Author Topic: Need help hacking DP832 for multicolour option.  (Read 62557 times)

0 Members and 1 Guest are viewing this topic.

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2561
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #25 on: January 01, 2016, 08:26:26 pm »
You don't need the USB Blaster. I only mentioned it as it costs next to nothing and you mentioned you had used JTAG before and it's a popular (for Altera) dongle and could (possibly) at least be used with urJTAG to dump the flash.

If you get the Olimex that should be all you need.

Also something called Hex-Rays IDA is apparently very useful and appears to support reverse engineering this processor. It can be very expensive though ;) Which reminds me I have a demo version I need to learn how to use. I've got a PDF manual for it somewhere.
« Last Edit: January 01, 2016, 08:36:11 pm by Macbeth »
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #26 on: January 01, 2016, 10:15:39 pm »
You don't need the USB Blaster. I only mentioned it as it costs next to nothing and you mentioned you had used JTAG before and it's a popular (for Altera) dongle and could (possibly) at least be used with urJTAG to dump the flash.

If you get the Olimex that should be all you need.

Also something called Hex-Rays IDA is apparently very useful and appears to support reverse engineering this processor. It can be very expensive though ;) Which reminds me I have a demo version I need to learn how to use. I've got a PDF manual for it somewhere.

Thank you Macbeth!   I ordered the Olimex ARM-USB-OCD-H adapter with the ARM-JTAG-20-10 adapter (which allows me to plug the ARM-USB-OCD-H adapter into an ARM 10-pin mini-JTAG connector.   All I did before was solder some wires to a Xbox 360 to JTAG it.  I was following some how-to.

So, I've been studying the datasheet for this ARM processor a bit.   I had some questions.   I see in the datasheet, there's a DEBUG signal (B9 on the BGA chip for this processor).   The datasheet says:
Code: [Select]
This pin is used for JTAG interface.
DEBUG=0: JTAG interface works for boundary scan.
DEBUG=1: JTAG interface works for ARM debugging.

Would I need to set this pin HIGH, LOW or just leave it as it is?   I don't really know what boundary scans are.   I also see there's some security for this chip, which I didn't find surprising.   But I see in the datasheet:
Code: [Select]
Security features:
— Read-only unique ID for Digital Rights Management (DRM) algorithms
— Secure boot using 128-bit AES hardware decryption
— SHA-1 and SHA256 hashing hardware
— High assurance boot (HAB4)

Does this mean that when I hook up the JTAG unit and try dumping the firmware using OpenOCD, the firmware might be encrypted?   I've also been reading up how to dump firmware using OpenOCD.   I know some smart people found a way to dump the firmware on a device that uses an ARM processor.   Some security bits were set that prevented read access to protected memory.   Only instructions in protected memory could read the data from protected memory.   However, it was fairly easy for the people to bypass this by loading an address in one of the registers, stepping through the code in protected memory and then checking the values of the registers until one changed.   They were able to find a LOAD instruction and that's all the needed in order to dump the firmware.   They even provided a nice Ruby script that would connect to OpenOCD and dump the firmware for you.

I mean, it'd have to be modified for different processors but I was thinking maybe I'd have to do something like that.   I've been studying the datasheet but I don't really see how I'm supposed to tell how big the firmware is and where it'd be located in memory.   It's definitely a learning experience, I'll say that much!    I also have an old router that might have a JTAG port.   Perhaps I could play with that to get a little experience.   If I ruin the router, no big deal.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2561
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #27 on: January 01, 2016, 11:39:50 pm »
Dave has a great vid on JTAG boundary scan. You will probably want BSDL files for your processor and flash etc.

I have to admit I have only got as far as dumping and programming firmware on my Rigol DM3058, which happens to be in unencrypted Blackfin LDR format (most Rigol stuff seems to be Analog Devices Blackfin DSP). I had to learn all this just to recover my DMM which had bricked itself after I used some obscure Rigol software not compatible with my firmware version, the alternative would have been sending it back under warranty but that would have cost me shipping and took weeks and is very, very boring. I learned how to extract LDR+data from the firmware and reflash in the weekend.

