EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: steffenmauch on January 30, 2016, 11:01:46 pm

Title: Siglent .ads firmware file format
Post by: steffenmauch on January 30, 2016, 11:01:46 pm
Hey,

does anyone of you have more information how the .ads file from Siglent can be read?
I am curious what kind of encryption is used.
Some dumps are available of e.g. the SDG2000x application ... anyone with IDA skills has been already successful?

Thanks.
Title: Re: Siglent .ads firmware file format
Post by: tautech on January 31, 2016, 05:20:04 am
> Hey,
>
> does anyone of you have more information how the .ads file from Siglent can be read?
> I am curious what kind of encryption is used.
> Some dumps are available of e.g. the SDG2000x application ... anyone with IDA skills has been already successful?
>
> Thanks.

According to a Google search the .ads file format is probably linked to the Linux OS
http://fileinfo.com/extension/ads

In a recent interview by Dave with the head of Siglent Eric Quin it was revealed the main OS in Siglent products was Linux.
Sorry, that's all I know but it might point you in the right direction.  ;)

FYI for all Siglent products that I have installed new FW, the FW updates have been in .ads format. (unpacked and ready to install)
Title: Re: Siglent .ads firmware file format
Post by: bitseeker on January 31, 2016, 06:04:01 am
Ah, thanks for the references tautech.
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on January 31, 2016, 08:38:29 am
I do not want to say this has anything to do with Siglent equipment, but about .ADS:
it is a file extension used by Ada.

Is it (file extension) a coincidence or not I will not take any position.
Of course, it would be interesting if Siglent use it or have been in contact with this Ada. (military, aviation, industry...)

If there is Linux, http://www.pegasoft.ca/resources/boblap/4.html
(The Big Online Book of Linux Ada Programming)

What is Ada?
https://www.adacore.com/adaanswers/about/ada

example
  three_d.ads
    three_d-opengl.ads
    three_d-animation.ads
      three_d-animation-sequences.ads
Title: Re: Siglent .ads firmware file format
Post by: analogNewbie on February 01, 2016, 03:15:43 am
I have reverse-engineered the ads firmware file format of SDG2000X. I think others might use the same format but different encryption key.
Title: Re: Siglent .ads firmware file format
Post by: steffenmauch on February 01, 2016, 07:32:54 am
@analogNewbie:
Could you share your information about the cryptography being used, as well as how to find the encryption key?
Title: Re: Siglent .ads firmware file format
Post by: analogNewbie on February 01, 2016, 08:55:29 am
I found the key and decrypt code in the SDG2000x app file with IDA. It's not so easy to do. You have to be very familiar with the 3DES algorithm, since they modified it or implemented it the wrong way.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 23, 2016, 12:25:56 pm
One day I took my notepad and calculator out again (ads0.jpg)
and took a good look inside the SDG2000 ads file.
Since they overwrite the passwd file during a new firmware upgrade, this file must be changed
if you would like to log in by telnet. But what kind of file is this ADS? I have not found the crypt yet but can show
some files. Firmware P17R5 and P21R2 have the same root password, but I think it is not
crackable, and because of the update there is no point in it either. (ads1.jpg)
The zipped passwd file is very similar to this section in the ADS file. (ads2.jpg)
But there is one trick they have done. After the firmware file is complete they XOR-ed it with FF following
some kind of pattern. One such point is at position 15BD. (ads3.jpg)
All of this may not be fully accurate, but it may illustrate a bit of this structure from the
P21R2.ADS or P17R5.ADS file here:
(after I XOR-ed 71 back to 8E)
Code:
00000000 | 50 4B 03 04 14 00 00 00 08 00 11 56 2F 48 8B 48 | PK.........V/H.H |
00000010 | 08 21 3B 00 00 00 3C 00 00 00 0E 00 1C 00 61 70 | .!;...<.......ap |
00000020 | 70 2F 65 74 63 2F 73 68 61 64 6F 77 55 54 09 00 | p/etc/shadowUT.. |
00000030 | 03 02 5E 98 56 02 5E 98 56 75 78 0B 00 01 04 E8 | ..^.V.^.Vux..... |
00000040 | 03 00 00 04 E8 03 00 00 2B CA CF 2F B1 52 31 54 | ........+../.R1T |
00000050 | F1 F3 29 F7 CD 32 F4 AF 50 31 AC 34 89 74 4B 8E | ..)..2..P1.4.tK. |
00000060 | 88 CC 8C F2 F4 29 0C 4D CD 70 71 F3 2E 75 32 B4 | .....).M.pq..u2. |
00000070 | 32 34 35 33 37 B2 32 B0 B2 04 01 2B 73 2B 2B 2B | 24537.2....+s+++ |
00000080 | 2E 2E 00                                        | ...              |


Signature 50 4B 03 04
Version 14 00 (= 20 -> 2.0)
Flags 00 00 (no flags)
Compression method 08 00 (deflated)
File modification time 11 56 (0101 0110 0001 0001)
hour   = (01010)11000010001 = 10
minute = 01010(110000)10001 = 48
second = 01010110000(10001) = 17 = 34 seconds
10:48:34
File modification date 2F 48 (0100 1000 0010 1111)
year  = (0100100)000101111 = 36
month = 0100100(0001)01111 = 1
day   = 01001000001(01111) = 15
01/15/2016
Crc-32 checksum 8B 48 08 21 (2108488B)
Compressed size 3B 00 00 00 (59 bytes)
Uncompressed size 3C 00 00 00 (60 bytes)
File name length 0E 00 (14 bytes)
Extra field length 1C 00 (28 bytes)
File name "app/etc/shadow"
Extra field id 55 54: extended timestamp, size: 9 bytes
data size 09 00 (9 bytes)
data bytes 03 02 5E 98 56 02 5E 98 56
id 75 78 (Unix UID/GID)
data size 0B 00 (11 bytes)
data bytes 01 04 E8 03 00 00 04 E8 03 00 00
Packed data 2B CA CF 2F ...... 2E 2E 00 (59 bytes)
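
Added example, not part of the original post and not the poster's code: the hand decoding above redone as a small Python parser over the same 131 bytes. It also reads the two extra fields and compares the DOS (local) timestamp with the UTC one in the UT field; the function and key names are this example's own.

```python
import calendar
import struct
import zlib

# The 131 bytes from the hex dump in the post above (already XOR-corrected there).
DUMP = bytes.fromhex("""
50 4B 03 04 14 00 00 00 08 00 11 56 2F 48 8B 48
08 21 3B 00 00 00 3C 00 00 00 0E 00 1C 00 61 70
70 2F 65 74 63 2F 73 68 61 64 6F 77 55 54 09 00
03 02 5E 98 56 02 5E 98 56 75 78 0B 00 01 04 E8
03 00 00 04 E8 03 00 00 2B CA CF 2F B1 52 31 54
F1 F3 29 F7 CD 32 F4 AF 50 31 AC 34 89 74 4B 8E
88 CC 8C F2 F4 29 0C 4D CD 70 71 F3 2E 75 32 B4
32 34 35 33 37 B2 32 B0 B2 04 01 2B 73 2B 2B 2B
2E 2E 00
""")


def dos_datetime(ddate, dtime):
    """MS-DOS date/time words -> (year, month, day, hour, minute, second)."""
    return (1980 + (ddate >> 9), (ddate >> 5) & 0x0F, ddate & 0x1F,
            dtime >> 11, (dtime >> 5) & 0x3F, (dtime & 0x1F) * 2)


def parse_extra(extra):
    """Walk the extra field: repeated (2-byte id, 2-byte size, payload)."""
    fields, pos = {}, 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<2sH", extra, pos)
        if pos + 4 + size > len(extra):
            raise ValueError("extra field overruns its container")
        fields[hid] = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return fields


def parse_local_header(blob, off=0):
    """Parse one ZIP local file header at `off` and slice out its payload."""
    if len(blob) - off < 30:
        raise ValueError("truncated header")
    (sig, version, flags, method, dtime, ddate, crc, csize, usize,
     nlen, xlen) = struct.unpack_from("<4s5H3I2H", blob, off)
    if sig != b"PK\x03\x04":
        raise ValueError("no PK 03 04 signature at offset %#x" % off)
    name_off = off + 30
    data_off = name_off + nlen + xlen
    if data_off + csize > len(blob):
        raise ValueError("payload runs past end of buffer")
    extra = parse_extra(blob[name_off + nlen:data_off])
    rec = {
        "version": version, "flags": flags, "method": method,
        "local_time": dos_datetime(ddate, dtime),
        "crc32": crc, "csize": csize, "usize": usize,
        "name": blob[name_off:name_off + nlen].decode("ascii"),
        "data": blob[data_off:data_off + csize],
    }
    ut = extra.get(b"UT")      # extended timestamp: flags byte, then times
    if ut and ut[0] & 1:
        rec["mtime_utc"] = struct.unpack_from("<I", ut, 1)[0]
    ux = extra.get(b"ux")      # Unix UID/GID: version, size + uid, size + gid
    if ux:
        usz = ux[1]
        rec["uid"] = int.from_bytes(ux[2:2 + usz], "little")
        gsz = ux[2 + usz]
        rec["gid"] = int.from_bytes(ux[3 + usz:3 + usz + gsz], "little")
    return rec


def utc_offset_hours(rec):
    """DOS time is local, the UT field is UTC; the gap is the packer's zone."""
    local = calendar.timegm(rec["local_time"] + (0, 0, 0))
    return (local - rec["mtime_utc"]) / 3600


def payload_matches_header(rec):
    """True only if the payload inflates to usize bytes with the stated CRC-32."""
    if rec["method"] != 8:
        return False
    try:
        plain = zlib.decompress(rec["data"], -15)   # raw deflate, no zlib wrapper
    except zlib.error:
        return False
    return len(plain) == rec["usize"] and zlib.crc32(plain) == rec["crc32"]


if __name__ == "__main__":
    r = parse_local_header(DUMP)
    print(r["name"], r["local_time"], "UTC%+g" % utc_offset_hours(r))
    print("uid/gid:", r["uid"], r["gid"], "payload ok:", payload_matches_header(r))
```

On this dump the DOS timestamp and the UT timestamp differ by exactly 8 hours, and both IDs in the Unix extra field are 1000 (the E8 03 00 00 values listed above).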
Title: Re: Siglent .ads firmware file format
Post by: kmike on June 23, 2016, 03:19:00 pm
Anyway, if someone wants to give it a try:
root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1:15672:0:99999:7:::

edit: this is of course encrypted  :(

br,
mike
Title: Re: Siglent .ads firmware file format
Post by: CustomEngineerer on June 23, 2016, 05:29:44 pm
I had started John The Ripper running against that password back on the 18th just out of curiosity (haven't used a password cracker in so long, probably didn't do it right) and then forgot about it shortly after that. After seeing your post I remembered and so checked in on it. It had run for close to 3 days until we lost power the other night and my computer had shutdown. No luck on getting the password, so either I did something wrong when I started running the cracker or they didn't pick a super simple password (at least that would be in the word file I used). Probably a combination of the two.

Edit: Typos
Title: Re: Siglent .ads firmware file format
Post by: TheSteve on June 23, 2016, 05:32:31 pm
I'll probably give it a shot as well and will start it running tonight. The last one I did took several days, I'm not using the fastest computer around.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 23, 2016, 11:14:47 pm
If you want beat my notepad and calculator...
you need
https://hashcat.net/oclhashcat/
and
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
https://sagitta.pw/hardware/gpu-compute-nodes/brutalis/
Password is not simple and short and not from some dictionary. For reasonable time you need come up with
some masks and rules too. (I tried them with single R9 390 : )

(Found that FF XOR mask. Next I think I need checksum or something)
Title: Re: Siglent .ads firmware file format
Post by: kmike on June 24, 2016, 11:45:30 am
After watching a nice video https://www.youtube.com/watch?v=colVXihqdGo, I decided to open up my generator.

No rust in there   ;D

The serial port is easily accessible, and the command prompt is also there. After connecting the normal "upgrade" can still be done.

br,
mike

Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 24, 2016, 12:56:03 pm
But how about this, the ads file is too easily accessible
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 25, 2016, 06:53:18 pm
This is better but they driving my notepad and calculator to red hot.
There is some tricks they done, I never guess all of them.
But all ADS files are not the same. Scopes for example are not
like this SDG800 based generator and multimeter. But spectrum
analyzer is.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 30, 2016, 05:44:44 pm
So far I managed to scroll up and down with notepad and calculate some patterns to open
and extract similar ADS files. But I can't get all out of them and run on something at the end
of file. Some portion of ZIP data from some small places is changed. May be this is the crypt...
Title: Re: Siglent .ads firmware file format
Post by: darrylp on July 01, 2016, 01:16:45 pm
So what code are you using to work out the initial decode of the ADS files?

Has anyone started on the SDG10xx model firmware ?

--
 Darryl

Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 13, 2016, 03:33:18 pm
There are many different ADS file types. SDG1000 have some similar XOR FF patterns
with other packed multi files firmwares but inside here is like some kind of boot or
dump image. As you know SDG1000 series are similar with LeCroy WaveStation
and the firmware files are very similar too. Like wavestation_2000_v1.01.02.36.ads
and SDG1000-V100R001B01D01P36.ADS. Half of file is practically the same.
https://www.eevblog.com/forum/testgear/siglent-sdg1000-(aka-lecroy-wavestation)-firmware-updates/
SDG800 and SPD3303X files are a bit similar to it but SDS2000X file is very different again.

I have no progress with 3des and can't read the whole file. I can't disassemble apps.
I can, but I don't see there anything understandable...

I don't have notepad powerful enough : (  and calculator : ( and paper big enough
I think my pencil is not sharp enough.
Title: Re: Siglent .ads firmware file format
Post by: flynnjs on July 13, 2016, 10:53:24 pm
The 3DES key is fairly easy to find as are the 3DES functions.
I haven't been bothered to pick through them yet to see what has
been implemented in a non standard way...

Is it the key expansion, the order of the functions..? Give us a clue   :=\

Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 15, 2016, 02:59:27 pm
After choosing better hammer for SDG1000 file I see there 2 files. They are using the same XOR FF
pattern and part of file is crypted. One file is some FPGA Data? and the other is some binary program?
But what kind of... there is nowhere i see the familiar signatures.
Title: Re: Siglent .ads firmware file format
Post by: darrylp on July 15, 2016, 05:04:51 pm
Oh please tell more on the SDG1000 series.  Clues as to your work method would be interesting and educational.

--
 Darryl

Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 15, 2016, 07:47:52 pm
Let's take a look in SDG1000-V100R001B01D01P31.ADS for example:

Like most of the firmwares, it is turned around. So the first step is to turn the file around (or look at it backwards).
The next step is to XOR it with FF at pattern bytes 0, 1, 3, 6, A, F and so on - the spacing increasing by 1. But this isn't all:
next, XOR it with FF from the center -> the file has a 72 byte header (now at the end) -> (file length - 72)/2
Now we can investigate something, but this isn't all. There are 2 crypted parts: 5120 bytes, and 10239 (27FF)
bytes at the end + there are 72 bytes of something... The file is turned over before the crypt, so they are actually calculated
from the file beginning (I believe ...). So the second crypt is from 2E777 after the header.
Let's forget this part for now.

File is (now) beginning with:

E8 E6 01 FF 94 32 05 00 01 00 00 00 19 EE 01 FF     ----  05 32 94 is promising and next 05 32 7C too
7C 32 05 00 66 70 67 61 20 64 61 74 61 00 12 00     ----  ____FPGA DATA___
8F 04 D4 77 FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF AA 99 55 66 30 A1 00 07 20 00 31 A1

Turns out the 05 32 94 is data from first file header beginning to second file header beginning and
05 32 7C is from end of Fpga data file header and this is file length. So the first file header is beginning
with 19 EE 01 FF... and file data start with FF FF FF...
First file is ending:

30 A1 00 0D 20 00 20 00 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00   <---- here is the end of first file
E1 ED 9E FA C6 FA 0A 00 02 00 00 00 40 00 00 00   ---- from E1 ED... is starting second file header
80 00 FF 00 04 00 00 00 00 00 00 00 12 00 00 00

There is 0A FA C6... this is promising. This is the second file's data length. So the data begins with
40 00 00 00 80 00 FF 00... then it ends in the right place and the rest is 72 bytes.
But now, the two regions in the second file are crypted.

They have the same crypt and key and patterns in other firmware files too, and if you show me
this crypt procedure I can show you more... With the same procedure I am opening all the other
firmware files here, with notepad or this file viewer-compare and calculator. Actually I use hexedit too.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 16, 2016, 06:44:36 am
We can continue with some analysis because I have to have an eeprom dump.
The second file is like a "self extracting archive"? From address CFE4 the visual picture of the data
changes rapidly, and 78 9C EC 7D is the zlib compression magic number. From here to the end is
an archive that can be unpacked. The unpacked file is readable and contains all kinds of stuff. There
are all the same DES constants and HTML and text...
So this is the executable; how to disassemble this?
Title: Re: Siglent .ads firmware file format
Post by: PartialDischarge on July 16, 2016, 07:23:09 am
Hi janekivi,
what tools do you use to make the XORs, turn around files etc...
or you just do it with self programmed code?
Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 16, 2016, 08:26:35 am
I have Python and I google around to find procedures I need and then hack something together like:

Code:
# XOR single bytes with 0xFF at offsets 0, 1, 3, 6, 0xA, 0xF, ... (gap grows by 1)
in_name = 'rev_P31.ADS'             # output of the reverse script
out_name = 'Xor_2_' + in_name
with open(in_name, 'rb') as f:
    b = bytearray(f.read())
a = 0                               # current gap between XOR-ed bytes
j = 0                               # current offset
i = len(b)
while j < i:
    b[j] ^= 0xFF
    j = j + a + 1
    a = a + 1
with open(out_name, 'wb') as f:
    f.write(b)
print(' * XOR with increasing pattern done * ')

And then I can change the variables there and change the starting addresses

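Code:
# replaces the loop in the script above; b is the bytearray loaded there
i = len(b)
j = len(b) // 2 - 36    # (file length - 72) / 2; integer division so j can index b
while j < i:
    b[j] ^= 0xFF        # XOR every byte from the center to the end
    j = j + 1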

And reverse example:
Code:
src_file_path = 'P31.ADS'
reversed_path = 'rev_' + src_file_path

# read the whole firmware file and write it back with the byte order reversed
with open(src_file_path, 'rb') as src_file:
    byte_list = src_file.read()
with open(reversed_path, 'wb') as outfile:
    outfile.write(byte_list[::-1])

I modify them a lot and there is not needed parts and different rows sometimes...
Title: Re: Siglent .ads firmware file format
Post by: analogNewbie on July 16, 2016, 12:51:12 pm
Sorry, I posted the unpack script a few min ago and I've deleted it. I have figured out the ADS file format shared by SDG2000x, SSA3000x etc.

There are some other reasons I have not released the code:
1) the "upgrade" mechanism for SDG2042x to 120MHz is still working. O0
2) if siglent fixes the bug, a license can be generated to keep the 120MHz ability. I have made a license generator.
3) if the telnet/ssh connect is blocked someday and a white list is embedded, an unofficial ADS file can be made to unblock it.
4) I am a little bit worried about the consequences.  |O :palm:   
5) I expect that siglent keeps using this format in the future.

So, if you are the owner of SDG2042x , do not be worried about losing the 120MHz.
If you want to do some research on the options of something like SSA3000x or so, I can send the ELF file to you.



For the 3DES, they implemented the wrong way, here is the algorithm they use.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 16, 2016, 03:21:23 pm
This is working fine.
As you may know I did handle crypted files with notepad and calculator not knowing anything
about crypt or cryptography or key : ) But with knowing something is always more productive.
I still do not know much...
Title: Re: Siglent .ads firmware file format
Post by: flynnjs on July 16, 2016, 04:08:32 pm
> For the 3DES, they implemented the wrong way,

Thanks for that, it would have taken me quite a while to pick through that.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 17, 2016, 01:50:45 pm
I had an idea to change the shadow file contents and crc in both places.
All the info was outside the crypted area too. But what is in the header before
every file inside the update? SDG2000X P21R2.ADS has only one zip inside.
But if you have the SDM3055 transition.ads, there are many files.

12 1E B1 8F   59 C5 DA 00   07 00 00 00   00 00 00 00
00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
00 00 00 00   50 4B 03 04   0A 00 00 00   00 00 42 A0

The zip file starts with 50 4B 03 04 and its length is DA C5 59.
07 may be the zip file type; u-boot has 01 there, ELF has 03...
The first 4 bytes must be related to the following file somehow.
I'm staring at this ads reading script in IDA but...
The main 112 byte header is even crazier.
Title: Re: Siglent .ads firmware file format
Post by: analogNewbie on July 19, 2016, 01:37:38 am
8fb11e12 is the checksum of the current section, 00dac559 is the length, 07 is the section type.

If you just need to unpack the package, the 1st 112 bytes are not needed.

There is a byte exchange process after the decryption. The algorithm is not complex, but it cannot be done by comparing different files. You need to play with IDA.

good luck

Title: Re: Siglent .ads firmware file format
Post by: dav on July 21, 2016, 07:06:14 am

> 2) if  siglent fixes the bug. A license can be generated to keep the 120MHz ability. I have made a license generator.

What do you think to share the license generator?
Title: Re: Siglent .ads firmware file format
Post by: new299 on August 04, 2016, 03:04:01 pm
Hi guys,

Do you think you might be able to help me extract u-boot (including the SPL) from the firmware images, it seems to be present in SDG_transitional.ads.

I've been trying to unpack the ads files myself. I can see the first header (so called 112byte header above) and it's about the right size (130k) for the u-boot spl. However what follows doesn't look like any kind of binary (very low complexity).

Could you tell me how the firmware files are organised? Are there a bunch of headers at the start of the ADS? Or all the different parts of the ads prefixed with a header?

Failing that, if you'd be willing to send me an extracted u-boot for an SDG800 I'd be most grateful.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on August 04, 2016, 03:59:58 pm
I'm looking in different firmware files. Many of them have u-boot.
Here is one from SDG800 V100R008B01D01P12R2.ADS
But SDG800_transition.ADS has 3-4 files in it and I don't know
their names. Best bet is this: http://wikisend.com/download/483710/from_transition.zip
File start is promising and from 00 00 4B 30 is starting GZIP
(Header - 1F 8B 00) and You can unpack it to have more of
files. One of them I recognize as logo...
Title: Re: Siglent .ads firmware file format
Post by: janekivi on August 04, 2016, 04:43:50 pm
...or this is app file with all stuff inside. I don't know about Linux much.
Inside was this image:
Title: Re: Siglent .ads firmware file format
Post by: new299 on August 05, 2016, 07:08:27 am
> ...or this is app file with all stuff inside. I don't know about Linux much.
> Inside was this image:

Thank you, so so much for your help! Using the files you posted I was able to recover my Siglent to u-boot. I think it should be relatively easy to get the system booting to Linux now. I wrote up my notes here:

http://41j.com/blog/2016/08/sdg800-recovering-from-a-hosed-u-boot/
Title: Re: Siglent .ads firmware file format
Post by: janekivi on August 05, 2016, 09:09:05 pm
After some needed help and more notepad and head scratching my SDG2000X-P21R2
user is root and password is... you guess...
Title: Re: Siglent .ads firmware file format
Post by: janekivi on August 05, 2016, 09:58:56 pm
If You take SDG2000X-P21R2.rar and let bspatch to use difference on it like:
bspatch.exe SDG2000_V200R001B01D01P21R2.ADS NewFirmware.ADS difference
and SDG2042X accept NewFirmware.ADS and new password, 7 char, lowercase,
starting with ee, everybody know here...
http://www.daemonology.net/bsdiff/
Title: Re: Siglent .ads firmware file format
Post by: new299 on August 06, 2016, 02:37:33 am
> If You take SDG2000X-P21R2.rar and let bspatch to use difference on it like:
> bspatch.exe SDG2000_V200R001B01D01P21R2.ADS NewFirmware.ADS difference
> and SDG2042X accept NewFirmware.ADS and new password, 7 char, lowercase,
> starting with ee, everybody know here...
> http://www.daemonology.net/bsdiff/

Neat! I wonder if the same trick can be used on the SDG800

I tried editing the flash dumps directly but I think I screwed up the UBI filesystem. I'm planning to try properly mounting the FS and changing /etc/shadow but on my last attempt it didn't mount cleanly (not sure why, some kind of header). I might try doing it on the device using the sdg800_transitional.ads rootfs (which exposes a bash prompt) to mount the other FS.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on August 06, 2016, 07:39:07 am
I can try this but You must test it : )
I don't have many instruments here...

It would be as easy as sdg1042x if I get somehow 271 bytes packed data of shadow file for zip to replace.
So You come up with all kind of password hash and pack new shadow file and if packed size is 271 bytes,
send zip to me...
I was using the same salt for sdg2042x but it doesn't matter now.
https://quickhash.com/crypt3-md5-online

This part is cut from P12R2 where needed new data(bytes 40 - 14E)

There is cool hex editor: 010 Editor, where You can use templates to analyze all kind of files
and it is decoding all fields for You, it will calculate checksums and do more of other stuff...
Title: Re: Siglent .ads firmware file format
Post by: janekivi on October 15, 2016, 07:46:59 pm
Here was a bit silence... but now possibly I can make new ZIP files for firmware and replace
files in it. And passwords too. Supported are this kind of firmware files where is that same
format. For SDG800 possibly can be replaced boot logo.
But for now I can only confirm working files with SDG2048X and some hacks with SDG1025.
Nobody else has reported anything back...
Title: Re: Siglent .ads firmware file format
Post by: darrylp on October 17, 2016, 08:40:06 am
I've struggled to get the file (on the Sdg1020 I have) fully un-encrypted to allow study of the bandwidth unlock feature.

--
 Darryl

Title: Re: Siglent .ads firmware file format
Post by: janekivi on October 17, 2016, 02:58:04 pm
I can give to you something newer too but on first page here I talk about
SDG1000-V100R001B01D01P31.ADS and there are files too.
Title: Re: Siglent .ads firmware file format
Post by: darrylp on October 17, 2016, 03:30:39 pm
Yes I've started with them, but it's the version 36 or 37 that has a menu option for bandwidth upgrade via a key number

--
 Darryl

Title: Re: Siglent .ads firmware file format
Post by: janekivi on October 17, 2016, 04:12:56 pm
Ok. Let's see what is inside 37R3.
In the firmware there are 2 files. In the header you see 00 00 00 00 padding and then the CRC, length, file type (fpga data).
The FPGA DATA CRC is next, then the length, and the file starts. The length points us to the next file start, 00 05 3A 2C.
There you find the CRC, the part length 00 0A C9 30, and this is the firmware end too. Next, 00 00 00 02 is the part type I think,
and the app starts from 00 05 32 B8 with 40 00 00 00 80 00 FF 00 ... ...
They are exactly the same in the flash chip too. No more magic. But it is the same thing there with the packed part from
00 00 CF E4.

decrypted 37R3 (http://s000.tinyupload.com/index.php?file_id=37488989169878544621)
Title: Re: Siglent .ads firmware file format
Post by: hafrse on October 20, 2016, 08:15:23 pm
> After watching a nice video https://www.youtube.com/watch?v=colVXihqdGo, I decided to open up my generator.
>
> No rust in there   ;D
>
> The serial port is easily accessible, and the command prompt is also there. After connecting the normal "upgrade" can still be done.
>
> br,
> mike

Great information! Just want to know how to convert that to USB or an old RS232 to USB adapter. Thanks
Title: Re: Siglent .ads firmware file format
Post by: janekivi on October 21, 2016, 03:15:56 pm
If you want telnet, read 7-8 posts upwards where I have 21R2 password hack
I can do them for other instruments too

Ok, link if you can't patch it: SDG2000_eevblog_P21R2.ADS (http://s000.tinyupload.com/index.php?file_id=27636778236277715757)
Title: Re: Siglent .ads firmware file format
Post by: janekivi on October 26, 2016, 08:57:55 pm
One day there was nothing to do and I did learn C#. I wanted to click everything with mouse.
I click on Python files too but for this I need input and output filenames in there for every time.
This wasn't fun.
So I converted all scripts from this thread to C# and got very hyper super mega flexible
powerful great utility. As much as for functionality there is not forgotten look too.
But is it useful...
Title: Re: Siglent .ads firmware file format
Post by: hafrse on October 27, 2016, 03:21:43 pm
> If you want telnet, read 7-8 posts upwards where I have 21R2 password hack
> I can do them for other instruments too
>
> Ok, link if you can't patch it: SDG2000_eevblog_P21R2.ADS (http://s000.tinyupload.com/index.php?file_id=27636778236277715757)

Thanks for the information, what I understand is that SDG2000_V200R001B01D01P21R2.ADS is the patched file for 21R2 where I can use telnet and upgrade the bandwidth as version SDG2000_V200R001B01D01P17R5.ADS ?
Many thanks in advance!
Title: Re: Siglent .ads firmware file format
Post by: janekivi on October 27, 2016, 03:46:41 pm
No.
If you take original SDG2000_V200R001B01D01P21R2.ADS
and patch it with "bsdiff.exe" using "difference" You get patched file
and patched like this is file from the link: SDG2000_eevblog_P21R2.ADS
....
where You can use telnet and do whatever... things...

But now I must do newer from latest firmware P22R5... : )
Or someone like to calculate password?
root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1
Title: Re: Siglent .ads firmware file format
Post by: hafrse on October 27, 2016, 05:42:57 pm
> No.
> If you take original SDG2000_V200R001B01D01P21R2.ADS
> and patch it with "bsdiff.exe" using "difference" You get patched file
> and patched like this is file from the link: SDG2000_eevblog_P21R2.ADS
> ....
> where You can use telnet and do whatever... things...
>
> But now I must do newer from latest firmware P22R5... : )
> Or someone like to calculate password?
> root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1

Got it!
I need to find the exe file bsdiff.exe, do you have it ? thanks
Title: Re: Siglent .ads firmware file format
Post by: janekivi on October 27, 2016, 06:23:06 pm
Yes, I got it from the link there
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg998481/#msg998481


And I changed here root password too SDG2000_eevblog_P22R5.ads (http://s000.tinyupload.com/index.php?file_id=97592156348538956368)
Title: Re: Siglent .ads firmware file format
Post by: hafrse on October 27, 2016, 07:32:41 pm
> Yes, I got it from the link there
> https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg998481/#msg998481
>
> And I changed here root password too SDG2000_eevblog_P22R5.ads (http://s000.tinyupload.com/index.php?file_id=97592156348538956368)

works fine, thanks for your valuable contribution !!!!!!!!!!!!!!!!!!!!!!
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 01, 2016, 09:38:15 pm
One ADS format is torn to bits... you know... bits. OK.
But what about the other ADS, like the one for scopes?

Let's take one and start looking. Maybe we will find something.
This is how it all looks to me. I take the SDS2000X and SDS1000X files here and compare them.
There is a header, and the parts have a 72 byte header. It is hard to tell about the header and the first
file line, but I start from the start. The first 4 bytes are 00123456? The next 8 bytes are the parts
table. One byte represents one part: if it's present there is 01, otherwise
there is 00. So I think there are 8 possible parts in the firmware. Obviously there must be some
addresses. The next 8 x 4 bytes are them. If a part wasn't there, there isn't an
address for it either. Let's look closer at sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS.
Then we will see what is next and where the file header ends.

Code:
00000000   56 34 12 00  01 01 01 01  01 00 01 00  D1 EC 0D 00  V4..........Ñì..
00000010   FF B7 16 00  FF B7 16 00  3B BB 16 00  CC 4C 13 00  ÿ·..ÿ·..;»..ÌL..
00000020   00 00 00 00  FF FF 07 00  00 00 00 00  32 2E 31 2E  ....ÿÿ......2.1.
00000030   31 2E 39 00  89 03 04 00  39 00 00 32  30 31 36 30  1.9.....9..20160
00000040   36 30 36 00  03 04 00 39  00 00 32 30  31 36 30 36  606....9..201606
00000050   30 36 00 03  04 00 39 00  00 32 30 31  36 30 35 31  06....9..2016051
00000060   36 00 03 04  00 39 00 00  31 2E 32 2E  31 2E 33 38  6....9..1.2.1.38
00000070   2E 37 00 00  39 00 00 00  00 00 00 00  00 00 00 00  .7..9...........
00000080   00 00 00 00  00 00 33 2E  31 2E 31 2E  31 33 00 37  ......3.1.1.13.7
00000090   00 00 39 00  00 00 00 00  00 00 00 00  00 00 00 00  ..9.............
000000A0   00 00 00 00  01 00 00 00  00 00 00 00  00 00 00 00  ................
000000B0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000000C0   00 00 00 00  FF BD DC C9  32 2E 31 2E  31 2E 38 00  ....ÿ½ÜÉ2.1.1.8.
........   ...

The third part in here is the part version. In some cases it's in date format. But I'm not
sure what's in between. For each part there are 15 bytes. Maybe the version nr is 8 bytes
and in between is the part type. Somewhere there is bin, and when the version was 9 bytes
there wasn't room for "bin" and there is "in". Obviously the version part is missing too when 00
is written to the part and length bytes. So 8 parts x 15 bytes is 120, and the next data is
01 for SDS2000 and 03 for SDS1000. Maybe the rest there is padding and the real stuff may
begin from address C4, making the header 196 bytes long. Maybe...
The first 4 bytes are the Siglent CRC for the first part, which starts from C8 and has its
length in first place - D1 EC 0D 00 - 0D EC D1. The strange thing there is that the CRC bytes
are in a different order in this ADS format.
From the CRC to the next part is 0D EC D1, and here is the next part's data length B7 B7 16 -
16 B7 B7. The data starts with FF there and the header must be 72 bytes, because from the header
we see the whole part length is FF B7 16.
All of it is going to continue like this. The first part is a bit different.

I have here different timezone and that's all for today.
Let's continue this bedtime story at next time.
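
Added example, not part of the original post and not the poster's or Siglent's code: a Python parser for the first 0xD0 bytes shown in the dump, using the field boundaries the post works out (magic, 8 presence bytes, 8 little-endian lengths, 8 version slots of 15 bytes, header ending at 0xC4). Laying the parts out back to back from 0xC4 follows the post's reading and is an assumption here, as are all function and key names.

```python
import struct

# First 0xD0 bytes of sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS,
# copied from the hex dump in the post above.
HEADER = bytes.fromhex("""
56341200 01010101 01000100 D1EC0D00
FFB71600 FFB71600 3BBB1600 CC4C1300
00000000 FFFF0700 00000000 322E312E
312E3900 89030400 39000032 30313630
36303600 03040039 00003230 31363036
30360003 04003900 00323031 36303531
36000304 00390000 312E322E 312E3338
2E370000 39000000 00000000 00000000
00000000 0000332E 312E312E 31330037
00003900 00000000 00000000 00000000
00000000 01000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 FFBDDCC9 322E312E 312E3800
""")

MAGIC = 0x00123456
N_PARTS = 8
SLOT_OFF = 0x2C        # 4 magic + 8 presence + 8 * 4 length bytes
SLOT_LEN = 15          # the post's estimate for each version slot
HDR_LEN = 0xC4         # the post's estimate (196 bytes); part 1 CRC follows


def parse_sds_header(buf):
    """Decode the header fields under the layout assumed in the post."""
    if len(buf) < HDR_LEN + 4:
        raise ValueError("need at least %d bytes" % (HDR_LEN + 4))
    magic, = struct.unpack_from("<I", buf, 0)
    if magic != MAGIC:
        raise ValueError("unexpected magic %#010x" % magic)
    present = buf[4:4 + N_PARTS]
    lengths = struct.unpack_from("<%dI" % N_PARTS, buf, 4 + N_PARTS)
    parts, notes, offset = [], [], HDR_LEN
    for i in range(N_PARTS):
        slot = buf[SLOT_OFF + i * SLOT_LEN:SLOT_OFF + (i + 1) * SLOT_LEN]
        # Version text runs up to the first NUL; the bytes after it are
        # the not-yet-understood remainder mentioned in the post.
        version = slot.split(b"\0", 1)[0].decode("ascii", "replace")
        if present[i] not in (0, 1):
            notes.append("part %d: presence byte is %#x" % (i + 1, present[i]))
        if not present[i] and (lengths[i] or any(slot)):
            notes.append("part %d: absent but has length/version" % (i + 1))
        parts.append({
            "index": i + 1,
            "present": bool(present[i]),
            "length": lengths[i],
            "version": version,
            # Assumption: regions follow each other directly from HDR_LEN.
            "offset": offset if present[i] else None,
        })
        if present[i]:
            offset += lengths[i]
    return {
        "magic": magic,
        "parts": parts,
        # Byte right after the slots: 01 for SDS2000, 03 for SDS1000 (per the post).
        "model_flag": buf[SLOT_OFF + N_PARTS * SLOT_LEN],
        "first_crc": buf[HDR_LEN:HDR_LEN + 4],
        "expected_size": offset,      # compare with the real file size
        "notes": notes,               # layout inconsistencies, if any
    }


if __name__ == "__main__":
    hdr = parse_sds_header(HEADER)
    for p in hdr["parts"]:
        if p["present"]:
            print("part %d  offset %#08x  length %#08x  version %s"
                  % (p["index"], p["offset"], p["length"], p["version"]))
    print("notes:", hdr["notes"] or "none")
```

If `expected_size` does not match the size of the real file, the back-to-back assumption is wrong for that firmware.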
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 03, 2016, 09:15:46 pm
All is not that simple as it looks. But that's how all is at the beginning.

This SDS firmware is like memory dump with predefined regions for parts-files.
Addresses in the header is kind of place markers. Data can be shorter there
and in some cases I can't find any length or crc or other part-file guidance at
this beginning address. Of course I don't know anything about those parts.
First of them is something like string collection.
All of them are bit confusing right now...
I got suitable parts from Siglent_ADS project junkyard and start beating together
new utility for this.
_____________________
v0.1.1 with file open check
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 05, 2016, 04:02:50 pm
When we open SDS2000X file sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS
and cut it to the parts, today part 5 is interesting for us. It can be executable and contain
packed part too like SDG1000 file. If we look it in hex editor and scroll thru the data we can
see structure change at address 00 01 09 A7. It is like zlib header again - 78 DA. Zlib with the
best compression. Then last 6 bytes is some sort of padding and Adler32 must be 88 CE 76 FC.
But who knows...
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 06, 2016, 04:21:17 pm
I made several utilities for unpacking zlib but they all are working only with SDG1000
file. For this is good utility there too  http://aluigi.altervista.org/mytoolz.htm#offzip (http://aluigi.altervista.org/mytoolz.htm#offzip)
which can seek packed parts from file and extract those.
Part 5 of SDS1000/2000 firmware is like second part from SDG1000 where is unpacker
and from address 00 00 CF E4 located zlib packed part. SDS file has the same section
at the beginning with the same error messages strings. And from address 00 01 09 A7
starting zlib part... But whole file have like 5 byte counter after every 24 bytes. From the
beginning we can see FA 18 00 00 00 and it continues 18 00 18... 18 00 30... 18 00 48.
But not like this to the end. When I remove it with mask I lost tracking and can only
decompress 18502 bytes of that packed part.
I have seen this kind of pattern elsewhere too... but what system is this and what is
the first byte before 18.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 07, 2016, 09:11:39 pm
Some updates.
-----------------
OK, that was kind of right. Part 5 has a 4 byte footer.
But whole file have like 4 byte counter after every 24 bytes. From the beginning we can see
6 bytes where last two are 65536 byte counters - 02 00 00 04 00 00 which 8-byte checksum
is next - FA. After that is starting data counter 18 00 00 00 and it continues 18 00 18 00...
18 00 30 00... 18 00 48 00. But not like this to the end, after every 65536 bytes is that
6 byte counter part.
After every data part is 8-bit checksum from previous data and counter, usually from 28 bytes.

So, counters are zeroed out and file is beginning:
02 00 00 04 00 00 --- counted 00 bytes
18 00 00 00  --- 18 - count 24 bytes

next is
18 00 18 00
 |     |---------24 bytes is counted
 |---------------count 24 bytes

next is
18 00 30 00
 |     |---------48 bytes is counted
 |---------------count 24 bytes
...
and so on until counter fills up
...
18 FF D8 00
10 FF F0 00
 |     |---------65520 bytes is counted
 |---------------count 16 bytes

now counter is over FF FF and comes
02 00 00 04 00 01
                |----first 65536 bytes is counted

and counter starts again
18 00 00 00
 |     |---------0 bytes is counted
 |---------------count 24 bytes
...
and so on when last 2 are
18 F8 58 00
 |     |---------63576 bytes is counted
 |---------------count 24 bytes

07 F8 70 00
 |     |---------63600 bytes is counted
 |---------------count 7 bytes

and last bytes of file are
00 00 00 01 FF
 |
 |---------------count 0 bytes - so it is the end of file

This is 4 byte footer which 8-bit checksum is FF. Maybe 01 is marking "end of file 1".
Now if we remove all counter parts and checksums, we get clean file and after decompressing
it the Adler32 is matching with 95 88 CE 76 at the end in original Part_5.hex in last data packet
before checksum.

Now if I remove all of the counter parts I get clean file and after decompressing it
I get Adler32 from the end of data  - 95 88 CE 76
I was hoping to see there something interesting, like logo in SDG1000 file but ... boring...

-----------------------------------------------------------------------------------------------------------------------------------
decompressed second part from part 5 of sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 09, 2016, 06:49:27 pm
New SDS ads viewer utility v0.1.2 can get that app saved straight from opened firmware file or from
one of extracted files (part 5) with dedicated tools menu. Deflating can be done for example with offzip.
Only help at this time comes only from ToolTipTexts when staying on menu items...
-------------------------------------------------------------
Windows NET 3.5 C# application (WinXP, Win7...)
Title: Re: Siglent .ads firmware file format
Post by: dav on November 10, 2016, 06:43:59 am
What about the SDG and SSA .ADS viewer utility?
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 10, 2016, 09:00:35 pm
I might release SDS viewer but there is too many buttons.
So, is somebody english review my EEenglish help file - yes, I made help file,
first time in history, then we see...
Title: Re: Siglent .ads firmware file format
Post by: dav on December 11, 2016, 05:58:11 pm
Just to let you know, Avira found this trojan in "SDS ads viewer utility v0.1.2"

Crypt.Xpack.vyifq
Title: Re: Siglent .ads firmware file format
Post by: janekivi on December 11, 2016, 08:53:40 pm
Crypt.Xpack itself isn't trojan, this is only cryptic packer which was in programmers tool.
But from this day on nobody can't use it any more because somebody was packing some
trojan with this...

Other components from it I wanted to use were flagged already
https://yck1509.github.io/ConfuserEx/
Title: Re: Siglent .ads firmware file format
Post by: tridentsx on April 08, 2017, 07:08:34 am

Has anyone looked at the ads files for the power supplies http://www.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SPD3303X-Firmware-V100R001B01D02P03.rar (http://www.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SPD3303X-Firmware-V100R001B01D02P03.rar) ?
Title: Re: Siglent .ads firmware file format
Post by: tautech on April 08, 2017, 07:24:05 am

Has anyone looked at the ads files for the power supplies http://www.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SPD3303X-Firmware-V100R001B01D02P03.rar (http://www.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SPD3303X-Firmware-V100R001B01D02P03.rar) ?
That could be an interesting exercise with the possibility of improving a SPD3303X-E to an X model saving $150 and gaining 10x the V and A resolution.  :popcorn:
Title: Re: Siglent .ads firmware file format
Post by: janekivi on April 08, 2017, 09:42:56 am
Of course I looked in all files. But "looked" was the right word. There was no other experiments.
Inside there is one app file. I see in that directory I did look it with IDA too. But how or where I dug out this image I don't remember...

edit
-----

 * Actually they have different firmware, you may need to compare them (both are in the zip):
 * Boot image was just cut out from
    SPD3303X-E-V100R001B01D02P03.hex from 00 02 4A C8 to 00 02 7F 5B and saved as JPG
    SPD3303X-V100R001B01D02P03.hex 00 02 4A AC - 00 02 7F 3F
Title: Re: Siglent .ads firmware file format
Post by: janekivi on April 08, 2017, 10:40:18 am
I can make the same trick here like when I was uploading LeCroy in to SDG1025
but who can try this and there may be the same check routine and instrument
will say "Not supported firmware, please reflash correct. Otherwise I will wait 15 min".
This is stupid, it will wait that time anyway before you can access flash menu...

So... do not be the first who is using this firmware file on SPD3303X-E
but this first hack may be needed to be tried out by someone.

SPD3303X-V100R001B01D02P03_with _E_header.zip
OK, I give this only individually after request. I can't test it.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on May 14, 2017, 03:43:06 pm
New SDS ads viewer utility v0.1.2 can get that app saved straight from opened firmware file or from
one of extracted files (part 5) with dedicated tools menu. Deflating can be done for example with offzip.
Only help at this time comes only from ToolTipTexts when staying on menu items...
-------------------------------------------------------------
Windows NET 3.5 C# application (WinXP, Win7...)
Version 0.1.3 has some minor fixes and help file which is full of all kind of strange text.
What you gonna do, I can't write in normal english...

-------------------------------------------------------------
In help file is updated SDS file format description, which is not so relevant

-------------------------------------------------------------
Maybe part version end in header is space and next crap is leftover from something old,
so version 0.1.4 displays that table differently now.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on May 31, 2017, 10:51:27 am
Hi janekivi ,

I've been doing some research on Siglent .ADS files, trying to parse every single file that they have.

I've managed to understand most of the files packing, as you have done, including parsing the Blackfin BF54x and BF53x blocks in order to load them more easily in IDA. I've not analysed uBoot, ELF files. I let that to the Linux guys.

I have been doing it in C# (console). Once I have it more bullet-proof I'm thinking of releasing a compiled version so that people can unpack the files.

(I'm not sure if you have found it yet, but the 1st byte in your "5-byte type of blocks counter" is the last byte of the previous block. So, the blocks start (usually) with the 0x18 + 3 bytes + n (0x18) data bytes + last byte (which is the checksum of the whole block, including header). The checksum is the usual "- Sum of all bytes".)

This 5th block in the SDS files is the only understandable to me. Do you know what are the other blocks for?
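
The Part 5 framing described in the posts above, put together as an added example (not code from any poster): it strips the records from a constructed sample, checks every "minus sum of all bytes" checksum, then finds the 78 DA zlib stream and lets zlib confirm the Adler-32. Function names and sample data are made up here; the strict counter check, and the remark that the fields follow Intel HEX record order (count, 16-bit address, type, data, checksum), are assumptions added here and not something the posts state.

```python
import struct
import zlib

REC_DATA, REC_EOF, REC_PAGE = 0x00, 0x01, 0x04  # 4th header byte, as seen in the posts


def checksum8(block: bytes) -> int:
    """8-bit "minus sum of all bytes" over header + data."""
    return -sum(block) & 0xFF


def make_record(rtype: int, counted: int, data: bytes = b"") -> bytes:
    """One record: length, 16-bit counter (big-endian), type, data, checksum."""
    body = struct.pack(">BHB", len(data), counted, rtype) + data
    return body + bytes([checksum8(body)])


def wrap_records(payload: bytes, chunk: int = 24) -> bytes:
    """Frame a payload the way the posts describe (used to build the sample)."""
    out, off = bytearray(), 0
    while off < len(payload):
        if off & 0xFFFF == 0:  # new 65536-byte page: 02 00 00 04 hi lo
            out += make_record(REC_PAGE, 0, struct.pack(">H", off >> 16))
        n = min(chunk, len(payload) - off, 0x10000 - (off & 0xFFFF))
        out += make_record(REC_DATA, off & 0xFFFF, payload[off:off + n])
        off += n
    return bytes(out + make_record(REC_EOF, 0))


def strip_records(blob: bytes) -> bytes:
    """Verify every record and return the payload without the framing."""
    out, page, pos = bytearray(), 0, 0
    while pos + 5 <= len(blob):
        length, counted, rtype = struct.unpack_from(">BHB", blob, pos)
        end = pos + 4 + length  # index of the checksum byte
        if end >= len(blob):
            raise ValueError(f"truncated record at 0x{pos:X}")
        if checksum8(blob[pos:end]) != blob[end]:
            raise ValueError(f"bad checksum at 0x{pos:X}")
        data = blob[pos + 4:end]
        if rtype == REC_EOF:
            return bytes(out)
        if rtype == REC_PAGE and length == 2:
            page = struct.unpack(">H", data)[0]
        elif rtype == REC_DATA:
            # Assumption: the counter always equals the bytes emitted so far.
            if (page << 16) + counted != len(out):
                raise ValueError(f"counter mismatch at 0x{pos:X}")
            out += data
        else:
            raise ValueError(f"unexpected record type {rtype:#x} at 0x{pos:X}")
        pos = end + 1
    raise ValueError("no end record found")


def find_zlib(buf: bytes, magic: bytes = b"\x78\xDA"):
    """Return (offset, plain, adler_trailer, leftover) for the first stream that inflates.

    zlib raises on a wrong Adler-32, so a hit is a verified stream.
    """
    pos = buf.find(magic)
    while pos != -1:
        d = zlib.decompressobj()
        try:
            plain = d.decompress(buf[pos:])
        except zlib.error:
            plain = None
        if plain is not None and d.eof:
            stream_end = len(buf) - len(d.unused_data)
            return pos, plain, buf[stream_end - 4:stream_end], d.unused_data
        pos = buf.find(magic, pos + 1)
    return None


if __name__ == "__main__":
    # Constructed sample: filler in place of the unpacker code, a zlib -9 stream,
    # then 6 padding bytes. None of this is taken from a real firmware file.
    stub = bytes(range(256)) * 260
    app = b"constructed application image " * 400
    framed = wrap_records(stub + zlib.compress(app, 9) + bytes(6))
    clean = strip_records(framed)
    off, plain, trailer, rest = find_zlib(clean)
    print(f"{len(framed)} framed bytes -> {len(clean)} clean bytes")
    print(f"zlib at 0x{off:X}: {len(plain)} bytes, Adler32 {trailer.hex().upper()}, "
          f"{len(rest)} bytes after the stream")
```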
Title: Re: Siglent .ads firmware file format
Post by: janekivi on May 31, 2017, 05:06:45 pm
I don't understand almost anything in ads files, only taking it apart and looking into everything.
Linux is not my thing and in IDA I don't recognize much. Also I was looking into
ro_uImage, rw_uImage - partly packed
datafs.img, firmdata0.img - UBI images
and with GIMP or IrfanView I scan all files for graphics.

In SDS files it is 8-bit Checksum indeed. I may recompile my SDS viewer. But I was cutting out
right part anyway because unpacked checksum matches. Unpacker part in the beginning of
the 5th part is the same as in SDG1000 file. Part 1 is most likely help. Parts 2, 3, 4 almost the
same as FPGA file LcdFpga.bin from SSA3000X. I mean beginning and especially look at the end.
Who knows... maybe version numbers in the beginning can help if somebody can see them in
scope menu. Like 3.1.1.13, 2.1.1.8, 2.1.1.9
I have only SDG2000X and SDG1000 actually.
(Of course Flir E4 and Rigol DS1054Z too for other threads :))
Title: Re: Siglent .ads firmware file format
Post by: tv84 on May 31, 2017, 06:53:48 pm
Yes, the beginning of the 5th part is similar to the SDG1000 but the Blackfin processor is a BF54x and, as such, has a totally different way of decoding (relative to the BF53x of the SDG1000).

OK, so now you've turned to the files inside the ZIPs. I'll be trying those also to see if anything comes up. I've also implemented many graphic detectors in my programs GIF / JPEG / MPEG / etc that work even if there are no (usual) magic numbers.

I also have a Rigol scope so might have a look at that.

I've also developed a deflate scanner that can detect zlib/gzip streams without proper headers and crc/adler, and sometimes becomes useful for dealing with this type of compression in stripped fw. I think there's nothing around that is able to do this.

The goal is: as usual, just for fun.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on May 31, 2017, 07:21:10 pm
.......
I also have a Rigol scope so might have a look at that.
.......
The goal is: as usual, just for fun.
This is here... but we were far away from fun, we want to change PLUSES  to PULSES
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/ (https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on May 31, 2017, 09:44:54 pm
ro_uImage and rw_uImage both have a GZIP stream starting at 0x4966 with no valid header but with valid CRC32+Size. That's easy for my scanner. :)

I'll have a look at the RIGOL efforts... Will be difficult to help you guys.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 01, 2017, 02:57:38 pm
http://www.garykessler.net/library/file_sigs.html (http://www.garykessler.net/library/file_sigs.html)
1F 8B 08 is GZIP header at 495C, there was no problems but normal UBI-reader is hard to find.
Couple of times I was successful with ubidump but now I use something with Ubuntu.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 01, 2017, 06:40:48 pm
Sorry for that. You're right, the magic bytes were there.

I'm so accustomed to finding deflate compression with no headers and no footers that many times I forget the easy way which is: the file is totally in there...  ::)


Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 03, 2017, 09:02:43 am
Yeah, I didn't try this before, but they use the same CRC calculation methods everywhere.
Somewhere output is 32 bit and in SDS it is 8 bit. And they can be used as MSB or LSB first.
Code: [Select]
import functools

# If you have a file
filename = 'File'
with open(filename, 'rb') as f:
    data = bytearray(f.read())

# Or data can be declared directly
# data = bytes([0x02,0x00,0x00,0x04,0x00,0x00])

# Sum all bytes, then negate (two's complement)
csum = functools.reduce(lambda x,y: x+y, data, 0)
csum = ~csum + 1
csum = csum & 0xffffffff # the only difference is here
print (format(csum, 'X'),"- 32 bit checksum")
csum = csum & 0xff # the only difference is here
print ("     ",format(csum, 'X'),"-  8 bit checksum")
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 03, 2017, 03:33:07 pm
janekivi,

Looking at SDS1000X_V100R001B01D02P1503.ADS:

Code: [Select]
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20170310  [000DED95-0024A9E3]
      000DED95 - Header Size: 00000048
      000DEDDD - Data Size: 0016BC07
03  0000004A --- 0208 310  [0024A9E4-00276BF3]
      0024A9E4 - Header Size: 00000048
      0024AA2C - Data Size: 0002C1C8
04  00000059 --- 20170207  [00276BF4-002E84BE]
      00276BF4 - Header Size: 00000048
      00276C3C - Data Size: 00071883
05  00000068 --- 1.1.2.15  [002E84BF-00417E4E]
002E84BF - Removing block encapsulations from Block Area [002E84BF-00417E4E]

Total bytes extracted (from the blocks): 000FB396    Block area processed OK

Buffer Size: 00006374 bytes (after converting: 8bit-dma-from-16bit)

Processor Type: BF54x - BF542/BF544/BF547/BF548/BF549
Orig Offset     Offset          Block Code      Target Add      Byte Count      Argument        BFlags
00000000        00000000        AD9F5002        FFA00000        00000000        0000635C        ignore first
00000020        00000010        ADC50102        FF800000        00000014        00000000        fill
00000040        00000020        ADD90102        FF800014        0000001C        00000000        fill
00000060        00000030        ADC80002        FF800030        00000028        00000000
000000D0        00000068        ADA90102        FF800058        00000020        00000000        fill
000000F0        00000078        AD200002        FF800078        00002CA4        00000000
00005A58        00002D2C        ADC50102        FF802D1C        00000124        00000000        fill
00005A78        00002D3C        ADD60002        FFA00000        00003610        00000000
0000C6B8        0000635C        ADF80802        FFA00000        00000000        00000000        init

0000C6D8 --- ZLIB Decompressed Size: 00287728
0000C6E0 --- ZLIB Compressed Block Size: 000EECAE [0000C6E8-000FB395]
****************************************************
  Section Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [00417E4F-00497E4D]
      00417E4F - ?????: 0000DCBB
      00417E53 - Data Size: 0006B930
      00417E57 - Name: 3.1.1.13 ???
      00417E63 - Section Data [00417E63-00483792]
08  00000095 ---
Title: Re: Siglent .ads firmware file format
Post by: alfishe on June 04, 2017, 03:48:32 am
...but normal UBI-reader is hard to find.
Couple of times I was successful with ubidump but now I use something with Ubuntu.

Found the only thing that works flawlessly - https://github.com/jrspruitt/ubi_reader
so was able to unpack every single UBI file from Siglent FWs.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 04, 2017, 08:18:23 am
https://github.com/jrspruitt/ubi_reader
Yes, I think this is the one I'm using with Ubuntu now but can't get it working in windows under the python there.
__________________________________________________________________________________________

But now that BlackFin stuff is bit strange to me, I don't know much about it.
I lost track from there:
Code: [Select]
Buffer Size: 00006374 bytes (after converting 16bit to 8bit)

Processor Type: BF54x - BF542/BF544/BF547/BF548/BF549
Offset          Block Code      Address         Byte Count      Argument
00000000        AD9F5002
So I can't see this stuff right now. In other words, I don't have a clue about this BlackFin part.
Eeee... what you do there?

But seems in SDS header the file version numbers can have different lengths. All this is
like there is written something in the header. May be file names and some data. And then
all is overwritten with file versions which is number or date plus one 00 byte.
Bit strange it looks. For example
03  0000004A --- 0208 310 looks like there was
XXXXXXXX.bin which is overwritten with shorter XXXXX310 and 00 buffer byte
XXXXX310 bin which is now overwritten with shorter 0208 and 00 buffer byte
0208  310 bin
so all file versions are probably numbers to the first 00 byte and the rest is leftover crap.
One strong feeling there is like -  to grow header the whole previous row is added again
and overwritten with correct info, next row is made from this and overwritten and empty
lines are skipped so part 7 has part 5 background there. This is leftover 3 after 00 buffer.

And now there is actually
05  00000068 --- 1.1.2.15  [002E84BF-00417E4E]
05  00000068 --- 1.1.2.15.3  [002E84BF-00417E4E]
because it is V1.1.1.2.15R3

In header first file version showing 2.1.1.9 and first part is beginning with CRC and 2.1.1.8
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 04, 2017, 08:46:09 pm
I changed the code that I had submitted. See the previous post again.

After removing the blocks, you have to convert the section that exists before the ZLIB block from 16 bit to 8 bit.

Then that area will have the Blackfin code that decompresses the ZLIB.

The code has:

                  16-byte block headers

The 1st 4 bytes:
                    0xXX------ - 1st byte -> Header Sign (Magic) - Must be 0xAD ("Analog Devices")
                    0x--XX---- - 2nd byte -> Header Checksum (calculated with 0 in this byte)
                    0x----XXX- - 3rd & 4th bytes -> Block flag (excluding the last nibble)
                    0x-------X - Last nibble -> DMA Code (0x00 -> 0x0F)

The others you can deduce from my parsing in the previous post.

Code: [Select]
string[] DMA_code = {"dma-reserved" , "8bit-dma-from-8bit", "8bit-dma-from-16bit", "8bit-dma-from-32bit",
                "8bit-dma-from-64bit", "8bit-dma-from-128bit", "16bit-dma-from-16bit", "16bit-dma-from-32bit",
                "16bit-dma-from-64bit", "16bit-dma-from-128bit", "32bit-dma-from-32bit", "32bit-dma-from-64bit",
                "32bit-dma-from-128bit", "64bit-dma-from-64bit", "64bit-dma-from-128bit", "128bit-dma-from-128bit" };
           
string[] bflag = { "safe", "aux", "", "", "fill", "quickboot", "callback", "init", "ignore", "indirect", "first", "final" };

As you can see I've discovered where my mistake was. Because I was convinced that the Section 5 was only a Blackfin code block but I discovered that I had missed the ZLIB block. Then, the decompressed size and bytes remaining made sense. It's the same thing in the SDG1000 files.
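
The 16-byte block header from the post above, decoded in an added example (not tv84's parser): it rebuilds the nine headers from the BF54x listing for SDS1000X_V100R001B01D02P1503.ADS, checks the header checksum and walks the stream. Assumptions made here: the four fields are little-endian 32-bit words, the checksum is the XOR of the header bytes (the post does not name the rule; XOR reproduces the checksum byte of all nine listed headers), a "fill" block carries no payload (inferred from the Offset column), and the payloads are replaced by zero bytes.

```python
import struct
from functools import reduce

# Name tables copied from the C# arrays in the post.
DMA_CODE = ["dma-reserved", "8bit-dma-from-8bit", "8bit-dma-from-16bit",
            "8bit-dma-from-32bit", "8bit-dma-from-64bit", "8bit-dma-from-128bit",
            "16bit-dma-from-16bit", "16bit-dma-from-32bit", "16bit-dma-from-64bit",
            "16bit-dma-from-128bit", "32bit-dma-from-32bit", "32bit-dma-from-64bit",
            "32bit-dma-from-128bit", "64bit-dma-from-64bit", "64bit-dma-from-128bit",
            "128bit-dma-from-128bit"]
BFLAG = ["safe", "aux", "", "", "fill", "quickboot", "callback", "init",
         "ignore", "indirect", "first", "final"]

# (block code, target address, byte count, argument) as listed in the thread.
LISTING = [
    (0xAD9F5002, 0xFFA00000, 0x00000000, 0x0000635C),
    (0xADC50102, 0xFF800000, 0x00000014, 0x00000000),
    (0xADD90102, 0xFF800014, 0x0000001C, 0x00000000),
    (0xADC80002, 0xFF800030, 0x00000028, 0x00000000),
    (0xADA90102, 0xFF800058, 0x00000020, 0x00000000),
    (0xAD200002, 0xFF800078, 0x00002CA4, 0x00000000),
    (0xADC50102, 0xFF802D1C, 0x00000124, 0x00000000),
    (0xADD60002, 0xFFA00000, 0x00003610, 0x00000000),
    (0xADF80802, 0xFFA00000, 0x00000000, 0x00000000),
]

HDR = struct.Struct("<4I")  # assumption: four little-endian 32-bit words


def parse_header(hdr: bytes) -> dict:
    """Decode one 16-byte header; raise ValueError on a bad sign or checksum."""
    code, target, count, arg = HDR.unpack(hdr)
    if code >> 24 != 0xAD:
        raise ValueError(f"header sign is {code >> 24:02X}, expected AD")
    stored = (code >> 16) & 0xFF
    # "calculated with 0 in this byte": blank the checksum, XOR the 16 bytes.
    zeroed = HDR.pack(code & 0xFF00FFFF, target, count, arg)
    calc = reduce(lambda a, b: a ^ b, zeroed, 0)
    if calc != stored:
        raise ValueError(f"header checksum {stored:02X}, calculated {calc:02X}")
    # Flag names start at bit 4; the low nibble is the DMA code.
    flags = [BFLAG[i] for i in range(12) if code >> (4 + i) & 1 and BFLAG[i]]
    return {"code": code, "target": target, "count": count, "arg": arg,
            "dma": DMA_CODE[code & 0xF], "flags": flags}


def walk(stream: bytes) -> list:
    """Follow the headers through a de-encapsulated, 8-bit boot stream."""
    pos, blocks = 0, []
    while pos + HDR.size <= len(stream):
        blk = parse_header(stream[pos:pos + HDR.size])
        blk["offset"] = pos
        blocks.append(blk)
        # Inferred from the listing: "fill" blocks have no payload bytes.
        pos += HDR.size + (0 if "fill" in blk["flags"] else blk["count"])
        if "final" in blk["flags"]:
            break
    return blocks


def build_sample() -> bytes:
    """Constructed stream: the listed headers, payloads replaced by zeros."""
    out = bytearray()
    for code, target, count, arg in LISTING:
        out += HDR.pack(code, target, count, arg)
        if not code & 0x0100:  # bit 8 is "fill"
            out += bytes(count)
    return bytes(out)


if __name__ == "__main__":
    for b in walk(build_sample()):
        print(f"{b['offset']:08X}  {b['code']:08X}  {b['target']:08X}  "
              f"{b['count']:08X}  {b['arg']:08X}  {b['dma']}  {' '.join(b['flags'])}")
```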

Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 10, 2017, 06:41:06 pm
SDS1000X_V100R001B01D02P1503.ADS saved as a 8-bit BMP starting at offset 0x27 (to align the blocks) (cropped in length).

It's visible in Section 2 a curious data arrangement (blocks of 64*21 bytes plus 64*9 bytes (whiter...))

I assume it is the Xilinx FPGA since the Section starts with the FFFF FFFF area and the FPGA bitstream SYNCWORD (AA 99 55 66) re-mixed.

(If we save the file with width=320, the block encapsulation of Section 5 is perfectly visible.)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 13, 2017, 08:05:59 pm
Now that I know, I conclude that it should have been easier to spot this:

The 2nd section of SDS1000X_V100R001B01D02P1503.ADS contains the FPGAs bitstreams.  SDS1000 must have 2 FPGAs...

The only obfuscation is that the bytes are reversed. So, to identify the typical SYNC WORD (AA 99 55 66) one has to reverse all the bytes.

Then, it's visible at address 0xDEE05 the IDCODE 0x04008093  that corresponds to a Spartan 6 XC6SLX45.

Summing up:
Section 2 - Spartan 6 XC6SLX45 FPGA bitstream
Section 4 - Spartan 6 XC6SLX16 FPGA bitstream

To be continued...
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 16, 2017, 05:35:36 pm
Testing my FPGA bitstream parser, here is the complete parsing of both SDG1000-V100R001B01D01P37R3.ADS sections:

Code: [Select]
File Header Size: 00000048
00000000 - File Checksum: F9F6C42A [000004-EOF] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 000FFBE8 (without 0x48 bytes of the File Header)
00000008 - Section Size: 000AC930
0000000C - Blocks Area: 00000000 [000FFBE8-000FFBE7]
00000026 - Vendor: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0007FDF4 until 0x000FFBE7
****************************************************
0000000C --- Section Checksum: FEFF926D
00000010 --- Section Size: 00053294 [00000018-000532AB]  CKSM OK
00000014 --- Section # 00000001
  00000018 - Data Checksum: FEFF9BCB
  0000001C - Data Size: 0005327C [00000030-000532AB]  CKSM OK
  00000020 - Data Name: fpga data
  0000002A - ????: 0012
  0000002C - ????: 77D4048F
00000030 --- 000532AB  ***** FPGA DATA *****

00000030 - FFFFFFFF             Padding
00000034 - FFFFFFFF             Padding
00000038 - FFFFFFFF             Padding
0000003C - FFFFFFFF             Padding
00000040 - AA995566             Sync Word (BPI/SPI Mode)
00000044 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
00000048 - 2000                 T1 - 0000000  NOP       (1x)
0000004A - 31A1 0380            T1 W 0000001  FLR
0000004E - 3141 3D00            T1 W 0000001  COR1
00000052 - 3161 09EE            T1 W 0000001  COR2
00000056 - 31C2 04001093        T1 W 0000002  IDCODE
0000005C - 30E1 00CF            T1 W 0000001  MASK
00000060 - 30C1 0081            T1 W 0000001  CTL
00000064 - 2000                 T1 - 0000000  NOP       (17x)
00000086 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
0000008A - 3181 0881            T1 W 0000001  PWRDN_REG
0000008E - 3421 0000            T1 W 0000001  EYE_MASK
00000092 - 3201 001F            T1 W 0000001  HC_OPT_REG
00000096 - 31E1 FFFF            T1 W 0000001  CWDT
0000009A - 3321 0005            T1 W 0000001  PU_GWE
0000009E - 3341 0004            T1 W 0000001  PU_GTS
000000A2 - 3301 0100            T1 W 0000001  MODE_REG
000000A6 - 3261 0000            T1 W 0000001  GENERAL1
000000AA - 3281 0000            T1 W 0000001  GENERAL2
000000AE - 32A1 0000            T1 W 0000001  GENERAL3
000000B2 - 32C1 0000            T1 W 0000001  GENERAL4
000000B6 - 32E1 0000            T1 W 0000001  GENERAL5
000000BA - 33A1 1BE2            T1 W 0000001  SEU_OPT
000000BE - 33C2 00000000        T1 W 0000002  EXP_SIGN
000000C4 - 2000                 T1 - 0000000  NOP       (2x)
000000C8 - 3022 00000000        T1 W 0000002  FAR_MAJ
000000CE - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000000D2 - 5060 000298AD        T2 W 00298AD  FDRI      CRC: 00094352
00053236 - 2000                 T1 - 0000000  NOP       (24x)
00053266 - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0005326A - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0005326E - 2000                 T1 - 0000000  NOP       (4x)
00053276 - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0005327A - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0005327E - 30E1 00FF            T1 W 0000001  MASK
00053282 - 30C1 0081            T1 W 0000001  CTL
00053286 - 3002 001171C1        T1 W 0000002  CRC
0005328C - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
00053290 - 2000                 T1 - 0000000  NOP       (14x)
****************************************************
000532AC --- Section Checksum: FAB63171
000532B0 --- Section Size: 000AC930 [000532B8-000FFBE7]  CKSM OK
000532B4 --- Section # 00000002
000532B8 --- 000FFBE7  ***** BLACKFIN DATA *****

Buffer Size: 000067F2 bytes (after converting from 16 to 8 bits)

0x00000000  DXE 0000 (Data Size: 000067DC) [00000000-000067E9]
Processor Type: ADSP-BF533/534/536/537/538/539 (boot address: 0xFFA00000)
Orig Offset:    Offset:         Block:  Target Add:     Byte Count:     Flags:  [  start -   end  ]
000532B8 ---    0x00000000      0000    FF800040        00000004        0012    [0000000A-0000000D]  resvect ignore
000532D4 ---    0x0000000E      0001    FF800000        000022B0        0002    [00000018-000022C7]  resvect
00057848 ---    0x000022C8      0002    FF8022B0        00000010        0003                         zero-fill resvect
0005785C ---    0x000022D2      0003    FF8022C0        00000010        0002    [000022DC-000022EB]  resvect
00057890 ---    0x000022EC      0004    FF8022D0        0000029E        0002    [000022F6-00002593]  resvect
00057DE0 ---    0x00002594      0005    FF80256E        0000000E        0003                         zero-fill resvect
00057DF4 ---    0x0000259E      0006    FF80257C        000009BA        0002    [000025A8-00002F61]  resvect
0005917C ---    0x00002F62      0007    FF802F36        000000AA        0003                         zero-fill resvect
00059190 ---    0x00002F6C      0008    FF802FE0        0000000C        0002    [00002F76-00002F81]  resvect
000591BC ---    0x00002F82      0009    FF902000        00000004        0002    [00002F8C-00002F8F]  resvect
000591D8 ---    0x00002F90      000A    FF902004        00000068        0003                         zero-fill resvect
000591EC ---    0x00002F9A      000B    FFA00000        0000383A        0002    [00002FA4-000067DD]  resvect
00060274 ---    0x000067DE      000C    FFA00000        00000002        000A    [000067E8-000067E9]  resvect init

0006028C --- ZLIB Decompressed Size: 001AA72E
00060294 --- ZLIB Compressed Block Size: 0009F94C [0006029C-000FFBE7]
****************************************************
  File Processed OK
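
How the packet lines in the FPGA part of the listing above decode, as an added example (not tv84's parser): each 16-bit header splits into type (bits 15..13), opcode (12..11), register (10..5) and word count (4..0); a type 2 header is followed by a 32-bit word count. The register and command numbers are read off the header words in the listing. The sample starts with bytes from the listing, but the FDRI block is shortened to two constructed data words with a constructed CRC word, and the input is assumed to be already in the byte order the listing shows.

```python
import struct

SYNC = bytes.fromhex("AA995566")

# Register numbers taken from bits 10..5 of the headers in the listing.
REGS = {0: "CRC", 1: "FAR_MAJ", 3: "FDRI", 5: "CMD", 6: "CTL", 7: "MASK",
        10: "COR1", 11: "COR2", 12: "PWRDN_REG", 13: "FLR", 14: "IDCODE",
        15: "CWDT", 16: "HC_OPT_REG", 19: "GENERAL1", 20: "GENERAL2",
        21: "GENERAL3", 22: "GENERAL4", 23: "GENERAL5", 24: "MODE_REG",
        25: "PU_GWE", 26: "PU_GTS", 28: "CCLK_FREQ", 29: "SEU_OPT",
        30: "EXP_SIGN", 33: "EYE_MASK"}
# Command values as named in the listing.
CMDS = {1: "WCFG", 3: "DGHIGH/LFRM", 5: "START", 7: "RCRC",
        10: "GRESTORE", 13: "DESYNC"}


def parse_bitstream(buf: bytes) -> list:
    """Return (offset, name, word_count, value) for every packet after the sync word."""
    pos = buf.find(SYNC)
    if pos < 0:
        raise ValueError("sync word AA 99 55 66 not found")
    pos += len(SYNC)
    packets = []
    while pos + 2 <= len(buf):
        (hdr,) = struct.unpack_from(">H", buf, pos)
        ptype, op, reg = hdr >> 13, (hdr >> 11) & 0x3, (hdr >> 5) & 0x3F
        if ptype == 1:
            hlen, wc = 2, hdr & 0x1F
        elif ptype == 2 and pos + 6 <= len(buf):
            hlen, wc = 6, struct.unpack_from(">I", buf, pos + 2)[0]
        else:
            raise ValueError(f"bad packet header {hdr:04X} at 0x{pos:X}")
        end = pos + hlen + 2 * wc
        if end > len(buf):
            raise ValueError(f"packet at 0x{pos:X} runs past the buffer")
        name = "NOP" if op == 0 else REGS.get(reg, f"REG{reg}")
        data = buf[pos + hlen:end]
        if name == "FDRI" and ptype == 2:
            # In the listing each type 2 FDRI block is followed by a 32-bit CRC.
            if end + 4 > len(buf):
                raise ValueError(f"missing CRC after FDRI at 0x{pos:X}")
            value = int.from_bytes(buf[end:end + 4], "big")
            end += 4
        elif name == "CMD":
            cmd = int.from_bytes(data, "big")
            value = CMDS.get(cmd, f"CMD{cmd}")
        else:
            value = int.from_bytes(data, "big") if data else None
        packets.append((pos, name, wc, value))
        pos = end
    return packets


# Header words up to CTL are from the SDG1000 listing; the NOP runs are
# shortened and the FDRI data (12345678) and CRC (00ABCDEF) are constructed.
SAMPLE = bytes.fromhex(
    "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF AA995566"
    "30A10007 2000 31A10380 31413D00 316109EE 31C204001093"
    "30E100CF 30C10081 2000 2000"
    "302200000000 30A10001"
    "5060 00000002 12345678 00ABCDEF"
    "30A1000D 2000")

if __name__ == "__main__":
    for off, name, wc, value in parse_bitstream(SAMPLE):
        shown = "" if value is None else (value if isinstance(value, str) else f"{value:X}")
        print(f"{off:08X}  {name:<10} words={wc:<3} {shown}")
```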
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 16, 2017, 06:22:06 pm
Parsing of SDS1000X_V100R001B01D02P1503.ADS:

Code: [Select]
Parsing a SIGLENT SDS1000/SDS2000 file
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20170310  [000DED95-0024A9E3]
      000DED95 - Data Size: 0016BC07
      000DED95 - Header Size: 00000048

000DEDDD - FFFFFFFF             Padding
000DEDE1 - FFFFFFFF             Padding
000DEDE5 - FFFFFFFF             Padding
000DEDE9 - FFFFFFFF             Padding
000DEDED - AA995566             Sync Word (BPI/SPI Mode)
000DEDF1 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
000DEDF5 - 2000                 T1 - 0000000  NOP       (1x)
000DEDF7 - 31A1 0628            T1 W 0000001  FLR
000DEDFB - 3141 3D00            T1 W 0000001  COR1
000DEDFF - 3161 09EE            T1 W 0000001  COR2
000DEE03 - 31C2 04008093        T1 W 0000002  IDCODE
000DEE09 - 30E1 00CF            T1 W 0000001  MASK
000DEE0D - 30C1 0081            T1 W 0000001  CTL
000DEE11 - 2000                 T1 - 0000000  NOP       (17x)
000DEE33 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
000DEE37 - 3181 0881            T1 W 0000001  PWRDN_REG
000DEE3B - 3421 0000            T1 W 0000001  EYE_MASK
000DEE3F - 3201 001F            T1 W 0000001  HC_OPT_REG
000DEE43 - 31E1 FFFF            T1 W 0000001  CWDT
000DEE47 - 3321 0005            T1 W 0000001  PU_GWE
000DEE4B - 3341 0004            T1 W 0000001  PU_GTS
000DEE4F - 3301 0100            T1 W 0000001  MODE_REG
000DEE53 - 3261 0000            T1 W 0000001  GENERAL1
000DEE57 - 3281 0000            T1 W 0000001  GENERAL2
000DEE5B - 32A1 0000            T1 W 0000001  GENERAL3
000DEE5F - 32C1 0000            T1 W 0000001  GENERAL4
000DEE63 - 32E1 0000            T1 W 0000001  GENERAL5
000DEE67 - 33A1 1BE2            T1 W 0000001  SEU_OPT
000DEE6B - 33C2 00000000        T1 W 0000002  EXP_SIGN
000DEE71 - 2000                 T1 - 0000000  NOP       (2x)
000DEE75 - 3022 00000000        T1 W 0000002  FAR_MAJ
000DEE7B - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000DEE7F - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0034308C
002493DB - 2000                 T1 - 0000000  NOP       (24x)
0024940B - 3022 00040017        T1 W 0000002  FAR_MAJ
00249411 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00249415 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003375D7
00249523 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00249529 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0002BA9A
00249637 - 3022 001A0017        T1 W 0000002  FAR_MAJ
0024963D - 5060 00000082        T2 W 0000082  FDRI      CRC: 0003762D
0024974B - 3022 00230017        T1 W 0000002  FAR_MAJ
00249751 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00094B76
0024985F - 3022 01040017        T1 W 0000002  FAR_MAJ
00249865 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00202D3C
00249973 - 3022 010D0017        T1 W 0000002  FAR_MAJ
00249979 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002CF083
00249A87 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00249A8D - 5060 00000082        T2 W 0000082  FDRI      CRC: 0014FD49
00249B9B - 3022 01230017        T1 W 0000002  FAR_MAJ
00249BA1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00051241
00249CAF - 3022 021A0017        T1 W 0000002  FAR_MAJ
00249CB5 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0007EA84
00249DC3 - 3022 02230017        T1 W 0000002  FAR_MAJ
00249DC9 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0030BD91
00249ED7 - 3022 03040017        T1 W 0000002  FAR_MAJ
00249EDD - 5060 00000082        T2 W 0000082  FDRI      CRC: 00015E7B
00249FEB - 3022 030D0017        T1 W 0000002  FAR_MAJ
00249FF1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003B95FD
0024A0FF - 3022 031A0017        T1 W 0000002  FAR_MAJ
0024A105 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000DC751
0024A213 - 3022 03230017        T1 W 0000002  FAR_MAJ
0024A219 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00029613
0024A327 - 3022 04230017        T1 W 0000002  FAR_MAJ
0024A32D - 5060 00000082        T2 W 0000082  FDRI      CRC: 000B26CB
0024A43B - 3022 050D0017        T1 W 0000002  FAR_MAJ
0024A441 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00079B31
0024A54F - 3022 051A0017        T1 W 0000002  FAR_MAJ
0024A555 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00078C47
0024A663 - 3022 05230017        T1 W 0000002  FAR_MAJ
0024A669 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002EA4CD
0024A777 - 3022 061A0017        T1 W 0000002  FAR_MAJ
0024A77D - 5060 00000082        T2 W 0000082  FDRI      CRC: 002E1DE1
0024A88B - 3022 06230017        T1 W 0000002  FAR_MAJ
0024A891 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00281192
0024A99F - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A9A3 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0024A9A7 - 2000                 T1 - 0000000  NOP       (4x)
0024A9AF - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A9B3 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0024A9B7 - 30E1 00FF            T1 W 0000001  MASK
0024A9BB - 30C1 0081            T1 W 0000001  CTL
0024A9BF - 3002 00174160        T1 W 0000002  CRC
0024A9C5 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
0024A9C9 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
03  0000004A --- 0208 310  [0024A9E4-00276BF3]
      0024A9E4 - Data Size: 0002C1C8
      0024A9E4 - Header Size: 00000048
04  00000059 --- 20170207  [00276BF4-002E84BE]
      00276BF4 - Data Size: 00071883
      00276BF4 - Header Size: 00000048

00276C3C - FFFFFFFF             Padding
00276C40 - FFFFFFFF             Padding
00276C44 - FFFFFFFF             Padding
00276C48 - FFFFFFFF             Padding
00276C4C - AA995566             Sync Word (BPI/SPI Mode)
00276C50 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
00276C54 - 2000                 T1 - 0000000  NOP       (1x)
00276C56 - 31A1 0430            T1 W 0000001  FLR
00276C5A - 3141 3D00            T1 W 0000001  COR1
00276C5E - 3161 09EE            T1 W 0000001  COR2
00276C62 - 31C2 04002093        T1 W 0000002  IDCODE
00276C68 - 30E1 00CF            T1 W 0000001  MASK
00276C6C - 30C1 0081            T1 W 0000001  CTL
00276C70 - 2000                 T1 - 0000000  NOP       (17x)
00276C92 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
00276C96 - 3181 0881            T1 W 0000001  PWRDN_REG
00276C9A - 3421 0000            T1 W 0000001  EYE_MASK
00276C9E - 3201 001F            T1 W 0000001  HC_OPT_REG
00276CA2 - 31E1 FFFF            T1 W 0000001  CWDT
00276CA6 - 3321 0005            T1 W 0000001  PU_GWE
00276CAA - 3341 0004            T1 W 0000001  PU_GTS
00276CAE - 3301 0100            T1 W 0000001  MODE_REG
00276CB2 - 3261 0000            T1 W 0000001  GENERAL1
00276CB6 - 3281 0000            T1 W 0000001  GENERAL2
00276CBA - 32A1 0000            T1 W 0000001  GENERAL3
00276CBE - 32C1 0000            T1 W 0000001  GENERAL4
00276CC2 - 32E1 0000            T1 W 0000001  GENERAL5
00276CC6 - 33A1 1BE2            T1 W 0000001  SEU_OPT
00276CCA - 33C2 00000000        T1 W 0000002  EXP_SIGN
00276CD0 - 2000                 T1 - 0000000  NOP       (2x)
00276CD4 - 3022 00000000        T1 W 0000002  FAR_MAJ
00276CDA - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00276CDE - 5060 00038A11        T2 W 0038A11  FDRI      CRC: 00374F6B
002E810A - 2000                 T1 - 0000000  NOP       (24x)
002E813A - 3022 01040017        T1 W 0000002  FAR_MAJ
002E8140 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
002E8144 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0011C60E
002E8252 - 3022 02040017        T1 W 0000002  FAR_MAJ
002E8258 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0036FAC5
002E8366 - 3022 03040017        T1 W 0000002  FAR_MAJ
002E836C - 5060 00000082        T2 W 0000082  FDRI      CRC: 002A817F
002E847A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
002E847E - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
002E8482 - 2000                 T1 - 0000000  NOP       (4x)
002E848A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
002E848E - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
002E8492 - 30E1 00FF            T1 W 0000001  MASK
002E8496 - 30C1 0081            T1 W 0000001  CTL
002E849A - 3002 00325B22        T1 W 0000002  CRC
002E84A0 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
002E84A4 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
05  00000068 --- 1.1.2.15  [002E84BF-00417E4E]
002E84BF - Removing block encapsulations from Block Area [002E84BF-00417E4E]

Total bytes extracted (from the blocks): 000FB396    Block area processed OK

Buffer Size: 00006374 bytes (after converting from 16 to 8 bits)

Processor Type: BF54x - BF542/BF544/BF547/BF548/BF549
Orig Offset     Offset          Block Code      Target Add      Byte Count      Argument        BFlags
00000000        00000000        AD9F5002        FFA00000        00000000        0000635C        ignore first
00000020        00000010        ADC50102        FF800000        00000014        00000000        fill
00000040        00000020        ADD90102        FF800014        0000001C        00000000        fill
00000060        00000030        ADC80002        FF800030        00000028        00000000
000000D0        00000068        ADA90102        FF800058        00000020        00000000        fill
000000F0        00000078        AD200002        FF800078        00002CA4        00000000
00005A58        00002D2C        ADC50102        FF802D1C        00000124        00000000        fill
00005A78        00002D3C        ADD60002        FFA00000        00003610        00000000
0000C6B8        0000635C        ADF80802        FFA00000        00000000        00000000        init

0000C6D8 --- ZLIB Decompressed Size: 00287728
0000C6E0 --- ZLIB Compressed Block Size: 000EECAE [0000C6E8-000FB395]
****************************************************
  Section Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [00417E4F-00497E4D]
      00417E4F - ?????: 0000DCBB
      00417E53 - Data Size: 0006B930
      00417E57 - Name: 3.1.1.13 ???
      00417E63 - Section Data [00417E63-00483792]
08  00000095 ---

Parsing of sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS:

Code: [Select]
Parsing a SIGLENT SDS1000/SDS2000 file
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20160606  [000DED95-0024A593]
      000DED95 - Data Size: 0016B7B7
      000DED95 - Header Size: 00000048

000DEDDD - FFFFFFFF             Padding
000DEDE1 - FFFFFFFF             Padding
000DEDE5 - FFFFFFFF             Padding
000DEDE9 - FFFFFFFF             Padding
000DEDED - AA995566             Sync Word (BPI/SPI Mode)
000DEDF1 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
000DEDF5 - 2000                 T1 - 0000000  NOP       (1x)
000DEDF7 - 31A1 0628            T1 W 0000001  FLR
000DEDFB - 3141 3D00            T1 W 0000001  COR1
000DEDFF - 3161 09EE            T1 W 0000001  COR2
000DEE03 - 31C2 04008093        T1 W 0000002  IDCODE
000DEE09 - 30E1 00CF            T1 W 0000001  MASK
000DEE0D - 30C1 0081            T1 W 0000001  CTL
000DEE11 - 2000                 T1 - 0000000  NOP       (17x)
000DEE33 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
000DEE37 - 3181 0881            T1 W 0000001  PWRDN_REG
000DEE3B - 3421 0000            T1 W 0000001  EYE_MASK
000DEE3F - 3201 001F            T1 W 0000001  HC_OPT_REG
000DEE43 - 31E1 FFFF            T1 W 0000001  CWDT
000DEE47 - 3321 0005            T1 W 0000001  PU_GWE
000DEE4B - 3341 0004            T1 W 0000001  PU_GTS
000DEE4F - 3301 0100            T1 W 0000001  MODE_REG
000DEE53 - 3261 0000            T1 W 0000001  GENERAL1
000DEE57 - 3281 0000            T1 W 0000001  GENERAL2
000DEE5B - 32A1 0000            T1 W 0000001  GENERAL3
000DEE5F - 32C1 0000            T1 W 0000001  GENERAL4
000DEE63 - 32E1 0000            T1 W 0000001  GENERAL5
000DEE67 - 33A1 1BE2            T1 W 0000001  SEU_OPT
000DEE6B - 33C2 00000000        T1 W 0000002  EXP_SIGN
000DEE71 - 2000                 T1 - 0000000  NOP       (2x)
000DEE75 - 3022 00000000        T1 W 0000002  FAR_MAJ
000DEE7B - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000DEE7F - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 00131922
002493DB - 2000                 T1 - 0000000  NOP       (24x)
0024940B - 3022 00040017        T1 W 0000002  FAR_MAJ
00249411 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00249415 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0004280B
00249523 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00249529 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000F94E1
00249637 - 3022 00230017        T1 W 0000002  FAR_MAJ
0024963D - 5060 00000082        T2 W 0000082  FDRI      CRC: 00008F4D
0024974B - 3022 01040017        T1 W 0000002  FAR_MAJ
00249751 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0035DE97
0024985F - 3022 010D0017        T1 W 0000002  FAR_MAJ
00249865 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E4DA8
00249973 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00249979 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001822E4
00249A87 - 3022 01230017        T1 W 0000002  FAR_MAJ
00249A8D - 5060 00000082        T2 W 0000082  FDRI      CRC: 003B04FB
00249B9B - 3022 02040017        T1 W 0000002  FAR_MAJ
00249BA1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00303121
00249CAF - 3022 020D0017        T1 W 0000002  FAR_MAJ
00249CB5 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0025A24C
00249DC3 - 3022 021A0017        T1 W 0000002  FAR_MAJ
00249DC9 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00370282
00249ED7 - 3022 02230017        T1 W 0000002  FAR_MAJ
00249EDD - 5060 00000082        T2 W 0000082  FDRI      CRC: 000DAEDE
00249FEB - 3022 03040017        T1 W 0000002  FAR_MAJ
00249FF1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00319323
0024A0FF - 3022 04040017        T1 W 0000002  FAR_MAJ
0024A105 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000B7C1F
0024A213 - 3022 040D0017        T1 W 0000002  FAR_MAJ
0024A219 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001DE18B
0024A327 - 3022 05040017        T1 W 0000002  FAR_MAJ
0024A32D - 5060 00000082        T2 W 0000082  FDRI      CRC: 003D0427
0024A43B - 3022 050D0017        T1 W 0000002  FAR_MAJ
0024A441 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003A50CB
0024A54F - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A553 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0024A557 - 2000                 T1 - 0000000  NOP       (4x)
0024A55F - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A563 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0024A567 - 30E1 00FF            T1 W 0000001  MASK
0024A56B - 30C1 0081            T1 W 0000001  CTL
0024A56F - 3002 000F3E32        T1 W 0000002  CRC
0024A575 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
0024A579 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
03  0000004A --- 20160606  [0024A594-003B5D92]
      0024A594 - Data Size: 0016B7B7
      0024A594 - Header Size: 00000048

0024A5DC - FFFFFFFF             Padding
0024A5E0 - FFFFFFFF             Padding
0024A5E4 - FFFFFFFF             Padding
0024A5E8 - FFFFFFFF             Padding
0024A5EC - AA995566             Sync Word (BPI/SPI Mode)
0024A5F0 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
0024A5F4 - 2000                 T1 - 0000000  NOP       (1x)
0024A5F6 - 31A1 0628            T1 W 0000001  FLR
0024A5FA - 3141 3D00            T1 W 0000001  COR1
0024A5FE - 3161 09EE            T1 W 0000001  COR2
0024A602 - 31C2 04008093        T1 W 0000002  IDCODE
0024A608 - 30E1 00CF            T1 W 0000001  MASK
0024A60C - 30C1 0081            T1 W 0000001  CTL
0024A610 - 2000                 T1 - 0000000  NOP       (17x)
0024A632 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
0024A636 - 3181 0881            T1 W 0000001  PWRDN_REG
0024A63A - 3421 0000            T1 W 0000001  EYE_MASK
0024A63E - 3201 001F            T1 W 0000001  HC_OPT_REG
0024A642 - 31E1 FFFF            T1 W 0000001  CWDT
0024A646 - 3321 0005            T1 W 0000001  PU_GWE
0024A64A - 3341 0004            T1 W 0000001  PU_GTS
0024A64E - 3301 0100            T1 W 0000001  MODE_REG
0024A652 - 3261 0000            T1 W 0000001  GENERAL1
0024A656 - 3281 0000            T1 W 0000001  GENERAL2
0024A65A - 32A1 0000            T1 W 0000001  GENERAL3
0024A65E - 32C1 0000            T1 W 0000001  GENERAL4
0024A662 - 32E1 0000            T1 W 0000001  GENERAL5
0024A666 - 33A1 1BE2            T1 W 0000001  SEU_OPT
0024A66A - 33C2 00000000        T1 W 0000002  EXP_SIGN
0024A670 - 2000                 T1 - 0000000  NOP       (2x)
0024A674 - 3022 00000000        T1 W 0000002  FAR_MAJ
0024A67A - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
0024A67E - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 000310D9
003B4BDA - 2000                 T1 - 0000000  NOP       (24x)
003B4C0A - 3022 000D0017        T1 W 0000002  FAR_MAJ
003B4C10 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B4C14 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0020783B
003B4D22 - 3022 001A0017        T1 W 0000002  FAR_MAJ
003B4D28 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002806B7
003B4E36 - 3022 00230017        T1 W 0000002  FAR_MAJ
003B4E3C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0014E29D
003B4F4A - 3022 010D0017        T1 W 0000002  FAR_MAJ
003B4F50 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00141799
003B505E - 3022 011A0017        T1 W 0000002  FAR_MAJ
003B5064 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003A1B9A
003B5172 - 3022 01230017        T1 W 0000002  FAR_MAJ
003B5178 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0020B6FA
003B5286 - 3022 021A0017        T1 W 0000002  FAR_MAJ
003B528C - 5060 00000082        T2 W 0000082  FDRI      CRC: 002554A2
003B539A - 3022 02230017        T1 W 0000002  FAR_MAJ
003B53A0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001D9C65
003B54AE - 3022 03040017        T1 W 0000002  FAR_MAJ
003B54B4 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038FD0C
003B55C2 - 3022 030D0017        T1 W 0000002  FAR_MAJ
003B55C8 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002782A6
003B56D6 - 3022 03230017        T1 W 0000002  FAR_MAJ
003B56DC - 5060 00000082        T2 W 0000082  FDRI      CRC: 0014CA3C
003B57EA - 3022 040D0017        T1 W 0000002  FAR_MAJ
003B57F0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001C57CE
003B58FE - 3022 04230017        T1 W 0000002  FAR_MAJ
003B5904 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0017A6CC
003B5A12 - 3022 050D0017        T1 W 0000002  FAR_MAJ
003B5A18 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00037603
003B5B26 - 3022 051A0017        T1 W 0000002  FAR_MAJ
003B5B2C - 5060 00000082        T2 W 0000082  FDRI      CRC: 00069CF5
003B5C3A - 3022 05230017        T1 W 0000002  FAR_MAJ
003B5C40 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003DE286
003B5D4E - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5D52 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
003B5D56 - 2000                 T1 - 0000000  NOP       (4x)
003B5D5E - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5D62 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
003B5D66 - 30E1 00FF            T1 W 0000001  MASK
003B5D6A - 30C1 0081            T1 W 0000001  CTL
003B5D6E - 3002 00205EF5        T1 W 0000002  CRC
003B5D74 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
003B5D78 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
04  00000059 --- 20160516  [003B5D93-005218CD]
      003B5D93 - Data Size: 0016BAF3
      003B5D93 - Header Size: 00000048

003B5DDB - FFFFFFFF             Padding
003B5DDF - FFFFFFFF             Padding
003B5DE3 - FFFFFFFF             Padding
003B5DE7 - FFFFFFFF             Padding
003B5DEB - AA995566             Sync Word (BPI/SPI Mode)
003B5DEF - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
003B5DF3 - 2000                 T1 - 0000000  NOP       (1x)
003B5DF5 - 31A1 0628            T1 W 0000001  FLR
003B5DF9 - 3141 3D08            T1 W 0000001  COR1
003B5DFD - 3161 09EE            T1 W 0000001  COR2
003B5E01 - 31C2 04008093        T1 W 0000002  IDCODE
003B5E07 - 30E1 00CF            T1 W 0000001  MASK
003B5E0B - 30C1 0081            T1 W 0000001  CTL
003B5E0F - 2000                 T1 - 0000000  NOP       (17x)
003B5E31 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
003B5E35 - 3181 0881            T1 W 0000001  PWRDN_REG
003B5E39 - 3421 0000            T1 W 0000001  EYE_MASK
003B5E3D - 3201 001F            T1 W 0000001  HC_OPT_REG
003B5E41 - 31E1 FFFF            T1 W 0000001  CWDT
003B5E45 - 3321 0005            T1 W 0000001  PU_GWE
003B5E49 - 3341 0004            T1 W 0000001  PU_GTS
003B5E4D - 3301 0100            T1 W 0000001  MODE_REG
003B5E51 - 3261 0000            T1 W 0000001  GENERAL1
003B5E55 - 3281 0000            T1 W 0000001  GENERAL2
003B5E59 - 32A1 0000            T1 W 0000001  GENERAL3
003B5E5D - 32C1 0000            T1 W 0000001  GENERAL4
003B5E61 - 32E1 0000            T1 W 0000001  GENERAL5
003B5E65 - 33A1 1BE2            T1 W 0000001  SEU_OPT
003B5E69 - 33C2 00000000        T1 W 0000002  EXP_SIGN
003B5E6F - 2000                 T1 - 0000000  NOP       (2x)
003B5E73 - 3022 00000000        T1 W 0000002  FAR_MAJ
003B5E79 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B5E7D - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 002B8811
005203D9 - 2000                 T1 - 0000000  NOP       (24x)
00520409 - 3022 00040017        T1 W 0000002  FAR_MAJ
0052040F - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00520413 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003AE8A0
00520521 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00520527 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0003D2F5
00520635 - 3022 001A0017        T1 W 0000002  FAR_MAJ
0052063B - 5060 00000082        T2 W 0000082  FDRI      CRC: 000C9D2E
00520749 - 3022 01040017        T1 W 0000002  FAR_MAJ
0052074F - 5060 00000082        T2 W 0000082  FDRI      CRC: 000F9CED
0052085D - 3022 010D0017        T1 W 0000002  FAR_MAJ
00520863 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002B37CB
00520971 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00520977 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000F731E
00520A85 - 3022 01230017        T1 W 0000002  FAR_MAJ
00520A8B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0008A05A
00520B99 - 3022 02040017        T1 W 0000002  FAR_MAJ
00520B9F - 5060 00000082        T2 W 0000082  FDRI      CRC: 002A8550
00520CAD - 3022 020D0017        T1 W 0000002  FAR_MAJ
00520CB3 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003A459B
00520DC1 - 3022 030D0017        T1 W 0000002  FAR_MAJ
00520DC7 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000EFB42
00520ED5 - 3022 031A0017        T1 W 0000002  FAR_MAJ
00520EDB - 5060 00000082        T2 W 0000082  FDRI      CRC: 0008F310
00520FE9 - 3022 03230017        T1 W 0000002  FAR_MAJ
00520FEF - 5060 00000082        T2 W 0000082  FDRI      CRC: 00275C86
005210FD - 3022 04040017        T1 W 0000002  FAR_MAJ
00521103 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001C9593
00521211 - 3022 040D0017        T1 W 0000002  FAR_MAJ
00521217 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0024C949
00521325 - 3022 041A0017        T1 W 0000002  FAR_MAJ
0052132B - 5060 00000082        T2 W 0000082  FDRI      CRC: 000126CA
00521439 - 3022 04230017        T1 W 0000002  FAR_MAJ
0052143F - 5060 00000082        T2 W 0000082  FDRI      CRC: 001B87F4
0052154D - 3022 05040017        T1 W 0000002  FAR_MAJ
00521553 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000377BB
00521661 - 3022 050D0017        T1 W 0000002  FAR_MAJ
00521667 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00291A21
00521775 - 3022 06040017        T1 W 0000002  FAR_MAJ
0052177B - 5060 00000082        T2 W 0000082  FDRI      CRC: 003EDDFD
00521889 - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0052188D - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
00521891 - 2000                 T1 - 0000000  NOP       (4x)
00521899 - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0052189D - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
005218A1 - 30E1 00FF            T1 W 0000001  MASK
005218A5 - 30C1 0081            T1 W 0000001  CTL
005218A9 - 3002 002E31B6        T1 W 0000002  CRC
005218AF - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
005218B3 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
05  00000068 --- 1.2.1.38  [005218CE-00656599]
005218CE - Removing block encapsulations from Block Area [005218CE-00656599]

Total bytes extracted (from the blocks): 000FF877    Block area processed OK

Buffer Size: 00006DEA bytes (after converting from 16 to 8 bits)

0x00000000  DXE 0000 (Data Size: 00006DD4) [00000000-00006DE1]
Processor Type: ADSP-BF533/534/536/537/538/539 (boot address: 0xFFA00000)
Orig Offset:    Offset:         Block:  Target Add:     Byte Count:     Flags:  [  start -   end  ]
00000000 ---    0x00000000      0000    FF800040        00000004        0012    [0000000A-0000000D]  resvect ignore
0000001C ---    0x0000000E      0001    FF800000        000022B0        0002    [00000018-000022C7]  resvect
00004590 ---    0x000022C8      0002    FF8022B0        00000010        0003                         zero-fill resvect
000045A4 ---    0x000022D2      0003    FF8022C0        00000010        0002    [000022DC-000022EB]  resvect
000045D8 ---    0x000022EC      0004    FF8022D0        0000029E        0002    [000022F6-00002593]  resvect
00004B28 ---    0x00002594      0005    FF80256E        0000000E        0003                         zero-fill resvect
00004B3C ---    0x0000259E      0006    FF80257C        000009BA        0002    [000025A8-00002F61]  resvect
00005EC4 ---    0x00002F62      0007    FF802F36        000000AA        0003                         zero-fill resvect
00005ED8 ---    0x00002F6C      0008    FF802FE0        0000000C        0002    [00002F76-00002F81]  resvect
00005F04 ---    0x00002F82      0009    FF902000        00000004        0002    [00002F8C-00002F8F]  resvect
00005F20 ---    0x00002F90      000A    FF902004        00000068        0003                         zero-fill resvect
00005F34 ---    0x00002F9A      000B    FFA00000        00003E32        0002    [00002FA4-00006DD5]  resvect
0000DBAC ---    0x00006DD6      000C    FFA00000        00000002        000A    [00006DE0-00006DE1]  resvect init

0000DBC4 --- ZLIB Decompressed Size: 0029FA20
0000DBCC --- ZLIB Compressed Block Size: 000F1CA3 [0000DBD4-000FF876]
****************************************************
  Section Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [0065659A-006D6598]
      0065659A - ?????: 0000DCBB
      0065659E - Data Size: 0006B930
      006565A2 - Name: 3.1.1.13 ???
      006565AE - Section Data [006565AE-006C1EDD]
08  00000095 ---

SDS1000 - 1 x Spartan-6 XC6SLX45 + 1 Spartan-6 XC6SLX16
SDS2000 - 3 x Spartan-6 XC6SLX45

Title: Re: Siglent .ads firmware file format
Post by: tautech on June 17, 2017, 03:39:38 am
These lines look interesting:
SDS1000X
Code: [Select]
00276C62 - 31C2 04002093        T1 W 0000002  IDCODE
SDS2000
Code: [Select]
0024A602 - 31C2 04008093        T1 W 0000002  IDCODE
BW selection maybe ?  :-//
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 17, 2017, 08:34:16 am
No. Those are the lines that identify the specific FPGA type for which the stream is intended. When loading the stream, the FPGA checks to see if it's the correct ID in the stream or it aborts installation.

See here https://github.com/matrix-io/xc3sprog/blob/master/devlist.txt
Title: Re: Siglent .ads firmware file format
Post by: matib12 on July 27, 2017, 08:11:14 pm
I used SDS ads 0.13 tool on the SDS2000X_V1.2.2.2_Firmware_Update_EN. Then, as it was suggested, I reversed bytes of the whole files: Part_2, Part_3 and Part4 with the code:

Code: [Select]
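def reverse(b):
    """Reverse the bit order within one byte (bit 0 <-> bit 7, and so on)."""
    b = (b & 0xF0) >> 4 | (b & 0x0F) << 4  # swap the two nibbles
    b = (b & 0xCC) >> 2 | (b & 0x33) << 2  # swap bit pairs inside each nibble
    b = (b & 0xAA) >> 1 | (b & 0x55) << 1  # swap adjacent bits
    return b


in_name = 'Part_4.bit'
#in_name = 'sds2kx_V100R02B01D02P02_fvA1609220922M160922.ADS'
out_name = 'ByteSwap_' + in_name

# Read the whole file and bit-reverse every byte in place.
with open(in_name, 'rb') as f:
    b = bytearray(f.read())
for j in range(len(b)):
    b[j] = reverse(b[j])

# Write the converted copy next to the input file.
with open(out_name, 'wb') as f:
    f.write(b)
print(' * Byte reverse done * ')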

All those files contain IDCODE: 04008093 at offset 0x70, which means three Spartan6 XC6SLX45 in the scope.

Anyway, the files cannot be used in iMPACT in this form. What is in the file can be a *.bin file. Then it does not have a header and starts with an FFFF sequence. Otherwise it is a *.bit where the header is missing.

I generated an "empty" *.bit file for XC6SLX45 with ISE for reference. It is 16A6CE long. It finishes with a 0202 sequence. There is something similar in the analysed file but not in the right place.
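
Added example, not part of matib12's post and not code from any tool mentioned in this thread: it undoes the per-byte bit reversal, walks the 16-bit configuration packets after the AA995566 sync word, and compares the IDCODE write against the part the image is expected to target. The packet field layout and register numbers are read off the decoded dumps in this thread; the function names and the sample bytes (header values copied from the dumps, two dummy frame words) are constructed for illustration.

```python
import struct

SYNC = bytes.fromhex("AA995566")
OP_NOP, OP_WRITE = 0, 2
# Register numbers (header bits [10:5]) as they decode in the dumps above.
REGS = {0x00: "CRC", 0x01: "FAR_MAJ", 0x03: "FDRI", 0x05: "CMD", 0x06: "CTL",
        0x07: "MASK", 0x0A: "COR1", 0x0B: "COR2", 0x0D: "FLR", 0x0E: "IDCODE"}
# IDCODE values seen in this thread; the top nibble (revision) is masked off.
DEVICES = {0x4008093: "XC6SLX45", 0x4002093: "XC6SLX16"}
# Lookup table doing the same per-byte bit reversal as reverse() in the post.
BITREV = bytes(int(f"{i:08b}"[::-1], 2) for i in range(256))


def parse_packets(stream, limit=4096):
    """Return (offset, type, opcode, register, word_count, value) tuples
    for the packets that follow the sync word in a bit-corrected stream."""
    start = stream.find(SYNC)
    if start < 0:
        raise ValueError("sync word AA995566 not found")
    pos, out = start + len(SYNC), []
    while pos + 2 <= len(stream) and len(out) < limit:
        (hdr,) = struct.unpack_from(">H", stream, pos)
        ptype, op = hdr >> 13, (hdr >> 11) & 0x3
        reg, wc = (hdr >> 5) & 0x3F, hdr & 0x1F
        body = pos + 2
        if ptype == 2:
            # Type 2 header is followed by a 32-bit word count.
            if body + 4 > len(stream):
                raise ValueError(f"truncated Type 2 header at {pos:#x}")
            (wc,) = struct.unpack_from(">I", stream, body)
            body += 4
        elif ptype != 1:
            raise ValueError(f"unknown packet type {ptype} at {pos:#x}")
        end = body + 2 * wc
        name = "NOP" if op == OP_NOP else REGS.get(reg, f"REG_{reg:02X}")
        if ptype == 2 and name == "FDRI" and op == OP_WRITE:
            end += 4  # 32-bit CRC after the frame data, as the dump offsets show
        if end > len(stream):
            raise ValueError(f"packet at {pos:#x} runs past end of data")
        value = None
        if ptype == 1 and wc:
            value = int.from_bytes(stream[body:end], "big")
        out.append((pos, ptype, op, name, wc, value))
        pos = end
    return out


def check_idcode(raw_section, expected_part):
    """Bit-reverse a stored section and test its IDCODE write.
    Returns (idcode, part_name, matches_expected)."""
    stream = raw_section.translate(BITREV)
    for _off, _ptype, op, name, _wc, value in parse_packets(stream):
        if op == OP_WRITE and name == "IDCODE":
            part = DEVICES.get(value & 0x0FFFFFFF, "unknown")
            return value, part, part == expected_part
    return None, None, False


# Constructed sample in natural bit order, then stored bit-reversed.
SAMPLE_PLAIN = bytes.fromhex(
    "FFFFFFFF FFFFFFFF AA995566"   # padding, sync word
    "30A1 0007"                    # CMD   RCRC
    "2000"                         # NOP
    "31A1 0628"                    # FLR
    "3141 3D00"                    # COR1
    "3161 09EE"                    # COR2
    "31C2 04008093"                # IDCODE
    "3022 00000000"                # FAR_MAJ
    "30A1 0001"                    # CMD   WCFG
    "5060 00000002 DEADBEEF"       # FDRI, 2 dummy frame words
    "00000000"                     # CRC slot after FDRI (dummy value)
    "30A1 000D"                    # CMD   DESYNC
    "2000"                         # NOP
)
SAMPLE_RAW = SAMPLE_PLAIN.translate(BITREV)

if __name__ == "__main__":
    for pkt in parse_packets(SAMPLE_RAW.translate(BITREV)):
        print("%08X  T%d op=%d %-8s wc=%d value=%s" % pkt)
    print(check_idcode(SAMPLE_RAW, "XC6SLX45"))
```

Run on a real extracted section, `check_idcode` expects the bytes exactly as stored in the .ADS part; without the bit reversal the sync word is not found and `parse_packets` raises `ValueError`.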
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 28, 2017, 08:23:47 pm
matib12,

Better way to reverse (C#):

Code: [Select]
        private static byte reverseByteBits(byte a)  // Reverse the bits in a Byte
        { return (byte)((a * 0x0202020202 & 0x010884422010) % 1023); }

Here's my parsing/decode of sds2kx_V100R02B01D02P02_fvA1609220922M160922.ADS:

Code: [Select]
Parsing a SIGLENT SDS1000/SDS2000 file
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20160922  [000DED95-0024A47F]
      000DED95 - Data Size: 0016B6A3
      000DED95 - Header Size: 00000048

000DEDDD - FFFFFFFF             Padding
000DEDE1 - FFFFFFFF             Padding
000DEDE5 - FFFFFFFF             Padding
000DEDE9 - FFFFFFFF             Padding
000DEDED - AA995566             Sync Word (BPI/SPI Mode)
000DEDF1 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
000DEDF5 - 2000                 T1 - 0000000  NOP       (1x)
000DEDF7 - 31A1 0628            T1 W 0000001  FLR
000DEDFB - 3141 3D00            T1 W 0000001  COR1
000DEDFF - 3161 09EE            T1 W 0000001  COR2
000DEE03 - 31C2 04008093        T1 W 0000002  IDCODE
000DEE09 - 30E1 00CF            T1 W 0000001  MASK
000DEE0D - 30C1 0081            T1 W 0000001  CTL
000DEE11 - 2000                 T1 - 0000000  NOP       (17x)
000DEE33 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
000DEE37 - 3181 0881            T1 W 0000001  PWRDN_REG
000DEE3B - 3421 0000            T1 W 0000001  EYE_MASK
000DEE3F - 3201 001F            T1 W 0000001  HC_OPT_REG
000DEE43 - 31E1 FFFF            T1 W 0000001  CWDT
000DEE47 - 3321 0005            T1 W 0000001  PU_GWE
000DEE4B - 3341 0004            T1 W 0000001  PU_GTS
000DEE4F - 3301 0100            T1 W 0000001  MODE_REG
000DEE53 - 3261 0000            T1 W 0000001  GENERAL1
000DEE57 - 3281 0000            T1 W 0000001  GENERAL2
000DEE5B - 32A1 0000            T1 W 0000001  GENERAL3
000DEE5F - 32C1 0000            T1 W 0000001  GENERAL4
000DEE63 - 32E1 0000            T1 W 0000001  GENERAL5
000DEE67 - 33A1 1BE2            T1 W 0000001  SEU_OPT
000DEE6B - 33C2 00000000        T1 W 0000002  EXP_SIGN
000DEE71 - 2000                 T1 - 0000000  NOP       (2x)
000DEE75 - 3022 00000000        T1 W 0000002  FAR_MAJ
000DEE7B - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000DEE7F - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0030A883
002493DB - 2000                 T1 - 0000000  NOP       (24x)
0024940B - 3022 00040017        T1 W 0000002  FAR_MAJ
00249411 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00249415 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00024B83
00249523 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00249529 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001EE1DD
00249637 - 3022 001A0017        T1 W 0000002  FAR_MAJ
0024963D - 5060 00000082        T2 W 0000082  FDRI      CRC: 0020C6C9
0024974B - 3022 00230017        T1 W 0000002  FAR_MAJ
00249751 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0001E99E
0024985F - 3022 01040017        T1 W 0000002  FAR_MAJ
00249865 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003117C6
00249973 - 3022 010D0017        T1 W 0000002  FAR_MAJ
00249979 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00294671
00249A87 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00249A8D - 5060 00000082        T2 W 0000082  FDRI      CRC: 002473B9
00249B9B - 3022 01230017        T1 W 0000002  FAR_MAJ
00249BA1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E65E7
00249CAF - 3022 021A0017        T1 W 0000002  FAR_MAJ
00249CB5 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002675A2
00249DC3 - 3022 02230017        T1 W 0000002  FAR_MAJ
00249DC9 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00192AA0
00249ED7 - 3022 03040017        T1 W 0000002  FAR_MAJ
00249EDD - 5060 00000082        T2 W 0000082  FDRI      CRC: 0010969D
00249FEB - 3022 04040017        T1 W 0000002  FAR_MAJ
00249FF1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0028B252
0024A0FF - 3022 041A0017        T1 W 0000002  FAR_MAJ
0024A105 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002E7925
0024A213 - 3022 051A0017        T1 W 0000002  FAR_MAJ
0024A219 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005A5E5
0024A327 - 3022 07230017        T1 W 0000002  FAR_MAJ
0024A32D - 5060 00000082        T2 W 0000082  FDRI      CRC: 00158043
0024A43B - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A43F - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0024A443 - 2000                 T1 - 0000000  NOP       (4x)
0024A44B - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A44F - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0024A453 - 30E1 00FF            T1 W 0000001  MASK
0024A457 - 30C1 0081            T1 W 0000001  CTL
0024A45B - 3002 002E7B9D        T1 W 0000002  CRC
0024A461 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
0024A465 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
03  0000004A --- 20160922  [0024A480-003B5C7E]
      0024A480 - Data Size: 0016B7B7
      0024A480 - Header Size: 00000048

0024A4C8 - FFFFFFFF             Padding
0024A4CC - FFFFFFFF             Padding
0024A4D0 - FFFFFFFF             Padding
0024A4D4 - FFFFFFFF             Padding
0024A4D8 - AA995566             Sync Word (BPI/SPI Mode)
0024A4DC - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
0024A4E0 - 2000                 T1 - 0000000  NOP       (1x)
0024A4E2 - 31A1 0628            T1 W 0000001  FLR
0024A4E6 - 3141 3D00            T1 W 0000001  COR1
0024A4EA - 3161 09EE            T1 W 0000001  COR2
0024A4EE - 31C2 04008093        T1 W 0000002  IDCODE
0024A4F4 - 30E1 00CF            T1 W 0000001  MASK
0024A4F8 - 30C1 0081            T1 W 0000001  CTL
0024A4FC - 2000                 T1 - 0000000  NOP       (17x)
0024A51E - 3381 3CC8            T1 W 0000001  CCLK_FREQ
0024A522 - 3181 0881            T1 W 0000001  PWRDN_REG
0024A526 - 3421 0000            T1 W 0000001  EYE_MASK
0024A52A - 3201 001F            T1 W 0000001  HC_OPT_REG
0024A52E - 31E1 FFFF            T1 W 0000001  CWDT
0024A532 - 3321 0005            T1 W 0000001  PU_GWE
0024A536 - 3341 0004            T1 W 0000001  PU_GTS
0024A53A - 3301 0100            T1 W 0000001  MODE_REG
0024A53E - 3261 0000            T1 W 0000001  GENERAL1
0024A542 - 3281 0000            T1 W 0000001  GENERAL2
0024A546 - 32A1 0000            T1 W 0000001  GENERAL3
0024A54A - 32C1 0000            T1 W 0000001  GENERAL4
0024A54E - 32E1 0000            T1 W 0000001  GENERAL5
0024A552 - 33A1 1BE2            T1 W 0000001  SEU_OPT
0024A556 - 33C2 00000000        T1 W 0000002  EXP_SIGN
0024A55C - 2000                 T1 - 0000000  NOP       (2x)
0024A560 - 3022 00000000        T1 W 0000002  FAR_MAJ
0024A566 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
0024A56A - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 002483B9
003B4AC6 - 2000                 T1 - 0000000  NOP       (24x)
003B4AF6 - 3022 01230017        T1 W 0000002  FAR_MAJ
003B4AFC - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B4B00 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005A45A
003B4C0E - 3022 021A0017        T1 W 0000002  FAR_MAJ
003B4C14 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003FDEB8
003B4D22 - 3022 02230017        T1 W 0000002  FAR_MAJ
003B4D28 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00327927
003B4E36 - 3022 03040017        T1 W 0000002  FAR_MAJ
003B4E3C - 5060 00000082        T2 W 0000082  FDRI      CRC: 001F0CCB
003B4F4A - 3022 030D0017        T1 W 0000002  FAR_MAJ
003B4F50 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002995C9
003B505E - 3022 031A0017        T1 W 0000002  FAR_MAJ
003B5064 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00374AD7
003B5172 - 3022 03230017        T1 W 0000002  FAR_MAJ
003B5178 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000B2C82
003B5286 - 3022 04040017        T1 W 0000002  FAR_MAJ
003B528C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0013E5DB
003B539A - 3022 040D0017        T1 W 0000002  FAR_MAJ
003B53A0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001EF8CF
003B54AE - 3022 041A0017        T1 W 0000002  FAR_MAJ
003B54B4 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00385AC2
003B55C2 - 3022 04230017        T1 W 0000002  FAR_MAJ
003B55C8 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002C7B03
003B56D6 - 3022 05040017        T1 W 0000002  FAR_MAJ
003B56DC - 5060 00000082        T2 W 0000082  FDRI      CRC: 001FC3EF
003B57EA - 3022 050D0017        T1 W 0000002  FAR_MAJ
003B57F0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003F9D02
003B58FE - 3022 05230017        T1 W 0000002  FAR_MAJ
003B5904 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A7833
003B5A12 - 3022 06040017        T1 W 0000002  FAR_MAJ
003B5A18 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00266FD4
003B5B26 - 3022 06230017        T1 W 0000002  FAR_MAJ
003B5B2C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0032FDA2
003B5C3A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5C3E - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
003B5C42 - 2000                 T1 - 0000000  NOP       (4x)
003B5C4A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5C4E - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
003B5C52 - 30E1 00FF            T1 W 0000001  MASK
003B5C56 - 30C1 0081            T1 W 0000001  CTL
003B5C5A - 3002 0020E07A        T1 W 0000002  CRC
003B5C60 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
003B5C64 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
04  00000059 --- 20160922  [003B5C7F-005219E1]
      003B5C7F - Data Size: 0016BD1B
      003B5C7F - Header Size: 00000048

003B5CC7 - FFFFFFFF             Padding
003B5CCB - FFFFFFFF             Padding
003B5CCF - FFFFFFFF             Padding
003B5CD3 - FFFFFFFF             Padding
003B5CD7 - AA995566             Sync Word (BPI/SPI Mode)
003B5CDB - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
003B5CDF - 2000                 T1 - 0000000  NOP       (1x)
003B5CE1 - 31A1 0628            T1 W 0000001  FLR
003B5CE5 - 3141 3D08            T1 W 0000001  COR1
003B5CE9 - 3161 09EE            T1 W 0000001  COR2
003B5CED - 31C2 04008093        T1 W 0000002  IDCODE
003B5CF3 - 30E1 00CF            T1 W 0000001  MASK
003B5CF7 - 30C1 0081            T1 W 0000001  CTL
003B5CFB - 2000                 T1 - 0000000  NOP       (17x)
003B5D1D - 3381 3CC8            T1 W 0000001  CCLK_FREQ
003B5D21 - 3181 0881            T1 W 0000001  PWRDN_REG
003B5D25 - 3421 0000            T1 W 0000001  EYE_MASK
003B5D29 - 3201 001F            T1 W 0000001  HC_OPT_REG
003B5D2D - 31E1 FFFF            T1 W 0000001  CWDT
003B5D31 - 3321 0005            T1 W 0000001  PU_GWE
003B5D35 - 3341 0004            T1 W 0000001  PU_GTS
003B5D39 - 3301 0100            T1 W 0000001  MODE_REG
003B5D3D - 3261 0000            T1 W 0000001  GENERAL1
003B5D41 - 3281 0000            T1 W 0000001  GENERAL2
003B5D45 - 32A1 0000            T1 W 0000001  GENERAL3
003B5D49 - 32C1 0000            T1 W 0000001  GENERAL4
003B5D4D - 32E1 0000            T1 W 0000001  GENERAL5
003B5D51 - 33A1 1BE2            T1 W 0000001  SEU_OPT
003B5D55 - 33C2 00000000        T1 W 0000002  EXP_SIGN
003B5D5B - 2000                 T1 - 0000000  NOP       (2x)
003B5D5F - 3022 00000000        T1 W 0000002  FAR_MAJ
003B5D65 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B5D69 - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0003C50A
005202C5 - 2000                 T1 - 0000000  NOP       (24x)
005202F5 - 3022 00040017        T1 W 0000002  FAR_MAJ
005202FB - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
005202FF - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E1099
0052040D - 3022 000D0017        T1 W 0000002  FAR_MAJ
00520413 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002FEF01
00520521 - 3022 001A0017        T1 W 0000002  FAR_MAJ
00520527 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000EC6B1
00520635 - 3022 01040017        T1 W 0000002  FAR_MAJ
0052063B - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A1576
00520749 - 3022 010D0017        T1 W 0000002  FAR_MAJ
0052074F - 5060 00000082        T2 W 0000082  FDRI      CRC: 000C458E
0052085D - 3022 011A0017        T1 W 0000002  FAR_MAJ
00520863 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A9D1D
00520971 - 3022 01230017        T1 W 0000002  FAR_MAJ
00520977 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A1B36
00520A85 - 3022 02040017        T1 W 0000002  FAR_MAJ
00520A8B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005C494
00520B99 - 3022 020D0017        T1 W 0000002  FAR_MAJ
00520B9F - 5060 00000082        T2 W 0000082  FDRI      CRC: 00076315
00520CAD - 3022 03040017        T1 W 0000002  FAR_MAJ
00520CB3 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0026FBD1
00520DC1 - 3022 030D0017        T1 W 0000002  FAR_MAJ
00520DC7 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002525AE
00520ED5 - 3022 04040017        T1 W 0000002  FAR_MAJ
00520EDB - 5060 00000082        T2 W 0000082  FDRI      CRC: 002DED8E
00520FE9 - 3022 040D0017        T1 W 0000002  FAR_MAJ
00520FEF - 5060 00000082        T2 W 0000082  FDRI      CRC: 000785AD
005210FD - 3022 041A0017        T1 W 0000002  FAR_MAJ
00521103 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00173D17
00521211 - 3022 04230017        T1 W 0000002  FAR_MAJ
00521217 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038A0E7
00521325 - 3022 05040017        T1 W 0000002  FAR_MAJ
0052132B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0019B766
00521439 - 3022 051A0017        T1 W 0000002  FAR_MAJ
0052143F - 5060 00000082        T2 W 0000082  FDRI      CRC: 0028C4B0
0052154D - 3022 05230017        T1 W 0000002  FAR_MAJ
00521553 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002B3B85
00521661 - 3022 06040017        T1 W 0000002  FAR_MAJ
00521667 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001B9738
00521775 - 3022 061A0017        T1 W 0000002  FAR_MAJ
0052177B - 5060 00000082        T2 W 0000082  FDRI      CRC: 002795C7
00521889 - 3022 06230017        T1 W 0000002  FAR_MAJ
0052188F - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038E821
0052199D - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
005219A1 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
005219A5 - 2000                 T1 - 0000000  NOP       (4x)
005219AD - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
005219B1 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
005219B5 - 30E1 00FF            T1 W 0000001  MASK
005219B9 - 30C1 0081            T1 W 0000001  CTL
005219BD - 3002 002025B0        T1 W 0000002  CRC
005219C3 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
005219C7 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
05  00000068 --- 1.2.2.2   [005219E2-00656E68]
005219E2 - Removing block encapsulations from Block Area [005219E2-00656E68]

Total bytes extracted (from the blocks): 000FFEDE    Block area processed OK

Buffer Size: 00006DEA bytes (after converting from 16 to 8 bits)

0x00000000  DXE 0000 (Data Size: 00006DD4) [00000000-00006DE1]
Processor Type: ADSP-BF533/534/536/537/538/539 (boot address: 0xFFA00000)
Orig Offset:    Offset:         Block:  Target Add:     Byte Count:     Flags:  [  start -   end  ]
00000000 ---    0x00000000      0000    FF800040        00000004        0012    [0000000A-0000000D]  resvect ignore
0000001C ---    0x0000000E      0001    FF800000        000022B0        0002    [00000018-000022C7]  resvect
00004590 ---    0x000022C8      0002    FF8022B0        00000010        0003                         zero-fill resvect
000045A4 ---    0x000022D2      0003    FF8022C0        00000010        0002    [000022DC-000022EB]  resvect
000045D8 ---    0x000022EC      0004    FF8022D0        0000029E        0002    [000022F6-00002593]  resvect
00004B28 ---    0x00002594      0005    FF80256E        0000000E        0003                         zero-fill resvect
00004B3C ---    0x0000259E      0006    FF80257C        000009BA        0002    [000025A8-00002F61]  resvect
00005EC4 ---    0x00002F62      0007    FF802F36        000000AA        0003                         zero-fill resvect
00005ED8 ---    0x00002F6C      0008    FF802FE0        0000000C        0002    [00002F76-00002F81]  resvect
00005F04 ---    0x00002F82      0009    FF902000        00000004        0002    [00002F8C-00002F8F]  resvect
00005F20 ---    0x00002F90      000A    FF902004        00000068        0003                         zero-fill resvect
00005F34 ---    0x00002F9A      000B    FFA00000        00003E32        0002    [00002FA4-00006DD5]  resvect
0000DBAC ---    0x00006DD6      000C    FFA00000        00000002        000A    [00006DE0-00006DE1]  resvect init

0000DBC4 --- ZLIB Decompressed Size: 002A0BE0
0000DBCC --- ZLIB Compressed Block Size: 000F230A [0000DBD4-000FFEDD]
****************************************************
  Section Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [00656E69-006D6E67]
      00656E69 - ?????: 0000DCBB
      00656E6D - Data Size: 0006B930
      00656E71 - Name: 3.1.1.13 ???
      00656E7D - Section Data [00656E7D-006C27AC]
08  00000095 ---

What I'm trying to understand (without success) is part 7 (don't know if it's CPLD stuff...)

If you want to transform one of the .bin blocks into a .bit stream, you must add a header of this type (remember you must change the sizes according to your bitstream):

Code: [Select]
00000000 - 0009         (0x0009) File Header Length
00000002 - 0FF00FF0     (0x0FF00FF0) File Header Long 1
00000006 - 0FF00FF0     (0x0FF00FF0) File Header Long 2
0000000A - 00           (0x00) File Header Zero
0000000B - 0001         (0x0001) Key Length
0000000D - 61 001D      (key 0x61) Design Name: VirtexUnitTest.reference.ncd
0000002D - 62 0009      (key 0x62) Part Name: v50bg256
00000039 - 63 000B      (key 0x63) Generation Date: 2011/ 1/26
00000047 - 64 0009      (key 0x64) Generation Time: 11:51:59
00000053 - 65 0001110C  (key 0x65) Bitstream Length: 0001110C  [00000058-00011163]
--------------  BITSTREAM  ------------------------
00000058 - FFFFFFFF             Padding
0000005C - AA995566             Sync Word (BPI/SPI Mode)
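
The header layout listed above, as an added Python example that is not part of the original post: it builds the header for a raw .bin block and parses it back. The function names are hypothetical; treating each text field as a NUL-terminated string whose length includes the NUL follows from the offsets in the listing, and the sync-word sanity check within the first 64 bytes is an assumption.

```python
import struct

# Fixed preamble from the listing: the 9 bytes 0FF00FF0 0FF00FF0 00 that
# follow the 0x0009 length field.
BIT_MAGIC = bytes.fromhex("0ff00ff00ff00ff000")
SYNC_WORD = bytes.fromhex("aa995566")


def _text_field(key: bytes, text: str) -> bytes:
    """Key byte, 16-bit big-endian length, NUL-terminated ASCII string."""
    data = text.encode("ascii") + b"\x00"
    return key + struct.pack(">H", len(data)) + data


def build_bit_header(design: str, part: str, date: str, time: str,
                     bitstream_len: int) -> bytes:
    """Return the .bit header that precedes bitstream_len bytes of raw data."""
    if not 0 < bitstream_len <= 0xFFFFFFFF:
        raise ValueError("bitstream length must fit in 32 bits")
    return b"".join([
        struct.pack(">H", len(BIT_MAGIC)), BIT_MAGIC,  # 0x0009 + magic
        struct.pack(">H", 1),                          # "Key Length" 0x0001
        _text_field(b"a", design),                     # key 0x61
        _text_field(b"b", part),                       # key 0x62
        _text_field(b"c", date),                       # key 0x63
        _text_field(b"d", time),                       # key 0x64
        b"e" + struct.pack(">I", bitstream_len),       # key 0x65, 32-bit size
    ])


def wrap_bin_as_bit(raw: bytes, design: str, part: str,
                    date: str, time: str) -> bytes:
    """Prefix a raw configuration block with a header sized to match it."""
    # Assumption: a usable block shows the sync word shortly after the
    # FFFFFFFF padding; refuse input that does not look like a bitstream.
    if raw.find(SYNC_WORD, 0, 64) < 0:
        raise ValueError("no sync word near the start of the block")
    return build_bit_header(design, part, date, time, len(raw)) + raw


def parse_bit_header(blob: bytes) -> dict:
    """Parse a .bit header; return its fields plus the data offset and size."""
    try:
        (hlen,) = struct.unpack_from(">H", blob, 0)
        off = 2
        if blob[off:off + hlen] != BIT_MAGIC:
            raise ValueError("bad file header magic")
        off += hlen
        (klen,) = struct.unpack_from(">H", blob, off)
        off += 2
        if klen != 1:
            raise ValueError("unexpected key length")
        fields = {}
        for key in (b"a", b"b", b"c", b"d"):
            if blob[off:off + 1] != key:
                raise ValueError("missing field %r" % key)
            (n,) = struct.unpack_from(">H", blob, off + 1)
            off += 3
            if off + n > len(blob):
                raise ValueError("field runs past end of file")
            fields[key.decode()] = blob[off:off + n].rstrip(b"\x00").decode("ascii")
            off += n
        if blob[off:off + 1] != b"e":
            raise ValueError("missing bitstream length field")
        (size,) = struct.unpack_from(">I", blob, off + 1)
        off += 5
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    if off + size > len(blob):
        raise ValueError("bitstream shorter than declared length")
    fields["data_offset"] = off
    fields["data_len"] = size
    return fields


if __name__ == "__main__":
    # Constructed sample block: padding, sync word, then the RCRC command
    # packet (30A1 0007) as it appears in the parser output.
    sample = b"\xff" * 16 + SYNC_WORD + bytes.fromhex("30a10007")
    bit = wrap_bin_as_bit(sample, "example.ncd", "PLACEHOLDER_PART",
                          "2016/09/22", "00:00:00")
    print(parse_bit_header(bit))
```
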
Title: Re: Siglent .ads firmware file format
Post by: AxaRu on August 07, 2017, 08:28:31 am
Hi everybody.

Any news?
Title: Re: Siglent .ads firmware file format
Post by: 0xPIT on September 03, 2017, 09:46:00 am
Hello,

did anyone manage to find a serial console on the SDG1025? (Like this guy did on the 800 series: http://41j.com/blog/2016/08/hacking-around-with-a-sdg800-sdg805/)

After soldering a pin header to the pads labelled UART, I tried (several known-good) TTL to USB converters, but there seems to be no output. Also, I've verified that the TX and RX pins go directly to the Blackfin TX&RX pins.

Checking with the Scope, the only thing that happens is it pulls TX high.

Any ideas?
Title: Re: Siglent .ads firmware file format
Post by: matib12 on September 07, 2017, 07:24:43 pm
I'm not surprised by the outcome of your experiment. I did the same with my SDS2000X with the same effect. It seems that the serial console had been disabled already in u-boot. My next attempt would be a memory dump via JTAG connector if I have some spare time.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on September 08, 2017, 10:07:07 pm
The parsing of the latest SDS2000X fw is:

Code: [Select]
Parsing a SIGLENT SDS1000/SDS2000 file
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20160922  [000DED95-0024A47F]
      000DED95 - Data Size: 0016B6A3
      000DED95 - Header Size: 00000048

000DEDDD - FFFFFFFF             Padding
000DEDE1 - FFFFFFFF             Padding
000DEDE5 - FFFFFFFF             Padding
000DEDE9 - FFFFFFFF             Padding
000DEDED - AA995566             Sync Word (BPI/SPI Mode)
000DEDF1 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
000DEDF5 - 2000                 T1 - 0000000  NOP       (1x)
000DEDF7 - 31A1 0628            T1 W 0000001  FLR
000DEDFB - 3141 3D00            T1 W 0000001  COR1
000DEDFF - 3161 09EE            T1 W 0000001  COR2
000DEE03 - 31C2 04008093        T1 W 0000002  IDCODE
000DEE09 - 30E1 00CF            T1 W 0000001  MASK
000DEE0D - 30C1 0081            T1 W 0000001  CTL
000DEE11 - 2000                 T1 - 0000000  NOP       (17x)
000DEE33 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
000DEE37 - 3181 0881            T1 W 0000001  PWRDN_REG
000DEE3B - 3421 0000            T1 W 0000001  EYE_MASK
000DEE3F - 3201 001F            T1 W 0000001  HC_OPT_REG
000DEE43 - 31E1 FFFF            T1 W 0000001  CWDT
000DEE47 - 3321 0005            T1 W 0000001  PU_GWE
000DEE4B - 3341 0004            T1 W 0000001  PU_GTS
000DEE4F - 3301 0100            T1 W 0000001  MODE_REG
000DEE53 - 3261 0000            T1 W 0000001  GENERAL1
000DEE57 - 3281 0000            T1 W 0000001  GENERAL2
000DEE5B - 32A1 0000            T1 W 0000001  GENERAL3
000DEE5F - 32C1 0000            T1 W 0000001  GENERAL4
000DEE63 - 32E1 0000            T1 W 0000001  GENERAL5
000DEE67 - 33A1 1BE2            T1 W 0000001  SEU_OPT
000DEE6B - 33C2 00000000        T1 W 0000002  EXP_SIGN
000DEE71 - 2000                 T1 - 0000000  NOP       (2x)
000DEE75 - 3022 00000000        T1 W 0000002  FAR_MAJ
000DEE7B - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000DEE7F - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0030A883
002493DB - 2000                 T1 - 0000000  NOP       (24x)
0024940B - 3022 00040017        T1 W 0000002  FAR_MAJ
00249411 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00249415 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00024B83
00249523 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00249529 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001EE1DD
00249637 - 3022 001A0017        T1 W 0000002  FAR_MAJ
0024963D - 5060 00000082        T2 W 0000082  FDRI      CRC: 0020C6C9
0024974B - 3022 00230017        T1 W 0000002  FAR_MAJ
00249751 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0001E99E
0024985F - 3022 01040017        T1 W 0000002  FAR_MAJ
00249865 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003117C6
00249973 - 3022 010D0017        T1 W 0000002  FAR_MAJ
00249979 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00294671
00249A87 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00249A8D - 5060 00000082        T2 W 0000082  FDRI      CRC: 002473B9
00249B9B - 3022 01230017        T1 W 0000002  FAR_MAJ
00249BA1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E65E7
00249CAF - 3022 021A0017        T1 W 0000002  FAR_MAJ
00249CB5 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002675A2
00249DC3 - 3022 02230017        T1 W 0000002  FAR_MAJ
00249DC9 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00192AA0
00249ED7 - 3022 03040017        T1 W 0000002  FAR_MAJ
00249EDD - 5060 00000082        T2 W 0000082  FDRI      CRC: 0010969D
00249FEB - 3022 04040017        T1 W 0000002  FAR_MAJ
00249FF1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0028B252
0024A0FF - 3022 041A0017        T1 W 0000002  FAR_MAJ
0024A105 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002E7925
0024A213 - 3022 051A0017        T1 W 0000002  FAR_MAJ
0024A219 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005A5E5
0024A327 - 3022 07230017        T1 W 0000002  FAR_MAJ
0024A32D - 5060 00000082        T2 W 0000082  FDRI      CRC: 00158043
0024A43B - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A43F - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0024A443 - 2000                 T1 - 0000000  NOP       (4x)
0024A44B - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A44F - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0024A453 - 30E1 00FF            T1 W 0000001  MASK
0024A457 - 30C1 0081            T1 W 0000001  CTL
0024A45B - 3002 002E7B9D        T1 W 0000002  CRC
0024A461 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
0024A465 - 2000                 T1 - 0000000  NOP       (13x)
    Section processed OK
****************************************************
03  0000004A --- 20160922  [0024A480-003B5C7E]
      0024A480 - Data Size: 0016B7B7
      0024A480 - Header Size: 00000048

0024A4C8 - FFFFFFFF             Padding
0024A4CC - FFFFFFFF             Padding
0024A4D0 - FFFFFFFF             Padding
0024A4D4 - FFFFFFFF             Padding
0024A4D8 - AA995566             Sync Word (BPI/SPI Mode)
0024A4DC - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
0024A4E0 - 2000                 T1 - 0000000  NOP       (1x)
0024A4E2 - 31A1 0628            T1 W 0000001  FLR
0024A4E6 - 3141 3D00            T1 W 0000001  COR1
0024A4EA - 3161 09EE            T1 W 0000001  COR2
0024A4EE - 31C2 04008093        T1 W 0000002  IDCODE
0024A4F4 - 30E1 00CF            T1 W 0000001  MASK
0024A4F8 - 30C1 0081            T1 W 0000001  CTL
0024A4FC - 2000                 T1 - 0000000  NOP       (17x)
0024A51E - 3381 3CC8            T1 W 0000001  CCLK_FREQ
0024A522 - 3181 0881            T1 W 0000001  PWRDN_REG
0024A526 - 3421 0000            T1 W 0000001  EYE_MASK
0024A52A - 3201 001F            T1 W 0000001  HC_OPT_REG
0024A52E - 31E1 FFFF            T1 W 0000001  CWDT
0024A532 - 3321 0005            T1 W 0000001  PU_GWE
0024A536 - 3341 0004            T1 W 0000001  PU_GTS
0024A53A - 3301 0100            T1 W 0000001  MODE_REG
0024A53E - 3261 0000            T1 W 0000001  GENERAL1
0024A542 - 3281 0000            T1 W 0000001  GENERAL2
0024A546 - 32A1 0000            T1 W 0000001  GENERAL3
0024A54A - 32C1 0000            T1 W 0000001  GENERAL4
0024A54E - 32E1 0000            T1 W 0000001  GENERAL5
0024A552 - 33A1 1BE2            T1 W 0000001  SEU_OPT
0024A556 - 33C2 00000000        T1 W 0000002  EXP_SIGN
0024A55C - 2000                 T1 - 0000000  NOP       (2x)
0024A560 - 3022 00000000        T1 W 0000002  FAR_MAJ
0024A566 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
0024A56A - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 002483B9
003B4AC6 - 2000                 T1 - 0000000  NOP       (24x)
003B4AF6 - 3022 01230017        T1 W 0000002  FAR_MAJ
003B4AFC - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B4B00 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005A45A
003B4C0E - 3022 021A0017        T1 W 0000002  FAR_MAJ
003B4C14 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003FDEB8
003B4D22 - 3022 02230017        T1 W 0000002  FAR_MAJ
003B4D28 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00327927
003B4E36 - 3022 03040017        T1 W 0000002  FAR_MAJ
003B4E3C - 5060 00000082        T2 W 0000082  FDRI      CRC: 001F0CCB
003B4F4A - 3022 030D0017        T1 W 0000002  FAR_MAJ
003B4F50 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002995C9
003B505E - 3022 031A0017        T1 W 0000002  FAR_MAJ
003B5064 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00374AD7
003B5172 - 3022 03230017        T1 W 0000002  FAR_MAJ
003B5178 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000B2C82
003B5286 - 3022 04040017        T1 W 0000002  FAR_MAJ
003B528C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0013E5DB
003B539A - 3022 040D0017        T1 W 0000002  FAR_MAJ
003B53A0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001EF8CF
003B54AE - 3022 041A0017        T1 W 0000002  FAR_MAJ
003B54B4 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00385AC2
003B55C2 - 3022 04230017        T1 W 0000002  FAR_MAJ
003B55C8 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002C7B03
003B56D6 - 3022 05040017        T1 W 0000002  FAR_MAJ
003B56DC - 5060 00000082        T2 W 0000082  FDRI      CRC: 001FC3EF
003B57EA - 3022 050D0017        T1 W 0000002  FAR_MAJ
003B57F0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003F9D02
003B58FE - 3022 05230017        T1 W 0000002  FAR_MAJ
003B5904 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A7833
003B5A12 - 3022 06040017        T1 W 0000002  FAR_MAJ
003B5A18 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00266FD4
003B5B26 - 3022 06230017        T1 W 0000002  FAR_MAJ
003B5B2C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0032FDA2
003B5C3A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5C3E - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
003B5C42 - 2000                 T1 - 0000000  NOP       (4x)
003B5C4A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5C4E - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
003B5C52 - 30E1 00FF            T1 W 0000001  MASK
003B5C56 - 30C1 0081            T1 W 0000001  CTL
003B5C5A - 3002 0020E07A        T1 W 0000002  CRC
003B5C60 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
003B5C64 - 2000                 T1 - 0000000  NOP       (13x)
    Section processed OK
****************************************************
04  00000059 --- 20160922  [003B5C7F-005219E1]
      003B5C7F - Data Size: 0016BD1B
      003B5C7F - Header Size: 00000048

003B5CC7 - FFFFFFFF             Padding
003B5CCB - FFFFFFFF             Padding
003B5CCF - FFFFFFFF             Padding
003B5CD3 - FFFFFFFF             Padding
003B5CD7 - AA995566             Sync Word (BPI/SPI Mode)
003B5CDB - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
003B5CDF - 2000                 T1 - 0000000  NOP       (1x)
003B5CE1 - 31A1 0628            T1 W 0000001  FLR
003B5CE5 - 3141 3D08            T1 W 0000001  COR1
003B5CE9 - 3161 09EE            T1 W 0000001  COR2
003B5CED - 31C2 04008093        T1 W 0000002  IDCODE
003B5CF3 - 30E1 00CF            T1 W 0000001  MASK
003B5CF7 - 30C1 0081            T1 W 0000001  CTL
003B5CFB - 2000                 T1 - 0000000  NOP       (17x)
003B5D1D - 3381 3CC8            T1 W 0000001  CCLK_FREQ
003B5D21 - 3181 0881            T1 W 0000001  PWRDN_REG
003B5D25 - 3421 0000            T1 W 0000001  EYE_MASK
003B5D29 - 3201 001F            T1 W 0000001  HC_OPT_REG
003B5D2D - 31E1 FFFF            T1 W 0000001  CWDT
003B5D31 - 3321 0005            T1 W 0000001  PU_GWE
003B5D35 - 3341 0004            T1 W 0000001  PU_GTS
003B5D39 - 3301 0100            T1 W 0000001  MODE_REG
003B5D3D - 3261 0000            T1 W 0000001  GENERAL1
003B5D41 - 3281 0000            T1 W 0000001  GENERAL2
003B5D45 - 32A1 0000            T1 W 0000001  GENERAL3
003B5D49 - 32C1 0000            T1 W 0000001  GENERAL4
003B5D4D - 32E1 0000            T1 W 0000001  GENERAL5
003B5D51 - 33A1 1BE2            T1 W 0000001  SEU_OPT
003B5D55 - 33C2 00000000        T1 W 0000002  EXP_SIGN
003B5D5B - 2000                 T1 - 0000000  NOP       (2x)
003B5D5F - 3022 00000000        T1 W 0000002  FAR_MAJ
003B5D65 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B5D69 - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0003C50A
005202C5 - 2000                 T1 - 0000000  NOP       (24x)
005202F5 - 3022 00040017        T1 W 0000002  FAR_MAJ
005202FB - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
005202FF - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E1099
0052040D - 3022 000D0017        T1 W 0000002  FAR_MAJ
00520413 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002FEF01
00520521 - 3022 001A0017        T1 W 0000002  FAR_MAJ
00520527 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000EC6B1
00520635 - 3022 01040017        T1 W 0000002  FAR_MAJ
0052063B - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A1576
00520749 - 3022 010D0017        T1 W 0000002  FAR_MAJ
0052074F - 5060 00000082        T2 W 0000082  FDRI      CRC: 000C458E
0052085D - 3022 011A0017        T1 W 0000002  FAR_MAJ
00520863 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A9D1D
00520971 - 3022 01230017        T1 W 0000002  FAR_MAJ
00520977 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A1B36
00520A85 - 3022 02040017        T1 W 0000002  FAR_MAJ
00520A8B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005C494
00520B99 - 3022 020D0017        T1 W 0000002  FAR_MAJ
00520B9F - 5060 00000082        T2 W 0000082  FDRI      CRC: 00076315
00520CAD - 3022 03040017        T1 W 0000002  FAR_MAJ
00520CB3 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0026FBD1
00520DC1 - 3022 030D0017        T1 W 0000002  FAR_MAJ
00520DC7 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002525AE
00520ED5 - 3022 04040017        T1 W 0000002  FAR_MAJ
00520EDB - 5060 00000082        T2 W 0000082  FDRI      CRC: 002DED8E
00520FE9 - 3022 040D0017        T1 W 0000002  FAR_MAJ
00520FEF - 5060 00000082        T2 W 0000082  FDRI      CRC: 000785AD
005210FD - 3022 041A0017        T1 W 0000002  FAR_MAJ
00521103 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00173D17
00521211 - 3022 04230017        T1 W 0000002  FAR_MAJ
00521217 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038A0E7
00521325 - 3022 05040017        T1 W 0000002  FAR_MAJ
0052132B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0019B766
00521439 - 3022 051A0017        T1 W 0000002  FAR_MAJ
0052143F - 5060 00000082        T2 W 0000082  FDRI      CRC: 0028C4B0
0052154D - 3022 05230017        T1 W 0000002  FAR_MAJ
00521553 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002B3B85
00521661 - 3022 06040017        T1 W 0000002  FAR_MAJ
00521667 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001B9738
00521775 - 3022 061A0017        T1 W 0000002  FAR_MAJ
0052177B - 5060 00000082        T2 W 0000082  FDRI      CRC: 002795C7
00521889 - 3022 06230017        T1 W 0000002  FAR_MAJ
0052188F - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038E821
0052199D - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
005219A1 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
005219A5 - 2000                 T1 - 0000000  NOP       (4x)
005219AD - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
005219B1 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
005219B5 - 30E1 00FF            T1 W 0000001  MASK
005219B9 - 30C1 0081            T1 W 0000001  CTL
005219BD - 3002 002025B0        T1 W 0000002  CRC
005219C3 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
005219C7 - 2000                 T1 - 0000000  NOP       (13x)
    Section processed OK
****************************************************
05  00000068 --- 1.2.2.2   [005219E2-00656E68]
005219E2 - Removing block encapsulations from Block Area [005219E2-00656E68]

Total bytes extracted (from the blocks): 000FFEDE    Block area processed OK

Buffer Size: 00006DEA bytes (after converting from 16 to 8 bits)

0x00000000  DXE 0000 (Data Size: 00006DD4) [00000000-00006DE1]
Processor Type: ADSP-BF533/534/536/537/538/539 (boot address: 0xFFA00000)
Orig Offset:    Offset:         Block:  Target Add:     Byte Count:     Flags:  [  start -   end  ]
00000000 ---    0x00000000      0000    FF800040        00000004        0012    [0000000A-0000000D]  resvect ignore
0000001C ---    0x0000000E      0001    FF800000        000022B0        0002    [00000018-000022C7]  resvect
00004590 ---    0x000022C8      0002    FF8022B0        00000010        0003                         zero-fill resvect
000045A4 ---    0x000022D2      0003    FF8022C0        00000010        0002    [000022DC-000022EB]  resvect
000045D8 ---    0x000022EC      0004    FF8022D0        0000029E        0002    [000022F6-00002593]  resvect
00004B28 ---    0x00002594      0005    FF80256E        0000000E        0003                         zero-fill resvect
00004B3C ---    0x0000259E      0006    FF80257C        000009BA        0002    [000025A8-00002F61]  resvect
00005EC4 ---    0x00002F62      0007    FF802F36        000000AA        0003                         zero-fill resvect
00005ED8 ---    0x00002F6C      0008    FF802FE0        0000000C        0002    [00002F76-00002F81]  resvect
00005F04 ---    0x00002F82      0009    FF902000        00000004        0002    [00002F8C-00002F8F]  resvect
00005F20 ---    0x00002F90      000A    FF902004        00000068        0003                         zero-fill resvect
00005F34 ---    0x00002F9A      000B    FFA00000        00003E32        0002    [00002FA4-00006DD5]  resvect
0000DBAC ---    0x00006DD6      000C    FFA00000        00000002        000A    [00006DE0-00006DE1]  resvect init

0000DBC4 --- ZLIB Decompressed Size: 002A0BE0
0000DBCC --- ZLIB Compressed Block Size: 000F230A [0000DBD4-000FFEDD]
****************************************************
  File Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [00656E69-006D6E67]
      00656E69 - ?????: 0000DCBB
      00656E6D - Data Size: 0006B930
      00656E71 - Name: 3.1.1.13 ???
      00656E7D - Section Data [00656E7D-006C27AC]
08  00000095 ---

Quote
I did the same with my SDS2000X with the same effect. It seems that the serial console had been disabled already in u-boot.

No need for JTAG. You can try to look inside the Blackfin code if there is something that might indicate Serial output. The ZLIB decompressed Blackfin (block 5)  code is attached.  You don't have any U-Boot in this scope!


For comparison, here is a parsing of the SDG800 (latest fw - SDG800 V100R008B01D01P12R2.ADS):

Code: [Select]
File Header Size: 00000070
00000000 - File Checksum: CC58A027 [000004-EOF] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 0067D31D (without 0x70 bytes of the File Header)
00000008 - Section Size: 00000000
0000000C - Blocks Area: 00000002 [0067D31B-0067D31C]
00000026 - Vendor/Content: SIGLENT
0000003A - Version: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0033E98F until 0x0067D31C
****************************************************
00000000 --- Section Checksum: FD6D33CE
00000004 --- Section Size: 0004B034 [00000034-0004B067]  CKSM OK
00000008 --- Section # 00000006
  00000034 - Section Type: Logo
  00000038 - Data Checksum: FD6D37D3 [0000003C-0004B067]
  0000003C - Data Size: 0004B034
  00000040 - Section Header Size: 00000028
00000034 --- 0004B067  ***** Logo file (320x240 RGB32) *****
****************************************************
0004B068 --- Section Checksum: CC92757D
0004B06C --- Section Size: 00632281 [0004B09C-0067D31C]  CKSM OK
0004B070 --- Section # 00000007
0004B09C --- 0067D31C  ***** ZIP file *****
****************************************************
  File Processed OK
Title: Re: Siglent .ads firmware file format
Post by: cu6apum on September 12, 2017, 07:45:50 pm
The parsing of the latest SDS2000X fw is:
Thank you all for a great job.
Has anybody got to the Linux filesystem? I'd like to change something and pack it back...  :-/O
Title: Re: Siglent .ads firmware file format
Post by: tv84 on September 13, 2017, 04:08:01 pm
I could try to pack it back, but it would be the first time. The only hurdle in repacking the SDS2K fw is to encapsulate the ZLIB in the blocks.

Title: Re: Siglent .ads firmware file format
Post by: cu6apum on September 13, 2017, 06:40:38 pm
I haven't split the image yet, short on time.
Funny if I can brick the device...
Title: Re: Siglent .ads firmware file format
Post by: uuftc on September 13, 2017, 10:32:45 pm
Has anybody got to the Linux filesystem? I'd like to change something and pack it back...  :-/O
IMHO, SDS2000x firmware is not based on Linux.
Part 5 contains almost all the bf53x code including the TCP stack (LWIP).
I do not understand the fact that the teardown video https://youtu.be/E3B4OTV8f1o?t=1376 clearly shows the processor mark bf531, while the entry point corresponds to bf533 (0xFFA00000). See page 6 of http://www.analog.com/media/en/technical-documentation/data-sheets/ADSP-BF531_BF532_BF533.pdf
Title: Re: Siglent .ads firmware file format
Post by: tv84 on September 14, 2017, 09:27:27 am
The parsing of sds2kx_V100R02B01D02P02_fvA1609220922M160922_NO_BLOCKS_DECOMPRESSED.bin (blackfin LDR) is in the attached file.

The FFA08000 range (BF531 boot address) is overwritten with the last block.

I'm guessing that as long as you ensure that it has a correct boot code at FFA08000 you could go along with the initial "false" FFA00000 boot address.
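The block walk behind the question of what finally sits at 0xFFA08000, as an added example (not code from the thread or from any Siglent tool): it parses an ADSP-BF53x LDR stream and reports which block is the last to write a given address. The 10-byte little-endian header and the FINAL flag are assumptions based on the Blackfin loader format and on the offsets in the block listing earlier in the thread; the sample stream is constructed, not taken from a firmware file.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Flag bits as named in the thread's listing: 0x0012 = "resvect ignore",
# 0x0003 = "zero-fill resvect", 0x000A = "resvect init". FINAL (0x8000) is an
# assumption from the ADSP-BF53x loader format; the listing never shows it.
ZEROFILL, RESVECT, INIT, IGNORE, FINAL = 0x0001, 0x0002, 0x0008, 0x0010, 0x8000
FLAG_NAMES = [(ZEROFILL, "zero-fill"), (RESVECT, "resvect"), (INIT, "init"),
              (IGNORE, "ignore"), (FINAL, "final")]
# Assumed header: target address, byte count, flags; 10 bytes, little-endian.
HEADER = struct.Struct("<IIH")


@dataclass
class LdrBlock:
    index: int
    offset: int                 # header offset inside the LDR stream
    address: int                # target address in Blackfin memory
    count: int                  # bytes written at the target
    flags: int
    data_offset: Optional[int]  # None for zero-fill blocks (no payload stored)

    @property
    def flag_names(self) -> str:
        return " ".join(name for bit, name in FLAG_NAMES if self.flags & bit)

    def writes(self, addr: int) -> bool:
        """True if the boot ROM would place this block over addr."""
        if self.flags & IGNORE:  # payload is skipped, nothing is written
            return False
        return self.address <= addr < self.address + self.count


def parse_ldr(stream: bytes) -> List[LdrBlock]:
    """Walk the block headers; reject streams whose sizes run past the end."""
    blocks, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < HEADER.size:
            raise ValueError(f"truncated block header at 0x{pos:X}")
        address, count, flags = HEADER.unpack_from(stream, pos)
        zero_fill = bool(flags & ZEROFILL)
        payload = 0 if zero_fill else count
        end = pos + HEADER.size + payload
        if end > len(stream):
            raise ValueError(f"block {len(blocks)} payload runs past end of stream")
        blocks.append(LdrBlock(len(blocks), pos, address, count, flags,
                               None if zero_fill else pos + HEADER.size))
        pos = end
        if flags & FINAL:
            break
    return blocks


def last_writer(blocks: List[LdrBlock], addr: int) -> Optional[LdrBlock]:
    """Return the block whose contents end up at addr after the whole load."""
    hit = None
    for block in blocks:  # stream order: later blocks overwrite earlier ones
        if block.writes(addr):
            hit = block
    return hit


def build_sample() -> bytes:
    """Constructed stream; the flag values mirror rows of the listing."""
    def block(address, count, flags):
        payload = b"" if flags & ZEROFILL else b"\xAA" * count
        return HEADER.pack(address, count, flags) + payload
    return b"".join([
        block(0xFF800040, 0x0004, 0x0012),          # resvect ignore
        block(0xFF800000, 0x0020, 0x0002),          # resvect
        block(0xFF800020, 0x0010, 0x0003),          # zero-fill resvect
        block(0xFFA00000, 0x9000, 0x0002),          # code spanning 0xFFA08000
        block(0xFFA00000, 0x0002, 0x000A),          # resvect init
        block(0xFFA08000, 0x0100, 0x0002 | FINAL),  # last block, rewrites boot area
    ])


if __name__ == "__main__":
    parsed = parse_ldr(build_sample())
    for b in parsed:
        data = "" if b.data_offset is None else \
            f"[{b.data_offset:08X}-{b.data_offset + b.count - 1:08X}]"
        print(f"0x{b.offset:08X}  {b.index:04X}  {b.address:08X}  {b.count:08X}  "
              f"{b.flags:04X}  {data:<21}  {b.flag_names}")
    for addr in (0xFFA00000, 0xFFA08000):
        w = last_writer(parsed, addr)
        print(f"{addr:08X} is finally written by block {w.index:04X}")
```

Run against a real decompressed LDR, `last_writer(blocks, 0xFFA08000)` shows whether a repacked image still ends with valid code at the BF531 boot address.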
Title: Re: Siglent .ads firmware file format
Post by: tv84 on September 30, 2017, 08:02:54 pm
Now that I've discovered how to decompress Altera FPGA streams, I returned to a type of block that I hadn't parsed before:

- Block 03 of the SDS1000X_V100R001B01D02P1503.ADS firmware

It's an Altera FPGA (EP4CE6 or EP4CE10) stream:

Code: [Select]
         [00000048                      00000021]
Bit 7  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 6  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 5  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 4  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 3  - 1111111111111111111111111110011010000000       FFFFFFE680
Bit 2  - 0000101100000110000000111000000000111111       0B0603803F
Bit 1  - 1111000000000111100011000000011111111111       F0078C07FF
Bit 0  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bits 0080 - EPCS/EPCQ ID check: Enabled
Bits 005F - Stream size: 1.444.871 bits  (0002C181 bytes)  Compression Bit ON  (+1) 
Bits 0056 - 0000 0000 : 0x56-0x5D
Bits 004C - Programming Mode: 1-bit Passive Serial
Bits 003B - IDCode (Version+Part Number only): 0x020F1
Bits 0008 - Usercode: FFFFFFFF
00000049 - Header CRC-16_MODBUS: BD40  [00000021-00000048]        CRC OK
0000004B - Data Framesize: 207  [0000004B-000000F1]
000000F2 - 4-byte words: 1260  [000000F2-000014A1]
000014A2 - Stream Size (Uncompressed): 2.944.056 bits
000014A2 - CRC Framesize: 207+0     # Data Frames: 1727  [000014A2-00059D4F]
00059D50 - Post-device bitstream pad bytes (0xFF): 55  [00059D50-00059D86]
File Checksum: 00C2D766

and, as a curiosity, a graphical image of its decompressed content (8 bits/pixel) is attached (without the frame CRCs).
Title: Re: Siglent .ads firmware file format
Post by: Tsippaduida on October 16, 2017, 09:41:05 pm
A quick look into the Blackfin code with strings reveals funny things.

This you might expect:
$ strings sds2kx_V100R02B01D02P02_fvA1609220922M160922_NO_BLOCKS_DECOMPRESSED.bin | grep -i siglent
SIGLENT TEST
SIGLENT
Siglent Technologies Co,. Ltd.

This might be a minor surprise:
$ strings sds2kx_V100R02B01D02P02_fvA1609220922M160922_NO_BLOCKS_DECOMPRESSED.bin | grep -i lecroy
LECROY_2_3
LECROY,WA200,600300,5.01
; LeCroy Digital Oscilloscopes,
LECROY

Great work in decoding these firmware files. Had only a short glimpse into this, but it was fun.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 20, 2017, 07:17:12 pm
If you search carefully in that file, you can see the designations of several brands/models:

Brands:
ATTEN, LECROY, SIGLENT, BK, AKIP, METRIX, SDS

Code: [Select]
Atten, (Aktakom, ?):
ADS2024, ADS2044, ADS2064, ADS2104, ADS2154, ADS2204, ADS2304, ADS2054, ADS2074, ADS2022, ADS2042, ADS2062, ADS2102, ADS2152, ADS2202, ADS2302, ADS2052, ADS2072

Lecroy:
WA204, WaveAce2014, WaveAce2024, WaveAce2034, WaveAce2004, WA202, WaveAce2012, WaveAce2022, WaveAce2032, WaveAce2002

AKIP:
AKIP-4126, AKIP-4126/2A, AKIP-4126/3A, AKIP-4126/4A, AKIP-4126/1A, AKIP-4126/2, AKIP-4126/3, AKIP-4126/4, AKIP-4126/1

Siglent:
SDS2022X, SDS2042X, SDS2062X, SDS2102X, SDS2152X, SDS2202X, SDS2302X, SDS2052X, SDS2072X, SDS2024X, SDS2044X, SDS2064X, SDS2104X, SDS2154X, SDS2204X, SDS2304X, SDS2054X, SDS2074X
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 29, 2017, 08:19:45 pm
Attached is a log of the parsing of (almost) all the Siglent .ADS files available (all models) + some Lecroy + some Atten.


The only part that I still haven't figured out is Section 7 of SDS1000/SDS2000 files. But it's probably the CPLD programming of those scopes.

Edit7: updated Sep 23rd, 2018  - Added all the recent FW updates
Title: Re: Siglent .ads firmware file format
Post by: tv84 on November 12, 2017, 07:29:56 pm
The SDS1000 FW files sometimes come with a .CFG file which contains the scope logo image and ID strings of the model involved.

Attached is a ZIP with some of those .CFG taken from several SDS1000_Update files.

Their format is simple but I couldn't work out all the fields involved:

Code: [Select]
F:\zscan\original\Siglent\cfg\2000SIGLENT.cfg
Reversing 1st part of the file [00000000-0005E0E3]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0002F072 until 0x0005E0E3

00000000 - Main Checksum: FFD1EE25 [00000004-0005E0E3]  CKSM OK
00000004 - ***** Boot Logo image (800x480 8-bit w/ RGB32 palette) ***** [00000004-0005E003]
0005E004 - Vendor: SIGLENT                         
0005E024 - CFG Type: SDS2000             
0005E038 - Manufacturer: Siglent
0005E040 - Ref1 (?): 00000000
0005E044 - HW Version: 1
0005E048 - Image Size: 00119400 (384.000 pixels)
0005E04C - Magic Number (?): EE3AEE38EE39
0005E052 - Ref2 (?): F4EC
0005E054 - Product Family: SDS
0005E05C - Company: Siglent Technologies Co,. Ltd.                                 
0005E09C - Image flags (?): 01 01 01 01 00 01 01 00 00 00 00 00 00 00 00 00                                                 
0005E0E4 - Footer Checksum: FFFF8BB9 [0005E0E8-0005E184]  CKSM OK
0005E0EC - Product Type 0:               
0005E0FB - Product Type 1:               
0005E10A - Product Type 2:               
0005E119 - Product Type 3:               
0005E128 - Product Type 4:               
0005E137 - Product Type 5:               
0005E146 - Product Type 6:               
0005E155 - Product Type 7:               
0005E164 - Product Type 8:               
0005E173 - Product Type 9:               


F:\zscan\original\Siglent\cfg\LeCroy_CF.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FDF472FE [00000004-00036E55]  CKSM OK
00000004 - Vendor: LECROY                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: LeCroy 
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 70
00000048 - Image Size: 00036D7E (74.880 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): 05FF
00000054 - Product Family: WA 
00000058 - Company: LeCroy Corp                                                     
00000098 - Image flags (?): 00 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (320x234 RGB24) ***** [000000D8-00036E55]
00036E56 - Footer Checksum: FFFF8BB9 [00036E5A-00036EF6]  CKSM OK
00036E5E - Product Type 0:               
00036E6D - Product Type 1:               
00036E7C - Product Type 2:               
00036E8B - Product Type 3:               
00036E9A - Product Type 4:               
00036EA9 - Product Type 5:               
00036EB8 - Product Type 6:               
00036EC7 - Product Type 7:               
00036ED6 - Product Type 8:               
00036EE5 - Product Type 9:               


F:\zscan\original\Siglent\cfg\SDS2000.cfg
Reversing 1st part of the file [00000000-0005E0E3]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0002F072 until 0x0005E0E3

00000000 - Main Checksum: FFFC3864 [00000004-0005E0E3]  CKSM OK
00000004 - ***** Boot Logo image (800x480 8-bit w/ RGB32 palette) ***** [00000004-0005E003]
0005E004 - Vendor: SIGLENT                         
0005E024 - CFG Type: SDS2000             
0005E038 - Manufacturer: Siglent
0005E040 - Ref1 (?): 00000000
0005E044 - HW Version: 1
0005E048 - Image Size: 00119400 (384.000 pixels)
0005E04C - Magic Number (?): EE3AEE38EE39
0005E052 - Ref2 (?): F4EC
0005E054 - Product Family: SDS
0005E05C - Company: Siglent Technologies Co,. Ltd.                                 
0005E09C - Image flags (?): 01 01 01 01 00 01 01 00 00 00 00 18 0B 02 00 00                                                 
0005E0E4 - Footer Checksum: FFFF415D [0005E0E8-0005E21C]  CKSM OK
0005E0EC - Product Type 0:               
0005E0FB - Product Type 1:               
0005E10A - Product Type 2:               
0005E119 - Product Type 3: SDS2102       
0005E128 - Product Type 4: SDS2152       
0005E137 - Product Type 5: SDS2202       
0005E146 - Product Type 6:               
0005E155 - Product Type 7: SDS2302       
0005E164 - Product Type 8:               
0005E173 - Product Type 9: SDS2072       
0005E182 - Product Type 10:               
0005E191 - Product Type 11:               
0005E1A0 - Product Type 12:               
0005E1AF - Product Type 13: SDS2104       
0005E1BE - Product Type 14: SDS2154       
0005E1CD - Product Type 15: SDS2204       
0005E1DC - Product Type 16:               
0005E1EB - Product Type 17: SDS2304       
0005E1FA - Product Type 18:               
0005E209 - Product Type 19: SDS2074       


F:\zscan\original\Siglent\cfg\Siglent_CFL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3CD [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 71
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFFA17C [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1104CFL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1204CFL     
0005257A - Product Type 6:               
00052589 - Product Type 7: SDS1304CFL     
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1074CFL     


F:\zscan\original\Siglent\cfg\Siglent_CFL_2CH.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3CD [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 71
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFFA184 [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CFL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1202CFL     
0005257A - Product Type 6:               
00052589 - Product Type 7: SDS1302CFL     
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CFL     


F:\zscan\original\Siglent\cfg\Siglent_CML.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C5 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 01000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF9BF8 [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CML     
0005255C - Product Type 4: SDS1152CML     
0005256B - Product Type 5:               
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CML     


F:\zscan\original\Siglent\cfg\Siglent_CNL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C6 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF968D [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CNL     
0005255C - Product Type 4:               
0005256B - Product Type 5:               
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CNL     


F:\zscan\original\Siglent\cfg\Siglent_DL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C6 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF9F6B [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0: SDS1022DL     
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102DL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1202DL     
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8: SDS1052DL     
000525A7 - Product Type 9:               

The imageB was taken from those SDS1000 files (byte-XORed with 0xFF).

Edit1: The SDS2000 was taken from a SDS2000 CFG.

The Lecroy logo was taken from the CFG in waveace2x4_5_05_02_14.zip (Lecroy website).

For those guys who have wrongly flashed SDS1000 FWs:

320x234 image = 5.7" LCD (SDS1000 non-"L" version)
480x234 image = 7" LCD (SDS1000 "L" version)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on November 16, 2017, 09:32:56 pm
If we look inside Atten ADS1000CML_V100R003B01D01P31R16.ADS.LDR (Blackfin code extracted from the .ADS ZLIB block), the parsing is in the ZIP, one can extract the Atten boot logo starting in the block at offset 0x497A0.  (480 x 234 RGB24 inverted)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on November 17, 2017, 10:52:38 pm
Taken from the FWs referenced in the image names.

PS: Un-inverted the SDG images. The SPD3303X has an embedded image like the SDG5000 but in .JPG format.

SDG1000 - 3.5" LCD
SDG5000 - 4.3" LCD
Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 02, 2017, 10:36:14 pm
Looking at all the .ADS files available (Siglent and others), I noticed a field (I assumed a UInt32) in the header of the files that seems to represent the "Product_ID" for which the file is intended. In all the files I've looked at, I think that this is the only field that may have that purpose.

I updated my parsings log in previous Posts.

Attached is a table with a compilation of those models/products.

The FWs that possess a NSP_config_upgrade_info.xml, confirm that information.


Edit: updated Feb 12, 2018
Edit: updated Jun 15, 2018, added SDG6000X(-E)
Edit: updated Jul 24, 2018, added SVA1000X
Edit: updated Sep 9, 2018, corrected SDS1002X-E exclusivity
Edit: updated Sep 15, 2018, added all SPD models (based on the EasyPower.exe)
Edit: updated Nov 14, 2018, added SSG3000X
Edit: updated Mar 3, 2019, added SDS5000X
Edit: updated Mar 14, 2019, added SDS2000X-E
Edit: updated May 11, 2019, added SPD1305X
Edit: updated July 4, 2019, added SDL1000X-E
Edit: updated June 2, 2020, added SDS2000X+ and others
Edit: updated April 30, 2021, added SSG5000X and new SVA/SSA

(https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/?action=dlattach;attach=1215759;image)
Title: Re: Siglent .ads firmware file format
Post by: janekivi on February 07, 2018, 04:06:43 pm
You can add new SDS1004X-E firmware to the table.
And SLA1016 too...
Title: Re: Siglent .ads firmware file format
Post by: tv84 on February 10, 2018, 10:26:11 am
Cool. Another equipment!

Code: [Select]
F:\zscan\original\Siglent\SLA1016_7.8.1.8.ADS  /  CRC32: 492B6D07
File Header Size: 00000070
00000000 - File Checksum: D9EB15AD [00000004-004B4954] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 004B48E5 (without 0x70 bytes of the File Header)
0000000C - HW Version: 14501
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0025A473 until 0x004B48E4
****************************************************
00000000 --- Section Checksum: D8B146AD
00000004 --- Section Size: 004B48B1 [00000034-004B48E4]  CKSM OK
00000008 --- Section # 00000007
00000034 --- 004B48E4  ***** ZIP file *****
Offset    Ver  Flag  Comp  Size      Packed    Modified             CRC32                          Name         Extra Details
00000034  2.0  0000  0008  0000C483  00000F68  16-11-2017 18:03:02  A971148C  [00000065-00000FCC]  factory_setting.xml    000A
00000FCD  2.0  0000  0008  00C559D4  003D8B35  31-01-2018 13:43:29  5BC6F8E8  [00000FF7-003D9B2B]  sds1000b.app    000A
003D9B2C  2.0  0000  0008  003DBB68  000DA8BA  20-01-2018 10:50:22  18E4BC6E  [003D9B5F-004B4418]  top_sds1000b_fpga.bit    000A
004B4419  2.0  0000  0008  00000CD1  0000030A  08-11-2017 16:59:20  63FABAD6  [004B4440-004B4749]  update.sh    000A
Disk Entries: 4   Total Entries: 4   Directory Size: 389 bytes  [004B474A-004B48CE]
****************************************************

I'll add it in the next few days.
Title: Re: Siglent .ads firmware file format
Post by: tautech on February 10, 2018, 10:53:13 am
Cool. Another equipment!
SLA1016 is the LA hardware for the 4ch X-E models.
The SW licence that's needed to make it functional is SDS1000X-E-16LA
This LA ^ functionality has just been added to SDS1004X-E models in v7.6.1.20 firmware.

It's just one of 3 optional licence codes for these models. The other two of interest for some will be for WiFi and the AWG to get full functionality from the AWG USB module SAG1021.
SDS1000X-E-WIFI
SDS1000X-E-FG
Title: Re: Siglent .ads firmware file format
Post by: tv84 on February 12, 2018, 08:13:22 pm
I updated my parsing log of Siglent FWs:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892

and the models table:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1364981/#msg1364981

To commemorate the SLA:

.APP

Code: [Select]
00000000                 Magic: 7F454C46    ELF File OK
00000004                Format: 32-bits
00000005                  Data: Little endian
00000006               Version: 1
00000007                OS/ABI: System V (often set to this)
00000008           ABI Version: 0
00000010           Object Type: Executable
00000012       Instruction Set: ARM
00000014               Version: 1
00000018           Entry Point: 0000FD90
0000001C  Program Header Table: 00000034
00000020  Section Header Table: 00C5554C
00000024                 Flags: 05000002
00000028           Header Size: 00000034
0000002A  Program Headers Size: 00000020
0000002C Numb. Program Headers: 9
0000002E  Section Headers Size: 00000028
00000032 SH String Table Index: 28
**********  PROGRAM HEADERS:
          SegmType  SegmOffs  VirtAddr  PhysAddr  FilSegSz  MemSegSz  Flags     Align
00000034  70000001  008901D4  008981D4  008981D4  0004CAC8  0004CAC8  00000004  00000004
00000054  PHDR      00000034  00008034  00008034  00000120  00000120  00000005  00000004
00000074  INTERP    00000154  00008154  00008154  00000013  00000013  00000004  00000001
  00000154  [Requesting program interpreter: /lib/ld-linux.so.3 ]
00000094  LOAD      00000000  00008000  00008000  008DCCA0  008DCCA0  00000005  00008000
000000B4  LOAD      008DD000  008ED000  008ED000  003783F4  01F19B04  00000006  00008000
000000D4  DYNAMIC   008DDFD8  008EDFD8  008EDFD8  00000140  00000140  00000006  00000004
000000F4  NOTE      00000168  00008168  00008168  00000020  00000020  00000004  00000004
  00000168  [Owner: GNU ] [OS: Linux 2.6.16]
00000114  00000007  008DD000  008ED000  008ED000  00000000  00000004  00000004  00000004
00000134  6474E551  00000000  00000000  00000000  00000000  00000000  00000006  00000004
**********  SECTION HEADERS:
         [Nr] Name                          Type       VirtAddr Offset  Size    ES Flg Lk Inf Al
00C5554C [ 0]                               NULL       00000000 0000000 0000000 00 000  0   0  0
00C55574 [ 1] .interp                       PROGBITS   00008154 0000154 0000013 00 002  0   0  1
00C5559C [ 2] .note.ABI-tag                 NOTE       00008168 0000168 0000020 00 002  0   0  4
00C555C4 [ 3] .hash                         HASH       00008188 0000188 0000BD4 04 002  4   0  4
00C555EC [ 4] .dynsym                       DYNSYM     00008D5C 0000D5C 0001EC0 10 002  5   1  4
00C55614 [ 5] .dynstr                       STRTAB     0000AC1C 0002C1C 000262B 00 002  0   0  1
00C5563C [ 6] .gnu.version                  0x6FFFFFFF 0000D248 0005248 00003D8 02 002  4   0  2
00C55664 [ 7] .gnu.version_r                0x6FFFFFFE 0000D620 0005620 0000180 00 002  5   8  4
00C5568C [ 8] .rel.dyn                      REL        0000D7A0 00057A0 00000B8 08 002  4   0  4
00C556B4 [ 9] .rel.plt                      REL        0000D858 0005858 0000E00 08 002  4  11  4
00C556DC [10] .init                         PROGBITS   0000E658 0006658 000000C 00 006  0   0  4
00C55704 [11] .plt                          PROGBITS   0000E664 0006664 0001514 04 006  0   0  4
00C5572C [12] .text                         PROGBITS   0000FB80 0007B80 076BFB4 00 006  0   0 16
00C55754 [13] .fini                         PROGBITS   0077BB34 0773B34 0000008 00 006  0   0  4
00C5577C [14] .rodata                       PROGBITS   0077BB40 0773B40 0089EE0 00 002  0   0  8
00C557A4 [15] .ARM.extab                    PROGBITS   00805A20 07FDA20 00927B4 00 002  0   0  4
00C557CC [16] .ARM.exidx                    0x70000001 008981D4 08901D4 004CAC8 00 082 12   0  4
00C557F4 [17] .eh_frame                     PROGBITS   008E4C9C 08DCC9C 0000004 00 002  0   0  4
00C5581C [18] .tbss                         NOBITS     008ED000 08DD000 0000004 00 403  0   0  4
00C55844 [19] .init_array                   INIT_ARRAY 008ED000 08DD000 0000FD0 00 003  0   0  4
00C5586C [20] .fini_array                   FINI_ARRAY 008EDFD0 08DDFD0 0000004 00 003  0   0  4
00C55894 [21] .jcr                          PROGBITS   008EDFD4 08DDFD4 0000004 00 003  0   0  4
00C558BC [22] .dynamic                      DYNAMIC    008EDFD8 08DDFD8 0000140 08 003  5   0  4
00C558E4 [23] .got                          PROGBITS   008EE118 08DE118 0000720 04 003  0   0  4
00C5590C [24] .data                         PROGBITS   008EE838 08DE838 0376BBC 00 003  0   0  8
00C55934 [25] .bss                          NOBITS     00C653F8 0C553F4 1BA170C 00 003  0   0  8
00C5595C [26] .comment                      PROGBITS   00000000 0C553F4 0000030 01 030  0   0  1
00C55984 [27] .ARM.attributes               0x70000003 00000000 0C55424 0000033 00 000  0   0  1
00C559AC [28] .shstrtab                     STRTAB     00000000 0C55457 00000F4 00 000  0   0  1

.BIT (it's a Xilinx XC7Z020 bitstream)

Code: [Select]
00000000 - 0009         (0x0009) File Header Length
00000002 - 0FF00FF0     (0x0FF00FF0) File Header Long 1
00000006 - 0FF00FF0     (0x0FF00FF0) File Header Long 2
0000000A - 00           (0x00) File Header Zero
0000000B - 0001         (0x0001) Key Length
0000000D - 61 002E      (key a) Design Name: top_mso_fpga;UserID=0XFFFFFFFF;Version=2014.4
0000003E - 62 000C      (key b) Part Name: 7z020clg484
0000004D - 63 000B      (key c) Generation Date: 2018/01/20
0000005B - 64 0009      (key d) Generation Time: 10:50:44
00000067 - 65 003DBAFC  (key e) Bitstream Length: 003DBAFC  [0000006C-003DBB67]
--------------  BITSTREAM  ------------------------
0000006C - FFFFFFFF             Padding
00000070 - FFFFFFFF             Padding
00000074 - FFFFFFFF             Padding
00000078 - FFFFFFFF             Padding
0000007C - FFFFFFFF             Padding
00000080 - FFFFFFFF             Padding
00000084 - FFFFFFFF             Padding
00000088 - FFFFFFFF             Padding
0000008C - 000000BB             Bus width auto detect, word 1
00000090 - 11220044             Bus width auto detect, word 2
00000094 - FFFFFFFF             Padding
00000098 - FFFFFFFF             Padding
0000009C - AA995566             Sync Word (BPI/SPI Mode)
000000A0 - 20000000             T1 - 00000000  NOP      (1x)
000000A4 - 30022001 00000000    T1 W 00000001  TIMER
000000AC - 30020001 00000000    T1 W 00000001  WBSTAR
000000B4 - 30008001 00000000    T1 W 00000001  CMD      NULL - No Operation
000000BC - 20000000             T1 - 00000000  NOP      (1x)
000000C0 - 30008001 00000007    T1 W 00000001  CMD      RCRC - Reset CRC
000000C8 - 20000000             T1 - 00000000  NOP      (2x)
000000D0 - 30026001 00000000    T1 W 00000001  FALL_EDGE
000000D8 - 30012001 02003FE5    T1 W 00000001  COR0
000000E0 - 3001C001 00000000    T1 W 00000001  COR1
000000E8 - 30018001 03727093    T1 W 00000001  IDCODE
000000F0 - 30008001 00000009    T1 W 00000001  CMD      SWITCH - Switch CCLK Frequency
000000F8 - 20000000             T1 - 00000000  NOP      (1x)
000000FC - 3000C001 00000401    T1 W 00000001  MASK
00000104 - 3000A001 00000501    T1 W 00000001  CTL0
0000010C - 3000C001 00000000    T1 W 00000001  MASK
00000114 - 30030001 00000000    T1 W 00000001  CTL1
0000011C - 20000000             T1 - 00000000  NOP      (8x)
0000013C - 30002001 00000000    T1 W 00000001  FAR
00000144 - 30008001 00000001    T1 W 00000001  CMD      WCFG - Write Config Data
0000014C - 20000000             T1 - 00000000  NOP      (1x)
00000150 - 30004000             T1 W 00000000  FDRI
00000154 - 500F6C78             T2 W 000F6C78
003DB340 - 20000000             T1 - 00000000  NOP      (2x)
003DB348 - 30008001 0000000A    T1 W 00000001  CMD      GRESTORE - Pulse GRESTORE Signal
003DB350 - 20000000             T1 - 00000000  NOP      (1x)
003DB354 - 30008001 00000003    T1 W 00000001  CMD      DGHIGH/LFRM - Last Frame Write
003DB35C - 20000000             T1 - 00000000  NOP      (100x)
003DB4EC - 30008001 00000005    T1 W 00000001  CMD      START - Begin Startup Sequence
003DB4F4 - 20000000             T1 - 00000000  NOP      (1x)
003DB4F8 - 30002001 03BE0000    T1 W 00000001  FAR
003DB500 - 3000C001 00000501    T1 W 00000001  MASK
003DB508 - 3000A001 00000501    T1 W 00000001  CTL0
003DB510 - 30000001 E3AD7EA5    T1 W 00000001  CRC
003DB518 - 20000000             T1 - 00000000  NOP      (2x)
003DB520 - 30008001 0000000D    T1 W 00000001  CMD      DESYNC - Reset DALIGN Signal
003DB528 - 20000000             T1 - 00000000  NOP      (400x)

Didn't include them in the ZIP because they are too big.
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on March 07, 2018, 10:00:40 am
Fun that SDS10004X-E  FW update file (.ADS) is in reverse order.
Who could write the secret door key words of telnet song....
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 10, 2018, 10:55:57 am
Shadow file is something like this
Code: [Select]
root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::
siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::

Algorithm: SHA-512 / crypt(3) / $6$

https://samsclass.info/123/proj10/p12-hashcat.htm
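The fields of entries like the two quoted above can be read with a small parser, useful when auditing a firmware image for shipped credentials. This is an added example, not part of the original post; the sample lines use placeholder hash strings, and `SAMPLE_SHADOW`, the `SCHEMES` table and the function names are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample in shadow(5) layout; the hash strings are placeholders.
SAMPLE_SHADOW = """\
root:$6$ExampleSalt$PLACEHOLDERHASH:17177:0:99999:7:::
service:$1$abcdefgh$PLACEHOLDERHASH:17029:0:99999:7:::
tuned:$6$rounds=100000$ExampleSalt$PLACEHOLDERHASH:17029:0:99999:7:::
daemon:*:17000:0:99999:7:::
guest::17000:0:99999:7:::
"""

# crypt(3) modular-format identifiers -> scheme name
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
SALTED_IDS = {"1", "5", "6"}          # layouts of the form $id$salt$hash
SHA_CRYPT_DEFAULT_ROUNDS = 5000       # used when no rounds= parameter is present
WEAK_SCHEMES = {"DES-crypt", "MD5-crypt"}


def parse_hash(field):
    """Classify the second shadow field (the password hash)."""
    if field == "":
        return {"state": "empty"}                 # account needs no password
    if field[0] in "!*":
        return {"state": "locked"}                # password login disabled
    if not field.startswith("$"):
        return {"state": "set", "scheme": "DES-crypt",
                "salt": field[:2], "rounds": None}
    parts = field.split("$")                      # ['', id, salt or rounds=N, ...]
    ident = parts[1]
    scheme = SCHEMES.get(ident, "unknown($%s$)" % ident)
    salt, rounds = None, None
    if ident in SALTED_IDS and len(parts) > 2:
        salt = parts[2]
        if ident in ("5", "6"):
            rounds = SHA_CRYPT_DEFAULT_ROUNDS
            if salt.startswith("rounds=") and len(parts) > 3:
                rounds = int(salt[len("rounds="):])
                salt = parts[3]
    return {"state": "set", "scheme": scheme, "salt": salt, "rounds": rounds}


def parse_shadow_line(line):
    """Split one shadow entry into user, hash details and last-change date."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    entry = {"user": fields[0]}
    entry.update(parse_hash(fields[1]))
    # Third field: days since 1970-01-01 on which the password was last changed.
    entry["changed"] = (date(1970, 1, 1) + timedelta(days=int(fields[2]))
                        if fields[2] else None)
    return entry


def audit(text):
    """Return (user, finding) pairs for accounts that can log in with a password."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        if entry["state"] == "empty":
            findings.append((entry["user"], "no password required"))
        elif entry["state"] == "set":
            findings.append((entry["user"],
                             "password hash shipped in image (%s)" % entry["scheme"]))
            if entry["scheme"] in WEAK_SCHEMES:
                findings.append((entry["user"],
                                 "weak hash scheme %s" % entry["scheme"]))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        print(parse_shadow_line(line))
    for user, finding in audit(SAMPLE_SHADOW):
        print("%-8s %s" % (user, finding))
```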
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 11, 2018, 09:59:00 am
Shadow file is something like this
Code: [Select]
root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::
siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::

Algorithm: SHA-512 / crypt(3) / $6$

https://samsclass.info/123/proj10/p12-hashcat.htm

Which .ADS ? Have you released it with a known shadow?
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 11, 2018, 03:53:08 pm
This is in latest update files. They are the original passwords.
I don't have any hardware to do any replacing or hacking tests...
Title: Re: Siglent .ads firmware file format
Post by: ian.ameline on June 12, 2018, 01:29:30 pm
This is in latest update files. They are the original passwords.
I don't have any hardware to do any replacing ... tests...

I can volunteer to try an image with a substituted password (similar to that for the SDG2000 series.)



Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 12, 2018, 01:39:23 pm
I can volunteer to try an image with a substituted password (similar to that for the SDG2000 series.)

janekivi, now you have your first customer! :)
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 12, 2018, 03:47:48 pm
OK, but this time it may be bit tricky.
In normal update like SDS1004X-E_6.1.25R2 you don't see any passwords or anything else.
But they have released Operating System -V1 (Only For 4-Channel) update and there is
all the root file system for example. So looking into rootfs.cramfs in \etc\ is shadow. Now we
need to repack it after change and do the Operating System update again.
May be it is possible...
Otherwise my Radeon R9-390 decodes only 80000 passwords in sec - that may take years.
Title: Re: Siglent .ads firmware file format
Post by: ian.ameline on June 12, 2018, 04:07:13 pm
OK, but this time it may be bit tricky.
In normal update like SDS1004X-E_6.1.25R2 you don't see any passwords or anything else.
But they have released Operating System -V1 (Only For 4-Channel) update and there is
all the root file system for example. So looking into rootfs.cramfs in \etc\ is shadow. Now we
need to repack it after change and do the Operating System update again.
May be it is possible...
Otherwise my Radeon R9-390 decodes only 80000 passwords in sec - that may take years.

Yes -- I was assuming it would be the OS update that is modified to substitute a known password for the root account. (as was done for the SDG)
I'm fairly technically experienced -- many years of compiler development on unix platforms.
Cracking the password itself in less than years is not a good bet assuming they didn't choose a word in a dictionary.




Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 12, 2018, 04:33:51 pm
I see the cramfs can be made with mkfs.cramfs. You unpack all files and then generate new cramfs
from new files. There are many options and we need to know what format it needs to be exactly.
http://manpages.ubuntu.com/manpages/bionic/man8/mkfs.cramfs.8.html (http://manpages.ubuntu.com/manpages/bionic/man8/mkfs.cramfs.8.html)
Update is done during the startup so may be the wrong file don't kill it much and during next
startup we can try other file and so on...
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 12, 2018, 05:19:30 pm
This way I don't need to do anything.
You can take the update
https://www.siglentamerica.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series (https://www.siglentamerica.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series)
Unpack rootfs.cramfs file (with 7zip for example).
Generate new password for root (and siglent)
https://quickhash.com/crypt3-sha512-online (https://quickhash.com/crypt3-sha512-online)
Replace shadow file, then pack new rootfs.cramfs together with mkfs.cramfs your_filesdir rootfs.cramfs
Then put all files to USB and follow the PDF guide
Title: Re: Siglent .ads firmware file format
Post by: ian.ameline on June 12, 2018, 06:35:58 pm
I'll give that a shot later this week when I get some spare time.

Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 12, 2018, 07:53:02 pm
I can't get it use "best compression" but new file is only 25Kb bigger.
I don't know what you can do with it...

SDS1004X-E_OSV1_EN_eevblog.zip
Title: Re: Siglent .ads firmware file format
Post by: ian.ameline on June 12, 2018, 08:15:32 pm
Thanks -- I'll give it a try...
Title: Re: Siglent .ads firmware file format
Post by: ian.ameline on June 12, 2018, 08:25:20 pm
It appeared to copy the new OS over, but the machine freezes on boot -- all the panel leds are lit, the siglent logo is displayed on the lcd, but no activity -- even after 2 minutes.

Fortunately putting the old OS on the key and restarting loads the old OS back on and it works as expected -- no brick.

Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 13, 2018, 03:15:00 pm
So there is needed some tinkering with packing this rootfs.cramfs back together to get the needed output.
I did it with all default settings in Ubuntu. mkfs.cramfs my_filesdir rootfs.cramfs
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 13, 2018, 03:49:33 pm
In the extreme maybe we can patch only the shadow without extracting the whole cramfs...  ::)
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 13, 2018, 04:44:08 pm
But is there some crc or other critical attribute?
There may be something Siglent special.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 13, 2018, 05:28:26 pm
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip (http://s000.tinyupload.com/index.php?file_id=03539117620391626698)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 13, 2018, 07:04:28 pm
[000A09D6-000A0AAC]  CRC32: F48E57F1  DecompSize: 000000F9  ADLER32: 91C34AE7 - ZLIB_ADLER32_OK

You did a binary replacement?

Edit: It seems you did. That should do the job! :)

New one:
[000A09D6-000A0AAC]  CRC32: C7E44B26  DecompSize: 000000F9  ADLER32: 9A234C07 - ZLIB_ADLER32_OK
Title: Re: Siglent .ads firmware file format
Post by: ian.ameline on June 13, 2018, 07:35:07 pm
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip (http://s000.tinyupload.com/index.php?file_id=03539117620391626698)

Ok -- that copied over to the scope and boots up!
And I can log in as root via telnet!

Let the exploring begin...
Title: Re: Siglent .ads firmware file format
Post by: ian.ameline on June 13, 2018, 08:54:32 pm
It's pretty interesting -- with cursors on, fft active with 1mpts, and measure all active, and the web interface going, you can saturate both CPUs on the machine... (load Avg of 1.94 in top)
But with just viewing a waveform, it's very lightly loaded -- under 5%.

Even with those features activated, it's using around 52% of the cpu RAM. (256Meg)



Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 14, 2018, 05:50:42 am
Dears,

fantastic news, would be a big favor if you could do this for the sds2204X model fw too.
I'm working on this too since few days but my learning process is still evolving with small
progress.

I follow your descriptions concerning the reverse of the binary fw file and now working on
the extraction of the zipped parts to extract the shadow file in order to find the root pw.

But your progress is more effective and leads perhaps faster to a fw mod.
Is it true that the telnet daemon had first to be activated in order to be able to use it or does
it run continuously? Nmap did not show the port 23 active in my device.

By the way I'm also interested in a mod fw file for the sdg6022x iq generator.

Any help that brings me closer to my goal of option activation is appreciated.

Many thanks in advance for your help.

Markus

 
Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 14, 2018, 08:17:27 am
@janekivi

could you please confirm that my understanding of your FWF conversion/decryption
is right or correct it if I made an error.

1) first step is turn the .ads file around (or look it backwards)

2) XOR FF it with pattern bytes 0, 1, 3, 6, A, F and so on - space increasing by 1 <== could you please explain 0,1,3,6,A,F...

3) XOR FF it from center (file length - 72)/2 as file have 72 byte header (now at the end) <== XOR every FW byte with FF - right?

So I extract your description and wrote my own Python script that do the three actions like listed below:

Reverse FW File:
=============
according to  outfile.write(bytes(byte_list[::-1]))


First XOR:
=========
a = 0
i = 0
j = 0
i = len(b)
while j < i:
    b[j] ^= 0xFF
    j = j + a + 1
    a = a + 1

Second XOR from Pos len(b)/2-36:
================================
i = len(b)
j = len(b)//2 - 36   # integer division: a float cannot be used as an index in Python 3
while j < i:
    b[j] ^= 0xFF
    j = j + 1


Thanks for your effort and helpful hints.

Markus
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 14, 2018, 08:45:20 am
Markus,

msg 99 of this thread:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892)

You have the parsing of all files. You can see there some indication about the half-file to xor for question 3.

Your 2nd step is correct.

Before 1st step you could(should) parse the file header. But, since you can't decrypt yet...

After doing the xor-deobfuscation you will be able to extract the shadow but you can't reconstruct the zip file because of the encrypted areas... you need to tackle the decryption.
Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 14, 2018, 11:03:41 am
@tv84,

thanks for your reply,

but I'm a bit confused about the ads. fw file checksum issue.

According to the thread #99 the FW file

SDS2000x_1.2.2.2R10.ADS  CRC32: FBD42874

has the above checksum, but

according to the python fragment listed in thread #74
that I included in my script, see below,

>./ads_fwf_checksum.py SDS2000x_1.2.2.2R10.ADS
ED2FE8CD - 32 bit checksum
      CD -  8 bit checksum

>cat ./ads_fwf_checksum.py
#! /usr/bin/python3

import sys, os, shutil
import functools

input = sys.argv[1]

data = bytearray(open(input, 'rb').read())

csum = functools.reduce(lambda x,y: x+y, data, 0)
csum = ~csum + 1
csum = csum & 0xffffffff # the only difference is here
print (format(csum, 'X'),"- 32 bit checksum")
csum = csum & 0xff # the only difference is here
print ("     ",format(csum, 'X'),"-  8 bit checksum")


the checksum differs <== ????

Have you an idea what's wrong?


Thanks

Markus
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 14, 2018, 11:32:07 am
When I mention:

SDS2000x_1.2.2.2R10.ADS  CRC32: FBD42874

is just for an integrity check of the ADS in question.

It's calculated with the general CRC-32 algo and it's 100% correct. Maybe you are not implementing the right CRC-32. There are plenty of options, I don't know if you are aware of.

http://www.sunshine2k.de/coding/javascript/crc/crc_js.html (http://www.sunshine2k.de/coding/javascript/crc/crc_js.html)

It's the first option of CRC32.
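The two values compared in the posts above come from different functions: the script's two's-complement byte sum and the standard CRC-32 (the parsing logs also check the Adler-32 that closes each zlib block). The sketch below is an added example, not code from the thread; `SAMPLE` and all function names are constructed for illustration.

```python
import zlib

# Constructed sample data standing in for a firmware image.
SAMPLE = bytes(range(256)) * 4 + b"constructed sample image"


def additive_checksum32(data: bytes) -> int:
    """Two's complement of the plain byte sum, kept to 32 bits."""
    return (-sum(data)) & 0xFFFFFFFF


def crc32_bitwise(data: bytes) -> int:
    """Standard CRC-32: reflected polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def zlib_trailer_ok(stream: bytes) -> bool:
    """Check the big-endian Adler-32 that ends a zlib (RFC 1950) stream."""
    if len(stream) < 6 or ((stream[0] << 8) | stream[1]) % 31 != 0:
        raise ValueError("not a zlib stream")
    if stream[1] & 0x20:
        raise ValueError("preset dictionary not handled in this example")
    # Inflate as raw deflate so zlib does not verify the trailer for us.
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)
    plain = inflater.decompress(stream[2:])
    trailer = inflater.unused_data[:4]      # bytes left after the deflate data
    if len(trailer) != 4:
        raise ValueError("truncated zlib stream")
    return int.from_bytes(trailer, "big") == zlib.adler32(plain)


def report(data: bytes) -> dict:
    """Checksums of the data as stored and of the same bytes in reverse order."""
    rev = data[::-1]
    return {
        "sum32": additive_checksum32(data),
        "sum8": additive_checksum32(data) & 0xFF,
        "crc32": crc32_bitwise(data),
        # A byte sum ignores ordering, so reversing the file leaves it unchanged.
        "sum32_reversed": additive_checksum32(rev),
        # CRC-32 is position sensitive: a reordered file gets its own value.
        "crc32_reversed": crc32_bitwise(rev),
    }


if __name__ == "__main__":
    for name, value in report(SAMPLE).items():
        print("%-15s %08X" % (name, value))
    print("zlib trailer ok:", zlib_trailer_ok(zlib.compress(SAMPLE)))
```

For a real file, `zlib.crc32` returns the same value as `crc32_bitwise` and is far faster. None of the three values depends on a secret, so they detect corruption but say nothing about who produced the data.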
Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 14, 2018, 02:45:54 pm
@tv84,

>./ads_fwf_checksum.py SDS2000x_1.2.2.2R10.ADS
ED2FE8CD - 32 bit checksum
      CD -  8 bit checksum
FBD42874 - 32 bit checksum
      74 -  8 bit checksum

now the crc32 result looks ok.

I had used the crc32.py module from
https://github.com/StalkR/misc/blob/master/crypto/crc32.py

After replacement of "ord(c)" by "c" as the read function fetch
a byte stream, I was able to calc the crc32 sum of the .ads fwf.

Thanks
Markus

>cat ./ads_fwf_checksum.py
#! /usr/bin/python3

import sys, os, shutil
import functools
from crc32 import CRC32

input = sys.argv[1]

data = bytearray(open(input, 'rb').read())

# Or data can be declared directly
# data = bytes([0x02,0x00,0x00,0x04,0x00,0x00]);

csum = functools.reduce(lambda x,y: x+y, data, 0)
csum = ~csum + 1
csum = csum & 0xffffffff # the only difference is here
print (format(csum, 'X'),"- 32 bit checksum")
csum = csum & 0xff # the only difference is here
print ("     ",format(csum, 'X'),"-  8 bit checksum")

csum2 = CRC32().calc(data)
print (format(csum2, 'X'),"- 32 bit checksum")
csum2 = csum2 & 0xff # the only difference is here
print ("     ",format(csum2, 'X'),"-  8 bit checksum")
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 14, 2018, 04:22:08 pm
 :-//
I don't have a clue what you are doing here...
but one day I made SDS file viewer and unpacker and app converter and after that
you can unpack program part from that app with offzip. Packed region is starting
from 0000dbd4 and then you have unpacked BlackFin code with which I don't know
what we gonna do...

I start looking it here
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1061594/#msg1061594 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1061594/#msg1061594)
and latest app is there
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1208443/#msg1208443 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1208443/#msg1208443)
Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 15, 2018, 07:07:33 am
@janekivi

I try to reproduce your steps in .ads FW reassembling.
One of them was to calculate the CRC32 properly.
The others to understand the .ads file format.
Due to your excellent prework I hope to create my
own tools.
 
I was aware of the tools you provided, but I had no luck
till now to use them under wine (Linux OS) due to missing
Libs. (I'm not sure if your Code could be ported to Mono,
the linux Version of Net-Environment)

Thanks for your reply.

Markus





Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 21, 2018, 04:16:42 pm
@janekivi
@tv84,
and all,

how to proceed after I had extract the Part1..5+7 from the
.ads FW file with the sds_ads.exe tool.

How to extract and mod the shadow file to enter his own
hash for the root account and how to pack all parts together
to get again a .ads FW file?

Some helpful hints will be appreciated.

Many thanks in advance for this effort.

Markus 
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 21, 2018, 05:29:48 pm
@janekivi
@tv84,
and all,

how to proceed after I had extract the Part1..5+7 from the
.ads FW file with the sds_ads.exe tool.

How to extract and mod the shadow file to enter his own
hash for the root account and how to pack all parts together
to get again a .ads FW file?

Some helpful hints will be appreciated.

Many thanks in advance for this effort.

Markus

" Part1..5+7" exist in files where, I think, are not relevant to your "shadow" quest.

Usually the shadow file exists inside a ZIP in the ADS. So, you decrypt the ADS, extract the zip and replace shadow.

You can generate the shadow file in linux or manually hash the passwords.

Then, it's the reverse process all the way:

Compress the zip with the new shadow file.
Encode the zip in a ADS, placing headers, xoring and encrypting...  Maybe janekivi tool does this... Don't remember.

I advise you to not flash a "handmade" ADS before me or janekivi do a small validation test. Just to decrease the risk of having any packing error...

Look at my parsings list and see where the shadow files exist.

Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 21, 2018, 06:25:54 pm
@tv84,

but where can I find the block with the fw file system.
How to read/interpret your listing, see attached file that I
cut & paste from your recent fw summary.

Markus
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 21, 2018, 07:54:03 pm
@tv84,

but where can I find the block with the fw file system.
How to read/interpret your listing, see attached file that I
cut & paste from your recent fw summary.

Markus

Oh, I see your problem!

The example that you provide is a SDS2000X file. Not a SDS2000X-E file!

This scope has a Blackfin proc and several FPGAs.

The X-E has an ARM proc. The structure of ADS is completely different, although the basic encryption envelope is pretty much the same.

You don't have a shadow file in the X version because it doesn't have a "file system" and/or linux environment.

Which is the equipment that you want to "analyze"?
Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 21, 2018, 08:15:00 pm
Oh,

what's a pity.

So I have to start to analyze from the beginning and
make my own experience and tools.

Thanks for your explanation concerning the X and X-E
model suffix.

Markus
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 21, 2018, 08:22:41 pm
@tv84,

but where can I find the block with the fw file system.
How to read/interpret your listing, see attached file that I
cut & paste from your recent fw summary.

Markus

Oh, I see your problem!

The example that you provide is a SDS2000X file. Not a SDS2000X-E file!

This scope has a Blackfin proc and several FPGAs.

The X-E has an ARM proc. The structure of ADS is completely different, although the basic encryption envelope is pretty much the same.

You don't have a shadow file in the X version because it doesn't have a "file system" and/or linux environment.

Which is the equipment that you want to "analyze"?
I think markus has misunderstood your question.
See here:
https://www.eevblog.com/forum/testgear/siglent-sds2204x-mods/ (https://www.eevblog.com/forum/testgear/siglent-sds2204x-mods/)
Title: Re: Siglent .ads firmware file format
Post by: janekivi on June 21, 2018, 08:29:52 pm
In other words, crypted-reversed-COR-ZIP files you must process to get files,
but in SDS1000X, SDS2000 and SDS2000X firmware you have plain files.
(except part 5 what is BlackFin app and bit obfuscated or so)
So those part 1...5 and 7 are the plain files what scope is using. I haven't given them names
but TV84 probably know better what files they are - FPGA, APP, ... (no LINUX there)
That's what SDS ADS files my SDS file viewer is made for. I haven't done repack utility yet...
Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on June 21, 2018, 08:41:12 pm
@janekivi,
@all,

does it make sense to analyze the fw parts the sds_ads tool generates with IDA-Pro?
And if so are there templates/addons/extensions that could be used for this
purpose?

Markus



Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 21, 2018, 09:09:40 pm
Markus,

I think you don't need to reinvent the wheel but... you know better.

If you want to reverse the SDS2000X Blackfin block, you can extract it with janekivi tool and then load the Blackfin plugins in IDA and analyze the code. It will be a hard job because there's no decompiler to help you. And unless you have BF expertise...  Blackfin code is not ARM code...

But, of course, it is possible to do and, at least, produce an upgrade patch (since that seems to be your ultimate goal). Not the cleanest of the solutions but nobody here is looking for perfection.

Title: Re: Siglent .ads firmware file format
Post by: SMB784 on June 30, 2018, 02:28:14 pm
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on June 30, 2018, 03:46:22 pm
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?

If your scope system info show out from box:
FW 7.1.6.1.25R2
or
FW 7.1.6.1.25R1
(this 1, here colored red, it tells that OS V1 is installed.)
then  B  else A

A
Update latest FW and OS (if not already out from box).
SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 )
SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 )
These both can be downloaded from the Siglent official site. Inside both of these packages (zip) there are also instructions.


B
Then: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)

Title: Re: Siglent .ads firmware file format
Post by: SMB784 on June 30, 2018, 06:51:49 pm
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?

If your scope system info show out from box:
FW 7.1.6.1.25R2
or
FW 7.1.6.1.25R1
(this 1, here colored red, it tells that OS V1 is installed.)
then  B  else A

A
Update latest FW and OS (if not already out from box).
SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 )
SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 )
These both can be downloaded from the Siglent official site. Inside both of these packages (zip) there are also instructions.


B
Then: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)

Thanks!
Title: Re: Siglent .ads firmware file format
Post by: BillB on June 30, 2018, 11:41:03 pm
Thank you, but I think my main question has to do with how you log in as root. I assume there is a root password, and I'm under the assumption that it is not something known or easily guessed, so how do I install the software update so that I can either know or set the root user password?

SMB784, are you asking how you interface with the unit?  You'll need to telnet into the device through the ethernet connection.  As rf-loop said, it depends what your current firmware version is.  This determines the path you need to take.  The firmware is upgraded by copying files to a USB flash and following the on-device menus.

Once you have an updated firmware, you need to load the special OS build found in the message that rf-loop mentioned in B above.
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 03:35:17 am
Thank you, but I think my main question has to do with how you log in as root. I assume there is a root password, and I'm under the assumption that it is not something known or easily guessed, so how do I install the software update so that I can either know or set the root user password?

SMB784, are you asking how you interface with the unit?  You'll need to telnet into the device through the ethernet connection.  As rf-loop said, it depends what your current firmware version is.  This determines the path you need to take.  The firmware is upgraded by copying files to a USB flash and following the on-device menus.

Once you have an updated firmware, you need to load the special OS build found in the message that rf-loop mentioned in B above.

Indeed, thank you.  After some time spent thinking, I did exactly that process.  I am now working on logging in via root!
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 07:18:01 am
So I am running into a snag with the root login via telnet.

Thus far I have successfully downloaded and installed the firmware, and the OS from the Siglent website. I then installed the special software from the aforementioned link, and the device boots correctly. I am successfully able to get to the login prompt using telnet.

There is where the trouble starts. I enter root as the login name and I enter the password and it tells me that the login info is incorrect. I have tried many different combinations of login name and password.

So: either I am incorrectly using telnet, or I am entering in the wrong password, or Siglent has patched this technique, or the scope is ignoring and not installing the custom software update when the USB is plugged in before boot up. I did time the boot sequence and it takes 20 seconds to boot regardless of whether or not the USB with the firmware is present.

Not sure what is going on here, gonna try some other things while I try to figure it out. Any suggestions are welcome, and I will keep you updated.
Title: Re: Siglent .ads firmware file format
Post by: BillB on July 01, 2018, 11:30:04 am
It sounds like all you need is the password for the modified firmware!  Most of these modified firmware files for the Siglent devices floating around on this forum all use the same password.  The author who posts on this forum likes to make sure that the forum users who download the files from this forum are regular forum users who've been around on this forum for a while.  See these other forum posts:   ;)

https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972 (https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972)
https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465 (https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465)

 
 
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 02:44:54 pm
It sounds like all you need is the password for the modified firmware!  Most of these modified firmware files for the Siglent devices floating around on this forum all use the same password.  The author who posts on this forum likes to make sure that the forum users who download the files from this forum are regular forum users who've been around on this forum for a while.  See these other forum posts:   ;)

https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972 (https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972)
https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465 (https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465)

Well, I tried the very same password that logs me into the website in the first link of your message, and it tells me that it's wrong. The user name is root, and the password is the same one as the one that logs me into that website, and it says that the login credentials are wrong.

This leads me to believe that the custom software update is not being applied correctly for some reason.
Title: Re: Siglent .ads firmware file format
Post by: BillB on July 01, 2018, 02:58:46 pm
It sounds like all you need is the password for the modified firmware!  Most of these modified firmware files for the Siglent devices floating around on this forum all use the same password.  The author who posts on this forum likes to make sure that the forum users who download the files from this forum are regular forum users who've been around on this forum for a while.  See these other forum posts:   ;)

https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972 (https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972)
https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465 (https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465)

Well, I tried the very same password that logs me into the website in the first link of your message, and it tells me that it's wrong. The user name is root, and the password is the same one as the one that logs me into that website, and it says that the login credentials are wrong.

This leads me to believe that the custom software update is not being applied correctly for some reason.

Hmmm... that's the right one.  The credentials are changed through the modified OS update file, rather than the App firmware update.   

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1606243/#msg1606243 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1606243/#msg1606243)     

As rf-loop described in A.  Load the standard SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 ) file, then the modified SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 ) from the post listed.
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 04:26:27 pm
Hmmm... that's the right one.  The credentials are changed through the modified OS update file, rather than the App firmware update.   

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1606243/#msg1606243 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1606243/#msg1606243)     

As rf-loop described in A.  Load the standard SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 ) file, then the modified SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 ) from the post listed.

Alright here's what my process was before failing to get login credentials correct:

The first thing I did was format my 32 gigabyte USB flash drive to FAT32.  Then I added the FW 7.1.6.1.25R2.ads file to the usb drive, dismounted it, and plugged it into the scope.  I turned the scope on, and then followed the instructions to install the firmware and self calibrated the scope.  I verified that I was running the 25R2 firmware at software level 0 (no software update performed yet).

Then, according to RF-Loop's instructions:
Quote
Update latest FW and OS (if not already out from box).
SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 )
SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 )
Both of these can be downloaded from the official Siglent site. Both packages (zip) also include instructions.
I downloaded the latest software update from the siglent website and put the 4 software files on a newly FAT32 reformatted USB drive.  I turned off the scope and plugged the USB drive in.  I then booted the scope, and it installed the software, and verified that I was now running at software level 1.  Then I turned the scope off, took out the USB, reflashed it with the 4 custom files with the modified root login, plugged this back into the scope, started it up and let it return to the main screen.

I then tried to telnet into the scope on port 23, I got to the login page and entered the username root and the modified password and received a "login incorrect" message.  I tried many different combinations of login name and password, as well as the correct password numerous times.  I rebooted the scope, tried reinstalling the modified software, tried reinstalling the 25R2 firmware, all to no added effect.  I noticed that the boot time to main screen remained the same regardless of what software file I put on the USB, and regardless of whether or not there was even a USB inserted (20 seconds regardless).  These times were measured after the initial official software boot.

I can try installing the 25R1 firmware and retrying this whole process, but I cannot seem to find a good download location for it.  Also I have tried to hardware reset the scope using the instructions on the Siglent website (http://www.siglentamerica.com/USA_website_2014/Documents/Other/Oscilloscope%20Hardware%20Reset.pdf), but that process has not worked each time I have attempted it.

It's possible that they have invalidated this method of changing the root user login when you install the official software update first.

Any suggestions are most welcome.
Title: Re: Siglent .ads firmware file format
Post by: BillB on July 01, 2018, 05:42:42 pm
It's possible that they have invalidated this method of changing the root user login when you install the official software update first, so at this point it is my suggestion that anyone attempting this process install the modified software provided here on the forums instead of trying the official software update.

Any suggestions are most welcome.

The OS update after turning on the scope is very fast, and it definitely worked the first time because you did bump from version 0 to 1.

As far as the order of update, my scope had both the 25R2 and V1 factory updates applied for a while before I updated with the modified OS.  My process went like 25R1->25R2->OSV1(factory)... a week or two later... ->OSV1(modified).

So, I'm at a loss now to explain why you aren't able to log in. :-//
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 06:23:24 pm
Alright then, I must be doing something wrong. I am going to scrutinize this process in detail and maybe I can figure out what I have done wrong
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 07:04:35 pm
I wonder if it is possible to do the update using the update configuration key. Anyone have any experience with this?
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on July 01, 2018, 07:27:57 pm
I wonder if it is possible to do the update using the update configuration key. Anyone have any experience with this?
(https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/?action=dlattach;attach=466685;image)
Your screen image

Is it displaying all files in your USB root folder for the OS update?
AFAIK there need to be 4 files, included in the eevblog zip:

devicetree.dtb
rootfs.cramfs
sds1004x_e_udiskEnv.txt
uImage
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 07:34:33 pm
I wonder if it is possible to do the update using the update configuration key. Anyone have any experience with this?
(https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/?action=dlattach;attach=466685;image)
Your screen image

Is it displaying all files in your USB root folder for the OS update?
AFAIK there need to be 4 files, included in the eevblog zip:

devicetree.dtb
rootfs.cramfs
sds1004x_e_udiskEnv.txt
uImage

Yes I did have 4 files in there originally, and when that didn't work I tried just those two, which also didn't work
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 07:48:07 pm
Here is an image of the system info
Title: Re: Siglent .ads firmware file format
Post by: BillB on July 01, 2018, 07:58:31 pm
Here is an image of the system info

Hmm...
My hardware version is 00-03

But ian.ameline's is 01-03 as well and he updated his just fine.
Title: Re: Siglent .ads firmware file format
Post by: tautech on July 01, 2018, 08:24:10 pm
Alright then, I must be doing something wrong. I am going to scrutinize this process in detail and maybe I can figure out what I have done wrong
Most likely spelling or syntax error.......those were the mistakes I made.  :palm:
Title: Re: Siglent .ads firmware file format
Post by: CustomEngineerer on July 01, 2018, 09:42:47 pm
It's possible that they have invalidated this method of changing the root user login when you install the official software update first.

Any suggestions are most welcome.

No, the work being done by forum members has been on the latest firmware and os versions from what I can tell. Post one of your telnet sessions (including initiating the telnet connection) so we can see that you are connecting correctly. Also it might be useful to have a screenshot of the IP configuration screen on the scope. Are you able to connect to the webserver on the scope through your browser?
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 01, 2018, 10:25:46 pm
It's possible that they have invalidated this method of changing the root user login when you install the official software update first.

Any suggestions are most welcome.

No, the work being done by forum members has been on the latest firmware and os versions from what I can tell. Post one of your telnet sessions (including initiating the telnet connection) so we can see that you are connecting correctly. Also it might be useful to have a screenshot of the IP configuration screen on the scope. Are you able to connect to the webserver on the scope through your browser?

He sees the login prompt.
Title: Re: Siglent .ads firmware file format
Post by: tautech on July 01, 2018, 10:32:06 pm
It's possible that they have invalidated this method of changing the root user login when you install the official software update first.

Any suggestions are most welcome.

No, the work being done by forum members has been on the latest firmware and os versions from what I can tell. Post one of your telnet sessions (including initiating the telnet connection) so we can see that you are connecting correctly. Also it might be useful to have a screenshot of the IP configuration screen on the scope. Are you able to connect to the webserver on the scope through your browser?

He sees the login prompt.
Yes.
And to progress further you must have the modified OS installed and any command spelling and syntax correct.
Title: Re: Siglent .ads firmware file format
Post by: CustomEngineerer on July 01, 2018, 10:39:44 pm
I get that he thinks he is. But without knowing his comfort level with the command line I would prefer to see proof to be able to rule it out. If he swears that the firmware has been installed correctly, and he is for sure using the correct username and password, then the next thing to check is that he really is connecting to the scope. I agree that it does sound like he probably is, but I've seen telnet connections fool other users before (as in they were at the telnet prompt, but not actually connected to anything).

On a separate note, thanks for your contributions in getting this process worked out.

Edit: I don't mean the first line as an insult. smb784 specifically mentioned earlier that he wasn't completely sure he was using telnet correctly, and I really have seen telnet connections trick people before.
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 01, 2018, 11:13:01 pm
I get that he thinks he is. But without knowing his comfort level with the command line I would prefer to see proof to be able to rule it out. If he swears that the firmware has been installed correctly, and he is for sure using the correct username and password, then the next thing to check is that he really is connecting to the scope. I agree that it does sound like he probably is, but I've seen telnet connections fool other users before (as in they were at the telnet prompt, but not actually connected to anything).

On a separate note, thanks for your contributions in getting this process worked out.

Edit: I don't mean the first line as an insult. smb784 specifically mentioned earlier that he wasn't completely sure he was using telnet correctly, and I really have seen telnet connections trick people before.

Don't worry I'm not insulted :)  Having spent almost 15 years in a physics lab in the quest for my Ph.D., I am used to making simple but easily overlooked mistakes.  Here is how I performed this update.

First, I formatted a USB to FAT32, and downloaded the 25R2 Firmware .ads onto the USB stick from Siglent America's official website, and installed it to the device.  You can verify that by looking at the top left corner of the first image attached in this email.

Then I reformatted the USB as FAT32 and downloaded the latest operating system and extracted the four files onto the USB.  I then plugged the USB into the scope and restarted it, allowing it to install the new operating system.  See the first attached image for verification of this process (top, middle, and bottom panels).

I turned on DHCP and connected the ethernet cable between it and my router, allowing it to acquire an IP address from my router.  See the second attached image for verification.

Then I removed the USB while the scope was on, turned the scope off, reformatted the USB to FAT32, and downloaded the custom software install from Janekivi's weblink from this thread.  I extracted this custom firmware zip onto the USB, and plugged it into the oscilloscope and turned it on.  The scope booted up, and after boot I telneted in on port 23 and tried to log in with login name root and the correctly spelled password.  See third attached image for verification of this process (top, bottom panels).

Take special note in the images of the date stamps for each of the files uploaded to the USB.  That is how I verified that I had the correct files on the USB

Thank you all again for all of your hard work and help, let me know if you see any errors in my process.
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 02, 2018, 01:03:48 am
I have updated my installation method in the post immediately preceding this one.
Title: Re: Siglent .ads firmware file format
Post by: CustomEngineerer on July 02, 2018, 01:14:44 am
Just to be absolutely certain there wasn't an issue with newer scopes I went ahead and went through the procedure on my SDS1104X-E that I ordered last Monday and received on Thursday from Saelig. When I received the scope it had
Software Version: 7.6.1.20R3
FPGA Version: 2018-01-20
Hardware Version: 01-03

That day I went ahead and installed the SDS1004X-E_6.1.25R2.ADS firmware (listing this way since I'm still a little confused about if the 7 at the beginning of the version should be part of the firmware number) and afterwards checking the system information screen then showed
Software Version: 7.0.6.1.25R2
FPGA Version: 2018-03-06
Hardware Version: 01-03

Yesterday I installed the official OS update from Siglent, the SDS1004X-E_OSV1_EN-1.zip file, and checking the system information screen after showed:
Software Version: 7.1.6.1.25R2
FPGA Version: 2018-03-06
Hardware Version: 01-03

I had planned on holding off on installing the modified system files until I knew for sure I was going to keep the scope, but since it's easily reversible I figured I'd go ahead and make sure it does indeed work as expected. I installed the four files from the SDS1004X-E_OSV1_EN_eevblog.zip file earlier in this thread and sure enough I was then able to telnet into the scope with the expected username and password.

In the attached screenshot (sorry for not separating the two attempts into separate screenshots), the first telnet login attempt was while the scope had the official Siglent OS files installed, then before I attempted the second login, I restarted the scope with an inserted USB thumb drive containing the modified OS files. You can see the second attempt is able to log in.
Title: Re: Siglent .ads firmware file format
Post by: CustomEngineerer on July 02, 2018, 01:20:47 am
Everything you are doing looks correct to me, sorry, I'm out of ideas.
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 02, 2018, 01:23:28 am
Everything you are doing looks correct to me, sorry, I'm out of ideas.

I am thinking it has something to do with taking the software from the USB and putting it onto the scope.  I will try doing that from a different computer than the one I am currently using.
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 02, 2018, 01:42:35 am
Well, I have fixed the login issue.

Something about adding the custom files to the USB with my Desktop running Ubuntu 18.04 was causing them to not be recognized by the scope (I guess)

I tried adding the files to the USB using my raspberry pi, and lo and behold I am now able to telnet into the scope with both the raspberry pi and my desktop.

No idea what the deal was with that, but at least now I can log in.

Thank you all for your help, seriously.
Title: Re: Siglent .ads firmware file format
Post by: CustomEngineerer on July 02, 2018, 01:48:06 am
Great news. Congrats!!!
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 02, 2018, 01:50:12 am
Great news. Congrats!!!

Thanks!! Color me impressed with all the efforts in this thread.

Thanks again yall!
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 02, 2018, 08:55:39 am
As I've told SMB784, I advise all to:

1st option - Instead of the official OS install, install janekivi full OS file. It's exactly the same thing with the pwds already changed.

2nd option - After installing the official OS, when you install janekivi patch, do it only with the rootfs file (and the script .txt, of course).

Less operations, less risk!

Regarding the advice of CustomEngineerer about the login problem: thinking of it, it was totally right and not an insult, it could have been a problem with the client  SMB784 was using to connect to the scope. Although SMB784 was able to see the correct prompt, there was no assurance that what he writes in the console was correctly/transparently being sent to the scope.

A solution could have been to change the client (I usually use Putty) or investigate what was introducing garbage in the connection.

Or, in the extreme, use (in his case) the RPi as a gateway to telnet to the scope...

Glad it is solved! Now, time for upgrade.  :)
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 02, 2018, 11:11:59 am
As I've told SMB784, I advise all to:

1st option - Instead of the official OS install, install janekivi full OS file. It's exactly the same thing with the pwds already changed.

2nd option - After installing the official OS, when you install janekivi patch, do it only with the rootfs file (and the script .txt, of course).

Less operations, less risk!

Regarding the advice of CustomEngineerer about the login problem: thinking of it, it was totally right and not an insult, it could have been a problem with the client  SMB784 was using to connect to the scope. Although SMB784 was able to see the correct prompt, there was no assurance that what he writes in the console was correctly/transparently being sent to the scope.

A solution could have been to change the client (I usually use Putty) or investigate what was introducing garbage in the connection.

Or, in the extreme, use (in his case) the RPi as a gateway to telnet to the scope...

Glad it is solved! Now, time for upgrade.  :)

As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.

I tried telnetting into the scope from the RPI with the software installed from files copied over using my desktop and couldn't log into the scope. But as soon as I copied the files over to the USB using the RPI, the scope recognized them and correctly installed the custom software, and at that point I could log in via telnet from either the RPI or the desktop.

So something was going wrong in the process of making the USB with the custom software on it when using the desktop. I have no earthly idea what could have been going on though.

In my case, using RF-loop's instructions worked perfectly once I performed them using the RPI to make the USB instead of the desktop.
Title: Re: Siglent .ads firmware file format
Post by: BillB on July 02, 2018, 12:57:23 pm
As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.

I tried telnetting into the scope from the RPI with the software installed from files copied over using my desktop and couldn't log into the scope. But as soon as I copied the files over to the USB using the RPI, the scope recognized them and correctly installed the custom software, and at that point I could log in via telnet from either the RPI or the desktop.

So something was going wrong in the process of making the USB with the custom software on it when using the desktop. I have no earthly idea what could have been going on though.

In my case, using RF-loop's instructions worked perfectly once I performed them using the RPI to make the USB instead of the desktop.

Congrats!  Figured it wasn't telnet, as you could correctly type "root\r".  I guess if you wanted to be sure the pwd characters you were typing were correct, you could have typed them into the user field to see them.  :)

Anyway, what is odd, is that you were able to correctly generate the factory OS update USB configuration.  Was that the same process that didn't work for your attempt with the modified OS update? 
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 02, 2018, 03:42:09 pm
As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.

Remember why I asked you to make sure the CRC of the files (in the flash drive) was correct... 

For sure, next time you'll remember! :)
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on July 02, 2018, 03:56:50 pm
Anyway, what is odd, is that you were able to correctly generate the factory OS update USB configuration.  Was that the same process that didn't work for your attempt with the modified OS update?

That is correct, I used the exact same process on the same computer to generate the modified OS update USB configuration as the one I used to generate the factory OS update USB configuration.  The factory USB configuration worked, and the modified USB configuration didn't.

Then when I generated the modified USB configuration on my RPi, it worked right away.  It's very strange.

Indeed, TV84 was probably correct in his advice that I check the CRC values.  I didn't actually check them, because I was in the process of learning how to check them when I tried making the USB on the RPi.  However, it seems strange to me that the simple act of copying the files over to the USB on one system would change the CRC values of those files when doing that exact same process on a different system does not modify them in any way.

Anyways it was a fun, albeit frustrating experience, with a rather bewildering but ultimately satisfying end result.  Thanks again to all of you who helped me.
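
Added example (not part of the original posts): the CRC check tv84 recommends, written as a POSIX shell function that compares the four OS-update files named earlier in the thread between the extracted download and the flash drive. The directory paths are placeholders; run it after `sync` and after re-plugging the drive, because a read-back done straight after copying can be served from the host's cache rather than from the flash media.

```shell
#!/bin/sh
# Added example: verify the OS-update files on a flash drive against the
# originals extracted from the zip, using the POSIX cksum CRC.
# The four names are the ones listed in the thread; paths are placeholders.

UPDATE_FILES="devicetree.dtb rootfs.cramfs sds1004x_e_udiskEnv.txt uImage"

# Print "<crc> <size-in-bytes>" for one readable file.
file_crc() {
    cksum < "$1" | awk '{ print $1, $2 }'
}

# verify_copy SRC_DIR DRIVE_DIR
# Prints one status line per file and returns 0 only if every file is
# present in both places with identical CRC and size.
verify_copy() {
    src_dir=$1
    drive_dir=$2
    bad=0
    for name in $UPDATE_FILES; do
        if [ ! -r "$src_dir/$name" ]; then
            echo "MISSING $name: not found in $src_dir"
            bad=$((bad + 1))
            continue
        fi
        if [ ! -r "$drive_dir/$name" ]; then
            echo "MISSING $name: not found in $drive_dir"
            bad=$((bad + 1))
            continue
        fi
        src_sum=$(file_crc "$src_dir/$name")
        drive_sum=$(file_crc "$drive_dir/$name")
        if [ "$src_sum" = "$drive_sum" ]; then
            echo "OK $name: crc/size $src_sum"
        elif [ "${src_sum#* }" != "${drive_sum#* }" ]; then
            # Different length: the copy was cut short or padded.
            echo "MISMATCH $name: size ${src_sum#* } vs ${drive_sum#* } bytes"
            bad=$((bad + 1))
        else
            # Same length, different CRC: content was altered in transit.
            echo "MISMATCH $name: same size, crc ${src_sum% *} vs ${drive_sum% *}"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh verify_copy.sh /path/to/extracted /path/to/mounted/drive
if [ "$#" -eq 2 ]; then
    verify_copy "$1" "$2"
fi
```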
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 02, 2018, 09:39:12 pm
Updated my parsing list of all Siglent FWs (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892).

Now we can see the extra details of the files used in the ZIPs.

The only UID/GID combinations are:

1000/1000
65534/65534 (only in some SDG800 .ADS when the rw_uImage is used)
Title: Re: Siglent .ads firmware file format
Post by: kerouanton on July 14, 2018, 12:24:17 pm
Thank you all, especially janekivi and tv84, for reversing the .ads file format.
I'm still new at that and as I'm learning Python it motivated me to reimplement the decoding process. I followed the steps described on some of your posts, but I am still far from what tv84 outputs in his parsing list.

Up to now, I am able to :
1. extract a .ads file from the downloaded zip file and load it in memory.
2. calculate the checksum
3. reverse the bytes
4. xor it with increasing pattern
5. xor it from the center
6. save the result

What should be the next steps, for example to locate and isolate each part?
Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 14, 2018, 10:18:03 pm
Next you probably need to put this before the reverse and XOR
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg984820/#msg984820 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg984820/#msg984820)

to get SPD3303X-E_1.01.01.02.05-EN.hex

like there, inside is the same jpg image starting at 0x00024D68
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1181598/#msg1181598 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1181598/#msg1181598)
Title: Re: Siglent .ads firmware file format
Post by: kerouanton on July 16, 2018, 07:49:22 am
Let's take a look in SDG1000-V100R001B01D01P31.ADS for example

I am trying to move forward on my python .ads decoding script, but as a newbie I'm a bit lost and expect to rely on janekivi replies to see if I'm able to get the same results. For this, I need this exact SDG1000-V100R001B01D01P31.ADS file, but I wasn't able to find the correct download URL, both on siglent.com, siglentamerica.com, and old.siglentamerica.com.
Has anyone the download url, so I can move forward and try getting the same results on my script?

Also, as far as I understood, some parts of the file are 3des encrypted (some parts only as with my actual script I am able to get clear-text strings such as model number, at least on the SPD3303 .ads file), but I'm still unable to understand how janekivi found the right offset and length of the encrypted part, as well as the key itself. The method used to investigate and find those is challenging for me!

As both of you, I'm just playing around with those files for fun, as I try to learn Python and nothing more (well, having a root access on my devices is fun too).

Thanks
Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 16, 2018, 04:42:59 pm
Oh crap. I could have let you walk the same way. But you can test my theory and find those
patterns and XOR regions and crypted places. It was straightforward because inside was a zip.
Some stuff you can find by scrolling it up and down in "notepad", because the XOR FF pattern is
easily visible in 00 regions and in other places the data looks so alien. Crypted parts I found
simply by unzipping it in cut pieces to see if the output ends now as it ends when unzipping the full file.
If the output was shorter - I did cut the file too early, if the output was the same - my piece was longer
or the right size, then I shortened it by one byte for a test. With this method I found the exact places
without decompiling the update file reading part in the app. I don't know if I can now find something
like this with IDA... probably no, I would use notepad and calculator, maybe a little bit of python.

I didn't cut the header off - 72 or 112 bytes and after reverse it was at the end, that's why
there was offset in file center calculation (j = len(b)/2-36) or (j = len(b)/2-56)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 16, 2018, 09:32:40 pm
The file is attached.

The 2 encrypted blocks have 0x2800 and 0x1400 sizes, as my parsings show. It shouldn't be too difficult to find where they are located. The key is available inside an .app file.

Study what janekivi linked (the 3DES implemented is "Siglent 3DES", not standard 3DES).

Have fun!
Title: Re: Siglent .ads firmware file format
Post by: kerouanton on July 16, 2018, 10:37:00 pm
Thank you both of you for your kind answer, and the file.

I will keep you informed of my findings! it is like a puzzle game, indeed.
Title: Re: Siglent .ads firmware file format
Post by: PhilipPeake on July 17, 2018, 10:46:09 pm
This may be common knowledge, but I was about to try fixing the root password for my SDS1102X running SDS1000X_V100R001B01D02P1510.ADS, and discovered that there is no telnet service running. Only Ports 111 and 9009.

So much for my idea of trying to upgrade the bandwidth - at least until there is enough progress here to decode and re-assemble the entire thing.
Title: Re: Siglent .ads firmware file format
Post by: BillB on July 17, 2018, 10:52:05 pm
This may be common knowledge, but I was about to try fixing the root password for my SDS1102X running SDS1000X_V100R001B01D02P1510.ADS, and discovered that there is no telnet service running. Only Ports 111 and 9009.

So much for my idea of trying to upgrade the bandwidth - at least until there is enough progress here to decode and re-assemble the entire thing.

The same with the SPD3303X-E.  Open ports 111,9009 and no telnet.
Title: Re: Siglent .ads firmware file format
Post by: markus_jlrb on July 19, 2018, 10:12:00 pm
Philip,

In Linux and in a sh, bash
shell enter the cmds below.

echo "*IDN?" > /dev/usbtmc0

or other SCPI commands

in one window

and

while true
do
cat /dev/usbtmc0
sleep 1
done

in a second window.

While the scope is connected via USB
and not LAN.

USBTMC must be enabled in the utility
menu under IO selection.

Good luck for your investigation
Markus
Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 28, 2018, 10:21:24 pm
https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series (https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series)

This was long time ago, but not in the table yet
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1364981/#msg1364981 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1364981/#msg1364981)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 29, 2018, 10:53:22 am
https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series (https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series)

This was long time ago, but not in the table yet

Hi janekivi,

Now it's in the table but, since it's the first without the minimum size for 2nd 3DES block decryption, there is a little detail that I haven't solved - Section Checksum.

According to that section the correct checksum should be 0xFEE2D1B1.

Code: [Select]
File Header Size: 00000070
00000000 - File Checksum: FE691817 [00000004-0002FB6F] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 0002FB00 (without 0x70 bytes of the File Header)
0000000C - Product_ID: 600
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x00017D80 until 0x0002FAFF
****************************************************
00000000 --- Section Checksum: FEE2D1B1
00000004 --- Section Size: 0002FACC [00000034-0002FAFF]  CKSM OK
00000008 --- Section # 00000007
00000034 --- 0002FAFF  ***** STM32 32-bit ARM Cortex file *****
00000034 - Vector Table:        (Little Endian - Flash(ROM): 0x08000000 - SRAM: 0x20000000)
00000034 ---        Initial SP value: 200193F0
00000038 ---                   Reset: 0802039D  (Thumb 16/32 bits)
0000003C ---                     NMI: 080203C1  (Thumb 16/32 bits)
00000040 ---              Hard fault: 080203C3  (Thumb 16/32 bits)
00000044 --- Memory management fault: 080203C5  (Thumb 16/32 bits)
00000048 ---               Bus fault: 080203C7  (Thumb 16/32 bits)
0000004C ---             Usage fault: 080203C9  (Thumb 16/32 bits)
00000050 ---                   Rsvd1: 00000000
00000054 ---                   Rsvd2: 00000000
00000058 ---                   Rsvd3: 00000000
0000005C ---                   Rsvd4: 00000000
00000060 ---                  SVCall: 080201B9  (Thumb 16/32 bits)
00000064 ---          Rsvd for Debug: 080203CD  (Thumb 16/32 bits)
00000068 ---                   Rsvd5: 00000000
0000006C ---                  PendSV: 080201E9  (Thumb 16/32 bits)
00000070 ---                 Systick: 080203D1  (Thumb 16/32 bits)
00000074 --- IRQ0 to IRQ80  [00000074-000001B7]
****************************************************
  File Processed OK

Edit1: SOLVED the decryption of the partial 3DES block. So, in order to verify the 2nd DES block decryption we must consider that the last block was padded with all 0x00s (to complete a 8-bytes block), before 3DES encryption.
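
A sanity check for the decoded image in the listing above, as an added example that is not tv84's parser: it reads the 16 system entries of a Cortex-M vector table and tests that the initial SP lies in SRAM and that every handler is a Thumb address in flash. The base addresses and vector words are the ones printed in the listing; the flash and SRAM sizes, the zero-filled header and the XORed negative case are assumptions made for the example.

```python
import struct

# ARMv7-M system exception slots in table order; None marks a reserved word.
SLOTS = ["Initial SP", "Reset", "NMI", "Hard fault", "Memory management fault",
         "Bus fault", "Usage fault", None, None, None, None,
         "SVCall", "Debug monitor", None, "PendSV", "SysTick"]

# Base addresses are the ones printed in the listing; the sizes are assumptions.
FLASH = (0x08000000, 0x00100000)   # assumed 1 MiB of flash
SRAM = (0x20000000, 0x00020000)    # assumed 128 KiB of SRAM


def read_vectors(image, offset):
    """Return {slot name: 32-bit little-endian word} for the named system slots."""
    if offset < 0 or offset + 64 > len(image):
        raise ValueError("image too short for a vector table at this offset")
    words = struct.unpack_from("<16I", image, offset)
    return {name: w for name, w in zip(SLOTS, words) if name is not None}


def check_vectors(vectors, flash=FLASH, sram=SRAM):
    """Return the reasons the table is implausible (empty list = plausible)."""
    problems = []
    sp = vectors["Initial SP"]
    # The stack grows downwards, so the initial SP may equal the end of SRAM.
    if not (sram[0] < sp <= sram[0] + sram[1]):
        problems.append("Initial SP %08X is outside SRAM" % sp)
    if sp % 4:
        problems.append("Initial SP %08X is not word aligned" % sp)
    for name, value in vectors.items():
        if name == "Initial SP":
            continue
        # Cortex-M executes Thumb code only, so bit 0 of a handler must be set.
        if value & 1 == 0:
            problems.append("%s %08X has the Thumb bit clear" % (name, value))
        if not (flash[0] <= (value & ~1) < flash[0] + flash[1]):
            problems.append("%s %08X points outside flash" % (name, value))
    return problems


# Vector words copied from the listing (offsets 0x34 to 0x70).
PAGE_WORDS = [0x200193F0, 0x0802039D, 0x080203C1, 0x080203C3, 0x080203C5,
              0x080203C7, 0x080203C9, 0, 0, 0, 0,
              0x080201B9, 0x080203CD, 0, 0x080201E9, 0x080203D1]
HEADER = bytes(0x34)  # constructed stand-in for the 0x34-byte section header
DECODED = HEADER + struct.pack("<16I", *PAGE_WORDS)
# Constructed negative case: every byte XORed with 0xFF, standing in for an
# image whose decoding is not finished.
STILL_XORED = bytes(b ^ 0xFF for b in DECODED)

if __name__ == "__main__":
    for label, blob in (("decoded", DECODED), ("still XORed", STILL_XORED)):
        issues = check_vectors(read_vectors(blob, 0x34))
        print(label, "->", "plausible" if not issues else "%d problems" % len(issues))
```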
Title: Re: Siglent .ads firmware file format
Post by: gperoni on August 10, 2018, 11:30:55 am
I'm trying to hack my SDG6000X, here is my understanding of what I have to do by giving this thread a fast read:

1) Download a firmware upgrade from Siglent
2) Use tv84's post on the SDG6000X thread to understand where the filesystem begins in the ADS file downloaded
3) I assume the filesystem is encrypted? If so decrypt it (silly xor patterns or something), once decrypted mount the filesystem and change the shadows file.
4) Change the checksum, I wouldn't know where to find it or the crc32 init, etc.
5) Re-make the filesystem, encrypt it, put it back in place, use the resulting ADS for a firmware upgrade and get root access
6) ??? - Will figure something out.
7) Profit.

What are the tools I should use in the process? I saw a couple of scripts and programs but they don't seem to be complete, should I write my own?
Title: Re: Siglent .ads firmware file format
Post by: janekivi on August 12, 2018, 09:51:27 am
You must get something like this at the end
SDG6000X_eevblog_29R10.zip
I do it by hand, use notepad and hexedit and have too many steps in multiple laptops...
this is messy process...
Title: Re: Siglent .ads firmware file format
Post by: bluejedi on August 19, 2018, 01:43:56 pm
If I remember correctly, the OS update was previously listed on the download page (https://www.siglentamerica.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series) as:

    SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 05.22.18)

but is currently listed as:

    SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 06.26.18)



Title: Re: Siglent .ads firmware file format
Post by: rf-loop on August 19, 2018, 02:20:10 pm
If I remember correctly, the OS update was previously listed on the download page (https://www.siglentamerica.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series) as:

    SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 05.22.18)

but is currently listed as:

    SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 06.26.18)

I have not checked how these older and more new files match but one I know. Instructions pdf is tiny bit edited. I have not compared all files but I have some "feel" they are equal.

But who use these when we have something "better" like SDS1004X-E_OSV1_EN_eevblog
Title: Re: Siglent .ads firmware file format
Post by: tv84 on August 19, 2018, 02:23:04 pm
If you look inside, it seems they changed only the:

SDS1004X-E OS Revise History and Update Instructions.pdf
Title: Re: Siglent .ads firmware file format
Post by: tv84 on August 20, 2018, 12:57:32 pm
New firmware for SVA1015X
V2.1.1.1.12a
https://www.siglentamerica.com/download/6912/ (https://www.siglentamerica.com/download/6912/)
38.8 MB

Changelog
2018/8/8
1. Spectrum Analysis mode:Improved the stability of sweep and interface.
2. VNA mode: fasten the VNA sweep speed; expand the minimum span from 10M to 10 kHz.
3. Modulation Analysis mode: add trigger, optimize the modulation analysis algorithm.
4. Add user port number selection for web server.

Product_ID 11401 (that was ripped from original FW) confirmed!!  ;D
Title: Re: Siglent .ads firmware file format
Post by: radiolistener on August 21, 2018, 01:54:37 am
This may be common knowledge, but I was about to try fixing the root password for my SDS1102X running SDS1000X_V100R001B01D02P1510.ADS, and discovered that there is no telnet service running. Only Ports 111 and 9009.

So much for my idea of trying to upgrade the bandwidth - at least until there is enough progress here to decode and re-assemble the entire thing.

I investigated it here: https://www.eevblog.com/forum/testgear/siglent-sds1000x-how-to-make-direct-ethernet-connection/msg1650191/#msg1650191 (https://www.eevblog.com/forum/testgear/siglent-sds1000x-how-to-make-direct-ethernet-connection/msg1650191/#msg1650191)

The port 111 is getport, it is used to obtain VXI-11 protocol port and returns 9009 port.
The port 9009 is VXI-11 protocol port.

I implemented VXI-11 protocol in C#, so you can use it to send SCPI commands with no need to install NI VISA runtime.
The example in C# takes oscilloscope screenshot with SCPI command.
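
What the two open ports carry, as an added example (not radiolistener's C# implementation and not Siglent code): the ONC RPC portmapper GETPORT call that a VXI-11 client sends to TCP port 111, and a parser for the reply that names the VXI-11 core channel port. The program numbers are the standard portmapper (100000) and VXI-11 core (0x0607AF) values; the xid and the reply bytes are constructed so the block runs offline.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper v2
VXI11_CORE_PROG, VXI11_CORE_VERS = 0x0607AF, 1           # VXI-11 core channel
IPPROTO_TCP = 6
CALL, REPLY = 0, 1
LAST_FRAGMENT = 0x80000000   # top bit of the 4-byte record mark used over TCP


def build_getport_call(xid, prog=VXI11_CORE_PROG, vers=VXI11_CORE_VERS):
    """Build the record a client writes to port 111 to ask where `prog` listens."""
    # RPC call header: xid, CALL, RPC version 2, then target program/version/proc.
    body = struct.pack(">6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    # AUTH_NULL credential and verifier: flavor 0, length 0, twice.
    body += struct.pack(">4I", 0, 0, 0, 0)
    # GETPORT arguments: program, version, protocol, port (ignored, sent as 0).
    body += struct.pack(">4I", prog, vers, IPPROTO_TCP, 0)
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


def parse_getport_reply(record, expected_xid):
    """Return the port from a GETPORT reply, or None if the program is not registered."""
    if len(record) < 4:
        raise ValueError("missing record mark")
    (mark,) = struct.unpack_from(">I", record, 0)
    if not mark & LAST_FRAGMENT:
        raise ValueError("fragmented reply not handled")
    length = mark & 0x7FFFFFFF
    body = record[4:4 + length]
    if len(body) != length or length < 20:
        raise ValueError("truncated reply")
    xid, mtype, reply_stat, _flavor, verf_len = struct.unpack_from(">5I", body, 0)
    if xid != expected_xid:
        raise ValueError("xid mismatch")
    if mtype != REPLY or reply_stat != 0:       # 0 = MSG_ACCEPTED
        raise ValueError("not an accepted reply")
    pos = 20 + ((verf_len + 3) & ~3)            # skip verifier body, XDR-padded
    if len(body) < pos + 8:
        raise ValueError("truncated reply")
    accept_stat, port = struct.unpack_from(">2I", body, pos)
    if accept_stat != 0:                        # 0 = SUCCESS
        raise ValueError("call failed, accept_stat=%d" % accept_stat)
    return port or None                         # port 0 means "not registered"


# Constructed sample: the reply a portmapper would send when the VXI-11 core
# channel is registered on TCP port 9009, as described in the post above.
SAMPLE_XID = 0x5347
SAMPLE_REPLY = struct.pack(">I", LAST_FRAGMENT | 28) + struct.pack(
    ">7I", SAMPLE_XID, REPLY, 0, 0, 0, 0, 9009)

if __name__ == "__main__":
    print(build_getport_call(SAMPLE_XID).hex())
    print("VXI-11 core port:", parse_getport_reply(SAMPLE_REPLY, SAMPLE_XID))
```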
Title: Re: Siglent .ads firmware file format
Post by: tv84 on August 25, 2018, 09:25:34 pm
Siglent licenses usually can be seen inside a memdump of the equipment. No news there.

How to get the memdump?
In the ARM machines (linux), a simple "cp /dev/mem" to USB, usually does the trick.
In the Blackfin machines, it's also possible but may require JTAG or a patched .ADS, AFAIK.

How to find the (possible) licenses?
You need to have a general knowledge of the license format. One of the 2-types possible:

16-char lowercase (including numbers) or
16-char uppercase (including numbers)

( the upper/lowercase is equipment-dependent )

At the request of several people, to ease the search for those type of strings, I release here a small C# code snippet that processes the memdump file:

Code: [Select]
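        // Needs "using System;" and "using System.Text;" at the top of the file.
        private static void search_licenses()
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");

            // Two passes: uppercase runs first (l = 0), then lowercase runs (l = 0x20).
            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
            for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                // A byte outside '2'-'9' and outside the letter range of this pass ends the current run.
                if (((buffer[i] < '2') || (buffer[i] > '9')) && ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) && buffer[i] != ('L' + l) && buffer[i] != ('O' + l))
                {
                    // Print the run's offset and text only if it was exactly 16 characters long.
                    if (strSize == 16)
                        Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                    strSize = 0;
                    strStart = i + 1;
                }
                else strSize++;
        }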

Of course, then you must use some common sense to filter/extract the ones that may seem valid.

If none of the strings works, bad luck (the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halves of 32-char size strings... ;) ). Remember this is not a bulletproof process!

How to insert the licenses?
Equipments have the Options license insert menu. So, that's easy.
Most of them usually don't have the BW license insert menu.

In that case, you can use the SCPI command "MCBD" (MACHINE_BAND). Ex:

MCBD N2T7PQ29BPZJ7WB5

BEWARE that you may insert a BW license that corresponds to a lower BW than you currently have. If you know your other "bigger" license, no problem. But, if not, it's not safe to try unlock higher BW if you are not already in the lowest possible.

In some equipments the BW license is the contents of the bandwidth.txt file so you can also read/write it there manually.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on September 17, 2018, 09:35:22 pm
I can make the same trick here like when I was uploading LeCroy in to SDG1025
but who can try this and there may be the same check routine and instrument
will say "Not supported firmware, please reflash correct. Otherwise I will wait 15 min".
This is stupid, it will wait that time anyway before you can access flash menu...

So... do not be the first who is using this firmware file on SPD3303X-E
but this first hack may be needed to be tried out by someone.

SPD3303X-V100R001B01D02P03_with _E_header.zip
OK, I give this only individually after request. I can't test it.

A year ago nobody volunteered to confirm Janekivi's work so I resuscitated the challenge and was successful!   :popcorn:

Attached is the proof of a Siglent SPD3303X-E conversion to a SPD3303X model.

The method is simple:

1. Run the SCPI command in the X-E to enable the 1mV step:

FACTORY ON

2. Using EasyPower flash the required FW file from the attached ZIP. (ConvertFromX-E)

(3. If you want to rollback, flash the other file.)

The FWs are Siglent official versions with Prod_ID's swapped like janekivi suggested.

The HW version of the board where the test was done is 0.3.

ATTENTION: This may involve a certain risk so do it at your own responsibility!

Enjoy!
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on September 18, 2018, 07:27:54 am
Waiting Santa Claus... (https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1831406/#msg1831406)
Title: Re: Siglent .ads firmware file format
Post by: SaKhan on September 19, 2018, 04:18:28 pm
I am curious whether the precision of a hacked SPD3303X-E is similar to SPD3303X.
Title: Re: Siglent .ads firmware file format
Post by: BillB on September 19, 2018, 06:48:36 pm
I am curious whether the precision of a hacked SPD3303X-E is similar to SPD3303X.

I think it is.  Even before the hack, my X-E would accept remote 1mA changes and show them through EasyPower.  It would also accept remote 1mV changes from EasyPower even though it would truncate the response.  However, the 1mA and 1mV changes were happening at the output terminals of the X-E even though the display was not being updated.  From what I could tell, the X-E is really an X minus the display digit.  So, if you were using the X-E purely through SCPI, you'd almost already have an X (except for the truncated mV command response)
Title: Re: Siglent .ads firmware file format
Post by: SaKhan on September 19, 2018, 07:44:03 pm
I am curious whether the precision of a hacked SPD3303X-E is similar to SPD3303X.

I think it is.  Even before the hack, my X-E would accept remote 1mA changes and show them through EasyPower.  It would also accept remote 1mV changes from EasyPower even though it would truncate the response.  However, the 1mA and 1mV changes were happening at the output terminals of the X-E even though the display was not being updated.  From what I could tell, the X-E is really an X minus the display digit.  So, if you were using the X-E purely through SCPI, you'd almost already have an X (except for the truncated mV command response)

Thanks for the info. I am planning to buy one and was trying to "justify" the price difference.
Title: Re: Siglent .ads firmware file format
Post by: kerouanton on September 19, 2018, 08:50:37 pm
The method is simple:

Confirmed working on mine. Thanks tv84, again!
Title: Re: Siglent .ads firmware file format
Post by: BillB on September 19, 2018, 11:14:54 pm
Here is a graph of the SPD3303X-E timer stepping through .100-.104mV in 1mV/5 second steps. 
Title: Re: Siglent .ads firmware file format
Post by: vt100 on October 04, 2018, 02:54:18 am
Code: [Select]
        private static void search_licenses()
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");

            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
            for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                if (((buffer[i] < '2') || (buffer[i] > '9')) && ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) && buffer[i] != ('L' + l) && buffer[i] != ('O' + l))
                {
                    if (strSize == 16)
                        Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                    strSize = 0;
                    strStart = i + 1;
                }
                else strSize++;
        }

A more comprehensive version of the key locator, based on tv84's code snippet above, has been posted to:

https://github.com/Siglent/FindKeys.git

This .NET Core 2.1 program will find keys when they span memory segment boundaries by extracting leftover segments of strings and concatenating them with other segments found elsewhere in the memory dump.

Based upon testing on 2 scopes, all 7 keys (50mhz, 70mhz, 100mhz, 200mhz, AWG, MSO and WIFI) were located 100% of the time in 1 pass.

Note this code only works for SDS1xxxX-E scopes currently, additional scopes will be added as they become available.

--
vt100
the world's best dumb terminal
Title: Re: Siglent .ads firmware file format
Post by: kerouanton on October 04, 2018, 08:27:08 am
Nice. But I'm wondering how Siglent will react considering you created a "Siglent" account on Github to host this code!
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 04, 2018, 09:02:12 pm
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.
Title: Re: Siglent .ads firmware file format
Post by: vt100 on October 05, 2018, 02:03:50 am
https://github.com/Siglent/TryKeys.git

TryKeys - a .NET Core 2.1 utility - Companion application to FindKeys

The purpose of this utility is to recover the valid keys you licensed with your scope but you lost the paperwork for and you do not remember the codes for.

First you generate a list of possible keys using the FindKeys utility. Edit the output of FindKeys to remove any keys which are not likely candidates (e.g. real life words). Then, execute this utility using that file as an input source.

Upon startup, the program reads the contents of "TryKeys.json" to configure various parameters needed for it to work. The options in this file and their purpose are as follows:

keyfile: The fully-qualified path to the list of keys you wish to try, e.g. "g:trykeys.txt"

scopeip: the IP address of the scope, needed for web and telnet access

port: the telnet port the program should connect to. Default '23'.

username: The telnet username. Default is "root".

password: The telnet password. Default is "eevblog"

bandwidth: Tells the program to not only attempt to find any missing option licenses, but also the maximum bandwidth license.

Theory of operation:

The program cycles through a list of keys contained in the key file. For option licenses, it issues the "license install" SCPI command through the web interface. It uses the telnet connection to determine if the option license file was created in /usr/bin/siglent/firmdata0 after issuing the command. If the file exists, then the key used for the license install command was the 'correct' one.

For bandwidth licenses, the program determines the current bandwidth license key from the firmdata0 directory, and what that key is good for, by using the PRBD SCPI command. Then, it cycles through the keys, issuing the MCBD with the test key, and then re-examines the output of PRBD to determine if the bandwidth has changed. If so, it determines if the bandwidth increased -- in which case, it will check to see if the maximum bandwidth has been reached with the key. If the bandwidth decreased, then it re-issues the MCBD command to 're-install' the 'current' bandwidth license key so scope bandwidth will not decrease.

A log is dumped to the console. Upon program completion, the scope will be restarted if the bandwidth was changed. This is necessary for the new bandwidth to take effect. Finally, a summary of license keys located will be printed.

To execute from the command line: dotnet TryKeys.dll

Sample log file:

Execution starts @ 10/4/2018 8:58 PM
Scope Option 'AWG' not licensed, will seek key
Scope Option 'MSO' not licensed, will seek key
Scope Option 'WIFI' not licensed, will seek key
Scope bandwidth license key: VVVVVVVVVVVVVVV
We have 584 keys to try for 4 options
Scope bandwidth currently licensed: 50M of 200M
100M Bandwidth license key found: 1111111111111111
Maximum bandwidth (200M) license key found: 2222222222222222
Scope Option 'AWG' license key found: AAAAAAAAAAAAAAAA
Scope Option 'MSO' license key found: MMMMMMMMMMMMMMMM
Scope Option 'WIFI' license key found: WWWWWWWWWWWWWWWW

Summary of License keys located:
200M bandwidth license key: 2222222222222222
AWG license key: AAAAAAAAAAAAAAAA
MSO license key: MMMMMMMMMMMMMMMM
WIFI license key: WWWWWWWWWWWWWWWW

Rebooting scope to activate higher bandwidth license.

Execution ends @ 10/4/2018 9:03 PM

You can verify the presence of your recovered license keys on the scope's 'options' screen. You should print a copy of your recovered license keys and keep them in a safe place for future reference.

To revert the scope back to the previous bandwidth license, and to remove the optional licenses, you execute the following script after logging in via a telnet session as root:

mount -o remount,rw /usr/bin/siglent/firmdata0
rm /usr/bin/siglent/firmdata0/options*
cat VVVVVVVVVVVVVVVV > /usr/bin/siglent/firmdata0/bandwidth.txt
(control-d)(control-d)
sync
reboot

This program has several dependencies you must install through the NuGet Package Manager. They are: Microsoft.Extensions.Configuration, Microsoft.Extensions.Configuration.Json, Newtonsoft.Json, and Telnet (from 9swampy).

Note: at the moment this utility only supports the SDS1###X-E series of scopes, however, additional functionality will be added as details become available.

Special thanks to eevblog user tv84 who gave me tons of assistance during the development of this utility.
Title: Re: Siglent .ads firmware file format
Post by: vt100 on October 08, 2018, 03:13:09 am
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)

Skill level: Easy/Moderate

Risk: Slim to none.

Assumptions: You know the root password to your scope.

Steps:

1. download full armv7l version of busybox which has core dump enabled.
    see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l

2. put version on thumb disk

3. reboot scope to known state

4. telnet to scope and log in as root

5. insert usb stick

6. copy busybox binary from usb to /tmp:
    cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp

7. unmount and remove usb
    umount /usr/bin/siglent/usr/mass_storage/U-disk0   
    (and then remove usb stick)

8. identify and kill existing sds1000b.app
    ps -ef | grep sds | awk  '{printf "kill -9 %s\n", $1}' | ash

9. change to /tmp directory:
    cd /tmp

10. launch new busybox ash shell
    /tmp/busybox_armv7l ash
   (when you press enter it looks like nothing happens, but something does)

11.  re-launch scope app in new busybox environment in background
      /usr/bin/siglent/sds1000b.app &

12. increase core dump ulimit to unlimited:
      ulimit -c unlimited
you can verify new limit by typing
      ulimit -c
and you should get a response "unlimited"

12. kill scope app again, telling OS to create a core dump of the app:
      ps -ef | grep sds | awk  '{printf "kill -ABRT %s\n", $1}' | ash

13. wait a few seconds, and press enter once or twice. you should see:
[1]+  Aborted (core dumped)      /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3

14. verify core dump is in /tmp:
      ls /tmp/core*
you should see something like this:
-rw-------    1 root     root     377511936 Jan  1 00:14 /tmp/core
if not, you did something wrong, go to step #3

15. exit out of usb version of busybox shell
     exit
(it will look like nothing happens when you press enter, but, something does)

16. re-launch Siglent scope application. See Step #11

17. insert usb drive

18. copy core dump to thumb drive
     cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, it's a big file)

19. unmount usb stick and remove (see step #7)

20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.

21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.

22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings). These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.

23. You can license a different bandwidth by typing MCBD (license key)  at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.

24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.

25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.

26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.

27. Write keys down in a safe place so you do not lose them again.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on October 08, 2018, 04:01:00 pm
Nice. But I'm wondering how Siglent will react considering you created a "Siglent" account on Github to host this code!

They keep always eye on us but have nothing to say...
Title: Re: Siglent .ads firmware file format
Post by: joeyjoejoe on October 09, 2018, 04:21:39 pm
I think it's relatively smart.

I think the number of entities who would touch these unlocks (Rigol, Siglent, etc) are almost non-existent. Any university, lab, company or facility wouldn't go for the risks. Even outside of those requiring certifications.. I can't imagine the discussion.

Employee : "Hey boss, we need specs X on our scope...  we can save 300$ on by buying the cheaper model, and then just unlocking those features to meet our needs... but it won't be supported and there's a small risk that I brick the device.. or we can't get future updates..."
Manager/Exec : "So if that happens, we now have a scope that's either literally useless (bricked) or doesn't meet our minimum specs? ... why are you still here."

Hobbyists will accept the risk since they can personally accept any risk they want. And generally speaking, I think the companies are aware of the reach of these unlocks. A hobbyist who buys a 50MHz scope that can unlock to 100MHz probably wouldn't buy the 100 if he couldn't, so the actual impact on revenue would be small. However, at the same time, they are probably making sure that a 50MHz scope can't be unlocked to a 500MHz scope (ignoring hardware) as then it starts stepping on the toes of a product line.
Title: Re: Siglent .ads firmware file format
Post by: nicolad on October 10, 2018, 09:30:05 pm
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.

How do they work? Trying the one for SDG2000X but firmware update fails. Port 10101 is closed...
Title: Re: Siglent .ads firmware file format
Post by: joeyjoejoe on October 11, 2018, 12:38:56 am
Does the FACTORY ON have any feedback? Or after hitting "Query" it's OK that nothing is output?
Title: Re: Siglent .ads firmware file format
Post by: tautech on October 11, 2018, 12:48:47 am
Does the FACTORY ON have any feedback?
Five not four digits on the PSU display.  ;)
Title: Re: Siglent .ads firmware file format
Post by: joeyjoejoe on October 11, 2018, 12:51:39 am
After FACTORY ON cmd is sent

(https://i.imgur.com/kgYHSnx.png)

PSU is no longer responsive via EasyPower - cannot do any sort of commands. Re-connecting to the device re-enables functionality.

Also, is this a "Normal Mode" FW update, or "Firmware mode"?
Title: Re: Siglent .ads firmware file format
Post by: tautech on October 11, 2018, 01:24:54 am
Reboot PSU.
Title: Re: Siglent .ads firmware file format
Post by: joeyjoejoe on October 11, 2018, 01:28:09 am
Oh, so FACTORY ON is just some sort of factory defaults? Then a reboot, and a normal firmware flash with these files?
Title: Re: Siglent .ads firmware file format
Post by: tautech on October 11, 2018, 01:38:07 am
Oh, so FACTORY ON is just some sort of factory defaults? Then a reboot, and a normal firmware flash with these files?
My notes show something like that.  ;)
Title: Re: Siglent .ads firmware file format
Post by: joeyjoejoe on October 11, 2018, 01:43:22 am
Bingo! You have good notes ;)
Title: Re: Siglent .ads firmware file format
Post by: DaJMasta on October 13, 2018, 05:13:48 am
Got a similar readout running FACTORY ON, but it was actually on every command because I had reinstalled recently and didn't have the NI VISA drivers (and 18.0 works just as well as 5.4 as listed in the manual.....)

In any case, running factory on gave me no return information, but I flashed two hardware version 3.0 units, one with firmware that was so old it still had the screensaver, successfully to SPD3303X using the file and EasyPower.  Very easy to do, the hardest part was definitely installing the program and NI VISA drivers.
Title: Re: Siglent .ads firmware file format
Post by: firstcolle on October 20, 2018, 11:27:19 am
hi, I searched in the forum for a couple of hours but I didn't find anything.. where can I find a patched version of the latest firmware for a sds1104x-e with known telnet password?

thanks
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on October 20, 2018, 12:48:52 pm
hi, I searched in the forum for a couple of hours but I didn't find anything.. where can I find a patched version of the latest firmware for a sds1104x-e with known telnet password?

thanks

Read first all Instructions (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1789175/#msg1789175)

Download links look like they are broken. I do not understand at all why people use these total crap file sharing sites with tons of ads and popups etc. junk and very limited time.

Better quality place for files:
Here (https://app.box.com/s/j5lcyyhvfd6juysbsv7a61y717sp75ux) SDS1004X-E_OSV1_EN_eevblog.zip


Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 21, 2018, 12:03:42 pm
Very interesting thread and great work on decrypting ADS files. Read the entire thread several times and I would like to get my hands dirty with this as well.
I tried janekivi tools v 0.1.4 on SDS1004X_E_6.1.26 but it didn't work. It says:  This is not SDS firmware file. Do I need to reverse-xor the file before it can be parsed by janekivi tools?
It would be great to be able to find out where the model is stored (EEPROM?), then change it to the 1004X model then use regular upgrades.

Cheers

Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 21, 2018, 12:18:35 pm
I tried janekivi tools v 0.1.4 on SDS1004X_E_6.1.26 but it didn't work. It says:  This is not SDS firmware file. Do I need to reverse-xor the file before it can be parsed by janekivi tools?
It would be great to be able to find out where the model is stored (EEPROM?), then change it to the 1004X model then use regular upgrades.

Cheers

I didn't test with janekivi's tool but it should work. It's a normal SDS X-E FW file.

Parsing:
Code:
File Header Size: 00000070
00000000 - File Checksum: C60CADAC [00000004-00765FB8] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 00765F49 (without 0x70 bytes of the File Header)
0000000C - Product_ID: 13501
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x003B2FA5 until 0x00765F48
****************************************************
00000000 --- Section Checksum: C302218F
00000004 --- Section Size: 00765F15 [00000034-00765F48]  CKSM OK
00000008 --- Section # 00000007
00000034 --- 00765F48  ***** ZIP file *****
Offset    Ver  Flag  Comp  Size      Packed    Modified             CRC32                          Name         Permissions     Extra Details
00000034  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [00000056-00000055]  lib/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:14
00000056  2.0  0000  0008  00005F13  00001B04  13-07-2018 10:23:21  9F6ED423  [00000084-00001B87]  lib/brusvxi11.so  MTime: 13-07-2018 03:23:43  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:14
00001B88  2.0  0000  0008  0000916E  00003F99  13-07-2018 10:23:21  5B27B9AB  [00001BBE-00005B56]  lib/ext_device_driver.so  MTime: 13-07-2018 03:23:43  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:14
00005B57  2.0  0000  0008  00065C2C  00022A1A  13-07-2018 10:23:21  577A82D1  [00005B86-0002859F]  lib/libEasyLib.so  MTime: 13-07-2018 03:23:43  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000285A0  2.0  0000  0008  0001E649  00008EBF  13-07-2018 10:23:21  AB77BB49  [000285D1-0003148F]  lib/libvncclient.so  MTime: 13-07-2018 03:23:43  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00031490  2.0  0000  0008  0001E649  00008EBF  13-07-2018 10:23:21  AB77BB49  [000314C3-0003A381]  lib/libvncclient.so.1  MTime: 13-07-2018 03:23:43  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0003A382  2.0  0000  0008  00047CE2  000160A2  13-07-2018 10:23:21  3E6ADA03  [0003A3B3-00050454]  lib/libvncserver.so  MTime: 13-07-2018 03:23:43  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00050455  2.0  0000  0008  00047CE2  000160A2  13-07-2018 10:23:21  3E6ADA03  [00050488-00066529]  lib/libvncserver.so.1  MTime: 13-07-2018 03:23:43  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0006652A  1.0  0000  0000  00000000  00000000  09-08-2018 08:47:07  00000000  [00066550-0006654F]  ui_data/  MTime: 09-08-2018 01:47:15  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:14
00066550  2.0  0000  0008  0001984A  00003053  16-07-2018 14:38:06  A321AADF  [0006658A-000695DC]  ui_data/arabic_help_info.xml  MTime: 16-07-2018 07:38:12  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000695DD  2.0  0000  0008  00022BB7  00002B21  14-08-2018 15:23:13  3FBAF4FD  [00069617-0006C137]  ui_data/arabic_menu_info.xml  MTime: 14-08-2018 08:23:26  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0006C138  2.0  0000  0008  00008529  00001991  16-07-2018 14:38:06  722FD019  [0006C172-0006DB02]  ui_data/arabic_text_info.xml  MTime: 16-07-2018 07:38:13  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0006DB03  2.0  0000  0008  000003F8  00000058  16-07-2018 14:38:06  9DBCA89C  [0006DB30-0006DB87]  ui_data/dev.bmp  MTime: 16-07-2018 07:38:13  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0006DB88  2.0  0000  0008  00019F89  000030A7  27-07-2018 08:53:04  DB7E908B  [0006DBC3-00070C69]  ui_data/english_help_info.xml  MTime: 27-07-2018 01:53:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00070C6A  2.0  0000  0008  00022F6D  00002B62  14-08-2018 14:51:22  6F53507E  [00070CA5-00073806]  ui_data/english_menu_info.xml  MTime: 14-08-2018 07:51:45  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00073807  2.0  0000  0008  00008529  00001991  16-07-2018 14:38:06  722FD019  [00073842-000751D2]  ui_data/english_text_info.xml  MTime: 16-07-2018 07:38:13  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000751D3  2.0  0000  0008  000198F7  00003088  27-07-2018 08:53:27  7AFB4C5C  [0007520D-00078294]  ui_data/french_help_info.xml  MTime: 27-07-2018 01:53:55  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00078295  2.0  0000  0008  00023243  00002CAB  14-08-2018 14:52:01  F4FCDF5A  [000782CF-0007AF79]  ui_data/french_menu_info.xml  MTime: 14-08-2018 07:52:03  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0007AF7A  2.0  0000  0008  0000850D  000019B5  16-07-2018 14:38:06  C784D9DF  [0007AFB4-0007C968]  ui_data/french_text_info.xml  MTime: 16-07-2018 07:38:12  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0007C969  2.0  0000  0008  000198A1  00003080  27-07-2018 08:54:08  19D632E0  [0007C9A3-0007FA22]  ui_data/german_help_info.xml  MTime: 27-07-2018 01:54:17  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0007FA23  2.0  0000  0008  00023700  00002D88  14-08-2018 14:52:14  0E9BACA8  [0007FA5D-000827E4]  ui_data/german_menu_info.xml  MTime: 14-08-2018 07:52:29  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000827E5  2.0  0000  0008  00008C82  00001BDC  16-07-2018 14:38:06  096321F9  [0008281F-000843FA]  ui_data/german_text_info.xml  MTime: 16-07-2018 07:38:12  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000843FB  2.0  0000  0008  000198C4  00003080  27-07-2018 08:54:19  5B695C02  [00084436-000874B5]  ui_data/italian_help_info.xml  MTime: 27-07-2018 01:54:38  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000874B6  2.0  0000  0008  0002350C  00002CC1  14-08-2018 14:52:19  AED3E8E6  [000874F1-0008A1B1]  ui_data/italian_menu_info.xml  MTime: 14-08-2018 07:52:39  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0008A1B2  2.0  0000  0008  00008522  000019AA  16-07-2018 14:38:06  5488AB5E  [0008A1ED-0008BB96]  ui_data/italian_text_info.xml  MTime: 16-07-2018 07:38:13  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0008BB97  2.0  0000  0008  000198C4  00003081  27-07-2018 08:54:27  CEF5D080  [0008BBD3-0008EC53]  ui_data/japanese_help_info.xml  MTime: 27-07-2018 01:54:55  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0008EC54  2.0  0000  0008  00023F0F  00002F04  14-08-2018 14:52:23  585805B7  [0008EC90-00091B93]  ui_data/japanese_menu_info.xml  MTime: 14-08-2018 07:52:47  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00091B94  2.0  0000  0008  00008529  00001991  16-07-2018 14:38:06  722FD019  [00091BD0-00093560]  ui_data/japanese_text_info.xml  MTime: 16-07-2018 07:38:12  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00093561  2.0  0000  0008  000198C5  00003080  27-07-2018 08:55:08  355082EB  [0009359B-0009661A]  ui_data/korean_help_info.xml  MTime: 27-07-2018 01:55:16  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0009661B  2.0  0000  0008  00023974  00002E32  14-08-2018 14:52:29  E6282D8E  [00096655-00099486]  ui_data/korean_menu_info.xml  MTime: 14-08-2018 07:52:59  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00099487  2.0  0000  0008  00008529  00001991  16-07-2018 14:38:06  722FD019  [000994C1-0009AE51]  ui_data/korean_text_info.xml  MTime: 16-07-2018 07:38:13  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0009AE52  2.0  0000  0008  000198C4  00003080  27-07-2018 08:55:17  AA3AC251  [0009AE90-0009DF0F]  ui_data/portuguese_help_info.xml  MTime: 27-07-2018 01:55:34  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0009DF10  2.0  0000  0008  00023191  00002C4B  14-08-2018 14:53:04  874BE64C  [0009DF4E-000A0B98]  ui_data/portuguese_menu_info.xml  MTime: 14-08-2018 07:53:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000A0B99  2.0  0000  0008  0000851C  000019B1  16-07-2018 14:38:06  ED13903B  [000A0BD7-000A2587]  ui_data/portuguese_text_info.xml  MTime: 16-07-2018 07:38:12  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000A2588  2.0  0000  0008  000198C4  00003080  27-07-2018 08:58:03  5B695C02  [000A25C3-000A5642]  ui_data/russian_help_info.xml  MTime: 27-07-2018 01:58:06  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000A5643  2.0  0000  0008  00024A30  00003006  14-08-2018 14:56:05  10CA9361  [000A567E-000A8683]  ui_data/russian_menu_info.xml  MTime: 14-08-2018 07:56:11  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000A8684  2.0  0000  0008  00008584  00001A4E  16-07-2018 14:38:06  40A19302  [000A86BF-000AA10C]  ui_data/russian_text_info.xml  MTime: 16-07-2018 07:38:12  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000AA10D  2.0  0000  0008  00018C1B  000032D0  27-07-2018 09:05:23  43A609DF  [000AA145-000AD414]  ui_data/simp_help_info.xml  MTime: 27-07-2018 02:05:46  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000AD415  2.0  0000  0008  00023864  00002E41  14-08-2018 14:56:11  81A5D501  [000AD44D-000B028D]  ui_data/simp_menu_info.xml  MTime: 14-08-2018 07:56:22  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000B028E  2.0  0000  0008  00008473  00001AB2  16-07-2018 14:38:06  E027E215  [000B02C6-000B1D77]  ui_data/simp_text_info.xml  MTime: 16-07-2018 07:38:12  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000B1D78  2.0  0000  0008  000198C8  00003082  27-07-2018 09:01:23  2072E7B2  [000B1DB3-000B4E34]  ui_data/spanish_help_info.xml  MTime: 27-07-2018 02:01:47  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000B4E35  2.0  0000  0008  00023426  00002C4B  14-08-2018 14:56:15  A89A8946  [000B4E70-000B7ABA]  ui_data/spanish_menu_info.xml  MTime: 14-08-2018 07:56:30  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000B7ABB  2.0  0000  0008  00008540  000019B7  16-07-2018 14:38:05  3D98F0D4  [000B7AF6-000B94AC]  ui_data/spanish_text_info.xml  MTime: 16-07-2018 07:38:11  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000B94AD  2.0  0000  0008  0001849E  0000328A  27-07-2018 09:13:11  AFFC2F20  [000B94E5-000BC76E]  ui_data/trad_help_info.xml  MTime: 27-07-2018 02:13:23  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000BC76F  2.0  0000  0008  00023858  00002EE8  14-08-2018 14:56:19  3E117598  [000BC7A7-000BF68E]  ui_data/trad_menu_info.xml  MTime: 14-08-2018 07:56:38  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000BF68F  2.0  0000  0008  0000846C  00001AF7  16-07-2018 14:38:06  5395CA64  [000BF6C7-000C11BD]  ui_data/trad_text_info.xml  MTime: 16-07-2018 07:38:13  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000C11BE  2.0  0000  0008  00000308  00000066  16-07-2018 14:38:06  539A7E1A  [000C11EB-000C1250]  ui_data/usb.bmp  MTime: 16-07-2018 07:38:13  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000C1251  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [000C1273-000C1272]  www/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:12
000C1273  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [000C129F-000C129E]  www/attchment/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:14
000C129F  2.0  0000  0008  00005AD3  00005AC5  16-07-2018 16:54:16  E23B57EF  [000C12D2-000C6D96]  www/BinToCSV_tool.zip  MTime: 16-07-2018 09:54:33  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:12
000C6D97  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [000C6DBD-000C6DBC]  www/css/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:14
000C6DBD  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [000C6DEA-000C6DE9]  www/css/device/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:14
000C6DEA  2.0  0000  0008  00001A0A  0000065D  13-07-2018 10:21:01  DA06DD28  [000C6E29-000C7485]  www/css/device/device_control.css  MTime: 13-07-2018 03:21:02  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000C7486  2.0  0000  0008  00000E6F  00000492  13-07-2018 10:21:01  731108C6  [000C74BB-000C794C]  www/css/device/main.css  MTime: 13-07-2018 03:21:02  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000C794D  2.0  0000  0008  000007DD  0000029B  13-07-2018 10:21:01  C8FCE2D7  [000C797C-000C7C16]  www/css/login.css  MTime: 13-07-2018 03:21:02  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000C7C17  2.0  0000  0008  000011D5  00000577  13-07-2018 10:21:01  26D75603  [000C7C48-000C81BE]  www/css/welcome.css  MTime: 13-07-2018 03:21:02  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000C81BF  2.0  0000  0008  000007C4  00000239  13-07-2018 10:21:02  D3E45378  [000C81F1-000C8429]  www/deviceupdate.php  MTime: 13-07-2018 03:21:04  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:12
000C842A  2.0  0000  0008  000005F2  0000017D  13-07-2018 10:21:03  7BB9B512  [000C8461-000C85DD]  www/device_read_write.php  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:12
000C85DE  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [000C8606-000C8605]  www/fonts/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:14
000C8606  2.0  0000  0008  00011497  0001146B  13-07-2018 10:21:02  A3758D75  [000C8645-000D9AAF]  www/fonts/fontawesome-webfont.eot  MTime: 13-07-2018 03:21:04  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000D9AB0  2.0  0000  0008  00059430  0001A95E  13-07-2018 10:21:02  CFF95578  [000D9AEF-000F444C]  www/fonts/fontawesome-webfont.svg  MTime: 13-07-2018 03:21:04  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
000F444D  2.0  0000  0008  00022AF8  0001453A  13-07-2018 10:21:02  AC39751F  [000F448C-001089C5]  www/fonts/fontawesome-webfont.ttf  MTime: 13-07-2018 03:21:04  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001089C6  2.0  0000  0008  00014684  0001464C  13-07-2018 10:21:02  C17DCBF4  [00108A06-0011D051]  www/fonts/fontawesome-webfont.woff  MTime: 13-07-2018 03:21:04  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0011D052  2.0  0000  0008  00010440  00010431  13-07-2018 10:21:02  B5F6695A  [0011D093-0012D4C3]  www/fonts/fontawesome-webfont.woff2  MTime: 13-07-2018 03:21:04  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0012D4C4  2.0  0000  0008  0001AC78  00015EFD  13-07-2018 10:21:02  98F5FCC9  [0012D4FB-001433F7]  www/fonts/FontAwesome.otf  MTime: 13-07-2018 03:21:04  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001433F8  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [0014341E-0014341D]  www/img/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:14
0014341E  2.0  0000  0008  00004723  0000112A  13-07-2018 10:21:04  0A7D1CDE  [0014344D-00144576]  www/img/about.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00144577  2.0  0000  0008  00006682  00002200  13-07-2018 10:21:04  A3952F7A  [001445A6-001467A5]  www/img/Home1.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001467A6  2.0  0000  0008  000056E1  00001973  13-07-2018 10:21:04  3F022755  [001467D5-00148147]  www/img/Home2.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00148148  2.0  0000  0008  000001A9  000001AE  13-07-2018 10:21:04  2B0955C8  [0014817A-00148327]  www/img/ic_login.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00148328  2.0  0000  0008  0000015B  00000160  13-07-2018 10:21:04  26CF6E8F  [0014835D-001484BC]  www/img/ic_password.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001484BD  2.0  0000  0008  0000011E  00000121  13-07-2018 10:21:04  2D89CBF8  [001484EE-0014860E]  www/img/ic_user.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0014860F  2.0  0000  0008  00006E08  00002A4F  13-07-2018 10:21:04  6A01E632  [00148643-0014B091]  www/img/Intrument1.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0014B092  2.0  0000  0008  00006444  00002088  13-07-2018 10:21:04  54331AA2  [0014B0C6-0014D14D]  www/img/Intrument2.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0014D14E  2.0  0000  0008  0000704D  00002BC9  13-07-2018 10:21:04  7A6E3F62  [0014D17C-0014FD44]  www/img/LAN1.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0014FD45  2.0  0000  0008  00006179  00002345  13-07-2018 10:21:04  F227C9F5  [0014FD73-001520B7]  www/img/LAN2.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001520B8  2.0  0000  0008  000156C4  00012101  13-07-2018 10:21:04  4766C70E  [001520E6-001641E6]  www/img/logo.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001641E7  2.0  0000  0008  0000740F  00002F8F  13-07-2018 10:21:04  A4E5054B  [00164216-001671A4]  www/img/SCPI1.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001671A5  2.0  0000  0008  00005DD6  000019E5  13-07-2018 10:21:04  10F8D9C4  [001671D4-00168BB8]  www/img/SCPI2.png  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00168BB9  2.0  0000  0008  00000261  00000101  13-07-2018 10:21:03  59765DD4  [00168BE4-00168CE4]  www/index.php  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:12
00168CE5  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:06  00000000  [00168D12-00168D11]  www/Instrument/  MTime: 09-08-2018 01:44:13  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:13
00168D12  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [00168D45-00168D44]  www/Instrument/novnc/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:13
00168D45  2.0  0000  0008  00000012  00000012  13-07-2018 10:21:04  09EA74AA  [00168D83-00168D94]  www/Instrument/novnc/favicon.ico  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00168D95  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [00168DCF-00168DCE]  www/Instrument/novnc/images/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:14
00168DCF  2.0  0000  0008  00000153  00000151  13-07-2018 10:21:04  E8B725E1  [00168E10-00168F60]  www/Instrument/novnc/images/alt.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00168F61  2.0  0000  0008  000001F5  000001FA  13-07-2018 10:21:04  D063D8CA  [00168FA8-001691A1]  www/Instrument/novnc/images/clipboard.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001691A2  2.0  0000  0008  00000194  00000199  13-07-2018 10:21:04  310798F7  [001691E7-0016937F]  www/Instrument/novnc/images/connect.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00169380  2.0  0000  0008  00000162  00000161  13-07-2018 10:21:04  6610B793  [001693C2-00169522]  www/Instrument/novnc/images/ctrl.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00169523  2.0  0000  0008  0000013D  00000142  13-07-2018 10:21:04  5FA26818  [0016956B-001696AC]  www/Instrument/novnc/images/ctrlaltdel.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001696AD  2.0  0000  0008  00000562  00000567  13-07-2018 10:21:04  2EABA092  [001696F5-00169C5B]  www/Instrument/novnc/images/disconnect.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00169C5C  2.0  0000  0008  000003C3  000003C8  13-07-2018 10:21:04  06D319EE  [00169C9E-0016A065]  www/Instrument/novnc/images/drag.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016A066  2.0  0000  0008  00000181  00000182  13-07-2018 10:21:04  F86CB8F8  [0016A0A7-0016A228]  www/Instrument/novnc/images/esc.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016A229  2.0  0000  0008  0000019E  00000189  13-07-2018 10:21:04  FD031A25  [0016A26D-0016A3F5]  www/Instrument/novnc/images/expand.gif  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016A3F6  2.0  0000  0008  0000047E  000000FF  13-07-2018 10:21:04  B17B6C52  [0016A43B-0016A539]  www/Instrument/novnc/images/favicon.ico  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016A53A  2.0  0000  0008  000001C5  000001C5  13-07-2018 10:21:04  86BA4433  [0016A57F-0016A743]  www/Instrument/novnc/images/favicon.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016A744  2.0  0000  0008  000002ED  000002F2  13-07-2018 10:21:04  3956D9F0  [0016A78D-0016AA7E]  www/Instrument/novnc/images/full_screen.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016AA7F  2.0  0000  0008  000001A7  00000199  13-07-2018 10:21:04  FFF8D302  [0016AAC1-0016AC59]  www/Instrument/novnc/images/hide.gif  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016AC5A  2.0  0000  0008  00000503  00000508  13-07-2018 10:21:04  0E44D2DA  [0016ACA0-0016B1A7]  www/Instrument/novnc/images/keyboard.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016B1A8  2.0  0000  0008  0000014A  00000141  13-07-2018 10:21:04  297C782F  [0016B1EA-0016B32A]  www/Instrument/novnc/images/left.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016B32B  2.0  0000  0008  000001FF  00000204  13-07-2018 10:21:04  33C0F7B9  [0016B373-0016B576]  www/Instrument/novnc/images/mouse_left.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016B577  2.0  0000  0008  00000205  0000020A  13-07-2018 10:21:04  DE48BB49  [0016B5C1-0016B7CA]  www/Instrument/novnc/images/mouse_middle.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016B7CB  2.0  0000  0008  000001F1  000001F6  13-07-2018 10:21:04  B8155471  [0016B813-0016BA08]  www/Instrument/novnc/images/mouse_none.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016BA09  2.0  0000  0008  00000201  00000206  13-07-2018 10:21:04  4BDAF377  [0016BA52-0016BC57]  www/Instrument/novnc/images/mouse_right.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016BC58  2.0  0000  0008  000000DF  000000D1  13-07-2018 10:21:04  5BC997F5  [0016BCA1-0016BD71]  www/Instrument/novnc/images/new-down-24.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016BD72  2.0  0000  0008  000000EE  000000E0  13-07-2018 10:21:04  059AC92F  [0016BDBB-0016BE9A]  www/Instrument/novnc/images/new-left-24.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016BE9B  2.0  0000  0008  000000EA  000000DD  13-07-2018 10:21:04  D3CBF039  [0016BEE5-0016BFC1]  www/Instrument/novnc/images/new-right-24.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016BFC2  2.0  0000  0008  000000B7  000000AB  13-07-2018 10:21:04  3407F6E1  [0016C009-0016C0B3]  www/Instrument/novnc/images/new-up-24.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016C0B4  2.0  0000  0008  00000186  00000188  13-07-2018 10:21:04  4EA5EAAC  [0016C0F7-0016C27E]  www/Instrument/novnc/images/power.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016C27F  2.0  0000  0008  00000257  0000025C  13-07-2018 10:21:04  4DA3EF2C  [0016C2C6-0016C521]  www/Instrument/novnc/images/press_new.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016C522  2.0  0000  0008  00000122  0000011C  13-07-2018 10:21:04  11609785  [0016C565-0016C680]  www/Instrument/novnc/images/right.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016C681  2.0  0000  0008  00000141  0000013E  13-07-2018 10:21:04  0AA95190  [0016C6C8-0016C805]  www/Instrument/novnc/images/r_left-16.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016C806  2.0  0000  0008  00000142  0000013D  13-07-2018 10:21:04  D26DA198  [0016C84E-0016C98A]  www/Instrument/novnc/images/r_right-16.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016C98B  2.0  0000  0008  000031EA  00002ED0  13-07-2018 10:21:04  BB29E23A  [0016C9D7-0016F8A6]  www/Instrument/novnc/images/screen_320x460.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
0016F8A7  2.0  0000  0008  0000070F  00000714  13-07-2018 10:21:04  6D5EA4CD  [0016F8F1-00170004]  www/Instrument/novnc/images/screen_57x57.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00170005  2.0  0000  0008  0000460A  00003DE3  13-07-2018 10:21:04  82300E91  [00170051-00173E33]  www/Instrument/novnc/images/screen_700x700.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00173E34  2.0  0000  0008  000009BF  00000977  13-07-2018 10:21:04  4A582C85  [00173E7A-001747F0]  www/Instrument/novnc/images/settings.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
001747F1  2.0  0000  0008  000002DF  000002E4  13-07-2018 10:21:04  AD86DFB3  [0017483C-00174B1F]  www/Instrument/novnc/images/showextrakeys.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00174B20  2.0  0000  0008  000000AD  000000A0  13-07-2018 10:21:04  76A67EB7  [00174B62-00174C01]  www/Instrument/novnc/images/stop.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00174C02  2.0  0000  0008  00000183  00000186  13-07-2018 10:21:04  5026226C  [00174C43-00174DC8]  www/Instrument/novnc/images/tab.png  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00174DC9  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [00174E04-00174E03]  www/Instrument/novnc/include/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:13
00174E04  2.0  0000  0008  00002A17  000009EF  14-07-2018 15:16:18  BDD7A20C  [00174E47-00175835]  www/Instrument/novnc/include/base.css  MTime: 14-07-2018 08:16:36  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00175836  2.0  0000  0008  0000153E  0000088A  13-07-2018 10:21:03  7A8AC16F  [0017587A-00176103]  www/Instrument/novnc/include/base64.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00176104  2.0  0000  0008  00002AAF  00000A00  14-07-2018 15:16:18  0177A851  [0017614E-00176B4D]  www/Instrument/novnc/include/base_mobile.css  MTime: 14-07-2018 08:16:36  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00176B4E  2.0  0000  0008  00001205  000002F4  13-07-2018 10:21:03  32FDD938  [00176B92-00176E85]  www/Instrument/novnc/include/black.css  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00176E86  2.0  0000  0008  00000534  000001A5  13-07-2018 10:21:03  F31B00F0  [00176EC9-0017706D]  www/Instrument/novnc/include/blue.css  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017706E  2.0  0000  0008  000007EE  000002B4  13-07-2018 10:21:03  58434E20  [001770B4-00177367]  www/Instrument/novnc/include/browsers.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00177368  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [001773AE-001773AD]  www/Instrument/novnc/include/chrome-app/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:14
001773AE  2.0  0000  0008  000024F9  00000A27  13-07-2018 10:21:03  17252ED4  [00177401-00177E27]  www/Instrument/novnc/include/chrome-app/tcp-client.js  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:14
00177E28  2.0  0000  0008  000029BA  00000F2C  13-07-2018 10:21:03  C52426D5  [00177E69-00178D94]  www/Instrument/novnc/include/des.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00178D95  2.0  0000  0008  00005575  0000175C  13-07-2018 10:21:03  CD04C438  [00178DDA-0017A535]  www/Instrument/novnc/include/display.js  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017A536  2.0  0000  0008  00002C4A  00000A8C  13-07-2018 10:21:03  5D13357B  [0017A57F-0017B00A]  www/Instrument/novnc/include/domkeytable.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017B00B  2.0  0000  0008  000004E0  000001EF  13-07-2018 10:21:03  66DA53C8  [0017B052-0017B240]  www/Instrument/novnc/include/encodings.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017B241  2.0  0000  0008  000010A2  000005A8  13-07-2018 10:21:03  7934485D  [0017B285-0017B82C]  www/Instrument/novnc/include/events.js  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017B82D  2.0  0000  0008  00000409  00000196  13-07-2018 10:21:03  C7D62201  [0017B876-0017BA0B]  www/Instrument/novnc/include/eventtarget.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017BA0C  2.0  0000  0008  00000EC4  00000467  13-07-2018 10:21:03  6AAB8870  [0017BA53-0017BEB9]  www/Instrument/novnc/include/fixedkeys.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017BEBA  2.0  0000  0008  0000049A  000001CE  13-07-2018 10:21:03  6C773BC2  [0017BF00-0017C0CD]  www/Instrument/novnc/include/inflator.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017C0CE  2.0  0000  0008  0000C6A5  00002DAD  13-07-2018 10:21:03  CB3AA190  [0017C111-0017EEBD]  www/Instrument/novnc/include/input.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0017EEBE  2.0  0000  0008  00004AC1  00001319  13-07-2018 10:21:03  564AF4D0  [0017EF03-0018021B]  www/Instrument/novnc/include/jsunzip.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0018021C  2.0  0000  0008  00005168  000015AA  13-07-2018 10:21:03  C9CCAD61  [00180262-0018180B]  www/Instrument/novnc/include/keyboard.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
0018180C  2.0  0000  0008  000057FE  000011D5  13-07-2018 10:21:03  BFC59E51  [00181850-00182A24]  www/Instrument/novnc/include/keysym.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00182A25  2.0  0000  0008  00005422  00001F89  13-07-2018 10:21:03  BA5BA9A2  [00182A6C-001849F4]  www/Instrument/novnc/include/keysymdef.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
001849F5  2.0  0000  0008  00000536  00000209  13-07-2018 10:21:03  156BE805  [00184A3A-00184C42]  www/Instrument/novnc/include/logging.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:44  CTime: 09-08-2018 01:44:13
00184C43  2.0  0000  0008  00006BDA  00004E97  13-07-2018 10:21:03  83395258  [00184C85-00189B1B]  www/Instrument/novnc/include/logo.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
00189B1C  2.0  0000  0008  00002740  00000A7D  13-07-2018 10:21:03  4F35F4AF  [00189B5F-0018A5DB]  www/Instrument/novnc/include/mouse.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
0018A5DC  2.0  0000  0008  000096B4  00004435  13-07-2018 10:21:03  75810239  [0018A626-0018EA5A]  www/Instrument/novnc/include/Orbitron700.ttf  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
0018EA5B  2.0  0000  0008  00004440  0000441B  13-07-2018 10:21:03  9B7440BD  [0018EAA6-00192EC0]  www/Instrument/novnc/include/Orbitron700.woff  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
00192EC1  2.0  0000  0008  000009BF  00000396  13-07-2018 10:21:03  EB0D8CA4  [00192F07-0019329C]  www/Instrument/novnc/include/playback.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
0019329D  2.0  0000  0008  0000074F  000002F4  13-07-2018 10:21:03  CA2202E0  [001932E3-001935D6]  www/Instrument/novnc/include/polyfill.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001935D7  2.0  0000  0008  0000F593  00003A03  13-07-2018 10:21:03  965E43CA  [00193618-0019701A]  www/Instrument/novnc/include/rfb.js  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
0019701B  2.0  0000  0008  0000013B  000000E7  13-07-2018 10:21:03  312DF302  [00197060-00197146]  www/Instrument/novnc/include/strings.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
00197147  2.0  0000  0008  0000901A  00001C34  13-07-2018 10:21:03  8C2E1648  [00197187-00198DBA]  www/Instrument/novnc/include/ui.js  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
00198DBB  2.0  0000  0008  00002425  00000B93  13-07-2018 10:21:03  D823E18B  [00198DFD-0019998F]  www/Instrument/novnc/include/util.js  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
00199990  2.0  0000  0008  000009D7  000003B6  13-07-2018 10:21:03  BFC66E5F  [001999D3-00199D88]  www/Instrument/novnc/include/vkeys.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
00199D89  2.0  0000  0008  0000043F  000001F6  13-07-2018 10:21:03  66464436  [00199DCA-00199FBF]  www/Instrument/novnc/include/vnc.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
00199FC0  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [0019A009-0019A008]  www/Instrument/novnc/include/web-socket-js/  MTime: 09-08-2018 01:44:14  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:14
0019A009  2.0  0000  0008  00001753  00001758  13-07-2018 10:21:03  F2D8E66E  [0019A05C-0019B7B3]  www/Instrument/novnc/include/web-socket-js/README.txt  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:14
0019B7B4  2.0  0000  0008  000027EC  00000F3C  13-07-2018 10:21:03  C1200AA1  [0019B809-0019C744]  www/Instrument/novnc/include/web-socket-js/swfobject.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:14
0019C745  2.0  0000  0008  0002B3F3  0002981D  13-07-2018 10:21:03  044DC2E9  [0019C79F-001C5FBB]  www/Instrument/novnc/include/web-socket-js/WebSocketMain.swf  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:14
001C5FBC  2.0  0000  0008  000032F0  0000104B  13-07-2018 10:21:03  8FA21DD0  [001C6012-001C705C]  www/Instrument/novnc/include/web-socket-js/web_socket.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:14
001C705D  2.0  0000  0008  000023E2  00000B42  13-07-2018 10:21:03  FF6488B2  [001C70A2-001C7BE3]  www/Instrument/novnc/include/websock.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001C7BE4  2.0  0000  0008  00001041  00000652  13-07-2018 10:21:03  F887C1C8  [001C7C29-001C827A]  www/Instrument/novnc/include/webutil.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001C827B  2.0  0000  0008  000037B0  00000F15  13-07-2018 10:21:03  2076F13A  [001C82C4-001C91D8]  www/Instrument/novnc/include/xtscancodes.js  MTime: 13-07-2018 03:21:07  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:14
001C91D9  2.0  0000  0008  00000AE2  00000AA5  13-07-2018 10:21:03  5DF86B18  [001C9217-001C9CBB]  www/Instrument/novnc/LICENSE.txt  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001C9CBC  2.0  0000  0008  00001512  000009A4  13-07-2018 10:21:04  ECFC1F4A  [001C9CF8-001CA69B]  www/Instrument/novnc/README.md  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001CA69C  2.0  0000  0008  0000C466  0000253F  13-07-2018 10:21:04  1D39BAF3  [001CA6DB-001CCC19]  www/Instrument/novnc/vnc_auto.php  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001CCC1A  2.0  0000  0008  0000D2F2  000027A4  13-07-2018 10:21:04  4418B719  [001CCC60-001CF403]  www/Instrument/novnc/vnc_auto_mobile.php  MTime: 13-07-2018 03:21:08  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001CF404  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:06  00000000  [001CF429-001CF428]  www/js/  MTime: 09-08-2018 01:44:13  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:12
001CF429  2.0  0000  0008  000017EF  00000836  13-07-2018 10:21:04  29BD1571  [001CF456-001CFC8B]  www/js/cycle.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001CFC8C  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:06  00000000  [001CFCB8-001CFCB7]  www/js/device/  MTime: 09-08-2018 01:44:13  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:13
001CFCB8  2.0  0000  0008  00012AEE  000031D3  13-07-2018 10:21:04  C39FF42A  [001CFCEE-001D2EC0]  www/js/device/t_table.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001D2EC1  2.0  0000  0008  0000069E  000002D8  13-07-2018 10:21:04  D03B120A  [001D2EF2-001D31C9]  www/js/home_info.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001D31CA  2.0  0000  0008  00010C6C  00002D85  13-07-2018 10:21:04  5E8976A5  [001D31F9-001D5F7D]  www/js/iscroll.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001D5F7E  2.0  0000  0008  00000C31  00000539  13-07-2018 10:21:04  DB5D4D50  [001D5FB3-001D64EB]  www/js/jquery.cookie.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001D64EC  2.0  0000  0008  0000FD23  00003377  13-07-2018 10:21:04  F4479356  [001D6525-001D989B]  www/js/jquery.fileupload.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001D989C  2.0  0000  0008  00002C0C  00000B06  13-07-2018 10:21:04  A612B1BD  [001D98DB-001DA3E0]  www/js/jquery.iframe-transport.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001DA3E1  2.0  0000  0008  000176F8  00008125  13-07-2018 10:21:04  6AE93E35  [001DA413-001E2537]  www/js/jquery.min.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001E2538  2.0  0000  0008  000013E4  000006A3  13-07-2018 10:21:04  40D7DC92  [001E2571-001E2C13]  www/js/jquery.pagination.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001E2C14  2.0  0000  0008  00001E96  00000AA1  13-07-2018 10:21:04  8C7EA0B6  [001E2C4E-001E36EE]  www/js/jquery.transit.min.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001E36EF  2.0  0000  0008  00000FC3  00000544  13-07-2018 10:21:04  5737EAD4  [001E3728-001E3C6B]  www/js/jquery.wordexport.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001E3C6C  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:06  00000000  [001E3CA0-001E3C9F]  www/js/JSON-js-master/  MTime: 09-08-2018 01:44:13  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:12
001E3CA0  2.0  0000  0008  000017EF  00000836  13-07-2018 10:21:04  29BD1571  [001E3CDC-001E4511]  www/js/JSON-js-master/cycle.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001E4512  2.0  0000  0008  00004800  0000157C  13-07-2018 10:21:04  685DAC78  [001E454E-001E5AC9]  www/js/JSON-js-master/json2.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001E5ACA  2.0  0000  0008  000023FF  00000A6B  13-07-2018 10:21:04  FE620627  [001E5B0B-001E6575]  www/js/JSON-js-master/json_parse.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001E6576  2.0  0000  0008  00003341  00000CFC  13-07-2018 10:21:04  C908B106  [001E65BD-001E72B8]  www/js/JSON-js-master/json_parse_state.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001E72B9  2.0  0000  0008  00000689  0000035D  13-07-2018 10:21:04  B4BE88FD  [001E72F3-001E764F]  www/js/JSON-js-master/README  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:13
001E7650  2.0  0000  0008  00004800  0000157C  13-07-2018 10:21:04  685DAC78  [001E767D-001E8BF8]  www/js/json2.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001E8BF9  2.0  0000  0008  000023FF  00000A6B  13-07-2018 10:21:04  FE620627  [001E8C2B-001E9695]  www/js/json_parse.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001E9696  2.0  0000  0008  00003341  00000CFC  13-07-2018 10:21:04  C908B106  [001E96CE-001EA3C9]  www/js/json_parse_state.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001EA3CA  2.0  0000  0008  000046A4  00000C68  13-07-2018 10:21:04  106FAAB6  [001EA3FC-001EB063]  www/js/lan_config.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001EB064  2.0  0000  0008  00000085  00000062  13-07-2018 10:21:04  872B6CB6  [001EB092-001EB0F3]  www/js/log_in.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001EB0F4  2.0  0000  0008  0000215A  00000BE2  13-07-2018 10:21:04  A11D7515  [001EB120-001EBD01]  www/js/main.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001EBD02  2.0  0000  0008  00001DD7  00000A40  13-07-2018 10:21:04  02D7D4BB  [001EBD30-001EC76F]  www/js/mcplib.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001EC770  2.0  0000  0008  000001E4  000000B9  13-07-2018 10:21:04  CC50E34D  [001EC79B-001EC853]  www/js/npm.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001EC854  2.0  0000  0008  00019503  000084B5  13-07-2018 10:21:04  FC554B04  [001EC888-001F4D3C]  www/js/TweenMax.min.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001F4D3D  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:06  00000000  [001F4D69-001F4D68]  www/js/vendor/  MTime: 09-08-2018 01:44:12  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:12
001F4D69  2.0  0000  0008  00003ED9  00001325  13-07-2018 10:21:04  B8246F6C  [001F4DA8-001F60CC]  www/js/vendor/jquery.ui.widget.js  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001F60CD  2.0  0000  0008  00000B2D  0000045B  13-07-2018 10:21:04  F719B09D  [001F60F7-001F6551]  www/js/xhtml  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001F6552  2.0  0000  0008  00007D6F  00001F54  13-07-2018 10:21:04  0AE8B9F2  [001F658E-001F84E1]  www/js/xhtml1-transitional.dtd  MTime: 13-07-2018 03:21:09  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001F84E2  2.0  0000  0008  00001E9B  00000686  13-07-2018 10:21:03  7F4DEC6B  [001F850B-001F8B90]  www/lan.php  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001F8B91  2.0  0000  0008  00002BDE  000008FB  13-07-2018 10:21:03  CB8B927E  [001F8BC2-001F94BC]  www/lan_setting.php  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001F94BD  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:06  00000000  [001F94E3-001F94E2]  www/log/  MTime: 09-08-2018 01:44:12  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:12
001F94E3  1.0  0000  0000  00000000  00000000  13-07-2018 10:21:01  00000000  [001F951B-001F951A]  www/log/lighttpd_error.log  MTime: 13-07-2018 03:21:02  ATime: 09-08-2018 01:44:12  CTime: 09-08-2018 01:44:12
001F951B  2.0  0000  0008  00000FE9  000005CB  13-07-2018 10:21:03  DC1C907D  [001F9546-001F9B10]  www/login.php  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001F9B11  2.0  0000  0008  0000011B  000000B7  13-07-2018 10:21:03  562D1E79  [001F9B3D-001F9BF3]  www/logout.php  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001F9BF4  2.0  0000  0008  000010AE  00000546  13-07-2018 10:21:01  F7CB535A  [001F9C26-001FA16B]  www/SCPI_control.php  MTime: 13-07-2018 03:21:02  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001FA16C  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:06  00000000  [001FA192-001FA191]  www/src/  MTime: 09-08-2018 01:44:12  ATime: 15-08-2018 08:26:43  CTime: 09-08-2018 01:44:12
001FA192  2.0  0000  0008  000000B9  0000007F  13-07-2018 10:21:01  E60190A8  [001FA1BF-001FA23D]  www/src/IDN.php  MTime: 13-07-2018 03:21:02  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001FA23E  2.0  0000  0008  000000C8  00000082  13-07-2018 10:21:01  9E8519B7  [001FA26E-001FA2EF]  www/src/index.html  MTime: 13-07-2018 03:21:02  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001FA2F0  2.0  0000  0008  000000CE  00000085  13-07-2018 10:21:03  4734FAA2  [001FA31F-001FA3A3]  www/vncserver.txt  MTime: 13-07-2018 03:21:06  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001FA3A4  2.0  0000  0008  00001366  00000502  13-07-2018 10:21:01  0C3FC166  [001FA3D1-001FA8D2]  www/welcome.php  MTime: 13-07-2018 03:21:02  ATime: 15-08-2018 08:26:45  CTime: 09-08-2018 01:44:12
001FA8D3  2.0  0000  0008  0000CDB2  00000FF2  14-08-2018 14:56:25  EAE3BFFB  [001FA904-001FB8F5]  factory_setting.xml  MTime: 14-08-2018 07:56:50  ATime: 15-08-2018 08:26:07  CTime: 09-08-2018 01:44:11
001FB8F6  2.0  0000  0008  003DBB6D  00158549  26-07-2018 11:46:04  F3302A7F  [001FB92E-00353E76]  top_sds1000b_fpga_256M.bit  MTime: 26-07-2018 04:46:09  ATime: 15-08-2018 08:26:07  CTime: 09-08-2018 01:44:12
00353E77  2.0  0000  0008  00000E34  00000335  30-05-2018 11:47:04  19E22C47  [00353E9E-003541D2]  update.sh  MTime: 30-05-2018 04:47:08  ATime: 15-08-2018 08:26:07  CTime: 09-08-2018 01:44:12
003541D3  2.0  0000  0008  00006831  000024BC  13-07-2018 10:23:22  66D144AF  [003541FA-003566B5]  vncserver  MTime: 13-07-2018 03:23:44  ATime: 15-08-2018 08:26:07  CTime: 09-08-2018 01:44:12
003566B6  2.0  0000  0008  00CA9B1C  003F194E  15-08-2018 15:51:14  26EE22F2  [003566E0-0074802D]  sds1000b.app  MTime: 15-08-2018 08:51:28  ATime: 15-08-2018 08:44:33  CTime: 09-08-2018 01:44:11
0074802E  1.0  0000  0000  00000000  00000000  09-08-2018 08:44:07  00000000  [00748054-00748053]  drivers/  MTime: 09-08-2018 01:44:15  ATime: 15-08-2018 08:26:39  CTime: 09-08-2018 01:44:15
00748054  2.0  0000  0008  000068AD  000027D3  08-07-2017 00:10:13  FAAA09A7  [00748085-0074A857]  drivers/g_usbtmc.ko  MTime: 07-07-2017 17:10:26  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
0074A858  2.0  0000  0008  0000ECB5  00005D2C  08-07-2017 00:10:13  6E3E714E  [0074A88D-007505B8]  drivers/libcomposite.ko  MTime: 07-07-2017 17:10:26  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
007505B9  2.0  0000  0008  000118E6  0000778E  17-11-2017 10:16:20  4C1729CD  [007505E9-00757D76]  drivers/mt7601u.ko  MTime: 17-11-2017 02:16:40  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
00757D77  2.0  0000  0008  000028C5  00000DF7  08-07-2017 00:10:12  EADEFABE  [00757DA9-00758B9F]  drivers/siglentkb.ko  MTime: 07-07-2017 17:10:25  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
00758BA0  2.0  0000  0008  00002E6E  000010D2  08-07-2017 00:10:12  2DAC2FC4  [00758BD4-00759CA5]  drivers/siglent_dma.ko  MTime: 07-07-2017 17:10:24  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
00759CA6  2.0  0000  0008  00002396  00000D35  08-07-2017 00:10:12  888DAB3C  [00759CDB-0075AA0F]  drivers/siglent_vdma.ko  MTime: 07-07-2017 17:10:25  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
0075AA10  2.0  0000  0008  00002288  00000B80  20-03-2018 11:04:02  E0989036  [0075AA44-0075B5C3]  drivers/siglent_vnc.ko  MTime: 20-03-2018 03:04:05  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
0075B5C4  2.0  0000  0008  00003729  00001639  08-07-2017 00:10:12  AF8F4F6D  [0075B5FB-0075CC33]  drivers/xilinx_axicdma.ko  MTime: 07-07-2017 17:10:25  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
0075CC34  2.0  0000  0008  00003B9B  00001756  08-07-2017 00:10:12  A70C189A  [0075CC6A-0075E3BF]  drivers/xilinx_axidma.ko  MTime: 07-07-2017 17:10:25  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
0075E3C0  2.0  0000  0008  0000412D  00001999  08-07-2017 00:10:12  6F40AEAD  [0075E3F4-0075FD8C]  drivers/xilinx_vdma.ko  MTime: 07-07-2017 17:10:25  ATime: 15-08-2018 08:26:46  CTime: 09-08-2018 01:44:15
Disk Entries: 226   Total Entries: 226   Directory Size: 24998 bytes  [0075FD8D-00765F32]
****************************************************
  File Processed OK
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 21, 2018, 12:27:48 pm
Oh well, it worked on SDS200x ads firmware file straight out, but not on 1xx4X-E ads, tried .25R2 and .26.

@tv84, thanks for your reply. By any chance did you post your parsing script anywhere? Couldn't find it. If you didn't, would you mind sharing?


Thanks
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 21, 2018, 12:41:19 pm
@tv84, thanks for your reply. By any chance did you post your parsing script anywhere? Couldn't find it. If you didn't, would you mind sharing?


My "script" is part of a full-blown work in progress. Sorry, no share.

Janekivi's tool and all other spinoffs/infos that have been made available (in this thread) should be enough to accomplish any need for the most persistent.
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 21, 2018, 12:46:26 pm
Understand... I will persist. Can you share the 72 bytes header format?
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 21, 2018, 01:07:27 pm
Understand... I will persist. Can you share the 72 bytes header format?

There is not a standard header format. There are a few formats depending on the equipment.

You can see all of that in action on the master parsing lists:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892)

Most of the time you can only get to the header after decrypting Siglent's 3DES encryption.
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 21, 2018, 01:13:57 pm
I see. Comparing 2000X to 1004X-E ads, the latter definitely seems to be compressed or encrypted data. So I should run it through Siglent 3des algo to get something readable like the 2000X. Right?

I was under the impression that only a few parts were 3des encrypted. Maybe I didn't read carefully enough. Thanks

Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 21, 2018, 01:27:19 pm
You are not studying the parsings hard enough.

SDS X are Blackfin machines with a specific format.

SDS X-E are ARM machines with a totally different format (see parsings).

Most files usually have 2 encrypted blocks plus an encrypted file header but SDS X, for example, have no encryption.
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 21, 2018, 05:13:01 pm
You are not studying the parsings hard enough.

SDS X are Blackfin machines with a specific format.

SDS X-E are ARM machines with a totally different format (see parsings).

Most files usually have 2 encrypted blocks plus an encrypted file header but SDS X, for example, have no encryption.

I am reading the parse result for 1004X-E firmware. This is my understanding, please correct me if wrong:

First 0x70 bytes is an encrypted header.
Is the header size a known constant length or is it somewhere at some known offset in the file?
Is the header encrypted with 3des? If so, where do I find the key, is mode ECB, CBC, initial value for CBC? Are these known parameters or are somewhere in the ADS file?

Read thread three times and can't find this info, just a hint that the key was in the ADS file but it was a different firmware

Thanks for helping out
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 21, 2018, 05:27:42 pm
You are not studying the parsings hard enough.

SDS X are Blackfin machines with a specific format.

SDS X-E are ARM machines with a totally different format (see parsings).

Most files usually have 2 encrypted blocks plus an encrypted file header but SDS X, for example, have no encryption.

I am reading the parse result for 1004X-E firmware. This is my understanding, please correct me if wrong:

First 0x70 bytes is an encrypted header.
Is the header size a known constant length or is it somewhere at some known offset in the file?
Is the header encrypted with 3des? If so, where do I find the key, is mode ECB, CBC, initial value for CBC? Are these known parameters or are somewhere in the ADS file?

Read thread three times and can't find this info, just a hint that the key was in the ADS file but it was a different firmware

Thanks for helping out

For SDS X-E file header is always 0x70 bytes.
Yes it's encrypted with the same key and the key can be found in the .APP file. Once you have your decryption running you can compare it with my parsings and you'll discover the encryption mode.
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 21, 2018, 06:08:22 pm

For SDS X-E file header is always 0x70 bytes.
Yes it's encrypted with the same key and the key can be found in the .APP file. Once you have your decryption running you can compare it with my parsings and you'll discover the encryption mode.

Ok, can't read .APP file. Not there yet.

So the algorithm should be:
- read file as a byte array
- save first 0x70 bytes header
- save remaining data bytes
- reverse the remaining data bytes
- apply first XOR to data bytes with incrementing index as described by janekivi
- apply second XOR to second half of data bytes

Now I should be able to see .APP in data bytes

- get 3des parameters from data
- 3des decrypt the saved header bytes with above parameters

Am I on the right track?
I wrote a python script to do just that but the result still seems to be garbled bytes (i.e. can't see .APP)

Thanks for your guidance
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 21, 2018, 08:46:20 pm
Ok. I am getting a bunch of zipped files in the first half of the reversed xored data, the second half is unintelligible, making me think that I am screwing up the second XOR pass from half point on, although that's difficult to screw up but ...
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 21, 2018, 09:46:46 pm
This seems correct, however I cannot get a complete zip file. The central directory at the end is only half there and is incomplete. Trying to figure out what I am doing wrong.
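A structure check for the symptom reported in this post and for the entry listing earlier in the thread, as an added example (not code from the thread or from any poster): it walks the ZIP local headers, verifies each entry's CRC-32, then looks for the end-of-central-directory record, so a transform that goes wrong partway through the data shows up as an exact offset. The archive, its dummy contents and the constant-XOR damage are constructed for illustration and are not Siglent's scheme.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def walk_local_entries(buf):
    """Follow local file headers from offset 0 and verify each entry's CRC-32.

    Returns (entries, stop_offset, reason); entries is a list of (offset, name).
    """
    entries, pos = [], 0
    while True:
        sig = buf[pos:pos + 4]
        if sig != LOCAL_SIG:
            reason = ("central directory reached" if sig == CENTRAL_SIG
                      else "no local header signature")
            return entries, pos, reason
        if pos + 30 > len(buf):
            return entries, pos, "truncated local header"
        (_ver, flags, method, _time, _date, crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", buf, pos + 4)
        if flags & 0x08:
            return entries, pos, "sizes stored in a data descriptor (not handled)"
        start = pos + 30 + nlen + xlen        # header is 30 bytes + name + extra
        data = buf[start:start + csize]
        if len(data) != csize:
            return entries, pos, "entry data runs past end of buffer"
        try:
            if method == 8:                   # deflate, "0008" in the listing
                data = zlib.decompress(data, -15)
            elif method != 0:                 # 0 = stored
                return entries, pos, "unsupported compression method"
        except zlib.error:
            return entries, pos, "deflate stream is corrupt"
        if zlib.crc32(data) != crc:
            return entries, pos, "CRC-32 mismatch"
        entries.append((pos, buf[pos + 30:pos + 30 + nlen].decode("cp437")))
        pos = start + csize


def find_eocd(buf):
    """Locate the End Of Central Directory record; None if it is missing."""
    pos = buf.rfind(EOCD_SIG, max(0, len(buf) - 65557))
    if pos < 0 or pos + 22 > len(buf):
        return None
    (_disk, _cd_disk, _disk_entries, total, cd_size, cd_offset,
     _comment_len) = struct.unpack_from("<HHHHIIH", buf, pos + 4)
    return {"pos": pos, "total": total, "cd_size": cd_size, "cd_offset": cd_offset}


def count_central_entries(buf, offset, limit):
    """Count well-formed central directory headers starting at offset."""
    count = 0
    while (count < limit and offset + 46 <= len(buf)
           and buf[offset:offset + 4] == CENTRAL_SIG):
        nlen, xlen, clen = struct.unpack_from("<HHH", buf, offset + 28)
        (local_offset,) = struct.unpack_from("<I", buf, offset + 42)
        if buf[local_offset:local_offset + 4] != LOCAL_SIG:
            break                             # points at something that is no entry
        offset += 46 + nlen + xlen + clen
        count += 1
    return count


def diagnose(buf):
    """Summarise how much of the archive is structurally sound."""
    entries, stop, reason = walk_local_entries(buf)
    eocd = find_eocd(buf)
    cd_parsed = count_central_entries(buf, eocd["cd_offset"], eocd["total"]) if eocd else 0
    complete = (eocd is not None
                and cd_parsed == eocd["total"] == len(entries)
                and stop == eocd["cd_offset"]
                and eocd["cd_offset"] + eocd["cd_size"] == eocd["pos"])
    return {"local_ok": len(entries), "stop_offset": stop, "stop_reason": reason,
            "eocd_total": eocd["total"] if eocd else None,
            "cd_parsed": cd_parsed, "complete": complete}


def build_sample():
    """Constructed archive: names borrowed from the listing, dummy 200-byte bodies."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name in ("www/login.php", "www/logout.php", "www/lan.php", "update.sh"):
            info = zipfile.ZipInfo(name, date_time=(2018, 7, 13, 10, 21, 4))
            zf.writestr(info, bytes(range(200)))   # stored (method 0)
    return out.getvalue()


def garble_second_half(buf, key=0x5A):
    """Stand-in for a wrong transform on the second half (constructed constant XOR)."""
    half = len(buf) // 2
    return buf[:half] + bytes(b ^ key for b in buf[half:])


if __name__ == "__main__":
    sample = build_sample()
    for label, blob in (("intact", sample),
                        ("second half garbled", garble_second_half(sample))):
        print(label, diagnose(blob))
```

The `stop_offset` of the first failing entry, compared with the midpoint of the buffer, tells you whether the damage starts exactly where the second pass begins.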
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 26, 2018, 01:24:56 am

@vt100 I followed your instruction to the letter. I can launch sds100.app under busybox, I seem to be able to enable crash core dumps with ulimit -c unlimited, but when I kill sds1000.app with ABRT signal, no core dump is generated, the app is just killed. ulimit -c shows unlimited so core dumps should be enabled. My firmware is .25R2. Any other way to trigger a core dump? Is it possible core dumps are disabled on this particular version of Busybox?


Thanks
Title: Re: Siglent .ads firmware file format
Post by: twinter145 on October 26, 2018, 01:48:42 pm
I can launch sds100.app under busybox, I seem to be able to enable crash core dumps with ulimit -c unlimited, but when I kill sds1000.app with ABRT signal, no core dump is generated, the app is just killed.

The same thing happened to me, but after I tried a few times I managed to get a core dump. Maybe you have to wait a bit longer for the dump to be generated?
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 26, 2018, 07:04:47 pm
I can launch sds100.app under busybox, I seem to be able to enable crash core dumps with ulimit -c unlimited, but when I kill sds1000.app with ABRT signal, no core dump is generated, the app is just killed.

The same thing happened to me, but after I tried a few times I managed to get a core dump. Maybe you have to wait a bit longer for the dump to be generated?

I will try waiting longer. Did you download Busybox from the link provided? Reading the log in the Busybox download page, it seems it has crash dumps disabled.

Would you post your Busybox file?

Thanks
Title: Re: Siglent .ads firmware file format
Post by: cguareschi on October 27, 2018, 12:48:12 am
Finally I was able to set up the proper linux toolchain for the arm cortex A7 and cross compile Busybox.
The new Busybox worked flawlessly and I was able to get a core dump and retrieve the licenses.


Title: Re: Siglent .ads firmware file format
Post by: vt100 on October 27, 2018, 08:33:51 pm
My apologies for the delay in responding, I have been swamped with work over this past 10 days and haven't had much time to peruse the forum. It's not because I don't love you guys ;)


@vt100 I followed your instruction to the letter. I can launch sds100.app under busybox, I seem to be able to enable crash core dumps with ulimit -c unlimited, but when I kill sds1000.app with ABRT signal, no core dump is generated, the app is just killed. ulimit -c shows unlimited so core dumps should be enabled. My firmware is .25R2. Any other way to trigger a core dump? Is it possible core dumps are disabled on this particular version of Busybox?

Core dump appears to be disabled on the "stock" version included with the scope. If you kill -ABRT the pid and you do not get a core dump, then
a. make sure you're in a directory which is writable (e.g. /tmp) when you launch the scope app and then kill the pid. Otherwise the core dump can't be written.
b. make sure you're running the /tmp version of busybox, common error is to just type busybox ash which would launch the version in bin from the search path



The same thing happened to me, but after I tried a few times I managed to get a core dump. Maybe you have to wait a bit longer for the dump to be generated?

The core file is somewhat large, but it's never taken more than, say, 5-10 seconds in all my tests. Once you see the (core dump) message, the core file should be there.


Finally I was able to set up the proper linux toolchain for the arm cortex A7 and cross compile Busybox.
The new Busybox worked flawlessly and I was able to get a core dump and retrieve the licenses.

It's possible the pre-compiled version at the link posted (which is an auto-build updated regularly) might be incorrectly compiled with core dumps disabled at some point. I am not sure how often the busybox at the link provided is updated. For best results obviously compile your own :)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on November 24, 2018, 10:33:55 pm
Janekivi,

What about the Siglent SDS3000 files? Did you have a look?  (They are big boys...)

http://www.siglent.com/prodcut-gjjrj.aspx?id=80&tid=1&T=2 (http://www.siglent.com/prodcut-gjjrj.aspx?id=80&tid=1&T=2)
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 25, 2018, 12:01:29 pm
Seems like this is Siglent fla file format there...
Inside are 8 files. First is BIG. Probably software, app or this kind of stuff.
Some parts are 300 bytes. Last 4 bytes of all parts are probably some kind
of CRC. Looking at this shortest part, in 2 firmware they are identical, except
last 16 bytes and last 4 after that. So there may be some kind of encryption
using 8 or 16 byte chunks. All they may be reversed of course. And after that
all is in Chinese.

No files yet but there was even SDS5000
Title: Re: Siglent .ads firmware file format
Post by: tv84 on November 25, 2018, 03:13:26 pm
Seems like a checksum, not a CRC. But I haven't figured it out. Maybe it's used after decryption...

SDS3K_SPO3ND_8.0.4.7.fla
Code: [Select]
00000000 - Manufacturer: Siglent
00000010 - Name 2: RELSVR  (Release Version)
00000016 - FW Version: 8_0
00000020 - Encrypted Block [00000020-0A7EF09F]  Size: 0A7EF080
0A7EF0A0 - (?) Checksum: D4CF5466

0A7EF0A4 - Manufacturer: Siglent
0A7EF0B4 - Name 2: RELSVR  (Release Version)
0A7EF0BA - FW Version: 8_0
0A7EF0C4 - Encrypted Block [0A7EF0C4-0A9B1113]  Size: 001C2050
0A9B1114 - (?) Checksum: 0047D675

0A9B1118 - Manufacturer: Siglent
0A9B1128 - Name 2: RELSVR  (Release Version)
0A9B112E - FW Version: 8_0
0A9B1138 - Encrypted Block [0A9B1138-0AA71147]  Size: 000C0010
0AA71148 - (?) Checksum: 0058FB6E

0AA7114C - Manufacturer: Siglent
0AA7115C - Name 2: RELSVR  (Release Version)
0AA71162 - FW Version: 8_0
0AA7116C - Encrypted Block [0AA7116C-0AAB117B]  Size: 00040010
0AAB117C - (?) Checksum: 010E0CB7

0AAB1180 - Manufacturer: Siglent
0AAB1190 - Name 2: RELSVR  (Release Version)
0AAB1196 - FW Version: 8_0
0AAB11A0 - Encrypted Block [0AAB11A0-0AAB55EF]  Size: 00004450
0AAB55F0 - (?) Checksum: 001A4498

0AAB55F4 - Manufacturer: Siglent
0AAB5604 - Name 2: RELSVR  (Release Version)
0AAB560A - FW Version: 8_0
0AAB5614 - Encrypted Block [0AAB5614-0AB86743]  Size: 000D1130
0AB86744 - (?) Checksum: 03CF6A7F

0AB86748 - Manufacturer: Siglent
0AB86758 - Name 2: RELSVR  (Release Version)
0AB8675E - FW Version: 8_0
0AB86768 - Encrypted Block [0AB86768-0AB868B7]  Size: 00000150
0AB868B8 - (?) Checksum: 00005FBB

0AB868BC - Manufacturer: Siglent
0AB868CC - Name 2: RELSVR  (Release Version)
0AB868D2 - FW Version: 8_0
0AB868DC - Encrypted Block [0AB868DC-0AB8894B]  Size: 00002070
0AB8894C - (?) Checksum: 000985B9

SDS3000E_8.4.1.4.fla
Code:
00000000 - Manufacturer: Siglent
00000010 - Name 2: RELSVR  (Release Version)
00000016 - FW Version: 8_4
00000020 - Encrypted Block [00000020-0AD9DD3F]  Size: 0AD9DD20
0AD9DD40 - (?) Checksum: F7B98E71

0AD9DD44 - Manufacturer: Siglent
0AD9DD54 - Name 2: RELSVR  (Release Version)
0AD9DD5A - FW Version: 8_4
0AD9DD64 - Encrypted Block [0AD9DD64-0AF5FDB3]  Size: 001C2050
0AF5FDB4 - (?) Checksum: 0047D675

0AF5FDB8 - Manufacturer: Siglent
0AF5FDC8 - Name 2: RELSVR  (Release Version)
0AF5FDCE - FW Version: 8_4
0AF5FDD8 - Encrypted Block [0AF5FDD8-0B01FDE7]  Size: 000C0010
0B01FDE8 - (?) Checksum: 0058FB6E

0B01FDEC - Manufacturer: Siglent
0B01FDFC - Name 2: RELSVR  (Release Version)
0B01FE02 - FW Version: 8_4
0B01FE0C - Encrypted Block [0B01FE0C-0B05FE1B]  Size: 00040010
0B05FE1C - (?) Checksum: 010E0B14

0B05FE20 - Manufacturer: Siglent
0B05FE30 - Name 2: RELSVR  (Release Version)
0B05FE36 - FW Version: 8_4
0B05FE40 - Encrypted Block [0B05FE40-0B06428F]  Size: 00004450
0B064290 - (?) Checksum: 001A4498

0B064294 - Manufacturer: Siglent
0B0642A4 - Name 2: RELSVR  (Release Version)
0B0642AA - FW Version: 8_4
0B0642B4 - Encrypted Block [0B0642B4-0B135693]  Size: 000D13E0
0B135694 - (?) Checksum: 03D03F96

0B135698 - Manufacturer: Siglent
0B1356A8 - Name 2: RELSVR  (Release Version)
0B1356AE - FW Version: 8_4
0B1356B8 - Encrypted Block [0B1356B8-0B135807]  Size: 00000150
0B135808 - (?) Checksum: 00005FB9

0B13580C - Manufacturer: Siglent
0B13581C - Name 2: RELSVR  (Release Version)
0B135822 - FW Version: 8_4
0B13582C - Encrypted Block [0B13582C-0B13789B]  Size: 00002070
0B13789C - (?) Checksum: 000985B9

maui_8.4.1.5.fla  (LeCroy WS3000)
Code:
00000000 - Manufacturer: LeCroy
00000010 - Name 2: RELSVR  (Release Version)
00000016 - FW Version: 8_4
00000020 - Encrypted Block [00000020-0AEE972F]  Size: 0AEE9710
0AEE9730 - (?) Checksum: 0100856F

0AEE9734 - Manufacturer: LeCroy
0AEE9744 - Name 2: RELSVR  (Release Version)
0AEE974A - FW Version: 8_4
0AEE9754 - Encrypted Block [0AEE9754-0B0AB7A3]  Size: 001C2050
0B0AB7A4 - (?) Checksum: 00444D1E

0B0AB7A8 - Manufacturer: LeCroy
0B0AB7B8 - Name 2: RELSVR  (Release Version)
0B0AB7BE - FW Version: 8_4
0B0AB7C8 - Encrypted Block [0B0AB7C8-0B16B7D7]  Size: 000C0010
0B16B7D8 - (?) Checksum: 0058FB6E

0B16B7DC - Manufacturer: LeCroy
0B16B7EC - Name 2: RELSVR  (Release Version)
0B16B7F2 - FW Version: 8_4
0B16B7FC - Encrypted Block [0B16B7FC-0B1AB80B]  Size: 00040010
0B1AB80C - (?) Checksum: 010E10CC

0B1AB810 - Manufacturer: LeCroy
0B1AB820 - Name 2: RELSVR  (Release Version)
0B1AB826 - FW Version: 8_4
0B1AB830 - Encrypted Block [0B1AB830-0B1AFC7F]  Size: 00004450
0B1AFC80 - (?) Checksum: 001A4498

0B1AFC84 - Manufacturer: LeCroy
0B1AFC94 - Name 2: RELSVR  (Release Version)
0B1AFC9A - FW Version: 8_4
0B1AFCA4 - Encrypted Block [0B1AFCA4-0B281083]  Size: 000D13E0
0B281084 - (?) Checksum: 03D03F96

0B281088 - Manufacturer: LeCroy
0B281098 - Name 2: RELSVR  (Release Version)
0B28109E - FW Version: 8_4
0B2810A8 - Encrypted Block [0B2810A8-0B2811F7]  Size: 00000150
0B2811F8 - (?) Checksum: 00005FBA

0B2811FC - Manufacturer: LeCroy
0B28120C - Name 2: RELSVR  (Release Version)
0B281212 - FW Version: 8_4
0B28121C - Encrypted Block [0B28121C-0B28328B]  Size: 00002070
0B28328C - (?) Checksum: 000985B9
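
The three listings above can be cross-checked without decrypting anything. This is an added example, not tv84's tool and not code from the thread: it takes the offsets, sizes and checksum values from the listings and tests the layout arithmetic, the 16-byte size alignment suggested earlier, and whether each checksum is small enough to be a plain sum of bytes. HEADER_LEN, CHECKSUM_LEN and all function names are assumptions of this sketch.

```python
from itertools import combinations

HEADER_LEN = 0x20   # assumed: every listed block starts 0x20 after its header
CHECKSUM_LEN = 4    # assumed: the "(?) Checksum" field is 4 bytes wide

# (header_offset, encrypted_size, checksum), copied from the three listings.
IMAGES = {
    "SDS3K_SPO3ND_8.0.4.7.fla": [
        (0x00000000, 0x0A7EF080, 0xD4CF5466),
        (0x0A7EF0A4, 0x001C2050, 0x0047D675),
        (0x0A9B1118, 0x000C0010, 0x0058FB6E),
        (0x0AA7114C, 0x00040010, 0x010E0CB7),
        (0x0AAB1180, 0x00004450, 0x001A4498),
        (0x0AAB55F4, 0x000D1130, 0x03CF6A7F),
        (0x0AB86748, 0x00000150, 0x00005FBB),
        (0x0AB868BC, 0x00002070, 0x000985B9),
    ],
    "SDS3000E_8.4.1.4.fla": [
        (0x00000000, 0x0AD9DD20, 0xF7B98E71),
        (0x0AD9DD44, 0x001C2050, 0x0047D675),
        (0x0AF5FDB8, 0x000C0010, 0x0058FB6E),
        (0x0B01FDEC, 0x00040010, 0x010E0B14),
        (0x0B05FE20, 0x00004450, 0x001A4498),
        (0x0B064294, 0x000D13E0, 0x03D03F96),
        (0x0B135698, 0x00000150, 0x00005FB9),
        (0x0B13580C, 0x00002070, 0x000985B9),
    ],
    "maui_8.4.1.5.fla": [
        (0x00000000, 0x0AEE9710, 0x0100856F),
        (0x0AEE9734, 0x001C2050, 0x00444D1E),
        (0x0B0AB7A8, 0x000C0010, 0x0058FB6E),
        (0x0B16B7DC, 0x00040010, 0x010E10CC),
        (0x0B1AB810, 0x00004450, 0x001A4498),
        (0x0B1AFC84, 0x000D13E0, 0x03D03F96),
        (0x0B281088, 0x00000150, 0x00005FBA),
        (0x0B2811FC, 0x00002070, 0x000985B9),
    ],
}


def layout_gaps(sections):
    """Indexes of sections that do not start right after the previous checksum."""
    gaps = []
    for i in range(1, len(sections)):
        prev_off, prev_size, _ = sections[i - 1]
        expected = prev_off + HEADER_LEN + prev_size + CHECKSUM_LEN
        if sections[i][0] != expected:
            gaps.append(i)
    return gaps


def unaligned_sizes(sections, block=16):
    """Indexes of sections whose encrypted size is not a multiple of `block`."""
    return [i for i, (_, size, _) in enumerate(sections) if size % block]


def exceeds_byte_sum(sections):
    """Indexes whose checksum is too large to be a non-wrapping sum of bytes."""
    return [i for i, (_, size, chk) in enumerate(sections) if chk > 255 * size]


def shared_sections(images, names=None):
    """1-based section numbers with equal (size, checksum) in all chosen images.

    Equal values suggest, but do not prove, identical section contents.
    """
    chosen = [images[n] for n in (names or images)]
    return [num for num, group in enumerate(zip(*chosen), 1)
            if len({(size, chk) for _, size, chk in group}) == 1]


def checksum_deltas(images, number):
    """Sorted pairwise |checksum difference| for one 1-based section number."""
    values = [secs[number - 1][2] for secs in images.values()]
    return sorted(abs(a - b) for a, b in combinations(values, 2))


if __name__ == "__main__":
    for name, secs in IMAGES.items():
        print(name,
              "gaps:", layout_gaps(secs),
              "unaligned:", unaligned_sizes(secs),
              "over byte-sum bound:", exceeds_byte_sum(secs))
    print("identical in all three images:", shared_sections(IMAGES))
    print("section 7 checksum deltas:", checksum_deltas(IMAGES, 7))
```

For the 0x150-byte section, a uniformly random 32-bit value would fall under the byte-sum bound only about once in 50,000 tries, and the three section 7 values differ by 1 or 2, which is what a sum does and a CRC does not. None of this identifies the cipher or the exact checksum algorithm.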
Title: Re: Siglent .ads firmware file format
Post by: janekivi on November 25, 2018, 04:09:54 pm
Exactly, siglent checksum or crc like I name checksum for some reason.
Like in "ads" calculations, the value depends on the data size.

For me the second header line looks like this:
RELSVR8_0  -  release version 8.0
RELSVR8_4  -  release version 8.4
Title: Re: Siglent .ads firmware file format
Post by: tv84 on November 25, 2018, 06:48:27 pm
Exactly, siglent checksum or crc like I name checksum for some reason.
Like in "ads" calculations, the value depends on the data size.

For me the second header line looks like this:
RELSVR8_0  -  release version 8.0
RELSVR8_4  -  release version 8.4

Nice conclusion about "relsvr". But the rest is encrypted Chinese.

Without a memdump, I think I can't go any further...  Unless your notepad/calculator produce some magic!
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 06, 2018, 04:31:49 am
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.

tv84,

I have been lurking for a few days and am impressed by your contributions.   I have ordered an SDS 1204x-e, but have not taken delivery of it as yet.  I gather that when one "Installs" one of these ads files, it runs some script as root to do magic to the scope.   Two questions:  First, I cannot find where you have conveyed what these scripts specifically do.  Would you state what it is they do?  Second:  Have you automated the process of creating an ads file?

As many here may be aware, this instrument has been recently reported to have security issues by online security forums.  The crux of the issue being a static root password for which the hash has been found.  This thread, of course has promoted a hack by which the password is changed to a rather publicly known password.   Ideally, it would be nice to provide a means for users to conveniently change the default root password for their own instrument.

Also, it seems there are SCPI commands to permit the execution of command line commands.  I have seen an indication these may run as root.  Has anyone tried using this mechanism to send something along the lines of:

bash -c "echo -e 'my_password\nmy_password'" | passwd

??
I would not expect this to survive a reboot, but it might allow one to log in via telnet as root on the standard port until said reboot.
Title: Re: Siglent .ads firmware file format
Post by: tautech on December 06, 2018, 04:43:54 am
I have ordered an SDS 1204x-e,..............

As many here may be aware, this instrument has been recently reported to have security issues by online security forums. 
Correction if I may, those issues are unconfirmed for SDS1004X-E models. Only SDS1202X-E are implicated as having WLAN security issues.....which may or may not affect all manner of test equipment and brands.
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 06, 2018, 05:13:43 am
As I said, I've not my instrument yet, but...

Does the instrument not open a Telnet port?  Does it not ask for a root password when attempting to log in via telnet?  Is there not a hashed entry in /etc/passwd for which there is a password that is not well known?  Does replacing that hash with that for a known password not permit one to log in using that well known password?  If these are yes, this instrument is vulnerable.

Note that I am asking these questions as it is my intent to root this instrument; but I am trying to determine which tack I want to take.  I might add that I choose to do this purely for intellectual curiosity.  I do fully intend to buy appropriate licence keys when and if I choose to add options.
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on December 06, 2018, 09:49:47 am
As I said, I've not my instrument yet, but...

Does the instrument not open a Telnet port?  Does it not ask for a root password when attempting to log in via telnet?  Is there not a hashed entry in /etc/passwd for which there is a password that is not well known?  Does replacing that hash with that for a known password not permit one to log in using that well known password?  If these are yes, this instrument is vulnerable.

Note that I am asking these questions as it is my intent to root this instrument; but I am trying to determine which tack I want to take.  I might add that I choose to do this purely for intellectual curiosity.  I do fully intend to buy appropriate licence keys when and if I choose to add options.

There is normal telnet port 23 open.
For access to system you need know user and password.
You can try bruteforce these using telnet connection and lose your rest limited life time or scope limited life time. Which one is first reached.  But if you are lucky of course randomly it may open this worm can tomorrow... who knows.
But there is other way... I will recommend you now take some time for carefully read this forum and you soon hit how all works (tip, first you need change other OSV in scope (and after then "close door" changing original genuine OSV with unknown usr/pw back to scope) = "RTFM" (what is scattered around inside the forum.)

There is also other ports open for use SCPI commands.
https://www.siglentamerica.com/application-note/verification-lan-connection-using-telnet/ (https://www.siglentamerica.com/application-note/verification-lan-connection-using-telnet/)

Also of course for web server.

Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 06, 2018, 10:43:31 am
Two questions:  First, I cannot find where you have conveyed what these scripts specifically do.  Would you state what it is they do?  Second:  Have you automated the process of creating an ads file?

1. These X-E specific .ADS have an update.sh script that is run to accomplish the installation.
2. You could say semi-automated.

The best way to protect the equipment is to leave it outside the internet. Of course if you have a rogue colleague in the lab...

You cannot change the pwd since the FS is RO. To change the pwd you need to patch the FS and flash it again. That's what janekivi usually creates for forum members.

All your other indications seem correct and have been used/implemented...

PS: As rf-loop says, for someone who reads carefully, the info is already in the forum.
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 06, 2018, 03:17:53 pm
TV84,

I am not overly concerned about security for my instrument.  It will be on my private LAN on a guest subnet jail that I use for my IoT devices.  I have read the threads with interest, and I agree that there is probably enough information here to create an ads file myself.  What is not clear is what those scripts do.  On the surface, they open a new port at 10101 (IIRC) that does not require a password.  Is that what they do?  Is that a transient port that goes away at the next reboot? or is it persistent?  Unfortunately, there is no easy way to audit those files so I would have to trust you as to what they do.

If they open a port with a root session, and it is transient, that would be my preferred method to root the instrument, rather than uploading the OS image with a modified /etc/shadow.
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 06, 2018, 03:30:48 pm
There is normal telnet port 23 open.
For access to system you need know user and password.
You can try bruteforce these using telnet connection and lose your rest limited life time or scope limited life time. Which one is first reached.  But if you are lucky of course randomly it may open this worm can tomorrow... who knows.
All true and fully understood. 
Quote
But there is other way... I will recommend you now take some time for carefully read this forum and you soon hit how all works (tip, first you need change other OSV in scope (and after then "close door" changing original genuine OSV with unknown usr/pw back to scope) = "RTFM" (what is scattered around inside the forum.)
And, I have read the fine manual -- fully -- and I do understand it.  But, if one uploads an OS with a modified /etc/shadow file, then I do know the password -- and so do a lot of other people.  Granted,  a lot of other people who have no access to my instrument.  I would prefer to find a transient solution that leaves the instrument with official firmware that vanishes with the next reboot.  That seems to be what tv84 had been suggesting.
Quote
There is also other ports open for use SCPI commands.
https://www.siglentamerica.com/application-note/verification-lan-connection-using-telnet/ (https://www.siglentamerica.com/application-note/verification-lan-connection-using-telnet/)
Which is another vector I would consider. It sounds like the SCPI which permits one to execute shell command lines does so as root.  That should provide the necessary privilege escalation to punch a temporary hole. 
Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 06, 2018, 03:42:32 pm
I am not overly concerned about security for my instrument. 
...
so I would have to trust you as to what they do.

Contradiction? You are not obliged to trust me. You must weigh the pros and cons of what the script allegedly allows you to do - open a transient port with root access, versus not being able to audit the script and continue without access.

Of course, I'm not a TPM so you decide who/what to trust.

If you don't feel comfortable, put it aside and move on.
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 06, 2018, 03:43:39 pm
You cannot change the pwd since the FS is RO. To change the pwd you need to patch the FS and flash it again. That's what janekivi usually creates for forum members.
I understand that the cramfs is read only and is stored in flash.  Often in systems like this, the file system is shadowed in RAM allowing files to be created and changed in RAM; these files exist in their modified state until the instrument starts the next time and the cramfs is once again copied from non-volatile memory to RAM.  Note that I am not asserting that this is how it is implemented, but it is how I might have expected to be implemented.  If my expectation is correct (could be a long shot :) ), then it would be possible to change the root password for the duration of the session; reverting to stock after the next restart.

As some background, I am one who does not tend to follow step-by-step instructions where the goal is to merely install as a means to an end.  My goal (and motivation) is to fully understand each step in the process and to consider the best solution.   "Best" is defined by me and is subject to change as I learn; it can be swayed by good arguments too ;) 
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 06, 2018, 03:55:52 pm

Contradiction? You are not obliged to trust me. You must weigh the pros and cons of what the script allegedly allows you to do
Absolutely a contradiction.  Anyone who runs a random script from the Internet without considering and mitigating the risks is a fool.  I fully appreciate, and admire your efforts and have absolutely no reason to not trust you or your contributions.  OTOH, well, it is the Internet.
Quote
open a transient port with root access, versus not being able to audit the script and continue without access.
That really is not the choice.   It does answer my question though, thanks. It was unclear whether this was a transient port, or whether the ads script installed something permanent.  Correct me if I am wrong, but these scripts instantiate a port at 10101 that stays open until the next restart, and that after restart, the instrument has stock firmware, unchanged by the script.

Quote
Of course, I'm not a TPM so you decide who/what to trust.

If you don't feel comfortable, put it aside and move on.
I am feeling out my comfort level.  And I do trust you.  But I do intend to understand what will happen to my instrument.  At this point, I believe yours to be the "Best" solution in that it seems to not do anything permanent.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 06, 2018, 04:19:48 pm
Correct me if I am wrong, but these scripts instantiate a port at 10101 that stays open until the next restart, and that after restart, the instrument has stock firmware, unchanged by the script.

I could answer yes but, since I'm not a TPM, you would have to trust me... Do you?
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 06, 2018, 04:40:59 pm
I could answer yes but, since I'm not a TPM, you would have to trust me... Do you?

Nothing personal, but not fully.   But enough to try your scripts, especially if they make no permanent changes.

Did I miss something that I should have read?  That collection of ADS scripts that open port 10101 kind of popped up out of nowhere -- and seem like a good approach.  But I really could not discern that they make no permanent changes.   Have I been asking a question that has been asked and answered about whether these scripts make any stored changes?
Title: Re: Siglent .ads firmware file format
Post by: vt100 on December 07, 2018, 01:25:48 am

Nothing personal, but not fully.   But enough to try your scripts, especially if they make no permanent changes.

He's a huge international criminal wanted by the FBI and Interpol. Trust me, you're reading it here on the internet, so, it must be true, right? :)


Since you can always flash the original firmware back on your scope, what are you worried about? Even if he was a notorious ransomware bitcoin criminal, what's the worst that happens? you flash your old firmware back on the box and you're none the worse for wear.

sheesh.
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 07, 2018, 04:21:13 am
He's a huge international criminal wanted by the FBI and Interpol. Trust me, you're reading it here on the internet, so, it must be true, right? :)
I trust no code downloaded from the internet -- unless things are signed with gpg keys and there is a chain of trust from me to the person who posted the code, or if it is on a site with a trusted certificate of an organization I consider reputable.  Lacking those,  I want to at least be able to read the source code.

And, in no way is this intended to besmirch anyone -- especially not as a new member of a forum -- and certainly not trying to insult a respected member of the said forum.

Quote
Since you can always flash the original firmware back on your scope, what are you worried about?
To be honest, I had not even considered rolling back.   Good point.
Quote
Even if he was a notorious ransomware bitcoin criminal, what's the worst that happens? you flash your old firmware back on the box and you're none the worse for wear.
Really?   It seems a motivation to perform this seems to be to enable features in the scope that were not enabled out of the box -- including features that cannot be enabled through the licence mechanism of the scope GUI.  Clearly these persist after rolling back to the old firmware.  For example, all 4 channel scopes use the same OS image, regardless of whether they are 100 or 200 MHz instruments.   Loading the modified version, or rolling it back does not impact whether it is a 100 or 200 MHz instrument -- there are other steps that need be done that do persist.   Same is true for the installed licences.   

If something were to corrupt things in this persistent  storage, for whatever reason, rolling back the OS will not fix things.  What else is in that storage?  Calibration factors? Serial numbers? FPGA Firmware?

Quote
sheesh.


Edit:
But, I probably will use the ADS files that they had published.  I think the risk is low to modest; certainly if I accept the assertion that these scripts do nothing but open a root port on 10101 that is transient.
Title: Re: Siglent .ads firmware file format
Post by: vtwin@cox.net on December 07, 2018, 01:52:20 pm
A healthy amount of skepticism is always warranted on a public forum. I would be more concerned if I were dealing with someone without a track record of engaging in very technical discussions and assisting people in the forum.  tv84's bona fides are well established here, he's been a huge help to me (both publicly and privately) and I've never had a concern or encountered an issue running anything he's provided.
Title: Re: Siglent .ads firmware file format
Post by: BillB on December 07, 2018, 03:30:31 pm
From what I hear, tv84 leaves the toilet seat up, and drinks directly out of the milk carton, too!  >:(

Seriously, I've executed most of what he's generated on my equipment and so far nothing nefarious, yet.  ^-^ 
Title: Re: Siglent .ads firmware file format
Post by: SMB784 on December 07, 2018, 03:48:54 pm
tv84 and Janekivi are literal wizards.

I'm just a physicist, but I trust them.
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 07, 2018, 04:34:06 pm
tv84 and Janekivi are literal wizards.
No doubt about it.   
Quote
I'm just a physicist, but I trust them.
I have no reason not to either.  I would, however, want to understand what the script does and how it does it before I use it.  I think I know what it does -- and if it does what I think it does, it is brilliant.  When I asked what it does, the answer was "These X-E specific .ADS have an update.sh script that is run to accomplish the installation. ".   That does not tell me what the script is doing, and it does imply that something is being installed.  I pressed further, and got the reply 'I could answer yes but, since I'm not a TPM, you would have to trust me... Do you?'.    Okay, it seems I have a choice; for whatever reason,  I am not going to get the details of what the script does or a clear text version of what goes into an encrypted binary that will be uploaded to the update mechanism of my instrument.  Seems I have a choice to make.

I have to confess, I am a little out of my element here.  I have spent a lot of time amongst the Free (as in Libre) software crowd where code comes with the source and information on how to build and modify it.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on December 07, 2018, 05:09:14 pm
There is a little problem, we were hacking Rigol 1054Z and siglent gear with tv84
and only he knows and can trust me - how little I know and can do.
Others here really think I can make a program which does something...
Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 07, 2018, 05:50:17 pm
There is a little problem, we were hacking Rigol 1054Z and siglent gear with tv84
and only he knows and can trust me - how little I know and can do.
Others here really think I can make a program which does something...

Modesty! Different methods and expertise but, in the end, the same results.

janekivi has some of the best notepad/calculator there are for these analyses!  :clap:
Title: Re: Siglent .ads firmware file format
Post by: ebastler on December 22, 2018, 08:44:28 am
How to open a telnet session in a Siglent when the root password is unknown?
Use the following scripts, according to each equipment.
They provide a root session via port 10101.

I may be a bit slow here... Those "scripts" are firmware files, to be installed via the regular firmware update procedure, right? And the idea is to install them temporarily, open a telnet session to make the required changes to the config file, and then re-update to the official Siglent firmware?
 
Thanks!
Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 22, 2018, 10:15:28 pm
Right. The scripts don't change anything in the equipment's FW!! It's just a runtime modification.

But the user may use them to make definitive changes... at his own responsibility.
Title: Re: Siglent .ads firmware file format
Post by: 2N3055 on December 22, 2018, 11:51:34 pm
I got curious and took memcopy (cp /dev/mem) on my SDG6022X.
I got 175 something MB file.
I can't seem to find strings that look like licenses ( 16 chars. all caps and numbers no dashes)
There is a cluster of 128 bytes that looks like license material, but is lowercase+numbers.
There is no existing 200MHz valid lic in there.
Any more hints what to look for?
Thanks.
Title: Re: Siglent .ads firmware file format
Post by: Rerouter on December 23, 2018, 11:25:41 am
If you can share it via PM, I can have a look.

Equally if you have a copy of the system App, I would be curious to have a dig through what's buried inside.
Title: Re: Siglent .ads firmware file format
Post by: vtwin@cox.net on December 23, 2018, 12:04:33 pm
I got curious and took memcopy (cp /dev/mem) on my SDG6022X.
I got 175 something MB file.
I can't seem to find strings that look like licenses ( 16 chars. all caps and numbers no dashes)
There is a cluster of 128 bytes that looks like license material, but is lowercase+numbers.
There is no existing 200MHz valid lic in there.
Any more hints what to look for?
Thanks.

Should probably move these ancillary posts to a new thread, they've gotten off topic quite a bit, however, that said, a 175MB file sounds kind of odd in terms of memory size... although 176 is a multiple of 4 so I suppose it could be correct... but, that said, my SDG6000 bandwidth license and IQ Function license are both 16-character uppercase values. How did you obtain the memdump?
Title: Re: Siglent .ads firmware file format
Post by: 2N3055 on December 23, 2018, 12:19:34 pm
Should probably move these ancillary posts to a new thread, they've gotten off topic quite a bit, however, that said, a 175MB file sounds kind of odd in terms of memory size... although 176 is a multiple of 4 so I suppose it could be correct... but, that said, my SDG6000 bandwidth license and IQ Function license are both 16-character uppercase values. How did you obtain the memdump?

As I wrote,  "cp /dev/mem" into file on the usb drive.. Beauty of UNIX, everything is a device...
I wasn't exact on filesize, exact filesize is 174080 bytes . 170 MB exactly.
Regards
Title: Re: Siglent .ads firmware file format
Post by: vtwin@cox.net on December 23, 2018, 04:59:52 pm
I wasn't exact on filesize, exact filesize is 174080 bytes . 170 MB exactly.

I wonder where the last 2M is. I would expect 172M or 168M,
Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 23, 2018, 05:18:14 pm
I wasn't exact on filesize, exact filesize is 174080 bytes . 170 MB exactly.

I wonder where the last 2M is. I would expect 172M or 168M,

cp /dev/mem can break anywhere. It depends on the running processes.
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 26, 2018, 07:10:19 pm
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.
tv84,

I did finally get my SDS1204X-E and I did attempt to use telnet_SDG1000X.ADS on it.
Unfortunately, it did not go as I had hoped.  I am using a WiFi link and not the Wired Ethernet.  Running your ADS causes the scope to become lethargic at best, sometimes causing it to hang, requiring that I do a hard power down.  In any event, a Telnet port is not opened at 10101 on the WiFi interface.  The scope does restart just fine.

I am able to get a memory dump using a SHELLCMD from the web interface, but my real plan was to get in to the OS with the intent to explore with the ultimate goal of being able to build a new cramfs that perhaps would support better WiFi.  And maybe SSH.

Is your ADS known to work with WiFi?
Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 26, 2018, 07:20:23 pm
SDS != SDG
Title: Re: Siglent .ads firmware file format
Post by: ewaller on December 26, 2018, 09:00:39 pm
SDS != SDG
*Facepalm*


Edit:  By the way, I did find a way to root the SDS1204X-E without loading custom firmware:
https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2070406/#msg2070406 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2070406/#msg2070406)
Title: Re: Siglent .ads firmware file format
Post by: tinhead on December 28, 2018, 12:37:34 am
In case someone here already has a Siglent SDS2202X-E or SDS2352X-E, I really would love to get a NAND dump or at least the content of the /usr/bin/siglent directory.
Title: Re: Siglent .ads firmware file format
Post by: Rerouter on December 28, 2018, 01:05:41 am
Same here. Based on what I've seen we may be able to do sideways migration of some functions.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on December 28, 2018, 08:26:32 am
Edit:  By the way, I did find a way to root the SDS1204X-E without loading custom firmware:
https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2070406/#msg2070406 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2070406/#msg2070406)

So now you know how my .ADS work, but without SHELLCMD. ;)
Title: Re: Siglent .ads firmware file format
Post by: hamtarociaooo on January 03, 2019, 11:46:39 am
Hello guys, I'm not an expert on Unix shells but I don't panic when I see one. Can anybody tell me if the steps in this thread can apply even on the SVA1015X? If I'm not wrong, it is about editing the memory (the 179mb dump?) and getting it back on the instrument, am I right?
Title: Re: Siglent .ads firmware file format
Post by: tv84 on January 03, 2019, 12:02:14 pm
Hello guys, I'm not an expert on Unix shells but I don't panic when I see one. Can anybody tell me if the steps in this thread can apply even on the SVA1015X? If I'm not wrong, it is about editing the memory (the 179mb dump?) and getting it back on the instrument, am I right?

It won't do any harm! :)

No mem edit, just processing.
Title: Re: Siglent .ads firmware file format
Post by: hamtarociaooo on January 03, 2019, 12:03:55 pm
Thank you for your quick answer, can you give me some additional hints? I'm still waiting for the instrument so I can't try anything now.
Title: Re: Siglent .ads firmware file format
Post by: Algu607 on January 10, 2019, 03:41:13 pm
I have a SDS2202X-E. Tell me how to make a memory dump and I will post it here.
Title: Re: Siglent .ads firmware file format
Post by: vtwin@cox.net on January 10, 2019, 06:04:29 pm
I have a SDS2202X-E. Tell me how to make a memory dump and I will post it here.

If it operates the same as the other X-E equipment, mounting a USB disk and using the SCPI command

SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

might do it?
Title: Re: Siglent .ads firmware file format
Post by: lazarusr on January 12, 2019, 08:25:17 pm
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.
You, sir, are a genius. Many thanks
Title: Re: Siglent .ads firmware file format
Post by: gorillamotors on February 18, 2019, 07:22:09 pm
Does anyone have a copy of janekivi's zipped file  SDG6000X_eevblog_29R10.zip that they can send me?

Jim
Title: Re: Siglent .ads firmware file format
Post by: gorillamotors on February 18, 2019, 07:34:29 pm
Does anyone have a copy of janekivi's zipped file  SDG6000X_eevblog_29R10.zip that they can send me?

Jim

Do you have a share area?
I just signed up to this forum about 4 or 5 days ago. How do I set up shared area?

Jim
Title: Re: Siglent .ads firmware file format
Post by: gorillamotors on February 19, 2019, 01:59:46 am
Does anyone have a copy of janekivi's zipped file  SDG6000X_eevblog_29R10.zip that they can send me?

Jim

Do you have a share area?

I just signed up to this forum about 4 or 5 days ago. How do I set up shared area?

Jim

Did you receive it?


Yes but part 2 was corrupted and would not open. Also, is all this done in Linux or can it be done in Windows?

Jim
Title: Re: Siglent .ads firmware file format
Post by: gorillamotors on February 19, 2019, 02:03:11 am
How can I open up ads files to look at the firmware? I just noticed on reply #46 that there is a siglent ads editor. Where can I download this?

Jim
Title: Re: Siglent .ads firmware file format
Post by: gorillamotors on February 19, 2019, 02:49:55 pm
Did you put both files in the same directory before extraction?

The .ADS require special tool to extract. There is no editor publicly available. What exists is a viewer/limited extraction tool. It doesn't reassemble.
This is the error message I get. That's OK as I got in contact with janekivi and he sent me the file. Thanks for trying. The ADS file was intact but the instructions were not.

I figured that was a special disassembler that janekivi wrote.

Jim
Title: Re: Siglent .ads firmware file format
Post by: ebastler on February 19, 2019, 02:55:39 pm
This is the error message I get. ... The ADS file was intact but the instructions were not.

To say it with Jimi Hendrix: "Are you experienced?"  ;)
I wonder what you expect to find in the firmware, and what you expect to do with it?
Title: Re: Siglent .ads firmware file format
Post by: n3mmr on February 28, 2019, 02:04:43 pm
I can make the same trick here like when I was uploading LeCroy in to SDG1025
but who can try this and there may be the same check routine and instrument
will say "Not supported firmware, please reflash correct. Otherwise I will wait 15 min".
This is stupid, it will wait that time anyway before you can access flash menu...

So... do not be the first who is using this firmware file on SPD3303X-E
but this first hack may be needed to be tried out by someone.

SPD3303X-V100R001B01D02P03_with _E_header.zip
OK, I give this only individually after request. I can't test it.

A year ago nobody volunteered to confirm Janekivi's work so I resuscitated the challenge and was successful!   :popcorn:

Attached is the proof of a Siglent SPD3303X-E conversion to a SPD3303X model.

The method is simple:

1. Run the SCPI command in the X-E to enable the 1mV step:

FACTORY ON

2. Using EasyPower flash the required FW file from the attached ZIP. (ConvertFromX-E)

(3. If you want to rollback, flash the other file.)

The FWs are Siglent official versions with Prod_ID's swapped like janekivi suggested.

The HW version of the board where the test was done is 0.3.

ATTENTION: This may involve a certain risk so do it at your own responsibility!

Enjoy!

Did this to my 3303x-e, and it sort-of works.

Factory on; upgrade via the easypower normal i/f.

Then I get the extra digit of precision, however accuracy is worse than ±1mV.
And balance in serial mode is about 2 mV at best.

Can one calibrate and equalize a 3303X at home?

Or is this good enough as it is?   :-DD
Title: Re: Siglent .ads firmware file format
Post by: tautech on February 28, 2019, 07:29:54 pm
Can one calibrate and equalize a 3303X at home?
Check the Cal cert for the equipment used, but in short probably not.

A recent thread you might like to study:
https://www.eevblog.com/forum/testgear/how-to-calibrate-siglent-spd1000x-spd3303x-spd3303x-e-series-power-supplies/ (https://www.eevblog.com/forum/testgear/how-to-calibrate-siglent-spd1000x-spd3303x-spd3303x-e-series-power-supplies/)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on February 28, 2019, 08:56:09 pm
janekivi,

Just released is a FW for SDS5000X, you might like to have a look into it.

V0.8.0R1B5 http://old.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SDS5000X_0.8.0R1B5_EN.zip (http://old.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SDS5000X_0.8.0R1B5_EN.zip)

Looks like a new .ADS format. (Maybe just small differences...)

Product_ID: 14000
Title: Re: Siglent .ads firmware file format
Post by: janekivi on March 01, 2019, 06:14:32 pm
Somehow this is like zip is starting with Central directory file header.
https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html
And I see additional FF XOR regions and patterns. Like from here is starting
one and after XOR it is normal directory.

Code: [Select]
00000B80 | 00 00 00 00 00 00 00 00 E4 81 D9 DC 54 02 69 6D |         äŁÜT im
00000B90 | 67 5F 73 69 6D 70 2F 69 6D 61 67 65 32 31 36 D1 | g_simp/image216Ń
00000BA0 | 8F 91 98 AA AB FA FF FC BE 5C B0 A3 8A 87 F4 FF | ¸‘˜Ŗ«ś˙ü¾\°£Š‡ō˙
00000BB0 | FE FB 12 FC FF FF FB 12 FC FF FF AF B4 FE FD E1 | žū ü˙˙ū ü˙˙Æ´žżį
00000BC0 | FC EB FF FF FF F7 FF AF B9 C2 B1 FF E5 83 EE 93 | üė˙˙˙÷˙ƹĀ±˙åƒī“
00000BD0 | F0 FF FF 9D ED FF FF EA FF E7 FF FF FF FF FF FF | š˙˙¯ķ˙˙ź˙ē˙˙˙˙˙˙
00000BE0 | FF FF FF 1B 7E B7 05 AB FD 96 92 98 A0 8C 96 92 | ˙˙˙ ~· «ż–’˜ Œ–’
00000BF0 | 8F D0 96 92 9E 98 9A CE CB C6 D1 8F 91 98 AA AB | ¸Š–’˛˜šĪĖĘѸ‘˜Ŗ«


Code: [Select]
00000B80 | 00 00 00 00 00 00 00 00 E4 81 D9 DC 54 02 69 6D |         äŁÜT im
00000B90 | 67 5F 73 69 6D 70 2F 69 6D 61 67 65 32 31 36 2E | g_simp/image216.
00000BA0 | 70 6E 67 55 54 05 00 03 41 A3 4F 5C 75 78 0B 00 | pngUT   A£O\ux 
00000BB0 | 01 04 ED 03 00 00 04 ED 03 00 00 50 4B 01 02 1E |   ķ    ķ   PK   
00000BC0 | 03 14 00 00 00 08 00 50 46 3D 4E 00 1A 7C 11 6C |        PF=N  | l
00000BD0 | 0F 00 00 62 12 00 00 15 00 18 00 00 00 00 00 00 |    b           
00000BE0 | 00 00 00 E4 81 48 FA 54 02 69 6D 67 5F 73 69 6D |    äHśT img_sim
00000BF0 | 70 2F 69 6D 61 67 65 31 34 39 2E 70 6E 67 55 54 | p/image149.pngUT
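
Added example, not part of janekivi's post: a Python sketch that searches a buffer for ZIP record signatures both as-is and complemented (XOR FF), using the 128 bytes of the first dump above as input, then inverts from the hit onward and parses the central directory header that appears. The function names are mine, and inverting all the way to the end of the buffer is an assumption that happens to hold for this excerpt.

```python
import struct

# Bytes 0x0B80-0x0BFF transcribed from the first (still obfuscated) dump above.
DUMP_BASE = 0x0B80
OBFUSCATED = bytes.fromhex(
    "00 00 00 00 00 00 00 00 E4 81 D9 DC 54 02 69 6D"
    "67 5F 73 69 6D 70 2F 69 6D 61 67 65 32 31 36 D1"
    "8F 91 98 AA AB FA FF FC BE 5C B0 A3 8A 87 F4 FF"
    "FE FB 12 FC FF FF FB 12 FC FF FF AF B4 FE FD E1"
    "FC EB FF FF FF F7 FF AF B9 C2 B1 FF E5 83 EE 93"
    "F0 FF FF 9D ED FF FF EA FF E7 FF FF FF FF FF FF"
    "FF FF FF 1B 7E B7 05 AB FD 96 92 98 A0 8C 96 92"
    "8F D0 96 92 9E 98 9A CE CB C6 D1 8F 91 98 AA AB"
)

SIGNATURES = {
    b"PK\x03\x04": "local file header",
    b"PK\x01\x02": "central directory header",
    b"PK\x05\x06": "end of central directory",
}

# 46-byte fixed part of a ZIP central directory file header (little-endian).
CDH = struct.Struct("<4sHHHHHHIIIHHHHHII")


def invert(data):
    """XOR every byte with 0xFF."""
    return bytes(b ^ 0xFF for b in data)


def scan_signatures(buf):
    """Return sorted (offset, record type, inverted?) for every ZIP signature,
    whether it appears in clear or complemented form."""
    hits = []
    for sig, kind in SIGNATURES.items():
        for needle, inverted in ((sig, False), (invert(sig), True)):
            pos = buf.find(needle)
            while pos != -1:
                hits.append((pos, kind, inverted))
                pos = buf.find(needle, pos + 1)
    return sorted(hits)


def parse_central_header(rec):
    """Parse one central directory header; None if too short or wrong magic."""
    if len(rec) < CDH.size:
        return None
    (sig, _made, _need, _flags, method, _time, date, crc, csize, usize,
     nlen, _elen, _clen, _disk, _iattr, _eattr, lho) = CDH.unpack_from(rec)
    if sig != b"PK\x01\x02":
        return None
    name = rec[CDH.size:CDH.size + nlen]
    return {
        "name": name.decode("cp437", "replace"),
        "name_truncated": len(name) < nlen,   # excerpt may end mid-name
        "method": method,                     # 8 = deflate
        "date": ((date >> 9) + 1980, (date >> 5) & 0x0F, date & 0x1F),
        "crc32": crc,
        "compressed_size": csize,
        "size": usize,
        "local_header_offset": lho,
    }


def decode_inverted_entries(buf, base=0):
    """Parse every central directory header found, undoing XOR FF where the
    signature was complemented. Assumes the inverted run covers the record."""
    entries = []
    for off, kind, inverted in scan_signatures(buf):
        if kind != "central directory header":
            continue
        rec = invert(buf[off:]) if inverted else buf[off:]
        entry = parse_central_header(rec)
        if entry is not None:
            entry["offset"] = base + off
            entry["was_inverted"] = inverted
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in decode_inverted_entries(OBFUSCATED, DUMP_BASE):
        print(hex(e["offset"]), e["name"], e["date"], hex(e["local_header_offset"]))
```

The same scan run over a whole partially decoded image gives a quick map of which stretches are still complemented, because every ZIP record boundary shows up in one form or the other.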

Title: Re: Siglent .ads firmware file format
Post by: janekivi on March 01, 2019, 07:24:35 pm
But not that simple. I see between them extra previously known pattern too.


00001720 | 12 FC FF FF FB 12 FC FF FF AF B4 FA F9 FF FF FF |  ü˙˙ū ü˙˙Æ´śł˙˙˙
00001730 | FF 9A FC 9A FC 65 C6 FE FF 70 7A 9C FD FF FF B4 | ˙šüšüeĘž˙pzœż˙˙´
00001740 | E9 25 FD 69 6D 98 5F 73 69 92 70 2F 69 6D 9E 67 | é%żim˙_si’p/im˛g
00001750 | 65 32 38 30 D1 70 6E 67 55 54 05 FF 03 28 A3 4F | e280ŃpngUT ˙ (£O
00001760 | 5C 75 78 F4 00 01 04 ED 03 00 00 FB 12 03 00 00 | \uxō   ķ   ū   
and so on

Parts are 0x1400, but this last (what is at the beginning now) is shorter leftover (file end?).
Seems like more kind of reversed...
Title: Re: Siglent .ads firmware file format
Post by: tv84 on March 01, 2019, 07:34:45 pm
Yes, the first one is not 0x1400. And remember you have the incrementing pattern also.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on March 02, 2019, 11:17:36 pm
Thanks for that!
So far I found more of them after the one I show there with red...
Title: Re: Siglent .ads firmware file format
Post by: janekivi on March 03, 2019, 09:53:49 am
Previous format was toooo simple and this equipment has bit more powerful
cpu to read complicated update files. So they totally shred the file at this time.
So far I found five ascending FF patterns. One starts from beginning but doesn't
affect those first two shorter parts. XOR FF is switched on at 0x1400 parts.
First was the every second 0x1400 is fully XOR-ed with FF (first pair was shorter)
and other from the pairs has rising XOR FF pattern from beginning.
Then I jumped bit forward and found XOR FF pattern which is starting at some
point and starts his steps from 100 bytes and counting up by 1. I don't know other
parameters yet. And one XOR FF is stepping forward by 4 bytes, like 262-266-270-...
I see there at least one crypted part.
So, there are (too)many XOR FF patterns and crypted regions.

I was talking about this zip file what you get after opening ads with usual way-
decrypt, reverse, XOR FF. All this process is done after that with output ZIP file.
So there is not possible simply extract something. Just scrolling down with Notepad
after some of pattern elimination I found this intact PNG image.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on March 03, 2019, 12:02:03 pm
Afterwards we know...
Packed data part of that png file is unpacking with 7zip without errors.
I need to use .ZIP to upload it here.
We need to get data straight and app out.
Title: Re: Siglent .ads firmware file format
Post by: tinhead on March 03, 2019, 02:54:03 pm
Did any of you guys already get the app and bitstream from SDS2000X-E? I wish I could get it as well ...
Title: Re: Siglent .ads firmware file format
Post by: tv84 on March 03, 2019, 03:21:02 pm
Did any of you guys already get the app and bitstream from SDS2000X-E? I wish I could get it as well ...

Nope. When you get it, tell us.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on March 03, 2019, 04:38:46 pm
Name of the app: sds2000hsr
That file we don't extract in the near future...
Title: Re: Siglent .ads firmware file format
Post by: tv84 on March 04, 2019, 08:06:07 pm
After all, it was no rocket science...

Name of the app: sds2000hsr

Attached is the list of the ZIP contents  (.GEL)
Title: Re: Siglent .ads firmware file format
Post by: janekivi on March 04, 2019, 09:53:50 pm
Ok, that was quick.
They have shuffled those XOR-ed and pattern parts there.
I was starting from wrong address and then missed right
addresses creating more wrong of them by myself.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on March 05, 2019, 12:53:47 pm
Regarding the checksum, all bets are on!

Code: [Select]
File Header Size: 00000070
00000000 - File Checksum: 001C9FBC [00000004-0264BFAE] (with only the File Header decrypted)  CKSM NOT OK
00000004 - File Size: 0264BF3F (without 0x70 bytes of the File Header)
0000000C - Product_ID: 14000
00000026 - Vendor/Brand: 0.8.0R1B5
0000003A - USB Host Controller: SIGLENT
00000048 - Version: 0.8.0R1B5
****************************************************
Title: Re: Siglent .ads firmware file format
Post by: janekivi on March 05, 2019, 08:24:55 pm
Header checksum is calculated differently.
Previous one depends from data length. Short data has bigger checksum
and larger data has smaller. Like 277 byte text file has FF FF B9 BA and
40 Mb file CE C2 02 7B, 50 Mb 77 1D AD 8B...
So, to get 00 1C 9F BC ?
Title: Re: Siglent .ads firmware file format
Post by: n3mmr on March 06, 2019, 04:45:01 pm
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip (http://s000.tinyupload.com/index.php?file_id=03539117620391626698)

That file was on some free server, and is gone.

Is the same file available elsewhere???

Or is there a substitute that might be better to use??
Title: Re: Siglent .ads firmware file format
Post by: ebastler on April 13, 2019, 04:58:09 pm
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.
They provide a root session via port 10101.

Sorry to come back to this old post. (And thank you for posting, tv84!) I am obviously too stupid for this...

I copied the SDG2000X.ADS from the above post to a USB stick, inserted into my SDG2042X, activated the LAN interface and DHCP.  But:

Where did I get this wrong?
Thanks for your help!


EDIT:

Duh, figured it out... The .ADS file is not loaded automatically upon insertion of the USB stick, or upon booting the SDG with an inserted stick. One has to explicitly trigger a "firmware update" via the system menu. The SDG will state that the update failed, but subsequently it does have port 10101 enabled. No credentials required for a telnet session on that port.

I fooled myself by believing that the "SDG project" headline had appeared only after I inserted the USB stick, but apparently that's bog standard...  I'll keep my post here anyway, in case someone else falls into the same trap and starts Googling for help...
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 13, 2019, 06:46:28 pm
Duh, figured it out... The .ADS file is not loaded automatically upon insertion of the USB stick, or upon booting the SDG with an inserted stick. One has to explicitly trigger a "firmware update" via the system menu. The SDG will state that the update failed, but subsequently it does have port 10101 enabled. No credentials required for a telnet session on that port.

 :) How did you figure it out?  (That is the most educational part that you can leave here... )

Title: Re: Siglent .ads firmware file format
Post by: ebastler on April 13, 2019, 06:54:48 pm
:) How did you figure it out?  (That is the most educational part that you can leave here... )

I started to doubt my recollection that the "Siglent SDG project" headline had only shown up after I had inserted the USB stick. (I had tried a "plain" Telnet session before, but had not taken screenshots or notes.) So I doubted whether I could really be sure that your modification was actually activated.

And then, shame on me, I actually read the manual (on how to perform a firmware upgrade)...  ;)
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on April 16, 2019, 04:55:42 am
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip (http://s000.tinyupload.com/index.php?file_id=03539117620391626698)

That file was on some free server, and is gone.

Is the same file available elsewhere???

Or is there a substitute that might be better to use??

Perhaps here. (https://app.box.com/s/j5lcyyhvfd6juysbsv7a61y717sp75ux)
Title: Re: Siglent .ads firmware file format
Post by: ShaneEEV on April 27, 2019, 12:51:55 am
I have been attempting to gain login access to my new SDG2041X ARB waveform generator for a couple of days.

I have succeeded with:

1) Downgrading firmware to 23R3
2) Installing the telnet code
3) The telnet banner says "
===============================================
|SIGLENT SDG project                   
==============================================="

I have not succeeded in logging in to the SDG, however.

I have tried every combination of root and the login password I can think of, including the one shown above the "root / #######" entry, above.

I have read the admonishments to cut 'n paste the login and <password> and have tried that, as well, to no avail.  :scared:  :phew:  :-//

I'm usually not this clueless (just a few days ago, I updated my new SDS1004X-S to full glory, so I can follow well-stated directions).
I realize you don't want to make this too easy, but I evidently haven't stumbled on the "secret sauce" on my own.

Any help is greatly appreciated (perhaps someone could PM me with the obvious?).

Thank you, in advance!

Shane
Title: Re: Siglent .ads firmware file format
Post by: ShaneEEV on April 27, 2019, 02:17:53 am
O.K. - Got it figured out

1) Insert USB Stick into front panel USB socket
2) Put SDG into System / Info / Upgrade
3) Select telnet file for SDG2042X and UPDATE
4) LEAVE POWER ON SDG
5) On remote computer console, type: telnet <SDG IP address> <SPACE> 10101 <RETURN>
6) On remote computer console, type: mount -o remount,rw ubi2_0 <SPACE> /usr/bin/siglent/firmdata0
7) On remote computer console, type: cp /usr/bin/siglent/firmdata0/NSP_system_info.xml /usr/bin/siglent/firmdata0/NSP_system_info.xml.orig
8) On remote computer console, type: vi /usr/bin/siglent/firmdata0/NSP_system_info.xml
9) On remote computer console, move down to the line that starts with <license> and press 'i' for INSERT and right arrow over to just after </license> and press the delete button until the line only has </system_information>
10) On remote computer console, press the ESC key, then type: :wq <RETURN>
11) On remote computer console, type: sync
12) on SDG: remove USB stick
13) on SDG: turn power OFF

When you power back on, the status menu indicates the model number is now SDG2122X. You should see your serial number there, as well.

Thank you to JDubU and CustomEngineerer for your kind corrections!

Title: Re: Siglent .ads firmware file format
Post by: JDubU on April 27, 2019, 02:45:42 am
Read this post by CustomEngineerer:

https://www.eevblog.com/forum/testgear/the-siglent-sdg2042x-thread/msg965243/#msg965243 (https://www.eevblog.com/forum/testgear/the-siglent-sdg2042x-thread/msg965243/#msg965243)
Title: Re: Siglent .ads firmware file format
Post by: CustomEngineerer on April 27, 2019, 02:49:33 am
9) On remote computer console, press the down arrow until the cursor in the vi window is on the line that starts with <license><bandwidth...  and press dd (that means press 'd' twice) You will see the line has disappeared.
(the serial number has been replaced with "1234567890", however.
Perhaps someone else knows how to replace the serial number?

If you want to keep your serial number, don't delete the whole line like it says in step 9. Just delete the <license>...</license> tags (and everything between). The </system_information> closing tag at the end of the line needs to be left as the only thing on that line when you are done.
Title: Re: Siglent .ads firmware file format
Post by: CustomEngineerer on April 27, 2019, 02:50:40 am
Thanks JDubU. Was looking for that post but couldn't find it.
Title: Re: Siglent .ads firmware file format
Post by: ShaneEEV on April 27, 2019, 03:53:00 am
Thanks to JDubU and CustomEngineerer!

I'll get into my SDG and make that change.

Cheers!
Shane

O.K. - I took the SN info out of the .orig file and inserted it over the 0123456789 in the <chip> <\chip> area and all is well. firmware back to 23R8 and all is right with the world!

Thanks again, JDubU and CustomEngineerer!
Title: Re: Siglent .ads firmware file format
Post by: rf-loop on April 27, 2019, 08:33:30 am
O.K. - Got it figured out

1) Insert USB Stick into front panel USB socket
2) Put SDG into System / Info / Upgrade
3) Select telnet file for SDG2042X and UPDATE
4) LEAVE POWER ON SDG
5) On remote computer console, type: telnet <SDG IP address> <SPACE> 10101 <RETURN>
6) On remote computer console, type: mount -o remount,rw ubi2_0 <SPACE> /usr/bin/siglent/firmdata0
7) On remote computer console, type: cp /usr/bin/siglent/firmdata0/NSP_system_info.xml /usr/bin/siglent/firmdata0/NSP_system_info.xml.orig
8) On remote computer console, type: vi /usr/bin/siglent/firmdata0/NSP_system_info.xml
ERR: 9) On remote computer console, press the down arrow until the cursor in the vi window is on the line that starts with <license><bandwidth...  and press dd (that means press 'd' twice) You will see the line has disappeared.
10) On remote computer console, type: :wq <RETURN>
11) On remote computer console, type: sync
12) on SDG: remove USB stick
13) on SDG: turn power OFF

When you power back on, the status menu indicates the model number is now SDG2122X. (the serial number has been replaced with "1234567890", however.

Perhaps someone else knows how to replace the serial number?

Of course it does this; look at what you have deleted using vi, walking like an elephant in a porcelain store.

As explained by @CustomEngineerer
Please repair this erroneous red-marked step 9 to avoid confusing noobs who follow things without further thinking and/or with a total lack of knowledge or experience.


With the SDG2000X the basic principles are roughly the same as with the SDG1000X (some differences in details). This is for SDG1000X only (https://app.box.com/s/srj3uev2s9wy78qj8d4jzi0j5ocgkmr9).  (A .zip file that includes all the needed info for the SDG1000X, not only for BW.)

Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 10, 2019, 11:15:48 am
Getting back to the topic...  :)

Here is a C# function that allows the deobfuscation of Siglent SDS5000X .ADS files, so that everyone can extract the .ZIP inside:

(memDump is the raw .ADS file)

Code: [Select]
        // Requires: using System;
        private static void parseADS_SIGLENT_SDS5000X(ref byte[] memDump)
        {
            byte[] buf1 = new byte[memDump.Length - 0x70];   // body without the 0x70-byte file header

            Array.Reverse(memDump);   // reverses the buffer (the header ends up at the tail and is not copied)
            for (int block = 0x2800, i1 = buf1.Length - block, i2 = 0; block > 0; i2 += block, block = Math.Min(0x2800, i1), i1 -= block)  // unshuffling blocks
                Buffer.BlockCopy(memDump, i1, buf1, i2, block);
            for (int iBlock = 0; iBlock < buf1.Length; iBlock += 0x2800)  // XORing with 0xFF (increment. pattern and blocks)...
            {
                // incrementing pattern: offsets 1, 3, 6, 10, ... inside each 0x2800 block
                for (int i1 = iBlock + 1, i2 = 2; i1 < iBlock + 0x2800 && i1 < buf1.Length; i1 += i2, i2++)
                    buf1[i1] ^= 0xFF;
                // second half of each block (0x1400 onward, or the midpoint of a short final block)
                for (int i1 = iBlock + Math.Min(0x1400, (buf1.Length - iBlock + 1) / 2); i1 < iBlock + 0x2800 && i1 < buf1.Length; i1++)
                    buf1[i1] ^= 0xFF;
            }
            memDump = buf1;   // hand the deobfuscated ZIP back through the ref parameter
        }
Title: Re: Siglent .ads firmware file format
Post by: bugi on June 10, 2019, 04:03:44 pm
Here is a C# function ...
Code: [Select]
            for (int iBlock = 0; iBlock < buf1.Length; iBlock += 0x2800)  // XORing with 0xFF (increment. pattern and blocks)...
            {
                for (int i1 = iBlock + 1, i2 = 2; i1 < iBlock + 0x2800 && i1 < buf1.Length; i1 += i2, i2++)
                    buf1[i1] ^= 0xFF;
                for (int i1 = iBlock + Math.Min(0x1400, (buf1.Length - iBlock + 1) / 2); i1 < iBlock + 0x2800 && i1 < buf1.Length; i1++)
                    buf1[i1] ^= 0xFF;
            }
       }
Out of curiosity, I've lately seen that xor with 0xFF in few places, and I have been thinking why not using the operator that does the same without the 2nd parameter (or the only parameter written explicitly when using compound assignment variants), i.e. bitwise complement (~).  That is "buf1[i1] = ~buf1[i1];"  (To me the complement is also "clearer" to read as it doesn't have the "unnecessary" 2nd parameter, but this may very well be a matter of opinion.)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 10, 2019, 04:34:28 pm
Out of curiosity, I've lately seen that xor with 0xFF in few places, and I have been thinking why not using the operator that does the same without the 2nd parameter (or the only parameter written explicitly when using compound assignment variants), i.e. bitwise complement (~).  That is "buf1[i1] = ~buf1[i1];"  (To me the complement is also "clearer" to read as it doesn't have the "unnecessary" 2nd parameter, but this may very well be a matter of opinion.)

Only a question of habit. The compiler should do its magic...
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 04, 2019, 07:39:57 pm
The SDL1000X-E FW has been released.

It has a FW format different from all previous Siglent equipment's FW.

Nonetheless the first 0x70 bytes are the file header with the usual Siglent 3DES encryption:

Code: [Select]
File Header Size: 00000070
00000000 - File Header Checksum: FFFFF9C9 [00000004-0000006F]   CKSM OK
00000004 - File Size: 000DA5F4
0000000C - Product_ID: 700
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763

The rest of the file may be sporadically encrypted or obfuscated but haven't discovered more details...

Janekivi, what's your opinion?

Proc seems to be STM32F427VGT6.
Title: Re: Siglent .ads firmware file format
Post by: janekivi on July 05, 2019, 01:45:04 pm
No reverse, no FF.
screen.bmp at 0x000D70DC where are couple icons for the screen
like network, battery and yellow exclamation triangle.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 13, 2019, 05:01:29 pm
Just for the record:

The SDL1000X(-E) .ADS has a 0x70 bytes encrypted header (usual Siglent 3DES).

After that, it has 3 concatenated blocks which start with executable STM32 ARM programs. These are unencrypted and unobfuscated.

The final parsing of the 1st public release is attached.

Until now, no other Siglent FW had this format.

Edit1: I tried to add the loading addresses for IDA. I'm not 100% sure they are correct but they do a pretty good job in disassembling.
If anyone knows a better way to automatically determine the correct Loading addresses of the STM32 blocks, etc please contact me.
Title: Re: Siglent .ads firmware file format
Post by: wgoeo on July 24, 2019, 10:26:00 pm
For the SDS1000X-E, I summarized the replies so far in the Python 3 code below. You only need to recover the key in sds1000b.app. Without the correct key the .app will be corrupted but you can force extract and analyze it.

Code: [Select]
import sys
import codecs
import struct
# Reply #25
import pyDesSiglent

# Reply #186 (placeholder key: the real one has to be recovered from sds1000b.app)
key = codecs.decode('00000000000000000000000000000000', 'hex')
des = pyDesSiglent.triple_des(key)

# Reply #74
def checksum(b):
    return -sum(b) & 0xffffffff

# Specify the .ads file as a command line argument
b = open(sys.argv[1], 'rb').read(-1)
# Reply #235
b = des.decrypt(b[:0x70]) + b[0x70:]
# Compare with parsing (Reply #99)
csum, size = struct.unpack('<LL', b[:8])
print('file size w/o header', hex(size), 'checksum', hex(csum), '=?', hex(checksum(b[4:])))
# skip header
b = b[0x70:]
# Reply #21, #186
b = des.decrypt(b[:0x2800]) \
    + b[0x2800:0x2E777] \
    + des.decrypt(b[0x2E777:0x2E777+0x1400]) \
    + b[0x2E777+0x1400:]
# Reply #24 (modified)
b = bytearray(b[::-1])
# incrementing XOR FF pattern: offsets 1, 3, 6, 10, ...
a = 1
i = len(b)
j = 1
while j < i:
    b[j] ^= 0xff
    a += 1
    j += a
# second half of the file is XOR-ed with FF as a whole
i = len(b)
j = len(b) - len(b)//2
while j < i:
    b[j] ^= 0xff
    j += 1

# Compare with parsing (Reply #99)
i = 0
while (i < len(b)):
    csum, size = struct.unpack('<LL', b[i:i+8])
    section = b[i+8]
    # the payload follows this section's own 0x34-byte header, so index from i
    payload = b[i+0x34:i+0x34+size]
    print('section', section, 'size', hex(size), 'checksum', hex(csum), '=?', hex(checksum(payload)))
    open('section%d.zip' % b[i+8], 'wb').write(payload)
    i += 0x34 + size

Edit: to those who want a faster DES implementation I attached some code derived from mbedtls with just the necessary parts.
Title: Re: Siglent .ads firmware file format
Post by: wgoeo on July 29, 2019, 12:51:41 am
If anyone knows a better way to automatically determine the correct Loading addresses of the STM32 blocks

These are only heuristics so not very reliable.
One way is to search for the pattern of the reset handler:
Code: [Select]
48__    ldr  r0, [pc, #__]
4780    blx  r0
48__    ldr  r0, [pc, #__]
4700    bx   r0
e7fe    b    .

Another is the pattern that sets the vector table offset register:
Code: [Select]
62498:       4817            ldr     r0, [pc, #92]   ; (0x624f8)
6249a:       4918            ldr     r1, [pc, #96]   ; (0x624fc)
6249c:       6008            str     r0, [r1, #0]
.
.
624f8:       08040000
624fc:       e000ed08
If it does not exist then 0x08000000 is assumed.
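
Added example, not from wgoeo's post: the two heuristics above written as a Python scanner over a raw STM32 block. The sample image is constructed; deriving the base from the reset vector at offset 4 minus the file offset of the matched handler is my assumption about how the first pattern would be used, and it presumes the block starts with its vector table.

```python
import struct

VTOR_ADDR = 0xE000ED08      # SCB->VTOR, the literal at 0x624fc in the listing above
DEFAULT_BASE = 0x08000000   # assumed when no VTOR write is found


def halfwords(blob):
    """Split the image into little-endian 16-bit Thumb halfwords."""
    n = len(blob) // 2
    return struct.unpack('<%dH' % n, blob[:n * 2])


def pc_literal(blob, insn_off, insn):
    """Word loaded by a Thumb 'ldr rX, [pc, #imm8*4]' placed at insn_off.
    The literal sits at Align(PC, 4) + imm8*4, where PC = insn_off + 4."""
    lit_off = ((insn_off + 4) & ~3) + (insn & 0xFF) * 4
    if lit_off + 4 > len(blob):
        return None
    return struct.unpack_from('<I', blob, lit_off)[0]


def find_reset_handlers(blob):
    """File offsets matching: ldr r0,[pc]; blx r0; ldr r0,[pc]; bx r0; b ."""
    hw = halfwords(blob)
    hits = []
    for i in range(len(hw) - 4):
        if ((hw[i] & 0xFF00) == 0x4800 and hw[i + 1] == 0x4780 and
                (hw[i + 2] & 0xFF00) == 0x4800 and hw[i + 3] == 0x4700 and
                hw[i + 4] == 0xE7FE):
            hits.append(i * 2)
    return hits


def find_vtor_bases(blob):
    """Values stored to VTOR by: ldr r0,[pc]; ldr r1,[pc]; str r0,[r1,#0]."""
    hw = halfwords(blob)
    bases = []
    for i in range(len(hw) - 2):
        if ((hw[i] & 0xFF00) == 0x4800 and (hw[i + 1] & 0xFF00) == 0x4900 and
                hw[i + 2] == 0x6008):
            if pc_literal(blob, (i + 1) * 2, hw[i + 1]) == VTOR_ADDR:
                base = pc_literal(blob, i * 2, hw[i])
                if base is not None:
                    bases.append(base)
    return bases


def guess_load_address(blob):
    """Return (address, how it was found). Heuristic only."""
    bases = find_vtor_bases(blob)
    if bases:
        return bases[0], 'vtor-literal'
    if len(blob) >= 8:
        # Assumption: word 1 of the block is the reset vector (Thumb bit set).
        reset = struct.unpack_from('<I', blob, 4)[0] & ~1
        for off in find_reset_handlers(blob):
            base = reset - off
            if base >= 0 and base % 0x80 == 0:   # VTOR is at least 128-byte aligned
                return base, 'reset-vector'
    return DEFAULT_BASE, 'default'


def build_sample(base=0x08040000):
    """Constructed 0x70-byte image: vector table, reset handler, VTOR setup."""
    img = bytearray(0x70)
    struct.pack_into('<II', img, 0x00, 0x20020000, (base + 0x40) | 1)
    struct.pack_into('<5H', img, 0x40, 0x4802, 0x4780, 0x4802, 0x4700, 0xE7FE)
    struct.pack_into('<4H', img, 0x60, 0x4801, 0x4902, 0x6008, 0x4770)
    struct.pack_into('<II', img, 0x68, base, VTOR_ADDR)
    return bytes(img)


if __name__ == '__main__':
    addr, how = guess_load_address(build_sample())
    print(hex(addr), how)
```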
Title: Re: Siglent .ads firmware file format
Post by: n3mmr on September 23, 2019, 10:06:47 am
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.

Could exactly the same be done for an SDS1104X-E?
It'd be nice to have a consistent method for all instruments.
Title: Re: Siglent .ads firmware file format
Post by: netlend on September 30, 2019, 06:16:29 am
Hello, friends. Can SDS1102CFL do SDS1302CFL?
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 20, 2019, 07:59:41 pm
Could exactly the same be done for an SDS1104X-E?
It'd be nice to have a consistent method for all instruments.

Go here (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2478699/#msg2478699).

Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 20, 2019, 08:01:52 pm
Hello, friends. Can SDS1102CFL do SDS1302CFL?

Do you have one to try? If so, maybe I can help but in a more appropriate thread. Or pm me.
Title: Re: Siglent .ads firmware file format
Post by: Aqunity on December 12, 2019, 08:31:48 pm
Happy to say that the SPD3303X-E to SPD3303X Hack is still working at the end of 2019. :-+

I can make the same trick here like when I was uploading LeCroy in to SDG1025
but who can try this and there may be the same check routine and instrument
will say "Not supported firmware, please reflash correct. Otherwise I will wait 15 min".
This is stupid, it will wait that time anyway before you can access flash menu...

So... do not be the first who is using this firmware file on SPD3303X-E
but this first hack may be needed to be tried out by someone.

SPD3303X-V100R001B01D02P03_with _E_header.zip
OK, I give this only individually after request. I can't test it.

A year ago nobody volunteered to confirm Janekivi's work so I resuscitated the challenge and was successful!   :popcorn:

Attached is the proof of a Siglent SPD3303X-E conversion to a SPD3303X model.

The method is simple:

1. Run the SCPI command in the X-E to enable the 1mV step:

FACTORY ON

2. Using EasyPower flash the required FW file from the attached ZIP. (ConvertFromX-E)

(3. If you want to rollback, flash the other file.)

The FWs are Siglent official versions with Prod_ID's swapped like janekivi suggested.

The HW version of the board where the test was done is 0.3.

ATTENTION: This may involve a certain risk so do it at your own responsibility!

Enjoy!
Title: Re: Siglent .ads firmware file format
Post by: Veteran68 on January 05, 2020, 03:15:16 pm
A couple of questions on these Siglent firmware hacks and the process when Siglent releases a new firmware version.

The SDS1104X-E and 1204X-E appear to use the same firmware file (as it applies to the entire 1xx4 series) so obviously when new firmware gets released there's no choice to make.

However with the SPD3303X-E to 3303X, Siglent has released these as separate firmware files. Now there hasn't been a new release in 2 years, so maybe this is a moot question, but should they release again, can I now just apply the X firmware instead of the X-E since the device now identifies as the X model? Or do I have to repeat the "hack" process again?

In other words, is the hack a "one time only" operation that permanently changes the identity of the product such that it now accepts standard firmware for the upgraded product?

Title: Re: Siglent .ads firmware file format
Post by: tv84 on January 05, 2020, 03:35:46 pm
In other words, is the hack a "one time only" operation that permanently changes the identity of the product such that it now accepts standard firmware for the upgraded product?

Yes.
Title: Re: Siglent .ads firmware file format
Post by: Veteran68 on January 09, 2020, 03:40:33 am
Well I've successfully applied the hack to my new SPD3303X-E. It wouldn't take through the normal upload though, I had to boot into firmware mode.
Title: Re: Siglent .ads firmware file format
Post by: MathWizard on March 17, 2020, 11:15:46 am
Well I've successfully applied the hack to my new SPD3303X-E. It wouldn't take through the normal upload though, I had to boot into firmware mode.
Hi, how did you do it? I got one from Amazon last year, and it's V3.0, FW:1.01.01.02.05

I put in the FACTORY ON cmd the 1st time and didn't reboot right away, so maybe that botched it. But did have the machine reset from the voltages I had set rebooting.

Anyways I tried again 3-4 times,  FACTORY ON, reboot, go into Easypower and select the
SPD3303X-1.01.01.02.05_ConvertFromX-E.ADS
and it only lets me try normal mode update, so I try that and it says "this is not update file!"


What procedure did you follow? What's this about booting into FW mode?

I wish I knew programming, I DL'ed Python again today, I'll need that for EE anyways.
Title: Re: Siglent .ads firmware file format
Post by: MathWizard on March 17, 2020, 01:00:13 pm
HAHAHAHA I did it.

Before I used the USB to try FW upgrade to 3303X, this time I had wireshark recording and tried the hack procedure over LAN, and it did it.

The PSU now has 3 decimal places

WOO HOO


It doesn't track perfectly, but IDK what it's really supposed to track like, but I can adjust it to within a few mV, so that's great.

I'll check those posts I remember seeing about the calibration maybe different after flashing.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on March 17, 2020, 03:51:49 pm
HAHAHAHA I did it.

Before I used the USB to try FW upgrade to 3303X, this time I had wireshark recording and tried the hack procedure over LAN, and it did it.

Explain what you saw in wireshark, please.
Title: Re: Siglent .ads firmware file format
Post by: tautech on April 04, 2020, 07:34:56 am
SDS1000CML .CFG file nested here so to be easier to find.  :phew:
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 04, 2020, 12:47:44 pm
SDS1000CML .CFG file nested here so to be easier to find.  :phew:

The other ones are here:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1347761/#msg1347761 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1347761/#msg1347761)
Title: Re: Siglent .ads firmware file format
Post by: douggoldberg on April 05, 2020, 10:09:28 pm
Having successfully “improved” my SDG AWG with help of this community I’d like a go at the 2104X+. I’m having trouble finding concrete instructions. Can anyone point me in the right direction?
Title: Re: Siglent .ads firmware file format
Post by: alexitaly on April 22, 2020, 07:39:46 pm
Hello everyone. Sorry for my English (I'm helping with the Google translator).
First of all, nice to meet you, I'm Alessandro and it's the first time I write in this forum.

I have problems with my ATTEN ADS1102CAL oscilloscope. The revision of the motherboard is SAT7.820.681H. The memory is 40k.
Due to several bugs with trigger and time base I've installed the firmware of the SIGLENT SDS1102CNL oscilloscope:
version 5.01.02.13
file SDS1000CNL_SSP_V100R005B01D02P13
I also tried the last one (32).

Unfortunately, with the time base set from 100ms down to 1s and beyond, the update of the track on the time scale fails.
A friend lent me his SDS1102CML oscilloscope and there is no problem with that.
I would like to restore the original firmware ATTEN
file ADS1000CAL_V100R003B01D01P31R16
but the currently installed SIGLENT firmware does not let me do it: PRODUCT ID WRONG.
Could someone help me please?
Thank you.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 22, 2020, 08:43:27 pm
Could someone help me please?

That Atten FW is Product_ID: 80

Your Siglent FW is Product_ID: 79

I think I can do that for you but you're sailing in dangerous waters...


Edit: Go here (https://www.eevblog.com/forum/repair/need-full-firmware-(full-dump-flash)-oscilloscope-atten-ads-1062cml/msg3036948/#msg3036948).
Title: Re: Siglent .ads firmware file format
Post by: alexitaly on April 22, 2020, 09:20:30 pm


Quote
That Atten FW is Product_ID: 80

Your Siglent FW is Product_ID: 79

I think I can do that for you but you're sailing in dangerous waters...

Very Very Thanks!  :-+
Actually the scope is unusable with the timebase settings over 100ms...
The oscilloscope does not draw points at regular intervals on the time axis, it seems to add random delays... I think there is a bug in some pointer in my CNL firmware (or my hw is old for this FW)   :'(
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 26, 2020, 07:37:26 am
I have an atten 1102cal oscilloscope, hardware version: 3.41.1.16 software version: 3.01.01.21 SN: 30xxxx, then I refresh the firmware version number of siglent SDS 1102cnl: 5.01.02.13, everything looks normal. A few days later, I found the chip to upgrade the long memory( Is61lps5123a-200tqli), after welding it and brushing in 1102cml firmware, the failure occurred. After traversing all relevant discussions in this forum, I downloaded the binary file package to refresh the chip with the programmer, but the failure is still not solved. Now I have removed the chip. I think it's because of the compatibility between the firmware and the device. Thank you for your resources. But I still need to find the right firmware to save my oscilloscope.  |O
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 26, 2020, 07:50:21 am
I wrote this through translation software. I don't know if anyone can understand it :palm:
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 26, 2020, 09:49:03 am
I have an atten 1102cal oscilloscope, hardware version: 3.41.1.16 software version: 3.01.01.21 SN: 30xxxx, then I refresh the firmware version number of siglent SDS 1102cnl: 5.01.02.13, everything looks normal. A few days later, I found the chip to upgrade the long memory( Is61lps5123a-200tqli), after welding it and brushing in 1102cml firmware, the failure occurred. After traversing all relevant discussions in this forum, I downloaded the binary file package to refresh the chip with the programmer, but the failure is still not solved. Now I have removed the chip. I think it's because of the compatibility between the firmware and the device. Thank you for your resources. But I still need to find the right firmware to save my oscilloscope.  |O

From my analyses, I would say the CNL and the CML firmware should be the same.

SDS1000CML_SSP_V100R005B01D02P13.ADS   - CRC32 6D788CDE

Please attach here the firmwares that you flashed.
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 26, 2020, 10:06:56 am
The link can't be downloaded, I don't know if it's a permission problem  Thanks! :-DMM  For convenience, please email:  routerfan@gmail.com
After several swipes, now my hardware version is 11-41-2.1, and the device serial number has changed. I don't know if I can solve the problem by using ads file through U disk? Do I need full dump flash to flash through the programmer?
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 26, 2020, 11:42:29 am
This is the bin file I used to recover from siglent to atten, and then I refreshed it to 1102cnl (dingyang) via USB flash disk
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 26, 2020, 11:45:04 am
Send all the files that you used via USB disk.
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 26, 2020, 12:29:41 pm
There are a lot of documents, but they are all from eevblog, and I almost went through the corner. The firmware of WaveAce1xxx has also been brushed. The situation is similar to: https://www.eevblog.com/forum/repair/need-full-firmware-%28full-dump-flash%29-oscilloscope-atten-ads-1062cml/
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 26, 2020, 12:41:01 pm
Sure, but if you don't answer my requests I'm unable to help.

Which were the files that you flashed via USB drive? Not via programmer.
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 26, 2020, 01:02:51 pm
Sorry tv84, uploading files gives me a headache. My flashing order is: atten 1102cal > siglent 1102cnl > 1102cml > waveace10xx. The fault occurs when the flashing machine from 1102cnl to 1102cml
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 26, 2020, 01:38:38 pm
Let's start from the beginning:

The CML and CNL firmwares are the same files!  The only reason you have 2 different files is because you are using different versions.

Have you tried using the latest CML/CNL firmware 5.01.02.32 (Release Date 07.09.15 )?

https://www.siglenteu.com/download/4251/ (https://www.siglenteu.com/download/4251/)

BTW, why did you flash the WaveAce on top of the Siglent firmware ? ? ?
Title: Re: Siglent .ads firmware file format
Post by: alexitaly on April 26, 2020, 07:16:01 pm
Hi tv84, first of all thanks for your help.
Attached there is the Siglent FW that is installed in my scope.
Note that the FPGA in my scope is a CYCLONE III (is this the problem? Old hw?).

Quote from: tv84
Have you tried using the latest CML/CNL firmware 5.01.02.32 (Release Date 07.09.15 )?

Yes, I've tried and the problem is the same.

Thanks...

(https://i.imgur.com/Q8PE5BZl.jpg)

(https://i.imgur.com/sipzaLil.jpg)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 26, 2020, 07:50:47 pm
I don't know who I'm helping anymore... :)

I said 5.01.02.32 and you show a printscreen with 5.01.02.13 ? ?
Title: Re: Siglent .ads firmware file format
Post by: alexitaly on April 26, 2020, 10:30:51 pm
I don't know who I'm helping anymore... :)

I said 5.01.02.32 and you show a printscreen with 5.01.02.13 ? ?

Hi tv84, thanks for your help.

Quote from: alexitaly
I have problems with my ATTEN ADS1102CAL oscilloscope. The revision of the motherboard is SAT7.820.681H. The memory is 40k.
Due to several bugs with trigger and time base I've installed the firmware of the SIGLENT SDS1102CNL oscilloscope:
version 5.01.02.13
file SDS1000CNL_SSP_V100R005B01D02P13
I also tried the last one (32).

Unfortunately, my problem is also present in the last firmware release 5.01.02.32. In fact, the first attempt was to downgrade the firmware to the 5.01.02.13 release, and the problem was not resolved. Because of this I would like to downgrade to the ATTEN 3.01.01.31.16 release.
I think, however I am not sure, that my problem is connected to the absence of 2M memory: I am trying to understand if this problem is due to some filtering algorithm to save memory... I'd like to know what you think about it.

Thanks.
Title: Re: Siglent .ads firmware file format
Post by: vtwin@cox.net on April 26, 2020, 11:23:49 pm
I don't know who I'm helping anymore... :)

How's that saying go... you can lead a horse to water? :)
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 27, 2020, 05:33:36 am
Hello tv84, version 5.01.02.32 I have tried, it is invalid. It is an attempt to update the WaveAce firmware when it cannot be recovered after a fault occurs, but it still fails. There is a phenomenon in the middle that deserves attention. Before the fault, the channel calibration time is less than 20 seconds, but now it takes more than 5 minutes. I guess whether the internal calibration data was damaged due to the chaotic flashing.
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 27, 2020, 05:47:27 am
It's too clever. The hardware version and model of our oscilloscope are basically the same, not even the serial number. Of course, this was before I did not break my oscilloscope.
Title: Re: Siglent .ads firmware file format
Post by: routerfan on April 27, 2020, 06:17:37 am
I have done everything from SIGLENT to atten, only to remove the memory chip and use the programmer. The premise is that you have the correct full dump flash file. The risk is high. I am an example of failure. Now look everywhere for the bin brush file suitable for my oscilloscope
Title: Re: Siglent .ads firmware file format
Post by: tv84 on April 27, 2020, 08:39:00 am
Gentlemen, let's continue this discussion in thread:

https://www.eevblog.com/forum/repair/need-full-firmware-%28full-dump-flash%29-oscilloscope-atten-ads-1062cml/ (https://www.eevblog.com/forum/repair/need-full-firmware-%28full-dump-flash%29-oscilloscope-atten-ads-1062cml/)

It's more appropriate since here it is completely OFF TOPIC.

Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 18, 2020, 09:52:44 pm
I have a couple Siglent SDS2104 scopes.  I successfully pushed one from 1.0 to 2.0 awhile ago.  It now has version 1.2.1.38.7 and tried to update to 1.2.2.2, whether R10 or R15.  When I tried to update, I get a 'product type does not match' error.  Maybe I have the latest fw.  The website doesn't show any fw for base SDS2000 models, only SDS2000X or SDS2000X-E or SDS2000 Plus. Very confusing.

The other 2104 scope has 1.1.1.37.2 and won't even show the "Press to Update" button on the screen.  Can anyone help?
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 18, 2020, 09:57:00 pm
I have a couple Siglent SDS2104 scopes.  I successfully pushed one from 1.0 to 2.0 awhile ago.  It now has version 1.2.1.38.7 and tried to update to 1.2.2.2, whether R10 or R15.  When I tried to update, I get a 'product type does not match' error.  Maybe I have the latest fw.  The website doesn't show any fw for base SDS2000 models, only SDS2000X or SDS2000X-E or SDS2000 Plus. Very confusing.

The other 2104 scope has 1.1.1.37.2 and won't even show the "Press to Update" button on the screen.  Can anyone help?

Have you tried sds2k_V100R02B01D02P0109_fvA1609220922M160922.ADS or sds2k_V100R02B01D02P02_fvA1609220922M160922.ADS?

SDS2000x_1.2.2.2R10 and others are only for X versions!
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 18, 2020, 10:13:29 pm
I have a couple Siglent SDS2104 scopes.  I successfully pushed one from 1.0 to 2.0 awhile ago.  It now has version 1.2.1.38.7 and tried to update to 1.2.2.2, whether R10 or R15.  When I tried to update, I get a 'product type does not match' error.  Maybe I have the latest fw.  The website doesn't show any fw for base SDS2000 models, only SDS2000X or SDS2000X-E or SDS2000 Plus. Very confusing.

The other 2104 scope has 1.1.1.37.2 and won't even show the "Press to Update" button on the screen.  Can anyone help?
Last FW version for SDS2000 models is V1.2.2.1R9 | Published:2016-11-23
You can get it here:
http://www.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SDS2000-V1.2.2.1R9.rar (http://www.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SDS2000-V1.2.2.1R9.rar)

Edit
Many old firmware versions no longer available on the updated Siglent websites are still available here:
http://old.siglentamerica.com/gjjrj.aspx?id=15&page=1 (http://old.siglentamerica.com/gjjrj.aspx?id=15&page=1)
Title: Re: Siglent .ads firmware file format
Post by: Elasia on June 18, 2020, 10:37:32 pm
Many old firmware versions no longer available on the updated Siglent websites are still available here:
http://old.siglentamerica.com/gjjrj.aspx?id=15&page=1 (http://old.siglentamerica.com/gjjrj.aspx?id=15&page=1)


Interesting... that old site is a bonanza of information

FAQ
Oscilloscope Hardware Reset
Solution: In some extreme hardware errors, the oscilloscope may become
unresponsive or “hang” during the boot sequence.
If your oscilloscope is frozen, will not boot, or appears to be unresponsive, you can
attempt a hardware reset by following these instructions:
1. Disconnect all USB, LAN, and input cables. Leave the power cord connected.
2. Power cycle the instrument by pressing the power button.
3. Immediately begin pressing the MATH button repeatedly at a rate of 2 to 3
times a second while the instrument boots up.
4. If the instrument does not boot up properly, retry steps 2 through 4.
NOTE: If you continue to have problems, contact your nearest SIGLENT
 office for service.
Title: Re: Siglent .ads firmware file format
Post by: Elasia on June 18, 2020, 10:39:59 pm
Also scored this... now i can calibrate my wave gen lol

Python Scripts for SDG
 
NOTICE
1. All scripts can only be used for calibrating SDG products.
2. Updating SDG’s firmware to the newest version is strongly recommended.
3. Before being calibrated, all devices should have been operating continuously for more than 30 minutes within specified operating temperature range (18℃ ~ 28℃)
4. Make sure all devices are well connected as section 1.3 shows.
5. Don’t open Microsoft Office Excel when running scripts.
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 18, 2020, 10:41:53 pm
Also scored this... now i can calibrate my wave gen lol

Python Scripts for SDG
 
NOTICE
1. All scripts can only be used for calibrating SDG products.
2. Updating SDG’s firmware to the newest version is strongly recommended.
3. Before being calibrated, all devices should have been operating continuously for more than 30 minutes within specified operating temperature range (18℃ ~ 28℃)
4. Make sure all devices are well connected as section 1.3 shows.
5. Don’t open Microsoft Office Excel when running scripts.
Recovery files on standby if you stuff it up !  :P
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 23, 2020, 11:34:56 pm
Thanks tv84 and tautech.  Using the sds2000 version worked.  As I said before, the model numbers are confusing. It's now running 1.2.2.1R9.

Now my other scope is back at rev 1.1.1.37.2, and it's been 2 yrs since I moved the one scope from V1 to V2, don't remember exactly.  I need some help.  When I go to Utility -> Update -> Config and select the sds2000.cfg with the Universal Knob then push it in, you can see that it's not recognizing the file.  The menu at the bottom doesn't show a Load button.
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 24, 2020, 01:23:06 am
Thanks tv84 and tautech.  Using the sds2000 version worked.  As I said before, the model numbers are confusing. It's now running 1.2.2.1R9.

Now my other scope is back at rev 1.1.1.37.2, and it's been 2 yrs since I moved the one scope from V1 to V2, don't remember exactly.  I need some help.  When I go to Utility -> Update -> Config and select the sds2000.cfg with the Universal Knob then push it in, you can see that it's not recognizing the file.  The menu at the bottom doesn't show a Load button.
V1 to V2 instructions attached.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 24, 2020, 09:08:08 am
I'm revisiting these old Siglent firmwares to enable the BW upgrade. (Siglent disabled it intentionally.)

The SHS has been successfully tested. The SDS are waiting for volunteers.

If anyone wants to try an upgrade pm me.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 25, 2020, 05:36:57 pm
tautech, thanks but I've already followed the directions. The problem seems to be that the scope doesn't recognize the .cfg file I select and doesn't show the LOAD button on the LCD.  See the image in my last post.  Is it because I'm not on Version 1?  This scope shows 1.1.1.37.2.  How do I know it's Version 1 vs Version 2.  The leading number is '1' on both scopes but I think the other scope successfully was updated to Version 2 (but shows 1.2.1.38.7).  Must be the 2nd number that designates Version 2. ??
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 25, 2020, 06:08:37 pm
Must be the 2nd number that designates Version 2. ??

Correct.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 25, 2020, 06:12:21 pm
OK, thanks for the confirmation.  But why don't I see the LOAD button appear when I select the cfg file?
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 25, 2020, 07:53:15 pm
tautech, thanks but I've already followed the directions. The problem seems to be that the scope doesn't recognize the .cfg file I select and doesn't show the LOAD button on the LCD.  See the image in my last post.  Is it because I'm not on Version 1?  This scope shows 1.1.1.37.2.  How do I know it's Version 1 vs Version 2.  The leading number is '1' on both scopes but I think the other scope successfully was updated to Version 2 (but shows 1.2.1.38.7).  Must be the 2nd number that designates Version 2. ??
Looking at your screenshot, you're working in the Save/Recall menu.
Long time since I had a 2k but now FW updates are done from an Upgrade menu within Utility. Check there.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 25, 2020, 08:44:04 pm
OK, I notice that now.  But I hit 'Update' then 'Configure' then the Save/Recall menu automatically opens.  I just thought it was looking for the cfg file, but maybe it's in a confused state.  I know I'm in a confused state!  ???

I'm following the V1 to V2 instructions exactly. Pages 1 and 2 show screenshots, but theirs shows a LOAD option which I don't see on the LCD.  Their screenshot shows it as the Save/Recall menu.  Maybe I ought to reflash the existing fw.
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 25, 2020, 09:04:00 pm
OK, I notice that now.  But I hit 'Update' then 'Configure' then the Save/Recall menu automatically opens.  I just thought it was looking for the cfg file, but maybe it's in a confused state.  I know I'm in a confused state!  ???

I'm following the V1 to V2 instructions exactly. Pages 1 and 2 show screenshots, but theirs shows a LOAD option which I don't see on the LCD.  Their screenshot shows it as the Save/Recall menu.  Maybe I ought to reflash the existing fw.
OK.
I suggest you load an early V1 version from way back when V2 just became available.
The FW revision History PDF attached might help with the selection of which version to install.

Then make your selection from the old website I linked earlier.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 25, 2020, 09:17:44 pm
I tried an old file, but that won't work because no matter what, it never shows the LOAD softkey. 
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 25, 2020, 09:24:10 pm
I tried an old file, but that won't work because no matter what, it never shows the LOAD softkey.
OK, going back to your earlier post:
tautech, thanks but I've already followed the directions. The problem seems to be that the scope doesn't recognize the .cfg file I select and doesn't show the LOAD button on the LCD.  See the image in my last post.  Is it because I'm not on Version 1?  This scope shows 1.1.1.37.2.  How do I know it's Version 1 vs Version 2.  The leading number is '1' on both scopes but I think the other scope successfully was updated to Version 2 (but shows 1.2.1.38.7).  Must be the 2nd number that designates Version 2. ??
Set to a slow timebase where the memory depth is displayed. IIRC they were 35 MPts whereas V2 allows for 70 Mpts.
Maybe you can also see this in the Acquire menu where you select the mem depth.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 25, 2020, 10:33:17 pm
Not sure I follow.  What does the memory depth or timebase have to do with the firmware update, insofar as getting it updated?
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 25, 2020, 10:48:49 pm
Not sure I follow.  What does the memory depth or timebase have to do with the firmware update?
SDS2000 models with V1 FW had just 35 28 Mpts max mem depth IIRC. V2 allowed 70 Mpts by allowing the system to access more memory.
This is easily checked in Acquire settings as to what is the max mem depth available and indicates if V1 or V2 FW is installed.

Relevant thread you need to read:
https://www.eevblog.com/forum/testgear/siglent-sds2000-new-v2-firmware/ (https://www.eevblog.com/forum/testgear/siglent-sds2000-new-v2-firmware/)

Please note there are 4 steps to upgrade from V1 to V2 firmware, these are outlined in the update instructions that are part of the FW update.

First install a .cfg, then reboot.
Then the .ads file TWICE with a reboot after each install.
Finally a Self cal.


Attached is the pdf changelog.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 26, 2020, 05:26:25 pm
Tautech, thanks - I checked both scopes. V2 scope can go to 70Mpts and V1 scope can do 14Mpts (not 35M, not 28M).  This seems to confirm ver2 vs ver1.

I noticed that the Utility screen has a 'back' softkey option on V2 and is missing that softkey on V1.  V1 never displays the 'Load' softkey, so it seems I can't even revert the fw.  Ugh.  But then I accidentally hit the Save/Recall button and changed one of the menus, then more softkeys appeared!  OMG.  Now I see the Load softkey.  Now we're getting somewhere.  I tried Utility>Configure> then menu popped up, pointed to .cfg file, hit Load softkey, and the scope does nothing, just beeps. WTH.

Is there some sort of master reset?
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 26, 2020, 08:23:46 pm
Tautech, thanks - I checked both scopes. V2 scope can go to 70Mpts and V1 scope can do 14Mpts (not 35M, not 28M).  This seems to confirm ver2 vs ver1.

I noticed that the Utility screen has a 'back' softkey option on V2 and is missing that softkey on V1.  V1 never displays the 'Load' softkey, so it seems I can't even revert the fw.  Ugh.  But then I accidentally hit the Save/Recall button and changed one of the menus, then more softkeys appeared!  OMG.  Now I see the Load softkey.  Now we're getting somewhere.  I tried Utility>Configure> then menu popped up, pointed to .cfg file, hit Load softkey, and the scope does nothing, just beeps. WTH.

Is there some sort of master reset?
From my quoted post from 2015:

First install a .cfg, then reboot.
Then the .ads file TWICE with a reboot after each install.
Finally a Self cal.


Step by step, follow this exactly ^^
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 26, 2020, 09:57:43 pm
tautech, yes I know the steps but the scope doesn't behave as it should.  When I push in the universal knob to select the cfg file, it just beeps and does nothing else.  So, it seems I'm stuck.  Is there another method to use? Update over ethernet?
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 26, 2020, 10:00:48 pm
tautech, yes I know the steps but the scope doesn't behave as it should.  When I push in the universal knob to select the cfg file, it just beeps and does nothing else.  So, it seems I'm stuck.  Is there another method to use? Update over ethernet?
OK. What about the reboot ? How are you doing that ? Soft power button or hard OFF ?
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 27, 2020, 09:56:24 am
Look at this thread:

https://www.eevblog.com/forum/testgear/siglent_s-new-product-msosds2000-series/msg755017/#msg755017 (https://www.eevblog.com/forum/testgear/siglent_s-new-product-msosds2000-series/msg755017/#msg755017)

I think you must press the "default" button to be able to load the .CFG.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 29, 2020, 07:34:23 pm
I've done reboots, pwr down, unplugged AC cord.  No change in behavior.  The beep is telling me something but I don't know what.  The Load softkey is now there on the screen. Every time I select the cfg file, it just beeps.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 29, 2020, 07:37:59 pm
tv84, I tried that just now, hit default, even powered down before and after hitting Default, but no different.  Nothing seems to work.  It might be a matter of hitting the right button to put it in the proper state to program.
Title: Re: Siglent .ads firmware file format
Post by: tautech on June 29, 2020, 08:13:22 pm
tv84, I tried that just now, hit default, even powered down before and after hitting Default, but no different.  Nothing seems to work.  It might be a matter of hitting the right button to put it in the proper state to program.
Have you tried rolling back the firmware to early versions ?
Maybe the later versions closed the door on upgrading to V2 FW.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 29, 2020, 09:22:49 pm
I can't roll back.  I tried, but the bottom line is that the scope doesn't do anything whether it's a cfg file or ads file.  It just beeps in both cases.

Attached are 2 cfg files that I tried.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on June 29, 2020, 09:40:06 pm
And this one.
Title: Re: Siglent .ads firmware file format
Post by: tv84 on June 30, 2020, 08:26:18 am
The 3rd one is a repetition.

These are the main differences of these .CFG files (in the attachment).

I never understood why the 2000SIGLENT.cfg was released as it doesn't have the model references. Maybe it's a kind of reset. (I think that if you flash this file, the model references become the standard ones that are embedded in the app, which are similar to (ex.) "SDS210X").

In the end, the SDS2000.txt (which you called SDS2000_28R1.cfg) should be the more correct .CFG that SDS owners should flash.
Title: Re: Siglent .ads firmware file format
Post by: sjm on July 05, 2020, 12:38:23 pm

Attached is the proof of a Siglent SPD3303X-E conversion to a SPD3303X model.

...

ATTENTION: This may involve a certain risk so do it at your own responsibility!

Enjoy!

Well, I confirm this worked for me. Finally got time to try this out. Thanks!
Title: Re: Siglent .ads firmware file format
Post by: gman76 on July 07, 2020, 06:03:59 pm
OMG, how dumb. I'm on a corp network and the files were encrypted. Once I copied them over unencrypted, the firmware updated w/o problems.  Now running 1.2.2.1R9.
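
An added example, not part of the original posts: earlier in the thread tv84 identifies a firmware file by its CRC32, and the update above failed because the copies carried to the scope had been encrypted in transit. The Python sketch below compares a downloaded file, its copy on the USB stick and a reference CRC32 before flashing. The file names and contents are constructed, and CBF43926 is the standard CRC-32 check value of the constructed payload, not a firmware checksum.

```python
import os
import shutil
import tempfile
import zlib


def fingerprint(path, chunk_size=1 << 16):
    """Return (size in bytes, CRC32 as 8 upper-case hex digits) of a file.

    The file is streamed, so a large image does not have to fit in memory.
    CRC32 catches accidental alteration; it is not a tamper-proof signature.
    """
    crc = 0
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return size, f"{crc & 0xFFFFFFFF:08X}"


def check_copy(source_path, usb_path, reference_crc=None):
    """Compare the download, the USB copy and an optional reference CRC32."""
    src = fingerprint(source_path)
    usb = fingerprint(usb_path)
    if reference_crc is not None and src[1] != reference_crc.upper():
        verdict = "source does not match reference"
    elif usb != src:
        verdict = "copy differs from source"
    else:
        verdict = "ok"
    return {"source": src, "usb": usb, "verdict": verdict}


def group_identical(paths):
    """Group paths whose size and CRC32 agree (same content, different name)."""
    groups = {}
    for path in paths:
        groups.setdefault(fingerprint(path), []).append(path)
    return [sorted(members) for members in groups.values() if len(members) > 1]


def demo():
    """Run the checks on constructed files in a temporary directory."""
    payload = b"123456789"  # constructed stand-in for a firmware image
    with tempfile.TemporaryDirectory() as tmp:
        download = os.path.join(tmp, "download")
        usb_ok = os.path.join(tmp, "usb_ok")
        usb_bad = os.path.join(tmp, "usb_bad")
        for directory in (download, usb_ok, usb_bad):
            os.mkdir(directory)

        # Two differently named downloads with identical content.
        fw_a = os.path.join(download, "CONSTRUCTED_A.ADS")
        fw_b = os.path.join(download, "CONSTRUCTED_B.ADS")
        for path in (fw_a, fw_b):
            with open(path, "wb") as fh:
                fh.write(payload)

        # A faithful copy to the stick.
        good = shutil.copy(fw_a, usb_ok)

        # Constructed stand-in for a copy rewritten on the way to the stick
        # (wrapped in a header and transformed), as transparent file
        # encryption on a managed PC would do.
        bad = os.path.join(usb_bad, "CONSTRUCTED_A.ADS")
        with open(bad, "wb") as fh:
            fh.write(b"WRAPPED\x00" + bytes(b ^ 0x5A for b in payload))

        return {
            "clean": check_copy(fw_a, good, "cbf43926")["verdict"],
            "altered": check_copy(fw_a, bad, "cbf43926")["verdict"],
            # 6D788CDE is the value quoted in the thread for
            # SDS1000CML_SSP_V100R005B01D02P13.ADS; the constructed payload
            # does not match it, which is the mismatch path.
            "wrong_reference": check_copy(fw_a, good, "6D788CDE")["verdict"],
            "identical": [
                [os.path.basename(p) for p in group]
                for group in group_identical([fw_a, fw_b, bad])
            ],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against the real download and the file as read back from the stick, a "copy differs from source" verdict points at the copy step rather than at the instrument.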
Title: Re: Siglent .ads firmware file format
Post by: tautech on July 07, 2020, 08:27:03 pm
OMG, how dumb. I'm on a corp network and the files were encrypted. Once I copied them over unencrypted, the firmware updated w/o problems.  Now running 1.2.2.1R9.
:phew:  :-+
Title: Re: Siglent .ads firmware file format
Post by: tv84 on July 07, 2020, 09:00:21 pm
OMG, how dumb. I'm on a corp network and the files were encrypted. Once I copied them over unencrypted, the firmware updated w/o problems.  Now running 1.2.2.1R9.

 :palm:  (Even so, don't understand the problem...) Well, it's done.
Title: Re: Siglent .ads firmware file format
Post by: gman76 on August 05, 2020, 04:59:31 am
I have the scopes at the office on a corporate network. There’s a sneaky way to copy a file from the PC to an external usb drive so that it doesn’t get encrypted. Involves the file extension.
Title: Re: Siglent .ads firmware file format
Post by: voronin_10 on October 14, 2020, 07:55:40 pm
Hi friend, I have a bad oscilloscope,
I need to decompress the ads file to an archive

my oscilloscope after flashing is a brick,
but U-boot is alive and needs 3 files
this is console out:
Code:
Download Linux from USB to Nandflash...
reading ro_uImage
** Unable to read file ro_uImage **
reading rootfs.img
** Unable to read file rootfs.img **
reading datafs.img
** Unable to read file datafs.img **
reading logo.bmp
** Unable to read file logo.bmp **
Booting from nand ...



how to mount or extract these files from the update file?
https://siglentna.com/download/15283/
siglent sds1102cml+

good update log 


Code:
[00]
U-Boot SPL 2013.01.01-svn29730 (Mar 27 2017 - 19:02:34)
config ddr_pll_config()++
config ddr_pll_config()--
nand_init+++++
nand_init-----
Lcd_Init()++
SetUpLCD()++
SetUpLCD()--
len=768052, height=480, width=800
Logo from nandflash: base=0x81000000; end=0x810bb81f; end-base=0xbb81f; rwsize=0xbb820; r=0x0
Lcd_Init()--


U-Boot 2013.01.01-svn29730 (Mar 27 2017 - 19:02:34)

I2C:   ready
DRAM:  128 MiB
NAND:  256 MiB
MMC:   OMAP SD/MMC: 0, OMAP SD/MMC: 1
Using default environment

set_default_env::7864
musb-hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
musb-hdrc: MHDRC RTL version 2.0
musb-hdrc: setup fifo_mode 4
musb-hdrc: 28/31 max ep, 16384/16384 memory
USB Peripheral mode controller at 47401000 using PIO, IRQ 0
musb-hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
musb-hdrc: MHDRC RTL version 2.0
musb-hdrc: setup fifo_mode 4
musb-hdrc: 28/31 max ep, 16384/16384 memory
USB Host mode controller at 47401800 using PIO, IRQ 0
Net:   <ethaddr> not set. Validating first E-fuse MAC
cpsw
Hit any key to stop autoboot
(Re)start USB...
USB0:   scanning bus 0 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found
Download Linux from USB to Nandflash...
reading ro_uImage
** Unable to read file ro_uImage **
reading rootfs.img
** Unable to read file rootfs.img **
reading datafs.img
** Unable to read file datafs.img **
reading logo.bmp
** Unable to read file logo.bmp **
Booting from nand ...

NAND read: device 0 offset 0x3080000, size 0x300000
 3145728 bytes read: OK
## Booting kernel from Legacy Image at 80200000 ...
   Image Name:   Linux-3.2.0+
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2157768 Bytes = 2.1 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

init started: BusyBox v1.13.2 (2012-04-08 17:28:57 CDT)

starting pid 519, tty '': '/etc/init.d/rcS'
rS in
/etc/init.d/rcS: line 15: setterm: not found

starting pid 536, tty '/dev/ttyO0': '-/bin/sh'

Processing /etc/profile... Done

/ # check_and_upgrade:starting...
mount_fs: rw,sync,ubi1_0,/usr/bin/siglent/usr
ubi1_0unattached
attach_ubi:datafs
attach_ubi:11
UBI device number 1, total 812 LEBs (103104512 bytes, 98.3 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
MOUNT_DIR_NAME = /usr/bin/siglent/usr
TEST_RESTURN =
is_fs_mounted 0 ---
is_need_upgrade
is_need_upgrade:not need upgrade
check_and_upgrade:end...
++mount_check_copy_appdata: starting
mount_fs: ro,sync,ubi2_0,/usr/bin/siglent/firmdata0
ubi2_0unattached
attach_ubi:firmdata0
attach_ubi:9
UBI device number 2, total 400 LEBs (50790400 bytes, 48.4 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
MOUNT_DIR_NAME = /usr/bin/siglent/firmdata0
TEST_RESTURN =
is_fs_mounted 0 ---
--mount_check_copy_appdata: ending
Load Fpga Success!

ECC failed: 0
ECC corrected: 0
Number of bad blocks: 0
Number of bbt blocks: 0
Block size 131072, page size 2048, OOB size 64
Dumping data starting at 0x00000000 and ending at 0x00010000...

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 20000 -- 50 % complete
Erasing 128 Kibyte @ 20000 -- 100 % complete
The Help file load OK!!

I0101 00:00:10.805797   534 module.cpp:568] ---------------------------------------------------------------------------------------
I0101 00:00:10.828555   534 module.cpp:569]                     Creat Log
-----------------------------------------------------------------------------------------------------------------------------------
 
I0101 00:00:10.858596   534 module.cpp:464] rm -f /usr/bin/siglent/usr/log/Info_19700101-000010.534
I0101 00:00:11.086069   534 module.cpp:489]
-----------------------------------------------------------------------------------------------------------------------------------
 
vxi11_main = 11206
init_lcd_driver()++
g_vinfo.xres = 800
g_vinfo.yres = 480
g_vinfo.bits_per_pixel = 16
E0101 00:00:13.605361   655 dev_interpreter.cpp:332] the device = /dev/sda mount fail
I0101 00:00:13.653393   655 dev_interpreter.cpp:338]
        №ТФШUЕМ /usr/bin/siglent/usr/media/U-disk0    device = /dev/sda1
 

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 20000 -- 50 % complete
Erasing 128 Kibyte @ 20000 -- 100 % complete

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 20000 -- 50 % complete
Erasing 128 Kibyte @ 20000 -- 100 % complete
FileHeader.product_type == 10000
version_flag == 1
xml_upgrade_id = 10000
Archive:  /usr/bin/siglent/usr/usr/upgrade/config.zip
  inflating: SDS1000_arm.app
  inflating: sds1000_fpga.rbf
  inflating: siglentlib.sh
  inflating: ti81xx.ko
  inflating: u-boot.img
  inflating: udc-core.ko
  inflating: update.sh
  inflating: upgrade.sh
  inflating: cfbcopyarea.ko
  inflating: cfbfillrect.ko
  inflating: cfbimgblt.ko
  inflating: da8xx-fb.ko
  inflating: datafs.img
  inflating: firmdata0.img
  inflating: g_usbtmc.ko
  inflating: gpib.ko
  inflating: help.bin
  inflating: libglog.so.0
  inflating: MLO
  inflating: musb_hdrc.ko
  inflating: NSP_config_upgrade_info.xml
  inflating: ro_uImage
  inflating: rw_uImage
update.sh starting ...
ubi0:rootfs / ubifs ro,relatime 0 0
rootfs ro
upgrade /usr/bin/siglent/usr/usr/upgrade/rw_uImage

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 20000 --  2 % complete
Erasing 128 Kibyte @ 40000 --  4 % complete
Erasing 128 Kibyte @ 60000 --  6 % complete
Erasing 128 Kibyte @ 80000 --  8 % complete
Erasing 128 Kibyte @ a0000 -- 10 % complete
Erasing 128 Kibyte @ c0000 -- 12 % complete
Erasing 128 Kibyte @ e0000 -- 14 % complete
Erasing 128 Kibyte @ 100000 -- 16 % complete
Erasing 128 Kibyte @ 120000 -- 18 % complete
Erasing 128 Kibyte @ 140000 -- 20 % complete
Erasing 128 Kibyte @ 160000 -- 22 % complete
Erasing 128 Kibyte @ 180000 -- 25 % complete
Erasing 128 Kibyte @ 1a0000 -- 27 % complete
Erasing 128 Kibyte @ 1c0000 -- 29 % complete
Erasing 128 Kibyte @ 1e0000 -- 31 % complete
Erasing 128 Kibyte @ 200000 -- 33 % complete
Erasing 128 Kibyte @ 220000 -- 35 % complete
Erasing 128 Kibyte @ 240000 -- 37 % complete
Erasing 128 Kibyte @ 260000 -- 39 % complete
Erasing 128 Kibyte @ 280000 -- 41 % complete
Erasing 128 Kibyte @ 2a0000 -- 43 % complete
Erasing 128 Kibyte @ 2c0000 -- 45 % complete
Erasing 128 Kibyte @ 2e0000 -- 47 % complete
Erasing 128 Kibyte @ 300000 -- 50 % complete
Erasing 128 Kibyte @ 320000 -- 52 % complete
Erasing 128 Kibyte @ 340000 -- 54 % complete
Erasing 128 Kibyte @ 360000 -- 56 % complete
Erasing 128 Kibyte @ 380000 -- 58 % complete
Erasing 128 Kibyte @ 3a0000 -- 60 % complete
Erasing 128 Kibyte @ 3c0000 -- 62 % complete
Erasing 128 Kibyte @ 3e0000 -- 64 % complete
Erasing 128 Kibyte @ 400000 -- 66 % complete
Erasing 128 Kibyte @ 420000 -- 68 % complete
Erasing 128 Kibyte @ 440000 -- 70 % complete
Erasing 128 Kibyte @ 460000 -- 72 % complete
Erasing 128 Kibyte @ 480000 -- 75 % complete
Erasing 128 Kibyte @ 4a0000 -- 77 % complete
Erasing 128 Kibyte @ 4c0000 -- 79 % complete
Erasing 128 Kibyte @ 4e0000 -- 81 % complete
Erasing 128 Kibyte @ 500000 -- 83 % complete
Erasing 128 Kibyte @ 520000 -- 85 % complete
Erasing 128 Kibyte @ 540000 -- 87 % complete
Erasing 128 Kibyte @ 560000 -- 89 % complete
Erasing 128 Kibyte @ 580000 -- 91 % complete
Erasing 128 Kibyte @ 5a0000 -- 93 % complete
Erasing 128 Kibyte @ 5c0000 -- 95 % complete
Erasing 128 Kibyte @ 5e0000 -- 97 % complete
Erasing 128 Kibyte @ 5e0000 -- 100 % complete
Writing data to block 0 at offset 0x0
Writing data to block 1 at offset 0x20000
Writing data to block 2 at offset 0x40000
Writing data to block 3 at offset 0x60000
Writing data to block 4 at offset 0x80000
Writing data to block 5 at offset 0xa0000
Writing data to block 6 at offset 0xc0000
Writing data to block 7 at offset 0xe0000
Writing data to block 8 at offset 0x100000
Writing data to block 9 at offset 0x120000
Writing data to block 10 at offset 0x140000
Writing data to block 11 at offset 0x160000
Writing data to block 12 at offset 0x180000
Writing data to block 13 at offset 0x1a0000
Writing data to block 14 at offset 0x1c0000
Writing data to block 15 at offset 0x1e0000
Writing data to block 16 at offset 0x200000
++is 3.0 parition  version

U-Boot SPL 2013.01.01-svn29730 (Mar 27 2017 - 19:02:34)
config ddr_pll_config()++
config ddr_pll_config()--
nand_init+++++
nand_init-----
Lcd_Init()++
SetUpLCD()++
SetUpLCD()--
len=768052, height=480, width=800
Logo from nandflash: base=0x81000000; end=0x810bb81f; end-base=0xbb81f; rwsize=0xbb820; r=0x0
Lcd_Init()--


U-Boot 2013.01.01-svn29730 (Mar 27 2017 - 19:02:34)

I2C:   ready
DRAM:  128 MiB
NAND:  256 MiB
MMC:   OMAP SD/MMC: 0, OMAP SD/MMC: 1
Using default environment

set_default_env::7864
musb-hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
musb-hdrc: MHDRC RTL version 2.0
musb-hdrc: setup fifo_mode 4
musb-hdrc: 28/31 max ep, 16384/16384 memory
USB Peripheral mode controller at 47401000 using PIO, IRQ 0
musb-hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
musb-hdrc: MHDRC RTL version 2.0
musb-hdrc: setup fifo_mode 4
musb-hdrc: 28/31 max ep, 16384/16384 memory
USB Host mode controller at 47401800 using PIO, IRQ 0
Net:   <ethaddr> not set. Validating first E-fuse MAC
cpsw
Hit any key to stop autoboot
(Re)start USB...
USB0:   scanning bus 0 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found
Download Linux from USB to Nandflash...
reading ro_uImage
** Unable to read file ro_uImage **
reading rootfs.img
** Unable to read file rootfs.img **
reading datafs.img
** Unable to read file datafs.img **
reading logo.bmp
** Unable to read file logo.bmp **
Booting from nand ...

NAND read: device 0 offset 0x3080000, size 0x300000
 3145728 bytes read: OK
## Booting kernel from Legacy Image at 80200000 ...
   Image Name:   Linux-3.2.0+
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2157776 Bytes = 2.1 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

init started: BusyBox v1.13.2 (2012-04-08 17:28:57 CDT)

starting pid 520, tty '': '/etc/init.d/rcS'
rS in
/etc/init.d/rcS: line 15: setterm: not found

starting pid 537, tty '/dev/ttyO0': '-/bin/sh'

Processing /etc/profile... Done

/ # check_and_upgrade:starting...
mount_fs: rw,sync,ubi1_0,/usr/bin/siglent/usr
ubi1_0unattached
attach_ubi:datafs
attach_ubi:11
UBI device number 1, total 812 LEBs (103104512 bytes, 98.3 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
MOUNT_DIR_NAME = /usr/bin/siglent/usr
TEST_RESTURN =
is_fs_mounted 0 ---
is_need_upgrade
is_need_upgrade:need upgrade
check_and_upgrade: upgrade start ...
upgrade /usr/bin/siglent/usr/usr/upgrade/MLO
upgrade /usr/bin/siglent/usr/usr/upgrade/u-boot.img

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 0 -- 100 % complete
Writing data to block 0 at offset 0x0

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 0 -- 100 % complete
Writing data to block 0 at offset 0x0

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 0 -- 100 % complete
Writing data to block 0 at offset 0x0

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 0 -- 100 % complete
Writing data to block 0 at offset 0x0

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 20000 --  6 % complete
Erasing 128 Kibyte @ 40000 -- 13 % complete
Erasing 128 Kibyte @ 60000 -- 20 % complete
Erasing 128 Kibyte @ 80000 -- 26 % complete
Erasing 128 Kibyte @ a0000 -- 33 % complete
Erasing 128 Kibyte @ c0000 -- 40 % complete
Erasing 128 Kibyte @ e0000 -- 46 % complete
Erasing 128 Kibyte @ 100000 -- 53 % complete
Erasing 128 Kibyte @ 120000 -- 60 % complete
Erasing 128 Kibyte @ 140000 -- 66 % complete
Erasing 128 Kibyte @ 160000 -- 73 % complete
Erasing 128 Kibyte @ 180000 -- 80 % complete
Erasing 128 Kibyte @ 1a0000 -- 86 % complete
Erasing 128 Kibyte @ 1c0000 -- 93 % complete
Erasing 128 Kibyte @ 1c0000 -- 100 % complete
Writing data to block 0 at offset 0x0
Writing data to block 1 at offset 0x20000
Writing data to block 2 at offset 0x40000
upgrade /usr/bin/siglent/usr/usr/upgrade/ro_uImage

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 20000 --  2 % complete
Erasing 128 Kibyte @ 40000 --  4 % complete
Erasing 128 Kibyte @ 60000 --  6 % complete
Erasing 128 Kibyte @ 80000 --  8 % complete
Erasing 128 Kibyte @ a0000 -- 10 % complete
Erasing 128 Kibyte @ c0000 -- 12 % complete
Erasing 128 Kibyte @ e0000 -- 14 % complete
Erasing 128 Kibyte @ 100000 -- 16 % complete
Erasing 128 Kibyte @ 120000 -- 18 % complete
Erasing 128 Kibyte @ 140000 -- 20 % complete
Erasing 128 Kibyte @ 160000 -- 22 % complete
Erasing 128 Kibyte @ 180000 -- 25 % complete
Erasing 128 Kibyte @ 1a0000 -- 27 % complete
Erasing 128 Kibyte @ 1c0000 -- 29 % complete
Erasing 128 Kibyte @ 1e0000 -- 31 % complete
Erasing 128 Kibyte @ 200000 -- 33 % complete
Erasing 128 Kibyte @ 220000 -- 35 % complete
Erasing 128 Kibyte @ 240000 -- 37 % complete
Erasing 128 Kibyte @ 260000 -- 39 % complete
Erasing 128 Kibyte @ 280000 -- 41 % complete
Erasing 128 Kibyte @ 2a0000 -- 43 % complete
Erasing 128 Kibyte @ 2c0000 -- 45 % complete
Erasing 128 Kibyte @ 2e0000 -- 47 % complete
Erasing 128 Kibyte @ 300000 -- 50 % complete
Erasing 128 Kibyte @ 320000 -- 52 % complete
Erasing 128 Kibyte @ 340000 -- 54 % complete
Erasing 128 Kibyte @ 360000 -- 56 % complete
Erasing 128 Kibyte @ 380000 -- 58 % complete
Erasing 128 Kibyte @ 3a0000 -- 60 % complete
Erasing 128 Kibyte @ 3c0000 -- 62 % complete
Erasing 128 Kibyte @ 3e0000 -- 64 % complete
Erasing 128 Kibyte @ 400000 -- 66 % complete
Erasing 128 Kibyte @ 420000 -- 68 % complete
Erasing 128 Kibyte @ 440000 -- 70 % complete
Erasing 128 Kibyte @ 460000 -- 72 % complete
Erasing 128 Kibyte @ 480000 -- 75 % complete
Erasing 128 Kibyte @ 4a0000 -- 77 % complete
Erasing 128 Kibyte @ 4c0000 -- 79 % complete
Erasing 128 Kibyte @ 4e0000 -- 81 % complete
Erasing 128 Kibyte @ 500000 -- 83 % complete
Erasing 128 Kibyte @ 520000 -- 85 % complete
Erasing 128 Kibyte @ 540000 -- 87 % complete
Erasing 128 Kibyte @ 560000 -- 89 % complete
Erasing 128 Kibyte @ 580000 -- 91 % complete
Erasing 128 Kibyte @ 5a0000 -- 93 % complete
Erasing 128 Kibyte @ 5c0000 -- 95 % complete
Erasing 128 Kibyte @ 5e0000 -- 97 % complete
Erasing 128 Kibyte @ 5e0000 -- 100 % complete
Writing data to block 0 at offset 0x0
Writing data to block 1 at offset 0x20000
Writing data to block 2 at offset 0x40000
Writing data to block 3 at offset 0x60000
Writing data to block 4 at offset 0x80000
Writing data to block 5 at offset 0xa0000
Writing data to block 6 at offset 0xc0000
Writing data to block 7 at offset 0xe0000
Writing data to block 8 at offset 0x100000
Writing data to block 9 at offset 0x120000
Writing data to block 10 at offset 0x140000
Writing data to block 11 at offset 0x160000
Writing data to block 12 at offset 0x180000
Writing data to block 13 at offset 0x1a0000
Writing data to block 14 at offset 0x1c0000
Writing data to block 15 at offset 0x1e0000
Writing data to block 16 at offset 0x200000
upgrade_app:starting
upgrade_app:ending
is_no_firmdata0_partition:partion 3.0
check_and_upgrade: upgrade end... rebooting

U-Boot SPL 2013.01.01-svn29730 (Mar 27 2017 - 19:02:34)
config ddr_pll_config()++
config ddr_pll_config()--
nand_init+++++
nand_init-----
Lcd_Init()++
SetUpLCD()++
SetUpLCD()--
len=768052, height=480, width=800
Logo from nandflash: base=0x81000000; end=0x810bb81f; end-base=0xbb81f; rwsize=0xbb820; r=0x0
Lcd_Init()--


U-Boot 2013.01.01-svn29730 (Mar 27 2017 - 19:02:34)

I2C:   ready
DRAM:  128 MiB
NAND:  256 MiB
MMC:   OMAP SD/MMC: 0, OMAP SD/MMC: 1
Using default environment

set_default_env::7864
musb-hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
musb-hdrc: MHDRC RTL version 2.0
musb-hdrc: setup fifo_mode 4
musb-hdrc: 28/31 max ep, 16384/16384 memory
USB Peripheral mode controller at 47401000 using PIO, IRQ 0
musb-hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
musb-hdrc: MHDRC RTL version 2.0
musb-hdrc: setup fifo_mode 4
musb-hdrc: 28/31 max ep, 16384/16384 memory
USB Host mode controller at 47401800 using PIO, IRQ 0
Net:   <ethaddr> not set. Validating first E-fuse MAC
cpsw
Hit any key to stop autoboot
(Re)start USB...
USB0:   scanning bus 0 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found
Download Linux from USB to Nandflash...
reading ro_uImage
** Unable to read file ro_uImage **
reading rootfs.img
** Unable to read file rootfs.img **
reading datafs.img
** Unable to read file datafs.img **
reading logo.bmp
** Unable to read file logo.bmp **
Booting from nand ...

NAND read: device 0 offset 0x3080000, size 0x300000
 3145728 bytes read: OK
## Booting kernel from Legacy Image at 80200000 ...
   Image Name:   Linux-3.2.0+
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2157768 Bytes = 2.1 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

init started: BusyBox v1.13.2 (2012-04-08 17:28:57 CDT)

starting pid 519, tty '': '/etc/init.d/rcS'
rS in
/etc/init.d/rcS: line 15: setterm: not found

starting pid 536, tty '/dev/ttyO0': '-/bin/sh'

Processing /etc/profile... Done

/ # check_and_upgrade:starting...
mount_fs: rw,sync,ubi1_0,/usr/bin/siglent/usr
ubi1_0unattached
attach_ubi:datafs
attach_ubi:11
UBI device number 1, total 812 LEBs (103104512 bytes, 98.3 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
MOUNT_DIR_NAME = /usr/bin/siglent/usr
TEST_RESTURN =
is_fs_mounted 0 ---
is_need_upgrade
is_need_upgrade:not need upgrade
check_and_upgrade:end...
++mount_check_copy_appdata: starting
mount_fs: ro,sync,ubi2_0,/usr/bin/siglent/firmdata0
ubi2_0unattached
attach_ubi:firmdata0
attach_ubi:9
UBI device number 2, total 400 LEBs (50790400 bytes, 48.4 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
MOUNT_DIR_NAME = /usr/bin/siglent/firmdata0
TEST_RESTURN =
is_fs_mounted 0 ---
--mount_check_copy_appdata: ending
Load Fpga Success!

ECC failed: 0
ECC corrected: 0
Number of bad blocks: 0
Number of bbt blocks: 0
Block size 131072, page size 2048, OOB size 64
Dumping data starting at 0x00000000 and ending at 0x00010000...

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 20000 -- 50 % complete
Erasing 128 Kibyte @ 20000 -- 100 % complete
The Help file load OK!!

I0101 00:00:10.685917   534 module.cpp:568] ---------------------------------------------------------------------------------------
I0101 00:00:10.711039   534 module.cpp:569]                     Creat Log
-----------------------------------------------------------------------------------------------------------------------------------
 
I0101 00:00:10.742288   534 module.cpp:464] rm -f /usr/bin/siglent/usr/log/Info_19700101-000010.534
I0101 00:00:10.832217   534 module.cpp:464] rm -f /usr/bin/siglent/usr/log/Warning_19700101-000013.534
I0101 00:00:11.008834   534 module.cpp:489]
-----------------------------------------------------------------------------------------------------------------------------------
 
vxi11_main = 11130
init_lcd_driver()++
g_vinfo.xres = 800
g_vinfo.yres = 480
g_vinfo.bits_per_pixel = 16
I0101 00:00:12.443692   655 dev_interpreter.cpp:220] Udisk = U-disk0  not found notes
Could not create log file: File exists
COULD NOT CREATE LOGFILE '19700101-000012.534'!
E0101 00:00:12.445013   655 dev_interpreter.cpp:395] the u-disk sum = -1 is error
E0101 00:00:12.467742   655 dev_interpreter.cpp:406] the device = /usr/bin/siglent/usr/media/U-disk0 umount fail
E0101 00:00:12.472785   655 dev_interpreter.cpp:421] not erase the udisk = U-disk0
I0101 00:00:13.544532   655 dev_interpreter.cpp:338]
        №ТФШUЕМ /usr/bin/siglent/usr/media/U-disk0    device = /dev/sda1
 
E0101 00:00:13.599209   655 dev_interpreter.cpp:332] the device = /dev/sda mount fail

Erasing 128 Kibyte @ 0 --  0 % complete
Erasing 128 Kibyte @ 20000 -- 50 % complete
Erasing 128 Kibyte @ 20000 -- 100 % complete
Writing data to block 0 at offset 0x0

I don't know how to hide long code, sorry.

This is after I tried the update. I wanted to copy the log but I turned it off at that moment :( and my oscilloscope is in u-boot mode permanently.

Please help me to fix my mistake.
Title: Re: Siglent .ads firmware file format
Post by: tautech on October 14, 2020, 08:10:59 pm
Hi friend, I have a bad oscilloscope,
and my oscilloscope is in u-boot mode permanently

please help me to fix my mistake
Welcome to the forum.

I have SDS1000CML+ recovery files.
By PM please send me your email and we'll see what we can do to fix it.  :)
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 16, 2020, 12:13:49 pm
Here (without app).
Title: Re: Siglent .ads firmware file format
Post by: voronin_10 on October 16, 2020, 04:26:56 pm
tv84 Thank you, ( P21R2.zip ) this file is very important,
tautech Thank you, your file is best, but send this file to this forum, many people search for it

I recovered my Siglent SDS1102CML+ with a cut MLO file and the original u-boot.img

 :-BROKE :-/O   :-DMM :box:
If your device sends CC CC CC and uBoot (U-BOOT) is dead, this instruction is for you

step 1) Download teratermpro23 (version 2.3)
step 2) Connect COM to the device, run it and set up 115200; your device sends the CC CC word to the terminal,
step 3) In WinHex, cut the original MLO file from the start up to this code 140000EA14F09FE5, and save; your cut file will start at 140000EA14F09FE5
step 4) In Tera Term, File -> Transfer -> XMODEM -> Send, open the cut MLO file; the program sends this file to the device
step 5) File -> Transfer -> XMODEM -> Send, open u-boot.img; the program sends this file to the device,

After that, on the console you see the word UBOOT#
After that, recover your device by the standard method

This message is about CC CC and recovery
http://www.mantrid.ru/forum/showthread.php?t=1657 (http://www.mantrid.ru/forum/showthread.php?t=1657)

good luck friends

by Peter Skip
Title: Re: Siglent .ads firmware file format
Post by: luudee on October 07, 2021, 04:28:53 pm
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.


Guys, does anyone have a telnet script for SDS5000x series DSO ?

Many Thanks !!!

luudee

Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 08, 2021, 04:25:35 pm
Guys, does anyone have a telnet script for SDS5000x series DSO ?

The best way is to use the SDS2000X+ method here (https://www.eevblog.com/forum/testgear/siglent-sds2000x-plus-coming/msg3006340/#msg3006340).
Title: Re: Siglent .ads firmware file format
Post by: luudee on October 09, 2021, 09:40:16 am
Guys, does anyone have a telnet script for SDS5000x series DSO ?

The best way is to use the SDS2000X+ method here (https://www.eevblog.com/forum/testgear/siglent-sds2000x-plus-coming/msg3006340/#msg3006340).

Thank you so much, that worked (even with static IP, no need for DHCP).

BUT, I can't find the password. I've been trying for an hour and nothing so far.
Tried all kinds of combinations of siglent_sds5000x ...

Any suggestions?

Many Thanks!
luudee
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 09, 2021, 10:34:29 am
BUT, I can't find the password. I've been trying for an hour and nothing so far.

User name:   'root'
Password: 'siglent_sds1000x_e'


is for shadow contents (used, at least, in SDS1000X-E and SDS2000X+):

root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/

From what you're saying SDS5000X uses another password.

You need to copy the shadow file from SDS5000X so that we can verify that. Use the attached file and then attach the file here.
Title: Re: Siglent .ads firmware file format
Post by: blurpy on October 09, 2021, 11:01:21 am
It's interesting to find out the password, but as a start you could possibly just skip it as well.

Code:
/usr/sbin/telnetd -l /bin/sh
Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 09, 2021, 11:15:50 am
It's interesting to find out the password, but as a start you could possibly just skip it as well.

Code:
/usr/sbin/telnetd -l /bin/sh

I'm getting old...  :palm:  Nonetheless, the shadow file would be interesting.
Title: Re: Siglent .ads firmware file format
Post by: luudee on October 09, 2021, 12:34:30 pm

Thanks so much, guys, very much appreciated !!!

I can now telnet in to my sds5000, with the latest firmware installed.

This is the shadow password file:
root:$6$qWDH15y1$JmmNaT8CddB4GCKIRtcel4fv5TavNr1CFZcYC2iLD6OaoVsDXIbV76S2JEmSBJ54kYrAreEBjWTJL8XIKUuu70:0:0:99999:7:::

Cheers,
rudi
Title: Re: Siglent .ads firmware file format
Post by: luudee on October 09, 2021, 01:50:28 pm

ohh crap, they changed the way licensing works :(

Last time I did it, I just had to modify one file (NSP_system_info.xml) and add the license key to it.
Now, they use two files for each option:
---x------    1 root     0               20 Jun  5  2020 options_pa_cfg.bin
---x------    1 root     0               20 Jun  5  2020 options_pa_license.txt

The text file seems to have a license key, which does not match what I am generating with the python script anymore.
And the binary file has 20 bytes, of which the first 16 are identical between all option*.bin files, only the last 6 bytes differ ...

Any clues how to generate these ?

Many Thanks,
luudee



Title: Re: Siglent .ads firmware file format
Post by: tv84 on October 09, 2021, 02:05:02 pm
It's the same scheme. You must be making a mistake. Switch to SDS5000X thread.
Title: Re: Siglent .ads firmware file format
Post by: luudee on October 09, 2021, 03:13:44 pm

Thanks guys, I figured it out ... was using an old python script; after looking through the changes, I figured it out.

Please let me know if I can be of any help to you guys!


Cheers,
rudi
Title: Re: Siglent .ads firmware file format
Post by: luudee on October 09, 2021, 03:20:59 pm

I found a permanent way to enable telnet, not sure if it will be removed by a
firmware update, but this works without a flash drive once installed:

1. mount -o remount,rw,sync /usr/bin/siglent
2. cd /usr/bin/siglent/etc/init.d
3. vi rcLocal
4. Add at the end of rcLocal: /usr/sbin/telnetd -l /bin/sh


btw, the main application on my SDS500X, is /usr/bin/siglent/sds2000hsr


Cheers,
rudi
Title: Re: Siglent .ads firmware file format
Post by: tv84 on September 26, 2022, 09:17:50 pm
SUCCESS!!!!!!!!     I know, I know, it was just a meaningless personal quest but you can't imagine the time I've spent on this...  :palm:  :-DD

Ever since the HostID and ScopeIP came into existence (in Siglent's HW) that I've been trying to discover where that info is stored and, most importantly, how it is determined and how the initial byte that always looked like a CRC/checksum was calculated. Even some forum members have participated in my endless quest...

Today is the day when that mystery came to an end!!!!!!!!  :popcorn:

After several years looking at lots of IDs, today I was once again led on a "random mistake" and googled the attached document. Once I read "The DS2401 consists of a 64-bit ROM that includes a unique 48-bit serial number, an 8-bit CRC, and an 8-bit Family Code (01h). Data is transferred serially via the 1-Wire protocol that requires only a single data lead and a ground return. ", I knew I had found what Siglent is using.

Now I just had to discover what was the CRC-8 implementation and confirm the results... It took a few minutes: CRC-8/MAXIM   :popcorn:

This IC scheme is an unbelievably simple thing that I had never heard of... Had eluded me for years because I was always focused on the other HW parts of the devices!   :palm:

So, if we take a Siglent "fictitious" ScopeID like "2F000089ABCDEF01", its CRC-8 is calculated like this:

CRC-8[01EFCDAB890000] => 2F

That confirms that Siglent seems to use the 64-bits chip ID byte-reversed. The CRC-8 is calculated with the bytes order reversed.

Time to celebrate!!  :popcorn: :popcorn:
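The check described in the post above, as an added example that is not the poster's or Siglent's code: it parses a 16-hex-digit ScopeID, reverses it into 1-Wire ROM order (family code, 48-bit serial, CRC) and recomputes CRC-8/MAXIM over the first seven bytes. The names `crc8_maxim`, `RomId` and `parse_scope_id` are hypothetical, and the sample ID is the fictitious one from the post.

```python
from dataclasses import dataclass

DS2401_FAMILY_CODE = 0x01  # family code quoted from the DS2401 datasheet in the post


def crc8_maxim(data: bytes) -> int:
    """CRC-8/MAXIM (Dallas 1-Wire): x^8 + x^5 + x^4 + 1, reflected, init 0x00."""
    crc = 0x00
    for byte in data:
        crc ^= byte
        for _ in range(8):
            # 0x8C is the bit-reversed form of polynomial 0x31.
            crc = (crc >> 1) ^ 0x8C if crc & 1 else crc >> 1
    return crc


@dataclass(frozen=True)
class RomId:
    family_code: int   # first byte on the wire, last byte of the printed ScopeID
    serial: bytes      # 48-bit serial, in the order it is printed in the ScopeID
    stored_crc: int    # first byte of the printed ScopeID
    computed_crc: int  # CRC-8/MAXIM over family code + serial in wire order

    @property
    def crc_ok(self) -> bool:
        return self.stored_crc == self.computed_crc

    @property
    def is_ds2401(self) -> bool:
        return self.crc_ok and self.family_code == DS2401_FAMILY_CODE


def parse_scope_id(scope_id: str) -> RomId:
    """Split a printed ScopeID (CRC first, family code last) and re-check its CRC."""
    try:
        printed = bytes.fromhex(scope_id.strip())
    except ValueError as exc:
        raise ValueError(f"ScopeID is not valid hex: {scope_id!r}") from exc
    if len(printed) != 8:
        raise ValueError(f"ScopeID must be 8 bytes, got {len(printed)}")
    rom = printed[::-1]  # wire order: family code, serial LSB..MSB, CRC
    return RomId(
        family_code=rom[0],
        serial=printed[1:7],
        stored_crc=rom[7],
        computed_crc=crc8_maxim(rom[:7]),
    )


if __name__ == "__main__":
    # First ID is the fictitious one from the post; the second is a constructed
    # copy with one serial bit flipped to show the CRC rejecting it.
    for sample in ("2F000089ABCDEF01", "2F000089ABCDEE01"):
        rom = parse_scope_id(sample)
        print(sample,
              f"family={rom.family_code:02X}",
              f"serial={rom.serial.hex().upper()}",
              f"crc stored={rom.stored_crc:02X} computed={rom.computed_crc:02X}",
              "OK" if rom.is_ds2401 else "MISMATCH")
```

Because this CRC has a zero initial value and no final XOR, running it over all eight bytes in wire order, CRC included, yields 0 for a valid ID.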
Title: Re: Siglent .ads firmware file format
Post by: Orange on September 27, 2022, 05:43:33 pm
SUCCESS!!!!!!!!     I know, I know, it was just a meaningless personal quest but you can't imagine the time I've spent on this...  :palm:  :-DD

Ever since the HostID and ScopeIP came into existence (in Siglent's HW) that I've been trying to discover where that info is stored and, most importantly, how it is determined and how the initial byte that always looked like a CRC/checksum was calculated. Even some forum members have participated in my endless quest...

Today is the day when that mystery came to an end!!!!!!!!  :popcorn:

After several years looking at lots of IDs, today I was once again led on a "random mistake" and googled the attached document. Once I read "The DS2401 consists of a 64-bit ROM that includes a unique 48-bit serial number, an 8-bit CRC, and an 8-bit Family Code (01h). Data is transferred serially via the 1-Wire protocol that requires only a single data lead and a ground return. ", I knew I had found what Siglent is using.

Now I just had to discover what was the CRC-8 implementation and confirm the results... It took a few minutes: CRC-8/MAXIM   :popcorn:

This IC scheme is an unbelievably simple thing that I had never heard of... Had eluded me for years because I was always focused on the other HW parts of the devices!   :palm:

So, if we take a Siglent "fictitious" ScopeID like "2F000089ABCDEF01", its CRC-8 is calculated like this:

CRC-8[01EFCDAB890000] => 2F

That confirms that Siglent seems to use the 64-bits chip ID byte-reversed.

Time to celebrate!!  :popcorn: :popcorn:
Do you think that Siglent internally keeps a mapping table where the ScopeID is linked to the Serial number of the instrument so that license generation can be done ?

Do they use Blackfin IDs for their older devices ?
Title: Re: Siglent .ads firmware file format
Post by: tv84 on September 27, 2022, 08:51:41 pm
Do you think that Siglent internally keeps a mapping table where the ScopeID is linked to the Serial number of the instrument so that license generation can be done ?

Do they use Blackfin IDs for their older devices ?

1. Yes.

2. No. In the old SDS2000X/SDS1000X they use the same (or very similar) ID chips but only consider the inner 6 bytes. The family ID and CRC8 are discarded for the ScopeID construction.
Title: Re: Siglent .ads firmware file format
Post by: Mick B on March 16, 2023, 07:26:36 pm
Is the telnet_SSA3032X_Plus.zip (224.02 kB) OK to use on the SSA3032X?
Thanks, just making sure
Title: Re: Siglent .ads firmware file format
Post by: tv84 on November 03, 2023, 07:47:32 pm
Here is the file to get telnet access to the SDG6000X-E (China model).

Product_ID = 10900
Title: Re: Siglent .ads firmware file format
Post by: boolhead on November 06, 2023, 03:05:55 am
 :-+ :-+ :-+, Hi tv84, it works for the model SDG6012X-E :clap:, by following the steps from this tip:

I'm clearly no expert.
would it be possible to get a step by step procedure to unlock this device ?

Attached are my notes I made of the process.
Title: Re: Siglent .ads firmware file format
Post by: rloc on April 06, 2024, 10:05:15 am
Hi all!

Who knows how to unpack the *.ads firmware of Siglent SDS800X-HD based on the Zynq US+ platform?

https://siglentna.com/service-and-support/firmware-software/digital-oscilloscopes/#sds800x-hd-series