Author Topic: Need help hacking DP832 for multicolour option.  (Read 151938 times)


Offline tv84

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #100 on: January 19, 2018, 11:59:25 pm »
Here is my quick parsing of the DP800 v00.01.14.00.03 GELs:

Code: [Select]
DP800(Software)Update(Normal)_00.01.14.00.03:
Offset     Checksum???                 Block Size    Type
00000004 - 00 40 81 40 | 00 00 52 00 | A0 3D 00 00 | FF FF 00 00 | 9F 00 00 00  (block header)
  00000018 - 9C 3D 00 00 (size of the block that follows)
  [0000001C - 00003DB7] ARM code (little-endian) Loading address = 0x00080000

00003DB8 - 00 40 AB 61 | 00 00 00 00 | A1 6D 33 00 | FF FF 00 00 | 9F 00 00 00  (block header)
  00003DCC - ("RIGOLL" string)
  [00003DDC - 0033AB6C] ARM code (little-endian) Loading address = 0x3FFFFFB4

0033AB6D - 00 90 00 00 | 14 02 00 00 | 3C 00 00 00 | 14 FF 00 00 | 9F 00 00 00  (block header)
  [0033AB81 - 0033ABBC] Looks like it contains a 20-byte hash (or something encrypted...)

------------------------------------------------------------------------------------------------

DP800(Software)Update(Bootloader)_01.09:
Offset     Checksum???                 Block Size    Type
00000000 - 00 C8 33 27 | 00 00 00 00 | 20 0E 04 00 | 31 00 00 00 | 9F 00 00 00  (block header)

         ***  Header  ***
00000014          Header SHA-1: 31D47AF0F62F94737E737D3D9F4184DBACC44DAD  [00000028-00000073]  HASH OK
00000028           Signature 1: STMP  MAGIC OK
0000002C        Format Version: 1.1
0000002E                 Flags: 0x0000
00000030            Image Size: 00040E20
00000034   1st Boot Tag Offset: 000000A4
00000038   1st Boot Section ID:
0000003C     # Encryption Keys: 1
0000003E  Key Dictionary Start: 00000084
00000040           Header Size: 00000060
00000042     # Section Headers: 1
00000044   Section Header Size: 16 bytes
00000046        Random Padding: 0xC0B2
00000048           Signature 2: sgtl  (Sigmatel?)
0000004C         Creation Time: 26-03-2014 15:19:10
00000054       Product Version: 999.999.999
00000060     Component Version: 999.999.999
0000006C             Drive Tag: 0x0000
0000006E        Random Padding: 0xEFD4BC0FAC83
         ***  Sections Table  ***
00000074   ID:      | Ofs: 000000B4 | Len: 00040D60 | Flg: 00000001 - ROM_SECTION_BOOTABLE
         ***  Key Dictionary  ***
00000084  OTP Key0 Hash: 9A78EED8ABA28234DA5C39E00B28942E  CBC-MAC_AES OK
         ***  Session Key (decrypted)  ***
00000094  Key: 7B686FA69EF90D53A53CDCDE074B6E44  (using OTP Key0)
         ***  Sections (decrypted)  ***
000000A4  TAG  | 0001 | Sect ID:      | Len: 00040D60 | Flg: 00000001 - ROM_SECTION_BOOTABLE
000000B4  LOAD | 0000 | Adr: 00000000 | Len: 00000040 | CRC: BAF6AF35  CRC OK
00000104  LOAD | 0000 | Adr: 00000400 | Len: 00004D14 | CRC: 8A1A8B63  CRC OK
00004E34  FILL | 0000 | Adr: 00018000 | Len: 00001960 | Ptn: 00000000
00004E44  LOAD | 0000 | Adr: 00008000 | Len: 00000020 | CRC: 1809D243  CRC OK
00004E74  CALL | 0001 | Adr: 00008000 | Len: 00000000 | Arg: 00000000
00004E84  LOAD | 0000 | Adr: 00000000 | Len: 00000040 | CRC: E853D834  CRC OK
00004ED4  LOAD | 0000 | Adr: 41000000 | Len: 0003BEB4 | CRC: FE3E32E7  CRC OK
00040DA4  FILL | 0000 | Adr: 41300000 | Len: 00001900 | Ptn: 00000000
00040DB4  FILL | 0000 | Adr: 41301900 | Len: 00002404 | Ptn: 00000000
00040DC4  FILL | 0000 | Adr: 41700000 | Len: 004C4B40 | Ptn: 00000000
00040DD4  LOAD | 0000 | Adr: 00008000 | Len: 00000020 | CRC: 7846C59D  CRC OK
00040E04  JUMP | 0001 | Adr: 00008000 | Len: 00000000 | Arg: 00000000
         ***  File SHA-1 Hash (decrypted)  ***
00040E14  File SHA-1: 8A2D9884D7A265264E43E719A1BE297DFB784EF9  [00000014-00040E13]  HASH OK

I think that the 1st 4 bytes of an encoded .GEL indicate the filetype/encoding (28 23 10 00) and shouldn't be decoded.

So I use only (C#):
Code: [Select]
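            // Bytes 0-3 are left untouched; every later byte has a rolling mask
            // (starting at 0x78, +1 per byte) subtracted from it modulo 256.
            for (int i1 = 0x04, mask = 0x78; i1 < buffer.Length; i1++, mask++)
                buffer[i1] += (byte)(256 - mask);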
« Last Edit: January 20, 2018, 10:07:16 am by tv84 »
 
The following users thanked this post: Spork Schivago, tossu

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #101 on: January 20, 2018, 09:05:46 pm »
Parsing of versions:  (thank you to dav and ted572 for sending them)

00.01.03.00.02
00.01.05.00.00
00.01.06.00.00
00.01.08.00.02
00.01.09.00.01
00.01.10.00.03
00.01.11.00.00
00.01.13.00.01
00.01.14.00.03

Conclusions so far:
- 1st byte in the 1st block header is used to decode the file.
- 2nd byte is a flag byte with these meanings:
   X------- last block
   -X------ block has CRC
   ---X---- FRAM block (1 = saves to FRAM; 0 = saves to FLASH)
   ----X--- bootloader block
   -----X-- no block contents ?

- 2nd word in block headers is a CRC16 of the block.
- Special focus on the contents of the block with size=0x3C bytes (that is directly saved in the FRAM).
- If you look at the final words in the 0x3C block, they seem to increment with each version. Maybe it's directly related to the firmware version/release date.

Code: [Select]
DP800(Software)Update(Normal)_00.01.03.00.02

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002EEF09 | 00000000 | 00000000
00000014  Block #1: [00000014-002EEF1C]

002EEF1D  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 00000000 | 00000000
002EEF31  Hash/Encrypt ??:  3FF75ED5D6F06206F304DBD9BAA1A75E7459FC21
002EEF45  UInt32    (???):  0004B180 0004B180 0004B180 0004B180 0004B180
002EEF59  UInt32    (???):  0004B180 0004B180 0004B180 0004B180 0004B189
002EEF31  Block #2: [002EEF31-002EEF6C]

002EEF6D  Header - Mask: 00 | Flags: 00 | 0000 | 00520000 | Size: 00002384 | 00000000 | 00000000
002EEF81  Block Size: 00002384
002EEF91  Block #3: [002EEF91-002F1304]

002F1305  Header - Mask: 00 | Flags: 94 | 0000 | 00000000 | Size: 00000010 | 0000FFFF | 00000000
002F1319  EOF - No Block contents!
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.05.00.00

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002F6391 | 0000FFFF | 00000000
00000014  Block #1: [00000014-002F63A4]

002F63A5  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
002F63B9  Hash/Encrypt ??:  D5B2A1A71C6EBB7944B17F03AB122FF162031E59
002F63CD  UInt32    (???):  0004BD28 0004BD28 0004BD28 0004BD28 0004BD28
002F63E1  UInt32    (???):  0004BD28 0004BD28 0004BD28 0004BD28 0004BD29
002F63B9  Block #2: [002F63B9-002F63F4]

002F63F5  Header - Mask: 00 | Flags: 00 | 0000 | 00520000 | Size: 000024E4 | 0000FFFF | 00000000
002F6409  Block Size: 000024E4
002F6419  Block #3: [002F6419-002F88EC]

002F88ED  Header - Mask: 00 | Flags: 94 | 0000 | 00000000 | Size: 00000010 | 0000FFFF | 00000000
002F8901  EOF - No Block contents!
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.06.00.00

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002F7661 | 0000FFFF | 00000000
00000014  Block #1: [00000014-002F7674]

002F7675  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
002F7689  Hash/Encrypt ??:  42A86549B434F4D06827669679D7F06A6CBC505B
002F769D  UInt32    (???):  0004BF09 0004BF09 0004BF09 0004BF09 0004BF09
002F76B1  UInt32    (???):  0004BF09 0004BF09 0004BF09 0004BF09 0004BF10
002F7689  Block #2: [002F7689-002F76C4]

002F76C5  Header - Mask: 00 | Flags: 80 | 0000 | 00520000 | Size: 00002698 | 0000FFFF | 00000000
002F76D9  Block Size: 00002698
002F76E9  Block #3: [002F76E9-002F9D70]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.08.00.02

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 00308A9D | 0000FFFF | 00000000
00000014  Block #1: [00000014-00308AB0]

00308AB1  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
00308AC5  Hash/Encrypt ??:  CB1F0C46AC83A6E18455705ED7EFD0C07C83E23E
00308AD9  UInt32    (???):  0004DAA9 0004DAA9 0004DAA9 0004DAA9 0004DAA9
00308AED  UInt32    (???):  0004DAA9 0004DAA9 0004DAA9 0004DAA9 0004DAAC
00308AC5  Block #2: [00308AC5-00308B00]

00308B01  Header - Mask: 00 | Flags: 80 | 0000 | 00520000 | Size: 00003520 | 0000FFFF | 00000000
00308B15  Block Size: 00003520
00308B25  Block #3: [00308B25-0030C034]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.09.00.01

00000000  Header - Mask: 00 | Flags: 40 | 08CE | 00520000 | Size: 00003520 | 0000FFFF | 0000009F
00000014  Block Size: 00003520
00000024  Block #1: [00000024-00003533]

00003534  Header - Mask: 00 | Flags: 40 | 301D | 00000000 | Size: 0031FE6D | 0000FFFF | 0000009F
00003548  String1: RIGOLL
00003558  Block #2: [00003558-003233B4]

003233B5  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
003233C9  Hash/Encrypt ??:  464E7D130B7366357007E49384BCF81BE9F53C2F
003233DD  UInt32    (???):  0004FFD7 0004FFD7 0004FFD7 0004FFD7 0004FFD7
003233F1  UInt32    (???):  0004FFD7 0004FFD7 0004FFD7 0004FFD7 0004FFDE
003233C9  Block #3: [003233C9-00323404]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.10.00.03

00000004  Header - Mask: 00 | Flags: 40 | E89F | 00520000 | Size: 00003694 | 0000FFFF | 0000009F
00000018  Block Size: 00003690
0000001C  Block #1: [0000001C-000036AB]

000036AC  Header - Mask: 00 | Flags: 40 | 5732 | 00000000 | Size: 0031DA25 | 0000FFFF | 0000009F
000036C0  String1: RIGOLL
000036D0  Block #2: [000036D0-003210E4]

003210E5  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
003210F9  Hash/Encrypt ??:  FC3999DF41FAC462946CE1BDC6E069E74D523C9C
0032110D  UInt32    (???):  0004FC36 0004FC36 0004FC36 0004FC36 0004FC36
00321121  UInt32    (???):  0004FC36 0004FC36 0004FC36 0004FC36 0004FC3F
003210F9  Block #3: [003210F9-00321134]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.11.00.00

00000004  Header - Mask: 00 | Flags: 40 | E89F | 00520000 | Size: 00003694 | 0000FFFF | 0000009F
00000018  Block Size: 00003690
0000001C  Block #1: [0000001C-000036AB]

000036AC  Header - Mask: 00 | Flags: 40 | DC62 | 00000000 | Size: 00322285 | 0000FFFF | 0000009F
000036C0  String1: RIGOLL
000036D0  Block #2: [000036D0-00325944]

00325945  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
00325959  Hash/Encrypt ??:  A92B0C1660C0424D48D19499AE7BF4C70F647AA4
0032596D  UInt32    (???):  00050373 00050373 00050373 00050373 00050373
00325981  UInt32    (???):  00050373 00050373 00050373 00050373 0005037A
00325959  Block #3: [00325959-00325994]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.13.00.01

00000004  Header - Mask: 00 | Flags: 40 | A1A0 | 00520000 | Size: 00003D58 | 0000FFFF | 0000009F
00000018  Block Size: 00003D54
0000001C  Block #1: [0000001C-00003D6F]

00003D70  Header - Mask: 00 | Flags: 40 | 2D14 | 00000000 | Size: 00335605 | 0000FFFF | 0000009F
00003D84  String1: RIGOLL
00003D94  Block #2: [00003D94-00339388]

00339389  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
0033939D  Hash/Encrypt ??:  8A968039CF72794BA2BB2762B0708CBD822456D1
003393B1  UInt32    (???):  00052233 00052233 00052233 00052233 00052233
003393C5  UInt32    (???):  00052233 00052233 00052233 00052233 0005223A
0033939D  Block #3: [0033939D-003393D8]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.14.00.03

00000004  Header - Mask: 00 | Flags: 40 | 4081 | 00520000 | Size: 00003DA0 | 0000FFFF | 0000009F
00000018  Block Size: 00003D9C
0000001C  Block #1: [0000001C-00003DB7]

00003DB8  Header - Mask: 00 | Flags: 40 | 61AB | 00000000 | Size: 00336DA1 | 0000FFFF | 0000009F
00003DCC  String1: RIGOLL
00003DDC  Block #2: [00003DDC-0033AB6C]

0033AB6D  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
0033AB81  Hash/Encrypt ??:  68FC5AAA5F2AA7CFCFBC40371C20812A668FD4A9
0033AB95  UInt32    (???):  00052490 00052490 00052490 00052490 00052490
0033ABA9  UInt32    (???):  00052490 00052490 00052490 00052490 00052491
0033AB81  Block #3: [0033AB81-0033ABBC]
*****************************************************************************************
DP800(Software)Update(Bootloader)_01.06

00000000  Header - Mask: 00 | Flags: C8 | 8E34 | 00000000 | Size: 00040C70 | 000000B3 | 0000009F
00000014  Block #1: [00000014-00040C83]
*****************************************************************************************
DP800(Software)Update(Bootloader)_01.09

00000000  Header - Mask: 00 | Flags: C8 | 2733 | 00000000 | Size: 00040E20 | 00000031 | 0000009F
00000014  Block #1: [00000014-00040E33]


If anyone has the FW versions that are not listed here please repost or send me a pm:
00.01.01.02.04
00.01.02.00.03
00.01.04.00.02

Edit: 2/1/2020 Fill some "flag" explanations
« Last Edit: January 02, 2020, 03:36:05 pm by tv84 »
 
The following users thanked this post: Spork Schivago, toxuin
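As an added illustration (not tv84's parser, which is not posted in the thread), this Python sketch walks the 20-byte block headers using the field layout visible in the dumps above and the flag meanings from the post, rejecting size fields that run past the end of the file. The names `word1`, `word3`, `word4` and the miniature sample image are constructed here; the CRC16 is reported but not checked because the thread does not give its parameters.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 0x14  # block headers in the dumps are 20 bytes long

# Flag-byte bits as listed in the post; the "?" entry is the poster's own guess.
FLAG_BITS = {
    0x80: "last block",
    0x40: "block has CRC",
    0x10: "FRAM block",
    0x08: "bootloader block",
    0x04: "no block contents?",
}
LAST_BLOCK = 0x80
NO_CONTENTS = 0x04


@dataclass
class Block:
    header_offset: int
    mask: int
    flags: int
    crc16: int
    word1: int   # unnamed in the post (0x00520000, 0x00000214, ... in the dumps)
    size: int
    word3: int   # unnamed (0x0000FFFF in most dumps)
    word4: int   # unnamed (0x0000009F in the newer files)
    data_offset: int
    data_len: int

    def flag_names(self):
        names = [name for bit, name in FLAG_BITS.items() if self.flags & bit]
        unknown = self.flags & ~sum(FLAG_BITS)
        if unknown:
            names.append(f"unknown bits 0x{unknown:02X}")
        return names


def walk_blocks(image: bytes, start: int = 0):
    """Return the blocks of a descrambled image, validating every size field."""
    blocks, off = [], start
    while off < len(image):
        if off + HEADER_LEN > len(image):
            raise ValueError(f"truncated header at 0x{off:08X}")
        mask, flags, crc16, word1, size, word3, word4 = struct.unpack_from(
            "<BBHIIII", image, off)
        data_offset = off + HEADER_LEN
        # The terminating block of the oldest files carries a size but no data.
        data_len = 0 if flags & NO_CONTENTS else size
        if data_offset + data_len > len(image):
            raise ValueError(
                f"block at 0x{off:08X} claims 0x{size:X} bytes past end of file")
        blocks.append(Block(off, mask, flags, crc16, word1, size, word3, word4,
                            data_offset, data_len))
        off = data_offset + data_len
        if flags & LAST_BLOCK:
            break
    return blocks


def make_header(flags, crc16, word1, size, word3=0xFFFF, word4=0x9F):
    """Pack one little-endian 20-byte header (mask byte fixed at 0x00)."""
    return struct.pack("<BBHIIII", 0x00, flags, crc16, word1, size, word3, word4)


def build_sample():
    """Constructed miniature image laid out like the 00.01.14.00.03 dump."""
    image = bytes.fromhex("28231000")                       # 4-byte file-type marker
    image += make_header(0x40, 0x4081, 0x00520000, 8) + bytes(8)
    image += make_header(0x40, 0x61AB, 0x00000000, 16) + b"RIGOLL".ljust(16, b"\0")
    image += make_header(0x90, 0x0000, 0x00000214, 0x3C) + bytes(0x3C)
    return image


if __name__ == "__main__":
    for n, b in enumerate(walk_blocks(build_sample(), start=4), 1):
        end = b.data_offset + b.data_len - 1
        print(f"{b.header_offset:08X}  Header - Mask: {b.mask:02X} | "
              f"Flags: {b.flags:02X} | {b.crc16:04X} | {b.word1:08X} | "
              f"Size: {b.size:08X} | {b.word3:08X} | {b.word4:08X}")
        print(f"{b.data_offset:08X}  Block #{n}: "
              f"[{b.data_offset:08X}-{end:08X}]  {', '.join(b.flag_names())}")
```

Pass `start=4` for files whose first header follows the 4-byte marker (as in 00.01.10.00.03 and later in the dumps) and `start=0` for the older layouts.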

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #102 on: February 13, 2018, 01:23:20 am »
Parsing of versions:  (thank you to dav and ted572 for sending them)

00.01.03.00.02
00.01.05.00.00
00.01.06.00.00
00.01.08.00.02
00.01.09.00.01
00.01.10.00.03
00.01.11.00.00
00.01.13.00.01
00.01.14.00.03

Conclusions so far:
- 1st byte in the 1st block header is used to decode the file.
- 2nd byte is a flag byte with these meanings:
   X------- last block
   -X------ normal block ?
   ---X---- special block 0x3C
   ----X--- bootloader block
   -----X-- no block contents ?

- 2nd word in block headers seems to be a CRC/checksum.
- Special focus on the contents of the block with size=0x3C bytes.
- If you look at the final words in the 0x3C block, they seem to increment with each version. Maybe it's directly related to the firmware version/release date.


If anyone has the FW versions that are not listed here please repost or send me a pm:
00.01.01.02.04
00.01.02.00.03
00.01.04.00.02

Wow, you've made some real progress here!   Can you please share the source code you're using to parse the files?   The one that shows stuff like:

Code: [Select]
DP800(Software)Update(Bootloader)_01.06

00000000  Header - Mask: 00 | Flags: C8 | 8E34 | 00000000 | Size: 00040C70 | 000000B3 | 0000009F
00000014  Block #1: [00000014-00040C83]

Unfortunately, I think C# is mainly for Windows, although I guess there's a Mono C# compiler. But if you're okay with sharing the code, maybe I could convert it to normal C real quick like and repost for Linux users?

I had made a collection of the various firmwares that I found for the unit.   I will check on my Linux box and see if the ones you requested are there or not.

I had given up on this project because we had a daughter and that kind of changed priorities a lot. I am very impressed with the work that the community has done, including your work. You guys are amazing and discovered stuff I would never have discovered.

That's what I love about forums.   It's a place for society to come together and work on stuff together.   I might not think of something, but you may.   Or vice-versa.   And together, we might be able to solve some pretty interesting problems.

Now I don't know a lot about cryptology, but for the bootloader code....the SHA-1 for the header, that's just a SHA-1 checksum of the contents, right?   It's not anything to deal with signing, is it?    Because my understanding is that brute-forcing an SHA-1 private key is not going to happen anytime soon, and I'm really hoping they're not signed with a private key.

But I did notice, as I mentioned on previous pages somewheres, that the last x amount of bytes in the firmware files match, and I thought perhaps that was some sort of signature, but I probably was wrong.
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #103 on: April 01, 2018, 04:42:12 am »
Who needed the memory dump again and could they please provide me with the directions?   I got so caught up with my life (daughter, wife, trying to start a new legal business, earning money to pay for all the software / hardware we need to stay legal, etc) that I totally forgot all about it!

But I do have a Rigol DP832 that I'll be more than happy to provide the memory dump, if they just provide the directions on how to do so.

Thanks!
 

Offline tossu

  • Contributor
  • Posts: 21
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #104 on: April 04, 2019, 09:56:12 pm »
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

Offline toxuin

  • Newbie
  • Posts: 8
  • Country: ca
Re: Need help hacking DP832 for multicolour option.
« Reply #105 on: April 04, 2019, 09:58:19 pm »
Whoa, that's a breakthrough!

I would appreciate a write-up on how you came up with this, if that's not too much work. This sounds awesome!

PS. Is this trick reversible?
 
The following users thanked this post: Synthtech, ppsilva, CloverGit

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #106 on: April 04, 2019, 10:07:59 pm »
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

tossu,  :clap: :clap: :clap:

I don't know what you did but that sounds interesting!!!

 

Offline tossu

  • Contributor
  • Posts: 21
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #107 on: April 04, 2019, 10:24:03 pm »
I'd be happy to do a write-up! I expected hardly anyone to be interested in this hack anymore. Just give me some time.

I just tested that the hack can be reversed by setting the model back to DP832.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 6407
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #108 on: April 04, 2019, 10:27:33 pm »
How about DP831 ?
 

Offline tossu

  • Contributor
  • Posts: 21
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #109 on: April 04, 2019, 10:47:05 pm »
How about DP831 ?

I'd try setting the model to DP831A. I don't have a DP831 to test with, but DP831A is a recognized string constant. I don't see why it shouldn't work.

Edit: Pictures of my hacked DP832
« Last Edit: April 04, 2019, 11:12:08 pm by tossu »
 
The following users thanked this post: 2N3055

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 6407
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #110 on: April 04, 2019, 10:58:28 pm »
How about DP831 ?

I'd try setting the model to DP831A. I don't have a DP831 to test with, but DP831A is a recognized string constant. I don't see why it shouldn't work.
Thanks!
I'll give it a go and report back..
 

Offline PTR_1275

  • Frequent Contributor
  • **
  • Posts: 561
  • Country: au
Re: Need help hacking DP832 for multicolour option.
« Reply #111 on: April 04, 2019, 11:18:04 pm »
So changing it to the coloured display doesn’t give you that horrible triangular split display?? (The one with the circle in the middle and the settings top left, top right and bottom middle) Personally that screen layout is the reason I avoided the 832a...
 

Offline tossu

  • Contributor
  • Posts: 21
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #112 on: April 04, 2019, 11:21:53 pm »
So changing it to the coloured display doesn’t give you that horrible triangular split display?? (The one with the circle in the middle and the settings top left, top right and bottom middle) Personally that screen layout is the reason I avoided the 832a...

It does, but DP832A has a DP832-like colorful display mode as an alternative.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #113 on: April 04, 2019, 11:52:15 pm »
Fantastic hacking work!

Even though I prefer the plain '7 segment font' DP832 display over the DP832A anyway, I wonder if the random reboots that DP832 owners suffer from for absolutely no rhyme or reason will vanish when software converting to a DP832A, like there was some sick fuck that deliberately sabotaged these PSU's by software methods only? Much like the scum involved in HP inkjet printers and cartridges malarky?  :wtf:
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 463
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #114 on: April 05, 2019, 03:22:22 am »
Worked for me, thanks!
 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 176
Re: Need help hacking DP832 for multicolour option.
« Reply #115 on: April 05, 2019, 05:14:15 am »
Well, this just moved the 832 back up on my list of potential adds. Good work!

-j
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #116 on: April 05, 2019, 06:36:25 am »
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

Very nice finding, thank you!  :-+

In the beginning, the difference between DP832 and DP832A used to be that the "A" variant came with all the features unlocked from the factory, and a new weird and multicolour display scheme.

With the latest firmware, are the differences between DP832 and DP832A still the same?  Was there any new functionality added in the meantime to the DP832A only?

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1380
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #117 on: April 05, 2019, 09:17:58 am »
 :-+ DP811 -> DP811A works a treat!

I like the "proper" fonts so much more than the simulated 7-Segment digits that even are shown dimmed when "off" (what a stupid idea).
Kudos to you @tossu and thank you very much for sharing!

Cheers,
Thomas
 
The following users thanked this post: PeDre

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 768
Re: Need help hacking DP832 for multicolour option.
« Reply #118 on: April 05, 2019, 09:27:44 am »
Thank you Tossu!

@all: do I really still need Ultrasigma to send SCPI commands or is there a smaller tool around? I remember Ultrasigma being huge and if possible I would like to avoid installing it just for this hack. Though if there is no way around, I would do a backup->install->hack->restore to get rid of it quickly. Thanks.
 

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1380
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #119 on: April 05, 2019, 09:39:22 am »
Under Windows, you can just telnet to the Power Supply (provided you're using an ethernet connection):

Figure out its IP address

Start a console (cmd)

telnet [IP_Address] 5555

Now just enter (or copy&paste) the SCPI command -- voila.
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 768
Re: Need help hacking DP832 for multicolour option.
« Reply #120 on: April 05, 2019, 09:43:48 am »
Thanks. I will try it right away!
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 768
Re: Need help hacking DP832 for multicolour option.
« Reply #121 on: April 05, 2019, 10:17:11 am »
Mmmmh - not working.  Should I get feedback from the DP832? I am able to open telnet. Any entered character is shown as a space on the screen; after entering the string manually (or copy/paste) nothing happens (I am pressing ENTER after entering the string). There is no visible feedback from the power supply. Is this correct?
Rebooting then changes nothing - shows still DP832 in system info screen.
I tried an old 1GB USB stick and formatted with 16Kbyte blocks. I will now try another USB stick (4 GByte and 64KByte blocks) and as I do not have the latest firmware installed, I will try this too.
 

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1380
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #122 on: April 05, 2019, 10:40:59 am »
I also didn't get a response from the power supply via telnet when I did so. It may be worth trying another command that will return a value, like for example:

:SYSTem:VERSion?

This should return "1999.0" (SCPI version on the device). If this works and you're sending the correct command, you should really check the USB drive you're using. I was successful with a quite old 8GB thumb drive labeled "Verbatim" that I also use for firmware updates. But I followed @tossu's instructions to format it and then only copy the provided file on it. Worked for both my DP832 and DP811.

Good luck,
Thomas
« Last Edit: April 05, 2019, 11:07:59 am by TurboTom »
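
A scripted version of the link check described in the two posts above (raw TCP to port 5555, then `:SYSTem:VERSion?`), added here as an example and not part of any post or of Rigol's software. `scpi_send`, `link_check` and the loopback stub instrument are hypothetical names, and the newline terminator is an assumption.

```python
import socket
import socketserver
import threading

SCPI_PORT = 5555  # raw-socket port used with telnet in the thread

def scpi_send(host, command, port=SCPI_PORT, timeout=2.0):
    """Send one SCPI line. Queries (ending in '?') return the reply line;
    set commands return None (the thread reports no reply to them)."""
    is_query = command.rstrip().endswith("?")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(command.strip().encode("ascii") + b"\n")  # assumed terminator
        if not is_query:
            return None
        buf = b""
        try:
            while not buf.endswith(b"\n"):
                chunk = sock.recv(4096)
                if not chunk:  # peer closed before finishing the line
                    break
                buf += chunk
        except socket.timeout:
            raise TimeoutError(f"no reply to {command!r} within {timeout}s")
        return buf.decode("ascii", "replace").strip()

def link_check(host, port=SCPI_PORT):
    """True if the SCPI link answers the version query with "1999.0"."""
    try:
        return scpi_send(host, ":SYSTem:VERSion?", port=port) == "1999.0"
    except OSError:  # refused, unreachable, or timed out
        return False

class _StubHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the instrument: answers only the version query."""
    def handle(self):
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            self.server.seen.append(line)
            if line.upper() == ":SYSTEM:VERSION?":
                self.wfile.write(b"1999.0\n")

def start_stub():
    """Start the loopback stub on a free port so the example runs offline."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StubHandler)
    server.seen = []
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Against a real supply, `link_check("<instrument IP>")` separates a dead link from a command that is simply silent, which the blank telnet screen cannot do.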
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 768
Re: Need help hacking DP832 for multicolour option.
« Reply #123 on: April 05, 2019, 10:55:31 am »
Thanks Tom,
I was running firmware 1.04 :wtf:. Yeah pretty old but as everything was working fine, there was no need. As a firmware update to 1.11. did solve the problem above, anybody should check his/her version first and then do an update if needed. I will now update to 1.14. (1.11. was -according to Rigol- a needed step in between).
 
The following users thanked this post: Sully

Offline rfspezi

  • Regular Contributor
  • *
  • Posts: 173
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #124 on: April 05, 2019, 11:34:01 am »
Are you using the Ultra Sigma Software from Rigol to send the SCPI command?
I tried to download that software several times from the Rigol homepage, however it takes ages and finally is corrupt.  :-\
 

