
Rigol DSXXXX .GEL firmware file format


Macbeth:
It's amusing to see this firmware .GEL cracking. I don't have a DSXXXX but I do have a DM3058 and its firmware is in an unencrypted format.

Much like this thread I have memory mapped lots of plain text strings, private storage for calibration data, found plenty of instances of obvious IEEE floating points. I've also found all the large and small character maps for English and Chinese characters.

I have an unhealthy reason for this, because I used Rigol's Ultrasensor software and it bricked my DM3058. Long story, but I didn't trust sending it back to them for unbricking and then using Ultrasensor again and bricking it all over.

I learned how to JTAG program it myself. Now I want to use it as a testbed to learn IDA with Blackfin. But then again I keep finding something better to do!  :-DD

laj:

--- Quote from: smithnerd on July 23, 2016, 04:33:05 pm ---I've been looking at SparrowBootloader.sb with this:

https://github.com/eewiki/elftosb


--- Code: ---$ ./sbtool SparrowBootloader.sb
---- Boot image header ----
Signature 1:           STMP
Signature 2:           sgtl
Format version:        1.1
Flags:                 0x0000
Image blocks:          19764
First boot tag block:  9
First boot section ID: 0x00000000
Key count:             1
Key dictionary block:  7
Header blocks:         6
Section count:         1
Section header size:   1
Timestamp:             446216079000000
Product version:       999.999.999
Component version:     999.999.999
Drive tag:             0x0000
SHA-1 digest of header:
    0x00000000: 2d 5c 14 b8 10 81 fe 5f ee e2 09 ee 75 55 fe 80
    0x00000010: bb 35 50 44
Header digest is correct.

---- Section table ----
Section 0:
    Identifier: 0x0
    Offset:     10 blocks (160 bytes)
    Length:     19752 blocks (316032 bytes)
    Flags:      0x00000001
                0x1 = ROM_SECTION_BOOTABLE

---- Key dictionary ----
error: the image is encrypted but no key was provided
--- End code ---

It should be encrypted with AES-128, the key for which is burned into the OTP area of the i.MX28. Hopefully though, it might only be using 'encrypted boot' mode and not the 'high assurance boot' mode.

--- End quote ---
Have a look at sbtool's "-z" option (Zero-Key)
As in "sbtool -V -d -z SparrowBootloader.sb" or "sbtool -V -d -b -x 0 -z SparrowBootloader.sb >sp.bin"
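
Added example, not part of either post above and not code from elftosb: a Python sketch that parses the 96-byte boot image header sbtool prints in the quote and checks the header digest and block layout offline. The field layout, the 2-block key dictionary entry size, the "key count above zero means encrypted" rule and the function names are assumptions; the sample header is constructed from the values in the quoted output.

```python
import hashlib
import struct

BLOCK = 16  # SB images are measured in 16-byte cipher blocks
# Assumed SB v1.1 layout of the 76 bytes that follow the 20-byte SHA-1 digest.
HDR = struct.Struct("<4sBBHIIIHHHHH2x4sQ12s12sH6x")
KEY_ENTRY_BLOCKS = 2  # assumed: 16-byte CBC-MAC + 16-byte wrapped key per entry

def parse_sb_header(blob: bytes) -> dict:
    """Parse the 96-byte boot image header and run offline sanity checks."""
    if len(blob) < 20 + HDR.size:
        raise ValueError("truncated header")
    digest, body = blob[:20], blob[20:20 + HDR.size]
    (sig1, major, minor, flags, image_blocks, first_tag, first_section_id,
     key_count, key_dict, header_blocks, section_count, section_hdr_size,
     sig2, timestamp_us, _product, _component, drive_tag) = HDR.unpack(body)
    if sig1 != b"STMP" or sig2 != b"sgtl":
        raise ValueError("not an SB v1.1 boot image")
    # Assumed order: header, section table, key dictionary, first boot tag.
    expected_key_dict = header_blocks + section_count * section_hdr_size
    expected_first_tag = key_dict + key_count * KEY_ENTRY_BLOCKS
    return {
        "version": f"{major}.{minor}",
        "image_bytes": image_blocks * BLOCK,
        "key_count": key_count,
        "encrypted": key_count > 0,  # assumed rule, matches sbtool's message
        "digest_ok": hashlib.sha1(body).digest() == digest,
        "layout_ok": (header_blocks * BLOCK == 20 + HDR.size
                      and key_dict == expected_key_dict
                      and first_tag == expected_first_tag),
    }

def build_sample_header() -> bytes:
    """Constructed header using the field values sbtool printed in the quote.
    The two 12-byte version fields are zero-filled placeholders, so the
    digest differs from the one shown in the post."""
    body = HDR.pack(b"STMP", 1, 1, 0x0000, 19764, 9, 0, 1, 7, 6, 1, 1,
                    b"sgtl", 446216079000000, bytes(12), bytes(12), 0x0000)
    return hashlib.sha1(body).digest() + body

if __name__ == "__main__":
    print(parse_sb_header(build_sample_header()))
```

With the quoted values, the layout check passes: header (6 blocks) plus one section header gives key dictionary block 7, and one key entry puts the first boot tag at block 9.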

smithnerd:
Crikey.

janekivi:
Of course you can use all the tools available in here, made by all of us.
(Yes, I forgot paper and pencil, I'm a big paper user overall)
I compiled this sbtool with C for Windows, if anyone needs it.
win_sbtool.zip
It is acting funny and the outcome is not correct.

laj:
Another alternative (on *nix) to sbtool from elftosb is mxssb from uboot (at denx.de/mxssb.git).
Below is a patch to let it extract the individual csf parts into raw bin dumps.