My own goal is to reverse engineer this firmware just for the hell of it and fix the bugs Rigol are too lazy to bother with and perhaps make the meter do what I want. But that's on the backburner now.

For all the ARM stuff - I don't have a clue, sorry!
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2561
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #28 on: January 01, 2016, 11:49:43 pm »
Oh for the size of the flash - just lookup the Hynix partnumber. There must be a memory map in the datasheet. I haven't checked for your ARM, but for Blackfin it's 0x20000000 and is easy to read with urJTAG when you set it up to read the flash chip (probably via BSDL behind the scenes).

If the flash is encrypted then yes you will need to use the hack you have found. Very interesting! My ARM experience is Raspberry Pi's only I'm afraid with none of this JTAG stuff  :scared:
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #29 on: January 02, 2016, 12:16:33 am »
Thanks for all the help Macbeth!   Hopefully when my Olimex device comes, I'll find it's not very hard at all.   If it does turn out to be encrypted though, I might not be able to go any further at all.    I'll look into the various things you mentioned in the meantime.   Like the memory map and size of the Hynix firmware.   I'd be nice if I could get an unencrypted copy of the firmware.   Maybe I could even figure out the format of the .GEL files.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #30 on: January 04, 2016, 09:12:27 pm »
I just wanted to update you guys.   I got the ARM-USB-OCD-H JTAG device coming but I don't think it's going to help.   I've been reading up on the security of the i.MX283 processor in the Rigol DP832.   From what I've read ( http://cache.nxp.com/files/32bit/doc/app_note/AN4555.pdf?fpsp=1&WT_TYPE=Application%20Notes&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation&fileExt=.pdf )
it seems that the bootloader gets signed and if the code changes but the signature doesn't match, then it'll refuse to start.   It seems the packages on the FLASH might be signed as well.   They use some elftosb program to sign them or something.    If I'm not mistaken (and I very well can be, I don't really understand the whole encryption stuff very well), even if I could extract the bootloader and flash contents, I won't be able to change them at all.

I wonder how the person who wrote the keygen for the DP832 managed to figure out how to successfully write it.   Did they somehow manage to extract the firmware or information from the flash chip on there?
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1039
  • Country: nz
Re: Need help hacking DP832 for multicolour option.
« Reply #31 on: January 04, 2016, 09:51:29 pm »
It was a while ago now, but if you read the first few hundred posts in the sniffing the rigol bus thread there is a lot of useful stuff posted by cybernet. The thread degenerates into noobs asking for help after a while, but the beginning is very cool. I think that's the one where the certificate signing stuff for the dg4000 was discovered too, but there is another thread for hacking the dg4000 which also contains interesting information.

Good luck!
I'd rather a Google clue, link, or some theory than "do this" (generally)
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #32 on: January 04, 2016, 10:16:51 pm »
It was a while ago now, but if you read the first few hundred posts in the sniffing the rigol bus thread there is a lot of useful stuff posted by cybernet. The thread degenerates into noobs asking for help after a while, but the beginning is very cool. I think that's the one where the certificate signing stuff for the dg4000 was discovered too, but there is another thread for hacking the dg4000 which also contains interesting information.

Good luck!

Thank you!   I'll search the forums for the topic you're talking about here.   I've seen people talk about sniffing buses before.   Maybe I should invest in some equipment so I can do that too.   Sounds really cool.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #33 on: January 04, 2016, 10:30:19 pm »
Is this the forum that you're talking about?   https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/

Seems to be about the Rigol DS1102E.   Perhaps I can still learn a lot from it though.   I don't have a logic analyzer.   I'd love to purchase one but I'm not certain if I want a benchtop model or a portable one.   I kind of like some of the portable ones I've seen on the net (the ones that hook up to a PC via USB).   Just not sure if they're as good and if they are, which ones to get.
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1039
  • Country: nz
Re: Need help hacking DP832 for multicolour option.
« Reply #34 on: January 05, 2016, 02:20:54 am »
That's the one. It's a long time since I read the first post. You're right, but it's about the ds2000 and other rigol products too. It's worth your time to read it. Really.

