Siglent .ads firmware file format
darrylp:
Oh please tell more on the SDG1000 series.  Clues as to your work method would be interesting and educational.

--
 Darryl

janekivi:
Let's take a look at SDG1000-V100R001B01D01P31.ADS, for example:

Like most of the firmwares, they are turned around. So the first step is to turn the file around (or look at it backwards).
The next step is to XOR FF it at pattern bytes 0, 1, 3, 6, A, F and so on - space increasing by 1. But this isn't all:
next, XOR FF it from the center -> the file has a 72-byte header (now at the end) -> (file length - 72)/2
For now we can investigate something, but this isn't all. There are 2 crypted parts: 5120 bytes and 10239 (27FF)
bytes at the end + there are 72 bytes of something... The file is turned over before the crypt, so they are actually calculated
from the file beginning (I believe ...). So the second crypt is from 2E777 after the header.
Let's forget this part for now.

The file (now) begins with:

E8 E6 01 FF 94 32 05 00 01 00 00 00 19 EE 01 FF     ----  05 32 94 is promising and next 05 32 7C too
7C 32 05 00 66 70 67 61 20 64 61 74 61 00 12 00     ----  ____FPGA DATA___
8F 04 D4 77 FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF AA 99 55 66 30 A1 00 07 20 00 31 A1

It turns out that 05 32 94 is the data from the beginning of the first file header to the beginning of the second file header, and
05 32 7C is from the end of the FPGA data file header, and this is the file length. So the first file header begins
with 19 EE 01 FF... and the file data starts with FF FF FF...
The first file ends:

30 A1 00 0D 20 00 20 00 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00   <---- here is the end of first file
E1 ED 9E FA C6 FA 0A 00 02 00 00 00 40 00 00 00   ---- from E1 ED... is starting second file header
80 00 FF 00 04 00 00 00 00 00 00 00 12 00 00 00

There is 0A FA C6... this is promising. This is the second file's data length. So the data begins with
40 00 00 00 80 00 FF 00... then it ends in the right place and the rest is 72 bytes.
But, now, the two regions in the second file are crypted.

They have the same crypt and key and patterns in other firmware files too, and if you show me
this crypt procedure I can show you more... With the same procedure I am opening all the other
firmware files here, with Notepad or this file viewer-compare and calculator. Actually I use hexedit too.

janekivi:
We can continue with some analysis because I have to have an EEPROM dump.
The second file is like a "self-extracting archive"? From address CFE4 the visual picture of the data
changes rapidly, and 78 9C EC 7D is the zlib compression magic number. From here to the end is
an archive and can be unpacked. The unpacked file is readable and contains all kinds of stuff. There
are all the same DES constants and HTML and text...
So this is the executable, how to disassemble this
PartialDischarge:
Hi janekivi,
What tools do you use to make the XORs, turn files around, etc...
or do you just do it with self-programmed code?
janekivi:
I have Python and I google around to find procedures I need and then hack something together like:


--- Code: ---
# XOR 0xFF at offsets 0, 1, 3, 6, 10, 15, ... (the gap grows by 1 each step)
in_name = 'rev_P31.ADS'
out_name = 'Xor_2_' + in_name
with open(in_name, 'rb') as f:
    b = bytearray(f.read())
a = 0
j = 0
i = len(b)
while j < i:
    b[j] ^= 0xFF
    j = j + a + 1
    a = a + 1
with open(out_name, 'wb') as f:
    f.write(b)
print(' * XOR with increasing pattern done * ')

--- End code ---
And then I can change the variables there and change the starting addresses:


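--- Code: ---
# Replaces the loop above: XOR 0xFF over every byte from (file length - 72)/2 to the end
i = len(b)
j = len(b) // 2 - 36   # integer division, so the index stays an int on Python 3
while j < i:
    b[j] ^= 0xFF
    j = j + 1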

--- End code ---

And a reverse example:

--- Code: ---
src_file_path = 'P31.ADS'
reversed_path = 'rev_' + src_file_path   # renamed so the builtin reversed() is not shadowed

# Read the whole file and write it back with the byte order reversed
with open(src_file_path, 'rb') as src_file:
    byte_list = src_file.read()
with open(reversed_path, 'wb') as outfile:
    outfile.write(byte_list[::-1])

--- End code ---

I modify them a lot and there are unneeded parts and different rows sometimes...
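
The steps described in this thread (reverse the file, XOR FF at offsets 0, 1, 3, 6, A, F..., XOR FF from (file length - 72)/2 to the end, then look for the 78 9C zlib magic) combined into one in-memory Python sketch. This is an added example, not code from any poster: the function names are hypothetical, it runs on a constructed buffer rather than a real .ADS file, and the two crypted regions mentioned earlier are not handled.

```python
import zlib
HEADER_LEN = 72  # header size given in the thread

def triangular_offsets(n):
    """Yield 0, 1, 3, 6, 10, 15, ... below n (the gap grows by 1 each step)."""
    pos, gap = 0, 1
    while pos < n:
        yield pos
        pos, gap = pos + gap, gap + 1

def xor_passes(buf):
    """Apply both XOR 0xFF passes in place; each pass is its own inverse."""
    for pos in triangular_offsets(len(buf)):
        buf[pos] ^= 0xFF
    start = max((len(buf) - HEADER_LEN) // 2, 0)  # "(file length - 72)/2"
    for pos in range(start, len(buf)):
        buf[pos] ^= 0xFF

def decode(raw):
    """Reverse the file, then undo the two XOR passes."""
    buf = bytearray(raw[::-1])
    xor_passes(buf)
    return bytes(buf)

def encode(plain):
    """Inverse of decode(); only used to build the constructed test image."""
    buf = bytearray(plain)
    xor_passes(buf)
    return bytes(buf[::-1])

def carve_zlib(data, magic=b"\x78\x9c"):
    """Return (offset, unpacked) for each magic hit that inflates to a complete stream."""
    found = []
    pos = data.find(magic)
    while pos != -1:
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[pos:])
            if d.eof:  # stream ended cleanly; trailing bytes are ignored
                found.append((pos, out))
        except zlib.error:
            pass  # the two magic bytes occurred by chance
        pos = data.find(magic, pos + 1)
    return found

def demo():
    # Constructed sample: 64 filler bytes + zlib stream + 72-byte dummy header
    body = b"constructed sample payload " * 8
    plain = b"\x00" * 64 + zlib.compress(body) + b"H" * HEADER_LEN
    decoded = decode(encode(plain))
    return decoded == plain, carve_zlib(decoded)[0] == (64, body)
```

Because both XOR passes only flip bits at fixed positions, their order does not matter and running them twice restores the input, which is why `encode()` can reuse `xor_passes()`.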