMIC   00D4520C  00D5520C  00D5520C  00000108  00000108  00000006  00000004
000000F4  NOTE      00000148  00008148  00008148  00000020  00000020  00000004  00000004
  00000148  [Owner: GNU ] [OS: Linux 2.6.16]
00000114  6474E551  00000000  00000000  00000000  00000000  00000000  00000007  00000004
**********  SECTION HEADERS:
         [Nr] Name                          Type       VirtAddr Offset  Size    ES Flg Lk Inf Al
01057968 [ 0]                               NULL       00000000 0000000 0000000 00 000  0   0 00
01057990 [ 1] .interp                       PROGBITS   00008134 0000134 0000013 00 002  0   0 01
010579B8 [ 2] .note.ABI-tag                 NOTE       00008148 0000148 0000020 00 002  0   0 04
010579E0 [ 3] .hash                         HASH       00008168 0000168 00008A8 04 002  4   0 04
01057A08 [ 4] .dynsym                       DYNSYM     00008A10 0000A10 0001210 10 002  5   1 04
01057A30 [ 5] .dynstr                       STRTAB     00009C20 0001C20 0000AAE 00 002  0   0 01
01057A58 [ 6] .gnu.version                  0x6FFFFFFF 0000A6CE 00026CE 0000242 02 002  4   0 02
01057A80 [ 7] .gnu.version_r                0x6FFFFFFE 0000A910 0002910 00000C0 00 002  5   5 04
01057AA8 [ 8] .rel.dyn                      REL        0000A9D0 00029D0 0000030 08 002  4   0 04
01057AD0 [ 9] .rel.plt                      REL        0000AA00 0002A00 0000888 08 002  4  11 04
01057AF8 [10] .init                         PROGBITS   0000B288 0003288 000000C 00 006  0   0 04
01057B20 [11] .plt                          PROGBITS   0000B294 0003294 0000CE0 04 006  0   0 04
01057B48 [12] .text                         PROGBITS   0000BF80 0003F80 057E87C 00 006  0   0 10
01057B70 [13] .fini                         PROGBITS   0058A7FC 05827FC 0000008 00 006  0   0 04
01057B98 [14] .rodata                       PROGBITS   0058A808 0582808 07A3C93 00 002  0   0 08
01057BC0 [15] .ARM.extab                    PROGBITS   00D2E49C 0D2649C 0011838 00 002  0   0 04
01057BE8 [16] .ARM.exidx                    0x70000001 00D3FCD4 0D37CD4 000D488 00 082 12   0 04
01057C10 [17] .eh_frame                     PROGBITS   00D4D15C 0D4515C 0000004 00 002  0   0 04
01057C38 [18] .init_array                   INIT_ARRAY 00D55160 0D45160 0000004 00 003  0   0 04
01057C60 [19] .fini_array                   FINI_ARRAY 00D55164 0D45164 0000004 00 003  0   0 04
01057C88 [20] .jcr                          PROGBITS   00D55168 0D45168 0000004 00 003  0   0 04
01057CB0 [21] .data.rel.ro                  PROGBITS   00D5516C 0D4516C 00000A0 00 003  0   0 04
01057CD8 [22] .dynamic                      DYNAMIC    00D5520C 0D4520C 0000108 08 003  5   0 04
01057D00 [23] .got                          PROGBITS   00D55314 0D45314 0000458 04 003  0   0 04
01057D28 [24] .data                         PROGBITS   00D55770 0D45770 0312004 00 003  0   0 08
01057D50 [25] .bss                          NOBITS     01067778 1057774 2CA87FC 00 003  0   0 08
01057D78 [26] .comment                      PROGBITS   00000000 1057774 00000C1 01 030  0   0 01
01057DA0 [27] .ARM.attributes               0x70000003 00000000 1057835 0000037 00 000  0   0 01
01057DC8 [28] .shstrtab                     STRTAB     00000000 105786C 00000FB 00 000  0   0 01

Title: Re: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: toastedcrumpets on November 10, 2018, 06:56:49 pm
Thanks for the replies! I'll try the licence generator on Monday when I'm back in the office with the scopes.

tv84, how did you determine the location of the JFFS2 image? Was there a magic byte you were looking for, or do you have knowledge of the processor to get this?

Is it easy to repack this stuff into a JFFS2 image, or are there checksums/signing to get around?
Title: Re: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: tv84 on November 10, 2018, 07:28:49 pm
The available KG will, most probably, not work.

A more probable approach would be to get a new version of the KG that can handle the new 1000B and 2000E FWs and pray that it would be the same in the 2000A.

I disassembled (only high-level) the major areas of the UPG and once I found out the one that was called ROOTFS you only have to understand what type of FS it is. But there are some strings in there that help. binwalk also confirms it.

I think JFFS2, per se, doesn't include checksums. It's built of compressed blocks of the files and those are where the checksums/CRCs are. And then one would have to deal with checksums at the .UPG level.

Nonetheless, trying to patch a Blackfin .ELF is pro stuff since it's not easy to get them into IDA. This part would be the hardest.

BTW, the KG program code is easily visible in the 1000B/2000E early FWs disassembly (that must have been how it was extracted). Not the same in the newer ones.
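
Added example, not part of the thread and not tv84's tooling: one way to confirm by hand that a block inside a firmware container is JFFS2 is to search for the node magic 0x1985 at any byte offset and keep only headers whose CRC validates and which chain into further nodes. The function names, the `min_nodes` threshold and the sample container are assumptions made for this example.

```python
import struct
import zlib

JFFS2_MAGIC = 0x1985
NODE_TYPES = {0xE001: "dirent", 0xE002: "inode", 0x2003: "cleanmarker", 0x2004: "padding"}

def mtd_crc(data):
    # JFFS2 uses the kernel crc32_le seeded with 0 and without the final inversion.
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF

def node_at(blob, off, endian):
    """Return (nodetype, totlen) if a header with a valid hdr_crc starts at off, else None."""
    if off + 12 > len(blob):
        return None
    magic, ntype, totlen, hdr_crc = struct.unpack_from(endian + "HHII", blob, off)
    if magic != JFFS2_MAGIC or totlen < 12 or off + totlen > len(blob):
        return None
    return (ntype, totlen) if hdr_crc == mtd_crc(blob[off:off + 8]) else None

def find_jffs2(blob, min_nodes=3):
    """Find runs of chained, CRC-valid JFFS2 nodes at any byte offset, either endianness."""
    hits = []
    for endian, sig in (("<", b"\x85\x19"), (">", b"\x19\x85")):
        pos = blob.find(sig)
        while pos != -1:
            off, end, kinds = pos, pos, {}
            while (node := node_at(blob, off, endian)) is not None:
                name = NODE_TYPES.get(node[0], hex(node[0]))
                kinds[name] = kinds.get(name, 0) + 1
                end = off = off + ((node[1] + 3) & ~3)   # nodes are 4-byte aligned
                while blob[off:off + 4] == b"\xff" * 4:   # skip erase-block padding
                    off += 4
            if sum(kinds.values()) >= min_nodes:
                hits.append({"offset": pos, "size": end - pos, "endian": endian, "nodes": kinds})
            pos = blob.find(sig, max(end, pos + 1))
    return hits

def make_node(ntype, body=b"", endian="<"):
    """Constructed sample node: correct header CRC, padded to 4 bytes with 0xFF."""
    hdr = struct.pack(endian + "HHI", JFFS2_MAGIC, ntype, 12 + len(body))
    node = hdr + struct.pack(endian + "I", mtd_crc(hdr)) + body
    return node + b"\xff" * (-len(node) % 4)

# Constructed container: 0x11 bytes of filler holding a decoy magic, then three nodes.
SAMPLE = (b"\x00" * 5 + b"\x85\x19\x02\xe0" + b"\x00" * 8
          + make_node(0x2003) + make_node(0xE001, b"gds2000a") + make_node(0xE002, b"x" * 5))

if __name__ == "__main__":
    print(find_jffs2(SAMPLE))
```

On a real image a run ends wherever a node fails validation, so several consecutive hits usually belong to one filesystem.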
Title: Re: Is there a bandwidth hack for the GW Instek GDS-2000A series?
Post by: toastedcrumpets on November 12, 2018, 08:26:06 am
OK, just tried the licence generator and FW version 1.30 (on the 2074A) says it failed and I should "check the licence version", so no joy there.

Also tried my v1.17 firmware scope (2202A) and it didn't work either, so a downgrade to there then install of the licence isn't possible. Is there any way to dump the firmware out the scope to take a look for a generator (i.e., internal serial port)?