Siglent .ads firmware file format
tv84:
--- Quote from: bugi on June 10, 2019, 04:03:44 pm ---Out of curiosity, I've lately seen that xor with 0xFF in a few places, and I have been thinking why not use the operator that does the same without the 2nd parameter (or the only parameter written explicitly when using compound assignment variants), i.e. bitwise complement (~). That is "buf1[i1] = ~buf1[i1];" (To me the complement is also "clearer" to read as it doesn't have the "unnecessary" 2nd parameter, but this may very well be a matter of opinion.)
--- End quote ---
Only a question of habit. The compiler should do its magic...
tv84:
The SDL1000X-E FW has been released.
It has a FW format different from all previous Siglent equipment's FW.
Nonetheless the first 0x70 bytes are the file header with the usual Siglent 3DES encryption:
--- Code: ---
File Header Size: 00000070
00000000 - File Header Checksum: FFFFF9C9 [00000004-0000006F] CKSM OK
00000004 - File Size: 000DA5F4
0000000C - Product_ID: 700
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
--- End code ---
The rest of the file may be sporadically encrypted or obfuscated but haven't discovered more details...
Janekivi, what's your opinion?
Proc seems to be STM32F427VGT6.
janekivi:
No reverse, no FF.
screen.bmp at 0x000D70DC, where there are a couple of icons for the screen,
like network, battery and a yellow exclamation triangle.
tv84:
Just for the record:
The SDL1000X(-E) .ADS has a 0x70 bytes encrypted header (usual Siglent 3DES).
After that, it has 3 concatenated blocks which start with executable STM32 ARM programs. These are unencrypted and unobfuscated.
The final parsing of the 1st public release is attached.
Until now, no other Siglent FW had this format.
Edit1: I tried to add the loading addresses for IDA. I'm not 100% sure they are correct but they do a pretty good job in disassembling.
If anyone knows a better way to automatically determine the correct loading addresses of the STM32 blocks, etc., please contact me.
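One way to narrow down the load address of such a block from its Cortex-M vector table, as an added example that is not part of the thread or of tv84's parser: it keeps the flash-sector-aligned bases at which every exception handler lands inside the block, then ranks them by how many handlers point at code-like bytes. The STM32F427VG memory map, the sector starts, the 16-slot table and all function names are assumptions made for this sketch, and the sample block is constructed.

```python
import struct

# Assumed STM32F427VG memory map (ST reference manual, not from the thread).
FLASH_START, FLASH_END = 0x08000000, 0x08100000          # 1 MB flash
SECTORS = ([FLASH_START + n * 0x4000 for n in range(4)] + [0x08010000]
           + [0x08020000 + n * 0x20000 for n in range(7)])
RAM = ((0x10000000, 0x10010000), (0x20000000, 0x20030000))  # CCM, SRAM
VECTORS = 16                                              # SP + 15 system slots

def parse_vectors(blob):
    """Return handler addresses (Thumb bit cleared) if blob starts with a
    plausible Cortex-M vector table, else None."""
    if len(blob) < 4 * VECTORS:
        return None
    sp, *entries = struct.unpack_from('<%dL' % VECTORS, blob)
    handlers = [e for e in entries if e]                  # 0 = reserved slot
    if sp % 4 or not any(lo < sp <= hi for lo, hi in RAM):
        return None
    # Handlers are Thumb code: bit 0 set and the address inside flash.
    if not handlers or any(not (h & 1) or not FLASH_START <= h < FLASH_END
                           for h in handlers):
        return None
    return [h & ~1 for h in handlers]

def looks_like_entry(blob, offset):
    """Heuristic: PUSH {...,lr} (0xB5xx) or a branch-to-self stub (0xE7FE)."""
    (insn,) = struct.unpack_from('<H', blob, offset)
    return insn >> 8 == 0xB5 or insn == 0xE7FE

def rank_load_addresses(blob):
    """Return [(base, score)], best first: sector-aligned bases that put every
    handler inside the block, scored by handlers landing on code-like bytes."""
    handlers = parse_vectors(blob)
    if handlers is None:
        return []
    lo, hi = min(handlers), max(handlers)
    ranked = [(base, sum(looks_like_entry(blob, h - base) for h in handlers))
              for base in SECTORS
              if base + 4 * VECTORS <= lo and hi + 2 <= base + len(blob)]
    return sorted(ranked, key=lambda r: -r[1])

def constructed_block(base=0x08008000, size=0x9000):
    """Constructed sample, not real firmware: a vector table and two stubs."""
    blob = bytearray(size)
    struct.pack_into('<16L', blob, 0, 0x20020000, base + 0x401, *[base + 0x501] * 14)
    struct.pack_into('<H', blob, 0x400, 0xB510)           # push {r4, lr}
    struct.pack_into('<H', blob, 0x500, 0xE7FE)           # b .
    return bytes(blob)
```

Containment alone leaves three candidate bases for the constructed block; the code-byte score is what separates them, so a tie at the top means the address still needs checking in the disassembler.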
wgoeo:
For the SDS1000X-E, I summarized the replies so far in the Python 3 code below. You only need to recover the key in sds1000b.app. Without the correct key the .app will be corrupted but you can force extract and analyze it.
--- Code: ---
import sys
import codecs
import struct

# Reply #25
import pyDesSiglent

# Reply #186 (placeholder: the real key has to be recovered from sds1000b.app)
key = codecs.decode('00000000000000000000000000000000', 'hex')
des = pyDesSiglent.triple_des(key)

# Reply #74
def checksum(b):
    return -sum(b) & 0xffffffff

# Specify the .ads file as a command line argument
with open(sys.argv[1], 'rb') as f:
    b = f.read()

# Reply #235: the first 0x70 bytes (file header) are 3DES encrypted
b = des.decrypt(b[:0x70]) + b[0x70:]

# Compare with parsing (Reply #99)
csum, size = struct.unpack('<LL', b[:8])
print('file size w/o header', hex(size), 'checksum', hex(csum), '=?', hex(checksum(b[4:])))

# skip header
b = b[0x70:]

# Reply #21, #186: two encrypted regions inside the body
b = des.decrypt(b[:0x2800]) \
    + b[0x2800:0x2E777] \
    + des.decrypt(b[0x2E777:0x2E777+0x1400]) \
    + b[0x2E777+0x1400:]

# Reply #24 (modified): reverse the body, then undo the two XOR 0xff passes
b = bytearray(b[::-1])
a = 1
i = len(b)
j = 1
while j < i:
    b[j] ^= 0xff
    a += 1
    j += a
i = len(b)
j = len(b) - len(b)//2
while j < i:
    b[j] ^= 0xff
    j += 1

# Compare with parsing (Reply #99)
i = 0
while i + 0x34 <= len(b):
    csum, size = struct.unpack('<LL', b[i:i+8])
    section = b[i+8]
    # the payload follows this section's 0x34-byte header
    payload = b[i+0x34:i+0x34+size]
    print('section', section, 'size', hex(size), 'checksum', hex(csum), '=?', hex(checksum(payload)))
    with open('section%d.zip' % section, 'wb') as out:
        out.write(payload)
    i += 0x34 + size
--- End code ---
Edit: to those who want a faster DES implementation I attached some code derived from mbedtls with just the necessary parts.