EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: Fungus on August 31, 2018, 06:06:03 pm

Title: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on August 31, 2018, 06:06:03 pm
This is an unofficial guide on how to unlock 200Mhz bandwidth on SDS1104X-E oscilloscopes, effectively turning them into SDS1204X-Es.

The steps are: (courtesy of user SMB74 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1789175/#msg1789175))

Here was my process

1.) Format a USB flash drive to FAT32

2.) Load the flash drive with the SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18) by downloading it from the Siglent website (https://www.siglentamerica.com/download/6422/) and unzipping it onto the flashdrive.

3.) Once the file is loaded, install the firmware onto the oscilloscope by following the instructions in the PDF included in the firmware zip file.  Verify the correct firmware version is installed using the menus within the Utility button, and take note of the model number (should read SDS1104X-E)

4.) Once the firmware has been installed on the scope, reformat the flash drive to FAT32 and unzip the SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18) after downloading it from the Siglent website (https://www.siglentamerica.com/download/6158/).

5.) Install the software update onto the oscilloscope by following the instructions in the PDF included in the firmware zip file.  Reboot the scope and verify the correct software version is installed using the menus within the Utility button.

6.) Download the custom operating system file (https://www45.zippyshare.com/v/SEUJEWE1/file.html) that possesses the known telnet password.  Unzip it onto a USB drive and install it just as you installed the stock software file from the Siglent website.  NOTE: Some computers do not correctly load the software file onto the USB drive, thus preventing the scope from updating from the stock software to the custom software.  I have experienced this problem personally.  If this occurs, try loading it onto the USB from a different computer.  I had success using a Raspberry Pi to load the custom software onto the USB.

7.) After installing the custom software, plug the oscilloscope into your router with an ethernet cable, and telnet into the scope on port 23. MOst operating systems have a built-in telnet client, try opening a command shell and type "telnet". If that doesn't work then you may have to install a third party client like "PuTTY" (https://en.wikipedia.org/wiki/PuTTY).

User: root
Password: eevblog

8.) Once in the scope via telnet, execute the following commands:

mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
sync

9.) Reboot the scope (eg. by typing "shutdown -r now") and verify that the model number displayed in the Utility button menus has been updated to show an SDS1204X-E

Now the scope should have 200MHz bandwidth.

EDIT: Thanks ian.ameline for the link to a download source for the custom software. I have updated step 6 with this information.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: gedong on August 31, 2018, 06:13:41 pm
plus a video will be great.


start from here from what i observe.
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: BillB on August 31, 2018, 07:58:56 pm
Ian posted the most concise instructions for the bandwidth upgrade in that thread:

1. Update with the OS update with the known root password.

2. telnet to the scope, and log in as root.

3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak

4. Reboot

I don't think there has been a definitive consensus on unlocking the other options without option codes?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on August 31, 2018, 08:12:12 pm
plus a video will be great.


start from here from what i observe.
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)
Yep like that and similar for SSA too.(mentioned in SSA hack thread)
There are other/better ways too.  :-X
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on August 31, 2018, 08:36:53 pm
Ian posted the most concise instructions for the bandwidth upgrade in that thread:

1. Update with the OS update with the known root password.

a) Which you get.... where?
b) How do you install it?

2. telnet to the scope, and log in as root.

a) Telnet port #?

3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak

4. Reboot

Is that definitively all it takes? I've read a few places that there's some weird aliasing at high frequencies that isn't in the real 200Mhz version of the 'scope, that maybe something else needs tweaking.

To me it seems weird that you'd hide the bandwidth.txt file instead of modifying it (if I were a Siglent firmware writer I'd default to low bandwidth when the file is missing)

I don't think there has been a definitive consensus on unlocking the other options without option codes?

You mean the "software" part of the AWG, MSO and WiFi options?

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on August 31, 2018, 08:37:10 pm
Here was my process

1.) Format a USB flash drive to FAT32

2.) Load the flash drive with the SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18) by downloading it from the Siglent website (https://www.siglentamerica.com/download/6422/) and unzipping it onto the flashdrive.

3.) Once the file is loaded, install the firmware onto the oscilloscope by following the instructions in the PDF included in the firmware zip file.  Verify the correct firmware version is installed using the menus within the Utility button, and take note of the model number (should read SDS1104X-E)

4.) Once the firmware has been installed on the scope, reformat the flash drive to FAT32 and unzip the SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18) after downloading it from the Siglent website (https://www.siglentamerica.com/download/6158/).

5.) Install the software update onto the oscilloscope by following the instructions in the PDF included in the firmware zip file.  Reboot the scope and verify the correct software version is installed using the menus within the Utility button.

6.) Download the custom operating system file (https://www45.zippyshare.com/v/SEUJEWE1/file.html) that possesses the known telnet password.  Unzip it onto a USB drive and install it just as you installed the stock software file from the Siglent website.  NOTE: Some computers do not correctly load the software file onto the USB drive, thus preventing the scope from updating from the stock software to the custom software.  I have experienced this problem personally.  If this occurs, try loading it onto the USB from a different computer.  I had success using a Raspberry Pi to load the custom software onto the USB.

7.) After installing the custom software, plug the oscilloscope into your router with an ethernet cable, and telnet into the scope on port 23 using the known password.

8.) Once in the scope via telnet, execute the following commands:

mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak

9.) Reboot the scope, and verify that the model number displayed in the Utility button menus has been updated to show an SDS1204X-E

Now the scope should have 200MHz bandwidth.  I have verified that mine possesses this bandwidth using a very reliable, stable signal generator (Fluke 6061A)

EDIT: Thanks ian.ameline for the link to a download source for the custom software. I have updated step 6 with this information.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on August 31, 2018, 08:52:18 pm
The OS with the known password can be found here; https://www45.zippyshare.com/v/SEUJEWE1/file.html

The instructions above are accurate.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on August 31, 2018, 08:56:13 pm
Ian posted the most concise instructions for the bandwidth upgrade in that thread:

1. Update with the OS update with the known root password.

a) Which you get.... where?
b) How do you install it?

2. telnet to the scope, and log in as root.

a) Telnet port #?

3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak

4. Reboot

Is that definitively all it takes? I've read a few places that there's some weird aliasing at high frequencies that isn't in the real 200Mhz version of the 'scope, that maybe something else needs tweaking.

To me it seems weird that you'd hide the bandwidth.txt file instead of modifying it (if I were a Siglent firmware writer I'd default to low bandwidth when the file is missing)

I don't think there has been a definitive consensus on unlocking the other options without option codes?

You mean the "software" part of the AWG, MSO and WiFi options?

- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions

- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.

- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.

- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: PhilipPeake on August 31, 2018, 10:37:16 pm
Does this work for the SDS1102X ?
Presumably it would need different hacked software?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 07:30:41 am
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions

- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.

Nice attitude.

Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).

- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.

Nobody's doubting the bandwidth increases but some people claim to have noticed weird aliasing (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1624537/#msg1624537) or that the capacitors (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613386/#msg1613386) are different.

Those problems might be just the probes (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1619152/#msg1619152). It's reasonably well known that cheap-ass probes start to go to hell around 250MHz and one of the differences between the two models is that you get much better probes with the 200MHz version.

If it is the probes then a new set of probes should probably be thrown into the upgrade mix, that puts the price of the "hacked" version up by $100.

Food for thought, yes?

- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.

How do you explain the fact that the 'scope is only eight months old but you already need to download old firmwares to be able to do it, that newer firmwares don't work? What happens if Siglent decides to encrypt that file and make it default to 50Mhz when it's missing? It is *very* easy to make it much harder. :popcorn:

(and what happens when Siglent removes that old firmware from their web site?)

PS: Nowhere near as easy as a Rigol (neener neener).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 07:50:51 am
Quote
3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak

4. Reboot

Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
I'm, not at all linux expert (far away) so I can not my self think when it is important exactly and when not, so I use it nearly always. In some cases it is extremely important, in some cases perhaps not so important and always we can try walk with just trusting good luck.

3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak
   sync

4. Reboot

Perhaps some who really know could take position to this with reasoning.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 07:56:33 am
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.

Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.

(take note, ian.ameline).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 08:11:55 am
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.

Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.

(take note, ian.ameline).
Just because this bolded...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 08:33:40 am
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions

- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.

Nice attitude.

Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).


If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15.  L=23

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 08:52:35 am
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15.  L=23

I don't think "RTFM!" should be used in a "step by step" guide - this is the FM.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bugi on September 01, 2018, 10:35:47 am
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15.  L=23

I don't think "RTFM!" should be used in a "step by step" guide - this is the FM.
Yes, and if this FM would not mention port, then obviously, the less than experienced user would not write it in the command either, so the command ends up using the default port, which thus works. A more experienced user would already know that if the port is the default, it is typically left out from instructions, (and that if it is not default, it is shown). Thus, the earlier version without the port number was quite sufficient, and this nitpicking about port number is just that, useless nitpicking.

Otherwise  :-+, points for making the push to get those instructions done clearly in one place, instead of the typical spread of bits and pieces in here and there over 3 threads and 10 pages among all the other messages. Certainly makes it easier than before.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 11:14:56 am
Sometimes it is easy forget that not all peoples have used telnet at 80's ;)
So it is perhaps good to tell (but also most of good telnet client do it as default, as example many times recommended PuTTY or just plain  puttytel.exe (a Telnet-only client) )
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on September 01, 2018, 11:51:08 am
http://lmgtfy.com/?q=default+telnet+port (http://lmgtfy.com/?q=default+telnet+port)

If you're too lazy to use google, I really don't know how to respond. You may have chosen the wrong hobby if you expect someone else to do all the work for you.

There -- now my attitude is clear.


- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions

- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.

Nice attitude.

Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).

- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.

Nobody's doubting the bandwidth increases but some people claim to have noticed weird aliasing (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1624537/#msg1624537) or that the capacitors (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613386/#msg1613386) are different.

Those problems might be just the probes (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1619152/#msg1619152). It's reasonably well known that cheap-ass probes start to go to hell around 250MHz and one of the differences between the two models is that you get much better probes with the 200MHz version.

It it is the probes then a new set of probes should probably be thrown into the upgrade mix, that puts the price of the "hacked" version up by $100.

Food for thought, yes?

- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.

How do you explain the fact that the 'scope is only eight months old but you already need to download old firmwares to be able to do it, that newer firmwares don't work? What happens if Siglent decides to encrypt that file and make it default to 50Mhz when it's missing? It is *very* easy to make it much harder. :popcorn:

(and what happens when Siglent removes that old firmware from their web site?)

PS: Nowhere near as easy as a Rigol (neener neener).

What if purple monkeys fly out of my ass? What if, what if, what if.

You asked for the hack -- we gave it to you. Now you complain. Again, you probably should take up golf instead.

Cheers...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on September 01, 2018, 11:58:59 am
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.

Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.

(take note, ian.ameline).

Good point -- I tend to assume people around here who poke around with electrons aren't lazy idiots, and research perhaps even a little background knowledge before poking their meat-probes at things they may have little experience with -- clearly an unexamined assumption -- google must be too hard to use.

But in the case here, buffers are flushed pretty quickly -- you'd need to power cycle within milliseconds to have a problem, and even then, you'd have to get really unlucky (in a microsecond wide window) to get an inconsistent state in the flash. I doubt you could make it happen by trying.


Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 12:07:02 pm

http://lmgtfy.com/?q=default+telnet+port (http://lmgtfy.com/?q=default+telnet+port)

If you're too lazy to use google, I really don't know how to respond. You may have chosen the wrong hobby if you expect someone else to do all the work for you.

Um, the question was whether Siglent uses the standard port, not if I (or somebody who doesn't spend their lives using green-screen Linux) can google what the standard port is.

There -- now my attitude is clear.

Crystal.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 12:13:37 pm
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 12:32:55 pm
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)

Why lazy people should be fed.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on September 01, 2018, 01:21:58 pm
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)

Let's just say that if you are a regular eevblog reader, you are typing the password every day.

As regards the concern that you are restricted to using the outdated firmware to perform the bandwidth upgrade, it is possible to modify any firmware revision yourself and insert your own custom password. You can follow the posts by janekivi & tv84 in the Siglent .ads file thread where the process is described in detail.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 01:51:54 pm
As regards the concern that you are restricted to using the outdated firmware to perform the bandwidth upgrade, it is possible to modify any firmware revision yourself and insert your own custom password. You can follow the posts by janekivi & tv84 in the Siglent .ads file thread where the process is described in detail.

I'm more worried that in the future the 'scope might not default to 200Mhz when the bandwidth.txt file is missing.