Can't find the other one right now, but it'll be referred to in the i2c thread for sure.
I'd rather a Google clue, link, or some theory than "do this" (generally)
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #35 on: January 05, 2016, 03:42:01 am »
That's the one. It's a long time since I read the first post. You're right, but it's about the ds2000 and other rigol products too. It's worth your time to read it. Really.

Can't find the other one right now, but it'll be referred to in the i2c thread for sure.

Thank you.   I've already started reading the thread.   I've searched through it as well, looking for keywords like DP832.   I see a user claims he was able to disassemble the firmware somehow in order to modify the Riglol program to generate proper keys for the newer firmwares.    I wonder if he actually disassembled it and if so, how did he manage to get a copy?   Right now, I don't think there's any known ways to decode / decrypt / whatever the .GEL files.  It'd be nice if I could figure out how they did it.   I've also been reading up on OpenOCD and trying to figure out how to actually try to do the various things I want to do once I get my JTAG device in the mail.

From what I've seen, I'm going to need to know the flash segment address (this might be the wrong word here) in order to read the flash to a .hex / .bin file.   I'm going to need to figure out what the RAM segment is in order to do a memory dump.   I was expecting these addresses to be in the datasheet for the i.MX283 but I didn't find them there.   I continued to look in the various documents on NXP's website for the i.MX283 and found the memory map layout in the i.MX28 Applications Processor Reference Manual ( http://cache.nxp.com/files/32bit/doc/data_sheet/IMX28CEC.pdf?fpsp=1&WT_TYPE=Data%20Sheets&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation&fileExt=.pdf ) on page 135 of 2733!   However, I'm not sure which ones I need.   I see stuff like On-Chip RAM, On-Chip RAM alias, External Memory, On-Chip ROM, etc.   Don't see anything for flash like I do with some of the other datasheets out there.

I also wanted to say though that I'm extremely thankful for all the help everyone here on EEVBlog has provided to me.   I know most of the users here are experts in the electronic world and I know I don't know very much at all.   But everyone's been extremely supportive in trying to help me accomplish what I want to do and answer all the dumb questions I have!   Thank you guys.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #36 on: January 07, 2016, 09:40:43 pm »
So I'm waiting for my ARM-USB-OCD-H JTAGGING device to come.   I learn that OpenOCD doesn't support the NAND flash controller on the i.MX28 processors.   This is disappointing.   I also want to say I remember reading something in the programming reference guide that the NAND works in parallel mode.   From reading stuff on the internet, from what I can tell, I will not be able to use one of those clips that you just put over the NAND chip and read and write to it directly, in circuit, while the device is on (like the E3 Flasher for the PS3 for example).   I think getting this NAND dump is going to be a bit harder than I originally was hoping for.

Anyway, I went back to looking at the GEL files.   I see patterns but can't really make sense out of them.   I've tried bit shifting them, doing bitwise manipulation on them (AND, OR, XOR) but I can't seem to get anything useful out of.   Maybe you guys can make some sense out of it and see something that I just don't?   For example, the first 32 bytes of code, I see a pattern...

