Author Topic: Need help hacking DP832 for multicolour option.  (Read 151961 times)

0 Members and 1 Guest are viewing this topic.

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #50 on: September 19, 2016, 11:49:31 am »
There are a lot of bitmaps in RGB565, one after the other, in different sizes. Some parts that look like code in between.
Some html/xml and javascript (with some "~" every 128 bytes),
Some filenames with a hint to "E:\MQX\Freescale MQX 3.7 ARM9 imx287evk_rev2\Freescale MQX 3.7 ARM9 imx287evk",
Some strings seem to be model numbers (namely DP831A, DP832A, DP821A, DP811A, DP812A, DP813A, DP841A, DP831, DP832, DP821, DP811, DP812, DP813, DP841)

So far I could not identify a structure of it all.
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #51 on: September 19, 2016, 05:55:11 pm »
Thank you guys so much!

So, from the sounds of it, Volki successfully decrypted the firmware update.   Do you guys think that's safe to assume?   There was some program I ran across a while back...a program made for Rigol .GEL files.   It could extract the files or something.   I wonder if that program would work now with the decrypted DP832 firmware...
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #52 on: September 19, 2016, 06:38:53 pm »
I don't know a lot about flash or anything, but looking through the descrambled GEL file, at offset: 3091B5, I see:
Code: [Select]
<link hEref
I know with HTML, that should be
Code: [Select]
<link href.   Maybe that E in there has something to do with the flash, like where that bit of code gets written to...or maybe there's a little more to descrambling this file, or maybe it's compressed some how.   What do you guys think?

Further down the file, the www's aren't right.   Like at offset: 3092A6 and 309304
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #53 on: September 19, 2016, 09:35:00 pm »
These inconsistencies in plain xml '<hEref' appear in regular intervals, i.e. like every 128 bytes (find '~' mostly) inside a logical block, that's why I think it's part of a bigger package. I'm not really experienced in this.

Other things I observed are a lot of bitmaps in RGB565. If you see the descrambled file as a bitstream, run it through a raw pixel viewer and adjust the width correctly, you see a lot of bitmaps. The first one looks like a clock face, then comes more unidentified data and then a whole collection of more bitmaps. For ecample, I also found the 'middle balls' of the normal view in DP8xxA models.
Other bitmaps are the LXI logo, RIGOL logo, all in diverse colours. Haven't got any at hand to attach atm.
But these bitmaps do not have a header of some sort. They are just next to each other.
However, I didn't find a section with indexes and size information of the single bitmaps, yet. So, these might be part of a bigger package again.
So I keep on searching for some kind of index table.
I couldn't make any sense of the first 256 or so bytes in the file, yet.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #54 on: September 19, 2016, 09:50:28 pm »
Excellent hacking! It seems a lot of work to get multicolour but the journey is far more interesting than the goal!
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #55 on: September 19, 2016, 10:03:12 pm »
These inconsistencies in plain xml '<hEref' appear in regular intervals, i.e. like every 128 bytes (find '~' mostly) inside a logical block, that's why I think it's part of a bigger package. I'm not really experienced in this.
I noticed the same pattern.   Also, with the www's, the ones that have the messed up text, almost all of them start with a y with a ' over it.   And then there's a w and a lot have the ~.   Like http://y(with the ' over it)w~.   I saw one that had a capital Z instead of the ~ (or maybe instead of the funky y).

Other things I observed are a lot of bitmaps in RGB565. If you see the descrambled file as a bitstream, run it through a raw pixel viewer and adjust the width correctly, you see a lot of bitmaps. The first one looks like a clock face, then comes more unidentified data and then a whole collection of more bitmaps. For example, I also found the 'middle balls' of the normal view in DP8xxA models.
Other bitmaps are the LXI logo, RIGOL logo, all in diverse colours. Haven't got any at hand to attach atm.
But these bitmaps do not have a header of some sort. They are just next to each other.
However, I didn't find a section with indexes and size information of the single bitmaps, yet. So, these might be part of a bigger package again.
So I keep on searching for some kind of index table.
I couldn't make any sense of the first 256 or so bytes in the file, yet.

