Siglent SDS1104X-E Hack to 200Mhz， and full options ?

[jtruc34]

Well, I'm requesting your help, because I tried the steps Gege34 suggested on my SDS1104X-E, and when I tried to dump the memory on the USB key, nothing happened. What am I doing wrong?

At the end of your command line add ";sync" without quotes.

I've just tried it, and it didn't change anything...

[Gege34]

Try this command SHELLCMD telnetd -l/bin/sh -p9999
And open a telnet application to your Siglent IP (root shell without password)
And list all device with ls /usr/bin/siglent/usr/mass_storage
to see if you have the U-disk0 or other thing.
And you can try the dump command in this telnet cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

[jtruc34]

When I telneted it, it requested a login, I wrote root, and I just pressed enter when it requested the password. It then said incorrect password.

[tv84]

Using that way, you must telnet to port 9999 !!!

[jtruc34]

If I type telnet <ip> 9999, it says "Impossible to connect to the host, on the port 9999." It works if I don't specify any port. Until I have to enter the login and the password, of course...

[tv84]

If I type telnet <ip> 9999, it says "Impossible to connect to the host, on the port 9999." It works if I don't specify any port. Until I have to enter the login and the password, of course...

That means that your SHELLCMD is not taking effect. Please re-study the matter and try again.

[Gege34]

Also check if you have a firewall rule on your network router.

[jtruc34]

Also check if you have a firewall rule on your network router.

Since I was connecting the scope to a wireless access point created on my computer, I just deactivated temporarly the firewall of my computer, and it still didn't work.

That means that your SHELLCMD is not taking effect. Please re-study the matter and try again.

Since I really haven't got any experience in the subject, I really don't know what to do. What could I study, what changement could I make? Shouldn't your unit be the same as mine?

By the way, thank you for your help.

[rf-loop]

It works if all is ok including your network connection with scope

Most easy and reliable is direct connection from PC lan port to scope lan port (this is totally hassle free)
Direct or cross, not need care in modern systems.

This is just only example. You can use different IP setting what is ok in your system and for you. This 222.222.222.222 was just because I can remember it with my vintage memory and it is fast to write.

1.a Conf your scope IP settings and press save. (I do even reboot, perhaps not need but least some old system need it) (image)

1.b Conf your PC for fixed IP with settings as scope.  (not image because it depends your system)

2. Open PC web browser and give this IP address, just plain IP and nothing else. (image)
(scope responds with its internal server)
Send command as in image

3.  Open: PuTTYtel  (for avoid hassle this is one of most reliable without this and that traps)
(never ever use wondows own crapjunkshit telnet)
Write IP and this port
Push Open

4. next you see this window and  / #

5. you can command it and now. Do not try this and that and oops method... do not enter what you do not really know or what is not perfectly right typed - copied  from true reliable source. one mistake and... all want believe this never happen.

[jtruc34]

Well, it finally worked. The only error was to use EasyScopeX, that apparently doesn't handle SHELLCMD. Being connected in WLAN using a wireless access point works. I used telnet from Windows and it worked very well. In fact, I don't need to anymore, because SHELLCMD apprently works.

Thank you for your help anyway!

[ScottW]

I got my 1104x-e a few days ago.  It came with firmware 8.1.6.1.26.  I had no trouble using SHELLCMD to create the memory dump, and no trouble identifying the keys via hex editor.  (I did not actually use any of the keys; I just recorded them for future use.)

Today I installed latest firmware, 6.1.33, released 2019-05-23 (yesterday).  With the new firmware, using SHELLCMD to create memory dump does nothing (no file created).  Also the SHELLCMD to start telnetd on p9999 seems to do nothing (attempt to connect via telnet client subsequently fails).

I'm assuming the codes I harvested from 6.1.26 are still valid, but unsure whether the SCPI MCBD command still works (have not tried it).

Perhaps I'm doing something wrong, but it looks to me like 6.1.33 disables the SCPI SHELLCMD, or at least blocks access the /dev/mem and telnetd.  Can anyone else confirm?

[tv84]

Today I installed latest firmware, 6.1.33, released 2019-05-23 (yesterday).  With the new firmware, using SHELLCMD to create memory dump does nothing (no file created).  Also the SHELLCMD to start telnetd on p9999 seems to do nothing (attempt to connect via telnet client subsequently fails).

Confirmed.

SHELLCMD is no more.

MCBD still exists.

Well, maybe it's time for a .ADS to do the memdump... 

[vtwin@cox.net]

Confirmed.
SHELLCMD is no more.

Well, that's not shocking. You know it was just a matter of time before they closed that loophole.

Larger question would be whether or not it is possible to "downgrade" to an older version of the firmware and re-gain SHELLCMD access.

[ScottW]

Larger question would be whether or not it is possible to "downgrade" to an older version of the firmware and re-gain SHELLCMD access.

The answer is.... YES.  I was able to flash back (down) to 6.1.26 successfully and SHELLCMD again works.

[ewaller]

SHELLCMD is no more.

MCBD still exists.

Well, maybe it's time for a .ADS to do the memdump... 

Well, that is too bad.  I use it to allow me to use NTP to set the clock, among other reasons aside from obtaining memory dumps.   I suppose I could just stay with the version I have.    But, I wonder if a .ADS could be crafted to open a telnet port?  Unless they have munged Bash or telnetd, it should work.   Would you be interested in working on that with me?


Edit:  I just checked the Siglent America website and checked the release notes.  It looks like they have been busy fixing bugs and adding features; stuff that makes upgrading worthwhile.  Funny thing, they don't mention disabling SHELLCMD on the release notes 

[plurn]

...
Today I installed latest firmware, 6.1.33, released 2019-05-23 (yesterday). ...

... it looks to me like 6.1.33 disables the SCPI SHELLCMD, or at least blocks access the /dev/mem and telnetd. ...

Thanks for finding this out. I wonder if sales of SDS1104X-E will plummet now that Siglent is trying to discourage hacking, rather than ignoring it.

[tinhead]

... now that Siglent is trying to discourage hacking, rather than ignoring it.

they can close every hole, if the wish, at any time. All they did is to disable general security hole (open telnet, no auth to get telnet).
But as one can still downgrade (which need physical access to SDS, which is then not a security hole by definition), which is sufficient for all buyers to hack it, we still save.

[Performa01]

Last December, there has been quite some agitation regarding network security of Siglent oscilloscopes (SDS1202X-E in that particular case). Sec Consult, a company who makes their living by finding security holes in computer systems, treated a cheap entry level lab instrument (which will usually be connected to an isolated local network only, if at all) the same way as a computer that is connected to the public internet.

The forum community here acted cool and stayed calm - except for the usual Siglent bashers - just because it's a non-issue if the instrument is properly used and then the majority of test gear out there (no matter how expensive) have similar vulnerabilities.

Nevertheless, the Sec Consult article has been spread in many online media and Siglent had to respond somehow, promising to raise the security level on their devices. This is why it has been decided to close the all too obvious and all too easily accessible backdoors.

At the same time, this latest firmware also deals with a valid complaint by serveral users and increased the max. length of the WiFi WPA2 PSK Key to 63 characters.

I can assure you that Siglent doesn't give a 2nd thought about students and hobbyists hacking their gear and they are not willing to put any effort in preventing that, but the bad press because of the network security issue just could not be ignored and thus had to be addressed.

[Rerouter]

The SHELLCMD was more of a potential root exploit, so not a bad thing it was removed, (there are still ways in, they just now require physical access) It would be like any other networked device being able to run at root with no authentication.

I suspect I was part of the reason why that command was dragged to the surface, and may have lead to it being published against, If so, I do apologize Performa01, Not being infosec, waving a flag that says here is a command that will run arbitary code as Root was not my first though. more hunting for bode plot controls before I found the command to just press the buttons, and because there is no online updating, that possibility is nicely closed off.

[Performa01]

The SHELLCMD was more of a potential root exploit, so not a bad thing it was removed, (there are still ways in, they just now require physical access) It would be like any other networked device being able to run at root with no authentication.

I suspect I was part of the reason why that command was dragged to the surface, and may have lead to it being published against, If so, I do apologize Performa01, Not being infosec, waving a flag that says here is a command that will run arbitary code as Root was not my first though. more hunting for bode plot controls before I found the command to just press the buttons, and because there is no online updating, that possibility is nicely closed off.

No worries!

SEC Consult discovered the vulnerabilities in the middle of 2018 already - I think that was long before the SHELLCMD method was published here. And then it was about the SDS1202X-E, which did not have neither an integrated webserver nor WiFi (at least back at that time).
Half a year later, SEC Consult published their findings, because Siglent failed to respond properly (to their liking) in time. After that, Siglent was forced to do something about it, i.e. promised to close the identified security threats with the next firmware update. So you certainly need not feel bad or guilty - like you and others have said, it's not a bad thing to close backdoors that can actually be remote accessed over the LAN.

[plurn]

Ok. So I have figured out a quite easy method to set up a SDS1104X-E on previous firmware *.*.6.1.26, to have password free shell access on port 9999 that survives an upgrade to 6.1.33. So I can enable shell access on 6.1.33.

Not sure I should post it here publicly now as it would be very easy to block in next update. I suppose we could pass it around by private message but that could be a hassle. What do you think - post it publicly or private message?

Also just as an aside, my 200MHz upgrade applied by licence key is still active in 6.1.33.

[boblatino]

Hi @Gege34, I was able to get the keys and activate all the options with the dump on my SDS1104X-E but what I found is that before the activation keys it shows 200M instead of 100M (which is what my scope is supposed to be). Does that imply that mine came already activated as a 200Mhz scope? Should I try to enter the key to change the BW?

Thanks

[Gege34]

The activated option is show two time. So if you see 200 two time, it means you have the 200MHz option activated.
Whatever the result, you can try the BW without problem.

[dalhend]

Ok. So I have figured out a quite easy method to set up a SDS1104X-E on previous firmware *.*.6.1.26, to have password free shell access on port 9999 that survives an upgrade to 6.1.33. So I can enable shell access on 6.1.33.

Not sure I should post it here publicly now as it would be very easy to block in next update. I suppose we could pass it around by private message but that could be a hassle. What do you think - post it publicly or private message?

Also just as an aside, my 200MHz upgrade applied by licence key is still active in 6.1.33.

Hi Plurn... I'd like to here of your 6.1.33 workaround to the shellcmd issue.....  Please email me, if you feel that's best...

First post, and BTW I also thank everyone for the hints and tips to get the 1104 upgraded.  I was sidetracked along the way, but eventually focused on this and was successful.

[plurn]

Hi Plurn... I'd like to here of your 6.1.33 workaround to the shellcmd issue.....
...

details supplied via personal message.