Hack of Sigllent spectrum analyzer ssa3021X?

[Noob68]

Hi,

I see the same pike in the same conditions as seen in your screenshot.
But, only with VBW less or equal 300Hz (and RBW leass or equal 3Khz, not tested each case).
On any trace, go to trace menu, push View, then Clear write and the pike is there.
With 100Hz VWB, you can see a little pike before making the trace view/clear write operation.

[cesarpaz]

Hi, everybody.


Please, anyone who has hacked in 8.3 firmware can show me the exact contents of the finished file and working NSP_sn_bandwidth.xml ?

I have discrepancies between the content of the versions prior to now.

My attached results in images

<license> <_ 3032> TRUE </ _ 3032> <_ 3030> FALSE </ _ 3030> <

_3021> FALSE </ _ 3021> <_ tTG> TRUE </ _ tTG> <_ TEMI> TRUE </ _ TEMI> <_ tMeas> TRUE </ _ tMeas> <_ tCAT> TRUE < TRUE </ _ EMI> <_ Meas> TRUE </ _ Meas> <_ CAT> TRUE </ _ CAT> </ license> </ system_information>

Thanks so much.

[eduy2k]

Hello my name is Eduardo and I have a new arrival 3021 with firmware V-8.3, perform the steps of post 417 without doing the first backup and firmware update since my factory version is already V-8.3
The second backup step for 8.3 is done correctly but when I get to the steps to modify it does not find the files

root@am335x-evm: cd /usr/bin/siglent/usr/backup
root@am335x-evm:/usr/bin/siglent/usr/backup# mv X.xml X.xml.org
root@am335x-evm:/usr/bin/siglent/usr/backup# mv Y.xml Y.xml.org

In the backup folder I have

Calib folder
NSP_sn_bandwidth.xm
NSP_sn_bandwidthx.xml 
NSP_trends_config_infox.xml 
nsp_data_b
nsp_data_bx 

In the firmdata0 folder I have

Calib folder
Firmdata0 folder
NSP_sn_bandwidth.xml
NSP_sn_bandwidthx.xml 
NSP_trends_config_info.xml
NSP_trends_config_infox.xml 
nsp_data_b
nsp_data_bx 

I'm a little lost can help me

Thank you very much for the hard work to be able to carry out this post

Eduardo

Ready problem solved

[gonzo_the_great]

On a unit, brought last week, with rev 8.3 firmware, we used the following script:


plug in FAT32 formatted USB memory stick (to take a backup).
telnet to SSA30xxX
root/ding1234

cd /   
cp -R /usr/bin/siglent/usr/backup /usr/bin/siglent/usr/mass_storage/U-disk0/SA-backup 
cp -R /usr/bin/siglent/firmdata0 /usr/bin/siglent/usr/mass_storage/U-disk0/SA-firmdata0 
mount -o remount,rw /dev/ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0 
mv NSP_sn_bandwidth.xml NSP_sn_bandwidthx.xml 
mv NSP_trends_config_info.xml NSP_trends_config_infox.xml   
mv nsp_data_b nsp_data_bx   
cd /usr/bin/siglent/usr/backup   
mv NSP_sn_bandwidth.xml NSP_sn_bandwidthx.xml 
mv NSP_trends_config_info.xml NSP_trends_config_infox.xml 
mv nsp_data_b nsp_data_bx 
cd /
sync   
logout

reboot



Works fine. All options enabled, including bandwidth extension, permenant licences.
I'm happy!

[arturfra]

New firmware on the siglent site

[Bicurico]

Look here: https://www.eevblog.com/forum/testgear/siglent-ssa3000x-spectrum-analyzers/msg1300942/#msg1300942

Also, the firmware is safe to upgrade, at least telnet access is still there with the usual root password.

Note that the firmware release from yesterday has just been replaced with the correct file today!

Regards,
Vitor

[arturfra]

thanks

[analogRF]

Hi
I am finally ready to buy an SSA3021X.
Could someone confirm that the latest firmware is still possible to hack with same procedure?
thanks

[sdouble]

read 3 post up, and you'll know.

[tautech]

read 3 post up, and you'll know.

Yes. it's very very likely that sellers holding stock with have 8.3 FW installed as 8.5 was only released a few days ago.

[Joel_l]

Also note that there is a much shorter way to "hack" the scope that only requires renaming one file.

[analogRF]

read 3 post up, and you'll know.

I did but it only says: " ... at least telnet access is still there with the usual root password..."
doesn't mean Bicurico has actually implemented the hack

[Joel_l]

That was kind of incomplete. It has already been verified that the hack works on 8.5. and that message verified that you can still log in.

[tautech]

read 3 post up, and you'll know.

I did but it only says: " ... at least telnet access is still there with the usual root password..."
doesn't mean Bicurico has actually implemented the hack

Read what gonzo wrote.....root/ding1234 

[Joel_l]

Gonzo was on 8.3, the OP asked if anyone actually tried it on 8.5. The answers are fragmented, one says the telnet is still there but did not try the hack, another that 8.5 still works with the hack but unclear if it was already hacked previously and just stuck through the upgrade ( this was also my case and it worked fine ).

From the bits and pieces it seems that yes, you can take an unhacked unit on 8.5 and apply the hack.

I'm still curious why most are still doing the long hack and not just renaming the one pertinent file and being done with it.

[analogRF]

Gonzo was on 8.3, the OP asked if anyone actually tried it on 8.5. The answers are fragmented, one says the telnet is still there but did not try the hack, another that 8.5 still works with the hack but unclear if it was already hacked previously and just stuck through the upgrade ( this was also my case and it worked fine ).

From the bits and pieces it seems that yes, you can take an unhacked unit on 8.5 and apply the hack.

I'm still curious why most are still doing the long hack and not just renaming the one pertinent file and being done with it.

Thanks for confirmation.

Would you be kind enough to let me know how does "one file renaming" hack work? All I have found suggest renaming 3 files in "firmdata0" directory and their copies in "usr\backup" directory.

[analogRF]

I also have another question. Apparently the units that are being shipped now have their tracking generators enabled as a gift (promotional offer for limited time). Is that gonna affect the hack procedure? Can I still use the same method and get the same result?

[Joel_l]

For the short version, see post 363/364

[analogRF]

For the short version, see post 363/364

thanks, man. I don't know why I missed that one

[analogRF]

I also have another question. Apparently the units that are being shipped now have their tracking generators enabled as a gift (promotional offer for limited time). Is that gonna affect the hack procedure? Can I still use the same method and get the same result?

any thought on this?
mine is coming with TG enabled but I still need to do the mod for 3.2GHz and reflection meas.

[cpuerror]

My unit came with the TG enabled even though I didn't order it. I upgraded from unhacked 8.1 to 8.5a, then did the hack just by renaming the NSP_sp_bandwidth file. Hack still works fine as before.

[rf-loop]

My unit came with the TG enabled even though I didn't order it.

You did not know this:
http://siglentamerica.com/qyxwxx.aspx?id=6420&sid=216

TG is free! (limited time offer from Siglent)

[cpuerror]

Actually I bought mine ~6 months ago and it came with the TG

[analogRF]

My unit came with the TG enabled even though I didn't order it. I upgraded from unhacked 8.1 to 8.5a, then did the hack just by renaming the NSP_sp_bandwidth file. Hack still works fine as before.

excellent!
thanks!

[Kitsyboy]

Since some people have questions about the hack-ability of the analyzer when they have options installed, I will try to explain how
the whole option mechanism works:


The NSP_edsn_bandwidth.xml has the following structure (I have changed the real data in example data and added comments)
 

<?xml version="1.0" encoding="UTF-8"?>
<sn_bw_root>
  <serial_number>
    <chip>SSA_SERIALNUMBER</chip> (here is the serial number of the unit)
  </serial_number>
   <license>
      <_3021>
         <lic>aaaaaaaaaaaaaaaa</lic> (here is the general key to indicate that this is a 3021 model)
      </_3021>
      <_tTG>
         <lic>bbbbbbbbbbbbbbbb</lic> (here is the license key for the tracking generator option)
         <remain>2690</remain>       (here is the remaining demo time in minutes if you have a temporary key)
      </_tTG>
      <_tEMI>
         <lic>cccccccccccccccc</lic> (here is the license key for the EMI option)
         <remain>2690</remain>       (here is the remaining demo time in minutes if you have a temporary key)
      </_tEMI>
      <_tMeas>
         <lic>dddddddddddddddd</lic> (here is the license key for the Advanced Measuring AMK option)
         <remain>2690</remain>       (here is the remaining demo time in minutes if you have a temporary key)
      </_tMeas>
      <_tCAT>
         <lic>eeeeeeeeeeeeeeee</lic> (here is the license key for the Reflection option)
         <remain>2690</remain>       (here is the remaining demo time in minutes if you have a temporary key)
      </_tCAT>
   </license>
</sn_bw_root>



If the unit does not find the file NSP_edsn_bandwidth.xml or does not find a serial number in the <chip> node it will enter the
factory test mode with all options enabled and full bandwidth (This is our hacked mode)
however if the unit finds any serialnumber in the <chip> node it will calculate a check number for each of the license options

here is where the aaaaaaaaa,bbbbbbbb,ccccccccc etc come to play, these correspond to the licensenumbers you get when you legally buy the options.

If your unit is shipped with options already enabled then you will see a valid code for your unit on the corresponding location.

The <remain> nodes will 'remember' the remaining time for residual license options, this number will count down to zero but you can always set them back to 2880 which will restore the residual time to the 48 hours you got when your unit was brand new...