Hack of Sigllent spectrum analyzer ssa3021X?

[Elasia]

Thank you tv84 and noreply.

I'll wait and see if someone can advise on the bootloader scenario.

I have another untouched SSA3021X here. Is there a way to dump its FW and load it on to the poorly one - unless someone has a copy of a stock FW?
This is assuming that there is a suitable bootloader. I also have the two original directories from before the update hack.

First step, open it up and attach to the uart port then paste here what it outputs to your terminal

Thats going to say what road you are about to go down


Edit: Poor wording, open the broke one and do the needful

[noreply]

I'll wait and see if someone can advise on the bootloader scenario.

No harm in getting into alternative way to recover your SSA
 
- but there is a specific way you can do this via recovery boot (USB)
- my Siglent contact is currently unavailable
- I have tried to get in touch during the last 24 hours to discover the best way to do this 
- unfortunately still waiting

BUT perhaps tautech can 'chime-in' and could PM you with specific instructions on the recovery procedure??

OR if allowed

- post the procedure for others here in the forum to make note
- in case we find ourselves in the same situation 

[rozzy]

I'll wait and see if someone can advise on the bootloader scenario.

No harm in getting into alternative way to recover your SSA
 
- but there is a specific way you can do this via recovery boot (USB)
- my Siglent contact is currently unavailable
- I have tried to get in touch during the last 24 hours to discover the best way to do this 
- unfortunately still waiting

BUT perhaps tautech can 'chime-in' and could PM you with specific instructions on the recovery procedure??

OR if allowed

- post the procedure for others here in the forum to make note
- in case we find ourselves in the same situation 

Thanks noreply.

I'll hang on and see what your Siglent contact says - and tautech as well.

Again, thanks for all the help so far....

[Elasia]

If memory serves this model has a hidden sd card slot inside that is used to recover from a bad flash.. but i think the last user with a bad flash had to send the unit into siglent's regional hq

and by bad flash, i mean nuking the bootloader as well

[iulisan]

Hello.It is worth to buy this spectrum analyzer ? My wife will KILL me if she finds out the price  . I will use it for hobby , ham radio.Is the mod for 3GHz still working ? Sorry if I ask silly question . 73! de YO8SHP

[Elasia]

Hello.It is worth to buy this spectrum analyzer ? My wife will KILL me if she finds out the price  . I will use it for hobby , ham radio.Is the mod for 3GHz still working ? Sorry if I ask silly question . 73! de YO8SHP

If you are going to burn you might as well get the plus model that is secretly a sva..  and is only 200 more

[iulisan]

Hello.It is worth to buy this spectrum analyzer ? My wife will KILL me if she finds out the price  . I will use it for hobby , ham radio.Is the mod for 3GHz still working ? Sorry if I ask silly question . 73! de YO8SHP

If you are going to burn you might as well get the plus model that is secretly a sva..  and is only 200 more

Indeed I have in mind to to buy the plus version if I sell my kidney why not buying this version  .But still I do not have an answer as I read almost all the topic : does the hack still apply ? I understand that the firmware is important...Thanks a lot for help.

[iulisan]

Thanks a lot.I will program for operation so that I have my kidney removed ( I hope that all know that is a joke )  Anyway if you will be kind you will help me into hack this beautiful machine.Thank you.

[iulisan]

Hello friends.I sold my kidney ( JOKE !!! - I borrow money from some friends of mine) so I bought the SSA 3021X PLUS witch I hope will arrive as a "gift" for my birthday.I'm just so happy that i wanted to share with you , and I hope you will help me solve the "problem" with the hack , meanwille I read half of the discussion.Thank you guys , keep safe.73! de YO8SHP.

[t92pin]

Hi everyone,

I just bought brand new ssa3021x plus with 2.2.1.2.5 fw. and I try telnet option but no response from network. Remote connection is ok as well as web. Maybe telnet is disabled in this fw. So if anyone have any suggestions to upgrade to 3.1Ghz please let me know.
Thnx

[iulisan]

Hello there my friend.Mine just arrived also.My firmware is also 2.2.1.2.5 and indeed I cant connect via telnet , is seems that we have to do some mods to see our beautifull machins in PUTTY . Maybe some one will help us.I read what we have to do but still i'm stuck.Thank you friends , have a nice day.

[Tleilax]

I'm in the same situation as rozzy in #845 and my device seems bricked now after using the telnet script SSA3000X_telnet of #832. Has anyone found a way to recover the instrument?
When I start it now it just shows the Power, TG and Mode button lit and nothing happens.

[tv84]

I want to understand how you bricked the SSA.

Was it just by running my telnet.ADS or any operation you did while inside the telnet session?

