Author Topic: Hack of Sigllent spectrum analyzer ssa3021X?  (Read 188580 times)

0 Members and 3 Guests are viewing this topic.

Offline hfleming

  • Contributor
  • Posts: 27
  • Country: no
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #725 on: August 02, 2019, 08:50:36 pm »
quite sure there was no overload. Spectrum Analyzer was connected via a 20dB pad to my signal generator and was reading -30dBm. The software is my own, talking to the SPA over USB.
 
The following users thanked this post: tautech

Online tautech

  • Super Contributor
  • ***
  • Posts: 16161
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #726 on: August 02, 2019, 09:05:22 pm »
quite sure there was no overload. Spectrum Analyzer was connected via a 20dB pad to my signal generator and was reading -30dBm. The software is my own, talking to the SPA over USB.
OK, I’ll see what the factory can give us to help you.
Avid Rabid Hobbyist
 
The following users thanked this post: hfleming

Offline hfleming

  • Contributor
  • Posts: 27
  • Country: no
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #727 on: August 02, 2019, 09:27:45 pm »
I guess it could have been just coincidence too that the SPA broke just after the PC crash. Murphy was really on the loose in my workshop today. 1 step forward, and 100 steps back. Guess I’ll give it some time to see if a solution can be found on EEVBlog, else will have to contact the seller and see what they say. The unit is only 2 months old.
 

Offline TurboTom

  • Frequent Contributor
  • **
  • Posts: 633
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #728 on: August 02, 2019, 09:39:27 pm »
Did you make a backup of the flash partitions when you were in there doing the hack? Several individuals managed to fix their SSAs via the UBOOT console by flashing back partition images. UBOOT can be accesses by the UART terminals at the lower right corner of the logic PCB (as viewed from behind). I think you'll find some more information on that "emergency" access port on the first few pages of this thread.

Good luck,
Thomas
 
The following users thanked this post: hfleming

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 908
  • Country: pt
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #729 on: August 02, 2019, 09:52:14 pm »
Script to dump the NAND. I had it here laying around. If anyone needs it...

Always good idea to have a NAND backup.
 
The following users thanked this post: hfleming, dennis788

Offline hfleming

  • Contributor
  • Posts: 27
  • Country: no
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #730 on: August 02, 2019, 11:36:44 pm »
hey guys, Spectrum Analyzer is now fixed!!!!  :-DD :-DD :-DD
Read through the fist couple of pages, and there was a comment about keeping the “System” button pressed whilst booting. Did it, and the unit came back to life!!!! Will check it out fully later (02:15 over here, and I don’t want to push my luck any further. Maybe that trick should be written up somewhere. Guess it is sort of a hard-reset.

Thanks for all the advice, was thinking of opening the unit up and hook into its serial port, but that seems not necessary. Will do the NAND dump later when I feel brave enough to open the unit.

Come to think of it, I have set my unit to start in the same state as when I switch it off, so maybe the the “system” button whilst booting forces it to start up in default state.

Hendrik

« Last Edit: August 03, 2019, 12:45:28 am by hfleming »
 
The following users thanked this post: tautech, myexige

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 908
  • Country: pt
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #731 on: August 03, 2019, 08:16:05 am »
Will do the NAND dump later when I feel brave enough to open the unit.

You don't need to open the unit. You just need to have telnet access to the SSA and run the script. Maybe I'll release a .ADS that does that...
 
The following users thanked this post: hfleming, snik, LPS

Offline linuxwanted

  • Newbie
  • Posts: 1
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #732 on: August 29, 2019, 10:15:23 pm »
the hack seems to stop working with SSA3000X_1.2.9.3a.ADS (if you update). Telnet is deactivated with this version, if you update. Tried to get access on the serial port -> works. Root password unchanged. But if i remove the serialno XMLs the user interface freezes. Serial access works, so i can go back. Now back to 2.1 GHz ... Easy come, easy go. On a factory new Analyzer with 1.2.9.3a telnet works and also the hack.
 

Offline maartenva

  • Newbie
  • Posts: 4
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #733 on: September 17, 2019, 12:35:23 pm »
the hack seems to stop working with SSA3000X_1.2.9.3a.ADS (if you update). Telnet is deactivated with this version, if you update. Tried to get access on the serial port -> works. Root password unchanged. But if i remove the serialno XMLs the user interface freezes. Serial access works, so i can go back. Now back to 2.1 GHz ... Easy come, easy go. On a factory new Analyzer with 1.2.9.3a telnet works and also the hack.

I just downgraded mine from 1.2.9.2.a to 1.2.8.3 and was able to do the firmware hack.

