Author Topic: R&S RTM2000 has anybody hacked this scope?  (Read 1182 times)


Offline TRN

  • Regular Contributor
  • *
  • Posts: 62
  • Country: nl
R&S RTM2000 has anybody hacked this scope?
« on: October 11, 2019, 06:44:24 pm »
Hi,
I recently purchased an RTM2052 scope, and am wondering if anybody has ever attempted to hack this scope to add option licenses, or knows how to extract files from the "RTM20x2.FWU" firmware files?

regards

 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1768
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #1 on: October 11, 2019, 07:40:14 pm »
We miss a memdump...
 

Offline TRN

  • Regular Contributor
  • *
  • Posts: 62
  • Country: nl
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #2 on: October 11, 2019, 08:22:08 pm »

I am not sure how to do a memdump for this scope. It's not a Windows-based scope; it has an embedded operating system, just like the Agilent DSO-X scopes.
 

Offline TRN

  • Regular Contributor
  • *
  • Posts: 62
  • Country: nl
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #3 on: October 20, 2019, 04:03:38 pm »
Does anybody have any suggestions or hints?
 

Online KaneTW

  • Frequent Contributor
  • **
  • Posts: 473
  • Country: de
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #4 on: October 20, 2019, 06:26:29 pm »
Start with looking at the board for used MCU/FPGAs/Flash, debugging headers, etc.
 

Offline TRN

  • Regular Contributor
  • *
  • Posts: 62
  • Country: nl
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #5 on: October 20, 2019, 06:44:17 pm »
O.K. I will do :-+
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1768
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #6 on: October 20, 2019, 07:30:33 pm »
UART, JTAG ports...
 

Offline TRN

  • Regular Contributor
  • *
  • Posts: 62
  • Country: nl
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #7 on: February 22, 2020, 08:16:58 pm »
O.K. since I didn't have any experience with embedded systems, I did some googling and found that most embedded system software is written in C.
So I bought a few books about embedded C, and have started to read them. Progress is slow but steady, and one of the books has touched the subject of JTAG, but I am a long way from understanding how to install a JTAG connector into an embedded system which doesn't have one (in my case the RTM2000 scope), and even further away from how to use this for debugging.
But I guess one day I will grasp this.
Nevertheless I would like to ask the forum if somebody can point me in the right direction on how to extract files from a Flash firmware update file (in my case the RTM20x2.FWU file) on a PC instead of the embedded system it is intended for?
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9586
  • Country: 00
  • Display aficionado
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #8 on: February 22, 2020, 08:28:32 pm »
O.K. since I didn't have any experience with embedded systems, I did some googling and found that most embedded system software is written in C.
So I bought a few books about embedded C, and have started to read them. Progress is slow but steady, and one of the books has touched the subject of JTAG, but I am a long way from understanding how to install a JTAG connector into an embedded system which doesn't have one (in my case the RTM2000 scope), and even further away from how to use this for debugging.
But I guess one day I will grasp this.
Nevertheless I would like to ask the forum if somebody can point me in the right direction on how to extract files from a Flash firmware update file (in my case the RTM20x2.FWU file) on a PC instead of the embedded system it is intended for?
A lot, if not most, equipment has JTAG functionality. Sometimes they're kind enough to fit a port and sometimes it's pads you can use. Sometimes you need to do a bit more poking to find the correct traces, as manufacturers intentionally obscure them.

https://hackaday.com/2016/12/15/the-many-faces-of-jtag/
 

Offline TRN

  • Regular Contributor
  • *
  • Posts: 62
  • Country: nl
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #9 on: May 06, 2020, 02:42:38 pm »
Well, I did some reading up on JTAG, and finally had the courage to open the scope and look for the JTAG pads, which were easy to spot because they are labeled as BF JTAG. (The processor is an ADSP-BF561.)
So I soldered a 14-pin PCB header to the main board, purchased a JTAG emulator, and downloaded a trial version of the VisualDSP software.
The emulator runs fine, and I was able to download a memory dump of what I think is the contents of the flash ROM.
I tried to disassemble the dump file with IDA Pro, but IDA does not support the Blackfin processor, so I found a Blackfin plugin for IDA, which has to be built with Visual Studio. I tried this but the build always fails, so no luck there.
I also was unable to debug the oscilloscope with VisualDSP, which caused a read error of the Blackfin registers every time I halted the processor.
After switching to a trial version of CrossCore Studio, this has now been resolved, and I can debug the scope.
I am trying to make sense of the Blackfin's weird assembly language format, but so far not much luck.
Trying to find where to set breakpoints while looking for the routines which are used for inputting the 30-digit license keys is also an unknown to me.
I also noticed that memory dumps from, for instance, the Blackfin internal boot ROM yield all "0's" even though the ROM is not empty.
If somebody has a working blackfin plugin for IDA pro I would appreciate it if I could get a copy.

Will keep you updated on any further progress, or if I have other questions

If anybody is interested in a copy of the flash ROM memory dump, let me know, and I will upload it to the Mega.nz cloud
« Last Edit: May 06, 2020, 02:46:41 pm by TRN »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1768
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #10 on: May 06, 2020, 02:52:39 pm »
 :clap:  :clap:

For someone who just "bought some embedded C books": well done!

I'm interested in the dump. Please send me the link.

Attached is the BF plugin.
« Last Edit: May 06, 2020, 03:56:55 pm by tv84 »
 

Offline TRN

  • Regular Contributor
  • *
  • Posts: 62
  • Country: nl
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #11 on: May 06, 2020, 04:01:46 pm »
Here is the link: https://mega.nz/file/RnpQFK4J#Ersky1dP0kvjYFbHdMQIKCX5UpyHgAj0NVr1rru0q_Q

Thanks for the heads-up and for the plugin as well :-+
 

Offline godtec

  • Newbie
  • Posts: 1
  • Country: ca
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #12 on: May 06, 2020, 04:27:43 pm »
Have you guys ever heard of BINWALK?
You can install it with the apt command in Linux (Ubuntu).
Here is a preview of the file... Looks like there are a few RBF files in the data file.

WARNING lots of output!!!!

CLI>  binwalk BF561_External_Memory_Dump_0x20.dat

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
133408        0x20920         CRC32 polynomial table, little endian
262208        0x40040         ELF, 32-bit LSB executable, version 1 (SYSV)
793212        0xC1A7C         CRC32 polynomial table, little endian
844576        0xCE320         CRC32 polynomial table, little endian
848672        0xCF320         CRC32 polynomial table, big endian
855611        0xD0E3B         Copyright string: "Copyright 1995-2013 Mark Adler "
860378        0xD20DA         Zlib compressed data, best compression
861534        0xD255E         Zlib compressed data, best compression
861940        0xD26F4         Zlib compressed data, best compression
863829        0xD2E55         Zlib compressed data, best compression
869236        0xD4374         GIF image data, version "89a", 1024 x 55
869591        0xD44D7         GIF image data, version "89a", 1 x 1
869626        0xD44FA         GIF image data, version "89a", 1 x 1
869661        0xD451D         GIF image data, version "89a", 153 x 116

Lots of Images...

Below looks like a RBF file..

1103844       0x10D7E4        Zip archive data, at least v2.0 to extract, compressed size: 229047, uncompressed size: 446341, name: MC_RMxV02.rbf
1332962       0x1456E2        Zip archive data, at least v2.0 to extract, compressed size: 2127, uncompressed size: 7832, name: rs_sz13.hft
1335158       0x145F76        Zip archive data, at least v2.0 to extract, compressed size: 2119, uncompressed size: 7833, name: rs_sz13b.hft
1337347       0x146803        Zip archive data, at least v2.0 to extract, compressed size: 1573, uncompressed size: 7761, name: rs_sz13m.hft
1338990       0x146E6E        Zip archive data, at least v2.0 to extract, compressed size: 2289, uncompressed size: 8852, name: rs_sz15.hft
1341348       0x1477A4        Zip archive data, at least v2.0 to extract, compressed size: 2496, uncompressed size: 8821, name: rs_sz15b.hft
1343914       0x1481AA        Zip archive data, at least v2.0 to extract, compressed size: 4060, uncompressed size: 15452, name: rs_sz25.hft
1348043       0x1491CB        Zip archive data, at least v2.0 to extract, compressed size: 4109, uncompressed size: 23353, name: rs_sz25m.hft
1352222       0x14A21E        Zip archive data, at least v2.0 to extract, compressed size: 4862, uncompressed size: 22984, name: rs_sz30.hft
1357153       0x14B561        Zip archive data, at least v2.0 to extract, compressed size: 4956, uncompressed size: 27425, name: rs_sz30m.hft
1362996       0x14CC34        End of Zip archive
4456512       0x440040        ELF, 32-bit LSB executable, version 1 (SYSV)

8412523       0x805D6B        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
8412795       0x805E7B        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit

More RBF's files.... Further Down..

36364532      0x22AE0F4       PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36401706      0x22B722A       PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36450492      0x22C30BC       PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36712252      0x2302F3C       PNG image, 323 x 207, 8-bit/color RGB, non-interlaced
36712314      0x2302F7A       Zlib compressed data, compressed
36894980      0x232F904       Zip archive data, at least v2.0 to extract, compressed size: 3398244, uncompressed size: 5549056, name: 2G5RM500.rbf
40293294      0x266D3AE       Zip archive data, at least v2.0 to extract, compressed size: 232260, uncompressed size: 447796, name: MC_RMxV02.rbf
40525625      0x26A5F39       Zip archive data, at least v2.0 to extract, compressed size: 2525, uncompressed size: 14259, name: hm_7segment_25.hft
40528226      0x26A6962       Zip archive data, at least v2.0 to extract, compressed size: 2578, uncompressed size: 17987, name: hm_7segment_33.hft
40530880      0x26A73C0       Zip archive data, at least v2.0 to extract, compressed size: 2636, uncompressed size: 21715, name: hm_7segment_41.hft
40533592      0x26A7E58       Zip archive data, at least v2.0 to extract, compressed size: 671222, uncompressed size: 1736498, name: rs_chin15.hft
41204885      0x274BC95       Zip archive data, at least v2.0 to extract, compressed size: 671531, uncompressed size: 1736739, name: rs_chin15b.hft

Anyway... you get the idea...

Hope this helps???

Thanks.
Mike K
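Mike's binwalk listing above comes from plain signature scanning: find the magic bytes of a known file format inside the dump, then parse the header that follows each hit to print offset and description. The Python below is an added example, not Mike's code and not binwalk itself, that does exactly that for three of the formats in his listing (ELF, GIF89a and Zip local file headers, plus the Zip end-of-archive record). The image it scans is constructed inline with the `zipfile` module; the member names reuse two from the listing but their contents are placeholder bytes, and the ELF and GIF headers are minimal stubs just large enough for the fields that get parsed.

```python
"""Minimal binwalk-style signature scanner over a raw flash dump (added example).
The sample image is constructed below; it is not the scope's firmware."""
import io
import struct
import zipfile


def _zip_local_header(blob, off):
    """Parse a PKZIP local file header at `off` into a binwalk-like description."""
    if off + 30 > len(blob):
        return None
    # signature(4) is skipped; then version, flags, method, time, date, crc, csize, usize, nlen, elen
    ver, flags, _method, _t, _d, _crc, csize, usize, nlen, _elen = struct.unpack_from(
        "<HHHHHIIIHH", blob, off + 4)
    name = blob[off + 30: off + 30 + nlen].decode("utf-8", "replace")
    if flags & 0x08:  # bit 3: sizes live in a trailing data descriptor, header values are 0
        csize = usize = "unknown (data descriptor)"
    return (f"Zip archive data, at least v{ver // 10}.{ver % 10} to extract, "
            f"compressed size: {csize}, uncompressed size: {usize}, name: {name}")


def _elf(blob, off):
    """Describe an ELF header: class (32/64-bit), data encoding and object type."""
    if off + 18 > len(blob):
        return None
    cls, data = blob[off + 4], blob[off + 5]
    e_type = struct.unpack_from(">H" if data == 2 else "<H", blob, off + 16)[0]
    bits = {1: "32-bit", 2: "64-bit"}.get(cls, "unknown-class")
    endian = {1: "LSB", 2: "MSB"}.get(data, "unknown-endian")
    kind = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}.get(e_type, "unknown")
    return f"ELF, {bits} {endian} {kind}"


def _gif(blob, off):
    """GIF89a logical screen width/height follow the 6-byte signature, little endian."""
    if off + 10 > len(blob):
        return None
    w, h = struct.unpack_from("<HH", blob, off + 6)
    return f'GIF image data, version "89a", {w} x {h}'


SIGNATURES = [
    (b"\x7fELF", _elf),
    (b"GIF89a", _gif),
    (b"PK\x03\x04", _zip_local_header),
    (b"PK\x05\x06", lambda blob, off: "End of Zip archive"),
]


def scan(blob):
    """Return [(offset, description)] for every signature hit, sorted by offset."""
    hits = []
    for magic, parser in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            desc = parser(blob, pos)
            if desc:
                hits.append((pos, desc))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def build_sample_image():
    """Constructed image: 0xFF padding, an ELF header stub, a GIF header stub and a Zip."""
    pad = b"\xff" * 0x40
    elf = bytearray(64)
    elf[0:7] = b"\x7fELF\x01\x01\x01"      # ELF, class 1 (32-bit), data 1 (LSB), version 1
    struct.pack_into("<H", elf, 16, 2)      # e_type 2 = executable
    gif = b"GIF89a" + struct.pack("<HH", 1024, 55) + b"\x00" * 4
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("MC_RMxV02.rbf", b"\x00" * 4096)   # placeholder bytes, not a real bitstream
        z.writestr("rs_sz13.hft", b"\x00" * 1000)     # placeholder bytes, not a real font
    return pad + bytes(elf) + pad + gif + pad + zbuf.getvalue()


if __name__ == "__main__":
    print(f"{'DECIMAL':<13} {'HEXADECIMAL':<15} DESCRIPTION")
    print("-" * 80)
    for off, desc in scan(build_sample_image()):
        print(f"{off:<13} {off:#010x}      {desc}")
```

Two details worth noticing when reading a listing like Mike's: the sizes printed for a Zip member come straight from the local header, so a writer that set flag bit 3 (streamed output) leaves them zero there and the real values are only in the central directory; and a magic-byte hit is just a hit, so a "CRC32 polynomial table" or a 1 x 1 GIF inside an executable region is normal library residue rather than a separately stored file.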
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1768
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #13 on: May 06, 2020, 04:55:34 pm »
Have you guys ever heard of BINWALK?

Mike, it's nice to assume that IDA Pro users know "binwalk". Thanks, anyway.

Parsing the .RBF   1103844       0x10D7E4         name: MC_RMxV02.rbf
FPGA - RBF/RPD (Raw Binary File) - Filesize: 3 570 728 bits (0006CF85 bytes)
00000000 - Start of File  (Type 1)

         [00000048                      00000021]
Bit 7  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 6  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 5  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 4  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 3  - 1111111111111111111111111110011010000000       FFFFFFE680
Bit 2  - 0001101100111110000011111000000000111111       1B3E0F803F
Bit 1  - 1111000000000111101001000000011111111111       F007A407FF
Bit 0  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bits 0080 - EPCS/EPCQ ID check: Enabled
Bits 005F - Stream size: 3 570 719 bits  (0006CF84 bytes)  Compression Bit ON  (+1)     Size OK
Bits 0056 - 0000 0000 : 0x56-0x5D
Bits 004C - Programming Mode: 1-bit Passive Serial
Bits 003B - IDCode (Version+Part Number only): 0x020F4  (-> 0x024F4)
Bits 0008 - Usercode: FFFFFFFF
00000049 - Header CRC-16_MODBUS: DBF1  [00000021-00000048]        CRC OK
0000004B - Data Framesize: 374  [0000004B-00000198]
00000199 - 4-byte words: 3393  [00000199-0000369C]
00000000 - Stream Size (Uncompressed): 9 534 288 bits
0000369D - CRC Framesize: 374+0     # Data Frames: 3124  [0000369D-00122F30]
Start address: 00000000
00122F31 - Post-device bitstream pad bytes (0xFF): 57  [00122F31-00122F69]
File Checksum: 0128A493

And, no, it wasn't done with binwalk...
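tv84's header listing reports a "CRC-16_MODBUS" over the RBF header bytes and flags "CRC OK" only when the recomputed value matches, which is the check a parser should make before trusting any field it reads from a header. As an added example, not tv84's tool and not anything from the page, here is that CRC variant (reflected polynomial 0x8005, applied as 0xA001, initial value 0xFFFF, no final XOR) verified against the standard check value, together with a verifier for a frame that carries its CRC appended low byte first. It does not reproduce the Altera RBF header layout, which the thread does not document.

```python
"""CRC-16/MODBUS with a frame verifier (added example)."""


def crc16_modbus(data: bytes) -> int:
    """Bitwise CRC-16/MODBUS: init 0xFFFF, reflected poly 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def append_crc(payload: bytes) -> bytes:
    """Append the CRC little endian (low byte first), as MODBUS frames do."""
    return payload + crc16_modbus(payload).to_bytes(2, "little")


def verify_crc(frame: bytes) -> bool:
    """Recompute the CRC over the body and compare it with the stored trailer."""
    if len(frame) < 2:
        return False
    body, stored = frame[:-2], int.from_bytes(frame[-2:], "little")
    return crc16_modbus(body) == stored


if __name__ == "__main__":
    # "123456789" is the standard check string; CRC-16/MODBUS gives 0x4B37.
    print(f"check value: {crc16_modbus(b'123456789'):#06x}")
    frame = append_crc(b"\x01\x03\x00\x00\x00\x0a")   # constructed sample payload
    print("intact:", verify_crc(frame), "corrupted:", verify_crc(frame[:-1] + b"\x00"))
```

Because the CRC is reflected and appended low byte first, running `crc16_modbus` over the whole frame including its trailer yields 0, which is a cheap way to validate a frame without slicing it.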

 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1768
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #14 on: May 06, 2020, 10:05:56 pm »
I also noticed that memory dumps from, for instance, the Blackfin internal boot ROM yield all "0's" even though the ROM is not empty.

Indeed. Interesting...
 

