Author Topic: Siglent SDS5000X Oscilloscope Hack status - Dec 2021  (Read 17916 times)

Offline Detlef

  • Newbie
  • Posts: 3
  • Country: de
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #50 on: April 05, 2024, 12:30:29 pm »
Allow me to introduce myself: I’m a retired engineer. My former profession was software and hardware design, mostly for embedded microcontrollers, which is still my hobby, along with general electronic design.

A few months ago, I bought a Siglent SDS5054X oscilloscope. Although I don’t even need the built-in features this instrument offers, for academic purposes I am interested in some “enhancements”.

Well, ladies and gentlemen, is there any functioning hack like the old Python script (which doesn’t work anymore), and if so, how can I get it? And of course, I would keep it secret. My e-mail address is deposited with my account…
 

Offline IM3

  • Contributor
  • Posts: 40
  • Country: nl
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #51 on: July 23, 2024, 02:25:39 pm »
Let's see if the UART on my SDS5034X is accessible.

To do this, I will need to open the device first. I wanted to avoid damaging the 'calibration void' sticker. You can easily remove this sticker by following the instructions in the following thread:

https://www.eevblog.com/forum/blog/eevblog-799-how-to-remove-warranty-void-security-stickers/

First, let me emphasize that opening such devices should always be done in an ESD-safe manner. Be aware that even just lifting yourself off your chair can generate tens of kilovolts of static charge. A tiny spark of 100 volts can damage your expensive equipment, sometimes not immediately, but maybe after a year due to latent damage. So, be careful!

That's why you need an ESD mat, ideally in a vibrant red color (RGB 255-0-0).

After removing the back cover, the power supply needs to be unscrewed first in order to disconnect a few connectors. Only then can you access the main board.

It turns out the UART connector is not populated on the main board. There is no Jedec header present. Wires need to be soldered to the pads for GND, TX, and RX. Do not connect VCC, as this would introduce supply voltage from two sources and that is never a good thing.

So now you can connect a PC to the UART via a USB to Serial converter, and you'll have a connection. (Baudrate 115200, 8N1).

But then comes the real challenge: Username and Password.

There is a lot of old discussion on EEVBlog about this, and some believe there is only one password. That is definitely not the case. Passwords can change per device and even per firmware version.

For a long time, the username was 'root'. The password used to be a combination of the manufacturer's name and the device name, so here it would be 'siglent_sds5000x'.

Unfortunately, this is not the case anymore. I've tried at least 100 different combinations, but the story seems to end here quickly.

Does anyone have any suggestions?    (Except for screwing everything back together.)
 

Offline IM3

  • Contributor
  • Posts: 40
  • Country: nl
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #52 on: August 10, 2024, 07:56:38 pm »
Alright, the experiment with the UART has not been successful so far. Those pesky passwords!

The ultimate goal is still to liberate my SDS5000X.

I’ve tried experimenting with JTAG as well, but that’s not straightforward either. (for me)
A Lattice FPGA is visible in the JTAG communication. Thanks to tv84 for the support with that. This FPGA is located on the main board, right next to the JTAG header (see photos 1 and 2).

The processor on a separate PCB hasn’t been detected yet. (Xilinx XC7Z020) I need a mem-dump on that processor to get any further.

What I find strange on the processor board is the J2 connector (photo 3). It’s labeled as NAND and JTAG. Does anyone have an idea what that might be? I will try to measure activity on those pins.
 

Offline 44kgk1lkf6u

  • Regular Contributor
  • *
  • Posts: 131
  • Country: 00
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #53 on: August 12, 2024, 02:11:16 pm »
You can see that the leftmost hole is ground.  I guess that it is intended for a jumper.  Shorting the center to the left makes the chip boot from the NAND flash.  Shorting the center to the right makes the chip boot from JTAG.  The right hole may not be connected at all, that is, it is only there to rest the jumper.  You can see if the hole is connected by measuring the diode drop from ground to it.  In the finished product there may be a resistor to make it always boot from the flash.  Some document for the chip should say how it works.
 
The following users thanked this post: rfindley

Offline IM3

  • Contributor
  • Posts: 40
  • Country: nl
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #54 on: August 15, 2024, 12:45:18 pm »
What I know so far:

Indeed, one of the pins on the 3-pin connector is ground.
The middle pin transmits unknown data during boot and shutdown. The bit time is 200ns, measured with an oscilloscope.
The third pin is always low; it might be an input...?

The CPU board also features two USB3320 Hi-Speed USB Transceivers, and there is also a DS83848 Ethernet Transceiver. They are close to the 3-pin header.

I was hoping to easily memdump the CPU but now I'm not sure if this is the right path that will lead me to liberating the SDS5000X.

I don't have enough knowledge of this either.

Maybe others will find this data useful to get any further.
 

Offline 44kgk1lkf6u

  • Regular Contributor
  • *
  • Posts: 131
  • Country: 00
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #55 on: August 18, 2024, 01:15:01 pm »
I was not expecting data to be transmitted on the pin.  I thought the boot select pin was an input.  What kind of chip is the header connected to?  Do you still have the capture of the waveform saved?  Do you know if the third pin is connected to anything?  I am sorry that I can not answer the questions myself.  I don't have the device.
 

Offline IM3

  • Contributor
  • Posts: 40
  • Country: nl
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #56 on: August 18, 2024, 04:19:52 pm »
No, this is what I have.

The photos show which chips are on the PCB. The pin that stays low might be an input, but on this multilayer PCB, I can't trace where it leads.

Additionally, I don't want to risk damaging the board by randomly applying voltages to these logic inputs with a multimeter. The potential for damage is not worth the risk to me. I am already far outside my comfort zone with this scope disassembly. It’s brand new, and I still remember what I paid for it.

Initially, I hoped to establish a connection with the CPU via a JTAG interface so that I could create a memory dump. After that, other experts might be able to generate the keys to liberate this scope.

But unfortunately, the CPU doesn’t appear in the JTAG chain.

I think this is where it ends for me, and I’ll just put everything back together neatly.
 

Offline Lydia

  • Contributor
  • Posts: 11
  • Country: cn
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #57 on: October 23, 2024, 12:18:47 am »
It seems that although firmware 0.9.5 uses a brand new key system, it can be directly downgraded to 0.9.3; then you can use some Python stuff and upgrade back to 0.9.5 or higher.
But the latest firmware 0.9.9 disabled firmware downgrade... so... :-BROKE
Disconnecting from this world...
Waiting for response...
 

Offline DrMefistO

  • Contributor
  • Posts: 15
  • Country: ru
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #58 on: December 31, 2025, 02:39:35 pm »
Here is a new keygen for SDS5000X models that supports updated (V0.9.9R8+) devices. Since the new updates only support the LIC-V2 (SCPI: :syst:board?) licensing subsystem, it's not possible to generate valid keys without getting a shell on your device. So, here it is!

Usage:
Remove the .txt extension from the filename, put the .ADS update file on a USB flash drive and update using the menu: Utility->Maintenance->Upgrade, or open the device Web-interface, then go to Instrument control->FirmWareUpdate, choose the file and let the oscilloscope reboot.

As a result, your device will open the TCP/1234 port, listening for the following commands:
  • modes: gives you available licensing options
  • Any command from the modes response, e.g. 500M: gives you a license key
  • exit: closes TCP/1234 port (until reboot)

To send a command to the keygen you can use netcat like this:
Code:
echo 500M | nc 192.168.1.100 1234
In this example, it will print a license key to update to 500MHz bandwidth.



Another file is a tool to unpack and rebuild ADS files manually. Usage:
Code:
ads_tool_5k <in_update.ADS> [<in_update.zip>]
Using the following command you can unpack ADS files (it will produce SDS5000X-V0.9.9R8.zip):
Code:
ads_tool_5k SDS5000X-V0.9.9R8.ADS
Using the following command you can make new ADS files with new content (it will produce SDS5000X-V0.9.9R8_new.ADS):
Code:
ads_tool_5k SDS5000X-V0.9.9R8.ADS keygen.zip
« Last Edit: December 31, 2025, 02:56:22 pm by DrMefistO »
 
The following users thanked this post: Sidoroffff

Offline CrabApple

  • Newbie
  • Posts: 7
  • Country: us
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #59 on: January 03, 2026, 01:45:04 pm »
It's cool that you were able to RE it as well but, and perhaps I'm being lame but, I'd really appreciate it if you didn't share this so publicly. There's a very good reason TV84 has kept his tool under wraps. This will cause more problems than it's worth and in the end ruin it for everyone. I've seen it happen a million times over.

Could you at least just only hand it out over PMs?
 
The following users thanked this post: tautech

Offline DrMefistO

  • Contributor
  • Posts: 15
  • Country: ru
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #60 on: January 04, 2026, 01:29:11 pm »
Rigol's topic with the kg in public still exists. What's the difference with this one?
 

Online Starpoint

  • Newbie
  • Posts: 4
  • Country: nl
Re: Siglent SDS5000X Oscilloscope Hack status - Dec 2021
« Reply #61 on: Today at 08:01:43 pm »
Hi DrMefistO,

Is this also possible for the Siglent SNA5000A series?

I understand this is also LIC-V2.

They just released new firmware, but the new options (2) are no longer demo options like everything else so you can try it at your leisure.

Regards

 

