Siglent SDS3000(X) / LeCroy WS3000(Z) - Anyone has one?

[tv84]

FINALLY!!! After 3 years searching/waiting I was able to find this unicorn and look at some its innerworkings! 

I confirmed the suspicions that the LeCroy WS3000 FW packages are AES128-CBC encrypted and the licensing methods used are the same as all other old WinCE LeCroy stuff.  However it uses a different Blowfish key from the one that is public.

The analysis is ongoing as I want also to try and correctly parse the Siglent SDS3000 FW packages.   

As a useless teaser, here is the "usual" options config file taken from inside.

[tv84]

Siglent SDS3000 FW packages use a different AES128-CBC key but the options licenses' Blowfish key is the same as in LeCroy WS3000.

Here is a more complete parsing of the SDS3000X_8.7.0.6.fla FW package:

Code: [Select]

00000000 - Manufacturer: Shglent
00000010 - Name 2: RELSVR  (Release Version)
00000016 - FW Version: 8_7
00000020 - Encrypted Block [00000020-0B86089F]  Size: 0B860880
00000020 - Block Type: 00000101  -  nk.nb0
00000024 - Block Size: 0B860870  SIZE OK
0B8608A0 - Checksum: EAD7413C  CKSUM OK

0B8608A4 - Manufacturer: Shglent
0B8608B4 - Name 2: RELSVR  (Release Version)
0B8608BA - FW Version: 8_7
0B8608C4 - Encrypted Block [0B8608C4-0BA22913]  Size: 001C2050
0B8608C4 - Block Type: 00000104  -  LeCroyLG.bmp
0B8608C8 - Block Size: 001C2040  SIZE OK
0BA22914 - Checksum: 0047D675  CKSUM OK

0BA22918 - Manufacturer: Shglent
0BA22928 - Name 2: RELSVR  (Release Version)
0BA2292E - FW Version: 8_7
0BA22938 - Encrypted Block [0BA22938-0BB8CFC7]  Size: 0016A690
0BA22938 - Block Type: 00000105  -  LcdFpga.bin
0BA2293C - Block Size: 0016A680  SIZE OK
0BB8CFC8 - Checksum: 0166690E  CKSUM OK

0BB8CFCC - Manufacturer: Shglent
0BB8CFDC - Name 2: RELSVR  (Release Version)
0BB8CFE2 - FW Version: 8_7
0BB8CFEC - Encrypted Block [0BB8CFEC-0BBCCFFB]  Size: 00040010
0BB8CFEC - Block Type: 00000103  -  LeCroyEN.up
0BB8CFF0 - Block Size: 00040000  SIZE OK
0BBCCFFC - Checksum: 00AD74D7  CKSUM OK

0BBCD000 - Manufacturer: Shglent
0BBCD010 - Name 2: RELSVR  (Release Version)
0BBCD016 - FW Version: 8_7
0BBCD020 - Encrypted Block [0BBCD020-0BBD146F]  Size: 00004450
0BBCD020 - Block Type: 00000106  -  ???
0BBCD024 - Block Size: 00004440  SIZE OK
0BBD1470 - Checksum: 001A4498  CKSUM OK

0BBD1474 - Manufacturer: Shglent
0BBD1484 - Name 2: RELSVR  (Release Version)
0BBD148A - FW Version: 8_7
0BBD1494 - Encrypted Block [0BBD1494-0BCA47E3]  Size: 000D3350
0BBD1494 - Block Type: 00000107  -  Registry ??? (generated by RegSnifferCE)
0BBD1498 - Block Size: 000D3340  SIZE OK
0BCA47E4 - Checksum: 03D9A8E5  CKSUM OK

0BCA47E8 - Manufacturer: Shglent
0BCA47F8 - Name 2: RELSVR  (Release Version)
0BCA47FE - FW Version: 8_7
0BCA4808 - Encrypted Block [0BCA4808-0BCA4997]  Size: 00000190
0BCA4808 - Block Type: 00000108  -  Registry (XStream Version)
0BCA480C - Block Size: 00000180  SIZE OK
0BCA4998 - Checksum: 000076EE  CKSUM OK

0BCA499C - Manufacturer: Shglent
0BCA49AC - Name 2: RELSVR  (Release Version)
0BCA49B2 - FW Version: 8_7
0BCA49BC - Encrypted Block [0BCA49BC-0BCA6A2B]  Size: 00002070
0BCA49BC - Block Type: 00000109  -  Registry ???
0BCA49C0 - Block Size: 00002060  SIZE OK
0BCA6A2C - Checksum: 000985B9  CKSUM OK



[tv84]

Due to some family requests, here is the decrypted contents of X-Stream Options Low.cfg.

All configuration sections are visible.

[Azusa]

What's the blowfish key for this model is?