
Rigol DSXXXX .GEL firmware file format


janekivi:
Newly fixed (with help of our SparrowAPP) Signsrch http://aluigi.altervista.org/mytoolz.htm#signsrch
can recognize 36 signatures

--- Code: ---
  offset   num  description [bits.endian.size]
  --------------------------------------------
  400264e1 1038 padding used in hashing algorithms (0x80 0 ... 0) [..64]
  400ae1f0 1119 Jpeg dct AA&N scale factor [double.le.64]
  4014b9ec 2249 TEA1_DS [32.le.4]
  40150d70 2057 RC5 and RC6 magic values (0xb7e15163L 0x9e3779b9L) [32.le.8&]
  401ceddc 1016 MD4 digest [32.le.24&]
  401ceddc 1036 SHA1 / SHA0 / RIPEMD-160 initialization [32.le.20&]
  401ceddc 2402 Lucifer (outerbridge) DFLTKY [..16]
  401cede8 2053 RIPEMD-128 InitState [32.le.16&]
  401f372c 3048 DMC compression [32.le.16&]
  401f3dec 648  CRC-32-IEEE 802.3 [crc32.0xedb88320 lenorev 1.1024]
  401f3dec 641  CRC-32-IEEE 802.3 [crc32.0x04c11db7 le rev int_min.1024]
  401f41ec 129  Adler CRC32 (0x191b3141) [32.le.1024]
  401f45ec 131  Adler CRC32 (0x01c26a37) [32.le.1024]
  401f49ec 133  Adler CRC32 (0xb8bc6765) [32.le.1024]
  401f4dec 652  CRC-32-IEEE 802.3 [crc32.0xedb88320 benorev 1.1024]
  401f4dec 645  CRC-32-IEEE 802.3 [crc32.0x04c11db7 be rev int_min.1024]
  401f51ec 130  Adler CRC32 (0x191b3141) [32.be.1024]
  401f55ec 132  Adler CRC32 (0x01c26a37) [32.be.1024]
  401f59ec 134  Adler CRC32 (0xb8bc6765) [32.be.1024]
  401f5e69 2295 zinflate_lengthExtraBits [32.be.116]
  401f5e6c 2294 zinflate_lengthExtraBits [32.le.116]
  401f5edd 2304 zinflate_distanceExtraBits [32.be.120]
  401f5ee0 2303 zinflate_distanceExtraBits [32.le.120]
  401f64b0 1086 Zlib dist_code [..512]
  401f66b0 1087 Zlib length_code [..256]
  401f67b0 1089 Zlib base_length [32.le.116]
  401f6824 1091 Zlib base_dist [32.le.120]
  40229148 408  CRC-16-CCITT modem/x25/kermit [crc16.0x8408 lenorev 1.512]
  40229148 401  CRC-16-CCITT modem/x25/kermit [crc16.0x1021 le rev int_min.512]
  4022a1c8 1290 __popcount_tab (compression?) [..256]
  4022a2d8 2075 Generic squared map [..16]
  4022bd40 2875 libavcodec ff_mjpeg_val_ac_luminance [..162]
  4022bde4 2876 libavcodec ff_mjpeg_val_ac_chrominance [..162]
  4022c777 3051 compression algorithm seen in the game DreamKiller [32.be.12&]
  40356877 2914 libavcodec nuppelvideo fallback_lquant [..64]
  40356a6c 1994 power2 table [16.le.30]

--- End code ---

How to read or analyze the bootloader SparrowBootloader.sb in http://gotroot.ca/rigol/DS1000Z-04_00_00_00.7z?

smithnerd:
I've been looking at SparrowBootloader.sb with this:

https://github.com/eewiki/elftosb


--- Code: ---
$ ./sbtool SparrowBootloader.sb
---- Boot image header ----
Signature 1:           STMP
Signature 2:           sgtl
Format version:        1.1
Flags:                 0x0000
Image blocks:          19764
First boot tag block:  9
First boot section ID: 0x00000000
Key count:             1
Key dictionary block:  7
Header blocks:         6
Section count:         1
Section header size:   1
Timestamp:             446216079000000
Product version:       999.999.999
Component version:     999.999.999
Drive tag:             0x0000
SHA-1 digest of header:
    0x00000000: 2d 5c 14 b8 10 81 fe 5f ee e2 09 ee 75 55 fe 80
    0x00000010: bb 35 50 44
Header digest is correct.

---- Section table ----
Section 0:
    Identifier: 0x0
    Offset:     10 blocks (160 bytes)
    Length:     19752 blocks (316032 bytes)
    Flags:      0x00000001
                0x1 = ROM_SECTION_BOOTABLE

---- Key dictionary ----
error: the image is encrypted but no key was provided
--- End code ---

It should be encrypted with AES-128, the key for which is burned into the OTP area of the i.MX28. Hopefully though, it might only be using 'encrypted boot' mode and not the 'high assurance boot' mode.
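
Added example (not part of smithnerd's post and not code from elftosb): a Python sketch that parses the fixed part of an SB 1.1 header, rechecks the header SHA-1, and derives the block layout so it can be compared with the sbtool output above. The field order in `BODY_FMT`, the two-block key dictionary entry, and "key count > 0 means encrypted" are assumptions about the format; the sample header is constructed from the values printed above with the remaining bytes zeroed.

```python
import hashlib
import struct

BLOCK = 16        # SB images are addressed in 16-byte blocks
HEADER_SIZE = 96  # 6 blocks, matching "Header blocks: 6" above
# Assumed field order after the 20-byte digest (little-endian): sig1, major,
# minor, flags, image blocks, first boot tag block, first boot section ID,
# key count, key dictionary block, header blocks, section count,
# section header size, 2 pad bytes, sig2.
BODY_FMT = "<4sBBHIIIHHHHH2x4s"
FIELDS = ("sig1", "major", "minor", "flags", "image_blocks",
          "first_boot_tag_block", "first_boot_section_id", "key_count",
          "key_dict_block", "header_blocks", "section_count",
          "section_header_size", "sig2")

def parse_sb_header(data):
    """Parse the fixed header fields and recheck the header digest."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated SB header")
    hdr = dict(zip(FIELDS, struct.unpack_from(BODY_FMT, data, 20)))
    if hdr["sig1"] != b"STMP" or hdr["sig2"] != b"sgtl":
        raise ValueError("not an SB boot image")
    # Unkeyed SHA-1 over the header bytes that follow the digest field.
    hdr["digest_ok"] = hashlib.sha1(data[20:HEADER_SIZE]).digest() == data[:20]
    # Assumption: a non-zero key count is what marks the image as encrypted.
    hdr["encrypted"] = hdr["key_count"] > 0
    return hdr

def expected_layout(hdr):
    """Block offsets implied by the header counts, for cross-checking."""
    section_table = hdr["header_blocks"]
    key_dict = section_table + hdr["section_count"] * hdr["section_header_size"]
    # Assumption: each key dictionary entry occupies two blocks.
    first_boot_tag = key_dict + 2 * hdr["key_count"]
    return {"section_table": section_table, "key_dict": key_dict,
            "first_boot_tag": first_boot_tag}

def build_sample_header():
    """Constructed header carrying the field values from the output above."""
    body = struct.pack(BODY_FMT, b"STMP", 1, 1, 0, 19764, 9, 0, 1, 7, 6, 1, 1, b"sgtl")
    body += bytes(HEADER_SIZE - 20 - len(body))  # timestamp, versions, tag zeroed
    return hashlib.sha1(body).digest() + body

if __name__ == "__main__":
    h = parse_sb_header(build_sample_header())
    print(h["digest_ok"], h["encrypted"], expected_layout(h))
```

The derived offsets (key dictionary at block 7, first boot tag at block 9) agree with the values sbtool printed. Because the header digest is an unkeyed SHA-1, a passing check shows the header is not corrupted, not that it is authentic.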

technogeeky:
I haven't dug into this myself (I will at some point, I'm working on porting something right now for the scope).


But while digging around today, I recognized that this is an opportunity to really make the scope's help functionality useful.

I can't imagine that they would have encrypted that. We could include our own pictures, and take advantage of the multiple pages to add useful information and diagrams in.

Let me know if this is currently possible (in the sense that it will survive unpacking and repacking), and I'll get started.

Userli:
It might be a good point to give a short summary on where we are, such that it is easier to get into this thread.

It is currently possible to change the start screen image and any of the 420 small images which are used to make up the user interface.
Rigol packer supports those changes as well as the extraction of the decompressed payload for further analysis.

Still to be done are (at least)
- the change of version (for downgrading),
- changes to the application code (mostly correcting typos in strings)

The problems seen/suspected are
- the compressed application code seems to be signed, most likely taking the version number into account
  * we suspect the signature in the first half of the footer but don't know about the mechanism used
- the boot loader might use at least secure boot



MarkF:
Any chance of finding a way to swap out the small font?