You know more about bitmaps than I do.   I too couldn't find an index but I think there has to be one somewheres.   Perhaps in the first 256 bytes or so.   I'm wondering if the first few bytes of the file get decrypted / descrambled differently.

If I were to take a guess, I'd bet the file header for this firmware update might not be too much different than some of the other Rigol firmwares.   Perhaps that could help?   I was reading for the DSxxxx's that Rigol makes, if I understand them correctly, the index for the files is in the beginning of the update file.   I know when I worked as a programmer for Deposit Computer Services, Inc, whenever we got a new customer, I'd find the source code from another customer that wanted something similar and I'd just modify the code a little bit to make it fit, rather than writing the whole thing from scratch.   I bet Rigol's programmers do the same.   The header might not be too much different from the headers in their other files.   Just properly decrypting it, there might be more to it than the 75, 76, 77, etc thing.

I cannot seem to find any termination strings that might separate one file from another.   I think an index has to be used.   Something with offset, filelength and filename and probably some sort of checksum.   Also, somewheres, I almost remember finding the ends of the various Rigol DP832 firmwares had something special about them, like it was all the same values, the last 500 and some bytes or something.   I thought I posted about that somewhere here, in this thread.   Maybe there's a footer.

You did great work though and got much further than I did.   I had given up on this.   Thank you!!!!
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #56 on: September 30, 2016, 11:27:00 am »
I've compared the current (00.01.14.00.01) GEL file that was de-scrambled as before, with an older version (00.01.09.00.01). Here is what they look like:

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78


The (00.01.09.00.01) version is not scrambled and misses the first 4 Bytes: B4 AE 9A 89. From there on, the structure aligns pretty good. Only a few bytes are different, either addresses or length information...

I looked through the bitmaps I could find in (00.01.14.00.03) and made a collection of them here.
Furthermore I could find a lot of 1 bit per pixel character sets with all sorts of special characters. Amongst them are also the 7-segment numbers in different sizes for the main display. Haven't indexed those, though.

Still looking at it and not getting an idea what the overall structure could be. Any more ideas? Any disassemblers?
 
The following users thanked this post: Spork Schivago

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #57 on: September 30, 2016, 11:43:23 am »
I cannot seem to find any termination strings that might separate one file from another.   I think an index has to be used.   Something with offset, filelength and filename and probably some sort of checksum.   Also, somewheres, I almost remember finding the ends of the various Rigol DP832 firmwares had something special about them, like it was all the same values, the last 500 and some bytes or something.   I thought I posted about that somewhere here, in this thread.   Maybe there's a footer.

Some bitmaps in the file can be found in different colors (for the different DP800 variants). They are directly adjacent to each other in the code. But sometimes they are also separated by 2 bytes: 00 00. Didn't find a reason for that and why it is only sometimes...

The different variants can be found in location 0x2F172C:
Code: [Select]
44 50 38 33 31 41 00 00 44 50 38 33 32 41 00 00  |  DP831A..DP832A..
44 50 38 32 31 41 00 00 44 50 38 31 31 41 00 00  |  DP821A..DP811A..
44 50 38 31 32 41 00 00 44 50 38 31 33 41 00 00  |  DP812A..DP813A..
44 50 38 34 31 41 00 00 44 50 38 33 31 00 00 00  |  DP841A..DP831...
44 50 38 33 32 00 00 00 44 50 38 32 31 00 00 00  |  DP832...DP821...
44 50 38 31 31 00 00 00 44 50 38 31 32 00 00 00  |  DP811...DP812...
44 50 38 31 33 00 00 00 44 50 38 34 31 00 00 00  |  DP813...DP841...
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #58 on: September 30, 2016, 05:44:29 pm »
Could this be a lookup table for model numbers that are pre-programmed in the devices flash area along with serial number and calibration, etc?

Would it by as simple as changing byte 0x2F1771 from 00 to 41 'A' and perhaps byte 0x2F1739 from 41 to 00 for consistency but also just in case a simple checksum is used?

Nah, that seems to easy  :-DD
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #59 on: September 30, 2016, 06:46:43 pm »
Could this be a lookup table for model numbers that are pre-programmed in the devices flash area along with serial number and calibration, etc?

Would it by as simple as changing byte 0x2F1771 from 00 to 41 'A' and perhaps byte 0x2F1739 from 41 to 00 for consistency but also just in case a simple checksum is used?

Nah, that seems to easy  :-DD
I too found the variants at 0x2F172C but I think there has to be a checksum that would prevent the firmware from being loaded.   Someone with more time than me right now could try a simple test.   Turn on their power supply, find a text string in some menu.   Search the descrambled file for this string and make sure it's only found once in the file.   Then just change a letter.   Flash the firmware and see if it's changed in the menu.

If there's some sort of checksum, I'd imagine the power supply would refuse to accept the firmware.   Another thing would be to make sure you can flash the same version firmware that's already installed on the machine.

For example, if your DP832 has firmware 00.01.14.00.01, make sure you can flash a normal version of firmware 00.01.14.00.01.    Otherwise, we could have issues.   Let's say someone's running firmware 00.01.09.00.01 and they flash a modified version of 00.01.14.00.01.   Then they go to undo their changes and try flashing 00.01.14.00.01 again.   The machine might refuse the firmware saying it's already up-to-date.   That could greatly reduce someone's chances to finding a multi-coloured option for the DP832's.   They might only have a couple chances at it.

Can someone upload the source code to re-scramble the files?   I wonder what would happen if someone removed those first 4 bytes in the descrambled file and try flashing it, descrambled like....maybe those first four say the file's encrypted or something?
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #60 on: September 30, 2016, 07:02:50 pm »
Ok, I didn't rescramble the file but modified my original 1.14 using the same '74 offset' formula.

So I changed

2F1379 from EE to AD
2F1771 from E5 to 5C

Reflashed using USB and the help button at the '...' elipses, it didn't spit back any errors and appeared to accept the file, flashed ok and asked me to power off and on.

Unfortunately it hasn't made the blindest difference  (at least that I have found so far. Perhaps a SCPI command or the webserver will report back the wrong model?) :-DD
 
The following users thanked this post: Spork Schivago

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #61 on: September 30, 2016, 07:16:15 pm »
I've compared the current (00.01.14.00.01) GEL file that was de-scrambled as before, with an older version (00.01.09.00.01). Here is what they look like:

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78


The (00.01.09.00.01) version is not scrambled and misses the first 4 Bytes: B4 AE 9A 89. From there on, the structure aligns pretty good. Only a few bytes are different, either addresses or length information...

I looked through the bitmaps I could find in (00.01.14.00.03) and made a collection of them here.
Furthermore I could find a lot of 1 bit per pixel character sets with all sorts of special characters. Amongst them are also the 7-segment numbers in different sizes for the main display. Haven't indexed those, though.

Still looking at it and not getting an idea what the overall structure could be. Any more ideas? Any disassemblers?

The bottom of 00.01.09.00.01 seems to repeat itself a bit, but the bottom of the newer version doesn't.

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78



Maybe the 9F E5's are some sort of terminator though?

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78

Or maybe the four bytes there, like 18 F0 9F E5 are offsets?

There's gotta be some version string somewheres here.   I'd really think this is some sort of header.   I'd think it'd contain the version string, size of the file, etc.
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #62 on: September 30, 2016, 07:18:38 pm »
Ok, I didn't rescramble the file but modified my original 1.14 using the same '74 offset' formula.

So I changed

2F1379 from EE to AD
2F1771 from E5 to 5C

Reflashed using USB and the help button at the '...' elipses, it didn't spit back any errors and appeared to accept the file, flashed ok and asked me to power off and on.

Unfortunately it hasn't made the blindest difference  (at least that I have found so far. Perhaps a SCPI command or the webserver will report back the wrong model?) :-DD

You can flash the same version firmware over and over again?   Perhaps you'd like to go into the menu, find some text string, and do what I suggested earlier?   Just change the text a little and see if it makes any difference.   I wouldn't try modifying the webpage stuff at all, but the actual text string in one of the menus....if that's successful, then we can assume perhaps there's no checksum's at all?   That'd be great news....
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #63 on: September 30, 2016, 08:17:50 pm »
I keep on trying to upload 00.01.14.00.03 in a zip file and it looks like it goes, but my posts don't get posted here for some reason.   Not sure where they're going.   But after I post, it takes me this Start new message page, as if I'm trying to PM someone.   I don't see why I cannot upload the zip file.   It's 9,244KB in size.   Any ideas?    I thought with closer firmware numbers, there wouldn't be so many changes and maybe it'd be easier to figure out the stuff, like the header of the file, etc.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #64 on: September 30, 2016, 08:25:32 pm »
Ok, I chose to change the installed options text at 277BC0 from ":Official" to ":Hacked!" so the encoded bytes are

