Author Topic: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)  (Read 40496 times)


Offline RoGeorge

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #25 on: May 12, 2018, 10:12:29 am »
Are there no Python gurus reading this who can decrypt the release notes?
I'm no Python guru, but I do know and use Python, and I'm trying to decrypt the release notes, but I'm not yet able to obtain any sensible cleartext.
I'm following the "probable plaintext attack" route, trying to feed pieces of the previous release notes.

By looking at the E-SafeNet header of the 'MSO_DS1000Z Release Notes.txt', the header no longer follows the format described in table 1 (page 9 of 'report.pdf' from https://github.com/c3c/E-Safenet).
- bytes '8-10 checksum: sum of bytes 512-1023 of the plaintext' (which were criticized in the PDF paper for leaking information about the file being a text or a binary type) are now all 00
- bytes '4-5' indicate the header will end before byte 0x00AA, and we expect 00 padding between 0x001C and 0x00AA, yet not all bytes in that range are zero. There are 32 bytes expected to be all padding zeros (from 0x0028 to 0x0047), but they are "E3 40 15 BE 5C E0 08 87 DD 42 47 D2 EE FF EE EC AF 53 B7 11 4F C7 30 0D DF EF 9E 0A 87 49 DA 07" instead of all 00. Maybe a 128-bit public key?

The research paper is from 2014. My guess is the current E-SafeNet encryption scheme is somehow different from the one used in c3c's decryption implementation on GitHub.

It would be interesting to see if the autocorrelation test used in section 4.1 of the PDF will still show a 512-byte pattern for our file.

Of course, decrypting the release notes doesn't add any value to the current firmware, it is more of a curiosity exercise.  :P

Offline tv84

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #26 on: May 12, 2018, 10:17:13 am »
Not that easy unfortunately, the whole program has to be modified for UTF-16 :(

It shouldn't make any difference to the overall program.

The UTF-16 actually makes it a lot easier because you know what half the bytes of the plaintext are (assuming it's ASCII text, every other byte will be zero).

Totally agree. Thinking on it at the moment.
 

Offline RoGeorge

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #27 on: May 12, 2018, 10:23:49 am »
I'm not sure the English release notes are UTF. My assumption is that they are still ASCII, because the English update instructions file is ASCII, too.

Also, both the Chinese and the English version of the release notes contain the same 32 unexplained bytes in the E-SafeNet header: E3 40 15 BE 5C E0 08 87 DD 42 47 D2 EE FF EE EC AF 53 B7 11 4F C7 30 0D DF EF 9E 0A 87 49 DA 07, so I assume the header and the algorithm for E-SafeNet has changed.

Offline Fungus

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #28 on: May 12, 2018, 10:25:52 am »
I'm not sure the English release notes are UTF.

Neither am I; I'm not sure where that came from. It is twice as big as before though...
« Last Edit: May 12, 2018, 10:27:34 am by Fungus »
 

Offline tv84

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #29 on: May 12, 2018, 10:30:55 am »
To better illustrate the theory, half of the key is already visible in this image.

Look after the first row. The bytes in the odd positions are always the same.

Half done, half to go!

Look at the .BMP in the ZIP. The image clearly confirms that the file must be UTF-16.

Edit: corrected this msg just for historical reasons.
« Last Edit: May 12, 2018, 04:18:13 pm by tv84 »
 

Offline Fungus

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #30 on: May 12, 2018, 10:49:17 am »
To better illustrate the theory, half of the key is already visible in this image.

Look after the first row. The bytes in the odd positions are always the same.

Exactly. Every odd byte is zero, so when you XOR it with the key you get the key.

On the even bytes: You need to find the value that gives valid ASCII when you XOR it with all the rows.

« Last Edit: May 12, 2018, 11:03:56 am by Fungus »
 

Offline tv84

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #31 on: May 12, 2018, 10:58:29 am »
Half of the key:

Code: [Select]
xx CA xx 8E xx 92 xx E9 xx C5 xx 1F xx 49 xx D0
xx A3 xx 21 xx D9 xx A0 xx 91 xx DC xx 27 xx BA
xx 02 xx B6 xx 61 xx 1D xx C8 xx 3C xx 7D xx 60
xx BE xx 6B xx E4 xx FA xx 47 xx 1C xx ED xx 30
xx CD xx 3F xx A2 xx C0 xx 89 xx 47 xx 16 xx A8
xx 2E xx E2 xx 8F xx 60 xx 81 xx 13 xx 0D xx DA
xx C1 xx 7B xx EF xx AF xx 1C xx 9F xx 0F xx 76
xx B9 xx 7D xx 12 xx 7C xx BE xx 22 xx D8 xx 62
xx FA xx 41 xx 85 xx C2 xx 5F xx 1E xx 02 xx 3D
xx 3F xx 17 xx EC xx 91 xx DB xx 48 xx 9E xx A5
xx 47 xx FD xx 5A xx 20 xx 9E xx B6 xx C2 xx D7
xx 98 xx 5F xx 65 xx 2E xx D5 xx 4E xx 67 xx 7E
xx 9C xx DA xx 75 xx 66 xx 01 xx E2 xx 8E xx 0F
xx 4A xx 9D xx 87 xx 39 xx 0C xx 0E xx 17 xx E4
xx 67 xx 75 xx 8F xx 3E xx 3A xx 16 xx 47 xx F6
xx C9 xx 76 xx 61 xx 28 xx C9 xx 09 xx B2 xx BF
xx 2E xx 1D xx A1 xx D9 xx 46 xx E6 xx D2 xx EB
xx 41 xx FB xx 2F xx 45 xx E4 xx 69 xx D4 xx 1D
xx 26 xx A9 xx AF xx CA xx EC xx 3A xx 1E xx CD
xx 58 xx EC xx 58 xx 2C xx 65 xx 36 xx A4 xx 7D
xx 84 xx 15 xx 41 xx 8A xx 69 xx E1 xx 60 xx 52
xx 41 xx 26 xx 10 xx 69 xx FA xx 0D xx 5C xx 44
xx 37 xx 7A xx B1 xx 81 xx 32 xx A7 xx 2F xx B4
xx 01 xx A5 xx 3D xx 44 xx B1 xx A5 xx BF xx B5
xx C5 xx 8C xx A2 xx A0 xx 60 xx 06 xx DC xx 25
xx 1E xx 61 xx 31 xx 96 xx 6F xx 6E xx 23 xx EC
xx C3 xx 44 xx ED xx 85 xx 3B xx C3 xx 38 xx BB
xx D7 xx 51 xx 15 xx 29 xx 22 xx CE xx F8 xx F7
xx 56 xx 80 xx 1A xx FD xx 37 xx 38 xx AB xx C5
xx BD xx D5 xx FA xx 43 xx A8 xx 75 xx 38 xx 53
xx 50 xx EB xx 0E xx 6B xx 58 xx EB xx FE xx BC
xx A3 xx 75 xx 96 xx C1 xx 22 xx A5 xx 7B xx 8F
 

Offline frozenfrogz

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #32 on: May 12, 2018, 11:00:47 am »
Cool :)

In case anyone wants to check what bugs actually have been fixed, please consider commenting here on the DS1000Z buglist thread, so I can keep track and update the OP.
I am going to try the update myself this weekend and start working on it accordingly.

Thank you and kind regards,
Frederik
 

Offline Fungus

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #33 on: May 12, 2018, 11:04:28 am »
Half of the key:

On the even bytes: You know bit 7 of the plaintext is zero, so you know that bit in the key, too. :-)

The bottom 5 bits should mostly appear if you do the "valid ASCII" check on all the rows. That leaves two bits which are difficult.
« Last Edit: May 12, 2018, 11:08:59 am by Fungus »
 

Offline tv84

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #34 on: May 12, 2018, 11:13:16 am »
It's precisely the same key in the DS2000 release notes.  ;)

With a bit of brute-force we can work out the whole key.
 

Offline Fungus

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #35 on: May 12, 2018, 11:13:27 am »
A good bet would be to take the last 256 bytes of the previous release notes, convert to UTF-16 and use that as 'known plaintext'. The key might pop right out if you do that.

Try a couple of variants in case they added an extra CRLF at the end of the file or something trivial.
 

Offline Fungus

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #36 on: May 12, 2018, 11:16:06 am »
It's precisely the same key in the DS2000 release notes.  ;)

In that case they've totally blown it. Never use your one-time-pad twice!

Just XOR together the second block of both files and you'll get the complete key.

Edit: No, hang on, that's not right... let me think.

Edit2: Nope, you get the XOR of the two plaintexts.

I think the best bet is what I said in the previous post: Assume the last 256 bytes of the new file are the same as the previous one. The key should pop right out.


« Last Edit: May 12, 2018, 11:26:37 am by Fungus »
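As an added example (not code from the thread, from Rigol or from the c3c E-Safenet project), the three steps discussed above in one runnable Python file: the autocorrelation test RoGeorge mentions, the UTF-16 and "valid ASCII" narrowing from Replies #30 and #33, and the known-tail step from Replies #35 and #36. It assumes a constructed sample text, a 16-byte repeating key instead of the 512-byte pattern, UTF-16LE without a BOM, and key bytes that are all distinct.

```python
"""Constructed demonstration of the three ideas in the thread, on a toy file:
(1) the autocorrelation test for the period of a repeating XOR keystream,
(2) reading half the key off the zero high bytes of UTF-16LE text and
    narrowing the other half with a "valid ASCII" filter,
(3) settling what is left with a short known-plaintext tail.
Not the E-SafeNet format and not Rigol's file; key length 16 instead of 512."""

TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # "valid ASCII text"
KEY_LEN = 16
KEY = bytes.fromhex("7f3a9c45e1b2086dd9f04a1c55e3b78e")  # constructed; all bytes distinct
SAMPLE_TEXT = (  # constructed filler, printable ASCII only
    "Sample notes for the XOR demonstration, line one of the constructed text.\r\n"
    "Line two repeats the idea with different words so the columns vary.\r\n"
    "Numbers 0123456789 and punctuation ,.;:!? help the ASCII filter decide.\r\n"
    "A few Capital Letters settle the bit-6 question in some columns.\r\n"
    "Another line of plain words, written only to lengthen the sample text.\r\n"
    "The last line is what a known plaintext tail would look like.\r\n"
)
PLAINTEXT = SAMPLE_TEXT.encode("utf-16-le")  # no BOM assumed: each char -> "xx 00"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a keystream that repeats every len(key) bytes (encrypt == decrypt)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def coincidence_rate(data: bytes, lag: int) -> float:
    """Fraction of positions i where data[i] == data[i + lag]."""
    pairs = len(data) - lag
    return sum(data[i] == data[i + lag] for i in range(pairs)) / pairs


def estimate_period(ciphertext: bytes, max_lag: int) -> int:
    """Autocorrelation test: at a multiple of the key period the key cancels and
    the comparison is plaintext against plaintext. For UTF-16LE text every odd
    byte then matches, so the rate jumps from about 1/256 to above 1/2."""
    rates = {lag: coincidence_rate(ciphertext, lag) for lag in range(1, max_lag + 1)}
    best = max(rates.values())
    return min(lag for lag, rate in rates.items() if rate >= best / 2)  # first peak


def candidates_from_utf16(ciphertext: bytes, key_len: int) -> list:
    """For each key position, the set of key bytes consistent with UTF-16LE ASCII."""
    rows = [ciphertext[i:i + key_len]
            for i in range(0, len(ciphertext) - key_len + 1, key_len)]
    cands = []
    for pos in range(key_len):
        column = [row[pos] for row in rows]
        if pos % 2 == 1:
            cands.append(set(column))  # plaintext is 0x00 here, so ciphertext == key
        else:
            # Keep every key byte that maps the whole column into TEXT_BYTES.
            # Bit 7 is settled at once; a lower bit is settled only when some
            # character in the column would leave the text range if that bit
            # flipped (CR/LF, digits, spaces and capitals do most of the work).
            cands.append({k for k in range(256)
                          if all((k ^ c) in TEXT_BYTES for c in column)})
    return cands


def key_from_known_tail(ciphertext: bytes, known_tail: bytes, key_len: int) -> list:
    """Known plaintext: if the file ends with bytes we already know (say, the
    unchanged end of the previous notes), each one reveals its key byte."""
    key = [None] * key_len
    start = len(ciphertext) - len(known_tail)
    for j, p in enumerate(known_tail):
        key[(start + j) % key_len] = ciphertext[start + j] ^ p
    return key


def recover_key(ciphertext: bytes, key_len: int, known_tail: bytes = b"") -> list:
    """Intersect both sources. An empty set at some position means the guessed
    tail is wrong (an extra CRLF, a shifted offset), so try another variant."""
    cands = candidates_from_utf16(ciphertext, key_len)
    for pos, k in enumerate(key_from_known_tail(ciphertext, known_tail, key_len)):
        if k is not None:
            cands[pos] &= {k}
    return cands


def unique_key(cands: list):
    """The key as bytes once every position has exactly one candidate, else None."""
    if all(len(c) == 1 for c in cands):
        return bytes(next(iter(c)) for c in cands)
    return None


CIPHERTEXT = xor_repeating(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("estimated key period:", estimate_period(CIPHERTEXT, 4 * KEY_LEN))
    cands = candidates_from_utf16(CIPHERTEXT, KEY_LEN)
    print("positions still open after the UTF-16/ASCII step:",
          [pos for pos, c in enumerate(cands) if len(c) > 1])
    key = unique_key(recover_key(CIPHERTEXT, KEY_LEN, PLAINTEXT[-2 * KEY_LEN:]))
    print("recovered key:", key.hex())
    print(xor_repeating(CIPHERTEXT, key).decode("utf-16-le").splitlines()[0])
```

A known tail of 2 * KEY_LEN bytes (256 characters for a 512-byte key) covers every key position, which is why the "last 256 bytes" suggestion recovers the whole key in one go.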
 

Offline tv84

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #37 on: May 12, 2018, 11:25:12 am »

Your last 256 bytes tactic might be the way to go. But, by hand, without UTF conversions.

Start with a bottom-up technique! :)
 

Offline tv84

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #38 on: May 12, 2018, 11:27:59 am »

Edit2: Nope, you get the XOR of the two plaintexts.


Yep. No use.
 

Offline konnor

Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #39 on: May 12, 2018, 01:07:34 pm »
I superficially looked at the update.
Result:
- No new functions, only bug fixes
- No changes to resources (help, menu, images, etc.)
- The function that determines the version of the board is completely rewritten.
Old Function:
Code: [Select]
P4:4003B698 CPLD_GetBoardVersion                    ; CODE XREF: IsLogicalAnalyserPresent_+14p
P4:4003B698                                         ; UpdateBoardVersion+20p
P4:4003B698                                         ; Circuits_StartInit_13_1+10Cp
P4:4003B698                                         ; KBD_StartInit+190p
P4:4003B698                                         ; IsLogicalAnalyserPresent+20p
P4:4003B698                                         ; SetupDS1104Z+174p
P4:4003B698                                         ; TestPresenceDevices+Cp
P4:4003B698
P4:4003B698 IoBuffer        = -0x18
P4:4003B698 Buff            = -0x14
P4:4003B698
P4:4003B698                 STMFD   SP!, {R4,R5,LR} ; Store Block to Memory
P4:4003B69C                 SUB     SP, SP, #0xC    ; Rd = Op1 - Op2
P4:4003B6A0                 LDR     R0, =pSPI2_BusHandle ; Load from Memory
P4:4003B6A4                 LDR     R4, [R0]        ; Load from Memory
P4:4003B6A8                 MOVS    R0, SP          ; Rd = Op2
P4:4003B6AC                 MOV     R1, #0          ; Rd = Op2
P4:4003B6B0                 STRH    R1, [R0,#0x18+IoBuffer] ; Store to Memory
P4:4003B6B4                 CMP     R4, #0          ; Set cond. codes on Op1 - Op2
P4:4003B6B8                 BNE     loc_4003B6C4    ; Branch
P4:4003B6BC                 MOV     R0, #0          ; Rd = Op2
P4:4003B6C0                 B       locret_4003B78C ; Branch
P4:4003B6C4 ; ---------------------------------------------------------------------------
P4:4003B6C4
P4:4003B6C4 loc_4003B6C4                            ; CODE XREF: CPLD_GetBoardVersion+20j
P4:4003B6C4                 MOV     R1, #SPI2_CS_CPLD ; Rd = Op2
P4:4003B6C8                 STR     R1, [SP,#0x18+Buff] ; Store to Memory
P4:4003B6CC                 ADD     R2, SP, #0x18+Buff ; Buff
P4:4003B6D0                 MOV     R1, IO_IOCTL_SPI_SET_CS ; Code
P4:4003B6D8                 MOVS    R0, R4          ; hFile
P4:4003B6DC                 BL      io_ioctl        ; Code:
P4:4003B6DC                                         ; (nr & 0xFF)
P4:4003B6DC                                         ; (type&0xFF) << 8
P4:4003B6DC                                         ; (size&0x3FFF) <<16
P4:4003B6DC                                         ; (dir & 3) << 30
P4:4003B6DC                                         ;
P4:4003B6DC                                         ; Size&dir = 0
P4:4003B6E0 ;-- 7,0 -> SPI
P4:4003B6E0                 MOV     R1, #7          ; Rd = Op2
P4:4003B6E4                 STRB    R1, [SP,#0x18+IoBuffer] ; Store to Memory
P4:4003B6E8                 MOV     R1, #0          ; Rd = Op2
P4:4003B6EC                 STRB    R1, [SP,#0x18+IoBuffer+1] ; Store to Memory
P4:4003B6F0                 MOV     R2, #2          ; len
P4:4003B6F4                 MOVS    R1, SP          ; Buffer
P4:4003B6F8                 MOVS    R0, R4          ; hOut
P4:4003B6FC                 BL      write           ; Branch with Link
P4:4003B700                 MOV     R1, #1          ; denominator
P4:4003B704                 BL      __aeabi_uidivmod ; On exit:
P4:4003B704                                         ; R0 - division result
P4:4003B704                                         ; R1 - division remainder
P4:4003B708                 MOV     R0, #20         ; microseconds
P4:4003B70C                 BL      Delay_mks_      ; Branch with Link
P4:4003B710 ;---
P4:4003B710                 MOV     R2, #2          ; Len
P4:4003B714                 MOVS    R1, SP          ; Buffer
P4:4003B718                 MOVS    R0, R4          ; hFile
P4:4003B71C                 BL      read            ; Branch with Link
P4:4003B720                 MOV     R1, #1          ; denominator
P4:4003B724                 BL      __aeabi_uidivmod ; On exit:
P4:4003B724                                         ; R0 - division result
P4:4003B724                                         ; R1 - division remainder
P4:4003B728 ;--
P4:4003B728                 LDRB    R0, [SP,#0x18+IoBuffer+1] ; Load from Memory
P4:4003B72C                 MOVS    R5, R0,LSL#8    ; Rd = Op2
P4:4003B730 ;- 6,0 -> SPI
P4:4003B730                 MOV     R1, #6          ; Rd = Op2
P4:4003B734                 STRB    R1, [SP,#0x18+IoBuffer] ; Store to Memory
P4:4003B738                 MOV     R1, #0          ; Rd = Op2
P4:4003B73C                 STRB    R1, [SP,#0x18+IoBuffer+1] ; Store to Memory
P4:4003B740                 MOV     R2, #2          ; len
P4:4003B744                 MOVS    R1, SP          ; Buffer
P4:4003B748                 MOVS    R0, R4          ; hOut
P4:4003B74C                 BL      write           ; Branch with Link
P4:4003B750                 MOV     R1, #1          ; denominator
P4:4003B754                 BL      __aeabi_uidivmod ; On exit:
P4:4003B754                                         ; R0 - division result
P4:4003B754                                         ; R1 - division remainder
P4:4003B758                 MOV     R0, #20         ; microseconds
P4:4003B75C                 BL      Delay_mks_      ; Branch with Link
P4:4003B760 ;--
P4:4003B760                 MOV     R2, #2          ; Len
P4:4003B764                 MOVS    R1, SP          ; Buffer
P4:4003B768                 MOVS    R0, R4          ; hFile
P4:4003B76C                 BL      read            ; Branch with Link
P4:4003B770                 MOV     R1, #1          ; denominator
P4:4003B774                 BL      __aeabi_uidivmod ; On exit:
P4:4003B774                                         ; R0 - division result
P4:4003B774                                         ; R1 - division remainder
P4:4003B778                 LDRB    R0, [SP,#0x18+IoBuffer+1] ; Load from Memory
P4:4003B77C                 ORRS    R5, R0, R5      ; Rd = Op1 | Op2
P4:4003B780                 MOVS    R0, R5          ; Rd = Op2
P4:4003B784                 MOV     R0, R0,LSL#16   ; Rd = Op2
P4:4003B788                 MOVS    R0, R0,LSR#16   ; Rd = Op2
P4:4003B78C
P4:4003B78C locret_4003B78C                         ; CODE XREF: CPLD_GetBoardVersion+28j
P4:4003B78C                 LDMFD   SP!, {R1-R5,PC} ; Load Block from Memory
P4:4003B78C ; End of function CPLD_GetBoardVersion


New Function (with two subroutines):
Code: [Select]
P4_rw:4003B698 CPLD_GetBoardVersion                    ; CODE XREF: IsLogicalAnalyserPresent_+14p
P4_rw:4003B698                                         ; UpdateBoardVersion+20p
P4_rw:4003B698                                         ; Circuits_StartInit_13_1+10Cp
P4_rw:4003B698                                         ; KBD_StartInit+190p
P4_rw:4003B698                                         ; IsLogicalAnalyserPresent+20p
P4_rw:4003B698                                         ; SetupDS1104Z+174p
P4_rw:4003B698                                         ; TestPresenceDevices+Cp
P4_rw:4003B698
P4_rw:4003B698 IoBuffer        = -0x28
P4_rw:4003B698 var_24          = -0x24
P4_rw:4003B698 Array           = -0x20
P4_rw:4003B698
P4_rw:4003B698                 STMFD   SP!, {R4-R7,LR} ; Store Block to Memory
P4_rw:4003B69C                 SUB     SP, SP, #0x14   ; Rd = Op1 - Op2
P4_rw:4003B6A0                 LDR     R0, =pSPI2_BusHandle ; Load from Memory
P4_rw:4003B6A4                 LDR     R4, [R0]        ; Load from Memory
P4_rw:4003B6A8                 MOVS    R0, SP          ; Rd = Op2
P4_rw:4003B6AC                 MOV     R1, #0          ; Rd = Op2
P4_rw:4003B6B0                 STR     R1, [R0,#0x28+IoBuffer] ; Store to Memory
P4_rw:4003B6B4                 MOV     R6, #0          ; Rd = Op2
P4_rw:4003B6B8                 MOV     R5, #0          ; Rd = Op2
P4_rw:4003B6BC                 ADD     R0, SP, #0x28+Array ; Rd = Op1 + Op2
P4_rw:4003B6C0                 MOV     R1, #0          ; Rd = Op2
P4_rw:4003B6C4                 MOV     R2, #0          ; Rd = Op2
P4_rw:4003B6C8                 MOV     R3, #0          ; Rd = Op2
P4_rw:4003B6CC                 STMIA   R0!, {R1-R3}    ; Store Block to Memory
P4_rw:4003B6D0                 SUBS    R0, R0, #0xC    ; Rd = Op1 - Op2
P4_rw:4003B6D4 ;--
P4_rw:4003B6D4                 CMP     R4, #0          ; Set cond. codes on Op1 - Op2
P4_rw:4003B6D8                 BNE     loc_4003B6E4    ; Branch
P4_rw:4003B6DC                 MOV     R0, #0          ; Rd = Op2
P4_rw:4003B6E0                 B       RetFunc         ; Branch
P4_rw:4003B6E4 ; ---------------------------------------------------------------------------
P4_rw:4003B6E4
P4_rw:4003B6E4 loc_4003B6E4                            ; CODE XREF: CPLD_GetBoardVersion+40j
P4_rw:4003B6E4                 MOV     R1, #1          ; Rd = Op2
P4_rw:4003B6E8                 STR     R1, [SP,#0x28+var_24] ; Store to Memory
P4_rw:4003B6EC                 ADD     R2, SP, #0x28+var_24 ; Rd = Op1 + Op2
P4_rw:4003B6F0                 MOV     R1, 0xE14
P4_rw:4003B6F8                 MOVS    R0, R4          ; Rd = Op2
P4_rw:4003B6FC                 BL      io_ioctl        ; Branch with Link
P4_rw:4003B700 ;----
P4_rw:4003B700                 MOV     R5, #0          ; Rd = Op2
P4_rw:4003B704                 B       loc_4003B78C    ; Branch
P4_rw:4003B708 ; ---------------------------------------------------------------------------
P4_rw:4003B708
P4_rw:4003B708 Repeat6Answer                           ; CODE XREF: CPLD_GetBoardVersion+D0j
P4_rw:4003B708                 ADDS    R6, R6, #1      ; Rd = Op1 + Op2
P4_rw:4003B70C
P4_rw:4003B70C loc_4003B70C                            ; CODE XREF: CPLD_GetBoardVersion+178j
P4_rw:4003B70C                 ANDS    R6, R6, #0xFF   ; Rd = Op1 & Op2
P4_rw:4003B710                 CMP     R6, #5          ; Set cond. codes on Op1 - Op2
P4_rw:4003B714                 BCS     loc_4003B76C    ; Branch
P4_rw:4003B718 ;---
P4_rw:4003B718                 MOV     R1, #6          ; Rd = Op2
P4_rw:4003B71C                 STRB    R1, [SP,#0x28+IoBuffer] ; Store to Memory
P4_rw:4003B720                 MOV     R1, #0          ; Rd = Op2
P4_rw:4003B724                 STRB    R1, [SP,#0x28+IoBuffer+1] ; Store to Memory
P4_rw:4003B728                 MOV     R2, #2          ; Rd = Op2
P4_rw:4003B72C                 MOVS    R1, SP          ; Rd = Op2
P4_rw:4003B730                 MOVS    R0, R4          ; Rd = Op2
P4_rw:4003B734                 BL      write           ; Branch with Link
P4_rw:4003B738                 MOV     R1, #1          ; Rd = Op2
P4_rw:4003B73C                 BL      __aeabi_uidivmod ; Branch with Link
P4_rw:4003B740                 MOV     R0, #0x14       ; Rd = Op2
P4_rw:4003B744                 BL      Delay_mks_      ; Branch with Link
P4_rw:4003B748                 MOV     R2, #2          ; Rd = Op2
P4_rw:4003B74C                 MOVS    R1, SP          ; Rd = Op2
P4_rw:4003B750                 MOVS    R0, R4          ; Rd = Op2
P4_rw:4003B754                 BL      read            ; Branch with Link
P4_rw:4003B758                 MOV     R1, #1          ; Rd = Op2
P4_rw:4003B75C                 BL      __aeabi_uidivmod ; Branch with Link
P4_rw:4003B760                 LDRB    R0, [SP,#0x28+IoBuffer] ; Load from Memory
P4_rw:4003B764                 CMP     R0, #6          ; Set cond. codes on Op1 - Op2
P4_rw:4003B768                 BNE     Repeat6Answer   ; Branch
P4_rw:4003B76C
P4_rw:4003B76C loc_4003B76C                            ; CODE XREF: CPLD_GetBoardVersion+7Cj
P4_rw:4003B76C                 LDRB    R0, [SP,#0x28+IoBuffer+1] ; Load from Memory
P4_rw:4003B770                 ORRS    R7, R0, R7      ; Rd = Op1 | Op2
P4_rw:4003B774                 MOVS    R0, R5          ; Rd = Op2
P4_rw:4003B778                 ANDS    R0, R0, #0xFF   ; Rd = Op1 & Op2
P4_rw:4003B77C                 MOVS    R0, R0,LSL#1    ; Rd = Op2
P4_rw:4003B780                 ADD     R1, SP, #0x28+Array ; Rd = Op1 + Op2
P4_rw:4003B784                 STRH    R7, [R0,R1]     ; Store to Memory
P4_rw:4003B788                 ADDS    R5, R5, #1      ; Rd = Op1 + Op2
P4_rw:4003B78C
P4_rw:4003B78C loc_4003B78C                            ; CODE XREF: CPLD_GetBoardVersion+6Cj
P4_rw:4003B78C                 ANDS    R5, R5, #0xFF   ; Rd = Op1 & Op2
P4_rw:4003B790                 CMP     R5, #5          ; Set cond. codes on Op1 - Op2
P4_rw:4003B794                 BCS     loc_4003B814    ; Branch
P4_rw:4003B798                 MOV     R6, #0          ; Rd = Op2
P4_rw:4003B79C                 B       loc_4003B7A4    ; Branch
P4_rw:4003B7A0 ; ---------------------------------------------------------------------------
P4_rw:4003B7A0
P4_rw:4003B7A0 No7Answer                               ; CODE XREF: CPLD_GetBoardVersion+168j
P4_rw:4003B7A0                 ADDS    R6, R6, #1      ; Rd = Op1 + Op2
P4_rw:4003B7A4
P4_rw:4003B7A4 loc_4003B7A4                            ; CODE XREF: CPLD_GetBoardVersion+104j
P4_rw:4003B7A4                 ANDS    R6, R6, #0xFF   ; Rd = Op1 & Op2
P4_rw:4003B7A8                 CMP     R6, #5          ; Set cond. codes on Op1 - Op2
P4_rw:4003B7AC                 BCS     loc_4003B804    ; Branch
P4_rw:4003B7B0 ;---
P4_rw:4003B7B0                 MOV     R1, #7          ; Rd = Op2
P4_rw:4003B7B4                 STRB    R1, [SP,#0x28+IoBuffer] ; Store to Memory
P4_rw:4003B7B8                 MOV     R1, #0          ; Rd = Op2
P4_rw:4003B7BC                 STRB    R1, [SP,#0x28+IoBuffer+1] ; Store to Memory
P4_rw:4003B7C0                 MOV     R2, #2          ; Rd = Op2
P4_rw:4003B7C4                 MOVS    R1, SP          ; Rd = Op2
P4_rw:4003B7C8                 MOVS    R0, R4          ; Rd = Op2
P4_rw:4003B7CC                 BL      write           ; Branch with Link
P4_rw:4003B7D0                 MOV     R1, #1          ; Rd = Op2
P4_rw:4003B7D4                 BL      __aeabi_uidivmod ; Branch with Link
P4_rw:4003B7D8                 MOV     R0, #0x14       ; Rd = Op2
P4_rw:4003B7DC                 BL      Delay_mks_      ; Branch with Link
P4_rw:4003B7E0                 MOV     R2, #2          ; Rd = Op2
P4_rw:4003B7E4                 MOVS    R1, SP          ; Rd = Op2
P4_rw:4003B7E8                 MOVS    R0, R4          ; Rd = Op2
P4_rw:4003B7EC                 BL      read            ; Branch with Link
P4_rw:4003B7F0                 MOV     R1, #1          ; Rd = Op2
P4_rw:4003B7F4                 BL      __aeabi_uidivmod ; Branch with Link
P4_rw:4003B7F8                 LDRB    R0, [SP,#0x28+IoBuffer] ; Load from Memory
P4_rw:4003B7FC                 CMP     R0, #7          ; Set cond. codes on Op1 - Op2
P4_rw:4003B800                 BNE     No7Answer       ; Branch
P4_rw:4003B804
P4_rw:4003B804 loc_4003B804                            ; CODE XREF: CPLD_GetBoardVersion+114j
P4_rw:4003B804                 LDRB    R0, [SP,#0x28+IoBuffer+1] ; Load from Memory
P4_rw:4003B808                 MOVS    R7, R0,LSL#8    ; Rd = Op2
P4_rw:4003B80C                 MOV     R6, #0          ; Rd = Op2
P4_rw:4003B810                 B       loc_4003B70C    ; Branch
P4_rw:4003B814 ; ---------------------------------------------------------------------------
P4_rw:4003B814
P4_rw:4003B814 loc_4003B814                            ; CODE XREF: CPLD_GetBoardVersion+FCj
P4_rw:4003B814                 MOV     R1, #5          ; Length
P4_rw:4003B818                 ADD     R0, SP, #0x28+Array ; Array
P4_rw:4003B81C                 BL      NewBoardVersionAnalyser ; Branch with Link
P4_rw:4003B820                 MOVS    R7, R0          ; Rd = Op2
P4_rw:4003B824                 MOVS    R0, R7          ; Rd = Op2
P4_rw:4003B828                 MOV     R0, R0,LSL#16   ; Rd = Op2
P4_rw:4003B82C                 MOVS    R0, R0,LSR#16   ; Rd = Op2
P4_rw:4003B830
P4_rw:4003B830 RetFunc                                 ; CODE XREF: CPLD_GetBoardVersion+48j
P4_rw:4003B830                 ADD     SP, SP, #0x14   ; Rd = Op1 + Op2
P4_rw:4003B834                 LDMFD   SP!, {R4-R7,PC} ; Load Block from Memory
P4_rw:4003B834 ; End of function CPLD_GetBoardVersion




P4_rw:4003C0EC ; int __cdecl NewBoardVersionRecodeFind(__int16 *, int Len, __int16 FindCode)
P4_rw:4003C0EC NewBoardVersionRecodeFind               ; CODE XREF: NewBoardVersionAnalyser+44p
P4_rw:4003C0EC                                         ; NewBoardVersionAnalyser+74p
P4_rw:4003C0EC R12_Index = R12
P4_rw:4003C0EC                 STMFD   SP!, {LR}       ; Store Block to Memory
P4_rw:4003C0F0                 MOV     R3, #0          ; Rd = Op2
P4_rw:4003C0F4                 MOV     R12_Index, #0   ; Rd = Op2
P4_rw:4003C0F8                 B       loc_4003C128    ; Branch
P4_rw:4003C0FC ; ---------------------------------------------------------------------------
P4_rw:4003C0FC
P4_rw:4003C0FC loc_4003C0FC                            ; CODE XREF: NewBoardVersionRecodeFind+50j
P4_rw:4003C0FC                 MOVS    LR, R12_Index   ; Rd = Op2
P4_rw:4003C100                 MOV     LR, LR,LSL#16   ; Rd = Op2
P4_rw:4003C104                 MOVS    LR, LR,LSR#16   ; Rd = Op2
P4_rw:4003C108                 MOVS    LR, LR,LSL#1    ; Rd = Op2
P4_rw:4003C10C                 LDRH    LR, [LR,R0]     ; Load from Memory
P4_rw:4003C110                 MOV     R2, R2,LSL#16   ; Rd = Op2
P4_rw:4003C114                 MOVS    R2, R2,LSR#16   ; Rd = Op2
P4_rw:4003C118                 CMP     LR, R2          ; Set cond. codes on Op1 - Op2
P4_rw:4003C11C                 BNE     loc_4003C124    ; Branch
P4_rw:4003C120                 ADDS    R3, R3, #1      ; Rd = Op1 + Op2
P4_rw:4003C124
P4_rw:4003C124 loc_4003C124                            ; CODE XREF: NewBoardVersionRecodeFind+30j
P4_rw:4003C124                 ADDS    R12_Index, R12_Index, #1 ; Rd = Op1 + Op2
P4_rw:4003C128
P4_rw:4003C128 loc_4003C128                            ; CODE XREF: NewBoardVersionRecodeFind+Cj
P4_rw:4003C128                 MOV     R12_Index, R12_Index,LSL#16 ; Rd = Op2
P4_rw:4003C12C                 MOVS    R12_Index, R12_Index,LSR#16 ; Rd = Op2
P4_rw:4003C130                 MOV     R1, R1,LSL#16   ; Rd = Op2
P4_rw:4003C134                 MOVS    R1, R1,LSR#16   ; Rd = Op2
P4_rw:4003C138                 CMP     R12_Index, R1   ; Set cond. codes on Op1 - Op2
P4_rw:4003C13C                 BCC     loc_4003C0FC    ; Branch
P4_rw:4003C140                 MOVS    R0, R3          ; Rd = Op2
P4_rw:4003C144                 MOV     R0, R0,LSL#16   ; Rd = Op2
P4_rw:4003C148                 MOVS    R0, R0,LSR#16   ; Rd = Op2
P4_rw:4003C14C                 LDMFD   SP!, {PC}       ; Load Block from Memory
P4_rw:4003C14C ; End of function NewBoardVersionRecodeFind
P4_rw:4003C14C
P4_rw:4003C150
P4_rw:4003C150 ; =============== S U B R O U T I N E =======================================
P4_rw:4003C150
P4_rw:4003C150
P4_rw:4003C150 ; int __cdecl NewBoardVersionAnalyser(__int16 *Array, int Length)
P4_rw:4003C150 NewBoardVersionAnalyser                 ; CODE XREF: CPLD_GetBoardVersion+184p
P4_rw:4003C150                 STMFD   SP!, {R4-R8,LR} ; Store Block to Memory
P4_rw:4003C154                 MOVS    R4, R0          ; Rd = Op2
P4_rw:4003C158                 MOVS    R5, R1          ; Rd = Op2
P4_rw:4003C15C                 MOV     R6, #0          ; Rd = Op2
P4_rw:4003C160                 LDRH    R0, [R4]        ; Load from Memory
P4_rw:4003C164                 MOVS    R6, R0          ; Rd = Op2
P4_rw:4003C168                 MOV     R7, #0          ; Rd = Op2
P4_rw:4003C16C                 B       loc_4003C1F4    ; Branch
P4_rw:4003C170 ; ---------------------------------------------------------------------------
P4_rw:4003C170
P4_rw:4003C170 loc_4003C170                            ; CODE XREF: NewBoardVersionAnalyser+B8j
P4_rw:4003C170                 MOVS    R0, R7          ; Rd = Op2
P4_rw:4003C174                 MOV     R0, R0,LSL#16   ; Rd = Op2
P4_rw:4003C178                 MOVS    R0, R0,LSR#16   ; Rd = Op2
P4_rw:4003C17C                 MOVS    R0, R0,LSL#1    ; Rd = Op2
P4_rw:4003C180                 LDRH    R2, [R0,R4]     ; FindCode
P4_rw:4003C184                 MOVS    R1, R5          ; Rd = Op2
P4_rw:4003C188                 MOV     R1, R1,LSL#16   ; Rd = Op2
P4_rw:4003C18C                 MOVS    R1, R1,LSR#16   ; Len
P4_rw:4003C190                 MOVS    R0, R4          ; __int16 *
P4_rw:4003C194                 BL      NewBoardVersionRecodeFind ; Branch with Link
P4_rw:4003C198                 MOVS    R8, R0          ; Rd = Op2
P4_rw:4003C19C                 MOVS    R0, R7          ; Rd = Op2
P4_rw:4003C1A0                 MOV     R0, R0,LSL#16   ; Rd = Op2
P4_rw:4003C1A4                 MOVS    R0, R0,LSR#16   ; Rd = Op2
P4_rw:4003C1A8                 MOVS    R0, R0,LSL#1    ; Rd = Op2
P4_rw:4003C1AC                 ADDS    R0, R0, R4      ; Rd = Op1 + Op2
P4_rw:4003C1B0                 LDRH    R2, [R0,#2]     ; FindCode
P4_rw:4003C1B4                 MOVS    R1, R5          ; Rd = Op2
P4_rw:4003C1B8                 MOV     R1, R1,LSL#16   ; Rd = Op2
P4_rw:4003C1BC                 MOVS    R1, R1,LSR#16   ; Len
P4_rw:4003C1C0                 MOVS    R0, R4          ; __int16 *
P4_rw:4003C1C4                 BL      NewBoardVersionRecodeFind ; Branch with Link
P4_rw:4003C1C8                 MOV     R8, R8,LSL#16   ; Rd = Op2
P4_rw:4003C1CC                 MOVS    R8, R8,LSR#16   ; Rd = Op2
P4_rw:4003C1D0                 CMP     R8, R0          ; Set cond. codes on Op1 - Op2
P4_rw:4003C1D4                 BCS     loc_4003C1F0    ; Branch
P4_rw:4003C1D8                 MOVS    R0, R7          ; Rd = Op2
P4_rw:4003C1DC                 MOV     R0, R0,LSL#16   ; Rd = Op2
P4_rw:4003C1E0                 MOVS    R0, R0,LSR#16   ; Rd = Op2
P4_rw:4003C1E4                 MOVS    R0, R0,LSL#1    ; Rd = Op2
P4_rw:4003C1E8                 ADDS    R0, R0, R4      ; Rd = Op1 + Op2
P4_rw:4003C1EC                 LDRH    R6, [R0,#2]     ; Load from Memory
P4_rw:4003C1F0
P4_rw:4003C1F0 loc_4003C1F0                            ; CODE XREF: NewBoardVersionAnalyser+84j
P4_rw:4003C1F0                 ADDS    R7, R7, #1      ; Rd = Op1 + Op2
P4_rw:4003C1F4
P4_rw:4003C1F4 loc_4003C1F4                            ; CODE XREF: NewBoardVersionAnalyser+1Cj
P4_rw:4003C1F4                 MOV     R7, R7,LSL#16   ; Rd = Op2
P4_rw:4003C1F8                 MOVS    R7, R7,LSR#16   ; Rd = Op2
P4_rw:4003C1FC                 MOV     R5, R5,LSL#16   ; Rd = Op2
P4_rw:4003C200                 MOVS    R5, R5,LSR#16   ; Rd = Op2
P4_rw:4003C204                 CMP     R7, R5          ; Set cond. codes on Op1 - Op2
P4_rw:4003C208                 BCC     loc_4003C170    ; Branch
P4_rw:4003C20C                 MOVS    R0, R6          ; Rd = Op2
P4_rw:4003C210                 MOV     R0, R0,LSL#16   ; Rd = Op2
P4_rw:4003C214                 MOVS    R0, R0,LSR#16   ; Rd = Op2
P4_rw:4003C218                 LDMFD   SP!, {R4-R8,PC} ; Load Block from Memory
P4_rw:4003C218 ; End of function NewBoardVersionAnalyser


It's possible that this should help with hang-ups during the boot phase.


- A noticeably changed function that loads data from the FPGA to the CPU.
- In one firmware update function, the checksum check is removed.

Perhaps there are still some small (in terms of code size) changes.

Address offset
Code:
;New Old delta

4003B558 4003B558 0
4003B698 4003B698 0    (changed func board_version)
4003B83C 4003B794 A8
4003B864 4003B7BC A8
4003BC80 4003BBD8 A8
4003C024 4003BF7C A8   (2 dword after)
4003C068 4003BFB8 B0
; New function
4003C0EC -
4003C150 -
4003C21C 4003C02C 1F0 (3->9 dword after)
4003C54C 4003C374 1D8 (2->3 dword after)
4003C618 4003C43C 1DC (no dword after)
4003C984 4003C7AC 1D8
4003CA2C 4003C854 1D8 (1 dword after)
4003CB44 4003C968 1DC (3->2 dword after)
4003CBA4 4003C9CC 1D8
4003C54C 4003C374 1D8
4003CA2C 4003C854 1D8
4003CE9C 4003CCC4 1D8 (changed read wave func + 1 dword after)
4003D8A0 4003D5D8 2C8
4003D9E0 4003D718 2C8 (3 dword after)
4003DA44 4003D770 2D4 (1 dword after)
4003DAC8 4003D7F8 2D0 (2->1 dword after)
4003DAEC 4003D820 2CC

4003FA3C 4003F778 2C4
40042F38 40042C74 2C4
40055CBC 400559F8 2C4
4005B3EC 4005B128 2C4
40063504 40063240 2C4
40063790 400634CC 2C4
40063848 40063584 2C4
40064164 40063EA0 2C4 (No CRC Check now)
40064330 40064090 2A0
40064B28 40064888 2A0
40066F0C 40066C6C 2A0
400682EC 4006804C 2A0
400B44F0 400B4250 2A0
400BB0F4 400BAE54 2A0
;
400F5A24 400F5788 29C
400F65B0 400F6314 29C
400F6940 400F66A4 29C
;
40149784 401494F4 290
402386B4 40238424 290
402523A4 40252114 290
;
402A4F34 402A4CB4 280
4031AFE8 4031AD68 280
40329D88 40329B08 280
4032A282 4032A002 280
4032A367 4032A0E7 280  (Reloc start)
;RAM
406BAB90 406BAB90 0 (Clear Area)
4075AEF8 4075AEF8




 
The following users thanked this post: nrxnrx
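To make the new NewBoardVersionAnalyser listing above easier to follow, here is an added Python reading of it (example code, not Rigol's firmware and not from the post). The loop keeps array[0] as the running answer and, for each index i, compares the return value of NewBoardVersionRecodeFind for array[i] (R8, truncated to 16 bits) with that for array[i+1] (R0); when BCS is not taken, i.e. the neighbour scores higher, the neighbour becomes the answer. The body of NewBoardVersionRecodeFind is not in the listing, so the assumption here is that it counts how often a halfword occurs in the first Length elements, which is the reading that makes the comparison meaningful (a majority vote over repeated CPLD reads, consistent with the remark that this may address boot hang-ups). One thing the listing makes visible: the load at 4003C1B0 uses index i+1 on every iteration including i == Length-1, so the routine touches array[Length], one halfword beyond the length it was given; the Python version raises instead of reading past the end. The sample reads are constructed.

```python
from typing import Sequence


def recode_find(array: Sequence[int], length: int, code: int) -> int:
    """Assumed behaviour of NewBoardVersionRecodeFind (not in the listing):
    count how many of the first `length` halfwords equal `code`."""
    code &= 0xFFFF
    return sum(1 for v in array[:length] if (v & 0xFFFF) == code)


def board_version_analyser(array: Sequence[int], length: int) -> int:
    """Python reading of the loop at 4003C150..4003C218.

    R6 starts as array[0].  For i in 0..length-1 the count of array[i] (R8,
    masked to 16 bits by the LSL/LSR pair) is compared with the count of
    array[i+1] (R0); BCS skips the update when R8 >= R0 (unsigned), so the
    neighbour wins only when it is strictly more frequent.  The last
    iteration loads array[length], so length+1 elements are required."""
    length &= 0xFFFF
    if len(array) <= length:
        raise ValueError("listing reads array[length]; supply length+1 halfwords")
    result = array[0] & 0xFFFF
    for i in range(length):
        here = recode_find(array, length, array[i]) & 0xFFFF   # R8
        nxt = recode_find(array, length, array[i + 1])         # R0
        if here < nxt:                                         # BCS not taken
            result = array[i + 1] & 0xFFFF
    return result


def demo() -> tuple:
    """Constructed example: five reads of a board-version register (plus the
    extra element the loop touches), once clean and once with a glitched read."""
    clean = [0x0104] * 6
    glitched = [0xFFFF, 0x0104, 0x0104, 0x0104, 0x0104, 0x0104]
    return board_version_analyser(clean, 5), board_version_analyser(glitched, 5)


if __name__ == "__main__":
    print([hex(v) for v in demo()])
```

Note that this is not a true mode computation: only neighbouring elements are compared, so with two values tied on count the first one read is kept.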

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #40 on: May 12, 2018, 01:21:34 pm »
The complete E-Safenet key is:

Code:
0xD0, 0xCA, 0x19, 0x8E, 0x9C, 0x92, 0x1E, 0xE9, 0x72, 0xC5, 0x57, 0x1F, 0x54, 0x49, 0x1A, 0xD0,
0x04, 0xA3, 0x55, 0x21, 0xE7, 0xD9, 0xC7, 0xA0, 0x4C, 0x91, 0x5C, 0xDC, 0x6C, 0x27, 0xF3, 0xBA,
0x21, 0x02, 0x89, 0xB6, 0xD8, 0x61, 0x2E, 0x1D, 0x93, 0xC8, 0xAF, 0x3C, 0x59, 0x7D, 0x91, 0x60,
0x9F, 0xBE, 0xA9, 0x6B, 0xF5, 0xE4, 0x68, 0xFA, 0xDC, 0x47, 0xDA, 0x1C, 0x35, 0xED, 0x63, 0x30,
0x06, 0xCD, 0x18, 0x3F, 0xAB, 0xA2, 0x51, 0xC0, 0xDE, 0x89, 0x3D, 0x47, 0xCF, 0x16, 0xB1, 0xA8,
0x4F, 0x2E, 0x28, 0xE2, 0x09, 0x8F, 0x78, 0x60, 0x77, 0x81, 0x6B, 0x13, 0xF9, 0x0D, 0x70, 0xDA,
0x5B, 0xC1, 0xBF, 0x7B, 0xC8, 0xEF, 0x11, 0xAF, 0x8C, 0x1C, 0xE1, 0x9F, 0xA0, 0x0F, 0x2A, 0x76,
0x8B, 0xB9, 0x97, 0x7D, 0xFB, 0x12, 0xC5, 0x7C, 0x7E, 0xBE, 0x54, 0x22, 0xC7, 0xD8, 0xEF, 0x62,
0x27, 0xFA, 0x79, 0x41, 0x87, 0x85, 0xC4, 0xC2, 0x70, 0x5F, 0x15, 0x1E, 0xE8, 0x02, 0x13, 0x3D,
0xD5, 0x3F, 0x78, 0x17, 0x61, 0xEC, 0xF3, 0x91, 0x0C, 0xDB, 0xE3, 0x48, 0x13, 0x9E, 0x8B, 0xA5,
0x74, 0x47, 0x1A, 0xFD, 0xB3, 0x5A, 0x52, 0x20, 0x2A, 0x9E, 0x29, 0xB6, 0x9B, 0xC2, 0x84, 0xD7,
0x16, 0x98, 0x5D, 0x5F, 0xEE, 0x65, 0x33, 0x2E, 0x2B, 0xD5, 0xC8, 0x4E, 0x8F, 0x67, 0x27, 0x7E,
0xB2, 0x9C, 0xE6, 0xDA, 0x61, 0x75, 0x17, 0x66, 0xE5, 0x01, 0x74, 0xE2, 0xFE, 0x8E, 0x7A, 0x0F,
0xD1, 0x4A, 0x6A, 0x9D, 0x69, 0x87, 0x3E, 0x39, 0x21, 0x0C, 0x81, 0x0E, 0x8F, 0x17, 0x78, 0xE4,
0xC7, 0x67, 0xB8, 0x75, 0x34, 0x8F, 0x00, 0x3E, 0x72, 0x3A, 0x3F, 0x16, 0x1E, 0x47, 0x8A, 0xF6,
0x04, 0xC9, 0x01, 0x76, 0xD9, 0x61, 0x8D, 0x28, 0x07, 0xC9, 0xE7, 0x09, 0x49, 0xB2, 0xEA, 0xBF,
0x14, 0x2E, 0xAD, 0x1D, 0x02, 0xA1, 0x2E, 0xD9, 0x0F, 0x46, 0xE2, 0xE6, 0xCE, 0xD2, 0x84, 0xEB,
0xB3, 0x41, 0x5D, 0xFB, 0xF0, 0x2F, 0xEF, 0x45, 0x01, 0xE4, 0x34, 0x69, 0x35, 0xD4, 0x91, 0x1D,
0xF1, 0x26, 0x39, 0xA9, 0x6E, 0xAF, 0xC7, 0xCA, 0xCC, 0xEC, 0xB7, 0x3A, 0x18, 0x1E, 0xA9, 0xCD,
0xCE, 0x58, 0x28, 0xEC, 0xDD, 0x58, 0x26, 0x2C, 0x8F, 0x65, 0x63, 0x36, 0x63, 0xA4, 0x2B, 0x7D,
0x89, 0x84, 0xD6, 0x15, 0xE6, 0x41, 0x44, 0x8A, 0x23, 0x69, 0x49, 0xE1, 0x3B, 0x60, 0x85, 0x52,
0xF9, 0x41, 0x65, 0x26, 0x7C, 0x10, 0x79, 0x69, 0xAA, 0xFA, 0xCE, 0x0D, 0x21, 0x5C, 0xE6, 0x44,
0x26, 0x37, 0x6C, 0x7A, 0x93, 0xB1, 0x1E, 0x81, 0xA0, 0x32, 0x7B, 0xA7, 0xC3, 0x2F, 0x0C, 0xB4,
0x9F, 0x01, 0x57, 0xA5, 0x3B, 0x3D, 0xE1, 0x44, 0x17, 0xB1, 0x58, 0xA5, 0x8D, 0xBF, 0xAF, 0xB5,
0x0B, 0xC5, 0x3D, 0x8C, 0x65, 0xA2, 0x97, 0xA0, 0x56, 0x60, 0x28, 0x06, 0x70, 0xDC, 0xE8, 0x25,
0x82, 0x1E, 0xD4, 0x61, 0xAC, 0x31, 0x28, 0x96, 0x42, 0x6F, 0x52, 0x6E, 0x0A, 0x23, 0x33, 0xEC,
0x28, 0xC3, 0x75, 0x44, 0x53, 0xED, 0xD3, 0x85, 0x69, 0x3B, 0xEB, 0xC3, 0x4D, 0x38, 0xA1, 0xBB,
0x80, 0xD7, 0xCD, 0x51, 0xF2, 0x15, 0xAB, 0x29, 0x0B, 0x22, 0xEF, 0xCE, 0xED, 0xF8, 0xC1, 0xF7,
0xFC, 0x56, 0xEA, 0x80, 0x73, 0x1A, 0x18, 0xFD, 0x5D, 0x37, 0x6F, 0x38, 0x70, 0xAB, 0x64, 0xC5,
0x35, 0xBD, 0x52, 0xD5, 0xEF, 0xFA, 0xB7, 0x43, 0xFF, 0xA8, 0x7A, 0x75, 0x59, 0x38, 0x87, 0x53,
0xB6, 0x50, 0xD8, 0xEB, 0xB9, 0x0E, 0xA3, 0x6B, 0x70, 0x58, 0x47, 0xEB, 0x42, 0xFE, 0x05, 0xBC,
0x1F, 0xA3, 0xE8, 0x75, 0x61, 0x96, 0xC4, 0xC1, 0x68, 0x22, 0x60, 0xA5, 0xB3, 0x7B, 0x3F, 0x8F

The last part of the release notes is:
Code:
easure
     - Fixed the bug of information display

[History]
-------------
v00.04.04.01.01  2016/09/14
    - Supported the multi-inteface of LXI
     - Fixed bugs about Measure

v00.04.04.00.07  2016/07/19
     - Added the full-screen display in the XY mode
     - Modified the Trace data of average sample mode
     - Fixed the bug of system halted for wve persistance in the Zoom mode
     - Fixed bugs about Measure

v00.04.03.02.03   2015/10/20
     - Added commands concerning the type and format of the image
     - Added four measurement items (+Pulses, -Pulses, +Edges, -Edges) and
       relate commands
     - Added commands concerning the digital filter
     - Added more information to the last setting

     - Fixed option installation
     - Fixed Intg operation

v00.04.03.01.05   2015/06/16
     - Added French in system language
    - Added the mutual communication with DG4000 Series
     - Added the digital filter
     - Supported using memory data to carry out FFT operation
     - Supported invert and format setting when reading a image remotely

     - Fixed bugs when the dta of the digital channel is saved in the CSV
       format

v00.04.03.00.01   2015/05/05
     - Added DS1104Z Plus and DS1074Z Plus

     - Fixed pass/fail test
     - Fixed FFT operation

v00.04.02.04.07   2014/12/31
     - Fixed triggering fuction
     - Fixed storage function
     - Fixed bugs of jitter in the signal under the AC or low-frequency
       coupling

v00.04.02.03.00   2014/10/21
     - Added commands concerning remote reading and download of pass/fail test
       rules
     - Improved the command set for decoding and waveform recording

     - Fixed bugs in RS232 decoding

v00.04.01.02.00   2014/07/28
     - Added traditional Chinese language for the measurement menu
     - Optimized the event table display
    - Pressed and held [Measure] to remove all the measurement items
     - Added hardware version number to the displayed system information

     - Fixed bugs in storage function
     - Fixed bugs in the Undo operation for AUTO
     - Fixed bugs i signal source function

v00.04.00.00.00   2014/03/18
     - Added remote reading of LA waveform data
     - Added commands concerning the measurement of MATH waveform
     - Optimized the prompt message of LA probe calibration

     - Fixed bugsin triggering function

v00.02.03.05.00   2014/01/27
     - Added the command set for the keypad
     - Added multiple system languages
     - Optimize the prompt message of LA probe calibration

     - Fixed bugs in frequency counter
     - Fixedbugs in storage
     - Fixed the crash problem when formatting U disk in NTFS format

v00.02.01.01.00   2013/10/31
     - Added measurement history function
     - Added the setting for measurement range
     - Adjusted the priority order of the emote interface
     - Realized the seamless integration of digital oscilloscope and the signal
       generator
     - Optimized trigger state display

     - Fixed bugs in horizontal scale

v00.02.00.01.00   2013/09/02
     - Optimized the brighness of waveform display
     - Optimized the waiting time for the slow sweep mode

v00.01.00.16.09   2013/08/14
     - Supported the remote access to memory data

v00.01.00.13.09   2013/ 07/ 25
     - Added the export function of deep memory wavform data
     - Added the delay calibration function for the channel
     - Optimized the persistence time of waveform display

     - Fixed bugs in slow sweep

v00.01.00.12.08   2013/07/10
     - Optimized the USB Device interface communication

     - Fixed bugs in print function
     - Modified the abnormal trigger level line after the AUTO operation

v00.01.00.03.00   2013/05/21
     - Fixed bugs for the expiration of the trial options

v00.01.00.02.00   2013/05/19
     - Added the isplay interface of the installed option

v00.01.00.00.05   2013/05/19
     - Released the first edition

Just have to decompress the 1st 512 bytes (LZO). Now the python guys can easily do it.
« Last Edit: May 12, 2018, 03:48:37 pm by tv84 »
 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #41 on: May 12, 2018, 01:29:27 pm »
The complete E-Safenet key is:

Code:
0xD0, 0xCA, 0x19, 0x8E, 0x9C, 0x92, 0x1E, 0xE9, 0x72, 0xC5, 0x57, 0x1F, 0x54, 0x49, 0x1A, 0xD0,
0x04, 0xA3, 0x55, 0x21, 0xE7, 0xD9, 0xC7, 0xA0, 0x4C, 0x91, 0x5C, 0xDC, 0x6C, 0x27, 0xF3, 0xBA,
0x21, 0x02, 0x89, 0xB6, 0xD8, 0x61, 0x2E, 0x1D, 0x93, 0xC8, 0xAF, 0x3C, 0x59, 0x7D, 0x91, 0x60,
0x9F, 0xBE, 0xA9, 0x6B, 0xF5, 0xE4, 0x68, 0xFA, 0xDC, 0x47, 0xDA, 0x1C, 0x35, 0xED, 0x63, 0x30,
0x06, 0xCD, 0x18, 0x3F, 0xAB, 0xA2, 0x51, 0xC0, 0xDE, 0x89, 0x3D, 0x47, 0xCF, 0x16, 0xB1, 0xA8,
0x4F, 0x2E, 0x28, 0xE2, 0x09, 0x8F, 0x78, 0x60, 0x77, 0x81, 0x6B, 0x13, 0xF9, 0x0D, 0x70, 0xDA,
0x5B, 0xC1, 0xBF, 0x7B, 0xC8, 0xEF, 0x11, 0xAF, 0x8C, 0x1C, 0xE1, 0x9F, 0xA0, 0x0F, 0x2A, 0x76,
0x8B, 0xB9, 0x97, 0x7D, 0xFB, 0x12, 0xC5, 0x7C, 0x7E, 0xBE, 0x54, 0x22, 0xC7, 0xD8, 0xEF, 0x62,
0x27, 0xFA, 0x79, 0x41, 0x87, 0x85, 0xC4, 0xC2, 0x70, 0x5F, 0x15, 0x1E, 0xE8, 0x02, 0x13, 0x3D,
0xD5, 0x3F, 0x78, 0x17, 0x61, 0xEC, 0xF3, 0x91, 0x0C, 0xDB, 0xE3, 0x48, 0x13, 0x9E, 0x8B, 0xA5,
0x74, 0x47, 0x1A, 0xFD, 0xB3, 0x5A, 0x52, 0x20, 0x2A, 0x9E, 0x29, 0xB6, 0x9B, 0xC2, 0x84, 0xD7,
0x16, 0x98, 0x5D, 0x5F, 0xEE, 0x65, 0x33, 0x2E, 0x2B, 0xD5, 0xC8, 0x4E, 0x8F, 0x67, 0x27, 0x7E,
0xB2, 0x9C, 0xE6, 0xDA, 0x61, 0x75, 0x17, 0x66, 0xE5, 0x01, 0x74, 0xE2, 0xFE, 0x8E, 0x7A, 0x0F,
0xD1, 0x4A, 0x6A, 0x9D, 0x69, 0x87, 0x3E, 0x39, 0x21, 0x0C, 0x81, 0x0E, 0x8F, 0x17, 0x78, 0xE4,
0xC7, 0x67, 0xB8, 0x75, 0x34, 0x8F, 0x00, 0x3E, 0x72, 0x3A, 0x3F, 0x16, 0x1E, 0x47, 0x8A, 0xF6,
0x04, 0xC9, 0x01, 0x76, 0xD9, 0x61, 0x8D, 0x28, 0x07, 0xC9, 0xE7, 0x09, 0x49, 0xB2, 0xEA, 0xBF,
0x14, 0x2E, 0xAD, 0x1D, 0x02, 0xA1, 0x2E, 0xD9, 0x0F, 0x46, 0xE2, 0xE6, 0xCE, 0xD2, 0x84, 0xEB,
0xB3, 0x41, 0x5D, 0xFB, 0xF0, 0x2F, 0xEF, 0x45, 0x01, 0xE4, 0x34, 0x69, 0x35, 0xD4, 0x91, 0x1D,
0xF1, 0x26, 0x39, 0xA9, 0x6E, 0xAF, 0xC7, 0xCA, 0xCC, 0xEC, 0xB7, 0x3A, 0x18, 0x1E, 0xA9, 0xCD,
0xCE, 0x58, 0x28, 0xEC, 0xDD, 0x58, 0x26, 0x2C, 0x8F, 0x65, 0x63, 0x36, 0x63, 0xA4, 0x2B, 0x7D,
0x89, 0x84, 0xD6, 0x15, 0xE6, 0x41, 0x44, 0x8A, 0x23, 0x69, 0x49, 0xE1, 0x3B, 0x60, 0x85, 0x52,
0xF9, 0x41, 0x65, 0x26, 0x7C, 0x10, 0x79, 0x69, 0xAA, 0xFA, 0xCE, 0x0D, 0x21, 0x5C, 0xE6, 0x44,
0x26, 0x37, 0x6C, 0x7A, 0x93, 0xB1, 0x1E, 0x81, 0xA0, 0x32, 0x7B, 0xA7, 0xC3, 0x2F, 0x0C, 0xB4,
0x9F, 0x01, 0x57, 0xA5, 0x3B, 0x3D, 0xE1, 0x44, 0x17, 0xB1, 0x58, 0xA5, 0x8D, 0xBF, 0xAF, 0xB5,
0x0B, 0xC5, 0x3D, 0x8C, 0x65, 0xA2, 0x97, 0xA0, 0x56, 0x60, 0x28, 0x06, 0x70, 0xDC, 0xE8, 0x25,
0x82, 0x1E, 0xD4, 0x61, 0xAC, 0x31, 0x28, 0x96, 0x42, 0x6F, 0x52, 0x6E, 0x0A, 0x23, 0x33, 0xEC,
0x28, 0xC3, 0x75, 0x44, 0x53, 0xED, 0xD3, 0x85, 0x69, 0x3B, 0xEB, 0xC3, 0x4D, 0x38, 0xA1, 0xBB,
0x80, 0xD7, 0xCD, 0x51, 0xF2, 0x15, 0xAB, 0x29, 0x0B, 0x22, 0xEF, 0xCE, 0xED, 0xF8, 0xC1, 0xF7,
0xFC, 0x56, 0xEA, 0x80, 0x73, 0x1A, 0x18, 0xFD, 0x5D, 0x37, 0x6F, 0x38, 0x70, 0xAB, 0x64, 0xC5,
0x35, 0xBD, 0x52, 0xD5, 0xEF, 0xFA, 0xB7, 0x43, 0xFF, 0xA8, 0x7A, 0x75, 0x59, 0x38, 0x87, 0x53,
0xB6, 0x50, 0xD8, 0xEB, 0xB9, 0x0E, 0xA3, 0x6B, 0x70, 0x58, 0x47, 0xEB, 0x42, 0xFE, 0x05, 0xBC,
0x1F, 0xA3, 0xE8, 0x75, 0x61, 0x96, 0xC4, 0xC1, 0x68, 0x22, 0x60, 0xA5, 0xB3, 0x7B, 0x3F, 0x8F

The last part of the release notes is:

easure
     - Fixed the bug of information display

Just have to decompress the 1st 512 bytes (LZO). Now the python guys can easily do it.

Noob question, so the new encryption introduced is now cracked wide open?

Offline MattSR

  • Regular Contributor
  • *
  • Posts: 95
  • Country: au
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #42 on: May 12, 2018, 01:37:21 pm »
tv84 - great work!

How did you do it!?!
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #43 on: May 12, 2018, 01:37:59 pm »
Noob question, so the new encryption introduced is now cracked wide open?

Yes, but this was used only in the release notes. Nothing to do with the app compiled code. No change there.

Maybe the source code is also encrypted with this key... :)
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #44 on: May 12, 2018, 01:42:54 pm »
tv84 - great work!

How did you do it!?!

As Fungus was saying and I confirmed, the UTF-16 served as a confirmation of the method. Then, I just took the last 512 bytes of the previous release notes and XORed them with the last 512 bytes of the new release notes. Piece of cake.

BTW, without decompressing the LZO, the beginning of the release notes says something like:

ÿþ
[Supported Model] ¤
All the?
SO/DS10? Z Series Digita?Osci? o?opÌ
[La?st Revision?
¼¤2018/04/28l[UpdÜ  }Ctnts]?- m
(3n5d%6Dl¬- FixÔ-ç*lo?%t  bug of lxi-web?¤       t64* average m

So it seems it fixes a bug in the LXI-Web.
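For the "python guys" mentioned a few posts up, here is an added example of the method tv84 describes: known plaintext (the unchanged history tail of the previous notes) XORed against the corresponding ciphertext gives the 512-byte repeating key, and because the same key was reused for the new file, that key then decrypts the new notes outright. This is not tv84's script and the key and both notes files in it are constructed; the real 512-byte key above can be dropped into `apply_key` instead. One assumption is that the key phase is the absolute file offset modulo 512, which is why the segment's position in the file is passed along. The UTF-16 check tv84 and Fungus used as confirmation is included as `looks_like_utf16le_text`. The LZO-compressed first 512 bytes of the plaintext are not handled here; that would need an LZO decompressor on top. The last step of `demo` shows why key reuse is the real problem: with one keystream, `c1 ^ c2 == p1 ^ p2` without ever touching the key.

```python
import random

KEY_LEN = 512  # period of the XOR keystream seen in the thread


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equally long buffers."""
    if len(a) != len(b):
        raise ValueError("buffers differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def apply_key(data: bytes, key: bytes, file_offset: int = 0) -> bytes:
    """Encrypt or decrypt with a repeating key (XOR is its own inverse).
    Assumption: the key phase is the absolute file position modulo len(key)."""
    n = len(key)
    return bytes(b ^ key[(file_offset + i) % n] for i, b in enumerate(data))


def recover_key(cipher_seg: bytes, plain_seg: bytes, file_offset: int) -> bytes:
    """Known-plaintext step: key[(file_offset + i) % 512] = c[i] ^ p[i].
    The segment must cover a whole period.  Two positions that map to the same
    key byte but disagree mean the file is not a plain repeating-key XOR, so
    the function refuses rather than return garbage."""
    if len(cipher_seg) < KEY_LEN:
        raise ValueError("segment shorter than one 512-byte key period")
    key = bytearray(KEY_LEN)
    seen = bytearray(KEY_LEN)
    for i, d in enumerate(xor_bytes(cipher_seg, plain_seg)):
        k = (file_offset + i) % KEY_LEN
        if seen[k] and key[k] != d:
            raise ValueError(f"key byte {k} disagrees: not a repeating-key XOR")
        key[k], seen[k] = d, 1
    return bytes(key)


def looks_like_utf16le_text(data: bytes) -> bool:
    """The plausibility check the thread relied on: a UTF-16LE text file opens
    with the BOM FF FE and, for ASCII content, has a zero in every odd byte."""
    if len(data) < 4 or data[:2] != b"\xff\xfe":
        return False
    high = data[3:256:2]
    return high.count(0) >= 0.9 * len(high)


def demo() -> dict:
    """Constructed end-to-end run; key and notes are made up, not Rigol's."""
    rng = random.Random(2018)
    key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))

    # Two constructed UTF-16LE notes files: different head, identical history tail.
    tail = "[History]\n" + "".join(f"v00.00.00.00.{i:02d}  - Fixed bugs\n" for i in range(60))
    old_plain = b"\xff\xfe" + ("[Update Contents]\n- old entry\n" + tail).encode("utf-16-le")
    new_plain = b"\xff\xfe" + ("[Update Contents]\n- Fixed the bug of lxi-web\n" + tail).encode("utf-16-le")
    old_cipher = apply_key(old_plain, key)
    new_cipher = apply_key(new_plain, key)

    # Step 1: the tail of the old notes is known plaintext, so its last 512
    # ciphertext bytes give away the whole key.
    off = len(old_cipher) - KEY_LEN
    recovered = recover_key(old_cipher[off:], old_plain[off:], off)

    # Step 2: the key was reused, so it opens the new notes in one go.
    decrypted = apply_key(new_cipher, recovered)

    # Reuse is the root weakness: with one key, c1 ^ c2 == p1 ^ p2 holds
    # without knowing the key at all (the two-time-pad property).
    n = min(len(old_cipher), len(new_cipher))
    two_time_pad = xor_bytes(old_cipher[:n], new_cipher[:n]) == xor_bytes(old_plain[:n], new_plain[:n])

    return {"key_ok": recovered == key, "plain_ok": decrypted == new_plain,
            "utf16_ok": looks_like_utf16le_text(decrypted), "two_time_pad": two_time_pad}


if __name__ == "__main__":
    print(demo())
```

The consistency check in `recover_key` is worth keeping when trying this on a real file: if the key bytes disagree across the period, the cipher is something other than a 512-byte repeating XOR and the output would be noise.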

 

Offline Adrian_Arg.

  • Frequent Contributor
  • **
  • Posts: 420
  • Country: ar
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #45 on: May 12, 2018, 02:25:20 pm »
Novice question: the error of pluses, I have it already corrected by a Konnor file, but I cannot find it RNAGe RNAG
 

Offline JDubU

  • Frequent Contributor
  • **
  • Posts: 438
  • Country: us
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #46 on: May 12, 2018, 02:35:55 pm »
tv84.

Wow, really nice work!
Any chance you could decrypt the new release note for the DS2000A firmware as well?

http://www.rigol.com/File/ProductSoftWare/20180509/DS2000(DSP)update.rar

 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #47 on: May 12, 2018, 03:44:24 pm »
Here are fully decrypted release notes.

Enjoy!
 
The following users thanked this post: bitwelder, JDubU, ted572, s8548a, joeyjoejoe, zybizg

Offline JohnPen

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #48 on: May 12, 2018, 03:48:52 pm »
tv84  Many thanks for the decryption.

John
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 964
  • Country: fi
Re: New firmware Rigol DS1000Z 00.04.04.03.05 2018-05-09 (2018-02-28)
« Reply #49 on: May 12, 2018, 04:14:48 pm »
So the used 'key' doesn't seem to be any password/passphrase or other readable string, but rather a cryptographic nonce (except it has been used at least twice!)
 