 

Offline jemangedeslolos

  • Regular Contributor
  • *
  • Posts: 64
  • Country: fr
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #734 on: September 25, 2019, 10:07:20 am »
Hello,

Do you know if this hack works on the SSA3000...Plus ?

Thank you :)
 

Offline LPS

  • Contributor
  • Posts: 10
  • Country: bh
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #735 on: September 28, 2019, 04:27:03 pm »
Hello,

I have made all the options permanent on my recently purchased SSA3021X using the method outlined in this thread.  The serial number has become XXXXX. . . as expected.  Current System Information Version is as follows :

SW1   1.2.9.2.a
SW2   20180708-1
SW3   000000E1
HW           0F.03.00

Can someone please advise if i upgrade my Firmware to the latest 1.2.9.3a, will all the options remain permanent as they are now ?  I would like the Peak Table Sort By Frequency / Amplitude feature, this is a good idea.

Thanks

Len
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 908
  • Country: pt
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #736 on: September 28, 2019, 04:36:44 pm »
... will all the options remain permanent as they are now ?

Yes.
 
The following users thanked this post: LPS

Offline myexige

  • Contributor
  • Posts: 8
  • Country: gb
SSA3021X - the final hack?
« Reply #737 on: October 04, 2019, 07:23:07 pm »
Today i hacked my SSA3021X and turned it into a SSA3032X with ALL options permanent AND KEPT MY SERIAL NUMBER, therefore (hopefully) future proofing it against any firmware updates  ;D

When i received the unit the installed firmware was 1.2.9.2a which (thankfully) still had telnet access.

Whilst waiting for delivery i read this whole thread 3 or 4 times to get as much information as i could and it has been invaluable, thanks to all who contributed  :)


Ok, so we know if the "NSP_system_info.xml" from version 7 was edited so that the license info was TRUE that this would open it up on that firmware series.

Hint....Create one now and make sure it has YOUR serial number ..

Code: [Select]
<?xml version="1.0" encoding="UTF-8"?>
<nsp_system_info_root>
  <device>
    <system_information>
      <serial_number>
        <chip>SSA3xxxxxxxxxx</chip>
      </serial_number>
    <license><_3032>TRUE</_3032><_3021>FALSE</_3021><_TG>TRUE</_TG><_EMI>TRUE</_EMI><_Meas>TRUE</_Meas><_CAT>TRUE</_CAT></license></system_information>
  </device>
</nsp_system_info_root>

Copy it to a blank USB stick.

Next step is to obtain a copy of the V8.01 firmware (1.2.8.1) and using the "converter tool", make a zip file and extract it with 7-Zip (details are on this thread).

In the extracted folder you will find a copy of the main application file "ecomb", copy this to the USB stick and rename it "ecomb8".

Place the USB stick into the SSA and open a telnet session.

Here is what i did, i'm not a linux user but there is plenty of info here and on the web to get some basics.
Remember, dont enter the " marks, just the text between them.

Enter "mount -o remount, rw /"
Enter "cd /usr/bin/siglent"
Enter "ps"
You will get a list like this...
Code: [Select]
  PID USER       VSZ STAT COMMAND
    1 root      1320 S    init [5]
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [kworker/0:0]
    5 root         0 SW   [kworker/u:0]
    6 root         0 SW<  [khelper]
    7 root         0 SW<  [netns]
    8 root         0 SW   [kworker/u:1]
  154 root         0 SW   [sync_supers]
  156 root         0 SW   [bdi-default]
  158 root         0 SW<  [kblockd]
  168 root         0 SW<  [omap2_mcspi]
  179 root         0 SW   [khubd]
  286 root         0 SW<  [musb-hdrc.0]
  291 root         0 SW<  [musb-hdrc.1]
  293 root         0 SW<  [rpciod]
  295 root         0 SW   [kworker/0:1]
  305 root         0 SW   [kswapd0]
  306 root         0 SW   [fsnotify_mark]
  307 root         0 SW<  [nfsiod]
  308 root         0 SW<  [crypto]
  324 root         0 SW<  [OMAP UART0]
  326 root         0 SW<  [OMAP UART1]
  328 root         0 SW<  [OMAP UART2]
  330 root         0 SW<  [OMAP UART3]
  332 root         0 SW<  [OMAP UART4]
  334 root         0 SW<  [OMAP UART5]
  411 root         0 SW   [mtdblock0]
  416 root         0 SW   [mtdblock1]
  421 root         0 SW   [mtdblock2]
  426 root         0 SW   [mtdblock3]
  431 root         0 SW   [mtdblock4]
  436 root         0 SW   [mtdblock5]
  441 root         0 SW   [mtdblock6]
  446 root         0 SW   [mtdblock7]
  451 root         0 SW   [mtdblock8]
  456 root         0 SW   [mtdblock9]
  461 root         0 SW   [mtdblock10]
  466 root         0 SW   [mtdblock11]
  471 root         0 SW   [mtdblock12]
  479 root         0 SW   [ubi_bgt0d]
  495 root         0 SW   [irq/172-ads7846]
  540 root      1776 S <  /sbin/udevd -d
  719 root      2112 S    /usr/sbin/telnetd
  726 root      152m S    ./ecomb
  727 root      1572 S    /sbin/getty 115200 ttyO0
  728 daemon    1456 S    portmap
  745 root         0 SW   [ubi_bgt1d]
  750 root         0 SW   [ubifs_bgt1_0]
  767 root         0 SW   [ubi_bgt2d]
  834 root      1772 S <  /sbin/udevd -d
  873 root      2588 S    -sh
 2530 root         0 SW   [ubifs_bgt0_0]
 2651 root         0 SW   [flush-ubifs_0_0]
 2652 root         0 SW   [flush-ubifs_1_0]
 2656 root         0 SW   [flush-ubifs_2_0]
 2704 root         0 SW   [scsi_eh_0]
 2705 root         0 SW   [usb-storage]
 2708 root         0 SW   [kworker/u:2]
 2711 root      1772 S <  /sbin/udevd -d
 2720 root      2112 R    ps

