Author Topic: R&S RTM2000 has anybody hacked this scope?  (Read 3167 times)


Offline TRN (Topic starter)

  • Supporter
  • ****
  • Posts: 127
  • Country: pt
R&S RTM2000 has anybody hacked this scope?
« on: October 11, 2019, 06:44:24 pm »
Hi,
I recently purchased an RTM2052 scope, and am wondering if anybody has ever attempted to hack this scope to add option licenses, or knows how to extract files from the "RTM20x2.FWU" firmware files?

regards

 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #1 on: October 11, 2019, 07:40:14 pm »
We're missing a memdump...
 

Offline TRN (Topic starter)

  • Supporter
  • ****
  • Posts: 127
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #2 on: October 11, 2019, 08:22:08 pm »

I am not sure how to do a memdump for this scope. It's not a Windows-based scope; it has an embedded operating system, just like the Agilent DSO-X scopes.
 

Offline TRN (Topic starter)

  • Supporter
  • ****
  • Posts: 127
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #3 on: October 20, 2019, 04:03:38 pm »
Does anybody have any suggestions or hints?
 

Offline KaneTW

  • Frequent Contributor
  • **
  • Posts: 805
  • Country: de
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #4 on: October 20, 2019, 06:26:29 pm »
Start with looking at the board for used MCU/FPGAs/Flash, debugging headers, etc.
 
The following users thanked this post: TRN

Offline TRN (Topic starter)

  • Supporter
  • ****
  • Posts: 127
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #5 on: October 20, 2019, 06:44:17 pm »
O.K., I will do that :-+
 

Offline TRN (Topic starter)

  • Supporter
  • ****
  • Posts: 127
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #6 on: February 22, 2020, 08:16:58 pm »
O.K. Since I didn't have any experience with embedded systems, I did some googling and found that most embedded system software is written in C.
So I bought a few books about embedded C and have started to read them. Progress is slow but steady, and one of the books has touched on the subject of JTAG, but I am a long way from understanding how to install a JTAG connector in an embedded system which doesn't have one (in my case the RTM2000 scope), and even further from knowing how to use this for debugging.
But I guess one day I will grasp this.
Nevertheless, I would like to ask the forum if somebody can point me in the right direction on how to extract files from a flash firmware update file (in my case the RTM20x2.FWU file) on a PC instead of the embedded system it is intended for.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #7 on: February 22, 2020, 08:28:32 pm »
O.K. Since I didn't have any experience with embedded systems, I did some googling and found that most embedded system software is written in C.
So I bought a few books about embedded C and have started to read them. Progress is slow but steady, and one of the books has touched on the subject of JTAG, but I am a long way from understanding how to install a JTAG connector in an embedded system which doesn't have one (in my case the RTM2000 scope), and even further from knowing how to use this for debugging.
But I guess one day I will grasp this.
Nevertheless, I would like to ask the forum if somebody can point me in the right direction on how to extract files from a flash firmware update file (in my case the RTM20x2.FWU file) on a PC instead of the embedded system it is intended for.
A lot, if not most, equipment has JTAG functionality. Sometimes they're kind enough to fit a port, and sometimes it's pads you can use. Sometimes you need to do a bit more poking to find the correct traces, as manufacturers intentionally obscure them.

https://hackaday.com/2016/12/15/the-many-faces-of-jtag/
 
The following users thanked this post: TRN

Offline TRN (Topic starter)

  • Supporter
  • ****
  • Posts: 127
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #8 on: May 06, 2020, 02:42:38 pm »
Well, I did some reading up on JTAG and finally had the courage to open the scope and look for the JTAG pads, which were easy to spot because they are labeled as BF JTAG (the processor is an ADSP-BF561).
So I soldered a 14-pin PCB header to the main board, purchased a JTAG emulator, and downloaded a trial version of the VisualDSP software.
The emulator runs fine, and I was able to download a memory dump of what I think is the contents of the flash ROM.
I tried to disassemble the dump file with IDA Pro, but IDA does not support the Blackfin processor, so I found a Blackfin plugin for IDA which has to be built with Visual Studio. I tried this, but the build always fails, so no luck there.
I was also unable to debug the oscilloscope with VisualDSP, which caused a read error of the Blackfin registers every time I halted the processor.
After switching to a trial version of CrossCore Studio, this has now been resolved, and I can debug the scope.
I am trying to make sense of the Blackfin's weird assembly language format, but so far not much luck.
Trying to find where to set breakpoints while looking for the routines which are used for inputting the 30-digit license keys is also an unknown to me.
I also noticed that memory dumps from, for instance, the Blackfin internal boot ROM yield all "0"s even though the ROM is not empty.
If somebody has a working Blackfin plugin for IDA Pro, I would appreciate it if I could get a copy.

Will keep you updated on any further progress, or if I have other questions

If anybody is interested in a copy of the flash ROM memory dump, let me know and I will upload it to the Mega.nz cloud.
« Last Edit: May 06, 2020, 02:46:41 pm by TRN »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #9 on: May 06, 2020, 02:52:39 pm »
 :clap:  :clap:

For someone who just "bought some embedded C books": well done!

I'm interested in the dump. Please send me the link.

Attached is the BF plugin.
« Last Edit: May 06, 2020, 03:56:55 pm by tv84 »
 

Offline TRN (Topic starter)

  • Supporter
  • ****
  • Posts: 127
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #10 on: May 06, 2020, 04:01:46 pm »
Here is the link: https://mega.nz/file/RnpQFK4J#Ersky1dP0kvjYFbHdMQIKCX5UpyHgAj0NVr1rru0q_Q

Thanks for the heads-up and for the plugin as well :-+
 

Offline godtec

  • Newbie
  • Posts: 1
  • Country: ca
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #11 on: May 06, 2020, 04:27:43 pm »
Have you guys ever heard of BINWALK?
You can install it with the apt command in Linux (Ubuntu).
Here is a preview of the file... Looks like there are a few RBF files in the data file.

WARNING: lots of output!!!!

CLI>  binwalk BF561_External_Memory_Dump_0x20.dat

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
133408        0x20920         CRC32 polynomial table, little endian
262208        0x40040         ELF, 32-bit LSB executable, version 1 (SYSV)
793212        0xC1A7C         CRC32 polynomial table, little endian
844576        0xCE320         CRC32 polynomial table, little endian
848672        0xCF320         CRC32 polynomial table, big endian
855611        0xD0E3B         Copyright string: "Copyright 1995-2013 Mark Adler "
860378        0xD20DA         Zlib compressed data, best compression
861534        0xD255E         Zlib compressed data, best compression
861940        0xD26F4         Zlib compressed data, best compression
863829        0xD2E55         Zlib compressed data, best compression
869236        0xD4374         GIF image data, version "89a", 1024 x 55
869591        0xD44D7         GIF image data, version "89a", 1 x 1
869626        0xD44FA         GIF image data, version "89a", 1 x 1
869661        0xD451D         GIF image data, version "89a", 153 x 116

Lots of images...

Below looks like an RBF file...

1103844       0x10D7E4        Zip archive data, at least v2.0 to extract, compressed size: 229047, uncompressed size: 446341, name: MC_RMxV02.rbf
1332962       0x1456E2        Zip archive data, at least v2.0 to extract, compressed size: 2127, uncompressed size: 7832, name: rs_sz13.hft
1335158       0x145F76        Zip archive data, at least v2.0 to extract, compressed size: 2119, uncompressed size: 7833, name: rs_sz13b.hft
1337347       0x146803        Zip archive data, at least v2.0 to extract, compressed size: 1573, uncompressed size: 7761, name: rs_sz13m.hft
1338990       0x146E6E        Zip archive data, at least v2.0 to extract, compressed size: 2289, uncompressed size: 8852, name: rs_sz15.hft
1341348       0x1477A4        Zip archive data, at least v2.0 to extract, compressed size: 2496, uncompressed size: 8821, name: rs_sz15b.hft
1343914       0x1481AA        Zip archive data, at least v2.0 to extract, compressed size: 4060, uncompressed size: 15452, name: rs_sz25.hft
1348043       0x1491CB        Zip archive data, at least v2.0 to extract, compressed size: 4109, uncompressed size: 23353, name: rs_sz25m.hft
1352222       0x14A21E        Zip archive data, at least v2.0 to extract, compressed size: 4862, uncompressed size: 22984, name: rs_sz30.hft
1357153       0x14B561        Zip archive data, at least v2.0 to extract, compressed size: 4956, uncompressed size: 27425, name: rs_sz30m.hft
1362996       0x14CC34        End of Zip archive
4456512       0x440040        ELF, 32-bit LSB executable, version 1 (SYSV)

8412523       0x805D6B        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
8412795       0x805E7B        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit

More RBF files... further down...

36364532      0x22AE0F4       PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36401706      0x22B722A       PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36450492      0x22C30BC       PC bitmap, Windows 3.x format,, 1024 x 768 x 4
36712252      0x2302F3C       PNG image, 323 x 207, 8-bit/color RGB, non-interlaced
36712314      0x2302F7A       Zlib compressed data, compressed
36894980      0x232F904       Zip archive data, at least v2.0 to extract, compressed size: 3398244, uncompressed size: 5549056, name: 2G5RM500.rbf
40293294      0x266D3AE       Zip archive data, at least v2.0 to extract, compressed size: 232260, uncompressed size: 447796, name: MC_RMxV02.rbf
40525625      0x26A5F39       Zip archive data, at least v2.0 to extract, compressed size: 2525, uncompressed size: 14259, name: hm_7segment_25.hft
40528226      0x26A6962       Zip archive data, at least v2.0 to extract, compressed size: 2578, uncompressed size: 17987, name: hm_7segment_33.hft
40530880      0x26A73C0       Zip archive data, at least v2.0 to extract, compressed size: 2636, uncompressed size: 21715, name: hm_7segment_41.hft
40533592      0x26A7E58       Zip archive data, at least v2.0 to extract, compressed size: 671222, uncompressed size: 1736498, name: rs_chin15.hft
41204885      0x274BC95       Zip archive data, at least v2.0 to extract, compressed size: 671531, uncompressed size: 1736739, name: rs_chin15b.hft

Anyway... you get the idea...

Hope this helps???

Thanks.
Mike K
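binwalk reports the PK entries it finds in the dump, but it does not show how to get them out when the surrounding central directory is missing or the image is truncated. The following carver is an added example, not part of godtec's post and not binwalk's own code: it walks the dump for ZIP local-file headers, reads the name and sizes from each header, inflates the raw deflate stream and verifies the stored CRC32 before handing the entry back. The sample dump it builds (make_sample_dump) is constructed here so the script runs offline; only the entry names are taken from the binwalk listing above.

```python
"""Carve ZIP local-file entries out of a raw memory dump (added example)."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HDR_FMT = "<4sHHHHHIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR_FMT)  # 30 bytes


def carve_zip_entries(blob: bytes):
    """Yield (offset, name, data) for every local-file entry found in blob.

    data is None when the entry cannot be recovered from the local header
    alone (data-descriptor flag, unsupported method, size/CRC mismatch).
    """
    pos = 0
    while True:
        pos = blob.find(LOCAL_SIG, pos)
        if pos < 0 or pos + LOCAL_HDR_LEN > len(blob):
            return
        (_sig, _ver, flags, method, _t, _d, crc, csize, usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_HDR_FMT, blob, pos)
        name_off = pos + LOCAL_HDR_LEN
        data_off = name_off + name_len + extra_len
        name = blob[name_off:name_off + name_len].decode("ascii", "replace")

        if flags & 0x0008:
            # Bit 3 set: CRC and sizes live in a trailing data descriptor,
            # so the local header alone does not tell us where the data ends.
            yield pos, name, None
            pos += len(LOCAL_SIG)
            continue

        comp = blob[data_off:data_off + csize]
        if method == 0:                      # stored
            data = comp
        elif method == 8:                    # deflate, raw stream (no zlib header)
            try:
                data = zlib.decompress(comp, -15)
            except zlib.error:
                data = None
        else:
            data = None

        if data is None or len(data) != usize or zlib.crc32(data) != crc:
            yield pos, name, None            # header looked right, payload did not
            pos += len(LOCAL_SIG)
            continue

        yield pos, name, data
        pos = data_off + csize               # skip past the payload we just consumed


def make_sample_dump() -> bytes:
    """Constructed stand-in for BF561_External_Memory_Dump_0x20.dat.

    A small zip with two entry names from the thread is embedded between
    non-zip filler and an unrelated zlib stream, roughly as binwalk saw it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MC_RMxV02.rbf", b"\x00" * 4000 + b"FPGA bitstream stand-in")
        zf.writestr("rs_sz13.hft", b"font table stand-in " * 50)
    filler = bytes(range(256)) * 4           # contains no "PK\x03\x04"
    return filler + zlib.compress(b"unrelated zlib blob") + filler + buf.getvalue() + filler


if __name__ == "__main__":
    for off, name, data in carve_zip_entries(make_sample_dump()):
        status = f"{len(data)} bytes" if data is not None else "not recoverable"
        print(f"{off:08X}  {name:<20} {status}")
```

On the real dump, replace make_sample_dump() with the file contents and write each recovered entry out under its own name; entries that come back as None are the ones to look at with a hex editor, since binwalk's size fields may have come from a central directory that the carver deliberately does not trust.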
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: R&S RTM2000 has anybody hacked this scope?
« Reply #12 on: October 17, 2020, 04:26:36 pm »
AES-256 key for RTM2xxx and RTM1xxx .FWU packages:

2F4EC8AD07FFA87BAA7B5140BA91F7001B6C0B001945661C8F001B4113021409

Parsing of RTM210x_Firmware_V6000:
Code:
00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 00090AA0  [00000400-00090E9F]
00000006   Section 2 Size: 00CAA980  [00090EA0-00D3B81F]
0000000A  Section 1 CRC16: C8D1    CRC OK
0000000C  Section 2 CRC16: DBD1    CRC OK
0000000E             ????: 0x10250000
0000001E            Model: RTM2104
0000002E       FW Version: 06.000
0000003E     Release Date: 2016-06-21
0000004E             ????: 17118.16288
0000005E      Compilation: Build 33803 built on 2016-06-21 12:36:26 by MaG? [06.000 - HCL: 02.450 - MesOS: 03.750] with GCC 5.3.0
0000015E  (???) Hash Type: 2
00000198            Build: 33803
000001AA Section 1 SHA256: 9E68739356BEF372F3469D3D50D2F3A1    HASH OK
000001CA Section 2 SHA256: 6001B0F7E32F38D8D67EC98F217A81AD    HASH OK
000003FE     Header CRC16: B6C2    CRC OK
--------------------------------------------------------------------
00090EA0 **** SubSection 0x80 ****
00090EA1  SubSect Hdr Size: 0025
00090EA3   SubSection Size: 0000BFCF  [00090EC5-0009CE93]
00090EA7  SubSection CRC16: 4830    CRC OK
00090EBF     Contents Size: 0000BFCA  [00090EC8-0009CE91]
00090EC3 SubSect Hdr CRC16: C39A      [00090EA0-00090EC2]    CRC OK
00090EC8 BMP (1024x768 pixels - 8 bits / compr.: 1)   [00090EC8-0009CE91]
0009CE94 **** SubSection 0x11 ****
0009CE95  SubSect Hdr Size: 0025
0009CE97   SubSection Size: 00001203  [0009CEB9-0009E0BB]
0009CE9B  SubSection CRC16: 359D    CRC OK
0009CEB3     Contents Size: 00001200  [0009CEBC-0009E0BB]
0009CEB7 SubSect Hdr CRC16: 1F73      [0009CE94-0009CEB6]    CRC OK
0009CEBC Bootloader Programmer
0009E0BC **** SubSection 0x18 ****
0009E0BD  SubSect Hdr Size: 0025
0009E0BF   SubSection Size: 00C0B413  [0009E0E1-00CA94F3]
0009E0C3  SubSection CRC16: 5ACF    CRC OK
0009E0DB     Contents Size: 00C0B410  [0009E0E4-00CA94F3]
0009E0DF SubSect Hdr CRC16: BD91      [0009E0BC-0009E0DE]    CRC OK
0009E0E5     ELF File Size: 00C0B390  [0009E124-00CA94B3]
0009E0E9    ELF File CRC32: 61AAE214    CRC OK
0009E0ED     Creation Time: 21/06/2016 10:37:00
0009E124 Main Application .ELF
00CA94F4 **** SubSection 0x22 ****
00CA94F5  SubSect Hdr Size: 0025
00CA94F7   SubSection Size: 00087873  [00CA9519-00D30D8B]
00CA94FB  SubSection CRC16: 226B    CRC OK
00CA9513     Contents Size: 00087870  [00CA951C-00D30D8B]
00CA9517 SubSect Hdr CRC16: 68F1      [00CA94F4-00CA9516]    CRC OK
00CA951D     ZIP File Size: 000877F0  [00CA955C-00D30D4B]
00CA9521    ZIP File CRC32: 42E95A61    CRC OK
00CA9525     Creation Time: 21/06/2016 10:33:00
00CA955C Languages .ZIP file
00D30D8C **** SubSection 0x16 ****
00D30D8D  SubSect Hdr Size: 0070
00D30D8F   SubSection Size: 0000AA1C  [00D30DFC-00D3B817]
00D30D93  SubSection CRC16: 3CA6    CRC OK
00D30DAB     Contents Size: 0000A9BB  [00D30E5C-00D3B816]
00D30DFA SubSect Hdr CRC16: 8457      [00D30D8C-00D30DF9]    CRC OK
00D30E5C PLD .JAM Programming
« Last Edit: November 16, 2020, 06:44:05 pm by tv84 »
 
The following users thanked this post: skander36
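The listing above pins down enough of the .FWU container to parse it: a 0x400-byte header with two section sizes, CRC16s and SHA-256 digests at fixed offsets, and a section 2 made of type-tagged subsections, each with its own body CRC16 and header CRC16. The parser below is an added example, not tv84's tool and not R&S code. It works on a decrypted package image: the key is on the page but the cipher mode and IV are not, so decryption is left out. Assumptions not on the page: little-endian integers (the BF561 is little-endian), the CRC-16 variant (CRC-16/CCITT-FALSE is a placeholder; identify the real one against a known-good image before trusting CRC results), "Hash Type" read as one byte and "Build" as a u32, and the header CRC covering bytes 0..0x3FD. SHA-256 over each section is what the listing shows. build_image() constructs a synthetic image with the same layout so the script runs offline; its strings are stand-ins.

```python
"""Parse and verify the R&S .FWU container layout from tv84's listing (added example)."""
import hashlib
import struct

HDR_SIZE = 0x400   # header size seen at offset 0
SUB_HDR = 0x25     # subsection header size seen for types 0x80/0x11/0x18/0x22


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16. The polynomial/init are an ASSUMPTION (see lead-in)."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def _cstr(buf: bytes) -> str:
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_fwu(img: bytes) -> dict:
    """Return header fields plus CRC/SHA-256 check results for sections and subsections."""
    hdr_size, s1_size, s2_size, s1_crc, s2_crc = struct.unpack_from("<HIIHH", img, 0)
    if hdr_size != HDR_SIZE:
        raise ValueError(f"unexpected header size {hdr_size:#x}")
    s1 = img[hdr_size:hdr_size + s1_size]
    s2 = img[hdr_size + s1_size:hdr_size + s1_size + s2_size]
    info = {
        "model": _cstr(img[0x1E:0x2E]),
        "fw_version": _cstr(img[0x2E:0x3E]),
        "release_date": _cstr(img[0x3E:0x4E]),
        "compilation": _cstr(img[0x5E:0x15E]),
        "hash_type": img[0x15E],                                   # width assumed
        "build": struct.unpack_from("<I", img, 0x198)[0],          # width assumed
        "s1_crc_ok": crc16(s1) == s1_crc,
        "s2_crc_ok": crc16(s2) == s2_crc,
        "s1_sha_ok": hashlib.sha256(s1).digest() == img[0x1AA:0x1CA],
        "s2_sha_ok": hashlib.sha256(s2).digest() == img[0x1CA:0x1EA],
        "hdr_crc_ok": crc16(img[:0x3FE]) == struct.unpack_from("<H", img, 0x3FE)[0],
        "subsections": [],
    }
    # Section 2 is a chain of subsections: type, hdr size, body size, body CRC16,
    # contents size at +0x1F, header CRC16 in the last two header bytes.
    pos = 0
    while pos + SUB_HDR <= len(s2):
        stype = s2[pos]
        sub_hdr_size, body_size, body_crc = struct.unpack_from("<HIH", s2, pos + 1)
        contents_size = struct.unpack_from("<I", s2, pos + 0x1F)[0]
        hdr_crc = struct.unpack_from("<H", s2, pos + sub_hdr_size - 2)[0]
        body = s2[pos + sub_hdr_size:pos + sub_hdr_size + body_size]
        info["subsections"].append({
            "type": stype,
            "body_size": body_size,
            "contents_size": contents_size,
            "body_crc_ok": crc16(body) == body_crc,
            "hdr_crc_ok": crc16(s2[pos:pos + sub_hdr_size - 2]) == hdr_crc,
        })
        pos += sub_hdr_size + body_size
    return info


def build_subsection(stype: int, contents: bytes) -> bytes:
    """Mirror of what parse_fwu() reads; unknown bytes are left zero.

    The listing shows contents starting 3 bytes into the body and ending 2
    bytes before it, so the body is padded the same way here.
    """
    body = b"\0\0\0" + contents + b"\0\0"
    hdr = bytearray(SUB_HDR)
    hdr[0] = stype
    struct.pack_into("<HIH", hdr, 1, SUB_HDR, len(body), crc16(body))
    struct.pack_into("<I", hdr, 0x1F, len(contents))
    struct.pack_into("<H", hdr, SUB_HDR - 2, crc16(bytes(hdr[:SUB_HDR - 2])))
    return bytes(hdr) + body


def build_image(section1: bytes, subsections) -> bytes:
    """Constructed image with the listing's header layout (all strings are stand-ins)."""
    s2 = b"".join(build_subsection(t, c) for t, c in subsections)
    hdr = bytearray(HDR_SIZE)
    struct.pack_into("<HIIHH", hdr, 0, HDR_SIZE, len(section1), len(s2),
                     crc16(section1), crc16(s2))
    hdr[0x1E:0x1E + 7] = b"RTM2104"
    hdr[0x2E:0x2E + 6] = b"06.000"
    hdr[0x3E:0x3E + 10] = b"2016-06-21"
    hdr[0x5E:0x5E + 11] = b"Build 33803"
    hdr[0x15E] = 2
    struct.pack_into("<I", hdr, 0x198, 33803)
    hdr[0x1AA:0x1CA] = hashlib.sha256(section1).digest()
    hdr[0x1CA:0x1EA] = hashlib.sha256(s2).digest()
    struct.pack_into("<H", hdr, 0x3FE, crc16(bytes(hdr[:0x3FE])))
    return bytes(hdr) + section1 + s2


if __name__ == "__main__":
    image = build_image(b"bootloader stand-in" * 100,
                        [(0x11, b"programmer stand-in"), (0x18, b"\x7fELF stand-in")])
    for k, v in parse_fwu(image).items():
        print(f"{k:>14}: {v}")
```

The point of carrying both SHA-256 and CRC16 checks is that they answer different questions on a real image: a SHA-256 match tells you the decryption and the section boundaries are right, while a CRC mismatch with good hashes means only the CRC variant guess is wrong. Note that nothing in the listing is a signature; a digest in the header only detects corruption, so a package whose header is rebuilt after editing would pass these checks.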

