Rigol DSXXXX .GEL firmware file format
janekivi:
 As we only know some things and can't make a new correct firmware file, there is not much more to show.
For me this is sci-fi, so they disassembled some functions and guided me on what the scope checks. I made
all kinds of changes in my already hacked GEL (my TV screen logo) and did hardware testing. I tried it all
with Notepad and a calculator, and using a hex editor I made 500 MB worth of new files. Of course they didn't
work and the scope was bricked many times. When they reached the last crucial function, my last file did
work. So this is a manually hacked-together workaround to replace SparrowAPP, and it worked in those
special conditions I currently have.

 They did good work even without having a scope, using only my memory dumps and test results. But this
is not the end, as I'd like to know more about what is going on there. Like what exactly is inside the footer and how
the firmware version is checked. If you would like to help with disassembly, we can widen our team. There are
all kinds of cryptic and complex functions and we don't know what they are doing either. Half of the software is
running the scope and the other half is keeping us away...
 One day we'll come up with something to show, I hope.
tv84:

--- Quote from: technogeeky on March 11, 2018, 06:12:07 am ---What kind of level of reverse engineering did you guys do? Is there assembly or source to look at?

--- End quote ---

This was never a task to be kept secret. In summary, there are 2 .IDBs (a big one from the APP and another from the bootloader) to play around with.

They are somewhat commented in some critical areas but most of the things are unknown.

We focused on the primary goal but now many other things will be possible.

Once the footer processing got identified, things evolved very quickly. Then with a bit of luck and plenty of grit we discovered a workaround.

The footer only does (as far as we understand it) an obfuscation of the CRC of the APP. It's not encryption, it's not hashing. The footer is processed in 3 blocks: 0x80 bytes + 0x80 bytes + 0x04 bytes (and the 20-byte header indicates the number of bytes, etc. of those blocks).

So you can't change the APP because you would have to change its CRC and the footer validation prevents that. Unless you go around it...  ;)

The footer is processed by the function below. As you can see, they went to great trouble to obfuscate the thing.

In order to understand the footer we need to reverse all those functions. Any help is more than welcome!
janekivi:
It's exactly this "Chinese" function I'd like to see translated for me, at least into "English".
janekivi:

--- Quote from: MarkF on July 24, 2016, 07:52:53 pm ---Any chance of finding a way to swap out the small font?

--- End quote ---
After many years I was thinking here... which font did you mean back then?
All the other stuff can't be resized, you'd need a bigger screen to fit it,
but for those there is a font size to choose:
janekivi:
Some time ago I just ran the sbtool source through a compiler to get a Windows version
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg991398/#msg991398
but this wasn't the brightest idea... If you redirect the output to a file, it is not a binary file any more,
because Windows adds 0D everywhere before 0A. That is the end of line for it.
How to solve this... I added an extra option for it:
-s filename
Now it is possible to save the decrypted section output to a binary file:

sbtool -z -x 0 -s bootloader SparrowBootloader.sb

sbtool - executable utility (sbtool.exe)
-z        - zero key is used for decryption
-x        - extract section
0         - section index
-s        - save output to a binary file
bootloader - new output file name
SparrowBootloader.sb - file to be processed

Now the output seems to be correct...


--- Code: ---C:\Sbtool>sbtool -z -x 0 -s output SparrowBootloader.sb
---- Boot image header ----
Signature 1:           STMP
Signature 2:           sgtl
Format version:        1.1
Flags:                 0x0000
Image blocks:          19764
First boot tag block:  9
First boot section ID: 0x00000000
Key count:             1
Key dictionary block:  7
Header blocks:         6
Section count:         1
Section header size:   1
Timestamp:             446216079000000
Product version:       999.999.999
Component version:     999.999.999
Drive tag:             0x0000
SHA-1 digest of header:
    0x00000000: 2d 5c 14 b8 10 81 fe 5f ee e2 09 ee 75 55 fe 80
    0x00000010: bb 35 50 44
Header digest is correct.

---- Section table ----
Section 0:
    Identifier: 0x0
    Offset:     10 blocks (160 bytes)
    Length:     19752 blocks (316032 bytes)
    Flags:      0x00000001
                0x1 = ROM_SECTION_BOOTABLE

---- Key dictionary ----

Default key was found in key dictionary.

Data encryption key:
    0x00000000: 9f e8 30 4c bf d7 b7 7c c6 66 cd 98 de bd 69 07

---- SHA-1 digest of entire image ----
    0x00000000: fe 61 57 33 93 5d 97 24 a6 22 be 3b ae 28 55 52
    0x00000010: f0 12 97 f1
Image digest is correct.

---- Boot tags ----
0000: @ block 000009 | id=0x00000000 | length=019752 | flags=0x00000001
        0x1 = ROM_SECTION_BOOTABLE

C:\Sbtool>sbtool -z -x 0 -s output1 SparrowBootloader1.sb
---- Boot image header ----
Signature 1:           STMP
Signature 2:           sgtl
Format version:        1.1
Flags:                 0x0000
Image blocks:          20539
First boot tag block:  9
First boot section ID: 0x00000000
Key count:             1
Key dictionary block:  7
Header blocks:         6
Section count:         1
Section header size:   1
Timestamp:             483460119000000
Product version:       999.999.999
Component version:     999.999.999
Drive tag:             0x0000
SHA-1 digest of header:
    0x00000000: 49 d6 c3 73 8f a6 fd 2a e9 05 aa f7 e0 90 e7 ef
    0x00000010: 79 ba 54 63
Header digest is correct.

---- Section table ----
Section 0:
    Identifier: 0x0
    Offset:     10 blocks (160 bytes)
    Length:     20527 blocks (328432 bytes)
    Flags:      0x00000001
                0x1 = ROM_SECTION_BOOTABLE

---- Key dictionary ----

Default key was found in key dictionary.

Data encryption key:
    0x00000000: 46 a9 67 2a 46 19 03 68 62 22 30 9f 13 ed 63 02

---- SHA-1 digest of entire image ----
    0x00000000: c0 27 4b 0b 57 c7 68 78 49 ab 8d 04 2f 3e 3c 23
    0x00000010: 14 2d 9d 42
Image digest is correct.

---- Boot tags ----
0000: @ block 000009 | id=0x00000000 | length=020527 | flags=0x00000001
        0x1 = ROM_SECTION_BOOTABLE
--- End code ---
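An added example (not janekivi's code and not part of sbtool) that models the text-mode CR LF corruption described above, checks an extracted section against the byte length the section table prints, reverses the inflation, and shows the binary-mode write that the -s option performs. The sample section bytes and the expected SHA-1 are constructed for the demonstration.

```python
import hashlib

# Constructed sample of a decrypted section: it contains bare 0x0A bytes and
# one genuine 0x0D 0x0A pair, as real code/data in an .sb section easily can.
SAMPLE_SECTION = bytes([0x00, 0x0A, 0x7C, 0x0D, 0x0A, 0xFF, 0x0A, 0x10])

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def text_mode_translate(data: bytes) -> bytes:
    """Model what a Windows text-mode stdout does to raw bytes on the way to a
    redirected file: every 0x0A (LF) is written as 0x0D 0x0A (CR LF)."""
    return data.replace(b"\n", b"\r\n")

def looks_crlf_inflated(data: bytes, expected_len: int) -> bool:
    """Symptom check against the byte length the section table reports
    (e.g. 'Length: 19752 blocks (316032 bytes)'): the file grew by exactly the
    number of LF bytes present, and every LF is now preceded by a CR."""
    lf = data.count(b"\n")
    bare_lf = lf - data.count(b"\r\n")
    return lf > 0 and bare_lf == 0 and len(data) == expected_len + lf

def strip_inserted_cr(data: bytes) -> bytes:
    """Undo the translation: drop exactly one CR before each LF. The text layer
    inserted precisely one CR per LF, so this restores the original bytes,
    including a genuine CR LF pair (which arrived as CR CR LF)."""
    return data.replace(b"\r\n", b"\n")

def recover_section(data: bytes, expected_len: int, expected_sha1: str) -> bytes:
    """Return the section bytes, reversing CR LF inflation when the length
    symptom is present, and confirm the result against a known SHA-1."""
    if len(data) != expected_len and looks_crlf_inflated(data, expected_len):
        data = strip_inserted_cr(data)
    if len(data) != expected_len or sha1_hex(data) != expected_sha1:
        raise ValueError("section does not match expected length/digest")
    return data

def save_section(path: str, data: bytes) -> int:
    """The real fix, which is what the -s option does: open the output file in
    binary mode so no newline translation happens. Returns bytes written.
    (The C equivalent is fopen(path, "wb"), or _setmode(_fileno(stdout),
    _O_BINARY) if stdout itself must carry binary data on Windows.)"""
    with open(path, "wb") as f:          # 'wb', never 'w', on Windows
        return f.write(data)
```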