in YOUR list find "./ecomb" and get the "PID" number, in my case above, it was "726"

Enter "kill -9 726" - not sure if the "-9" is needed but it certainly killed the process.
Enter "ps" again and make sure "./ecomb" is NOT shown

Enter "cp /usr/bin/siglent/usr/mass_storage/U-disk0/ecomb8 ecomb8" - This copies "ecomb8" from the USB stick to the "/usr/bin/siglent" directory.
Enter "ls -l" - and make sure it is there.
Enter "mount -o remount,rw /dev/ubi2_0 /usr/bin/siglent/firmdata0"
Enter "cd firmdata0"
Enter "cp /usr/bin/siglent/usr/mass_storage/U-disk0/NSP_system_info.xml NSP_system_info.xml" - this copies the "NSP_system_info.xml" file you created above to "/usr/bin/siglent/firmdata0"
Enter "ls -l" and make sure it is there.
Enter "cd .." to drop back one level to the "/usr/bin/siglent" directory.

NOW FOR THE FUN PART

Enter "./ecomb8" - Loads of text will appear on the telnet screen, the application will start and will read the "NSP_system_info.xml" file and will automatically create a fully licensed "NSP_sn_bandwidth.xml" file, the application will start up on the SSA and using "System info" you will see that your SSA3021X is now a SSA3032X with all options permanent and with the correct serial number.

Power off the SSA, remove the USB and power it back on, all options will remain and it will be running the correct version of "ecomb"

Dont forget to backup to USB stick your new "NSP_sn_bandwidth.xml" file (details are in this thread).

Hope this helps and thanks again to those you have provided the tools and knowledge that has enabled me to do this, now i dont care if telnet has been removed as i can carry out firmware updates knowing it is safe.  ;D


P.S. One thing to note was i did have both the original "NSP_sn_bandwidth" files in place, the process just added all the licenses to it.
« Last Edit: October 04, 2019, 08:04:21 pm by myexige »
 
The following users thanked this post: TurboTom, nugglix, LPS, laurie_h

Online Bicurico

  • Frequent Contributor
  • **
  • Posts: 931
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #738 on: October 04, 2019, 08:06:15 pm »
Cool!

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 908
  • Country: pt
Re: SSA3021X - the final hack?
« Reply #739 on: October 04, 2019, 09:20:23 pm »
Today i hacked my SSA3021X and turned it into a SSA3032X with ALL options permanent AND KEPT MY SERIAL NUMBER, therefore (hopefully) future proofing it against any firmware updates  ;D

Not the "final hack" but very well done!   :clap:
 

Offline todac

  • Newbie
  • Posts: 1
  • Country: fr
Re: SSA3021X - the final hack?
« Reply #740 on: October 11, 2019, 07:25:40 am »
Good news
Can you tell more about "

Next step is to obtain a copy of the V8.01 firmware (1.2.8.1) and using the "converter tool", make a zip file and extract it with 7-Zip (details are on this thread).

In the extracted folder you will find a copy of the main application file "ecomb", copy this to the USB stick and rename it "ecomb8".


My English was very  poor and when i search "converter tool" or "1.2.8.1" i find only you're post.

In advance, thank you for your answer.
 

Online fact

  • Contributor
  • Posts: 27
  • Country: nl
 

Offline tv84

  • Frequent Contributor
  • **
  • Posts: 908
  • Country: pt
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #742 on: October 11, 2019, 09:15:15 am »
BEWARE: That tool is unable to extract a full working zip. But it should be OK to extract the ecomb app most of the times.

