Author Topic: Hack of Sigllent spectrum analyzer ssa3021X?  (Read 407862 times)

0 Members and 2 Guests are viewing this topic.

Offline fact

  • Contributor
  • Posts: 35
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #225 on: January 05, 2017, 07:15:32 pm »
@KeBeNe
The tool transforms the ADS in a crippled zip where some files have invalid CRC's making it impossible to extract these files.
I'm looking for a way to get all files from the ADS like janekivi's zip file allows.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #226 on: January 05, 2017, 07:20:37 pm »
You could always drill a hole in the side for access. The sticker remains undamaged that way.  :)
Once video card broke in desktop computer. After removing side grill for cpu fan and
unscrewing psu 4 screws I managed to get it out without scratch on sticker...

Edit -> Sorry, was wrong url before:
Here is older firmware V100.01.02.07.07.zip firmware
--------------------------------------------------------

About those things we talk here:
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/
« Last Edit: January 07, 2017, 11:41:59 am by janekivi »
 
The following users thanked this post: videobruce, fact

Offline fact

  • Contributor
  • Posts: 35
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #227 on: January 05, 2017, 07:49:36 pm »
The link in your last post also points to 8.01.
 
The following users thanked this post: kado

Offline lz1pro

  • Newbie
  • Posts: 8
  • Country: bg
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #228 on: January 06, 2017, 03:45:17 pm »
Hi,
Is there anyone in the forum with firmware 7.07?

Regards,
Yanko
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28139
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #229 on: January 06, 2017, 06:33:19 pm »
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #230 on: January 06, 2017, 06:47:51 pm »
@tautech: Lz1pro is of course looking for someone with P07.07 installed, so that a flash dump can be made.

Regards,
Vitor

Offline Johncanfield

  • Regular Contributor
  • *
  • Posts: 62
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #231 on: January 06, 2017, 09:41:22 pm »
Just received my 3021X yesterday  :-+. Saelig just received a shipment about a week ago and they put one on the truck for me the same day. This one is pretty fresh - just calibrated 13 December.
 

Offline bozidarms

  • Regular Contributor
  • *
  • Posts: 175
  • Country: at
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #232 on: January 07, 2017, 08:53:03 am »
Welcome to the club, Johncanfield.
Have a pleasant time, with this wonderful instrument.
Regards
 
The following users thanked this post: Johncanfield

Offline ebclr

  • Super Contributor
  • ***
  • Posts: 2328
  • Country: 00
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #233 on: January 07, 2017, 09:05:11 am »
Found on amazing terminal

http://mobaxterm.mobatek.net/

Another SSA3021X upgraded sucessfull
« Last Edit: January 07, 2017, 09:30:35 am by ebclr »
 
The following users thanked this post: nugglix

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28139
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #234 on: January 07, 2017, 07:08:10 pm »
Found on amazing terminal

http://mobaxterm.mobatek.net/

Another SSA3021X upgraded sucessfull
Firmware version ?
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline ebclr

  • Super Contributor
  • ***
  • Posts: 2328
  • Country: 00
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #235 on: January 08, 2017, 01:37:12 am »
07.03.00
 
The following users thanked this post: tautech

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28139
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #236 on: January 08, 2017, 02:10:49 am »
07.03.00
Thanks, that's quite an early one. The later ones are here:
http://www.siglentamerica.com/gjjrj.aspx?id=15&page=1
8.01 is the version that attempts to restrict FW downgrade and improvements.
Check the "More Information" tabs and info in this thread before you select a version that you'd consider installing.