(eg. it could just as easily default to 50MHz...  :popcorn: )
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 01, 2018, 02:40:43 pm
Although I disagree with the way the OP has been conducting this process, I would like to add my 2 cents to the benefit of the whole forum:

All must realize that the method described previously (removing the bandwidth.txt) triggers the activation of the PRO_MODE in the scope (which is the "Production Mode"). This mode enables all the Options and the BW to the max possible.

This mode can, in fact, be easily disabled in future FW versions and/or Siglent can change it to trigger the activation of the lowest BW instead of the highest. Maybe they use the highest precisely to evaluate the full potential of the equipment before leaving factory...

The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipments). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.

I leave a small "easter egg" attached that does the following:

Code: [Select]
sync
mount -o sync,rw,remount /usr/bin/siglent/firmdata0/
sync

mv /usr/bin/siglent/firmdata0/bandwidth.txt /usr/bin/siglent/firmdata0/bandwidth.bak

sync
mount -o sync,ro,remount /usr/bin/siglent/firmdata0/
sync

which means it replaces all the steps described previously in this thread without the need to change FS root password, etc.

Execute it as a normal update. It should be run after the scope is running and you should reboot after. For security reasons it won't overwrite any existing bandwidth.bak so that you can keep the original (in case people run it multiple times).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on September 01, 2018, 09:28:13 pm
This is an unofficial guide on how to unlock 200Mhz bandwidth on SDS1104X-E oscilloscopes, effectively turning them into SDS1204X-Es....................


Warning: The PP510 (https://store.siglentamerica.com/product/pp510-1000-mhz-oscilloscope-probe/) probes that are supplied with the SDS1104X-E are 100MHz probes. If you intend to make use of the 200Mhz bandwidth then you need to spend an extra $100 and get a set of real 200Mhz probes, eg. the PP215 (https://store.siglentamerica.com/product/pb215-150-mhz-oscilloscope-probe/) probes that are supplied with the SDS1204X-E.

If you don't do this then you won't have 200MHz bandwidth and you may get misleading readings on screen. You have been warned.
Scaremongering BS !  :bullshit:
Some ppls just don't/won't do their homework !  ::)
Or don't have a clue.  :-//

It is clearly seen PP510 and PP215 probe performance combined with scope performance is well within system specification !

(https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/?action=dlattach;attach=397963)

From this post:
https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665 (https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: janekivi on September 02, 2018, 08:06:02 am
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)
Then this not for those everybody.

"If you don't know the password, you are not qualified to hack your equipment!"
Password is our signature and made for us only. We don't speak about it loud everywhere.
You must be one of us. If you are, you have been here and you know things. If not...
you are not qualified to hack your equipment.
And even if strangers outside can use them, they can't spread them without our mark.

If this is too much asked and you just need all options and bandwidth, buy them!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bsas on September 24, 2018, 12:33:54 am
By the way, those "ZippyShare" links are not working at all for me (in my region). Don't know if I need VPN for this or not. If someone can provide me the file, I can try to put on another shared folder for plp with my issue... Thanks!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on September 27, 2018, 11:30:37 am
The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipments). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.

Okay, I'm attempting to follow this alternative path to unlock my brand new 1104X-E (delivered w/ 7.1.6.1.25R2) and I've encountered a problem/questions.

I loaded SS1004X-E_OSV1_EN_eevblog on a thumbdrive, and uploaded my scope.

I logged in via telnet, and executed the following:

cd /usr/bin/siglent/usr/mass_storage/U-disk0
cat /dev/mem > memdump.bin

this yields an error:

cat: read error: Bad address

the resulting file:

/usr/bin/siglent/usr/mass_storage/U-disk0 # ls -l memdump.bin
-rwxr-xr-x    1 root     root     251658240 Jan  1 00:22 memdump.bin

so I end up w/ a file 240MB in size (240*1024*1024)

yielding the question

(1) "is this expected?"  (e.g. both the error, and the resulting file size.)

If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and  b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So

(2) does anyone know what the license codes actually look like (e.g. should they be hexadecimal only? or can they include non-hex alphanumerics?)

(3) should I be attempting to enter the codes at this point, or should I be doing something else before I attempt it (e.g. perform a different update, etc.) and THEN try the codes?

Thanks,
Vin
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2018, 03:52:59 pm
1.  :-+

2. See my example.

3. Try codes.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on September 27, 2018, 05:48:49 pm
Of the 90+ sets of upper or lowercase characters/digits, only 6 appear to be random -- the remaining contain English words, which makes me believe they are part of the OS.

The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.

I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Taaning on September 27, 2018, 06:27:11 pm


If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and  b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So



Any chance you could share how you run the memdump.bin in the C# script?

Thank you :-)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2018, 08:09:02 pm
The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.

But they could be BW licenses... ;)

Quote
I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)

You're getting there! If you carefully RTFM it suggests:  "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halfs of 32-char size strings..."
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2018, 08:13:05 pm
Any chance you could share how you run the memdump.bin in the C# script?

 :wtf:  Have you even looked at the script?

byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Taaning on September 27, 2018, 08:20:33 pm
Any chance you could share how you run the memdump.bin in the C# script?

 :wtf:  Have you even looked at the script?

byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");

Of course I have looked at the the script :-) I am not a programmer apart from some arduino stuff. I am sorry.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on September 27, 2018, 09:00:39 pm
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:

Code: [Select]
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace TestApp
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");

            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
                for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                    if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
                         ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
                         buffer[i] != ('L' + l) &&
                         buffer[i] != ('O' + l))
                    {
                        if (strSize == 16)
                            Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                        strSize = 0;
                        strStart = i + 1;
                    }
                    else strSize++;
            Console.ReadKey();
        }
}

change hard-coded filename if you like, or, perhaps, modify code to use args[1] compile and run.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on September 27, 2018, 09:53:03 pm
If you carefully RTFM it suggests:  "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halfs of 32-char size strings..."

I did see this, but I'm having a difficult time grokking exactly what you mean.

Assuming I have the following:

0819ABBB     8ki7-axhk-yilk-bdgy
0819ABDB     8ki7-axhk-yilk-bdgy
0819ABFB     8ki7-axhk-yilk-bdgy

I interpreted the clause as meaning I should try "yilk-bggy-8ki7-axkh' in addition (which didn't work).

I also tried "axhk-yilk-bdgy-8ki7" and "bdgy-8ki7-axhk-yilk" without success.

Or, should I be trying all combinations, e.g. ki7a-..., i7ax..., 7axh..., shifting each character at a time, like a rotate w/ carry?

Is there an easier way to try license codes, other than keying them in though the intensity/adjust/select dial (e.g. through the telnet interface?)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Taaning on September 29, 2018, 01:27:50 pm
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:

Code: [Select]
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace TestApp
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");

            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
                for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                    if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
                         ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
                         buffer[i] != ('L' + l) &&
                         buffer[i] != ('O' + l))
                    {
                        if (strSize == 16)
                            Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                        strSize = 0;
                        strStart = i + 1;
                    }
                    else strSize++;
            Console.ReadKey();
        }
}

change hard-coded filename if you like, or, perhaps, modify code to use args[1] compile and run.

Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help  8)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on October 08, 2018, 01:41:12 am
Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help  8)

For some real fun, check out these GitHub repositories:

https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys


Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on October 08, 2018, 03:11:33 am
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)

Skill level: Easy/Moderate

Risk: Slim to none.

Assumptions: You know the root password to your scope.

Steps:

1. download full armv7l version of busybox which has core dump enabled.
    see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l

2. put version on thumb disk

3. reboot scope to known state

4. telnet to scope and log in as root

5. insert usb stick

6. copy busybox binary from usb to /tmp:
    cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp

7. unmount and remove usb
    umount /usr/bin/siglent/usr/mass_storage/U-disk0   
    (and then remove usb stick)

8. identify and kill existing sds1000b.app
    ps -ef | grep sds | awk  '{printf "kill -9 %s\n", $1}' | ash

9. change to /tmp directory:
    cd /tmp

10. launch new busybox ash shell
    /tmp/busybox_armv7l ash
   (when you press enter it looks like nothing happens, but something does)

11.  re-launch scope app in new busybox environment in background
      /usr/bin/siglent/sds1000b.app &

12. increase core dump ulimit to unlimited:
      ulimit -c unlimited
you can verify new limit by typing
      ulimit -c
and you should get a response "unlimited"

12. kill scope app again, telling OS to create a core dump of the app:
      ps -ef | grep sds | awk  '{printf "kill -ABRT %s\n", $1}' | ash

13. wait a few seconds, and press enter once or twice. you should see:
[1]+  Aborted (core dumped)      /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3

14. verify core dump is in /tmp:
      ls /tmp/core*
you should see something like this:
-rw-------    1 root     root     377511936 Jan  1 00:14 /tmp/core
if not, you did something wrong, go to step #3

15. exit out of usb version of busybox shell
     exit
(it will look like nothing happens when you press enter, but, something does)

16. re-launch Siglent scope application. See Step #11

17. insert usb drive

18. copy core dump to thumb drive
     cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, its a big file)

19. unmount usb stick and remove (see step #7)

20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.

21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.

22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings. These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.

23. You can license a different bandwidth by typing MCBD (license key)  at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.

24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.

25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.

26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.

27. Write keys down in a safe place so you do not lose them again.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bitseeker on October 08, 2018, 03:42:05 am
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course).

...

27. Write keys down in a safe place so you do not lose them again.

I promise I won't lose my keys again. ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: nicolasg on November 13, 2018, 09:46:31 pm
Thanks for all the info posted here and in the firmware thread. The sample code really helped show me where in the memory dump to look for things and how they are stored. I can see patterns related to the restored keys location and surrounding data, hoping to make sense of it and then make the key backup better/easier.

Some tips...
1) A simple memdump is all you need to grab for trying to backup your keys. (In my case I didnt have to do a coredump)
2) The FindKeys/TryKeys code works very well.
3) Backup the whole "siglent" folder to your USB stick just in case.


I got sidetracked and started digging into the firmware files.
The webserver is very interesting, its lighthttpd with php 5.
They made a custom c module (.so) to handle communicating between the web front end and the hardware. AJAX scpi commands + more is possible.
Did you know, to change from english to chinese they do a file copy/move of php files around ? interesting.
The visual is via a custom/modified VNC server with websockets support. On the client its using the noVNC library, which for some reason has a quicker refresh rate and much faster updates than a real vnc client.


Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bugmenot on November 18, 2018, 07:47:23 am
I posted this in the general SDS1104/1204X-E thread, but was directed here. If you have a memory dump from their SDS1000X-E and want to parse it for keys, the Python function to do it. It works with all dumps from my oscilloscope (1104X-E), but I only have the one. It'd be great to hear if it works for others.

Code: [Select]
import re
import string

def getkeys(scopeid, serialno, memdumpfile):
    """
    Parse a memory dump from a Siglent 1000X-E oscilloscope and return a dict containing
    license keys for bandwidths and options. The 'activebw' key is the one that is currently
    active in the 'scope (e.g. if the value of '100M' is the same as the value of 'activebw',
    the oscilloscope is software locked to 100 MHz bandwidth)
    """
    if len(scopeid) == 16 and set(scopeid) <= set(string.hexdigits):
        scopeid = scopeid.lower().encode('utf-8')
    else:
        raise ValueError('Scope ID must be 16 hexadecimal characters (remove dashes).')
   
    if len(serialno) == 14 and set(serialno) <= set(string.ascii_letters + string.digits):
        serialno = serialno.upper().encode('utf-8')
    else:
        raise ValueError('Serial number must be 14 alphanumeric characters.')

    f = open(memdumpfile, 'rb')
    data = f.read()
    f.close()

    regex_bw = re.compile(scopeid + b'.*?'+ scopeid + b'.*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16})', re.DOTALL)
    regex_opt = re.compile(serialno + b'.*?' + serialno + b'.*?([0-9A-Z]{48})', re.DOTALL)
   
    key_bw = list([n.decode('utf-8') for n in re.findall(regex_bw, data)[0]])
    key_opt = re.findall('.{16}', re.findall(regex_opt, data)[0].decode('utf-8'))
   
    keys = {}
    key_labels = ('100M', '200M', '50M', '70M', 'activebw', 'awg', 'wifi', 'mso')
    keys.update(zip(key_labels, key_bw + key_opt))

    return(keys)

As nicolasg posted, a simple cat /dev/mem worked well for me - I didn't need to trigger a core dump.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: jacknife on November 25, 2018, 04:34:32 am
Hello, i have a simple question last month i've updated to SDS1004X-E Firmware (4-Channel Model)- 6.1.26 (Release Date 09.26.18 ) do I have to downgrade to 6.1.25R2 before the unlock ?

thanks !  ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on November 25, 2018, 07:17:39 am
Thanks for this guys, VT100s guide has a few typos, but worked well.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on November 25, 2018, 10:08:52 am
Hello, i have a simple question last month i've updated to SDS1004X-E Firmware (4-Channel Model)- 6.1.26 (Release Date 09.26.18 ) do I have to downgrade to 6.1.25R2 before the unlock ?

thanks !  ;D

No.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on November 25, 2018, 06:03:39 pm
Thanks for this guys, VT100s guide has a few typos, but worked well.

if you email me the typos I can update so things are correct. sometimes my brain and hands work at different speeds so what I am thinking and what comes out on the screen are two different things.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on December 06, 2018, 04:48:55 am
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)

Skill level: Easy/Moderate

Risk: Slim to none.