5E 6D 87 8A 93 8E B8 4C 2C

Reflashed and unfortunately the options still showed as ":Official" so perhaps it is ignoring the upgrade? I then tried the "Update analog board 1 & 2" step just in case but no luck.

So I downgraded using official 1.13 - that installed and reported version correctly.

I then re-installed my hacked 1.14 which gave all indication of installing ok, but the Sys Info still showed 1.13 and of course my hack did not work.

I then installed proper 1.14 which installed ok, and now Sys Info does show 1.14.

So I give up. That's it for tonight!  ;)
 
The following users thanked this post: Spork Schivago

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #65 on: September 30, 2016, 08:55:48 pm »
Ok, I chose to change the installed options text at 277BC0 from ":Official" to ":Hacked!" so the encoded bytes are

5E 6D 87 8A 93 8E B8 4C 2C

Reflashed and unfortunately the options still showed as ":Official" so perhaps it is ignoring the upgrade? I then tried the "Update analog board 1 & 2" step just in case but no luck.

So I downgraded using official 1.13 - that installed and reported version correctly.

I then re-installed my hacked 1.14 which gave all indication of installing ok, but the Sys Info still showed 1.13 and of course my hack did not work.

I then installed proper 1.14 which installed ok, and now Sys Info does show 1.14.

So I give up. That's it for tonight!  ;)

Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #66 on: September 30, 2016, 09:34:11 pm »
Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

Yep!

Quote
It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!

Spork, the first attempt I simply swapped the bytes for 'DP832\0' and 'DP832A' (but re-encoded using the offset 0x74 algorithm, purely using http://www.hexedit.com/ and manually with its calculator. This is on the original 1.14 file, not the decoded one.

Though the PSU appeared to accept it and reported "Upgrade successful!" it made no difference. I did choose to swap the bytes instead of just changing 1 byte because I guessed there may be a checksum and simple checksum algo's will still work if bytes are just swapped.

So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
« Last Edit: September 30, 2016, 09:37:26 pm by Macbeth »
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #67 on: September 30, 2016, 10:56:50 pm »
So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
At least that's good news that you can flash over and over again, as it seems.
Might be worth trying changes in all the different parts of the software now: changing bitmaps, changing HTML code, etc. See which changes are accepted until it breaks.
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #68 on: October 01, 2016, 01:02:46 am »
Maybe an interesting find and a pointer into the right direction (pun intended  ^-^):

In the header of (00.01.14.00.03) we find:
000000: B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
000010: FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
000020: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
000030: 00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
000040: 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
000050: 7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The addresses 0x00A03D and 0x009C3D and surrounding looks like this:
003D80: 52 55 D5 00 00 00 00 00 00 00 00 00 00 00 00 00
003D90: 77 77 F7 00 FA FA FA 00 FA FA FA 00 00 00 00 00  <-- This is address 0x3D9C from the header
003DA0: A5 00 00 00 00 00 55 55 55 55 00 00 64 00 00 00  <-- This address is 0x3DA0 from the header
003DB0: 01 00 01 00 01 00 00 00 00 40 AB 61 00 00 00 00
003DC0: A1 6D 33 00 FF FF 00 00 9F 00 00 00 52 49 47 4F  <-- RIGO
003DD0: 4C 4C 00 00 00 00 00 00 00 00 00 00 18 F0 9F E5  <-- L
003DE0: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
003DF0: FF FF FF FF 18 F0 9F E5 18 F0 9F E5 DC E8 26 40
003E00: 38 1D 06 40 70 1D 06 40 A8 1D 06 40 E0 1D 06 40
003E10: FF FF FF FF 50 1E 06 40 90 1E 06 40 01 01 00 00
003E20: 40 00 00 00 00 33 6D 40 00 00 00 00 F0 41 2D E9
003E30: 00 60 B0 E1 00 70 A0 E3 9C 0E 9F E5 D7 80 D0 E1
003E40: 08 00 B0 E1 00 0C A0 E1 40 0C B0 E1 80 12 80 E0
003E50: 88 0E 9F E5 01 02 90 E0 00 10 A0 E3 0C 12 C0 E5
003E60: 06 00 B0 E1 00 08 A0 E1 20 08 B0 E1 02 10 A0 E3
003E70: 4C 1D 81 E3 01 00 50 E1 10 00 00 0A 12 10 A0 E3