Code: [Select]
28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83     /* Notice here, starting at offset 5, we have 78. If we count up in hex though, we get:
                    78 79 7A 7B 7C 7D 7E 7F...                           See how 78, 7C, 7D, and 7F line up? */

83 84 86 87 27 89 8A 8B 28 CA 8E 8F A8 81 31 78      /* We see this again...
          86 87 88 89 8A 8B 8C 8D 8E 8F...                           86, 87, 89, 8A, 8B, 8E and 8F line up. */


Now, if I create a table, the pattern becomes a bit more clear.
Code: [Select]
     x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF x0 x1 x2 x3
   ---------------------------------------------------
7x | 28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83 | 83
8x | 83 84 86 87 27 89 8A 8B 28 CA 8E 8F A8 81 31 78 | 93
9x | AC 85 35 7C B0 89 39 80 B4 8D 3D 84 B8 91 41 88 | A3
Ax | A4 A5 A6 A7 BC 99 49 90 C0 9D 4D 94 A8 EB BA B3 | B3
Bx | 30 F1 BE B7 34 F5 C2 BB 38 F9 C6 BF 3C FD CA C3 | C3
Cx | 40 01 CE C7 20 EB D2                            | D3
Cx |                      CB CC CD CE CF D0 D1 D2 D3 | D3 (continued)
Dx | D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF E0 E1 E2 E3 | E3
Ex | E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF F0 F1 F2 F3 | F3
Fx | F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF 00 01 02 03 | 03
0x | 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 | 13
1x | 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 | 23
2x | 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 | 33
3x | 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 | 43
4x | 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 | 53
5x | 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 62 63 | 63
6x | 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 | 73
7x | 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 80 81 82 83 | 83
8x | 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 90          | 93

That's the first 285 bytes.   Starting at offset 57h, it starts counting up, in a row, from CBh to FFh then 00h to 90h.   I use that to create the numbers before and after the |'s.    Maybe we're supposed to remove the numbers that match up?   I'll give an example.   First row,
we see the 7x that I added, so the numbers to remove will start with a 7.   Then, the little grid above us tells us what the last number in the row has to be in order for us to remove it.   So, we look at:
Code: [Select]
     x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF x0 x1 x2 x3
   ---------------------------------------------------
7x | 28 23 10 00 78 B9 FB BB 7C 7D D0 7F 20 BE 82 83 | 83

The first number, 28, does it start with a 7?   Nope, move on.   Does 23 start with a 7?  Nope, move on....we keep going to get to 78 at offset 05h.   Does that start with a 7?  Yup.  We look up to see what number it has to end in.   In this case, an 8.  Does it end in an 8?  Yup.  Remove it.   On to the next ones.   We remove 7C, 7D, 7F, 82 and 83.    So maybe the first lines in the .GEL file are really
Code: [Select]
28 23 10 00 B9 FB BB D0 20 BE

You see, I thought I was onto something there for a second, but I can't make sense out of 0x28 0x23 0x10 0x00 0xB9 0xFB 0xBB 0xD0 0x20 0XBE.    Maybe someone smarter than me could see something that I'm missing here?   Thanks!
 

Offline dadler

  • Supporter
  • ****
  • Posts: 848
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #37 on: January 07, 2016, 09:46:27 pm »
Maybe you will find this useful:

http://www.gotroot.ca/rigol/degel-0.1.tar.gz
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #38 on: January 08, 2016, 01:06:36 am »
Maybe you will find this useful:

http://www.gotroot.ca/rigol/degel-0.1.tar.gz

Thank you for the link but that doesn't really work with the DP832's for one reason or another.   For example, that degel program looks for a header which doesn't seem to be here, at least not like in the other .GEL files.   The ones I've seen (like DG10x2Update.gel) starts with RIGOL:DG1:UPDATE FILE ALL

I've tried to figure out how to get RIGOL from the hex values in the DP832's software update.gel file.   It starts with 0x28 0x23 0x10.   If you XOR 0x7A to 0x28, you get 0x52 (R).   If you XOR 0x6A to 0x23 you get 0x49 (I).   I thought I had a pattern there.   XOR the first offset by 0x7A to get R, XOR the second offset by 0x6A to get I, but to get G for the third offset, you need to XOR it (0x10) by 0x57.   No pattern there :(
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #39 on: January 08, 2016, 01:16:14 am »
I mean I seen a little pattern there.   These are the bytes in hex in the Update file...and the values I have to XOR them with to get RIGOL

