Author Topic: Siglent .ads firmware file format  (Read 173797 times)


Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #100 on: November 12, 2017, 07:29:56 pm »
The SDS1000 FW files sometimes come with a .CFG file which contains the scope logo image and ID strings of the model involved.

Attached is a ZIP with some of those .CFG taken from several SDS1000_Update files.

Their format is simple but I couldn't work out all the fields involved:

Code: [Select]
F:\zscan\original\Siglent\cfg\2000SIGLENT.cfg
Reversing 1st part of the file [00000000-0005E0E3]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0002F072 until 0x0005E0E3

00000000 - Main Checksum: FFD1EE25 [00000004-0005E0E3]  CKSM OK
00000004 - ***** Boot Logo image (800x480 8-bit w/ RGB32 palette) ***** [00000004-0005E003]
0005E004 - Vendor: SIGLENT                         
0005E024 - CFG Type: SDS2000             
0005E038 - Manufacturer: Siglent
0005E040 - Ref1 (?): 00000000
0005E044 - HW Version: 1
0005E048 - Image Size: 00119400 (384.000 pixels)
0005E04C - Magic Number (?): EE3AEE38EE39
0005E052 - Ref2 (?): F4EC
0005E054 - Product Family: SDS
0005E05C - Company: Siglent Technologies Co,. Ltd.                                 
0005E09C - Image flags (?): 01 01 01 01 00 01 01 00 00 00 00 00 00 00 00 00                                                 
0005E0E4 - Footer Checksum: FFFF8BB9 [0005E0E8-0005E184]  CKSM OK
0005E0EC - Product Type 0:               
0005E0FB - Product Type 1:               
0005E10A - Product Type 2:               
0005E119 - Product Type 3:               
0005E128 - Product Type 4:               
0005E137 - Product Type 5:               
0005E146 - Product Type 6:               
0005E155 - Product Type 7:               
0005E164 - Product Type 8:               
0005E173 - Product Type 9:               


F:\zscan\original\Siglent\cfg\LeCroy_CF.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FDF472FE [00000004-00036E55]  CKSM OK
00000004 - Vendor: LECROY                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: LeCroy 
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 70
00000048 - Image Size: 00036D7E (74.880 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): 05FF
00000054 - Product Family: WA 
00000058 - Company: LeCroy Corp                                                     
00000098 - Image flags (?): 00 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (320x234 RGB24) ***** [000000D8-00036E55]
00036E56 - Footer Checksum: FFFF8BB9 [00036E5A-00036EF6]  CKSM OK
00036E5E - Product Type 0:               
00036E6D - Product Type 1:               
00036E7C - Product Type 2:               
00036E8B - Product Type 3:               
00036E9A - Product Type 4:               
00036EA9 - Product Type 5:               
00036EB8 - Product Type 6:               
00036EC7 - Product Type 7:               
00036ED6 - Product Type 8:               
00036EE5 - Product Type 9:               


F:\zscan\original\Siglent\cfg\SDS2000.cfg
Reversing 1st part of the file [00000000-0005E0E3]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0002F072 until 0x0005E0E3

00000000 - Main Checksum: FFFC3864 [00000004-0005E0E3]  CKSM OK
00000004 - ***** Boot Logo image (800x480 8-bit w/ RGB32 palette) ***** [00000004-0005E003]
0005E004 - Vendor: SIGLENT                         
0005E024 - CFG Type: SDS2000             
0005E038 - Manufacturer: Siglent
0005E040 - Ref1 (?): 00000000
0005E044 - HW Version: 1
0005E048 - Image Size: 00119400 (384.000 pixels)
0005E04C - Magic Number (?): EE3AEE38EE39
0005E052 - Ref2 (?): F4EC
0005E054 - Product Family: SDS
0005E05C - Company: Siglent Technologies Co,. Ltd.                                 
0005E09C - Image flags (?): 01 01 01 01 00 01 01 00 00 00 00 18 0B 02 00 00                                                 
0005E0E4 - Footer Checksum: FFFF415D [0005E0E8-0005E21C]  CKSM OK
0005E0EC - Product Type 0:               
0005E0FB - Product Type 1:               
0005E10A - Product Type 2:               
0005E119 - Product Type 3: SDS2102       
0005E128 - Product Type 4: SDS2152       
0005E137 - Product Type 5: SDS2202       
0005E146 - Product Type 6:               
0005E155 - Product Type 7: SDS2302       
0005E164 - Product Type 8:               
0005E173 - Product Type 9: SDS2072       
0005E182 - Product Type 10:               
0005E191 - Product Type 11:               
0005E1A0 - Product Type 12:               
0005E1AF - Product Type 13: SDS2104       
0005E1BE - Product Type 14: SDS2154       
0005E1CD - Product Type 15: SDS2204       
0005E1DC - Product Type 16:               
0005E1EB - Product Type 17: SDS2304       
0005E1FA - Product Type 18:               
0005E209 - Product Type 19: SDS2074       


F:\zscan\original\Siglent\cfg\Siglent_CFL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3CD [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 71
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFFA17C [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1104CFL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1204CFL     
0005257A - Product Type 6:               
00052589 - Product Type 7: SDS1304CFL     
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1074CFL     


F:\zscan\original\Siglent\cfg\Siglent_CFL_2CH.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3CD [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 71
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 01 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFFA184 [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CFL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1202CFL     
0005257A - Product Type 6:               
00052589 - Product Type 7: SDS1302CFL     
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CFL     


F:\zscan\original\Siglent\cfg\Siglent_CML.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C5 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 01000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF9BF8 [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CML     
0005255C - Product Type 4: SDS1152CML     
0005256B - Product Type 5:               
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CML     


F:\zscan\original\Siglent\cfg\Siglent_CNL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C6 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF968D [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0:               
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102CNL     
0005255C - Product Type 4:               
0005256B - Product Type 5:               
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8:               
000525A7 - Product Type 9: SDS1072CNL     


F:\zscan\original\Siglent\cfg\Siglent_DL.cfg
Reversing 1st part of the file [00000000-000000D7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000006C until 0x000000D7

00000000 - Main Checksum: FC38E3C6 [00000004-00052517]  CKSM OK
00000004 - Vendor: SIGLENT                         
00000024 - CFG Type: SDS1204CF           
00000038 - Manufacturer: Siglent
00000040 - Ref1 (?): 00000000
00000044 - HW Version: 79
00000048 - Image Size: 00052440 (112.320 pixels)
0000004C - Magic Number (?): EE3AEE38EE39
00000052 - Ref2 (?): F4EC
00000054 - Product Family: SDS
00000058 - Company: Siglent Technologies Co,. Ltd.                                 
00000098 - Image flags (?): 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00                                                 
000000D8 - ***** Boot Logo image (480x234 RGB24) ***** [000000D8-00052517]
00052518 - Footer Checksum: FFFF9F6B [0005251C-000525B8]  CKSM OK
00052520 - Product Type 0: SDS1022DL     
0005252F - Product Type 1:               
0005253E - Product Type 2:               
0005254D - Product Type 3: SDS1102DL     
0005255C - Product Type 4:               
0005256B - Product Type 5: SDS1202DL     
0005257A - Product Type 6:               
00052589 - Product Type 7:               
00052598 - Product Type 8: SDS1052DL     
000525A7 - Product Type 9:               

The imageB was taken from those SDS1000 files (byte-XORed with 0xFF).

Edit1: The SDS2000 was taken from a SDS2000 CFG.

The Lecroy logo was taken from the CFG in waveace2x4_5_05_02_14.zip (Lecroy website).

For those guys who have wrongly flashed SDS1000 FWs:

320x234 image = 5.7" LCD (SDS1000 non-"L" version)
480x234 image = 7" LCD (SDS1000 "L" version)
« Last Edit: December 30, 2017, 02:36:46 pm by tv84 »
 
The following users thanked this post: croma641

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #101 on: November 16, 2017, 09:32:56 pm »
If we look inside Atten ADS1000CML_V100R003B01D01P31R16.ADS.LDR (Blackfin code extracted from the .ADS ZLIB block), the parsing is in the ZIP, one can extract the Atten boot logo starting in the block at offset 0x497A0.  (480 x 234 RGB24 inverted)
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #102 on: November 17, 2017, 10:52:38 pm »
Taken from the FWs referenced in the image names.

PS: Un-inverted the SDG images. The SPD3303X has an embedded image like the SDG5000 but in .JPG format.

SDG1000 - 3.5" LCD
SDG5000 - 4.3" LCD
« Last Edit: December 30, 2017, 12:57:44 pm by tv84 »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #103 on: December 02, 2017, 10:36:14 pm »
Looking at all the .ADS files available (Siglent and others), I noticed a field (I assumed a UInt32) in the header of the files that seems to represent the "Product_ID" for which the file is intended. In all the files I've looked at, I think that this is the only field that may have that purpose.

I updated my parsings log in previous Posts.

Attached is a table with a compilation of those models/products.

The FWs that possess a NSP_config_upgrade_info.xml, confirm that information.


Edit: updated Feb 12, 2018
Edit: updated Jun 15, 2018, added SDG6000X(-E)
Edit: updated Jul 24, 2018, added SVA1000X
Edit: updated Sep 9, 2018, corrected SDS1002X-E exclusivity
Edit: updated Sep 15, 2018, added all SPD models (based on the EasyPower.exe)
Edit: updated Nov 14, 2018, added SSG3000X
Edit: updated Mar 3, 2019, added SDS5000X
Edit: updated Mar 14, 2019, added SDS2000X-E
Edit: updated May 11, 2019, added SPD1305X
Edit: updated July 4, 2019, added SDL1000X-E
Edit: updated June 2, 2020, added SDS2000X+ and others
Edit: updated April 30, 2021, added SSG5000X and new SVA/SSA

« Last Edit: April 30, 2021, 11:58:55 am by tv84 »
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #104 on: February 07, 2018, 04:06:43 pm »
You can add new SDS1004X-E firmware to the table.
And SLA1016 too...
« Last Edit: February 08, 2018, 04:12:40 pm by janekivi »
 
The following users thanked this post: tv84

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #105 on: February 10, 2018, 10:26:11 am »
Cool. Another equipment!

Code: [Select]
F:\zscan\original\Siglent\SLA1016_7.8.1.8.ADS  /  CRC32: 492B6D07
File Header Size: 00000070
00000000 - File Checksum: D9EB15AD [00000004-004B4954] (with only the File Header decrypted)  CKSM OK
00000004 - File Size: 004B48E5 (without 0x70 bytes of the File Header)
0000000C - HW Version: 14501
00000026 - Vendor/Brand: SIGLENT
0000003A - USB Host Controller: ISP1763
****************************************************
Decrypting the 0x2800 and 0x1400 blocks...
Reversing file...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0025A473 until 0x004B48E4
****************************************************
00000000 --- Section Checksum: D8B146AD
00000004 --- Section Size: 004B48B1 [00000034-004B48E4]  CKSM OK
00000008 --- Section # 00000007
00000034 --- 004B48E4  ***** ZIP file *****
Offset    Ver  Flag  Comp  Size      Packed    Modified             CRC32                          Name         Extra Details
00000034  2.0  0000  0008  0000C483  00000F68  16-11-2017 18:03:02  A971148C  [00000065-00000FCC]  factory_setting.xml    000A
00000FCD  2.0  0000  0008  00C559D4  003D8B35  31-01-2018 13:43:29  5BC6F8E8  [00000FF7-003D9B2B]  sds1000b.app    000A
003D9B2C  2.0  0000  0008  003DBB68  000DA8BA  20-01-2018 10:50:22  18E4BC6E  [003D9B5F-004B4418]  top_sds1000b_fpga.bit    000A
004B4419  2.0  0000  0008  00000CD1  0000030A  08-11-2017 16:59:20  63FABAD6  [004B4440-004B4749]  update.sh    000A
Disk Entries: 4   Total Entries: 4   Directory Size: 389 bytes  [004B474A-004B48CE]
****************************************************

I'll add it in the next few days.
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 28303
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #106 on: February 10, 2018, 10:53:13 am »
> Cool. Another equipment!
SLA1016 is the LA hardware for the 4ch X-E models.
The SW licence that's needed to make it functional is SDS1000X-E-16LA
This LA ^ functionality has just been added to SDS1004X-E models in v7.6.1.20 firmware.

It's just one of 3 optional licence codes for these models. The other two of interest for some will be for WiFi and the AWG to get full functionality from the AWG USB module SAG1021.
SDS1000X-E-WIFI
SDS1000X-E-FG
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #107 on: February 12, 2018, 08:13:22 pm »
I updated my parsing log of Siglent FWs:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892

and the models table:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1364981/#msg1364981

To commemorate the SLA:

.APP

Code: [Select]
00000000                 Magic: 7F454C46    ELF File OK
00000004                Format: 32-bits
00000005                  Data: Little endian
00000006               Version: 1
00000007                OS/ABI: System V (often set to this)
00000008           ABI Version: 0
00000010           Object Type: Executable
00000012       Instruction Set: ARM
00000014               Version: 1
00000018           Entry Point: 0000FD90
0000001C  Program Header Table: 00000034
00000020  Section Header Table: 00C5554C
00000024                 Flags: 05000002
00000028           Header Size: 00000034
0000002A  Program Headers Size: 00000020
0000002C Numb. Program Headers: 9
0000002E  Section Headers Size: 00000028
00000032 SH String Table Index: 28
**********  PROGRAM HEADERS:
          SegmType  SegmOffs  VirtAddr  PhysAddr  FilSegSz  MemSegSz  Flags     Align
00000034  70000001  008901D4  008981D4  008981D4  0004CAC8  0004CAC8  00000004  00000004
00000054  PHDR      00000034  00008034  00008034  00000120  00000120  00000005  00000004
00000074  INTERP    00000154  00008154  00008154  00000013  00000013  00000004  00000001
  00000154  [Requesting program interpreter: /lib/ld-linux.so.3 ]
00000094  LOAD      00000000  00008000  00008000  008DCCA0  008DCCA0  00000005  00008000
000000B4  LOAD      008DD000  008ED000  008ED000  003783F4  01F19B04  00000006  00008000
000000D4  DYNAMIC   008DDFD8  008EDFD8  008EDFD8  00000140  00000140  00000006  00000004
000000F4  NOTE      00000168  00008168  00008168  00000020  00000020  00000004  00000004
  00000168  [Owner: GNU ] [OS: Linux 2.6.16]
00000114  00000007  008DD000  008ED000  008ED000  00000000  00000004  00000004  00000004
00000134  6474E551  00000000  00000000  00000000  00000000  00000000  00000006  00000004
**********  SECTION HEADERS:
         [Nr] Name                          Type       VirtAddr Offset  Size    ES Flg Lk Inf Al
00C5554C [ 0]                               NULL       00000000 0000000 0000000 00 000  0   0  0
00C55574 [ 1] .interp                       PROGBITS   00008154 0000154 0000013 00 002  0   0  1
00C5559C [ 2] .note.ABI-tag                 NOTE       00008168 0000168 0000020 00 002  0   0  4
00C555C4 [ 3] .hash                         HASH       00008188 0000188 0000BD4 04 002  4   0  4
00C555EC [ 4] .dynsym                       DYNSYM     00008D5C 0000D5C 0001EC0 10 002  5   1  4
00C55614 [ 5] .dynstr                       STRTAB     0000AC1C 0002C1C 000262B 00 002  0   0  1
00C5563C [ 6] .gnu.version                  0x6FFFFFFF 0000D248 0005248 00003D8 02 002  4   0  2
00C55664 [ 7] .gnu.version_r                0x6FFFFFFE 0000D620 0005620 0000180 00 002  5   8  4
00C5568C [ 8] .rel.dyn                      REL        0000D7A0 00057A0 00000B8 08 002  4   0  4
00C556B4 [ 9] .rel.plt                      REL        0000D858 0005858 0000E00 08 002  4  11  4
00C556DC [10] .init                         PROGBITS   0000E658 0006658 000000C 00 006  0   0  4
00C55704 [11] .plt                          PROGBITS   0000E664 0006664 0001514 04 006  0   0  4
00C5572C [12] .text                         PROGBITS   0000FB80 0007B80 076BFB4 00 006  0   0 16
00C55754 [13] .fini                         PROGBITS   0077BB34 0773B34 0000008 00 006  0   0  4
00C5577C [14] .rodata                       PROGBITS   0077BB40 0773B40 0089EE0 00 002  0   0  8
00C557A4 [15] .ARM.extab                    PROGBITS   00805A20 07FDA20 00927B4 00 002  0   0  4
00C557CC [16] .ARM.exidx                    0x70000001 008981D4 08901D4 004CAC8 00 082 12   0  4
00C557F4 [17] .eh_frame                     PROGBITS   008E4C9C 08DCC9C 0000004 00 002  0   0  4
00C5581C [18] .tbss                         NOBITS     008ED000 08DD000 0000004 00 403  0   0  4
00C55844 [19] .init_array                   INIT_ARRAY 008ED000 08DD000 0000FD0 00 003  0   0  4
00C5586C [20] .fini_array                   FINI_ARRAY 008EDFD0 08DDFD0 0000004 00 003  0   0  4
00C55894 [21] .jcr                          PROGBITS   008EDFD4 08DDFD4 0000004 00 003  0   0  4
00C558BC [22] .dynamic                      DYNAMIC    008EDFD8 08DDFD8 0000140 08 003  5   0  4
00C558E4 [23] .got                          PROGBITS   008EE118 08DE118 0000720 04 003  0   0  4
00C5590C [24] .data                         PROGBITS   008EE838 08DE838 0376BBC 00 003  0   0  8
00C55934 [25] .bss                          NOBITS     00C653F8 0C553F4 1BA170C 00 003  0   0  8
00C5595C [26] .comment                      PROGBITS   00000000 0C553F4 0000030 01 030  0   0  1
00C55984 [27] .ARM.attributes               0x70000003 00000000 0C55424 0000033 00 000  0   0  1
00C559AC [28] .shstrtab                     STRTAB     00000000 0C55457 00000F4 00 000  0   0  1

.BIT (it's a Xilinx XC7Z020 bitstream)

Code: [Select]
00000000 - 0009         (0x0009) File Header Length
00000002 - 0FF00FF0     (0x0FF00FF0) File Header Long 1
00000006 - 0FF00FF0     (0x0FF00FF0) File Header Long 2
0000000A - 00           (0x00) File Header Zero
0000000B - 0001         (0x0001) Key Length
0000000D - 61 002E      (key a) Design Name: top_mso_fpga;UserID=0XFFFFFFFF;Version=2014.4
0000003E - 62 000C      (key b) Part Name: 7z020clg484
0000004D - 63 000B      (key c) Generation Date: 2018/01/20
0000005B - 64 0009      (key d) Generation Time: 10:50:44
00000067 - 65 003DBAFC  (key e) Bitstream Length: 003DBAFC  [0000006C-003DBB67]
--------------  BITSTREAM  ------------------------
0000006C - FFFFFFFF             Padding
00000070 - FFFFFFFF             Padding
00000074 - FFFFFFFF             Padding
00000078 - FFFFFFFF             Padding
0000007C - FFFFFFFF             Padding
00000080 - FFFFFFFF             Padding
00000084 - FFFFFFFF             Padding
00000088 - FFFFFFFF             Padding
0000008C - 000000BB             Bus width auto detect, word 1
00000090 - 11220044             Bus width auto detect, word 2
00000094 - FFFFFFFF             Padding
00000098 - FFFFFFFF             Padding
0000009C - AA995566             Sync Word (BPI/SPI Mode)
000000A0 - 20000000             T1 - 00000000  NOP      (1x)
000000A4 - 30022001 00000000    T1 W 00000001  TIMER
000000AC - 30020001 00000000    T1 W 00000001  WBSTAR
000000B4 - 30008001 00000000    T1 W 00000001  CMD      NULL - No Operation
000000BC - 20000000             T1 - 00000000  NOP      (1x)
000000C0 - 30008001 00000007    T1 W 00000001  CMD      RCRC - Reset CRC
000000C8 - 20000000             T1 - 00000000  NOP      (2x)
000000D0 - 30026001 00000000    T1 W 00000001  FALL_EDGE
000000D8 - 30012001 02003FE5    T1 W 00000001  COR0
000000E0 - 3001C001 00000000    T1 W 00000001  COR1
000000E8 - 30018001 03727093    T1 W 00000001  IDCODE
000000F0 - 30008001 00000009    T1 W 00000001  CMD      SWITCH - Switch CCLK Frequency
000000F8 - 20000000             T1 - 00000000  NOP      (1x)
000000FC - 3000C001 00000401    T1 W 00000001  MASK
00000104 - 3000A001 00000501    T1 W 00000001  CTL0
0000010C - 3000C001 00000000    T1 W 00000001  MASK
00000114 - 30030001 00000000    T1 W 00000001  CTL1
0000011C - 20000000             T1 - 00000000  NOP      (8x)
0000013C - 30002001 00000000    T1 W 00000001  FAR
00000144 - 30008001 00000001    T1 W 00000001  CMD      WCFG - Write Config Data
0000014C - 20000000             T1 - 00000000  NOP      (1x)
00000150 - 30004000             T1 W 00000000  FDRI
00000154 - 500F6C78             T2 W 000F6C78
003DB340 - 20000000             T1 - 00000000  NOP      (2x)
003DB348 - 30008001 0000000A    T1 W 00000001  CMD      GRESTORE - Pulse GRESTORE Signal
003DB350 - 20000000             T1 - 00000000  NOP      (1x)
003DB354 - 30008001 00000003    T1 W 00000001  CMD      DGHIGH/LFRM - Last Frame Write
003DB35C - 20000000             T1 - 00000000  NOP      (100x)
003DB4EC - 30008001 00000005    T1 W 00000001  CMD      START - Begin Startup Sequence
003DB4F4 - 20000000             T1 - 00000000  NOP      (1x)
003DB4F8 - 30002001 03BE0000    T1 W 00000001  FAR
003DB500 - 3000C001 00000501    T1 W 00000001  MASK
003DB508 - 3000A001 00000501    T1 W 00000001  CTL0
003DB510 - 30000001 E3AD7EA5    T1 W 00000001  CRC
003DB518 - 20000000             T1 - 00000000  NOP      (2x)
003DB520 - 30008001 0000000D    T1 W 00000001  CMD      DESYNC - Reset DALIGN Signal
003DB528 - 20000000             T1 - 00000000  NOP      (400x)

Didn't include them in the ZIP because they are too big.
« Last Edit: February 12, 2018, 08:40:38 pm by tv84 »
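
The .BIT header layout in the listing above (length-prefixed preamble, then keyed fields a to e, all big-endian) can be walked with a short parser. This is an added example, not code from the thread or from tv84's tool; the sample file is constructed from the strings in the listing with a shortened stand-in bitstream, and the function names are hypothetical.

```python
import struct

SYNC_WORD = bytes.fromhex("AA995566")
IDCODE_WRITE = bytes.fromhex("30018001")      # type-1 write of one word to IDCODE, as in the listing
PREAMBLE = bytes.fromhex("0FF00FF00FF00FF000")
KEYS = {b"a": "design", b"b": "part", b"c": "date", b"d": "time"}


class BitHeaderError(ValueError):
    pass


def parse_bit_header(data: bytes) -> dict:
    """Parse the keyed header of a .bit file and bounds-check the declared length."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise BitHeaderError(f"truncated at 0x{pos:X}")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    if struct.unpack(">H", take(2))[0] != 9 or take(9) != PREAMBLE:
        raise BitHeaderError("unexpected preamble")
    if struct.unpack(">H", take(2))[0] != 1:
        raise BitHeaderError("unexpected key length")
    info = {}
    while True:
        key = take(1)
        if key == b"e":                       # key e carries a 4-byte length, no string
            (length,) = struct.unpack(">I", take(4))
            break
        if key not in KEYS:
            raise BitHeaderError(f"unknown key {key!r} at 0x{pos - 1:X}")
        (n,) = struct.unpack(">H", take(2))
        info[KEYS[key]] = take(n).rstrip(b"\x00").decode("ascii", "replace")
    if pos + length > len(data):
        raise BitHeaderError("declared bitstream length runs past end of file")
    info["bitstream_offset"] = pos
    info["bitstream_length"] = length
    return info


def find_idcode(data: bytes, info: dict):
    """Return the value written to IDCODE after the sync word, or None."""
    start = info["bitstream_offset"]
    body = data[start:start + info["bitstream_length"]]
    sync = body.find(SYNC_WORD)
    if sync < 0:
        return None
    for pos in range(sync + 4, len(body) - 7, 4):
        if body[pos:pos + 4] == IDCODE_WRITE:
            return struct.unpack(">I", body[pos + 4:pos + 8])[0]
    return None


def build_sample() -> bytes:
    """Constructed sample: header strings from the listing, 9-word stand-in bitstream."""
    def field(key, text):
        raw = text.encode("ascii") + b"\x00"
        return key + struct.pack(">H", len(raw)) + raw

    body = bytes.fromhex(
        "FFFFFFFF" "FFFFFFFF" "000000BB" "11220044" "FFFFFFFF"
        "AA995566" "20000000" "30018001" "03727093"
    )
    return (
        struct.pack(">H", 9) + PREAMBLE + struct.pack(">H", 1)
        + field(b"a", "top_mso_fpga;UserID=0XFFFFFFFF;Version=2014.4")
        + field(b"b", "7z020clg484")
        + field(b"c", "2018/01/20")
        + field(b"d", "10:50:44")
        + b"e" + struct.pack(">I", len(body)) + body
    )


if __name__ == "__main__":
    sample = build_sample()
    header = parse_bit_header(sample)
    print(header)
    print("IDCODE: %08X" % find_idcode(sample, header))
```
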
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4084
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Siglent .ads firmware file format
« Reply #108 on: March 07, 2018, 10:00:40 am »
Fun that SDS1004X-E  FW update file (.ADS) is in reverse order.
Who could write the secret door key words of telnet song....
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #109 on: June 10, 2018, 10:55:57 am »
Shadow file is something like this
Code: [Select]
root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::
siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::

Algorithm: SHA-512 / crypt(3) / $6$

https://samsclass.info/123/proj10/p12-hashcat.htm
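
For auditing an extracted firmware root filesystem, entries in this layout can be checked for credentials that ship inside the image. This is an added example, not part of the original post; the sample entries are constructed (placeholder salts and hashes, with the last-change day counts taken from the two entries above), and the function names are hypothetical.

```python
from datetime import date, timedelta

# crypt(3) scheme identifiers and the algorithm each selects
SCHEMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}

# Constructed sample: placeholder salts and hashes, not values from any firmware.
SAMPLE_SHADOW = (
    "root:$6$EXAMPLE1$" + "A" * 86 + ":17177:0:99999:7:::\n"
    "siglent:$6$EXAMPLE2$" + "B" * 86 + ":17029:0:99999:7:::\n"
    "daemon:*:17029:0:99999:7:::\n"
    "nobody::17029:0:99999:7:::\n"
)


def parse_entry(line: str) -> dict:
    """Split one shadow(5) line into the fields relevant to an audit."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    user, pw, lastchg, _min_age, max_age = fields[:5]
    entry = {"user": user, "state": "set", "scheme": None, "salt": None, "rounds": None}
    if pw == "":
        entry["state"] = "empty"              # login without a password
    elif pw[0] in "!*":
        entry["state"] = "locked"             # no password login possible
    elif pw.startswith("$"):
        parts = pw.split("$")                 # ['', id, [rounds=N,] salt, hash]
        entry["scheme"] = SCHEMES.get(parts[1], "unknown id " + parts[1])
        rest = parts[2:]
        if rest and rest[0].startswith("rounds="):
            entry["rounds"] = int(rest[0][len("rounds="):])
            rest = rest[1:]
        entry["salt"] = rest[0] if len(rest) > 1 else None
    else:
        entry["scheme"] = "DES (traditional)"
    # Field 3 counts days since 1970-01-01.
    entry["last_changed"] = (date(1970, 1, 1) + timedelta(days=int(lastchg))
                             if lastchg else None)
    entry["never_expires"] = max_age in ("", "99999")
    return entry


def audit(shadow_text: str):
    """Return (entries, findings) for every non-blank line of a shadow file."""
    entries = [parse_entry(l) for l in shadow_text.splitlines() if l.strip()]
    findings = []
    for e in entries:
        if e["state"] == "set":
            findings.append(
                f"{e['user']}: {e['scheme']} hash ships in the image "
                f"(last changed {e['last_changed']}); every unit flashed "
                f"from this image shares the credential")
        elif e["state"] == "empty":
            findings.append(f"{e['user']}: empty password field")
    return entries, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW)[1]:
        print(finding)
```
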
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #110 on: June 11, 2018, 09:59:00 am »
> Shadow file is something like this
> Code: [Select]
> root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::
> siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::
>
> Algorithm: SHA-512 / crypt(3) / $6$
>
> https://samsclass.info/123/proj10/p12-hashcat.htm

Which .ADS ? Have you released it with a known shadow?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #111 on: June 11, 2018, 03:53:08 pm »
This is in latest update files. They are the original passwords.
I don't have any hardware to do any replacing or hacking tests...
 

Offline ian.ameline

  • Regular Contributor
  • *
  • Posts: 73
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #112 on: June 12, 2018, 01:29:30 pm »
> This is in latest update files. They are the original passwords.
> I don't have any hardware to do any replacing ... tests...

I can volunteer to try an image with a substituted password (similar to that for the SDG2000 series.)



 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #113 on: June 12, 2018, 01:39:23 pm »
> I can volunteer to try an image with a substituted password (similar to that for the SDG2000 series.)

janekivi, now you have your first customer! :)
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #114 on: June 12, 2018, 03:47:48 pm »
OK, but this time it may be a bit tricky.
In normal update like SDS1004X-E_6.1.25R2 you don't see any passwords or anything else.
But they have released Operating System -V1 (Only For 4-Channel) update and there is
all the root file system for example. So looking into rootfs.cramfs in \etc\ is shadow. Now we
need to repack it after change and do the Operating System update again.
Maybe it is possible...
Otherwise my Radeon R9-390 decodes only 80000 passwords in sec - that may take years.
 

Offline ian.ameline

  • Regular Contributor
  • *
  • Posts: 73
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #115 on: June 12, 2018, 04:07:13 pm »
> OK, but this time it may be a bit tricky.
> In normal update like SDS1004X-E_6.1.25R2 you don't see any passwords or anything else.
> But they have released Operating System -V1 (Only For 4-Channel) update and there is
> all the root file system for example. So looking into rootfs.cramfs in \etc\ is shadow. Now we
> need to repack it after change and do the Operating System update again.
> Maybe it is possible...
> Otherwise my Radeon R9-390 decodes only 80000 passwords in sec - that may take years.

Yes -- I was assuming it would be the OS update that is modified to substitute a known password for the root account. (as was done for the SDG)
I'm fairly technically experienced -- many years of compiler development on unix platforms.
Cracking the password itself in less than years is not a good bet assuming they didn't choose a word in a dictionary.




 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #116 on: June 12, 2018, 04:33:51 pm »
I see the cramfs can be made with mkfs.cramfs. You unpack all files and then generate new cramfs
from new files. There are many options and we need to know what format it needs to be exactly.
http://manpages.ubuntu.com/manpages/bionic/man8/mkfs.cramfs.8.html
Update is done during the startup so maybe the wrong file doesn't kill it much and during next
startup we can try other file and so on...
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #117 on: June 12, 2018, 05:19:30 pm »
This way I don't need to do anything.
You can take the update
https://www.siglentamerica.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series
Unpack rootfs.cramfs file (with 7zip for example).
Generate new password for root (and siglent)
https://quickhash.com/crypt3-sha512-online
Replace shadow file, then pack new rootfs.cramfs together with mkfs.cramfs your_filesdir rootfs.cramfs
Then put all files to USB and follow the PDF guide
 

Offline ian.ameline

  • Regular Contributor
  • *
  • Posts: 73
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #118 on: June 12, 2018, 06:35:58 pm »
I'll give that a shot later this week when I get some spare time.

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #119 on: June 12, 2018, 07:53:02 pm »
I can't get it to use "best compression" but new file is only 25Kb bigger.
I don't know what you can do with it...

SDS1004X-E_OSV1_EN_eevblog.zip
« Last Edit: June 13, 2018, 03:06:06 pm by janekivi »
 

Offline ian.ameline

  • Regular Contributor
  • *
  • Posts: 73
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #120 on: June 12, 2018, 08:15:32 pm »
Thanks -- I'll give it a try...
 

Offline ian.ameline

  • Regular Contributor
  • *
  • Posts: 73
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #121 on: June 12, 2018, 08:25:20 pm »
It appeared to copy the new OS over, but the machine freezes on boot -- all the panel leds are lit, the siglent logo is displayed on the lcd, but no activity -- even after 2 minutes.

Fortunately putting the old OS on the key and restarting loads the old OS back on and it works as expected -- no brick.

 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #122 on: June 13, 2018, 03:15:00 pm »
So there is needed some tinkering with packing this rootfs.cramfs back together to get the needed output.
I did it with all default settings in Ubuntu. mkfs.cramfs my_filesdir rootfs.cramfs
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #123 on: June 13, 2018, 03:49:33 pm »
In the extreme maybe we can patch only the shadow without extracting the whole cramfs...  ::)
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #124 on: June 13, 2018, 04:44:08 pm »
But is there some crc or other critical attribute?
There may be something Siglent special.
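
On the generic cramfs side of that question: the standard cramfs superblock stores a CRC-32 of the whole image, computed with the CRC field itself zeroed and valid when the FSID_VERSION_2 flag is set. The check below is an added example, not part of the thread; the sample image is a constructed stand-in (superblock plus dummy payload, not a real filesystem), the function names are hypothetical, and whether the Siglent updater verifies this field or adds a check of its own is not established on this page.

```python
import struct
import zlib

CRAMFS_MAGIC = 0x28CD3D45
SIGNATURE = b"Compressed ROMFS"
FLAG_FSID_VERSION_2 = 0x00000001      # fsid (crc, edition, blocks, files) is valid
CRC_OFFSET = 32
# magic, size, flags, future, signature, crc, edition, blocks, files, name
HEADER = "4I16s4I16s"
HEADER_SIZE = struct.calcsize("<" + HEADER)   # 64; the 12-byte root inode follows


def check_cramfs(image: bytes) -> dict:
    """Validate the superblock at offset 0 and recompute the image CRC."""
    if len(image) < HEADER_SIZE:
        raise ValueError("too short for a cramfs superblock")
    for endian in ("<", ">"):                 # images are written in host byte order
        fields = struct.unpack_from(endian + HEADER, image, 0)
        if fields[0] == CRAMFS_MAGIC:
            break
    else:
        raise ValueError("no cramfs magic at offset 0")
    _magic, size, flags, _future, sig, crc, edition, blocks, files, name = fields
    report = {
        "endian": "little" if endian == "<" else "big",
        "size": size,
        "signature_ok": sig == SIGNATURE,
        "size_ok": HEADER_SIZE <= size <= len(image),
        "files": files,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "stored_crc": crc,
        "computed_crc": None,
        "crc_ok": None,                       # stays None if the CRC is not usable
    }
    if report["size_ok"] and flags & FLAG_FSID_VERSION_2:
        buf = bytearray(image[:size])
        buf[CRC_OFFSET:CRC_OFFSET + 4] = bytes(4)   # CRC is taken with the field zeroed
        report["computed_crc"] = zlib.crc32(buf) & 0xFFFFFFFF
        report["crc_ok"] = report["computed_crc"] == crc
    return report


def build_sample_image() -> bytes:
    """Constructed stand-in: valid superblock, zeroed root inode, dummy payload."""
    body = bytes(12) + b"constructed payload, not a real filesystem"
    head = struct.pack("<" + HEADER, CRAMFS_MAGIC, HEADER_SIZE + len(body),
                       FLAG_FSID_VERSION_2, 0, SIGNATURE, 0, 0, 1, 1, b"sample")
    image = bytearray(head + body)
    struct.pack_into("<I", image, CRC_OFFSET, zlib.crc32(image) & 0xFFFFFFFF)
    return bytes(image)


if __name__ == "__main__":
    good = build_sample_image()
    print(check_cramfs(good))
    changed = bytearray(good)
    changed[-1] ^= 0x01                       # one flipped bit in the payload
    print(check_cramfs(bytes(changed))["crc_ok"])
```

A CRC-32 detects accidental corruption only; it is not a signature and gives no assurance about who produced an image.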
 