Notice the "RIGOL" string at 0x003DCC and the recurring 18F09FE5 pattern from the header.

A similar thing seems to happen in 1.09 GEL file and 1.13 GEL files.
Maybe worth looking into this one, as this might be an address reference.

Bytes 55 55 55 55 are some sort of a marker. It does not look like a valid armv5 instruction. However the uint32 that end with some sort of Ex (E0, E1, E3, E5, E9) might be some code bits.

I guess I have to figure out how http://www.hexedit.com/ can be used effectively now.  ;)
 
The following users thanked this post: Spork Schivago

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #69 on: October 01, 2016, 01:14:36 am »
Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

Yep!

Quote
It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!
...I did choose to swap the bytes instead of just changing 1 byte because I guessed there may be a checksum and simple checksum algo's will still work if bytes are just swapped....

What do you consider to be a simple checksum algorithm?   I figured they were probably using something like SHA1 or SHA256.   With those types of algorithms, byte swapping will change the checksum.   MD5 has a lot more collisions than originally thought and I don't think any good coder would use MD5 checksums, but I guess they could.   There's open source programs that implement SHA type checksums so it wouldn't be hard for a programmer to implement the more secure types.

I don't mean to argue with you or anything.   I'm just a bit confused.   If I understand everything correctly, byte swapping would change the checksum if an SHA type algorithm was used, right?   Is SHA not considered simple?   Thanks for sharing what you did and your thinking behind it.   I really appreciate all the help people have provided on trying to get this working.   It seems I'm not the only one interested in making this multi-coloured option work.

I really want to get a collection of the different versions of firmware for the DP832 / DP832A.   Anything under 1.09 isn't encrypted?   If anyone can send me links to the rest of the versions, after our baby is born, I might have some down time and might be able to play more with this.
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #70 on: October 01, 2016, 01:18:51 am »
So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
At least that's good news that you can flash over and over again, as it seems.
Might be worth trying changes in all the different parts of the software now: changing bitmaps, changing HTML code, etc. See which changes are accepted until it breaks.

So far, if I understand Macbeth correctly, all changes are ignored.   It would be worth trying changes though.   We should start working on trying to figure out the checksum routine.   I'll open a hex editor on the decrypted firmware.   If I remember correctly though, different versions of the firmware had some similarities at the end of them.   Maybe that was some sort of checksum?    I know some of the firmware I played with, the header had a checksum, the different parts had checksums, etc.

For example, the header might have a checksum (perhaps that end bit after all those 00's?)   Then maybe the flash section, after all the websites or something, there might be some checksum there.   Then at the end, there might be one for the entire size of the file, etc.
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #71 on: October 01, 2016, 01:23:51 am »
Maybe an interesting find and a pointer into the right direction (pun intended  ^-^):