Code: [Select]
Bytes   XOR Value     Output (in ASCII)
0x28    0x7A              R
0x23    0x6A              I
0x10    0x57              G
0x00    0x4F              O
0x78    0x34              L

See a bit of a pattern there?    The XOR's most significant value starts at 7 and counts down by a whole number each time.   7, 6, 5, 4, 3.    Just can't figure out the last numbers there.   I can't see the pattern, A, A, 7, F, 4...
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2561
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #40 on: January 08, 2016, 01:26:33 am »
LOL. Before all this crypto key stuff I used to encrypt files with XOR.Just because I may use a plaintext password as the cipher didn't mean I wouldn't keep re-xor encrypting that password byte by byte as I went...

and this was on the BBC Micro back in the '80s!

However the old ones are the best. Good to see XOR is still used  ;)
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #41 on: January 08, 2016, 01:51:32 am »
LOL. Before all this crypto key stuff I used to encrypt files with XOR.Just because I may use a plaintext password as the cipher didn't mean I wouldn't keep re-xor encrypting that password byte by byte as I went...

and this was on the BBC Micro back in the '80s!

However the old ones are the best. Good to see XOR is still used  ;)
Well, I don't know if my XOR results are just coincidence or not.   Doesn't seem to work so well after RIGOL.  Or maybe the header's changed a bit.  If I could find a pattern for the least significant digits (7A, 6A, 57, 4F, 34) I'd be certain there was something to this.
 
The following users thanked this post: Dwaine

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2561
  • Country: gb
Re: Need help hacking DP832 for multicolour option.
« Reply #42 on: January 08, 2016, 02:14:38 am »
Perhaps there is no "Rigol" header, and the firmware is exactly in the format the MX28 expects?

I know when I had to recover my bricked Rigol DM3058 only the start of the flash firmware was a RIGOL string, everything after that was in Blackfin LDR format as I found by reading the datasheet (or tome!). So I stripped that out and JTAG uploaded the rest verbatim to flash and all was well.

Perhaps there is no "Rigol" header and this firmware is purely in the MX28 format? You may be chasing a red herring.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #43 on: January 08, 2016, 02:28:20 am »
Perhaps there is no "Rigol" header, and the firmware is exactly in the format the MX28 expects?

I know when I had to recover my bricked Rigol DM3058 only the start of the flash firmware was a RIGOL string, everything after that was in Blackfin LDR format as I found by reading the datasheet (or tome!). So I stripped that out and JTAG uploaded the rest verbatim to flash and all was well.

Perhaps there is no "Rigol" header and this firmware is purely in the MX28 format? You may be chasing a red herring.

I thought that myself but I don't think that's the case.   That was my original assumption Macbeth.   But I dunno, I was looking at the datasheet and trying to analyze the Bootloader .GEL file and the bits just don't seem to match up.   Some of the unused bits are set, some aren't.   Some conflict.  There's also the whole tablet thing.   At the very start of the .GEL file, if you compare x offset to 73 + x, a lot of them will match.    There's giant sections where the Software .GEL file will show stuff like 0xCBh to 0xFFh and then go to 0x00h to 0x90h.   The 73 + x rule always matches with those weird sections.    Like if you start at the first sector (sector 0), there's a 0x28 there.   The table thing I discovered would be 0x74 at that place.   The next value in the firmware is 0x23.   The table would be 0x75...if you go all the way up to where 0xCB is in the .GEL file, when the run starts, the tablet thing holds true.  It'll equal 0xCB.   This holds true for the whole .GEL file.   It'd be weird for some sort of processor I'd think to have instructions like that.  Like the whole file is filled with 0x74 through 0xFF then it just repeats, 0x00 through 0xFF.   There's some real data some places, other places it's just the pattern showing through.

