Author Topic: Unlocking Siglent SDS1104X-E, step by step  (Read 2573 times)


Offline tautech

  • Super Contributor
  • ***
  • Posts: 12790
  • Country: nz
  • NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #25 on: September 02, 2018, 07:28:13 am »
This is an unofficial guide on how to unlock 200MHz bandwidth on SDS1104X-E oscilloscopes, effectively turning them into SDS1204X-Es....................


Warning: The PP510 probes that are supplied with the SDS1104X-E are 100MHz probes. If you intend to make use of the 200MHz bandwidth then you need to spend an extra $100 and get a set of real 200MHz probes, e.g. the PP215 probes that are supplied with the SDS1204X-E.

If you don't do this then you won't have 200MHz bandwidth and you may get misleading readings on screen. You have been warned.
Scaremongering BS!  :bullshit:
Some people just don't/won't do their homework!  ::)
Or don't have a clue.  :-//

It is clearly seen that PP510 and PP215 probe performance combined with scope performance is well within system specification!



From this post:
http://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665
Avid Rabid Hobbyist
 
The following users thanked this post: MT, ian.ameline

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ee
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #26 on: September 02, 2018, 06:06:02 pm »
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)
Then this is not for those "everybody".

"If you don't know the password, you are not qualified to hack your equipment!"
Password is our signature and made for us only. We don't speak about it loud everywhere.
You must be one of us. If you are, you have been here and you know things. If not...
you are not qualified to hack your equipment.
And even if strangers outside can use them, they can't spread them without our mark.

If this is too much to ask and you just need all options and bandwidth, buy them!
 
The following users thanked this post: ian.ameline

Offline bsas

  • Contributor
  • Posts: 49
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #27 on: September 24, 2018, 10:33:54 am »
By the way, those "ZippyShare" links are not working at all for me (in my region). Don't know if I need a VPN for this or not. If someone can provide me the file, I can try to put it on another shared folder for people with my issue... Thanks!
 

Online vtwin@cox.net

  • Newbie
  • Posts: 4
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #28 on: September 27, 2018, 09:30:37 pm »
The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipment). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.

Okay, I'm attempting to follow this alternative path to unlock my brand new 1104X-E (delivered w/ 7.1.6.1.25R2) and I've encountered a problem/questions.

I loaded SS1004X-E_OSV1_EN_eevblog on a thumbdrive, and uploaded my scope.

I logged in via telnet, and executed the following:

cd /usr/bin/siglent/usr/mass_storage/U-disk0
cat /dev/mem > memdump.bin

this yields an error:

cat: read error: Bad address

the resulting file:

/usr/bin/siglent/usr/mass_storage/U-disk0 # ls -l memdump.bin
-rwxr-xr-x    1 root     root     251658240 Jan  1 00:22 memdump.bin

so I end up w/ a file 240MB in size (240*1024*1024)

yielding the question

(1) "is this expected?"  (e.g. both the error, and the resulting file size.)

If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and  b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So

(2) does anyone know what the license codes actually look like (e.g. should they be hexadecimal only? or can they include non-hex alphanumerics?)

(3) should I be attempting to enter the codes at this point, or should I be doing something else before I attempt it (e.g. perform a different update, etc.) and THEN try the codes?

Thanks,
Vin
 

Offline tv84

  • Regular Contributor
  • *
  • Posts: 241
  • Country: pt
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #29 on: September 28, 2018, 01:52:59 am »
1.  :-+

2. See my example.

3. Try codes.
 
The following users thanked this post: vtwin@cox.net

Online vtwin@cox.net

  • Newbie
  • Posts: 4
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #30 on: September 28, 2018, 03:48:49 am »
Of the 90+ sets of upper or lowercase characters/digits, only 6 appear to be random -- the remaining contain English words, which makes me believe they are part of the OS.

The remaining 6, I attempted to install through the scope's panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.

I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)
 

Offline Taaning

  • Newbie
  • Posts: 3
  • Country: dk
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #31 on: September 28, 2018, 04:27:11 am »


If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and  b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So



Any chance you could share how you run the memdump.bin in the C# script?

Thank you :-)
 

Offline tv84

  • Regular Contributor
  • *
  • Posts: 241
  • Country: pt
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #32 on: September 28, 2018, 06:09:02 am »
The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.

But they could be BW licenses... ;)

Quote
I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)

You're getting there! If you carefully RTFM it suggests:  "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halves of 32-char size strings..."
 

Offline tv84

  • Regular Contributor
  • *
  • Posts: 241
  • Country: pt
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #33 on: September 28, 2018, 06:13:05 am »
Any chance you could share how you run the memdump.bin in the C# script?

 :wtf:  Have you even looked at the script?

byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");
 

Offline Taaning

  • Newbie
  • Posts: 3
  • Country: dk
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #34 on: September 28, 2018, 06:20:33 am »
Any chance you could share how you run the memdump.bin in the C# script?

 :wtf:  Have you even looked at the script?

byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");

Of course I have looked at the script :-) I am not a programmer apart from some Arduino stuff. I am sorry.
 

Online vtwin@cox.net

  • Newbie
  • Posts: 4
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #35 on: September 28, 2018, 07:00:39 am »
Download/install Visual Studio Community Edition, and then cut/paste the code into a Win32 console application:

Code:
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace TestApp
{
    class Program
    {
        static void Main(string[] args)
        {
            // Load the whole memory dump into RAM.
            byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");

            // Two passes: l = 0 scans for upper-case runs, l = 0x20 for lower-case runs.
            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
                for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                    // A byte outside '2'..'9' and outside the current letter range ends the run.
                    if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
                         ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
                         buffer[i] != ('L' + l) &&
                         buffer[i] != ('O' + l))
                    {
                        // Print only runs of exactly 16 characters, with their offset in the dump.
                        if (strSize == 16)
                            Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                        strSize = 0;
                        strStart = i + 1;
                    }
                    else strSize++;
            // Keep the console window open until a key is pressed.
            Console.ReadKey();
        }
    }
}

Change the hard-coded filename if you like, or, perhaps, modify the code to use args[1], then compile and run.
 
The following users thanked this post: Taaning

Online vtwin@cox.net

  • Newbie
  • Posts: 4
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #36 on: September 28, 2018, 07:53:03 am »
If you carefully RTFM it suggests:  "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halves of 32-char size strings..."

I did see this, but I'm having a difficult time grokking exactly what you mean.

Assuming I have the following:

0819ABBB     8ki7-axhk-yilk-bdgy
0819ABDB     8ki7-axhk-yilk-bdgy
0819ABFB     8ki7-axhk-yilk-bdgy

I interpreted the clause as meaning I should try "yilk-bggy-8ki7-axkh" in addition (which didn't work).

I also tried "axhk-yilk-bdgy-8ki7" and "bdgy-8ki7-axhk-yilk" without success.

Or, should I be trying all combinations, e.g. ki7a-..., i7ax..., 7axh..., shifting each character at a time, like a rotate w/ carry?

Is there an easier way to try license codes, other than keying them in through the intensity/adjust/select dial (e.g. through the telnet interface)?
 
The following users thanked this post: vt100

Offline Taaning

  • Newbie
  • Posts: 3
  • Country: dk
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #37 on: September 29, 2018, 11:27:50 pm »
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:

Code:
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace TestApp
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");

            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
                for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                    if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
                         ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
                         buffer[i] != ('L' + l) &&
                         buffer[i] != ('O' + l))
                    {
                        if (strSize == 16)
                            Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                        strSize = 0;
                        strStart = i + 1;
                    }
                    else strSize++;
            Console.ReadKey();
        }
    }
}

Change the hard-coded filename if you like, or, perhaps, modify the code to use args[1], then compile and run.

Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help  8)
 

Offline vt100

  • Contributor
  • Posts: 5
  • Country: af
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #38 on: October 08, 2018, 12:41:12 pm »
Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help  8)

For some real fun, check out these GitHub repositories:

https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys


Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)
 
The following users thanked this post: vtwin@cox.net

Offline vt100

  • Contributor
  • Posts: 5
  • Country: af
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #39 on: October 08, 2018, 02:11:33 pm »
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)

Skill level: Easy/Moderate

Risk: Slim to none.

Assumptions: You know the root password to your scope.

Steps:

1. download full armv7l version of busybox which has core dump enabled.
    see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l

2. put version on thumb disk

3. reboot scope to known state

4. telnet to scope and log in as root

5. insert usb stick

6. copy busybox binary from usb to /tmp:
    cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp

7. unmount and remove usb
    umount /usr/bin/siglent/usr/mass_storage/U-disk0   
    (and then remove usb stick)

8. identify and kill existing sds1000b.app
    ps -ef | grep sds | awk  '{printf "kill -9 %s\n", $1}' | ash

9. change to /tmp directory:
    cd /tmp

10. launch new busybox ash shell
    /tmp/busybox_armv7l ash
   (when you press enter it looks like nothing happens, but something does)

11.  re-launch scope app in new busybox environment in background
      /usr/bin/siglent/sds1000b.app &

12. increase core dump ulimit to unlimited:
      ulimit -c unlimited
you can verify new limit by typing
      ulimit -c
and you should get a response "unlimited"

12. kill scope app again, telling OS to create a core dump of the app:
      ps -ef | grep sds | awk  '{printf "kill -ABRT %s\n", $1}' | ash

13. wait a few seconds, and press enter once or twice. you should see:
[1]+  Aborted (core dumped)      /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3

14. verify core dump is in /tmp:
      ls /tmp/core*
you should see something like this:
-rw-------    1 root     root     377511936 Jan  1 00:14 /tmp/core
if not, you did something wrong, go to step #3

15. exit out of usb version of busybox shell
     exit
(it will look like nothing happens when you press enter, but, something does)

16. re-launch Siglent scope application. See Step #11

17. insert usb drive

18. copy core dump to thumb drive
     cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, it's a big file)

19. unmount usb stick and remove (see step #7)

20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.

21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.

22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32-character string; split it in half so you have two 16-character strings). These are your 100, 200, 50 and 70 MHz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.

23. You can license a different bandwidth by typing MCBD (license key)  at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.

24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. If you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.

25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.

26. After doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.

27. Write keys down in a safe place so you do not lose them again.
 
The following users thanked this post: bitseeker, tubularnut, twinter145
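
Added example, not part of the thread and not Siglent code: the procedure above depends on the application being allowed to write a core file and on key strings staying resident in its memory, so this C sketch shows the usual process-level countermeasures on Linux. All function names are hypothetical, and a root user with /dev/mem or ptrace access (as earlier in this thread) can still read live memory, so this only closes the core-file path.

```c
/* Added example: hypothetical hardening for a licensed application.
   Not Siglent code; every name here is made up for illustration. */
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Refuse core dumps: zero the core size limit and clear the dumpable
   flag, so SIGABRT ends the process without writing a core file. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };              /* soft = hard = 0 bytes */
    if (setrlimit(RLIMIT_CORE, &none) != 0)
        return -1;
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0 ? -1 : 0;
}

/* 1 if a core file could still be written, 0 if not, -1 on error. */
int core_file_possible(void)
{
    struct rlimit rl;
    int dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (dumpable < 0 || getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (dumpable != 0 && rl.rlim_cur != 0) ? 1 : 0;
}

/* Zero a buffer through a volatile pointer so the stores are kept. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Compare without an early exit, then wipe the expected copy so it
   does not linger in memory. Returns 1 on match, 0 otherwise. */
int check_key_and_wipe(const char *entered, char *expected, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(entered[i] ^ expected[i]);
    secure_wipe(expected, len);
    return diff == 0;
}

int main(void)
{
    char expected[] = "AAAABBBBCCCCDDDD";       /* constructed sample key */
    if (disable_core_dumps() != 0)
        return 1;
    return check_key_and_wipe("AAAABBBBCCCCDDDD", expected, 16) ? 0 : 1;
}
```

Keeping a table of valid keys in memory at all is the underlying weakness; verifying an entered license against a vendor signature with an embedded public key avoids storing anything worth extracting.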

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 5903
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #40 on: October 08, 2018, 02:42:05 pm »
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course).

...

27. Write keys down in a safe place so you do not lose them again.

I promise I won't lose my keys again. ;D
You don't acquire TEA. It acquires you.
 