Enjoy.  ;)
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline ExplodingLemur

  • Newbie
  • Posts: 6
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #237 on: January 08, 2017, 02:37:30 am »
I've got 8.01 installed on mine (just arrived today), and I've been looking at the 8.01 upgrade image scripts to see what I'd need to do to back this out to a prior version.  However I'm unable to mount the root filesystem as RW:
Code: [Select]
root@am335x-evm:/usr/bin/siglent# mount rootfs -o remount,rw
mount: mounting rootfs on / failed: Bad message

/proc/mounts shows:
Code: [Select]
rootfs / rootfs rw 0 0
ubi0:rootfs / ubifs ro,relatime 0 0

I'm guessing there's a u-boot option that flags the root partition as read-only?
Aha, looks like that's set at boot, with
Code: [Select]
console=ttyO0,115200n8 quiet root=ubi0:rootfs ro ubi.mtd=7,2048 rootfstype=ubifs rootwait=1t ip=none (visible in /proc/cmdline)

So, I'm not too familiar with u-boot, and even less so with UBIFS on top of UBI on top of MTD.  I've just tried attaching another UBI device to the U-Boot and U-Boot Env MTD devices with no luck.
Code: [Select]
root@am335x-evm:/etc# ubiattach -p /dev/mtd4ro -d 3
ubiattach: error!: cannot attach "/dev/mtd4ro"
           error 22 (Invalid argument)
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4064
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #238 on: January 08, 2017, 09:01:01 am »
I've got 8.01 installed on mine (just arrived today), and I've been looking at the 8.01 upgrade image scripts to see what I'd need to do to back this out to a prior version.

Why?????

Why you do not just use original genuine FW8.01 in "super mode"?
Much less any risk.
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline DL4RAJ

  • Contributor
  • Posts: 32
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #239 on: January 08, 2017, 10:30:23 am »
I've got 8.01 installed on mine (just arrived today), and I've been looking at the 8.01 upgrade image scripts to see what I'd need to do to back this out to a prior version.

Why?????

Why you do not just use original genuine FW8.01 in "super mode"?
Much less any risk.

That's exactly what I'm asking myself since a while.
Why are people with FW8.01 messing around with downgrade efforts braking possibly the OS of the SSA
instead of make use of the super simple and safe modification into "super mode"
which Turbo Tom has provided in this thread??
Nothing could be easier and it is easily reversible.

Regards

 

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #240 on: January 08, 2017, 11:42:25 am »
Hi,


(1) Flash backup

@ebclr: Would you be willing to do a backup of your three partitions (ubi0_0, ubi1_0 and ubi2_0, which correspond to rootfs, usr and firmware0)?

All you need to do is:

1) telnet to your SSA
2) insert a USB disk
3) execute these three commands:
dd if=/dev/ubi0_0 of=/usr/bin/siglent/usr/mass_storage/U-disk0/ubi0_0-P0703.img
dd if=/dev/ubi1_0 of=/usr/bin/siglent/usr/mass_storage/U-disk0/ubi1_0-P0703.img
dd if=/dev/ubi2_0 of=/usr/bin/siglent/usr/mass_storage/U-disk0/ubi2_0-P0703.img

@all: It would be great to have these backups for P07.07, so please, if anyone has P07.07 installed, can you do such backup?

(2) Flash

@all: The filesystems used by the SSA reside on a flash memory chip. There are three partitions: the rootfs partition with the OS, the usr partition with the ecomb file amongst other and the firmware0 partition.

My guess to why some SSA broke was this:

a) The user replaced ecomb from P08.08 with ecomb from P07.07.
b) The user run the P07.07 upgrade, because this ecomb will accept the firmware update script of P07.07 - before P0.08 there was no downgrade check.
c) The SSA got broke. Why? Because the P07.07 just assumed that the partition size for UBI1_0 and UBI2_0 were correct (they never changed before). So, without resizing the rootfs (UBI0_0) partition, the usr and firmware0 partition are flashed starting from the WRONG flash memory address, thus effectively overwriting part of the rootfs!

Stupid but easy mistake...

(3)

@ExplodingLemur:

You are heading on fast lane to brick your SSA!

