| Siglent .ads firmware file format |
| markus_jlrb:
Philip,
In Linux and in a sh, bash shell enter the cmds below.

    echo '*IDN?' > /dev/usbtmc0

or other SCPI commands in one window and

    while true
    do
        cat /dev/usbtmc0
        sleep 1
    done

in a second window. While the scope is connected via USB and not LAN. USBTMC must be enabled in the utility menu under IO selection.
Good luck with your investigation
Markus |
| janekivi:
https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series
This was a long time ago, but not in the table yet
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1364981/#msg1364981 |
| tv84:
--- Quote from: janekivi on July 28, 2018, 10:21:24 pm ---
https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series
This was a long time ago, but not in the table yet
--- End quote ---

Hi janekivi,
Now it's in the table but, since it's the first without the minimum size for 2nd 3DES block decryption, there is a little detail that I haven't solved - Section Checksum. According to that section the correct checksum should be 0xFEE2D1B1.

--- Code: ---
File Header Size: 00000070
00000000 - File Checksum: FE691817 [00000004-0002FB6F] (with only the File Header decrypted) CKSM OK
00000004 - File Size: 0002FB00 (without 0x70 bytes of the File Header)
0000000C - Product_ID: 600
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x00017D80 until 0x0002FAFF
****************************************************
00000000 --- Section Checksum: FEE2D1B1
00000004 --- Section Size: 0002FACC [00000034-0002FAFF] CKSM OK
00000008 --- Section # 00000007
00000034 --- 0002FAFF
***** STM32 32-bit ARM Cortex file *****
00000034 - Vector Table: (Little Endian - Flash(ROM): 0x08000000 - SRAM: 0x20000000)
00000034 --- Initial SP value: 200193F0
00000038 --- Reset: 0802039D (Thumb 16/32 bits)
0000003C --- NMI: 080203C1 (Thumb 16/32 bits)
00000040 --- Hard fault: 080203C3 (Thumb 16/32 bits)
00000044 --- Memory management fault: 080203C5 (Thumb 16/32 bits)
00000048 --- Bus fault: 080203C7 (Thumb 16/32 bits)
0000004C --- Usage fault: 080203C9 (Thumb 16/32 bits)
00000050 --- Rsvd1: 00000000
00000054 --- Rsvd2: 00000000
00000058 --- Rsvd3: 00000000
0000005C --- Rsvd4: 00000000
00000060 --- SVCall: 080201B9 (Thumb 16/32 bits)
00000064 --- Rsvd for Debug: 080203CD (Thumb 16/32 bits)
00000068 --- Rsvd5: 00000000
0000006C --- PendSV: 080201E9 (Thumb 16/32 bits)
00000070 --- Systick: 080203D1 (Thumb 16/32 bits)
00000074 --- IRQ0 to IRQ80 [00000074-000001B7]
****************************************************
File Processed OK
--- End code ---

Edit1: SOLVED the decryption of the partial 3DES block.
So, in order to verify the 2nd DES block decryption we must consider that the last block was padded with all 0x00s (to complete an 8-byte block), before 3DES encryption. |
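A sanity check for a decrypted section like the one in the dump above, as an added example that is not part of the thread and not tv84's tool: it parses the Cortex-M vector table at section offset 0x34 and flags entries that cannot be valid, which quickly separates a correct decryption from garbage. The flash and SRAM sizes, the function names and the IRQ handler value in the sample are assumptions.

```python
import struct

# Entry names follow the dump above; the first 16 words are the system vectors.
SYSTEM_VECTORS = [
    "Initial SP", "Reset", "NMI", "Hard fault", "Memory management fault",
    "Bus fault", "Usage fault", "Rsvd1", "Rsvd2", "Rsvd3", "Rsvd4",
    "SVCall", "Rsvd for Debug", "Rsvd5", "PendSV", "Systick",
]
TABLE_OFFSET = 0x34                               # section offset from the dump
FLASH_BASE, SRAM_BASE = 0x08000000, 0x20000000    # bases from the dump
FLASH_SIZE, SRAM_SIZE = 0x100000, 0x20000         # assumed part sizes (hypothetical)


def parse_vector_table(section, offset=TABLE_OFFSET, irq_count=81):
    """Return (entries, problems) for a little-endian Cortex-M vector table."""
    count = len(SYSTEM_VECTORS) + irq_count
    if len(section) < offset + 4 * count:
        raise ValueError("section too short for the vector table")
    words = struct.unpack_from("<%dI" % count, section, offset)
    names = SYSTEM_VECTORS + ["IRQ%d" % i for i in range(irq_count)]
    entries = dict(zip(names, words))
    problems = []
    sp = entries["Initial SP"]
    if not (SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE) or sp % 4:
        problems.append("Initial SP 0x%08X is not a word-aligned SRAM address" % sp)
    for name, value in list(entries.items())[1:]:
        if value == 0:
            continue                      # reserved or unused slot
        if not value & 1:
            problems.append("%s 0x%08X lacks the Thumb bit" % (name, value))
        elif not (FLASH_BASE <= value < FLASH_BASE + FLASH_SIZE):
            problems.append("%s 0x%08X is outside flash" % (name, value))
    return entries, problems


def build_sample():
    """Constructed section: 0x34 filler bytes, then the 16 values from the dump."""
    system = [0x200193F0, 0x0802039D, 0x080203C1, 0x080203C3, 0x080203C5,
              0x080203C7, 0x080203C9, 0, 0, 0, 0,
              0x080201B9, 0x080203CD, 0, 0x080201E9, 0x080203D1]
    irqs = [0x080203D5] * 81              # constructed placeholder handlers
    return bytes(TABLE_OFFSET) + struct.pack("<97I", *(system + irqs))


if __name__ == "__main__":
    table, issues = parse_vector_table(build_sample())
    print("Reset handler: 0x%08X" % table["Reset"], "| problems:", issues)
```

With 16 system vectors and 81 IRQ slots the table ends at section offset 0x1B7, matching the IRQ0 to IRQ80 range in the dump.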
| gperoni:
I'm trying to hack my SDG6000X, here is my understanding of what I have to do by giving this thread a fast read:
1) Download a firmware upgrade from Siglent
2) Use tv84's post on the SDG6000X thread to understand where the filesystem begins in the ADS file downloaded
3) I assume the filesystem is encrypted? If so decrypt it (silly xor patterns or something), once decrypted mount the filesystem and change the shadows file.
4) Change the checksum, I wouldn't know where to find it or the crc32 init, etc.
5) Re-make the filesystem, encrypt it, put it back in place, use the resulting ADS for a firmware upgrade and get root access
6) ??? - Will figure something out.
7) Profit.
What are the tools I should use in the process? I saw a couple of scripts and programs but they don't seem to be complete, should I write my own? |
| janekivi:
You must get something like this at the end
SDG6000X_eevblog_29R10.zip
I do it by hand, use notepad and hexedit and have too many steps in multiple laptops... this is a messy process... |