I assumed (and might be wrong here) that the Software.GEL file actually holds NAND data.   Someone dumped their NAND by removing the physical chip from the system and hooking it up to some NAND reader.   He showed a screenshot of the first few bytes in there.   They don't look anything like the .GEL file.   You can see stuff like DP830   DP831    DP832, etc.   When I look for strings in the GEL file, I find none.   Absolutely none.   I'd think I'd see at least something there.

Thanks for the help though!   Much appreciated.
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #44 on: January 08, 2016, 03:21:16 am »
The statistics are real weird as well, which makes me think it's some sort of archive.   It's wavey.   I used HxD and clicked the Statistics button and it shows a bar graph of each value in the file, from 00h to FFh.   It shows how frequent the value is found.   And there's definitely a pattern there!   For example, there's about equal numbers of 1A's as there are 2A's as there are 3A's.   But the #A's aren't as frequent as something like 9h, 19h, 29h, which are all just about equally as prevalent.
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #45 on: September 18, 2016, 05:23:05 am »
Hi DP832 users,

my first post here on the forum.
It's been a while since the last post on this topic, but I'll give it a go.

I had a look at the GEL file from DP800(Software)Update(Normal)_00.01.13.00.01 and found some interesting stuff:

Start at the first byte of the file and subtract 0x74, at the second byte subtract 0x75, at the third byte 0x76, and so on...
When you reach 0xFF the next byte gets 0x00 (nothing, really) subtracted, and again and again...

If the entire file is processed like this, it reveals some interesting stuff further into the file. Don't know what the exact meaning of those is, however.

Here is a short C-program I used to do this:
Code: [Select]
// rewrite Rigol DP800 GEL file
#include "stdafx.h"
#include <stdlib.h>

#define OFFS 116 // Offset at start of File (0x74)

// Main
int main ( int argc, char *argv[] )
{
FILE *infile;
FILE *outfile;

if(argc < 2)
{
printf("Usage : %s [input]\n", *argv);
return EXIT_FAILURE;
}

// Open input file
infile = fopen(argv[1], "rb");
if(infile != NULL)
printf("File found\n");
else
{
printf("Error while opening!\n");
return EXIT_FAILURE;
}

// Open output file
outfile = fopen("DP800Update_descrambled_GEL.txt", "wb");

int ch; // current read char
int i = 0; // counter

while ((ch = fgetc(infile)) != EOF) // read until EOL
{
ch = ((ch + 256 - i - OFFS) % 256); // subtract offset
fprintf(outfile, "%c", ch); // write new char
i = ((i + 1) % 256); // increment counter
}
fclose(infile);
fclose(outfile);
printf("done!");

return EXIT_SUCCESS;
}

Hopefully this helps somewhere.

Cheers,

Volki
 
The following users thanked this post: WhichEnt2, tossu

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #46 on: September 18, 2016, 06:07:53 pm »
Hello Volki,

We're in the process of having a baby in the near future and I'm trying to redo the baby's room (put down hardwood floor).  I don't have a lot of free time right now, but after you run the encrypted firmware through your program, what do the first couple bytes of the file look like?   A lot of the Rigol stuff seem to start with the model of the device, like DP800, for instance.   Thanks.
 

Offline volkimel

  • Contributor
  • Posts: 10
  • Country: 00
Re: Need help hacking DP832 for multicolour option.
« Reply #47 on: September 18, 2016, 10:33:38 pm »
Hi,

just confirmed that this same thing works with DP800(Software)Update(Normal)_00.01.14.00.03 firmware as well.

The first bytes of the files don't make much sense. No DP800 or anything (at least I didn't see it).

