
Rigol DSXXXX .GEL firmware file format


Userli:
I found that the version number in the individual file headers is not used.
One can change them without any effect.
I also exchanged the 2nd part of the footer, which janekivi found identical in two versions, with another one, and the installation failed.
This shows that it is used when checking the file integrity.

Furthermore, I managed to disassemble the ELF file in SparrowApp using the Hex-Rays IDA demo.
It would be helpful to find the installation routine and maybe the integrity check.
Given the size of the code, this is far from obvious.
An interesting string is:
An older software version detected. Update?
 

smithnerd:
The bootloader looks less daunting. It's only ~300k and it has much of the same upgrade functionality. Trouble is, the IDA demo can only read ELF files...

My current theory is that the second part of the footer is a cryptographic nonce or just an obfuscation (e.g. it gets XORed with the other half for the actual hash).

Edit:

Which is this (for 4.4.0.7):


--- Code: ---$ hd footxor
00000000  11 5a 11 39 f5 d6 0c d7  fd 99 26 24 7b 94 7c 52  |.Z.9......&${.|R|
00000010  1a b9 17 d0 c7 19 5f f2  2d 8a d4 8e 13 2f 54 05  |......_.-..../T.|
00000020  34 fd f8 c1 a5 0c 46 3f  4d df 23 e2 da 03 00 a4  |4.....F?M.#.....|
00000030  20 15 62 9a 98 7d 14 18  0d 90 c7 9b 9b 91 9d e6  | .b..}..........|
00000040  44 6a 90 2d 77 9a 1f 2e  4c 2c 9a 35 81 aa 62 40  |Dj.-w...L,.5..b@|
00000050  ff 17 55 f3 0b 52 0c af  ed a6 98 4c e9 88 1c a9  |..U..R.....L....|
00000060  a1 d4 a0 3a 3a b1 d5 12  9f 17 dd a7 ec cf c1 1c  |...::...........|
00000070  9b 4b 54 03 bc 7f 4b 8b  76 9d 0f 6a 38 ac c1 29  |.KT...K.v..j8..)|

--- End code ---

janekivi:
No no no.
I think the first 20 bytes are a header and the last 4 are a footer, and then you have 256 bytes to play with.
The first 128 are something, and the last 128 are the same in at least two firmware files.

80 00 00 00 01 00 00 00 80 00 00 00 01 00 00 00 04 00 00 00
128 bytes
128 bytes
01 00 01 00

Or of course there is some other explanation...
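The footer layout janekivi proposes (20-byte header, two 128-byte halves, 4-byte trailer) and smithnerd's XOR-the-halves theory, written out as a small Python helper. This is an added example and not code from anyone in this thread or from Rigol; the layout itself is the thread's guess, the little-endian decoding of the 20-byte header is an assumption, and the two sample footers are constructed here (only their header and trailer bytes are the ones quoted above, the 128-byte halves are made up).

```python
import struct

# Footer layout as proposed in the thread (an assumption, not a documented format):
#   20-byte header | 128 bytes (varies per firmware) | 128 bytes (same in >=2 firmwares) | 4-byte trailer
HDR_LEN, HALF_LEN, TRAILER_LEN = 20, 128, 4
FOOTER_LEN = HDR_LEN + 2 * HALF_LEN + TRAILER_LEN  # 280


def split_footer(footer: bytes):
    """Return (header, first_half, second_half, trailer) per the layout above."""
    if len(footer) != FOOTER_LEN:
        raise ValueError(f"expected {FOOTER_LEN} footer bytes, got {len(footer)}")
    header = footer[:HDR_LEN]
    first = footer[HDR_LEN:HDR_LEN + HALF_LEN]
    second = footer[HDR_LEN + HALF_LEN:HDR_LEN + 2 * HALF_LEN]
    trailer = footer[HDR_LEN + 2 * HALF_LEN:]
    return header, first, second, trailer


def parse_footer_header(header: bytes):
    """Decode the 20-byte header as five little-endian uint32 values.

    Little-endian is an assumption. The bytes quoted in the thread decode to
    (0x80, 1, 0x80, 1, 4), which is at least consistent with two 128-byte
    blocks followed by a 4-byte trailer.
    """
    return struct.unpack("<5I", header)


def xor_halves(first: bytes, second: bytes) -> bytes:
    """smithnerd's theory: XOR the two halves to get the value actually checked."""
    if len(first) != len(second):
        raise ValueError("halves differ in length")
    return bytes(a ^ b for a, b in zip(first, second))


def compare_footers(a: bytes, b: bytes):
    """Report which regions of two footers differ, to see what varies per release."""
    names = ("header", "first", "second", "trailer")
    return {n: x != y for n, x, y in zip(names, split_footer(a), split_footer(b))}


# Constructed sample footers; only the header and trailer bytes come from the thread.
HEADER_BYTES = bytes.fromhex("8000000001000000800000000100000004000000")
TRAILER_BYTES = bytes.fromhex("01000100")
FOOTER_A = HEADER_BYTES + bytes(range(128)) + bytes([0xFF] * 128) + TRAILER_BYTES
FOOTER_B = HEADER_BYTES + bytes(range(128, 256)) + bytes([0xFF] * 128) + TRAILER_BYTES

if __name__ == "__main__":
    hdr, first, second, trailer = split_footer(FOOTER_A)
    print("header fields:", parse_footer_header(hdr))
    print("xor of halves:", xor_halves(first, second).hex())
    print("differences A vs B:", compare_footers(FOOTER_A, FOOTER_B))
```

Feed `split_footer` the last 280 bytes of a real .GEL file to test the layout; if the decoded header is not (0x80, 1, 0x80, 1, 4) for another version, the guess is probably wrong. `xor_halves` is an involution, so XORing the result with the second half returns the first half again, which is the property smithnerd's obfuscation theory relies on.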

Userli:
I had a look at the bootloader binaries exported by sbtool.exe.
The 6 code parts are concatenated, and each has the following format:
16-byte header:
 - uint8 checksum
 - uint8 command type
 - uint16 flags
 - uint32 memory address
 - uint32 length
 - uint32 additional data
payload as given by length.

Looking at the 5th part, however, the length in the header says 0x49acc.
This would make that part end in the middle of a string section.
The next header starts at 0x04DFF1, which makes it more probable that the part ends just before it.
The first part shows the same: the length given is 0x3C, but according to the header position it is 0x40.
Maybe a bug in sbtool?
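A walker for the part format described in the post above, as an added example (not Userli's or sbtool's code). It assumes little-endian fields, which the post does not state, and it does not verify the uint8 checksum because the algorithm is not given here. The sample blob is constructed: its first part declares a length 4 bytes shorter than its real payload, mirroring the 0x3C-vs-0x40 observation, so that chaining parts by declared length lands inside the next part while the header offsets found by hand do not.

```python
import struct
from dataclasses import dataclass

# 16-byte part header as described in the post. Little-endian is an assumption
# (the post does not state byte order); the checksum algorithm is not given
# either, so it is carried through but not verified here.
PART_HDR = struct.Struct("<BBHIII")
PART_HDR_LEN = PART_HDR.size  # 16


@dataclass
class SbPart:
    offset: int        # file offset of the 16-byte header
    checksum: int
    command: int
    flags: int
    address: int       # memory address
    length: int        # declared payload length
    extra: int         # "additional data"
    payload: bytes

    @property
    def declared_end(self) -> int:
        return self.offset + PART_HDR_LEN + self.length


def read_part(blob: bytes, offset: int) -> SbPart:
    """Decode one header at `offset` and slice the payload the header declares."""
    if offset + PART_HDR_LEN > len(blob):
        raise ValueError(f"no room for a header at 0x{offset:x}")
    cks, cmd, flags, addr, length, extra = PART_HDR.unpack_from(blob, offset)
    payload = blob[offset + PART_HDR_LEN: offset + PART_HDR_LEN + length]
    if len(payload) != length:
        raise ValueError(f"part at 0x{offset:x} declares {length:#x} bytes past end of file")
    return SbPart(offset, cks, cmd, flags, addr, length, extra, payload)


def walk_by_declared_length(blob: bytes, max_parts: int = 6):
    """Chain parts the naive way: next header = this header + 16 + declared length.
    Returns (parts, error); error is set when the chain runs into garbage."""
    parts, off = [], 0
    while off < len(blob) and len(parts) < max_parts:
        try:
            part = read_part(blob, off)
        except ValueError as exc:
            return parts, f"stopped at 0x{off:x}: {exc}"
        parts.append(part)
        off = part.declared_end
    return parts, None


def check_declared_lengths(blob: bytes, header_offsets):
    """Compare each declared part end with the next header offset found by hand
    (e.g. from string boundaries in a disassembly). Returns one tuple
    (offset, declared_end, observed_next, delta) per part; a non-zero delta is
    the kind of mismatch the post describes."""
    report = []
    for this, nxt in zip(header_offsets, header_offsets[1:]):
        part = read_part(blob, this)
        report.append((this, part.declared_end, nxt, part.declared_end - nxt))
    return report


def build_part(command, address, payload, declared_length=None, flags=0, extra=0, checksum=0):
    """Constructed test data only: checksum stays 0 because its algorithm is unknown."""
    length = len(payload) if declared_length is None else declared_length
    return PART_HDR.pack(checksum, command, flags, address, length, extra) + payload


# Constructed blob: part 0 really carries 0x40 payload bytes but declares 0x3C,
# so the next header sits at 0x50 while the declared end is 0x4C.
PART0 = build_part(0x01, 0x00000000, b"A" * 0x40, declared_length=0x3C)
PART1 = build_part(0x02, 0x10000000, b"B" * 0x20)
PART2 = build_part(0x03, 0x20000000, b"C" * 0x10)
SAMPLE = PART0 + PART1 + PART2
OBSERVED = [0x00, 0x50, 0x80]  # where the headers really are in SAMPLE

if __name__ == "__main__":
    parts, err = walk_by_declared_length(SAMPLE)
    print("naive walk found", len(parts), "part(s);", err)
    for off, end, nxt, delta in check_declared_lengths(SAMPLE, OBSERVED):
        print(f"part @0x{off:04x}: declared end 0x{end:04x}, next header 0x{nxt:04x}, delta {delta:+d}")
```

On the real export, run `walk_by_declared_length` first; if it stops early or decodes a header with an absurd length or address, fall back to `check_declared_lengths` with the offsets you identified by hand to see by how much each declared length is off. Whether the discrepancy is constant across parts is exactly the thing worth measuring before blaming sbtool.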

Userli:
I added the possibility of seeing the bootloader details to RigolPacker.
Furthermore, you can now convert it to an ELF file, which you can then disassemble with IDA.
To do so, open the GEL file containing the bootloader.
Double click on /sys/SparrowBootloader.sb
In the new window click on "Convert to ELF"
In the next window click "save to file".
Now you can open this file in IDA.
Ignore the warning about invalid sections.

The new version is attached.
