
Rigol DSXXXX .GEL firmware file format


janekivi:
*****************************************************************************

For playing with your GEL and oscilloscope:

*****************************************************************************
Unbricking the scope may be the first thing.

If something is wrong with the app, the bootloader doesn't load it at the next boot and all the lights blink.
You will probably need an older, smaller USB flash drive with a known good GEL on it to proceed
with the boot-time update:
http://int.rigol.com/File/ProductSoftWare/20151124/Firmware%20update%20instruction.pdf
(I think the version must be the same or newer, but I will update this information if someone reports
something new about this.)

*****************************************************************************
The GEL header starts with the model number, like DS1000Z. Altering this row only brings up new text
in the update message and has no other known effect.

*****************************************************************************
The firmware version is present in the GEL header and in the headers of all parts. They are safe
to change, but there are some consequences. Altering it in the second row of the GEL header

--- Code: ---
00000000 | 44 53 31 30 30 30 5A 00 00 00 00 00 00 00 00 00 | DS1000Z         
00000010 | 30 30 2E 30 34 2E 30 34 2E 30 33 2E 30 32 00 00 | 00.04.04.03.02 
--- End code ---

results in a different message when the scope finds the GEL on the flash drive. It compares it with the version
number from the previous SparrowApp.out header, which is saved to the /SYS/ directory during the last
update.
Any number may be written there and nothing much happens. Replacing the ASCII-ANSI numbers
in the main header brings up different update menu messages, depending on what you have in the previous
app header and which position you change:


--- Code: ---
"A newer software version detected. Update?"
"An older software version detected. Update?"
"The same software version detected. Update?"
"Warning:the software branch is different. Update?"
"A temporary software detected.Update?"
"An official software detected. Update?"
--- End code ---

In the SparrowApp header the version number is in hex:

--- Code: ---
00000000 | B2 BD E7 A7 03 00 00 00 FB 91 10 00 AA 55 55 AA | ²½?§    ?‘  ?UU?
00000010 | 6E A6 3D 00 00 00 00 00                         | n¦=             
--- End code ---

00 3D A6 6E - 4040302
If you change something here, it will be saved and used for comparison with the next software number in a GEL
header. For example, if you write 6D A6 3D 00 there, it brings up the message "A newer software version
detected" after reboot if it sees the same GEL file on the inserted USB.
You can reset your experiments by correcting the numbers in all headers and making a new update.
No other side effects have been detected. The system information shows all the correct numbers, probably
from SparrowApp. So changing those numbers makes no change to the actual software version
and doesn't allow any downgrade. (We will talk about this later.)
 
*****************************************************************************
The logo in the firmware can be safely modified.
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg984434/#msg984434
The following discussion covers its format and other details.

*****************************************************************************
guiPicData can basically be modified the same way.
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg985362/#msg985362
This is a packed file of all the graphics used in the scope GUI. guiPicData compression is optional.
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg987165/#msg987165

*****************************************************************************
guiResData is explained a little bit by konnor:
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1478454/#msg1478454

*****************************************************************************


*****************************************************************************
Footer...
Modifying its contents allows you to change the app easily. Otherwise you need to match the original
CRC32 of SparrowApp.out. This can of course be done with any CRCManipulator, which
adds 4 bytes to the end of the file to achieve the desired CRC32.
The simplest footer I have found so far is 54 bytes (0x36). It must contain 13 bytes from the original and
the required attributes.
--------------------------------------------------------------------------------------------
00000000 | 13 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 |                 
00000010 | 00 00 00 00 0E 30 30 2E 30 34 2E 30 34 2E 30 30 |      00.04.04.00
00000020 | 2E 30 37 B2 5D 43 F6 00 00 00 00 00 00 00 00 00 | .07²]Cö         
00000030 | 00 00 00 00 00 00 00 00 00 00                   |                 
--------------------------------------------------------------------------------------------
First 4 bytes are first part length
Next 4 bytes are first part bitmask ?
Next 4 bytes are second part length
Next 4 bytes are second part bitmask ?
Next 4 bytes are footer length
Next 13 bytes are footer first part - the decoded footer contents
Next 13 bytes are footer second part

My first try was with the same footer length and all its components. I filled all unused
components with 00. A footer of any length can be made the same way, as shown here by tv84:
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/msg1479419/#msg1479419

I also tested a shorter footer, like:
00000000 | 13 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 |
00000010 | 00 00 00 00 0E 30 30 2E 30 34 2E 30 34 2E 30 33 |      00.04.04.03
00000020 | 2E 30 32 41 13 AC 82                            | .02A ¬‚
but this probably works by reading the following zeroes from memory as the required
second part data.

Do not change the firmware version to one higher than you have in the oscilloscope.
This is going to be the highest version number your scope has used. Firmware with
a smaller version number isn't allowed to be saved. It is best to always keep it at "your scope
highest version number".
Otherwise you must alter every future update file!

Rigol SuperFlash, which allows you to reset your scope, may come in handy here...
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1473517/#msg1473517
I did some tests and it allows you to update with any file, and the version is saved from it.

Best practice from now on is not to use GEL files made by other people; make your own!

*****************************************************************************
A downgrade can be achieved very easily by footer manipulation.
You can take a previous firmware file and replace its footer. "Your scope highest version number"
must be changed in it (see the footer section).
For example:
you have 00.04.04.03.02 in the scope. You take the 00.04.04.01.01 GEL file and strip its 280-byte
footer. For the new footer you need the SparrowApp.out CRC32 from its header at 0x00000280,
which you find by looking in the header for the file start addresses. So it is 41 13 AC 82.
Your scope highest version number = 00.04.04.03.02 so far, and the new footer must look like:

00000000 | 13 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 |
00000010 | 00 00 00 00 0E 30 30 2E 30 34 2E 30 34 2E 30 33 |      00.04.04.03
00000020 | 2E 30 32 41 13 AC 82 00 00 00 00 00 00 00 00 00 | .02A ¬‚
00000030 | 00 00 00 00 00 00                               |

Nothing else needs to be changed, only the footer length in the header. It is nothing
serious if you forget this. Afterwards you can reflash 00.04.04.03.02 back.
But if you alter "your scope highest version number" you must alter it again to
allow it to be at least the same as in your previous file.
Rigol SuperFlash, which allows you to reset your scope, may come in handy here...
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1473517/#msg1473517
I did some tests and it allows you to update with any file, and the version is saved from it.

Best practice from now on is not to use GEL files made by other people; make your own!

*****************************************************************************




... to be continued

janekivi:
I would like to see some more disassembly, like of the update version calculation.
What is "An official software..." and how does it affect the update? There are more interesting functions.

I saw the function names from konnor's DS1000Z-00.04.04.03.02 SparrowApp and made an IDA script from them.
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1467137/#msg1467137

He made a new one; mine is updated too.
https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/msg1478726/#msg1478726

I will add more here if I find any.

tv84:
Footer deobfuscated (as janekivi explained).

And, now that we understand what the other int32 in the file's header is (software branch), here is an updated parsing of all the DS1000 GELs available.

Regarding the update messages shown by the scope when updating, the different msgs are decided by:

if (gelBranch == scopeBranch)
  gelVer == scopeVer -> same FW
  gelVer <  scopeVer -> older FW
  gelVer >  scopeVer -> newer FW

else if (gelBranch > 0)
  gelVer(high16) >=  scopeVer(high16) -> temporary FW
  gelVer(high16) <   scopeVer(high16) -> different SW branch

else
  gelVer(high16) >=  scopeVer(high16) -> official FW           
  gelVer(high16) <   scopeVer(high16) -> different SW branch
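
tv84's decision table applied to the two version fields from janekivi's hex dumps, as an added Python example (not code from the thread or from the firmware). The branch values are passed in by the caller because the thread does not give the branch field's offset, and the ASCII-to-integer packing is an assumption inferred from the single `00 3D A6 6E` = 4040302 sample.

```python
import struct

# Header bytes copied from the hex dumps in janekivi's post.
GEL_HEADER = bytes.fromhex(
    "44 53 31 30 30 30 5A 00 00 00 00 00 00 00 00 00 "
    "30 30 2E 30 34 2E 30 34 2E 30 33 2E 30 32 00 00")
APP_HEADER = bytes.fromhex(
    "B2 BD E7 A7 03 00 00 00 FB 91 10 00 AA 55 55 AA "
    "6E A6 3D 00 00 00 00 00")


def gel_version(header: bytes) -> int:
    """ASCII version at 0x10 of the GEL header -> packed decimal integer."""
    text = header[0x10:0x20].split(b"\0", 1)[0].decode("ascii")
    fields = [int(f) for f in text.split(".")]
    # Assumption: the leading field is not part of the number and the last
    # four fields pack as two decimal digits each (04.04.03.02 -> 4040302).
    a, b, c, d = fields[-4:]
    return ((a * 100 + b) * 100 + c) * 100 + d


def app_version(header: bytes) -> int:
    """Little-endian int32 at 0x10 of the SparrowApp.out header."""
    return struct.unpack_from("<I", header, 0x10)[0]


def update_prompt(gel_ver: int, gel_branch: int,
                  scope_ver: int, scope_branch: int) -> str:
    """Return which update prompt tv84's rules select."""
    if gel_branch == scope_branch:
        if gel_ver == scope_ver:
            return "same"
        return "older" if gel_ver < scope_ver else "newer"
    # Branches differ: only the upper 16 bits of each version are compared.
    if (gel_ver >> 16) < (scope_ver >> 16):
        return "different branch"
    return "temporary" if gel_branch > 0 else "official"


if __name__ == "__main__":
    gel, scope = gel_version(GEL_HEADER), app_version(APP_HEADER)
    print(gel, scope, update_prompt(gel, 0, scope, 0))
```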

tv84:
Regarding the SparrowBootloader.sb known versions:

BootVersion 0.0.0.11 (GEL 02.00.01.00 02-09-2013) -> SparrowBootloader.sb with creation time: 02-08-2013 12:00:21
BootVersion 0.0.0.12 (GEL 02.01.01.00 31-10-2013) -> SparrowBootloader.sb with creation time: 25-09-2013 13:54:22
BootVersion 0.0.1.0 (GEL 04.00.00.00 18-03-2014) -> SparrowBootloader.sb with creation time: 20-02-2014 12:54:39
BootVersion 0.0.1.1 (GEL 04.01.02.00 28-07-2014) -> SparrowBootloader.sb with creation time: 04-05-2014 19:30:44
BootVersion 0.0.1.2 (taken from an MSO dump) -> SparrowBootloader.sb with creation time: 16-09-2014 14:04:36
BootVersion 0.0.1.2 (GEL 04.02.03.00 21-10-2014) -> SparrowBootloader.sb with creation time: 17-10-2014 10:14:44
BootVersion 0.0.1.3 (GEL 04.02.04.07 31-12-2014) -> I haven't yet seen this bootloader!
BootVersion 0.0.1.4 (GEL 04.04.01.01 14-09-2016) -> SparrowBootloader.sb with creation time: 27-04-2015 14:28:39
BootVersion 0.0.1.5 (taken from a dump) -> SparrowBootloader.sb with creation time: 16-11-2017 14:03:38

If anyone has others, please post.

The bootloader blocks parsing is attached.

Shock:

--- Quote from: tv84 on April 17, 2018, 08:11:07 pm ---Regarding the SparrowBootloader.sb known versions:

GEL 4.0.0.0 -> SparrowBootloader.sb with creation time: 20-02-2014 12:54:39
BootVersion 0.0.1.2 -> SparrowBootloader.sb with creation time: 17-10-2014 10:14:44
GEL 4.4.1.1 -> SparrowBootloader.sb with creation time: 27-04-2015 14:28:39

If anyone has others, please post.

--- End quote ---

0.04.04.03.02 2017/02/06 almost suggests it might have the file as the release notes mentioned a bootloader fix, but it's not listed in the header. Have you checked that version?
