Siglent .ads firmware file format
markus_jlrb:
Philip,

In Linux, in an sh or bash shell, enter the commands below.

echo '*IDN?' > /dev/usbtmc0

or other SCPI commands

in one window

and

while true
do
cat /dev/usbtmc0
sleep 1
done

in a second window.

While the scope is connected via USB and not LAN.

USBTMC must be enabled in the utility menu under IO selection.

Good luck with your investigation
Markus
janekivi:
https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series

This was a long time ago, but not in the table yet
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1364981/#msg1364981
tv84:

--- Quote from: janekivi on July 28, 2018, 10:21:24 pm ---
https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series

This was a long time ago, but not in the table yet

--- End quote ---

Hi janekivi,

Now it's in the table but, since it's the first without the minimum size for 2nd 3DES block decryption, there is a little detail that I haven't solved - Section Checksum.

According to that section the correct checksum should be 0xFEE2D1B1.


--- Code: ---
File Header Size: 00000070
00000000 - File Checksum: FE691817 [00000004-0002FB6F] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 0002FB00 (without 0x70 bytes of the File Header)
0000000C - Product_ID: 600
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x00017D80 until 0x0002FAFF
****************************************************
00000000 --- Section Checksum: FEE2D1B1
00000004 --- Section Size: 0002FACC [00000034-0002FAFF]  CKSM OK
00000008 --- Section # 00000007
00000034 --- 0002FAFF  ***** STM32 32-bit ARM Cortex file *****
00000034 - Vector Table:        (Little Endian - Flash(ROM): 0x08000000 - SRAM: 0x20000000)
00000034 ---        Initial SP value: 200193F0
00000038 ---                   Reset: 0802039D  (Thumb 16/32 bits)
0000003C ---                     NMI: 080203C1  (Thumb 16/32 bits)
00000040 ---              Hard fault: 080203C3  (Thumb 16/32 bits)
00000044 --- Memory management fault: 080203C5  (Thumb 16/32 bits)
00000048 ---               Bus fault: 080203C7  (Thumb 16/32 bits)
0000004C ---             Usage fault: 080203C9  (Thumb 16/32 bits)
00000050 ---                   Rsvd1: 00000000
00000054 ---                   Rsvd2: 00000000
00000058 ---                   Rsvd3: 00000000
0000005C ---                   Rsvd4: 00000000
00000060 ---                  SVCall: 080201B9  (Thumb 16/32 bits)
00000064 ---          Rsvd for Debug: 080203CD  (Thumb 16/32 bits)
00000068 ---                   Rsvd5: 00000000
0000006C ---                  PendSV: 080201E9  (Thumb 16/32 bits)
00000070 ---                 Systick: 080203D1  (Thumb 16/32 bits)
00000074 --- IRQ0 to IRQ80  [00000074-000001B7]
****************************************************
  File Processed OK

--- End code ---

Edit1: SOLVED the decryption of the partial 3DES block. So, in order to verify the 2nd DES block decryption, we must consider that the last block was padded with all 0x00s (to complete an 8-byte block) before 3DES encryption.
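
A plausibility check for a decoded section like the one in the dump above, as an added example that is not part of the original thread or of tv84's tool: it reads the 16 system entries at offset 0x34 and tests them against the flash and SRAM bases the dump notes. The 1 MiB window, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

FLASH_BASE, SRAM_BASE = 0x08000000, 0x20000000  # bases noted in the dump
WINDOW = 0x00100000  # assumption: 1 MiB plausibility window for each region
TABLE_OFFSET = 0x34  # the dump places the vector table at section offset 0x34
NAMES = ["Initial SP", "Reset", "NMI", "Hard fault", "Memory management fault",
         "Bus fault", "Usage fault", "Rsvd1", "Rsvd2", "Rsvd3", "Rsvd4",
         "SVCall", "Rsvd for Debug", "Rsvd5", "PendSV", "Systick"]

def parse_vector_table(section, offset=TABLE_OFFSET):
    """Return {name: 32-bit little-endian word} for the 16 system entries."""
    end = offset + 4 * len(NAMES)
    if len(section) < end:
        raise ValueError("section too short for a vector table")
    words = struct.unpack_from("<%dI" % len(NAMES), section, offset)
    return dict(zip(NAMES, words))

def check_vector_table(table):
    """Return a list of reasons the table does not look like Cortex-M code."""
    problems = []
    sp = table["Initial SP"]
    if not (SRAM_BASE < sp <= SRAM_BASE + WINDOW) or sp % 4:
        problems.append("Initial SP %08X not an aligned SRAM address" % sp)
    if table["Reset"] == 0:
        problems.append("Reset vector is empty")
    for name, addr in table.items():
        if name == "Initial SP" or addr == 0:   # zero = unused/reserved slot
            continue
        if not addr & 1:
            problems.append("%s %08X lacks the Thumb bit" % (name, addr))
        elif not (FLASH_BASE <= addr < FLASH_BASE + WINDOW):
            problems.append("%s %08X is outside flash" % (name, addr))
    return problems

# Constructed sample: a zero-filled 0x34-byte header followed by the 16 words
# printed in the dump above (header contents are placeholders, not real data).
DUMP_WORDS = [0x200193F0, 0x0802039D, 0x080203C1, 0x080203C3, 0x080203C5,
              0x080203C7, 0x080203C9, 0, 0, 0, 0,
              0x080201B9, 0x080203CD, 0, 0x080201E9, 0x080203D1]
SAMPLE = bytes(TABLE_OFFSET) + struct.pack("<16I", *DUMP_WORDS)
# Same bytes XORed with 0xFF, standing in for a decode step that was skipped
# or misapplied (constructed), to show the check failing.
UNDECODED = bytes(b ^ 0xFF for b in SAMPLE)

if __name__ == "__main__":
    for label, blob in (("decoded", SAMPLE), ("undecoded", UNDECODED)):
        issues = check_vector_table(parse_vector_table(blob))
        print(label, "OK" if not issues else issues)
```
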
gperoni:
I'm trying to hack my SDG6000X, here is my understanding of what I have to do by giving this thread a fast read:

1) Download a firmware upgrade from Siglent
2) Use tv84's post on the SDG6000X thread to understand where the filesystem begins in the ADS file downloaded
3) I assume the filesystem is encrypted? If so decrypt it (silly xor patterns or something), once decrypted mount the filesystem and change the shadows file.
4) Change the checksum, I wouldn't know where to find it or the crc32 init, etc.
5) Re-make the filesystem, encrypt it, put it back in place, use the resulting ADS for a firmware upgrade and get root access
6) ??? - Will figure something out.
7) Profit.

What are the tools I should use in the process? I saw a couple of scripts and programs but they don't seem to be complete, should I write my own?
janekivi:
You must get something like this at the end
SDG6000X_eevblog_29R10.zip
I do it by hand, use notepad and hexedit and have too many steps on multiple laptops...
this is a messy process...