Author Topic: Siglent .ads firmware file format  (Read 38871 times)


Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Siglent .ads firmware file format
« Reply #25 on: July 16, 2016, 10:51:12 pm »
Sorry, I posted the unpack script a few minutes ago and I've deleted it. I have figured out the ADS file format shared by the SDG2000X, SSA3000X etc.

There are some other reasons I have not released the code:
1) the "upgrade" mechanism for the SDG2042X to 120MHz is still working.
2) if Siglent fixes the bug, a license can be generated to keep the 120MHz ability. I have made a license generator.
3) if the telnet/ssh connection is blocked someday and a whitelist is embedded, an unofficial ADS file can be made to unblock it.
4) I am a little bit worried about the consequences.
5) I expect that Siglent keeps using this format in the future.

So, if you are the owner of an SDG2042X, do not be worried about losing the 120MHz.
If you want to do some research on the options of something like the SSA3000X, I can send the ELF file to you.



For the 3DES, they implemented it the wrong way; here is the algorithm they use.
« Last Edit: July 16, 2016, 10:58:49 pm by analogNewbie »
 
The following users thanked this post: flynnjs, tv84, janekivi, Safar

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #26 on: July 17, 2016, 01:21:23 am »
This is working fine.
As you may know, I handled the encrypted files with Notepad and a calculator, not knowing anything
about encryption or cryptography or the key :) But knowing something is always more productive.
I still do not know much...
 

Offline flynnjs

  • Contributor
  • Posts: 24
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #27 on: July 17, 2016, 02:08:32 am »
> For the 3DES, they implemented the wrong way,

Thanks for that, it would have taken me quite a while to pick through that.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #28 on: July 17, 2016, 11:50:45 pm »
I had an idea to change the shadow file contents and the CRC in both places.
All the info was outside the encrypted area too. But what is in the header before
every file inside the update? SDG2000X P21R2.ADS has only one zip inside.
But if you have SDM3055 transition.ads there are many files.

12 1E B1 8F   59 C5 DA 00   07 00 00 00   00 00 00 00
00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
00 00 00 00   50 4B 03 04   0A 00 00 00   00 00 42 A0

The zip file starts with 50 4B 03 04 and its length is DA C5 59.
07 may be the zip file type; u-boot has 01 there, ELF has 03...
The first 4 bytes must be related to the following file somehow.
I'm staring at this ads reading script in IDA but...
The main 112 byte header is even crazier.
 

Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Siglent .ads firmware file format
« Reply #29 on: July 19, 2016, 11:37:38 am »
8fb11e12 is the checksum of the current section, 00dac559 is the length, 07 is the section type.

If you just need to unpack the package, the first 112 bytes are not needed.

There is a byte exchange process after the decryption. The algorithm is not complex, but it cannot be done by comparing different files. You need to play with IDA.

good luck
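
The section layout described in the two posts above (per-file header of checksum, length and type, zip data at offset 0x34 of the posted dump, a 112-byte main header that unpacking can skip) as an added, runnable walker. This is not the thread's own unpack script or any Siglent tool: the 52-byte header size and the back-to-back placement of sections are assumptions read off the posted dump, the checksum algorithm is not described in the thread so it is only recorded, and the type-to-format mapping (07 zip, 01 u-boot, 03 ELF) is treated as a guess that is cross-checked against the payload's magic bytes. `build_sample_blob()` constructs a test image; it is not a real firmware file.

```python
"""Section walker for a decrypted Siglent .ads payload (added example; not the
thread's own script).

Layout assumed from the hex dump in the thread, for the SDG2000X/SDM3055-style
images: after a 112-byte main header (contents not described, skipped here),
each embedded file is preceded by a header of
    u32 LE checksum   (algorithm not described in the thread; recorded, not verified)
    u32 LE length     (payload bytes that follow the header)
    u32 LE type       (07 seen for a zip; 01 / 03 reported for u-boot / ELF)
    zero padding      up to 52 bytes, where 'PK\\x03\\x04' appeared in the dump
Sections are assumed to be laid out back to back. The SDG800/SDG1000 images in
the thread use a different layout, so carve_magics() is the fallback for those.
"""
import io
import struct
import zipfile

MAIN_HEADER_LEN = 112       # "the 1st 112 bytes is not needed" for unpacking
SECTION_HEADER_LEN = 52     # assumption: bytes before the PK magic in the posted dump
TYPE_GUESSES = {1: "u-boot", 3: "elf", 7: "zip"}   # guesses from the thread, labels only
MAGICS = {b"PK\x03\x04": "zip", b"\x1f\x8b\x08": "gzip", b"\x7fELF": "elf"}


def sniff(payload):
    """Name the payload by its leading magic bytes, independent of the type field."""
    for magic, name in MAGICS.items():
        if payload.startswith(magic):
            return name
    return "unknown"


def parse_section_header(buf, off):
    """Decode one 52-byte section header at `off`; reject non-zero padding."""
    if off + SECTION_HEADER_LEN > len(buf):
        raise ValueError("truncated section header at 0x%x" % off)
    checksum, length, stype = struct.unpack_from("<III", buf, off)
    if any(buf[off + 12:off + SECTION_HEADER_LEN]):
        raise ValueError("unexpected non-zero padding at 0x%x" % off)
    return {"offset": off, "checksum": checksum, "length": length,
            "type": stype, "type_guess": TYPE_GUESSES.get(stype, "?")}


def walk_sections(blob, skip=MAIN_HEADER_LEN):
    """Return [(header, payload), ...]; cross-check the type field against the magic."""
    sections = []
    off = skip
    while off < len(blob):
        hdr = parse_section_header(blob, off)
        start = off + SECTION_HEADER_LEN
        end = start + hdr["length"]
        if end > len(blob):
            raise ValueError("section at 0x%x runs past end of file" % off)
        payload = blob[start:end]
        hdr["magic"] = sniff(payload)
        # a type/magic mismatch is the first sign the layout guess is wrong for this image
        hdr["consistent"] = hdr["type_guess"] in ("?", hdr["magic"])
        sections.append((hdr, payload))
        off = end
    return sections


def carve_magics(blob):
    """Fallback: (offset, kind) of every known magic, for images with another header layout."""
    hits = []
    for magic, name in MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def build_sample_blob():
    """Constructed test image: dummy main header + a zip section + a stub ELF section."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("etc/shadow", "root:*:17000:0:99999:7:::\n")
    zip_payload = bio.getvalue()
    elf_payload = b"\x7fELF" + b"\0" * 12              # stub, only the magic matters here

    def section(checksum, stype, payload):
        head = struct.pack("<III", checksum, len(payload), stype)
        return head.ljust(SECTION_HEADER_LEN, b"\0") + payload

    # 0x8fb11e12 is the checksum value from the posted dump, reused as an opaque number
    return (b"\0" * MAIN_HEADER_LEN
            + section(0x8FB11E12, 7, zip_payload)
            + section(0x00000000, 3, elf_payload))


if __name__ == "__main__":
    for hdr, payload in walk_sections(build_sample_blob()):
        print("0x%06x type=%d (%s) len=%d magic=%s ok=%s" % (
            hdr["offset"], hdr["type"], hdr["type_guess"],
            hdr["length"], hdr["magic"], hdr["consistent"]))
```

Run it against a real decrypted image by replacing `build_sample_blob()` with the file contents; if `walk_sections` raises on padding or runs past the end, the image does not use this layout and `carve_magics` will still give you the zip/gzip/ELF offsets to cut at.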

 

Offline dav

  • Regular Contributor
  • *
  • Posts: 111
  • Country: it
Re: Siglent .ads firmware file format
« Reply #30 on: July 21, 2016, 05:06:14 pm »

> 2) if Siglent fixes the bug, a license can be generated to keep the 120MHz ability. I have made a license generator.

What do you think about sharing the license generator?
 

Offline new299

  • Regular Contributor
  • *
  • Posts: 100
Re: Siglent .ads firmware file format
« Reply #31 on: August 05, 2016, 01:04:01 am »
Hi guys,

Do you think you might be able to help me extract u-boot (including the SPL) from the firmware images? It seems to be present in SDG_transitional.ads.

I've been trying to unpack the ads files myself. I can see the first header (the so-called 112-byte header above) and it's about the right size (130k) for the u-boot SPL. However, what follows doesn't look like any kind of binary (very low complexity).

Could you tell me how the firmware files are organised? Are there a bunch of headers at the start of the ADS? Or are all the different parts of the ads prefixed with a header?

Failing that, if you'd be willing to send me an extracted u-boot for an SDG800 I'd be most grateful.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #32 on: August 05, 2016, 01:59:58 am »
I'm looking in different firmware files. Many of them have u-boot.
Here is one from SDG800 V100R008B01D01P12R2.ADS.
But SDG800_transition.ADS has 3-4 files in it and I don't know
their names. Best bet is this: http://wikisend.com/download/483710/from_transition.zip
The file start is promising, and from 00 00 4B 30 a GZIP starts
(header 1F 8B 00) and you can unpack it to get more
files. One of them I recognize as a logo...
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #33 on: August 05, 2016, 02:43:50 am »
...or this is the app file with all the stuff inside. I don't know much about Linux.
Inside was this image:
« Last Edit: August 05, 2016, 03:21:56 am by janekivi »
 

Offline new299

  • Regular Contributor
  • *
  • Posts: 100
Re: Siglent .ads firmware file format
« Reply #34 on: August 05, 2016, 05:08:27 pm »
> ...or this is the app file with all the stuff inside. I don't know much about Linux.
> Inside was this image:

Thank you so, so much for your help! Using the files you posted I was able to recover my Siglent to u-boot. I think it should be relatively easy to get the system booting to Linux now. I wrote up my notes here:

http://41j.com/blog/2016/08/sdg800-recovering-from-a-hosed-u-boot/
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #35 on: August 06, 2016, 07:09:05 am »
After some needed help and more Notepad and head scratching, my SDG2000X-P21R2
user is root and the password is... you guess...
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #36 on: August 06, 2016, 07:58:56 am »
If you take SDG2000X-P21R2.rar and let bspatch apply the difference to it like:
bspatch.exe SDG2000_V200R001B01D01P21R2.ADS NewFirmware.ADS difference
then the SDG2042X accepts NewFirmware.ADS and the new password: 7 chars, lowercase,
starting with ee, everybody here knows it...
http://www.daemonology.net/bsdiff/
 
The following users thanked this post: Hagrid, Safar

Offline new299

  • Regular Contributor
  • *
  • Posts: 100
Re: Siglent .ads firmware file format
« Reply #37 on: August 06, 2016, 12:37:33 pm »
> If you take SDG2000X-P21R2.rar and let bspatch apply the difference to it like:
> bspatch.exe SDG2000_V200R001B01D01P21R2.ADS NewFirmware.ADS difference
> then the SDG2042X accepts NewFirmware.ADS and the new password: 7 chars, lowercase,
> starting with ee, everybody here knows it...
> http://www.daemonology.net/bsdiff/

Neat! I wonder if the same trick can be used on the SDG800.

I tried editing the flash dumps directly but I think I screwed up the UBI filesystem. I'm planning to try properly mounting the FS and changing /etc/shadow, but on my last attempt it didn't mount cleanly (not sure why, some kind of header). I might try doing it on the device using the sdg800_transitional.ads rootfs (which exposes a bash prompt) to mount the other FS.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #38 on: August 06, 2016, 05:39:07 pm »
I can try this but you must test it :)
I don't have many instruments here...

It would be as easy as the SDG1042X if I somehow get 271 bytes of packed shadow file data to replace in the zip.
So you come up with any kind of password hash and pack a new shadow file, and if the packed size is 271 bytes,
send the zip to me...
I was using the same salt for the SDG2042X but it doesn't matter now.
https://quickhash.com/crypt3-md5-online

This part is cut from P12R2 where the new data is needed (bytes 40 - 14E).

There is a cool hex editor, 010 Editor, where you can use templates to analyze all kinds of files
and it decodes all the fields for you, calculates checksums and does more other stuff...
« Last Edit: August 06, 2016, 08:11:03 pm by janekivi »
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #39 on: October 16, 2016, 06:46:59 am »
There was a bit of silence here... but now I can possibly make new ZIP files for the firmware and replace
files in it. And passwords too. Supported are those firmware files that have that same
format. For the SDG800 the boot logo can possibly be replaced.
But for now I can only confirm working files with the SDG2048X and some hacks with the SDG1025.
Nobody else has reported anything back...
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #40 on: October 17, 2016, 07:40:06 pm »
I've struggled to get the file (for the SDG1020 I have) fully decrypted to allow study of the bandwidth unlock feature.

--
 Darryl

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #41 on: October 18, 2016, 01:58:04 am »
I can give you something newer too, but on the first page here I talk about
SDG1000-V100R001B01D01P31.ADS and there are files too.
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #42 on: October 18, 2016, 02:30:39 am »
Yes, I've started with them, but it's version 36 or 37 that has a menu option for bandwidth upgrade via a key number.

--
 Darryl

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #43 on: October 18, 2016, 03:12:56 am »
Ok. Let's see what's inside 37R3.
In the firmware there are 2 files. From the header you see 00 00 00 00 padding and then the CRC, length, file type (fpga data).
The FPGA DATA CRC is next, then the length, and the file starts. The length points us to the next file start at 00 05 3A 2C.
There you find the CRC, the part length 00 0A C9 30, and this is the firmware end too. The next 00 00 00 02 is the part type I think,
and the app starts from 00 05 32 B8 with 40 00 00 00 80 00 FF 00 ... ...
They are exactly the same in the flash chip too. No more magic. But the same thing is there with the packed part from
00 00 CF E4.

decrypted 37R3
 
The following users thanked this post: skench

Offline hafrse

  • Contributor
  • Posts: 39
Re: Siglent .ads firmware file format
« Reply #44 on: October 21, 2016, 07:15:23 am »
> After watching a nice video, I decided to open up my generator.
>
> No rust in there ;D
>
> The serial port is easily accessible, and the command prompt is also there. After connecting, the normal "upgrade" can still be done.
>
> br,
> mike

Great information! I just want to know how to convert that to USB or an old RS232-to-USB adapter. Thanks
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #45 on: October 22, 2016, 02:15:56 am »
If you want telnet, read 7-8 posts upwards where I have the 21R2 password hack.
I can do them for other instruments too.

Ok, link if you can't patch it: SDG2000_eevblog_P21R2.ADS
« Last Edit: October 22, 2016, 02:27:59 am by janekivi »
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #46 on: October 27, 2016, 07:57:55 am »
One day there was nothing to do and I learned C#. I wanted to click everything with the mouse.
I click on Python files too, but for that I need the input and output filenames in there every time.
This wasn't fun.
So I converted all the scripts from this thread to C# and got a very hyper super mega flexible
powerful great utility. With all that functionality, the look isn't forgotten either.
But is it useful...
 

Offline hafrse

  • Contributor
  • Posts: 39
Re: Siglent .ads firmware file format
« Reply #47 on: October 28, 2016, 02:21:43 am »
> If you want telnet, read 7-8 posts upwards where I have the 21R2 password hack.
> I can do them for other instruments too.
>
> Ok, link if you can't patch it: SDG2000_eevblog_P21R2.ADS

Thanks for the information. What I understand is that SDG2000_V200R001B01D01P21R2.ADS is the patched file for 21R2 where I can use telnet and upgrade the bandwidth like with version SDG2000_V200R001B01D01P17R5.ADS?
Many thanks in advance!
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 340
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #48 on: October 28, 2016, 02:46:41 am »
No.
If you take the original SDG2000_V200R001B01D01P21R2.ADS
and patch it with "bsdiff.exe" using "difference" you get the patched file,
and patched like this is the file from the link: SDG2000_eevblog_P21R2.ADS
....
where you can use telnet and do whatever... things...

But now I must do a newer one from the latest firmware P22R5... :)
Or would someone like to calculate the password?
root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1
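
The two pieces of the shadow-swap procedure in this thread (the crypt(3) MD5 hash with a chosen salt from the post linking the online md5-crypt generator, and the requirement that the packed shadow file come out at exactly the original size, 271 bytes in that case, so the zip entry can be swapped in place) as one added, runnable example. This is not a script from the thread: the md5crypt implementation is the standard FreeBSD/glibc `$1$` algorithm written out from scratch, the shadow line fields other than the hash are constructed placeholders, the demo password is a placeholder and is not the password behind the hash quoted above, and the salt search is an added technique for hitting a required compressed size.

```python
"""md5crypt ($1$) shadow hash plus a packed-size check for swapping /etc/shadow
inside a firmware zip (added example, not a script from the thread).

md5crypt is the classic FreeBSD/glibc algorithm behind hashes of the form
root:$1$<salt>$<22 chars>. The size constraint mirrors the thread's procedure:
the replacement entry must deflate to exactly the same number of bytes as the
original so the zip offsets and the section length in the .ads stay untouched.
Salts are derived from a counter, so the search is deterministic.
"""
import hashlib
import hmac
import zlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    """Encode the low 6*n bits of v in crypt's base64 variant, least significant first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Standard $1$ md5crypt; salt is truncated to 8 characters as crypt(3) does."""
    pw, sb = password.encode(), salt[:8].encode()
    magic = b"$1$"
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + magic + sb)
    for i in range(len(pw)):                   # len(pw) bytes of the alternate sum, repeating
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                   # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + sb.decode() + "$" + out


def verify(password, hashed):
    """Constant-time check against a $1$ hash; the salt is taken from the hash itself."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), hashed)


def build_shadow(password, salt, extra_lines=()):
    """Shadow file with a root entry; the fields after the hash are constructed placeholders."""
    lines = ["root:%s:17000:0:99999:7:::" % md5crypt(password, salt)]
    lines.extend(extra_lines)
    return ("\n".join(lines) + "\n").encode()


def deflated_size(data):
    """Raw-deflate size, the way zipfile.ZIP_DEFLATED stores an entry (default level, no zlib header)."""
    c = zlib.compressobj(zlib.Z_DEFAULT_COMPRESSION, zlib.DEFLATED, -15)
    return len(c.compress(data) + c.flush())


def find_salt_for_size(password, target_size, extra_lines=(), max_tries=5000):
    """Try counter-derived 8-char salts until the packed shadow file is exactly target_size bytes."""
    for n in range(max_tries):
        salt = _to64(n * 0x9E3779B1, 8)        # any 8 chars from ITOA64 are a valid salt
        if deflated_size(build_shadow(password, salt, extra_lines)) == target_size:
            return salt
    return None


if __name__ == "__main__":
    # constructed demo values; "changeme" is a placeholder, not the password behind any quoted hash
    h = md5crypt("changeme", "NLwMj1Ox")
    print(h, verify("changeme", h))
    target = deflated_size(build_shadow("changeme", "NLwMj1Ox"))
    print("packed size", target, "bytes; salt that hits it:", find_salt_for_size("changeme", target))
```

To reuse this on a real image, set `target_size` to the compressed size of the original `etc/shadow` entry (from the zip's local file header or `unzip -v`) and pass the other original shadow lines as `extra_lines`; the salt search only varies the 8 salt characters, so the hash stays a valid root login while the packed entry lands on the required size.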
 

Offline hafrse

  • Contributor
  • Posts: 39
Re: Siglent .ads firmware file format
« Reply #49 on: October 28, 2016, 04:42:57 am »
> No.
> If you take the original SDG2000_V200R001B01D01P21R2.ADS
> and patch it with "bsdiff.exe" using "difference" you get the patched file,
> and patched like this is the file from the link: SDG2000_eevblog_P21R2.ADS
> ....
> where you can use telnet and do whatever... things...
>
> But now I must do a newer one from the latest firmware P22R5... :)
> Or would someone like to calculate the password?
> root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1

Got it!
I need to find the exe file bsdiff.exe, do you have it? Thanks
 
The following users thanked this post: Dhekhanur