So, while you may get errors opening the zip, ensure that you don't get an error when unzipping the ecomb file!
 

Offline dennis788

  • Newbie
  • Posts: 3
  • Country: 00
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #743 on: October 11, 2019, 01:28:13 pm »
Script to dump the NAND. I had it here laying around. If anyone needs it...

Always good idea to have a NAND backup.

Hi,

I'm not familiar with linux and telnet. Can you, if you have time,  in short steps explain how to use this script?

Best regards

« Last Edit: October 11, 2019, 01:36:04 pm by dennis788 »
 

Online fact

  • Contributor
  • Posts: 27
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #744 on: October 11, 2019, 04:14:24 pm »
You could start reading here to get an idea of telnet access to the analyzer:
https://www.eevblog.com/forum/testgear/hack-of-sigllent-spectrum-analyzer-ssa3021x/msg1480492/?topicseen#msg1480492
 

Offline BillB

  • Supporter
  • ****
  • Posts: 569
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #745 on: October 11, 2019, 04:33:10 pm »
Script to dump the NAND. I had it here laying around. If anyone needs it...

Always good idea to have a NAND backup.

Hi,

I'm not familiar with linux and telnet. Can you, if you have time,  in short steps explain how to use this script?

Best regards

Hi Dennis,

I wouldn't recommend an expensive spectrum analyzer as your first vehicle into the land of linux and telnet.  You may want to come up to speed on something else; there are tons of tiny little linux based devices that have a telnet console.
 
The following users thanked this post: rf-loop

Online fact

  • Contributor
  • Posts: 27
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #746 on: October 11, 2019, 04:45:51 pm »
You could try telnetting to a Raspberry Pi and honing your Linux skills on that platform. When you break something on the RPi, just start fresh with a new Raspbian image. You'll never end with an expensive paper weight.
 

Online fact

  • Contributor
  • Posts: 27
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #747 on: October 12, 2019, 12:19:38 pm »
@myexige
Tried your step by step instructions, but my SSA (also running 1.2.9.2.a) remains a SSA3021X and I see no changes in the NSP_sn _bandwidth.xml after executing the 1.2.8.1 ecomb executable. After ecomb1281 starts, In system info I see SW1 as 1.2.8.1 but the Model remains a SSA3021X and the trial licenses are what is shown under Option.
Is there anything you might have forgotten to mention? What was the exact contents of your backup and firmdata0 directories?
 

Offline myexige

  • Contributor
  • Posts: 8
  • Country: gb
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #748 on: October 12, 2019, 07:30:47 pm »
@myexige
Tried your step by step instructions, but my SSA (also running 1.2.9.2.a) remains a SSA3021X and I see no changes in the NSP_sn _bandwidth.xml after executing the 1.2.8.1 ecomb executable. After ecomb1281 starts, In system info I see SW1 as 1.2.8.1 but the Model remains a SSA3021X and the trial licenses are what is shown under Option.
Is there anything you might have forgotten to mention? What was the exact contents of your backup and firmdata0 directories?

I tried putting it all back to a 3021 with only the TG enabled and then ran through my previous instructions and it didn't work this time ???!!!

Ok so i have found the problem, you also need to rollback the "nsp_data_b" file in firmdata0 after the process has been killed, i have attached the file i used.

I have tried this numerous times now and each time it works, no changes to the original procedure.

n.b. when you save the file remove the .txt extension




 

Online fact

  • Contributor
  • Posts: 27
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #749 on: October 13, 2019, 09:26:19 am »
@myexige
Tried your step by step instructions, but my SSA (also running 1.2.9.2.a) remains a SSA3021X and I see no changes in the NSP_sn _bandwidth.xml after executing the 1.2.8.1 ecomb executable. After ecomb1281 starts, In system info I see SW1 as 1.2.8.1 but the Model remains a SSA3021X and the trial licenses are what is shown under Option.
Is there anything you might have forgotten to mention? What was the exact contents of your backup and firmdata0 directories?

I tried putting it all back to a 3021 with only the TG enabled and then ran through my previous instructions and it didn't work this time ???!!!

Ok so i have found the problem, you also need to rollback the "nsp_data_b" file in firmdata0 after the process has been killed, i have attached the file i used.

I have tried this numerous times now and each time it works, no changes to the original procedure.

n.b. when you save the file remove the .txt extension

I can confirm that, with the "original" nsp_data_b in place (kindly provided by myexige), the method works flawlessly.

@myexige
Thanks for sorting out the problem I had.
 
The following users thanked this post: myexige


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf