Author Topic: Siglent .ads firmware file format  (Read 62133 times)

Offline steffenmauch

  • Contributor
  • Posts: 30
  • Country: de
Siglent .ads firmware file format
« on: January 30, 2016, 11:01:46 pm »
Hey,

Does any of you have more information on how the .ads file from Siglent can be read?
I am curious what kind of encryption is used.
Some dumps are available of e.g. the SDG2000x application ... has anyone with IDA skills already been successful?

Thanks.
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #1 on: January 31, 2016, 05:20:04 am »
> Hey,
>
> does anyone of you have more information how the .ads file from Siglent can be read?
> I am curious what kind of encryption is used.
> Some dumps are available of e.g. the SDG2000x application ... anyone with IDA skills has been already successful?
>
> Thanks.

According to a Google search the .ads file format is probably linked to the Linux OS
http://fileinfo.com/extension/ads

In a recent interview by Dave with the head of Siglent Eric Quin it was revealed the main OS in Siglent products was Linux.
Sorry, that's all I know but it might point you in the right direction.  ;)

FYI for all Siglent products that I have installed new FW, the FW updates have been in .ads format. (unpacked and ready to install)
Avid Rabid Hobbyist
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 7888
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: Siglent .ads firmware file format
« Reply #2 on: January 31, 2016, 06:04:01 am »
Ah, thanks for the references tautech.
I TEA.
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 3069
  • Country: fi
  • Starting with DLL21
Re: Siglent .ads firmware file format
« Reply #3 on: January 31, 2016, 08:38:29 am »
I do not want to say this has anything to do with Siglent equipment, but about .ADS:
It is a file extension used by Ada.

Whether it (the file extension) is a coincidence or not, I will not take any position.
Of course, it would be interesting if Siglent uses it or has been in contact with this Ada. (military, aviation, industry...)

If there is Linux, http://www.pegasoft.ca/resources/boblap/4.html
(The Big Online Book of Linux Ada Programming)

What is Ada?
https://www.adacore.com/adaanswers/about/ada

example
  three_d.ads
    three_d-opengl.ads
    three_d-animation.ads
      three_d-animation-sequences.ads
« Last Edit: January 31, 2016, 08:43:48 am by rf-loop »
If practice and theory is not equal it tells that used application of theory  is wrong or the theory itself is wrong.
It is much easier to think an apple fall to the ground than to think that the earth and the apple will begin to move toward each other and collide.
 

Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Siglent .ads firmware file format
« Reply #4 on: February 01, 2016, 03:15:43 am »
I have reverse-engineered the ads firmware file format of SDG2000X. I think others might use the same format but a different encryption key.
 

Offline steffenmauch

  • Contributor
  • Posts: 30
  • Country: de
Re: Siglent .ads firmware file format
« Reply #5 on: February 01, 2016, 07:32:54 am »
@analogNewbie:
Could you share your information about the cryptography being used as well as how to find the encryption key?
 

Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Siglent .ads firmware file format
« Reply #6 on: February 01, 2016, 08:55:29 am »
I found the key and decrypt code in the SDG2000x app file with IDA. It's not so easy to do. You have to be very familiar with the 3DES algorithm, since they modified it or implemented it the wrong way.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #7 on: June 23, 2016, 12:25:56 pm »
One day I took my notepad and calculator out again (ads0.jpg)
and took a good look inside the SDG2000 ads file.
Since they overwrite the passwd file during a new firmware upgrade, this file must be changed
if you would like to log in by telnet. But what kind of file is this ADS? I have not found the crypt yet but can show
some files. Firmware P17R5 and P21R2 have the same root password but I think this is not
crackable and because of the update this has no point either. (ads1.jpg)
The zipped passwd file is very similar to this section in the ADS file. (ads2.jpg)
But there is one trick they have done. After the firmware file is complete they XOR-ed it with FF by
some kind of pattern. One such point is at position 15BD. (ads3.jpg)
All may not be fully accurate but may illustrate a bit of this structure from
the P21R2.ADS or P17R5.ADS file here:
(after I XOR-ed 71 back to 8E)
Code:
00000000 | 50 4B 03 04 14 00 00 00 08 00 11 56 2F 48 8B 48 | PK.........V/H?H |
00000010 | 08 21 3B 00 00 00 3C 00 00 00 0E 00 1C 00 61 70 | .!;...<.......ap |
00000020 | 70 2F 65 74 63 2F 73 68 61 64 6F 77 55 54 09 00 | p/etc/shadowUT.. |
00000030 | 03 02 5E 98 56 02 5E 98 56 75 78 0B 00 01 04 E8 | ..^?V.^?Vux....? |
00000040 | 03 00 00 04 E8 03 00 00 2B CA CF 2F B1 52 31 54 | ....?...+?Ž/?R1T |
00000050 | F1 F3 29 F7 CD 32 F4 AF 50 31 AC 34 89 74 4B 8E | ±¾)„?2¶»P1¼4?tKÄ |
00000060 | 88 CC 8C F2 F4 29 0C 4D CD 70 71 F3 2E 75 32 B4 | ???“¶).M?pq¾.u2? |
00000070 | 32 34 35 33 37 B2 32 B0 B2 04 01 2B 73 2B 2B 2B | 24537?2??..+s+++ |
00000080 | 2E 2E 00                                        | ...              |


Signature 50 4B 03 04
Version 14 00 (= 20 -> 2.0)
Flags 00 00 (no flags)
Compression method 08 00 (deflated)
File modification time 11 56 (0101 0110 0001 0001)
hour   = (01010)11000010001 = 10
minute = 01010(110000)10001 = 48
second = 01010110000(10001) = 17 = 34 seconds
10:48:34
File modification date 2F 48 (0100 1000 0010 1111)
year  = (0100100)000101111 = 36
month = 0100100(0001)01111 = 1
day   = 01001000001(01111) = 15
01/15/2016
Crc-32 checksum 8B 48 08 21 (2108488B)
Compressed size 3B 00 00 00 (59 bytes)
Uncompressed size 3C 00 00 00 (60 bytes)
File name length 0E 00 (14 bytes)
Extra field length 1C 00 (28 bytes)
File name "app/etc/shadow"
Extra field id 55 54: extended timestamp, size: 9 bytes
data size 09 00 (9 bytes)
data bytes 03 02 5E 98 56 02 5E 98 56
id 75 78 (Unix UID/GID)
data size 0B 00 (11 bytes)
data bytes 01 04 E8 03 00 00 04 E8 03 00 00
Packed data 2B CA CF 2F ...... 2E 2E 00 (59 bytes)
 
The following users thanked this post: AxaRu
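
Added example (not part of the original posts): the hand decoding above, done by a small Python parser over the same 0x83 bytes. It goes one step further than the post by comparing the DOS local time with the UTC value in the "UT" extra field, which gives the UTC offset of the machine that packed the archive; all function names are made up for this sketch.

```python
import struct
import zlib
from datetime import datetime, timezone

# The 0x83 bytes of the dump in the post above, copied as posted.
DUMP = bytes.fromhex("""
50 4B 03 04 14 00 00 00 08 00 11 56 2F 48 8B 48
08 21 3B 00 00 00 3C 00 00 00 0E 00 1C 00 61 70
70 2F 65 74 63 2F 73 68 61 64 6F 77 55 54 09 00
03 02 5E 98 56 02 5E 98 56 75 78 0B 00 01 04 E8
03 00 00 04 E8 03 00 00 2B CA CF 2F B1 52 31 54
F1 F3 29 F7 CD 32 F4 AF 50 31 AC 34 89 74 4B 8E
88 CC 8C F2 F4 29 0C 4D CD 70 71 F3 2E 75 32 B4
32 34 35 33 37 B2 32 B0 B2 04 01 2B 73 2B 2B 2B
2E 2E 00
""")

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte ZIP local file header


def dos_datetime(dos_date, dos_time):
    """Decode the packed MS-DOS date/time words (local time, 2 s resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0x0F, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def parse_extra(extra):
    """Walk the (id, size, data) records of the extra field."""
    out, pos = {}, 0
    while pos + 4 <= len(extra):
        rec_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if len(data) != size:
            raise ValueError("extra field record runs past the end")
        if rec_id == 0x5455 and size >= 5 and data[0] & 1:
            # "UT" extended timestamp: flag byte, then 32-bit Unix times in UTC
            out["mtime_utc"] = struct.unpack_from("<I", data, 1)[0]
        elif rec_id == 0x7875 and size >= 3:
            # "ux" Unix UID/GID: version, uid length + uid, gid length + gid
            uid_len = data[1]
            out["uid"] = int.from_bytes(data[2:2 + uid_len], "little")
            gid_len = data[2 + uid_len]
            out["gid"] = int.from_bytes(data[3 + uid_len:3 + uid_len + gid_len], "little")
        pos += 4 + size
    return out


def parse_local_header(buf):
    """Parse one ZIP local file header and slice out its compressed payload."""
    if len(buf) < LOCAL_HDR.size:
        raise ValueError("truncated local file header")
    (sig, version, flags, method, dtime, ddate,
     crc, csize, usize, nlen, xlen) = LOCAL_HDR.unpack_from(buf)
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    name_end = LOCAL_HDR.size + nlen
    data_start = name_end + xlen
    if data_start + csize > len(buf):
        raise ValueError("header lengths point past the end of the buffer")
    return {
        "version": version, "flags": flags, "method": method,
        "modified_local": dos_datetime(ddate, dtime),
        "crc32": crc, "compressed_size": csize, "uncompressed_size": usize,
        "name": buf[LOCAL_HDR.size:name_end].decode("ascii"),
        "extra": parse_extra(buf[name_end:data_start]),
        "payload": buf[data_start:data_start + csize],
    }


def utc_offset_hours(hdr):
    """DOS time is the packer's local time, the UT field is UTC: the gap is its UTC offset."""
    utc = datetime.fromtimestamp(hdr["extra"]["mtime_utc"], tz=timezone.utc).replace(tzinfo=None)
    return (hdr["modified_local"] - utc).total_seconds() / 3600


def payload_matches_header(hdr):
    """Inflate the raw deflate stream and compare size and CRC-32 with the header."""
    if hdr["method"] != 8:
        return False
    try:
        plain = zlib.decompressobj(-zlib.MAX_WBITS).decompress(hdr["payload"])
    except zlib.error:
        return False
    return len(plain) == hdr["uncompressed_size"] and zlib.crc32(plain) == hdr["crc32"]


if __name__ == "__main__":
    h = parse_local_header(DUMP)
    print(h["name"], h["modified_local"], f"crc32={h['crc32']:08X}", h["extra"])
    print("packer UTC offset (hours):", utc_offset_hours(h))
    print("payload matches header:", payload_matches_header(h))
```
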

Offline kmike

  • Contributor
  • Posts: 27
  • Country: de
Re: Siglent .ads firmware file format
« Reply #8 on: June 23, 2016, 03:19:00 pm »
Anyway, if someone wants to give it a try:
root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1:15672:0:99999:7:::

edit: this is of course encrypted  :(

br,
mike
« Last Edit: June 23, 2016, 03:32:09 pm by kmike »
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Siglent .ads firmware file format
« Reply #9 on: June 23, 2016, 05:29:44 pm »
I had started John The Ripper running against that password back on the 18th just out of curiosity (haven't used a password cracker in so long, probably didn't do it right) and then forgot about it shortly after that. After seeing your post I remembered and so checked in on it. It had run for close to 3 days until we lost power the other night and my computer had shut down. No luck on getting the password, so either I did something wrong when I started running the cracker or they didn't pick a super simple password (at least that would be in the word file I used). Probably a combination of the two.

Edit: Typos
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 2992
  • Country: ca
  • GHz
Re: Siglent .ads firmware file format
« Reply #10 on: June 23, 2016, 05:32:31 pm »
I'll probably give it a shot as well and will start it running tonight. The last one I did took several days, I'm not using the fastest computer around.
VE7FM
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #11 on: June 23, 2016, 11:14:47 pm »
If you want to beat my notepad and calculator...
you need
https://hashcat.net/oclhashcat/
and
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
https://sagitta.pw/hardware/gpu-compute-nodes/brutalis/
The password is not simple and short and not from some dictionary. For a reasonable time you need to come up with
some masks and rules too. (I tried them with a single R9 390 : )

(Found that FF XOR mask. Next I think I need checksum or something)
 
The following users thanked this post: AxaRu

Offline kmike

  • Contributor
  • Posts: 27
  • Country: de
Re: Siglent .ads firmware file format
« Reply #12 on: June 24, 2016, 11:45:30 am »
After watching a nice video, I decided to open up my generator.

No rust in there   ;D

The serial port is easily accessible, and the command prompt is also there. After connecting the normal "upgrade" can still be done.

br,
mike

 
The following users thanked this post: tautech, AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #13 on: June 24, 2016, 12:56:03 pm »
But how about this, the ads file is too easily accessible
 
The following users thanked this post: tautech, AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #14 on: June 25, 2016, 06:53:18 pm »
This is better but they are driving my notepad and calculator to red hot.
There are some tricks they have done, I never guess all of them.
But all ADS files are not the same. Scopes for example are not
like this SDG800 based generator and multimeter. But spectrum
analyzer is.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #15 on: June 30, 2016, 05:44:44 pm »
So far I managed to scroll up and down with notepad and calculate some patterns to open
and extract similar ADS files. But I can't get all out of them and run on something at the end
of the file. Some portion of ZIP data from some small places is changed. Maybe this is the crypt...
 
The following users thanked this post: MasterTech

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #16 on: July 01, 2016, 01:16:45 pm »
So what code are you using to work out the initial decode of the ADS files?

Has anyone started on the SDG10xx model firmware ?

--
 Darryl

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #17 on: July 13, 2016, 03:33:18 pm »
There are many different ADS file types. SDG1000 has some XOR FF patterns similar
to other packed multi-file firmwares but inside it is like some kind of boot or
dump image. As you know the SDG1000 series is similar to the LeCroy WaveStation
and the firmware files are very similar too. Like wavestation_2000_v1.01.02.36.ads
and SDG1000-V100R001B01D01P36.ADS. Half of the file is practically the same.
https://www.eevblog.com/forum/testgear/siglent-sdg1000-(aka-lecroy-wavestation)-firmware-updates/
SDG800 and SPD3303X files are a bit similar to it but SDS2000X file is very different again.

I have no progress with 3des and can't read the whole file. I can't disassemble apps.
I can, but I don't see there anything understandable...

I don't have notepad powerful enough : (  and calculator : ( and paper big enough
I think my pencil is not sharp enough.
 
The following users thanked this post: AxaRu

Offline flynnjs

  • Contributor
  • Posts: 24
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #18 on: July 13, 2016, 10:53:24 pm »
The 3DES key is fairly easy to find as are the 3DES functions.
I haven't been bothered to pick through them yet to see what has
been implemented in a non standard way...

Is it the key expansion, the order of the functions..? Give us a clue   :=\

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #19 on: July 15, 2016, 02:59:27 pm »
After choosing a better hammer for the SDG1000 file I see 2 files there. They are using the same XOR FF
pattern and part of the file is crypted. One file is some FPGA data? And the other is some binary program?
But what kind of... nowhere do I see the familiar signatures.
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #20 on: July 15, 2016, 05:04:51 pm »
Oh please tell more on the SDG1000 series.  Clues as to your work method would be interesting and educational.

--
 Darryl

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #21 on: July 15, 2016, 07:47:52 pm »
Let's take a look in SDG1000-V100R001B01D01P31.ADS for example:

Like most of the firmwares, they are turned around. So the first step is to turn the file around (or look at it backwards).
The next step is to XOR FF it with pattern bytes 0, 1, 3, 6, A, F and so on - spacing increasing by 1. But this isn't all,
next XOR FF it from the center -> the file has a 72-byte header (now at the end) -> (file length - 72)/2
For now we can investigate something but this isn't all. There are 2 crypted parts: 5120 bytes and 10239 (27FF)
bytes at the end + there are 72 bytes of something... The file is turned over before crypt so they are calculated actually
from the file beginning (I believe ...) So the second crypt is from 2E777 after the header.
Let's forget this part at this time.

File is (now) beginning with:

E8 E6 01 FF 94 32 05 00 01 00 00 00 19 EE 01 FF     ----  05 32 94 is promising and next 05 32 7C too
7C 32 05 00 66 70 67 61 20 64 61 74 61 00 12 00     ----  ____FPGA DATA___
8F 04 D4 77 FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF AA 99 55 66 30 A1 00 07 20 00 31 A1

It turns out that 05 32 94 is the data from the beginning of the first file header to the beginning of the second file header, and
05 32 7C is from the end of the FPGA data file header and this is the file length. So the first file header begins
with 19 EE 01 FF... and the file data starts with FF FF FF...
The first file ends:

30 A1 00 0D 20 00 20 00 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00   <---- here is the end of first file
E1 ED 9E FA C6 FA 0A 00 02 00 00 00 40 00 00 00   ---- from E1 ED... is starting second file header
80 00 FF 00 04 00 00 00 00 00 00 00 12 00 00 00

There is 0A FA C6... this is promising. This is the second file's data length. So the data begins with
40 00 00 00 80 00 FF 00... then it ends in the right place and the rest is 72 bytes.
But, now, the two regions in the second file are crypted.

They have the same crypt and key and patterns in other firmware files too and if you show me
this crypt procedure I can show you more... With the same procedure I am opening all other
firmware files here, with notepad or this file viewer-compare and calculator. Actually I use hexedit too.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #22 on: July 16, 2016, 06:44:36 am »
We can continue with some analysis because I have to have the eeprom dump.
The second file is like a "self extracting archive"? From address CFE4 the visual picture of the data
changes rapidly and 78 9C EC 7D is the zlib compression magic number. From here to the end is
an archive and it can be unpacked. The unpacked file is readable and contains all kinds of stuff. There
are all the same DES constants and HTML and text...
So this is the executable, how to disassemble this?
 

Offline MasterTech

  • Frequent Contributor
  • **
  • Posts: 883
  • Country: 00
Re: Siglent .ads firmware file format
« Reply #23 on: July 16, 2016, 07:23:09 am »
Hi janekivi,
what tools do you use to make the XORs, turn around files etc...
or you just do it with self programmed code?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #24 on: July 16, 2016, 08:26:35 am »
I have Python and I google around to find procedures I need and then hack something together like:

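Code:
# XOR 0xFF into the bytes at offsets 0, 1, 3, 6, 10, 15, ... (the gap grows by 1 each step)
in_path = 'rev_P31.ADS'
out_path = 'Xor_2_' + in_path
with open(in_path, 'rb') as f:
    b = bytearray(f.read())
a = 0  # current gap between flipped bytes
j = 0  # offset of the next byte to flip
i = len(b)
while j < i:
    b[j] ^= 0xFF
    j = j + a + 1
    a = a + 1
with open(out_path, 'wb') as f:
    f.write(b)
print(' * XOR with increasing pattern done * ')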
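And then I can change the variables there and change the starting addresses

Code:
# Variant of the loop above (b is the bytearray loaded there):
# flip every byte from the centre of the data to the end of the file
i = len(b)
j = len(b) // 2 - 36  # integer division, so j is a valid index in Python 3
while j < i:
    b[j] ^= 0xFF
    j = j + 1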

And reverse example:
Code:
# Write a byte-reversed copy of the firmware file
src_file_path = 'P31.ADS'
reversed_path = 'rev_' + src_file_path

with open(src_file_path, 'rb') as src_file:
    byte_list = src_file.read()
with open(reversed_path, 'wb') as outfile:
    outfile.write(byte_list[::-1])

I modify them a lot and there are unneeded parts and different rows sometimes...
« Last Edit: July 16, 2016, 08:50:32 am by janekivi »
 

Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Siglent .ads firmware file format
« Reply #25 on: July 16, 2016, 12:51:12 pm »
Sorry, I posted the unpack script a few minutes ago and I've deleted it. I have figured out the ADS file format shared by SDG2000x, SSA3000x etc.

There are some other reasons I have not released the code:
1) the "upgrade" mechanism for SDG2042x to 120MHz is still working.
2) if Siglent fixes the bug, a license can be generated to keep the 120MHz ability. I have made a license generator.
3) if the telnet/ssh connection is blocked someday and a white list is embedded, an unofficial ADS file can be made to unblock it.
4) I am a little bit worried about the consequences.
5) I expect that Siglent keeps using this format in the future.

So, if you are the owner of SDG2042x , do not be worried about losing the 120MHz.
If you want to do some research on the options of something like SSA3000x or so, I can send the ELF file to you.



For the 3DES, they implemented the wrong way, here is the algorithm they use.
« Last Edit: July 16, 2016, 12:58:49 pm by analogNewbie »
 
The following users thanked this post: flynnjs, tv84, janekivi, Safar

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #26 on: July 16, 2016, 03:21:23 pm »
This is working fine.
As you may know I did handle crypted files with notepad and calculator not knowing anything
about crypt or cryptography or key : ) But with knowing something is always more productive.
I still do not know much...
 

Offline flynnjs

  • Contributor
  • Posts: 24
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #27 on: July 16, 2016, 04:08:32 pm »
> For the 3DES, they implemented the wrong way,

Thanks for that, it would have taken me quite a while to pick through that.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #28 on: July 17, 2016, 01:50:45 pm »
I had an idea to change the shadow file contents and crc in both places.
All info was outside the crypted area too. But what is in the header before
every file inside the update? SDG2000X P21R2.ADS has only one zip inside.
But if you have SDM3055 transition.ads there are many files.

12 1E B1 8F   59 C5 DA 00   07 00 00 00   00 00 00 00
00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
00 00 00 00   50 4B 03 04   0A 00 00 00   00 00 42 A0

The zip file starts with 50 4B 03 04 and its length is DA C5 59.
07 may be the zip file type, u-boot has 01 there, ELF has 03...
The first 4 bytes must be related to the following file somehow.
I'm staring at this ads reading script in IDA but...
The main 112 byte header is even crazier
 

Offline analogNewbie

  • Contributor
  • Posts: 46
  • Country: cn
Re: Siglent .ads firmware file format
« Reply #29 on: July 19, 2016, 01:37:38 am »
8fb11e12 is the checksum of the current section, 00dac559 is the length, 07 is the section type.

If you just need to unpack the package, the first 112 bytes are not needed.

There is a byte exchange process after the decryption. The algorithm is not complex, but it cannot be done by comparing different files. You need to play with IDA.

good luck
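
Added example (not from either poster): a Python sketch that reads the three fields named above from the 64 bytes posted in the previous message and walks a chain of such sections with bounds checks. It assumes a 0x34-byte section header (the ZIP signature sits at offset 0x34 in that dump), 32-bit little-endian fields, a length that counts payload bytes only, and sections stored back to back; the type names are the guesses made in the thread and the function names are invented here.

```python
import struct

# First 64 bytes of the section quoted in the previous post, copied as posted.
POSTED = bytes.fromhex("""
12 1E B1 8F 59 C5 DA 00 07 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 50 4B 03 04 0A 00 00 00 00 00 42 A0
""")

HEADER_SIZE = 0x34  # assumption: payload starts where the ZIP signature sits in that dump
# Section type codes as guessed in the thread; not confirmed anywhere on the page.
TYPE_GUESS = {0x01: "u-boot", 0x03: "ELF", 0x07: "zip"}
# Well-known magic numbers, used to cross-check the declared type.
MAGICS = [(b"PK\x03\x04", "zip"), (b"\x7fELF", "ELF"), (b"\x1f\x8b", "gzip")]


def sniff(payload):
    """Name the payload format from its first bytes, or 'unknown'."""
    for magic, name in MAGICS:
        if payload.startswith(magic):
            return name
    return "unknown"


def parse_section(image, offset=0):
    """Read checksum, length and type (little-endian) from one section header."""
    if offset + HEADER_SIZE > len(image):
        raise ValueError(f"section header at {offset:#x} is truncated")
    checksum, length, sec_type = struct.unpack_from("<III", image, offset)
    start = offset + HEADER_SIZE
    return {
        "offset": offset, "checksum": checksum, "length": length, "type": sec_type,
        "type_guess": TYPE_GUESS.get(sec_type, "unknown"),
        "magic": sniff(image[start:start + 4]),
        "payload_start": start, "payload_end": start + length,
    }


def walk_sections(image, offset=0):
    """Follow the length fields from section to section, refusing to read past the end."""
    sections = []
    while offset < len(image):
        sec = parse_section(image, offset)
        if sec["payload_end"] > len(image):
            raise ValueError(
                f"section at {offset:#x} claims {sec['length']} bytes, past the end of the image")
        sections.append(sec)
        offset = sec["payload_end"]
    return sections


def build_section(sec_type, payload, checksum=0):
    """Constructed test data only; the checksum is a dummy (its algorithm is not on the page)."""
    header = struct.pack("<III", checksum, len(payload), sec_type)
    return header.ljust(HEADER_SIZE, b"\0") + payload


if __name__ == "__main__":
    s = parse_section(POSTED)
    print(f"checksum={s['checksum']:08x} length={s['length']:08x} "
          f"type={s['type']} ({s['type_guess']}), payload looks like {s['magic']}")
    # Constructed two-section image to exercise the walker.
    image = build_section(1, b"\0" * 16) + build_section(7, b"PK\x03\x04" + b"\0" * 8)
    for sec in walk_sections(image):
        print(hex(sec["offset"]), sec["type_guess"], sec["length"], sec["magic"])
```
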

 

Offline dav

  • Regular Contributor
  • *
  • Posts: 133
  • Country: it
Re: Siglent .ads firmware file format
« Reply #30 on: July 21, 2016, 07:06:14 am »

> 2) if  siglent fixes the bug. A license can be generated to keep the 120MHz ability. I have made a license generator.

What do you think to share the license generator?
 

Offline new299

  • Regular Contributor
  • *
  • Posts: 106
Re: Siglent .ads firmware file format
« Reply #31 on: August 04, 2016, 03:04:01 pm »
Hi guys,

Do you think you might be able to help me extract u-boot (including the SPL) from the firmware images, it seems to be present in SDG_transitional.ads.

I've been trying to unpack the ads files myself. I can see the first header (so called 112byte header above) and it's about the right size (130k) for the u-boot spl. However what follows doesn't look like any kind of binary (very low complexity).

Could you tell me how the firmware files are organised? Are there a bunch of headers at the start of the ADS? Or all the different parts of the ads prefixed with a header?

Failing that, if you'd be willing to send me an extracted u-boot for an SDG800 I'd be most grateful.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #32 on: August 04, 2016, 03:59:58 pm »
I'm looking in different firmware files. Many of them have u-boot.
Here is one from SDG800 V100R008B01D01P12R2.ADS
But SDG800_transition.ADS has 3-4 files in it and I don't know
their names. Best bet is this: http://wikisend.com/download/483710/from_transition.zip
File start is promising and from 00 00 4B 30 is starting GZIP
(Header - 1F 8B 00) and You can unpack it to have more of
files. One of them I recognize as logo...
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #33 on: August 04, 2016, 04:43:50 pm »
...or this is app file with all stuff inside. I don't know about Linux much.
Inside was this image:
« Last Edit: August 04, 2016, 05:21:56 pm by janekivi »
 

Offline new299

  • Regular Contributor
  • *
  • Posts: 106
Re: Siglent .ads firmware file format
« Reply #34 on: August 05, 2016, 07:08:27 am »
> ...or this is app file with all stuff inside. I don't know about Linux much.
> Inside was this image:

Thank you, so so much for your help! Using the files you posted I was able to recover my Siglent to u-boot. I think it should be relatively easy to get the system booting to Linux now. I wrote up my notes here:

http://41j.com/blog/2016/08/sdg800-recovering-from-a-hosed-u-boot/
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #35 on: August 05, 2016, 09:09:05 pm »
After some needed help and more notepad and head scratching my SDG2000X-P21R2
user is root and password is... you guess...
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #36 on: August 05, 2016, 09:58:56 pm »
If You take SDG2000X-P21R2.rar and let bspatch to use difference on it like:
bspatch.exe SDG2000_V200R001B01D01P21R2.ADS NewFirmware.ADS difference
and SDG2042X accept NewFirmware.ADS and new password, 7 char, lowercase,
starting with ee, everybody know here...
http://www.daemonology.net/bsdiff/
 
The following users thanked this post: Hagrid, Safar

Offline new299

  • Regular Contributor
  • *
  • Posts: 106
Re: Siglent .ads firmware file format
« Reply #37 on: August 06, 2016, 02:37:33 am »
> If You take SDG2000X-P21R2.rar and let bspatch to use difference on it like:
> bspatch.exe SDG2000_V200R001B01D01P21R2.ADS NewFirmware.ADS difference
> and SDG2042X accept NewFirmware.ADS and new password, 7 char, lowercase,
> starting with ee, everybody know here...
> http://www.daemonology.net/bsdiff/

Neat! I wonder if the same trick can be used on the SDG800

I tried editing the flash dumps directly but I think I screwed up the UBI filesystem. I'm planning to try properly mounting the FS and changing /etc/shadow but on my last attempt it didn't mount cleanly (not sure why, some kind of header). I might try doing it on the device using the sdg800_transitional.ads rootfs (which exposes a bash prompt) to mount the other FS.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #38 on: August 06, 2016, 07:39:07 am »
I can try this but You must test it : )
I don't have many instruments here...

It would be as easy as sdg1042x if I get somehow 271 bytes packed data of shadow file for zip to replace.
So You come up with all kind of password hash and pack new shadow file and if packed size is 271 bytes,
send zip to me...
I was using the same salt for sdg2042x but it doesn't matter now.
https://quickhash.com/crypt3-md5-online

This part is cut from P12R2 where needed new data(bytes 40 - 14E)

There is cool hex editor: 010 Editor, where You can use templates to analyze all kind of files
and it is decoding all fields for You, it will calculate checksums and do more of other stuff...
« Last Edit: August 06, 2016, 10:11:03 am by janekivi »
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #39 on: October 15, 2016, 07:46:59 pm »
It was a bit silent here... but now possibly I can make new ZIP files for firmware and replace
files in it. And passwords too. Supported are the kinds of firmware files that have that same
format. For SDG800 the boot logo can possibly be replaced.
But for now I can only confirm working files with SDG2048X and some hacks with SDG1025.
Nobody else has reported anything back...
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #40 on: October 17, 2016, 08:40:06 am »
I've struggled to get the file (on the SDG1020 I have) fully un-encrypted to allow study of the bandwidth unlock feature.

--
 Darryl

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #41 on: October 17, 2016, 02:58:04 pm »
I can give to you something newer too but on first page here I talk about
SDG1000-V100R001B01D01P31.ADS and there are files too.
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: Siglent .ads firmware file format
« Reply #42 on: October 17, 2016, 03:30:39 pm »
Yes I've started with them, but it's the version 36 or 37 that has a menu option for bandwidth upgrade via a key number

--
 Darryl

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #43 on: October 17, 2016, 04:12:56 pm »
Ok. Let's see what is inside 37R3.
In firmware are 2 files. From header you see 00 00 00 00 padding and then is CRC, length, file type (fpga data).
FPGA DATA CRC is next, then length and  file is starting. Length is pointing us to the next file start 00 05 3A 2C.
There you find CRC, part length 00 0A C9 30 and this is firmware end too. Next 00 00 00 02 is part type I think
and app is starting from 00 05 32 B8 with 40 00 00 00 80 00 FF 00 ... ...
Exactly the same they are in flash chip too. No more magic. But the same thing there with packed part from
00 00 CF E4.

decrypted 37R3
 
The following users thanked this post: skench

Offline hafrse

  • Regular Contributor
  • *
  • Posts: 59
Re: Siglent .ads firmware file format
« Reply #44 on: October 20, 2016, 08:15:23 pm »
> After watching a nice video, I decided to open up my generator.
>
> No rust in there   ;D
>
> The serial port is easily accessible, and the command prompt is also there. After connecting the normal "upgrade" can still be done.
>
> br,
> mike

Great information! Just want to know how to convert that to USB or an old RS232 to USB adapter. Thanks
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #45 on: October 21, 2016, 03:15:56 pm »
If you want telnet, read 7-8 posts upwards where I have 21R2 password hack
I can do them for other instruments too

Ok, link if you can't patch it: SDG2000_eevblog_P21R2.ADS
« Last Edit: October 21, 2016, 03:27:59 pm by janekivi »
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #46 on: October 26, 2016, 08:57:55 pm »
One day there was nothing to do and I did learn C#. I wanted to click everything with mouse.
I click on Python files too but for this I need input and output filenames in there for every time.
This wasn't fun.
So I converted all scripts from this thread to C# and got very hyper super mega flexible
powerful great utility. As much as for functionality there is not forgotten look too.
But is it useful...
 

Offline hafrse

  • Regular Contributor
  • *
  • Posts: 59
Re: Siglent .ads firmware file format
« Reply #47 on: October 27, 2016, 03:21:43 pm »
> If you want telnet, read 7-8 posts upwards where I have 21R2 password hack
> I can do them for other instruments too
>
> Ok, link if you can't patch it: SDG2000_eevblog_P21R2.ADS

Thanks for the information, what I understand is that SDG2000_V200R001B01D01P21R2.ADS is the patched file for 21R2 where I can use telnet and upgrade the bandwidth as version SDG2000_V200R001B01D01P17R5.ADS ?
Many thanks in advance!
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #48 on: October 27, 2016, 03:46:41 pm »
No.
If you take original SDG2000_V200R001B01D01P21R2.ADS
and patch it with "bsdiff.exe" using "difference" You get patched file
and patched like this is file from the link: SDG2000_eevblog_P21R2.ADS
....
where You can use telnet and do whatever... things...

But now I must do newer from latest firmware P22R5... : )
Or someone like to calculate password?
root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1
 

Offline hafrse

  • Regular Contributor
  • *
  • Posts: 59
Re: Siglent .ads firmware file format
« Reply #49 on: October 27, 2016, 05:42:57 pm »
> No.
> If you take original SDG2000_V200R001B01D01P21R2.ADS
> and patch it with "bsdiff.exe" using "difference" You get patched file
> and patched like this is file from the link: SDG2000_eevblog_P21R2.ADS
> ....
> where You can use telnet and do whatever... things...
>
> But now I must do newer from latest firmware P22R5... : )
> Or someone like to calculate password?
> root:$1$NLwMj1Ox$1y4YFcXYiZILqUehDFKuB1

Got it!
I need to find the exe file bsdiff.exe, do you have it ? thanks
 
The following users thanked this post: Dhekhanur

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #50 on: October 27, 2016, 06:23:06 pm »
 
The following users thanked this post: kado, [IDC]Dragon, Safar, AxaRu

Offline hafrse

  • Regular Contributor
  • *
  • Posts: 59
Re: Siglent .ads firmware file format
« Reply #51 on: October 27, 2016, 07:32:41 pm »
Yes, I got it from the link there
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg998481/#msg998481


And I changed here root password too SDG2000_eevblog_P22R5.ads
works fine, thanks for your valuable contribution !!!!!!!!!!!!!!!!!!!!!!
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #52 on: November 01, 2016, 09:38:15 pm »
One ADS format is torn to bits... you know... bits. OK.
But what about the other ADS, like the one for scopes?

Let's take one and start looking. Maybe we'll find something.
This is how it all looks to me. I take SDS2000X and SDS1000X files here and compare them.
There is a header, and the parts have a 72 byte header. Hard to tell about the header and first
file line but I start from the start. First 4 bytes is 00123456? The next 8 bytes are the parts
table. One byte represents one part, and if it's present there is 01, otherwise
there is 00. So I think there are 8 possible parts in the firmware. Obviously there must be some
addresses. The next 8 x 4 bytes are them. If a part isn't there, its address isn't there
either. Let's look closer at sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS.
Then we'll see what is next and where the file header ends.

Code:
00000000   56 34 12 00  01 01 01 01  01 00 01 00  D1 EC 0D 00  V4..........Ñì..
00000010   FF B7 16 00  FF B7 16 00  3B BB 16 00  CC 4C 13 00  ÿ·..ÿ·..;»..ÌL..
00000020   00 00 00 00  FF FF 07 00  00 00 00 00  32 2E 31 2E  ....ÿÿ......2.1.
00000030   31 2E 39 00  89 03 04 00  39 00 00 32  30 31 36 30  1.9.....9..20160
00000040   36 30 36 00  03 04 00 39  00 00 32 30  31 36 30 36  606....9..201606
00000050   30 36 00 03  04 00 39 00  00 32 30 31  36 30 35 31  06....9..2016051
00000060   36 00 03 04  00 39 00 00  31 2E 32 2E  31 2E 33 38  6....9..1.2.1.38
00000070   2E 37 00 00  39 00 00 00  00 00 00 00  00 00 00 00  .7..9...........
00000080   00 00 00 00  00 00 33 2E  31 2E 31 2E  31 33 00 37  ......3.1.1.13.7
00000090   00 00 39 00  00 00 00 00  00 00 00 00  00 00 00 00  ..9.............
000000A0   00 00 00 00  01 00 00 00  00 00 00 00  00 00 00 00  ................
000000B0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000000C0   00 00 00 00  FF BD DC C9  32 2E 31 2E  31 2E 38 00  ....ÿ½ÜÉ2.1.1.8.
........   ...

The third part here is the part version. In some cases it's in date format. But I'm not
sure what's in between. For each part there are 15 bytes. Maybe the version number is 8 bytes
and in between is the part type. Somewhere there is "bin", and when the version was 9 bytes there
wasn't room for "bin" and there is "in". Obviously the version part is missing too when 00
is written to the part and length bytes. So 8 parts x 15 bytes is 120, and the next data is
01 for SDS2000 and 03 for SDS1000. Maybe the rest is padding there and the real stuff may
begin from address C4, making the header 196 bytes long. Maybe...
The first 4 bytes are the Siglent CRC for the first part, which starts from C8 and has its
length in first place - D1 EC 0D 00 - 0D EC D1. The strange thing there is that the CRC bytes
are in a different order in this ADS format.
From the CRC to the next part is 0D EC D1, and here is the next part's data length B7 B7 16 -
16 B7 B7. Data starts with FF there, and the header must be 72 bytes because from the header
we see the whole part length is FF B7 16.
It all continues like this. The first part is a bit different.

I have a different timezone here and that's all for today.
Let's continue this bedtime story next time.
 
The following users thanked this post: AxaRu
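
Added example, not part of the original posts and not the viewer utility's code: a parser for the scope-style header as Reply #52 guesses it, run on the 0xC8 bytes from that post's hex dump. The function and field names are made up here, and treating the eight 4-byte values as back-to-back region sizes starting at 0xC4 is an assumption based on the post's "From CRC to the next part is 0D EC D1".

```python
import struct

# First 0xC8 bytes of sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS,
# copied from the hex dump in Reply #52.
HEADER_HEX = """
56 34 12 00 01 01 01 01 01 00 01 00 D1 EC 0D 00
FF B7 16 00 FF B7 16 00 3B BB 16 00 CC 4C 13 00
00 00 00 00 FF FF 07 00 00 00 00 00 32 2E 31 2E
31 2E 39 00 89 03 04 00 39 00 00 32 30 31 36 30
36 30 36 00 03 04 00 39 00 00 32 30 31 36 30 36
30 36 00 03 04 00 39 00 00 32 30 31 36 30 35 31
36 00 03 04 00 39 00 00 31 2E 32 2E 31 2E 33 38
2E 37 00 00 39 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 33 2E 31 2E 31 2E 31 33 00 37
00 00 39 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 FF BD DC C9
"""

MAGIC = 0x00123456         # bytes 56 34 12 00, little-endian
PART_COUNT = 8
FLAGS_OFFSET = 0x04        # one presence byte per part (01 / 00)
SIZES_OFFSET = 0x0C        # 8 x 4-byte little-endian values
VERSIONS_OFFSET = 0x2C     # 8 x 15-byte version entries
VERSION_ENTRY_LEN = 15
MODEL_OFFSET = 0xA4        # 01 for SDS2000, 03 for SDS1000 (per the post)
FIRST_PART_OFFSET = 0xC4   # 4-byte checksum, part data follows at 0xC8


def parse_ads_header(blob):
    """Decode the header fields using the layout guessed in Reply #52."""
    if len(blob) < FIRST_PART_OFFSET + 4:
        raise ValueError("need at least 0xC8 bytes of header")
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic != MAGIC:
        raise ValueError("unexpected magic 0x%08X" % magic)

    present = [b == 0x01 for b in blob[FLAGS_OFFSET:FLAGS_OFFSET + PART_COUNT]]
    sizes = struct.unpack_from("<%dI" % PART_COUNT, blob, SIZES_OFFSET)

    parts = []
    offset = FIRST_PART_OFFSET
    for i in range(PART_COUNT):
        start = VERSIONS_OFFSET + i * VERSION_ENTRY_LEN
        entry = blob[start:start + VERSION_ENTRY_LEN]
        # Keep the text up to the first 00 byte; what follows is unexplained.
        version = entry.split(b"\x00", 1)[0].decode("ascii", "replace")
        if present[i] != (sizes[i] != 0):
            raise ValueError("part %d: presence flag and size disagree" % (i + 1))
        parts.append({
            "index": i + 1,
            "present": present[i],
            "size": sizes[i],
            "offset": offset if present[i] else None,
            "version": version,
        })
        offset += sizes[i]  # assumption: regions are laid out back to back

    return {
        "model": blob[MODEL_OFFSET],
        # Read big-endian, since the post notes the checksum byte order differs.
        "first_part_checksum": struct.unpack_from(">I", blob, FIRST_PART_OFFSET)[0],
        "parts": parts,
    }


HEADER = parse_ads_header(bytes.fromhex("".join(HEADER_HEX.split())))

if __name__ == "__main__":
    print("model byte: %02X" % HEADER["model"])
    print("first part checksum: %08X" % HEADER["first_part_checksum"])
    for p in HEADER["parts"]:
        where = "-" if p["offset"] is None else "0x%08X" % p["offset"]
        print("%02d  size=0x%08X  offset=%s  version=%r"
              % (p["index"], p["size"], where, p["version"]))
```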

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #53 on: November 03, 2016, 09:15:46 pm »
All is not as simple as it looks. But that's how everything is at the beginning.

This SDS firmware is like a memory dump with predefined regions for part-files.
The addresses in the header are a kind of place marker. Data can be shorter there,
and in some cases I can't find any length or CRC or other part-file guidance at
this beginning address. Of course I don't know anything about those parts.
The first of them is something like a string collection.
All of them are a bit confusing right now...
I got suitable parts from the Siglent_ADS project junkyard and started beating together
a new utility for this.
_____________________
v0.1.1 with file open check
« Last Edit: November 04, 2016, 03:52:49 pm by janekivi »
 
The following users thanked this post: AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #54 on: November 05, 2016, 04:02:50 pm »
When we open the SDS2000X file sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS
and cut it into parts, part 5 is the interesting one for us today. It can be executable and contain
a packed part too, like the SDG1000 file. If we look at it in a hex editor and scroll through the data we can
see the structure change at address 00 01 09 A7. It is like a zlib header again - 78 DA. Zlib with the
best compression. Then the last 6 bytes are some sort of padding and the Adler32 must be 88 CE 76 FC.
But who knows...
 
The following users thanked this post: AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #55 on: November 06, 2016, 04:21:17 pm »
I made several utilities for unpacking zlib but they all work only with the SDG1000
file. There is a good utility for this too, http://aluigi.altervista.org/mytoolz.htm#offzip,
which can seek packed parts in a file and extract them.
Part 5 of the SDS1000/2000 firmware is like the second part of the SDG1000, where the unpacker is
and where a zlib packed part is located from address 00 00 CF E4. The SDS file has the same section
at the beginning with the same error message strings. And from address 00 01 09 A7
the zlib part starts... But the whole file has something like a 5 byte counter after every 24 bytes. From the
beginning we can see FA 18 00 00 00 and it continues 18 00 18... 18 00 30... 18 00 48.
But not like this to the end. When I remove it with a mask I lose track and can only
decompress 18502 bytes of that packed part.
I have seen this kind of pattern elsewhere too... but what system is this and what is
the first byte before 18?
 
The following users thanked this post: AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #56 on: November 07, 2016, 09:11:39 pm »
Some updates.
-----------------
OK, that was kind of right. Part 5 has a 4 byte footer.
But the whole file has something like a 4 byte counter after every 24 bytes. From the beginning we can see
6 bytes where the last two are 65536 byte counters - 02 00 00 04 00 00, whose 8-byte checksum
is next - FA. After that the data counter starts, 18 00 00 00, and it continues 18 00 18 00...
18 00 30 00... 18 00 48 00. But not like this to the end; after every 65536 bytes there is that
6 byte counter part.
After every data part is an 8-bit checksum of the previous data and counter, usually of 28 bytes.

So, counters are zeroed out and file is beginning:
02 00 00 04 00 00 --- counted 00 bytes
18 00 00 00  --- 18 - count 24 bytes

next is
18 00 18 00
 |     |---------24 bytes is counted
 |---------------count 24 bytes

next is
18 00 30 00
 |     |---------48 bytes is counted
 |---------------count 24 bytes
...
and so on until counter fills up
...
18 FF D8 00
10 FF F0 00
 |     |---------65520 bytes is counted
 |---------------count 16 bytes

now counter is over FF FF and comes
02 00 00 04 00 01
                |----first 65536 bytes is counted

and counter starts again
18 00 00 00
 |     |---------0 bytes is counted
 |---------------count 24 bytes
...
and so on when last 2 are
18 F8 58 00
 |     |---------63576 bytes is counted
 |---------------count 24 bytes

07 F8 70 00
 |     |---------63600 bytes is counted
 |---------------count 7 bytes

and last bytes of file are
00 00 00 01 FF
 |
 |---------------count 0 bytes - so it is the end of file

This is the 4 byte footer, whose 8-bit checksum is FF. Maybe 01 is marking "end of file 1".
Now if we remove all counter parts and checksums, we get a clean file, and after decompressing
it the Adler32 matches the 95 88 CE 76 at the end of the original Part_5.hex, in the last data packet
before the checksum.

Now if I remove all of the counter parts I get a clean file, and after decompressing it
I get the Adler32 from the end of the data - 95 88 CE 76
I was hoping to see something interesting there, like the logo in the SDG1000 file but ... boring...

-----------------------------------------------------------------------------------------------------------------------------------
decompressed second part from part 5 of sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS
« Last Edit: June 01, 2017, 07:37:53 pm by janekivi »
 
The following users thanked this post: AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #57 on: November 09, 2016, 06:49:27 pm »
The new SDS ads viewer utility v0.1.2 can save that app straight from an opened firmware file or from
one of the extracted files (part 5) with the dedicated tools menu. Deflating can be done for example with offzip.
At this time the only help comes from the ToolTipTexts when hovering over menu items...
-------------------------------------------------------------
Windows NET 3.5 C# application (WinXP, Win7...)
 
The following users thanked this post: Safar, AxaRu, shiftdelete

Offline dav

  • Regular Contributor
  • *
  • Posts: 133
  • Country: it
Re: Siglent .ads firmware file format
« Reply #58 on: November 10, 2016, 06:43:59 am »
What about the SDG and SSA .ADS viewer utility?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #59 on: November 10, 2016, 09:00:35 pm »
I might release the SDS viewer but there are too many buttons.
So, could somebody review the English in my EEenglish help file - yes, I made a help file,
for the first time in history, then we'll see...
 
The following users thanked this post: AxaRu

Offline dav

  • Regular Contributor
  • *
  • Posts: 133
  • Country: it
Re: Siglent .ads firmware file format
« Reply #60 on: December 11, 2016, 05:58:11 pm »
Just to let you know, Avira found this trojan in "SDS ads viewer utility v0.1.2"

Crypt.Xpack.vyifq
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #61 on: December 11, 2016, 08:53:40 pm »
Crypt.Xpack itself isn't a trojan; it is only a cryptic packer which was in a programmer's tool.
But from this day on nobody can use it any more because somebody was packing some
trojan with it...

The other components from it that I wanted to use were flagged already
https://yck1509.github.io/ConfuserEx/
 
The following users thanked this post: AxaRu

Offline tridentsx

  • Regular Contributor
  • *
  • Posts: 96
  • Country: us
Re: Siglent .ads firmware file format
« Reply #62 on: April 08, 2017, 07:08:34 am »
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #63 on: April 08, 2017, 07:24:05 am »

Has anyone looked at the ads files for the power supplies http://www.siglentamerica.com/USA_website_2014/Firmware&Software/firmware/SPD3303X-Firmware-V100R001B01D02P03.rar ?
That could be an interesting exercise with the possibility of improving a SPD3303X-E to an X model saving $150 and gaining 10x the V and A resolution.  :popcorn:
Avid Rabid Hobbyist
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #64 on: April 08, 2017, 09:42:56 am »
Of course I looked in all the files. But "looked" is the right word. There were no other experiments.
Inside there is one app file. I see in that directory that I looked at it with IDA too. But how or where I dug out this image I don't remember...

edit
-----

 * Actually they have different firmware, you may need to compare them (both are in the zip):
 * Boot image was just cut out from
    SPD3303X-E-V100R001B01D02P03.hex from 00 02 4A C8 to 00 02 7F 5B and saved as JPG
    SPD3303X-V100R001B01D02P03.hex 00 02 4A AC - 00 02 7F 3F
« Last Edit: April 08, 2017, 08:16:59 pm by janekivi »
 
The following users thanked this post: AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #65 on: April 08, 2017, 10:40:18 am »
I can do the same trick here as when I was uploading LeCroy into the SDG1025,
but who can try this? There may be the same check routine, and the instrument
will say "Not supported firmware, please reflash correct. Otherwise I will wait 15 min".
This is stupid, it will wait that time anyway before you can access the flash menu...

So... do not be the first to use this firmware file on an SPD3303X-E,
but this first hack may need to be tried out by someone.

SPD3303X-V100R001B01D02P03_with _E_header.zip
OK, I give this only individually after request. I can't test it.
 
The following users thanked this post: JohnG, AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #66 on: May 14, 2017, 03:43:06 pm »
The new SDS ads viewer utility v0.1.2 can save that app straight from an opened firmware file or from
one of the extracted files (part 5) with the dedicated tools menu. Deflating can be done for example with offzip.
At this time the only help comes from the ToolTipTexts when hovering over menu items...
-------------------------------------------------------------
Windows NET 3.5 C# application (WinXP, Win7...)
Version 0.1.3 has some minor fixes and a help file which is full of all kinds of strange text.
What you gonna do, I can't write in normal English...

-------------------------------------------------------------
In help file is updated SDS file format description, which is not so relevant

-------------------------------------------------------------
Maybe part version end in header is space and next crap is leftover from something old,
so version 0.1.4 displays that table differently now.
« Last Edit: November 30, 2017, 07:48:01 pm by janekivi »
 
The following users thanked this post: AxaRu

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #67 on: May 31, 2017, 10:51:27 am »
Hi janekivi ,

I've been doing some research on Siglent .ADS files, trying to parse every single file that they have.

I've managed to understand most of the file packing, as you have done, including parsing the Blackfin BF54x and BF53x blocks in order to load them more easily in IDA. I've not analysed the uBoot and ELF files. I leave that to the Linux guys.

I have been doing it in C# (console). Once I have it more bullet-proof I'm thinking of releasing a compiled version so that people can unpack the files.

(I'm not sure if you have found it yet, but the 1st byte in your "5-byte type of blocks counter" is the last byte of the previous block. So, the blocks start (usually) with the 0x18 + 3 bytes + n (0x18) data bytes + last byte (which is the checksum of the whole block, including header). The checksum is the usual "- Sum of all bytes".)

This 5th block in the SDS files is the only one understandable to me. Do you know what the other blocks are for?
« Last Edit: May 31, 2017, 11:06:15 am by tv84 »
 
The following users thanked this post: kado, janekivi, AxaRu
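
Added example, not code from either poster's tools: a de-encapsulator for the record layer described in Reply #56, checking each record with the "- Sum of all bytes" rule from Reply #67. The fields line up with Intel HEX records stored as raw bytes (count, 16-bit big-endian address, type 00/01/04, data, checksum); the function names and the sample payload are constructed for illustration.

```python
import zlib

REC_DATA, REC_EOF, REC_EXT_ADDR = 0x00, 0x01, 0x04
MAX_DATA = 0x18  # data bytes per record, as seen in the thread


def checksum8(data):
    """'- sum of all bytes', truncated to 8 bits."""
    return (-sum(data)) & 0xFF


def make_record(rtype, addr, payload=b""):
    """count, address (big-endian), type, payload, checksum over all of those."""
    body = bytes([len(payload)]) + addr.to_bytes(2, "big") + bytes([rtype]) + payload
    return body + bytes([checksum8(body)])


def wrap_records(data):
    """Build the encapsulation (used here only to construct test input)."""
    out = bytearray()
    pos = 0
    while pos < len(data):
        if pos % 0x10000 == 0:
            # New 64 KiB page: the 02 00 00 04 hh ll record from the post.
            out += make_record(REC_EXT_ADDR, 0, (pos >> 16).to_bytes(2, "big"))
        room = 0x10000 - pos % 0x10000      # never cross a 64 KiB boundary
        chunk = data[pos:pos + min(MAX_DATA, room)]
        out += make_record(REC_DATA, pos & 0xFFFF, chunk)
        pos += len(chunk)
    return bytes(out + make_record(REC_EOF, 0))


def unwrap_records(blob):
    """Verify every record checksum and return the concatenated data bytes."""
    out = bytearray()
    page = 0
    pos = 0
    while pos + 5 <= len(blob):
        count, rtype = blob[pos], blob[pos + 3]
        addr = int.from_bytes(blob[pos + 1:pos + 3], "big")
        end = pos + 4 + count               # index of the checksum byte
        if end >= len(blob):
            raise ValueError("record at 0x%X runs past end of input" % pos)
        if checksum8(blob[pos:end]) != blob[end]:
            raise ValueError("bad checksum in record at 0x%X" % pos)
        payload = blob[pos + 4:end]
        if rtype == REC_EOF:
            return bytes(out)
        if rtype == REC_EXT_ADDR:
            if count != 2:
                raise ValueError("malformed page record at 0x%X" % pos)
            page = int.from_bytes(payload, "big")
        elif rtype == REC_DATA:
            # The counters in the thread run without gaps; insist on that.
            if (page << 16) + addr != len(out):
                raise ValueError("address gap at record 0x%X" % pos)
            out += payload
        else:
            raise ValueError("unknown record type 0x%02X at 0x%X" % (rtype, pos))
        pos = end + 1
    raise ValueError("no end-of-file record found")


def demo():
    """Round trip on a constructed payload (not real Siglent data)."""
    original = b"constructed firmware payload, not real Siglent data\n" * 2000
    stream = zlib.compress(original, 9)     # level 9 gives the 78 DA header
    clean = unwrap_records(wrap_records(stream))
    # A zlib stream ends with the big-endian Adler-32 of the unpacked data.
    adler_ok = int.from_bytes(clean[-4:], "big") == zlib.adler32(original)
    return adler_ok and zlib.decompress(clean) == original


if __name__ == "__main__":
    print("round trip ok:", demo())
```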

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #68 on: May 31, 2017, 05:06:45 pm »
I don't understand almost anything in ads files, I'm only taking them apart and looking into everything.
Linux is not my thing and in IDA I don't recognize much. I was also looking into
ro_uImage, rw_uImage - partly packed
datafs.img, firmdata0.img - UBI images
and with GIMP or IrfanView I scan all files for graphics.

In SDS files it is an 8-bit checksum indeed. I may recompile my SDS viewer. But I was cutting out
the right part anyway because the unpacked checksum matches. The unpacker part at the beginning of
the 5th part is the same as in the SDG1000 file. Part 1 is most likely help. Parts 2, 3, 4 are almost the
same as the FPGA file LcdFpga.bin from the SSA3000X. I mean the beginning, and especially look at the end.
Who knows... maybe the version numbers at the beginning can help if somebody can see them in
the scope menu. Like 3.1.1.13, 2.1.1.8, 2.1.1.9
I have only an SDG2000X and an SDG1000 actually.
(Of course a Flir E4 and a Rigol DS1054Z too for other threads :))
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #69 on: May 31, 2017, 06:53:48 pm »
Yes, the beginning of the 5th part is similar to the SDG1000 but the Blackfin processor is a BF54x and, as such, has a totally different way of decoding (relative to the BF53x of the SDG1000).

OK, so now you've turned to the files inside the ZIPs. I'll be trying those also to see if anything comes up. I've also implemented many graphic detectors in my programs (GIF / JPEG / MPEG / etc.) that work even if there are no (usual) magic numbers.

I also have a Rigol scope so might have a look at that.

I've also developed a deflate scanner that can detect zlib/gzip streams without proper headers and crc/adler, and sometimes becomes useful for dealing with this type of compression in stripped fw. I think there's nothing around that is able to do this.

The goal is: as usual, just for fun.
 
The following users thanked this post: AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #70 on: May 31, 2017, 07:21:10 pm »
.......
I also have a Rigol scope so might have a look at that.
.......
The goal is: as usual, just for fun.
This is here... but we were far away from fun, we want to change PLUSES  to PULSES
https://www.eevblog.com/forum/testgear/rigol-dsxxxx-gel-firmware-file-format/
 
The following users thanked this post: AxaRu

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #71 on: May 31, 2017, 09:44:54 pm »
ro_uImage and rw_uImage both have a GZIP stream starting at 0x4966 with no valid header but with valid CRC32+Size. That's easy for my scanner. :)

I'll have a look at the RIGOL efforts... Will be difficult to help you guys.
 
The following users thanked this post: AxaRu

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #72 on: June 01, 2017, 02:57:38 pm »
http://www.garykessler.net/library/file_sigs.html
1F 8B 08 is GZIP header at 495C, there was no problems but normal UBI-reader is hard to find.
Couple of times I was successful with ubidump but now I use something with Ubuntu.
 
The following users thanked this post: AxaRu

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #73 on: June 01, 2017, 06:40:48 pm »
Sorry for that. You're right, the magic bytes were there.

I'm so accustomed to finding deflate compression with no headers and no footers that many times I forget the easy way which is: the file is totally in there...  ::)


 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #74 on: June 03, 2017, 09:02:43 am »
Yeah, I didn't try this before, but they use the same CRC calculation methods everywhere.
Somewhere output is 32 bit and in SDS it is 8 bit. And they can be used as MSB or LSB first.
Code:
import functools

# If you have a file
path = 'File'
with open(path, 'rb') as f:
    data = bytearray(f.read())

# Or data can be declared directly
# data = bytes([0x02,0x00,0x00,0x04,0x00,0x00])

# Sum all bytes, then take the two's complement
csum = functools.reduce(lambda x, y: x + y, data, 0)
csum = ~csum + 1
csum = csum & 0xffffffff  # the only difference is here
print(format(csum, 'X'), "- 32 bit checksum")
csum = csum & 0xff  # the only difference is here
print("     ", format(csum, 'X'), "-  8 bit checksum")
 
The following users thanked this post: AxaRu

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #75 on: June 03, 2017, 03:33:07 pm »
janekivi,

Looking at SDS1000X_V100R001B01D02P1503.ADS:

Code:
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20170310  [000DED95-0024A9E3]
      000DED95 - Header Size: 00000048
      000DEDDD - Data Size: 0016BC07
03  0000004A --- 0208 310  [0024A9E4-00276BF3]
      0024A9E4 - Header Size: 00000048
      0024AA2C - Data Size: 0002C1C8
04  00000059 --- 20170207  [00276BF4-002E84BE]
      00276BF4 - Header Size: 00000048
      00276C3C - Data Size: 00071883
05  00000068 --- 1.1.2.15  [002E84BF-00417E4E]
002E84BF - Removing block encapsulations from Block Area [002E84BF-00417E4E]

Total bytes extracted (from the blocks): 000FB396    Block area processed OK

Buffer Size: 00006374 bytes (after converting: 8bit-dma-from-16bit)

Processor Type: BF54x - BF542/BF544/BF547/BF548/BF549
Orig Offset     Offset          Block Code      Target Add      Byte Count      Argument        BFlags
00000000        00000000        AD9F5002        FFA00000        00000000        0000635C        ignore first
00000020        00000010        ADC50102        FF800000        00000014        00000000        fill
00000040        00000020        ADD90102        FF800014        0000001C        00000000        fill
00000060        00000030        ADC80002        FF800030        00000028        00000000
000000D0        00000068        ADA90102        FF800058        00000020        00000000        fill
000000F0        00000078        AD200002        FF800078        00002CA4        00000000
00005A58        00002D2C        ADC50102        FF802D1C        00000124        00000000        fill
00005A78        00002D3C        ADD60002        FFA00000        00003610        00000000
0000C6B8        0000635C        ADF80802        FFA00000        00000000        00000000        init

0000C6D8 --- ZLIB Decompressed Size: 00287728
0000C6E0 --- ZLIB Compressed Block Size: 000EECAE [0000C6E8-000FB395]
****************************************************
  Section Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [00417E4F-00497E4D]
      00417E4F - ?????: 0000DCBB
      00417E53 - Data Size: 0006B930
      00417E57 - Name: 3.1.1.13 ???
      00417E63 - Section Data [00417E63-00483792]
08  00000095 ---
« Last Edit: June 04, 2017, 09:09:33 pm by tv84 »
 
The following users thanked this post: AxaRu

Offline alfishe

  • Contributor
  • Posts: 8
  • Country: us
Re: Siglent .ads firmware file format
« Reply #76 on: June 04, 2017, 03:48:32 am »
...but normal UBI-reader is hard to find.
Couple of times I was successful with ubidump but now I use something with Ubuntu.

Found the only thing that work flawlessly - https://github.com/jrspruitt/ubi_reader
so was able to unpack every single UBI file from Siglent FWs.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #77 on: June 04, 2017, 08:18:23 am »
https://github.com/jrspruitt/ubi_reader
Yes, I think this is the one I'm using with Ubuntu now, but I can't get it working in Windows under Python there.
__________________________________________________________________________________________

But now that BlackFin stuff is a bit strange to me, I don't know much about it.
I lost track from there:
Code:
Buffer Size: 00006374 bytes (after converting 16bit to 8bit)

Processor Type: BF54x - BF542/BF544/BF547/BF548/BF549
Offset          Block Code      Address         Byte Count      Argument
00000000        AD9F5002
So I can't see this stuff right now. In other words, I don't have a clue about this BlackFin part.
Eeee... what you do there?

But it seems the file version numbers in the SDS header can have different lengths. It all looks
like something was written in the header. Maybe file names and some data. And then
everything was overwritten with file versions, each a number or date plus one 00 byte.
It looks a bit strange. For example
03  0000004A --- 0208 310 looks like there was
XXXXXXXX.bin which is overwritten with shorter XXXXX310 and 00 buffer byte
XXXXX310 bin which is now overwritten with shorter 0208 and 00 buffer byte
0208 310 bin
so all file versions are probably numbers up to the first 00 byte and the rest is leftover crap.
One strong feeling is that, to grow the header, the whole previous row is added again
and overwritten with correct info, the next row is made from this and overwritten, and empty
lines are skipped, so part 7 has part 5's background there. This is the leftover 3 after the 00 buffer.

And now there is actually
05  00000068 --- 1.1.2.15  [002E84BF-00417E4E]
05  00000068 --- 1.1.2.15.3  [002E84BF-00417E4E]
because it is V1.1.1.2.15R3

In the header the first file version shows 2.1.1.9, and the first part begins with the CRC and 2.1.1.8
« Last Edit: June 04, 2017, 11:02:44 am by janekivi »
 
The following users thanked this post: AxaRu

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #78 on: June 04, 2017, 08:46:09 pm »
I changed the code that I had submitted. See the previous post again.

After removing the blocks, you have to convert the section that exists before the ZLIB block from 16 bit to 8 bit.

Then that area will have the Blackfin code that decompresses the ZLIB.

The code has:

                  16-byte block headers

The 1st 4 bytes:
                    0xXX------ - 1st byte -> Header Sign (Magic) - Must be 0xAD ("Analog Devices")
                    0x--XX---- - 2nd byte -> Header Checksum (calculated with 0 in this byte)
                    0x----XXX- - 3rd & 4th bytes -> Block flag (excluding the last nibble)
                    0x-------X - Last nibble -> DMA Code (0x00 -> 0x0F)

The others you can deduce from my parsing in the previous post.

Code:
string[] DMA_code = {"dma-reserved" , "8bit-dma-from-8bit", "8bit-dma-from-16bit", "8bit-dma-from-32bit",
                "8bit-dma-from-64bit", "8bit-dma-from-128bit", "16bit-dma-from-16bit", "16bit-dma-from-32bit",
                "16bit-dma-from-64bit", "16bit-dma-from-128bit", "32bit-dma-from-32bit", "32bit-dma-from-64bit",
                "32bit-dma-from-128bit", "64bit-dma-from-64bit", "64bit-dma-from-128bit", "128bit-dma-from-128bit" };
           
string[] bflag = { "safe", "aux", "", "", "fill", "quickboot", "callback", "init", "ignore", "indirect", "first", "final" };

As you can see I've discovered where my mistake was. I was convinced that Section 5 was only a Blackfin code block, but I discovered that I had missed the ZLIB block. Then the decompressed size and bytes remaining made sense. It's the same thing in the SDG1000 files.

« Last Edit: June 04, 2017, 08:51:50 pm by tv84 »
 
The following users thanked this post: AxaRu
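
Added example, not tv84's C# parser: a decoder for the 16-byte BF54x block headers described in Reply #78, fed with the nine header rows from the listing in Reply #75. The XOR rule for the header checksum is not stated in the post; it is an assumption that reproduces all nine checksum bytes in that listing. Function names are made up here and the block payloads are zero-filled placeholders.

```python
import struct

# Name tables as posted in Reply #78.
DMA_CODES = [
    "dma-reserved", "8bit-dma-from-8bit", "8bit-dma-from-16bit", "8bit-dma-from-32bit",
    "8bit-dma-from-64bit", "8bit-dma-from-128bit", "16bit-dma-from-16bit",
    "16bit-dma-from-32bit", "16bit-dma-from-64bit", "16bit-dma-from-128bit",
    "32bit-dma-from-32bit", "32bit-dma-from-64bit", "32bit-dma-from-128bit",
    "64bit-dma-from-64bit", "64bit-dma-from-128bit", "128bit-dma-from-128bit",
]
BFLAGS = ["safe", "aux", "", "", "fill", "quickboot", "callback", "init",
          "ignore", "indirect", "first", "final"]  # bit 4 of the block code upward

# (block code, target address, byte count, argument) rows copied from the
# SDS1000X_V100R001B01D02P1503.ADS listing in Reply #75.
LISTED_BLOCKS = [
    (0xAD9F5002, 0xFFA00000, 0x00000000, 0x0000635C),
    (0xADC50102, 0xFF800000, 0x00000014, 0x00000000),
    (0xADD90102, 0xFF800014, 0x0000001C, 0x00000000),
    (0xADC80002, 0xFF800030, 0x00000028, 0x00000000),
    (0xADA90102, 0xFF800058, 0x00000020, 0x00000000),
    (0xAD200002, 0xFF800078, 0x00002CA4, 0x00000000),
    (0xADC50102, 0xFF802D1C, 0x00000124, 0x00000000),
    (0xADD60002, 0xFFA00000, 0x00003610, 0x00000000),
    (0xADF80802, 0xFFA00000, 0x00000000, 0x00000000),
]
# "Offset" column of the same listing (positions in the 8-bit buffer).
LISTED_OFFSETS = [0x0000, 0x0010, 0x0020, 0x0030, 0x0068, 0x0078,
                  0x2D2C, 0x2D3C, 0x635C]


def parse_block_header(raw):
    """Decode one 16-byte header and verify its sign and checksum bytes."""
    if len(raw) != 16:
        raise ValueError("block header must be 16 bytes")
    code, target, count, argument = struct.unpack("<4I", raw)
    if code >> 24 != 0xAD:
        raise ValueError("bad header sign 0x%02X" % (code >> 24))
    stored = (code >> 16) & 0xFF
    calc = 0
    for i, b in enumerate(raw):
        if i != 2:  # byte 2 of the little-endian word is the checksum itself
            calc ^= b
    if calc != stored:
        raise ValueError("header checksum 0x%02X, expected 0x%02X" % (stored, calc))
    flag_bits = (code >> 4) & 0xFFF
    flags = [name for bit, name in enumerate(BFLAGS)
             if name and (flag_bits >> bit) & 1]
    return {"target": target, "byte_count": count, "argument": argument,
            "dma": DMA_CODES[code & 0xF], "flags": flags}


def walk_boot_stream(buf):
    """Follow the header chain and return each block with its buffer offset."""
    blocks = []
    pos = 0
    while pos + 16 <= len(buf):
        hdr = parse_block_header(buf[pos:pos + 16])
        hdr["offset"] = pos
        blocks.append(hdr)
        pos += 16
        if "fill" not in hdr["flags"]:
            pos += hdr["byte_count"]  # fill blocks carry no payload
        if pos > len(buf):
            raise ValueError("payload of block at 0x%X is truncated" % hdr["offset"])
        if "final" in hdr["flags"]:
            break
    return blocks


def build_sample_stream():
    """Constructed input: the listed headers with zero-filled payloads."""
    out = bytearray()
    for code, target, count, argument in LISTED_BLOCKS:
        out += struct.pack("<4I", code, target, count, argument)
        if not code & 0x0100:  # 0x0100 is the fill flag
            out += bytes(count)
    return bytes(out)


if __name__ == "__main__":
    for blk in walk_boot_stream(build_sample_stream()):
        print("%08X  %08X  %08X  %s  %s" % (blk["offset"], blk["target"],
              blk["byte_count"], blk["dma"], " ".join(blk["flags"])))
```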

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #79 on: June 10, 2017, 06:41:06 pm »
SDS1000X_V100R001B01D02P1503.ADS saved as a 8-bit BMP starting at offset 0x27 (to align the blocks) (cropped in length).

It's visible in Section 2 a curious data arrangement (blocks of 64*21 bytes plus 64*9 bytes (whiter...))

I assume it is the Xilinx FPGA since the Section starts with the FFFF FFFF area and the FPGA bitstream SYNCWORD (AA 99 55 66) re-mixed.

(If we save the file with width=320, the block encapsulation of Section 5 is perfectly visible.)
« Last Edit: June 11, 2017, 11:02:28 am by tv84 »
 
The following users thanked this post: AxaRu

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #80 on: June 13, 2017, 08:05:59 pm »
Now that I know, I conclude that it should have been easier to spot this:

The 2nd section of SDS1000X_V100R001B01D02P1503.ADS contains the FPGAs bitstreams.  SDS1000 must have 2 FPGAs...

The only obfuscation is that the bytes are reversed. So, to identify the typical SYNC WORD (AA 99 55 66), one has to reverse all the bytes.

Then, it's visible at address 0xDEE05 the IDCODE 0x04008093 that corresponds to a Spartan 6 XC6SLX45.

Summing up:
Section 2 - Spartan 6 XC6SLX45 FPGA bitstream
Section 4 - Spartan 6 XC6SLX16 FPGA bitstream

To be continued...
« Last Edit: June 14, 2017, 10:03:40 pm by tv84 »
 
The following users thanked this post: AxaRu

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #81 on: June 16, 2017, 05:35:36 pm »
Testing my FPGA bitstream parser, here is the complete parsing of both SDG1000-V100R001B01D01P37R3.ADS sections:

Code:
File Header Size: 00000048
00000000 - File Checksum: F9F6C42A [000004-EOF] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 000FFBE8 (without 0x48 bytes of the File Header)
00000008 - Section Size: 000AC930
0000000C - Blocks Area: 00000000 [000FFBE8-000FFBE7]
00000026 - Vendor: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0007FDF4 until 0x000FFBE7
****************************************************
0000000C --- Section Checksum: FEFF926D
00000010 --- Section Size: 00053294 [00000018-000532AB]  CKSM OK
00000014 --- Section # 00000001
  00000018 - Data Checksum: FEFF9BCB
  0000001C - Data Size: 0005327C [00000030-000532AB]  CKSM OK
  00000020 - Data Name: fpga data
  0000002A - ????: 0012
  0000002C - ????: 77D4048F
00000030 --- 000532AB  ***** FPGA DATA *****

00000030 - FFFFFFFF             Padding
00000034 - FFFFFFFF             Padding
00000038 - FFFFFFFF             Padding
0000003C - FFFFFFFF             Padding
00000040 - AA995566             Sync Word (BPI/SPI Mode)
00000044 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
00000048 - 2000                 T1 - 0000000  NOP       (1x)
0000004A - 31A1 0380            T1 W 0000001  FLR
0000004E - 3141 3D00            T1 W 0000001  COR1
00000052 - 3161 09EE            T1 W 0000001  COR2
00000056 - 31C2 04001093        T1 W 0000002  IDCODE
0000005C - 30E1 00CF            T1 W 0000001  MASK
00000060 - 30C1 0081            T1 W 0000001  CTL
00000064 - 2000                 T1 - 0000000  NOP       (17x)
00000086 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
0000008A - 3181 0881            T1 W 0000001  PWRDN_REG
0000008E - 3421 0000            T1 W 0000001  EYE_MASK
00000092 - 3201 001F            T1 W 0000001  HC_OPT_REG
00000096 - 31E1 FFFF            T1 W 0000001  CWDT
0000009A - 3321 0005            T1 W 0000001  PU_GWE
0000009E - 3341 0004            T1 W 0000001  PU_GTS
000000A2 - 3301 0100            T1 W 0000001  MODE_REG
000000A6 - 3261 0000            T1 W 0000001  GENERAL1
000000AA - 3281 0000            T1 W 0000001  GENERAL2
000000AE - 32A1 0000            T1 W 0000001  GENERAL3
000000B2 - 32C1 0000            T1 W 0000001  GENERAL4
000000B6 - 32E1 0000            T1 W 0000001  GENERAL5
000000BA - 33A1 1BE2            T1 W 0000001  SEU_OPT
000000BE - 33C2 00000000        T1 W 0000002  EXP_SIGN
000000C4 - 2000                 T1 - 0000000  NOP       (2x)
000000C8 - 3022 00000000        T1 W 0000002  FAR_MAJ
000000CE - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000000D2 - 5060 000298AD        T2 W 00298AD  FDRI      CRC: 00094352
00053236 - 2000                 T1 - 0000000  NOP       (24x)
00053266 - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0005326A - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0005326E - 2000                 T1 - 0000000  NOP       (4x)
00053276 - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0005327A - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0005327E - 30E1 00FF            T1 W 0000001  MASK
00053282 - 30C1 0081            T1 W 0000001  CTL
00053286 - 3002 001171C1        T1 W 0000002  CRC
0005328C - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
00053290 - 2000                 T1 - 0000000  NOP       (14x)
****************************************************
000532AC --- Section Checksum: FAB63171
000532B0 --- Section Size: 000AC930 [000532B8-000FFBE7]  CKSM OK
000532B4 --- Section # 00000002
000532B8 --- 000FFBE7  ***** BLACKFIN DATA *****

Buffer Size: 000067F2 bytes (after converting from 16 to 8 bits)

0x00000000  DXE 0000 (Data Size: 000067DC) [00000000-000067E9]
Processor Type: ADSP-BF533/534/536/537/538/539 (boot address: 0xFFA00000)
Orig Offset:    Offset:         Block:  Target Add:     Byte Count:     Flags:  [  start -   end  ]
000532B8 ---    0x00000000      0000    FF800040        00000004        0012    [0000000A-0000000D]  resvect ignore
000532D4 ---    0x0000000E      0001    FF800000        000022B0        0002    [00000018-000022C7]  resvect
00057848 ---    0x000022C8      0002    FF8022B0        00000010        0003                         zero-fill resvect
0005785C ---    0x000022D2      0003    FF8022C0        00000010        0002    [000022DC-000022EB]  resvect
00057890 ---    0x000022EC      0004    FF8022D0        0000029E        0002    [000022F6-00002593]  resvect
00057DE0 ---    0x00002594      0005    FF80256E        0000000E        0003                         zero-fill resvect
00057DF4 ---    0x0000259E      0006    FF80257C        000009BA        0002    [000025A8-00002F61]  resvect
0005917C ---    0x00002F62      0007    FF802F36        000000AA        0003                         zero-fill resvect
00059190 ---    0x00002F6C      0008    FF802FE0        0000000C        0002    [00002F76-00002F81]  resvect
000591BC ---    0x00002F82      0009    FF902000        00000004        0002    [00002F8C-00002F8F]  resvect
000591D8 ---    0x00002F90      000A    FF902004        00000068        0003                         zero-fill resvect
000591EC ---    0x00002F9A      000B    FFA00000        0000383A        0002    [00002FA4-000067DD]  resvect
00060274 ---    0x000067DE      000C    FFA00000        00000002        000A    [000067E8-000067E9]  resvect init

0006028C --- ZLIB Decompressed Size: 001AA72E
00060294 --- ZLIB Compressed Block Size: 0009F94C [0006029C-000FFBE7]
****************************************************
  File Processed OK
 
The following users thanked this post: AxaRu

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #82 on: June 16, 2017, 06:22:06 pm »
Parsing of SDS1000X_V100R001B01D02P1503.ADS:

Code: [Select]
Parsing a SIGLENT SDS1000/SDS2000 file
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20170310  [000DED95-0024A9E3]
      000DED95 - Data Size: 0016BC07
      000DED95 - Header Size: 00000048

000DEDDD - FFFFFFFF             Padding
000DEDE1 - FFFFFFFF             Padding
000DEDE5 - FFFFFFFF             Padding
000DEDE9 - FFFFFFFF             Padding
000DEDED - AA995566             Sync Word (BPI/SPI Mode)
000DEDF1 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
000DEDF5 - 2000                 T1 - 0000000  NOP       (1x)
000DEDF7 - 31A1 0628            T1 W 0000001  FLR
000DEDFB - 3141 3D00            T1 W 0000001  COR1
000DEDFF - 3161 09EE            T1 W 0000001  COR2
000DEE03 - 31C2 04008093        T1 W 0000002  IDCODE
000DEE09 - 30E1 00CF            T1 W 0000001  MASK
000DEE0D - 30C1 0081            T1 W 0000001  CTL
000DEE11 - 2000                 T1 - 0000000  NOP       (17x)
000DEE33 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
000DEE37 - 3181 0881            T1 W 0000001  PWRDN_REG
000DEE3B - 3421 0000            T1 W 0000001  EYE_MASK
000DEE3F - 3201 001F            T1 W 0000001  HC_OPT_REG
000DEE43 - 31E1 FFFF            T1 W 0000001  CWDT
000DEE47 - 3321 0005            T1 W 0000001  PU_GWE
000DEE4B - 3341 0004            T1 W 0000001  PU_GTS
000DEE4F - 3301 0100            T1 W 0000001  MODE_REG
000DEE53 - 3261 0000            T1 W 0000001  GENERAL1
000DEE57 - 3281 0000            T1 W 0000001  GENERAL2
000DEE5B - 32A1 0000            T1 W 0000001  GENERAL3
000DEE5F - 32C1 0000            T1 W 0000001  GENERAL4
000DEE63 - 32E1 0000            T1 W 0000001  GENERAL5
000DEE67 - 33A1 1BE2            T1 W 0000001  SEU_OPT
000DEE6B - 33C2 00000000        T1 W 0000002  EXP_SIGN
000DEE71 - 2000                 T1 - 0000000  NOP       (2x)
000DEE75 - 3022 00000000        T1 W 0000002  FAR_MAJ
000DEE7B - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000DEE7F - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0034308C
002493DB - 2000                 T1 - 0000000  NOP       (24x)
0024940B - 3022 00040017        T1 W 0000002  FAR_MAJ
00249411 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00249415 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003375D7
00249523 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00249529 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0002BA9A
00249637 - 3022 001A0017        T1 W 0000002  FAR_MAJ
0024963D - 5060 00000082        T2 W 0000082  FDRI      CRC: 0003762D
0024974B - 3022 00230017        T1 W 0000002  FAR_MAJ
00249751 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00094B76
0024985F - 3022 01040017        T1 W 0000002  FAR_MAJ
00249865 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00202D3C
00249973 - 3022 010D0017        T1 W 0000002  FAR_MAJ
00249979 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002CF083
00249A87 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00249A8D - 5060 00000082        T2 W 0000082  FDRI      CRC: 0014FD49
00249B9B - 3022 01230017        T1 W 0000002  FAR_MAJ
00249BA1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00051241
00249CAF - 3022 021A0017        T1 W 0000002  FAR_MAJ
00249CB5 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0007EA84
00249DC3 - 3022 02230017        T1 W 0000002  FAR_MAJ
00249DC9 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0030BD91
00249ED7 - 3022 03040017        T1 W 0000002  FAR_MAJ
00249EDD - 5060 00000082        T2 W 0000082  FDRI      CRC: 00015E7B
00249FEB - 3022 030D0017        T1 W 0000002  FAR_MAJ
00249FF1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003B95FD
0024A0FF - 3022 031A0017        T1 W 0000002  FAR_MAJ
0024A105 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000DC751
0024A213 - 3022 03230017        T1 W 0000002  FAR_MAJ
0024A219 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00029613
0024A327 - 3022 04230017        T1 W 0000002  FAR_MAJ
0024A32D - 5060 00000082        T2 W 0000082  FDRI      CRC: 000B26CB
0024A43B - 3022 050D0017        T1 W 0000002  FAR_MAJ
0024A441 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00079B31
0024A54F - 3022 051A0017        T1 W 0000002  FAR_MAJ
0024A555 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00078C47
0024A663 - 3022 05230017        T1 W 0000002  FAR_MAJ
0024A669 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002EA4CD
0024A777 - 3022 061A0017        T1 W 0000002  FAR_MAJ
0024A77D - 5060 00000082        T2 W 0000082  FDRI      CRC: 002E1DE1
0024A88B - 3022 06230017        T1 W 0000002  FAR_MAJ
0024A891 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00281192
0024A99F - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A9A3 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0024A9A7 - 2000                 T1 - 0000000  NOP       (4x)
0024A9AF - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A9B3 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0024A9B7 - 30E1 00FF            T1 W 0000001  MASK
0024A9BB - 30C1 0081            T1 W 0000001  CTL
0024A9BF - 3002 00174160        T1 W 0000002  CRC
0024A9C5 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
0024A9C9 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
03  0000004A --- 0208 310  [0024A9E4-00276BF3]
      0024A9E4 - Data Size: 0002C1C8
      0024A9E4 - Header Size: 00000048
04  00000059 --- 20170207  [00276BF4-002E84BE]
      00276BF4 - Data Size: 00071883
      00276BF4 - Header Size: 00000048

00276C3C - FFFFFFFF             Padding
00276C40 - FFFFFFFF             Padding
00276C44 - FFFFFFFF             Padding
00276C48 - FFFFFFFF             Padding
00276C4C - AA995566             Sync Word (BPI/SPI Mode)
00276C50 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
00276C54 - 2000                 T1 - 0000000  NOP       (1x)
00276C56 - 31A1 0430            T1 W 0000001  FLR
00276C5A - 3141 3D00            T1 W 0000001  COR1
00276C5E - 3161 09EE            T1 W 0000001  COR2
00276C62 - 31C2 04002093        T1 W 0000002  IDCODE
00276C68 - 30E1 00CF            T1 W 0000001  MASK
00276C6C - 30C1 0081            T1 W 0000001  CTL
00276C70 - 2000                 T1 - 0000000  NOP       (17x)
00276C92 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
00276C96 - 3181 0881            T1 W 0000001  PWRDN_REG
00276C9A - 3421 0000            T1 W 0000001  EYE_MASK
00276C9E - 3201 001F            T1 W 0000001  HC_OPT_REG
00276CA2 - 31E1 FFFF            T1 W 0000001  CWDT
00276CA6 - 3321 0005            T1 W 0000001  PU_GWE
00276CAA - 3341 0004            T1 W 0000001  PU_GTS
00276CAE - 3301 0100            T1 W 0000001  MODE_REG
00276CB2 - 3261 0000            T1 W 0000001  GENERAL1
00276CB6 - 3281 0000            T1 W 0000001  GENERAL2
00276CBA - 32A1 0000            T1 W 0000001  GENERAL3
00276CBE - 32C1 0000            T1 W 0000001  GENERAL4
00276CC2 - 32E1 0000            T1 W 0000001  GENERAL5
00276CC6 - 33A1 1BE2            T1 W 0000001  SEU_OPT
00276CCA - 33C2 00000000        T1 W 0000002  EXP_SIGN
00276CD0 - 2000                 T1 - 0000000  NOP       (2x)
00276CD4 - 3022 00000000        T1 W 0000002  FAR_MAJ
00276CDA - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00276CDE - 5060 00038A11        T2 W 0038A11  FDRI      CRC: 00374F6B
002E810A - 2000                 T1 - 0000000  NOP       (24x)
002E813A - 3022 01040017        T1 W 0000002  FAR_MAJ
002E8140 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
002E8144 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0011C60E
002E8252 - 3022 02040017        T1 W 0000002  FAR_MAJ
002E8258 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0036FAC5
002E8366 - 3022 03040017        T1 W 0000002  FAR_MAJ
002E836C - 5060 00000082        T2 W 0000082  FDRI      CRC: 002A817F
002E847A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
002E847E - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
002E8482 - 2000                 T1 - 0000000  NOP       (4x)
002E848A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
002E848E - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
002E8492 - 30E1 00FF            T1 W 0000001  MASK
002E8496 - 30C1 0081            T1 W 0000001  CTL
002E849A - 3002 00325B22        T1 W 0000002  CRC
002E84A0 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
002E84A4 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
05  00000068 --- 1.1.2.15  [002E84BF-00417E4E]
002E84BF - Removing block encapsulations from Block Area [002E84BF-00417E4E]

Total bytes extracted (from the blocks): 000FB396    Block area processed OK

Buffer Size: 00006374 bytes (after converting from 16 to 8 bits)

Processor Type: BF54x - BF542/BF544/BF547/BF548/BF549
Orig Offset     Offset          Block Code      Target Add      Byte Count      Argument        BFlags
00000000        00000000        AD9F5002        FFA00000        00000000        0000635C        ignore first
00000020        00000010        ADC50102        FF800000        00000014        00000000        fill
00000040        00000020        ADD90102        FF800014        0000001C        00000000        fill
00000060        00000030        ADC80002        FF800030        00000028        00000000
000000D0        00000068        ADA90102        FF800058        00000020        00000000        fill
000000F0        00000078        AD200002        FF800078        00002CA4        00000000
00005A58        00002D2C        ADC50102        FF802D1C        00000124        00000000        fill
00005A78        00002D3C        ADD60002        FFA00000        00003610        00000000
0000C6B8        0000635C        ADF80802        FFA00000        00000000        00000000        init

0000C6D8 --- ZLIB Decompressed Size: 00287728
0000C6E0 --- ZLIB Compressed Block Size: 000EECAE [0000C6E8-000FB395]
****************************************************
  Section Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [00417E4F-00497E4D]
      00417E4F - ?????: 0000DCBB
      00417E53 - Data Size: 0006B930
      00417E57 - Name: 3.1.1.13 ???
      00417E63 - Section Data [00417E63-00483792]
08  00000095 ---

Parsing of sds2k_V100R02B01D01P38R07_fvA1606060606M160516.ADS:

Code: [Select]
Parsing a SIGLENT SDS1000/SDS2000 file
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20160606  [000DED95-0024A593]
      000DED95 - Data Size: 0016B7B7
      000DED95 - Header Size: 00000048

000DEDDD - FFFFFFFF             Padding
000DEDE1 - FFFFFFFF             Padding
000DEDE5 - FFFFFFFF             Padding
000DEDE9 - FFFFFFFF             Padding
000DEDED - AA995566             Sync Word (BPI/SPI Mode)
000DEDF1 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
000DEDF5 - 2000                 T1 - 0000000  NOP       (1x)
000DEDF7 - 31A1 0628            T1 W 0000001  FLR
000DEDFB - 3141 3D00            T1 W 0000001  COR1
000DEDFF - 3161 09EE            T1 W 0000001  COR2
000DEE03 - 31C2 04008093        T1 W 0000002  IDCODE
000DEE09 - 30E1 00CF            T1 W 0000001  MASK
000DEE0D - 30C1 0081            T1 W 0000001  CTL
000DEE11 - 2000                 T1 - 0000000  NOP       (17x)
000DEE33 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
000DEE37 - 3181 0881            T1 W 0000001  PWRDN_REG
000DEE3B - 3421 0000            T1 W 0000001  EYE_MASK
000DEE3F - 3201 001F            T1 W 0000001  HC_OPT_REG
000DEE43 - 31E1 FFFF            T1 W 0000001  CWDT
000DEE47 - 3321 0005            T1 W 0000001  PU_GWE
000DEE4B - 3341 0004            T1 W 0000001  PU_GTS
000DEE4F - 3301 0100            T1 W 0000001  MODE_REG
000DEE53 - 3261 0000            T1 W 0000001  GENERAL1
000DEE57 - 3281 0000            T1 W 0000001  GENERAL2
000DEE5B - 32A1 0000            T1 W 0000001  GENERAL3
000DEE5F - 32C1 0000            T1 W 0000001  GENERAL4
000DEE63 - 32E1 0000            T1 W 0000001  GENERAL5
000DEE67 - 33A1 1BE2            T1 W 0000001  SEU_OPT
000DEE6B - 33C2 00000000        T1 W 0000002  EXP_SIGN
000DEE71 - 2000                 T1 - 0000000  NOP       (2x)
000DEE75 - 3022 00000000        T1 W 0000002  FAR_MAJ
000DEE7B - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000DEE7F - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 00131922
002493DB - 2000                 T1 - 0000000  NOP       (24x)
0024940B - 3022 00040017        T1 W 0000002  FAR_MAJ
00249411 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00249415 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0004280B
00249523 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00249529 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000F94E1
00249637 - 3022 00230017        T1 W 0000002  FAR_MAJ
0024963D - 5060 00000082        T2 W 0000082  FDRI      CRC: 00008F4D
0024974B - 3022 01040017        T1 W 0000002  FAR_MAJ
00249751 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0035DE97
0024985F - 3022 010D0017        T1 W 0000002  FAR_MAJ
00249865 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E4DA8
00249973 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00249979 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001822E4
00249A87 - 3022 01230017        T1 W 0000002  FAR_MAJ
00249A8D - 5060 00000082        T2 W 0000082  FDRI      CRC: 003B04FB
00249B9B - 3022 02040017        T1 W 0000002  FAR_MAJ
00249BA1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00303121
00249CAF - 3022 020D0017        T1 W 0000002  FAR_MAJ
00249CB5 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0025A24C
00249DC3 - 3022 021A0017        T1 W 0000002  FAR_MAJ
00249DC9 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00370282
00249ED7 - 3022 02230017        T1 W 0000002  FAR_MAJ
00249EDD - 5060 00000082        T2 W 0000082  FDRI      CRC: 000DAEDE
00249FEB - 3022 03040017        T1 W 0000002  FAR_MAJ
00249FF1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00319323
0024A0FF - 3022 04040017        T1 W 0000002  FAR_MAJ
0024A105 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000B7C1F
0024A213 - 3022 040D0017        T1 W 0000002  FAR_MAJ
0024A219 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001DE18B
0024A327 - 3022 05040017        T1 W 0000002  FAR_MAJ
0024A32D - 5060 00000082        T2 W 0000082  FDRI      CRC: 003D0427
0024A43B - 3022 050D0017        T1 W 0000002  FAR_MAJ
0024A441 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003A50CB
0024A54F - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A553 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0024A557 - 2000                 T1 - 0000000  NOP       (4x)
0024A55F - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A563 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0024A567 - 30E1 00FF            T1 W 0000001  MASK
0024A56B - 30C1 0081            T1 W 0000001  CTL
0024A56F - 3002 000F3E32        T1 W 0000002  CRC
0024A575 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
0024A579 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
03  0000004A --- 20160606  [0024A594-003B5D92]
      0024A594 - Data Size: 0016B7B7
      0024A594 - Header Size: 00000048

0024A5DC - FFFFFFFF             Padding
0024A5E0 - FFFFFFFF             Padding
0024A5E4 - FFFFFFFF             Padding
0024A5E8 - FFFFFFFF             Padding
0024A5EC - AA995566             Sync Word (BPI/SPI Mode)
0024A5F0 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
0024A5F4 - 2000                 T1 - 0000000  NOP       (1x)
0024A5F6 - 31A1 0628            T1 W 0000001  FLR
0024A5FA - 3141 3D00            T1 W 0000001  COR1
0024A5FE - 3161 09EE            T1 W 0000001  COR2
0024A602 - 31C2 04008093        T1 W 0000002  IDCODE
0024A608 - 30E1 00CF            T1 W 0000001  MASK
0024A60C - 30C1 0081            T1 W 0000001  CTL
0024A610 - 2000                 T1 - 0000000  NOP       (17x)
0024A632 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
0024A636 - 3181 0881            T1 W 0000001  PWRDN_REG
0024A63A - 3421 0000            T1 W 0000001  EYE_MASK
0024A63E - 3201 001F            T1 W 0000001  HC_OPT_REG
0024A642 - 31E1 FFFF            T1 W 0000001  CWDT
0024A646 - 3321 0005            T1 W 0000001  PU_GWE
0024A64A - 3341 0004            T1 W 0000001  PU_GTS
0024A64E - 3301 0100            T1 W 0000001  MODE_REG
0024A652 - 3261 0000            T1 W 0000001  GENERAL1
0024A656 - 3281 0000            T1 W 0000001  GENERAL2
0024A65A - 32A1 0000            T1 W 0000001  GENERAL3
0024A65E - 32C1 0000            T1 W 0000001  GENERAL4
0024A662 - 32E1 0000            T1 W 0000001  GENERAL5
0024A666 - 33A1 1BE2            T1 W 0000001  SEU_OPT
0024A66A - 33C2 00000000        T1 W 0000002  EXP_SIGN
0024A670 - 2000                 T1 - 0000000  NOP       (2x)
0024A674 - 3022 00000000        T1 W 0000002  FAR_MAJ
0024A67A - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
0024A67E - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 000310D9
003B4BDA - 2000                 T1 - 0000000  NOP       (24x)
003B4C0A - 3022 000D0017        T1 W 0000002  FAR_MAJ
003B4C10 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B4C14 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0020783B
003B4D22 - 3022 001A0017        T1 W 0000002  FAR_MAJ
003B4D28 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002806B7
003B4E36 - 3022 00230017        T1 W 0000002  FAR_MAJ
003B4E3C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0014E29D
003B4F4A - 3022 010D0017        T1 W 0000002  FAR_MAJ
003B4F50 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00141799
003B505E - 3022 011A0017        T1 W 0000002  FAR_MAJ
003B5064 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003A1B9A
003B5172 - 3022 01230017        T1 W 0000002  FAR_MAJ
003B5178 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0020B6FA
003B5286 - 3022 021A0017        T1 W 0000002  FAR_MAJ
003B528C - 5060 00000082        T2 W 0000082  FDRI      CRC: 002554A2
003B539A - 3022 02230017        T1 W 0000002  FAR_MAJ
003B53A0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001D9C65
003B54AE - 3022 03040017        T1 W 0000002  FAR_MAJ
003B54B4 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038FD0C
003B55C2 - 3022 030D0017        T1 W 0000002  FAR_MAJ
003B55C8 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002782A6
003B56D6 - 3022 03230017        T1 W 0000002  FAR_MAJ
003B56DC - 5060 00000082        T2 W 0000082  FDRI      CRC: 0014CA3C
003B57EA - 3022 040D0017        T1 W 0000002  FAR_MAJ
003B57F0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001C57CE
003B58FE - 3022 04230017        T1 W 0000002  FAR_MAJ
003B5904 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0017A6CC
003B5A12 - 3022 050D0017        T1 W 0000002  FAR_MAJ
003B5A18 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00037603
003B5B26 - 3022 051A0017        T1 W 0000002  FAR_MAJ
003B5B2C - 5060 00000082        T2 W 0000082  FDRI      CRC: 00069CF5
003B5C3A - 3022 05230017        T1 W 0000002  FAR_MAJ
003B5C40 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003DE286
003B5D4E - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5D52 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
003B5D56 - 2000                 T1 - 0000000  NOP       (4x)
003B5D5E - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5D62 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
003B5D66 - 30E1 00FF            T1 W 0000001  MASK
003B5D6A - 30C1 0081            T1 W 0000001  CTL
003B5D6E - 3002 00205EF5        T1 W 0000002  CRC
003B5D74 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
003B5D78 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
04  00000059 --- 20160516  [003B5D93-005218CD]
      003B5D93 - Data Size: 0016BAF3
      003B5D93 - Header Size: 00000048

003B5DDB - FFFFFFFF             Padding
003B5DDF - FFFFFFFF             Padding
003B5DE3 - FFFFFFFF             Padding
003B5DE7 - FFFFFFFF             Padding
003B5DEB - AA995566             Sync Word (BPI/SPI Mode)
003B5DEF - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
003B5DF3 - 2000                 T1 - 0000000  NOP       (1x)
003B5DF5 - 31A1 0628            T1 W 0000001  FLR
003B5DF9 - 3141 3D08            T1 W 0000001  COR1
003B5DFD - 3161 09EE            T1 W 0000001  COR2
003B5E01 - 31C2 04008093        T1 W 0000002  IDCODE
003B5E07 - 30E1 00CF            T1 W 0000001  MASK
003B5E0B - 30C1 0081            T1 W 0000001  CTL
003B5E0F - 2000                 T1 - 0000000  NOP       (17x)
003B5E31 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
003B5E35 - 3181 0881            T1 W 0000001  PWRDN_REG
003B5E39 - 3421 0000            T1 W 0000001  EYE_MASK
003B5E3D - 3201 001F            T1 W 0000001  HC_OPT_REG
003B5E41 - 31E1 FFFF            T1 W 0000001  CWDT
003B5E45 - 3321 0005            T1 W 0000001  PU_GWE
003B5E49 - 3341 0004            T1 W 0000001  PU_GTS
003B5E4D - 3301 0100            T1 W 0000001  MODE_REG
003B5E51 - 3261 0000            T1 W 0000001  GENERAL1
003B5E55 - 3281 0000            T1 W 0000001  GENERAL2
003B5E59 - 32A1 0000            T1 W 0000001  GENERAL3
003B5E5D - 32C1 0000            T1 W 0000001  GENERAL4
003B5E61 - 32E1 0000            T1 W 0000001  GENERAL5
003B5E65 - 33A1 1BE2            T1 W 0000001  SEU_OPT
003B5E69 - 33C2 00000000        T1 W 0000002  EXP_SIGN
003B5E6F - 2000                 T1 - 0000000  NOP       (2x)
003B5E73 - 3022 00000000        T1 W 0000002  FAR_MAJ
003B5E79 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B5E7D - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 002B8811
005203D9 - 2000                 T1 - 0000000  NOP       (24x)
00520409 - 3022 00040017        T1 W 0000002  FAR_MAJ
0052040F - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00520413 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003AE8A0
00520521 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00520527 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0003D2F5
00520635 - 3022 001A0017        T1 W 0000002  FAR_MAJ
0052063B - 5060 00000082        T2 W 0000082  FDRI      CRC: 000C9D2E
00520749 - 3022 01040017        T1 W 0000002  FAR_MAJ
0052074F - 5060 00000082        T2 W 0000082  FDRI      CRC: 000F9CED
0052085D - 3022 010D0017        T1 W 0000002  FAR_MAJ
00520863 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002B37CB
00520971 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00520977 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000F731E
00520A85 - 3022 01230017        T1 W 0000002  FAR_MAJ
00520A8B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0008A05A
00520B99 - 3022 02040017        T1 W 0000002  FAR_MAJ
00520B9F - 5060 00000082        T2 W 0000082  FDRI      CRC: 002A8550
00520CAD - 3022 020D0017        T1 W 0000002  FAR_MAJ
00520CB3 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003A459B
00520DC1 - 3022 030D0017        T1 W 0000002  FAR_MAJ
00520DC7 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000EFB42
00520ED5 - 3022 031A0017        T1 W 0000002  FAR_MAJ
00520EDB - 5060 00000082        T2 W 0000082  FDRI      CRC: 0008F310
00520FE9 - 3022 03230017        T1 W 0000002  FAR_MAJ
00520FEF - 5060 00000082        T2 W 0000082  FDRI      CRC: 00275C86
005210FD - 3022 04040017        T1 W 0000002  FAR_MAJ
00521103 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001C9593
00521211 - 3022 040D0017        T1 W 0000002  FAR_MAJ
00521217 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0024C949
00521325 - 3022 041A0017        T1 W 0000002  FAR_MAJ
0052132B - 5060 00000082        T2 W 0000082  FDRI      CRC: 000126CA
00521439 - 3022 04230017        T1 W 0000002  FAR_MAJ
0052143F - 5060 00000082        T2 W 0000082  FDRI      CRC: 001B87F4
0052154D - 3022 05040017        T1 W 0000002  FAR_MAJ
00521553 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000377BB
00521661 - 3022 050D0017        T1 W 0000002  FAR_MAJ
00521667 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00291A21
00521775 - 3022 06040017        T1 W 0000002  FAR_MAJ
0052177B - 5060 00000082        T2 W 0000082  FDRI      CRC: 003EDDFD
00521889 - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0052188D - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
00521891 - 2000                 T1 - 0000000  NOP       (4x)
00521899 - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0052189D - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
005218A1 - 30E1 00FF            T1 W 0000001  MASK
005218A5 - 30C1 0081            T1 W 0000001  CTL
005218A9 - 3002 002E31B6        T1 W 0000002  CRC
005218AF - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
005218B3 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
05  00000068 --- 1.2.1.38  [005218CE-00656599]
005218CE - Removing block encapsulations from Block Area [005218CE-00656599]

Total bytes extracted (from the blocks): 000FF877    Block area processed OK

Buffer Size: 00006DEA bytes (after converting from 16 to 8 bits)

0x00000000  DXE 0000 (Data Size: 00006DD4) [00000000-00006DE1]
Processor Type: ADSP-BF533/534/536/537/538/539 (boot address: 0xFFA00000)
Orig Offset:    Offset:         Block:  Target Add:     Byte Count:     Flags:  [  start -   end  ]
00000000 ---    0x00000000      0000    FF800040        00000004        0012    [0000000A-0000000D]  resvect ignore
0000001C ---    0x0000000E      0001    FF800000        000022B0        0002    [00000018-000022C7]  resvect
00004590 ---    0x000022C8      0002    FF8022B0        00000010        0003                         zero-fill resvect
000045A4 ---    0x000022D2      0003    FF8022C0        00000010        0002    [000022DC-000022EB]  resvect
000045D8 ---    0x000022EC      0004    FF8022D0        0000029E        0002    [000022F6-00002593]  resvect
00004B28 ---    0x00002594      0005    FF80256E        0000000E        0003                         zero-fill resvect
00004B3C ---    0x0000259E      0006    FF80257C        000009BA        0002    [000025A8-00002F61]  resvect
00005EC4 ---    0x00002F62      0007    FF802F36        000000AA        0003                         zero-fill resvect
00005ED8 ---    0x00002F6C      0008    FF802FE0        0000000C        0002    [00002F76-00002F81]  resvect
00005F04 ---    0x00002F82      0009    FF902000        00000004        0002    [00002F8C-00002F8F]  resvect
00005F20 ---    0x00002F90      000A    FF902004        00000068        0003                         zero-fill resvect
00005F34 ---    0x00002F9A      000B    FFA00000        00003E32        0002    [00002FA4-00006DD5]  resvect
0000DBAC ---    0x00006DD6      000C    FFA00000        00000002        000A    [00006DE0-00006DE1]  resvect init

0000DBC4 --- ZLIB Decompressed Size: 0029FA20
0000DBCC --- ZLIB Compressed Block Size: 000F1CA3 [0000DBD4-000FF876]
****************************************************
  Section Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [0065659A-006D6598]
      0065659A - ?????: 0000DCBB
      0065659E - Data Size: 0006B930
      006565A2 - Name: 3.1.1.13 ???
      006565AE - Section Data [006565AE-006C1EDD]
08  00000095 ---

SDS1000 - 1 x Spartan-6 XC6SLX45 + 1 Spartan-6 XC6SLX16
SDS2000 - 3 x Spartan-6 XC6SLX45

« Last Edit: June 16, 2017, 09:29:45 pm by tv84 »
 
The following users thanked this post: DIPLover, AxaRu

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #83 on: June 17, 2017, 03:39:38 am »
These lines look interesting:
SDS1000X
Code: [Select]
00276C62 - 31C2 04002093        T1 W 0000002  IDCODE
SDS2000
Code: [Select]
0024A602 - 31C2 04008093        T1 W 0000002  IDCODE
BW selection maybe ?  :-//
Avid Rabid Hobbyist
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #84 on: June 17, 2017, 08:34:16 am »
No. Those are the lines that identify the specific FPGA type for which the stream is intended. When loading the stream, the FPGA checks to see if it's the correct ID in the stream or it aborts installation.

See here https://github.com/matrix-io/xc3sprog/blob/master/devlist.txt
 
The following users thanked this post: tautech

Offline matib12

  • Newbie
  • Posts: 3
  • Country: pl
    • mbecho
Re: Siglent .ads firmware file format
« Reply #85 on: July 27, 2017, 08:11:14 pm »
I used the SDS ads 0.13 tool on the SDS2000X_V1.2.2.2_Firmware_Update_EN. Then, as was suggested, I reversed the bytes of the whole files (Part_2, Part_3 and Part4) with this code:

Code: [Select]
def reverse(b):
    """Return byte b with its bit order mirrored (bit 7 <-> bit 0, and so on)."""
    b = (b & 0xF0) >> 4 | (b & 0x0F) << 4   # swap the two nibbles
    b = (b & 0xCC) >> 2 | (b & 0x33) << 2   # swap bit pairs inside each nibble
    b = (b & 0xAA) >> 1 | (b & 0x55) << 1   # swap adjacent bits
    return b


in_name = 'Part_4.bit'
#in_name = 'sds2kx_V100R02B01D02P02_fvA1609220922M160922.ADS'
out_name = 'ByteSwap_' + in_name

with open(in_name, 'rb') as f:
    b = bytearray(f.read())

# Mirror the bits inside every byte; the byte positions stay the same
for j in range(len(b)):
    b[j] = reverse(b[j])

with open(out_name, 'wb') as f:
    f.write(b)
print(' * Byte reverse done * ')

All those files contain IDCODE: 04008093 at offset 0x70, which means three Spartan6 XC6SLX45 in the scope.

Anyway, the files cannot be used in iMPACT in this form. What is in the file can be a *.bin file; then it does not have a header and starts with an FFFF sequence. Otherwise it is a *.bit where the header is missing.

I generated an "empty" *.bit file for XC6SLX45 with ISE for reference. It is 16A6CE long. It finishes with a 0202 sequence. There is something similar in the analysed file but not in the right place.
 
The following users thanked this post: AxaRu
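
Added example, not part of the thread or of any poster's tool: a Python sketch of the check discussed in replies #84 and #85, useful for confirming which FPGA a bitstream section targets before it goes anywhere near a device. It mirrors the bits of every byte, then walks the 16-bit Spartan-6 packet headers after the sync word until it reaches the IDCODE write. Assumptions: the register numbers are read off the header words in tv84's dumps, the 4-byte CRC skipped after an FDRI block is inferred from the offsets in those dumps, the XC6SLX16 entry is not stated in the thread, and the sample part is constructed.

```python
import struct

SYNC = bytes.fromhex("AA995566")
# Lookup table that mirrors the bit order of a byte (0x01 <-> 0x80).
BITREV = bytes(int(f"{i:08b}"[::-1], 2) for i in range(256))

# Register number = bits 10:5 of a Type 1 header word, as seen in the dumps
# (30A1 -> CMD, 31C2 -> IDCODE, 5060 -> FDRI, ...). Subset only.
REGS = {0x00: "CRC", 0x01: "FAR_MAJ", 0x03: "FDRI", 0x05: "CMD", 0x06: "CTL",
        0x07: "MASK", 0x0A: "COR1", 0x0B: "COR2", 0x0D: "FLR", 0x0E: "IDCODE"}
# 04008093 -> XC6SLX45 is from the thread; the XC6SLX16 entry is an addition.
DEVICES = {0x04008093: "XC6SLX45", 0x04002093: "XC6SLX16"}
OP_NOP, OP_WRITE = 0, 2
CMD_DESYNC = b"\x00\x0D"


def walk_packets(stream):
    """Yield (header_offset, name, payload) for each packet after the sync word."""
    pos = stream.find(SYNC)
    if pos < 0:
        raise ValueError("no AA995566 sync word: wrong bit order or not a bitstream")
    pos += len(SYNC)
    while pos + 2 <= len(stream):
        (hdr,) = struct.unpack_from(">H", stream, pos)
        ptype, op = hdr >> 13, (hdr >> 11) & 0x3
        reg, count = (hdr >> 5) & 0x3F, hdr & 0x1F
        body = pos + 2
        if ptype == 2:                       # Type 2: a 32-bit word count follows
            if body + 4 > len(stream):
                raise ValueError(f"truncated Type 2 header at {pos:#x}")
            (count,) = struct.unpack_from(">I", stream, body)
            body += 4
        elif ptype != 1:
            raise ValueError(f"unknown packet type {ptype} at {pos:#x}")
        end = body + 2 * count               # payload is counted in 16-bit words
        # The dumps show 4 extra bytes (a CRC) after each FDRI data block.
        tail = 4 if (ptype == 2 and op == OP_WRITE) else 0
        if end + tail > len(stream):
            raise ValueError(f"packet at {pos:#x} runs past the end of the data")
        name = "NOP" if op == OP_NOP else REGS.get(reg, f"REG_{reg:02X}")
        payload = stream[body:end]
        yield pos, name, payload
        if name == "CMD" and op == OP_WRITE and payload == CMD_DESYNC:
            return                           # nothing after DESYNC is a packet
        pos = end + tail


def check_target(part, expected_idcode):
    """Bit-reverse an extracted part and compare its IDCODE with the expected one."""
    stream = part.translate(BITREV)
    for offset, name, payload in walk_packets(stream):
        if name == "IDCODE":
            idcode = int.from_bytes(payload, "big")
            return {"offset": offset + 2,    # where the 32-bit value itself sits
                    "idcode": idcode,
                    "device": DEVICES.get(idcode, "unknown"),
                    "match": idcode == expected_idcode}
    raise ValueError("no IDCODE write before DESYNC")


def build_sample():
    """Constructed part: 0x48 header bytes, padding, then words as in the dumps."""
    words = ("30A1 0007  2000  31A1 0628  3141 3D00  3161 09EE  31C2 04008093 "
             "30E1 00CF  30C1 0081  3022 00000000  30A1 0001 "
             "5060 00000002 DEADBEEF 00000000  30A1 000D  2000")
    stream = bytes(0x48) + b"\xFF" * 16 + SYNC + bytes.fromhex(words)
    return stream.translate(BITREV)          # stored bit-reversed, like the parts


SAMPLE_PART = build_sample()

if __name__ == "__main__":
    result = check_target(SAMPLE_PART, 0x04008093)
    print(f"IDCODE {result['idcode']:08X} ({result['device']}) at offset "
          f"{result['offset']:#x}, match={result['match']}")
```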

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #86 on: July 28, 2017, 08:23:47 pm »
matib12,

Better way to reverse (C#):

Code: [Select]
        private static byte reverseByteBits(byte a)  // Reverse the bits in a Byte
        { return (byte)((a * 0x0202020202 & 0x010884422010) % 1023); }

Here's my parsing/decode of sds2kx_V100R02B01D02P02_fvA1609220922M160922.ADS:

Code: [Select]
Parsing a SIGLENT SDS1000/SDS2000 file
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20160922  [000DED95-0024A47F]
      000DED95 - Data Size: 0016B6A3
      000DED95 - Header Size: 00000048

000DEDDD - FFFFFFFF             Padding
000DEDE1 - FFFFFFFF             Padding
000DEDE5 - FFFFFFFF             Padding
000DEDE9 - FFFFFFFF             Padding
000DEDED - AA995566             Sync Word (BPI/SPI Mode)
000DEDF1 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
000DEDF5 - 2000                 T1 - 0000000  NOP       (1x)
000DEDF7 - 31A1 0628            T1 W 0000001  FLR
000DEDFB - 3141 3D00            T1 W 0000001  COR1
000DEDFF - 3161 09EE            T1 W 0000001  COR2
000DEE03 - 31C2 04008093        T1 W 0000002  IDCODE
000DEE09 - 30E1 00CF            T1 W 0000001  MASK
000DEE0D - 30C1 0081            T1 W 0000001  CTL
000DEE11 - 2000                 T1 - 0000000  NOP       (17x)
000DEE33 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
000DEE37 - 3181 0881            T1 W 0000001  PWRDN_REG
000DEE3B - 3421 0000            T1 W 0000001  EYE_MASK
000DEE3F - 3201 001F            T1 W 0000001  HC_OPT_REG
000DEE43 - 31E1 FFFF            T1 W 0000001  CWDT
000DEE47 - 3321 0005            T1 W 0000001  PU_GWE
000DEE4B - 3341 0004            T1 W 0000001  PU_GTS
000DEE4F - 3301 0100            T1 W 0000001  MODE_REG
000DEE53 - 3261 0000            T1 W 0000001  GENERAL1
000DEE57 - 3281 0000            T1 W 0000001  GENERAL2
000DEE5B - 32A1 0000            T1 W 0000001  GENERAL3
000DEE5F - 32C1 0000            T1 W 0000001  GENERAL4
000DEE63 - 32E1 0000            T1 W 0000001  GENERAL5
000DEE67 - 33A1 1BE2            T1 W 0000001  SEU_OPT
000DEE6B - 33C2 00000000        T1 W 0000002  EXP_SIGN
000DEE71 - 2000                 T1 - 0000000  NOP       (2x)
000DEE75 - 3022 00000000        T1 W 0000002  FAR_MAJ
000DEE7B - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000DEE7F - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0030A883
002493DB - 2000                 T1 - 0000000  NOP       (24x)
0024940B - 3022 00040017        T1 W 0000002  FAR_MAJ
00249411 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00249415 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00024B83
00249523 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00249529 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001EE1DD
00249637 - 3022 001A0017        T1 W 0000002  FAR_MAJ
0024963D - 5060 00000082        T2 W 0000082  FDRI      CRC: 0020C6C9
0024974B - 3022 00230017        T1 W 0000002  FAR_MAJ
00249751 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0001E99E
0024985F - 3022 01040017        T1 W 0000002  FAR_MAJ
00249865 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003117C6
00249973 - 3022 010D0017        T1 W 0000002  FAR_MAJ
00249979 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00294671
00249A87 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00249A8D - 5060 00000082        T2 W 0000082  FDRI      CRC: 002473B9
00249B9B - 3022 01230017        T1 W 0000002  FAR_MAJ
00249BA1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E65E7
00249CAF - 3022 021A0017        T1 W 0000002  FAR_MAJ
00249CB5 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002675A2
00249DC3 - 3022 02230017        T1 W 0000002  FAR_MAJ
00249DC9 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00192AA0
00249ED7 - 3022 03040017        T1 W 0000002  FAR_MAJ
00249EDD - 5060 00000082        T2 W 0000082  FDRI      CRC: 0010969D
00249FEB - 3022 04040017        T1 W 0000002  FAR_MAJ
00249FF1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0028B252
0024A0FF - 3022 041A0017        T1 W 0000002  FAR_MAJ
0024A105 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002E7925
0024A213 - 3022 051A0017        T1 W 0000002  FAR_MAJ
0024A219 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005A5E5
0024A327 - 3022 07230017        T1 W 0000002  FAR_MAJ
0024A32D - 5060 00000082        T2 W 0000082  FDRI      CRC: 00158043
0024A43B - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A43F - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0024A443 - 2000                 T1 - 0000000  NOP       (4x)
0024A44B - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A44F - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0024A453 - 30E1 00FF            T1 W 0000001  MASK
0024A457 - 30C1 0081            T1 W 0000001  CTL
0024A45B - 3002 002E7B9D        T1 W 0000002  CRC
0024A461 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
0024A465 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
03  0000004A --- 20160922  [0024A480-003B5C7E]
      0024A480 - Data Size: 0016B7B7
      0024A480 - Header Size: 00000048

0024A4C8 - FFFFFFFF             Padding
0024A4CC - FFFFFFFF             Padding
0024A4D0 - FFFFFFFF             Padding
0024A4D4 - FFFFFFFF             Padding
0024A4D8 - AA995566             Sync Word (BPI/SPI Mode)
0024A4DC - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
0024A4E0 - 2000                 T1 - 0000000  NOP       (1x)
0024A4E2 - 31A1 0628            T1 W 0000001  FLR
0024A4E6 - 3141 3D00            T1 W 0000001  COR1
0024A4EA - 3161 09EE            T1 W 0000001  COR2
0024A4EE - 31C2 04008093        T1 W 0000002  IDCODE
0024A4F4 - 30E1 00CF            T1 W 0000001  MASK
0024A4F8 - 30C1 0081            T1 W 0000001  CTL
0024A4FC - 2000                 T1 - 0000000  NOP       (17x)
0024A51E - 3381 3CC8            T1 W 0000001  CCLK_FREQ
0024A522 - 3181 0881            T1 W 0000001  PWRDN_REG
0024A526 - 3421 0000            T1 W 0000001  EYE_MASK
0024A52A - 3201 001F            T1 W 0000001  HC_OPT_REG
0024A52E - 31E1 FFFF            T1 W 0000001  CWDT
0024A532 - 3321 0005            T1 W 0000001  PU_GWE
0024A536 - 3341 0004            T1 W 0000001  PU_GTS
0024A53A - 3301 0100            T1 W 0000001  MODE_REG
0024A53E - 3261 0000            T1 W 0000001  GENERAL1
0024A542 - 3281 0000            T1 W 0000001  GENERAL2
0024A546 - 32A1 0000            T1 W 0000001  GENERAL3
0024A54A - 32C1 0000            T1 W 0000001  GENERAL4
0024A54E - 32E1 0000            T1 W 0000001  GENERAL5
0024A552 - 33A1 1BE2            T1 W 0000001  SEU_OPT
0024A556 - 33C2 00000000        T1 W 0000002  EXP_SIGN
0024A55C - 2000                 T1 - 0000000  NOP       (2x)
0024A560 - 3022 00000000        T1 W 0000002  FAR_MAJ
0024A566 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
0024A56A - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 002483B9
003B4AC6 - 2000                 T1 - 0000000  NOP       (24x)
003B4AF6 - 3022 01230017        T1 W 0000002  FAR_MAJ
003B4AFC - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B4B00 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005A45A
003B4C0E - 3022 021A0017        T1 W 0000002  FAR_MAJ
003B4C14 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003FDEB8
003B4D22 - 3022 02230017        T1 W 0000002  FAR_MAJ
003B4D28 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00327927
003B4E36 - 3022 03040017        T1 W 0000002  FAR_MAJ
003B4E3C - 5060 00000082        T2 W 0000082  FDRI      CRC: 001F0CCB
003B4F4A - 3022 030D0017        T1 W 0000002  FAR_MAJ
003B4F50 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002995C9
003B505E - 3022 031A0017        T1 W 0000002  FAR_MAJ
003B5064 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00374AD7
003B5172 - 3022 03230017        T1 W 0000002  FAR_MAJ
003B5178 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000B2C82
003B5286 - 3022 04040017        T1 W 0000002  FAR_MAJ
003B528C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0013E5DB
003B539A - 3022 040D0017        T1 W 0000002  FAR_MAJ
003B53A0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001EF8CF
003B54AE - 3022 041A0017        T1 W 0000002  FAR_MAJ
003B54B4 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00385AC2
003B55C2 - 3022 04230017        T1 W 0000002  FAR_MAJ
003B55C8 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002C7B03
003B56D6 - 3022 05040017        T1 W 0000002  FAR_MAJ
003B56DC - 5060 00000082        T2 W 0000082  FDRI      CRC: 001FC3EF
003B57EA - 3022 050D0017        T1 W 0000002  FAR_MAJ
003B57F0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003F9D02
003B58FE - 3022 05230017        T1 W 0000002  FAR_MAJ
003B5904 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A7833
003B5A12 - 3022 06040017        T1 W 0000002  FAR_MAJ
003B5A18 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00266FD4
003B5B26 - 3022 06230017        T1 W 0000002  FAR_MAJ
003B5B2C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0032FDA2
003B5C3A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5C3E - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
003B5C42 - 2000                 T1 - 0000000  NOP       (4x)
003B5C4A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5C4E - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
003B5C52 - 30E1 00FF            T1 W 0000001  MASK
003B5C56 - 30C1 0081            T1 W 0000001  CTL
003B5C5A - 3002 0020E07A        T1 W 0000002  CRC
003B5C60 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
003B5C64 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
04  00000059 --- 20160922  [003B5C7F-005219E1]
      003B5C7F - Data Size: 0016BD1B
      003B5C7F - Header Size: 00000048

003B5CC7 - FFFFFFFF             Padding
003B5CCB - FFFFFFFF             Padding
003B5CCF - FFFFFFFF             Padding
003B5CD3 - FFFFFFFF             Padding
003B5CD7 - AA995566             Sync Word (BPI/SPI Mode)
003B5CDB - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
003B5CDF - 2000                 T1 - 0000000  NOP       (1x)
003B5CE1 - 31A1 0628            T1 W 0000001  FLR
003B5CE5 - 3141 3D08            T1 W 0000001  COR1
003B5CE9 - 3161 09EE            T1 W 0000001  COR2
003B5CED - 31C2 04008093        T1 W 0000002  IDCODE
003B5CF3 - 30E1 00CF            T1 W 0000001  MASK
003B5CF7 - 30C1 0081            T1 W 0000001  CTL
003B5CFB - 2000                 T1 - 0000000  NOP       (17x)
003B5D1D - 3381 3CC8            T1 W 0000001  CCLK_FREQ
003B5D21 - 3181 0881            T1 W 0000001  PWRDN_REG
003B5D25 - 3421 0000            T1 W 0000001  EYE_MASK
003B5D29 - 3201 001F            T1 W 0000001  HC_OPT_REG
003B5D2D - 31E1 FFFF            T1 W 0000001  CWDT
003B5D31 - 3321 0005            T1 W 0000001  PU_GWE
003B5D35 - 3341 0004            T1 W 0000001  PU_GTS
003B5D39 - 3301 0100            T1 W 0000001  MODE_REG
003B5D3D - 3261 0000            T1 W 0000001  GENERAL1
003B5D41 - 3281 0000            T1 W 0000001  GENERAL2
003B5D45 - 32A1 0000            T1 W 0000001  GENERAL3
003B5D49 - 32C1 0000            T1 W 0000001  GENERAL4
003B5D4D - 32E1 0000            T1 W 0000001  GENERAL5
003B5D51 - 33A1 1BE2            T1 W 0000001  SEU_OPT
003B5D55 - 33C2 00000000        T1 W 0000002  EXP_SIGN
003B5D5B - 2000                 T1 - 0000000  NOP       (2x)
003B5D5F - 3022 00000000        T1 W 0000002  FAR_MAJ
003B5D65 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B5D69 - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0003C50A
005202C5 - 2000                 T1 - 0000000  NOP       (24x)
005202F5 - 3022 00040017        T1 W 0000002  FAR_MAJ
005202FB - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
005202FF - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E1099
0052040D - 3022 000D0017        T1 W 0000002  FAR_MAJ
00520413 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002FEF01
00520521 - 3022 001A0017        T1 W 0000002  FAR_MAJ
00520527 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000EC6B1
00520635 - 3022 01040017        T1 W 0000002  FAR_MAJ
0052063B - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A1576
00520749 - 3022 010D0017        T1 W 0000002  FAR_MAJ
0052074F - 5060 00000082        T2 W 0000082  FDRI      CRC: 000C458E
0052085D - 3022 011A0017        T1 W 0000002  FAR_MAJ
00520863 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A9D1D
00520971 - 3022 01230017        T1 W 0000002  FAR_MAJ
00520977 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A1B36
00520A85 - 3022 02040017        T1 W 0000002  FAR_MAJ
00520A8B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005C494
00520B99 - 3022 020D0017        T1 W 0000002  FAR_MAJ
00520B9F - 5060 00000082        T2 W 0000082  FDRI      CRC: 00076315
00520CAD - 3022 03040017        T1 W 0000002  FAR_MAJ
00520CB3 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0026FBD1
00520DC1 - 3022 030D0017        T1 W 0000002  FAR_MAJ
00520DC7 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002525AE
00520ED5 - 3022 04040017        T1 W 0000002  FAR_MAJ
00520EDB - 5060 00000082        T2 W 0000082  FDRI      CRC: 002DED8E
00520FE9 - 3022 040D0017        T1 W 0000002  FAR_MAJ
00520FEF - 5060 00000082        T2 W 0000082  FDRI      CRC: 000785AD
005210FD - 3022 041A0017        T1 W 0000002  FAR_MAJ
00521103 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00173D17
00521211 - 3022 04230017        T1 W 0000002  FAR_MAJ
00521217 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038A0E7
00521325 - 3022 05040017        T1 W 0000002  FAR_MAJ
0052132B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0019B766
00521439 - 3022 051A0017        T1 W 0000002  FAR_MAJ
0052143F - 5060 00000082        T2 W 0000082  FDRI      CRC: 0028C4B0
0052154D - 3022 05230017        T1 W 0000002  FAR_MAJ
00521553 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002B3B85
00521661 - 3022 06040017        T1 W 0000002  FAR_MAJ
00521667 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001B9738
00521775 - 3022 061A0017        T1 W 0000002  FAR_MAJ
0052177B - 5060 00000082        T2 W 0000082  FDRI      CRC: 002795C7
00521889 - 3022 06230017        T1 W 0000002  FAR_MAJ
0052188F - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038E821
0052199D - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
005219A1 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
005219A5 - 2000                 T1 - 0000000  NOP       (4x)
005219AD - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
005219B1 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
005219B5 - 30E1 00FF            T1 W 0000001  MASK
005219B9 - 30C1 0081            T1 W 0000001  CTL
005219BD - 3002 002025B0        T1 W 0000002  CRC
005219C3 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
005219C7 - 2000                 T1 - 0000000  NOP       (13x)
****************************************************
05  00000068 --- 1.2.2.2   [005219E2-00656E68]
005219E2 - Removing block encapsulations from Block Area [005219E2-00656E68]

Total bytes extracted (from the blocks): 000FFEDE    Block area processed OK

Buffer Size: 00006DEA bytes (after converting from 16 to 8 bits)

0x00000000  DXE 0000 (Data Size: 00006DD4) [00000000-00006DE1]
Processor Type: ADSP-BF533/534/536/537/538/539 (boot address: 0xFFA00000)
Orig Offset:    Offset:         Block:  Target Add:     Byte Count:     Flags:  [  start -   end  ]
00000000 ---    0x00000000      0000    FF800040        00000004        0012    [0000000A-0000000D]  resvect ignore
0000001C ---    0x0000000E      0001    FF800000        000022B0        0002    [00000018-000022C7]  resvect
00004590 ---    0x000022C8      0002    FF8022B0        00000010        0003                         zero-fill resvect
000045A4 ---    0x000022D2      0003    FF8022C0        00000010        0002    [000022DC-000022EB]  resvect
000045D8 ---    0x000022EC      0004    FF8022D0        0000029E        0002    [000022F6-00002593]  resvect
00004B28 ---    0x00002594      0005    FF80256E        0000000E        0003                         zero-fill resvect
00004B3C ---    0x0000259E      0006    FF80257C        000009BA        0002    [000025A8-00002F61]  resvect
00005EC4 ---    0x00002F62      0007    FF802F36        000000AA        0003                         zero-fill resvect
00005ED8 ---    0x00002F6C      0008    FF802FE0        0000000C        0002    [00002F76-00002F81]  resvect
00005F04 ---    0x00002F82      0009    FF902000        00000004        0002    [00002F8C-00002F8F]  resvect
00005F20 ---    0x00002F90      000A    FF902004        00000068        0003                         zero-fill resvect
00005F34 ---    0x00002F9A      000B    FFA00000        00003E32        0002    [00002FA4-00006DD5]  resvect
0000DBAC ---    0x00006DD6      000C    FFA00000        00000002        000A    [00006DE0-00006DE1]  resvect init

0000DBC4 --- ZLIB Decompressed Size: 002A0BE0
0000DBCC --- ZLIB Compressed Block Size: 000F230A [0000DBD4-000FFEDD]
****************************************************
  Section Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [00656E69-006D6E67]
      00656E69 - ?????: 0000DCBB
      00656E6D - Data Size: 0006B930
      00656E71 - Name: 3.1.1.13 ???
      00656E7D - Section Data [00656E7D-006C27AC]
08  00000095 ---

What I'm trying to understand (without success) is part 7 (don't know if it's CPLD stuff...)

If you want to transform one of the .bin blocks into a .bit stream, you must add a header of this type (remember you must change the sizes according to your bitstream):

Code: [Select]
00000000 - 0009         (0x0009) File Header Length
00000002 - 0FF00FF0     (0x0FF00FF0) File Header Long 1
00000006 - 0FF00FF0     (0x0FF00FF0) File Header Long 2
0000000A - 00           (0x00) File Header Zero
0000000B - 0001         (0x0001) Key Length
0000000D - 61 001D      (key 0x61) Design Name: VirtexUnitTest.reference.ncd
0000002D - 62 0009      (key 0x62) Part Name: v50bg256
00000039 - 63 000B      (key 0x63) Generation Date: 2011/ 1/26
00000047 - 64 0009      (key 0x64) Generation Time: 11:51:59
00000053 - 65 0001110C  (key 0x65) Bitstream Length: 0001110C  [00000058-00011163]
--------------  BITSTREAM  ------------------------
00000058 - FFFFFFFF             Padding
0000005C - AA995566             Sync Word (BPI/SPI Mode)
« Last Edit: July 28, 2017, 09:07:01 pm by tv84 »
 
The following users thanked this post: AxaRu
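
Added example, not tv84's tool and not Xilinx code: a Python sketch that writes the .bit header laid out in the post above in front of a raw configuration stream and parses it back, rejecting files whose length fields do not add up. It assumes the stream is already in normal bit order and that the 0x48-byte Siglent section header has been removed; the function names are hypothetical, and the demo strings are the ones from the sample header in the post.

```python
import struct

PREAMBLE = bytes.fromhex("0FF00FF00FF00FF000")   # the 9 bytes after the 0x0009 length
SYNC = bytes.fromhex("AA995566")
TEXT_KEYS = "abcd"   # design name, part name, generation date, generation time


def text_field(key, text):
    """Key byte, 16-bit big-endian length, NUL-terminated ASCII string."""
    data = text.encode("ascii") + b"\x00"
    return key.encode("ascii") + struct.pack(">H", len(data)) + data


def build_bit(bitstream, design, part, date, time):
    """Prefix a raw configuration stream with a .bit header."""
    if not bitstream.lstrip(b"\xFF").startswith(SYNC):
        raise ValueError("stream does not start with FF padding + AA995566")
    header = struct.pack(">H", len(PREAMBLE)) + PREAMBLE + struct.pack(">H", 1)
    for key, text in zip(TEXT_KEYS, (design, part, date, time)):
        header += text_field(key, text)
    header += b"e" + struct.pack(">I", len(bitstream))   # key 0x65: 32-bit length
    return header + bitstream


def parse_bit(blob):
    """Return ({key: (offset, value)}, bitstream); raise ValueError if malformed."""
    try:
        (n,) = struct.unpack_from(">H", blob, 0)
        if blob[2:2 + n] != PREAMBLE:
            raise ValueError("unexpected file header")
        pos = 2 + n
        if struct.unpack_from(">H", blob, pos)[0] != 1:
            raise ValueError("unexpected key length")
        pos += 2
        fields = {}
        for key in TEXT_KEYS:
            if blob[pos:pos + 1] != key.encode("ascii"):
                raise ValueError(f"expected key {key!r} at {pos:#x}")
            (size,) = struct.unpack_from(">H", blob, pos + 1)
            raw = blob[pos + 3:pos + 3 + size]
            if len(raw) != size:
                raise ValueError(f"field {key!r} runs past the end of the file")
            fields[key] = (pos, raw.rstrip(b"\x00").decode("ascii"))
            pos += 3 + size
        if blob[pos:pos + 1] != b"e":
            raise ValueError(f"expected key 'e' at {pos:#x}")
        (size,) = struct.unpack_from(">I", blob, pos + 1)
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    start = pos + 5
    if start + size != len(blob):
        raise ValueError("bitstream length field does not match the file size")
    fields["e"] = (pos, size)
    return fields, blob[start:]


if __name__ == "__main__":
    # Constructed 16-byte stand-in for a real configuration stream.
    stream = bytes.fromhex("FFFFFFFF AA995566") + bytes(8)
    blob = build_bit(stream, "VirtexUnitTest.reference.ncd", "v50bg256",
                     "2011/ 1/26", "11:51:59")
    fields, body = parse_bit(blob)
    for key, (offset, value) in fields.items():
        print(f"{offset:08X} - key {key!r}: {value}")
    print(f"bitstream starts at {len(blob) - len(body):#x}")
```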

Offline AxaRu

  • Newbie
  • Posts: 1
  • Country: ru
Re: Siglent .ads firmware file format
« Reply #87 on: August 07, 2017, 08:28:31 am »
Hi everybody.

Any news?
 

Offline 0xPIT

  • Regular Contributor
  • *
  • Posts: 52
Re: Siglent .ads firmware file format
« Reply #88 on: September 03, 2017, 09:46:00 am »
Hello,

Did anyone manage to find a serial console on the SDG1025? (Like this guy did on the 800 series: http://41j.com/blog/2016/08/hacking-around-with-a-sdg800-sdg805/)

After soldering a pin header to the pads labelled UART, I tried (several known-good) TTL to USB converters, but there seems to be no output. Also, I've verified that the TX and RX pins go directly to the Blackfin TX&RX pins.

Checking with the Scope, the only thing that happens is it pulls TX high.

Any ideas?
 

Offline matib12

  • Newbie
  • Posts: 3
  • Country: pl
    • mbecho
Re: Siglent .ads firmware file format
« Reply #89 on: September 07, 2017, 07:24:43 pm »
I'm not surprised by the outcome of your experiment. I did the same with my SDS2000X with the same effect. It seems that the serial console had been disabled already in u-boot. My next attempt would be a memory dump via JTAG connector if I have some spare time.
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #90 on: September 08, 2017, 10:07:07 pm »
The parsing of the latest SDS2000X fw is:

Code: [Select]
Parsing a SIGLENT SDS1000/SDS2000 file
01  0000002C --- 2.1.1.9   [000000C4-000DED94]
      000000C4 - Checksum: FFBDDCC9
      000000C8 - Name: 2.1.1.8
      000000C8 - Section Data [000000C8-000DED94]  CKSM OK
02  0000003B --- 20160922  [000DED95-0024A47F]
      000DED95 - Data Size: 0016B6A3
      000DED95 - Header Size: 00000048

000DEDDD - FFFFFFFF             Padding
000DEDE1 - FFFFFFFF             Padding
000DEDE5 - FFFFFFFF             Padding
000DEDE9 - FFFFFFFF             Padding
000DEDED - AA995566             Sync Word (BPI/SPI Mode)
000DEDF1 - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
000DEDF5 - 2000                 T1 - 0000000  NOP       (1x)
000DEDF7 - 31A1 0628            T1 W 0000001  FLR
000DEDFB - 3141 3D00            T1 W 0000001  COR1
000DEDFF - 3161 09EE            T1 W 0000001  COR2
000DEE03 - 31C2 04008093        T1 W 0000002  IDCODE
000DEE09 - 30E1 00CF            T1 W 0000001  MASK
000DEE0D - 30C1 0081            T1 W 0000001  CTL
000DEE11 - 2000                 T1 - 0000000  NOP       (17x)
000DEE33 - 3381 3CC8            T1 W 0000001  CCLK_FREQ
000DEE37 - 3181 0881            T1 W 0000001  PWRDN_REG
000DEE3B - 3421 0000            T1 W 0000001  EYE_MASK
000DEE3F - 3201 001F            T1 W 0000001  HC_OPT_REG
000DEE43 - 31E1 FFFF            T1 W 0000001  CWDT
000DEE47 - 3321 0005            T1 W 0000001  PU_GWE
000DEE4B - 3341 0004            T1 W 0000001  PU_GTS
000DEE4F - 3301 0100            T1 W 0000001  MODE_REG
000DEE53 - 3261 0000            T1 W 0000001  GENERAL1
000DEE57 - 3281 0000            T1 W 0000001  GENERAL2
000DEE5B - 32A1 0000            T1 W 0000001  GENERAL3
000DEE5F - 32C1 0000            T1 W 0000001  GENERAL4
000DEE63 - 32E1 0000            T1 W 0000001  GENERAL5
000DEE67 - 33A1 1BE2            T1 W 0000001  SEU_OPT
000DEE6B - 33C2 00000000        T1 W 0000002  EXP_SIGN
000DEE71 - 2000                 T1 - 0000000  NOP       (2x)
000DEE75 - 3022 00000000        T1 W 0000002  FAR_MAJ
000DEE7B - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
000DEE7F - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0030A883
002493DB - 2000                 T1 - 0000000  NOP       (24x)
0024940B - 3022 00040017        T1 W 0000002  FAR_MAJ
00249411 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
00249415 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00024B83
00249523 - 3022 000D0017        T1 W 0000002  FAR_MAJ
00249529 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001EE1DD
00249637 - 3022 001A0017        T1 W 0000002  FAR_MAJ
0024963D - 5060 00000082        T2 W 0000082  FDRI      CRC: 0020C6C9
0024974B - 3022 00230017        T1 W 0000002  FAR_MAJ
00249751 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0001E99E
0024985F - 3022 01040017        T1 W 0000002  FAR_MAJ
00249865 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003117C6
00249973 - 3022 010D0017        T1 W 0000002  FAR_MAJ
00249979 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00294671
00249A87 - 3022 011A0017        T1 W 0000002  FAR_MAJ
00249A8D - 5060 00000082        T2 W 0000082  FDRI      CRC: 002473B9
00249B9B - 3022 01230017        T1 W 0000002  FAR_MAJ
00249BA1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E65E7
00249CAF - 3022 021A0017        T1 W 0000002  FAR_MAJ
00249CB5 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002675A2
00249DC3 - 3022 02230017        T1 W 0000002  FAR_MAJ
00249DC9 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00192AA0
00249ED7 - 3022 03040017        T1 W 0000002  FAR_MAJ
00249EDD - 5060 00000082        T2 W 0000082  FDRI      CRC: 0010969D
00249FEB - 3022 04040017        T1 W 0000002  FAR_MAJ
00249FF1 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0028B252
0024A0FF - 3022 041A0017        T1 W 0000002  FAR_MAJ
0024A105 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002E7925
0024A213 - 3022 051A0017        T1 W 0000002  FAR_MAJ
0024A219 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005A5E5
0024A327 - 3022 07230017        T1 W 0000002  FAR_MAJ
0024A32D - 5060 00000082        T2 W 0000082  FDRI      CRC: 00158043
0024A43B - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A43F - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
0024A443 - 2000                 T1 - 0000000  NOP       (4x)
0024A44B - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
0024A44F - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
0024A453 - 30E1 00FF            T1 W 0000001  MASK
0024A457 - 30C1 0081            T1 W 0000001  CTL
0024A45B - 3002 002E7B9D        T1 W 0000002  CRC
0024A461 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
0024A465 - 2000                 T1 - 0000000  NOP       (13x)
    Section processed OK
****************************************************
03  0000004A --- 20160922  [0024A480-003B5C7E]
      0024A480 - Data Size: 0016B7B7
      0024A480 - Header Size: 00000048

0024A4C8 - FFFFFFFF             Padding
0024A4CC - FFFFFFFF             Padding
0024A4D0 - FFFFFFFF             Padding
0024A4D4 - FFFFFFFF             Padding
0024A4D8 - AA995566             Sync Word (BPI/SPI Mode)
0024A4DC - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
0024A4E0 - 2000                 T1 - 0000000  NOP       (1x)
0024A4E2 - 31A1 0628            T1 W 0000001  FLR
0024A4E6 - 3141 3D00            T1 W 0000001  COR1
0024A4EA - 3161 09EE            T1 W 0000001  COR2
0024A4EE - 31C2 04008093        T1 W 0000002  IDCODE
0024A4F4 - 30E1 00CF            T1 W 0000001  MASK
0024A4F8 - 30C1 0081            T1 W 0000001  CTL
0024A4FC - 2000                 T1 - 0000000  NOP       (17x)
0024A51E - 3381 3CC8            T1 W 0000001  CCLK_FREQ
0024A522 - 3181 0881            T1 W 0000001  PWRDN_REG
0024A526 - 3421 0000            T1 W 0000001  EYE_MASK
0024A52A - 3201 001F            T1 W 0000001  HC_OPT_REG
0024A52E - 31E1 FFFF            T1 W 0000001  CWDT
0024A532 - 3321 0005            T1 W 0000001  PU_GWE
0024A536 - 3341 0004            T1 W 0000001  PU_GTS
0024A53A - 3301 0100            T1 W 0000001  MODE_REG
0024A53E - 3261 0000            T1 W 0000001  GENERAL1
0024A542 - 3281 0000            T1 W 0000001  GENERAL2
0024A546 - 32A1 0000            T1 W 0000001  GENERAL3
0024A54A - 32C1 0000            T1 W 0000001  GENERAL4
0024A54E - 32E1 0000            T1 W 0000001  GENERAL5
0024A552 - 33A1 1BE2            T1 W 0000001  SEU_OPT
0024A556 - 33C2 00000000        T1 W 0000002  EXP_SIGN
0024A55C - 2000                 T1 - 0000000  NOP       (2x)
0024A560 - 3022 00000000        T1 W 0000002  FAR_MAJ
0024A566 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
0024A56A - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 002483B9
003B4AC6 - 2000                 T1 - 0000000  NOP       (24x)
003B4AF6 - 3022 01230017        T1 W 0000002  FAR_MAJ
003B4AFC - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B4B00 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005A45A
003B4C0E - 3022 021A0017        T1 W 0000002  FAR_MAJ
003B4C14 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003FDEB8
003B4D22 - 3022 02230017        T1 W 0000002  FAR_MAJ
003B4D28 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00327927
003B4E36 - 3022 03040017        T1 W 0000002  FAR_MAJ
003B4E3C - 5060 00000082        T2 W 0000082  FDRI      CRC: 001F0CCB
003B4F4A - 3022 030D0017        T1 W 0000002  FAR_MAJ
003B4F50 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002995C9
003B505E - 3022 031A0017        T1 W 0000002  FAR_MAJ
003B5064 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00374AD7
003B5172 - 3022 03230017        T1 W 0000002  FAR_MAJ
003B5178 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000B2C82
003B5286 - 3022 04040017        T1 W 0000002  FAR_MAJ
003B528C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0013E5DB
003B539A - 3022 040D0017        T1 W 0000002  FAR_MAJ
003B53A0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001EF8CF
003B54AE - 3022 041A0017        T1 W 0000002  FAR_MAJ
003B54B4 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00385AC2
003B55C2 - 3022 04230017        T1 W 0000002  FAR_MAJ
003B55C8 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002C7B03
003B56D6 - 3022 05040017        T1 W 0000002  FAR_MAJ
003B56DC - 5060 00000082        T2 W 0000082  FDRI      CRC: 001FC3EF
003B57EA - 3022 050D0017        T1 W 0000002  FAR_MAJ
003B57F0 - 5060 00000082        T2 W 0000082  FDRI      CRC: 003F9D02
003B58FE - 3022 05230017        T1 W 0000002  FAR_MAJ
003B5904 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A7833
003B5A12 - 3022 06040017        T1 W 0000002  FAR_MAJ
003B5A18 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00266FD4
003B5B26 - 3022 06230017        T1 W 0000002  FAR_MAJ
003B5B2C - 5060 00000082        T2 W 0000082  FDRI      CRC: 0032FDA2
003B5C3A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5C3E - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
003B5C42 - 2000                 T1 - 0000000  NOP       (4x)
003B5C4A - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
003B5C4E - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
003B5C52 - 30E1 00FF            T1 W 0000001  MASK
003B5C56 - 30C1 0081            T1 W 0000001  CTL
003B5C5A - 3002 0020E07A        T1 W 0000002  CRC
003B5C60 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
003B5C64 - 2000                 T1 - 0000000  NOP       (13x)
    Section processed OK
****************************************************
04  00000059 --- 20160922  [003B5C7F-005219E1]
      003B5C7F - Data Size: 0016BD1B
      003B5C7F - Header Size: 00000048

003B5CC7 - FFFFFFFF             Padding
003B5CCB - FFFFFFFF             Padding
003B5CCF - FFFFFFFF             Padding
003B5CD3 - FFFFFFFF             Padding
003B5CD7 - AA995566             Sync Word (BPI/SPI Mode)
003B5CDB - 30A1 0007            T1 W 0000001  CMD       RCRC - Reset CRC
003B5CDF - 2000                 T1 - 0000000  NOP       (1x)
003B5CE1 - 31A1 0628            T1 W 0000001  FLR
003B5CE5 - 3141 3D08            T1 W 0000001  COR1
003B5CE9 - 3161 09EE            T1 W 0000001  COR2
003B5CED - 31C2 04008093        T1 W 0000002  IDCODE
003B5CF3 - 30E1 00CF            T1 W 0000001  MASK
003B5CF7 - 30C1 0081            T1 W 0000001  CTL
003B5CFB - 2000                 T1 - 0000000  NOP       (17x)
003B5D1D - 3381 3CC8            T1 W 0000001  CCLK_FREQ
003B5D21 - 3181 0881            T1 W 0000001  PWRDN_REG
003B5D25 - 3421 0000            T1 W 0000001  EYE_MASK
003B5D29 - 3201 001F            T1 W 0000001  HC_OPT_REG
003B5D2D - 31E1 FFFF            T1 W 0000001  CWDT
003B5D31 - 3321 0005            T1 W 0000001  PU_GWE
003B5D35 - 3341 0004            T1 W 0000001  PU_GTS
003B5D39 - 3301 0100            T1 W 0000001  MODE_REG
003B5D3D - 3261 0000            T1 W 0000001  GENERAL1
003B5D41 - 3281 0000            T1 W 0000001  GENERAL2
003B5D45 - 32A1 0000            T1 W 0000001  GENERAL3
003B5D49 - 32C1 0000            T1 W 0000001  GENERAL4
003B5D4D - 32E1 0000            T1 W 0000001  GENERAL5
003B5D51 - 33A1 1BE2            T1 W 0000001  SEU_OPT
003B5D55 - 33C2 00000000        T1 W 0000002  EXP_SIGN
003B5D5B - 2000                 T1 - 0000000  NOP       (2x)
003B5D5F - 3022 00000000        T1 W 0000002  FAR_MAJ
003B5D65 - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
003B5D69 - 5060 000B52A9        T2 W 00B52A9  FDRI      CRC: 0003C50A
005202C5 - 2000                 T1 - 0000000  NOP       (24x)
005202F5 - 3022 00040017        T1 W 0000002  FAR_MAJ
005202FB - 30A1 0001            T1 W 0000001  CMD       WCFG - Write Config Data
005202FF - 5060 00000082        T2 W 0000082  FDRI      CRC: 003E1099
0052040D - 3022 000D0017        T1 W 0000002  FAR_MAJ
00520413 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002FEF01
00520521 - 3022 001A0017        T1 W 0000002  FAR_MAJ
00520527 - 5060 00000082        T2 W 0000082  FDRI      CRC: 000EC6B1
00520635 - 3022 01040017        T1 W 0000002  FAR_MAJ
0052063B - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A1576
00520749 - 3022 010D0017        T1 W 0000002  FAR_MAJ
0052074F - 5060 00000082        T2 W 0000082  FDRI      CRC: 000C458E
0052085D - 3022 011A0017        T1 W 0000002  FAR_MAJ
00520863 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A9D1D
00520971 - 3022 01230017        T1 W 0000002  FAR_MAJ
00520977 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001A1B36
00520A85 - 3022 02040017        T1 W 0000002  FAR_MAJ
00520A8B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0005C494
00520B99 - 3022 020D0017        T1 W 0000002  FAR_MAJ
00520B9F - 5060 00000082        T2 W 0000082  FDRI      CRC: 00076315
00520CAD - 3022 03040017        T1 W 0000002  FAR_MAJ
00520CB3 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0026FBD1
00520DC1 - 3022 030D0017        T1 W 0000002  FAR_MAJ
00520DC7 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002525AE
00520ED5 - 3022 04040017        T1 W 0000002  FAR_MAJ
00520EDB - 5060 00000082        T2 W 0000082  FDRI      CRC: 002DED8E
00520FE9 - 3022 040D0017        T1 W 0000002  FAR_MAJ
00520FEF - 5060 00000082        T2 W 0000082  FDRI      CRC: 000785AD
005210FD - 3022 041A0017        T1 W 0000002  FAR_MAJ
00521103 - 5060 00000082        T2 W 0000082  FDRI      CRC: 00173D17
00521211 - 3022 04230017        T1 W 0000002  FAR_MAJ
00521217 - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038A0E7
00521325 - 3022 05040017        T1 W 0000002  FAR_MAJ
0052132B - 5060 00000082        T2 W 0000082  FDRI      CRC: 0019B766
00521439 - 3022 051A0017        T1 W 0000002  FAR_MAJ
0052143F - 5060 00000082        T2 W 0000082  FDRI      CRC: 0028C4B0
0052154D - 3022 05230017        T1 W 0000002  FAR_MAJ
00521553 - 5060 00000082        T2 W 0000082  FDRI      CRC: 002B3B85
00521661 - 3022 06040017        T1 W 0000002  FAR_MAJ
00521667 - 5060 00000082        T2 W 0000082  FDRI      CRC: 001B9738
00521775 - 3022 061A0017        T1 W 0000002  FAR_MAJ
0052177B - 5060 00000082        T2 W 0000082  FDRI      CRC: 002795C7
00521889 - 3022 06230017        T1 W 0000002  FAR_MAJ
0052188F - 5060 00000082        T2 W 0000082  FDRI      CRC: 0038E821
0052199D - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
005219A1 - 30A1 0003            T1 W 0000001  CMD       DGHIGH/LFRM - Last Frame Write
005219A5 - 2000                 T1 - 0000000  NOP       (4x)
005219AD - 30A1 000A            T1 W 0000001  CMD       GRESTORE - Pulse GRESTORE Signal
005219B1 - 30A1 0005            T1 W 0000001  CMD       START - Begin Startup Sequence
005219B5 - 30E1 00FF            T1 W 0000001  MASK
005219B9 - 30C1 0081            T1 W 0000001  CTL
005219BD - 3002 002025B0        T1 W 0000002  CRC
005219C3 - 30A1 000D            T1 W 0000001  CMD       DESYNC - Reset DALIGN Signal
005219C7 - 2000                 T1 - 0000000  NOP       (13x)
    Section processed OK
****************************************************
05  00000068 --- 1.2.2.2   [005219E2-00656E68]
005219E2 - Removing block encapsulations from Block Area [005219E2-00656E68]

Total bytes extracted (from the blocks): 000FFEDE    Block area processed OK

Buffer Size: 00006DEA bytes (after converting from 16 to 8 bits)

0x00000000  DXE 0000 (Data Size: 00006DD4) [00000000-00006DE1]
Processor Type: ADSP-BF533/534/536/537/538/539 (boot address: 0xFFA00000)
Orig Offset:    Offset:         Block:  Target Add:     Byte Count:     Flags:  [  start -   end  ]
00000000 ---    0x00000000      0000    FF800040        00000004        0012    [0000000A-0000000D]  resvect ignore
0000001C ---    0x0000000E      0001    FF800000        000022B0        0002    [00000018-000022C7]  resvect
00004590 ---    0x000022C8      0002    FF8022B0        00000010        0003                         zero-fill resvect
000045A4 ---    0x000022D2      0003    FF8022C0        00000010        0002    [000022DC-000022EB]  resvect
000045D8 ---    0x000022EC      0004    FF8022D0        0000029E        0002    [000022F6-00002593]  resvect
00004B28 ---    0x00002594      0005    FF80256E        0000000E        0003                         zero-fill resvect
00004B3C ---    0x0000259E      0006    FF80257C        000009BA        0002    [000025A8-00002F61]  resvect
00005EC4 ---    0x00002F62      0007    FF802F36        000000AA        0003                         zero-fill resvect
00005ED8 ---    0x00002F6C      0008    FF802FE0        0000000C        0002    [00002F76-00002F81]  resvect
00005F04 ---    0x00002F82      0009    FF902000        00000004        0002    [00002F8C-00002F8F]  resvect
00005F20 ---    0x00002F90      000A    FF902004        00000068        0003                         zero-fill resvect
00005F34 ---    0x00002F9A      000B    FFA00000        00003E32        0002    [00002FA4-00006DD5]  resvect
0000DBAC ---    0x00006DD6      000C    FFA00000        00000002        000A    [00006DE0-00006DE1]  resvect init

0000DBC4 --- ZLIB Decompressed Size: 002A0BE0
0000DBCC --- ZLIB Compressed Block Size: 000F230A [0000DBD4-000FFEDD]
****************************************************
  File Processed OK
06  00000077 ---
07  00000086 --- 3.1.1.13  [00656E69-006D6E67]
      00656E69 - ?????: 0000DCBB
      00656E6D - Data Size: 0006B930
      00656E71 - Name: 3.1.1.13 ???
      00656E7D - Section Data [00656E7D-006C27AC]
08  00000095 ---

Quote
I did the same with my SDS2000X with the same effect. It seems that the serial console had been disabled already in u-boot.

No need for JTAG. You can try to look inside the Blackfin code if there is something that might indicate Serial output. The ZLIB decompressed Blackfin (block 5) code is attached. You don't have any U-Boot in this scope!


For comparison, here is a parsing of the SDG800 (latest fw - SDG800 V100R008B01D01P12R2.ADS):

Code: [Select]
File Header Size: 00000070
00000000 - File Checksum: CC58A027 [000004-EOF] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 0067D31D (without 0x70 bytes of the File Header)
00000008 - Section Size: 00000000
0000000C - Blocks Area: 00000002 [0067D31B-0067D31C]
00000026 - Vendor/Content: SIGLENT
0000003A - Version: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0033E98F until 0x0067D31C
****************************************************
00000000 --- Section Checksum: FD6D33CE
00000004 --- Section Size: 0004B034 [00000034-0004B067]  CKSM OK
00000008 --- Section # 00000006
  00000034 - Section Type: Logo
  00000038 - Data Checksum: FD6D37D3 [0000003C-0004B067]
  0000003C - Data Size: 0004B034
  00000040 - Section Header Size: 00000028
00000034 --- 0004B067  ***** Logo file (320x240 RGB32) *****
****************************************************
0004B068 --- Section Checksum: CC92757D
0004B06C --- Section Size: 00632281 [0004B09C-0067D31C]  CKSM OK
0004B070 --- Section # 00000007
0004B09C --- 0067D31C  ***** ZIP file *****
****************************************************
  File Processed OK
« Last Edit: September 08, 2017, 10:27:55 pm by tv84 »
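The FPGA sections in the log above are a stream of 16-bit configuration packets after the AA995566 sync word. The following Python sketch is an added example (not tv84's parser and not code from this thread) that decodes such packets. The bit layout it uses (3-bit type, 2-bit opcode, 6-bit register, 5-bit word count, with a 32-bit count after a type 2 header and a 4-byte CRC after each FDRI payload) is an assumption that reproduces the headers, register names and offsets printed in the log; the sample bytes are constructed.

```python
import struct

SYNC = bytes.fromhex("AA995566")

# Register numbers and names recovered from the header/name pairs in the log
# (e.g. 0x30A1 -> register 5 = CMD, 0x31C2 -> register 14 = IDCODE).
REGS = {0x00: "CRC", 0x01: "FAR_MAJ", 0x03: "FDRI", 0x05: "CMD", 0x06: "CTL",
        0x07: "MASK", 0x0A: "COR1", 0x0B: "COR2", 0x0C: "PWRDN_REG",
        0x0D: "FLR", 0x0E: "IDCODE", 0x0F: "CWDT", 0x10: "HC_OPT_REG",
        0x13: "GENERAL1", 0x14: "GENERAL2", 0x15: "GENERAL3", 0x16: "GENERAL4",
        0x17: "GENERAL5", 0x18: "MODE_REG", 0x19: "PU_GWE", 0x1A: "PU_GTS",
        0x1C: "CCLK_FREQ", 0x1D: "SEU_OPT", 0x1E: "EXP_SIGN", 0x21: "EYE_MASK"}
# CMD register values as named in the log.
CMDS = {0x01: "WCFG", 0x03: "DGHIGH/LFRM", 0x05: "START", 0x07: "RCRC",
        0x0A: "GRESTORE", 0x0D: "DESYNC"}


class BitstreamError(ValueError):
    """Raised when the stream is malformed or truncated."""


def parse_packets(buf):
    """Decode packets from the sync word up to and including CMD DESYNC."""
    start = buf.find(SYNC)
    if start < 0:
        raise BitstreamError("sync word AA995566 not found")
    pos, packets = start + len(SYNC), []
    while pos + 2 <= len(buf):
        offset = pos
        (hdr,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        ptype, op = hdr >> 13, (hdr >> 11) & 0x3
        reg, words = (hdr >> 5) & 0x3F, hdr & 0x1F
        if ptype == 2:
            # Type 2: the word count follows the header as a 32-bit value.
            if pos + 4 > len(buf):
                raise BitstreamError(f"truncated type 2 count at 0x{offset:X}")
            (words,) = struct.unpack_from(">I", buf, pos)
            pos += 4
        elif ptype != 1:
            raise BitstreamError(f"unknown packet type {ptype} at 0x{offset:X}")
        end = pos + 2 * words  # payload length is counted in 16-bit words
        if end > len(buf):
            raise BitstreamError(f"payload runs past end of data at 0x{offset:X}")
        payload, pos = buf[pos:end], end
        name = "NOP" if op == 0 else REGS.get(reg, f"REG_{reg:02X}")
        pkt = {"offset": offset, "type": ptype, "op": op, "name": name,
               "words": words,
               "value": int.from_bytes(payload, "big") if words <= 2 else None}
        if ptype == 2 and op == 2 and name == "FDRI":
            # The log shows a 4-byte CRC directly after every FDRI payload.
            if pos + 4 > len(buf):
                raise BitstreamError(f"missing CRC after FDRI at 0x{offset:X}")
            (pkt["auto_crc"],) = struct.unpack_from(">I", buf, pos)
            pos += 4
        if name == "CMD" and words == 1:
            pkt["command"] = CMDS.get(pkt["value"], "?")
        packets.append(pkt)
        if pkt.get("command") == "DESYNC":
            break  # anything after DESYNC belongs to padding or the next section
    return packets


# Constructed sample: header words copied from the log, with a made-up
# 2-word FDRI payload (1111 2222) and a made-up CRC (00123456).
SAMPLE = bytes.fromhex(
    "FFFFFFFF AA995566 30A10007 2000 31A10628 31C204008093 "
    "302200040017 30A10001 506000000002 11112222 00123456 30A1000D 20002000")

if __name__ == "__main__":
    for p in parse_packets(SAMPLE):
        extra = p.get("command") or (f"CRC: {p['auto_crc']:08X}" if "auto_crc" in p else "")
        print(f"{p['offset']:08X} - T{p['type']} {'-RW?'[p['op']]} "
              f"{p['words']:07X}  {p['name']:<10}{extra}")
```

With a 0x82-word FDRI write the decoder advances 0x10E bytes (2 header + 4 count + 0x104 payload + 4 CRC), which is the spacing between consecutive FDRI entries in the log.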
 

Offline cu6apum

  • Newbie
  • Posts: 3
  • Country: ru
Re: Siglent .ads firmware file format
« Reply #91 on: September 12, 2017, 07:45:50 pm »
Code: [Select]
The parsing of the latest SDS2000X fw is:
Thank you all for a great job.
Has anybody got to the Linux filesystem? I'd like to change something and pack it back...  :-/O
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #92 on: September 13, 2017, 04:08:01 pm »
I could try to pack it back, but it would be the first time. The only hurdle in repacking the SDS2K fw is to encapsulate the ZLIB in the blocks.

 
The following users thanked this post: cu6apum

Offline cu6apum

  • Newbie
  • Posts: 3
  • Country: ru
Re: Siglent .ads firmware file format
« Reply #93 on: September 13, 2017, 06:40:38 pm »
I haven't split the image yet, short on time.
Funny if I can brick the device...
 

Offline uuftc

  • Newbie
  • Posts: 2
  • Country: ru
Re: Siglent .ads firmware file format
« Reply #94 on: September 13, 2017, 10:32:45 pm »
Has anybody got to the Linux filesystem? I'd like to change something and pack it back...  :-/O
IMHO, SDS2000x firmware is not based on Linux.
Part 5 contains almost all the bf53x code including the TCP stack (LWIP).
I do not understand the fact that the teardown video https://youtu.be/E3B4OTV8f1o?t=1376 clearly shows the processor mark bf531, while the entry point corresponds to bf533 (0xFFA00000). See page 6 on http://www.analog.com/media/en/technical-documentation/data-sheets/ADSP-BF531_BF532_BF533.pdf
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #95 on: September 14, 2017, 09:27:27 am »
The parsing of sds2kx_V100R02B01D02P02_fvA1609220922M160922_NO_BLOCKS_DECOMPRESSED.bin (blackfin LDR) is in the attached file.

The FFA08000 range (BF531 boot address) is overwritten with the last block.

I'm guessing that as long as you ensure that it has a correct boot code at FFA08000 you could go along with the initial "false" FFA00000 boot address.
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #96 on: September 30, 2017, 08:02:54 pm »
Now that I've discovered how to decompress Altera FPGA streams, I returned to a type of block that I hadn't parsed before:

- Block 03 of the SDS1000X_V100R001B01D02P1503.ADS firmware

It's an Altera FPGA (EP4CE6 or EP4CE10) stream:

Code: [Select]
         [00000048                      00000021]
Bit 7  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 6  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 5  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 4  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 3  - 1111111111111111111111111110011010000000       FFFFFFE680
Bit 2  - 0000101100000110000000111000000000111111       0B0603803F
Bit 1  - 1111000000000111100011000000011111111111       F0078C07FF
Bit 0  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bits 0080 - EPCS/EPCQ ID check: Enabled
Bits 005F - Stream size: 1.444.871 bits  (0002C181 bytes)  Compression Bit ON  (+1) 
Bits 0056 - 0000 0000 : 0x56-0x5D
Bits 004C - Programming Mode: 1-bit Passive Serial
Bits 003B - IDCode (Version+Part Number only): 0x020F1
Bits 0008 - Usercode: FFFFFFFF
00000049 - Header CRC-16_MODBUS: BD40  [00000021-00000048]        CRC OK
0000004B - Data Framesize: 207  [0000004B-000000F1]
000000F2 - 4-byte words: 1260  [000000F2-000014A1]
000014A2 - Stream Size (Uncompressed): 2.944.056 bits
000014A2 - CRC Framesize: 207+0     # Data Frames: 1727  [000014A2-00059D4F]
00059D50 - Post-device bitstream pad bytes (0xFF): 55  [00059D50-00059D86]
File Checksum: 00C2D766

and, as a curiosity, a graphical image of its decompressed content (8 bits/pixel) is attached (without the frame CRCs).
 

Offline Tsippaduida

  • Contributor
  • Posts: 14
  • Country: fi
Re: Siglent .ads firmware file format
« Reply #97 on: October 16, 2017, 09:41:05 pm »
A quick look into the Blackfin code with strings reveals funny things.

This you might expect:
$ strings sds2kx_V100R02B01D02P02_fvA1609220922M160922_NO_BLOCKS_DECOMPRESSED.bin | grep -i siglent
SIGLENT TEST
SIGLENT
Siglent Technologies Co,. Ltd.

This might be a minor surprise:
$ strings sds2kx_V100R02B01D02P02_fvA1609220922M160922_NO_BLOCKS_DECOMPRESSED.bin | grep -i lecroy
LECROY_2_3
LECROY,WA200,600300,5.01
; LeCroy Digital Oscilloscopes,
LECROY

Great work in decoding these firmware files. Had only a short glimpse into this, but it was fun.
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #98 on: October 20, 2017, 07:17:12 pm »
If you search carefully in that file, you can see the designations of several brands/models:

Brands:
ATTEN, LECROY, SIGLENT, BK, AKIP, METRIX, SDS

Code: [Select]
Atten, (Aktakom, ?):
ADS2024, ADS2044, ADS2064, ADS2104, ADS2154, ADS2204, ADS2304, ADS2054, ADS2074, ADS2022, ADS2042, ADS2062, ADS2102, ADS2152, ADS2202, ADS2302, ADS2052, ADS2072

Lecroy:
WA204, WaveAce2014, WaveAce2024, WaveAce2034, WaveAce2004, WA202, WaveAce2012, WaveAce2022, WaveAce2032, WaveAce2002

AKIP:
AKIP-4126, AKIP-4126/2A, AKIP-4126/3A, AKIP-4126/4A, AKIP-4126/1A, AKIP-4126/2, AKIP-4126/3, AKIP-4126/4, AKIP-4126/1

Siglent:
SDS2022X, SDS2042X, SDS2062X, SDS2102X, SDS2152X, SDS2202X, SDS2302X, SDS2052X, SDS2072X, SDS2024X, SDS2044X, SDS2064X, SDS2104X, SDS2154X, SDS2204X, SDS2304X, SDS2054X, SDS2074X
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #99 on: October 29, 2017, 08:19:45 pm »
Attached is a log of the parsing of (almost) all the Siglent .ADS files available (all models) + some Lecroy + some Atten:



The only part that I still haven't figured out is Section 7 of SDS1000/SDS2000 files. But it's probably the CPLD programming of those scopes.

Edit7: updated Sep 23rd, 2018  - Added all the recent FW updates
« Last Edit: September 23, 2018, 01:49:22 pm by tv84 »
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #100 on: November 12, 2017, 07:29:56 pm »
The SDS1000 FW files sometimes come with a .CFG file which contains the scope logo image and ID strings of the model involved.

Attached is a ZIP with some of those .CFG taken from several SDS1000_Update files.

Their format is simple but I couldn't work out all the fields involved:

Code: [Select]
F:\zscan\original\Siglent\cfg\2000SIGLENT.cfg
Reversing 1st part of the file [00000000-0005E0E3]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0002F072 until 0x0005E0E3

00000000 - Main Checksum: FFD1EE25 [00000004-0005E0E3]  CKSM OK
00000004 - ***** Boot Logo image (800x480 8-bit w/ RGB32 palette) ***** [00000004-0005E003]
0005E004 - Vendor: SIGLENT                         
0005E024 - CFG Type: SDS2000             
0005E038 - Manufacturer: Siglent
0005E040 - Ref1 (?): 00000000
0005E044 - HW Version: 1
0005E048 - Image Size: 00119400 (384.000 pixels)
0005E04C - Magic Number (?): EE3AEE38EE39
0005E052 - Ref2 (?): F4EC
0005E054 - Product Family: SDS
0005E05C - Company: Siglent Technologies Co,. Ltd.                                 
0005E09C - Image flags (?): 01 01 01 01 00 01 01 00 00 00 00 00 00 00 00 00                                                 
0005E0E4 - Footer Checksum: FFFF8BB9 [0005E0E8-0005E184]  CKSM OK
0005E0EC - Product Type 0:               
0005E0FB - Product Type 1:               
0005E10A - Product Type 2:               
0005E119 - Product Type 3:               
0005E128 - Product Type 4:               
0005E137 - Product Type 5:               
0005E146 - Product Type 6:               
0005E155 - Product Type 7:               
0005E164 - Product Type 8:               
0005E173 - Product Type 9:               


F:\zscan\original\Siglent\cfg\LeCroy_CF.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FDF472FE [00000004-00036E55]  CKSM OK
00000004 - Vendor: LECROY                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: LeCroy 
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 70
00000048 - Image Size: 00036D7E (74.880 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): 05FF
00000054 - Product Family: WA 
00000058 - Company: LeCroy Corp                                                     
00000098 - Image flags (?): 00 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (320x234 RGB24) ***** [000000D8-00036E55]
00036E56 - Footer Checksum: FFFF8BB9 [00036E5A-00036EF6]  CKSM OK
00036E5E - Product Type 0:               
00036E6D - Product Type 1:               
00036E7C - Product Type 2:               
00036E8B - Product Type 3:               
00036E9A - Product Type 4:               
00036EA9 - Product Type 5:               
00036EB8 - Product Type 6:               
00036EC7 - Product Type 7:               
00036ED6 - Product Type 8:               
00036EE5 - Product Type 9:               


F:\zscan\original\Siglent\cfg\SDS2000.cfg
Reversing 1st part of the file [00000000-0005E0E3]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0002F072 until 0x0005E0E3

00000000 - Main Checksum: FFFC3864 [00000004-0005E0E3]  CKSM OK
00000004 - ***** Boot Logo image (800x480 8-bit w/ RGB32 palette) ***** [00000004-0005E003]
0005E004 - Vendor: SIGLENT                         
0005E024 - CFG Type: SDS2000             
0005E038 - Manufacturer: Siglent
0005E040 - Ref1 (?): 00000000
0005E044 - HW Version: 1
0005E048 - Image Size: 00119400 (384.000 pixels)
0005E04C - Magic Number (?): EE3AEE38EE39
0005E052 - Ref2 (?): F4EC
0005E054 - Product Family: SDS
0005E05C - Company: Siglent Technologies Co,. Ltd.                                 
0005E09C - Image flags (?): 01 01 01 01 00 01 01 00 00 00 00 18 0B 02 00 00                                                 
0005E0E4 - Footer Checksum: FFFF415D [0005E0E8-0005E21C]  CKSM OK
0005E0EC - Product Type 0:               
0005E0FB - Product Type 1:               
0005E10A - Product Type 2:               
0005E119 - Product Type 3: SDS2102       
0005E128 - Product Type 4: SDS2152       
0005E137 - Product Type 5: SDS2202       
0005E146 - Product Type 6:               
0005E155 - Product Type 7: SDS2302       
0005E164 - Product Type 8:               
0005E173 - Product Type 9: SDS2072       
0005E182 - Product Type 10:               
0005E191 - Product Type 11:               
0005E1A0 - Product Type 12:               
0005E1AF - Product Type 13: SDS2104       
0005E1BE - Product Type 14: SDS2154       
0005E1CD - Product Type 15: SDS2204       
0005E1DC - Product Type 16:               
0005E1EB - Product Type 17: SDS2304       
0005E1FA - Product Type 18:               
0005E209 - Product Type 19: SDS2074       


F:\zscan\original\Siglent\cfg\Siglent_CFL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3CD [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 71
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFFA17C [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1104CFL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1204CFL     
0005257A - Product Type 6:               
00052589 - Product Type 7: SDS1304CFL     
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1074CFL     


F:\zscan\original\Siglent\cfg\Siglent_CFL_2CH.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3CD [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 71
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFFA184 [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CFL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1202CFL     
0005257A - Product Type 6:               
00052589 - Product Type 7: SDS1302CFL     
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CFL     


F:\zscan\original\Siglent\cfg\Siglent_CML.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C5 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 01000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF9BF8 [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CML     
0005255C - Product Type 4: SDS1152CML     
0005256B - Product Type 5:               
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CML     


F:\zscan\original\Siglent\cfg\Siglent_CNL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C6 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF968D [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CNL     
0005255C - Product Type 4:               
0005256B - Product Type 5:               
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CNL     


F:\zscan\original\Siglent\cfg\Siglent_DL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C6 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF9F6B [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0: SDS1022DL     
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102DL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1202DL     
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8: SDS1052DL     
000525A7 - Product Type 9:               

The imageB was taken from those SDS1000 files (byte-XORed with 0xFF).

Edit1: The SDS2000 was taken from a SDS2000 CFG.

The Lecroy logo was taken from the CFG in waveace2x4_5_05_02_14.zip (Lecroy website).

For those guys who have wrongly flashed SDS1000 FWs:

320x234 image = 5.7" LCD (SDS1000 non-"L" version)
480x234 image = 7" LCD (SDS1000 "L" version)
« Last Edit: December 30, 2017, 02:36:46 pm by tv84 »
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #101 on: November 16, 2017, 09:32:56 pm »
If we look inside Atten ADS1000CML_V100R003B01D01P31R16.ADS.LDR (Blackfin code extracted from the .ADS ZLIB block), the parsing is in the ZIP, one can extract the Atten boot logo starting in the block at offset 0x497A0.  (480 x 234 RGB24 inverted)
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #102 on: November 17, 2017, 10:52:38 pm »
Taken from the FWs referenced in the image names.

PS: Un-inverted the SDG images. The SPD3303X has an embedded image like the SDG5000 but in .JPG format.

SDG1000 - 3.5" LCD
SDG5000 - 4.3" LCD
« Last Edit: December 30, 2017, 12:57:44 pm by tv84 »
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #103 on: December 02, 2017, 10:36:14 pm »
Looking at all the .ADS files available (Siglent and others), I noticed a field (I assumed a UInt32) in the header of the files that seems to represent the "Product_ID" for which the file is intended. In all the files I've looked, I think that this is the only field that may have that purpose.

I updated my parsings log in previous Posts.

Attached is a table with a compilation of those models/products.

The FWs that possess a NSP_config_upgrade_info.xml, confirm that information.


Edit: updated Feb 12, 2018
Edit: updated Jun 15, 2018, added SDG6000X(-E)
Edit: updated Jul 24, 2018, added SVA1000X
Edit: updated Sep 9, 2018, corrected SDS1002X-E exclusivity
Edit: updated Sep 15, 2018, added all SPD models (based on the EasyPower.exe)
Edit: updated Nov 14, 2018, added SSG3000X
Edit: updated Mar 3, 2019, added SDS5000X
Edit: updated Mar 14, 2019, added SDS2000X-E
Edit: updated May 11, 2019, added SPD1305X
Edit: updated July 4, 2019, added SDL1000X-E

« Last Edit: August 05, 2019, 07:29:01 pm by tv84 »
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #104 on: February 07, 2018, 04:06:43 pm »
You can add new SDS1004X-E firmware to the table.
And SLA1016 too...
« Last Edit: February 08, 2018, 04:12:40 pm by janekivi »
 
The following users thanked this post: tv84

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #105 on: February 10, 2018, 10:26:11 am »
Cool. Another equipment!

Code: [Select]
F:\zscan\original\Siglent\SLA1016_7.8.1.8.ADS  /  CRC32: 492B6D07
File Header Size: 00000070
00000000 - File Checksum: D9EB15AD [00000004-004B4954] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 004B48E5 (without 0x70 bytes of the File Header)
0000000C - HW Version: 14501
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0025A473 until 0x004B48E4
****************************************************
00000000 --- Section Checksum: D8B146AD
00000004 --- Section Size: 004B48B1 [00000034-004B48E4]  CKSM OK
00000008 --- Section # 00000007
00000034 --- 004B48E4  ***** ZIP file *****
Offset    Ver  Flag  Comp  Size      Packed    Modified             CRC32                          Name         Extra Details
00000034  2.0  0000  0008  0000C483  00000F68  16-11-2017 18:03:02  A971148C  [00000065-00000FCC]  factory_setting.xml    000A
00000FCD  2.0  0000  0008  00C559D4  003D8B35  31-01-2018 13:43:29  5BC6F8E8  [00000FF7-003D9B2B]  sds1000b.app    000A
003D9B2C  2.0  0000  0008  003DBB68  000DA8BA  20-01-2018 10:50:22  18E4BC6E  [003D9B5F-004B4418]  top_sds1000b_fpga.bit    000A
004B4419  2.0  0000  0008  00000CD1  0000030A  08-11-2017 16:59:20  63FABAD6  [004B4440-004B4749]  update.sh    000A
Disk Entries: 4   Total Entries: 4   Directory Size: 389 bytes  [004B474A-004B48CE]
****************************************************

I'll add it in the next few days.
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #106 on: February 10, 2018, 10:53:13 am »
Cool. Another equipment!
SLA1016 is the LA hardware for the 4ch X-E models.
The SW licence that's needed to make it functional is SDS1000X-E-16LA
This LA ^ functionality has just been added to SDS1004X-E models in v7.6.1.20 firmware.

It's just one of 3 optional licence codes for these models. The other two of interest for some will be for WiFi and the AWG to get full functionality from the AWG USB module SAG1021.
SDS1000X-E-WIFI
SDS1000X-E-FG
Avid Rabid Hobbyist
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #107 on: February 12, 2018, 08:13:22 pm »
I updated my parsing log of Siglent FWs:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892

and the models table:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1364981/#msg1364981

To commemorate the SLA:

.APP

Code: [Select]
00000000                 Magic: 7F454C46    ELF File OK
00000004                Format: 32-bits
00000005                  Data: Little endian
00000006               Version: 1
00000007                OS/ABI: System V (often set to this)
00000008           ABI Version: 0
00000010           Object Type: Executable
00000012       Instruction Set: ARM
00000014               Version: 1
00000018           Entry Point: 0000FD90
0000001C  Program Header Table: 00000034
00000020  Section Header Table: 00C5554C
00000024                 Flags: 05000002
00000028           Header Size: 00000034
0000002A  Program Headers Size: 00000020
0000002C Numb. Program Headers: 9
0000002E  Section Headers Size: 00000028
00000032 SH String Table Index: 28
**********  PROGRAM HEADERS:
          SegmType  SegmOffs  VirtAddr  PhysAddr  FilSegSz  MemSegSz  Flags     Align
00000034  70000001  008901D4  008981D4  008981D4  0004CAC8  0004CAC8  00000004  00000004
00000054  PHDR      00000034  00008034  00008034  00000120  00000120  00000005  00000004
00000074  INTERP    00000154  00008154  00008154  00000013  00000013  00000004  00000001
  00000154  [Requesting program interpreter: /lib/ld-linux.so.3 ]
00000094  LOAD      00000000  00008000  00008000  008DCCA0  008DCCA0  00000005  00008000
000000B4  LOAD      008DD000  008ED000  008ED000  003783F4  01F19B04  00000006  00008000
000000D4  DYNAMIC   008DDFD8  008EDFD8  008EDFD8  00000140  00000140  00000006  00000004
000000F4  NOTE      00000168  00008168  00008168  00000020  00000020  00000004  00000004
  00000168  [Owner: GNU ] [OS: Linux 2.6.16]
00000114  00000007  008DD000  008ED000  008ED000  00000000  00000004  00000004  00000004
00000134  6474E551  00000000  00000000  00000000  00000000  00000000  00000006  00000004
**********  SECTION HEADERS:
         [Nr] Name                          Type       VirtAddr Offset  Size    ES Flg Lk Inf Al
00C5554C [ 0]                               NULL       00000000 0000000 0000000 00 000  0   0  0
00C55574 [ 1] .interp                       PROGBITS   00008154 0000154 0000013 00 002  0   0  1
00C5559C [ 2] .note.ABI-tag                 NOTE       00008168 0000168 0000020 00 002  0   0  4
00C555C4 [ 3] .hash                         HASH       00008188 0000188 0000BD4 04 002  4   0  4
00C555EC [ 4] .dynsym                       DYNSYM     00008D5C 0000D5C 0001EC0 10 002  5   1  4
00C55614 [ 5] .dynstr                       STRTAB     0000AC1C 0002C1C 000262B 00 002  0   0  1
00C5563C [ 6] .gnu.version                  0x6FFFFFFF 0000D248 0005248 00003D8 02 002  4   0  2
00C55664 [ 7] .gnu.version_r                0x6FFFFFFE 0000D620 0005620 0000180 00 002  5   8  4
00C5568C [ 8] .rel.dyn                      REL        0000D7A0 00057A0 00000B8 08 002  4   0  4
00C556B4 [ 9] .rel.plt                      REL        0000D858 0005858 0000E00 08 002  4  11  4
00C556DC [10] .init                         PROGBITS   0000E658 0006658 000000C 00 006  0   0  4
00C55704 [11] .plt                          PROGBITS   0000E664 0006664 0001514 04 006  0   0  4
00C5572C [12] .text                         PROGBITS   0000FB80 0007B80 076BFB4 00 006  0   0 16
00C55754 [13] .fini                         PROGBITS   0077BB34 0773B34 0000008 00 006  0   0  4
00C5577C [14] .rodata                       PROGBITS   0077BB40 0773B40 0089EE0 00 002  0   0  8
00C557A4 [15] .ARM.extab                    PROGBITS   00805A20 07FDA20 00927B4 00 002  0   0  4
00C557CC [16] .ARM.exidx                    0x70000001 008981D4 08901D4 004CAC8 00 082 12   0  4
00C557F4 [17] .eh_frame                     PROGBITS   008E4C9C 08DCC9C 0000004 00 002  0   0  4
00C5581C [18] .tbss                         NOBITS     008ED000 08DD000 0000004 00 403  0   0  4
00C55844 [19] .init_array                   INIT_ARRAY 008ED000 08DD000 0000FD0 00 003  0   0  4
00C5586C [20] .fini_array                   FINI_ARRAY 008EDFD0 08DDFD0 0000004 00 003  0   0  4
00C55894 [21] .jcr                          PROGBITS   008EDFD4 08DDFD4 0000004 00 003  0   0  4
00C558BC [22] .dynamic                      DYNAMIC    008EDFD8 08DDFD8 0000140 08 003  5   0  4
00C558E4 [23] .got                          PROGBITS   008EE118 08DE118 0000720 04 003  0   0  4
00C5590C [24] .data                         PROGBITS   008EE838 08DE838 0376BBC 00 003  0   0  8
00C55934 [25] .bss                          NOBITS     00C653F8 0C553F4 1BA170C 00 003  0   0  8
00C5595C [26] .comment                      PROGBITS   00000000 0C553F4 0000030 01 030  0   0  1
00C55984 [27] .ARM.attributes               0x70000003 00000000 0C55424 0000033 00 000  0   0  1
00C559AC [28] .shstrtab                     STRTAB     00000000 0C55457 00000F4 00 000  0   0  1

.BIT (it's a Xilinx XC7Z020 bitstream)

Code: [Select]
00000000 - 0009         (0x0009) File Header Length
00000002 - 0FF00FF0     (0x0FF00FF0) File Header Long 1
00000006 - 0FF00FF0     (0x0FF00FF0) File Header Long 2
0000000A - 00           (0x00) File Header Zero
0000000B - 0001         (0x0001) Key Length
0000000D - 61 002E      (key a) Design Name: top_mso_fpga;UserID=0XFFFFFFFF;Version=2014.4
0000003E - 62 000C      (key b) Part Name: 7z020clg484
0000004D - 63 000B      (key c) Generation Date: 2018/01/20
0000005B - 64 0009      (key d) Generation Time: 10:50:44
00000067 - 65 003DBAFC  (key e) Bitstream Length: 003DBAFC  [0000006C-003DBB67]
--------------  BITSTREAM  ------------------------
0000006C - FFFFFFFF             Padding
00000070 - FFFFFFFF             Padding
00000074 - FFFFFFFF             Padding
00000078 - FFFFFFFF             Padding
0000007C - FFFFFFFF             Padding
00000080 - FFFFFFFF             Padding
00000084 - FFFFFFFF             Padding
00000088 - FFFFFFFF             Padding
0000008C - 000000BB             Bus width auto detect, word 1
00000090 - 11220044             Bus width auto detect, word 2
00000094 - FFFFFFFF             Padding
00000098 - FFFFFFFF             Padding
0000009C - AA995566             Sync Word (BPI/SPI Mode)
000000A0 - 20000000             T1 - 00000000  NOP      (1x)
000000A4 - 30022001 00000000    T1 W 00000001  TIMER
000000AC - 30020001 00000000    T1 W 00000001  WBSTAR
000000B4 - 30008001 00000000    T1 W 00000001  CMD      NULL - No Operation
000000BC - 20000000             T1 - 00000000  NOP      (1x)
000000C0 - 30008001 00000007    T1 W 00000001  CMD      RCRC - Reset CRC
000000C8 - 20000000             T1 - 00000000  NOP      (2x)
000000D0 - 30026001 00000000    T1 W 00000001  FALL_EDGE
000000D8 - 30012001 02003FE5    T1 W 00000001  COR0
000000E0 - 3001C001 00000000    T1 W 00000001  COR1
000000E8 - 30018001 03727093    T1 W 00000001  IDCODE
000000F0 - 30008001 00000009    T1 W 00000001  CMD      SWITCH - Switch CCLK Frequency
000000F8 - 20000000             T1 - 00000000  NOP      (1x)
000000FC - 3000C001 00000401    T1 W 00000001  MASK
00000104 - 3000A001 00000501    T1 W 00000001  CTL0
0000010C - 3000C001 00000000    T1 W 00000001  MASK
00000114 - 30030001 00000000    T1 W 00000001  CTL1
0000011C - 20000000             T1 - 00000000  NOP      (8x)
0000013C - 30002001 00000000    T1 W 00000001  FAR
00000144 - 30008001 00000001    T1 W 00000001  CMD      WCFG - Write Config Data
0000014C - 20000000             T1 - 00000000  NOP      (1x)
00000150 - 30004000             T1 W 00000000  FDRI
00000154 - 500F6C78             T2 W 000F6C78
003DB340 - 20000000             T1 - 00000000  NOP      (2x)
003DB348 - 30008001 0000000A    T1 W 00000001  CMD      GRESTORE - Pulse GRESTORE Signal
003DB350 - 20000000             T1 - 00000000  NOP      (1x)
003DB354 - 30008001 00000003    T1 W 00000001  CMD      DGHIGH/LFRM - Last Frame Write
003DB35C - 20000000             T1 - 00000000  NOP      (100x)
003DB4EC - 30008001 00000005    T1 W 00000001  CMD      START - Begin Startup Sequence
003DB4F4 - 20000000             T1 - 00000000  NOP      (1x)
003DB4F8 - 30002001 03BE0000    T1 W 00000001  FAR
003DB500 - 3000C001 00000501    T1 W 00000001  MASK
003DB508 - 3000A001 00000501    T1 W 00000001  CTL0
003DB510 - 30000001 E3AD7EA5    T1 W 00000001  CRC
003DB518 - 20000000             T1 - 00000000  NOP      (2x)
003DB520 - 30008001 0000000D    T1 W 00000001  CMD      DESYNC - Reset DALIGN Signal
003DB528 - 20000000             T1 - 00000000  NOP      (400x)

Didn't include them in the ZIP because they are too big.
« Last Edit: February 12, 2018, 08:40:38 pm by tv84 »
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 3069
  • Country: fi
  • Starting with DLL21
Re: Siglent .ads firmware file format
« Reply #108 on: March 07, 2018, 10:00:40 am »
Fun that SDS1004X-E FW update file (.ADS) is in reverse order.
Who could write the secret door key words of telnet song....
If practice and theory is not equal it tells that used application of theory  is wrong or the theory itself is wrong.
It is much easier to think an apple fall to the ground than to think that the earth and the apple will begin to move toward each other and collide.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #109 on: June 10, 2018, 10:55:57 am »
Shadow file is something like this
Code: [Select]
root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::
siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::

Algorithm: SHA-512 / crypt(3) / $6$

https://samsclass.info/123/proj10/p12-hashcat.htm
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #110 on: June 11, 2018, 09:59:00 am »
Shadow file is something like this
Code: [Select]
root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::
siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::

Algorithm: SHA-512 / crypt(3) / $6$

https://samsclass.info/123/proj10/p12-hashcat.htm

Which .ADS ? Have you released it with a known shadow?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #111 on: June 11, 2018, 03:53:08 pm »
This is in latest update files. They are the original passwords.
I don't have any hardware to do any replacing or hacking tests...
 

Online ian.ameline

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #112 on: June 12, 2018, 01:29:30 pm »
This is in latest update files. They are the original passwords.
I don't have any hardware to do any replacing ... tests...

I can volunteer to try an image with a substituted password (similar to that for the SDG2000 series.)



 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #113 on: June 12, 2018, 01:39:23 pm »
I can volunteer to try an image with a substituted password (similar to that for the SDG2000 series.)

janekivi, now you have your first customer! :)
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #114 on: June 12, 2018, 03:47:48 pm »
OK, but this time it may be a bit tricky.
In a normal update like SDS1004X-E_6.1.25R2 you don't see any passwords or anything else.
But they have released the Operating System -V1 (Only For 4-Channel) update, and there is
the whole root file system, for example. So looking into rootfs.cramfs, in \etc\ is shadow. Now we
need to repack it after the change and do the Operating System update again.
Maybe it is possible...
Otherwise my Radeon R9-390 decodes only 80000 passwords per second - that may take years.
 

Online ian.ameline

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #115 on: June 12, 2018, 04:07:13 pm »
OK, but this time it may be a bit tricky.
In a normal update like SDS1004X-E_6.1.25R2 you don't see any passwords or anything else.
But they have released the Operating System -V1 (Only For 4-Channel) update, and there is
the whole root file system, for example. So looking into rootfs.cramfs, in \etc\ is shadow. Now we
need to repack it after the change and do the Operating System update again.
Maybe it is possible...
Otherwise my Radeon R9-390 decodes only 80000 passwords per second - that may take years.

Yes -- I was assuming it would be the OS update that is modified to substitute a known password for the root account. (as was done for the SDG)
I'm fairly technically experienced -- many years of compiler development on unix platforms.
Cracking the password itself in less than years is not a good bet assuming they didn't choose a word in a dictionary.




 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #116 on: June 12, 2018, 04:33:51 pm »
I see the cramfs can be made with mkfs.cramfs. You unpack all files and then generate a new cramfs
from the new files. There are many options and we need to know exactly what format it needs to be.
http://manpages.ubuntu.com/manpages/bionic/man8/mkfs.cramfs.8.html
The update is done during startup, so maybe a wrong file doesn't kill it much and during the next
startup we can try another file and so on...
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #117 on: June 12, 2018, 05:19:30 pm »
This way I don't need to do anything.
You can take the update
https://www.siglentamerica.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series
Unpack rootfs.cramfs file (with 7zip for example).
Generate new password for root (and siglent)
https://quickhash.com/crypt3-sha512-online
Replace shadow file, then pack new rootfs.cramfs together with mkfs.cramfs your_filesdir rootfs.cramfs
Then put all files to USB and follow the PDF guide
 

Online ian.ameline

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #118 on: June 12, 2018, 06:35:58 pm »
I'll give that a shot later this week when I get some spare time.

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #119 on: June 12, 2018, 07:53:02 pm »
I can't get it to use "best compression" but the new file is only 25Kb bigger.
I don't know what you can do with it...

SDS1004X-E_OSV1_EN_eevblog.zip
« Last Edit: June 13, 2018, 03:06:06 pm by janekivi »
 

Online ian.ameline

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #120 on: June 12, 2018, 08:15:32 pm »
Thanks -- I'll give it a try...
 

Online ian.ameline

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #121 on: June 12, 2018, 08:25:20 pm »
It appeared to copy the new OS over, but the machine freezes on boot -- all the panel leds are lit, the siglent logo is displayed on the lcd, but no activity -- even after 2 minutes.

Fortunately putting the old OS on the key and restarting loads the old OS back on and it works as expected -- no brick.

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #122 on: June 13, 2018, 03:15:00 pm »
So some tinkering with packing this rootfs.cramfs back together is needed to get the needed output.
I did it with all default settings in Ubuntu. mkfs.cramfs my_filesdir rootfs.cramfs
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #123 on: June 13, 2018, 03:49:33 pm »
In the extreme maybe we can patch only the shadow without extracting the whole cramfs...  ::)
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #124 on: June 13, 2018, 04:44:08 pm »
But is there some crc or other critical attribute?
There may be something Siglent special.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #125 on: June 13, 2018, 05:28:26 pm »
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip
 
The following users thanked this post: CustomEngineerer, W9GFO

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #126 on: June 13, 2018, 07:04:28 pm »
[000A09D6-000A0AAC]  CRC32: F48E57F1  DecompSize: 000000F9  ADLER32: 91C34AE7 - ZLIB_ADLER32_OK

You did a binary replacement?

Edit: It seems you did. That should do the job! :)

New one:
[000A09D6-000A0AAC]  CRC32: C7E44B26  DecompSize: 000000F9  ADLER32: 9A234C07 - ZLIB_ADLER32_OK
« Last Edit: June 13, 2018, 07:09:42 pm by tv84 »
 

Online ian.ameline

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #127 on: June 13, 2018, 07:35:07 pm »
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip

Ok -- that copied over to the scope and boots up!
And I can log in as root via telnet!

Let the exploring begin...
 

Online ian.ameline

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #128 on: June 13, 2018, 08:54:32 pm »
It's pretty interesting -- with cursors on, fft active with 1mpts, and measure all active, and the web interface going, you can saturate both CPUs on the machine... (load Avg of 1.94 in top)
But with just viewing a waveform, it's very lightly loaded -- under 5%.

Even with those features activated, it's using around 52% of the cpu RAM. (256Meg)



 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #129 on: June 14, 2018, 05:50:42 am »
Dears,

fantastic news, it would be a big favor if you could do this for the sds2204X model fw too.
I'm working on this too since a few days but my learning process is still evolving with small
progress.

I follow your descriptions concerning the reverse of the binary fw file and am now working on
the extraction of the zipped parts to extract the shadow file in order to find the root pw.

But your progress is more effective and leads perhaps faster to a fw mod.
Is it true that the telnet daemon first has to be activated in order to be able to use it, or does
it run continuously? Nmap did not show port 23 active on my device.

By the way I'm also interested in a mod fw file for the sdg6022x iq generator.

Any help that brings me closer to my goal of option activation is appreciated.

Many thanks in advance for your help.

Markus

 
 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #130 on: June 14, 2018, 08:17:27 am »
@janekivi

could you please confirm that my understanding of your FWF conversion/decryption
is right or correct it if I made an error.

1) first step is turn the .ads file around (or look it backwards)

2) XOR FF it with pattern bytes 0, 1, 3, 6, A, F and so on - space increasing by 1 <== could you please explain 0,1,3,6,A,F...

3) XOR FF it from center (file length - 72)/2 as file have 72 byte header (now at the end) <== XOR every FW byte with FF - right?

So I extracted your description and wrote my own Python script that does the three actions as listed below:

Reverse FW File:
=============
according to  outfile.write(bytes(byte_list[::-1]))


First XOR:
=========
# b is a bytearray holding the reversed file
a = 0
j = 0
i = len(b)
while j < i:
    b[j] ^= 0xFF      # j visits 0, 1, 3, 6, 0xA, 0xF, ...
    j = j + a + 1
    a = a + 1

Second XOR from Pos len(b)/2-36:
================================
i = len(b)
j = len(b)//2 - 36    # integer division, j is used as an index
while j < i:
    b[j] ^= 0xFF
    j = j + 1


Thanks for your effort and helpful hints.

Markus
« Last Edit: June 14, 2018, 08:20:01 am by markus_jlrb »
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #131 on: June 14, 2018, 08:45:20 am »
Markus,

msg 99 of this thread:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892

You have the parsing of all files. You can see there some indication about the half-file to xor for question 3.

Your 2nd step is correct.

Before 1st step you could(should) parse the file header. But, since you can't decrypt yet...

After doing the xor-deobfuscation you will be able to extract the shadow but you can't reconstruct the zip file because of the encrypted areas... you need to tackle the decryption.
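
The reverse-and-XOR steps discussed in the two posts above, written out as an added Python example; it is not code from the thread or from Siglent. The function names are made up for this illustration, the start of the inverted second half is inferred from the two ranges in tv84's logs (0x25A473 for a 0x4B48E5-byte body, 0x6C for a 0xD8-byte block), and the sample data is constructed. The file header and the encrypted 0x2800/0x1400 blocks are not handled.

```python
"""Added illustration of the reverse + XOR de-obfuscation steps from this thread."""

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature of the first ZIP entry


def triangular_offsets(length):
    """Yield 0, 1, 3, 6, 10, 15, ...: the gap between offsets grows by one."""
    offset, step = 0, 1
    while offset < length:
        yield offset
        offset += step
        step += 1


def second_half_start(length):
    """First offset of the fully inverted region.

    Assumption: rounded-up midpoint, which matches both ranges logged above.
    """
    return (length + 1) // 2


def xor_layers(buf):
    """Apply both XOR 0xFF passes; applying them twice restores the input."""
    out = bytearray(buf)
    for off in triangular_offsets(len(out)):
        out[off] ^= 0xFF
    for off in range(second_half_start(len(out)), len(out)):
        out[off] ^= 0xFF
    return bytes(out)


def deobfuscate_body(body):
    """Reverse the byte order first, then undo the two XOR passes."""
    return xor_layers(body[::-1])


def find_zip_start(plain):
    """Offset of the first ZIP local file header, or -1 if there is none."""
    return plain.find(ZIP_LOCAL_HEADER)


# Constructed sample: 0x34 filler bytes standing in for the section header,
# followed by a ZIP signature and some filler. Not taken from a real update.
SAMPLE_PLAIN = bytes(0x34) + ZIP_LOCAL_HEADER + bytes(range(32))
SAMPLE_OBFUSCATED = xor_layers(SAMPLE_PLAIN)[::-1]


if __name__ == "__main__":
    recovered = deobfuscate_body(SAMPLE_OBFUSCATED)
    print("pattern offsets:", [hex(o) for o in triangular_offsets(16)])
    print("round trip ok:  ", recovered == SAMPLE_PLAIN)
    print("ZIP starts at:  ", hex(find_zip_start(recovered)))
```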
 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #132 on: June 14, 2018, 11:03:41 am »
@tv84,

thanks for your reply,

but I'm a bit confused about the ads. fw file checksum issue.

According to the thread #99 the FW file

SDS2000x_1.2.2.2R10.ADS  CRC32: FBD42874

has the above checksum, but

according to the python fragment listed in thread #74
that I included in my script, see below,

>./ads_fwf_checksum.py SDS2000x_1.2.2.2R10.ADS
ED2FE8CD - 32 bit checksum
      CD -  8 bit checksum

>cat ./ads_fwf_checksum.py
#!/usr/bin/python3

import sys
import functools

input = sys.argv[1]

data = bytearray(open(input, 'rb').read())

# two's complement of the sum of all bytes
csum = functools.reduce(lambda x,y: x+y, data, 0)
csum = ~csum + 1
csum = csum & 0xffffffff # keep the low 32 bits
print (format(csum, 'X'),"- 32 bit checksum")
csum = csum & 0xff # keep the low 8 bits
print ("     ",format(csum, 'X'),"-  8 bit checksum")


the checksum differs <== ????

Do you have an idea what's wrong?


Thanks

Markus
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #133 on: June 14, 2018, 11:32:07 am »
When I mention:

SDS2000x_1.2.2.2R10.ADS  CRC32: FBD42874

is just for an integrity check of the ADS in question.

It's calculated with the general CRC-32 algo and it's 100% correct. Maybe you are not implementing the right CRC-32. There are plenty of options; I don't know if you are aware of that.

http://www.sunshine2k.de/coding/javascript/crc/crc_js.html

It's the first option of CRC32.
 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #134 on: June 14, 2018, 02:45:54 pm »
@tv84,

>./ads_fwf_checksum.py SDS2000x_1.2.2.2R10.ADS
ED2FE8CD - 32 bit checksum
      CD -  8 bit checksum
FBD42874 - 32 bit checksum
      74 -  8 bit checksum

now the crc32 result looks ok.

I had used the crc32.py module from
https://github.com/StalkR/misc/blob/master/crypto/crc32.py

After replacement of "ord(c)" by "c", as the read function fetches
a byte stream, I was able to calc the crc32 sum of the .ads fwf.

Thanks
Markus

>cat ./ads_fwf_checksum.py
#!/usr/bin/python3

import sys
import functools
from crc32 import CRC32  # crc32.py from the StalkR repository linked above

path = sys.argv[1]

# Read the whole firmware file as bytes
with open(path, 'rb') as f:
    data = bytearray(f.read())

# Or data can be declared directly
# data = bytes([0x02,0x00,0x00,0x04,0x00,0x00])

# Additive checksum: two's complement of the sum of all bytes
csum = functools.reduce(lambda x,y: x+y, data, 0)
csum = ~csum + 1
csum = csum & 0xffffffff # truncate to 32 bits
print (format(csum, 'X'),"- 32 bit checksum")
csum = csum & 0xff # keep the low 8 bits
print ("     ",format(csum, 'X'),"-  8 bit checksum")

# CRC-32 of the same data
csum2 = CRC32().calc(data)
print (format(csum2, 'X'),"- 32 bit checksum")
csum2 = csum2 & 0xff # keep the low 8 bits
print ("     ",format(csum2, 'X'),"-  8 bit checksum")
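
The two checksums compared in this exchange, as an added example that is not part of the original posts: the additive two's-complement sum from the script above next to the standard CRC-32, assumed here to be the "general CRC-32" tv84 refers to (the variant Python's zlib.crc32 computes). The function names and the six-byte sample are constructed for illustration; the sample shows that swapping two bytes leaves the additive sum unchanged while the CRC-32 changes.

```python
#!/usr/bin/env python3
# Added example (not from the thread): additive checksum vs. standard CRC-32.
import sys
import zlib

CHUNK = 64 * 1024  # read firmware images in blocks instead of all at once

# Constructed sample: the six bytes from the commented-out line in the post,
# and the same bytes with positions 0 and 3 swapped.
SAMPLE = bytes([0x02, 0x00, 0x00, 0x04, 0x00, 0x00])
SWAPPED = bytes([0x04, 0x00, 0x00, 0x02, 0x00, 0x00])


def read_chunks(path, size=CHUNK):
    """Yield the file at `path` in blocks of at most `size` bytes."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(size)
            if not block:
                return
            yield block


def additive_checksum(chunks, bits=32):
    """Two's complement of the sum of all bytes, truncated to `bits` bits."""
    total = 0
    for chunk in chunks:
        total += sum(chunk)
    return (-total) & ((1 << bits) - 1)


def crc32_bitwise(data, crc=0):
    """Standard CRC-32 spelled out bit by bit.

    Parameters: reflected polynomial 0xEDB88320 (0x04C11DB7 normal form),
    initial value 0xFFFFFFFF, final XOR 0xFFFFFFFF, input and output reflected.
    """
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def crc32_stream(chunks):
    """Same CRC-32 via zlib, fed block by block."""
    crc = 0
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def file_checksums(path):
    """Return (additive 32 bit, additive 8 bit, CRC-32) for a file."""
    add32 = additive_checksum(read_chunks(path))
    return add32, add32 & 0xFF, crc32_stream(read_chunks(path))


def main(argv):
    if len(argv) > 1:
        add32, add8, crc = file_checksums(argv[1])
        print(format(add32, "08X"), "- 32 bit additive checksum")
        print(format(add8, "02X"), "-  8 bit additive checksum")
        print(format(crc, "08X"), "- CRC-32")
        return 0
    # No file given: show the difference on the constructed sample.
    for name, blob in (("sample ", SAMPLE), ("swapped", SWAPPED)):
        print(name,
              format(additive_checksum([blob]), "08X"),
              format(crc32_bitwise(blob), "08X"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Both values only detect accidental corruption of a download; neither is keyed, so a matching CRC-32 says nothing about who produced the file.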
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #135 on: June 14, 2018, 04:22:08 pm »
 :-//
I don't have a clue what you are doing here...
but one day I made SDS file viewer and unpacker and app converter and after that
you can unpack program part from that app with offzip. Packed region is starting
from 0000dbd4 and then you have unpacked BlackFin code with which I don't know
what we gonna do...

I started looking at it here
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1061594/#msg1061594
and latest app is there
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1208443/#msg1208443
 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #136 on: June 15, 2018, 07:07:33 am »
@janekivi

I try to reproduce your steps in .ads FW reassembling.
One of them was to calculate the CRC32 properly.
The others to understand the .ads file format.
Due to your excellent prework I hope to create my
own tools.
 
I was aware of the tools you provided, but I had no luck
till now to use them under wine (Linux OS) due to missing
Libs. (I'm not sure if your Code could be ported to Mono,
the linux Version of Net-Environment)

Thanks for your reply.

Markus





 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #137 on: June 21, 2018, 04:16:42 pm »
@janekivi
@tv84,
and all,

how to proceed after I had extracted the Part1..5+7 from the
.ads FW file with the sds_ads.exe tool.

How to extract and mod the shadow file to enter his own
hash for the root account and how to pack all parts together
to get again a .ads FW file?

Some helpful hints will be appreciated.

Many thanks in advance for this effort.

Markus 
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #138 on: June 21, 2018, 05:29:48 pm »
@janekivi
@tv84,
and all,

how to proceed after I had extracted the Part1..5+7 from the
.ads FW file with the sds_ads.exe tool.

How to extract and mod the shadow file to enter his own
hash for the root account and how to pack all parts together
to get again a .ads FW file?

Some helpful hints will be appreciated.

Many thanks in advance for this effort.

Markus

"Part1..5+7" exist in files which, I think, are not relevant to your "shadow" quest.

Usually the shadow file exists inside a ZIP in the ADS. So, you decrypt the ADS, extract the zip and replace shadow.

You can generate the shadow file in linux or manually hash the passwords.

Then, it's the reverse process all the way:

Compress the zip with the new shadow file.
Encode the zip in an ADS, placing headers, xoring and encrypting...  Maybe janekivi's tool does this... Don't remember.

I advise you to not flash a "handmade" ADS before me or janekivi do a small validation test. Just to decrease the risk of having any packing error...

Look at my parsings list and see where the shadow files exist.

« Last Edit: June 21, 2018, 05:32:13 pm by tv84 »
 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #139 on: June 21, 2018, 06:25:54 pm »
@tv84,

but where can I find the block with the fw file system.
How to read/interpret your listing, see attached file that I
cut & paste from your recent fw summary.

Markus
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #140 on: June 21, 2018, 07:54:03 pm »
@tv84,

but where can I find the block with the fw file system.
How to read/interpret your listing, see attached file that I
cut & paste from your recent fw summary.

Markus

Oh, I see your problem!

The example that you provide is a SDS2000X file. Not a SDS2000X-E file!

This scope has a Blackfin proc and several FPGAs.

The X-E has an ARM proc. The structure of ADS is completely different, although the basic encryption envelope is pretty much the same.

You don't have a shadow file in the X version because it doesn't have a "file system" and/or linux environment.

Which is the equipment that you want to "analyze"?
 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #141 on: June 21, 2018, 08:15:00 pm »
Oh,

what's a pity.

So I have to start to analyze from the beginning and
make my own experience and tools.

Thanks for your explanation concerning the X and X-E
model suffix.

Markus
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #142 on: June 21, 2018, 08:22:41 pm »
@tv84,

but where can I find the block with the fw file system.
How to read/interpret your listing, see attached file that I
cut & paste from your recent fw summary.

Markus

Oh, I see your problem!

The example that you provide is a SDS2000X file. Not a SDS2000X-E file!

This scope has a Blackfin proc and several FPGAs.

The X-E has an ARM proc. The structure of ADS is completely different, although the basic encryption envelope is pretty much the same.

You don't have a shadow file in the X version because it doesn't have a "file system" and/or linux environment.

Which is the equipment that you want to "analyze"?
I think markus has misunderstood your question.
See here:
https://www.eevblog.com/forum/testgear/siglent-sds2204x-mods/
Avid Rabid Hobbyist
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #143 on: June 21, 2018, 08:29:52 pm »
In other words, crypted-reversed-COR-ZIP files you must process to get files,
but in SDS1000X, SDS2000 and SDS2000X firmware you have plain files.
(except part 5, which is the BlackFin app and a bit obfuscated or so)
So those parts 1...5 and 7 are the plain files that the scope is using. I haven't given them names
but TV84 probably knows better what files they are - FPGA, APP, ... (no LINUX there)
That's the kind of SDS ADS files my SDS file viewer is made for. I haven't done a repack utility yet...
 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #144 on: June 21, 2018, 08:41:12 pm »
@janekivi,
@all,

does it make sense to analyze the fw parts the sds_ads tool generates with IDA-Pro?
And if so are there templates/addons/extensions that could be used for this
purpose?

Markus



 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #145 on: June 21, 2018, 09:09:40 pm »
Markus,

I think you don't need to reinvent the wheel but... you know better.

If you want to reverse the SDS2000X Blackfin block, you can extract it with janekivi's tool and then load the Blackfin plugins in IDA and analyze the code. It will be a hard job because there's no decompiler to help you. And unless you have BF expertise...  Blackfin code is not ARM code...

But, of course, it is possible to do and, at least, produce a upgrade patch (since that seems to be your ultimate goal). Not the cleanest of the solutions but nobody here is looking for perfection.

 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #146 on: June 30, 2018, 02:28:14 pm »
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 3069
  • Country: fi
  • Starting with DLL21
Re: Siglent .ads firmware file format
« Reply #147 on: June 30, 2018, 03:46:22 pm »
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?

If your scope system info show out from box:
FW 7.1.6.1.25R2
or
FW 7.1.6.1.25R1
(this 1, here colored red, it tells that OS V1 is installed.)
then  B  else A

A
Update latest FW and OS (if not already out from box).
SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 )
SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 )
These both can download from Siglent official site. Inside these both packages (zip) there is also instructions.


B
Then: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639

« Last Edit: June 30, 2018, 04:01:56 pm by rf-loop »
If practice and theory is not equal it tells that used application of theory  is wrong or the theory itself is wrong.
It is much easier to think an apple fall to the ground than to think that the earth and the apple will begin to move toward each other and collide.
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #148 on: June 30, 2018, 06:51:49 pm »
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?

If your scope system info show out from box:
FW 7.1.6.1.25R2
or
FW 7.1.6.1.25R1
(this 1, here colored red, it tells that OS V1 is installed.)
then  B  else A

A
Update latest FW and OS (if not already out from box).
SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 )
SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 )
These both can download from Siglent official site. Inside these both packages (zip) there is also instructions.


B
Then: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639

Thanks!
« Last Edit: July 01, 2018, 12:29:38 am by SMB784 »
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #149 on: June 30, 2018, 11:41:03 pm »
Thank you, but I think my main question has to do with how you log in as root. I assume there is a root password, and I'm under the assumption that it is not something known or easily guessed, so how do I install the software update so that I can either know or set the root user password?

SMB784, are you asking how you interface with the unit?  You'll need to telnet into the device through the ethernet connection.  As rf-loop said, it depends what your current firmware version is.  This determines the path you need to take.  The firmware is upgraded by copying files to a USB flash and following the on-device menus.

Once you have an updated firmware, you need to load the special OS build found in the message that rf-loop mentioned in B above.
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #150 on: July 01, 2018, 03:35:17 am »
Thank you, but I think my main question has to do with how you log in as root. I assume there is a root password, and I'm under the assumption that it is not something known or easily guessed, so how do I install the software update so that I can either know or set the root user password?

SMB784, are you asking how you interface with the unit?  You'll need to telnet into the device through the ethernet connection.  As rf-loop said, it depends what your current firmware version is.  This determines the path you need to take.  The firmware is upgraded by copying files to a USB flash and following the on-device menus.

Once you have an updated firmware, you need to load the special OS build found in the message that rf-loop mentioned in B above.

Indeed, thank you.  After some time spent thinking, I did exactly that process.  I am now working on logging in via root!
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #151 on: July 01, 2018, 07:18:01 am »
So I am running into a snag with the root login via telnet.

Thus far I have successfully downloaded and installed the firmware, and the OS from the Siglent website. I then installed the special software from the aforementioned link, and the device boots correctly. I am successfully able to get to the login prompt using telnet.

There is where the trouble starts. I enter root as the login name and I enter the password and it tells me that the login info is incorrect. I have tried many different combinations of login name and password.

So: either I am incorrectly using telnet, or I am entering in the wrong password, or Siglent has patched this technique, or the scope is ignoring and not installing the custom software update when the USB is plugged in before boot up. I did time the boot sequence and it takes 20 seconds to boot regardless of whether or not the USB with the firmware is present.

Not sure what is going on here, gonna try some other things while I try to figure it out. Any suggestions are welcome, and I will keep you updated.
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #152 on: July 01, 2018, 11:30:04 am »
It sounds like all you need is the password for the modified firmware!  Most of these modified firmware files for the Siglent devices floating around on this forum all use the same password.  The author who posts on this forum likes to make sure that the forum users who download the files from this forum are regular forum users who've been around on this forum for a while.  See these other forum posts:   ;)

https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972
https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465

 
 
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #153 on: July 01, 2018, 02:44:54 pm »
It sounds like all you need is the password for the modified firmware!  Most of these modified firmware files for the Siglent devices floating around on this forum all use the same password.  The author who posts on this forum likes to make sure that the forum users who download the files from this forum are regular forum users who've been around on this forum for a while.  See these other forum posts:   ;)

https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972
https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465

Well, I tried the very same password that logs me into the website in the first link of your message, and it tells me that it's wrong. The user name is root, and the password is the same one as the one that logs me into that website, and it says that the login credentials are wrong.

This leads me to believe that the custom software update is not being applied correctly for some reason.
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #154 on: July 01, 2018, 02:58:46 pm »
It sounds like all you need is the password for the modified firmware!  Most of these modified firmware files for the Siglent devices floating around on this forum all use the same password.  The author who posts on this forum likes to make sure that the forum users who download the files from this forum are regular forum users who've been around on this forum for a while.  See these other forum posts:   ;)

https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1447972/#msg1447972
https://www.eevblog.com/forum/testgear/siglent-sdg1000x-waveform-generators/msg1449465/#msg1449465

Well, I tried the very same password that logs me into the website in the first link of your message, and it tells me that it's wrong. The user name is root, and the password is the same one as the one that logs me into that website, and it says that the login credentials are wrong.

This leads me to believe that the custom software update is not being applied correctly for some reason.

Hmmm... that's the right one.  The credentials are changed through the modified OS update file, rather than the App firmware update.   

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1606243/#msg1606243     

As rf-loop described in A.  Load the standard SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 ) file, then the modified SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 ) from the post listed.
« Last Edit: July 01, 2018, 03:01:23 pm by BillB »
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #155 on: July 01, 2018, 04:26:27 pm »
Hmmm... that's the right one.  The credentials are changed through the modified OS update file, rather than the App firmware update.   

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1606243/#msg1606243     

As rf-loop described in A.  Load the standard SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 ) file, then the modified SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 ) from the post listed.

Alright here's what my process was before failing to get login credentials correct:

The first thing I did was format my 32 gigabyte USB flash drive to FAT32.  Then I added the FW 7.1.6.1.25R2.ads file to the usb drive, dismounted it, and plugged it into the scope.  I turned the scope on, and then followed the instructions to install the firmware and self calibrated the scope.  I verified that I was running the 25R2 firmware at software level 0 (no software update performed yet).

Then, according to RF-Loop's instructions:
Quote
Update latest FW and OS (if not already out from box).
SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 )
SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 )
These both can download from Siglent official site. Inside these both packages (zip) there is also instructions.
I downloaded the latest software update from the siglent website and put the 4 software files on a newly FAT32 reformatted USB drive.  I turned off the scope and plugged the USB drive in.  I then booted the scope, and it installed the software, and verified that I was now running at software level 1.  Then I turned the scope off, took out the USB, reflashed it with the 4 custom files with the modified root login, plugged this back into the scope, started it up and let it return to the main screen.

I then tried to telnet into the scope on port 23, I got to the login page and entered the username root and the modified password and received a "login incorrect" message.  I tried many different combinations of login name and password, as well as the correct password numerous times.  I rebooted the scope, tried reinstalling the modified software, tried reinstalling the 25R2 firmware, all to no added effect.  I noticed that the boot time to main screen remained the same regardless of what software file I put on the USB, and regardless of whether or not there was even a USB inserted (20 seconds regardless).  These times were measured after the initial official software boot.

I can try installing the 25R1 firmware and retrying this whole process, but I cannot seem to find a good download location for it.  Also I have tried to hardware reset the scope using the instructions on the Siglent website, but that process has not worked each time I have attempted it.

It's possible that they have invalidated this method of changing the root user login when you install the official software update first.

Any suggestions are most welcome.
« Last Edit: July 01, 2018, 06:17:05 pm by SMB784 »
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #156 on: July 01, 2018, 05:42:42 pm »
It's possible that they have invalidated this method of changing the root user login when you install the official software update first, so at this point it is my suggestion that anyone attempting this process install the modified software provided here on the forums instead of trying the official software update.

Any suggestions are most welcome.

The OS update after turning on the scope is very fast, and it definitely worked the first time because you did bump from version 0 to 1.

As far as the order of update, my scope had both the 25R2 and V1 factory updates applied for a while before I updated with the modified OS.  My process went like 25R1->25R2->OSV1(factory)... a week or two later... ->OSV1(modified).

So, I'm at a loss now to explain why you aren't able to log in. :-//
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #157 on: July 01, 2018, 06:23:24 pm »
Alright then, I must be doing something wrong. I am going to scrutinize this process in detail and maybe I can figure out what I have done wrong
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #158 on: July 01, 2018, 07:04:35 pm »
I wonder if it is possible to do the update using the update configuration key. Anyone have any experience with this?
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 3069
  • Country: fi
  • Starting with DLL21
Re: Siglent .ads firmware file format
« Reply #159 on: July 01, 2018, 07:27:57 pm »
I wonder if it is possible to do the update using the update configuration key. Anyone have any experience with this?

Your screen image

Is it displaying all files in your USB in root folder for OS update.
AFAIK There need be 4 files! included in eevblog zip

devicetree.dtb
rootfs.cramfs
sds1004x_e_udiskEnv.txt
uImage
« Last Edit: July 01, 2018, 07:30:38 pm by rf-loop »
If practice and theory is not equal it tells that used application of theory  is wrong or the theory itself is wrong.
It is much easier to think an apple fall to the ground than to think that the earth and the apple will begin to move toward each other and collide.
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #160 on: July 01, 2018, 07:34:33 pm »
I wonder if it is possible to do the update using the update configuration key. Anyone have any experience with this?

Your screen image

Is it displaying all files in your USB in root folder for OS update.
AFAIK There need be 4 files! included in eevblog zip

devicetree.dtb
rootfs.cramfs
sds1004x_e_udiskEnv.txt
uImage

Yes I did have 4 files in there originally, and when that didn't work I tried just those two, which also didn't work
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #161 on: July 01, 2018, 07:48:07 pm »
Here is an image of the system info
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #162 on: July 01, 2018, 07:58:31 pm »
Here is an image of the system info

Hmm...
My hardware version is 00-03

But ian.ameline's is 01-03 as well and he updated his just fine.
« Last Edit: July 01, 2018, 08:00:09 pm by BillB »
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #163 on: July 01, 2018, 08:24:10 pm »
Alright then, I must be doing something wrong. I am going to scrutinize this process in detail and maybe I can figure out what I have done wrong
Most likely spelling or syntax error.......those were the mistakes I made.  :palm:
Avid Rabid Hobbyist
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Siglent .ads firmware file format
« Reply #164 on: July 01, 2018, 09:42:47 pm »
It's possible that they have invalidated this method of changing the root user login when you install the official software update first.

Any suggestions are most welcome.

No, the work being done by forum members has been on the latest firmware and os versions from what I can tell. Post one of your telnet sessions (including initiating the telnet connection) so we can see that you are connecting correctly. Also it might be useful to have a screenshot of the IP configuration screen on the scope. Are you able to connect to the webserver on the scope through your browser?
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #165 on: July 01, 2018, 10:25:46 pm »
It's possible that they have invalidated this method of changing the root user login when you install the official software update first.

Any suggestions are most welcome.

No, the work being done by forum members has been on the latest firmware and os versions from what I can tell. Post one of your telnet sessions (including initiating the telnet connection) so we can see that you are connecting correctly. Also it might be useful to have a screenshot of the IP configuration screen on the scope. Are you able to connect to the webserver on the scope through your browser?

He sees the login prompt.
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #166 on: July 01, 2018, 10:32:06 pm »
It's possible that they have invalidated this method of changing the root user login when you install the official software update first.

Any suggestions are most welcome.

No, the work being done by forum members has been on the latest firmware and os versions from what I can tell. Post one of your telnet sessions (including initiating the telnet connection) so we can see that you are connecting correctly. Also it might be useful to have a screenshot of the IP configuration screen on the scope. Are you able to connect to the webserver on the scope through your browser?

He sees the login prompt.
Yes.
And to progress further you must have the modified OS installed and any command spelling and syntax correct.
Avid Rabid Hobbyist
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Siglent .ads firmware file format
« Reply #167 on: July 01, 2018, 10:39:44 pm »
I get that he thinks he is. But without knowing his comfort level with the command line I would prefer to see proof to be able to rule it out. If he swears that the firmware has been installed correctly, and he is for sure using the correct username and password, then the next thing to check is that he really is connecting to the scope. I agree that it does sound like he probably is, but I've seen telnet connections fool other users before (as in they were at the telnet prompt, but not actually connected to anything).

On a separate note, thanks for your contributions in getting this process worked out.

Edit: I don't mean the first line as an insult. smb784 specifically mentioned earlier that he wasn't completely sure he was using telnet correctly, and I really have seen telnet connections trick people before.
« Last Edit: July 01, 2018, 11:06:14 pm by CustomEngineerer »
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #168 on: July 01, 2018, 11:13:01 pm »
I get that he thinks he is. But without knowing his comfort level with the command line I would prefer to see proof to be able to rule it out. If he swears that the firmware has been installed correctly, and he is for sure using the correct username and password, then the next thing to check is that he really is connecting to the scope. I agree that it does sound like he probably is, but I've seen telnet connections fool other users before (as in they were at the telnet prompt, but not actually connected to anything).

On a separate note, thanks for your contributions in getting this process worked out.

Edit: I don't mean the first line as an insult. smb784 specifically mentioned earlier that he wasn't completely sure he was using telnet correctly, and I really have seen telnet connections trick people before.

Don't worry I'm not insulted :)  Having spent almost 15 years in a physics lab in the quest for my Ph.D., I am used to making simple but easily overlooked mistakes.  Here is how I performed this update.

First, I formatted a USB to FAT32, and downloaded the 25R2 Firmware .ads onto the USB stick from Siglent America's official website, and installed it to the device.  You can verify that by looking at the top left corner of the first image attached in this email.

Then I reformatted the USB as FAT32 and downloaded the latest operating system and extracted the four files onto the USB.  I then plugged the USB into the scope and restarted it, allowing it to install the new operating system.  See the first attached image for verification of this process (top, middle, and bottom panels).

I turned on DHCP and connected the ethernet cable between it and my router, allowing it to acquire an IP address from my router.  See the second attached image for verification.

Then I removed the USB while the scope was on, turned the scope off, reformatted the USB to FAT32, and downloaded the custom software install from Janekivi's weblink from this thread.  I extracted this custom firmware zip onto the USB, and plugged it into the oscilloscope and turned it on.  The scope booted up, and after boot I telneted in on port 23 and tried to log in with login name root and the correctly spelled password.  See third attached image for verification of this process (top, bottom panels).

Take special note in the images of the date stamps for each of the files uploaded to the USB.  That is how I verified that I had the correct files on the USB

Thank you all again for all of your hard work and help, let me know if you see any errors in my process.
« Last Edit: July 02, 2018, 01:02:53 am by SMB784 »
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 
The following users thanked this post: CustomEngineerer

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #169 on: July 02, 2018, 01:03:48 am »
I have updated my installation method in the post immediately preceding this one.
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Siglent .ads firmware file format
« Reply #170 on: July 02, 2018, 01:14:44 am »
Just to be absolutely certain there wasn't an issue with newer scopes I went ahead and went through the procedure on my SDS1104X-E that I ordered last Monday and received on Thursday from Saelig. When I received the scope it had
Software Version: 7.6.1.20R3
FPGA Version: 2018-01-20
Hardware Version: 01-03

That day I went ahead and installed the SDS1004X-E_6.1.25R2.ADS firmware (listing this way since I'm still a little confused about if the 7 at the beginning of the version should be part of the firmware number) and afterwards checking the system information screen then showed
Software Version: 7.0.6.1.25R2
FPGA Version: 2018-03-06
Hardware Version: 01-03

Yesterday I installed the official OS update from Siglent, the SDS1004X-E_OSV1_EN-1.zip file, and checking the system information screen after showed:
Software Version: 7.1.6.1.25R2
FPGA Version: 2018-03-06
Hardware Version: 01-03

I had planned on holding off on installing the modified system files until I knew for sure I was going to keep the scope, but since it's easily reversible I figured I'd go ahead and make sure it does indeed work as expected. I installed the four files from the SDS1004X-E_OSV1_EN_eevblog.zip file earlier in this thread and sure enough I was then able to telnet into the scope with the expected username and password.

In the attached screenshot (sorry for not separating the two attempts into separate screenshots), the first telnet login attempt was while the scope had the official Siglent OS files installed, then before I attempted the second login, I restarted the scope with an inserted USB thumb drive containing the modified OS files. You can see the second attempt is able to login.
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Siglent .ads firmware file format
« Reply #171 on: July 02, 2018, 01:20:47 am »
Everything you are doing looks correct to me, sorry, I'm out of ideas.
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #172 on: July 02, 2018, 01:23:28 am »
Everything you are doing looks correct to me, sorry, I'm out of ideas.

I am thinking it has something to do with taking the software from the USB and putting it onto the scope.  I will try doing that from a different computer than the one I am currently using.
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #173 on: July 02, 2018, 01:42:35 am »
Well, I have fixed the login issue.

Something about adding the custom files to the USB with my Desktop running Ubuntu 18.04 was causing them to not be recognized by the scope (I guess).

I tried adding the files to the USB using my raspberry pi, and lo and behold I am now able to telnet into the scope with both the raspberry pi and my desktop.

No idea what the deal was with that, but at least now I can log in.

Thank you all for your help, seriously.
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 459
  • Country: us
Re: Siglent .ads firmware file format
« Reply #174 on: July 02, 2018, 01:48:06 am »
Great news. Congrats!!!
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #175 on: July 02, 2018, 01:50:12 am »
Great news. Congrats!!!

Thanks!! Color me impressed with all the efforts in this thread.

Thanks again yall!
« Last Edit: July 02, 2018, 01:59:38 am by SMB784 »
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #176 on: July 02, 2018, 08:55:39 am »
As I've told SMB784, I advise all to:

1st option - Instead of the official OS install, install janekivi full OS file. It's exactly the same thing with the pwds already changed.

2nd option - After installing the official OS, when you install janekivi patch, do it only with the rootfs file (and the script .txt, of course).

Less operations, less risk!

Regarding the advice of CustomEngineerer about the login problem: thinking of it, it was totally right and not an insult, it could have been a problem with the client SMB784 was using to connect to the scope. Although SMB784 was able to see the correct prompt, there was no assurance that what he writes in the console was correctly/transparently being sent to the scope.

A solution could have been to change the client (I usually use Putty) or investigate what was introducing garbage in the connection.

Or, in the extreme, use (in his case) the RPi as a gateway to telnet to the scope...

Glad it is solved! Now, time for upgrade.  :)
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #177 on: July 02, 2018, 11:11:59 am »
As I've told SMB784, I advise all to:

1st option - Instead of the official OS install, install janekivi full OS file. It's exactly the same thing with the pwds already changed.

2nd option - After installing the official OS, when you install janekivi patch, do it only with the rootfs file (and the script .txt, of course).

Less operations, less risk!

Regarding the advice of CustomEngineerer about the login problem: thinking of it, it was totally right and not an insult, it could have been a problem with the client SMB784 was using to connect to the scope. Although SMB784 was able to see the correct prompt, there was no assurance that what he writes in the console was correctly/transparently being sent to the scope.

A solution could have been to change the client (I usually use Putty) or investigate what was introducing garbage in the connection.

Or, in the extreme, use (in his case) the RPi as a gateway to telnet to the scope...

Glad it is solved! Now, time for upgrade.  :)

As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.

I tried telnetting into the scope from the RPI with the software installed from files copied over using my desktop and couldn't log into the scope. But as soon as I copied the files over to the USB using the RPI, the scope recognized them and correctly installed the custom software, and at that point I could log in via telnet from either the RPI or the desktop.

So something was going wrong in the process of making the USB with the custom software on it when using the desktop. I have no earthly idea what could have been going on though.

In my case, using RF-loop's instructions worked perfectly once I performed them using the RPI to make the USB instead of the desktop.
« Last Edit: July 02, 2018, 11:14:25 am by SMB784 »
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #178 on: July 02, 2018, 12:57:23 pm »
As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.

I tried telnetting into the scope from the RPI with the software installed from files copied over using my desktop and couldn't log into the scope. But as soon as I copied the files over to the USB using the RPI, the scope recognized them and correctly installed the custom software, and at that point I could log in via telnet from either the RPI or the desktop.

So something was going wrong in the process of making the USB with the custom software on it when using the desktop. I have no earthly idea what could have been going on though.

In my case, using RF-loop's instructions worked perfectly once I performed them using the RPI to make the USB instead of the desktop.

Congrats!  Figured it wasn't telnet, as you could correctly type "root\r".  I guess if you wanted to be sure the pwd characters you were typing were correct, you could have typed them into the user field to see them.  :)

Anyway, what is odd, is that you were able to correctly generate the factory OS update USB configuration.  Was that the same process that didn't work for your attempt with the modified OS update? 
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #179 on: July 02, 2018, 03:42:09 pm »
As it turned out in my case, the problem wasn't the telnet, rather it was the act of copying the files from the computer to the flash drive.

Remember why I asked you to make sure the CRC of the files (in the flash drive) was correct... 

For sure, next time you'll remember! :)
 

Offline SMB784

  • Regular Contributor
  • *
  • Posts: 170
  • Country: us
Re: Siglent .ads firmware file format
« Reply #180 on: July 02, 2018, 03:56:50 pm »
Anyway, what is odd, is that you were able to correctly generate the factory OS update USB configuration.  Was that the same process that didn't work for your attempt with the modified OS update?

That is correct, I used the exact same process on the same computer to generate the modified OS update USB configuration as the one I used to generate the factory OS update USB configuration.  The factory USB configuration worked, and the modified USB configuration didn't.

Then when I generated the modified USB configuration on my RPi, it worked right away.  It's very strange.

Indeed, TV84 was probably correct in his advice that I check the CRC values.  I didn't actually check them, because I was in the process of learning how to check them when I tried making the USB on the RPi.  However, it seems strange to me that the simple act of copying the files over to the USB on one system would change the CRC values of those files when doing that exact same process on a different system does not modify them in any way.

Anyways it was a fun, albeit frustrating experience, with a rather bewildering but ultimately satisfying end result.  Thanks again to all of you who helped me.
"Anything will lase if you hit it hard enough."

-Arthur L. Schawlow
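
The check discussed in the two posts above (confirming that the files on the flash drive still match what was downloaded) can be done as below. This is an added example, not part of the original posts; the file names and the sample directories in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path


def digests(path, chunk=1 << 16):
    """Stream a file once and return (size, crc32, sha256 hex digest)."""
    size, crc, sha = 0, 0, hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            crc = zlib.crc32(block, crc)
            sha.update(block)
    return size, crc & 0xFFFFFFFF, sha.hexdigest()


def compare_trees(source_dir, stick_dir):
    """Check every file under source_dir against its copy under stick_dir.

    Returns {relative_path: status}. Status is OK, MISSING, SIZE MISMATCH,
    CONTENT MISMATCH, or EXTRA for files that exist only on the stick.
    """
    src, dst = Path(source_dir), Path(stick_dir)
    # FAT32 names are case-insensitive, so match on lower-cased relative paths.
    on_stick = {p.relative_to(dst).as_posix().lower(): p
                for p in dst.rglob("*") if p.is_file()}
    report = {}
    for original in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = original.relative_to(src).as_posix()
        copy = on_stick.pop(rel.lower(), None)
        if copy is None:
            report[rel] = "MISSING"
            continue
        want, got = digests(original), digests(copy)
        if want[0] != got[0]:
            report[rel] = "SIZE MISMATCH"      # typical of an interrupted write
        elif want[1:] != got[1:]:
            report[rel] = "CONTENT MISMATCH"   # same length, different bytes
        else:
            report[rel] = "OK"
    for leftover in on_stick.values():
        report[leftover.relative_to(dst).as_posix()] = "EXTRA"
    return report


def demo():
    """Build two constructed directory trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        src, usb = Path(tmp, "download"), Path(tmp, "usb")
        src.mkdir()
        usb.mkdir()
        payload = bytes(range(256)) * 64            # constructed file content
        (src / "example_rootfs.bin").write_bytes(payload)
        (src / "example_kernel.bin").write_bytes(payload[::-1])
        (src / "example_script.txt").write_bytes(b"constructed script\n")
        (src / "example_extra.bin").write_bytes(b"never copied")
        # Copies on the "stick": one truncated, one with a flipped bit and an
        # upper-cased name, one intact, plus a stray file the desktop left.
        (usb / "example_rootfs.bin").write_bytes(payload[:-512])
        flipped = bytearray(payload[::-1])
        flipped[100] ^= 0x01
        (usb / "EXAMPLE_KERNEL.BIN").write_bytes(bytes(flipped))
        (usb / "example_script.txt").write_bytes(b"constructed script\n")
        (usb / ".Trash-1000").mkdir()
        (usb / ".Trash-1000" / "info").write_bytes(b"x")
        return compare_trees(src, usb)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:17} {name}")
```

Unmount and re-insert the stick before running the comparison, so the reads come from the device and not from the operating system's cache of what was just written.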
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #181 on: July 02, 2018, 09:39:12 pm »
Updated my parsing list of all Siglent FWs.

Now we can see the extra details of the files used in the ZIPs.

The only UID/GID combinations are:

1000/1000
65534/65534 (only in some SDG800 .ADS when the rw_uImage is used)
 

Offline kerouanton

  • Regular Contributor
  • *
  • Posts: 58
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #182 on: July 14, 2018, 12:24:17 pm »
Thank you all, especially janekivi and tv84, for reversing the .ads file format.
I'm still new at that and as I'm learning Python it motivated me to reimplement the decoding process. I followed the steps described on some of your posts, but I am still far from what tv84 outputs in his parsing list.

Up to now, I am able to:
1. extract a .ads file from the downloaded zip file and load it in memory.
2. calculate the checksum
3. reverse the bytes
4. xor it with increasing pattern
5. xor it from the center
6. save the result

What should be the next steps, for example to locate and isolate each part?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #183 on: July 14, 2018, 10:18:03 pm »
Next you probably need to put this before reverse and XOR
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg984820/#msg984820

to get SPD3303X-E_1.01.01.02.05-EN.hex

like there, inside is the same jpg image starting at 0x00024D68
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1181598/#msg1181598
 

Offline kerouanton

  • Regular Contributor
  • *
  • Posts: 58
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #184 on: July 16, 2018, 07:49:22 am »
Let's take a look in SDG1000-V100R001B01D01P31.ADS for example

I am trying to move forward on my Python .ads decoding script, but as a newbie I'm a bit lost and expect to rely on janekivi replies to see if I'm able to get the same results. For this, I need this exact SDG1000-V100R001B01D01P31.ADS file, but I wasn't able to find the correct download URL, both on siglent.com, siglentamerica.com, and old.siglentamerica.com.
Does anyone have the download URL, so I can move forward and try getting the same results on my script?

Also, as far as I understood, some parts of the file are 3DES encrypted (some parts only as with my actual script I am able to get clear-text strings such as model number, at least on the SPD3303 .ads file), but I'm still unable to understand how janekivi found the right offset and length of the encrypted part, as well as the key itself. The method used to investigate and find those is challenging for me!

As both of you, I'm just playing around with those files for fun, as I try to learn Python and nothing more (well, having a root access on my devices is fun too).

Thanks
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #185 on: July 16, 2018, 04:42:59 pm »
Oh crap. I could have let you walk the same way. But you can test my theory and find those
patterns and XOR regions and crypted places. It was straightforward because inside was zip.
Some stuff you can find by scrolling it up and down in "notepad", because XOR FF pattern is
easily visible in 00 regions and in other places data is looking so alien. Crypted parts I found
simply by unzipping it in cut pieces to see if output ends now as it ends by unzipping full file.
If output was shorter - I did cut file too early, if output was the same - my piece was longer
or right size, then I shortened it by one byte for test. With this method I found exact places
without decompiling update file reading part in app. I don't know if I can now find something
like this with IDA... probably no, I would use notepad and calculator, maybe a little bit python.

I didn't cut the header off - 72 or 112 bytes and after reverse it was at the end, that's why
there was offset in file center calculation (j = len(b)/2-36) or (j = len(b)/2-56)
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #186 on: July 16, 2018, 09:32:40 pm »
The file is attached.

The 2 encrypted blocks have 0x2800 and 0x1400 sizes, as my parsings show. It shouldn't be too difficult to find where they are located. The key is available inside an .app file.

Study what janekivi linked (the 3DES implemented is "Siglent 3DES", not standard 3DES).

Have fun!
 

Offline kerouanton

  • Regular Contributor
  • *
  • Posts: 58
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #187 on: July 16, 2018, 10:37:00 pm »
Thank you both of you for your kind answer, and the file.

I will keep you informed of my findings! It is like a puzzle game, indeed.
 

Offline PhilipPeake

  • Contributor
  • Posts: 49
  • Country: us
Re: Siglent .ads firmware file format
« Reply #188 on: July 17, 2018, 10:46:09 pm »
This may be common knowledge, but I was about to try fixing the root password for my SDS1102X running SDS1000X_V100R001B01D02P1510.ADS, and discovered that there is no telnet service running. Only Ports 111 and 9009.

So much for my idea of trying to upgrade the bandwidth - at least until there is enough progress here to decode and re-assemble the entire thing.
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #189 on: July 17, 2018, 10:52:05 pm »
This may be common knowledge, but I was about to try fixing the root password for my SDS1102X running SDS1000X_V100R001B01D02P1510.ADS, and discovered that there is no telnet service running. Only Ports 111 and 9009.

So much for my idea of trying to upgrade the bandwidth - at least until there is enough progress here to decode and re-assemble the entire thing.

The same with the SPD3303X-E.  Open ports 111,9009 and no telnet.
 

Offline markus_jlrb

  • Regular Contributor
  • *
  • Posts: 85
  • Country: de
Re: Siglent .ads firmware file format
« Reply #190 on: July 19, 2018, 10:12:00 pm »
Philip,

In Linux and in a sh, bash
shell enter the cmds below.

echo '*IDN?' > /dev/usbtmc0

or other SCPI commands

in one window

and

while true
do
cat /dev/usbtmc0
sleep 1
done

in a second window.

While the scope is connected via USB
and not LAN.

USBTMC must be enabled in the utility
menu under IO selection.

Good luck for your investigation
Markus
 


Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #192 on: July 29, 2018, 10:53:22 am »
https://www.siglentamerica.com/service-and-support/firmware-software/dc-power-supplies/#spd1000x-series

This was long time ago, but not in the table yet

Hi janekivi,

Now it's in the table but, since it's the first without the minimum size for 2nd 3DES block decryption, there is a little detail that I haven't solved - Section Checksum.

According to that section the correct checksum should be 0xFEE2D1B1.

Code:
File Header Size: 00000070
00000000 - File Checksum: FE691817 [00000004-0002FB6F] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 0002FB00 (without 0x70 bytes of the File Header)
0000000C - Product_ID: 600
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x00017D80 until 0x0002FAFF
****************************************************
00000000 --- Section Checksum: FEE2D1B1
00000004 --- Section Size: 0002FACC [00000034-0002FAFF]  CKSM OK
00000008 --- Section # 00000007
00000034 --- 0002FAFF  ***** STM32 32-bit ARM Cortex file *****
00000034 - Vector Table:        (Little Endian - Flash(ROM): 0x08000000 - SRAM: 0x20000000)
00000034 ---        Initial SP value: 200193F0
00000038 ---                   Reset: 0802039D  (Thumb 16/32 bits)
0000003C ---                     NMI: 080203C1  (Thumb 16/32 bits)
00000040 ---              Hard fault: 080203C3  (Thumb 16/32 bits)
00000044 --- Memory management fault: 080203C5  (Thumb 16/32 bits)
00000048 ---               Bus fault: 080203C7  (Thumb 16/32 bits)
0000004C ---             Usage fault: 080203C9  (Thumb 16/32 bits)
00000050 ---                   Rsvd1: 00000000
00000054 ---                   Rsvd2: 00000000
00000058 ---                   Rsvd3: 00000000
0000005C ---                   Rsvd4: 00000000
00000060 ---                  SVCall: 080201B9  (Thumb 16/32 bits)
00000064 ---          Rsvd for Debug: 080203CD  (Thumb 16/32 bits)
00000068 ---                   Rsvd5: 00000000
0000006C ---                  PendSV: 080201E9  (Thumb 16/32 bits)
00000070 ---                 Systick: 080203D1  (Thumb 16/32 bits)
00000074 --- IRQ0 to IRQ80  [00000074-000001B7]
****************************************************
  File Processed OK

Edit1: SOLVED the decryption of the partial 3DES block. So, in order to verify the 2nd DES block decryption we must consider that the last block was padded with all 0x00s (to complete an 8-byte block), before 3DES encryption.
« Last Edit: August 24, 2018, 04:05:03 pm by tv84 »
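
The vector-table part of the listing above can be reproduced with a short parser, which is also a quick sanity check that a decoded section really is Cortex-M code. This is an added example, not tv84's parser: the sixteen table words and the 0x34 offset are taken from the listing, while the flash and SRAM window sizes, the zero-filled section header and the trailing filler are assumptions made for the sample.

```python
import struct

# Cortex-M system slots in table order; None marks a reserved slot.
SLOTS = ["Initial SP", "Reset", "NMI", "HardFault", "MemManage", "BusFault",
         "UsageFault", None, None, None, None, "SVCall", "DebugMon", None,
         "PendSV", "SysTick"]

# Base addresses are from the listing; the window sizes are assumptions.
FLASH = (0x08000000, 0x00100000)
SRAM = (0x20000000, 0x00020000)


def parse_vector_table(blob, offset, flash=FLASH, sram=SRAM):
    """Decode the 16 little-endian system vectors at `offset`.

    Returns {"entries": [(name, value), ...], "problems": [str, ...]}.
    """
    if offset < 0 or offset + 4 * len(SLOTS) > len(blob):
        raise ValueError("vector table does not fit in the blob")
    words = struct.unpack_from("<%dI" % len(SLOTS), blob, offset)
    entries, problems = [], []
    for name, value in zip(SLOTS, words):
        entries.append((name or "Reserved", value))
        if name is None:
            continue                      # reserved: recorded, not validated
        if name == "Initial SP":
            # Full-descending stack: SP may equal the first address past SRAM.
            if not sram[0] < value <= sram[0] + sram[1]:
                problems.append("Initial SP %08X is outside SRAM" % value)
            elif value % 4:
                problems.append("Initial SP %08X is not word-aligned" % value)
            continue
        if not value & 1:
            problems.append("%s %08X has the Thumb bit clear" % (name, value))
        elif not flash[0] <= (value & ~1) < flash[0] + flash[1]:
            problems.append("%s %08X points outside flash" % (name, value))
    return {"entries": entries, "problems": problems}


def find_vector_table(blob, flash=FLASH, sram=SRAM):
    """Return the first word-aligned offset holding a plausible table."""
    for offset in range(0, len(blob) - 4 * len(SLOTS) + 1, 4):
        if not parse_vector_table(blob, offset, flash, sram)["problems"]:
            return offset
    return None


def sample_blob():
    """Constructed blob: 0x34 filler bytes, then the words from the listing."""
    header = bytes(0x34)                  # stands in for the section header
    table = struct.pack(
        "<16I",
        0x200193F0, 0x0802039D, 0x080203C1, 0x080203C3,
        0x080203C5, 0x080203C7, 0x080203C9, 0, 0, 0, 0,
        0x080201B9, 0x080203CD, 0, 0x080201E9, 0x080203D1)
    return header + table + b"\xff" * 16  # trailing filler, constructed


if __name__ == "__main__":
    blob = sample_blob()
    start = find_vector_table(blob)
    print("vector table at 0x%08X" % start)
    for name, value in parse_vector_table(blob, start)["entries"]:
        print("%-11s %08X" % (name, value))
```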
 

Offline gperoni

  • Contributor
  • Posts: 32
  • Country: it
Re: Siglent .ads firmware file format
« Reply #193 on: August 10, 2018, 11:30:55 am »
I'm trying to hack my SDG6000X, here is my understanding of what I have to do by giving this thread a fast read:

1) Download a firmware upgrade from Siglent
2) Use tv84's post on the SDG6000X thread to understand where the filesystem begins in the ADS file downloaded
3) I assume the filesystem is encrypted? If so decrypt it (silly xor patterns or something), once decrypted mount the filesystem and change the shadows file.
4) Change the checksum, I wouldn't know where to find it or the crc32 init, etc.
5) Re-make the filesystem, encrypt it, put it back in place, use the resulting ADS for a firmware upgrade and get root access
6) ??? - Will figure something out.
7) Profit.

What are the tools I should use in the process? I saw a couple of scripts and programs but they don't seem to be complete, should I write my own?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #194 on: August 12, 2018, 09:51:27 am »
You must get something like this at the end
SDG6000X_eevblog_29R10.zip
I do it by hand, use notepad and hexedit and have too many steps in multiple laptops...
this is messy process...
« Last Edit: September 16, 2018, 11:52:04 am by janekivi »
 
The following users thanked this post: gperoni

Offline bluejedi

  • Contributor
  • Posts: 34
  • Country: nl
Re: Siglent .ads firmware file format
« Reply #195 on: August 19, 2018, 01:43:56 pm »
If I remember correctly, the OS update was previously listed on the download page as:

    SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 05.22.18)

but is currently listed as:

    SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 06.26.18)



« Last Edit: August 19, 2018, 01:51:52 pm by bluejedi »
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 3069
  • Country: fi
  • Starting with DLL21
Re: Siglent .ads firmware file format
« Reply #196 on: August 19, 2018, 02:20:10 pm »
If I remember correctly, the OS update was previously listed on the download page as:

    SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 05.22.18)

but is currently listed as:

    SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 06.26.18)

I have not checked how these older and more new files match but one I know. Instructions pdf is tiny bit edited. I have not compared all files but I have some "feel" they are equal.

But who use these when we have something "better" like SDS1004X-E_OSV1_EN_eevblog
If practice and theory is not equal it tells that used application of theory  is wrong or the theory itself is wrong.
It is much easier to think an apple fall to the ground than to think that the earth and the apple will begin to move toward each other and collide.
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #197 on: August 19, 2018, 02:23:04 pm »
If you look inside, it seems they changed only the:

SDS1004X-E OS Revise History and Update Instructions.pdf
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #198 on: August 20, 2018, 12:57:32 pm »
New firmware for SVA1015X
V2.1.1.1.12a
https://www.siglentamerica.com/download/6912/
38.8 MB

Changelog
2018/8/8
1. Spectrum Analysis mode: Improved the stability of sweep and interface.
2. VNA mode: fasten the VNA sweep speed; expand the minimum span from 10M to 10 kHz.
3. Modulation Analysis mode: add trigger, optimize the modulation analysis algorithm.
4. Add user port number selection for web server.

Product_ID 11401 (that was ripped from original FW) confirmed!!  ;D
 

Offline radiolistener

  • Frequent Contributor
  • **
  • Posts: 830
  • Country: ua
Re: Siglent .ads firmware file format
« Reply #199 on: August 21, 2018, 01:54:37 am »
This may be common knowledge, but I was about to try fixing the root password for my SDS1102X running SDS1000X_V100R001B01D02P1510.ADS, and discovered that there is no telnet service running. Only Ports 111 and 9009.

So much for my idea of trying to upgrade the bandwidth - at least until there is enough progress here to decode and re-assemble the entire thing.

I investigated it here: https://www.eevblog.com/forum/testgear/siglent-sds1000x-how-to-make-direct-ethernet-connection/msg1650191/#msg1650191

The port 111 is getport, it is used to obtain VXI-11 protocol port and returns 9009 port.
The port 9009 is VXI-11 protocol port.

I implemented VXI-11 protocol in C#, so you can use it to send SCPI commands with no need to install NI VISA runtime.
The example in C# takes oscilloscope screenshot with SCPI command.
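
The port 111 lookup described above is an ONC RPC portmapper GETPORT call. The added example below (not radiolistener's C# code) builds that request for the VXI-11 core channel and decodes a reply offline; the reply bytes are constructed to carry the 9009 answer mentioned in the post, and TCP record marking is assumed.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
VXI11_CORE_PROG, VXI11_CORE_VERS = 0x0607AF, 1   # VXI-11 DEVICE_CORE
IPPROTO_TCP = 6
LAST_FRAGMENT = 0x80000000
ACCEPT_ERRORS = {1: "PROG_UNAVAIL", 2: "PROG_MISMATCH", 3: "PROC_UNAVAIL",
                 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}


def frame(payload):
    """Prefix an RPC message with the record mark used over TCP."""
    return struct.pack(">I", LAST_FRAGMENT | len(payload)) + payload


def unframe(data):
    """Strip the record mark; only single-fragment records are handled."""
    if len(data) < 4:
        raise ValueError("record mark missing")
    (mark,) = struct.unpack_from(">I", data)
    length = mark & 0x7FFFFFFF
    if not mark & LAST_FRAGMENT:
        raise ValueError("multi-fragment record not handled")
    if len(data) - 4 < length:
        raise ValueError("record is shorter than its mark says")
    return data[4:4 + length]


def build_getport_call(xid, prog=VXI11_CORE_PROG, vers=VXI11_CORE_VERS,
                       proto=IPPROTO_TCP):
    """GETPORT request asking where (prog, vers) listens on `proto`."""
    header = struct.pack(">6I", xid, 0, 2,        # xid, CALL, RPC version 2
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">4I", 0, 0, 0, 0)         # AUTH_NONE cred + verifier
    args = struct.pack(">4I", prog, vers, proto, 0)
    return frame(header + auth + args)


def parse_getport_reply(data, xid):
    """Return the port from a GETPORT reply, or None if not registered."""
    body = unframe(data)
    try:
        rxid, mtype, reply_stat = struct.unpack_from(">3I", body, 0)
        if rxid != xid:
            raise ValueError("xid mismatch: reply belongs to another call")
        if mtype != 1:
            raise ValueError("not an RPC reply")
        if reply_stat != 0:
            raise ValueError("call was denied by the portmapper")
        _flavor, verf_len = struct.unpack_from(">2I", body, 12)
        pos = 20 + ((verf_len + 3) & ~3)          # skip padded verifier body
        accept_stat, port = struct.unpack_from(">2I", body, pos)
    except struct.error:
        raise ValueError("reply is truncated") from None
    if accept_stat != 0:
        raise ValueError("call rejected: " +
                         ACCEPT_ERRORS.get(accept_stat, str(accept_stat)))
    return port or None                           # port 0 means unregistered


def sample_reply(xid, port):
    """Constructed reply: accepted, AUTH_NONE verifier, SUCCESS, port."""
    return frame(struct.pack(">7I", xid, 1, 0, 0, 0, 0, port))


if __name__ == "__main__":
    call = build_getport_call(0x1234)
    print("request:", call.hex())
    print("VXI-11 core port:", parse_getport_reply(sample_reply(0x1234, 9009),
                                                   0x1234))
```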
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #200 on: August 25, 2018, 09:25:34 pm »
Siglent licenses usually can be seen inside a memdump of the equipment. No news there.

How to get the memdump?
In the ARM machines (linux), a simple "cp /dev/mem" to USB, usually does the trick.
In the Blackfin machines, it's also possible but may require JTAG or a patched .ADS, AFAIK.

How to find the (possible) licenses?
You need to have a general knowledge of the license format. One of the 2-types possible:

16-char lowercase (including numbers) or
16-char uppercase (including numbers)

( the upper/lowercase is equipment-dependent )

At the request of several people, to ease the search for those type of strings, I release here a small C# code snippet that processes the memdump file:

Code:
        private static void search_licenses()
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");

            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
            for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                if (((buffer[i] < '2') || (buffer[i] > '9')) && ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) && buffer[i] != ('L' + l) && buffer[i] != ('O' + l))
                {
                    if (strSize == 16)
                        Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                    strSize = 0;
                    strStart = i + 1;
                }
                else strSize++;
        }

Of course, then you must use some common sense to filter/extract the ones that may seem valid.

If none of the strings works, bad luck (the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halves of 32-char size strings... ;) ). Remember this is not a bulletproof process!

How to insert the licenses?
Equipments have the Options license insert menu. So, that's easy.
Most of them usually don't have the BW license insert menu.

In that case, you can use the SCPI command "MCBD" (MACHINE_BAND). Ex:

MCBD N2T7PQ29BPZJ7WB5

BEWARE that you may insert a BW license that corresponds to a lower BW than you currently have. If you know your other "bigger" license, no problem. But, if not, it's not safe to try unlock higher BW if you are not already in the lowest possible.

In some equipments the BW license is the contents of the bandwidth.txt file so you can also read/write it there manually.
« Last Edit: September 01, 2018, 02:55:27 pm by tv84 »
 
The following users thanked this post: MWisBest, dymbo, vtwin@cox.net, vt100, nicolasg

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #201 on: September 17, 2018, 09:35:22 pm »
I can make the same trick here like when I was uploading LeCroy in to SDG1025
but who can try this and there may be the same check routine and instrument
will say "Not supported firmware, please reflash correct. Otherwise I will wait 15 min".
This is stupid, it will wait that time anyway before you can access flash menu...

So... do not be the first who is using this firmware file on SPD3303X-E
but this first hack may be needed to be tried out by someone.

SPD3303X-V100R001B01D02P03_with _E_header.zip
OK, I give this only individually after request. I can't test it.

A year ago nobody volunteered to confirm Janekivi's work so I resuscitated the challenge and was successful!   :popcorn:

Attached is the proof of a Siglent SPD3303X-E conversion to a SPD3303X model.

The method is simple:

1. Run the SCPI command in the X-E to enable the 1mV step:

FACTORY ON

2. Using EasyPower flash the required FW file from the attached ZIP. (ConvertFromX-E)

(3. If you want to rollback, flash the other file.)

The FWs are Siglent official versions with Prod_ID's swapped like janekivi suggested.

The HW version of the board where the test was done is 0.3.

ATTENTION: This may involve a certain risk so do it at your own responsibility!

Enjoy!
 
The following users thanked this post: JohnG, gnavigator1007, shiftdelete, BillB, salami738, kerouanton, n3mmr, citizenrich

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 3069
  • Country: fi
  • Starting with DLL21
Re: Siglent .ads firmware file format
« Reply #202 on: September 18, 2018, 07:27:54 am »
If practice and theory is not equal it tells that used application of theory  is wrong or the theory itself is wrong.
It is much easier to think an apple fall to the ground than to think that the earth and the apple will begin to move toward each other and collide.
 

Offline SaKhan

  • Contributor
  • Posts: 14
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #203 on: September 19, 2018, 04:18:28 pm »
I am curious whether the precision of a hacked SPD3303X-E is similar to SPD3303X.
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #204 on: September 19, 2018, 06:48:36 pm »
I am curious whether the precision of a hacked SPD3303X-E is similar to SPD3303X.

I think it is.  Even before the hack, my X-E would accept remote 1mA changes and show them through EasyPower.  It would also accept remote 1mV changes from EasyPower even though it would truncate the response.  However, the 1mA and 1mV changes were happening at the output terminals of the X-E even though the display was not being updated.  From what I could tell, the X-E is really an X minus the display digit.  So, if you were using the X-E purely through SCPI, you'd almost already have an X (except for the truncated mV command response)
 
The following users thanked this post: tautech, SaKhan

Offline SaKhan

  • Contributor
  • Posts: 14
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #205 on: September 19, 2018, 07:44:03 pm »
I am curious whether the precision of a hacked SPD3303X-E is similar to SPD3303X.

I think it is.  Even before the hack, my X-E would accept remote 1mA changes and show them through EasyPower.  It would also accept remote 1mV changes from EasyPower even though it would truncate the response.  However, the 1mA and 1mV changes were happening at the output terminals of the X-E even though the display was not being updated.  From what I could tell, the X-E is really an X minus the display digit.  So, if you were using the X-E purely through SCPI, you'd almost already have an X (except for the truncated mV command response)

Thanks for the info. I am planning to buy one and was trying to "justify" the price difference.
 

Offline kerouanton

  • Regular Contributor
  • *
  • Posts: 58
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #206 on: September 19, 2018, 08:50:37 pm »
The method is simple:

Confirmed working on mine. Thanks tv84, again!
« Last Edit: September 19, 2018, 08:54:53 pm by kerouanton »
 

Offline BillB

  • Supporter
  • ****
  • Posts: 554
  • Country: us
Re: Siglent .ads firmware file format
« Reply #207 on: September 19, 2018, 11:14:54 pm »
Here is a graph of the SPD3303X-E timer stepping through .100-.104mV in 1mV/5 second steps. 
 
The following users thanked this post: wolfy007

Offline vt100

  • Contributor
  • Posts: 15
  • Country: af
Re: Siglent .ads firmware file format
« Reply #208 on: October 04, 2018, 02:54:18 am »
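Code:
        // Requires: using System; using System.Text;
        // Scans memdump.bin for runs of exactly 16 accepted characters and prints each run with its offset.
        private static void search_licenses()
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");

            // Pass j = 0 tests upper-case letters; pass j = 1 adds 0x20 to test lower-case letters.
            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
            for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                // A byte ends the current run when it is neither a digit '2'-'9' nor a letter of this pass.
                // The 'L' and 'O' comparisons never change the result: both letters are already inside the A-Z range test.
                if (((buffer[i] < '2') || (buffer[i] > '9')) && ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) && buffer[i] != ('L' + l) && buffer[i] != ('O' + l))
                {
                    if (strSize == 16)
                        Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                    strSize = 0;
                    strStart = i + 1;
                }
                else strSize++;
        }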

A more comprehensive version of the key locator, based on tv84's code snippet above, has been posted to:

https://github.com/Siglent/FindKeys.git

This .NET Core 2.1 program will find keys when they span memory segment boundaries by extracting leftover segments of strings and concatenating them with other segments found elsewhere in the memory dump.

Based upon testing on 2 scopes, all 7 keys (50mhz, 70mhz, 100mhz, 200mhz, AWG, MSO and WIFI) were located 100% of the time in 1 pass.

Note this code only works for SDS1xxxX-E scopes currently, additional scopes will be added as they become available.

--
vt100
the world's best dumb terminal
 
The following users thanked this post: Taaning

Offline kerouanton

  • Regular Contributor
  • *
  • Posts: 58
  • Country: ch
Re: Siglent .ads firmware file format
« Reply #209 on: October 04, 2018, 08:27:08 am »
Nice. But I'm wondering how Siglent will react considering you created a "Siglent" account on Github to host this code!
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 859
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #210 on: October 04, 2018, 09:02:12 pm »
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.
« Last Edit: May 25, 2019, 07:55:06 am by tv84 »
 

Offline vt100

  • Contributor
  • Posts: 15
  • Country: af
Re: Siglent .ads firmware file format
« Reply #211 on: October 05, 2018, 02:03:50 am »
https://github.com/Siglent/TryKeys.git

TryKeys - a .NET Core 2.1 utility - Companion application to FindKeys

The purpose of this utility is to recover the valid keys you licensed with your scope but you lost the paperwork for and you do not remember the codes for.

First you generate a list of possible keys using the FindKeys utility. Edit the output of FindKeys to remove any keys which are not likely candidates (e.g. real life words). Then, execute this utility using that file as an input source.

Upon startup, the program reads the contents of "TryKeys.json" to configure various parameters needed for it to work. The options in this file and their purpose are as follows:

keyfile: The fully-qualified path to the list of keys you wish to try, e.g. "g:trykeys.txt"

scopeip: the IP address of the scope, needed for web and telnet access

port: the telnet port the program should connect to. Default '23'.

username: The telnet username. Default is "root".

password: The telnet password. Default is "eevblog"

bandwidth: Tells the program to not only attempt to find any missing option licenses, but also the maximum bandwidth license.

Theory of operation:

The program cycles through a list of keys contained in the key file. For option licenses, it issues the "license install" SCPI command through the web interface. It uses the telnet connection to determine if the option license file was created in /usr/bin/siglent/firmdata0 after issuing the command. If the file exists, then the key used for the license install command was the 'correct' one.

For bandwidth licenses, the program determines the current bandwidth license key from the firmdata0 directory, and what that key is good for, by using the PRBD SCPI command. Then, it cycles through the keys, issuing the MCBD with the test key, and then re-examines the output of PRBD to determine if the bandwidth has changed. If so, it determines if the bandwidth increased -- in which case, it will check to see if the maximum bandwidth has been reached with the key. If the bandwidth decreased, then it re-issues the MCBD command to 're-install' the 'current' bandwidth license key so scope bandwidth will not decrease.

A log is dumped to the console. Upon program completion, the scope will be restarted if the bandwidth was changed. This is necessary for the new bandwidth to take effect. Finally, a summary of license keys located will be printed.

To execute from the command line: dotnet TryKeys.dll

Sample log file:

Execution starts @ 10/4/2018 8:58 PM
Scope Option 'AWG' not licensed, will seek key
Scope Option 'MSO' not licensed, will seek key
Scope Option 'WIFI' not licensed, will seek key
Scope bandwidth license key: VVVVVVVVVVVVVVV
We have 584 keys to try for 4 options
Scope bandwidth currently licensed: 50M of 200M
100M Bandwidth license key found: 1111111111111111
Maximum bandwidth (200M) license key found: 2222222222222222
Scope Option 'AWG' license key found: AAAAAAAAAAAAAAAA
Scope Option 'MSO' license key found: MMMMMMMMMMMMMMMM
Scope Option 'WIFI' license key found: WWWWWWWWWWWWWWWW

Summary of License keys located:
200M bandwidth license key: 2222222222222222
AWG license key: AAAAAAAAAAAAAAAA
MSO license key: MMMMMMMMMMMMMMMM
WIFI license key: WWWWWWWWWWWWWWWW

Rebooting scope to activate higher bandwidth license.

Execution ends @ 10/4/2018 9:03 PM

You can verify the presence of your recovered license keys on the scope's 'options' screen. You should print a copy of your recovered license keys and keep them in a safe place for future reference.

To revert the scope back to the previous bandwidth license, and to remove the optional licenses, you execute the following script after logging in via a telnet session as root:

mount -o remount,rw /usr/bin/siglent/firmdata0
rm /usr/bin/siglent/firmdata0/options*
cat VVVVVVVVVVVVVVVV > /usr/bin/siglent/firmdata0/bandwidth.txt
(control-d)(control-d)
sync
reboot

This program has several dependencies you must install through the NuGet Package Manager. They are: Microsoft.Extensions.Configuration, Microsoft.Extensions.Configuration.Json, Newtonsoft.Json, and Telnet (from 9swampy).

Note: at the moment this utility only supports the SDS1###X-E series of scopes, however, additional functionality will be added as details become available.

Special thanks to eevblog user tv84 who gave me tons of assistance during the development of this utility.
« Last Edit: October 16, 2018, 12:09:49 pm by vt100 »
vt100
the world's best dumb terminal
 
The following users thanked this post: BillB, joeyjoejoe, Taaning

Offline vt100

  • Contributor
  • Posts: 15
  • Country: af
Re: Siglent .ads firmware file format
« Reply #212 on: October 08, 2018, 03:13:09 am »
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)

Skill level: Easy/Moderate

Risk: Slim to none.

Assumptions: You know the root password to your scope.

Steps:

1. download full armv7l version of busybox which has core dump enabled.
    see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l

2. put version on thumb disk

3. reboot scope to known state

4. telnet to scope and log in as root

5. insert usb stick

6. copy busybox binary from usb to /tmp:
    cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp

7. unmount and remove usb
    umount /usr/bin/siglent/usr/mass_storage/U-disk0   
    (and then remove usb stick)

8. identify and kill existing sds1000b.app
    ps -ef | grep sds | awk  '{printf "kill -9 %s\n", $1}' | ash

9. change to /tmp directory:
    cd /tmp

10. launch new busybox ash shell
    /tmp/busybox_armv7l ash
   (when you press enter it looks like nothing happens, but something does)

11.  re-launch scope app in new busybox environment in background
      /usr/bin/siglent/sds1000b.app &

12. increase core dump ulimit to unlimited:
      ulimit -c unlimited
you can verify new limit by typing
      ulimit -c
and you should get a response "unlimited"

12. kill scope app again, telling OS to create a core dump of the app:
      ps -ef | grep sds | awk  '{printf "kill -ABRT %s\n", $1}' | ash

13. wait a few seconds, and press enter once or twice. you should see:
[1]+  Aborted (core dumped)      /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3

14. verify core dump is in /tmp:
      ls /tmp/core*
you should see something like this:
-rw-------    1 root     root     377511936 Jan  1 00:14 /tmp/core
if not, you did something wrong, go to step #3

15. exit out of usb version of busybox shell
     exit
(it will look like nothing happens when you press enter, but, something does)

16. re-launch Siglent scope application. See Step #11

17. insert usb drive

18. copy core dump to thumb drive
     cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, it's a big file)

19. unmount usb stick and remove (see step #7)

20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.

21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.

22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings). These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.

23. You can license a different bandwidth by typing MCBD (license key)  at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.

24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. If you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.

25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.

26. After doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.

27. Write keys down in a safe place so you do not lose them again.
vt100
the world's best dumb terminal
 
The following users thanked this post: nicolad, cguareschi
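Replies #208 and #212 above both find the keys as plain 16-character strings in the scope application's memory. The sketch below is an added example (not code from this thread or from Siglent) of the defensive alternative: the device stores only a salted, device-bound PBKDF2 digest per option and allows a limited number of failed entries per boot. All names, the device ID and the keys are constructed, and it assumes keys are random 16-character strings.

```python
import hashlib
import hmac
import json
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: tuned to what the instrument's CPU can afford


def _digest(key: str, device_id: str, salt: bytes) -> bytes:
    # Mixing in the device ID binds a record to one unit, so a store copied
    # from another instrument never verifies.
    material = device_id.encode() + b"\x00" + key.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


def provision(option_keys: dict, device_id: str) -> dict:
    """Vendor side: convert plaintext option keys into verifier records."""
    store = {}
    for option, key in option_keys.items():
        salt = secrets.token_bytes(16)
        store[option] = {"salt": salt.hex(),
                         "digest": _digest(key, device_id, salt).hex()}
    return store


def leaks_plaintext(store: dict, option_keys: dict) -> bool:
    """True if any key is recoverable by a string search of the stored data."""
    blob = json.dumps(store)
    return any(key in blob for key in option_keys.values())


class LicenseChecker:
    """Device side: holds salts and digests only, plus a per-boot failure budget."""

    def __init__(self, store: dict, device_id: str, max_failures: int = 5):
        self.store = store
        self.device_id = device_id
        self.failures_left = max_failures

    def check(self, option: str, candidate: str) -> bool:
        if self.failures_left <= 0:
            raise PermissionError("license entry locked until next power cycle")
        record = self.store.get(option)
        ok = False
        if record is not None:
            expected = bytes.fromhex(record["digest"])
            actual = _digest(candidate, self.device_id, bytes.fromhex(record["salt"]))
            ok = hmac.compare_digest(expected, actual)  # constant-time compare
        if not ok:
            self.failures_left -= 1  # only failed entries consume the budget
        return ok


# Constructed sample data, not real keys or a real scope ID.
DEVICE_ID = "EXAMPLE-SCOPE-ID-0001"
KEYS = {"AWG": "K7QW2M9XR4TZ8BCD", "MSO": "P3HV6N8YJ5SG2WEA"}

if __name__ == "__main__":
    store = provision(KEYS, DEVICE_ID)
    checker = LicenseChecker(store, DEVICE_ID)
    print("plaintext in store:", leaks_plaintext(store, KEYS))
    print("correct key:", checker.check("AWG", KEYS["AWG"]))
    print("wrong key:", checker.check("AWG", "2222222222222222"))
```

Hashing removes the keys from the memory image; it does not stop someone with root from patching the check itself, which needs signed firmware and a locked-down shell.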

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 362
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #213 on: October 08, 2018, 04:01:00 pm »
Nice. But I'm wondering how Siglent will react considering you created a "Siglent" account on Github to host this code!

They always keep an eye on us but have nothing to say...
 

Offline joeyjoejoe

  • Regular Contributor
  • *
  • Posts: 141
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #214 on: October 09, 2018, 04:21:39 pm »
I think it's relatively smart.

I think the number of entities who would touch these unlocks (Rigol, Siglent, etc) are almost non-existent. Any university, lab, company or facility wouldn't go for the risks. Even outside of those requiring certifications.. I can't imagine the discussion.

Employee : "Hey boss, we need specs X on our scope...  we can save 300$ by buying the cheaper model, and then just unlocking those features to meet our needs... but it won't be supported and there's a small risk that I brick the device.. or we can't get future updates..."
Manager/Exec : "So if that happens, we now have a scope that's either literally useless (bricked) or doesn't meet our minimum specs? ... why are you still here."

Hobbyists will accept the risk since they can personally accept any risk they want. And generally speaking, I think the companies are aware of the reach of these unlocks. A hobbyist who buys a 50MHz scope that can unlock to 100MHz probably wouldn't buy the 100 if he couldn't, so the actual impact on revenue would be small. However, at the same time, they are probably making sure that a 50MHz scope can't be unlocked to a 500MHz scope (ignoring hardware) as then it starts stepping on the toes of a product line.
 

Offline nicolad

  • Newbie
  • Posts: 1
  • Country: it
Re: Siglent .ads firmware file format
« Reply #215 on: October 10, 2018, 09:30:05 pm »
How to open a telnet session in a Siglent when the root password is unknown?

Use the following scripts, according to each equipment.

They provide a root session via port 10101.

How do they work? Trying the one for SDG2000X but firmware update fails. Port 10101 is closed...
« Last Edit: October 10, 2018, 09:32:18 pm by nicolad »
 

Offline joeyjoejoe

  • Regular Contributor
  • *
  • Posts: 141
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #216 on: October 11, 2018, 12:38:56 am »
I can make the same trick here like when I was uploading LeCroy in to SDG1025
but who can try this and there may be the same check routine and instrument
will say "Not supported firmware, please reflash correct. Otherwise I will wait 15 min".
This is stupid, it will wait that time anyway before you can access flash menu...

So... do not be the first who is using this firmware file on SPD3303X-E
but this first hack may be needed to be tried out by someone.

SPD3303X-V100R001B01D02P03_with _E_header.zip
OK, I give this only individually after request. I can't test it.

A year ago nobody volunteered to confirm Janekivi's work so I resuscitated the challenge and was successful!   :popcorn:

Attached is the proof of a Siglent SPD3303X-E conversion to a SPD3303X model.

The method is simple:

1. Run the SCPI command in the X-E to enable the 1mV step:

FACTORY ON

2. Using EasyPower flash the required FW file from the attached ZIP. (ConvertFromX-E)

(3. If you want to rollback, flash the other file.)

The FWs are Siglent official versions with Prod_ID's swapped like janekivi suggested.

The HW version of the board where the test was done is 0.3.

ATTENTION: This may involve a certain risk so do it at your own responsibility!

Enjoy!

Does the FACTORY ON have any feedback? Or after hitting "Query" it's OK that nothing is output?
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #217 on: October 11, 2018, 12:48:47 am »
I can make the same trick here like when I was uploading LeCroy in to SDG1025
but who can try this and there may be the same check routine and instrument
will say "Not supported firmware, please reflash correct. Otherwise I will wait 15 min".
This is stupid, it will wait that time anyway before you can access flash menu...

So... do not be the first who is using this firmware file on SPD3303X-E
but this first hack may be needed to be tried out by someone.

SPD3303X-V100R001B01D02P03_with _E_header.zip
OK, I give this only individually after request. I can't test it.

A year ago nobody volunteered to confirm Janekivi's work so I resuscitated the challenge and was successful!   :popcorn:

Attached is the proof of a Siglent SPD3303X-E conversion to a SPD3303X model.

The method is simple:

1. Run the SCPI command in the X-E to enable the 1mV step:

FACTORY ON

2. Using EasyPower flash the required FW file from the attached ZIP. (ConvertFromX-E)

(3. If you want to rollback, flash the other file.)

The FWs are Siglent official versions with Prod_ID's swapped like janekivi suggested.

The HW version of the board where the test was done is 0.3.

ATTENTION: This may involve a certain risk so do it at your own responsibility!

Enjoy!

Does the FACTORY ON have any feedback?
Five not four digits on the PSU display.  ;)
Avid Rabid Hobbyist
 

Offline joeyjoejoe

  • Regular Contributor
  • *
  • Posts: 141
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #218 on: October 11, 2018, 12:51:39 am »
After FACTORY ON cmd is sent



PSU is no longer responsive via EasyPower - cannot do any sort of commands. Re-connecting to the device re-enables functionality.

Also, is this a "Normal Mode" FW update, or "Firmware mode"?
« Last Edit: October 11, 2018, 12:56:20 am by joeyjoejoe »
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #219 on: October 11, 2018, 01:24:54 am »
Reboot PSU.
Avid Rabid Hobbyist
 

Offline joeyjoejoe

  • Regular Contributor
  • *
  • Posts: 141
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #220 on: October 11, 2018, 01:28:09 am »
Oh, so FACTORY ON is just some sort of factory defaults? Then a reboot, and a normal firmware flash with these files?
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 15988
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #221 on: October 11, 2018, 01:38:07 am »
Oh, so FACTORY ON is just some sort of factory defaults? Then a reboot, and a normal firmware flash with these files?
My notes show something like that.  ;)
Avid Rabid Hobbyist
 

Offline joeyjoejoe

  • Regular Contributor
  • *
  • Posts: 141
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #222 on: October 11, 2018, 01:43:22 am »
Bingo! You have good notes ;)
 

Online DaJMasta

  • Super Contributor
  • ***
  • Posts: 1586
  • Country: us
    • medpants.com
Re: Siglent .ads firmware file format
« Reply #223 on: October 13, 2018, 05:13:48 am »
Got a similar readout running FACTORY ON, but it was actually on every command because I had reinstalled recently and didn't have the NI VISA drivers (and 18.0 works just as well as 5.4 as listed in the manual.....)

In any case, running factory on gave me no return information, but I flashed two hardware version 3.0 units, one with firmware that was so old it still had the screensaver, successfully to SPD3303X using the file and EasyPower.  Very easy to do, the hardest part was definitely installing the program and NI VISA drivers.
 

Offline firstcolle

  • Regular Contributor
  • *
  • Posts: 127
  • Country: it
Re: Siglent .ads firmware file format
« Reply #224 on: October 20, 2018, 11:27:19 am »
hi, I searched in the forum for a couple of hours but I didn't find anything.. where can I find a patched version of the latest firmware for a sds1104x-e with known telnet password?

thanks
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 3069
  • Country: fi
  • Starting with DLL21
Re: Siglent .ads firmware file format
« Reply #225 on: October 20, 2018, 12:48:52 pm »
hi, I searched in the forum for a couple of hours but I didn't find anything.. where can I find a patched version of the latest firmware for a sds1104x-e with known telnet password?

thanks

Read first all Instructions

Download links look broken. I do not understand at all why people use these total crap file sharing sites with tons of ads and popups etc. junk and very limited time.

better quality place for files:
Here SDS1004X-E_OSV1_EN_eevblog.zip


« Last Edit: October 20, 2018, 12:57:41 pm by rf-loop »
If practice and theory is not equal it tells that used application of theory  is wrong or the theory itself is wrong.
It is much easier to think an apple fall to the ground than to think that the earth and the apple will begin to move toward each other and collide.
 
The following users thanked this post: firstcolle

Offline cguareschi

  • Contributor
  • Posts: 12
  • Country: us
Re: Siglent .ads firmware file format
« Reply #226 on: October 21, 2018, 12:03:42 pm »
Very interesting thread and great work on decrypting ADS files. Read the entire thread several times and I would like to get my hands dirty with this as well.
I tried janekivi tools v 0.1.4 on SDS1004X_E_6.1.26 but it didn't work. It says:  This is not SDS firmware file. Do I need to reverse-xor the file before it can be parsed by janekivi tools?
It would be great to be able to find out where the model is stored (EEPROM?), then change it to the 1004X model then use regular upgrades.

Cheers