I think that the only way to downgrade to P07.07 is by writing a modified upgrade script, which uses the flash memory address of P07.07 to make sure, all partitions are correctly resized. The problem is, that I am not sure if the correct flash address is known/written in former upgrade batch files, because apparently it used to be the same. This is all guesses I am doing.

So, first of all, we need to figure out the memory organisation of the flash file to then edit the siglent.sh and edit the memory addresses.

Also, we need a copy of the P07.xx rootfs partition, which seems to be missing in the P07.xx fimrware upgrade - or - we need to disable the check that verifies if that partition needs upgrade.

(4)

@all: The question is: but WHY? Why do people want to downgrade, if there is a fully working hack for P08.01?

Answer: the next firmware might have all holes closed and be not hackable - would be nice to have a plan B then!

And then, this thread is about hacking: hacking is fun and insteresting and there might be no other reason...

Regards,
Vitor
« Last Edit: January 08, 2017, 11:47:12 am by Bicurico »
 

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1388
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #241 on: January 08, 2017, 01:46:42 pm »
As it appears, the /dev/ubi?_? devices are not the raw file systems, moreover they are not the complete contents of the NAND. I rather recommend to make 13 images of the /dev/mtdblock0 ... /dev/mtdblock12 devices in order to have a backup of the complete NAND with (from the O/S) hidden partitions and such.

Usage / Purpose of the NAND Flash Partitions in Siglent SSA3000X F/W 8.01

Device No.    | Size kByte  | Usage
----------------+---------------+------------------------------------------------------------------------
mtdblock0    | 128             | MLO (Memory Locator, X-Loader -- first file to be accessed during boot)
mtdblock1    | 128             | 1st copy of MLO
mtdblock2    | 128             | 2nd copy of MLO
mtdblock3    | 128             | 3rd copy of MLO
mtdblock4    | 1920           | U-Boot image
mtdblock5    | 128             | U-Boot environment / not used currently
mtdblock6    | 3072           | Siglent boot logo
mtdblock7    | 44032         | root F/S (ubi0_0)
mtdblock8    | 6144           | Linux Kernel Image
mtdblock9    | 6144           | ???FPGA Configuration???
mtdblock10  | 51200         | FIRMDATA0 (ubi2_0 -- /usr/bin/siglent/firmdata0 )
mtdblock11  | 51200         | FIRMDATA1 / not used currently
mtdblock12  | 97792         | DATAFS (ubi1_0 -- /usr/bin/siglent/usr )


So to modify Bicurico's first paragraph, please let me suggest to do the following steps:

_________

1) telnet to your SSA
2) insert a USB disk
3) execute these commands (sorry, more than three...):
ps
  - now look for the process number of ecomb (it's the first number in the line that ends with ./ecomb, say it's 723)
kill 723 (or whichever process number your ecomb instance had assigned)

dd if=/dev/mtdblock0 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock0-P0703.img
dd if=/dev/mtdblock1 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock1-P0703.img
dd if=/dev/mtdblock2 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock2-P0703.img
dd if=/dev/mtdblock3 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock3-P0703.img
dd if=/dev/mtdblock4 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock4-P0703.img
dd if=/dev/mtdblock5 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock5-P0703.img
dd if=/dev/mtdblock6 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock6-P0703.img
dd if=/dev/mtdblock7 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock7-P0703.img
dd if=/dev/mtdblock8 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock8-P0703.img
dd if=/dev/mtdblock9 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock9-P0703.img
dd if=/dev/mtdblock10 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock10-P0703.img
dd if=/dev/mtdblock11 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock11-P0703.img
dd if=/dev/mtdblock12 of=/usr/bin/siglent/usr/mass_storage/U-disk0/mtdblock12-P0703.img

sync

shutdown -r now

_________

The advantage of having the mtdblock images is that they can be directly re-written to the NAND from the U-Boot shell in case a file system is really messed up. I'm not sure if this is directly possible with the ubi images.
I hope this makes sense...

Cheers,
Thomas
 

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #242 on: January 08, 2017, 02:07:20 pm »
Thanks TurboTom.

Indeed I am not that literate when it comes to filesystems...
...and their backup by means of dd.

It would be great to find a way to reflash this backup without having to open the SSA, hence avoiding any warranty loss.

I am not sure if that is possible: how to access the U-boot shell through ethernet? Is there any secret key-combination on power-up?

Regards,
Vitor

Offline TurboTom

  • Super Contributor
  • ***
  • Posts: 1388
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #243 on: January 08, 2017, 03:03:24 pm »
I don't think it would be possible to interrupt U-Boot without opening the SSA's enclosure. That is, unless Siglent utilized the unused contacts of the RJ45 100 base T interface (which are four) to route the UART interface outside (on some Hantek gear it is arranged that way). But anyway, in order to make a file system image available to U-Boot, the box has to be opened since U-Boot doesn't provide a driver for a USB disk. This is only possible via the internal Micro SD card slot (or the UART interface, but that's less comfortable and takes ages).

There are instructions in many threads how to remove a warranty void sticker without breaking it, i may add that application of a moderate amount of heat (hair dryer or the like) can make a big difference.

So in my opinion, opening the box is a real no-brainer, and an individual, before tampering with these instruments, always has the choice to pay for the added functionality without risking warranty (okay 1Hz and 3MHz RBW cannot be licensed from Siglent). Whenever I'm playing around with one of my "gadgets", I'm completely aware of the small risk of bricking it and if it happens, it's in my own responsibility and nobody else's. So if the warranty void sticker gets damaged, then losing the warranty is simply the price you have to pay for hacking... A fair deal I would say.

Cheers,
Thomas

 

Offline fact

  • Contributor
  • Posts: 35
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #244 on: January 08, 2017, 03:10:31 pm »
For people suffering a bricked 8.01 SSA (like me), it would be nice to have these mtdblock images too for 8.01.
So if anyone is up to it.......
 

Offline Johncanfield

  • Regular Contributor
  • *
  • Posts: 62
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #245 on: January 08, 2017, 03:21:42 pm »
Just received my 3021X yesterday  :-+. Saelig just received a shipment about a week ago and they put one on the truck for me the same day. This one is pretty fresh - just calibrated 13 December.
I'm surprised mine left the factory with 7.03 firmware. I suppose I should not upgrade in case I get brave enough to hack it.
 
The following users thanked this post: PartialDischarge

Offline Emo

  • Regular Contributor
  • *
  • Posts: 129
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #246 on: January 08, 2017, 04:25:17 pm »
Johncanfield,

Are you sure you have FW 7.03 and not HW 7.03? in the image in your earlier post it says SW 1.2.8.1 = FW 8.01
 
The following users thanked this post: Johncanfield

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28139
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #247 on: January 08, 2017, 06:21:08 pm »
Johncanfield,

Are you sure you have FW 7.03 and not HW 7.03? in the image in your earlier post it says SW 1.2.8.1 = FW 8.01
Quite correct Emo, it's an easy mistake to make. John's is indeed loaded with 8.1.
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline Johncanfield

  • Regular Contributor
  • *
  • Posts: 62
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #248 on: January 08, 2017, 07:48:48 pm »
Ah-so. I originally thought HW meant hardware so I was correct.  Oh well.  :palm:
 

Offline jobber

  • Newbie
  • Posts: 9
  • Country: ru
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #249 on: January 09, 2017, 08:29:49 pm »
Hey all!

Let me just quickly recap my story about bricked SSA. I have sent it back for repair (under warranty) and received it upgraded to the latest version and fully unlocked! ;D It looks like they only flashed the faulty partition and left the user data intact. I am not sure if they didn't notice the modifications or they just let me go with it.  I would recommend anyone with bricked device that is still under warranty to try and send it back. It could be the easiest solution.

Successful hacking in 2017!
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf