Author Topic: Hack of Sigllent spectrum analyzer ssa3021X?  (Read 467693 times)


Offline nowlan

  • Frequent Contributor
  • **
  • Posts: 649
  • Country: au
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #25 on: June 25, 2016, 02:34:07 pm »
does it need a salt?
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 370
  • Country: ee
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #26 on: June 25, 2016, 02:49:34 pm »
I think it is DES / crypt(3) and the first 2 bytes are the salt, and for
https://hashcat.net/oclhashcat/
it is -m 1500
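
The hash format named in the post above, as an added example that is not part of the original thread: a small auditor that classifies the password field of passwd/shadow-style lines and flags legacy schemes such as traditional DES crypt(3) (13 characters, the first 2 being the salt). The sample lines and the hash-like strings in them are constructed placeholders, not values from the analyzer.

```python
import re

# Traditional DES crypt(3): 13 chars from [./0-9A-Za-z]; chars 0-1 are the
# salt (12 bits, 4096 values), chars 2-12 encode the 64-bit DES output.
# Only the first 8 characters of the password are used.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt format "$id$..." -> (scheme name, acceptable for new systems)
MCF = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}

def classify(field):
    """Return (scheme, salt, weak) for one password field."""
    if field == "":
        return ("empty", None, True)        # login without any password
    if field == "x":
        return ("shadowed", None, False)    # real hash lives in /etc/shadow
    if field[0] in "!*":
        return ("locked", None, False)      # password login disabled
    if field.startswith("$"):
        parts = field.split("$")            # ['', id, salt-or-params, ...]
        ident = parts[1] if len(parts) > 1 else ""
        name, ok = MCF.get(ident, ("unknown-mcf", False))
        return (name, None, not ok)
    if DES_RE.match(field):
        return ("des-crypt", field[:2], True)
    return ("unknown", None, True)

def audit(text):
    """Return [(user, scheme, salt)] for every account with a weak field."""
    findings = []
    for line in text.splitlines():
        cols = line.split(":")
        if line.startswith("#") or len(cols) < 2:
            continue
        scheme, salt, weak = classify(cols[1])
        if weak:
            findings.append((cols[0], scheme, salt))
    return findings

# Constructed sample input (hash strings are placeholders, not real hashes).
SAMPLE = """\
root:abJ9.kLmN0pQr:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
svc:$6$c0nstructed$AAAA:1000:1000::/home/svc:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme, salt in audit(SAMPLE):
        print(f"{user}: {scheme} (salt={salt})")
```
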
 

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1448
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #27 on: July 02, 2016, 11:41:24 am »
I also got myself one of these SA's and more or less directly hooked a USB-serial converter to the internal UART port (after I checked the signals with a scope). Serial port settings are 115200, n, 8, 1, no handshake. I labeled the UART lines in one of Dave's photos. It is easy to connect to the three required lines with a 2.54mm header with the pins slightly deformed and pushed into the holes so they make contact with the pads / hole plating of the PCB. It's not even necessary to remove the metal shielding from the back of the instrument to access this port and no soldering required whatsoever.

I attached a bootlog of the analyzer but since I'm not too much into hacking or programming, I'm also not too sure what to do next... Arago Project standard login doesn't work as well as anything I thought of (as Pinkus already reported). Yet, U-Boot is working and I can stop the bootup process and enter the U-Boot menu. I'm not sure if this helps to make some progress.

It seems in order to force the analyzer into the "Werewolf Mode"  ;) (see the other thread), it's only necessary to change the date to 1st January 1970. If the date is reset to correct parameters, the analyzer will become a "Sheep" again... That's with firmware 07.05.

Cheers,
Thomas
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 28247
  • Country: nl
    • NCT Developments
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #28 on: July 02, 2016, 03:30:57 pm »
You might be able to access the Linux filesystem through U-boot and overwrite the password file from there but it will take some careful experimenting because you could brick the SA.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline cio74

  • Regular Contributor
  • *
  • Posts: 173
  • Country: gb
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #29 on: July 02, 2016, 06:38:08 pm »
What is this hacking process supposed to do?
 

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1448
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #30 on: July 02, 2016, 06:59:01 pm »
What hack? As I interpret the situation, there is no "Hack" for the analyzer available so far. Changing the date to the first possible setting in the unix (Linux) operating system apparently puts the SA in a (intended or unintended by the manufacturer) "special" mode which removes the software limits. If this will still work after the evaluation period (48 hours) has passed and if a 2.1GHz device is calibrated over the full 3.2GHz is so far also unknown. As far as I can tell, the tracking generator hasn't stellar performance in the 2.1GHz range (though my device is from the new batch with the supposedly improved TG) and between 2.3 and 3.2 GHz there are excursions down to -5dB and up to +2dB. I would say, it isn't calibrated above 2.1GHz or Siglent configures especially selected versions for 3.2GHz that perform better in the upper frequency range. What's also not too amusing is that RBW is limited to 30kHz and above when the TG is active. For what reason? Seems like the TG performance really needs some improvement (hopefully possible in software). So far this "peeking around" in the booting process and file system focuses on a better understanding how the analyzer works.

Cheers,
Thomas
 
The following users thanked this post: bks_mark

Offline kmike

  • Regular Contributor
  • *
  • Posts: 59
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #31 on: July 02, 2016, 07:15:48 pm »
> I also got myself one of these SA's and more or less directly hooked a USB-serial converter to the internal UART port (after I checked the signals with a scope). Serial port settings are 115200, n, 8, 1, no handshake. I labeled the UART lines in one of Dave's photos. It is easy to connect to the three required lines with a 2.54mm header with the pins slightly deformed and pushed into the holes so they make contact with the pads / hole plating of the PCB. It's not even necessary to remove the metal shielding from the back of the instrument to access this port and no soldering required whatsoever.
>
> I attached a bootlog of the analyzer but since I'm not too much into hacking or programming, I'm also not too sure what to do next... Arago Project standard login doesn't work as well as anything I thought of (as Pinkus already reported). Yet, U-Boot is working and I can stop the bootup process and enter the U-Boot menu. I'm not sure if this helps to make some progress.
>
> It seems in order to force the analyzer into the "Werewolf Mode"  ;) (see the other thread), it's only necessary to change the date to 1st January 1970. If the date is reset to correct parameters, the analyzer will become a "Sheep" again... That's with firmware 07.05.
>
> Cheers,
> Thomas

Looking at the log:
- one would have to stop U-Boot
- add init=/bin/sh to the bootargs
- check how the filesystem is mounted, if mounted read-only then remount rw
- change the root password

Be careful if You want to try this method!

br,
mike
 
The following users thanked this post: bks_mark
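
From the device owner's or vendor's side, the exposure in the steps above comes down to two U-Boot environment settings: an autoboot that can be interrupted from the serial console, and kernel `bootargs` that can be edited before boot. An added example, not part of the original thread, that audits `printenv`-style output for both; the environment text is constructed (only the 115200 baud rate comes from the thread), and the `bootdelay` meanings follow mainline U-Boot documentation, which a vendor build may not match.

```python
def parse_env(text):
    """Parse U-Boot `printenv` output (name=value per line) into a dict."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)   # values may contain '='
            env[name.strip()] = value.strip()
    return env

def audit_env(env, expected_init="/sbin/init"):
    """Return a list of finding codes for console-reachable boot tampering."""
    findings = []
    # Mainline U-Boot: >=0 autoboot that a key press can stop, -1 no autoboot
    # (drops to the prompt), -2 autoboot with no delay and no abort check.
    try:
        delay = int(env.get("bootdelay", ""))
    except ValueError:
        delay = None
    if delay is None:
        findings.append("bootdelay-unset")          # compiled-in default applies
    elif delay == -1:
        findings.append("autoboot-disabled")        # always lands at the prompt
    elif delay >= 0:
        findings.append("autoboot-interruptible")
    tokens = env.get("bootargs", "").split()
    if any(t.startswith("console=") for t in tokens):
        findings.append("serial-console")           # kernel console on the UART
    for t in tokens:
        if t.startswith("init=") and t[len("init="):] != expected_init:
            findings.append("init-override")        # e.g. a shell instead of init
    return findings

# Constructed environments; device names and partitions are placeholders.
FACTORY_LIKE = """\
bootdelay=3
baudrate=115200
bootargs=console=ttyS0,115200 root=/dev/mtdblock2 rw
bootcmd=run nandboot
"""

HARDENED = """\
bootdelay=-2
bootargs=root=/dev/mtdblock2 ro quiet
bootcmd=run nandboot
"""

if __name__ == "__main__":
    for label, text in (("factory-like", FACTORY_LIKE), ("hardened", HARDENED)):
        print(label, audit_env(parse_env(text)))
```

A clean result here only covers the serial console path; it says nothing about whether the stored environment or the flash itself is write-protected.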

Offline nugglix

  • Regular Contributor
  • *
  • Posts: 209
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #32 on: July 02, 2016, 07:19:36 pm »
> What's also not too amusing is that RBW is limited to 30kHz and above when the TG is active.

Any details and sources for that?
Would like to know before I buy that thing.

Cheers
 

Offline cio74

  • Regular Contributor
  • *
  • Posts: 173
  • Country: gb
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #33 on: July 02, 2016, 08:01:33 pm »
Thanks Thomas, I think most are after the TG software option? This is 160 EUR + VAT on the Siglent.eu website.

Or is it more and I am missing it...
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 29602
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #34 on: July 02, 2016, 08:47:43 pm »
> What hack? As I interpret the situation, there is no "Hack" for the analyzer available so far......
>
> If this will still work after the evaluation period (48 hours) has passed and if a 2.1GHz device is calibrated over the full 3.2GHz is so far also unknown. As far as I can tell, the tracking generator hasn't stellar performance in the 2.1GHz range (though my device is from the new batch with the supposedly improved TG) and between 2.3 and 3.2 GHz there are excursions down to -5dB and up to +2dB. I would say, it isn't calibrated above 2.1GHz or Siglent configures especially selected versions for 3.2GHz that perform better in the upper frequency range.

Will activation of the self cal improve what you are reporting?
Avid Rabid Hobbyist.
Some stuff seen @ Siglent HQ cannot be shared.
 
The following users thanked this post: F6DEX

Offline tautech

  • Super Contributor
  • ***
  • Posts: 29602
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #35 on: July 02, 2016, 09:02:13 pm »
> Thanks Thomas, I think most are after the TG software option? This is 160 EUR + VAT on the Siglent.eu website.
>
> Or is it more and I am missing it...

Lots more, some of the options are many 100's in whatever currency.

EMI-SSA3000X    EMI Measurement Kit (Software)
AMK-SSA3000X   Advanced Measurement Kit (Software)
Refl-SSA3000X   Reflect Measurement Kit (Software)
TG-SSA3000X   Tracking Generator Kit (Software)
Avid Rabid Hobbyist.
Some stuff seen @ Siglent HQ cannot be shared.
 

Offline cio74

  • Regular Contributor
  • *
  • Posts: 173
  • Country: gb
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #36 on: July 02, 2016, 10:18:25 pm »
So you're saying they are poor and can't afford it. Basically that's the root of the issue, not enough income to support the purchase.
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 29602
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #37 on: July 02, 2016, 10:27:42 pm »
> So you're saying they are poor and can't afford it. Basically that's the root of the issue, not enough income to support the purchase.

NO.

Everybody wants something for free, don't you?

However just as the HW is one cost, accessories to enable complex measurement/s to be made are another and just like scopes a good set of accessories will cost just as much as the base unit, or more.
Avid Rabid Hobbyist.
Some stuff seen @ Siglent HQ cannot be shared.
 

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1448
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #38 on: July 02, 2016, 10:44:05 pm »
Here's a screenshot of the message I get if I try to reduce the resolution bandwidth below 30kHz while the tracking generator is turned on. Since the message only appears for a relatively short time, and it isn't possible to save the screen with the message directly on USB-Stick, the photo with my cell phone didn't turn out too well. Anyway, it's readable. Yet, I don't understand why there's the lower limit for RBW with the TG open. Rigol's DSA800TG series hasn't got this shortcoming.

Cheers,
Thomas
 
The following users thanked this post: videobruce, nugglix

Offline cio74

  • Regular Contributor
  • *
  • Posts: 173
  • Country: gb
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #39 on: July 02, 2016, 10:47:50 pm »
Sorry, it does not make much sense, you will have to pay for those probes and accessories if you want/need them, regardless of their cost.
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 29602
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #40 on: July 02, 2016, 11:16:24 pm »
> Yet, I don't understand why there's the lower limit for RBW with the TG open. Rigol's DSA800TG series hasn't got this shortcoming.

I've had a scan through the https://www.eevblog.com/forum/testgear/siglent-ssa3000x-spectrum-analyzers/
thread for answers but maybe I missed it.

rf-loop may have some comment.....
Avid Rabid Hobbyist.
Some stuff seen @ Siglent HQ cannot be shared.
 
The following users thanked this post: nugglix

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1448
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #41 on: July 02, 2016, 11:20:46 pm »
I just did a quick scan of the manual http://www.siglentamerica.com/USA_website_2014/Documents/UserManual/SSA3000X_User%20Manual_UM0703X_E02A.pdf and I didn't find any information regarding this behavior either -- strange! I guess I'll have to hook up another analyzer to the TG output of the SSA3000X and see if I'll find anything "strange"...
 
The following users thanked this post: nugglix

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4134
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #42 on: July 03, 2016, 04:33:58 am »
> Here's a screenshot of the message I get if I try to reduce the resolution bandwidth below 30kHz while the tracking generator is turned on. Since the message only appears for a relatively short time, and it isn't possible to save the screen with the message directly on USB-Stick, the photo with my cell phone didn't turn out too well. Anyway, it's readable. Yet, I don't understand why there's the lower limit for RBW with the TG open. Rigol's DSA800TG series hasn't got this shortcoming.
>
> Cheers,
> Thomas

With TG minimum RBW is 30kHz. (this is also most narrow filter what can not go to FFT mode)
What is problem with it?  Do it have too fast response or what?

Here is one small example, Nominal center frequency 21.953MHz, width ~3.5kHz Band Pass filter.  (in this example filter under test have problem)
With RBW30 also used Span is 30kHz!   (note also used VBW)
With TG  there is some DUT between TG output and SA input. This is your "filter" and it have most relevance, not SA RBW filter.
Of course this 30kHz Span is not limit. If narrow filter under test there  can use more narrow Span.




As sidenote here is limits with different RBW widths.

Sweep Span limits using FFT or Sweep (SWP) mode

Spectrum analyzer. (TG Off)
10Hz, FFT 33.83MHz, SWP ---

30Hz, FFT 106.6MHz, SWP 330kHz
100Hz, FFT 318MHz, SWP 3.7MHz
300Hz, FFT 793.6MHz, SWP 33,3MHz
1kHz, FFT 2.1GHz, SWP 371MHz

3kHz, FFT, SWP 2.1GHz
10kHz, FFT, SWP 2.1GHz

Spectrum analyzer + TG in use.
30kHz, FFT ---, SWP 2.1GHz
100kHz, FFT ---, SWP 2.1GHz
300kHz, FFT ---, SWP 2.1GHz
1000kHz, FFT ---, SWP 2.1GHz
« Last Edit: July 03, 2016, 04:54:48 am by rf-loop »
EV of course. Cars with smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the (strong)wises gone?
 
The following users thanked this post: tautech, nugglix

Offline PartialDischarge

  • Super Contributor
  • ***
  • Posts: 1625
  • Country: 00
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #43 on: July 03, 2016, 06:04:28 am »
So the effective rbw is much less than 30khz although the displayed one is 30khz... weird but it works
 
The following users thanked this post: nugglix

Offline KE5FX

  • Super Contributor
  • ***
  • Posts: 2034
  • Country: us
    • KE5FX.COM
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #44 on: July 03, 2016, 06:17:34 am »
At lower bandwidths (presumably < 30 kHz), the sweep generator is not sweeping continuously.  It takes discrete steps in both frequency and time, captures a block of samples, and converts them to the frequency domain all at once. 

In other words, if the analyzer uses an FFT to implement its 100 Hz RBW, there is no moment in time when (e.g.) a signal of 10.000100 MHz is in the passband but a signal of 10.000500 MHz isn't.  So there's nothing to "track."
 
The following users thanked this post: nugglix

Offline nugglix

  • Regular Contributor
  • *
  • Posts: 209
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #45 on: July 03, 2016, 07:46:23 am »
Also went through the manual and didn't find any hint.

Thanks for the clarification!

Cheers
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4134
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #46 on: July 03, 2016, 07:52:35 am »
> So the effective rbw is much less than 30khz although the displayed one is 30khz... weird but it works


Effective filter is DUT between TG out and SA in!

(I do not know what happened to my last message with more deep explanations but it is gone... and just now not time to write it all again)



If TG is used for narrow and/or  steep shape filters user need be careful with SWEEP speed adjustment! In this case SA's defaults are not at all good for use.
RBW30kHz sweep speed default is very far too fast. User need understand basic fundamentals about theory and/or have practical experience enough for understand how to adjust system for acceptable result.  It need know how fast frequency can change! (DUT response time)
Look my previous image where is 21.9MHz 3.5kHz filter example. With 30kHz RBW SA can sweep much much more fast but why I have reduced Sweep time. Of course. Effective filter is between TG out and SA in and adjustments need do in this case for it, not for RBW30kHz gaussian type  filter in SA.
In some cases RBW30kHz step response speed is limiting factor but in other case filter under test give limits and user need take care about this.


Just for information
Here attached  SA  RBW30kHz filter top shape.  Think filter "speed" - simplified, if you go too fast or level change too fast  it do not have time to reach top.

-0.1dB BW 5.6kHz
-1.0dB BW 17.3kHz
-3.0dB BW 29.9kHz
-6.0dB BW 42.3kHz

(Filter shape factor -3dB / -60dB is around 1:4.5)

« Last Edit: July 03, 2016, 08:00:09 am by rf-loop »
EV of course. Cars with smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the (strong)wises gone?
 

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1448
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #47 on: July 03, 2016, 02:23:52 pm »
Okay, I did some more in-depth testing of the TG behavior of the SSA3000X and got some interesting results. Especially considering the information provided in the last few posts made me want to understand how the SSA is scanning the frequency range and if the TG is outputting a discrete set of frequencies or if it is "really" sweeping through. Since a test with another SA didn't turn out conclusive (both scanning at arbitrary frequencies/speeds), I decided to hook up the TG output to my scope. The SSA was configured at a center frequency of 10MHz and a span of 3MHz, sweep time 5 seconds. And that's a clip of what I got: http://www.turbinemuseum.de/files/HF_Wobble.3gp It's obvious that upon the sweep itself, there's a kind of frequency wobble superimposed, maybe to provide the bandwidth within one of the 30kHz "slots" that are (supposedly) analyzed at a time. But it's also well possible that the "wobble" is just an artefact of the PLL when it locks onto the new frequency during the sweep.

I then checked the TG at zero span to find out if the center frequency has "macroscopic" increments or if it's more or less continuously adjustable -- I found the latter to be the case.

After that, I wanted to understand if the TG frequency at a slow-rate sweep moves in increments (besides the wobble) and I decided to look at the signal with a delay of 30µs after the trigger. Once again, settings were 10MHz center frequency, 3MHz span but this time 1000 seconds sweep time. It appears that the "average" frequency sweeps continuously, see here: http://www.turbinemuseum.de/files/Smooth_Sweep.3gp

I did the same tests with the Rigol SA for comparison. This instrument sweeps the selected frequency range at increments that match the span divided by the number of horizontal pixels available on the display. This means, provided the "wobble" of the Siglent SA TG is intentional, the Siglent will detect a very narrow BW "event" when it's within an "increment" whereas it's pure coincidence on the Rigol if the TG at larger increments "hits" the specific frequency that a DUT characteristic changes significantly. I.e. the Siglent TG is better at "finding" resonances and the like at wide spans while the Rigol TG is better suited for analyzing devices at narrow spans.

If considering these findings, it also becomes obvious that initially Siglent planned to implement more analog bandwidth settings (by means of the two four-point switches in the last IF section and the unpopulated filter circuitry in between) but finally decided to go the digital route. Yet, it should be possible to implement digital filtering as well without the FFT function and then the RBW would probably permit lower values with the TG running.

For comparison I tested a high accuracy crystal (first photo) on the Siglent (the best I could get with RBW 30kHz, VBW 10Hz and span 10kHz), the same settings on a Rigol DSA815TG and finally on the same instrument with RBW 100Hz and VBW 10Hz. Only in the last configuration, both series- and parallel resonance are clearly visible while the first parameter set on the Rigol is completely useless. The Siglent at least detects the series resonance fairly accurately while the parallel resonance is covered with artefacts (why?). Maybe I made some mistake with my settings? At least as yet to me it seems the 30kHz RBW limit with the TG active is a major shortcoming on the SSA3000X.
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4134
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #48 on: July 03, 2016, 05:56:06 pm »
Just as simple as can and also xtal loading really rotten but this is not problem because this is not xtal test but just for example about display.

Btw...(Sunday evening puzzle ;) )  in old times we have done thousands of sweep using logamp, detector,  sweep gen and just oscilloscope. Where is RBW filter? Just as wide as scope response is. ;)


« Last Edit: July 03, 2016, 05:59:35 pm by rf-loop »
EV of course. Cars with smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the (strong)wises gone?
 
The following users thanked this post: nugglix

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1448
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #49 on: July 04, 2016, 08:15:47 pm »
root password is "ding1234"  8)
 
The following users thanked this post: Pinkus, pmcouto, siggi, kado, nugglix, bitseeker, kerouanton, ljkjl

