Let's take a look in SDG1000-V100R001B01D01P31.ADS for example:
Like most of the firmwares, they are turned around. So first step is turn the file around (or look it backwards)
Next step is XOR FF it with pattern bytes 0, 1, 3, 6, A, F and so on - space increasing by 1. But this isn't all,
next XOR FF it from center -> file have 72 byte header (now at the end) -> (file length - 72)/2
For now we can investigate something but this isn't all. There is 2 crypted parts. 5120 bytes and 10239 (27FF)
bytes at the end + there is 72 bytes something... File is turned over before crypt so they are calculated actually
from the file beginning (I believe ...) So the second crypt is from 2E777 after header.
Let's forget this part at this time.
File is (now) beginning with:
E8 E6 01 FF 94 32 05 00 01 00 00 00 19 EE 01 FF ---- 05 32 94 is promising and next 05 32 7C too
7C 32 05 00 66 70 67 61 20 64 61 74 61 00 12 00 ---- ____FPGA DATA___
8F 04 D4 77 FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF AA 99 55 66 30 A1 00 07 20 00 31 A1
Turns out the 05 32 94 is data from first file header beginning to second file header beginning and
05 32 7C is from end of Fpga data file header and this is file length. So the first file header is beginning
with 19 EE 01 FF... and file data start with FF FF FF...
First file is ending:
30 A1 00 0D 20 00 20 00 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 <---- here is the end of first file
E1 ED 9E FA C6 FA 0A 00 02 00 00 00 40 00 00 00 ---- from E1 ED... is starting second file header
80 00 FF 00 04 00 00 00 00 00 00 00 12 00 00 00
There is 0A FA C6... this is promising. This is second file data length. So data is beginning with
40 00 00 00 80 00 FF 00... then it ends in right place and rest is 72 bytes.
But, now, the two regions in second file are crypted.
They have same crypt and key and patterns in other firmware files too and if you show me
this crypt procedure I can show you more... With the same procedure I opening all other
firmware files here, with notepad or this file viewer-compare and calculator. Actually I use hexedit too.