Rigol DSXXXX .GEL firmware file format

janekivi:
After looking inside the Rigol digital oscilloscope firmware file (DS1000ZUpdate.GEL),
I found this not to be very complicated. There was an index with file names and
all the binary data in one row. This can be extracted and may be modified if we
find out all the tricks of it.
We don't like to break it - we like to make it better!

There are similarities between DS1000Z to DS6000. Only DS1000Z has an index
with file names; the others have a similar index structure.

We had some discussion in other threads from here:
https://www.eevblog.com/forum/testgear/new-rigol-ds1054z-oscilloscope/msg980793/#msg980793
but I'm making a new starting point here, so let's continue it here.
Who knows where we'll end up with this...

----------------------------------------------------------------------------------------------------------
After a little pause we managed to solve the GEL footer and made progress with new scope hacks.

04.08.2016 - Latest RigolPacker

15.04.2018 - More detailed updated GEL file format

15.04.2018 - GEL file modifications guide

15.04.2018 - Disassembly information, Functions, IDA scripts

21.04.2018 - Bootloader versions

janekivi:
For unpacking DS1000Z firmware 00.04.03.02.03 I made a very unprofessional script.
It extracts all files and strips the header if head = 24. You can set it to 0.

But if we want to pack something back together, we must then add this header.
So what is in there? The header has 24 bytes, where:
4 is file crc32
4 is some file type? Packed app has 03 00 00 00, packed gui stuff has 01, others have 00 00 00 00
4 is file length
4 is AA 55 55 AA (something special?)
4 is firmware version FB 7E 3D 00 -> 4030203
4 is buffer 00 00 00 00 (or for future use...?)
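
As an added example (not janekivi's or RhymeMess's script, and not Rigol code), here is a parser for the 24-byte header listed in the post above that checks the magic, length and CRC before trusting the payload. Little-endian byte order follows from FB 7E 3D 00 -> 4030203; that the length counts payload bytes only, that the CRC is standard zlib CRC-32 over the payload, the dotted version formatting and the function names are all assumptions.

```python
import struct
import zlib

HEADER = struct.Struct("<III4sII")   # 24 bytes, little-endian (FB 7E 3D 00 -> 4030203)
MAGIC = bytes.fromhex("AA5555AA")
TYPES = {3: "packed app", 1: "packed gui", 0: "other"}   # labels as given in the post


def parse_section(blob, offset=0):
    """Parse one 24-byte header at `offset`; return (fields, payload) or raise ValueError."""
    if len(blob) - offset < HEADER.size:
        raise ValueError("truncated header")
    crc, ftype, length, magic, version, reserved = HEADER.unpack_from(blob, offset)
    if magic != MAGIC:
        raise ValueError("bad magic %s" % magic.hex())
    start = offset + HEADER.size
    # Assumption: the length field counts payload bytes only (header excluded).
    if length > len(blob) - start:
        raise ValueError("length field runs past end of data")
    payload = blob[start:start + length]
    # Assumption: standard CRC-32 (zlib polynomial) computed over the payload.
    crc_ok = (zlib.crc32(payload) & 0xFFFFFFFF) == crc
    # Assumption: decimal digit pairs form the dotted version (4030203 -> 00.04.03.02.03).
    digits = "%010d" % version
    fields = {
        "crc32": crc, "crc_ok": crc_ok,
        "type": TYPES.get(ftype, "unknown (%d)" % ftype),
        "length": length,
        "version": ".".join(digits[i:i + 2] for i in range(0, 10, 2)),
        "reserved": reserved,
    }
    return fields, payload


def build_section(payload, ftype, version):
    """Build a constructed sample section under the same assumptions."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return HEADER.pack(crc, ftype, len(payload), MAGIC, version, 0) + payload


if __name__ == "__main__":
    sample = build_section(b"constructed payload", 3, 4030203)
    fields, payload = parse_section(sample)
    print(fields)
```

If `crc_ok` comes back false on a real section, try the CRC over a different byte range before concluding the file is corrupt, since the page does not say what the checksum covers.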

Danielw:
Nice work!

Maybe we could start a collaborative IDA session, I know it exists plugins for that, but I've never tried any myself.
I looked through the code and found some functions rather quick. And a lot of variables are easy to identify from printf strings.

//Daniel

BravoV:
Thank you janekivi  :-+, subscribed.

RhymeMess:
I created a small Python script that is a little bit less hacky. It properly decodes the header information and extracts the offset to create the correct files. Thus this works with all the DS1000Z firmware files I tried.
DS2000 has an entirely different structure though.

After the files, there is always a 280-byte footer I didn't yet look into...

*edit* I didn't remove the 24-byte file header yet...

*edit2* I updated the script to strip the 24-byte header and decompress the file if possible. AFAIK Python > 3.3 is needed for decompression; it fails gracefully if decompression is not possible.

*edit3* Update here