[Tleilax]

Thank you Rozzy for the quick reply and the link to the update files. I just gave it a shot with the USB files but that doesn't seem to work. When I switch the instrument on with the USB drive attached it doesn't seem to be doing anything, Mode and TG buttons are lit and that's it.
I'll have to see if I can open it up without voiding warranty, otherwise I'll return it.

To tv84's question: I downloaded the file of #832, put it on a USB drive and then initiated the update in the system menu. Then the device seemed stuck at 60%. I tried to log in via telnet and port 10101 but that didn't work. So I restarted the device (which is probably where I went wrong). At that point it was bricked.

[tv84]

To tv84's question: I downloaded the file of #832, put it on a USB drive and then initiated the update in the system menu. Then the device seemed stuck at 60%. I tried to log in via telnet and port 10101 but that didn't work. So I restarted the device (which is probably where I went wrong). At that point it was bricked.

I think it shouldn't be from the file. BUT, I don't want to facilitate people in bricking their devices so I removed the file. Until I get positive feedback that the file works, I won't make it available again.

Try different USB disks with the USB_recovery.

[rozzy]

Exactly what I did. As tv84 says, try a variety of usb sticks.
I'm sure the file wasn't at fault as other people have used it successfully.

Hope you fix it

[nealix]

I successfully unlocked all options and updated to model SSA-3032X tonight using a combination of posts on this thread.  It took a very long time to carefully gather all the details and corrections from many different posts.   Since it worked in the end for me, I thought I would share back by consolidating the instructions into one single post.  In general, I enhanced @Myexige's original post by adding into the steps what he found later about nsp_data_b file.  I also added the Telnet RC file fix to the steps, so everything is in one spot here. Please feel free to make enhancements/corrections/additions, to help others.   Here is the process from start to finish that worked fine for me, and others apparently;

NEW PROCEDURE FOR UNLOCK TO PRESERVE SERIAL NUMBER:

A.    First, Make Backup Files:

1. Insert USB stick
2. Establish a telnet session with root/ding1234
3. cp -R /usr/bin/siglent/usr/backup /usr/bin/siglent/usr/mass_storage/U-disk0/SA-backup
4. cp -R /usr/bin/siglent/firmdata0 /usr/bin/siglent/usr/mass_storage/U-disk0/SA-firmdata0
5. Sync

2.    Start with BOTH of your original "NSP_sn_bandwidth" XML files in place.  If you need to, restore them from backup if you tried some previous method to unlock.  Once the original files are there, then proceed below:


3.   SSA3021X - the final hack?
« Reply #737 on: October 04, 2019, 07:23:07 pm »
Today I hacked my SSA3021X and turned it into a SSA3032X with ALL options permanent AND KEPT MY SERIAL NUMBER, therefore (hopefully) future proofing it against any firmware updates 

When I received the unit the installed firmware was 1.2.9.2a which (thankfully) still had telnet access.
Whilst waiting for delivery I read this whole thread 3 or 4 times to get as much information as i could and it has been invaluable, thanks to all who contributed.

Ok, so we know if the "NSP_system_info.xml" from version 7 firmware was edited so that the license info was TRUE that this would open up the analyzer options on that firmware series.  Now we are at FW version 8 series, with actual firmware download versions like 1.2.8.1,  1.2.9.2,  1.2.9.3, etc.

Hint....Create a new "NSP_system_info.xml" file using your favorite editor now and make sure it contains YOUR serial number:

<?xml version="1.0" encoding="UTF-8"?>
<nsp_system_info_root>
  <device>
    <system_information>
      <serial_number>
        <chip>SSA3xxxxxxxxxx</chip>    <<<----  INSERT YOUR SERIAL# HERE!
      </serial_number>
    <license><_3032>TRUE</_3032><_3021>FALSE</_3021><_TG>TRUE</_TG><_EMI>TRUE</_EMI><_Meas>TRUE</_Meas><_CAT>TRUE</_CAT></license></system_information>
  </device>
</nsp_system_info_root>

Copy it to a blank USB stick.

Next step is to obtain a copy of the V8.01 firmware (1.2.8.1)  from the Siglent web site, and unzip it into a folder. Also, download the Firmware Converter Tool (that converts a  .ADS Firmware File to a .ZIP file from here:

https://www.eevblog.com/forum/testgear/siglent-ssa3000x-spectrum-analyzers/?action=dlattach;attach=269048

Using the "converter tool", Select the Siglent Firmware V01.02.08.01.ADS file that you downloaded and convert it to a ZIP file.
NOTE:  IT MUST BE FIRMWARE 1.2.8.1, because we need two files from that specific version to generate a license. NO OTHER VERSION WILL WORK!
The zip file that the above tool creates is fussy and can ONLY be opened with 7-Zip.  Extract it with 7-Zip. 

In the extracted folder you will find a copy of the main application file "ecomb", copy this to the USB stick and rename it "ecomb8". 
Also copy the file nsp_data_b from the extracted folder, onto your USB stick.  We will need it below.

BEWARE: That tool is unable to extract a full working zip. But it should be OK to extract the ecomb app and the nsp_data_b file most of the times. Those are the only two files we need from the 1.2.8.1 firmware.

So, while you may get errors opening the zip, ensure that you don't get an error when unzipping the ecomb file or the nsp_data_b file!


Place the USB stick into the SSA and open a telnet session.  For the commands below, copy and paste them into your putty telnet window.  ( Control-C copy on the windows side,  Right-Mouse-Click on the Putty Telnet side. )
Remember, don’t enter the quotation " marks, just the text between them.

Enter "mount -o remount, rw /"
Enter "cd /usr/bin/siglent"
Enter "ps"
You will get a list like this...

  PID USER       VSZ STAT COMMAND
    1 root      1320 S    init [5]
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [kworker/0:0]
    …lots more lines here…

  719 root      2112 S    /usr/sbin/telnetd
  726 root      152m S    ./ecomb                    <<<--- ECOMB
  727 root      1572 S    /sbin/getty 115200 ttyO0


in YOUR list of processes, find "./ecomb" and get the "PID" number, in my case above, it was "726".

Enter "kill -9  726" - not sure if the "-9" is needed but it certainly killed the process.
Or “kill -9 <The Process ID of YOUR ./ecomb>”
Enter "ps" again and make sure "./ecomb" is NOT shown.  It MUST NOT be running for the next steps.

Enter "cp /usr/bin/siglent/usr/mass_storage/U-disk0/ecomb8 ecomb8" - This copies "ecomb8" from the USB stick to the "/usr/bin/siglent" directory.
Enter "ls -l" - and make sure it is there.
Enter "mount -o remount,rw /dev/ubi2_0 /usr/bin/siglent/firmdata0"
Enter "cd firmdata0"
Enter "cp /usr/bin/siglent/usr/mass_storage/U-disk0/NSP_system_info.xml NSP_system_info.xml"  - this copies the "NSP_system_info.xml" file you created above to "/usr/bin/siglent/firmdata0"
Enter "ls -l" and make sure it is there.

Next:  you also need to roll-back (The version) of the "nsp_data_b" file in firmdata0 after the ecomb process has been killed. Roll it back to the version from the 1.2.8.1 FW.  Copy it from the USB stick into the "/usr/bin/siglent/firmdata0" directory as follows:
Enter “cp /usr/bin/siglent/usr/mass_storage/U-disk0/nsp_data_b  nsp_data_b”
Enter “ls –l” and make sure it is there.

Next,
Enter "cd .." to drop back one level to the "/usr/bin/siglent" directory.

NOW FOR THE FUN PART

Enter "./ecomb8" - Loads of text will appear on the telnet screen, the application will start and will read the "NSP_system_info.xml" file and will automatically create a fully licensed "NSP_sn_bandwidth.xml" file, the application will start up on the SSA and using "System info" you will see that your SSA3021X is now a SSA3032X with all options permanent and with the correct serial number.

Power off the SSA, remove the USB and power it back on, all options will remain and it will be running the correct version of "ecomb"

Don’t forget to backup to USB stick your new "NSP_sn_bandwidth.xml" licensing file.
<START Backup Procedure>
1.  Make sure USB stick is still inserted in the analyzer.
2.  cp -R /usr/bin/siglent/usr/backup /usr/bin/siglent/usr/mass_storage/U-disk0/SA-backup-NEW
3.  cp -R /usr/bin/siglent/firmdata0 /usr/bin/siglent/usr/mass_storage/U-disk0/SA-firmdata0-NEW
4.  Sync
<END Backup Procedure>


Finally, If you wish to upgrade PAST the 1.2.9.2a Firmware:
PRESERVE TELNET ++BEFORE++ UPGRADING TO FW VERSION 1.2.9.3

Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #752 on: October 13, 2019, 06:00:59 pm »
Easy way to overcome losing telnet before updating to 1.2.9.3a is to create your own symbolic links for the telnet deamon.
e.g.
Enter "mount -o remount,rw /"
Enter "cd /etc/rc0.d"
Enter "ls -al"
Examine the telnet symbolic link, K10telnetd in this case and create your own with a different number, 15 in this example.
Enter "ln -s ../init.d/telnetd  K15telnetd"
Enter “cd /etc/rc1.d”
Enter "ln -s ../init.d/telnetd  K15telnetd"
Enter “cd /etc/rc6.d”
Enter "ln -s ../init.d/telnetd  K15telnetd"
NOW, this next directory uses a little different syntax, it is S15telnetd;  ("S" for Start)
Enter “cd /etc/rc5.d”
Enter "ln -s ../init.d/telnetd  S15telnetd”
Enter "sync"

Restart the analyzer.
After this, you can safely update to 1.2.9.3a and forward, while preserving telnet access.

[Decibel123]

Hi nealix,

I just received my ssa3021. Version 1.2.9.3a.
Ready to go. Ping works, no telnet on port 10101 (port 23 neither) . How did you solve this? Youre instructions are great and very clear but don't know how to start without telnet.
Should I start with the telnet telnet_11201.ADS file who failed by Tleilax  scarry.

Rgds,
Herman

[nealix]

Yes.  I have not done a unit that came with 1.2.9.3a, but others have.  You Start with the telnet_11201.ADS file to get access.  Once you get access, install the links per:
=====
Easy way to overcome losing telnet before updating to 1.2.9.3a is to create your own symbolic links for the telnet deamon.
e.g.
Enter "mount -o remount,rw /"
Enter "cd /etc/rc0.d"
Enter "ls -al"
Examine the telnet symbolic link, K10telnetd in this case and create your own with a different number, 15 in this example.
Enter "ln -s ../init.d/telnetd  K15telnetd"
Enter “cd /etc/rc1.d”
Enter "ln -s ../init.d/telnetd  K15telnetd"
Enter “cd /etc/rc6.d”
Enter "ln -s ../init.d/telnetd  K15telnetd"
NOW, this next directory uses a little different syntax, it is S15telnetd;  ("S" for Start)
Enter “cd /etc/rc5.d”
Enter "ln -s ../init.d/telnetd  S15telnetd”
Enter "sync"
=====

Then, if you reboot/repower, you should come up able to login via telnet.  If you can do that, you can upgrade.
You could also at that point down-grade to 1.2.9.2, do the changes, and then upgrade to the latest.
The main key is that you want normal telnet access, and THEN try to do the update.
Another user also mentions that he had to use the nsp_data_b file from @myexige in post #748,
and not the one that I used from the actual 1.2.8.1 firmware.   It worked for me just fine, but if yours
does not, you could try the file from post 748.

Neal

[Decibel123]

Hi Neal & others,

I started today. Put the file on a USB stick (Double checked that the stick was ok). Load the file telnet_11201.ADS. It was loaded till 60%. Then it stops.
Wait for 15 minutes. No progress. Escape etc. did'nt work. Every button i pressed gave the message: Please wait for the upgrade to complete.
With putty no telnet access. Ping was ok.
So the only possibility was to power cycle.

Luckely, it came back up to normal. Tried again telnet, no result.

Downgraded to version V1.2.9.1
ping worked. Again no telnet access.
Did run again  file telnet_11201.ADS. Still no telnet.

I'm puzzelded. I believe that there is something done to prevent us from hacking 

Any suggestions are appriciated.

Thanks,

Herman.

[tv84]

  The telnet ADS is supposed to hang. You should telnet while it is hanged.

[Decibel123]

Really thanks!

It works!

After running the script and starting putty I used port 23 (not 10101) end pressed several times enter. Then the telnet session was established 
Then I did exactly what Neal did summerizing in his post.
The ./ecomb8 script however failed.

I followed port 800 to create sym link S15telnetd in /etc/rc5.d pointing to /etc/init.d/telnetd
Then did run ./ecomb8 again & then everything updated as expected.

Rgds,
Herman.

 

[kakeller1]

Hi tv84,

I unzipped the file SSA3000X_NAND_dump.zip and ran the ADS update
on my new SSA3021X running 1.2.9.3a.
It ran and then dumped 12 files successfully, as reported by the SSA3KDMP.log file. All files are non-zero and contain something.
Now my unit is bricked.
The power button is lit, as well as the TG and MODE buttons.
There is nothing on the display.
Is there any recovery other than trying to send it in?

[tv84]

@kakeller1,

I don't know what is happening...     But other members have said the same.

For that reason I had already deleted my post where I shared the file.

The script that does the NAND dump (which is inside the .ADS) is attached. So you can see it seems peaceful.

Don't know if it is something with the latest FW units, NAND or something.

I think many guys have used in the script in the past without problems.

My best hint is to try get UART access to see the booting log and try to see the error.  (but this involves opening the machine) 

[olc]

Hi!

Given the problems faced by some users when applying the .ADS, is it possible to alternatively upgrade/convert the SSAX+ via UART (assuming machine is open, of course)? I think it is but I'd prefer to have confirmation in order to ease my buying decision.

Thanks in anticipation!

--
Olivier