Here are the first 512 bytes of 00.01.13.00.01:
Code: [Select]
B4 AE 9A 89 00 40 A0 A1 00 00 52 00 58 3D 00 00
FF FF 00 00 9F 00 00 00 54 3D 00 00 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
00 00 00 00 14 F0 9F E5 14 F0 9F E5 B0 3A 08 00
34 3C 08 00 34 3C 08 00 34 3C 08 00 34 3C 08 00
34 3C 08 00 40 01 08 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 C0 9F E5
1C FF 2F E1 35 11 08 00 00 C0 9F E5 1C FF 2F E1
F1 03 08 00 00 C0 9F E5 1C FF 2F E1 71 11 08 00
00 C0 9F E5 1C FF 2F E1 E5 02 08 00 08 B4 02 4B
9C 46 08 BC 60 47 C0 46 38 2A 08 00 04 E0 4E E2
0F 40 2D E9 04 D0 4D E2 00 80 A0 E3 FF 90 E0 E3
FE 9C C9 E3 00 A0 99 E5 0A 80 B0 E1 93 B0 E0 E3
FC BC CB E3 55 00 A0 E3 00 00 8B E5 08 00 18 E3
30 00 00 0A 24 E9 9F E5 00 C0 DE E5 C8 34 9F E5
04 20 D3 E5 02 00 5C E1 02 00 00 3A 0C 19 9F E5
00 90 A0 E3 00 90 C1 E5 CB A0 E0 E3 F2 AC CA E3
40 BA A0 E3 00 B0 8A E5 01 00 A0 E3 D2 FF FF EB
E8 08 9F E5 00 E0 D0 E5 8E C0 B0 E1 88 34 9F E5
03 20 9C E0 BC 13 D2 E1 01 96 B0 E1 FB A0 E0 E3
F9 AC CA E3 00 90 8A E5 01 00 A0 E3 C6 FF FF EB

And here for 00.01.14.00.03:
Code: [Select]
B4 AE 9A 89 00 40 81 40 00 00 52 00 A0 3D 00 00
FF FF 00 00 9F 00 00 00 9C 3D 00 00 18 F0 9F E5
18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5
00 00 00 00 14 F0 9F E5 14 F0 9F E5 F8 3A 08 00
7C 3C 08 00 7C 3C 08 00 7C 3C 08 00 7C 3C 08 00
7C 3C 08 00 58 22 08 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 B5 06 48
00 68 40 07 40 0F 00 06 00 0E 07 28 00 D3 00 20
00 06 00 0E 08 BC 18 47 20 0D FF FF 10 B5 04 00
20 78 A1 78 00 06 00 0E 01 28 00 D1 2A E1 0F D3
03 28 00 D1 66 E3 00 D2 64 E2 05 28 01 D1 00 F0
E1 FC 01 D2 00 F0 4C FC 06 28 01 D1 00 F0 5A FD
02 20 60 70 09 06 09 0E 01 29 6A D1 01 20 E0 70
02 20 20 71 02 20 60 71 02 20 A0 71 80 20 20 81
40 20 60 81 B0 20 C0 00 20 82 90 20 C0 00 60 82
A0 20 C0 00 E0 82 06 20 20 76 04 20 60 76 BA 48
A0 87 BA 48 E0 87 44 20 B7 49 21 52 46 20 B7 49
21 52 62 79 04 20 42 43 00 21 B4 20 40 00 20 18
00 F0 9E FF 62 79 04 20 42 43 FF 21 C2 20 40 00
20 18 00 F0 95 FF A2 79 04 20 42 43 00 21 BC 20
40 00 20 18 00 F0 8C FF A2 79 04 20 42 43 FF 21

Cheers,

Volki
 

Offline Spork Schivago

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: us
Re: Need help hacking DP832 for multicolour option.
« Reply #48 on: September 19, 2016, 05:19:58 am »
You mention some interesting stuff further in the file.   What type of interesting stuff is further in the file?   Is it plain text ASCII?
 

Offline dav

  • Regular Contributor
  • *
  • Posts: 133
  • Country: it
Re: Need help hacking DP832 for multicolour option.
« Reply #49 on: September 19, 2016, 10:51:07 am »
@Spork Schivago:
There is some text; take a look yourself with an hex editor.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf