I have ordered an SDS 1204x-e, ...
As many here may be aware, this instrument has been recently reported to have security issues by online security forums.
As I said, I don't have my instrument yet, but...
Does the instrument not open a Telnet port? Does it not ask for a root password when attempting to log in via telnet? Is there not a hashed entry in /etc/passwd for which there is a password that is not well known? Does replacing that hash with that for a known password not permit one to log in using that well known password? If these are yes, this instrument is vulnerable.
Note that I am asking these questions as it is my intent to root this instrument; but I am trying to determine which tack I want to take. I might add that I choose to do this purely for intellectual curiosity. I do fully intend to buy appropriate licence keys when and if I choose to add options.
Two questions: First, I cannot find where you have conveyed what these scripts specifically do. Would you state what it is they do? Second: Have you automated the process of creating an ads file?
The normal telnet port 23 is open.
For access to the system you need to know the user and password.
You can try to brute-force these using the telnet connection and lose the rest of your limited lifetime or the scope's limited lifetime, whichever is reached first. But if you are lucky, of course, it may randomly open this can of worms tomorrow... who knows.
But there is another way... I recommend you now take some time to carefully read this forum and you will soon see how it all works (tip: first you need to change to another OSV in the scope (and after that "close the door" by changing the original genuine OSV with the unknown usr/pw back into the scope) = "RTFM" (which is scattered around inside the forum).
There are also other ports open for use with SCPI commands.
https://www.siglentamerica.com/application-note/verification-lan-connection-using-telnet/
I am not overly concerned about security for my instrument.
...
so I would have to trust you as to what they do.
You cannot change the pwd since the FS is RO. To change the pwd you need to patch the FS and flash it again. That's what janekivi usually creates for forum members.
Contradiction? You are not obliged to trust me. You must weigh the pros and cons of what the script allegedly allows you to do: open a transient port with root access, versus not being able to audit the script and continuing without access.
Of course, I'm not a TPM, so you decide who/what to trust.
If you don't feel comfortable, put it aside and move on.
Correct me if I am wrong, but these scripts instantiate a port at 10101 that stays open until the next restart, and that after restart, the instrument has stock firmware, unchanged by the script.
I could answer yes but, since I'm not a TPM, you would have to trust me... Do you?
Nothing personal, but not fully. But enough to try your scripts, especially if they make no permanent changes.
He's a huge international criminal wanted by the FBI and Interpol. Trust me, you're reading it here on the internet, so, it must be true, right?
Since you can always flash the original firmware back on your scope, what are you worried about?
Even if he was a notorious ransomware bitcoin criminal, what's the worst that happens? You flash your old firmware back on the box and you're none the worse for wear.
sheesh.
tv84 and Janekivi are literal wizards.
I'm just a physicist, but I trust them.
There is a little problem: we were hacking the Rigol 1054Z and Siglent gear with tv84,
and only he knows, and can trust me on, how little I know and can do.
Others here really think I can make a program which does something...
How to open a telnet session in a Siglent when the root password is unknown?
Use the following scripts, according to your equipment.
They provide a root session via port 10101.
I got curious and took a memory copy (cp /dev/mem) on my SDG6022X.
I got a 175-something MB file.
I can't seem to find strings that look like licenses (16 chars, all caps and numbers, no dashes).
There is a cluster of 128 bytes that looks like license material, but is lowercase+numbers.
There is no existing 200MHz valid lic in there.
Any more hints what to look for?
Thanks.
Should probably move these ancillary posts to a new thread, they've gotten off topic quite a bit, however, that said, a 175MB file sounds kind of odd in terms of memory size... although 176 is a multiple of 4 so I suppose it could be correct... but, that said, my SDG6000 bandwidth license and IQ Function license are both 16-character uppercase values. How did you obtain the memdump?