
Siglent SDG1025 hack?


Macbeth:

--- Quote from: tv84 on May 29, 2018, 04:04:02 pm ---That could be a 1st attempt or change inside the previous call... I'm gonna see with janekivi now that I know he has an experimental testbed. :)

--- End quote ---

Good on janekivi! I was a little reluctant to be the Guinea Pig  :-DD

janekivi:
OooKey...
Did the experiments and there was no difference with this function change.

--- Quote ---E4F02 B8 E4 0D 00                       R0 = B[FP + 0xd] (Z);

to something like

E4F02 80 E1 05 00                       R0 = 0x5 (Z);
--- End quote ---

Now I can make new files a bit easier and try other changes you suggest.
The first edited ADS update file I made with notepad (hex edit)...

toli:

--- Quote from: Macbeth on May 28, 2018, 04:51:05 pm ---To force it into an SDG1050, maybe changing

E4F02 B8 E4 0D 00                       R0 = B[FP + 0xd] (Z);

to something like

E4F02 80 E1 05 00                       R0 = 0x5 (Z);

 :-//

--- End quote ---

The value it's compared against is actually different, if you have a look, it's:
ROM:E4F62 29 60                             R1 = 0x5 (X);           # R1=0x5
which is (X), not (Z). So it's extended with sign, no zeros. I've looked at the BF manual, and it's indeed different as it's extending with '1's instead of '0's. I'm unsure of the actual instruction code to define R0 to be this value, no experience with the BF at all on my side. If you know the instruction structure and which bits state the register number, it would be great.
From the few instructions in the snippet of code above, I think it's 2860 (similar to the 2960 for setting R1 to 0x5(X), with a single bit change to mark the register number), but I can't verify this.

One other way would be to try and set:
ROM:E4F68 01 E1 20 E9                       R1.L = 0xe920;          # R1=0xe920
instead of the different values set for the other models. As other than that the section seems practically identical for all models. Although it's hard to say what's happening at the subroutine in address "sub_575F2" which is being called there. Right before jumping into it, R0 is again set to the value of R7, so it is possible that it's used there again for defining the parameters, and therefore this change won't suffice. Chances are I'm just too pessimistic :)
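
An added example, not part of toli's post or of the thread: a small Python decoder for the two Blackfin immediate-load forms quoted above, showing what value the (X) and (Z) variants leave in the register. The bit-field layout is taken from the Blackfin instruction encoding and matches the byte sequences quoted in this thread; the two negative-immediate inputs are constructed samples, and the function names are hypothetical.

```python
import struct

def sign_extend(value, bits):
    """Interpret the low `bits` bits of value as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)

def decode(code):
    """Decode one Blackfin immediate load from little-endian bytes.

    Returns (length, text, value); value is the 32-bit register content
    after the load, or None when only half of the register is written.
    """
    (w0,) = struct.unpack_from("<H", code, 0)
    # 16-bit form: 01100 op imm7 dst; op=0 is "Rn = imm7 (X)".
    if w0 >> 10 == 0b011000:
        imm = sign_extend((w0 >> 3) & 0x7F, 7)
        return 2, f"R{w0 & 7} = {imm:#x} (X)", imm & 0xFFFFFFFF
    # 32-bit form: 11100001 Z H S grp reg, then a 16-bit immediate.
    if w0 >> 8 == 0xE1 and (w0 >> 3) & 3 == 0:    # grp 0 = data registers
        (imm16,) = struct.unpack_from("<H", code, 2)
        flags = ((w0 >> 7) & 1, (w0 >> 6) & 1, (w0 >> 5) & 1)  # Z, H, S
        reg = f"R{w0 & 7}"
        if flags == (1, 0, 0):                    # zero-extend to 32 bits
            return 4, f"{reg} = {imm16:#x} (Z)", imm16
        if flags == (0, 0, 1):                    # sign-extend to 32 bits
            val = sign_extend(imm16, 16)
            return 4, f"{reg} = {val:#x} (X)", val & 0xFFFFFFFF
        if flags == (0, 0, 0):                    # low half only
            return 4, f"{reg}.L = {imm16:#x}", None
        if flags == (0, 1, 0):                    # high half only
            return 4, f"{reg}.H = {imm16:#x}", None
    raise ValueError(f"not an immediate load handled here: {code.hex()}")

# First three byte strings are quoted in the thread; last two are constructed.
SAMPLES = ["2960", "80e10500", "01e120e9", "d963", "80e1fbff"]

if __name__ == "__main__":
    for raw in SAMPLES:
        length, text, value = decode(bytes.fromhex(raw))
        shown = "half write" if value is None else f"{value:#010x}"
        print(f"{raw:<10} {text:<18} -> {shown}")
```

For the immediate 5 both forms leave 0x00000005 in the register; the results differ only when the top bit of the immediate is set, as in the two constructed samples.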

sleary78:
Any updates on this? Is there anything I can do to help? I have a SDG1025 and I'm happy to test out firmwares. The IDA database is no longer available.

azaaxx:
Hi,
I'm also the owner of an SDG1025.
There has not been much activity there for a long time.

I noticed that there is a way to "unlock" Siglent scopes and AWGs by using a license:
https://www.eevblog.com/forum/testgear/siglent-sds-sdg-hack-script
I also saw the same procedure for spectrum analyzers on other sites.
I believe the procedure should be pretty much similar for this scope.
I have some experience in reverse engineering and can also do some stuff with the device itself (if needed).
I would need to get decoded binaries / mem dump of the scope.

Anyway, it is better to ask instead of reinventing the wheel.
