Author Topic: Unlocking Siglent SDS1104X-E, step by step  (Read 15299 times)

0 Members and 1 Guest are viewing this topic.

Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 3815
  • Country: au
  • Question Everything... Except This Statement
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #75 on: December 29, 2018, 07:08:19 am »
 His method gets you root access to do just about anything you want on the scope without changing from stock,

Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,

If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.

The telnet access is more if you want to fiddle with the scope
 

Offline t1d

  • Frequent Contributor
  • **
  • Posts: 560
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #76 on: December 29, 2018, 10:18:04 am »
His method gets you root access to do just about anything you want on the scope without changing from stock,

Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,

If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.

The telnet access is more if you want to fiddle with the scope
Thank you, Rerouter.

I understand a little of this, but....

Is it that Post #1 gets you the 200MHz and nothing else? Or the options, too?

Is it that with the Ewaller method you could access the entire firmware and, given that you wrote code, you could modify it?

I just want the greater bandwidth and to use the pay-to-play options (with non-Siglent devices, like my own function generator, WiFi dongle, etc.)

I appreciate your help.
« Last Edit: January 11, 2019, 02:40:36 pm by t1d »
 

Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 3815
  • Country: au
  • Question Everything... Except This Statement
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #77 on: December 29, 2018, 10:29:49 am »
the memdump method will get you a file that has all the option and bandwidth codes, just takes some digging with a hex editor.

Working with your own wifi dongle is harder to say. at this point it only has a driver for the MT7601 dongle, If your familiar enough with linux drivers you can probably try and make another work via patching, but doubtful out of the box.

With your own signal generator is equally a little difficult, If you want to use the bode plot mode then you need to use similar to an earlier thread where a Python application on another PC pretended to be a networked signal gen and translated the commands, There may be a way to patch in other devices, but I have not gone digging deep enough, I defiantly know where all the bode plot strings are located, but not sure if its just a straight patch or if it needs to be broken into elsewhere,

 

Offline t1d

  • Frequent Contributor
  • **
  • Posts: 560
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #78 on: December 29, 2018, 11:52:33 am »
Thanks, Rerouter. Much appreciated.
 

Offline ewaller

  • Contributor
  • Posts: 23
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #79 on: December 29, 2018, 03:08:45 pm »
If you have used up all of your trial runs for MSO, WIFI or AWG; and you have not purchased your licence keys, you may be able to reset the number of trial runs by sending the following through the web interface SCPI mechanism (here I set the number to 99)

SHELLCMD echo -n 99 > /usr/bin/siglent/usr/usr/options_awg_times.txt

Replace the awg with wifi or mso  as appropriate.  change 99 to the number of demo runs you desire.
These files have  exactly two characters in them with no n/l or l/f, hence the -n option on echo.  99 may, or may not be a maxima -- again, these files have exactly two characters in them.

Note, I cannot actually test this through the GUI any more as my options are all permanent, but I am fairly certain this will work for those of you who need a couple more demo runs to decide.  I can see that the contents of these files do change the way I expect. Please let me know.
« Last Edit: December 29, 2018, 03:11:50 pm by ewaller »
 

Offline not1xor1

  • Frequent Contributor
  • **
  • Posts: 348
  • Country: it
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #80 on: December 30, 2018, 07:50:47 pm »
Hi,

I do not know if it is OK to ask here of if I should start a new thread...

as I'm taking into account to buy a second hand SD1104X-E I'd like to know if any of you is aware of any hardware revision during the last year.

thanks
 

Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 3815
  • Country: au
  • Question Everything... Except This Statement
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #81 on: December 30, 2018, 07:52:02 pm »
yep, 04 as of the last month, no significant changes to functionality has been observed.

03 I can only speak of back to mid july, when my unit was made. it appears the FPGA code was compiled for 03 on the 7th of march 2018, so 02 likely was from before this date.
« Last Edit: December 30, 2018, 07:56:35 pm by Rerouter »
 
The following users thanked this post: not1xor1

Offline gamerpaddy

  • Contributor
  • Posts: 7
  • Country: de
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #82 on: December 31, 2018, 04:46:18 am »
Hello, i applied this Unlock (ProMode) to my 1104x-e, works great (havent tested the extra features)
But i noticed a bug(?)

I did some decoding a month ago, then i turned it off, unplugged the scope and put it on a shelf.
A month later i plugged it back in, booted it up.  it was dead slow.  time between action and reaction was like a minute. totally locked up
even after reboot.

Only fix was to hit the default button.

Did anyone notice this without the hack applied?  Could it be the Production Mode im in?
 

Offline booyeah

  • Newbie
  • Posts: 4
  • Country: ie
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #83 on: December 31, 2018, 08:27:14 am »
I followed plurns and vt100's posts as regards dumping memory to a usb and then looking through the dump in a hex editor.

Worked perfectly to recover all the codes.
Thanks a million.
 
The following users thanked this post: plurn

Offline essele

  • Contributor
  • Posts: 47
  • Country: gb
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #84 on: January 04, 2019, 07:19:11 pm »
I received my scope last night, and managed to get everything sorted nicely, however there were a few things that weren't quite as some other people seem to have found them, it was already running the latest firmware (6.1.26), not sure if that's the reason.

1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)
2. The core dump didn't contain the required information, it was only about 200meg, so quite a bit smaller than other examples shown here (and smaller than the 250meg memory dump.)
3. Restarting the sds1000b process didn't work properly, a few errors and the scope was unusable, so I suspect this is the reason it didn't contain the right data.

So I resorted to a much simpler way as described by some other posters...

1. Use "SHELLCMD telnetd -l/bin/sh -p9999" to start an unauthenticated telnet server.
2. Connect to the scope using "telnet <ipaddress> 9999"
3. Insert a USB stick
4. Dump memory to the stick using "cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"
5. Pull the stick (I ran "sync" first, but I'm a legacy unix guy, need to see if that's really necessary), otherwise cleanly unmounting would be better.
5. Use a hex editor to find the keys as per post 39, from about step 20 onwards ... which worked perfectly, no obvious issues with the page ordering making it difficult to find things.)

It took about 10 mins start to finish once I'd decided to go the /dev/mem route.

You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

What a nice scope ... this was an upgrade for me from a DS1052E, so it's fantastic! Thanks to all for providing this info!
 
The following users thanked this post: TheNewLab, jack-daniels

Offline vt100

  • Contributor
  • Posts: 15
  • Country: af
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #85 on: January 05, 2019, 01:03:04 am »
1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)

a core dump is substantially smaller than an entire memory dump. With the core dump you're only going to get the memory associated with the running task, compared the memdump, where you'll get all the scope's memory.

Its curious you didn't find the keys in the core dump.... the only thing I can think of, is, perhaps, you took the core dump prior to the sds1000b process creating the keys within its memory pages (there is logic in the scope app to generate the keys using the scopeid and serial # to check against the licensed options, they are not hard-coded in the scope app) so if you took a core dump prior to that routine executing (and at what point it runs, who knows). I'd be interested in taking a look at the core dump if you'd be willing to share it.

Quote
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

These methods will continue to work until Siglent  pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.
vt100
the world's best dumb terminal
 

Online rhb

  • Super Contributor
  • ***
  • Posts: 2281
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #86 on: January 05, 2019, 01:51:49 am »

Quote
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

These methods will continue to work until Siglent  pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.

time(1) will tell you when the cat completes.
 

Online Andreax1985

  • Regular Contributor
  • *
  • Posts: 64
  • Country: it
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #87 on: January 19, 2019, 10:48:02 am »
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 14037
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #88 on: January 19, 2019, 11:25:30 am »
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
You can see here how the 100 MHz roll off is much improved after improving to the 200 MHz model:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374

There's some further supporting info in subsequent posts.
Also have a hunt through rf-loop's posts, he's switched his SDS1104X-E back and forth.
I've never hacked one but the info here is entirely convincing that it is a valid upgrade.  ;)
Avid Rabid Hobbyist
 

Offline Dundarave

  • Contributor
  • Posts: 40
  • Country: ca
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #89 on: January 20, 2019, 08:19:38 am »
I wanted to thank all the contributors for all the various unlocking instructions, especially VT100 whose instructions I was following per post #39 for the keys to my options upgrade.  It's nice to have a fully upgraded scope, at just the right price. ;D

However, I have a question that I hope someone can clear up:

I first updated the bandwidth via the rooted OS & bandwidth.txt -> bandwidth.bak method, as that felt the most comfortable to me at the time.  With that success, I started to feel more confident (or cocky, I suppose, lol) and thought I would then use the mem dump method to find the keys for the options, which I then also successfully updated.

So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".

In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)

I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M. 

I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file?  If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be? 

I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.

I've attached a shot of the relevant part of the mem dump for the bandwidth keys.

Thanks again! :-+
 

Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 3815
  • Country: au
  • Question Everything... Except This Statement
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #90 on: January 20, 2019, 08:32:06 am »
Run the command. When a valid bandwith or option code is entered. The scope saves a bandwidth.txt or option.txt. so if your not seeing one yet it may change with later updates.

This would also explain why your not seeing the current code. It reads it from that txt file.
 

Offline Dundarave

  • Contributor
  • Posts: 40
  • Country: ca
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #91 on: January 20, 2019, 09:18:11 am »
Brilliant!  Thanks, Rerouter.

I ran the MCBD command with the suggested 200M key (from my dump file as attached earlier), and then went into the scope via telnet and checked for the bandwidth.txt file.  It was there, as you called it, along with the older bandwidth.bak file from my original update.

I've attached a shot of the content of each file, the .txt now containing the 200M key, and the .bak containing the original 100M key.

I've also attached an updated memory dump excerpt showing the now repeated 200M key.

All good now!  Thanks for the prompt response. :-+

Nick
 

Offline vt100

  • Contributor
  • Posts: 15
  • Country: af
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #92 on: January 20, 2019, 11:31:29 pm »
So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".

