Author Topic: Need help hacking DP832 for multicolour option.  (Read 61068 times)


Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Need help hacking DP832 for multicolour option.
« on: December 24, 2015, 09:08:58 pm »
Hello,

I'm sorry if this has been asked before and I'm not sure if this is the proper sub-forum to ask in.   If it's not, I apologize and maybe a moderator could move the post.   I have a Rigol 832 Programmable Power Supply.   It's been absolutely wonderful.   I found the keygen a long time ago to upgrade the unit.   One of the upgrades no longer works.   I can't remember which one but I remember reading that if I upgraded the firmware, the one option would be removed.   I wanted to know if that ever got fixed?   I can try and find out what option it was that was disabled by the firmware upgrade if needed.   I can't seem to find the forum anymore with the keygen.  I thought it was here on EEVBlog.

Anyway, on to my main question.   The DP832A has a multi-colour option for the main screen.   You know, where you can have more than one colour displayed at the same time.   I was curious if there was any way to get this on the original DP832?   I'd like to keep the classic UI if at all possible.   Does anyone know if what I want is doable and if so, how I'd go about doing it?   Thank you.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #1 on: December 24, 2015, 10:04:57 pm »
TBH, even the DP832A "classic" version of the DP832 screen Rigol was forced to include with its 3 colours isn't as nice as the cheaper DP832, at least to most of us. The 'A' does have colour coded buttons and front panel stuff but really all anyone is interested in are the features not the fluff.

One thing the classic DP832 has is when the output is switched off the V and A all go to 0.000 while the DP832A classic just blanks.

I would personally like Rigol to keep the voltmeter switched on much like my HP6632B does it rather than display blank or hard coded 0.000
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #2 on: December 25, 2015, 12:09:50 am »
I thought the screens were the same.   That the screen in my DP832 is the same screen that's in the DP832A.   I thought it was just firmware or something along that route that makes it so I can only display one colour, more or less, on the screen at one time.   Am I wrong in this assumption?
 

Offline nidlaX

  • Frequent Contributor
  • **
  • Posts: 650
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #3 on: December 25, 2015, 02:00:06 am »
Dump the firmware, disassemble it, add color coding.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #4 on: December 25, 2015, 03:01:08 am »
It doesn't have any security bits set or anything?   I guess I could always just download the firmware from their website and go from there.   Thanks.   Has this been done before?   It'd be nice if there was some sort of how-to to follow.   Perhaps I could download the firmware for the DP832A and use that as a reference.   Thanks for the information.
 

Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Need help hacking DP832 for multicolour option.
« Reply #5 on: December 25, 2015, 11:36:09 am »
Of course you can download the firmware from the Rigol site. However, you don't know the file format of the firmware file.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #6 on: December 25, 2015, 06:03:22 pm »
Right.   I don't know the file format of the firmware.   If they're using something like a PIC though, I should be able to load the bin file I'd think in MPLAB X to get the disassembled version.   I'm still really new to all of this hardware stuff.   I'm trying to learn but there's a lot to learn!   I really appreciate all the help that people provide when I have questions though.   Merry Christmas!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #7 on: December 25, 2015, 07:33:55 pm »
Most Rigol stuff I've encountered is Blackfin DSP, certainly not PIC  :-DD. The Blackfin will usually have a LDR format firmware.

Here's something on Rigol .GEL files https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/120/
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #8 on: December 26, 2015, 12:15:53 am »
Thank you so much!   Unfortunately, because I'm so new at the hardware stuff, I only have limited experience with PICs.   I really appreciate this information though.   It's pointing me in the right direction, thank you!!
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #9 on: December 28, 2015, 12:26:31 am »
Just got a quick question.   My understanding is that the hardware in the DP832 and the hardware in the DP832A are identical.   Does anyone know if this is true?   If it is, I'm guessing the DP832A firmware must check something like the serial number to see if the unit is a DP832 or a DP832A.   If the serial number isn't within a certain range, maybe the DP832A firmware would refuse to install on the DP832.   Am I right in these assumptions or are there physical differences between the two units?
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #10 on: December 30, 2015, 02:38:46 am »
I've watched the teardown video for the Rigol DP832.   It does appear to be the same hardware as the DP832A.   When looking for a firmware, I could only find one file for the DP832 and the DP832A.   Therefore, I'm left to assume the DP832 and the DP832A use the exact same firmware.   So chances are good the firmware just checks something like serial number to see if it should enable the multicoloured screen and all the available options or if it should turn the options off and show the one coloured screen.

I've been looking at the firmware in a hex editor and looking at the various Blackfin datasheets.   I don't think these files are for a Blackfin.   I noticed with the link that was posted for the Rigol scopes, they show the model number of the scope right at the beginning of the .GEL files.   We don't get that with these firmware files.

When I run the Linux file command on the files though, the bootloader .GEL file shows: hp200 (68010) BSD.     I wonder if that's a Motorola 68010 processor in there or if maybe file is mistaken.  I know when I look at the application firmware, not the bootloader, I see a pattern every so often (more near the endish).   00h through whatever xxh in a row.   First one is at offset 8c and goes to offset 011c.   It goes 00h - 90h.   Second one starts at 06608c and goes to offset 0660cb.    It's 00h - 3Fh but it goes 00 01 02 03 04 05 06 07 08 09 0A 0B 1A FD AE F0 10 11 12 13...    There's a whole bunch of them like that.    I figure maybe the .GEL file is kind of like an archive or something and these mark the start or end of a file or something?   In the middles, there's a whole bunch that don't count very high and they have a little bit of data (maybe 40h bytes or so) before the next set starts.
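The byte pattern described in the post above (runs counting up from 00h, some with a few entries overwritten) can be located programmatically rather than by eye in a hex editor. This is an added example, not part of the original thread or any Rigol tooling; the function names and the sample blob are constructed for illustration, and the blob only mimics the offsets and bytes quoted in the post.

```python
from collections import Counter
import math


def find_counter_runs(data, min_len=16, max_gap=4):
    """Find runs where byte k of the run equals k & 0xFF, starting at 0x00.

    Up to max_gap consecutive non-matching bytes are bridged and reported as
    deviations, so a table with a few overwritten entries stays one run.
    """
    runs = []
    pos = 0
    while pos < len(data) - 1:
        if data[pos] != 0x00 or data[pos + 1] != 0x01:
            pos += 1
            continue
        k, last_match, pending, deviations = 0, 0, [], []
        while pos + k < len(data):
            actual, expected = data[pos + k], k & 0xFF
            if actual == expected:
                deviations.extend(pending)  # gap was bridged, keep it
                pending = []
                last_match = k
            else:
                pending.append((pos + k, expected, actual))
                if len(pending) > max_gap:
                    break  # too many misses in a row: the run has ended
            k += 1
        length = last_match + 1  # trailing misses are trimmed off
        if length >= min_len:
            runs.append({"start": pos, "end": pos + last_match,
                         "length": length, "deviations": deviations})
            pos += length
        else:
            pos += 1
    return runs


def shannon_entropy(block):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def build_sample():
    """Constructed blob imitating the two runs described in the post."""
    first = bytes(range(0x91))                     # 00h..90h
    second = bytearray(range(0x40))                # 00h..3Fh
    second[0x0C:0x10] = bytes.fromhex("1AFDAEF0")  # overwritten entries
    filler = b"\xFF"
    return (filler * 0x8C + first + filler * 0x40
            + bytes(second) + filler * 0x20)


if __name__ == "__main__":
    blob = build_sample()
    for run in find_counter_runs(blob):
        chunk = blob[run["start"]:run["end"] + 1]
        print(f"run 0x{run['start']:06X}-0x{run['end']:06X} "
              f"len=0x{run['length']:X} "
              f"entropy={shannon_entropy(chunk):.2f} bits/byte")
        for offset, expected, actual in run["deviations"]:
            print(f"  0x{offset:06X}: expected {expected:02X}, "
                  f"found {actual:02X}")
```

A full 00h to FFh counting table scores the maximum 8.0 bits per byte, so an entropy check on its own would mistake such tables for encrypted or compressed data; the run detector is what tells them apart.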
 

Offline Stupid Beard

  • Regular Contributor
  • *
  • Posts: 221
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #11 on: December 30, 2015, 03:29:51 am »
When I run the Linux file command on the files though, the bootloader .GEL file shows: hp200 (68010) BSD.     I wonder if that's a Motorola 68010 processor in there or if maybe file is mistaken.

Have you tried binwalk?

Edit: The GEL file will be an archive of some sort. There is firmware for at least the main CPU, the analog boards, and probably assorted other things like FPGAs.
« Last Edit: December 30, 2015, 03:33:41 am by Stupid Beard »
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #12 on: December 30, 2015, 03:58:16 am »
Thanks!   I have not tried binwalk but I will give that a shot tomorrow.   I figured one of the two .GEL files was an archive.   The bootloader one though I figured wasn't an archive but just code for whatever CPU was in there.   I might be wrong on that though.   I was hoping to find a way to extract the files from at least one of the .GEL files.   Figured that'd be good progress.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #13 on: December 30, 2015, 07:23:21 pm »
Looking at one of Dave's early teardown photos it's using a Freescale (now known as NXP) i.MX283 ARM9 core Applications Processor

ETA: The 10 pin header is most likely its JTAG port ;)
« Last Edit: December 30, 2015, 07:29:37 pm by Macbeth »
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #14 on: December 30, 2015, 10:35:46 pm »
Looking at one of Dave's early teardown photos it's using a Freescale (now known as NXP) i.MX283 ARM9 core Applications Processor

ETA: The 10 pin header is most likely its JTAG port ;)

Thank you for this information!   Are you 100% sure on the processor there?   The teardown video I saw that I believe Dave posted had the CPU but it was etched off with a laser or something.  Some of the font was still visible.   A user commented saying the CPU was made by Silicon Image and that he recognized the font.   Just curious as to whether you're certain it's the Freescale MX283 ARM9 or if it's just an educated guess.   Either way, it'll get me pointed in the right direction.

I don't really have much experience with JTAG stuff.   I JTAGGED a video game console once.   I wonder if there's a way for me to tell for certain if it's a JTAG port or not and what the pinouts are.   Thanks for all the help!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #15 on: December 31, 2015, 11:50:38 am »
I posted Dave's photo and it's clear as day. You have the supporting RAM and flash chips next to it, crystal and JTAG header. The LCD flatflex cable is there and the PCB is labelled DP800_DigitalBoard...  :-//

The IC that had its ID removed was something else entirely.

The JTAG pinout will most likely be the standard 10 pin ARM layout. Buzz out the VCC and GNDs to make sure.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #16 on: December 31, 2015, 07:00:35 pm »
I posted Dave's photo and it's clear as day. You have the supporting RAM and flash chips next to it, crystal and JTAG header. The LCD flatflex cable is there and the PCB is labelled DP800_DigitalBoard...  :-//

The IC that had its ID removed was something else entirely.

The JTAG pinout will most likely be the standard 10 pin ARM layout. Buzz out the VCC and GNDs to make sure.

You're awesome!   Thank you!   For some reason, I missed the link of the photo you posted!     What does buzz out mean?   I really appreciate all the help on this!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #17 on: December 31, 2015, 08:24:08 pm »
Buzz out = continuity test on your DMM. Are you sure you are up to this? It is not an easy job. All the dumping the firmware using JTAG and stuff is the easy bit. Reverse engineering the code is another matter!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #18 on: December 31, 2015, 08:35:19 pm »
Oh, you want to use something like OpenOCD and also UrJTAG.

You might find your linux distro has them available by apt-get for easy installation.

Of course you need a supported hardware adapter as well. I have an Olimex USB-OCD that I got for £20 on ebay. I also have a dirt cheap USB Blaster which I think is good enough for dumping code, but not so much for ARM debugging.

Well, happy new year and good luck  :-+
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #19 on: December 31, 2015, 10:45:48 pm »
Buzz out = continuity test on your DMM. Are you sure you are up to this? It is not an easy job. All the dumping the firmware using JTAG and stuff is the easy bit. Reverse engineering the code is another matter!

I want to try Macbeth.   I know I don't understand everything and will probably fail miserably but I love learning and I really want to try very hard.   I look at it like this, worst case, I fail but I will still learn something in the process.   I used to be pretty good at writing code, back in the day.   I was a system programmer and worked for a corporation called Deposit Computer Services, Inc until 2005 or so.   My ability to write code is a bit rusty.   I got a few good books on C now though.   C Programming - A Modern Approach - 2nd Edition by K.N. King and then I have the Red Dragon Book (AKA, Compilers - Principles, Techniques and Tools).  Thanks for all the help though.   I greatly appreciate how everyone's been so helpful and understanding.
 

Offline Stupid Beard

  • Regular Contributor
  • *
  • Posts: 221
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #20 on: December 31, 2015, 11:32:58 pm »
Buzz out = continuity test on your DMM. Are you sure you are up to this? It is not an easy job. All the dumping the firmware using JTAG and stuff is the easy bit. Reverse engineering the code is another matter!

I want to try Macbeth.   I know I don't understand everything and will probably fail miserably but I love learning and I really want to try very hard.   I look at it like this, worst case, I fail but I will still learn something in the process.   I used to be pretty good at writing code, back in the day.   I was a system programmer and worked for a corporation called Deposit Computer Services, Inc until 2005 or so.   My ability to write code is a bit rusty.   I got a few good books on C now though.   C Programming - A Modern Approach - 2nd Edition by K.N. King and then I have the Red Dragon Book (AKA, Compilers - Principles, Techniques and Tools).  Thanks for all the help though.   I greatly appreciate how everyone's been so helpful and understanding.

For reverse engineering programming knowledge helps (a lot), but it's only a small part of the skillset required. You don't need to be able to write code so much as to read assembly language and relate what you're reading to what the C/C++/whatever compiler spits out. You also need a good disassembler and at least some knowledge of the CPU.

If you have no experience in it, you should be able to find a lot of information and tutorials online. It doesn't really matter what processor or languages they're for. I'd suggest starting by disassembling test programs for your desktop computer. Processors and compilers all work in more or less the same way so skills gained on one are usually easily related to others, and it will be a lot easier to try things out and see what's going on with your computer than an embedded thing.

Good luck, it's a pretty large can of worms that you are opening ;)
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #21 on: December 31, 2015, 11:40:15 pm »
Oh, you want to use something like OpenOCD and also UrJTAG.

You might find your linux distro has them available by apt-get for easy installation.

Of course you need a supported hardware adapter as well. I have an Olimex USB-OCD that I got for £20 on ebay. I also have a dirt cheap USB Blaster which I think is good enough for dumping code, but not so much for ARM debugging.

Well, happy new year and good luck  :-+

I was thinking of going for something like this:

https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/

I'm sure these questions are pretty basic for you but what's the USB Blaster for?   From what I've read, they're for Altera devices.  For programming, debugging and emulation.   Anyway, for the USB Blaster, do you think this would be a nice one?

https://www.buyaltera.com/PartDetail?partId=5638362

It's the Altera USB Blaster II
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #22 on: December 31, 2015, 11:52:01 pm »
Buzz out = continuity test on your DMM. Are you sure you are up to this? It is not an easy job. All the dumping the firmware using JTAG and stuff is the easy bit. Reverse engineering the code is another matter!

I want to try Macbeth.   I know I don't understand everything and will probably fail miserably but I love learning and I really want to try very hard.   I look at it like this, worst case, I fail but I will still learn something in the process.   I used to be pretty good at writing code, back in the day.   I was a system programmer and worked for a corporation called Deposit Computer Services, Inc until 2005 or so.   My ability to write code is a bit rusty.   I got a few good books on C now though.   C Programming - A Modern Approach - 2nd Edition by K.N. King and then I have the Red Dragon Book (AKA, Compilers - Principles, Techniques and Tools).  Thanks for all the help though.   I greatly appreciate how everyone's been so helpful and understanding.

For reverse engineering programming knowledge helps (a lot), but it's only a small part of the skillset required. You don't need to be able to write code so much as to read assembly language and relate what you're reading to what the C/C++/whatever compiler spits out. You also need a good disassembler and at least some knowledge of the CPU.

If you have no experience in it, you should be able to find a lot of information and tutorials online. It doesn't really matter what processor or languages they're for. I'd suggest starting by disassembling test programs for your desktop computer. Processors and compilers all work in more or less the same way so skills gained on one are usually easily related to others, and it will be a lot easier to try things out and see what's going on with your computer than an embedded thing.

Good luck, it's a pretty large can of worms that you are opening ;)

Thank you for the information.   I know a little bit.   I know I need a way to disassemble the firmware once I dump it using the JTAG stuff.   I need a disassembler that can understand the i.MX283 ARM927EJ-S instruction set.  I know I need to learn this instruction set but I figure it probably wouldn't be a crazy hard thing to learn.  I used to have this little MP3 type player called an Archos and that had an ARM processor of one sort or another inside it.   I didn't think it was that hard learning the assembly for it but it was an older ARM processor.  I know with the PICs I've been playing with, the instruction sets are small.   The PIC I'm playing with now (PIC16F628A) only has something like 54 instructions.    I figured everything would be done in assembly.   Once my wife is done fixing this tablet in the work room, I'll fire up my Linux box and install OpenOCD.   Hopefully there's some sort of emulator out there where I can play with the ARM9 code on my machine and compile some test programs and fire up GDB (or whatever equivalent the ARM9 toolchain comes with) to play around with them.

The hardware, for me, is the hardest part.   I just started learning how to make circuit boards and don't have much experience in that area at all!   I made a device that counts in binary (up and down) when you press a button!   It lights up LEDs to show the binary number.   I've written code most of my life and I've played with assembly on and off.   After the Marine Corps, something happened to my brain and things got a bit messed up.   Had to take a break for a bit but I'm ready to learn everything I can now.

I think it's going to be fun once I get the hardware to dump the firmware directly.   I shouldn't have to worry about the GEL files then.
 

Offline Stupid Beard

  • Regular Contributor
  • *
  • Posts: 221
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #23 on: December 31, 2015, 11:55:42 pm »
qemu is the usual emulator. There should be packages in whatever linux distro you use.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #24 on: January 01, 2016, 08:15:27 pm »
So I ordered the ARM-USB-OCD-H made by Olimex.   I also ordered a 20-pin to 10-pin adapter from them.   I reread what I wrote the other night and wanted to clarify right now.  I didn't mean to down play how hard the software part of this was going to be.   I know once I get the firmware, it's going to take a very long time for me to analyze it and figure out what exactly everything does.   What I was trying to convey is I believe I understand the software part of this project and know what exactly needs to be done, whereas with the hardware, I'm a bit confused.   I don't really understand what the USB Blaster's for if I have the JTAG device from Olimex.   Does it just allow me to do in-circuit debugging or something?  Once I get my ARM-USB-OCD-H device, I'll rip apart the power supply and buzz those pins in the picture.   They're the ten pins above the CPU and to the right a little, near the edge of the board, right?   Thanks!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #25 on: January 01, 2016, 08:26:26 pm »
You don't need the USB Blaster. I only mentioned it as it costs next to nothing and you mentioned you had used JTAG before and it's a popular (for Altera) dongle and could (possibly) at least be used with urJTAG to dump the flash.

If you get the Olimex that should be all you need.

Also something called Hex-Rays IDA is apparently very useful and appears to support reverse engineering this processor. It can be very expensive though ;) Which reminds me I have a demo version I need to learn how to use. I've got a PDF manual for it somewhere.
« Last Edit: January 01, 2016, 08:36:11 pm by Macbeth »
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #26 on: January 01, 2016, 10:15:39 pm »
You don't need the USB Blaster. I only mentioned it as it costs next to nothing and you mentioned you had used JTAG before and it's a popular (for Altera) dongle and could (possibly) at least be used with urJTAG to dump the flash.

If you get the Olimex that should be all you need.

Also something called Hex-Rays IDA is apparently very useful and appears to support reverse engineering this processor. It can be very expensive though ;) Which reminds me I have a demo version I need to learn how to use. I've got a PDF manual for it somewhere.

Thank you Macbeth!   I ordered the Olimex ARM-USB-OCD-H adapter with the ARM-JTAG-20-10 adapter (which allows me to plug the ARM-USB-OCD-H adapter into an ARM 10-pin mini-JTAG connector).   All I did before was solder some wires to an Xbox 360 to JTAG it.  I was following some how-to.

So, I've been studying the datasheet for this ARM processor a bit.   I had some questions.   I see in the datasheet, there's a DEBUG signal (B9 on the BGA chip for this processor).   The datasheet says:
This pin is used for JTAG interface.
DEBUG=0: JTAG interface works for boundary scan.
DEBUG=1: JTAG interface works for ARM debugging.

Would I need to set this pin HIGH, LOW or just leave it as it is?   I don't really know what boundary scans are.   I also see there's some security for this chip, which I didn't find surprising.   But I see in the datasheet:
Security features:
— Read-only unique ID for Digital Rights Management (DRM) algorithms
— Secure boot using 128-bit AES hardware decryption
— SHA-1 and SHA256 hashing hardware
— High assurance boot (HAB4)

Does this mean that when I hook up the JTAG unit and try dumping the firmware using OpenOCD, the firmware might be encrypted?   I've also been reading up how to dump firmware using OpenOCD.   I know some smart people found a way to dump the firmware on a device that uses an ARM processor.   Some security bits were set that prevented read access to protected memory.   Only instructions in protected memory could read the data from protected memory.   However, it was fairly easy for the people to bypass this by loading an address in one of the registers, stepping through the code in protected memory and then checking the values of the registers until one changed.   They were able to find a LOAD instruction and that's all they needed in order to dump the firmware.   They even provided a nice Ruby script that would connect to OpenOCD and dump the firmware for you.

I mean, it'd have to be modified for different processors but I was thinking maybe I'd have to do something like that.   I've been studying the datasheet but I don't really see how I'm supposed to tell how big the firmware is and where it'd be located in memory.   It's definitely a learning experience, I'll say that much!    I also have an old router that might have a JTAG port.   Perhaps I could play with that to get a little experience.   If I ruin the router, no big deal.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #27 on: January 01, 2016, 11:39:50 pm »
Dave has a great vid on JTAG boundary scan. You will probably want BSDL files for your processor and flash etc.

I have to admit I have only got as far as dumping and programming firmware on my Rigol DM3058, which happens to be in unencrypted Blackfin LDR format (most Rigol stuff seems to be Analog Devices Blackfin DSP). I had to learn all this just to recover my DMM which had bricked itself after I used some obscure Rigol software not compatible with my firmware version, the alternative would have been sending it back under warranty but that would have cost me shipping and took weeks and is very, very boring. I learned how to extract LDR+data from the firmware and reflash in the weekend.

My own goal is to reverse engineer this firmware just for the hell of it and fix the bugs Rigol are too lazy to bother with and perhaps make the meter do what I want. But that's on the backburner now.

For all the ARM stuff - I don't have a clue, sorry!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #28 on: January 01, 2016, 11:49:43 pm »
Oh for the size of the flash - just lookup the Hynix partnumber. There must be a memory map in the datasheet. I haven't checked for your ARM, but for Blackfin it's 0x20000000 and is easy to read with urJTAG when you set it up to read the flash chip (probably via BSDL behind the scenes).

If the flash is encrypted then yes you will need to use the hack you have found. Very interesting! My ARM experience is Raspberry Pi's only I'm afraid with none of this JTAG stuff  :scared:
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #29 on: January 02, 2016, 12:16:33 am »
Thanks for all the help Macbeth!   Hopefully when my Olimex device comes, I'll find it's not very hard at all.   If it does turn out to be encrypted though, I might not be able to go any further at all.    I'll look into the various things you mentioned in the meantime.   Like the memory map and size of the Hynix firmware.   It'd be nice if I could get an unencrypted copy of the firmware.   Maybe I could even figure out the format of the .GEL files.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #30 on: January 04, 2016, 09:12:27 pm »
I just wanted to update you guys.   I got the ARM-USB-OCD-H JTAG device coming but I don't think it's going to help.   I've been reading up on the security of the i.MX283 processor in the Rigol DP832.   From what I've read ( http://cache.nxp.com/files/32bit/doc/app_note/AN4555.pdf?fpsp=1&WT_TYPE=Application%20Notes&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation&fileExt=.pdf )
it seems that the bootloader gets signed and if the code changes but the signature doesn't match, then it'll refuse to start.   It seems the packages on the FLASH might be signed as well.   They use some elftosb program to sign them or something.    If I'm not mistaken (and I very well can be, I don't really understand the whole encryption stuff very well), even if I could extract the bootloader and flash contents, I won't be able to change them at all.

I wonder how the person who wrote the keygen for the DP832 managed to figure out how to successfully write it.   Did they somehow manage to extract the firmware or information from the flash chip on there?
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1039
  • Country: nz
Re: Need help hacking DP832 for multicolour option.
« Reply #31 on: January 04, 2016, 09:51:29 pm »
It was a while ago now, but if you read the first few hundred posts in the sniffing the rigol bus thread there is a lot of useful stuff posted by cybernet. The thread degenerates into noobs asking for help after a while, but the beginning is very cool. I think that's the one where the certificate signing stuff for the dg4000 was discovered too, but there is another thread for hacking the dg4000 which also contains interesting information.

Good luck!
I'd rather a Google clue, link, or some theory than "do this" (generally)
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #32 on: January 04, 2016, 10:16:51 pm »
It was a while ago now, but if you read the first few hundred posts in the sniffing the rigol bus thread there is a lot of useful stuff posted by cybernet. The thread degenerates into noobs asking for help after a while, but the beginning is very cool. I think that's the one where the certificate signing stuff for the dg4000 was discovered too, but there is another thread for hacking the dg4000 which also contains interesting information.

Good luck!

Thank you!   I'll search the forums for the topic you're talking about here.   I've seen people talk about sniffing buses before.   Maybe I should invest in some equipment so I can do that too.   Sounds really cool.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #33 on: January 04, 2016, 10:30:19 pm »
Is this the forum that you're talking about?   https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/

Seems to be about the Rigol DS1102E.   Perhaps I can still learn a lot from it though.   I don't have a logic analyzer.   I'd love to purchase one but I'm not certain if I want a benchtop model or a portable one.   I kind of like some of the portable ones I've seen on the net (the ones that hook up to a PC via USB).   Just not sure if they're as good and if they are, which ones to get.
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1039
  • Country: nz
Re: Need help hacking DP832 for multicolour option.
« Reply #34 on: January 05, 2016, 02:20:54 am »
That's the one. It's a long time since I read the first post. You're right, but it's about the ds2000 and other rigol products too. It's worth your time to read it. Really.

Can't find the other one right now, but it'll be referred to in the i2c thread for sure.
I'd rather a Google clue, link, or some theory than "do this" (generally)
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #35 on: January 05, 2016, 03:42:01 am »
That's the one. It's a long time since I read the first post. You're right, but it's about the ds2000 and other rigol products too. It's worth your time to read it. Really.

Can't find the other one right now, but it'll be referred to in the i2c thread for sure.

Thank you.   I've already started reading the thread.   I've searched through it as well, looking for keywords like DP832.   I see a user claims he was able to disassemble the firmware somehow in order to modify the Riglol program to generate proper keys for the newer firmwares.    I wonder if he actually disassembled it and if so, how did he manage to get a copy?   Right now, I don't think there's any known ways to decode / decrypt / whatever the .GEL files.  It'd be nice if I could figure out how they did it.   I've also been reading up on OpenOCD and trying to figure out how to actually try to do the various things I want to do once I get my JTAG device in the mail.

From what I've seen, I'm going to need to know the flash segment address (this might be the wrong word here) in order to read the flash to a .hex / .bin file.   I'm going to need to figure out what the RAM segment is in order to do a memory dump.   I was expecting these addresses to be in the datasheet for the i.MX283 but I didn't find them there.   I continued to look in the various documents on NXP's website for the i.MX283 and found the memory map layout in the i.MX28 Applications Processor Reference Manual ( http://cache.nxp.com/files/32bit/doc/data_sheet/IMX28CEC.pdf?fpsp=1&WT_TYPE=Data%20Sheets&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation&fileExt=.pdf ) on page 135 of 2733!   However, I'm not sure which ones I need.   I see stuff like On-Chip RAM, On-Chip RAM alias, External Memory, On-Chip ROM, etc.   Don't see anything for flash like I do with some of the other datasheets out there.

I also wanted to say though that I'm extremely thankful for all the help everyone here on EEVBlog has provided to me.   I know most of the users here are experts in the electronic world and I know I don't know very much at all.   But everyone's been extremely supportive in trying to help me accomplish what I want to do and answer all the dumb questions I have!   Thank you guys.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #36 on: January 07, 2016, 09:40:43 pm »
So I'm waiting for my ARM-USB-OCD-H JTAGGING device to come.   I learn that OpenOCD doesn't support the NAND flash controller on the i.MX28 processors.   This is disappointing.   I also want to say I remember reading something in the programming reference guide that the NAND works in parallel mode.   From reading stuff on the internet, from what I can tell, I will not be able to use one of those clips that you just put over the NAND chip and read and write to it directly, in circuit, while the device is on (like the E3 Flasher for the PS3 for example).   I think getting this NAND dump is going to be a bit harder than I originally was hoping for.

Anyway, I went back to looking at the GEL files.   I see patterns but can't really make sense out of them.   I've tried bit shifting them, doing bitwise manipulation on them (AND, OR, XOR) but I can't seem to get anything useful out of them.   Maybe you guys can make some sense out of it and see something that I just don't?   For example, the first 32 bytes of code, I see a pattern...

Code: [Select]
28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83     /* Notice here, starting at offset 5, we have 78. If we count up in hex though, we get:
                    78 79 7A 7B 7C 7D 7E 7F...                           See how 78, 7C, 7D, and 7F line up? */

83 84 86 87 27 89 8A 8B 28 CA 8E 8F A8 81 31 78      /* We see this again...
          86 87 88 89 8A 8B 8C 8D 8E 8F...                           86, 87, 89, 8A, 8B, 8E and 8F line up. */


Now, if I create a table, the pattern becomes a bit more clear.
Code: [Select]
     x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF x0 x1 x2 x3
   ---------------------------------------------------
7x | 28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83 | 83
8x | 83 84 86 87 27 89 8A 8B 28 CA 8E 8F A8 81 31 78 | 93
9x | AC 85 35 7C B0 89 39 80 B4 8D 3D 84 B8 91 41 88 | A3
Ax | A4 A5 A6 A7 BC 99 49 90 C0 9D 4D 94 A8 EB BA B3 | B3
Bx | 30 F1 BE B7 34 F5 C2 BB 38 F9 C6 BF 3C FD CA C3 | C3
Cx | 40 01 CE C7 20 EB D2                            | D3
Cx |                      CB CC CD CE CF D0 D1 D2 D3 | D3 (continued)
Dx | D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF E0 E1 E2 E3 | E3
Ex | E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF F0 F1 F2 F3 | F3
Fx | F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF 00 01 02 03 | 03
0x | 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 | 13
1x | 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 | 23
2x | 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 | 33
3x | 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 | 43
4x | 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 | 53
5x | 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 62 63 | 63
6x | 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 | 73
7x | 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 80 81 82 83 | 83
8x | 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 90          | 93

That's the first 285 bytes.   Starting at offset 57h, it starts counting up, in a row, from CBh to FFh then 00h to 90h.   I use that to create the numbers before and after the |'s.    Maybe we're supposed to remove the numbers that match up?   I'll give an example.   First row,
we see the 7x that I added, so the numbers to remove will start with a 7.   Then, the little grid above us tells us what the last number in the row has to be in order for us to remove it.   So, we look at:
Code: [Select]
     x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF x0 x1 x2 x3
   ---------------------------------------------------
7x | 28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83 | 83

The first number, 28, does it start with a 7?   Nope, move on.   Does 23 start with a 7?  Nope, move on....we keep going to get to 78 at offset 05h.   Does that start with a 7?  Yup.  We look up to see what number it has to end in.   In this case, an 8.  Does it end in an 8?  Yup.  Remove it.   On to the next ones.   We remove 7C, 7D, 7F, 82 and 83.    So maybe the first lines in the .GEL file are really
Code: [Select]
28 23 10 00 B9 FB BB D0 20 BE

You see, I thought I was onto something there for a second, but I can't make sense out of 0x28 0x23 0x10 0x00 0xB9 0xFB 0xBB 0xD0 0x20 0XBE.    Maybe someone smarter than me could see something that I'm missing here?   Thanks!
 

Offline dadler

  • Supporter
  • ****
  • Posts: 851
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #37 on: January 07, 2016, 09:46:27 pm »
Maybe you will find this useful:

http://www.gotroot.ca/rigol/degel-0.1.tar.gz
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #38 on: January 08, 2016, 01:06:36 am »
Maybe you will find this useful:

http://www.gotroot.ca/rigol/degel-0.1.tar.gz

Thank you for the link but that doesn't really work with the DP832's for one reason or another.   For example, that degel program looks for a header which doesn't seem to be here, at least not like in the other .GEL files.   The ones I've seen (like DG10x2Update.gel) starts with RIGOL:DG1:UPDATE FILE ALL

I've tried to figure out how to get RIGOL from the hex values in the DP832's software update.gel file.   It starts with 0x28 0x23 0x10.   If you XOR 0x7A to 0x28, you get 0x52 (R).   If you XOR 0x6A to 0x23 you get 0x49 (I).   I thought I had a pattern there.   XOR the first offset by 0x7A to get R, XOR the second offset by 0x6A to get I, but to get G for the third offset, you need to XOR it (0x10) by 0x57.   No pattern there :(
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #39 on: January 08, 2016, 01:16:14 am »
I mean I saw a little pattern there.   These are the bytes in hex in the Update file...and the values I have to XOR them with to get RIGOL

Code: [Select]
Bytes   XOR Value     Output (in ASCII)
0x28    0x7A              R
0x23    0x6A              I
0x10    0x57              G
0x00    0x4F              O
0x78    0x34              L

See a bit of a pattern there?    The XOR's most significant value starts at 7 and counts down by a whole number each time.   7, 6, 5, 4, 3.    Just can't figure out the last numbers there.   I can't see the pattern, A, A, 7, F, 4...
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #40 on: January 08, 2016, 01:26:33 am »
LOL. Before all this crypto key stuff I used to encrypt files with XOR. Just because I may use a plaintext password as the cipher didn't mean I wouldn't keep re-xor encrypting that password byte by byte as I went...

and this was on the BBC Micro back in the '80s!

However the old ones are the best. Good to see XOR is still used  ;)
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #41 on: January 08, 2016, 01:51:32 am »
LOL. Before all this crypto key stuff I used to encrypt files with XOR. Just because I may use a plaintext password as the cipher didn't mean I wouldn't keep re-xor encrypting that password byte by byte as I went...

and this was on the BBC Micro back in the '80s!

However the old ones are the best. Good to see XOR is still used  ;)
Well, I don't know if my XOR results are just coincidence or not.   Doesn't seem to work so well after RIGOL.  Or maybe the header's changed a bit.  If I could find a pattern for the least significant digits (7A, 6A, 57, 4F, 34) I'd be certain there was something to this.
 
The following users thanked this post: Dwaine

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #42 on: January 08, 2016, 02:14:38 am »
Perhaps there is no "Rigol" header, and the firmware is exactly in the format the MX28 expects?

I know when I had to recover my bricked Rigol DM3058 only the start of the flash firmware was a RIGOL string, everything after that was in Blackfin LDR format as I found by reading the datasheet (or tome!). So I stripped that out and JTAG uploaded the rest verbatim to flash and all was well.

Perhaps there is no "Rigol" header and this firmware is purely in the MX28 format? You may be chasing a red herring.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #43 on: January 08, 2016, 02:28:20 am »
Perhaps there is no "Rigol" header, and the firmware is exactly in the format the MX28 expects?

I know when I had to recover my bricked Rigol DM3058 only the start of the flash firmware was a RIGOL string, everything after that was in Blackfin LDR format as I found by reading the datasheet (or tome!). So I stripped that out and JTAG uploaded the rest verbatim to flash and all was well.

Perhaps there is no "Rigol" header and this firmware is purely in the MX28 format? You may be chasing a red herring.

I thought that myself but I don't think that's the case.   That was my original assumption Macbeth.   But I dunno, I was looking at the datasheet and trying to analyze the Bootloader .GEL file and the bits just don't seem to match up.   Some of the unused bits are set, some aren't.   Some conflict.  There's also the whole table thing.   At the very start of the .GEL file, if you compare x offset to 73 + x, a lot of them will match.    There's giant sections where the Software .GEL file will show stuff like 0xCBh to 0xFFh and then go to 0x00h to 0x90h.   The 73 + x rule always matches with those weird sections.    Like if you start at the first sector (sector 0), there's a 0x28 there.   The table thing I discovered would be 0x74 at that place.   The next value in the firmware is 0x23.   The table would be 0x75...if you go all the way up to where 0xCB is in the .GEL file, when the run starts, the table thing holds true.  It'll equal 0xCB.   This holds true for the whole .GEL file.   It'd be weird for some sort of processor I'd think to have instructions like that.  Like the whole file is filled with 0x74 through 0xFF then it just repeats, 0x00 through 0xFF.   There's some real data some places, other places it's just the pattern showing through.

I assumed (and might be wrong here) that the Software.GEL file actually holds NAND data.   Someone dumped their NAND by removing the physical chip from the system and hooking it up to some NAND reader.   He showed a screenshot of the first few bytes in there.   They don't look anything like the .GEL file.   You can see stuff like DP830   DP831    DP832, etc.   When I look for strings in the GEL file, I find none.   Absolutely none.   I'd think I'd see at least something there.

Thanks for the help though!   Much appreciated.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #44 on: January 08, 2016, 03:21:16 am »
The statistics are real weird as well, which makes me think it's some sort of archive.   It's wavey.   I used HxD and clicked the Statistics button and it shows a bar graph of each value in the file, from 00h to FFh.   It shows how frequent the value is found.   And there's definitely a pattern there!   For example, there's about equal numbers of 1A's as there are 2A's as there are 3A's.   But the #A's aren't as frequent as something like 9h, 19h, 29h, which are all just about equally as prevalent.
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #45 on: September 18, 2016, 05:23:05 am »
Hi DP832 users,

my first post here on the forum.
It's been a while since the last post on this topic, but I'll give it a go.

I had a look at the GEL file from DP800(Software)Update(Normal)_00.01.13.00.01 and found some interesting stuff:

Start at the first byte of the file and subtract 0x74, at the second byte subtract 0x75, at the third byte 0x76, and so on...
When you reach 0xFF the next byte gets 0x00 (nothing, really) subtracted, and again and again...

If the entire file is processed like this, it reveals some interesting stuff further into the file. Don't know what the exact meaning of those is, however.

Here is a short C-program I used to do this:
Code: [Select]
// rewrite Rigol DP800 GEL file
#include <stdio.h>  // replaces the MSVC-only "stdafx.h"; provides FILE, fopen, printf
#include <stdlib.h>

#define OFFS 116 // Offset at start of File (0x74)

// Main
int main ( int argc, char *argv[] )
{
    FILE *infile;
    FILE *outfile;

    if(argc < 2)
    {
        printf("Usage : %s [input]\n", *argv);
        return EXIT_FAILURE;
    }

    // Open input file
    infile = fopen(argv[1], "rb");
    if(infile != NULL)
        printf("File found\n");
    else
    {
        printf("Error while opening!\n");
        return EXIT_FAILURE;
    }

    // Open output file
    outfile = fopen("DP800Update_descrambled_GEL.txt", "wb");
    if(outfile == NULL)
    {
        printf("Error while creating output file!\n");
        fclose(infile);
        return EXIT_FAILURE;
    }

    int ch; // current read char
    int i = 0; // counter, wraps around every 256 bytes

    while ((ch = fgetc(infile)) != EOF) // read until EOF
    {
        // subtract offset; +512 keeps the left operand of % non-negative
        ch = ((ch + 512 - i - OFFS) % 256);
        fputc(ch, outfile); // write new char
        i = ((i + 1) % 256); // increment counter
    }
    fclose(infile);
    fclose(outfile);
    printf("done!");

    return EXIT_SUCCESS;
}

Hopefully this helps somewhere.

Cheers,

Volki
 
The following users thanked this post: WhichEnt2, tossu

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #46 on: September 18, 2016, 06:07:53 pm »
Hello Volki,

We're in the process of having a baby in the near future and I'm trying to redo the baby's room (put down hardwood floor).  I don't have a lot of free time right now, but after you run the encrypted firmware through your program, what do the first couple bytes of the file look like?   A lot of the Rigol stuff seem to start with the model of the device, like DP800, for instance.   Thanks.
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #47 on: September 18, 2016, 10:33:38 pm »
Hi,

just confirmed that this same thing works with DP800(Software)Update(Normal)_00.01.14.00.03 firmware as well.

The first bytes of the files don't make much sense. No DP800 or anything (at least I didn't see it).

Here are the first 512 bytes of 00.01.13.00.01:
Code: [Select]
B4 AE 9A 89 00 40 A0 A1 00 00 52 00 58 3D 00 00
FF FF 00 00 9F 00 00 00 54 3D 00 00 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
00 00 00 00 14 F0 9F E5 14 F0 9F E5 B0 3A 08 00
34 3C 08 00 34 3C 08 00 34 3C 08 00 34 3C 08 00
34 3C 08 00 40 01 08 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 C0 9F E5
1C FF 2F E1 35 11 08 00 00 C0 9F E5 1C FF 2F E1
F1 03 08 00 00 C0 9F E5 1C FF 2F E1 71 11 08 00
00 C0 9F E5 1C FF 2F E1 E5 02 08 00 08 B4 02 4B
9C 46 08 BC 60 47 C0 46 38 2A 08 00 04 E0 4E E2
0F 40 2D E9 04 D0 4D E2 00 80 A0 E3 FF 90 E0 E3
FE 9C C9 E3 00 A0 99 E5 0A 80 B0 E1 93 B0 E0 E3
FC BC CB E3 55 00 A0 E3 00 00 8B E5 08 00 18 E3
30 00 00 0A 24 E9 9F E5 00 C0 DE E5 C8 34 9F E5
04 20 D3 E5 02 00 5C E1 02 00 00 3A 0C 19 9F E5
00 90 A0 E3 00 90 C1 E5 CB A0 E0 E3 F2 AC CA E3
40 BA A0 E3 00 B0 8A E5 01 00 A0 E3 D2 FF FF EB
E8 08 9F E5 00 E0 D0 E5 8E C0 B0 E1 88 34 9F E5
03 20 9C E0 BC 13 D2 E1 01 96 B0 E1 FB A0 E0 E3
F9 AC CA E3 00 90 8A E5 01 00 A0 E3 C6 FF FF EB

And here for 00.01.14.00.03:
Code: [Select]
B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 B5 06 48
00 68 40 07 40 0F 00 06 00 0E 07 28 00 D3 00 20
00 06 00 0E 08 BC 18 47 20 0D FF FF 10 B5 04 00
20 78 A1 78 00 06 00 0E 01 28 00 D1 2A E1 0F D3
03 28 00 D1 66 E3 00 D2 64 E2 05 28 01 D1 00 F0
E1 FC 01 D2 00 F0 4C FC 06 28 01 D1 00 F0 5A FD
02 20 60 70 09 06 09 0E 01 29 6A D1 01 20 E0 70
02 20 20 71 02 20 60 71 02 20 A0 71 80 20 20 81
40 20 60 81 B0 20 C0 00 20 82 90 20 C0 00 60 82
A0 20 C0 00 E0 82 06 20 20 76 04 20 60 76 BA 48
A0 87 BA 48 E0 87 44 20 B7 49 21 52 46 20 B7 49
21 52 62 79 04 20 42 43 00 21 B4 20 40 00 20 18
00 F0 9E FF 62 79 04 20 42 43 FF 21 C2 20 40 00
20 18 00 F0 95 FF A2 79 04 20 42 43 00 21 BC 20
40 00 20 18 00 F0 8C FF A2 79 04 20 42 43 FF 21

Cheers,

Volki
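
An added example, not code from any poster in this thread: the 32 scrambled bytes posted in Reply #36 are enough to recover the 0x74 start value without trial and error, because zero padding in the plaintext makes `(byte - position) mod 256` pile up on the start value. The function names are hypothetical, and the assumption that 0x00 is the most common plaintext byte is this example's own; it holds for the dumps shown above.

```c
/* Added example: recover the start value of a rolling additive mask.
 * Assumption (not from the thread): 0x00 is the most common plaintext byte. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First 32 bytes of the scrambled update file, copied from Reply #36. */
static const uint8_t SCRAMBLED[32] = {
    0x28,0x23,0x10,0x00,0x78,0xB9,0xFB,0xBB,0x7C,0x7D,0xD0,0x7F,0x20,0xBE,0x82,0x83,
    0x83,0x84,0x86,0x87,0x27,0x89,0x8A,0x8B,0x28,0xCA,0x8E,0x8F,0xA8,0x81,0x31,0x78
};

/* First 32 descrambled bytes of 00.01.14.00.03, copied from Reply #47. */
static const uint8_t EXPECTED[32] = {
    0xB4,0xAE,0x9A,0x89,0x00,0x40,0x81,0x40,0x00,0x00,0x52,0x00,0xA0,0x3D,0x00,0x00,
    0xFF,0xFF,0x00,0x00,0x9F,0x00,0x00,0x00,0x9C,0x3D,0x00,0x00,0x18,0xF0,0x9F,0xE5
};

/* Every plaintext zero at position i is stored as (start + i) mod 256, so
 * (c[i] - i) mod 256 equals the start value wherever the plaintext is zero.
 * The most frequent difference is therefore the best guess for the start.
 * *votes (optional) receives how many positions agreed with that guess. */
int guess_start_offset(const uint8_t *buf, size_t len, size_t *votes)
{
    size_t hist[256] = {0};
    for (size_t i = 0; i < len; i++)
        hist[(uint8_t)(buf[i] - (uint8_t)i)]++;

    int best = 0;
    for (int k = 1; k < 256; k++)
        if (hist[k] > hist[best])
            best = k;
    if (votes)
        *votes = hist[best];
    return best;
}

/* Undo the mask: subtract (start + position) mod 256 from every byte. */
void descramble(const uint8_t *in, uint8_t *out, size_t len, uint8_t start)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)(in[i] - (uint8_t)(start + i));
}

/* Length of the longest run of bytes that each increase by one (mod 256).
 * Long runs are the visible fingerprint of masked zero padding, such as the
 * CB..FF 00..90 stretch described in Reply #36. */
size_t longest_counting_run(const uint8_t *buf, size_t len)
{
    size_t best = len ? 1 : 0, run = best;
    for (size_t i = 1; i < len; i++) {
        run = ((uint8_t)(buf[i - 1] + 1) == buf[i]) ? run + 1 : 1;
        if (run > best)
            best = run;
    }
    return best;
}

int main(void)
{
    size_t votes = 0;
    int start = guess_start_offset(SCRAMBLED, sizeof SCRAMBLED, &votes);
    printf("start value guess: 0x%02X (%zu of %zu positions agree)\n",
           (unsigned)start, votes, sizeof SCRAMBLED);
    printf("longest counting run in sample: %zu bytes\n",
           longest_counting_run(SCRAMBLED, sizeof SCRAMBLED));

    uint8_t plain[sizeof SCRAMBLED];
    descramble(SCRAMBLED, plain, sizeof plain, (uint8_t)start);
    for (size_t i = 0; i < sizeof plain; i++)
        printf("%02X%c", (unsigned)plain[i], (i % 16 == 15) ? '\n' : ' ');

    printf("matches the bytes posted in Reply #47: %s\n",
           memcmp(plain, EXPECTED, sizeof plain) == 0 ? "yes" : "no");
    return 0;
}
```

The per-byte XOR values tried in Replies #38 and #39 show no pattern because the mask is arithmetic: carries and borrows between bits make the XOR difference depend on the plaintext byte, while the subtraction difference depends only on the position.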
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #48 on: September 19, 2016, 05:19:58 am »
You mention some interesting stuff further in the file.   What type of interesting stuff is further in the file?   Is it plain text ASCII?
 

Offline dav

  • Regular Contributor
  • *
  • Posts: 133
  • Country: it
Re: Need help hacking DP832 for multicolour option.
« Reply #49 on: September 19, 2016, 10:51:07 am »
@Spork Schivago:
There is some text; take a look yourself with a hex editor.
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #50 on: September 19, 2016, 11:49:31 am »
There are a lot of bitmaps in RGB565, one after the other, in different sizes. Some parts that look like code in between.
Some html/xml and javascript (with some "~" every 128 bytes),
Some filenames with a hint to "E:\MQX\Freescale MQX 3.7 ARM9 imx287evk_rev2\Freescale MQX 3.7 ARM9 imx287evk",
Some strings seem to be model numbers (namely DP831A, DP832A, DP821A, DP811A, DP812A, DP813A, DP841A, DP831, DP832, DP821, DP811, DP812, DP813, DP841)

So far I could not identify a structure of it all.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #51 on: September 19, 2016, 05:55:11 pm »
Thank you guys so much!

So, from the sounds of it, Volki successfully decrypted the firmware update.   Do you guys think that's safe to assume?   There was some program I ran across a while back...a program made for Rigol .GEL files.   It could extract the files or something.   I wonder if that program would work now with the decrypted DP832 firmware...
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #52 on: September 19, 2016, 06:38:53 pm »
I don't know a lot about flash or anything, but looking through the descrambled GEL file, at offset: 3091B5, I see:
Code: [Select]
<link hEref
I know with HTML, that should be
Code: [Select]
<link href

Maybe that E in there has something to do with the flash, like where that bit of code gets written to...or maybe there's a little more to descrambling this file, or maybe it's compressed somehow.   What do you guys think?

Further down the file, the www's aren't right.   Like at offset: 3092A6 and 309304
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #53 on: September 19, 2016, 09:35:00 pm »
These inconsistencies in plain xml '<hEref' appear in regular intervals, i.e. like every 128 bytes (find '~' mostly) inside a logical block, that's why I think it's part of a bigger package. I'm not really experienced in this.

Other things I observed are a lot of bitmaps in RGB565. If you see the descrambled file as a bitstream, run it through a raw pixel viewer and adjust the width correctly, you see a lot of bitmaps. The first one looks like a clock face, then comes more unidentified data and then a whole collection of more bitmaps. For example, I also found the 'middle balls' of the normal view in DP8xxA models.
Other bitmaps are the LXI logo, RIGOL logo, all in diverse colours. Haven't got any at hand to attach atm.
But these bitmaps do not have a header of some sort. They are just next to each other.
However, I didn't find a section with indexes and size information of the single bitmaps, yet. So, these might be part of a bigger package again.
So I keep on searching for some kind of index table.
I couldn't make any sense of the first 256 or so bytes in the file, yet.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #54 on: September 19, 2016, 09:50:28 pm »
Excellent hacking! It seems a lot of work to get multicolour but the journey is far more interesting than the goal!
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #55 on: September 19, 2016, 10:03:12 pm »
These inconsistencies in plain xml '<hEref' appear in regular intervals, i.e. like every 128 bytes (find '~' mostly) inside a logical block, that's why I think it's part of a bigger package. I'm not really experienced in this.
I noticed the same pattern.   Also, with the www's, the ones that have the messed up text, almost all of them start with a y with a ' over it.   And then there's a w and a lot have the ~.   Like http://y(with the ' over it)w~.   I saw one that had a capital Z instead of the ~ (or maybe instead of the funky y).

Other things I observed are a lot of bitmaps in RGB565. If you see the descrambled file as a bitstream, run it through a raw pixel viewer and adjust the width correctly, you see a lot of bitmaps. The first one looks like a clock face, then comes more unidentified data and then a whole collection of more bitmaps. For example, I also found the 'middle balls' of the normal view in DP8xxA models.
Other bitmaps are the LXI logo, RIGOL logo, all in diverse colours. Haven't got any at hand to attach atm.
But these bitmaps do not have a header of some sort. They are just next to each other.
However, I didn't find a section with indexes and size information of the single bitmaps, yet. So, these might be part of a bigger package again.
So I keep on searching for some kind of index table.
I couldn't make any sense of the first 256 or so bytes in the file, yet.

You know more about bitmaps than I do.   I too couldn't find an index but I think there has to be one somewheres.   Perhaps in the first 256 bytes or so.   I'm wondering if the first few bytes of the file get decrypted / descrambled differently.

If I were to take a guess, I'd bet the file header for this firmware update might not be too much different than some of the other Rigol firmwares.   Perhaps that could help?   I was reading for the DSxxxx's that Rigol makes, if I understand them correctly, the index for the files is in the beginning of the update file.   I know when I worked as a programmer for Deposit Computer Services, Inc, whenever we got a new customer, I'd find the source code from another customer that wanted something similar and I'd just modify the code a little bit to make it fit, rather than writing the whole thing from scratch.   I bet Rigol's programmers do the same.   The header might not be too much different from the headers in their other files.   Just properly decrypting it, there might be more to it than the 75, 76, 77, etc thing.

I cannot seem to find any termination strings that might separate one file from another.   I think an index has to be used.   Something with offset, filelength and filename and probably some sort of checksum.   Also, somewheres, I almost remember finding the ends of the various Rigol DP832 firmwares had something special about them, like it was all the same values, the last 500 and some bytes or something.   I thought I posted about that somewhere here, in this thread.   Maybe there's a footer.

You did great work though and got much further than I did.   I had given up on this.   Thank you!!!!
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #56 on: September 30, 2016, 11:27:00 am »
I've compared the current (00.01.14.00.01) GEL file that was de-scrambled as before, with an older version (00.01.09.00.01). Here is what they look like:

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78


The (00.01.09.00.01) version is not scrambled and misses the first 4 Bytes: B4 AE 9A 89. From there on, the structure aligns pretty well. Only a few bytes are different, either addresses or length information...

I looked through the bitmaps I could find in (00.01.14.00.03) and made a collection of them here.
Furthermore I could find a lot of 1 bit per pixel character sets with all sorts of special characters. Amongst them are also the 7-segment numbers in different sizes for the main display. Haven't indexed those, though.

Still looking at it and not getting an idea what the overall structure could be. Any more ideas? Any disassemblers?
 
The following users thanked this post: Spork Schivago

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #57 on: September 30, 2016, 11:43:23 am »
I cannot seem to find any termination strings that might separate one file from another.   I think an index has to be used.   Something with offset, filelength and filename and probably some sort of checksum.   Also, somewheres, I almost remember finding the ends of the various Rigol DP832 firmwares had something special about them, like it was all the same values, the last 500 and some bytes or something.   I thought I posted about that somewhere here, in this thread.   Maybe there's a footer.

Some bitmaps in the file can be found in different colors (for the different DP800 variants). They are directly adjacent to each other in the code. But sometimes they are also separated by 2 bytes: 00 00. Didn't find a reason for that and why it is only sometimes...

The different variants can be found in location 0x2F172C:
Code:
44 50 38 33 31 41 00 00 44 50 38 33 32 41 00 00  |  DP831A..DP832A..
44 50 38 32 31 41 00 00 44 50 38 31 31 41 00 00  |  DP821A..DP811A..
44 50 38 31 32 41 00 00 44 50 38 31 33 41 00 00  |  DP812A..DP813A..
44 50 38 34 31 41 00 00 44 50 38 33 31 00 00 00  |  DP841A..DP831...
44 50 38 33 32 00 00 00 44 50 38 32 31 00 00 00  |  DP832...DP821...
44 50 38 31 31 00 00 00 44 50 38 31 32 00 00 00  |  DP811...DP812...
44 50 38 31 33 00 00 00 44 50 38 34 31 00 00 00  |  DP813...DP841...
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #58 on: September 30, 2016, 05:44:29 pm »
Could this be a lookup table for model numbers that are pre-programmed in the device's flash area along with serial number and calibration, etc?

Would it be as simple as changing byte 0x2F1771 from 00 to 41 'A' and perhaps byte 0x2F1739 from 41 to 00 for consistency but also just in case a simple checksum is used?

Nah, that seems too easy  :-DD
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #59 on: September 30, 2016, 06:46:43 pm »
Could this be a lookup table for model numbers that are pre-programmed in the device's flash area along with serial number and calibration, etc?

Would it be as simple as changing byte 0x2F1771 from 00 to 41 'A' and perhaps byte 0x2F1739 from 41 to 00 for consistency but also just in case a simple checksum is used?

Nah, that seems too easy  :-DD
I too found the variants at 0x2F172C but I think there has to be a checksum that would prevent the firmware from being loaded.   Someone with more time than me right now could try a simple test.   Turn on their power supply, find a text string in some menu.   Search the descrambled file for this string and make sure it's only found once in the file.   Then just change a letter.   Flash the firmware and see if it's changed in the menu.

If there's some sort of checksum, I'd imagine the power supply would refuse to accept the firmware.   Another thing would be to make sure you can flash the same version firmware that's already installed on the machine.

For example, if your DP832 has firmware 00.01.14.00.01, make sure you can flash a normal version of firmware 00.01.14.00.01.   Otherwise, we could have issues.   Let's say someone's running firmware 00.01.09.00.01 and they flash a modified version of 00.01.14.00.01.   Then they go to undo their changes and try flashing 00.01.14.00.01 again.   The machine might refuse the firmware saying it's already up-to-date.   That could greatly reduce someone's chances of finding a multi-coloured option for the DP832's.   They might only have a couple chances at it.

Can someone upload the source code to re-scramble the files?   I wonder what would happen if someone removed those first 4 bytes in the descrambled file and try flashing it, descrambled like....maybe those first four say the file's encrypted or something?
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #60 on: September 30, 2016, 07:02:50 pm »
Ok, I didn't rescramble the file but modified my original 1.14 using the same '74 offset' formula.

So I changed

2F1379 from EE to AD
2F1771 from E5 to 5C

Reflashed using USB and the help button at the '...' ellipsis, it didn't spit back any errors and appeared to accept the file, flashed ok and asked me to power off and on.

Unfortunately it hasn't made the blindest difference  (at least that I have found so far. Perhaps a SCPI command or the webserver will report back the wrong model?) :-DD
 
The following users thanked this post: Spork Schivago

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #61 on: September 30, 2016, 07:16:15 pm »
I've compared the current (00.01.14.00.01) GEL file that was de-scrambled as before, with an older version (00.01.09.00.01). Here is what they look like:

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78


The (00.01.09.00.01) version is not scrambled and misses the first 4 Bytes: B4 AE 9A 89. From there on, the structure aligns pretty good. Only a few bytes are different, either addresses or length information...

I looked through the bitmaps I could find in (00.01.14.00.03) and made a collection of them here.
Furthermore I could find a lot of 1 bit per pixel character sets with all sorts of special characters. Amongst them are also the 7-segment numbers in different sizes for the main display. Haven't indexed those, though.

Still looking at it and not getting an idea what the overall structure could be. Any more ideas? Any disassemblers?

The bottom of 00.01.09.00.01 seems to repeat itself a bit, but the bottom of the newer version doesn't.

Maybe the 9F E5's are some sort of terminator though?

Or maybe the four bytes there, like 18 F0 9F E5 are offsets?

There's gotta be some version string somewheres here.   I'd really think this is some sort of header.   I'd think it'd contain the version string, size of the file, etc.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #62 on: September 30, 2016, 07:18:38 pm »
Ok, I didn't rescramble the file but modified my original 1.14 using the same '74 offset' formula.

So I changed

2F1379 from EE to AD
2F1771 from E5 to 5C

Reflashed using USB and the help button at the '...' ellipsis, it didn't spit back any errors and appeared to accept the file, flashed ok and asked me to power off and on.

Unfortunately it hasn't made the blindest difference  (at least that I have found so far. Perhaps a SCPI command or the webserver will report back the wrong model?) :-DD

You can flash the same version firmware over and over again?   Perhaps you'd like to go into the menu, find some text string, and do what I suggested earlier?   Just change the text a little and see if it makes any difference.   I wouldn't try modifying the webpage stuff at all, but the actual text string in one of the menus....if that's successful, then we can assume perhaps there's no checksums at all?   That'd be great news....
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #63 on: September 30, 2016, 08:17:50 pm »
I keep on trying to upload 00.01.14.00.03 in a zip file and it looks like it goes, but my posts don't get posted here for some reason.   Not sure where they're going.   But after I post, it takes me to this Start new message page, as if I'm trying to PM someone.   I don't see why I cannot upload the zip file.   It's 9,244KB in size.   Any ideas?    I thought with closer firmware numbers, there wouldn't be so many changes and maybe it'd be easier to figure out the stuff, like the header of the file, etc.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #64 on: September 30, 2016, 08:25:32 pm »
Ok, I chose to change the installed options text at 277BC0 from ":Official" to ":Hacked!" so the encoded bytes are

5E 6D 87 8A 93 8E B8 4C 2C

Reflashed and unfortunately the options still showed as ":Official" so perhaps it is ignoring the upgrade? I then tried the "Update analog board 1 & 2" step just in case but no luck.

So I downgraded using official 1.13 - that installed and reported version correctly.

I then re-installed my hacked 1.14 which gave all indication of installing ok, but the Sys Info still showed 1.13 and of course my hack did not work.

I then installed proper 1.14 which installed ok, and now Sys Info does show 1.14.

So I give up. That's it for tonight!  ;)
 
The following users thanked this post: Spork Schivago

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #65 on: September 30, 2016, 08:55:48 pm »
Ok, I chose to change the installed options text at 277BC0 from ":Official" to ":Hacked!" so the encoded bytes are

5E 6D 87 8A 93 8E B8 4C 2C

Reflashed and unfortunately the options still showed as ":Official" so perhaps it is ignoring the upgrade? I then tried the "Update analog board 1 & 2" step just in case but no luck.

So I downgraded using official 1.13 - that installed and reported version correctly.

I then re-installed my hacked 1.14 which gave all indication of installing ok, but the Sys Info still showed 1.13 and of course my hack did not work.

I then installed proper 1.14 which installed ok, and now Sys Info does show 1.14.

So I give up. That's it for tonight!  ;)

Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #66 on: September 30, 2016, 09:34:11 pm »
Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

Yep!

Quote
It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!

Spork, the first attempt I simply swapped the bytes for 'DP832\0' and 'DP832A' (but re-encoded using the offset 0x74 algorithm, purely using http://www.hexedit.com/ and manually with its calculator). This is on the original 1.14 file, not the decoded one.

Though the PSU appeared to accept it and reported "Upgrade successful!" it made no difference. I did choose to swap the bytes instead of just changing 1 byte because I guessed there may be a checksum and simple checksum algos will still work if bytes are just swapped.

So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
« Last Edit: September 30, 2016, 09:37:26 pm by Macbeth »
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #67 on: September 30, 2016, 10:56:50 pm »
So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
At least that's good news that you can flash over and over again, as it seems.
Might be worth trying changes in all the different parts of the software now: changing bitmaps, changing HTML code, etc. See which changes are accepted until it breaks.
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #68 on: October 01, 2016, 01:02:46 am »
Maybe an interesting find and a pointer into the right direction (pun intended  ^-^):

In the header of (00.01.14.00.03) we find:
000000: B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
000010: FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
000020: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
000030: 00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
000040: 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
000050: 7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The addresses 0x00A03D and 0x009C3D and surrounding looks like this:
003D80: 52 55 D5 00 00 00 00 00 00 00 00 00 00 00 00 00
003D90: 77 77 F7 00 FA FA FA 00 FA FA FA 00 00 00 00 00  <-- This is address 0x3D9C from the header
003DA0: A5 00 00 00 00 00 55 55 55 55 00 00 64 00 00 00  <-- This address is 0x3DA0 from the header
003DB0: 01 00 01 00 01 00 00 00 00 40 AB 61 00 00 00 00
003DC0: A1 6D 33 00 FF FF 00 00 9F 00 00 00 52 49 47 4F  <-- RIGO
003DD0: 4C 4C 00 00 00 00 00 00 00 00 00 00 18 F0 9F E5  <-- L
003DE0: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
003DF0: FF FF FF FF 18 F0 9F E5 18 F0 9F E5 DC E8 26 40
003E00: 38 1D 06 40 70 1D 06 40 A8 1D 06 40 E0 1D 06 40
003E10: FF FF FF FF 50 1E 06 40 90 1E 06 40 01 01 00 00
003E20: 40 00 00 00 00 33 6D 40 00 00 00 00 F0 41 2D E9
003E30: 00 60 B0 E1 00 70 A0 E3 9C 0E 9F E5 D7 80 D0 E1
003E40: 08 00 B0 E1 00 0C A0 E1 40 0C B0 E1 80 12 80 E0
003E50: 88 0E 9F E5 01 02 90 E0 00 10 A0 E3 0C 12 C0 E5
003E60: 06 00 B0 E1 00 08 A0 E1 20 08 B0 E1 02 10 A0 E3
003E70: 4C 1D 81 E3 01 00 50 E1 10 00 00 0A 12 10 A0 E3


Notice the "RIGOL" string at 0x003DCC and the recurring 18F09FE5 pattern from the header.

A similar thing seems to happen in 1.09 GEL file and 1.13 GEL files.
Maybe worth looking into this one, as this might be an address reference.

Bytes 55 55 55 55 are some sort of a marker. It does not look like a valid armv5 instruction. However the uint32 that end with some sort of Ex (E0, E1, E3, E5, E9) might be some code bits.

I guess I have to figure out how http://www.hexedit.com/ can be used effectively now.  ;)
 
The following users thanked this post: Spork Schivago
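Read as a little-endian 32-bit ARM word, the recurring 18 F0 9F E5 from the header dump above is 0xE59FF018, which is the encoding of LDR PC, [PC, #0x18]. The following added example (not code from the thread) decodes the eight words starting at file offset 0x1C as an ARM exception vector table and resolves the address each one loads; treating them as a vector table is an inference from the encoding, and the vector names are the standard ARM ones, not something the posts establish.

```python
import struct

# First 0x60 bytes of the descrambled 00.01.14.00.03 file, copied from the
# hex dump posted above (offsets 0x000000-0x00005F).
HEADER_HEX = """
B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
"""
HEADER = bytes.fromhex("".join(HEADER_HEX.split()))

# Standard order of the eight ARM exception vectors (assumed to apply here).
VECTOR_NAMES = ["reset", "undefined instruction", "software interrupt",
                "prefetch abort", "data abort", "reserved", "IRQ", "FIQ"]


def u32(blob, off):
    """Read one little-endian 32-bit word, or None if it runs past the end."""
    if off < 0 or off + 4 > len(blob):
        return None
    return struct.unpack_from("<I", blob, off)[0]


def ldr_pc_offset(word):
    """Return the signed offset of `LDR PC, [PC, #imm12]`, else None.

    Encoding: 0xE59FF000 | imm12 (add) or 0xE51FF000 | imm12 (subtract).
    """
    if word is None or (word & 0xFF7FF000) != 0xE51FF000:
        return None
    imm = word & 0xFFF
    return imm if word & 0x00800000 else -imm


def find_vector_table(blob, run=5):
    """First word-aligned offset where `run` consecutive LDR PC words start."""
    for off in range(0, len(blob) - 4 * run + 1, 4):
        if all(ldr_pc_offset(u32(blob, off + 4 * i)) is not None
               for i in range(run)):
            return off
    return None


def decode_vector_table(blob, table_off):
    """Resolve each vector's literal-pool slot and the address stored there.

    In ARM state PC reads as the instruction address + 8, so the slot is at
    instruction + 8 + offset. The load is PC-relative, so file offsets work
    here without knowing the address the image is loaded at.
    """
    rows = []
    for i, name in enumerate(VECTOR_NAMES):
        insn_off = table_off + 4 * i
        rel = ldr_pc_offset(u32(blob, insn_off))
        if rel is None:                       # e.g. the unused reserved slot
            rows.append((name, None, None))
            continue
        slot = insn_off + 8 + rel
        rows.append((name, slot, u32(blob, slot)))
    return rows


if __name__ == "__main__":
    table = find_vector_table(HEADER)
    print("vector table at file offset 0x%02X" % table)
    for name, slot, target in decode_vector_table(HEADER, table):
        if target is None:
            print("  %-22s (no LDR PC word or slot outside the sample)" % name)
        else:
            print("  %-22s slot 0x%02X -> 0x%08X" % (name, slot, target))
```

On this reading the 0x0008xxxx words that follow the instructions are the handler addresses the vectors load, which is why they differ between firmware versions while the 18 F0 9F E5 words stay the same.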

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #69 on: October 01, 2016, 01:14:36 am »
Just so I'm understanding you correctly, you had a hacked 1.14, you installed it, it seemed to install correctly.   But the hack didn't go through, so you installed an unhacked 1.13, checked the version, it showed 1.13.   Then you went and installed your hacked 1.14 again, checked the version, and it still showed 1.13, is that correct?

Yep!

Quote
It seems there is in fact a checksum somewheres...Are there any logs that get stored anywhere on the device when a firmware update is performed?   Also, when you install the hacked firmware, are you re-encoding them or does the power supply seem to accept the decrypted / unscrambled versions?  Thanks for trying!
...I did choose to swap the bytes instead of just changing 1 byte because I guessed there may be a checksum and simple checksum algos will still work if bytes are just swapped....

What do you consider to be a simple checksum algorithm?   I figured they were probably using something like SHA1 or SHA256.   With those types of algorithms, byte swapping will change the checksum.   MD5 has a lot more collisions than originally thought and I don't think any good coder would use MD5 checksums, but I guess they could.   There's open source programs that implement SHA type checksums so it wouldn't be hard for a programmer to implement the more secure types.

I don't mean to argue with you or anything.   I'm just a bit confused.   If I understand everything correctly, byte swapping would change the checksum if an SHA type algorithm was used, right?   Is SHA not considered simple?   Thanks for sharing what you did and your thinking behind it.   I really appreciate all the help people have provided on trying to get this working.   It seems I'm not the only one interested in making this multi-coloured option work.

I really want to get a collection of the different versions of firmware for the DP832 / DP832A.   Anything under 1.09 isn't encrypted?   If anyone can send me links to the rest of the versions, after our baby is born, I might have some down time and might be able to play more with this.
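Whether a byte swap goes unnoticed depends on the family of integrity check, which is the point the two posts above are circling. The following added example (not code from the thread, and not a statement about what the DP800 firmware actually verifies, which the thread has not established) applies the swap described earlier to the posted model-name table and reports which generic checks detect it; the check functions are illustrative candidates only.

```python
import hashlib
import zlib

# The 112-byte model-name table posted earlier in the thread (file offset
# 0x2F172C in the descrambled image): fourteen 8-byte, NUL-padded records.
TABLE_BASE = 0x2F172C
MODEL_TABLE = b"".join(name.encode("ascii").ljust(8, b"\x00") for name in [
    "DP831A", "DP832A", "DP821A", "DP811A", "DP812A", "DP813A", "DP841A",
    "DP831", "DP832", "DP821", "DP811", "DP812", "DP813", "DP841"])


def word_sum(data, width):
    """Additive checksum over little-endian words of `width` bytes."""
    total = 0
    for off in range(0, len(data), width):
        total += int.from_bytes(data[off:off + width], "little")
    return total % (1 << (8 * width))


def xor8(data):
    """XOR of all bytes."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


# Generic candidates, from order-insensitive to position-sensitive.
CHECKS = {
    "sum8": lambda d: word_sum(d, 1),
    "sum16": lambda d: word_sum(d, 2),
    "sum32": lambda d: word_sum(d, 4),
    "xor8": xor8,
    "adler32": zlib.adler32,
    "crc32": zlib.crc32,
    "sha256": lambda d: hashlib.sha256(d).hexdigest(),
}


def swap_bytes(data, file_off_a, file_off_b, base=TABLE_BASE):
    """Return a copy of `data` with the bytes at two file offsets exchanged."""
    out = bytearray(data)
    i, j = file_off_a - base, file_off_b - base
    out[i], out[j] = out[j], out[i]
    return bytes(out)


def detects(original, modified):
    """Map each check name to True if its value differs between the inputs."""
    return {name: fn(original) != fn(modified) for name, fn in CHECKS.items()}


if __name__ == "__main__":
    # Swap from the thread: 0x2F1739 ('A') with 0x2F1771 (00). The offsets
    # are 0x38 apart, so both bytes sit in the same lane of 16- and 32-bit
    # words and every plain additive or XOR check is unchanged.
    same_lane = swap_bytes(MODEL_TABLE, 0x2F1739, 0x2F1771)
    # Constructed contrast: an odd offset swapped with an even one.
    cross_lane = swap_bytes(MODEL_TABLE, 0x2F1739, 0x2F1770)
    for label, mod in (("same lane", same_lane), ("cross lane", cross_lane)):
        print(label)
        for name, changed in detects(MODEL_TABLE, mod).items():
            print("  %-8s %s" % (name, "detects" if changed else "MISSES"))
```

Byte-wise sums and XOR never see a transposition, word-wise sums see it only when the two bytes fall in different lanes, and Adler-32, CRC-32 and SHA-256 all change because they depend on position.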
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #70 on: October 01, 2016, 01:18:51 am »
So I then chose to do something more blatant as in change some obvious text but without any attempt at covering for a simple checksum. I did not unscramble/decrypt the whole file, just changed the bytes using the 74 offset algo and HexEdit. No joy with that but no error messages stating anything wrong with the update. Indeed it appeared to go just fine!

Regarding limited chances at upgrading firmwares, it looks like downgrades and upgrades work just fine. I think it is only the bootloader that you can't downgrade but that is for firmwares with a bootloader <1.09 IIRC and the firmware we are playing with (so far) is not the bootloader.
At least that's good news that you can flash over and over again, as it seems.
Might be worth trying changes in all the different parts of the software now: changing bitmaps, changing HTML code, etc. See which changes are accepted until it breaks.

So far, if I understand Macbeth correctly, all changes are ignored.   It would be worth trying changes though.   We should start working on trying to figure out the checksum routine.   I'll open a hex editor on the decrypted firmware.   If I remember correctly though, different versions of the firmware had some similarities at the end of them.   Maybe that was some sort of checksum?    I know some of the firmware I played with, the header had a checksum, the different parts had checksums, etc.

For example, the header might have a checksum (perhaps that end bit after all those 00's?)   Then maybe the flash section, after all the websites or something, there might be some checksum there.   Then at the end, there might be one for the entire size of the file, etc.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #71 on: October 01, 2016, 01:23:51 am »
Maybe an interesting find and a pointer into the right direction (pun intended  ^-^):

In the header of (00.01.14.00.03) we find:
000000: B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
000010: FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
000020: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
000030: 00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
000040: 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
000050: 7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The addresses 0x00A03D and 0x009C3D and surrounding looks like this:
003D80: 52 55 D5 00 00 00 00 00 00 00 00 00 00 00 00 00
003D90: 77 77 F7 00 FA FA FA 00 FA FA FA 00 00 00 00 00  <-- This is address 0x3D9C from the header
003DA0: A5 00 00 00 00 00 55 55 55 55 00 00 64 00 00 00  <-- This address is 0x3DA0 from the header
003DB0: 01 00 01 00 01 00 00 00 00 40 AB 61 00 00 00 00
003DC0: A1 6D 33 00 FF FF 00 00 9F 00 00 00 52 49 47 4F  <-- RIGO
003DD0: 4C 4C 00 00 00 00 00 00 00 00 00 00 18 F0 9F E5  <-- L
003DE0: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
003DF0: FF FF FF FF 18 F0 9F E5 18 F0 9F E5 DC E8 26 40
003E00: 38 1D 06 40 70 1D 06 40 A8 1D 06 40 E0 1D 06 40
003E10: FF FF FF FF 50 1E 06 40 90 1E 06 40 01 01 00 00
003E20: 40 00 00 00 00 33 6D 40 00 00 00 00 F0 41 2D E9
003E30: 00 60 B0 E1 00 70 A0 E3 9C 0E 9F E5 D7 80 D0 E1
003E40: 08 00 B0 E1 00 0C A0 E1 40 0C B0 E1 80 12 80 E0
003E50: 88 0E 9F E5 01 02 90 E0 00 10 A0 E3 0C 12 C0 E5
003E60: 06 00 B0 E1 00 08 A0 E1 20 08 B0 E1 02 10 A0 E3
003E70: 4C 1D 81 E3 01 00 50 E1 10 00 00 0A 12 10 A0 E3


Notice the "RIGOL" string at 0x003DCC and the recurring 18F09FE5 pattern from the header.

A similar thing seems to happen in 1.09 GEL file and 1.13 GEL files.
Maybe worth looking into this one, as this might be an address reference.

Bytes 55 55 55 55 are some sort of a marker. It does not look like a valid armv5 instruction. However the uint32 that end with some sort of Ex (E0, E1, E3, E5, E9) might be some code bits.

I guess I have to figure out how http://www.hexedit.com/ can be used effectively now.  ;)

When you say This is address 0x3D9C from the header, you mean from offset 0, right?   You haven't found where the header actually ends yet, have you?   That'd be nice.   Regardless, I too thought maybe there were some addresses in the beginning there but just didn't have time to explore it yet.   In the 1.09 firmware, I thought maybe the 18 F0 9F E5 was an address somewhere.   You guys are making great progress!
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2156
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #72 on: October 01, 2016, 01:41:18 am »
a slight change of subject - only slight.

maybe you should try to find out how the code determines the model.
does it identify the model when you change the firmware, and flash the appropriate files,
or does it install everything and then determine which files to use every time it's powered up?

does it have an eeprom?
 
The following users thanked this post: Spork Schivago

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #73 on: October 01, 2016, 02:09:03 am »
a slight change of subject - only slight.

maybe you should try to find out how the code determines the model.
does it identify the model when you change the firmware, and flash the appropriate files,
or does it install everything and then determine which files to use every time it's powered up?

does it have an eeprom?

This could be hard to find out.   Last time I tried dumping the flash, OpenOCD didn't fully support this processor.   At the time, the flash wasn't supported, so there was no way to dump it.   I figured (just a straight up guess) that the firmware is the same on the DP832 and the DP832A.   Just at startup, there's some sort of serial number check.   I figured it's kinda like the unlock codes.   You got the right code, it unlocks the features.   You got the right serial number, it'll enable the multi-coloured screen.   That was just my guess though.


At offset 310, you can see what appears to be more addresses.   Memory pointers or something?   Perhaps file sizes or parts of the index?   I don't know, but there's definitely some sort of pattern, in the 1.14.00.03 descrambled file at least.

I don't know where they start so the beginning of these bytes might actually be the end of one address and the beginning of the second, but I see stuff like:
Code:
00 00 21 21 54 D0 20 40      <-- starts at offset 315h
00 01 21 21 54 FF 20 A2
30 01 21 21 54 D1 20 40
00 01 21 21 54 FF 20 A4
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #74 on: October 01, 2016, 02:35:18 am »
What do you guys make of offset 0x30A69B?   We're still missing something on the decryption or this file is somehow compressed, but I don't think it's compressed.   There's too much text.   Text compresses real easy like.

I see a comment:
Code:
//window.alert("oh yeah!\nö ~SOng is a pig!");

oh yeah!   then a new line.    But the funky o with two dots over it, the squiggly ~, stuff like that I don't think's right.   There's a lot of ý's where there shouldn't be.   Maybe if we could work on getting a bit cleaner descrambling program, we'd see things a bit differently?
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #75 on: October 01, 2016, 04:49:24 am »
What's the bootloader code look like unscrambled?   I have searched through the file looking for some sort of table.   I've found html files, css files, etc.   But there's very few file names.   I found a couple, here's their offsets:
Code: [Select]
Offset 002E8FF8: /images/nav_1_0.jpg
Offset 00285CEC: /DP800A_NetworkSettings.html
Offset 00285D0C: /DP800A_setting_pswrong.html
Offset 002BA170: /RG1000NetworkSettings.css
Offset 002BA18C: /DP800A_NetworkStatus.html
Offset 002BA1C4: /DP800A_WelcomePage.html
Offset 002BAAC4: /RG1000WelcomePage.css
Offset 002BAADC: /DP800A_Security.html
Offset 002BAAF4: /DP800A_successful.html
Offset 002BAB0C: /images/logo_DP800.jpg
Offset 002E8FA8: /RG1000Security.css
Offset 002E8FBC: /DP800A_Help.html
Offset 002E8FD0: /images/logo.jpg
Offset 002E8FE4: /images/nav_1.jpg
Offset 002E8FF8: /images/nav_1_0.jpg
Offset 002E900C: /images/nav_2.jpg
Offset 002E9020: /images/nav_2_0.jpg
Offset 002E9034: /images/nav_3.jpg
Offset 002E9048: /images/nav_3_0.jpg

There were more, but I got tired.   I tried finding how those names were related to the data and I couldn't find anything.    For example, I thought there'd be a good chance the /images/logo.jpg file would exist.    So, I searched for hex values like 2E8FD0   and D08F2E.  I found D08F2E at offset: 21A7D4

I found a bunch of other addresses in that area and tried going to what they said, and they took me places, some of them seem to line up and I thought I found the table, but then some of them didn't.   I give up for the night and I'm going to bed.   Maybe someone else can figure it out though.
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2156
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #76 on: October 01, 2016, 05:03:44 am »
What do you guys make of offset 0x30A69B?   We're still missing something on the decryption or this file is somehow compressed, but I don't think it's compressed.   There's too much text.   Text compresses real easy like.

I see a comment:
Code: [Select]
//window.alert("oh yeah!\nö ~SOng is a pig!");

oh yeah!   then a new line.    But the funky o with two dots over it, the squiggly ~, stuff like that I don't think's right.   There's a lot of ý's where there shouldn't be.   Maybe if we could work on getting a bit cleaner descrambling program, we'd see things a bit differently?

"nö ~SOng" - is a font issue - use something else to view it such as UTF-8
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #77 on: October 01, 2016, 04:01:55 pm »
What do you guys make of offset 0x30A69B?   We're still missing something on the decryption or this file is somehow compressed, but I don't think it's compressed.   There's too much text.   Text compresses real easy like.

I see a comment:
Code: [Select]
//window.alert("oh yeah!\nö ~SOng is a pig!");

oh yeah!   then a new line.    But the funky o with two dots over it, the squiggly ~, stuff like that I don't think's right.   There's a lot of ý's where there shouldn't be.   Maybe if we could work on getting a bit cleaner descrambling program, we'd see things a bit differently?

"nö ~SOng" - is a font issue - use something else to view it such as UTF-8

I have tried UTF-8 but it doesn't seem to make a difference.   Are you sure that's an issue?   There's some strings like:
Code: [Select]
http://ýw~.w3.org/TR/html4/loose.dtd

That's at offset 0x00309133

I'm using HxD and right now have the character set set to ANSI.  I change it to the various different options and none show www.   So, with it set to ANSI, I copy the text, then I open notepad.   I paste the text.   I go to File -> Save As and I set it to UTF-8.   I reopen the text, it's the same.   I paste the text again, now that Notepad is in UTF-8 mode, still the same.   Is there a better hex editor?   I like how HxD can do the various checksums (even custom ones), I like how I can set how many bytes to group together and how many bytes to display per row....It's still lacking though and I don't think it's going to be updated any time soon.

It'd be nice to be able to see the bytes in something besides hex, for instance...Being able to set the encoding to UTF-8 would be nice.   Being able to do a side-by-side comparison of different windows would be nice.   Kinda like how Volkimel displayed the differences between the firmwares, with the underlines and stuff like that.   Any suggestions on a better hex editor for Windows?

I got a little bit of time today.   I want to download the source to Volkimel's program, setup a compiler, make an executable.   I'd like to add some simple command line switches or write a second program that reencrypts the firmware.   If anyone has already done this and just wants to share the source code, I'd greatly appreciate it.   I haven't written a C program for the PC in a long time and it'll take me a bit to walk through the code.   I was looking at the C program Volkimel wrote and I don't fully understand it yet.   That's an issue.   I used to be a C programmer and got paid for writing code.   I shouldn't have trouble understanding this!   It's just been so long.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #78 on: October 01, 2016, 05:45:30 pm »
In Windows, Notepad++ is the choice..
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #79 on: October 01, 2016, 07:18:41 pm »
Spork,

I just wrote a simpler version in Python and added a -r command line option for re-scrambling. :-+

No need for C compilers and .exe files ;) Install Python 2.7 if you don't have it already, and yes Notepad++ is what I use in Windows.

Code: [Select]
# DP800 file descrambler

import argparse

parser = argparse.ArgumentParser(description='Descramble a Rigol DP800 .GEL file')
parser.add_argument('-r', '--rescramble', action='store_true',help='convert back to original format')
parser.add_argument('infile', help='input filename')
parser.add_argument('outfile', help='output filename')
args = parser.parse_args()

# Read the whole input file into a mutable byte buffer
# (the with-block closes the file, so no explicit close() is needed)
with open(args.infile, 'rb') as infile:
    buf = bytearray(infile.read())

# Rolling key: starts at 116 and goes up by one per byte, wrapping at 256
offset = 116

for i in range(len(buf)):
    if args.rescramble:
        # Re-scramble: add the key, modulo 256
        b = buf[i] + offset
        if b>255: b-=256
    else:
        # Descramble: subtract the key, modulo 256
        b = buf[i] - offset
        if b<0: b += 256

    buf[i] = b
    offset += 1
    if offset > 255: offset=0

# Write the converted buffer out
with open(args.outfile, 'wb') as outfile:
    outfile.write(buf)
« Last Edit: October 01, 2016, 07:47:02 pm by Macbeth »
 
The following users thanked this post: tv84, Spork Schivago, WhichEnt2

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #80 on: October 01, 2016, 08:17:37 pm »
Spork,

I just wrote a simpler version in Python and added a -r command line option for re-scrambling. :-+

No need for C compilers and .exe files ;) Install Python 2.7 if you don't have it already, and yes Notepad++ is what I use in Windows.

Code: [Select]
# DP800 file descrambler

import argparse

parser = argparse.ArgumentParser(description='Descramble a Rigol DP800 .GEL file')
parser.add_argument('-r', '--rescramble', action='store_true',help='convert back to original format')
parser.add_argument('infile', help='input filename')
parser.add_argument('outfile', help='output filename')
args = parser.parse_args()

# Read the whole input file into a mutable byte buffer
# (the with-block closes the file, so no explicit close() is needed)
with open(args.infile, 'rb') as infile:
    buf = bytearray(infile.read())

# Rolling key: starts at 116 and goes up by one per byte, wrapping at 256
offset = 116

for i in range(len(buf)):
    if args.rescramble:
        # Re-scramble: add the key, modulo 256
        b = buf[i] + offset
        if b>255: b-=256
    else:
        # Descramble: subtract the key, modulo 256
        b = buf[i] - offset
        if b<0: b += 256

    buf[i] = b
    offset += 1
    if offset > 255: offset=0

# Write the converted buffer out
with open(args.outfile, 'wb') as outfile:
    outfile.write(buf)

Macbeth, thanks for the Python script.   I'm a bit of a C fan personally and I might just use your Python script to rewrite the C code to process it.   Not that there's anything wrong with Python.   It's a very nice language and everything.

So, Notepad++, I've heard of this, but it's an actual hex editor that can do everything that I'm looking for?   If it's the program I'm thinking of, it's been around for a very long time, when I was in high school.   Back then, I remember it just being a fancy text editor...I'll check it out.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #81 on: October 01, 2016, 09:36:37 pm »
Python... nice!... this is my first attempt at a Python script from scratch and I'll have you know it was a serious PITA! Tabs vs spaces fighting each other ! :-DD

Yeah, good old 'C' is my ultimate fallback and what I use for microcontrollers, short of pure assembler, but all the fashionable kids are doing it in Python, and to be fair interpreted stuff is nicer/easier to play with.

Notepad++ is a text editor with programmers in mind. My Windows Hex editor is free from www.hexedit.com, I've not tried HxD. I will give it a shot...
« Last Edit: October 01, 2016, 09:39:58 pm by Macbeth »
 
The following users thanked this post: Spork Schivago

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #82 on: October 01, 2016, 10:51:45 pm »
Python... nice!... this is my first attempt at a Python script from scratch and I'll have you know it was a serious PITA! Tabs vs spaces fighting each other ! :-DD

Yeah, good old 'C' is my ultimate fallback and what I use for microcontrollers, short of pure assembler, but all the fashionable kids are doing it in Python, and to be fair interpreted stuff is nicer/easier to play with.

Notepad++ is a text editor with programmers in mind. My Windows Hex editor is free from www.hexedit.com, I've not tried HxD. I will give it a shot...

Yeah, I have to agree about the Python.   I've seen a lot about it recently and started learning it from the free MIT courses.   For an interpreted language, it's not too shabby.    I'm slowly getting into PICs.   I just don't have enough free time and too many projects.    C is my favourite, even for the PICs although assembly might be a little more efficient (for microcontrollers I mean).   For being a high level language, the C compilers I generally use seem to be pretty optimized.   My all time favourite is the GNU C compiler.

So Notepad++ isn't what I'm looking for.   I'm looking for a better hex editor for Windows.  I'll check out hex edit.   HxD is free as well.   It was promising but I think it's dead now.   The checksum features are nice though.   It can calculate all the way up to SHA-512.  You can pick just one, or certain ones, or all of them, you can have it use custom checksums, you can have it run a checksum on the whole file or just the selection.
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #83 on: October 02, 2016, 12:51:30 am »
Spork,

I just wrote a simpler version in Python and added a -r command line option for re-scrambling. :-+

No need for C compilers and .exe files ;) Install Python 2.7 if you don't have it already, and yes Notepad++ is what I use in Windows.

Very nice, Macbeth. Thanks.
Being a microcontroller programmer by trade, it was easier for me to just get a quick C console .exe together. Just because, I knew what I was doing and I was excited to see this pattern.
But Python is of course a nice language for this kind of work. I didn't have Python installed on the machine I'm doing this with.

I was looking more into the structure of the GEL file, again. Haven't tried any reflashing my DP832, yet. It's still happily running on 00.01.13.00.01 with all options.

Now, simply put "18 F0 9F E5" into Google and see what comes out: A few websites suggest it is the vector table of an ARMv5 architecture, leaving the correct space at 0x00000014 and doing the correct stuff at the few vectors.
So, when disassembling this, we could figure out where the reset vector branches, make it our main() and disassemble from there. That's a task for someone who knows what he's doing. :)

So far, I only took it as indication that we have to concentrate on the few bytes before the first "18 F0 9F E5". I would guess that's the header then.

For 1.14 it looks like this:
0x000000: B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
0x000010: FF FF 00 00 9F 00 00 00 9C 3D 00 00


In this bit of hex code there are "A0 3D 00 00", followed by "FF FF 00 00", and "9C 3D 00 00". If you read these backwards (different endianness, I'm always getting confused, which is which) these are addresses or offsets that point close to another structure like the header:

Again, in 1.14 it is here:
0x003D9C: 00 00 00 00 A5 00 00 00 00 00 55 55 55 55 00 00
0x003DAC: 64 00 00 00 01 00 01 00 01 00 00 00 00 40 AB 61
0x003DBC: 00 00 00 00 A1 6D 33 00 FF FF 00 00 9F 00 00 00
0x003DCC: 52 49 47 4F 4C 4C 00 00 00 00 00 00 00 00 00 00

The GEL file continues with "18 F0 9F E5" again, so I guess the structure is done after these 64 bytes.

Like in the first 28 Bytes at 0x000000 there seems to be another address or offset before the "FF FF 00 00", again here. It is "A1 6D 33 00".
If you take this as another offset to 0x003DDC (where the ARM Vector table starts) and jump to location (0x003DDC + 0x336DA1 = 0x33AB7D), you are exactly 64 Bytes from the end of the GEL file.

The last 64 Bytes in 1.14 look like this:
33AB7D: 9F 00 00 00 68 FC 5A AA 5F 2A A7 CF CF BC 40 37 <-- maybe checksums here?
33AB8D: 1C 20 81 2A 66 8F D4 A9 90 24 05 00 90 24 05 00  <-- repeating pattern starts here...
33AB9D: 90 24 05 00 90 24 05 00 90 24 05 00 90 24 05 00
33ABAD: 90 24 05 00 90 24 05 00 90 24 05 00 91 24 05 00  <-- ...except for one more bit in the last "91"

There is also the "9F 00 00 00" again.

Softwares 1.13 and 1.14 have the same structure.

The same thing is happening in the 1.09 software that did not have the scrambling and did not have the mystical "B4 AE 9A 89" in the beginning.
The last 64 Bytes of 1.09 look like this:
3233C5: 9F 00 00 00 46 4E 7D 13 0B 73 66 35 70 07 E4 93 <-- maybe checksums here?
3233D5: 84 BC F8 1B E9 F5 3C 2F D7 FF 04 00 D7 FF 04 00  <-- repeating pattern starts here...
3233E5: D7 FF 04 00 D7 FF 04 00 D7 FF 04 00 D7 FF 04 00
3233F5: D7 FF 04 00 D7 FF 04 00 D7 FF 04 00 DE FF 04 00  <-- ...except for two bits in the last "DE" (one on, one off)


Maybe the few bytes after "9F 00 00 00" and before the repeating pattern are finally checksums of different blocks. I didn't check on them.

I'm just thinking out loud here, to what I find.

So Notepad++ isn't what I'm looking for.   I'm looking for a better hex editor for Windows.  I'll check out hex edit.   HxD is free as well.   It was promising but I think it's dead now.   The checksum features are nice though.   It can calculate all the way up to SHA-512.  You can pick just one, or certain ones, or all of them, you can have it use custom checksums, you can have it run a checksum on the whole file or just the selection.

I also use all of those tools. They are really helpful. The HEX plugin for my version of NP++ has some issues when copy and pasting HEX code, though, so I don't rely on it.
I couldn't figure out how to copy a block of HEX bytes including their addresses. So far I do a lot of manual editing and trying not to get confused after that. :)
 
The following users thanked this post: Spork Schivago

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #84 on: October 02, 2016, 02:24:56 am »
I noticed the repeating pattern at the end there as well.   I was trying to figure out the checksum and was trying to figure out what to run the checksum algorithms against (I couldn't figure out exactly where to stop).   I tried a few beginnings.   I tried without the first 4 bytes and without the first 128 bytes and without the first 256 bytes and 512 bytes, etc.

I'm either going to install Python or write the C program to rescramble the firmware and I'll try flashing on my machine.   I want to try a few things.   Because we can downgrade, I wanted to try removing those first four bytes and flashing an unscrambled, unedited file.   I wonder if the bits say something, like this is a compressed file, etc.   It could also maybe be the size of the file?

I really want to start flashing my unit but every time I sit down on the PC to start writing the program to rescramble the firmware, I get distracted.   Now my wife wants to watch a movie.   You and Macbeth know a lot more about microcontrollers than I do.   I don't know what a vector table is, for example.

Macbeth, you're certain the modified firmware didn't take?   For example, not trying to change a version number or anything, just maybe some HTML or something, going from a lower firmware to a modified higher firmware, checking the version number, and it's still the lower version, right?
 

Offline whatchitfoool

  • Contributor
  • Posts: 33
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #85 on: October 17, 2016, 08:27:31 am »
Anyone have an update on the state of the project?
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #86 on: October 17, 2016, 06:50:03 pm »
I believe the firmware files might have been successfully decoded.   We know at least some of them have been.   I think we might still be missing some of the decryption scheme but maybe not.   We haven't been able to actually update the device using a modified firmware image though.   We're thinking maybe there's some sort of checksum routine in the firmware file.

At this point, I think it's best to try and figure out the format of the firmware file, but that can take a bit of work.   Someone with experience with the processor used in these power supplies might be beneficial.

Our baby came Saturday, October 15th, at 7:40AM.   Chloe Lee Swarthout, weighing 8 lbs, 12.7 ounces, being 20 3/4" long.   She's healthy.   My wife had some complications during the pregnancy and was delivering from 11:45PM Friday until 7:40AM Saturday.   The midwife had to leave early on and came back around 5:30am and yelled at the nurse and kicked her out.   The baby was in the wrong position and she said she shouldn't have let Jess go that long pushing.   She should have known that baby wasn't coming out.   So, she had Jess lay down on her side and sleep for an hour and a half or so.   At 7:20AM, she brought a new nurse in and tried again.   20 minutes later, the baby was here!

Jess was coming in and out of during the delivery.  Her blood pressure was really low and I don't think she remembers most of it, so that's good.   But we just got home today from the hospital and are slowly adjusting to be new parents!   I probably won't be on for a bit to answer questions though.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #87 on: October 17, 2016, 09:08:50 pm »
I wish mother and baby well! You need a bracing glass of something or other too  :-+

Don't be too hard on the nurses, everything is amplified in these situations, and let's not forget that only a few decades ago it was normal for a 1 in 10 chance complete loss of life of mother, baby, or both during childbirth.  :scared:

This is one reason I am glad for the NHS in the UK and utterly bewildered at the "green" Guardianistas who decide to "give birth naturally" with feckin' "doolahs" or whatever these mystics are called  :palm: Yeah that birthing pool of natural yoghurt is great until the complications happen!  :-D
 
The following users thanked this post: Spork Schivago

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #88 on: October 17, 2016, 11:31:23 pm »
....   But we just got home today from the hospital and are slowly adjusting to be new parents!   I probably won't be on for a bit to answer questions though...

Wish your wife speedy recovery and for baby to be healthy and to bring joy to the family.. All the best and congrats!!
 
The following users thanked this post: Spork Schivago

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #89 on: October 18, 2016, 01:12:59 am »
I wish mother and baby well! You need a bracing glass of something or other too  :-+

Don't be too hard on the nurses, everything is amplified in these situations, and lets not forget that only a few decades ago it was normal for a 1 in 10 chance complete loss of life of mother, baby, or both during childbirth....

I've been looking at it as at least my wife and baby are okay and that it could have been much worse, you know?   Although Jess is hurting, she'll recover with time.   It could take up to a month but at least she's still here, you know?  And the baby is healthy as well.   That's great.

Also, the midwife left because of an emergency.   So if she had stayed, maybe someone wouldn't have made it?   I guess in the end, we're just thankful everything worked itself out.
 

Offline Dwaine

  • Frequent Contributor
  • **
  • Posts: 268
  • Country: ca
Re: Need help hacking DP832 for multicolour option.
« Reply #90 on: December 31, 2016, 12:02:36 pm »
Did anyone get any further ahead decoding the file structure?
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #91 on: December 31, 2016, 01:36:16 pm »
Did anyone get any further ahead decoding the file structure?
Not as far as I know. As there is no license code for this, I assume this can only be done by either hacking and installing an existing firmware update package or by changing the files on the internal flash.
It does not look like this will happen in the near future.

 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #92 on: December 31, 2016, 05:51:25 pm »
Did anyone get any further ahead decoding the file structure?

There were people who claimed to have dumped the firmware directly from the flash on this unit.   I've contacted all the people I could find who said they were able to dump it, to see if they'd provide me with a copy, but I never got a response.   I went out and bought a JTAG device, just to find out OpenOCD didn't support the flash with this CPU, so I wasn't able to dump it myself.   That was a while back.   Maybe now they do support the flash with this CPU?   The CPU, if I remember correctly, has some fancy security features.   I want to say there was something about making it really hard to read the flash, something with encryption, I dunno.

Anyway, if we could get a copy of the flash on the drive, maybe we'd have better luck decrypting the firmware .GEL files?   It almost seems like the decryption program that the one person wrote isn't quite right.   If you look through a "decrypted" .GEL file, you'll see stuff like ht~1p:// instead of http:// (that's just an example, I don't think it's ht~1p://, I just don't remember what they look like).   I was thinking maybe there's a little bit more to decrypting the files, but I could be wrong.   I just thought that was wrong.   That we should be seeing those strings as http.

I think there's some sort of checksum in the firmware that tells if the firmware's been modified or not.   I think that would be the next step, finding where the checksum is and figuring out how it's calculated.   It might be impossible, I dunno.   There could be multiple checksums.   There might be one for each section and then one for the entire file.   At the very end of the files for the different firmware versions, I found similar bytes.   I thought maybe that was some sort of checksum.

There's probably some table of contents, something that says where the files are located and how many bytes are in each file.  I couldn't really find anything in the .GEL file.   Perhaps this information is in another file?   I dunno.   There's gotta be a way to say this is the start of one file, this is the end of this file, either a special character or some sort of table.   That's something that'd need to be done.   Usually files on flash have filenames, right?   Or isn't that always the case?   I have limited experience with flash.   I've been looking at it more like a hard drive with some sort of filesystem.   Maybe it's not like that at all though?   If it is, there should be filenames somewheres as well.
 

Offline toxuin

  • Contributor
  • Posts: 8
  • Country: ca
Re: Need help hacking DP832 for multicolour option.
« Reply #93 on: January 09, 2017, 08:36:10 pm »
Looking at the unscrambled file with binwalk shows there are many LZMA-compressed chunks – could this be packaged firmwares for various chips on board? But sadly, extraction is not possible because of damaged archive.
I suspect it has something to do with the infamous ht~p:/ bug – as it damages strings it damages the compressed structures. Unscrambling has to have more to it.

I've taken a look at gotroot's keygen and it has a dp832 private key – not sure if we need it or not, but might be useful. Apart from that there is a lot of wicked crypto stuff that must come (at least an idea how to do it) from a disassembled binary, no doubt.
 
The following users thanked this post: Spork Schivago

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #94 on: January 10, 2017, 01:47:42 am »
My wife had a baby and I don't have a lot of free time anymore.   But this is great news.   We should look at how often that ~ appears.   If I remember correctly, it was x number of bytes into the file.   For example, every 74th byte, there'd be a ~, which made me start thinking maybe the code to decrypt was 100% right, but maybe it wouldn't need much to fix at all.    ~ is ASCII 126 decimal or 7E hex.    t is 116 decimal or 74 hex.   It's only 10 digits off.

I wanted to write the decryption / encryption program in C but lost the free time.   I'll try to find it again and maybe we can try stepping through this one more time.
 

Offline smithnerd

  • Regular Contributor
  • *
  • Posts: 104
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #95 on: January 27, 2017, 06:40:54 am »
Looking at the unscrambled file with binwalk shows there are many LZMA-compressed chunks – could this be packaged firmwares for various chips on board? But sadly, extraction is not possible because of damaged archive.
I suspect it has something to do with the infamous ht~p:/ bug – as it damages strings it damages the compressed structures. Unscrambling has to have more to it.

I believe those extra bytes ('~' etc) are an artefact of the html files being encoded in a TFS filesystem, within the firmware executable. I've seen it before in the DS1054Z firmware.

Binwalk is a handy tool, but you often get false positives for LZMA because the header is so simple. You need to examine each one to check how plausible it is as LZMA stream data, and bear in mind that in the DS1054Z GEL files, they are using a non-standard LZMA implementation - what should be a 64-bit uncompressed size field is a pair of 32-bit values representing compressed/uncompressed sizes.

I had a quick scroll through a hexdump of the DP800 firmware, and I see some good long chunks of properly aligned ARM code. It looks correctly decoded to me.
 
The following users thanked this post: Spork Schivago
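The LZMA point in the post above can be turned into a quick triage check for binwalk hits. This is an added example, not code from anyone in the thread: it tests a candidate 13-byte LZMA header both in the standard layout and in the split 32/32 layout described for the DS1054Z GEL files. The field order (compressed size first), counting the compressed size from the end of the header, the 64 MiB output cap, the dictionary-size heuristic and all names are assumptions; the three sample buffers are constructed.

```python
import struct

HEADER_LEN = 13                      # props(1) + dictionary size(4) + size field(8)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF    # standard "size not stored" marker

def split_props(props):
    """Decode the properties byte into (lc, lp, pb); None if out of range."""
    if props >= 9 * 5 * 5:           # valid values are 0..224
        return None
    return props % 9, (props // 9) % 5, props // 45

def dict_size_ok(d):
    """Heuristic: encoders normally emit 2^n or 2^n + 2^(n-1), at least 4 KiB."""
    if d < 4096:
        return False
    if d & (d - 1) == 0:
        return True
    return d % 3 == 0 and (d // 3) & (d // 3 - 1) == 0

def check_candidate(data, off, max_out=64 << 20):
    """Say whether the bytes at `off` are plausible as an LZMA stream header.

    Returns a dict with two verdicts:
      standard - bytes 5..12 are one 64-bit uncompressed size
      split32  - bytes 5..12 are two 32-bit sizes, compressed then
                 uncompressed (assumed order)
    """
    if off + HEADER_LEN + 1 > len(data):
        return {"standard": False, "split32": False, "reasons": ["truncated header"]}

    props, dict_size = struct.unpack_from("<BI", data, off)
    (size64,) = struct.unpack_from("<Q", data, off + 5)
    comp32, uncomp32 = struct.unpack_from("<II", data, off + 5)
    remaining = len(data) - (off + HEADER_LEN)

    reasons = []
    if split_props(props) is None:
        reasons.append("properties byte 0x%02X is out of range" % props)
    if not dict_size_ok(dict_size):
        reasons.append("unusual dictionary size 0x%08X" % dict_size)
    if data[off + HEADER_LEN] != 0:
        # the range coder always starts an LZMA stream with a zero byte
        reasons.append("first stream byte is not 0x00")
    common = not reasons

    standard = common and (size64 == UNKNOWN_SIZE or 0 < size64 <= max_out)
    split32 = common and 0 < comp32 <= remaining and 0 < uncomp32 <= max_out
    if common and not (standard or split32):
        reasons.append("size field fits neither layout")
    return {"standard": standard, "split32": split32, "reasons": reasons}

# Constructed samples (not taken from any firmware file)
STANDARD_HDR = bytes([0x5D]) + struct.pack("<IQ", 0x00800000, 0x1000) + b"\x00" + b"\xAA" * 16
SPLIT_HDR = bytes([0x5D]) + struct.pack("<III", 0x00010000, 0x20, 0x400) + b"\x00" + b"\xAA" * 31
FALSE_HIT = b"]\x00\x00\x80\x00" + b"<html><head><title>x</title>"

if __name__ == "__main__":
    for name, blob in (("standard", STANDARD_HDR), ("split32", SPLIT_HDR), ("false hit", FALSE_HIT)):
        print(name, check_candidate(blob, 0))
```

A hit that passes only as `split32` will still be rejected by a stock LZMA decoder, because that decoder reads the same eight bytes as one 64-bit size.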

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #96 on: January 28, 2017, 01:46:28 am »
Then that means we're back to trying to figure out what type of checksum routine / signature they're using.   I thought I remember seeing the same bytes at the end of two different versions of the encrypted firmware that I thought might have been some sort of signature or checksum routine.   That was a long time ago though.
 

Offline ollihd

  • Regular Contributor
  • *
  • Posts: 95
  • Country: fi
    • HeyDay Pro
Re: Need help hacking DP832 for multicolour option.
« Reply #97 on: March 30, 2017, 07:46:21 pm »
Any updates on this?
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #98 on: April 02, 2017, 10:08:30 pm »
I've compared the current (00.01.14.00.01) GEL file that was de-scrambled as before, with an older version (00.01.09.00.01). Here is what they look like:

DP800Update.GEL (00.01.09.00.01)                    DP800Update_descrambled.GEL (00.01.14.00.01)   
----------------------------------------------------------------------------------------------------
                                                 |                                      B4 AE 9A 89
00 40 CE 08 00 00 52 00 20 35 00 00 FF FF 00 00  |  00 40 81 40 00 00 52 00 A0 3D 00 00 FF FF 00 00
9F 00 00 00 20 35 00 00 18 F0 9F E5 18 F0 9F E5  |  9F 00 00 00 9C 3D 00 00 18 F0 9F E5 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00  |  18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 00 00
14 F0 9F E5 14 F0 9F E5 78 33 08 00 FC 34 08 00  |  14 F0 9F E5 14 F0 9F E5 F8 3A 08 00 7C 3C 08 00
FC 34 08 00 FC 34 08 00 FC 34 08 00 FC 34 08 00  |  7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
40 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00  |  58 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 C0 9F E5 1C FF 2F E1  |  00 00 00 00 00 00 00 00 00 B5 06 48 00 68 40 07
E1 0E 08 00 00 C0 9F E5 1C FF 2F E1 C1 03 08 00  |  40 0F 00 06 00 0E 07 28 00 D3 00 20 00 06 00 0E
00 C0 9F E5 1C FF 2F E1 1D 0F 08 00 00 C0 9F E5  |  08 BC 18 47 20 0D FF FF 10 B5 04 00 20 78 A1 78


The (00.01.09.00.01) version is not scrambled and misses the first 4 Bytes: B4 AE 9A 89. From there on, the structure aligns pretty good. Only a few bytes are different, either addresses or length information...

I looked through the bitmaps I could find in (00.01.14.00.03) and made a collection of them here.
Furthermore I could find a lot of 1 bit per pixel character sets with all sorts of special characters. Amongst them are also the 7-segment numbers in different sizes for the main display. Haven't indexed those, though.

Still looking at it and not getting an idea what the overall structure could be. Any more ideas? Any disassemblers?

I wonder what would happen if you removed the B4 AE 9A 89 in the 00.01.14.00.03 file and did a byte-swap somewheres.   Maybe those 4 bytes are some sort of flags....
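The vector-table reading suggested in reply #83 can be carried out on the bytes in the comparison above. This is an added example, not code from anyone in the thread: it reads the five little-endian header words, decodes each `18 F0 9F E5` style entry as `LDR PC, [PC, #imm]`, follows it to its literal, and converts the reset handler address to a file offset. The load address 0x00080000 is the one given in reply #100; the field and function names are illustrative.

```python
import struct

# First 0x58 bytes of the descrambled 1.14 file, copied from the hex
# comparison in the thread; nothing past the literal pool is needed here.
HEAD_1_14 = bytes.fromhex(
    "B4AE9A89"
    "00408140 00005200 A03D0000 FFFF0000"
    "9F000000 9C3D0000 18F09FE5 18F09FE5"
    "18F09FE5 18F09FE5 18F09FE5 00000000"
    "14F09FE5 14F09FE5 F83A0800 7C3C0800"
    "7C3C0800 7C3C0800 7C3C0800 7C3C0800"
    "58220800"
)

MAGIC = bytes.fromhex("B4AE9A89")   # present in 1.13/1.14, absent in 1.09
LOAD_ADDR = 0x00080000              # load address reported in reply #100
HEADER = struct.Struct("<5I")       # five little-endian 32-bit words
VECTORS = ("reset", "undef", "swi", "prefetch_abort",
           "data_abort", "reserved", "irq", "fiq")

def parse_block_header(data, off):
    """Read one 20-byte block header; only 'size' and 'type' have known roles."""
    w0, w1, size, kind, w4 = HEADER.unpack_from(data, off)
    payload = off + HEADER.size
    return {"word0": w0, "word1": w1, "size": size, "type": kind,
            "word4": w4, "payload": payload, "next": payload + size}

def decode_vectors(data, code_off):
    """Resolve each ARM exception vector to the handler address it loads."""
    handlers = {}
    for i, name in enumerate(VECTORS):
        (insn,) = struct.unpack_from("<I", data, code_off + 4 * i)
        if insn & 0xFFFFF000 != 0xE59FF000:      # not LDR PC, [PC, #imm12]
            handlers[name] = None
            continue
        # In ARM state PC reads as the instruction's own address + 8
        literal = 4 * i + 8 + (insn & 0xFFF)
        (handlers[name],) = struct.unpack_from("<I", data, code_off + literal)
    return handlers

def file_offset(addr, code_off, load_addr, code_len):
    """Map a run-time address back to an offset in the descrambled file."""
    rel = addr - load_addr
    if not 0 <= rel < code_len:
        raise ValueError("0x%08X is outside the loaded block" % addr)
    return code_off + rel

def analyse(data, load_addr=LOAD_ADDR):
    if data[:4] != MAGIC:
        raise ValueError("missing B4 AE 9A 89 prefix")
    hdr = parse_block_header(data, 4)
    # The word after the header repeats the length of the code that follows
    (code_len,) = struct.unpack_from("<I", data, hdr["payload"])
    code_off = hdr["payload"] + 4
    vectors = decode_vectors(data, code_off)
    reset_off = file_offset(vectors["reset"], code_off, load_addr, code_len)
    return hdr, code_off, code_len, vectors, reset_off

if __name__ == "__main__":
    hdr, code_off, code_len, vectors, reset_off = analyse(HEAD_1_14)
    print("next block header at 0x%06X" % hdr["next"])
    for name in VECTORS:
        target = vectors[name]
        print("%-15s %s" % (name, "-" if target is None else "0x%08X" % target))
    print("reset handler is at file offset 0x%06X" % reset_off)
```

All seven handler addresses fall inside the 0x3D9C-byte block when it is placed at 0x00080000, which supports that load address, and the reset handler's file offset is where a disassembler would start.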
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #99 on: January 19, 2018, 11:15:49 pm »
Does anyone have the previous DP800 firmware versions available? I would like to give a try at decoding something...

1.11, 1.13, 1.14 here (all seem to use bootloader 1.09) https://mega.nz/#F!6dll0ZCS!KwD7sHGZLU3D7Kr8u03ifA
 
The following users thanked this post: tv84

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #100 on: January 19, 2018, 11:59:25 pm »
Here is my quick parsing of the DP800 v00.01.14.00.03 GELs:

Code: [Select]
DP800(Software)Update(Normal)_00.01.14.00.03:
Offset     Checksum???                 Block Size    Type
00000004 - 00 40 81 40 | 00 00 52 00 | A0 3D 00 00 | FF FF 00 00 | 9F 00 00 00  (block header)
  00000018 - 9C 3D 00 00 (size of the block that follows)
  [0000001C - 00003DB7] ARM code (little-endian) Loading address = 0x00080000

00003DB8 - 00 40 AB 61 | 00 00 00 00 | A1 6D 33 00 | FF FF 00 00 | 9F 00 00 00  (block header)
  00003DCC - ("RIGOLL" string)
  [00003DDC - 0033AB6C] ARM code (little-endian) Loading address = 0x3FFFFFB4

0033AB6D - 00 90 00 00 | 14 02 00 00 | 3C 00 00 00 | 14 FF 00 00 | 9F 00 00 00  (block header)
  [0033AB81 - 0033ABBC] Looks like it contains a 20-byte hash (or something encrypted...)

------------------------------------------------------------------------------------------------

DP800(Software)Update(Bootloader)_01.09:
Offset     Checksum???                 Block Size    Type
00000000 - 00 C8 33 27 | 00 00 00 00 | 20 0E 04 00 | 31 00 00 00 | 9F 00 00 00  (block header)

         ***  Header  ***
00000014          Header SHA-1: 31D47AF0F62F94737E737D3D9F4184DBACC44DAD  [00000028-00000073]  HASH OK
00000028           Signature 1: STMP  MAGIC OK
0000002C        Format Version: 1.1
0000002E                 Flags: 0x0000
00000030            Image Size: 00040E20
00000034   1st Boot Tag Offset: 000000A4
00000038   1st Boot Section ID:
0000003C     # Encryption Keys: 1
0000003E  Key Dictionary Start: 00000084
00000040           Header Size: 00000060
00000042     # Section Headers: 1
00000044   Section Header Size: 16 bytes
00000046        Random Padding: 0xC0B2
00000048           Signature 2: sgtl  (Sigmatel?)
0000004C         Creation Time: 26-03-2014 15:19:10
00000054       Product Version: 999.999.999
00000060     Component Version: 999.999.999
0000006C             Drive Tag: 0x0000
0000006E        Random Padding: 0xEFD4BC0FAC83
         ***  Sections Table  ***
00000074   ID:      | Ofs: 000000B4 | Len: 00040D60 | Flg: 00000001 - ROM_SECTION_BOOTABLE
         ***  Key Dictionary  ***
00000084  OTP Key0 Hash: 9A78EED8ABA28234DA5C39E00B28942E  CBC-MAC_AES OK
         ***  Session Key (decrypted)  ***
00000094  Key: 7B686FA69EF90D53A53CDCDE074B6E44  (using OTP Key0)
         ***  Sections (decrypted)  ***
000000A4  TAG  | 0001 | Sect ID:      | Len: 00040D60 | Flg: 00000001 - ROM_SECTION_BOOTABLE
000000B4  LOAD | 0000 | Adr: 00000000 | Len: 00000040 | CRC: BAF6AF35  CRC OK
00000104  LOAD | 0000 | Adr: 00000400 | Len: 00004D14 | CRC: 8A1A8B63  CRC OK
00004E34  FILL | 0000 | Adr: 00018000 | Len: 00001960 | Ptn: 00000000
00004E44  LOAD | 0000 | Adr: 00008000 | Len: 00000020 | CRC: 1809D243  CRC OK
00004E74  CALL | 0001 | Adr: 00008000 | Len: 00000000 | Arg: 00000000
00004E84  LOAD | 0000 | Adr: 00000000 | Len: 00000040 | CRC: E853D834  CRC OK
00004ED4  LOAD | 0000 | Adr: 41000000 | Len: 0003BEB4 | CRC: FE3E32E7  CRC OK
00040DA4  FILL | 0000 | Adr: 41300000 | Len: 00001900 | Ptn: 00000000
00040DB4  FILL | 0000 | Adr: 41301900 | Len: 00002404 | Ptn: 00000000
00040DC4  FILL | 0000 | Adr: 41700000 | Len: 004C4B40 | Ptn: 00000000
00040DD4  LOAD | 0000 | Adr: 00008000 | Len: 00000020 | CRC: 7846C59D  CRC OK
00040E04  JUMP | 0001 | Adr: 00008000 | Len: 00000000 | Arg: 00000000
         ***  File SHA-1 Hash (decrypted)  ***
00040E14  File SHA-1: 8A2D9884D7A265264E43E719A1BE297DFB784EF9  [00000014-00040E13]  HASH OK

I think that the 1st 4 bytes of an encoded .GEL indicate the filetype/encoding (28 23 10 00) and shouldn't be decoded.

So I use only (C#):
Code: [Select]
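            // Skip the 4-byte file-type prefix, then subtract a running mask
            // (starting at 0x78, +1 per byte) from every byte, modulo 256.
            for (int i1 = 0x04, mask = 0x78; i1 < buffer.Length; i1++, mask++)
                buffer[i1] += (byte)(256 - mask);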
« Last Edit: January 20, 2018, 10:07:16 am by tv84 »
 
The following users thanked this post: Spork Schivago, tossu

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #101 on: January 20, 2018, 09:05:46 pm »
Parsing of versions:  (thank you to dav and ted572 for sending them)

00.01.03.00.02
00.01.05.00.00
00.01.06.00.00
00.01.08.00.02
00.01.09.00.01
00.01.10.00.03
00.01.11.00.00
00.01.13.00.01
00.01.14.00.03

Conclusions so far:
- 1st byte in the 1st block header is used to decode the file.
- 2nd byte is a flag byte with these meanings:
   X------- last block
   -X------ block has CRC
   ---X---- FRAM block (1 = saves to FRAM; 0 = saves to FLASH)
   ----X--- bootloader block
   -----X-- no block contents ?

- 2nd word in block headers is a CRC16 of the block.
- Special focus on the contents of the block with size=0x3C bytes (that is directly saved in the FRAM).
- if you look at the final words in the 0x3C block, it seems to increment with each version. Maybe it's directly related to the firmware version/release date.

Code: [Select]
DP800(Software)Update(Normal)_00.01.03.00.02

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002EEF09 | 00000000 | 00000000
00000014  Block #1: [00000014-002EEF1C]

002EEF1D  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 00000000 | 00000000
002EEF31  Hash/Encrypt ??:  3FF75ED5D6F06206F304DBD9BAA1A75E7459FC21
002EEF45  UInt32    (???):  0004B180 0004B180 0004B180 0004B180 0004B180
002EEF59  UInt32    (???):  0004B180 0004B180 0004B180 0004B180 0004B189
002EEF31  Block #2: [002EEF31-002EEF6C]

002EEF6D  Header - Mask: 00 | Flags: 00 | 0000 | 00520000 | Size: 00002384 | 00000000 | 00000000
002EEF81  Block Size: 00002384
002EEF91  Block #3: [002EEF91-002F1304]

002F1305  Header - Mask: 00 | Flags: 94 | 0000 | 00000000 | Size: 00000010 | 0000FFFF | 00000000
002F1319  EOF - No Block contents!
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.05.00.00

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002F6391 | 0000FFFF | 00000000
00000014  Block #1: [00000014-002F63A4]

002F63A5  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
002F63B9  Hash/Encrypt ??:  D5B2A1A71C6EBB7944B17F03AB122FF162031E59
002F63CD  UInt32    (???):  0004BD28 0004BD28 0004BD28 0004BD28 0004BD28
002F63E1  UInt32    (???):  0004BD28 0004BD28 0004BD28 0004BD28 0004BD29
002F63B9  Block #2: [002F63B9-002F63F4]

002F63F5  Header - Mask: 00 | Flags: 00 | 0000 | 00520000 | Size: 000024E4 | 0000FFFF | 00000000
002F6409  Block Size: 000024E4
002F6419  Block #3: [002F6419-002F88EC]

002F88ED  Header - Mask: 00 | Flags: 94 | 0000 | 00000000 | Size: 00000010 | 0000FFFF | 00000000
002F8901  EOF - No Block contents!
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.06.00.00

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 002F7661 | 0000FFFF | 00000000
00000014  Block #1: [00000014-002F7674]

002F7675  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
002F7689  Hash/Encrypt ??:  42A86549B434F4D06827669679D7F06A6CBC505B
002F769D  UInt32    (???):  0004BF09 0004BF09 0004BF09 0004BF09 0004BF09
002F76B1  UInt32    (???):  0004BF09 0004BF09 0004BF09 0004BF09 0004BF10
002F7689  Block #2: [002F7689-002F76C4]

002F76C5  Header - Mask: 00 | Flags: 80 | 0000 | 00520000 | Size: 00002698 | 0000FFFF | 00000000
002F76D9  Block Size: 00002698
002F76E9  Block #3: [002F76E9-002F9D70]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.08.00.02

00000000  Header - Mask: 00 | Flags: 00 | 0000 | 00000000 | Size: 00308A9D | 0000FFFF | 00000000
00000014  Block #1: [00000014-00308AB0]

00308AB1  Header - Mask: 00 | Flags: 10 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 00000000
00308AC5  Hash/Encrypt ??:  CB1F0C46AC83A6E18455705ED7EFD0C07C83E23E
00308AD9  UInt32    (???):  0004DAA9 0004DAA9 0004DAA9 0004DAA9 0004DAA9
00308AED  UInt32    (???):  0004DAA9 0004DAA9 0004DAA9 0004DAA9 0004DAAC
00308AC5  Block #2: [00308AC5-00308B00]

00308B01  Header - Mask: 00 | Flags: 80 | 0000 | 00520000 | Size: 00003520 | 0000FFFF | 00000000
00308B15  Block Size: 00003520
00308B25  Block #3: [00308B25-0030C034]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.09.00.01

00000000  Header - Mask: 00 | Flags: 40 | 08CE | 00520000 | Size: 00003520 | 0000FFFF | 0000009F
00000014  Block Size: 00003520
00000024  Block #1: [00000024-00003533]

00003534  Header - Mask: 00 | Flags: 40 | 301D | 00000000 | Size: 0031FE6D | 0000FFFF | 0000009F
00003548  String1: RIGOLL
00003558  Block #2: [00003558-003233B4]

003233B5  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
003233C9  Hash/Encrypt ??:  464E7D130B7366357007E49384BCF81BE9F53C2F
003233DD  UInt32    (???):  0004FFD7 0004FFD7 0004FFD7 0004FFD7 0004FFD7
003233F1  UInt32    (???):  0004FFD7 0004FFD7 0004FFD7 0004FFD7 0004FFDE
003233C9  Block #3: [003233C9-00323404]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.10.00.03

00000004  Header - Mask: 00 | Flags: 40 | E89F | 00520000 | Size: 00003694 | 0000FFFF | 0000009F
00000018  Block Size: 00003690
0000001C  Block #1: [0000001C-000036AB]

000036AC  Header - Mask: 00 | Flags: 40 | 5732 | 00000000 | Size: 0031DA25 | 0000FFFF | 0000009F
000036C0  String1: RIGOLL
000036D0  Block #2: [000036D0-003210E4]

003210E5  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
003210F9  Hash/Encrypt ??:  FC3999DF41FAC462946CE1BDC6E069E74D523C9C
0032110D  UInt32    (???):  0004FC36 0004FC36 0004FC36 0004FC36 0004FC36
00321121  UInt32    (???):  0004FC36 0004FC36 0004FC36 0004FC36 0004FC3F
003210F9  Block #3: [003210F9-00321134]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.11.00.00

00000004  Header - Mask: 00 | Flags: 40 | E89F | 00520000 | Size: 00003694 | 0000FFFF | 0000009F
00000018  Block Size: 00003690
0000001C  Block #1: [0000001C-000036AB]

000036AC  Header - Mask: 00 | Flags: 40 | DC62 | 00000000 | Size: 00322285 | 0000FFFF | 0000009F
000036C0  String1: RIGOLL
000036D0  Block #2: [000036D0-00325944]

00325945  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
00325959  Hash/Encrypt ??:  A92B0C1660C0424D48D19499AE7BF4C70F647AA4
0032596D  UInt32    (???):  00050373 00050373 00050373 00050373 00050373
00325981  UInt32    (???):  00050373 00050373 00050373 00050373 0005037A
00325959  Block #3: [00325959-00325994]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.13.00.01

00000004  Header - Mask: 00 | Flags: 40 | A1A0 | 00520000 | Size: 00003D58 | 0000FFFF | 0000009F
00000018  Block Size: 00003D54
0000001C  Block #1: [0000001C-00003D6F]

00003D70  Header - Mask: 00 | Flags: 40 | 2D14 | 00000000 | Size: 00335605 | 0000FFFF | 0000009F
00003D84  String1: RIGOLL
00003D94  Block #2: [00003D94-00339388]

00339389  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
0033939D  Hash/Encrypt ??:  8A968039CF72794BA2BB2762B0708CBD822456D1
003393B1  UInt32    (???):  00052233 00052233 00052233 00052233 00052233
003393C5  UInt32    (???):  00052233 00052233 00052233 00052233 0005223A
0033939D  Block #3: [0033939D-003393D8]
*****************************************************************************************
DP800(Software)Update(Normal)_00.01.14.00.03

00000004  Header - Mask: 00 | Flags: 40 | 4081 | 00520000 | Size: 00003DA0 | 0000FFFF | 0000009F
00000018  Block Size: 00003D9C
0000001C  Block #1: [0000001C-00003DB7]

00003DB8  Header - Mask: 00 | Flags: 40 | 61AB | 00000000 | Size: 00336DA1 | 0000FFFF | 0000009F
00003DCC  String1: RIGOLL
00003DDC  Block #2: [00003DDC-0033AB6C]

0033AB6D  Header - Mask: 00 | Flags: 90 | 0000 | 00000214 | Size: 0000003C | 0000FFFF | 0000009F
0033AB81  Hash/Encrypt ??:  68FC5AAA5F2AA7CFCFBC40371C20812A668FD4A9
0033AB95  UInt32    (???):  00052490 00052490 00052490 00052490 00052490
0033ABA9  UInt32    (???):  00052490 00052490 00052490 00052490 00052491
0033AB81  Block #3: [0033AB81-0033ABBC]
*****************************************************************************************
DP800(Software)Update(Bootloader)_01.06

00000000  Header - Mask: 00 | Flags: C8 | 8E34 | 00000000 | Size: 00040C70 | 000000B3 | 0000009F
00000014  Block #1: [00000014-00040C83]
*****************************************************************************************
DP800(Software)Update(Bootloader)_01.09

00000000  Header - Mask: 00 | Flags: C8 | 2733 | 00000000 | Size: 00040E20 | 00000031 | 0000009F
00000014  Block #1: [00000014-00040E33]


If anyone has the FW versions that are not listed here please repost or send me a pm:
00.01.01.02.04
00.01.02.00.03
00.01.04.00.02

Edit: 2/1/2020 Fill some "flag" explanations
« Last Edit: January 02, 2020, 03:36:05 pm by tv84 »
 
The following users thanked this post: Spork Schivago, toxuin
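
The descrambling loop from reply #100 and the block header layout and flag bits from reply #101, as an added Python example (not tv84's parser, which was not posted in the thread): it ports the C# loop, decodes the 20-byte header and walks the block chain. The field name `word2`, the helper names and the small sample image are constructed for illustration; the CRC16 is read but not verified because the thread does not give its algorithm.

```python
import struct
from dataclasses import dataclass

PREFIX_LEN = 4      # leading file-type bytes that the posted loop skips
MASK_START = 0x78   # initial mask value in the posted C# loop
HEADER = struct.Struct("<BBHIIII")  # 20-byte block header, little-endian

# Flag bits as listed in reply #101 (the 0x04 meaning is marked "?" there).
FLAG_NAMES = {
    0x80: "last block",
    0x40: "block has CRC",
    0x10: "FRAM block",
    0x08: "bootloader block",
    0x04: "no block contents",
}

# First block header of 00.01.14.00.03 exactly as quoted in reply #100.
POSTED_HEADER = bytes.fromhex("0040814000005200A03D0000FFFF00009F000000")


@dataclass
class Block:
    offset: int       # file offset of the header
    mask: int
    flags: int
    crc16: int        # stored value only; not checked here
    word2: int        # hypothetical name: 2nd 32-bit word (e.g. 00520000, 00000214)
    size: int
    data_offset: int
    data_len: int

    @property
    def flag_names(self):
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]


def descramble(data: bytes) -> bytes:
    """Python port of the C# loop: byte[i] -= mask (mod 256), mask = 0x78, 0x79, ..."""
    out = bytearray(data)
    for i in range(PREFIX_LEN, len(out)):
        out[i] = (out[i] - (MASK_START + i - PREFIX_LEN)) & 0xFF
    return bytes(out)


def scramble(data: bytes) -> bytes:
    """Inverse of descramble(); used only to build the constructed sample."""
    out = bytearray(data)
    for i in range(PREFIX_LEN, len(out)):
        out[i] = (out[i] + MASK_START + i - PREFIX_LEN) & 0xFF
    return bytes(out)


def parse_header(image: bytes, offset: int = 0) -> Block:
    if offset + HEADER.size > len(image):
        raise ValueError(f"truncated header at {offset:#x}")
    mask, flags, crc16, word2, size, _w4, _w5 = HEADER.unpack_from(image, offset)
    data_len = 0 if flags & 0x04 else size   # 0x04: header only, per the post
    return Block(offset, mask, flags, crc16, word2, size,
                 offset + HEADER.size, data_len)


def walk_blocks(image: bytes, start: int = PREFIX_LEN):
    """Follow header -> data -> next header; use start=0 for files without the prefix."""
    blocks, off = [], start
    while off < len(image):
        blk = parse_header(image, off)
        end = blk.data_offset + blk.data_len
        if end > len(image):
            raise ValueError(f"block at {off:#x} runs past end of file")
        blocks.append(blk)
        if blk.flags & 0x80:      # "last block" flag ends the chain
            break
        off = end
    return blocks


def build_sample() -> bytes:
    """Constructed three-block image with the 00.01.14-style layout, scrambled."""
    def block(flags, word2, payload):
        return HEADER.pack(0, flags, 0, word2, len(payload), 0xFFFF, 0x9F) + payload
    plain = (b"TEST"                                   # constructed 4-byte prefix
             + block(0x40, 0x00520000, b"\x04\x00\x00\x00CODE")
             + block(0x40, 0x00000000, b"RIGOLL")
             + block(0x90, 0x00000214, bytes(0x3C)))   # 0x3C-byte FRAM block
    return scramble(plain)


if __name__ == "__main__":
    for b in walk_blocks(descramble(build_sample())):
        print(f"{b.offset:08X}  Flags: {b.flags:02X} | {b.crc16:04X} | "
              f"{b.word2:08X} | Size: {b.size:08X}  {', '.join(b.flag_names) or '-'}")
```

For the older, unscrambled files listed above whose first header sits at offset 00000000, skip `descramble()` and call `walk_blocks(image, start=0)`.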

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #102 on: February 13, 2018, 01:23:20 am »
Parsing of versions:  (thank you to dav and ted572 for sending them)

00.01.03.00.02
00.01.05.00.00
00.01.06.00.00
00.01.08.00.02
00.01.09.00.01
00.01.10.00.03
00.01.11.00.00
00.01.13.00.01
00.01.14.00.03

Conclusions so far:
- 1st byte in the 1st block header is used to decode the file.
- 2nd byte is a flag byte with these meanings:
   X------- last block
   -X------ normal block ?
   ---X---- special block 0x3C
   ----X--- bootloader block
   -----X-- no block contents ?

- 2nd word in block headers seems to be a CRC/checksum.
- Special focus on the contents of the block with size=0x3C bytes.
- if you look at the final words in the 0x3C block, it seems to increment with each version. Maybe it's directly related to the firmware version/release date.

If anyone has the FW versions that are not listed here please repost or send me a pm:
00.01.01.02.04
00.01.02.00.03
00.01.04.00.02

Wow, you've made some real progress here!   Can you please share the source code you're using to parse the files?   The one that shows stuff like:

Code: [Select]
DP800(Software)Update(Bootloader)_01.06

00000000  Header - Mask: 00 | Flags: C8 | 8E34 | 00000000 | Size: 00040C70 | 000000B3 | 0000009F
00000014  Block #1: [00000014-00040C83]

Unfortunately, I think C# is mainly for Windows, although I guess there's a Mono C# compiler.   But if you're okay with sharing the code, maybe I could convert it to normal C real quick like and repost for Linux users?

I had made a collection of the various firmwares that I found for the unit.   I will check on my Linux box and see if the ones you requested are there or not.

I had given up on this project because we had a daughter and that kind of changed priorities a lot.   I am very impressed with the work that the community has done, including your work.   You guys are amazing and discovered stuff I would never have discovered.

That's what I love about forums.   It's a place for society to come together and work on stuff together.   I might not think of something, but you may.   Or vice-versa.   And together, we might be able to solve some pretty interesting problems.

Now I don't know a lot about cryptology, but for the bootloader code....the SHA-1 for the header, that's just a SHA-1 checksum of the contents, right?   It's not anything to deal with signing, is it?    Because my understanding is that brute-forcing an SHA-1 private key is not going to happen anytime soon, and I'm really hoping they're not signed with a private key.

But I did notice, as I mentioned on previous pages somewheres, that the last x amount of bytes in the firmware files match, and I thought perhaps that was some sort of signature, but I probably was wrong.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #103 on: April 01, 2018, 04:42:12 am »
Who needed the memory dump again and could they please provide me with the directions?   I got so caught up with my life (daughter, wife, trying to start a new legal business, earning money to pay for all the software / hardware we need to stay legal, etc) that I totally forgot all about it!

But I do have a Rigol DP832 that I'll be more than happy to provide the memory dump, if they just provide the directions on how to do so.

Thanks!
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #104 on: April 04, 2019, 09:56:12 pm »
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

Offline toxuin

  • Contributor
  • Posts: 8
  • Country: ca
Re: Need help hacking DP832 for multicolour option.
« Reply #105 on: April 04, 2019, 09:58:19 pm »
Whoa, that's a breakthrough!

I would appreciate a write-up on how you came up with this, if that's not too much work. This sounds awesome!

PS. Is this trick reversible?
 
The following users thanked this post: Synthtech, ppsilva

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #106 on: April 04, 2019, 10:07:59 pm »
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

tossu,  :clap: :clap: :clap:

I don't know what you did but that sounds interesting!!!

 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #107 on: April 04, 2019, 10:24:03 pm »
I'd be happy to do a write-up! I expected hardly anyone to be interested in this hack anymore. Just give me some time.

I just tested that the hack can be reversed by setting the model back to DP832.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #108 on: April 04, 2019, 10:27:33 pm »
How about DP831 ?
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #109 on: April 04, 2019, 10:47:05 pm »
How about DP831 ?

I'd try setting the model to DP831A. I don't have a DP831 to test with, but DP831A is a recognized string constant. I don't see why it shouldn't work.

Edit: Pictures of my hacked DP832
« Last Edit: April 04, 2019, 11:12:08 pm by tossu »
 
The following users thanked this post: 2N3055

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #110 on: April 04, 2019, 10:58:28 pm »
How about DP831 ?

I'd try setting the model to DP831A. I don't have a DP831 to test with, but DP831A is a recognized string constant. I don't see why it shouldn't work.
Thanks!
I'll give it a go and report back..
 

Offline PTR_1275

  • Frequent Contributor
  • **
  • Posts: 560
  • Country: au
Re: Need help hacking DP832 for multicolour option.
« Reply #111 on: April 04, 2019, 11:18:04 pm »
So changing it to the coloured display doesn’t give you that horrible triangular split display?? (The one with the circle in the middle and the settings top left, top right and bottom middle) Personally that screen layout is the reason I avoided the 832a...
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #112 on: April 04, 2019, 11:21:53 pm »
So changing it to the coloured display doesn’t give you that horrible triangular split display?? (The one with the circle in the middle and the settings top left, top right and bottom middle) Personally that screen layout is the reason I avoided the 832a...

It does, but DP832A has a DP832-like colorful display mode as an alternative.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2559
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #113 on: April 04, 2019, 11:52:15 pm »
Fantastic hacking work!

Even though I prefer the plain '7 segment font' DP832 display over the DP832A anyway, I wonder if the random reboots that DP832 owners suffer from for absolutely no rhyme or reason will vanish when software converting to a DP832A, like there was some sick fuck that deliberately sabotaged these PSUs by software methods only? Much like the scum involved in HP inkjet printers and cartridges malarkey?  :wtf:
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #114 on: April 05, 2019, 03:22:22 am »
Worked for me, thanks!
 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 174
Re: Need help hacking DP832 for multicolour option.
« Reply #115 on: April 05, 2019, 05:14:15 am »
Well, this just moved the 832 back up on my list of potential adds. Good work!

-j
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2362
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #116 on: April 05, 2019, 06:36:25 am »
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code: [Select]
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

Very nice finding, thank you!  :-+

In the beginning, the difference between DP832 and DP832A used to be that the "A" variant came with all the features unlocked from the factory, and a new weird and multicolour display scheme.

With the latest firmware, are the differences between DP832 and DP832A still the same?  Was there any new functionality added in the meantime to the DP832A only?

Online TurboTom

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #117 on: April 05, 2019, 09:17:58 am »
 :-+ DP811 -> DP811A works a treat!

I like the "proper" fonts so much more than the simulated 7-Segment digits that even are shown dimmed when "off" (what a stupid idea).
Kudos to you @tossu and thank you very much for sharing!

Cheers,
Thomas
 
The following users thanked this post: PeDre

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #118 on: April 05, 2019, 09:27:44 am »
Thank you Tossu!

@all: do I really still need Ultrasigma to send SCPI commands or is there a smaller tool around? I remember Ultrasigma being huge and if possible I would like to avoid installing it just for this hack. Though if there is no way around, I would do a backup->install->hack->restore to get rid of it quickly. Thanks.
 

Online TurboTom

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #119 on: April 05, 2019, 09:39:22 am »
Under Windows, you can just telnet to the Power Supply (provided you're using an ethernet connection):

Figure out its IP address

Start a console (cmd)

telnet [IP_Address] 5555

Now just enter (or copy&paste) the SCPI command -- voila.
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #120 on: April 05, 2019, 09:43:48 am »
Thanks. I will try it right away!
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #121 on: April 05, 2019, 10:17:11 am »
Mmmmh - not working.  Should I get a feedback from the DP832? I am able to open telnet. Any entered character is shown as a space on the screen; after entering the string manually (or copy/paste) nothing happens (I am pressing ENTER after entering the string). There is no visible feedback from the power supply. Is this correct?
Rebooting then changes nothing - shows still DP832 in system info screen.
I tried an old 1GB USB stick and formatted with 16Kbyte blocks. I will now try another USB stick (4 GByte and 64KByte blocks) and as I do not have the latest firmware installed, I will try this too.
 

Online TurboTom

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #122 on: April 05, 2019, 10:40:59 am »
I also didn't get a response from the power supply via telnet when I did so. It may be worth trying another command that will return a value like for example:

:SYSTem:VERSion?

This should return "1999.0" (SCPI version on the device). If this works and you're sending the correct command, you should really check the USB drive you're using. I was successful with a quite old 8GB thumb drive labeled "Verbatim" that I also use for firmware updates. But I followed @tossu's instructions to format it and then only copy the provided file on it. Worked for both my DP832 and DP811.

Good luck,
Thomas
« Last Edit: April 05, 2019, 11:07:59 am by TurboTom »
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #123 on: April 05, 2019, 10:55:31 am »
Thanks Tom,
I was running firmware 1.04 :wtf:. Yeah pretty old but as everything was working fine, there was no need. As a firmware update to 1.11. did solve the problem above, anybody should check his/her version first and then do an update if needed. I will now update to 1.14. (1.11. was -according to Rigol- a needed step in between).
 
The following users thanked this post: Sully

Offline rfspezi

  • Regular Contributor
  • *
  • Posts: 118
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #124 on: April 05, 2019, 11:34:01 am »
Are you using the Ultra Sigma Software from Rigol to send the SCPI command?
I tried to download that software several times from the Rigol homepage, however it takes ages and finally is corrupt.  :-\
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #125 on: April 05, 2019, 11:56:29 am »
No I used telnet as Tom mentioned above.
 

Offline rfspezi

  • Regular Contributor
  • *
  • Posts: 118
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #126 on: April 05, 2019, 12:10:56 pm »
No I used telnet as Tom mentioned above.

Thank you!
Hack works :)
 

Offline jancumps

  • Supporter
  • ****
  • Posts: 1246
  • Country: be
  • New Low
Re: Need help hacking DP832 for multicolour option.
« Reply #127 on: April 05, 2019, 12:11:40 pm »
you need to run ultra sigma to load the drivers. I haven’t tried pure tcp/ip to send scpi, I can give that a try ...

ah, already confirmed.
 

Offline rfspezi

  • Regular Contributor
  • *
  • Posts: 118
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #128 on: April 05, 2019, 12:26:19 pm »
PS. Is this trick reversible?

Good question :)
 

Online TurboTom

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: de
 


Online _Wim_

  • Frequent Contributor
  • **
  • Posts: 822
  • Country: be
Re: Need help hacking DP832 for multicolour option.
« Reply #131 on: April 05, 2019, 12:37:16 pm »
I would appreciate a write-up on how you came up with this, if that's not too much work.

@Tossu, first of all great work!  :-+

I also would appreciate some write-up on how you came to this, because this method is maybe applicable to other Rigol gear as well. I tried to use this on my DG1032Z (upgrade to DG1062Z) but after I send the SCPI-command the communication locked up (does not respond to *IDN? any longer) and had to reboot.

On my DP832 it worked flawlessly.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #132 on: April 05, 2019, 12:39:51 pm »
Copied file to FAT formatted empty USB stick, telnet to 5555 port and pasted:

:PROJ:SET MODEL,DP831A

Enter and reboot. Worked perfectly.
Thanks!
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #133 on: April 05, 2019, 12:45:18 pm »
I also didn't get a response from the power supply via telnet when I did so. It may be worth trying another command that will return a value like for example:

:SYSTem:VERSion?

This should return "1999.0" (SCPI version on the device). If this works and you're sending the correct command, you should really check the USB drive you're using. I was successful with a quite old 8GB thumb drive labeled "Verbatim" that I also use for firmware updates. But I followed @tossu's instructions to format it and then only copy the provided file on it. Worked for both my DP832 and DP811.

Good luck,
Thomas

I also had issues with the first USB drive I tried. Formatted and copied the file onto it, stuck in back of DP832, connected with telnet, but when I would send the SCPI command, the screen on the DP832 would show something like "Incorrect command". I switched to an older 512MB verbatim USB drive, formatted, and this time when I sent the SCPI command I'm pretty sure the DP832 didn't show any indication it had worked (no message on the screen or beep), until I rebooted it. Once it was rebooted though I was able to change the display mode to the DP832A ones.
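
Several posts report that the same keyfile worked from one USB drive and not from another. The following is an added example, not code from the thread or from Rigol: it checks a raw drive image for the magic value at sector 0x58E0 and lists the sector ranges where the pattern actually landed. It assumes 512-byte sectors, a sector number counted from the start of the raw device, and a pattern aligned to the start of the sector; the function names and the sample images are constructed for illustration.

```python
"""Locate the thread's magic pattern on a raw USB drive image (added example)."""
import io
import sys

MAGIC = bytes.fromhex("80DF201090206280")  # magic value quoted in the thread
TARGET_SECTOR = 0x58E0                      # sector quoted for DP800 / DL3000
SECTOR_SIZE = 512                           # assumption: 512-byte logical sectors


def check_target(stream, sector=TARGET_SECTOR, sector_size=SECTOR_SIZE):
    """Return 'present', 'absent' or 'too_small' for the target sector."""
    stream.seek(sector * sector_size)
    data = stream.read(sector_size)
    if len(data) < sector_size:
        return "too_small"          # image ends before the target sector
    return "present" if data.startswith(MAGIC) else "absent"


def magic_runs(stream, sector_size=SECTOR_SIZE, chunk_sectors=2048):
    """Return [(first, last), ...] ranges of sectors that start with MAGIC."""
    runs = []
    start = None                    # first sector of the run being tracked
    sector = 0
    stream.seek(0)
    while True:
        chunk = stream.read(sector_size * chunk_sectors)
        if not chunk:
            break
        for off in range(0, len(chunk), sector_size):
            hit = chunk.startswith(MAGIC, off)
            if hit and start is None:
                start = sector
            elif not hit and start is not None:
                runs.append((start, sector - 1))
                start = None
            sector += 1
    if start is not None:           # run reaches the end of the image
        runs.append((start, sector - 1))
    return runs


def build_image(total_sectors, keyfile_first, keyfile_sectors):
    """Constructed sample: zero-filled image with a pattern-filled 'keyfile'."""
    img = bytearray(total_sectors * SECTOR_SIZE)
    body = MAGIC * (keyfile_sectors * SECTOR_SIZE // len(MAGIC))
    begin = keyfile_first * SECTOR_SIZE
    img[begin:begin + len(body)] = body
    return io.BytesIO(bytes(img))


def report(stream):
    """Print the target-sector status and where the pattern was found."""
    status = check_target(stream)
    print(f"sector {TARGET_SECTOR:#x}: {status}")
    for first, last in magic_runs(stream):
        print(f"  pattern covers sectors {first:#x}..{last:#x}")
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a raw image of the whole drive (for example one made with dd).
        with open(sys.argv[1], "rb") as fh:
            report(fh)
    else:
        # Constructed demo: one image where the file covers the target sector,
        # one where the filesystem placed it elsewhere.
        report(build_image(0x5900, 0x58D0, 0x20))
        report(build_image(0x6100, 0x6000, 0x10))
```

An "absent" result with a run elsewhere means the filesystem placed the file away from the target sector, which matches the mixed results reported with different drives and cluster sizes.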
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 4340
  • Country: nl
Re: Need help hacking DP832 for multicolour option.
« Reply #134 on: April 05, 2019, 06:12:58 pm »
Thanks @tossu, that was brilliant!  :-+
Keyboard error: Press F1 to continue.
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #135 on: April 05, 2019, 08:28:47 pm »
A DP800 should reply OK if the :PROJ:SET MODEL,DP832A command was successful. It does that, if the command is sent from the USB interface. If it is sent from the LAN interface, it won't reply anything or accept new commands until the connection is closed.

:PROJ:SET is probably not meant to be used from LAN, and it might be crashing the server process.

I tried to use this on my DG1032Z (upgrade to DG1062Z) but after I send the SCPI-command the communication locked up (does not respond to *IDN? any longer) and had to reboot.

On my DP832 it worked flawlessly.

It might be working on DP800 by coincidence. Did you try to use the USB interface?
« Last Edit: April 05, 2019, 08:39:01 pm by tossu »
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2362
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #136 on: April 05, 2019, 10:56:29 pm »
WOW, way nicer display, easier to read (DP832A/Classic).  :-+
https://www.albinoblacksheep.com/flash/thankyou

Tried the upgrade with a 4GB AData USB.  Worked flawlessly.

The upgrade from DP832 to DP832A is reversible, can be set as you like at any time as long as the USB drive is plugged in.  Did it by LAN.  No OK response to the change model SCPI command, but it worked. 

DP832


DP832A


To be honest, I didn't expect the color display to make such a big difference, yet it does.  And the digits are not 7 segments any more, much easier to read now.  Very nice surprise.
 :D

After changing the model and powering it off/on again, pressed the 'Display' button then clicked 'Disp Mode' button until 'Disp Mode: Classic' is selected, then pressed the 'Display' button again, and that's it.

DP832A


DP832A


Now, to upgrade to the latest firmware, too, what is the latest available for DP800, and how do I interrogate for the installed firmware version, please?
« Last Edit: April 05, 2019, 11:47:16 pm by RoGeorge »
 

Offline maginnovision

  • Super Contributor
  • ***
  • Posts: 1701
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #137 on: April 05, 2019, 11:51:04 pm »
Now you all need to change the channel on LEDs to match the screens.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2362
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #138 on: April 06, 2019, 01:08:45 am »
No need to change the LEDs.  A simple highlight with marker will be enough.

It happened to me in the past to power up other channel than the intended one, so coloring the buttons and the banana plugs might not be a bad idea.

About the firmware update, the latest versions are:
- bootloader 01.09
- software 00.01.14.00.03
downloaded today from https://www.rigolna.com/products/dc-power-loads/dp800/

When asked for credentials, enter whatever.

To see the installed firmware details press 'Utility' -> 'Sys Info' -> 'M1' -> 'M3' -> 'M2'
Where M1...M5 are the buttons under the screen.


Offline PeDre

  • Regular Contributor
  • *
  • Posts: 102
  • Country: at
    • Private Website
 
The following users thanked this post: RoGeorge

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #140 on: April 06, 2019, 08:43:33 am »
There is a newer firmware v00.01.16.00.02:
http://www.rigol.com/Support/SoftDownload/3
http://www.rigol.com/File/ModelSoftWare/20190328/DP800(ARM)update.rar

Peter

Does anybody know what's been changed in the latest firmware version? And can anybody verify that it works with the hack tossu released?
 

Online TurboTom

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #141 on: April 06, 2019, 08:59:11 am »
On both of my PSUs (DP832 and DP811), F/W 01.16.00.02 was installed prior to applying @tossu's patch via LAN. Worked without any problem.

Obviously, installing the new firmware after applying the patch will have to work because it's supposed to work on "official" DP800A devices as well. And it pretty much seems the patch turns a non-A instrument into an "A"-version without any (technical) difference to an official one (...maybe someone may start a business by offering the "Hello Kitty" bezels for upgrade... )  :-DD .
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2362
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #142 on: April 06, 2019, 10:17:37 am »
I just upgraded the firmware to DP800 00.01.16.00.02 2019-03-28 (for a DP832 transformed yesterday into DP832A using tossu hack - thanks again, great finding).

The new firmware seems to be working fine, except the DNS address in the LAN settings (mine are set to manual LAN settings).  After a power off/on cycle, the DNS will always point to 88.218.37.64  :-//

Code:
!!!!! For Firmware DP800 00.01.16.00.02 2019-03-28 the DNS address seems hardcoded to 88.218.37.64 !!!!!
========================================================================================================
IP address 88.218.37.64 location
Country:Spain
Region:Madrid
City:Madrid
Longitude:-3.7026
Latitude:40.4165
Time Zone:Europe/Madrid
Postal Code:28050


IP Whois Information For 88.218.37.64
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '88.218.36.0 - 88.218.39.255'

% Abuse contact for '88.218.36.0 - 88.218.39.255' is '@airbnb.com'

inetnum: 88.218.36.0 - 88.218.39.255
netname: IE-AIRBNB-20181214
country: IE
org: ORG-AU44-RIPE
admin-c: ARA114-RIPE
tech-c: MA19860-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: ie-airbnb-1-mnt
created: 2018-12-14T12:50:04Z
last-modified: 2018-12-14T12:50:04Z
source: RIPE

organisation: ORG-AU44-RIPE
org-name: AIRBNB IRELAND ULC
org-type: LIR
address: The Watermarque Building South Lotts Road, Ringsend
address: 4
address: Dublin
address: IRELAND
admin-c: ARA114-RIPE
tech-c: MA19860-RIPE
abuse-c: AR38143-RIPE
mnt-ref: ie-airbnb-1-mnt
mnt-by: RIPE-NCC-HM-MNT
mnt-by: ie-airbnb-1-mnt
created: 2016-10-31T08:25:02Z
last-modified: 2017-05-08T12:17:29Z
source: RIPE # Filtered
phone: +14157280000

person: Eoin Hession
address: The Watermarque Building South Lotts Road, Ringsend
address: 4
address: Dublin
address: IRELAND
phone: +14157280000
nic-hdl: ARA114-RIPE
mnt-by: ie-airbnb-1-mnt
created: 2016-10-31T08:25:01Z
last-modified: 2016-11-22T21:48:25Z
source: RIPE

person: Eric Lee
address: 888 Brannan Street, San Francisco, CA 94114
phone: +14087506453
nic-hdl: MA19860-RIPE
mnt-by: ie-airbnb-1-mnt
created: 2016-11-22T21:54:00Z
last-modified: 2018-12-14T09:08:49Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.93.2 (BLAARKOP)

Anybody else having problems setting the DNS address in the DP800 LAN settings, please?

Offline tautech

  • Super Contributor
  • ***
  • Posts: 18341
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Need help hacking DP832 for multicolour option.
« Reply #143 on: April 06, 2019, 10:21:19 am »
Oh dear, seems you're also in Spain, Ireland and San Fran.   :clap:
Avid Rabid Hobbyist
 

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #144 on: April 06, 2019, 10:47:56 am »
Oh dear, seems you're also in Spain, Ireland and San Fran.   :clap:

I've never heard of this before. Care to explain?  :)

I successfully hacked my DP832 and turned it into a DP832A. I didn't bother updating the firmware, so I'm still at 01.14. However, one quirk I found was that the USB stick has to be connected after the PSU has booted. It's not visible if the USB stick is plugged in when the PSU is turned off.

The PSU never gave me a response on the screen, even though the hack was applied. However, when I returned to the main screen (without rebooting) I noticed the negative value of CH3. Somehow a minus sign has snuck in there. When I rebooted I was greeted with a colorful DP832A screen. The minus sign was gone.
« Last Edit: April 06, 2019, 10:53:35 am by hansibull »
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 18341
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Need help hacking DP832 for multicolour option.
« Reply #145 on: April 06, 2019, 10:57:38 am »
Oh dear, seems you're also in Spain, Ireland and San Fran.   :clap:

I've never heard of this before. Care to explain?  :)
Study the code in RoGeorge's post.  ;)
Avid Rabid Hobbyist
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2362
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #146 on: April 06, 2019, 12:54:03 pm »
Oh dear, seems you're also in Spain, Ireland and San Fran.   :clap:

I've never heard of this before. Care to explain?  :)
Study the code in RoGeorge's post.  ;)

That's no code, it's the result of a 'whois 88.218.37.64' search.  Each routable IPv4 is stored in IANA (Internet Assigned Numbers Authority) database, together with some public information about the owner of the routable IP.

For whatever reason, my DP800 disregards my manual setting for the DNS address, and instead it always shows the 88.218.37.64 as a DNS, which seems to be some computer from Madrid.  The company that has that computer with the IP 88.218.37.64 is 'Airbnb Ireland' from Dublin, and so on.

A DNS is used when a computer (in this case my DP832) wants to contact some other internet address by name.  Changing the DNS or enforcing a DNS other than the desired one can be the sign of a security breach.  I hope this is just a bug, and not a security threat.

Anybody with the latest FW and manual IP care to check the DP832 settings please? (to check press 'Utility' -> 'IO Config' -> 'LAN')
Do you have the DNS set to 88.218.37.64 after a power cycle, like this?

« Last Edit: April 06, 2019, 12:57:01 pm by RoGeorge »
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #147 on: April 06, 2019, 02:50:31 pm »
Anybody with the latest FW and manual IP care to check the DP832 settings please? (to check press 'Utility' -> 'IO Config' -> 'LAN')
Do you have the DNS set to 88.218.37.64 after a power cycle, like this?

I upgraded my DP832 to 1.16, and it is doing the same thing. The DNS is set to 88.218.37.64 when a "LAN connected" notification is shown. However, the value I've set is restored if I go back to the DNS settings. I noticed FW 1.14 changes the DNS as well, but it sets it to 0.0.0.0.

I took a quick look at a DG1032Z firmware I found somewhere. I think it's version 1.06. It has a very similar check for the same magic value at sector 0x78EC.

Could someone eager to hack (or brick) their DG1032Z send these commands to it, preferably via USB, and post the results here? The keyfile.bin I made for DP832 should work.
Code:
:PROJ:STAT MCALTIMES,QUERY
*IDN?
:PROJ:STAT MODEL,DG1062Z
*IDN?

The first command is just a sanity check. It should print CH1 = <some number>, CH2 = <some number>.
 
The following users thanked this post: WhichEnt2

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2362
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #148 on: April 06, 2019, 03:40:14 pm »
No DG1032Z here.

Tried it on a DG4102 instead, over LAN, and ':PROJ:STAT MCALTIMES,QUERY' doesn't seem to be recognized.  There is no reply over LAN, and the generator's screen shortly displays the message "Error generated by remote interface command!", which is the same message as the one displayed for any unrecognized SCPI command.  After that, *IDN? is working just fine.

Also tried ':PROJ:STAT MODEL,DG4162' with the same result.

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2362
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #149 on: April 06, 2019, 04:24:01 pm »
Tried it on DG4102 again, this time over USB, and the results are the same:  no SCPI response, only an error message displayed on the DG4102 screen as it would be an unrecognized command, "Error generated by remote interface command!".

Code:
~$ echo "*IDN?" > /dev/usbtmc1; cat /dev/usbtmc1
Rigol Technologies,DG4102,DG4E17xxxxxx3,00.01.12
cat: /dev/usbtmc1: Connection timed out
~$ echo ":PROJ:STAT MCALTIMES,QUERY" > /dev/usbtmc1; cat /dev/usbtmc1
cat: /dev/usbtmc1: Connection timed out
~$ echo "*IDN?" > /dev/usbtmc1; cat /dev/usbtmc1
Rigol Technologies,DG4102,DG4E17xxxxxx3,00.01.12
cat: /dev/usbtmc1: Connection timed out
~$ echo ":PROJ:STAT MODEL,DG4162" > /dev/usbtmc1; cat /dev/usbtmc1
cat: /dev/usbtmc1: Connection timed out
~$ echo "*IDN?" > /dev/usbtmc1; cat /dev/usbtmc1
Rigol Technologies,DG4102,DG4E17xxxxxx3,00.01.12
cat: /dev/usbtmc1: Connection timed out

~$ #power cycled the DG4102 here

~$ echo "*IDN?" > /dev/usbtmc1; cat /dev/usbtmc1
Rigol Technologies,DG4102,DG4E17xxxxxx3,00.01.12
cat: /dev/usbtmc1: Connection timed out
~$

USB drive formatted FAT32, then copied only the 'keyfile.bin', plugged in the DG4102 at all times.  When it was plugged in the first time, the USB drive was recognized just fine by the generator.
« Last Edit: April 16, 2019, 07:53:42 pm by RoGeorge »
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #150 on: April 06, 2019, 05:57:42 pm »
Tried it on DG4102 again, this time over USB, and the results are the same:  no SCPI response, only an error message displayed on the DG4102 screen as it would be an unrecognized command, "Error generated by remote interface command!".

That is to be expected if hidden commands are not enabled by whatever switch DG4102 is using.

I'm afraid my hack can't easily be modified for the DG4000 series. Doesn't it have a Blackfin CPU like most of the older Rigol products? If it does, it has to use a different RTOS also. I'm using Ghidra which can't disassemble Blackfin code, and reverse engineering parts of the OS would take significant amount of time anyway. Although, if they are using the same kind of manufacturing process for the DG4000 series, it would probably be enough to get the magic value and sector from the application code.

I was able to decode the command table of DG4000 firmware. It has a :PROJ:STAT command and some promising strings like MODEL and SN.

 

Offline rfspezi

  • Regular Contributor
  • *
  • Posts: 118
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #151 on: April 06, 2019, 07:03:33 pm »
In my opinion, the colours are not very well chosen concerning the combination of RGB pixel appearance to the human eye.
They appear too uneven in brightness when deactivated.

The combination I'd love to see is the font of the DP832A mode but other colours - even monochrome as in the DP832 mode would be ok.
Maybe the RGB values can be found and replaced in the binary.  ^-^
« Last Edit: April 06, 2019, 07:06:00 pm by rfspezi »
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #152 on: April 06, 2019, 07:48:36 pm »
The combination I'd love to see is the font of the DP832A mode but other colours - even monochrome as in the DP832 mode would be ok.
Maybe the RGB values can be found and replaced in the binary.  ^-^

I'm quite sure the color values can be found. The problem is that the firmware seems to be checksummed or signed. Earlier in this thread a simple string replacement of model names was tried, and the modified firmware would not be flashed. Even the checksum for flashing could probably be figured out, but if the bootloader has another check, your PSU might become bricked. Does anyone know if the firmware is flashed by the bootloader or the main firmware itself? It might be done by the bootloader based on the upgrade instructions.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #153 on: April 06, 2019, 07:58:08 pm »
tossu, I think it's the bootloader since the .GEL reference only appears in BL.

From my code analysis you discovered the USB_vendor_disk string that must be present in order for the commands to  change MODEL and/or SN to work, right?
 
The following users thanked this post: tossu

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #154 on: April 06, 2019, 08:43:05 pm »
From my code analysis you discovered the USB_vendor_disk string that must be present in order for the commands to  change MODEL and/or SN to work, right?

What's a USB_vendor_disk? I don't recognize that identifier. The only usb vendor disk thing I could find with Google was a reference in the MSO5000 hacking thread. I'm not at all familiar with that.

But yes, I discovered the value that must be present on a USB drive. Finding the value was easy. I spent more time than I'd like to admit decompiling the firmware before I took a look at MQX RTOS sources and found out that the value had to be on a USB drive.
« Last Edit: April 06, 2019, 08:49:53 pm by tossu »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #155 on: April 06, 2019, 08:50:51 pm »
There is another specimen of USB_vendor_disk that is recognized by other Rigol equipments. It possesses a specific XXTEA encrypted sector.

You've discovered a simpler one used on other equipment models. That was a big reversing job since the code is not obvious at all (I've just looked into it)!

Now, let's try and see which other models recognize this USB_disk.

Again, great job!


Edit: Just by looking at the .GEL file types, I would say that this method works, at least, for all

DP800 , DL3000 and DG1000(Z)
« Last Edit: April 15, 2019, 10:39:47 pm by tv84 »
 
The following users thanked this post: thm_w, tossu

Offline WhichEnt2

  • Regular Contributor
  • *
  • Posts: 98
  • Country: ru
Re: Need help hacking DP832 for multicolour option.
« Reply #156 on: April 06, 2019, 09:16:16 pm »
Could someone eager to hack (or brick) their DG1032Z send these commands to it, preferably via USB, and post the results here? The keyfile.bin I made for DP832 should work.
Would like to check it on DG1022Z as soon as it arrives.
Short pieces, high value, small period, huge amount, long delay.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #157 on: April 06, 2019, 09:20:01 pm »
I managed to reverse engineer the firmware and found a hidden command which can be used to change the model. Huge thanks to volkimel and tv84 for descrambling and parsing the firmware!

First, create a USB drive with magic value "80 DF 20 10 90 20 62 80" in sector 0x58E0. You can format a drive as FAT and copy keyfile.bin from the attached zip to it. The keyfile is filled with the magic pattern, and the chances are that it gets placed over the right sector.

After that, insert the drive to your DP832 and send the following SCPI command to it.
Code:
:PROJ:SET MODEL,DP832A

Reboot, and you should be greeted with a colorful display.

Tossu and TV84, I cannot thank you guys enough for your help with this project, along with everyone else who provided insight and tried helping in hacking this!    This was something I wanted for a very long time and just found out today that it was finally hacked!   THANK YOU GUYS SOOOOOO MUCH!!!!!!!!
 

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #158 on: April 06, 2019, 09:29:09 pm »
In my opinion, the colors are not very well chosen concerning the combination of RGB pixel appearance to the human eye.
They appear too uneven in brightness when deactivated.

The combination I'd love to see is the font of the DP832A mode but other colors - even monochrome as in the DP832 mode would be ok.
Maybe the RGB values can be found and replaced in the binary.  ^-^

THIS! As much as I like the DP832A font it would probably take some time to get used to the new yellow, purple and blue colors. A firmware hack with a different palette would be fantastic. What colors would you guys prefer to have instead? IMO plain white for all three channels would be nice  8)

 

Online TurboTom

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #159 on: April 06, 2019, 09:58:45 pm »
Actually, the choice of the color palette like it's been on the "non-A-configuration" but with the fonts / layout of the "A-classic" would be my favorite. Anyway, I'm happy the way it is right now.  :)


P.S. I've also been playing around with my DG4102 and the prepared USB disk. Same result as @RoGeorge. Also somewhat strange behavior of the LXI interface via telnet but that's probably the result of the completely different underlying hardware (BlackFin) compared to the DP800 series (i.MX28 processor).
« Last Edit: April 06, 2019, 10:13:49 pm by TurboTom »
 

Offline rfspezi

  • Regular Contributor
  • *
  • Posts: 118
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #160 on: April 06, 2019, 10:07:55 pm »
What colors would you guys prefer to have instead? IMO plain white for all three channels would be nice  8)

White would be my favourite too.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #161 on: April 06, 2019, 11:02:04 pm »
P.S. I've also been playing around with my DG4102 and the prepared USB disk. Same result as @RoGeorge. Also somewhat strange behavior of the LXI interface via telnet but that's probably the result of the completely different underlying hardware (BlackFin) compared to the DP800 series (i.MX28 processor).

Tom, I've got no indication that this might work on that BF machine. But, maybe there is a similar one...  ;)
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #162 on: April 06, 2019, 11:08:05 pm »
Just confirmed that the DL3000 is exactly as the DP800  (the disk sector is also 0x58E0). And same byte sequence.

Can anyone try a DL3000 to DL3000A conversion?

 

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #163 on: April 06, 2019, 11:15:29 pm »
Just confirmed that the DL3000 is exactly as the DP800  (the disk sector is also 0x58E0). And same byte sequence.

Can anyone try a DL3000 to DL3000A conversion?

There is a DL3000 at work which is rarely used. I may try applying the hack on Monday. Same procedure and SCPI command as on the DP832?
Should I update to the latest firmware version before applying the hack? And is there a real chance of bricking it?

EDIT:
It seems like a stock DL3021 can't use the LAN port without buying an upgrade. Is it possible to apply the SCPI command using RS-232?
« Last Edit: April 06, 2019, 11:30:15 pm by hansibull »
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #164 on: April 07, 2019, 01:40:18 am »
OK, I promised a write-up of my hacking process earlier. I've left out some things I did if they didn't end up anywhere, but feel free to skip the first part still. It's night already and I'm tired and writing in English. Not much can be expected. I finally got to it so here it comes!

Preliminary work

I started with a firmware version 1.14 descrambled with the method previously discovered in this thread. The first thing to do was of course to run binwalk and strings on it. Binwalk found a lot of ARM instructions and the entropy plot seemed sensible. I read the list of strings carefully and found some interesting: MODEL, FACTORYON, FACTORYOFF, MANUFACTUREON, MANUFACTUREOFF. They looked a lot like SCPI commands.

I tried a lot of plausible combinations like :SYSTEM:FACTORYON programmatically. I got just a bunch of false results because the SCPI server crashes easily and starts to do weird things.

I wanted to disassemble the firmware, and luckily the loading address had already been figured out. A search for references to those interesting string constants found something. One function, instead of its normal thing, sets a variable to 1 if parameter FACTORYON is passed to it while some condition is true. The function usually takes ON, 1, OFF or 0 as a parameter. The DP800 programming manual lists only a few of those. I tried all of them but those returned errors. That was very much expected. Following function calls for the condition would just find more and more complex code with indirect references.

At this point, I figured out I had been living under a rock, and there's a new decompiler called Ghidra. I wanted to try it so I redid all of my previous work with it. It didn't take much time at all, but neither did it help me any further. I started to look for other commands. I found one which can set a MODEL or SN, but it checks for the same condition before it does anything.

A dump of RAM would've helped me a lot, and there was a command for it. To use it, I had to get its name. The names were stored in a tree-like structure which had to be parsed. By chance I came across a simple Perl script for printing DS1054Z command structure. I quickly rewrote it in Python and had a list of commands on the first try. I modified it to print command IDs and conditional parts properly. The command list is attached if you want to have a look.

Now I could start dumping the memory with command :PROJect:MEMOry:READ?. Figuring out its parameters was easy with the help of a decompiler. The first kilobyte of the flash could be read with :PROJ:MEMO:READ? FLASH,0,1024 and it was sensible. To test it I dumped the flash. There was just the firmware I already had. Luckily the command could also read RAM by changing the first parameter. I tried to read the RAM but the output made no sense. I read the decompiled source again and was sure I was using the command right. Instead, the command either had a placeholder implementation or was missing a call to atoi. It read from the address of the second parameter instead of the numeric value and would just echo back the parameters. I had to do more static analysis without a memory dump.

Decompilation and a hack

The offset and the loading address of the firmware are known thanks to previous efforts in this thread. The array of pointers to command handlers is easy to find. Just find one handler with a known string and follow the cross references. Names of the commands are stored in another large structure which can be parsed with a script made for DS1054Z. It has pointers to all the command names and is easily found with xrefs.

The command handler which can change the model references strings MODEL and SN. The former is long enough to be found with any string search. The handler calls a function which does the USB drive check. Unless it returns zero, the handler does nothing and returns an error. A pointer to the command can be found by following xrefs back to the command handler array. Based on its index, name :PROJect:SET can be found from the command name structure.

The USB drive check function has many arbitrary values. By calling a second function, it does a memcpy-like operation of 8 bytes from 0x58E0 to an array in the stack and compares those against hard-coded constants. The second function has a pattern which looks very much like "allocate, read something, memcpy, free". At least the vectorized memcpy is easy to recognize.

The function which does the reading is unfortunately the most difficult to understand. It uses a lot of pointers and arbitrary values. It also has a slightly different style to it. This hints that it might be a part of an OS driver. Strings reveal that the firmware contains version 3.7 of MQX RTOS. Its sources are available, and they contain symbolic values for some of the immediate values used in the function. One, MFS_READ_FAULT, is used only in three places. One of those is function MFS_Read_device_sector. Its source matches the decompiler output perfectly. The last thing to do with the code is go back and get the 8 byte value from the disassembly. Some mental math has to be done to get endianness right.

When the value is written to the start of sector 0x58E0 of a USB drive, the command :PROJect:SET will work. I took the easy route and did the file copy trick. Mainly because I didn't bother to check if a valid file system is required or if it's sector 0x58E0 of the drive or a partition or something.

Afterthoughts

I think it took me three or four evenings of messing around with my DP832 in total. Most of it was spent trying to dump the memory and trying some things I've left out. It didn't help that I had never read ARM assembly or used Ghidra before. I think Ghidra is an excellent tool and in some ways better than a, um, free version of another interactive disassembler.

I've decompiled some of the other commands. The unit can be set to some factory mode with command :SYST:BEEP FACTORYON if the magic USB drive is inserted. In that mode the model can be set with :SYST:LOCK DP832A$, but I don't think it enables anything else. :DIGItal:IO commands seemed somewhat interesting by their name, but they don't seem to be doing anything.

The :PROJ:SET command should return OK but crashes the command line if it's sent via LAN. I think it's safer to test it via USB on other Rigol models. However, on DP832 it seems to be working quite well.
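
The "missing a call to atoi" behaviour described in the write-up above, modelled as an added example that is not part of the original post and is not Rigol's firmware code. The handler names, the 16-byte region and the "RAM,offset,length" argument layout are assumptions made for illustration; the second handler shows the parsed and bounds-checked form a debug read command should have.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_LEN    32
#define REGION_SIZE 16

/* Constructed stand-in for the memory the command is meant to expose. */
static const uint8_t region[REGION_SIZE] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0x10, 0x11, 0x12, 0x13,
    0x20, 0x21, 0x22, 0x23, 0x30, 0x31, 0x32, 0x33
};

/* Split "RAM,4,4" in place at the commas; returns the number of tokens. */
static int split_args(char *line, char *argv[], int max)
{
    int n = 0;
    char *p = line;
    while (n < max) {
        argv[n++] = p;
        p = strchr(p, ',');
        if (p == NULL)
            break;
        *p++ = '\0';
    }
    return n;
}

/* Strict decimal parse: digits only, no overflow, no trailing junk. */
static int parse_size(const char *s, size_t *out)
{
    char *end;
    unsigned long v;
    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Hypothetical buggy handler: the offset token is never converted, so the
 * pointer to its text is used as the source address. */
int mem_read_buggy(const char *args, uint8_t *out, size_t cap)
{
    char line[LINE_LEN] = {0};
    char *argv[3];
    size_t len, room;

    strncpy(line, args, sizeof line - 1);
    if (split_args(line, argv, 3) != 3)
        return -1;
    if (parse_size(argv[2], &len) != 0 || len > cap)
        return -1;
    room = (size_t)(line + sizeof line - argv[1]);
    if (len > room)
        len = room;                 /* clamp only so this demo stays defined */
    memcpy(out, argv[1], len);      /* BUG: copies the command text itself */
    return (int)len;
}

/* Hypothetical corrected handler: convert the offset, then check it and the
 * length against the region before copying. */
int mem_read_fixed(const char *args, uint8_t *out, size_t cap)
{
    char line[LINE_LEN] = {0};
    char *argv[3];
    size_t off, len;

    strncpy(line, args, sizeof line - 1);
    if (split_args(line, argv, 3) != 3 || strcmp(argv[0], "RAM") != 0)
        return -1;
    if (parse_size(argv[1], &off) != 0 || parse_size(argv[2], &len) != 0)
        return -1;
    if (len > cap || off > REGION_SIZE || len > REGION_SIZE - off)
        return -1;                  /* reject reads outside the region */
    memcpy(out, region + off, len);
    return (int)len;
}

int main(void)
{
    uint8_t buf[8];
    int i, n;

    n = mem_read_buggy("RAM,4,4", buf, sizeof buf);
    printf("buggy:");
    for (i = 0; i < n; i++) printf(" %02X", buf[i]);
    n = mem_read_fixed("RAM,4,4", buf, sizeof buf);
    printf("\nfixed:");
    for (i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("\nout of range: %d\n", mem_read_fixed("RAM,12,8", buf, sizeof buf));
    return 0;
}
```

The buggy handler returns the bytes of the argument text ('4', NUL, '4', NUL) instead of region contents, which matches the "echo back the parameters" symptom described in the post.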

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #165 on: April 07, 2019, 02:15:07 am »
There is another specimen of USB_vendor_disk that is recognized by other Rigol equipments. It possesses a specific XXTEA encrypted sector.

You've discovered a simpler one used on other equipment models. That was a big reversing job since the code is not obvious at all (I've just looked into it)!

It seems you got the hang of my hack pretty quickly before any explanation. I assume you got it figured out completely as you were able to check it for other models. Did the magic values help? What's the other specimen? Could you tell how you thought I did it? I haven't really read other Rigol hacking threads so I might be asking some stupid questions. If that's the case, please point me in the right direction.
 
The following users thanked this post: ppsilva

Offline WhichEnt2

  • Regular Contributor
  • *
  • Posts: 98
  • Country: ru
Re: Need help hacking DP832 for multicolour option.
« Reply #166 on: April 07, 2019, 07:29:16 am »
tossu, how do you look into DG1000Z firmware? I tried the python version of descrambler, but output is a complete mess, not anything readable in strings output at all.
Short pieces, high value, small period, huge amount, long delay.
 

Offline ealex

  • Frequent Contributor
  • **
  • Posts: 289
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #167 on: April 07, 2019, 07:37:46 am »
thanks for the hack.

quick hint for linux users: if you connect it via USB it will be detected as an usbtmcX device:
Code:
[38355.860413] usb 5-1.2: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 80, changing to 10
[38355.860415] usb 5-1.2: config 1 interface 0 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 64
[38355.860417] usb 5-1.2: config 1 interface 0 altsetting 0 bulk endpoint 0x3 has invalid maxpacket 64
[38355.861908] usb 5-1.2: New USB device found, idVendor=1ab1, idProduct=0e11, bcdDevice= 0.02
[38355.861909] usb 5-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[38355.861910] usb 5-1.2: Product: DP800 Serials
[38355.861912] usb 5-1.2: Manufacturer: Rigol Technologies.
[38355.861913] usb 5-1.2: SerialNumber: DP8C163953058
[38355.939460] usbcore: registered new interface driver usbtmc

it's a simple char device -> you can use echo and cat to access it:
Code:
# echo ":SYSTem:VERSion?" > /dev/usbtmc3
# cat /dev/usbtmc3
1999.0
^C^C^C^C
# echo ":PROJ:SET MODEL,DP832A" > /dev/usbtmc3

it works with a FAT16 partition on a newer USB stick - just make it the first partition on the stick
 
The following users thanked this post: Spork Schivago, WhichEnt2

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #168 on: April 07, 2019, 10:13:33 am »
It seems you got the hang of my hack pretty quickly before any explanation. I assume you got it figured out completely as you were able to check it for other models. Did the magic values help? What's the other specimen? Could you tell how you thought I did it? I haven't really read other Rigol hacking threads so I might be asking some stupid questions. If that's the case, please point me in the right direction.

You took advantage of my parsings but you deserve full credit for this discovery!  :clap:  (the main reason of my parsings is to allow the kind of work you did)

In the meantime, the method has been confirmed to work on DG1000Z (as expected, even with a different sector). Of course, I was only able to somewhat understand what you did based on the magic values that you published. Even after your explanation it is not something very easy to recreate without diving into the MQX toolchain.

The other specimen can be used, for example, in the DS1054Z and also in the MSO5000/7000 (it's for ARM only)

You can have a taste of it, here:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1473517/#msg1473517

Based on Rigol's known way of doing things, it was not hard to figure out what you had accomplished (even if you were not fully aware at the time). Without previous knowledge of Rigol hacks it's even more amazing!

Even the "brute-force" method of the file in the disk is poetry.  BTW , it wouldn't work in the other specimen because the sector is one of the disk reserved sectors.
 
The following users thanked this post: volkimel, tossu

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #169 on: April 07, 2019, 10:37:03 am »

In the meantime, the method has been confirmed to work on DG1000Z (as expected, even with a different sector).


Does DG1000Z work with same magic sector as DP800 or it is another one.. Syntax for a model command is the same I presume?
Thks!
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #170 on: April 07, 2019, 10:40:19 am »

In the meantime, the method has been confirmed to work on DG1000Z (as expected, even with a different sector).


Does DG1000Z work with same magic sector as DP800 or it is another one.. Syntax for a model command is the same I presume?
Thks!

It's a different sector but tossu file works also with that sector. Syntax should be the same.
 

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #171 on: April 07, 2019, 10:53:48 am »
Would this sort of hack work on the Rigol DG1022 (non Z) as well? I have a DG1022 on my bench and would love to turn it into a DG1022A.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #172 on: April 07, 2019, 11:17:13 am »
Would this sort of hack work on the Rigol DG1022 (non Z) as well? I have a DG1022 on my bench and would love to turn it into a DG1022A.

The FW is the same, right?  If so, I think it would but you are all on your own. I've done no tests since I don't have the equipment.

The test done was DG1022Z -> DG1062Z.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #173 on: April 07, 2019, 11:18:18 am »
DG1000Z doesn't work over telnet.. It hangs the AWG completely (not responsive to buttons)..
Will try over USB, installing UltraSigma..
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #174 on: April 07, 2019, 11:25:55 am »
Over USB on the first try all went well.. Even got OK\n response..
Reboot and it works..

And now only Arb16M   ::)

@tossu  premium work kudos.. thanks a bunch
and as always thanks to tv84..
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #175 on: April 07, 2019, 12:19:41 pm »
tossu, how do you look into DG1000Z firmware? I tried the python version of descrambler, but output is a complete mess, not anything readable in strings output at all.

It uses the same scrambling algorithm but a different starting value. I took advantage of the fact that firmwares usually have long strings of zeroes and those make distinctive patterns of increasing numbers. If the right value of just one byte is known, the offset can be calculated.

The FW is the same, right?  If so, I think it would but you are all on your own. I've done no tests since I don't have the equipment.

DG1022 is the old, DS1052E era function generator. I don't think it's going to work.
 
The following users thanked this post: Spork Schivago, WhichEnt2

Offline mleyden

  • Contributor
  • Posts: 18
  • Country: ie
Re: Need help hacking DP832 for multicolour option.
« Reply #176 on: April 07, 2019, 12:37:20 pm »
DG1022Z -> DG1062Z successful over LAN (using same USB stick that did my DP832 -> DP832A upgrade):

>telnet 192.168.1.XXX 5555
*IDN?
Rigol Technologies,DG1022Z,DG1ZA183______,03.01.12
:PROJ:STAT MODEL,DG1062Z
*IDN?
Rigol Technologies,DG1062Z,DG1ZA183______,03.01.12


Thanks!
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #177 on: April 07, 2019, 12:44:07 pm »
DG1000Z doesn't work over telnet.. It hangs the AWG completely (not responsive to buttons)..
Will try over USB, installing UltraSigma..

Maybe stupid question, but going to ask anyways. At least on the DP832, once you connect (or maybe once you send the first command) over telnet, the power supply locks out the buttons on the front panel. If you want to resume controlling the power supply from the front panel, you have to hit the back button first, which takes it out of remote command mode. Is it possible the DG1000Z is the same?
 

Offline WhichEnt2

  • Regular Contributor
  • *
  • Posts: 98
  • Country: ru
Re: Need help hacking DP832 for multicolour option.
« Reply #178 on: April 07, 2019, 12:47:10 pm »
DG1022Z -> DG1062Z successful over LAN (using same USB stick that did my DP832 -> DP832A upgrade):
Did you perform full range sweep to check whether it is somewhat flat on the extended range?
Short pieces, high value, small period, huge amount, long delay.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #179 on: April 07, 2019, 12:59:42 pm »
DG1000Z doesn't work over telnet.. It hangs the AWG completely (not responsive to buttons)..
Will try over USB, installing UltraSigma..

Maybe stupid question, but going to ask anyways. At least on the DP832, once you connect (or maybe once you send the first command) over telnet, the power supply locks out the buttons on the front panel. If you want to resume controlling the power supply from the front panel, you have to hit the back button first, which takes it out of remote command mode. Is it possible the DG1000Z is the same?
No it is not in remote mode. It blocks both on telnet connection (no response after command) and instrument non responsive... Can't press local to get it back. Reboot needed.

It is 2016 instrument , maybe something is downlevel.. DG1022Zs are new ones, maybe have new boot/OS portion...
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #180 on: April 07, 2019, 01:17:46 pm »
DG1022Z -> DG1062Z successful over LAN (using same USB stick that did my DP832 -> DP832A upgrade):
Did you perform full range sweep to check whether it is somewhat flat on the extended range?
My DG1032Z is pretty much dead flat to 60 MHz
 
The following users thanked this post: WhichEnt2

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #181 on: April 07, 2019, 08:44:15 pm »
In my opinion, the colors are not very well chosen concerning the combination of RGB pixel appearance to the human eye.
They appear too uneven in brightness when deactivated.

The combination I'd love to see is the font of the DP832A mode but other colors - even monochrome as in the DP832 mode would be ok.
Maybe the RGB values can be found and replace in the binary.  ^-^

THIS! As much as I like the DP832A font it would probably take some time to get used to the new yellow, purple and blue colors. A firmware hack with a different palette would be fantastic. What colors would you guys prefer to have instead? IMO plain white for all three channels would be nice  8)

A hack might not be needed.   It might be a good idea for someone to contact Rigol, someone who owns an official DP832A, to ask if they could implement the change?   Perhaps if enough people ask quick like, they might implement it for current DP832A users, and with this hack, it'd allow the palette change.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #182 on: April 07, 2019, 09:21:46 pm »
Over USB on the first try all went well.. Even got OK\n response..
Reboot and it works..

And now only Arb16M   ::)

@tossu  premium work kudos.. thanks a bunch
and as always thanks to tv84..

I don't understand.   How do you perform the hack over USB?   Isn't the USB port needed for the magic thumb drive?   Thanks!
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #183 on: April 07, 2019, 09:23:11 pm »
tossu, how do you look into DG1000Z firmware? I tried the python version of descrambler, but output is a complete mess, not anything readable in strings output at all.

It uses the same scrambling algorithm but a different starting value. I took advantage of the fact that firmwares usually have long strings of zeroes and those make distinctive patterns of increasing numbers. If the right value of just one byte is known, the offset can be calculated.

The FW is the same, right?  If so, I think it would but you are all on your own. I've done no tests since I don't have the equipment.

DG1022 is the old, DS1052E era function generator. I don't think it's going to work.

I always wondered how you figured out that starting value!!!!   That is smart, and good to know!   I wouldn't have thought of that.
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #184 on: April 07, 2019, 10:01:56 pm »
I don't understand.   How do you perform the hack over USB?   Isn't the USB port needed for the magic thumb drive?   Thanks!

Devices this hack applies to have two USB ports.

While comparing DP800 and DG1000Z firmwares, I found a string 586E719859AF6C obfuscated in the DG1000Z firmware. I think the corresponding string for DP800 is 5EC2D25AE85124. Those look very much like some encryption keys. Google finds one result for the DP800 string in the Rigol's I2C bus thread, but the DG1000Z one might be a new one. Maybe it can be used for something.

 
The following users thanked this post: Spork Schivago

Offline msquared

  • Contributor
  • Posts: 38
Re: Need help hacking DP832 for multicolour option.
« Reply #185 on: April 08, 2019, 12:31:33 am »
First I just want to give a HUGE THANK YOU to tossu. What an awesome way to "upgrade" a device.

So far I'm 3 for 3.
DP832 to DP832A all options enabled
DL3021 to DL3021A all options enabled
DG1032Z to DG1062Z still missing memory upgrade but output is flat out to 60MHz

All three were done over telnet using the same USB stick. It took me all of about 15 minutes to "upgrade" all 3 devices.

Thanks again.
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #186 on: April 08, 2019, 12:37:04 am »
This is far-fetched but there is code in the DG1000 firmware that sets a 16M memory related flag if the serial of the unit is "DG1ZA000000000". Command :PROJ:STAT SN,DG1ZA000000000 should be able to change the serial. I have no idea when that function is run but maybe it's worth a try.
 
The following users thanked this post: WhichEnt2

Offline msquared

  • Contributor
  • Posts: 38
Re: Need help hacking DP832 for multicolour option.
« Reply #187 on: April 08, 2019, 03:46:54 am »
That worked. The option is listed as "Trial" but I don't see a timer so maybe it'll last forever.

Thanks again!

Btw. If anyone is wondering it does require the "Special Key" to work.
 
The following users thanked this post: WhichEnt2

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #188 on: April 08, 2019, 10:20:19 am »
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
« Last Edit: April 08, 2019, 10:37:54 am by hansibull »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #189 on: April 08, 2019, 03:03:26 pm »
I think the corresponding string for DP800 is 5EC2D25AE85124.

That's the ECC public key of the DP832. Did you find any relation of that with the USB disk string?

With the public key 586E719859AF6C  you might upgrade riglol and generate the official license for Arb16M.

Then, it's just:

:LICense:INSTall 1234567890123456789012345678
« Last Edit: April 08, 2019, 04:58:23 pm by tv84 »
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #190 on: April 08, 2019, 07:16:09 pm »
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Are there any known hacks for the DL3000 series that allow LAN interface, or some other way to apply the hack without having to purchase any of the keys?   Just curious.   I couldn't find any, if they do exist.
 

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #191 on: April 08, 2019, 08:07:30 pm »
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default, the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Are there any known hacks for the DL3000 series that allow LAN interface, or some other way to apply the hack without having to purchase any of the keys?   Just curious.   I couldn't find any if they do exist.

Not that I'm aware of. But applying this hack does turn it into a DL3021A. And the A model has all option enabled, LAN too.
 
The following users thanked this post: Spork Schivago

Online TurboTom

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #192 on: April 08, 2019, 08:46:29 pm »
...still doesn't make the load any better...  :P

https://www.eevblog.com/forum/testgear/new-rigol-dc-load-d3000-series/msg1327086/#msg1327086

P.S. Interesting anyway that the hack is possible. Probably with a little hardware upgrade (some opamps and a few IRFP250's) a conversion to a DL3031A should also be within reach. So if you're sure you need a load only for high, slowly changing currents, this may be a good opportunity...
 
The following users thanked this post: Spork Schivago

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #193 on: April 08, 2019, 09:08:22 pm »
...still doesn't make the load any better...  :P

https://www.eevblog.com/forum/testgear/new-rigol-dc-load-d3000-series/msg1327086/#msg1327086

P.S. Interesting anyway that the hack is possible. Probably with a little hardware upgrade (some opamps and a few IRFP250's) a conversion to a DL3031A should also be within reach. So if you're sure you need a load only for high, slowly changing currents, this may be a good opportunity...

Whoa, I didn't know it was THAT terrible! I know the GUI is rather annoying (I'm still scratching my head every time I want to go to the main screen since there is no obvious back button) but this basically makes it useless for small loads. At work, we use it to stress test DC/DC converters and switchmode power supplies. So for this application, it's not really an issue. However, if I'd buy myself a DC load I would definitely get something more versatile than this.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #194 on: April 08, 2019, 09:19:54 pm »
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default, the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Are there any known hacks for the DL3000 series that allow LAN interface, or some other way to apply the hack without having to purchase any of the keys?   Just curious.   I couldn't find any if they do exist.

Not that I'm aware of. But applying this hack does turn it into a DL3021A. And the A model has all option enabled, LAN too.
Yeah, but to apply the hack, don't you at least need the LAN option active?   Or is the RS232 active without the need for a paid Option?   Thanks!
 

Offline hansibull

  • Regular Contributor
  • *
  • Posts: 89
  • Country: no
Re: Need help hacking DP832 for multicolour option.
« Reply #195 on: April 08, 2019, 09:24:09 pm »
I can confirm that this hack works with a bone stock Rigol DL3021 as well.
I used the exact same USB stick as I did on my DP832
By default, the LAN interface is an additional option you'll have to purchase. I ended up applying the hack using the RS232 interface.

I didn't bother installing Ultra Sigma, so I just used an ASCII based serial monitor instead.
Default baud rate: 9600, 8 data bits, 1 stop bit, no parity, no hardware handshake
Just remember that you need to add CR LF as line ending

Code:
:PROJ:SET MODEL,DL3021A
After the hack was applied all options were now available.

Are there any devices left that this hack would possibly work on?
Are there any known hacks for the DL3000 series that allow LAN interface, or some other way to apply the hack without having to purchase any of the keys?   Just curious.   I couldn't find any if they do exist.

Not that I'm aware of. But applying this hack does turn it into a DL3021A. And the A model has all option enabled, LAN too.
Yeah, but to apply the hack, don't you at least need the LAN option active?   Or is the RS232 active without the need for a paid Option?   Thanks!

The RS232 interface can be used on a stock DL3021. However, I did have to make myself a crossed gender changer because I didn't have a female-female DB9 cable.
 
The following users thanked this post: Spork Schivago

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #196 on: April 09, 2019, 04:43:59 pm »
Did anybody ever buy MEM-DG1000Z Memory Option (16Meg AWG upgrade)  for DG1000Z?
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #197 on: April 09, 2019, 05:13:12 pm »
just a short note for those who are "upgrading" to a DP832A. I had a very old firmware revision (1.04) on my DP832. With this old firmware, the hack was not working. I then updated to 1.16 (first 1.11. then 1.16) and then the hack worked.
However, somewhere during this process my DP832 lost all the calibration, thus a complete re-calibration (Edit: can be done by yourself, see here: https://www.eevblog.com/forum/testgear/rigol-dp832-firmware-updates-and-bug-list/) was needed. Though this calibration procedure takes a while, so make sure you have enough time in case this happens to you too.
« Last Edit: April 09, 2019, 09:08:33 pm by Pinkus »
 
The following users thanked this post: Spork Schivago, RoGeorge

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #198 on: April 09, 2019, 05:45:20 pm »
My DP831 was 1.14 and kept calibration going to 1.16
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 2362
  • Country: ro
Re: Need help hacking DP832 for multicolour option.
« Reply #199 on: April 09, 2019, 08:48:31 pm »
just a short note for those who are "upgrading" to a DP832A. I had a very old firmware revision (1.04) on my DP832. With this old firmware, the hack was not working. I then updated to 1.16 (first 1.11. then 1.16) and then the hack worked.
However, somewhere during this process my DP832 lost all the calibration, thus a complete re-calibration was needed. This takes a while, so make sure you have enough time in case this happens to you too.

Mine didn't lose the calibration when upgraded from DP832 to DP832A, but the firmware was already at 1.14.

Couldn't find the info in the DP800 User Manual, it says to contact Rigol.
What is the password and the procedure for DP800 manual calibration, please?
« Last Edit: April 16, 2019, 07:52:45 pm by RoGeorge »
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2537
  • Country: hr
Re: Need help hacking DP832 for multicolour option.
« Reply #200 on: April 09, 2019, 09:06:10 pm »
just a short note for those who are "upgrading" to a DP832A. I had a very old firmware revision (1.04) on my DP832. With this old firmware, the hack was not working. I then updated to 1.16 (first 1.11. then 1.16) and then the hack worked.
However, somewhere during this process my DP832 lost all the calibration, thus a complete re-calibration was needed. This takes a while, so make sure you have enough time in case this happens to you too.

Mine didn't lose the calibration when upgraded from DP832 to DP832, but the firmware was already at 1.14.

Couldn't find the info in the DP800 User Manual, it says to contact Rigol.
What is the password and the procedure for DP800 manual calibration, please?


2012
 
The following users thanked this post: Spork Schivago, RoGeorge

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #201 on: April 09, 2019, 09:16:31 pm »
Quote
Couldn't find the info in the DP800 User Manual, it says to contact Rigol.
What is the password and the procedure for DP800 manual calibration, please?
I added a link in my post above. See at the first page of the link, there are links to the calibration procedure.  The automatic calibration by a python script (if you have a SCPI/LXI ready-DMM available) is using the password "11111"; for the manual calibration "2012" will be the correct one.
Though I tried the manual calibration first and was annoyed quickly about the long and pesky procedure. I then used the python script posted several times here in the forum (e.g. see link above). Instead of manually reading and entering the numbers for two hours I decided to dig into the python stuff (which took longer than 2 hours ... but I learned something new by this, so it was worth it).
« Last Edit: April 09, 2019, 09:18:02 pm by Pinkus »
 
The following users thanked this post: Spork Schivago, RoGeorge

Online _Wim_

  • Frequent Contributor
  • **
  • Posts: 822
  • Country: be
Re: Need help hacking DP832 for multicolour option.
« Reply #202 on: April 10, 2019, 03:54:50 pm »
I took a quick look at a DG1032Z firmware I found somewhere. I think it's version 1.06. It has a very similar check for the same magic value at sector 0x78EC.

Could someone eager to hack (or brick) their DG1032Z send these commands to it, preferably via USB, and post the results here? The keyfile.bin I made for DP832 should work.

:PROJ:STAT MCALTIMES,QUERY
*IDN?
:PROJ:STAT MODEL,DG1062Z
*IDN?

I can do this, but only next week.
« Last Edit: April 10, 2019, 03:58:58 pm by _Wim_ »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #203 on: April 10, 2019, 05:10:46 pm »
I think it's better to not mess with:

:PROJ:STAT MCALTIMES,QUERY

Just do the:

:PROJ:STAT MODEL,DG1062Z

And you'll have a new model!
 

Online _Wim_

  • Frequent Contributor
  • **
  • Posts: 822
  • Country: be
Re: Need help hacking DP832 for multicolour option.
« Reply #204 on: April 10, 2019, 07:18:55 pm »
I think it's better to not mess with:

:PROJ:STAT MCALTIMES,QUERY

Just do the:

:PROJ:STAT MODEL,DG1062Z

And you'll have a new model!

Thanks. I will give this a try when I am back at home.
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2156
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #205 on: April 10, 2019, 08:27:58 pm »
has anybody tried this on the scopes?

on the ds1000z series, it may be useful in the future to switch it to the MSO variant.
also, although i'm not sure, it was the case that Riglol didn't work on the 2000 and 4000 series.
 
The following users thanked this post: Spork Schivago

Online TurboTom

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #206 on: April 10, 2019, 08:38:51 pm »
I doubt that the hack will work on DS/MSO 2000 and 4000 platforms since these are based on Blackfin DSPs (just like the DG4000) and not the iMX SOCs that are used in the machines that are apparently/proven to be hackable with the described approach. Yet, turning the DS1000Z into an MSO may appear attractive to some, especially since there is this parallel thread approaching a "DIY" probe adapter for the MSO1000Z and MSO5000 platforms.

Cheers,
Thomas
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #207 on: April 10, 2019, 10:09:51 pm »
has anybody tried this on the scopes?

on the ds1000z series, it may be useful in the future to switch it to the MSO variant.
also, although i'm not sure, it was the case that Riglol didn't work on the 2000 and 4000 series.

It's almost guaranteed that you can convert a DS1000Z into a MSO but, in the end, you need the additional HW.

They use the same FW, although each one uses a different licensing scheme/functions. But both methods are present in the FW.

Of course you would have to flash a key_block into the DS in order for it to behave as a MSO. Remember all the "rigup machines" take their private keys from a block that's in their flash.

As the DS doesn't have that block, you would have to create it besides "changing model".

It could be that the simple insertion of the key_block (in the flash) is the trigger to a model change!

 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #208 on: April 12, 2019, 01:36:44 pm »
Out of curiosity, what does the :PROJ:STAT MCALTIMES,QUERY command do?   I searched the net and all I could find was something from this thread on page 7 that has been edited or is missing for some other reason.   Google Cache was no help.

Does it query calibration times?   What's the M for I wonder?  Also, why would that command be a bad idea to run?
 

Offline WhichEnt2

  • Regular Contributor
  • *
  • Posts: 98
  • Country: ru
Re: Need help hacking DP832 for multicolour option.
« Reply #209 on: April 12, 2019, 01:52:30 pm »
I searched the net and all I could find was something from this thread on page 7 that has been edited or is missing for some other reason.   Google Cache was no help.
I bet it's the last post on page 6 that has been moved from page 7 by someone deleting a post somewhere in the thread.
Compare its contents: cat: /dev/usbtmc1: Connection timed out ~$ echo ":PROJ:STAT MCALTIMES,QUERY" vs https://www.eevblog.com/forum/testgear/need-help-hacking-dp832-for-multicolour-option/msg2324442/#msg2324442
Short pieces, high value, small period, huge amount, long delay.
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #210 on: April 12, 2019, 02:39:46 pm »
Out of curiosity, what does the :PROJ:STAT MCALTIMES,QUERY command do?   I searched the net and all I could find was something from this thread on page 7 that has been edited or is missing for some other reason.   Google Cache was no help.

Does it query calibration times?   What's the M for I wonder?  Also, why would that command be a bad idea to run?

It just prints the values of two variables. I'd guess it's counting how many times a manual calibration is done. I don't see why running the command would break anything but it would be completely unnecessary. People had problems upgrading their DG1000Z's, so I wanted to see if the :PROJ:STAT command would work at all. That post was by no means intended to be a guide.
 

Offline WhichEnt2

  • Regular Contributor
  • *
  • Posts: 98
  • Country: ru
Re: Need help hacking DP832 for multicolour option.
« Reply #211 on: April 15, 2019, 04:29:21 pm »
With the public key 586E719859AF6C  you might upgrade riglol and generate the official license for Arb16M.
Doesn't it require additional research for obtaining option code(s) from firmware?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #212 on: April 15, 2019, 05:07:57 pm »
Doesn't it require additional research for obtaining option code(s) from firmware?

Arb16M option code is JBNE.
 
The following users thanked this post: WhichEnt2

Offline WhichEnt2

  • Regular Contributor
  • *
  • Posts: 98
  • Country: ru
Re: Need help hacking DP832 for multicolour option.
« Reply #213 on: May 01, 2019, 01:45:21 pm »
With the public key 586E719859AF6C  you might upgrade riglol and generate the official license for Arb16M.
Looks like this task is not just too straight and involves recovering private key from a public key.
 

Offline BLF Lexel

  • Contributor
  • Posts: 9
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #214 on: May 02, 2019, 07:11:02 am »
I got the problem getting a connection with my DP811

I can ping it at 192.168.178.22 but when I use Telnet on port 5555 I get no connection

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\system32>ping 192.168.178.22

Ping wird ausgeführt für 192.168.178.22 mit 32 Bytes Daten:
Antwort von 192.168.178.22: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.178.22: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.178.22: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.178.22: Bytes=32 Zeit<1ms TTL=64

Ping-Statistik für 192.168.178.22:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

C:\Windows\system32>telnet 192.168.178.22 5555
Verbindungsaufbau zu 192.168.178.22...Es konnte keine Verbindung mit dem Host he
rgestellt werden, auf Port 5555: Verbindungsfehler
« Last Edit: May 02, 2019, 07:43:31 am by BLF Lexel »
 

Offline BLF Lexel

  • Contributor
  • Posts: 9
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #215 on: May 02, 2019, 08:30:54 am »
I get no connection
I also installed IVI and tried USB
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 4340
  • Country: nl
Re: Need help hacking DP832 for multicolour option.
« Reply #216 on: May 02, 2019, 08:38:29 am »
I think the interfaces are optional for the DP811, same as DP832?
Keyboard error: Press F1 to continue.
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 650
Re: Need help hacking DP832 for multicolour option.
« Reply #217 on: May 02, 2019, 08:51:34 am »
Quote
I think the interfaces are optional for the DP811, same as DP832?
Exactly what I thought: did you enable the options before (especially Rigol DP8-INTERFACE)?
 

Offline BLF Lexel

  • Contributor
  • Posts: 9
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #218 on: May 02, 2019, 11:17:19 am »
just RS232 is unofficial with Riglol rest is enabled
 

Offline BLF Lexel

  • Contributor
  • Posts: 9
  • Country: de
Re: Need help hacking DP832 for multicolour option.
« Reply #219 on: May 09, 2019, 12:58:31 pm »
I revived a very old PC in basement and now got my
DP811
DP832
and new DG1022Z
fully upgraded

seems my network did not like Telnet at all
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #220 on: May 15, 2019, 12:05:20 pm »
That's wonderful news! :-+
Thanks a lot for putting in the effort and sharing it, tossu!
I had almost given up on this, because the last bit of disassembly skills are missing!
And now, after a while not looking at it, huge progress was made!

Of course I had to try it out and it worked a treat. Got a DP832A with all options now!  :)

Used a rather old SanDisk Cruzer mini 512MB USB stick and connected with PuTTY via LAN. Really, really simple!

The software on my DP832 was and is still 00.01.13.00.01. This will change now as well.
Thanks to everyone who spent time and effort on this topic!

Cheers!
 

Offline Smokey

  • Super Contributor
  • ***
  • Posts: 1613
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #221 on: May 21, 2019, 02:05:38 am »
...I wonder if the random reboots that DP832 owners suffer from for absolutely no rhyme or reason will vanish when software converting to a DP832A...

I had the random reboot problem and sent the thing in for repair.  They replaced boards, so I'd doubt it's purely a software issue that you can fix like this.  Bummer.
 

Offline starec

  • Contributor
  • Posts: 5
  • Country: sk
Re: Need help hacking DP832 for multicolour option.
« Reply #222 on: May 24, 2019, 11:40:24 am »
With the public key 586E719859AF6C  you might upgrade riglol and generate the official license for Arb16M.
Doesn't it require additional research for obtaining option code(s) from firmware?

i've calculated the private key for you: 7412E98108CAB0
but it isn't so straight to generate license using riglol because of slightly modified algorithms used in DG1000Z

 
The following users thanked this post: thm_w

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #223 on: May 24, 2019, 03:49:44 pm »
slightly modified algorithms used in DG1000Z

= riglol 1.03d
 

Offline starec

  • Contributor
  • Posts: 5
  • Country: sk
Re: Need help hacking DP832 for multicolour option.
« Reply #224 on: May 24, 2019, 04:33:22 pm »
= riglol 1.03d
Ok, this one is almost working. You need, however, to change some things:
B32 alphabet - ascii_map[] = "MNBVCXZASDFGHJKLPUYTREWQ23456789"
and arrays in fn format_license_dp832_109 as follows
    const int map1[] = {3, 0xE, 0x13, 9, 0x1A, 5, 7, 0x11, 0xC, 0x18, 6, 0x16};
    const int map2[] = {4, 0xB, 0x10, 0x17, 0, 8, 0x14, 0x1B, 2, 0xD, 0xF, 0x15};
    const int map3[] = {1, 0xA, 0x12, 0x19};
 

Offline Trident900fi

  • Contributor
  • Posts: 12
  • Country: fr
Re: Need help hacking DP832 for multicolour option.
« Reply #225 on: May 26, 2019, 09:41:00 am »
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depends on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
It will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That's all  :D

 
The following users thanked this post: core

Offline Wintel

  • Contributor
  • Posts: 18
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #226 on: May 26, 2019, 07:29:44 pm »
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depends on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
It will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That's all  :D

Can hack the DC Load DL3021 to DL3031A?  Like the DG811 to DG992?

 

Offline Trident900fi

  • Contributor
  • Posts: 12
  • Country: fr
Re: Need help hacking DP832 for multicolour option.
« Reply #227 on: May 26, 2019, 10:11:25 pm »
To update your Rigol DL3021 to DL3021A, here is the complete procedure, without the need of buying the LAN option...
You need:
-Computer with RS232 port
-USB stick formatted in FAT32 with the file keyfile.bin from Tossu (many thanks for the hack !)
-Cross cable RS232 female-female (2->3; 3->2; 5->5)
-Free software Termite from Compuphase (https://www.compuphase.com/software_termite.htm)

Connect everything together. Start the computer first and launch Termite.
Termite Serial port settings:
-Port COM1 (depends on your computer)
-Baud rate 9600
-Data bits 8
-Stop bits 1
-Parity none
-Flow control none
-Forward none
-Transmitted text Append CR-LF

Turn on the DL3021
To check the connection, you can try to type *IDN? in the Termite command line.
It will return the model of your device.
Type in Termite :PROJ:SET MODEL,DL3021A
That's all  :D

Can hack the DC Load DL3021 to DL3031A?  Like the DG811 to DG992?
No, it's not possible, it's not the same hardware inside...
Maybe, if you add the missing components  ;)
 

Offline joad

  • Newbie
  • Posts: 4
  • Country: se
Re: Need help hacking DP832 for multicolour option.
« Reply #228 on: June 01, 2019, 06:13:59 pm »
Where do I find the script for extracting all scpi commands like on the DP 800 "dp800_all_commands.txt"

I'm looking for scpi commands for calibrating the DL3000.
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #229 on: June 06, 2019, 07:52:53 pm »
Where do I find the script for extracting all scpi commands like on the DP 800 "dp800_all_commands.txt"

I'm looking for scpi commands for calibrating the DL3000.

There is no fully automated script unless someone else has made one.

Here is a list of commands I have extracted from some version of the DL3000 firmware. There seems to be a bunch of calibration related commands. I hope you will find those useful.
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #230 on: June 07, 2019, 03:11:26 pm »
This isn't working for me, I tried 2 different USB drives, formatted FAT32 with just the xxx.bin file on them and my gear says it sees a USB drive.

I am directly connected by LAN and can see my DP832 and DG1022Z in RigolBildschirmkopie after search, I can select them then connect to with the SCPI Command terminal, issue the *IDN? command to them and see the expected response when I hit [Send & Receive] but when I try to send :PROJ:SET MODEL,DP832A/DG1062Z, in both cases I get a response of...

"There was an error when sending the SCPI command" and after that, the device I just tried to send the :PROJ:SET MODEL,XXXX command to is not seen in RigolBildschirmkopie after search until I cycle power.

I tried using telnet via an admin-level windows powershell (Win 10) but that hangs after I type "telnet 10.0.0.xxx 5555".

Any ideas?
If at first you don't succeed, get a bigger hammer
 

Offline PeDre

  • Regular Contributor
  • *
  • Posts: 102
  • Country: at
    • Private Website
Re: Need help hacking DP832 for multicolour option.
« Reply #231 on: June 07, 2019, 03:21:31 pm »
"There was an error when sending the SCPI command" and after that, the device I just tried to send the :PROJ:SET MODEL,XXXX command to is not seen in RigolBildschirmkopie after search until I cycle power.

This error is displayed if the device does not confirm that it has received the command. Unfortunately the Rigol devices do not comply with the VXI (LAN) and USBTMC standard.
In this case the command was sent correctly.

Peter
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #232 on: June 07, 2019, 03:41:21 pm »
"There was an error when sending the SCPI command" and after that, the device I just tried to send the :PROJ:SET MODEL,XXXX command to is not seen in RigolBildschirmkopie after search until I cycle power.

This error is displayed if the device does not confirm that it has received the command. Unfortunately the Rigol devices do not comply with the VXI (LAN) and USBTMC standard.
In this case the command was sent correctly.

Peter
Thanks for the reply but the device is not changed to the new model?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #233 on: June 07, 2019, 03:49:36 pm »
Any ideas?

Try linux to send the command.
 

Online _Wim_

  • Frequent Contributor
  • **
  • Posts: 822
  • Country: be
Re: Need help hacking DP832 for multicolour option.
« Reply #234 on: June 07, 2019, 03:56:58 pm »
Thanks for the reply but the device is not changed to the new model?

For the DG1062, the command is :PROJ:STAT MODEL,DG1062Z  (not SET, but maybe both work). I seem to remember I had to put a space between model and the modelnumber :PROJ:STAT MODEL, DG1062Z
 

Online _Wim_

  • Frequent Contributor
  • **
  • Posts: 822
  • Country: be
Re: Need help hacking DP832 for multicolour option.
« Reply #235 on: June 07, 2019, 04:00:32 pm »
Any ideas?

Are you sure you can see the contents of the USB key from the Rigol device? You can try to save a file to the key first to ensure you can correctly read the usb key (the Rigol devices are very picky about the USB keys)
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #236 on: June 07, 2019, 04:45:20 pm »
Any ideas?

Are you sure you can see the contents of the USB key from the Rigol device? You can try to save a file to the key first to ensure you can correctly read the usb key (the Rigol devices are very picky about the USB keys)
I tried to save a file to the USB drive on the DP832 and it worked just fine.
I tried the :PROJ:STAT MODEL, DG1062Z command via RigolBildschirmkopie and it gave the same error.

I might have suspected firmware upgrade differences but it seems unlikely I'd get the same issue on both if device itself were the problem and the DG1022Z and the DP832 are pretty recently updated (not quite the latest).

Maybe it's the USB drive.  Is there some way I can check that the keyfile.bin file is in the correct location?
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #237 on: June 07, 2019, 05:00:42 pm »
When I send :PROJ:STAT MODEL, DG1062Z to the DG1022Z it (briefly) says on the DG1022Z screen
"error generated by remote interface command"
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #238 on: June 07, 2019, 05:04:18 pm »
Any ideas?

Try linux to send the command.
I'm running up my (old) Ubuntu 16.04 laptop up, what do I need to run to get to the place where I can send a SCPI command to the Rigols?  I'm not a Linux person.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #239 on: June 07, 2019, 05:06:00 pm »
Any ideas?

Try linux to send the command.
I'm running up my (old) Ubuntu 16.04 laptop up, what do I need to run to get to the place where I can send a SCPI command to the Rigols?  I'm not a Linux person.

You telnet to 10.0.0.xxx 5555 and write the command directly.
« Last Edit: June 08, 2019, 08:53:52 am by tv84 »
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #240 on: June 07, 2019, 05:22:34 pm »
I get into Ubuntu terminal with Ctl-Alt-T and get to a command prompt, it didn't recognize telnet

So I tried sudo apt-get install xinetd telnetd and it prompted me for password then it says...

"Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?"

As I said, I'm not a Linux person

[EDIT] I got past that, I was able to run sudo apt-get install -y xinetd telnetd

and it seemed to work but now I can't get telnet to run when I try to...

telnet 10.0.0.128:5555 I get

"could not resolve 10.0.0.128:5555: name or service not known"

I tried rebooting
« Last Edit: June 07, 2019, 07:14:37 pm by Gandalf_Sr »
 

Offline smithnerd

  • Regular Contributor
  • *
  • Posts: 104
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #241 on: June 08, 2019, 04:24:10 am »
Replace the colon with a space:

Code:
telnet 10.0.0.128 5555
host:port is a common convention for many UNIX tools, but not telnet (it is ancient).
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1435
  • Country: pt
Re: Need help hacking DP832 for multicolour option.
« Reply #242 on: June 08, 2019, 08:48:41 am »
host:port is a common convention for many UNIX tools, but not telnet (it is ancient).

My bad!  |O   (addicted to automatic logins...)


Assuming that the IP of your DG is 10.0.0.128, do:

"nmap -p- 10.0.0.128" in the linux prompt
« Last Edit: June 08, 2019, 08:56:03 am by tv84 »
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #243 on: June 08, 2019, 02:16:49 pm »
OK, so I can telnet to the DP832 from Linux.

nmap -p- 10.0.0.128 gives the following open ports... 80,111,617,618,619,555 all /tcp and the line for 5555 is...

5555/tcp open  freeciv

I can "telnet 10.0.0.128 5555" and get a message saying "connected to 10.0.0.128"

I can issue *IDN? and get the expected response but when I issue the command ":PROJ:SET MODEL,DP832A" the screen of the DP832 flashes up a box saying "remote command incorrect" and there's no response on the telnet terminal.

Tried 2 different USB drives (still may be the issue) and I tried putting the USB drive(s) in before and after boot up.
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #244 on: June 08, 2019, 02:21:39 pm »
Trying the DG1022Z I can telnet to it and issue the ":PROJ:STAT MODEL,DG1062Z" command but again, the screen pops up with an "error generated by remote interface command" pop up message
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #245 on: June 08, 2019, 02:40:14 pm »
OK, all issues solved!

The problem was the USB drive; I tried a 3rd drive, an old Verbatim 2GByte drive - I don't know if this was a cause of my problems but when I formatted the other 2 drives from Windows 10 Explorer, the allocation unit size was set to 4096 and when I formatted the Verbatim, I changed it to "Default Allocation Size" and gave the drive a volume label of "Rigol"; then I copied the single keyfile.bin file to it.

I plugged it in while the equipment was still running and went through all the previous steps in Ubuntu terminal and this time I got no error messages on the PSU or AWG and no response on the telnet terminal after issuing the :PROJ:SET/STAT commands but the *IDN? command revealed that the changes had been successfully applied, in the case of the DP832(A), it needed a reboot before it would respond.

I used the :PROJ:STAT to do the DG1022Z and :PROJ:SET to do the DP832, no space was needed after the comma e.g.
:PROJ:STAT MODEL,DG1062Z works fine

Thanks for all the help guys :D
« Last Edit: June 08, 2019, 06:43:45 pm by Gandalf_Sr »
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 14901
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #246 on: June 08, 2019, 11:00:50 pm »
Confirmed another DG1022Z upgraded to DG1062Z





Hardware is definitely ok. Flat response to 60MHz. Couldn't get USB stick to work properly to start with. Used diskpart to create a 2Gb partition at the start of the USB disk and formatted it FAT32 quick, then added keyfile.bin. Telnet did SFA other than throw errors. Assumed it was windows' telnet client being crap so I knocked up a small C# program to send the command:

Code:
using System;
using System.IO;
using System.Net.Sockets;

class Program
{
    static void Main(string[] args)
    {
        using (var client = new TcpClient("192.168.178.31", 5555))
        using (var networkStream = client.GetStream())
        using (var writer = new StreamWriter(networkStream))
        using (var reader = new StreamReader(networkStream))
        {
            writer.AutoFlush = true;
            writer.Write(":PROJ:STAT MODEL,DG1062Z\n");
            Console.WriteLine(reader.ReadLine());
        }
    }
}

Bingo! Big thanks to the reverse engineers  :-+
 

Offline 1anX

  • Regular Contributor
  • *
  • Posts: 190
  • Country: au
Re: Need help hacking DP832 for multicolour option.
« Reply #247 on: June 09, 2019, 12:13:39 am »
Can you please detail how to use the C program to hack the DG1022Z.
I have a DG1022Z unit that I would love to run at 60MHz.
Just need a sequence of (simple) steps I can follow to get there. Any help much appreciated!
 

Offline FuzzyOtter

  • Contributor
  • Posts: 14
  • Country: ca
Re: Need help hacking DP832 for multicolour option.
« Reply #248 on: June 09, 2019, 04:13:12 am »
Long time listener, first time caller. Massive thanks to tossu for sharing his efforts here and helping the rest of us. I bought myself a DP832 some time ago and while it's been a fantastic bench supply, I was annoyed that it lacked the multi-colour display abilities of its big brother. Your discovery is exactly what I was hoping for! I was able to apply the change quickly and easily. It's a relatively minor quality of life improvement, but it has made the power supply feel complete!

I wanted to share a few notes for others just in case anyone gets snagged up:

  • The USB drive must be formatted as FAT, not FAT32 or exFAT. On Windows, USB sticks with a partition size over 4GB in size will not show "FAT" in the possible format options. To get around this, you can use Windows' Disk Management utility (Run "diskmgmt.msc" from a Run dialog or type it in the Start menu) to delete the single large partition, and then create a new one 3.5GB or smaller. This will let you format it as FAT. I have no small USB sticks kicking around and was forced to do this, and I can confirm it works just fine.
  • I could not get the Windows telnet client to work... it would sit on the "Connecting to..." stage forever. The DP832 was pingable on the network, and the IP address + port was correct, so I am not sure what the issue was. I ended up using PuTTY to connect via telnet and issue the SCPI command, which worked perfectly.
  • All of the licenses that I applied before this modification were still there afterwards.

Thank you again!
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #249 on: June 09, 2019, 12:01:25 pm »
Can you please detail how to use the C program to hack the DG1022Z.
I have a DG1022Z unit that I would love to run at 60MHz.
Just need a sequence of (simple) steps I can follow to get there. Any help much appreciated!
What forms of computer do you own?  There are only 2 'challenges':

1. Get an (old) USB stick formatted correctly
2. Get some form of telnet communicating with your DG1022Z via LAN (or maybe USB).

You can Google telnet and find all sorts of options - Windows 10 command prompt worked for me after adding telnet to Windows, but it's sort of clunky as there are no success messages after typing telnet <IP_address> 5555 (e.g. 10.0.0.123 5555); you just see a blank screen. Once you have telnetted to your DG1022Z, try the *IDN? command and you should see a line of information returned like...

Rigol Technologies,DG1022Z,DG1ZAxxxxxxxxx,03.01.12

If you get this far, all you have to do is create and plug in the correctly formatted USB stick to the front of your DG1022Z and issue the command...

:PROJ:STAT MODEL,DG1062Z

If you're successful, you will get no response over telnet and there will be no messages on the screen of the DG1022Z.
If you see an "error generated by remote interface command" briefly popping up on the DG1022Z screen, then you probably have an issue with your USB drive.

How to create the USB stick and how to telnet are covered in multiple places in this thread.

One thing I've noticed is that saved configurations through the store>browser menu won't load after upgrade, failing with an 'incorrect format' message.  You have to recreate and resave over the old stored info and then it works, so some may want to take pictures of their saved configs.
« Last Edit: June 09, 2019, 12:05:28 pm by Gandalf_Sr »
If at first you don't succeed, get a bigger hammer
 
The following users thanked this post: fivefish
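The *IDN? connectivity check described in the post above, as an added example (not code from this thread or from Rigol). It uses a raw TCP socket with a timeout instead of a telnet client, so a hung connection becomes an error instead of a blank screen. The function names, the newline terminator and the local stand-in instrument are assumptions made for the example; port 5555 and the sample reply are taken from the post.

```python
import socket
import threading

def parse_idn(reply: str) -> dict:
    """Split a SCPI *IDN? reply into its four comma-separated fields."""
    fields = [f.strip() for f in reply.strip().split(",")]
    if len(fields) != 4:
        raise ValueError(f"unexpected *IDN? reply: {reply!r}")
    return dict(zip(("manufacturer", "model", "serial", "firmware"), fields))

def query_idn(host: str, port: int = 5555, timeout: float = 3.0) -> dict:
    """Open a raw TCP socket, send *IDN?, and return the parsed reply.

    The instrument sends no banner on connect, so silence after connecting
    is normal; the timeout turns a hung connection into an exception.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"*IDN?\n")  # newline terminator is an assumption
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = sock.recv(256)
            if not chunk:  # peer closed before sending a full line
                break
            buf += chunk
    return parse_idn(buf.decode("ascii", errors="replace"))

def _fake_instrument(server: socket.socket, reply: bytes) -> None:
    """Constructed stand-in for the instrument: answers one *IDN? query."""
    conn, _ = server.accept()
    with conn:
        if conn.recv(64).strip() == b"*IDN?":
            conn.sendall(reply)

def demo() -> dict:
    """Run query_idn against the local stand-in so the example works offline."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))  # any free local port
    server.listen(1)
    # Sample reply as quoted in the post (serial already masked there).
    reply = b"Rigol Technologies,DG1022Z,DG1ZAxxxxxxxxx,03.01.12\n"
    worker = threading.Thread(target=_fake_instrument, args=(server, reply), daemon=True)
    worker.start()
    try:
        return query_idn("127.0.0.1", server.getsockname()[1])
    finally:
        worker.join(timeout=2)
        server.close()

if __name__ == "__main__":
    print(demo())
```

Against a real unit, call `query_idn("<IP_address>")` with the instrument's LAN address.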

Offline 1anX

  • Regular Contributor
  • *
  • Posts: 190
  • Country: au
Re: Need help hacking DP832 for multicolour option.
« Reply #250 on: June 10, 2019, 06:53:11 am »
I have Win 10 PCs but could run Linux off a USB mem stick if needed.
Thanks for the info, I will give it a try!
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1631
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #251 on: June 10, 2019, 09:43:56 am »
I have Win 10 PCs but could run Linux off a USB mem stick if needed.
Thanks for the info, I will give it a try!
I tried Windows and Ubuntu but, in the end, the issue was the thumb drive and I eventually made it all work using telnet from a command prompt in Win 10 with telnet service added.  As I already said, if you can telnet and get a response to *IDN? but then see "error generated by remote interface command" popping up briefly when you try to send the :PROJ:STAT MODEL,DG1062Z command, then the issue is with the USB drive - a recent comment says the drive has to be formatted in FAT but mine was FAT32.

Good luck
If at first you don't succeed, get a bigger hammer
 

Offline tossu

  • Contributor
  • Posts: 19
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #252 on: June 10, 2019, 05:56:44 pm »
Preparing the USB drive is, indeed, quite a persnickety process. The file won't end up in the right sector if the partition is too large.

To make that easier, I made a disk image that can be written directly to any USB drive with a dd-like utility. On Windows I like to use Win32 Disk Imager.
 
The following users thanked this post: thm_w, Chris56000, bd139, nicolasg

Offline bson

  • Supporter
  • ****
  • Posts: 1649
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #253 on: June 11, 2019, 03:57:03 am »
Neat hack, and the fonts are a huge improvement over the faux 7-segment ones!  :-+
 

Offline 1anX

  • Regular Contributor
  • *
  • Posts: 190
  • Country: au
Re: Need help hacking DP832 for multicolour option.
« Reply #254 on: June 11, 2019, 05:50:13 am »
Thank you all so much!
My DG1022Z is now running full speed as a DG1062Z.
Simply sent the command :PROJ:STAT MODEL,DG1062Z through Rigol's Ultra Sigma software, connected thru USB.
Used USB and Ultra Sigma to hack my DP832 to DP832A without a hitch! Don't really know if the colour display is a step forward or backward  :)
It's certainly made the display more customisable and that's gotta be a good thing.

Probably pushing my luck but has anyone had success unlocking the 16Mb ARB memory?
« Last Edit: June 11, 2019, 06:48:31 am by 1anX »
 

Offline