Siglent .ads firmware file format
tautech:

--- Quote from: ewaller on December 06, 2018, 04:31:49 am ---I have ordered an SDS 1204x-e,..............

As many here may be aware, this instrument has been recently reported to have security issues by online security forums. 

--- End quote ---
Correction if I may, those issues are unconfirmed for SDS1004X-E models. Only SDS1202X-E are implicated as having WLAN security issues.....which may or may not affect all manner of test equipment and brands.
ewaller:
As I said, I've not my instrument yet, but...

Does the instrument not open a Telnet port?  Does it not ask for a root password when attempting to log in via telnet?  Is there not a hashed entry in /etc/passwd for which there is a password that is not well known?  Does replacing that hash with that for a known password not permit one to log in using that well known password?  If these are yes, this instrument is vulnerable.

Note that I am asking these questions as it is my intent to root this instrument; but I am trying to determine which tack I want to take.  I might add that I choose to do this purely for intellectual curiosity.  I do fully intend to buy appropriate licence keys when and if I choose to add options.
rf-loop:

--- Quote from: ewaller on December 06, 2018, 05:13:43 am ---As I said, I've not my instrument yet, but...

Does the instrument not open a Telnet port?  Does it not ask for a root password when attempting to log in via telnet?  Is there not a hashed entry in /etc/passwd for which there is a password that is not well known?  Does replacing that hash with that for a known password not permit one to log in using that well known password?  If these are yes, this instrument is vulnerable.

Note that I am asking these questions as it is my intent to root this instrument; but I am trying to determine which tack I want to take.  I might add that I choose to do this purely for intellectual curiosity.  I do fully intend to buy appropriate licence keys when and if I choose to add options.

--- End quote ---

The normal telnet port 23 is open.
To access the system you need to know the user and password.
You can try to brute-force these over a telnet connection and lose the rest of your limited lifetime or the scope's limited lifetime, whichever is reached first. But if you are lucky, of course, it may randomly open this can of worms tomorrow... who knows.
But there is another way... I recommend you now take some time to carefully read this forum, and you will soon hit upon how it all works (tip: first you need to change to another OSV in the scope, and after that "close the door" by changing the original genuine OSV with unknown usr/pw back into the scope) = "RTFM" (which is scattered around inside the forum).

There are also other ports open for use with SCPI commands.
https://www.siglentamerica.com/application-note/verification-lan-connection-using-telnet/

Also, of course, for the web server.

tv84:

--- Quote from: ewaller on December 06, 2018, 04:31:49 am ---Two questions:  First, I cannot find where you have conveyed what these scripts specifically do.  Would you state what it is they do?  Second:  Have you automated the process of creating an ads file?

--- End quote ---

1. These X-E specific .ADS have an update.sh script that is run to accomplish the installation.
2. You could say semi-automated.

The best way to protect the equipment is to leave it outside the internet. Of course if you have a rogue colleague in the lab...

You cannot change the pwd since the FS is RO. To change the pwd you need to patch the FS and flash it again. That's what janekivi usually creates for forum members.

All your other indications seem correct and have been used/implemented...

PS: As rf-loop says, for someone who reads carefully, the info is already in the forum.
ewaller:
TV84,

I am not overly concerned about security for my instrument.  It will be on my private LAN on a guest subnet jail that I use for my IoT devices.  I have read the threads with interest, and I agree that there is probably enough information here to create an ads file myself.  What is not clear is what those scripts do.  On the surface, they open a new port at 10101 (IIRC) that does not require a password.  Is that what they do?  Is that a transient port that goes away at the next reboot, or is it persistent?  Unfortunately, there is no easy way to audit those files so I would have to trust you as to what they do.

If they open a port with a root session, and it is transient, that would be my preferred method to root the instrument, rather than uploading the OS image with a modified /etc/shadow.