As earlier posts have indicated modifying the bandwidth.txt file puts the scope in "PRO MODE" which basically bypasses the licensing process so you have a scope with all options and full bandwidth. The problem with this approach is the next firmware update could easily change this by placing the scope into complete lockdown with no options and minimal bandwidth. Once you have your license keys, you never need to worry about losing access to bandwidth or options.


Quote
In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)

This is expected. One of those 5, the "duplicate", is read from your filesystem and compared against the other 4 generated keys to determine what bandwidth your scope has. By "hacking" the config file you eliminated the "5th" key and now only see the 4 that the scope program generates for comparison. This is the 'expected' behavior given you changed the bandwidth.txt file.


Quote
I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M.

Even if you enter the wrong one, you can always enter another one to change it again. the MCBD command is not a one-shot deal.
 
Quote
I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file?  If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be? 

See paragraph #1 above.

Quote
I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.

See paragraph #2 above. Your scope isn't licensed w/ any bandwidth key, it's in PRO MODE. Hence you only have 4 keys in your mem dump, not 5.
vt100
the world's best dumb terminal
 
The following users thanked this post: Dundarave

Online Andreax1985

  • Regular Contributor
  • *
  • Posts: 64
  • Country: it
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #93 on: January 21, 2019, 01:00:43 am »
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

More importantly, someone mentioned a slight hardware difference in the analog front end of 1104x-e and 1204x-e. So, even if I can make my 1104 'think' he is a 1204, how can I make up for the hardware difference?
« Last Edit: January 21, 2019, 01:03:39 am by Andreax1985 »
 

Offline ewaller

  • Contributor
  • Posts: 23
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #94 on: January 21, 2019, 02:45:28 am »
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

It is not an option one can purchase.  The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as.  It is supposed to be immutable.  What is not known is whether there are any inherent differences in the hardware platforms?  For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope?  I don't think so.   But, if one changes the configuration, and the scope well enough works at 200 MHz, why not?  Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.   
 

Online Andreax1985

  • Regular Contributor
  • *
  • Posts: 64
  • Country: it
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #95 on: January 21, 2019, 02:52:05 am »
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

It is not an option one can purchase.  The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as.  It is supposed to be immutable.  What is not known is whether there are any inherent differences in the hardware platforms?  For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope?  I don't think so.   But, if one changes the configuration, and the scope well enough works at 200 MHz, why not?  Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.   

So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
 

Offline ewaller

  • Contributor
  • Posts: 23
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #96 on: January 21, 2019, 02:58:48 am »
So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
No arguments from me there.  I did opt for the 1204x-e.  All I can say is that I cannot back my assertion that they may not be the exact same platform -- they could be.  But, I will stand behind my assertion that the calibration is not valid for a 1104x-e at 200 MHz
 

Offline vtwin@cox.net

  • Regular Contributor
  • *
  • Posts: 125
  • Country: us
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #97 on: January 21, 2019, 06:47:48 am »
So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.

How can I word this correctly... umm... well, let's just say if you *need* 200mhz (with the associated calibrated accuracy) then spend the couple extra hundred, since (perhaps) your livelihood depends on it.

On the gripping hand, if you're just messing around with the scope in your shack, and that calibrated accuracy is not that important... why not?

Assuming of course the hardware platforms are different... which I doubt. I'm willing to wager the scopes are identical, and all that changes is the sticker on the front of the case and the bandwidth license pre-installed.

Much akin to how Windows now has several versions, all of which are on the DVD, but the features available to the user depends on the product key used to activate the product.
A hollow voice says 'PLUGH'.
 

Offline Dundarave

  • Contributor
  • Posts: 40
  • Country: ca
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #98 on: January 21, 2019, 07:40:43 am »
Thanks for the clarifications, I've now got a much better understanding of how the key mechanism works.  Trying to assimilate that combined knowledge from all the various thread posts was a challenge, and perhaps my questions & your answers have helped others as confused as I.

One more question on the same topic: I am also curious as to how the "option keys" work for the Wifi, MSO and AWG modules.  In the normal course of events, if I were to buy an AWG for example, how would the key needed to activate my scope to use the AWG be communicated to me (assuming that the option key itself is unique to my scope)?  Does the AWG itself communicate/handshake with the scope to authorize its use?  Would there be a piece of paper with the AWG that contains a code that needs to be entered somehow?

And why the need for an option key at all?  Is it just a function of wanting to prevent knock-off Wifi, MSO, and AWG modules from working with the scope?  If you have to pay for the module anyway, I can't see any other reason for needing an option key mechanism in the first place.

Thanks again -
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 14037
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Unlocking Siglent SDS1104X-E, step by step
« Reply #99 on: January 21, 2019, 08:49:29 am »
The SAG1021 AWG can be thought as 2 units if you like, one for Bode plot usage where NO licensing is required and as a reasonably well featured AWG controlled from within the scope UI. For that functionality you do need the licensing.

Edit to add; Only once the trial licenses have expired is any option licensing required.
« Last Edit: January 21, 2019, 10:18:40 am by tautech »
Avid Rabid Hobbyist
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf