Author Topic: Siglent .ads firmware file format  (Read 173831 times)


Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #300 on: March 01, 2019, 07:34:45 pm »
Yes, the first one is not 0x1400. And remember you have the incrementing pattern also.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #301 on: March 02, 2019, 11:17:36 pm »
Thanks for that!
So far I found more of them after the one I show there with red...
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #302 on: March 03, 2019, 09:53:49 am »
Previous format was toooo simple and this equipment has a bit more powerful
CPU to read complicated update files. So they totally shredded the file this time.
So far I have found five ascending FF patterns. One starts from the beginning but doesn't
affect those first two shorter parts. XOR FF is switched on at 0x1400 parts.
First, every second 0x1400 is fully XOR-ed with FF (first pair was shorter)
and the other one of each pair has a rising XOR FF pattern from the beginning.
Then I jumped a bit forward and found an XOR FF pattern which starts at some
point and starts its steps from 100 bytes, counting up by 1. I don't know the other
parameters yet. And one XOR FF is stepping forward by 4 bytes, like 262-266-270-...
I see at least one encrypted part there.
So, there are (too) many XOR FF patterns and encrypted regions.

I was talking about the zip file you get after opening the ads in the usual way:
decrypt, reverse, XOR FF. All this processing is done after that on the output ZIP file.
So it is not possible to simply extract something. Just scrolling down with Notepad
after eliminating some of the patterns, I found this intact PNG image.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #303 on: March 03, 2019, 12:02:03 pm »
Afterwards we know...
Packed data part of that png file is unpacking with 7zip without errors.
I need to use .ZIP to upload it here.
We need to get data straight and app out.
 

Offline tinhead

  • Super Contributor
  • ***
  • Posts: 1918
  • Country: 00
    • If you like my hacks, send me a donation
Re: Siglent .ads firmware file format
« Reply #304 on: March 03, 2019, 02:54:03 pm »
did someone of you guys got already app and bitstream from SDS2000X-E? I wish i could get it as well ...
I don't want to be human! I want to see gamma rays, I want to hear X-rays, and I want to smell dark matter ...
I want to reach out with something other than these prehensile paws and feel the solar wind of a supernova flowing over me.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #305 on: March 03, 2019, 03:21:02 pm »
did someone of you guys got already app and bitstream from SDS2000X-E? I wish i could get it as well ...

Nope. When you get it, tell us.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #306 on: March 03, 2019, 04:38:46 pm »
Name of the app: sds2000hsr
That file we don't extract in the near future...
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #307 on: March 04, 2019, 08:06:07 pm »
After all, it was no rocket science...

Name of the app: sds2000hsr

Attached is the list of the ZIP contents  (.GEL)
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #308 on: March 04, 2019, 09:53:50 pm »
Ok, that was quick.
They have shuffled those XOR-ed and pattern parts there.
I was starting from wrong address and then missed right
addresses creating more wrong of them by myself.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #309 on: March 05, 2019, 12:53:47 pm »
Regarding the checksum, all bets are on!

Code:
File Header Size: 00000070
00000000 - File Checksum: 001C9FBC [00000004-0264BFAE] (with only the File Header decrypted)  CKSM NOT OK
00000004 - File Size: 0264BF3F (without 0x70 bytes of the File Header)
0000000C - Product_ID: 14000
00000026 - Vendor/Brand: 0.8.0R1B5
0000003A - USB Host Controller: SIGLENT
00000048 - Version: 0.8.0R1B5
****************************************************
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #310 on: March 05, 2019, 08:24:55 pm »
Header checksum is calculated differently.
The previous one depends on data length. Short data has a bigger checksum
and larger data has a smaller one. Like a 277 byte text file has FF FF B9 BA and
a 40 Mb file CE C2 02 7B, 50 Mb 77 1D AD 8B...
So, to get 00 1C 9F BC ?
 

Offline n3mmr

  • Regular Contributor
  • *
  • Posts: 121
  • Country: se
Re: Siglent .ads firmware file format
« Reply #311 on: March 06, 2019, 04:45:01 pm »
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip

That file was on some free server, and is gone.

Is the same file available elsewhere???

Or is there a substitute that might be better to use??
 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 6390
  • Country: de
Re: Siglent .ads firmware file format
« Reply #312 on: April 13, 2019, 04:58:09 pm »
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.
They provide a root session via port 10101.

Sorry to come back to this old post. (And thank you for posting, tv84!) I am obviously too stupid for this...

I copied the SDG2000X.ADS from the above post to a USB stick, inserted into my SDG2042X, activated the LAN interface and DHCP.  But:

  • Port 10101, as indicated by tv84, does not work. Port is not open, "connection refused".
  • I can get a telnet prompt via the standard port 23, and it comes up with "SIGLENT SDG project". I believe that's different from the standard prompt, so the ADS script seems to have been activated? But I can't log in; the root/eevblog credentials do not work.
Where did I get this wrong?
Thanks for your help!


EDIT:

Duh, figured it out... The .ADS file is not loaded automatically upon insertion of the USB stick, or upon booting the SDG with an inserted stick. One has to explicitly trigger a "firmware update" via the system menu. The SDG will state that the update failed, but subsequently it does have port 10101 enabled. No credentials required for a telnet session on that port.

I fooled myself by believing that the "SDG project" headline had appeared only after I inserted the USB stick, but apparently that's bog standard...  I'll keep my post here anyway, in case someone else falls into the same trap and starts Googling for help...
« Last Edit: April 13, 2019, 05:13:08 pm by ebastler »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #313 on: April 13, 2019, 06:46:28 pm »
Duh, figured it out... The .ADS file is not loaded automatically upon insertion of the USB stick, or upon booting the SDG with an inserted stick. One has to explicitly trigger a "firmware update" via the system menu. The SDG will state that the update failed, but subsequently it does have port 10101 enabled. No credentials required for a telnet session on that port.

 :) How did you figure it out?  (That is the most educational part that you can leave here... )

 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 6390
  • Country: de
Re: Siglent .ads firmware file format
« Reply #314 on: April 13, 2019, 06:54:48 pm »
:) How did you figure it out?  (That is the most educational part that you can leave here... )

I started to doubt my recollection that the "Siglent SDG project" headline had only shown up after I had inserted the USB stick. (I had tried a "plain" Telnet session before, but had not taken screenshots or notes.) So I doubted whether I could really be sure that your modification was actually activated.

And then, shame on me, I actually read the manual (on how to perform a firmware upgrade)...  ;)
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4086
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Siglent .ads firmware file format
« Reply #315 on: April 16, 2019, 04:55:42 am »
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip

That file was on some free server, and is gone.

Is the same file available elsewhere???

Or is there a substitute that might be better to use??

Perhaps here.
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline ShaneEEV

  • Contributor
  • Posts: 12
  • Country: us
Re: Siglent .ads firmware file format
« Reply #316 on: April 27, 2019, 12:51:55 am »
I have been attempting to gain login access to my new SDG2041X ARB waveform generator for a couple of days.

I have succeeded with:

1) Downgrading firmware to 23R3
2) Installing the telnet code
3) The telnet banner says "
===============================================
|SIGLENT SDG project                   
==============================================="

I have not succeeded in logging in to the SDG, however.

I have tried every combination of root and the login password I can think of, including the one shown above the "root / #######" entry, above.

I have read the admonishments to cut 'n paste the login and <password> and have tried that, as well, to no avail.  :scared:  :phew:  :-//

I'm usually not this clueless (just a few days ago, I updated my new SDS1004X-S to full glory, so I can follow well-stated directions).
I realize you don't want to make this too easy, but I evidently haven't stumbled on the "secret sauce" on my own.

Any help is greatly appreciated (perhaps someone could PM me with the obvious?)

Thank you, in advance!

Shane
 

Offline ShaneEEV

  • Contributor
  • Posts: 12
  • Country: us
Re: Siglent .ads firmware file format
« Reply #317 on: April 27, 2019, 02:17:53 am »
O.K. - Got it figured out

1) Insert USB Stick into front panel USB socket
2) Put SDG into System / Info / Upgrade
3) Select telnet file for SDG2042X and UPDATE
4) LEAVE POWER ON SDG
5) On remote computer console, type: telnet <SDG IP address> <SPACE> 10101 <RETURN>
6) On remote computer console, type: mount -o remount,rw ubi2_0 <SPACE> /usr/bin/siglent/firmdata0
7) On remote computer console, type: cp /usr/bin/siglent/firmdata0/NSP_system_info.xml /usr/bin/siglent/firmdata0/NSP_system_info.xml.orig
8) On remote computer console, type: vi /usr/bin/siglent/firmdata0/NSP_system_info.xml
9) On remote computer console, move down to the line that starts with <license> and press 'i' for INSERT and right arrow over to just after </license> and press the delete button until the line only has </system_information>
10) On remote computer console, press the ESC key, then type: :wq <RETURN>
11) On remote computer console, type: sync
12) on SDG: remove USB stick
13) on SDG: turn power OFF

When you power back on, the status menu indicates the model number is now SDG2122X. You should see your serial number there, as well.

Thank you to JDubU and CustomEngineerer for your kind corrections!

« Last Edit: April 27, 2019, 03:04:12 pm by ShaneEEV »
 
The following users thanked this post: n3mmr

Online JDubU

  • Frequent Contributor
  • **
  • Posts: 441
  • Country: us
Re: Siglent .ads firmware file format
« Reply #318 on: April 27, 2019, 02:45:42 am »
 
The following users thanked this post: CustomEngineerer

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 464
  • Country: us
Re: Siglent .ads firmware file format
« Reply #319 on: April 27, 2019, 02:49:33 am »
9) On remote computer console, press the down arrow until the cursor in the vi window is on the line that starts with <license><bandwidth...  and press dd (that means press 'd' twice) You will see the line has disappeared.
(the serial number has been replaced with "1234567890", however.
Perhaps someone else knows how to replace the serial number?

If you want to keep your serial number, don't delete the whole line like it says in step 9. Just delete the <license>...</license> tags (and everything between). The </system_information> closing tag at the end of the line needs to be left as the only thing on that line when you are done.
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 464
  • Country: us
Re: Siglent .ads firmware file format
« Reply #320 on: April 27, 2019, 02:50:40 am »
Thanks JDubU. Was looking for that post but couldn't find it.
 

Offline ShaneEEV

  • Contributor
  • Posts: 12
  • Country: us
Re: Siglent .ads firmware file format
« Reply #321 on: April 27, 2019, 03:53:00 am »
Thanks to JDubU and CustomEngineerer!

I'll get into my SDG and make that change.

Cheers!
Shane

O.K. - I took the SN info out of the .orig file and inserted it over the 0123456789 in the <chip> <\chip> area and all is well. firmware back to 23R8 and all is right with the world!

Thanks again, JDubU and CustomEngineerer!
« Last Edit: April 27, 2019, 02:53:26 pm by ShaneEEV »
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4086
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Siglent .ads firmware file format
« Reply #322 on: April 27, 2019, 08:33:30 am »
O.K. - Got it figured out

1) Insert USB Stick into front panel USB socket
2) Put SDG into System / Info / Upgrade
3) Select telnet file for SDG2042X and UPDATE
4) LEAVE POWER ON SDG
5) On remote computer console, type: telnet <SDG IP address> <SPACE> 10101 <RETURN>
6) On remote computer console, type: mount -o remount,rw ubi2_0 <SPACE> /usr/bin/siglent/firmdata0
7) On remote computer console, type: cp /usr/bin/siglent/firmdata0/NSP_system_info.xml /usr/bin/siglent/firmdata0/NSP_system_info.xml.orig
8.) On remote computer console, type: vi /usr/bin/siglent/firmdata0/NSP_system_info.xml
ERR: 9) On remote computer console, press the down arrow until the cursor in the vi window is on the line that starts with <license><bandwidth...  and press dd (that means press 'd' twice) You will see the line has disappeared.
10) On remote computer console, type: :wq <RETURN>
11) On remote computer console, type: sync
12) on SDG: remove USB stick
13) on SDG: turn power OFF

When you power back on, the status menu indicates the model number is now SDG2122X. (the serial number has been replaced with "1234567890", however.

Perhaps someone else knows how to replace the serial number?

Of course it does this, look what you have deleted using vi, walking like an elephant in a porcelain store.

As explained by @CustomEngineerer
Please repair this erroneous red marked step 9 to avoid confusing some noobs when they follow things without further thinking and/or with a total lack of knowledge or experience.


With SDG2000X the basic principles are roughly the same as with SDG1000X (some differences in details). This is for SDG1000X only.  (.zip file which includes all needed info for SDG1000X and not only for BW alone)

« Last Edit: April 27, 2019, 11:34:18 am by rf-loop »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #323 on: June 10, 2019, 11:15:48 am »
Getting back to the topic...  :)

Here is a C# function that allows the deobfuscation of Siglent SDS5000X .ADS files, so that everyone can extract the .ZIP inside:

(memDump is the raw .ADS file)

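Code:
        // Requires: using System;
        private static void parseADS_SIGLENT_SDS5000X(ref byte[] memDump)
        {
            // Payload buffer: the file without its 0x70-byte header
            byte[] buf1 = new byte[memDump.Length - 0x70];

            Array.Reverse(memDump);   // reverses the buffer (the header ends up at the tail)
            // Unshuffling blocks: copy 0x2800-byte blocks from the end of the reversed payload
            // to the front of buf1, working backwards; the last block copied may be shorter
            for (int block = 0x2800, i1 = buf1.Length - block, i2 = 0; block > 0; i2 += block, block = Math.Min(0x2800, i1), i1 -= block)
                Buffer.BlockCopy(memDump, i1, buf1, i2, block);
            for (int iBlock = 0; iBlock < buf1.Length; iBlock += 0x2800)  // XORing with 0xFF (increment. pattern and blocks)...
            {
                // Incrementing pattern: offsets 1, 3, 6, 10, ... inside the block (the gap grows by 1 each step)
                for (int i1 = iBlock + 1, i2 = 2; i1 < iBlock + 0x2800 && i1 < buf1.Length; i1 += i2, i2++)
                    buf1[i1] ^= 0xFF;
                // Second half of the block, from 0x1400 (or from the midpoint of a short final block), is XORed in full
                for (int i1 = iBlock + Math.Min(0x1400, (buf1.Length - iBlock + 1) / 2); i1 < iBlock + 0x2800 && i1 < buf1.Length; i1++)
                    buf1[i1] ^= 0xFF;
            }
            memDump = buf1;   // hand the deobfuscated payload (the ZIP) back through the ref parameter
        }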
« Last Edit: June 10, 2019, 05:04:36 pm by tv84 »
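
Added example, not part of tv84's post: a Python port of the C# function above together with its inverse, so the transform can be verified by a round trip on a constructed ZIP before it is trusted on a real update file. It relies on the observation that reversing the whole file and then copying 0x2800-byte blocks from the end is the same as byte-reversing each 0x2800-byte block of the payload, and it also accepts a payload shorter than one block. The names `deobfuscate`, `obfuscate` and `make_sample_zip` belong to this example only, and the 0x70-byte header is assumed to be simply skipped, as in the C# code.

```python
import io
import zipfile

HEADER = 0x70   # file header size skipped by the C# function
BLOCK = 0x2800  # shuffle / XOR block size
HALF = 0x1400   # offset where the fully inverted half of a block starts


def _xor_layer(buf: bytearray) -> None:
    """Apply both 0xFF layers in place. XOR is its own inverse."""
    n = len(buf)
    for base in range(0, n, BLOCK):
        end = min(base + BLOCK, n)
        pos, step = base + 1, 2            # offsets 1, 3, 6, 10, ... in the block
        while pos < end:
            buf[pos] ^= 0xFF
            pos += step
            step += 1
        # Second half of the block (midpoint of a short final block)
        for pos in range(base + min(HALF, (n - base + 1) // 2), end):
            buf[pos] ^= 0xFF


def _reverse_blocks(data: bytes) -> bytearray:
    """Byte-reverse every BLOCK-sized chunk; the last chunk may be shorter."""
    out = bytearray()
    for base in range(0, len(data), BLOCK):
        out += data[base:base + BLOCK][::-1]
    return out


def deobfuscate(ads: bytes) -> bytes:
    """Raw .ADS image -> embedded payload (same steps as the C# code)."""
    buf = _reverse_blocks(ads[HEADER:])
    _xor_layer(buf)
    return bytes(buf)


def obfuscate(payload: bytes, header: bytes = bytes(HEADER)) -> bytes:
    """Inverse transform, used here only to build test input offline."""
    buf = bytearray(payload)
    _xor_layer(buf)
    return header + bytes(_reverse_blocks(bytes(buf)))


def make_sample_zip() -> bytes:
    """Constructed sample: a stored ZIP that spans several blocks."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w") as zf:
        zf.writestr("constructed.bin", bytes(range(256)) * 120)
    return mem.getvalue()
```

A real file's output can be sanity-checked the same way the test does, with `zipfile.is_zipfile` on the deobfuscated bytes.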
 

Offline bugi

  • Regular Contributor
  • *
  • Posts: 249
  • Country: fi
  • Hobbyist using the ultra slow and unsure method
Re: Siglent .ads firmware file format
« Reply #324 on: June 10, 2019, 04:03:44 pm »
Here is a C# function ...
Code:
            for (int iBlock = 0; iBlock < buf1.Length; iBlock += 0x2800)  // XORing with 0xFF (increment. pattern and blocks)...
            {
                for (int i1 = iBlock + 1, i2 = 2; i1 < iBlock + 0x2800 && i1 < buf1.Length; i1 += i2, i2++)
                    buf1[i1] ^= 0xFF;
                for (int i1 = iBlock + Math.Min(0x1400, (buf1.Length - iBlock + 1) / 2); i1 < iBlock + 0x2800 && i1 < buf1.Length; i1++)
                    buf1[i1] ^= 0xFF;
            }
       }
Out of curiosity, I've lately seen that xor with 0xFF in a few places, and I have been thinking why not use the operator that does the same without the 2nd parameter (or the only parameter written explicitly when using compound assignment variants), i.e. bitwise complement (~).  That is "buf1[i1] = ~buf1[i1];"  (To me the complement is also "clearer" to read as it doesn't have the "unnecessary" 2nd parameter, but this may very well be a matter of opinion.)
 

