EEVblog Electronics Community Forum
Products => Test Equipment => Topic started by: TRN on October 11, 2019, 06:44:24 pm
-
Hi,
I recently purchased an RTM2052 scope, and am wondering if anybody has ever attempted to hack this scope to add option licenses, or knows how to extract files from the "RTM20x2.FWU" firmware files?
regards
-
We are missing a memdump...
-
I am not sure how to do a memdump for this scope. It's not a Windows based scope; it has an embedded operating system, just like the Agilent DSO-X scopes.
-
Does anybody have any suggestions or hints?
-
Start with looking at the board for used MCU/FPGAs/Flash, debugging headers, etc.
-
O.K. I will do :-+
-
O.K. since I didn't have any experience with embedded systems, I did some googling and found that most embedded system software is written in C.
So I bought a few books about embedded C, and have started to read them. Progress is slow but steady, and one of the books has touched the subject of JTAG, but I am a long way away from understanding how to install a JTAG connector into an embedded system which doesn't have one (in my case the RTM2000 scope), and even further away from then knowing how to use this for debugging.
But I guess one day I will grasp this.
Nevertheless I would like to ask the forum if somebody can point me in the right direction on how to extract files from a flash firmware update file (in my case the RTM20x2.FWU file) on a PC instead of the embedded system it is intended for?
-
A lot, if not most, equipment has JTAG functionality. Sometimes they're kind enough to fit a port and sometimes it's pads you can use. Sometimes you need to do a bit more poking to find the correct traces, as manufacturers intentionally obscure them.
https://hackaday.com/2016/12/15/the-many-faces-of-jtag/
-
Well, I did some reading up on JTAG, and finally had the courage to open the scope and look for the JTAG pads, which were easy to spot because they are labeled as BF JTAG (the processor is an ADSP-BF561).
So I soldered a 14 pin PCB header to the main-board, purchased a JTAG emulator, and downloaded a trial version of VisualDSP software.
The emulator runs fine, and I was able to download a memory dump from what I think is the contents of the flash ROM.
I tried to disassemble the dump file with IDA Pro, but IDA does not support the Blackfin processor, so I found a Blackfin plugin for IDA, which has to be built with Visual Studio. I tried this but the build always fails, so no luck there.
I also was unable to debug the oscilloscope with VisualDSP, which caused a read error of the Blackfin registers every time I halted the processor.
After switching to a trial version of crosscore studio, this has now been resolved, and I can debug the scope.
I am trying to make sense of the Blackfin's weird assembly language format, but so far not much luck.
Trying to find where to set breakpoints while looking for the routines which are used for inputting the 30 digit license keys is also an unknown to me.
I also noticed that memory dumps from for instance the Blackfin internal boot ROM yields all "0's" even though the rom is not empty.
If somebody has a working blackfin plugin for IDA pro I would appreciate it if I could get a copy.
Will keep you updated on any further progress, or if I have other questions.
If anybody is interested in a copy of the flash ROM memory dump, let me know, and I will upload it to the Mega.nz cloud
-
:clap: :clap:
For someone who just "bought some embedded C books": well done!
I'm interested in the dump. Please send me the link.
Attached is the BF plugin.
-
Here is the link: https://mega.nz/file/RnpQFK4J#Ersky1dP0kvjYFbHdMQIKCX5UpyHgAj0NVr1rru0q_Q
Thanks for the heads-up and for the plugin as well :-+
-
Have you guys ever heard of BINWALK?
You can install it with apt command in linux (ubuntu)
Here is a preview of the file... Looks like there are a few RBF files in the data file.
WARNING lots of output!!!!
CLI> binwalk BF561_External_Memory_Dump_0x20.dat
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
133408 0x20920 CRC32 polynomial table, little endian
262208 0x40040 ELF, 32-bit LSB executable, version 1 (SYSV)
793212 0xC1A7C CRC32 polynomial table, little endian
844576 0xCE320 CRC32 polynomial table, little endian
848672 0xCF320 CRC32 polynomial table, big endian
855611 0xD0E3B Copyright string: "Copyright 1995-2013 Mark Adler "
860378 0xD20DA Zlib compressed data, best compression
861534 0xD255E Zlib compressed data, best compression
861940 0xD26F4 Zlib compressed data, best compression
863829 0xD2E55 Zlib compressed data, best compression
869236 0xD4374 GIF image data, version "89a", 1024 x 55
869591 0xD44D7 GIF image data, version "89a", 1 x 1
869626 0xD44FA GIF image data, version "89a", 1 x 1
869661 0xD451D GIF image data, version "89a", 153 x 116
Lots of Images...
Below looks like a RBF file..
1103844 0x10D7E4 Zip archive data, at least v2.0 to extract, compressed size: 229047, uncompressed size: 446341, name: MC_RMxV02.rbf
1332962 0x1456E2 Zip archive data, at least v2.0 to extract, compressed size: 2127, uncompressed size: 7832, name: rs_sz13.hft
1335158 0x145F76 Zip archive data, at least v2.0 to extract, compressed size: 2119, uncompressed size: 7833, name: rs_sz13b.hft
1337347 0x146803 Zip archive data, at least v2.0 to extract, compressed size: 1573, uncompressed size: 7761, name: rs_sz13m.hft
1338990 0x146E6E Zip archive data, at least v2.0 to extract, compressed size: 2289, uncompressed size: 8852, name: rs_sz15.hft
1341348 0x1477A4 Zip archive data, at least v2.0 to extract, compressed size: 2496, uncompressed size: 8821, name: rs_sz15b.hft
1343914 0x1481AA Zip archive data, at least v2.0 to extract, compressed size: 4060, uncompressed size: 15452, name: rs_sz25.hft
1348043 0x1491CB Zip archive data, at least v2.0 to extract, compressed size: 4109, uncompressed size: 23353, name: rs_sz25m.hft
1352222 0x14A21E Zip archive data, at least v2.0 to extract, compressed size: 4862, uncompressed size: 22984, name: rs_sz30.hft
1357153 0x14B561 Zip archive data, at least v2.0 to extract, compressed size: 4956, uncompressed size: 27425, name: rs_sz30m.hft
1362996 0x14CC34 End of Zip archive
4456512 0x440040 ELF, 32-bit LSB executable, version 1 (SYSV)
8412523 0x805D6B mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
8412795 0x805E7B mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
More RBF's files.... Further Down..
36364532 0x22AE0F4 PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36401706 0x22B722A PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36450492 0x22C30BC PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36712252 0x2302F3C PNG image, 323 x 207, 8-bit/color RGB, non-interlaced
36712314 0x2302F7A Zlib compressed data, compressed
36894980 0x232F904 Zip archive data, at least v2.0 to extract, compressed size: 3398244, uncompressed size: 5549056, name: 2G5RM500.rbf
40293294 0x266D3AE Zip archive data, at least v2.0 to extract, compressed size: 232260, uncompressed size: 447796, name: MC_RMxV02.rbf
40525625 0x26A5F39 Zip archive data, at least v2.0 to extract, compressed size: 2525, uncompressed size: 14259, name: hm_7segment_25.hft
40528226 0x26A6962 Zip archive data, at least v2.0 to extract, compressed size: 2578, uncompressed size: 17987, name: hm_7segment_33.hft
40530880 0x26A73C0 Zip archive data, at least v2.0 to extract, compressed size: 2636, uncompressed size: 21715, name: hm_7segment_41.hft
40533592 0x26A7E58 Zip archive data, at least v2.0 to extract, compressed size: 671222, uncompressed size: 1736498, name: rs_chin15.hft
41204885 0x274BC95 Zip archive data, at least v2.0 to extract, compressed size: 671531, uncompressed size: 1736739, name: rs_chin15b.hft
Anyway... you get the idea...
Hope this helps???
Thanks.
Mike K
-
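Added example (not part of the thread, and not binwalk's own code): a minimal Python signature scanner that does what the binwalk listing above shows. It walks a blob, looks for a handful of well-known magic values (ZIP local file header and end-of-central-directory record, GIF, PNG) and decodes just enough of each header to report offset, sizes and, for ZIP entries, the stored member name. The blob it scans is constructed inside the script (filler bytes, a GIF header, a two-member ZIP archive, a PNG header), so no firmware file is needed; the member names are placeholders. Matching magic bytes without validating the rest of the header is also why carving tools report false positives: a signature can occur by chance inside compressed or encrypted data, which is worth keeping in mind when reading a listing like the one above.

```python
"""Minimal binwalk-style signature scanner (added example, not binwalk itself).

Walks a binary blob looking for a few well-known magic values and, for each
hit, decodes just enough of the following header to report what a carving
tool reports: offset, kind, sizes and (for ZIP entries) the member name.
The blob is constructed in-code so the script runs offline.
"""
import io
import struct
import zipfile


def parse_zip_entry(blob, off):
    # ZIP local file header (30 bytes): signature, version needed, flags,
    # method, mod time, mod date, crc32, compressed size, uncompressed size,
    # file name length, extra field length; the file name follows the header.
    fmt = "<4sHHHHHIIIHH"
    if off + struct.calcsize(fmt) > len(blob):
        return None
    (_sig, ver, _flags, _method, _t, _d, _crc, csize, usize,
     nlen, _elen) = struct.unpack_from(fmt, blob, off)
    name = blob[off + 30:off + 30 + nlen].decode("utf-8", "replace")
    return {"type": "zip_entry", "offset": off, "version": ver / 10,
            "compressed": csize, "uncompressed": usize, "name": name}


def parse_zip_end(blob, off):
    # End-of-central-directory record: only its presence is reported here.
    return {"type": "zip_end", "offset": off}


def parse_gif(blob, off):
    # GIF header: 6-byte signature, then logical screen width and height
    # as little-endian 16-bit values.
    if off + 10 > len(blob):
        return None
    width, height = struct.unpack_from("<HH", blob, off + 6)
    return {"type": "gif", "offset": off, "width": width, "height": height}


def parse_png(blob, off):
    # PNG: 8-byte signature, then the IHDR chunk (4-byte length, "IHDR",
    # width and height as big-endian 32-bit values).
    if off + 24 > len(blob) or blob[off + 12:off + 16] != b"IHDR":
        return None
    width, height = struct.unpack_from(">II", blob, off + 16)
    return {"type": "png", "offset": off, "width": width, "height": height}


# Signature table: magic bytes -> header decoder.
SIGNATURES = {
    b"PK\x03\x04": parse_zip_entry,
    b"PK\x05\x06": parse_zip_end,
    b"GIF87a": parse_gif,
    b"GIF89a": parse_gif,
    b"\x89PNG\r\n\x1a\n": parse_png,
}


def scan(blob):
    """Return every signature hit in the blob, sorted by offset."""
    hits = []
    for magic, decode in SIGNATURES.items():
        start = 0
        while True:
            off = blob.find(magic, start)
            if off < 0:
                break
            rec = decode(blob, off)
            if rec is not None:
                hits.append(rec)
            start = off + 1
    return sorted(hits, key=lambda r: r["offset"])


def describe(rec):
    """Render one hit in the style of a binwalk listing line."""
    if rec["type"] == "zip_entry":
        body = ("Zip archive data, at least v%.1f to extract, compressed size: %d, "
                "uncompressed size: %d, name: %s"
                % (rec["version"], rec["compressed"], rec["uncompressed"], rec["name"]))
    elif rec["type"] == "zip_end":
        body = "End of Zip archive"
    else:
        body = "%s image data, %d x %d" % (rec["type"].upper(), rec["width"], rec["height"])
    return "%-10d 0x%-10X %s" % (rec["offset"], rec["offset"], body)


def build_sample_blob():
    """Constructed stand-in for a memory dump: filler, a GIF header, a small
    two-member ZIP archive, a PNG header. Member names are placeholders."""
    pad = bytes(range(256)) * 4                       # 1024 bytes of filler
    gif = b"GIF89a" + struct.pack("<HH", 1024, 55) + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MC_sample.rbf", b"\x00" * 4000)
        zf.writestr("rs_sample.hft", b"hft sample " * 300)
    png = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
           + struct.pack(">II", 323, 207) + b"\x08\x02\x00\x00\x00")
    return pad + gif + pad + buf.getvalue() + pad + png + pad


if __name__ == "__main__":
    print("%-10s %-12s %s" % ("DECIMAL", "HEXADECIMAL", "DESCRIPTION"))
    for rec in scan(build_sample_blob()):
        print(describe(rec))
```

Running the script prints a listing in the same shape as the binwalk output above, with the GIF at offset 1024 and the first ZIP member at 2074 (1024 bytes of filler, a 26-byte GIF header, another 1024 bytes of filler). Adding a signature is a matter of adding a magic string and a decoder to SIGNATURES; adding validation inside the decoder (checking the CRC of a ZIP member, for instance) is what separates a carving tool from a plain string search.
-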
AES-256 key for RTM2xxx and RTM1xxx .FWU packages:
2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409
Parsing of RTM210x_Firmware_V6000:
00000000 Header Size: 0400 [00000000-000003FF] FileSize OK
00000002 Section 1 Size: 00090AA0 [00000400-00090E9F]
00000006 Section 2 Size: 00CAA980 [00090EA0-00D3B81F]
0000000A Section 1 CRC16: C8D1 CRC OK
0000000C Section 2 CRC16: DBD1 CRC OK
0000000E ????: 0x10250000
0000001E Model: RTM2104
0000002E FW Version: 06.000
0000003E Release Date: 2016-06-21
0000004E ????: 17118.16288
0000005E Compilation: Build 33803 built on 2016-06-21 12:36:26 by MaG? [06.000 - HCL: 02.450 - MesOS: 03.750] with GCC 5.3.0
0000015E (???) Hash Type: 2
00000198 Build: 33803
000001AA Section 1 SHA256: 9E68739356BEF372F3469D3D50D2F3A1 HASH OK
000001CA Section 2 SHA256: 6001B0F7E32F38D8D67EC98F217A81AD HASH OK
000003FE Header CRC16: B6C2 CRC OK
--------------------------------------------------------------------
00090EA0 **** SubSection 0x80 ****
00090EA1 SubSect Hdr Size: 0025
00090EA3 SubSection Size: 0000BFCF [00090EC5-0009CE93]
00090EA7 SubSection CRC16: 4830 CRC OK
00090EBF Contents Size: 0000BFCA [00090EC8-0009CE91]
00090EC3 SubSect Hdr CRC16: C39A [00090EA0-00090EC2] CRC OK
00090EC8 BMP (1024x768 pixels - 8 bits / compr.: 1) [00090EC8-0009CE91]
0009CE94 **** SubSection 0x11 ****
0009CE95 SubSect Hdr Size: 0025
0009CE97 SubSection Size: 00001203 [0009CEB9-0009E0BB]
0009CE9B SubSection CRC16: 359D CRC OK
0009CEB3 Contents Size: 00001200 [0009CEBC-0009E0BB]
0009CEB7 SubSect Hdr CRC16: 1F73 [0009CE94-0009CEB6] CRC OK
0009CEBC Bootloader Programmer
0009E0BC **** SubSection 0x18 ****
0009E0BD SubSect Hdr Size: 0025
0009E0BF SubSection Size: 00C0B413 [0009E0E1-00CA94F3]
0009E0C3 SubSection CRC16: 5ACF CRC OK
0009E0DB Contents Size: 00C0B410 [0009E0E4-00CA94F3]
0009E0DF SubSect Hdr CRC16: BD91 [0009E0BC-0009E0DE] CRC OK
0009E0E5 ELF File Size: 00C0B390 [0009E124-00CA94B3]
0009E0E9 ELF File CRC32: 61AAE214 CRC OK
0009E0ED Creation Time: 21/06/2016 10:37:00
0009E124 Main Application .ELF
00CA94F4 **** SubSection 0x22 ****
00CA94F5 SubSect Hdr Size: 0025
00CA94F7 SubSection Size: 00087873 [00CA9519-00D30D8B]
00CA94FB SubSection CRC16: 226B CRC OK
00CA9513 Contents Size: 00087870 [00CA951C-00D30D8B]
00CA9517 SubSect Hdr CRC16: 68F1 [00CA94F4-00CA9516] CRC OK
00CA951D ZIP File Size: 000877F0 [00CA955C-00D30D4B]
00CA9521 ZIP File CRC32: 42E95A61 CRC OK
00CA9525 Creation Time: 21/06/2016 10:33:00
00CA955C Languages .ZIP file
00D30D8C **** SubSection 0x16 ****
00D30D8D SubSect Hdr Size: 0070
00D30D8F SubSection Size: 0000AA1C [00D30DFC-00D3B817]
00D30D93 SubSection CRC16: 3CA6 CRC OK
00D30DAB Contents Size: 0000A9BB [00D30E5C-00D3B816]
00D30DFA SubSect Hdr CRC16: 8457 [00D30D8C-00D30DF9] CRC OK
00D30E5C PLD .JAM Programming