In the header of (00.01.14.00.03) we find:
000000: B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
000010: FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
000020: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
000030: 00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
000040: 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
000050: 7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The addresses 0x00A03D and 0x009C3D and surrounding looks like this:
003D80: 52 55 D5 00 00 00 00 00 00 00 00 00 00 00 00 00
003D90: 77 77 F7 00 FA FA FA 00 FA FA FA 00 00 00 00 00  <-- This is address 0x3D9C from the header
003DA0: A5 00 00 00 00 00 55 55 55 55 00 00 64 00 00 00  <-- This address is 0x3DA0 from the header
003DB0: 01 00 01 00 01 00 00 00 00 40 AB 61 00 00 00 00
003DC0: A1 6D 33 00 FF FF 00 00 9F 00 00 00 52 49 47 4F  <-- RIGO
003DD0: 4C 4C 00 00 00 00 00 00 00 00 00 00 18 F0 9F E5  <-- L
003DE0: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
003DF0: FF FF FF FF 18 F0 9F E5 18 F0 9F E5 DC E8 26 40
003E00: 38 1D 06 40 70 1D 06 40 A8 1D 06 40 E0 1D 06 40
003E10: FF FF FF FF 50 1E 06 40 90 1E 06 40 01 01 00 00
003E20: 40 00 00 00 00 33 6D 40 00 00 00 00 F0 41 2D E9
003E30: 00 60 B0 E1 00 70 A0 E3 9C 0E 9F E5 D7 80 D0 E1
003E40: 08 00 B0 E1 00 0C A0 E1 40 0C B0 E1 80 12 80 E0
003E50: 88 0E 9F E5 01 02 90 E0 00 10 A0 E3 0C 12 C0 E5
003E60: 06 00 B0 E1 00 08 A0 E1 20 08 B0 E1 02 10 A0 E3
003E70: 4C 1D 81 E3 01 00 50 E1 10 00 00 0A 12 10 A0 E3


Notice the "RIGOL" string at 0x003DCC and the recurring 18F09FE5 pattern from the header.

A similar thing seems to happen in 1.09 GEL file and 1.13 GEL files.
Maybe worth looking into this one, as this might be an address reference.

Bytes 55 55 55 55 are some sort of a marker. It does not look like a valid armv5 instruction. However the uint32 that end with some sort of Ex (E0, E1, E3, E5, E9) might be some code bits.

I guess I have to figure out how http://www.hexedit.com/ can be used effectively now.  ;)

When you say This is address 0x3D9C from the header, you mean from offset 0, right?   You haven't found where the header actually ends yet, have you?   That'd be nice.   Regardless, I too thought maybe there where some addresses in the beginning there but just didn't have time to explore it yet.   In the 1.09 firmware, I thought maybe the 18 F0 9F E5 was an address somewhere.   You guys are making great progress!   
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2153
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #72 on: October 01, 2016, 01:41:18 am »
a slight change of subject - only slight.

maybe you should try to find out how the code determines the model.
does it identify the model when you change the firmware, and flash the apropriate files,
or does it install everything and then determine which files to use every time it's powered up?

does it have an eeprom?
 
The following users thanked this post: Spork Schivago

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #73 on: October 01, 2016, 02:09:03 am »
a slight change of subject - only slight.

maybe you should try to find out how the code determines the model.
does it identify the model when you change the firmware, and flash the apropriate files,
or does it install everything and then determine which files to use every time it's powered up?

does it have an eeprom?

This could be hard to find out.   Last time I tried dumping the flash, OpenOCD didn't fully support this processor.   At the time, the flash wasn't supported, so there was no way to dump it.   I figured (just a straight up guess) that the firmware is the same on the DP832 and the DP832A.   Just at startup, there's some sort of serial number check.   I figured it's kinda like the unlock codes.   You got the right code, it unlocks the features.   You got the right serial number, it'll enable the multi-coloured screen.   That was just my guess though.


At offset 310, you can see what appears to be more addresses.   Memory pointers or something?   Perhaps file sizes or parts of the index?   I don't know, but there's definitely some sort of pattern, in the 1.14.00.03 descrambled file at least.

I don't know where they start so the beginning of these bytes might actually be the end of one address and the beginning of the second, but I see stuff like:
Code: [Select]
00 00 21 21 54 D0 20 40      <-- starts at offset 315h
00 01 21 21 54 FF 20 A2
30 01 21 21 54 D1 20 40
00 01 21 21 54 FF 20 A4
 

Offline Spork SchivagoTopic starter

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #74 on: October 01, 2016, 02:35:18 am »
What do you guys make of offset 0x30A69B?   We're still missing something on the decryption or this file is somehow compressed, but I don't think it's compressed.   There's to much text.   Text compresses real easy like.

I see a comment:
Code: [Select]
//window.alert("oh yeah!\nö ~SOng is a pig!");

oh yeah!   then a new line.    But the funky o with two dots over it, the squigly ~, stuff like that I don't think's right.   There's a lot of ý's where there shouldn't be.   Maybe if we could work on getting a bit cleaner descrambling program, we'd see things a bit differently?
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf