Siglent SDS1104X-E Hack to 200Mhz， and full options ?

[S.Garrix]

I have two Siglent 1104x-e in my lab, and noticed the thread：https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/825/
and in Reply #785 @ian.ameline “upgraded” the SDS1104X-E to 200Mhz, Rf loop confirmed
thanks to Ian and rfloop,  I patch the OS update so that the root password is known, and had one of my SDS1104X-E upgraded to 200Mhz ,
1. patch the OS update , set password
2. Connect SDS1104X-E by telnet.
3. Input command "mount -o remount,rw,sync /usr/bin/siglent/firmdata0".
4. Input command "rm /usr/bin/siglent/firmdata0/bandwidth.txt".
5. Restart the scope.         

!!Update for commands
 by the exact same way I also got MSO,AWG, WIFI full options
Step 4,  command "rm /usr/bin/siglent/firmdata0/options_mso_times.txt".
"rm /usr/bin/siglent/usr/usr/options_mso_times.txt"
         "rm /usr/bin/siglent/firmdata0/options_awg_times.txt"
"rm/usr/bin/siglent/usr/usr/options_awg_times.txt"
"rm /usr/bin/siglent/firmdata0/options_wifi_times.txt"
"rm /usr/bin/siglent/usr/usr/options_wifi_times.txt"

Not sure if Siglent will close the door or not

[innkeeper]

unless someone sees fault with this, id use an mv (move) command to move it to a new name or place instead of rm (remove) in case you ever needed to put it back.

[GregDunn]

Yes, definitely do not remove the files - suppose Siglent requires them to be present for an OS or firmware upgrade at some future time?  You'd have to restore them from your backup (you did make a backup, right?).   

[tubularnut]

The files only contain the text "30" , if you still have the 30 remaining times.

However, it didn't work for me, either by renaming the files (mv) or deleting them.

As a note there are also 3 copies in the folder "/usr/bin/siglent/usr/usr" which get recreated if you rename or delete them.

[GregDunn]

Those files don't even exist on my scope in the firmdata0 directory...  and I can confirm that renaming the files in /usr/bin/siglent/usr/usr doesn't work.

[BillB]

Those files don't even exist on my scope in the firmdata0 directory...  and I can confirm that renaming the files in /usr/bin/siglent/usr/usr doesn't work.

Hmmm...

Code: [Select]

/usr/bin/siglent/firmdata0 # ls -l
total 140
-rw-r--r--    1 root     root           241 Jan  1 00:33 NSP_system_info.xml
-rw-r--r--    1 root     root            63 Jan  1 00:00 NSP_trends_config_info.xml
--wxr-Sr--    1 root     root          7012 Jan  1 00:31 acq_quick_cal_factory.bin
-rwxrwxrwx    1 1000     1000          7688 Aug 21  2017 acq_self_cal_user.bin
-rwxrwxrwx    1 1000     1000          7448 Jan  1 00:15 acq_self_factory_cal.bin
-rwxrwxrwx    1 1000     1000            16 Jan  1 00:00 bandwidth.bak
-rwxrwxrwx    1 root     root         52916 Jan  1 00:00 factory_setting.xml
---sr----x    1 root     root            20 Jan  1 00:23 options_awg_cfg.bin
---sr----x    1 root     root            20 Jan  1 00:23 options_awg_license.txt
-------r-x    1 root     root            10 Jan  1 00:00 options_awg_times.txt
-rwx--sr-T    1 root     root            20 Jan  1 00:21 options_mso_cfg.bin
-rwx--sr-T    1 root     root            20 Jan  1 00:21 options_mso_license.txt
------x---    1 root     root            10 Jan  1 00:00 options_mso_times.txt
--ws--x---    1 root     root            20 Jan  1 00:25 options_wifi_cfg.bin
--ws--x--x    1 root     root            20 Jan  1 00:25 options_wifi_license.txt
-------r-x    1 root     root            10 Jan  1 00:00 options_wifi_times.txt
-rwxrwxrwx    1 1000     1000            16 Jan  1 00:00 pro_filter_cfg.bin
-rw-r--r--    1 root     root          3320 Jan  1 00:00 sys_cfg.cfg
-rwxrwxrwx    1 1000     1000            67 Aug 21  2017 version.txt
-rw-r--r--    1 root     root             5 Jan  1 00:00 whoami.txt
/usr/bin/siglent/firmdata0 #

This is with the both the latest firmware and OS updates: 7.1.6.1.25R2
 

[GregDunn]

Code: [Select]

/usr/bin/siglent/firmdata0 # ls -l
total 100
-rw-r--r--    1 root     root           241 Jan  1 00:02 NSP_system_info.xml
-rw-r--r--    1 root     root            63 Jan  1 00:00 NSP_trends_config_info.xml
--wxr-Sr--    1 root     root          7012 Jan  1 00:31 acq_quick_cal_factory.bin
-rwxrwxrwx    1 1000     1000          7688 Sep 18  2017 acq_self_cal_user.bin
-rwxrwxrwx    1 1000     1000          7448 Jan  1 00:05 acq_self_factory_cal.bin
-rwxrwxrwx    1 1000     1000            16 Jan  1 00:01 bandwidth.bak
-rwxrwxrwx    1 root     root         52916 Jan  1 00:00 factory_setting.xml
-rwxrwxrwx    1 1000     1000            16 Jan  1 00:01 pro_filter_cfg.bin
-rw-r--r--    1 root     root          3320 Jan  1 00:00 sys_cfg.cfg
-rwxrwxrwx    1 1000     1000            67 Sep 18  2017 version.txt

Very interesting...  7.1.6.1.25 R2 here too.

[SMB784]

Code: [Select]

/usr/bin/siglent/firmdata0 # ls -l
total 100
-rw-r--r--    1 root     root           241 Jan  1 00:02 NSP_system_info.xml
-rw-r--r--    1 root     root            63 Jan  1 00:00 NSP_trends_config_info.xml
--wxr-Sr--    1 root     root          7012 Jan  1 00:31 acq_quick_cal_factory.bin
-rwxrwxrwx    1 1000     1000          7688 Sep 18  2017 acq_self_cal_user.bin
-rwxrwxrwx    1 1000     1000          7448 Jan  1 00:05 acq_self_factory_cal.bin
-rwxrwxrwx    1 1000     1000            16 Jan  1 00:01 bandwidth.bak
-rwxrwxrwx    1 root     root         52916 Jan  1 00:00 factory_setting.xml
-rwxrwxrwx    1 1000     1000            16 Jan  1 00:01 pro_filter_cfg.bin
-rw-r--r--    1 root     root          3320 Jan  1 00:00 sys_cfg.cfg
-rwxrwxrwx    1 1000     1000            67 Sep 18  2017 version.txt

Very interesting...  7.1.6.1.25 R2 here too.

Have you also installed the latest software update?

[GregDunn]

I installed the latest versions from Siglent's website as soon as I verified the scope was running properly:

SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.05.18 )
SDS1004X-E Operating System -V1 (Only For 4-Channel ) (Release Date 06.26.18 )

That's 7.1 (OS).6.1.25R2 (firmware), as I indicated, right?

[innkeeper]

7.1.6.1.25 R2 here too - similar - no mso,wifi,awg configs
and i did install and run the latest software - EasyScopeX – 100R001B02D01P20 (Release Date 06.07.18 ) (if that's what your referring to)
is there a newer os image we should be using?

Code: [Select]

/usr/bin/siglent/firmdata0 # ls -l
total 112
-rw-r--r--    1 root     root           241 Jan  1 00:00 NSP_system_info.xml
-rw-r--r--    1 root     root            63 Jan  1 00:00 NSP_trends_config_info.xml
--wxr-Sr--    1 root     root          7012 Jan  1 00:32 acq_quick_cal_factory.bin
-rwxrwxrwx    1 1000     1000          7688 Sep 18  2017 acq_self_cal_user.bin
-rwxrwxrwx    1 1000     1000          7448 Jan  1 00:12 acq_self_factory_cal.bin
-rwxrwxrwx    1 1000     1000            16 Jan  1 00:01 bandwidth.bak
-rwxrwxrwx    1 root     root         52916 Jan  1 00:00 factory_setting.xml
-------r-x    1 root     root            10 Jan  1 00:00 options_awg_times.txt
------x---    1 root     root            10 Jan  1 00:00 options_mso_times.txt
------x---    1 root     root            10 Jan  1 00:00 options_wifi_times.txt
-rwxrwxrwx    1 1000     1000            16 Jan  1 00:01 pro_filter_cfg.bin
-rw-r--r--    1 root     root          3320 Jan  1 00:00 sys_cfg.cfg
-rwxrwxrwx    1 1000     1000            67 Sep 18  2017 version.txt
/usr/bin/siglent/firmdata0 #


[GregDunn]

Are you suggesting that (for example) he has a wifi adapter plugged in, and set it up in the options?  Mine won't let me configure any of those options because the hardware is not attached; nonetheless, the temp licenses still show up on it:

[GregDunn]

Agreed.

[tautech]

Are you suggesting that (for example) he has a wifi adapter plugged in, and set it up in the options?  Mine won't let me configure any of those options because the hardware is not attached; nonetheless, the temp licenses still show up on it:

Correct.

The option HW modules at substantial extra cost so it's debatable that you need MSO and AWG permanent licensing whereas the WiFi HW is cheap at acquire. Just to do Bode plot no licensing at all is required.

BTW, see how your ch 3 and 4 0V position indicators are the same but the traces are not......means you need to run the Auto Cal.

[kerouanton]

The option HW modules at substantial extra cost so it's debatable that you need MSO and AWG permanent licensing whereas the WiFi HW is cheap at acquire. Just to do Bode plot no licensing at all is required.

Agreed. I don't see the point of having to activate options that require a specific, proprietary hardware. I ordered the SLA1016 and just received the license code to activate the software option. It seems obvious this option is totally useless without the hardware, which embedds a FPGA, buffer memory chips and probably another ARM processor to manage the whole. So the activation should simply be done by plugging the corresponding hardware (which has its own serial number).

Btw, since I managed to telnet into my 1104X-E and make full backups today, before and after activating the MSO option, it may be interesting to have a look at the changes on those backup files.

[S.Garrix]

what I can see after resetting is all option times back to 30 times

[ian.ameline]

You could try putting a larger number than "30" into those files. Try "32767" or "65535" or if you are feeling adventurous, "2147483647"
(2^15-1, 2^16-1 and 2^31-1)

 

[timgiles]

When I edit the options - it opens in vi as read only. What am I doing wrong?

[SMB784]

You could try putting a larger number than "30" into those files. Try "32767" or "65535" or if you are feeling adventurous, "2147483647"
(2^15-1, 2^16-1 and 2^31-1)

Does anyone know if this worked?

[ian.ameline]

When I edit the options - it opens in vi as read only. What am I doing wrong?

You need to remount as read/write

(Search the ads forum for "remount" for the form of the command)

[timgiles]

Thanks, Ill come back to the thread in the morning once I have a second bite of the sav!

[TheNewLab]

I want to do the MSO hack, and attempt to design my own hardware unit. What I have heard is the SLA1016 is nothing to write home about. For $200, my thought is why not make my own hardware unit to experiment/play around with?

Only I noticed above something about a serial number inside the SLA1016 that helps activate the feature on the scope?

What type of programming do I learn to try and encode the FPGA with? and other chips for a DIY SLA1016? Has anyone scanned or reversed engineered the PCB board inside the SLA1016?
RIght now, the only difficulty I see in getting parts is the non-standard SBUS connector

I am having too much fun pushing my first actual legitimate oscilloscope..

[timgiles]

Hi all,

Any value inserted in to the three text files (/usr/bin/siglent/usr/usr/options....) over 30, is shown as 30 in the menu 'Options' on the scope on restart.

What would be interesting is what would happen to the actual value in the text file if I have the MSO or AWG hardware. I assume it would tick from my set value (500 say) to 29 once the HW is plugged in the first time. But prehaps it is only the view function in the code that knows the maximum value for a temporary licence is 30...

Has someone tried the temporary licences and resetting to 30? Prehaps Ill buy the MSO or AWG and find out. The SAG isnt too expensive...


Nice idea to reverse engineer the SLA1016 protocol NewLab.

[BillB]

...
Only I noticed above something about a serial number inside the SLA1016 that helps activate the feature on the scope?
...

I believe the activation license for the MSO option on the scope is completely independent of the SLA1016.  That is, I do not believe the MSO option is locked to any particular SLA1016.  I've got one SDS1104X-E and and one SLA1016, so I can't confirm 100%, but the scope MSO option was activated prior to installing the SLA1016.

[tmbinc]

It would be great if someone could make pictures of the SLA1016. Based on my information (but I could be wrong; I haven't ever seen this device) the SLA1016 is a Zynq-based essentially "stand-alone LA", connected via "SBUS" via relatively-slow (non-realtime; USB even?) communication. Especially the sample memory seems to be on the SLA1016 itself.

Would be great if someone could confirm/refute this.

[ironcurtain]

Hey, just joined this. My time at the moment for personal reasons is very limited, but I can offer help and advice on reverse engineering firmware and Linux ELF DSOs and executables.

I own a SDS1204X-E though, and I can't or couldn't find the firmware images for my kit. I would like to unlock the WIFI options and others, especially if we can interface it with third-party solutions that are more affordable, or better quality.

I'm somewhat of a novice with EE, but I will trade OS design/reversing knowhow for some mentoring every now and then.

As for the firmware images: I see that they obfuscate them with XOR, correct? And another part is "encrypted" with a modified version of 3DES, presumably with the key known to us (they need to ship it so...). Are there any tools for reassembling images readily available?

[TheNewLab]

S.Garrix has the procedure for hacking the options, there are some questions though. No one has confirmed if it works for their units. It should be the same for all three of the 1000X-E models

[SaKhan]

I did the following trying to make the wifi option permanent:

After confirming that the value in /usr/bin/siglent/firmdata0/options_wifi_times.txt gets decremented after each boot, I remounted /usb/bin/siglent read-write and changed /usr/bin/siglent/usr/usr/options_wifi_times.txt with the plugged wifi dongle back to 30. After rebooting, both files had the same value - 30 and any further reboots didn't decrement it anymore. I tried several things afterwards to revert the hack but I couldn't, so if you intend to try it keep that in mind. I hope also that these were the correct steps as I tried that 2 weeks ago. Don't forget also to execute sync and remount read-only afterwards.

[kahuna0k]

hi, I'm trying to flash the _eevblog OS to gain root access, but when I plug the USB and power on nothing happens. The scope just starts as usual and the known password doesn't work. I've tried formatting and copying the files from Linux and Windows, from two different computers and in two different USB keys, all with the same result. My scope already come with 7.1.6.1.25 R2 software version (FPGA Version 2018-03-06 and HW Version 01-03). Could this be the reason? I tried to update the OS using the official firmware and nothing happen either (probably because it is already running that version). Any hint?

[tv84]

hi, I'm trying to flash the _eevblog OS to gain root access, but when I plug the USB and power on nothing happens. The scope just starts as usual and the known password doesn't work. I've tried formatting and copying the files from Linux and Windows, from two different computers and in two different USB keys, all with the same result. My scope already come with 7.1.6.1.25 R2 software version (FPGA Version 2018-03-06 and HW Version 01-03). Could this be the reason? I tried to update the OS using the official firmware and nothing happen either (probably because it is already running that version). Any hint?

The equip isn't recognizing the USB. Verify that you can save files to the USB key to check if it's available. You should be able to upgrade indefinitely.

[kahuna0k]

I'm able to capture files with the print button to the usb drive. They appear under \PNG and look ok. I've also tried with a Raspberry Pi (as suggested somewhere else) with the same result. Updating the firmware works without problems (through the menus). The problem is that the scope ignore the update to the OS. When booting it access the usb drive (the light lights up 3 times for around 2 seconds each and 1 last time for around 1 second.  The files in the root of the USB are:
devicetree.dtb
rootfs.cramfs
sds1004x_e_udiskEnv.txt
uImage

in the pdf it seems that the .txt does not have the extension, but I suppose it is because Windows hides it by default. Anyway I tried without the .txt and didn't work either. Also in the PDF, the uImage seems to have a space after ("uImage "), but probably is a mistake, I think it is possible to have a space at the end of a filename in FAT32 but it is not trivial to achieve. Running out of things to try. Right now I'm trying to explot the fact that the SHELLCMD SCPI command is executed as root to change the password, but it is not that easy, "passwd -d root" seems to do nothing, probably because /etc is mounted as read only. Could anybody with root access execute mount (if possible with a USB inserted) and pasted it here?

[kahuna0k]

well, after trying with the 3rd USB drive it worked ... Murphy is around me

[tv84]

but it is not that easy, "passwd -d root" seems to do nothing, probably because /etc is mounted as read only. Could anybody with root access execute mount (if possible with a USB inserted) and pasted it here?

If that was possible, life would be easier for everyone. You can't do that because CRAMFS is RO. That's why the FS needs to be patched beforehand.

[rf-loop]

well, after trying with the 3rd USB drive it worked ... Murphy is around me

One question, and if someone other wonder, do not think anything,  this is only because i am curious and investigative nature. 

These USB drive sizes, and speed version, these what fails and this what work.

[kahuna0k]

well, after trying with the 3rd USB drive it worked ... Murphy is around me

One question, and if someone other wonder, do not think anything,  this is only because i am curious and investigative nature. 

These USB drive sizes, and speed version, these what fails and this what work.

kingston 16GB USB2 -> fail
samsung 16GB USB3 -> fail
sharkoon accelerate 32GB USB3 -> success

[tubularnut]

Kingston DataTraveler G4 32GB usb3 = success
Lexar 8GB usb2 = success

[rf-loop]

well, after trying with the 3rd USB drive it worked ... Murphy is around me

One question, and if someone other wonder, do not think anything,  this is only because i am curious and investigative nature. 

These USB drive sizes, and speed version, these what fails and this what work.

kingston 16GB USB2 -> fail
samsung 16GB USB3 -> fail
sharkoon accelerate 32GB USB3 -> success

Good, it also gives a signal that the Siglent's the instructions are based on something.




Instructions for OS update tell it clearly:  8G or 32G.
In my logic it do not include 16G at all.
(But still I do not know why  16G is prohibited. I am curious to know why.
But if manufacturer set this kind of rule and if I understand or not  what is reason I still follow it. )

[bugi]

I guess the instructions should use the word "MUST" instead of "should" in that case. Just to reduce the amount of ? ? ?!?!?%%#***@!! from users.

[tv84]

Siglent designers seated at the coffee table: "let's do this work only in 8GB and 32GB sizes!" 

BTW i suggest that you should all report a few other details of the USB disks (namely the controller):
https://www.eevblog.com/forum/testgear/siglent-sdm3045x-boot-hang/msg1565089/#msg1565089

[timgiles]

Worked fine when I used a 4Gb USB drive.

[Coldblackice]

Anyone had any further progress (or luck!) on this? I'm considering getting this scope and would love to help out, if it's still thought that achieving this would be feasible.

[tautech]

Anyone had any further progress (or luck!) on this? I'm considering getting this scope and would love to help out, if it's still thought that achieving this would be feasible.

You can find some info here:
https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/

[Coldblackice]

Anyone had any further progress (or luck!) on this? I'm considering getting this scope and would love to help out, if it's still thought that achieving this would be feasible.

You can find some info here:
https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/

Thanks, but was that link meant to point somewhere else? It points to this same thread. I read through the thread + how to do it, but was wondering how this has been faring for those who have tried it:

• Does it actually work vs. just appearing to support/run at 200mhz?
• Has anyone noticed any issues?
• Have firmware updates affected it?
• etc.

[tautech]

Thanks, though was that link meant to point to somewhere else? It points to this same thread. Unless I'm misunderstanding the current status of this: my understanding is that the hack wasn't fully working/fleshed out (based on the followup discussion in the thread). If not,

Sorry.

Read here too:
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/

[ripnoel]

Greetings,

I am ready to move forward with my purchase of a Siglent SDS1104X-E and I am wondering if anyone who has recently purchased one of these units can confirm that this hack is still working? Replies and additional info greatly appreciated!

Cheers,

ripnoel

[Gege34]

Ordered last month. I used the memory dump and a hex editor to find all the keys.

[dkggpeters]

Greetings,

I am ready to move forward with my purchase of a Siglent SDS1104X-E and I am wondering if anyone who has recently purchased one of these units can confirm that this hack is still working? Replies and additional info greatly appreciated!

Cheers,

ripnoel

I just hacked mine over the weekend with no issues.  I purchased my unit back in August of 2018.  Also hacked sdg2042x and spd3303x-e.  No issues do all three.

[NicoEFI]

Hello, I received my new Siglent SDS1104x-e. 
I want upgrade it but i have a problem with my english for understand the process  .
Can you help me please (Gege34 peux être ?).

1. patch the OS update
this file ? SDS1xx4X-E Operating System -V1 (Only For 4-Channel models) (Release Date 06.26.18 )
1. set password = where can i find it ?
2. Connect SDS1104X-E by telnet : by usb or RJ45 ? telnet can work with windows10 ?
3-4. Input command " " : i use it in Telnet that right ?

[Gege34]

All necessary informations are here and found by others (thank to them ).
To summarize, I put what I use below (English and French). I use the technics of memory dump which works very well and avoids flashing an alternative firmware.

English:
All of this only works with firmware <= 6.1.26, from firmware 6.1.33 the SHELLCMD is deactivated. But you can downgrade the scope to 6.1.26 to find the keys and after upgrade it to the last version.

• Have a USB stick that is recognized by the oscilloscope (make a screenshot on it to try)
• Connect to the oscilloscope with the web interface
• In the SCPI tab, send the command SCOPEID? and note the result, it is like wwww-xxxx-yyyy-zzzz
• Send the command *IND? to get the serial number like SDSxxxxxxxxxxxx
• Send the command SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
• Wait a while for this command to finish (we will say 1mn, there is 240MB to write on the USB stick)
• Put the USB stick on a computer, there must be a file memdump.bin
• Open this file in a Hex editor (I use HxD on windows)
• Find your SCOPEID without the - (so wwwwxxxxyyyyzzzz)
• We must have just before a 100M (or 200M according to its oscilloscope), it's the active bandwidth and still a little (37 characters) above SDS1000X-E
• A little lower (116 characters) there must be letters, in fact 2 groups of 16 characters and one of 32 characters (that we cut in half), which makes us 4 groups of 16 characters corresponding to the key to activate the bandwidth option (respectively 100MHz, 200MHz, 50MHz, 70MHz)
• To activate the corresponding license it is necessary to send the command SCPI MCBD key and to turn off/on again the scope
• Start again from the beginning of the file and look for its serial number (SDSxxxxxxxxxxxx), search until find the one where it is written MSO 5 characters before
• A little lower (69 or 117 characters) a group of readable characters, there are 3 groups of 16 characters which correspond to the activation key of options, if this key appears 2 times is that it's already active. The options are respectively (AWG, WIFI, MSO) and can be activated with the command SCPI LCISL option,key

An interesting SCPI command to explore the scope (warning to not brick it), SHELLCMD telnetd -l/bin/sh -p9999 open a telnet (root shell) without password.

Français:
Tout ceci ne fonctionne qu'avec un firmware <= 6.1.26, à partir du firmware 6.1.33 la commande SHELLCMD a été désactivé. Mais vous pouvez rétrograder votre oscilloscope avec le firmware 6.1.26 pour trouver les clefs, puis remettre le dernier firmware.

• Avoir une clef USB qui est reconnu par l'oscilloscope (faire une copie d'écran dessus pour essayer)
• Se connecter à l'oscilloscope avec l'interface web
• Dans l'onglet SCPI, envoyer la commande SCOPEID? et noter le résultat, il est sous la forme wwww-xxxx-yyyy-zzzz
• Envoyer la command *IND? on récupère le numéro de série sous la forme SDSxxxxxxxxxxxx
• Envoyer la commande SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
• Attendre un certain temps que cette commande se termine (on va dire 1mn, il y a 240Mo à écrire sur la clef USB)
• Mettre la clef USB sur un ordi, il doit y avoir un fichier memdump.bin
• Ouvrir ce fichier dans un éditeur Hexa (J'utilise HxD sous windows)
• Chercher son SCOPEID sans les - (donc wwwwxxxxyyyyzzzz)
• On doit avoir juste avant un 100M (ou 200M en fonction de son oscilloscope), c'est la bande passante active et encore un peu (37 caractères) au dessus SDS1000X-E
• Un peu plus bas (116 caractères) il doit y avoir des lettres, en fait 2 groupes de 16 caractères et un de 32 caractères (que l'on coupe en deux), ce qui nous fait 4 groupes de 16 caractères correspondant à la clef pour activer l'option de bande passante (respectivement 100MHz, 200MHz, 50MHz, 70MHz)
• Pour activer la licence correspondant il faut envoyer la commande SCPI MCBD clef et éteindre/rallumer le scope
• Repartir du début du fichier et chercher son numéro de série (SDSxxxxxxxxxxxx), chercher jusqu'à trouver celui ou il est écrit MSO 5 caractères avant
• On a un peu plus bas (69 ou 117 caractères) un groupe de caractères lisibles, il y a 3 groupes de 16 caractères qui correspondent à la clef d'activation des options, si cette clef apparaît 2 fois c'est qu'elle est déjà active. Les options sont respectivement (AWG, WIFI, MSO) et peuvent être activé avec la commande SCPI LCISL option,clef

Une commande SCPI intéressante pour explorer l'oscilloscope (attention de ne pas tout casser), SHELLCMD telnetd -l/bin/sh -p9999 ouvre un accès telnet (root shell) sans mot de passe.

[vtwin@cox.net]

English:

It should be noted, and bears repeating, that this process only works if your option keys do not span a 4K memory page boundary. If they do, you could find a portion of a key is located 10's of megabytes away in the memory dump from the rest of the key.

cat /dev/mem simply dumps the scopes physical memory, and memory malloc'd by the linux kernel to the scope task may or may not be contiguous within physical memory.

[mroek]

English:

It should be noted, and bears repeating, that this process only works if your option keys do not span a 4K memory page boundary. If they do, you could find a portion of a key is located 10's of megabytes away in the memory dump from the rest of the key.

cat /dev/mem simply dumps the scopes physical memory, and memory malloc'd by the linux kernel to the scope task may or may not be contiguous within physical memory.

True, but it seems many have been lucky in finding keys using this method (myself included). And also, it might be possible to just reboot and retry if not successful the first time, since the memory allocations might not be exactly the same for every boot and application launch.

[Gege34]

I agree with you (specially vtwin@cox.net) that this is not the most reliable way to find the keys, but it is the simplest and it works for a majority of people.
And to improve the chances of success of this method, it is recommanded to do it (the dump of the memory) on an oscilloscope which has just been powered on.

[ian.ameline]

English:

It should be noted, and bears repeating, that this process only works if your option keys do not span a 4K memory page boundary. If they do, you could find a portion of a key is located 10's of megabytes away in the memory dump from the rest of the key.

cat /dev/mem simply dumps the scopes physical memory, and memory malloc'd by the linux kernel to the scope task may or may not be contiguous within physical memory.

True, but it seems many have been lucky in finding keys using this method (myself included). And also, it might be possible to just reboot and retry if not successful the first time, since the memory allocations might not be exactly the same for every boot and application launch.

There is also the fact that the memory allocator will most likely return memory aligned on 16 byte boundaries (to accommodate neon vector types). This makes it impossible for anything 16 bytes or under to cross a page (4k) boundary.

[vtwin@cox.net]

There is also the fact that the memory allocator will most likely return memory aligned on 16 byte boundaries (to accommodate neon vector types). This makes it impossible for anything 16 bytes or under to cross a page (4k) boundary.

My scope returned memory keys not aligned on a 4k boundary.... in one instance, 12 bytes of the key was in one 4k segment, and the remaining 4 bytes of the key were located 20+ megabytes earlier in the memory dump. It was also pretty consistent in this regard, where I would get 8 or 12 bytes in one 4k chunk and have to go look for the remaining portion elsewhere at the start of a 4k chunk. I created 10 cold-start dumps with various delays upon startup to see how the delay time, or things I did on the scope's panel) affected the placement of the keys.

(of course I also was not using the SHELLCMD method to gain root access... I used version of the firmware with the "known" root password to get to a telnet prompt the "old" way, before the SHELLCMD bypass was known, so this may have played a role too.)

It is good the "simple" method works for a large number of people... but new people reading the thread should simply be aware the "simple" method may not always work and to be prepared for the possibility of a "deep dive".... that's all.

[HookEm]

@Gege34: Thanks for the excellent 14-step summary:
https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2258400/#msg2258400

@vtwin@cox.net: In my case, you were proven correct!
My Option keys were broken apart: I only found 24 characters (1 complete key + 1/2 of another) at the expected "simple method" location. So I wrote a small C-program to parse the dump file, looking for the other 24 characters (uppercase letters or decimal numbers) at the start of each 4K-page boundary. It turns out that I only found 4 hits in the 240+MB file, so eye-balling each case with a Hex-editor was a very reasonable task!

Wow, I'm so glad I went with 1104X-E... This forum rocks!

[tv84]

My Option keys were broken apart: I only found 24 characters (1 complete key + 1/2 of another) at the expected "simple method" location. So I wrote a small C-program to parse the dump file, looking for the other 24 characters (uppercase letters or decimal numbers) at the start of each 4K-page boundary. It turns out that I only found 4 hits in the 240+MB file, so eye-balling each case with a Hex-editor was a very reasonable task!

That's what I call doing your homework! 

[KungFuJosh]

@vtwin@cox.net: I wrote a small C-program to parse the dump file, looking for the other 24 characters (uppercase letters or decimal numbers) at the start of each 4K-page boundary. It turns out that I only found 4 hits in the 240+MB file, so eye-balling each case with a Hex-editor was a very reasonable task!

Any chance you'd share that program?

Thanks,
Josh

[KungFuJosh]

English:

• Have a USB stick that is recognized by the oscilloscope (make a screenshot on it to try)
• Connect to the oscilloscope with the web interface
• In the SCPI tab, send the command SCOPEID? and note the result, it is like wwww-xxxx-yyyy-zzzz
• Send the command *IND? to get the serial number like SDSxxxxxxxxxxxx
• Send the command SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
• Wait a while for this command to finish (we will say 1mn, there is 240MB to write on the USB stick)
• Put the USB stick on a computer, there must be a file memdump.bin
• Open this file in a Hex editor (I use HxD on windows)
• Find your SCOPEID without the - (so wwwwxxxxyyyyzzzz)
• We must have just before a 100M (or 200M according to its oscilloscope), it's the active bandwidth and still a little (37 characters) above SDS1000X-E
• A little lower (116 characters) there must be letters, in fact 2 groups of 16 characters and one of 32 characters (that we cut in half), which makes us 4 groups of 16 characters corresponding to the key to activate the bandwidth option (respectively 100MHz, 200MHz, 50MHz, 70MHz)
• To activate the corresponding license it is necessary to send the command SCPI MCBD key and to turn off/on again the scope
• Start again from the beginning of the file and look for its serial number (SDSxxxxxxxxxxxx), search until find the one where it is written MSO 5 characters before
• A little lower (69 or 117 characters) a group of readable characters, there are 3 groups of 16 characters which correspond to the activation key of options, if this key appears 2 times is that it's already active. The options are respectively (AWG, WIFI, MSO) and can be activated with the command SCPI LCISL option,key

An interesting SCPI command to explore the scope (warning to not brick it), SHELLCMD telnetd -l/bin/sh -p9999 open a telnet (root shell) without password.

I tried this with firmware 7.1.6.25R2 and it didn't work well at all. The keys in my memdump file were reversed, or in different areas, making it very difficult to guess the correct order and corresponding function of each key.

After upgrading to firmware 7.1.6.1.26 it worked perfectly. The bandwidth keys and options keys were all correctly oriented, and exactly where they should be.

I installed all the option keys via SCPI, and they immediately became active/permanent without need to restart the scope. After restarting, the permanent keys are still working.

This gives me the impression that Siglent was trying to make it easier to hack the keys.

Side note: there was reference in my 25R2 memdump to Pikachu for some reason. 

Thanks,
Josh

[bloomingtonmike]

In the above post the serial number command is *IDN? Btw.

Thank you everyone for the reassurance. Mem dump and scpi commands worked great just as Josh said.

[KungFuJosh]

In the above post the serial number command is *IDN? Btw.

Thank you everyone for the reassurance. Mem dump and scpi commands worked great just as Josh said.

The serial number is also listed on the home screen of the Siglent web interface...so no effort really needed there with SCPI.

Glad it worked for you too. 

[bloomingtonmike]

Home screen is where I got it too Josh. It was just bugging me why I could not get the serial number back from the scpi interface so I looked it up. Just a typo.

[KungFuJosh]

lol, I was clearly lazier than you about it. I saw it on the home screen, and grabbed it before I tried any of the commands.

[Rerouter]

Its not that they are making it easier, Its more a case of a lot of people digging into whats happening to try and resolve there own desires and along the way finding odd quirks that benefit the whole.

Its like a school network admin Vs a school of high schoolers, one side is busy with other things, the other is full of hundreds or thousands of bored people with nothing better to do

So off I go running a incrementing character search on SCPI up to 12 characters because I wanted to find command for Bode plot mode, ended up digging up a lot in the process, didn't find the command and so went on to disassembling the system application to see if there was any way to add it, found more commands in the process and finally found a work around.

Then used some of his finding to try and help someone copy off a file of interest and a linux guru jumped up and thought, "lets try and dump the memory manually with this command some guy has shown us how to use." and here we are today.

[KungFuJosh]

Its not that they are making it easier, Its more a case of a lot of people digging into whats happening to try and resolve there own desires and along the way finding odd quirks that benefit the whole.

Its like a school network admin Vs a school of high schoolers, one side is busy with other things, the other is full of hundreds or thousands of bored people with nothing better to do

So off I go running a incrementing character search on SCPI up to 12 characters because I wanted to find command for Bode plot mode, ended up digging up a lot in the process, didn't find the command and so went on to disassembling the system application to see if there was any way to add it, found more commands in the process and finally found a work around.

Then used some of his finding to try and help someone copy off a file of interest and a linux guru jumped up and thought, "lets try and dump the memory manually with this command some guy has shown us how to use." and here we are today.

Older firmware was significantly harder to get the codes. Newer firmware was simple as hell. There's a significant sequential difference in ease of acquisition based on firmware versions. If that's not on purpose, that would be an insane coincidence.

[tv84]

Older firmware was significantly harder to get the codes. Newer firmware was simple as hell. There's a significant sequential difference in ease of acquisition based on firmware versions. If that's not on purpose, that would be an insane coincidence.

This is not something preplanned. That is the way the kernel is segmenting the processes mem in realtime. If you have that particular memory area in a segment frontier, you may end up with the lics splitted. If the area is in the middle of the segment, then everything will be next to each other.

Of course, based on the average level of expertise of the members, everyone should be able/obliged to find their solution without all these "guides for dummies".

[KungFuJosh]

This is not something preplanned. That is the way the kernel is segmenting the processes mem in realtime. If you have that particular memory area in a segment frontier, you may end up with the lics splitted. If the area is in the middle of the segment, then everything will be next to each other.

Of course, based on the average level of expertise of the members, everyone should be able/obliged to find their solution without all these "guides for dummies".

Why was it being segmented differently only based on the firmware change? I tried dumping the memory more than 10 times with 25R2 and it was never together.

BTW- as a dummy, I dig the guides.

[tv84]

Why was it being segmented differently only based on the firmware change? I tried dumping the memory more than 10 times with 25R2 and it was never together.

Because the program changes makes different memory allocations and, as more memory is (de)allocated, you may end up in a segment border.

And, if you dump before going to the lic menu or dump after trying to register a lic, you'll probably obtain completely different results... 

[KungFuJosh]

Because the program changes makes different memory allocations and, as more memory is (de)allocated, you may end up in a segment border.

And, if you dump before going to the lic menu or dump after trying to register a lic, you'll probably obtain completely different results... 

I tried a number of different routines and timing with 25R2 to get the dump. All the gibberish besides the codes changed, but never the codes.

From what you're saying, it sounds like I could have reflashed 25R2 and had similar results as the newer firmware? I'd be tempted to downgrade and test that theory if not for my laziness and lack of benefiting from it.

[tv84]

From what you're saying, it sounds like I could have reflashed 25R2 and had similar results as the newer firmware? I'd be tempted to downgrade and test that theory if not for my laziness and lack of benefiting from it.

No need to. Different people in this forum have reported different results with the same FW versions. Keep yourself in "laziness and lack of benefiting from it" mode.

[jtruc34]

Well, I'm requesting your help, because I tried the steps Gege34 suggested on my SDS1104X-E, and when I tried to dump the memory on the USB key, nothing happened. What am I doing wrong?

[Illusionist]

Well, I'm requesting your help...

I did that exact procedure myself on a new SDS1104X-E two weeks ago. It worked perfectly for me - couldn't believe it was so simple. Although I did have to search the file twice for the keys because I just didn't recognize them on the first pass.

Are you sure your USB stick is recognzied by the 'scope (two of mine were, one wasn't), and does your 'scope have the latest firmware (6.1.26)? The latest firmware makes a difference, from a quick review of the thread, for finding the keys at least.

When I dumped the memory, the USB stick's light started flashing, but never stopped. Eventually I gave up waiting for it to stop (15 minutes or so) and shut down and pulled it. The file was on there.

[Apofview]

It is *IDN? not IND? it took me a while... 
16GB usb stick worked, no problem, and stick did not have indication led so after dump command I pushed print button to make sure that scope is able to write to usb, scope prints on lcd file written to usb, not sure is this check valid but for me it worked...
scope version 8.1.6.

[KungFuJosh]

It is *IDN? not IND? it took me a while... 
16GB usb stick worked, no problem, and stick did not have indication led so after dump command I pushed print button to make sure that scope is able to write to usb, scope prints on lcd file written to usb, not sure is this check valid but for me it worked...
scope version 8.1.6.

The serial number is also available on the home screen of the web interface, no commands necessary.

[jtruc34]

Are you sure your USB stick is recognzied by the 'scope (two of mine were, one wasn't), and does your 'scope have the latest firmware (6.1.26)? The latest firmware makes a difference, from a quick review of the thread, for finding the keys at least.

Yes, I am sure it is recognised by the scope, since I could save a screenshot on it and then view it on my computer. I suspect it is the path of the USB stick that is wrong, since I tried SHELLCMD echo something > /usr/bin/siglent/usr/mass_storage/U-disk0/something.txt and it didn't do anything and nothing was on the key when I checked on my computer. Or could I find the path in another way?

[Apofview]

English:

• Have a USB stick that is recognized by the oscilloscope (make a screenshot on it to try)
• Connect to the oscilloscope with the web interface (conect scope to net and enable it in the IO tab)
• In the SCPI tab, send the command SCOPEID? and note the result, it is like wwww-xxxx-yyyy-zzzz
• Send the command *IND? to get the serial number like SDSxxxxxxxxxxxx
• Send the command SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
• Wait a while for this command to finish (we will say 1min, there is 240MB to write on the USB stick)
• Put the USB stick on a computer, there must be a file memdump.bin
• Open this file in a Hex editor (I use HxD on windows)
• Find your SCOPEID without the - (so wwwwxxxxyyyyzzzz)
• We must have just before a 100M (or 200M according to its oscilloscope), it's the active bandwidth and still a little (37 characters) above is SDS1000X-E
• A little lower (116 characters) there must be letters, in fact 2 groups of 16 characters and one of 32 characters (that we cut in half), which makes us 4 groups of 16 characters corresponding to the key to activate the bandwidth option (respectively 100MHz, 200MHz, 50MHz, 70MHz)
• To activate the corresponding license it is necessary to send the command SCPI MCBD key and to turn off/on again the scope
• Start again from the beginning of the file and look for its serial number (SDSxxxxxxxxxxxx), search until find the one where it is written MSO 5 characters before
• A little lower (69 or 117 characters) a group of readable characters, there are 3 groups of 16 characters which correspond to the activation key of options, if this key appears 2 times is that it's already active. The options are respectively (AWG, WIFI, MSO) and can be activated with the command SCPI LCISL option,key

Thank You, this info and of course Dave-s tear down and review video are the reasons why I choose Siglent.

[tv84]

Well, I'm requesting your help, because I tried the steps Gege34 suggested on my SDS1104X-E, and when I tried to dump the memory on the USB key, nothing happened. What am I doing wrong?

At the end of your command line add ";sync" without quotes.

[jtruc34]

Well, I'm requesting your help, because I tried the steps Gege34 suggested on my SDS1104X-E, and when I tried to dump the memory on the USB key, nothing happened. What am I doing wrong?

At the end of your command line add ";sync" without quotes.

I've just tried it, and it didn't change anything...

[Gege34]

Try this command SHELLCMD telnetd -l/bin/sh -p9999
And open a telnet application to your Siglent IP (root shell without password)
And list all device with ls /usr/bin/siglent/usr/mass_storage
to see if you have the U-disk0 or other thing.
And you can try the dump command in this telnet cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

[jtruc34]

When I telneted it, it requested a login, I wrote root, and I just pressed enter when it requested the password. It then said incorrect password.

[tv84]

Using that way, you must telnet to port 9999 !!!

[jtruc34]

If I type telnet <ip> 9999, it says "Impossible to connect to the host, on the port 9999." It works if I don't specify any port. Until I have to enter the login and the password, of course...

[tv84]

If I type telnet <ip> 9999, it says "Impossible to connect to the host, on the port 9999." It works if I don't specify any port. Until I have to enter the login and the password, of course...

That means that your SHELLCMD is not taking effect. Please re-study the matter and try again.

[Gege34]

Also check if you have a firewall rule on your network router.

[jtruc34]

Also check if you have a firewall rule on your network router.

Since I was connecting the scope to a wireless access point created on my computer, I just deactivated temporarly the firewall of my computer, and it still didn't work.

That means that your SHELLCMD is not taking effect. Please re-study the matter and try again.

Since I really haven't got any experience in the subject, I really don't know what to do. What could I study, what changement could I make? Shouldn't your unit be the same as mine?

By the way, thank you for your help.

[rf-loop]

It works if all is ok including your network connection with scope

Most easy and reliable is direct connection from PC lan port to scope lan port (this is totally hassle free)
Direct or cross, not need care in modern systems.

This is just only example. You can use different IP setting what is ok in your system and for you. This 222.222.222.222 was just because I can remember it with my vintage memory and it is fast to write.

1.a Conf your scope IP settings and press save. (I do even reboot, perhaps not need but least some old system need it) (image)

1.b Conf your PC for fixed IP with settings as scope.  (not image because it depends your system)

2. Open PC web browser and give this IP address, just plain IP and nothing else. (image)
(scope responds with its internal server)
Send command as in image

3.  Open: PuTTYtel  (for avoid hassle this is one of most reliable without this and that traps)
(never ever use wondows own crapjunkshit telnet)
Write IP and this port
Push Open

4. next you see this window and  / #

5. you can command it and now. Do not try this and that and oops method... do not enter what you do not really know or what is not perfectly right typed - copied  from true reliable source. one mistake and... all want believe this never happen.

[jtruc34]

Well, it finally worked. The only error was to use EasyScopeX, that apparently doesn't handle SHELLCMD. Being connected in WLAN using a wireless access point works. I used telnet from Windows and it worked very well. In fact, I don't need to anymore, because SHELLCMD apprently works.

Thank you for your help anyway!

[ScottW]

I got my 1104x-e a few days ago.  It came with firmware 8.1.6.1.26.  I had no trouble using SHELLCMD to create the memory dump, and no trouble identifying the keys via hex editor.  (I did not actually use any of the keys; I just recorded them for future use.)

Today I installed latest firmware, 6.1.33, released 2019-05-23 (yesterday).  With the new firmware, using SHELLCMD to create memory dump does nothing (no file created).  Also the SHELLCMD to start telnetd on p9999 seems to do nothing (attempt to connect via telnet client subsequently fails).

I'm assuming the codes I harvested from 6.1.26 are still valid, but unsure whether the SCPI MCBD command still works (have not tried it).

Perhaps I'm doing something wrong, but it looks to me like 6.1.33 disables the SCPI SHELLCMD, or at least blocks access the /dev/mem and telnetd.  Can anyone else confirm?

[tv84]

Today I installed latest firmware, 6.1.33, released 2019-05-23 (yesterday).  With the new firmware, using SHELLCMD to create memory dump does nothing (no file created).  Also the SHELLCMD to start telnetd on p9999 seems to do nothing (attempt to connect via telnet client subsequently fails).

Confirmed.

SHELLCMD is no more.

MCBD still exists.

Well, maybe it's time for a .ADS to do the memdump... 

[vtwin@cox.net]

Confirmed.
SHELLCMD is no more.

Well, that's not shocking. You know it was just a matter of time before they closed that loophole.

Larger question would be whether or not it is possible to "downgrade" to an older version of the firmware and re-gain SHELLCMD access.

[ScottW]

Larger question would be whether or not it is possible to "downgrade" to an older version of the firmware and re-gain SHELLCMD access.

The answer is.... YES.  I was able to flash back (down) to 6.1.26 successfully and SHELLCMD again works.

[ewaller]

SHELLCMD is no more.

MCBD still exists.

Well, maybe it's time for a .ADS to do the memdump... 

Well, that is too bad.  I use it to allow me to use NTP to set the clock, among other reasons aside from obtaining memory dumps.   I suppose I could just stay with the version I have.    But, I wonder if a .ADS could be crafted to open a telnet port?  Unless they have munged Bash or telnetd, it should work.   Would you be interested in working on that with me?


Edit:  I just checked the Siglent America website and checked the release notes.  It looks like they have been busy fixing bugs and adding features; stuff that makes upgrading worthwhile.  Funny thing, they don't mention disabling SHELLCMD on the release notes 

[plurn]

...
Today I installed latest firmware, 6.1.33, released 2019-05-23 (yesterday). ...

... it looks to me like 6.1.33 disables the SCPI SHELLCMD, or at least blocks access the /dev/mem and telnetd. ...

Thanks for finding this out. I wonder if sales of SDS1104X-E will plummet now that Siglent is trying to discourage hacking, rather than ignoring it.

[tinhead]

... now that Siglent is trying to discourage hacking, rather than ignoring it.

they can close every hole, if the wish, at any time. All they did is to disable general security hole (open telnet, no auth to get telnet).
But as one can still downgrade (which need physical access to SDS, which is then not a security hole by definition), which is sufficient for all buyers to hack it, we still save.

[Performa01]

Last December, there has been quite some agitation regarding network security of Siglent oscilloscopes (SDS1202X-E in that particular case). Sec Consult, a company who makes their living by finding security holes in computer systems, treated a cheap entry level lab instrument (which will usually be connected to an isolated local network only, if at all) the same way as a computer that is connected to the public internet.

The forum community here acted cool and stayed calm - except for the usual Siglent bashers - just because it's a non-issue if the instrument is properly used and then the majority of test gear out there (no matter how expensive) have similar vulnerabilities.

Nevertheless, the Sec Consult article has been spread in many online media and Siglent had to respond somehow, promising to raise the security level on their devices. This is why it has been decided to close the all too obvious and all too easily accessible backdoors.

At the same time, this latest firmware also deals with a valid complaint by serveral users and increased the max. length of the WiFi WPA2 PSK Key to 63 characters.

I can assure you that Siglent doesn't give a 2nd thought about students and hobbyists hacking their gear and they are not willing to put any effort in preventing that, but the bad press because of the network security issue just could not be ignored and thus had to be addressed.

[Rerouter]

The SHELLCMD was more of a potential root exploit, so not a bad thing it was removed, (there are still ways in, they just now require physical access) It would be like any other networked device being able to run at root with no authentication.

I suspect I was part of the reason why that command was dragged to the surface, and may have lead to it being published against, If so, I do apologize Performa01, Not being infosec, waving a flag that says here is a command that will run arbitary code as Root was not my first though. more hunting for bode plot controls before I found the command to just press the buttons, and because there is no online updating, that possibility is nicely closed off.

[Performa01]

The SHELLCMD was more of a potential root exploit, so not a bad thing it was removed, (there are still ways in, they just now require physical access) It would be like any other networked device being able to run at root with no authentication.

I suspect I was part of the reason why that command was dragged to the surface, and may have lead to it being published against, If so, I do apologize Performa01, Not being infosec, waving a flag that says here is a command that will run arbitary code as Root was not my first though. more hunting for bode plot controls before I found the command to just press the buttons, and because there is no online updating, that possibility is nicely closed off.

No worries!

SEC Consult discovered the vulnerabilities in the middle of 2018 already - I think that was long before the SHELLCMD method was published here. And then it was about the SDS1202X-E, which did not have neither an integrated webserver nor WiFi (at least back at that time).
Half a year later, SEC Consult published their findings, because Siglent failed to respond properly (to their liking) in time. After that, Siglent was forced to do something about it, i.e. promised to close the identified security threats with the next firmware update. So you certainly need not feel bad or guilty - like you and others have said, it's not a bad thing to close backdoors that can actually be remote accessed over the LAN.

[plurn]

Ok. So I have figured out a quite easy method to set up a SDS1104X-E on previous firmware *.*.6.1.26, to have password free shell access on port 9999 that survives an upgrade to 6.1.33. So I can enable shell access on 6.1.33.

Not sure I should post it here publicly now as it would be very easy to block in next update. I suppose we could pass it around by private message but that could be a hassle. What do you think - post it publicly or private message?

Also just as an aside, my 200MHz upgrade applied by licence key is still active in 6.1.33.

[boblatino]

Hi @Gege34, I was able to get the keys and activate all the options with the dump on my SDS1104X-E but what I found is that before the activation keys it shows 200M instead of 100M (which is what my scope is supposed to be). Does that imply that mine came already activated as a 200Mhz scope? Should I try to enter the key to change the BW?

Thanks

[Gege34]

The activated option is show two time. So if you see 200 two time, it means you have the 200MHz option activated.
Whatever the result, you can try the BW without problem.

[dalhend]

Ok. So I have figured out a quite easy method to set up a SDS1104X-E on previous firmware *.*.6.1.26, to have password free shell access on port 9999 that survives an upgrade to 6.1.33. So I can enable shell access on 6.1.33.

Not sure I should post it here publicly now as it would be very easy to block in next update. I suppose we could pass it around by private message but that could be a hassle. What do you think - post it publicly or private message?

Also just as an aside, my 200MHz upgrade applied by licence key is still active in 6.1.33.

Hi Plurn... I'd like to here of your 6.1.33 workaround to the shellcmd issue.....  Please email me, if you feel that's best...

First post, and BTW I also thank everyone for the hints and tips to get the 1104 upgraded.  I was sidetracked along the way, but eventually focused on this and was successful.

[plurn]

Hi Plurn... I'd like to here of your 6.1.33 workaround to the shellcmd issue.....
...

details supplied via personal message.

[n3mmr]

Hi Plurn... I'd like to here of your 6.1.33 workaround to the shellcmd issue.....
...

details supplied via personal message.

Can I also partake of your way to achieve password free telnet access in release 33?

[plurn]

Can I also partake of your way to achieve password free telnet access in release 33?

details supplied via personal message.

For anyone else that wants this, I suggest request it here like n3mmr has done and anyone who has been given the details can send the details to the person requesting via personal message. Then put a note in this thread saying it has been supplied.

Just in case I am not around to provide the info.

That is just a suggestion - you can do as you please of course.

[sundance]

@plurn | n3mmr:
Mind to send me a PM?

[timgiles]

@anyone who who has the PM or wrote the original - can you pm timgiles :-) thank you in advance

[MikeLud]

Can someone PM Plurn workaround

Thanks In Advanced
Mike

[tv84]

Run the update (one time only) and do:

http://<scope_IP>/web_img/startTelnet9999.php

The rest is self-explanatory.

Made by plurn.

[starlight_tools]

Plurn, I would appreciate a copy of your work around as well please.

[tek2232]

Plurn can you send me a copy ?

Thanks

[plurn]

@ sundance timgiles MikeLud starlight_tools tek2232

details will be supplied via personal message in the next few minutes.

[toodle]

Hi,
Can I also get a pm of your way to achieve password free telnet access in release 33?
Thanks in advance

[MikeLud]

toodle PM sent

[Higginse]

Likewise I would appreciate a copy of the workaround info if you wouldn't mind.
Thanks in advance.

[melwin]

Any chance I could learn the magic incantation as well? Would be much appreciated! Thanks.

[bluejedi]

@plurn I too would appreciate a copy of the workaround info.
Thanks in advance.

[tv84]

Check my previous (edited) post.

[jousis]

One more question, will the hack mess the SAG1021 license ?


edit. it took me a while, sorry

[KungFuJosh]

The .33 firmware is annoying! There's so many extra steps to do basic things like setting probe attenuation. Before this stupid firmware, turning the dial would easily adjust. Now you have to select it, go to the next screen, select it again, and then turn the knob. 

[tinhead]

The .33 firmware is annoying! There's so many extra steps to do basic things like setting probe attenuation. Before this stupid firmware, turning the dial would easily adjust. Now you have to select it, go to the next screen, select it again, and then turn the knob. 

this is due to fact that the same firmware (executable) seems to compiled for different models, so one can find inside as well SDS5000X, SDS2000X-E, SDS1000X-E and SDS2000X+(10bit, what?), where some of these models support active probe and their information/calibration - that's why the menu has been changed

EDIT: actually deep look inside the .33 firmware shows as well other interesting things, like MIL-1553 or Flex options, not only new 10bit DSO SDS2000XPlus, hmm

[tv84]

EDIT: actually deep look inside the .33 firmware shows as well other interesting things, like MIL-1553 or Flex options, not only new 10bit DSO SDS2000XPlus, hmm

Because they are using the same source code as in the SDS5000X... Nothing more.

[tautech]

EDIT: actually deep look inside the .33 firmware shows as well other interesting things, like MIL-1553 or Flex options, not only new 10bit DSO SDS2000XPlus, hmm

Oh, juicy. 
Actually I need MIL-1553 as an option for one of my customers classroom sets of SDS1202X-E for cadet training use.....nice to know it's part of later FW but I did suspect it was. 

All we need now is to work on enabling it. 

[Rerouter]

Its fully baked in there. Its just the access chain for the menus are missing if you try using the specific commands you will soft lock the scope application.

They also hard coded the menu tree unlike previous versions. (I wonder why  ;. ) its not yet obvious to me where the menu / UI thread is. As I know where the menu entry points are. They are just dereferenced.

Personally I would love the option to buy the canfd decoder

[tinhead]

EDIT: actually deep look inside the .33 firmware shows as well other interesting things, like MIL-1553 or Flex options, not only new 10bit DSO SDS2000XPlus, hmm

Because they are using the same source code as in the SDS5000X... Nothing more.

that's right, but on the other hand what the firmware is doing depends on model name, i tried already SDS2000X-E binary on SDS1000X-E and was of course nothing special, it worked exactly as the SDS1000X-E firmware did. So vice versa it could be possible to lie about hardware version to get 2000 series features running on 1000 series.

Personally I would love the option to buy the canfd decoder

the firmware does read and evaluate at least options_canfd_cfg.bin files, once i placed it (copy of my unused wifi_cfg.bin), it immediately created options_canfd_times.txt, even if this is not available feature on 1000X-E, so the hope remains (however, there are some changes to licensing check, some extra _md5_ here and there ...)

[tv84]

that's right, but on the other hand what the firmware is doing depends on model name, i tried already SDS2000X-E binary on SDS1000X-E and was of course nothing special, it worked exactly as the SDS1000X-E firmware did. So vice versa it could be possible to lie about hardware version to get 2000 series features running on 1000 series.

But the 1000 and 2000 are equal in terms of Options licenses, so no much gain there.

The big question is: did you see anywhere the use of a 5000 option in a 1000/2000 menu?

Because running the 5000 FW in the 1000 should be another ballgame...

PS: is it possible to trigger, for example,  CANFD analysis/decoding via SCPI?

[bluejedi]

I tried several memory dumps made via web interface/SCPI but I am unable to find my scope id in the dump. I can only find a sequence of at most 2 scope id bytes matching in memory but not more. I'm running v7.1.6.1.26 + root telnet access patch (the one that requires root pwd).

I also tried to make a dump via telnet with: cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump10.bin but this consistently fails with the following error: cat: read error: Bad address

Are there any other possibilities to extract the keys from the scope?

[bluejedi]

Run the update (one time only) and do:

http://<scope_IP>/web_img/startTelnet9999.php

Install the attached .ads before or after the 6.1.33 update?

[Performa01]

... SDS2000X+(10bit, what?), ...
...
... new 10bit DSO SDS2000XPlus ...

SDS2000X+ is the successor of the SDS2000X, currently still under development. It will not be a 10bit DSO.

[Gege34]

Install the attached .ads before or after the 6.1.33 update?

Install the .ads after updated to 6.1.33.

To find your keys, I recommand to perform a factory reset and do the memory dump just after power on the scope.

[jemangedeslolos]

... SDS2000X+(10bit, what?), ...
...
... new 10bit DSO SDS2000XPlus ...

SDS2000X+ is the successor of the SDS2000X, currently still under development. It will not be a 10bit DSO.

Hello Performa01,

Do you have additional information regarding this SDS2000X+ ??
spec ? price ?
approx release date ?

Thank you

[Performa01]

Do you have additional information regarding this SDS2000X+ ??

Sorry, but I don't know anything yet. All I know is that there most definitely is no 10bit scope in the pipeline.

[ffabi]

Hello @plurn or anyone that knows the workaround
Could you please sende me the workaround for the .33

Thank you very much

[Illusionist]

PM sent ffabi

[crasymicci]

Hello , and for  me too, please      
 @plurn or anyone that knows the workaround
 please sende me the workaround for the ..33

Very Big Thanks !

[coy]

Hey,

I just took the chance before updating to 6.1.33 and did the update of bandwidth. I used the dump created with SHELLCMD, the key was easy to find in my case and MCBD <key> worked.

Then I started the telnetd without password on port 9999, logged into the device, remounted /usr/bin/siglent as rw and put my own backdoor in the lighttpd cgi directory:

/usr/bin/siglent/config/www # cat telnetd.php
<?php
shell_exec('telnetd -l/bin/sh -p9999');
?>

Then I did the update to 6.1.33, 200M bw is kept, and backdoor still working 

Thanks for your investigations!