Assumptions: You know the root password to your scope.

Steps:

1. download full armv7l version of busybox which has core dump enabled.
    see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l

2. put version on thumb disk

3. reboot scope to known state

4. telnet to scope and log in as root

5. insert usb stick

6. copy busybox binary from usb to /tmp:
    cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp

7. unmount and remove usb
    umount /usr/bin/siglent/usr/mass_storage/U-disk0   
    (and then remove usb stick)

8. identify and kill existing sds1000b.app
    ps -ef | grep sds | awk  '{printf "kill -9 %s\n", $1}' | ash

9. change to /tmp directory:
    cd /tmp

10. launch new busybox ash shell
    /tmp/busybox_armv7l ash
   (when you press enter it looks like nothing happens, but something does)

11.  re-launch scope app in new busybox environment in background
      /usr/bin/siglent/sds1000b.app &

12. increase core dump ulimit to unlimited:
      ulimit -c unlimited
you can verify new limit by typing
      ulimit -c
and you should get a response "unlimited"

12. kill scope app again, telling OS to create a core dump of the app:
      ps -ef | grep sds | awk  '{printf "kill -ABRT %s\n", $1}' | ash

13. wait a few seconds, and press enter once or twice. you should see:
[1]+  Aborted (core dumped)      /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3

14. verify core dump is in /tmp:
      ls /tmp/core*
you should see something like this:
-rw-------    1 root     root     377511936 Jan  1 00:14 /tmp/core
if not, you did something wrong, go to step #3

15. exit out of usb version of busybox shell
     exit
(it will look like nothing happens when you press enter, but, something does)

16. re-launch Siglent scope application. See Step #11

17. insert usb drive

18. copy core dump to thumb drive
     cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, its a big file)

19. unmount usb stick and remove (see step #7)

20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.

21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.

22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings. These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.

23. You can license a different bandwidth by typing MCBD (license key)  at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.

24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.

25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.

26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.

27. Write keys down in a safe place so you do not lose them again.


So it looks like the coredump utility of the ARM7L busybox file you linked us has not been enabled (at least according to the log file on that website).  Does anyone have a compiled version of busybox with coredump enabled?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 06, 2018, 10:40:30 am
The linked version did dump for me, I just had to kill it 3 times, third time worked.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on December 06, 2018, 02:43:25 pm
Which kill worked the third time? The first process kill or the second one after BusyBox was running? What was the procedure that worked for you?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: jgreco on December 06, 2018, 04:03:33 pm

For some real fun, check out these GitHub repositories:

https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys


Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)

This is almost awesome and almost worked swimmingly well.

The Tek 475 here decided to go traceless.  I'd been sorely tempted by the low end Rigol for the last few years, but the Siglent at 200MHz with four channels felt like a more compelling addition.  Don't need the 200MHz, don't actually need any of the other features either, don't even use a scope often anymore, but it's always fun to hack, and being able to log in to your devices to poke around is fun.  Aside from not immediately figuring out that the unit came with DHCP disabled, all of that went very well and I had the eevblog-modified OS loaded and running without much ado.

However, when I got to the github projects above, my code development environment is much closer to working on a VT100 than it is a PC with an IDE.  There was a little irony that a user with a handle of VT100 posted a bunch of Microsoft-dependent stuff.  I didn't have Visual Studio loaded anywhere, and how to use it wasn't entirely clear to me, as my development environment is usually just vi, cc, make, and the rest of the UNIX stack.  I figure if someone who's written tons of C had issues figuring this out, maybe non-developers or other old UNIX farts might have trouble too.  If this turns out to be helpful to someone, here's a few notes, hard won through about eight hours of persistence and one trashed VM, hopefully a clue or two for anyone similarly clueless-ish about Visual Studio:

Visual Studio is huge.  It almost overflowed my 50GB Windows lab VM's.  I installed Visual Studio Community 2017 with the Visual Studio Installer downloaded from Microsoft.  Under "Workloads" I had it install .NET Desktop Development, Desktop development with C++, and .NET Core cross platform development.  I also selected "NuGet targets and build tasks" under "Installation details" the second time around, because something went tragically wrong with my first VM, and NuGet wasn't working correctly.  Some of these selections are needlessly sloppy, I'm sure.

Once in Visual Studio 2017, I went to "File -> Open -> Open from Source Control", plugged in the FindKeys github URL, and it picked it up, bringing up a "Solution Explorer" window.  After spending some time looking around and wondering where a "build" button or key was, I opened "Program.cs" in the editor to look at it and suddenly "Build" became available in the menu bar.  Yay for obtuseness.  It built the FindKeys.dll just fine, depositing it in C:\Users\username\source\repos\FindKeys\bin\Debug\netcoreapp2.1, so I just moved the memory dump bin file to that directory and ran it there, and it worked.

At this point, things went off the rails unrecoverably on the first VM.  I tried to do the same process for TryKeys and it went seriously sideways.  It needed a package called "LiteGuard" and I couldn't figure out how to install it.  For whatever reason, NuGet was broken and unusable in the first VM.  Being unfamiliar with the tool and thinking myself just too dumb for modern tools, I wasted several hours stuck trying to remediate that.  Install-Package simply wasn't there or was broken or something.  So I switched to a different lab VM, installed Visual Studio again, and went to do TryKeys again.

This bombed as the build still needed "LiteGuard".  Trying to install that, it refused.  It really wanted a project name.  So I knew I wasn't really doing this correctly, but I didn't really care, so I exited out of VS to dump the mess, launched VS again, did "New -> Project from Existing Code", specified "Visual C#", pointed the dir at C:\Users\username\source\repos\TryKeys, and named it "TryKeys".  Then I was finally able to successfully go to "Tools -> NuGet Package Manager -> Package Manager Console" and entered

PM> Install-Package LiteGuard -Project TryKeys

It still presented an error but it seemed to complete, so I again opened Program.cs, ran "Build", and it built, and ran great.

Y'all are welcome to explain in excruciating detail how I made this more complicated than needed or went about it entirely the wrong way.  :-)  I just felt it would be a shame if the effort put into these two fine Siglent tools was not accessible to someone without any coding experience.  Thanks for the tools.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 06, 2018, 07:23:31 pm
My process was get to the point where you kill the application, step 12, then fire up the process again, step 11, then using "PS -A" to find its new PID, and "kill -ABRT <PID>" It was my third loop of starting and killing it that got me a core dump.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on December 07, 2018, 12:55:40 am
There was a little irony that a user with a handle of VT100 posted a bunch of Microsoft-dependent stuff.

I wanted to learn .netcore and this was my first .net core application.

Quote
Visual Studio is huge.  It almost overflowed my 50GB Windows lab VM's.

if someone makes a pre-compiled version available then you could get away with installing the .dot core runtime, which is significantly smaller, and would run on linux.  .dotcore apps will compile and run on linux, allegedly.

Quote
It needed a package called "LiteGuard" and I couldn't figure out how to install it.

I have absolutely no idea what LiteGuard is. It wasn't a nuget package I used, but it does show up in project.assets.json now that I look. Perhaps it was a dependency of another nuget package I used in TryKeys which I didn't use in FindKeys -- e.g. the telnet library, for instance.

It was my third loop of starting and killing it that got me a core dump.

Strange thing is, I get a core dump each and every time, on the first try. I have no explanation as to why others have problems getting a core dump. Maybe I'm lucky.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: plurn on December 15, 2018, 06:15:40 am
I think I found an easier way to get the mem dump. I did this without needing to set a known root password.

I did this with a stock standard unhacked new SDS1104X-E software version 8.1.6.1.26. Some notes:

Insert a USB thumb drive formatted appropriately for the SDS1104X-E
Using the SCPI control of the web interface, put the following command (or similar depending on what filename you want):

SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

Wait a minute or more for it to complete - it needs to copy a 256 megabyte file

cleanly shutdown the SDS1104X-E (with the power button on the front)

You can now move the USB thumb drive to a pc. There should be a memdump.bin file on there. You can follow other people already mentioned processes to extract keys from this. I used vt100's instructions from step 20 onwards here: https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1877477/#msg1877477 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1877477/#msg1877477)   Thanks vt100. I used the free "Hex Fiend" on macos as the Hex editor but I expect any would do.

Thanks to Rerouter for letting me know about the "SHELLCMD" SCPI command https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2041069/#msg2041069 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2041069/#msg2041069).

Also thanks to everyone who provided procedures for extracting keys.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 15, 2018, 06:38:38 am
I should point out the memdump is slightly different to the core dump.

the core dump has the licenses loaded in somehow, (havent actually looked into it). while the memdump is just the application file.
so you cannot unlock at present with just the system file.

The other issue is if you tried to get a core dump, well the web interface is run by the system app, so once it crashes, the interface locks up.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: plurn on December 15, 2018, 06:47:39 am
I should point out the memdump is slightly different to the core dump.

the core dump has the licenses loaded in somehow, (havent actually looked into it). while the memdump is just the application file.
so you cannot unlock at present with just the system file.

The other issue is if you tried to get a core dump, well the web interface is run by the system app, so once it crashes, the interface locks up.

With the file produced by the "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" command, I believe I found all the keys. I think /dev/mem includes all memory - not just the memory from an application core dump. I only tested the bandwidth key as I don't have a need for the other ones. Bandwidth key worked for me.


Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on December 15, 2018, 08:47:38 am
Coredump provides a continuous mem image.

/dev/mem provides a fragmented memory image (in blocks of 4kB or something), with "random" order. For me it's random, if anyone can explain the logic it would be GREAT!

They are not the same and that's why some manipulations need to be done in /dev/mem.

BUT, both ways provide the needed licenses.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 15, 2018, 08:55:34 am
well if you wanted to play it that way, there are very few strings that are only capitalized alphanumeric, at least 16 characters long and contain no symbols, so on that basis you may be able to filter down memory images to only relevant ASCII formatted strings,
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bugi on December 15, 2018, 11:11:39 am
/dev/mem provides a fragmented memory image (in blocks of 4kB or something), with "random" order. For me it's random, if anyone can explain the logic it would be GREAT!
I'm no kernel expert, but at least on "bigger CPUs" most kernels these days do some kind of memory space randomization (which is probably "corrected" in the page tables inside CPU) for security reasons. Malware have harder time looking for data or injecting code, since the desired locations are randomly somewhere... (That description is probably too simple, slightly misunderstood by me, etc. but... might explain the random order in the /dev/mem.  Something like this: https://en.wikipedia.org/wiki/Address_space_layout_randomization)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on December 15, 2018, 12:46:36 pm
I spent quite a bit of time on this, with tv84's guidance, so let me state the following.

cat /dev/mem will give you a memory dump of the scope's entire memory. That memory is managed by the operating system kernel, and is broken up into 4k chunks, aka "pages". The kernel memory manager allots those pages to each process, using a process only someone intimately family with the kernel would be able to explain. Suffice to say, for our purposes, we can assume that any given process running on the scope will be assigned memory pages in a completely random order, even though to the process itself they may appear to be contiguous, they really are not, as the kernel is actually managing the allotment of and access to memory.

(if someone intimately family with the kernel memory management process can tell me where in a memory dump the paging table is located, and how to extract information from it in order to "reorganize" the memory pages for a given process into a single contiguous chunk, feel free to email me, I always enjoy a good intellectual exercise in programming.)

In order to retrieve your license keys from a memory dump, you need to utilize the process (either automatically or manually) captured in the "FindKeys" and "TryKeys" .net Core applications posted on GitHub. The reason being the memory keys will more than likely be "fragmented" into multiple 4k pages of memory. You may have 1/2 of a key at the end of one 4k memory page, and the remainder of the key at the start of another 4k memory page (I personally observe this w/ my own scope and was taking screen shots of a winhex display of the memory dump when I was going back and forth with tv84). And, those key fragments may be located megabytes apart in the file, with the 2nd half actually being 'first' in the file and the 1st half of the key being towards the end of the file.

So what FindKeys does is it examines the memory dump and identifies strings which may possibly be part of a license key. When it identifies a partial candidate, it will combine that partial candidate with other partial candidates to create one or more candidates to try  (e.g. given the program finds one 8-character string A and another 8 character string B, it will create two candidates, AB and BA, to try.  Trykeys takes the file of potential keys and tries to implement them.

A core dump, however, is a contiguous snapshot of a processes' memory. When the core dump is created, the memory pages assigned to the scope process are all arranged in the correct order by the kernel. The process of creating a core dump is handled at the OS level thus the OS can organize the memory pages into the correct order as they are written to a core dump file. Thus with a core dump, the keys will be contiguous as they are represented in their actual underlying class structures and are easily discoverable using the 'shortcut' of using a hex editor to search for your serial # or scope Id.

Whenever possible, I encourage people to use the core dump method, it is cleaner and faster. However, understandably some folks have a problem getting a core dump (I cannot replicate this issue on my scope, each and every time I follow the posted 'process' in the previous post, I get a core dump, so I have no idea what makes my scope different from someone else's). For those who cannot get a core dump, then the memory dump/findkeys/trykeys route is their only option to recover the license keys they previously paid for and accidentally lost the paperwork on.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rhb on December 15, 2018, 11:59:58 pm
SIGABRT and SIGSEGV should produce a core dump, but Linux has the ability to prevent that via compile time options as well as other means I've not been able to sort out.  There is a core_dump_filter in /proc/<pid>, but I don't know any of the details.  I use Solaris like God intended whenever possible.

My use of Linux is like my use of Windows, it is only done under coercion.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: jazper on December 18, 2018, 07:23:41 am
My method was slightly different:

1. dump memory to fat32 formatted USB through web interface on 1104x-e - wait 1minute after performing this, then shut down the scope before doing anything else.
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

2. Compile find keys using Visual studio - https://github.com/Siglent/FindKeys

3. Run find keys on PC on the the memory dump - note you need to edit the config json.

4. Flash custom firmware with known telnet/root password ( https://www45.zippyshare.com/v/SEUJEWE1/file.html) - Follow instructions in pdf in the file. (note flash drive needs to be either 8gb or 32gb) - I tried to find a way to not do this, but it's the easiest way of getting root access.

5. Set up network on SDS1104x-e

6. Compile trykeys ( https://github.com/Siglent/TryKeys )

7. Use trykeys on a PC on the same network using the key file from findkeys, wait for reboot on 1104 - save the keys that are found - Note you need to edit the config json within findkeys

8. Update firmware to latest firmware from siglent
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on December 18, 2018, 10:42:25 pm
I think I found an easier way to get the mem dump. I did this without needing to set a known root password.
...
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

that worked for me as well (options and BW), tested with unhacked new SDS1204X-E software version 8.1.6.1.26
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: photomankc on December 19, 2018, 03:02:33 pm
Now we are talking.  I'd much rather avoid tinkering around with modded firmware.  I'll give this method a try.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: MartyMacGyver on December 25, 2018, 09:03:28 am
My SDS1104X-E arrived today with 7.1.6.1.25R2 (stock) on it.

After some fun (creating a wireless client bridge to get wired LAN handy, and using Ubuntu in a VM to format the flash drive for the Unixy flash boots) I was able to log in, run the commands, and rebooted.

At that point my model number went from SDS1104X-E to SDS1204X-E.  :-+

(Note to others: For the "OSV" updates, if you try to format the USB from Windows (certainly 10, maybe earlier ones) you'll likely have an annoying time of it. Bite the bullet and format and extract from Linux.) The only clue you'll have that it's working is it takes a bit longer to boot up, and the telnet password ends up working. If you're already on 7.1.6.1.25R2 like I was I'm almost certain the stock "SDS1004X-E_OSV1_EN-1.zip" step is not necessary, just the modified one.

I then grabbed the "SDS1004X-E_6.1.26_EN.zip" update and installed that. The model number is still 1204, and the firmware is now 7.1.6.1.26. I can still log in via telnet so all this suggests the unlock and mod worked.

One question though... I see mention of "8.1.6.1.26" in the thread here: is that some entirely different firmware, a typo, or what? Am I (at the moment) on the latest and greatest with 7.1.6.1.26?

Edit: One other bit of advice - if using a VM to format disks and such and you have problems with new DHCP addresses (as I just did with the SDG2042X I'm fiddling with now) be sure to shut down that VM to rule it out - in my case it made it impossible to route to the new device under test!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on December 25, 2018, 09:15:07 pm
One question though... I see mention of "8.1.6.1.26" in the thread here: is that some entirely different firmware, a typo, or what? Am I (at the moment) on the latest and greatest with 7.1.6.1.26?

i made dump of my dso (8.1.6.1.26), haven't found any binary differences to OS update file (7.1.x.xx) nor to latest available firmware.
Sure there might be still something different in mtd7 or mtd8, but due to lack of dump from 7.1 i can't compare, but probably there is no diff a well.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 25, 2018, 09:50:01 pm
8. And 7. Are the exact same. Just a rename.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on December 27, 2018, 02:18:48 am
I found a much easier way to root the scope.

After mounting the cramfs  from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox.  And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.

tl;dr:

Go to the SCPI web interface and send:

SHELLCMD telnetd -l/bin/sh -p9999

Then, use your favorite Telnet client to attach to port 9999.  You are in -- no password challenge.

Edit:  Did I note that one does this with stock firmware?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 27, 2018, 02:33:29 am
All the fun new things that turn up from a little digging :)

Great work ewaller

On the not so stock side, Getting the hang of patching out most of the typos in the scope software,
Main pain is the HISTORY_LIST query, they pointed command and query to the same string so having to shuffle stuff around to fit a new string.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on December 27, 2018, 06:02:37 pm
I found a much easier way to root the scope.

After mounting the cramfs  from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox.  And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.

tl;dr:

Go to the SCPI web interface and send:

SHELLCMD telnetd -l/bin/sh -p9999

Then, use your favorite Telnet client to attach to port 9999.  You are in -- no password challenge.

Edit:  Did I note that one does this with stock firmware?

Do you think it is then possible to change the default root password?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on December 27, 2018, 06:22:43 pm

Do you think it is then possible to change the default root password?
Not from that shell.  The /etc/shadow file that contains the password hash is in a cramfs (Cram File System https://en.wikipedia.org/wiki/Cramfs ) which is inherently read only.  The solution that has been used to date involves updating the system with a rebuilt cramfs with a /etc/shadow file that has the new password hash in it; then that file system -- in it entirety -- is uploaded to the scope at boot time.

Part of my motivation was was to find a way to root the system when running stock firmware; and the nice part is that it requires no password.  With this, I think it will be possible to run code from a USB drive that has been cross compiled for ARM.  There may be issues find finding dynamically linked libraries, and the USB drives may be mounted with the noexec flag (meaning the OS will refuse to run code from the device).  I forgot to check that last night in my exploration :)  I'll look tonight.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on December 27, 2018, 07:05:41 pm
I'm guessing the SCPI SHELLCMD functionality will either be PDSH'd, or removed completely, in an upcoming firmware release  ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: plurn on December 28, 2018, 02:00:07 am
I found a much easier way to root the scope.

After mounting the cramfs  from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox.  And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.

tl;dr:

Go to the SCPI web interface and send:

SHELLCMD telnetd -l/bin/sh -p9999

Then, use your favorite Telnet client to attach to port 9999.  You are in -- no password challenge.

Edit:  Did I note that one does this with stock firmware?

That is awesome - works perfectly. Thank you.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 28, 2018, 08:08:33 am
I should also point out, most of the recent methods listed here should work just fine for a number of BK precision scopes. :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: t1d on December 28, 2018, 06:42:15 pm
I found a much easier way to root the scope.

After mounting the cramfs  from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox.  And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.

tl;dr:

Go to the SCPI web interface and send:

SHELLCMD telnetd -l/bin/sh -p9999

Then, use your favorite Telnet client to attach to port 9999.  You are in -- no password challenge.

Edit:  Did I note that one does this with stock firmware?
Hi, everyone. I have this scope on order and it should be here in a few days.

I very much appreciate the graciousness, expertise and effort that it took each and every participant to develop this thread. Thank you!

I am considering this upgrade, but its means is completely outside my knowledge base. I see that the steps are summarized, in the first post, but I have questions about how this post relates to the first.
- Is Ewaller's method the complete protocol, or only a portion of it?
- If it is complete in itself, Ewaller, please write a start to finish tutorial using it, for us noobs. Post #68 is still above my pay grade.
- If it is only a portion and it being easier, has it been incorporated into Post #1? If not, please do so.

Thank you for your help and kindness. I am sure I will have lots more questions.

PS: My current OS is Windows 8.1. I expect to buy a new laptop, soon. It will, likely, have Windows 10/Home.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 28, 2018, 08:08:19 pm
 His method gets you root access to do just about anything you want on the scope without changing from stock,

Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,

If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.

The telnet access is more if you want to fiddle with the scope
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: t1d on December 28, 2018, 11:18:04 pm
His method gets you root access to do just about anything you want on the scope without changing from stock,

Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,

If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.

The telnet access is more if you want to fiddle with the scope
Thank you, Rerouter.

I understand a little of this, but....

Is it that Post #1 gets you the 200MHz and nothing else? Or the options, too?

Is it that with the Ewaller method you could access the entire firmware and, given that you wrote code, you could modify it?

I just want the greater bandwidth and to use the pay-to-play options (with non-Siglent devices, like my own function generator, WiFi dongle, etc.)

I appreciate your help.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 28, 2018, 11:29:49 pm
the memdump method will get you a file that has all the option and bandwidth codes, just takes some digging with a hex editor.

Working with your own wifi dongle is harder to say. at this point it only has a driver for the MT7601 dongle, If your familiar enough with linux drivers you can probably try and make another work via patching, but doubtful out of the box.

With your own signal generator is equally a little difficult, If you want to use the bode plot mode then you need to use similar to an earlier thread where a Python application on another PC pretended to be a networked signal gen and translated the commands, There may be a way to patch in other devices, but I have not gone digging deep enough, I defiantly know where all the bode plot strings are located, but not sure if its just a straight patch or if it needs to be broken into elsewhere,

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: t1d on December 29, 2018, 12:52:33 am
Thanks, Rerouter. Much appreciated.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on December 29, 2018, 04:08:45 am
If you have used up all of your trial runs for MSO, WIFI or AWG; and you have not purchased your licence keys, you may be able to reset the number of trial runs by sending the following through the web interface SCPI mechanism (here I set the number to 99)

SHELLCMD echo -n 99 > /usr/bin/siglent/usr/usr/options_awg_times.txt

Replace the awg with wifi or mso  as appropriate.  change 99 to the number of demo runs you desire.
These files have  exactly two characters in them with no n/l or l/f, hence the -n option on echo.  99 may, or may not be a maxima -- again, these files have exactly two characters in them.

Note, I cannot actually test this through the GUI any more as my options are all permanent, but I am fairly certain this will work for those of you who need a couple more demo runs to decide.  I can see that the contents of these files do change the way I expect. Please let me know.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: not1xor1 on December 30, 2018, 08:50:47 am
Hi,

I do not know if it is OK to ask here of if I should start a new thread...

as I'm taking into account to buy a second hand SD1104X-E I'd like to know if any of you is aware of any hardware revision during the last year.

thanks
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 30, 2018, 08:52:02 am
yep, 04 as of the last month, no significant changes to functionality has been observed.

03 I can only speak of back to mid july, when my unit was made. it appears the FPGA code was compiled for 03 on the 7th of march 2018, so 02 likely was from before this date.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: gamerpaddy on December 30, 2018, 05:46:18 pm
Hello, i applied this Unlock (ProMode) to my 1104x-e, works great (havent tested the extra features)
But i noticed a bug(?)

I did some decoding a month ago, then i turned it off, unplugged the scope and put it on a shelf.
A month later i plugged it back in, booted it up.  it was dead slow.  time between action and reaction was like a minute. totally locked up
even after reboot.

Only fix was to hit the default button.

Did anyone notice this without the hack applied?  Could it be the Production Mode im in?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: booyeah on December 30, 2018, 09:27:14 pm
I followed plurns and vt100's posts as regards dumping memory to a usb and then looking through the dump in a hex editor.

Worked perfectly to recover all the codes.
Thanks a million.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: essele on January 04, 2019, 08:19:11 am
I received my scope last night, and managed to get everything sorted nicely, however there were a few things that weren't quite as some other people seem to have found them, it was already running the latest firmware (6.1.26), not sure if that's the reason.

1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)
2. The core dump didn't contain the required information, it was only about 200meg, so quite a bit smaller than other examples shown here (and smaller than the 250meg memory dump.)
3. Restarting the sds1000b process didn't work properly, a few errors and the scope was unusable, so I suspect this is the reason it didn't contain the right data.

So I resorted to a much simpler way as described by some other posters...

1. Use "SHELLCMD telnetd -l/bin/sh -p9999" to start an unauthenticated telnet server.
2. Connect to the scope using "telnet <ipaddress> 9999"
3. Insert a USB stick
4. Dump memory to the stick using "cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"
5. Pull the stick (I ran "sync" first, but I'm a legacy unix guy, need to see if that's really necessary), otherwise cleanly unmounting would be better.
5. Use a hex editor to find the keys as per post 39, from about step 20 onwards ... which worked perfectly, no obvious issues with the page ordering making it difficult to find things.)

It took about 10 mins start to finish once I'd decided to go the /dev/mem route.

You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

What a nice scope ... this was an upgrade for me from a DS1052E, so it's fantastic! Thanks to all for providing this info!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on January 04, 2019, 02:03:04 pm
1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)

a core dump is substantially smaller than an entire memory dump. With the core dump you're only going to get the memory associated with the running task, compared the memdump, where you'll get all the scope's memory.

Its curious you didn't find the keys in the core dump.... the only thing I can think of, is, perhaps, you took the core dump prior to the sds1000b process creating the keys within its memory pages (there is logic in the scope app to generate the keys using the scopeid and serial # to check against the licensed options, they are not hard-coded in the scope app) so if you took a core dump prior to that routine executing (and at what point it runs, who knows). I'd be interested in taking a look at the core dump if you'd be willing to share it.

Quote
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

These methods will continue to work until Siglent  pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rhb on January 04, 2019, 02:51:49 pm

Quote
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

These methods will continue to work until Siglent  pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.

time(1) will tell you when the cat completes.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 18, 2019, 11:48:02 pm
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 19, 2019, 12:25:30 am
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
You can see here how the 100 MHz roll off is much improved after improving to the 200 MHz model:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374)

There's some further supporting info in subsequent posts.
Also have a hunt through rf-loop's posts, he's switched his SDS1104X-E back and forth.
I've never hacked one but the info here is entirely convincing that it is a valid upgrade.  ;)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Dundarave on January 19, 2019, 09:19:38 pm
I wanted to thank all the contributors for all the various unlocking instructions, especially VT100 whose instructions I was following per post #39 for the keys to my options upgrade.  It's nice to have a fully upgraded scope, at just the right price. ;D

However, I have a question that I hope someone can clear up:

I first updated the bandwidth via the rooted OS & bandwidth.txt -> bandwidth.bak method, as that felt the most comfortable to me at the time.  With that success, I started to feel more confident (or cocky, I suppose, lol) and thought I would then use the mem dump method to find the keys for the options, which I then also successfully updated.

So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".

In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)

I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M. 

I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file?  If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be? 

I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.

I've attached a shot of the relevant part of the mem dump for the bandwidth keys.

Thanks again! :-+
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on January 19, 2019, 09:32:06 pm
Run the command. When a valid bandwith or option code is entered. The scope saves a bandwidth.txt or option.txt. so if your not seeing one yet it may change with later updates.

This would also explain why your not seeing the current code. It reads it from that txt file.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Dundarave on January 19, 2019, 10:18:11 pm
Brilliant!  Thanks, Rerouter.

I ran the MCBD command with the suggested 200M key (from my dump file as attached earlier), and then went into the scope via telnet and checked for the bandwidth.txt file.  It was there, as you called it, along with the older bandwidth.bak file from my original update.

I've attached a shot of the content of each file, the .txt now containing the 200M key, and the .bak containing the original 100M key.

I've also attached an updated memory dump excerpt showing the now repeated 200M key.

All good now!  Thanks for the prompt response. :-+

Nick
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on January 20, 2019, 12:31:29 pm
So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".

As earlier posts have indicated modifying the bandwidth.txt file puts the scope in "PRO MODE" which basically bypasses the licensing process so you have a scope with all options and full bandwidth. The problem with this approach is the next firmware update could easily change this by placing the scope into complete lockdown with no options and minimal bandwidth. Once you have your license keys, you never need to worry about losing access to bandwidth or options.


Quote
In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)

This is expected. One of those 5, the "duplicate", is read from your filesystem and compared against the other 4 generated keys to determine what bandwidth your scope has. By "hacking" the config file you eliminated the "5th" key and now only see the 4 that the scope program generates for comparison. This is the 'expected' behavior given you changed the bandwidth.txt file.


Quote
I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M.

Even if you enter the wrong one, you can always enter another one to change it again. the MCBD command is not a one-shot deal.
 
Quote
I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file?  If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be? 

See paragraph #1 above.

Quote
I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.

See paragraph #2 above. Your scope isn't licensed w/ any bandwidth key, it's in PRO MODE. Hence you only have 4 keys in your mem dump, not 5.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 20, 2019, 02:00:43 pm
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

More importantly, someone mentioned a slight hardware difference in the analog front end of 1104x-e and 1204x-e. So, even if I can make my 1104 'think' he is a 1204, how can I make up for the hardware difference?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on January 20, 2019, 03:45:28 pm
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

It is not an option one can purchase.  The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as.  It is supposed to be immutable.  What is not known is whether there are any inherent differences in the hardware platforms?  For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope?  I don't think so.   But, if one changes the configuration, and the scope well enough works at 200 MHz, why not?  Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.   
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 20, 2019, 03:52:05 pm
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

It is not an option one can purchase.  The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as.  It is supposed to be immutable.  What is not known is whether there are any inherent differences in the hardware platforms?  For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope?  I don't think so.   But, if one changes the configuration, and the scope well enough works at 200 MHz, why not?  Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.   

So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on January 20, 2019, 03:58:48 pm
So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
No arguments from me there.  I did opt for the 1204x-e.  All I can say is that I cannot back my assertion that they may not be the exact same platform -- they could be.  But, I will stand behind my assertion that the calibration is not valid for a 1104x-e at 200 MHz
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on January 20, 2019, 07:47:48 pm
So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.

How can I word this correctly... umm... well, let's just say if you *need* 200mhz (with the associated calibrated accuracy) then spend the couple extra hundred, since (perhaps) your livelihood depends on it.

On the gripping hand, if you're just messing around with the scope in your shack, and that calibrated accuracy is not that important... why not?

Assuming of course the hardware platforms are different... which I doubt. I'm willing to wager the scopes are identical, and all that changes is the sticker on the front of the case and the bandwidth license pre-installed.

Much akin to how Windows now has several versions, all of which are on the DVD, but the features available to the user depends on the product key used to activate the product.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Dundarave on January 20, 2019, 08:40:43 pm
Thanks for the clarifications, I've now got a much better understanding of how the key mechanism works.  Trying to assimilate that combined knowledge from all the various thread posts was a challenge, and perhaps my questions & your answers have helped others as confused as I.

One more question on the same topic: I am also curious as to how the "option keys" work for the Wifi, MSO and AWG modules.  In the normal course of events, if I were to buy an AWG for example, how would the key needed to activate my scope to use the AWG be communicated to me (assuming that the option key itself is unique to my scope)?  Does the AWG itself communicate/handshake with the scope to authorize its use?  Would there be a piece of paper with the AWG that contains a code that needs to be entered somehow?

And why the need for an option key at all?  Is it just a function of wanting to prevent knock-off Wifi, MSO, and AWG modules from working with the scope?  If you have to pay for the module anyway, I can't see any other reason for needing an option key mechanism in the first place.

Thanks again -
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 20, 2019, 09:49:29 pm
The SAG1021 AWG can be thought as 2 units if you like, one for Bode plot usage where NO licensing is required and as a reasonably well featured AWG controlled from within the scope UI. For that functionality you do need the licensing.

Edit to add; Only once the trial licenses have expired is any option licensing required.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on January 20, 2019, 11:02:30 pm
I question the option vodes as anything other than a money grab. But the scope is the only thing that needs the code entered. While I have yet to get it to work. The AWG option should also respond via SCPI over usb. But i have yet to successfully test that.

You get option codes on printed off sheets of paper if you buy them with the scope. Possibly similar via email if after the purchase.

The AWG interface is limited via the scope UI. It leaves out any way to configure the SweepWave, BurstWave, ModulateWave, and ArbWave. Not to mention there is everything already in place for the scope to capture a waveform and to play it back under any of these modes. But I have not yet found an easy way to do that.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 20, 2019, 11:50:35 pm
I question the option codes as anything other than a money grab.
Er well yes but only for 3 options whereas other 'money grabbing' brands like Tek, KS, R&S, LeCroy, Rigol etc will want to charge you for more. Decode is commonly an option for most brands while Siglent provide it for free.
Your point is ?  :-//
Quote
But the scope is the only thing that needs the code entered. While I have yet to get it to work. The AWG option should also respond via SCPI over usb. But i have yet to successfully test that.
SAG1021 arbitrary use is intended to be via the EasyWave SW where you will use SCPI commands.
This is all mentioned in the X-E datasheet.
Quote
You get option codes on printed off sheets of paper if you buy them with the scope. Possibly similar via email if after the purchase.
Maybe, maybe not.
If I have them at sale time I'll install them and pack a sheet/s of paper with them printed on too.
Otherwise it's a pdf in an later email with an option authorization code with which you go onto Siglents option generation website and enter it along with model type and SN#. The 'real' option code is then generated automatically and you have the option to get it on a pdf with installation instructions. This is what we normally add to the box prior to shipment.
Quote
The AWG interface is limited via the scope UI. It leaves out any way to configure the SweepWave, BurstWave, ModulateWave, and ArbWave. Not to mention there is everything already in place for the scope to capture a waveform and to play it back under any of these modes. But I have not yet found an easy way to do that.
Good point, maybe 'play' a captured waveform can be added into future FW.  :-+
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 23, 2019, 11:27:10 am
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on January 23, 2019, 02:11:54 pm
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?

Of course.

After then it is SDS1204X-E (except front panel model sticker)  and works as SDS1204X-E including everything - (if it is properly modified).
Only difference is front panel sticker and probes included in carton. But even these probes are not bad for 200MHz. (you can find probe test in this forum)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 23, 2019, 06:46:18 pm
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?

Of course.

After then it is SDS1204X-E (except front panel model sticker)  and works as SDS1204X-E including everything - (if it is properly modified).
Only difference is front panel sticker and probes included in carton. But even these probes are not bad for 200MHz. (you can find probe test in this forum)

Someone before asserted that factory calibration after the hack was not valid anymore.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on January 23, 2019, 07:33:55 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 23, 2019, 07:51:19 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".

It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 23, 2019, 08:01:21 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".

It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 23, 2019, 08:38:09 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".

It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.

I must not have traceable equipment but I must have accurate equipment. So, if hacking the scope makes me lose  accuracy I'm not gonna hack it. So: am I losing accuracy with the hack?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 23, 2019, 09:00:26 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".

It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.

I must not have traceable equipment but I must have accurate equipment. So, if hacking the scope makes me lose  accuracy I'm not gonna hack it. So: am I losing accuracy with the hack?
'Proven' -3dB BW of hacked SDS1104X-E is ~230 MHz and and amplitude spec is +3% like all DSO's, is that good enough ?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 25, 2019, 10:46:05 am
So, in the 1104x-e the 100Mhz bandwidth is obtained by limiting the full 200Mhz bandwidth via a software low pass filter? No hardware?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on January 26, 2019, 04:33:08 pm
The 100Mhz bandwidth limit is achieved by FIR filter coefficients (https://en.wikipedia.org/wiki/Finite_impulse_response) - these coefficients are different for the different bandwidths. The FIR filter is implemented in the FPGA, and applied to the signal coming from the ADC.

Short answer - it is software, but not software running on the ARM CPU.

The 20Mhz selectable bandwith limit takes place in the analog front-end, and so is implemented in hardware.

--Ian.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 26, 2019, 05:02:25 pm
Very interesting. I really like this scope and, with this hack, you are getting a tremendous bang for your buck (4 channels, 200Mhz, 1Gsa/s, double ADC for 500$). This is double the scope w.r.t. a Rigol 1054z for only 50% more in price. Big A Brand scopes with similar features are at least three/four times as expensive.  Besides, the hack is really a piece of cake.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: guho on January 26, 2019, 11:30:19 pm
Got it to work, many thanks for the instructions. Note that if you go with the Visual Studio solutions, in the TryKeys you have to change the hardcoded 23 port to 9999 if you want to use the telnet daemon started via SCPI (SHELLCMD telnetd -l/bin/sh -p9999). Also comment out the TelnetClient.login section as it is not needed (and even fails) for this telnet access. Changing the port number from 23 to 9999 in the .json is not enough unfortunately.

This scope is one of the best deals around, got it for $125 off MSRP from Amazon Warehouse Deals and now unlocked 200MHz and the 3 other items  :)  :)

Also, Newegg has the TL-WN725N wifi USB dongle for only $7 using code EMCTUVA36 for $3 off. Just bought one for my new scope. This same module is offered by Siglent for a mere $49 at https://store.siglentamerica.com/product/sds1104x-e-100-mhz/ Is this scope compatible with many wifi adapters or just this one?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on January 27, 2019, 12:33:20 am
The scope only has the driver file for that exact wifi dongle. however the drivers are inside a directory that you can write files to, (needs to remount the directory),

Your free to try loading other drivers for other dongles, But i cannot say if it will work, as Its unclear to me exactly how the system app is hooking into it at this point.

\bin\siglent\drivers\mt7601u.ko
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on January 27, 2019, 09:32:53 am
Very interesting. I really like this scope and, with this hack, you are getting a tremendous bang for your buck (4 channels, 200Mhz, 1Gsa/s, double ADC for 500$). This is double the scope w.r.t. a Rigol 1054z for only 50% more in price. Big A Brand scopes with similar features are at least three/four times as expensive.  Besides, the hack is really a piece of cake.

If compare  Rigol 1kZ with Siglent 1104/1204X-E they give really lot of more performance and features than just more bandwidth and samplerate.
What big A brand scope have one scope with waveform history buffer, full memory measurements with full sample resolution, fast segmented memory with up to over 100M memory, true full resolution 500uV/div, up to 32000 bytes single shot I2C decode (simultaneously 2 independent separate I2C bus), or 1000bytes/channel single shot UART decode (simultaneously 2 separate independent UART RxTx bus) etc... and all this online and offline including history buffer.
1Mpoints FFT, 3 channels 501point BodePlot (need external what ever Siglent SDG) even with 500Hz span (1Hz step) for narrow filters, semi fast XY (up to 60kwfm/s (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1801388/#msg1801388)) including intensity gradation, XY plot history buffer and YT measurements in XY mode. Even simplest thing, Sinc interpolation,  Rigol 1kZ box can not do right way. In siglent there is always available true samples and interpolation is fully post processed and user have full freedom to select right display mode/interpolation afterwards (example when looking stopped scope including wfm  history buffer.) This is also important in real tool when user need detect if displayed wfm include well known Sinc interpolation "problems" when signal have fast changes related to current sample interval.
So, what we compare to what... perhaps lemons and shoes.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 27, 2019, 09:46:06 am


If compare  Rigol 1kZ with Siglent 1104/1204X-E they give really lot of more performance and features than just more bandwidth and samplerate.
What big A brand scope have one scope with waveform history buffer, full memory measurements with full sample resolution, fast segmented memory with up to over 100M memory, true full resolution 500uV/div, up to 32000 bytes single shot I2C decode (simultaneously 2 independent separate I2C bus), or 1000bytes/channel single shot UART decode (simultaneously 2 separate independent UART RxTx bus) etc... and all this online and offline including history buffer.
1Mpoints FFT, 3 channels 501point BodePlot (need external what ever Siglent SDG) even with 500Hz span (1Hz step) for narrow filters, semi fast XY (up to 60kwfm/s (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1801388/#msg1801388)) including intensity gradation, XY plot history buffer and YT measurements in XY mode. Even simplest thing, Sinc interpolation,  Rigol 1kZ box can not do right way. In siglent there is always available true samples and interpolation is fully post processed and user have full freedom to select right display mode/interpolation afterwards (example when looking stopped scope including wfm  history buffer.) This is also important in real tool when user need detect if displayed wfm include well known Sinc interpolation "problems" when signal have fast changes related to current sample interval.
So, what we compare to what... perhaps lemons and shoes.

No need to get upset. I'm with you. I was simply saying that these scopes are a tremendous value and that A Brand scopes with similar (similar!) features cost many times more. The other big contender which surpasses these scopes spec-wise is the new Rigol MSO5000, but for double the price. So 1000x-e scopes are still the best value on the market IMHO.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on January 27, 2019, 01:01:51 pm
The scope only has the driver file for that exact wifi dongle. however the drivers are inside a directory that you can write files to, (needs to remount the directory),

Your free to try loading other drivers for other dongles, But i cannot say if it will work, as Its unclear to me exactly how the system app is hooking into it at this point.

\bin\siglent\drivers\mt7601u.ko

I used a TPLink wifi dongle on mine and it worked fine.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: timgiles on January 27, 2019, 05:18:56 pm
I am going to try installing a few other wifi dongles and will provide any success stories in an additional thread. For me, I would like an AC dongle so I dont have to run legacy Wireless at home - just for the scope... I doubt the speed difference would help with the web server.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: guho on January 31, 2019, 06:17:58 pm
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.

Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on February 01, 2019, 08:52:33 am
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.

Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
Have a study here:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2038612/#msg2038612 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2038612/#msg2038612)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: radensb on February 08, 2019, 06:36:15 pm
I just got this scope and completed the *upgrade*. My experience was a mashup of other users, so I figured I would comment on what didn't work and what I ended up doing to achieve success.

What didn't work:
I followed the core dump procedure. I did the following:

There are a few typos, but I was able to execute the procedures. I ran through it several times and was never able to generate a core dump on the first try. I then tried simply restarting SDS1000b.app without rebooting the scope and killing again (not what the above procedure suggested). A few times I was able to get the core dump file to generate, but that lead to another problem. As another user stated, the scope buttons remained unusable, even after restarting the app. The only way to recover was a power cycle. This would wipe out the core file that was created. In addition to the buttons not working, the scope would not detect the USB drive anymore to copy the core dump too. The Linux OS would detect the drive, but it would not mount. I had to manually create a temp directory in /usr/bin/siglent/usr/mass-storage/ and manually mount /dev/sda1 to it to copy the core dump. I did this several times with several core dumps. I got a ~207MB file each time, but most of it was empty and searching for the string "SDS1000X-E" always yeilded "no match". So, this method did not work for me. Perhaps someone can explain why?

What did work:
Using following command to get a mem dump on the USB drive worked perfectly: post#54
Code: [Select]
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
The flash drive I was using had an LED indicator that flashed when preforming a read/write and slowly dimmed when idle making it easy to tell when the file was done writing, which was nice. I created several mem dumps to compare. Each one was different, which was expected, but I noticed only one contained my BW keys in a contiguous block that was human readable. None of them contained the options keys in a contiguous block, thus I needed to use some tools. I ended up trying the FindKeys and Trykeys tools mentioned in post #38. make sure you have the current version of Visual Studios (I ran VS2017 15.9) and install .NET Core 2.1 as that is what the tools run on.

Define the proper parameters in the FindKeys .json file as instructed in the repo readme and run the FindKeys tool against your mem dump file. It will generate a txt file that has all the possible combinations of possible keys through the fragmentation of the mem file.

Define the proper parameters in the TryKeys .json file as instructed in the repo readme. I noticed some things about the TryKeys program that should be addressed before running it.
The root telnet access method is needed for the TryKeys program to run:
Run the SCPI command
Code: [Select]
SHELLCMD telnetd -l/bin/sh -p9999
Then run the Trykeys based on the above config/recommendations.
If you didnt use the Trykeys to update the bandwidth (like me), run the SCPI command
Code: [Select]
MCBD (license key) where (license key) is the key for the bandwidth you want, to update it manually. Then reboot and check with the
Code: [Select]
PRBD? command to verify.

All in all, I think the method that worked for me is the simplest as it requires no software modifications (I was running 7.1.6.1.25R2 out of the box). It is also the most reliable as I was able to get the mem dump file every time I ran the command and all the files ended up producing the valid keys.

Hope my experience makes this process easier for others! I am really enjoying me new scope!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: harpster58 on February 17, 2019, 07:13:47 pm
Hi All - Instructions are very good, thank you! After reading the entire 5 pages of posts I ended up doing the following. Also for the record my scope was bought in Jan-2019 with 6.1.25.R2 and I had upgraded to 6.1.26 before doing this. (7.1. prefix shows up the FW revision i.s. 7.1.6.1.26)

I did the mem dump technique below and did get the 250M file (thanks to post #54)

Code: [Select]
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
I used the Mac OS "Hex Friend" editor to view the memdump.bin file and initially I thought I wasn't getting it but then it kinda stuck out like a sore thumb exactly as described in post #39 steps 21 - 23. What I'm NOT seeing are the Option codes #38 step 24. I see my serial number in two places but no 16 character strings nearby.

I started to try to use FindKeys but I don't use Visual Studio so not sure what I was doing there. I did a build the FindKeys prj and it did put a bin folder with a FindKeys.DLL and FindKeys.json but I don't understand how to run that... I thought there would a FindKeys.exe file? But Bandwidth was the main thing I wanted to upgrade... I will keep checking back here and maybe try the option codes again later... need a break now haha...  Many thanks!
Title: What happened to politeness here?
Post by: videobruce on February 17, 2019, 08:15:43 pm
This refers to the just plain nastiness here, specifically on the 1st page and throughout this thread (and others).
It's a sad state that certain individuals (that happen to be at a higher level) look down on anyone that doesn't meet their standards. Especially when they question previous post simply because the text was not clear enough.

To these 'individuals'; everyone is NOT at your esteem level of knowledge. What MAY be simple to YOU, isn't to others. We have one Dictator Trump in my country that thinks is is always right, the world doesn't need more like him. 
Title: continued.....
Post by: videobruce on February 17, 2019, 08:27:16 pm
BTW, the thread title does state "step by step" which means exactly that. NOT skipping details (other than very basic), under the assumption those details should be already known..
Title: Re: What happened to politeness here?
Post by: not1xor1 on February 18, 2019, 07:25:29 am
Quote from: videobruce link=topic=136445.msg2207523#msg2207523 date=1550434543To these 'individuals'; [color=red
everyone is NOT at your esteem level of knowledge. What MAY be simple to YOU, isn't to others.[/color] We have one Dictator Trump in my country that thinks is is always right, the world doesn't need more like him.

IMHO it is a wrong comparison as people writing here do have some real competence while Trump competence is limited to his very peculiar hair style  ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: radiolistener on February 18, 2019, 07:43:34 am
hi guys. Is there any hack for SDS1102X model (not X-E)?

I tried to execute these commands through VXI11 SCPI:
- "SHELLCMD telnetd -l/bin/sh -p9999"
- "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"

but telnet didn't started and it even doesn't try to access usb stick... :(
Unfortunately there is no response from SHELLCMD command executed on VXI11 SCPI interface, so I even don't know if it is implemented...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on February 18, 2019, 08:22:07 am
The X model is blackfin based not arm-linux,

This thread seems to be for it, but it seems it needs a hardware patch for full bandwidth from a quick glance,
https://www.eevblog.com/forum/testgear/siglent-sds2000x-hack/ (https://www.eevblog.com/forum/testgear/siglent-sds2000x-hack/)

To Videobruce, If you need help, ask nicely, Most of the later discoveries where made by different users than those in the first few pages,

The SCPI memdump method is the most recent, in that it requires no custom firmwares or rooting, but as a trade off the memory is dumped in an odd segment ordering, and some times the keys will be split over a memory segment boundary, so you may need to dump more than once to catch them, The searching through with a hex editor for the keyword will still work with this method, just takes a few tries to get,

To make it easier to find those keys, you can also copy the "/bin/siglent/firmdata0" folder, In there you will find .bin files relating to each option, open them in a hex editor, take the last 4 bytes and xor them 0xFF00FF00, and reverse there order, e.g. 0xC734B24D = 0x38344d4d, this is ascii, 84MM, flip it so its MM48, and there is the first 4 characters of that option to search for.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: videobruce on February 18, 2019, 10:44:47 am
IMHO it is a wrong comparison as people writing here do have some real competence while Trump competence is limited to his very peculiar hair style  ;D
To Videobruce, If you need help, ask nicely, Most of the later discoveries where made by different users than those in the first few pages,

That was referring only to the disrespectful individuals mentioned, not the entire membership, nor was it referring to any 1st hand experience. (BTW, I wouldn't even give him credit for his hair either.)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on February 18, 2019, 10:59:12 am
I used the Mac OS "Hex Friend" editor to view the memdump.bin file and initially I thought I wasn't getting it but then it kinda stuck out like a sore thumb exactly as described in post #39 steps 21 - 23. What I'm NOT seeing are the Option codes #38 step 24. I see my serial number in two places but no 16 character strings nearby.

I started to try to use FindKeys but I don't use Visual Studio so not sure what I was doing there. I did a build the FindKeys prj and it did put a bin folder with a FindKeys.DLL and FindKeys.json but I don't understand how to run that... I thought there would a FindKeys.exe file? But Bandwidth was the main thing I wanted to upgrade... I will keep checking back here and maybe try the option codes again later... need a break now haha...  Many thanks!

I've never used visual studio on a mac, but normally when you build .net core apps on a PC you end up with a dll, which you execute from the command line via "dotnet mydllfilename.dll", e.g. dotnet.exe Findkeys.dll

I assume the same applies on a mac, from a terminal session.

Title: Re: What happened to politeness here?
Post by: vt100 on February 18, 2019, 11:39:50 am
This refers to the just plain nastiness here, specifically on the 1st page and throughout this thread (and others).

I'm new here, and I've found everyone completely helpful.

Presumably everyone is here to learn and so sometimes answers are not given to you on a silver platter, but answers contain enough information to make you think for yourself and hopefully learn something.

Understandably if you want someone to do it for you, you'll probably find their answer unhelpful.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: videobruce on February 18, 2019, 12:05:07 pm
This has nothing to do with a "silver platter", nor anyone asking for someone else to do it for you. Have you read thru the first the 1st couple of pages??
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on February 18, 2019, 12:24:58 pm
The few of us that have dug into these things and chose to share it, we are already giving you something for free just because we thought it would help others, most of us enjoy this, however its easy to forget the knowledge base of a beginner, And like some of the discussions on the first page, to fully explain the reasons behind why you made those choices, We are good at breaking into things, not always at explaining how we did it.

Personally I see stuff very similar to what a room of engineers look like, some bite and go on the attack rather than clarifying there question

If you need something clarified, I'm right here to explain it as best I can,

I will say your earlier posts read as hostile at first glance, and your latest one still does, I will offer you a suggestion, PM fungus asking to update the first post with the latest unlock information, If you feel comfortable with the info and procedure you could prepare it for him, otherwise just ask Nicely.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on February 18, 2019, 03:00:03 pm
This has nothing to do with a "silver platter", nor anyone asking for someone else to do it for you. Have you read thru the first the 1st couple of pages??

As others have indicated, how you ask is sometimes more important than what you ask.

Given your attitude, I am not surprised you meet resistance.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: BillB on February 18, 2019, 03:58:40 pm
videobruce,

Being one of those that posted on the first page of this thread, I do remember when/why it first started and the attitudes expressed that might not be clear to a new reader.  IIRC, there was some banter in other threads regarding which scope was the best bang-for-buck/most-easily-hackable - essentially a pissing-contest between two camps of brand supporters.  I won't speak for Fungus as to why he started this thread (I respect all those who've contributed to this forum; there are a number of highly knowledgeable and helpful people here) but my first impression at the time was that he started this ironically, to continue the banter  :D.  (I could certainly be wrong about this, but again that was my feeling at the time) 

I think that is why the tone of the first page of this thread was more adversarial than usual.  Please don't take this as an example of the attitudes of many of the regulars here; this is generally an extremely helpful and informative bunch.   
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: harpster58 on February 19, 2019, 12:00:29 am
[quote I've never used visual studio on a mac, but normally when you build .net core apps on a PC you end up with a dll, which you execute from the command line via "dotnet mydllfilename.dll", e.g. dotnet.exe Findkeys.dll [/quote]

Actually I only used the hex editor on Mac as Notepad++ on PC wasn't giving me the view I needed.  I downloaded Visual Studio and set up on PC... never worked with it before. So I guess I did everything correct but I just had no idea how to open the the file or even what file to open. I'll see if I can do it now using command line.  Tx!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: phil303 on February 19, 2019, 06:21:03 am
Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.

Code: [Select]
FP = 'YOUR_FILE_PATH'


def crazy_check(byte, l):
    return (
        (byte < ord('2') or byte > ord('9')) and
        ((byte < ord('A') + l) or (byte > ord('Z') + l)) and
        (byte != ord('L') + l) and (byte != ord('O') + l)
    )


parts4 = set()
parts8 = set()
parts12 = set()
keys = set()


def find_keys(fp):
    with open(fp, 'rb') as f:
        entire_buffer = f.read()

        l = 0
        for j in range(2):

            i = 0
            str_start = 0
            str_size = 0

            for i in range(len(entire_buffer)):
                byte = entire_buffer[i]

                if crazy_check(byte, l):
                    b = (str_start % 4096 == 0) or (i % 4096 == 0)

                    if str_size > 15 or (str_size > 3 and b):
                        str_end = str_start + str_size
                        if str_size % 16 == 0:
                            s = entire_buffer[str_start:str_end].decode('utf8')
                            while len(s) > 15:
                                left_string, s = peel_off_string(s, 16)
                                check_and_add(left_string)

                        if str_size % 4 == 0 and b:
                            for x in range(0, 16, 4):
                                s = entire_buffer[str_start:str_end].decode('utf8')
                                left_string, s = peel_off_string(s, x)
                                check_and_add(left_string)

                                while len(s) > 15:
                                    left_string, s = peel_off_string(s, 16)
                                    check_and_add(left_string)

                                check_and_add(s)

                    str_size = 0
                    str_start = i + 1

                else:
                    str_size += 1

            l += 32

        keys.union(consolidate_parts(parts8, parts8))
        keys.union(consolidate_parts(parts4, parts12))
        keys.union(consolidate_parts(parts12, parts4))

        for k in keys:
            print(k)


def check_and_add(string):
    is_ok = string.isupper() and len(string) % 4 == 0 and len(string) > 0
    if is_ok:
        if len(string) == 4:
            parts4.add(string)
        if len(string) == 8:
            parts8.add(string)
        if len(string) == 12:
            parts12.add(string)
        if len(string) == 16:
            keys.add(string)


def peel_off_string(string, i):
    left_string = ""
    if len(string) >= i:
        left_string = string[:i]
        string = string[i:]
    return left_string, string


def consolidate_parts(p1, p2):
    rc = set()
    for i, s1 in enumerate(p1):
        for j, s2 in enumerate(p2):
            if i != j:
                s = s1 + s2
                rc.add(s)
    return rc


if __name__ == '__main__':
    find_keys(FP)



Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: harpster58 on February 21, 2019, 12:21:00 am
Worked! When putting in File Path (FP = 'YOUR_FILE_PATH') be sure to use fwd slashes "/" not back "\" slashes. At first nothing happened... takes a little time to process then I got all the keys. Since i had already gotten the bandwidth keys I just deleted them and the 3 or 4 text strings that were returned. That left me with 4 keys and pretty easy to re-enter the keys for the options until I got them all correctly. Not sure with the extra key was for maybe an unused option.

Anyway very cool, thanks for posting this!

Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.

Code: [Select]
FP = 'YOUR_FILE_PATH'


def crazy_check(byte, l):
    return (
        (byte < ord('2') or byte > ord('9')) and
        ((byte < ord('A') + l) or (byte > ord('Z') + l)) and
        (byte != ord('L') + l) and (byte != ord('O') + l)
    )


parts4 = set()
parts8 = set()
parts12 = set()
keys = set()


def find_keys(fp):
    with open(fp, 'rb') as f:
        entire_buffer = f.read()

        l = 0
        for j in range(2):

            i = 0
            str_start = 0
            str_size = 0

            for i in range(len(entire_buffer)):
                byte = entire_buffer[i]

                if crazy_check(byte, l):
                    b = (str_start % 4096 == 0) or (i % 4096 == 0)

                    if str_size > 15 or (str_size > 3 and b):
                        str_end = str_start + str_size
                        if str_size % 16 == 0:
                            s = entire_buffer[str_start:str_end].decode('utf8')
                            while len(s) > 15:
                                left_string, s = peel_off_string(s, 16)
                                check_and_add(left_string)

                        if str_size % 4 == 0 and b:
                            for x in range(0, 16, 4):
                                s = entire_buffer[str_start:str_end].decode('utf8')
                                left_string, s = peel_off_string(s, x)
                                check_and_add(left_string)

                                while len(s) > 15:
                                    left_string, s = peel_off_string(s, 16)
                                    check_and_add(left_string)

                                check_and_add(s)

                    str_size = 0
                    str_start = i + 1

                else:
                    str_size += 1

            l += 32

        keys.union(consolidate_parts(parts8, parts8))
        keys.union(consolidate_parts(parts4, parts12))
        keys.union(consolidate_parts(parts12, parts4))

        for k in keys:
            print(k)


def check_and_add(string):
    is_ok = string.isupper() and len(string) % 4 == 0 and len(string) > 0
    if is_ok:
        if len(string) == 4:
            parts4.add(string)
        if len(string) == 8:
            parts8.add(string)
        if len(string) == 12:
            parts12.add(string)
        if len(string) == 16:
            keys.add(string)


def peel_off_string(string, i):
    left_string = ""
    if len(string) >= i:
        left_string = string[:i]
        string = string[i:]
    return left_string, string


def consolidate_parts(p1, p2):
    rc = set()
    for i, s1 in enumerate(p1):
        for j, s2 in enumerate(p2):
            if i != j:
                s = s1 + s2
                rc.add(s)
    return rc


if __name__ == '__main__':
    find_keys(FP)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: mroek on February 21, 2019, 01:19:04 pm
I'm a bit curious about the actual key generation. As far as I can understand, each individual scope has it's own unique set of keys. Are these keys stored in some kind of nonvolatile/read-only memory (perhaps in a separate memory partition), and generated during production? Or perhaps the keys are generated with the serial number as the input, so only the serial number needs to be stored during production?

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on February 22, 2019, 12:58:19 pm
Keys are generated off the scopeid and serial number using an algorithm only Siglent, and those savvy enough to disassemble the scope application, know.

Someday maybe I can afford a copy of IDA Pro with the requisite disassemblers so I can fall into the latter category :)

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: mroek on February 22, 2019, 01:10:21 pm
Keys are generated off the scopeid and serial number using an algorithm only Siglent, and those savvy enough to disassemble the scope application, know.

Someday maybe I can afford a copy of IDA Pro with the requisite disassemblers so I can fall into the latter category :)

Ok, thanks. IDA Pro is rather expensive, and it would still take quite a bit of work to reverse-engineer the algorithm, so as long as the actual generated keys (on a device you own) can be found by other methods, it really isn't worth it.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on February 22, 2019, 01:43:32 pm
Reverse engineering atleast from my own perspective is one of those few topics that throw you full well into the deep end from the get go, as there is no 1 true way to approach it, and the skill level of the power users, you will struggle finding answers on how to drive the bloody programs early days (not to many hits on stack overflow)

I only started digging because I was bored and had a program do a incrementing search for SCPI queries and started turning up a lot of things that where undocumented, I wanted to figure out what other functions where baked into the thing, and well now I'm down the rabbit whole patching typos, and trying to figure out how the protocol decoders work, in my own vain hopes that I may be able to format out some new ones.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: mroek on February 22, 2019, 06:27:23 pm
I received my scope today, and the info in this thread enabled me to find all keys without breaking a sweat, so thanks to all that contributed with info. For reference, I used the full memory dump method (by sending the SCPI command from the web interface), and then searched the dump file with a hex editor. No need for any scripts or anything.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Coldblackice on March 05, 2019, 11:59:37 pm
Reverse engineering atleast from my own perspective is one of those few topics that throw you full well into the deep end from the get go, as there is no 1 true way to approach it, and the skill level of the power users, you will struggle finding answers on how to drive the bloody programs early days (not to many hits on stack overflow)

I only started digging because I was bored and had a program do a incrementing search for SCPI queries and started turning up a lot of things that where undocumented, I wanted to figure out what other functions where baked into the thing, and well now I'm down the rabbit whole patching typos, and trying to figure out how the protocol decoders work, in my own vain hopes that I may be able to format out some new ones.

How did you learn how to do this? I would love to know how to go about doing this from scratch, what your process/tools were. Do you use IDA PRO at all? Would you be able to do this with IDA PRO?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on March 06, 2019, 01:54:38 am
I use IDA. Yes. Main things to start with is the strings subveiw. You dont really need to reverse anything to see some interesting strings in most programs.

Next would be setting the right architechture for what your reversing. Armv7 a/r from memory.

And finally the basics of the assembler your working with. E.g. BL branch load. And stack push and pull commands tend to give a nice indication where things start and stop.

There is some fiddly stuff to allow ida to name longer string variables. But that comes later.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on March 06, 2019, 02:55:13 pm
I use IDA. Yes. Main things to start with is the strings subveiw. You dont really need to reverse anything to see some interesting strings in most programs.

Next would be setting the right architechture for what your reversing. Armv7 a/r from memory.

And finally the basics of the assembler your working with. E.g. BL branch load. And stack push and pull commands tend to give a nice indication where things start and stop.

There is some fiddly stuff to allow ida to name longer string variables. But that comes later.

Reminds me of my childhood 40 years ago, when I would take hex dump reports of Z80 and 6502 machine code and manually disassemble the program into marble black graph-ruled notebooks. I learned z80 machine code when I was 13.

It is the only real way you can begin to learn what a program is doing. (It also made me a better developer, being able to think in low-level terms rather than at a higher, abstract level. I can visualize solutions (like bitmaps) that other developers I work with cannot.)

of course, this also assumes you have an understanding of processor operations (e.g. registers, stack, etc.), addressing schemes, etc. So at a minimum you have to find the technical documentation on the processor you're looking to work with.

I would say it was probably a lot easier back then, when programs were written in assembler. I've never tried to manually disassemble a program compiled from a higher-level language.

I do miss doing it. I also miss Latin class in school during my teenage years too. I must be getting nostalgic in my old age.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on March 06, 2019, 03:00:41 pm
I don't know if the IDA Latin language pack exists but you could try a 2-in-1 !  ;D

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on March 06, 2019, 03:48:04 pm
I don't know if the IDA Latin language pack exists but you could try a 2-in-1 !  ;D

About a year ago I purchased a latin vulgate and latin-to-english dictionary with the intention of reading/translating, but have yet to get around to it.

way back when, we had a local church which still held latin masses, it was good practice, once I was able to train my brain to decipher ecclesiastical latin.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on March 06, 2019, 03:52:04 pm
way back when, we had a local church which still held latin masses, it was good practice, once I was able to train my brain to decipher ecclesiastical latin.

WOW!  Compared with that, assembly is for kids!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: BillB on March 06, 2019, 05:28:48 pm
If IDA is too expensive for you, consider Ghidra

https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/ (https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on March 06, 2019, 05:55:51 pm
If IDA is too expensive for you, consider Ghidra

https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/ (https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/)

lmao yeah, I'm going to download stuff from the NSA and install it on my computer.

Nooooooo chance of it having some spyware or back-door capabilities for the federal government embedded in there. Noooo sireeeeee.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on March 10, 2019, 11:34:16 am
from the NSA and install it on my computer

actually CIA, later NSA. I'm using it since years, still alive, still no drones on the sky. EDIT (Ghidra is really useful, you can always use VM if you care).

I'm more complaint about useless online firmware updates for these DSOs, i don't need it, they are security holes by design, i wish Siglent could spend more time on firmware improvements/fix instead of useless online updates.
Title: In a single line of code
Post by: 48656C6C6F20576F726C6421 on April 10, 2019, 07:22:16 pm
I came across this thread and found it interesting. It looked like a nice puzzle. I thought whether there is any way to put all the previous information into a single line of code (e.g. shell code), so there is no need for:
- patching the firmware
- searching strings in a hex editor
- compiling some search tools with a version of VS you don't have, so you need to change the code before it runs
- messing arround with USB

The following code is for educational purpose. Do not use it if you have not bought the options or bandwith. If you want to play with it, you should first ask Siglent, how to remove/disable an unwanted/unlicenced option which was unlocked by accident while playing with the device.
This is important because they put a lot of time and work in it to disable some functionality. This work need to be paid!
There might be some exceptions (but I'm mot sure):
- if you lost your bought keys, and the device did it too, or you have not entered it before the precious loss
- if the device was delivered in a wrong configuration (i.e. bandwith)
- if your device came in a wrong case or with a wrong label

This code is for the shell (e.g. Telnet):
Code: [Select]
BW_OK="200M"; QuickSearch=500; cat /proc/$(pidof sds1000b.app)/maps | grep heap | while read line; do start=0x$(echo $line | cut -c 0-8); end=0x$(echo $line | cut -c 10-18); dd if=/proc/$(pidof sds1000b.app)/mem bs=4096 skip=$(($start/4096)) count=$( [ -z "$QuickSearch" ] && echo $((($end-$start)/4096)) || echo $QuickSearch) | grep -ohE "[A-Z0-9]{16}" | grep -vhE "([A-Z])\1{2}" | while read line; do echo "LCISL WIFI,$line" | nc -w1 127.0.0.1 5024; echo "LCISL AWG,$line" | nc -w1 127.0.0.1 5024; echo "LCISL MSO,$line" | nc -w1 127.0.0.1 5024; [ $BW_OK != "$(echo "PRBD?" | nc -w1 127.0.0.1 5024 | grep -o $BW_OK)" ] && echo "MCBD $line" | nc -w1 127.0.0.1 5024; done; done

You need to enable Telnet like described in post #67.

Yeah ok, it's not a single line in the meaning of code but in the meaning of a string.

Can this also be put into the web interface? Not directly but it can:
Code: [Select]
SHELLCMD sh -c $'BW_OK="200M" \x3b QuickSearch=500 \x3b cat /proc/$(pidof sds1000b.app)/maps | grep heap | while read line\x3b do start=0x$(echo $line | cut -c 0-8)\x3b end=0x$(echo $line | cut -c 10-18)\x3b dd if=/proc/$(pidof sds1000b.app)/mem bs=4096 skip=$(($start/4096)) count=$( [ -z "$QuickSearch" ] && echo $((($end-$start)/4096)) || echo $QuickSearch) | grep -ohE "[A-Z0-9]{16}" | grep -vhE "([A-Z])\\1{2}" | while read line\x3b do echo "LCISL WIFI,$line" | nc -w1 127.0.0.1 5024\x3b echo "LCISL AWG,$line" | nc -w1 127.0.0.1 5024\x3b echo "LCISL MSO,$line" | nc -w1 127.0.0.1 5024\x3b [ $BW_OK != "$(echo "PRBD?" | nc -w1 127.0.0.1 5024 | grep -o $BW_OK)" ] && echo "MCBD $line" | nc -w1 127.0.0.1 5024\x3b done\x3b done' &

This was a little bit more complicated because the web interface doesn't accept semicolons, so they needed to be masked. There is also a circular dependency for SCPI, which will lock netcat if the script is not running independently, so the ampersand at the end is mandatory.

The variable at the beginning is the bandwith you want to select, and need to be set to a correct string like "200M" or "100M". This can be used if you want to try a different BW (e.g. for benchmarks or so).
I figured out that the keys are at the very beginning of the heap. I put a QuickSearch limit at the beginning of the script, so that it does not need to grep through the whole heap, which would need more then a minute. With the limit of 500 it will run about 5 seconds. If it does not find the keys, you can remove the "500" and it will run through the full heap.
You can watch how the options get unlocked ("xx" instead of a value) if you have this info page opened.
I put an additional filter (grep -vhE "([A-Z])\1{2}") in it to remove found strings (about 50 in the whole heap) with low entropy. This is not really needed, and does not have huge effect on performance but it makes it a little bit more sophisticated. There is a chance of 1/3589 (if I'm right) that this will filter a valid key. You can remove it if you think this is the case.

What do we learn from that at the end?
If you want to use cryptography to check a key, do not calculate the right one in parallel and compare it to the entered one. I also don't understand why they did this if there is nothing to compare. Hmmm, intention?

I hope you have fun and don't forget "Piracy. It's a Crime." ;)
Title: Re: In a single line of code
Post by: bugi on April 10, 2019, 08:49:22 pm
I came across this thread and found it interesting. It looked like a nice puzzle. I thought whether there is any way to put all the previous information into a single line of code (e.g. shell code)
...
Awesome! (In more than one way.)

In couple pages someone will start compressing that from "single line of code" to "half a line of code", somehow, and producing Siglent logo in ASCII graphics as a side-effect. (Obfuscated code contest -style)...

... And in few more pages we have the code golfers doing it all in 17... scratch that, 15 characters. No, 11 is enough if you use the language.... no, 9 if you accept messy output.

:P of course.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: additude on May 12, 2019, 09:45:14 am
Hello,
Thanks to everyone that contributed to this thread.
I was able to easily SHELL the telnet on 9999, telnet in from my Win10 laptop, save a memory dump to a USB drive and use HxD editor to locate 5 codes, two of which were Nut2Butt... then use MCBD on the second code to change my bandwidth to 200M with PRBD? reporting such and all without any reboot.
A few things that I have question of I hope someone can insight me.
I was able to use the 200M code, what are the others for? I do not wish to break something so I ask for knowledge first.
Is it to do with other "Options"? I know post #39 has 100M, 200M, 50M and 70M.... Are the 5 codes I have retrieved strictly related to BW only?

So why 5 codes and not 4? "The one that appears twice is the license key your scope is currently licensed under."
Secondly, can I locate other unlock codes for the other features on my SDS1104X-E? "When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO."
In my own attempt to answer these questions, I rebooted the machine and I ran the latest "One Liner" code via telnet, but even leaving QuickSearch blank I received only:
Code: [Select]
7563+0 records in
7563+0 records out
30978048 bytes (29.5MB) copied, 80.243151 seconds, 377.0KB/s
Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
....

Running the SCPI SHELL of this with QuickSearch blank I received:
"Device Cannot Be Connected"
With QuickSearch=500 it finished but did not report any results.
Thanks..
--Wes
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: e0ne199 on May 12, 2019, 07:40:56 pm
damn so in the end i am wasting my money to buy SDS1204X-E...........if i knew something like this could happen then i wouldn't want to buy my current oscilloscope  :(

does anyone here have a chance to crack SDS1204X-E? i just want to know if there is still a possibility to crack more bandwidth out of this oscilloscope...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: additude on May 13, 2019, 02:08:43 pm
Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.
I ran this and compared it to my outputs of key codes from the Hex Editor and this python mod worked fine. It harvested every possible key, just it ends up being a try/fail routine with 40-ish codes.
The program ran for minutes without any errors on a Windows 10 machine.
Thanks Phil.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: slaupin on July 02, 2019, 04:24:42 am
Does anyone know if this general approach works on any other Siglent oscilloscope series? After digging through this whole thread I think it was stated that it would NOT work on the SDS1kX series. What about the SDS2kX series? Thanks for all of the great info!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: wgoeo on July 24, 2019, 05:34:31 pm
I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.

Edit: Update (https://repl.it/@wgoeo/siglent-keygen), thanks tinhead!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Taaning on July 24, 2019, 06:55:51 pm
Ran the script, and it found all the correct keys for my scope.
Thank you :-)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on July 26, 2019, 05:18:56 pm
I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.

almost, for bandwidth SCOPE_ID and for other options S/N is the way to go. With some tricks (generate 500M License - which is not valid for that models but it opens somedoors, add it, generate 300M License, add it, reboot) one can go even to non existing but valid model SDS1304X-E, but for some reason even if shows that model, it defaults filter to 70MHz BW, so not "yet" perfekt hack

[attachimg=1]
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: wgoeo on July 27, 2019, 01:29:28 am
It seems there is another way to enable telnet without doing a firmware update. Create a file named siglent_device_startup.sh in the root directory of a FAT formatted USB disk containing the following:
Code: [Select]
#!/bin/sh
/usr/sbin/telnetd -l /bin/sh -p 2323 &
Insert the disk, reboot the scope, then try telnetting to port 2323. If something goes wrong, unplug the disk then reboot.
For 6.1.33 and possibly older versions. Untested as always.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: oldcqr on August 26, 2019, 11:56:11 pm
Hi Newbie here, but not a newbie.  But I sure feel like one right now!

I read the entire thread, and it appears that all I really need to do is establish a telnet session with the scope and/or use that whiz bang single line thing from the web interface.  I can't get either to work.

I've tried starting the telnet server on the scope using 2 methods - the one in message 67 (
Code: [Select]
SHELLCMD telnetd -l/bin/sh -p9999), and the one in 161 (should be just above this post) using the USB drive.  Neither appear to start the server.  When I try to telnet into the scope, (using PuTTY which I use frequently, or straight up Windows 10 Telnet) it fails:

Microsoft Telnet> o 192.168.1.55
Connecting To 192.168.1.55...Could not open connection to the host, on port 23: Connect failed
Microsoft Telnet> o 192.168.1.55 2323
Connecting To 192.168.1.55...Could not open connection to the host, on port 2323: Connect failed
Microsoft Telnet> o 192.168.1.55 9999
Connecting To 192.168.1.55...Could not open connection to the host, on port 9999: Connect failed

YES, 192.168.1.55 is the static address I assigned to the scope, and I am able to get to the web server on that address (so there is no weird subnet problem/etc. 

Tracing route to 192.168.1.55 over a maximum of 30 hops

  1     2 ms     1 ms    <1 ms  192.168.1.55

Trace complete.

[attachimg=1]


Running the one line update also does nothing. 

So I took another step backwards and just tried to create a memory dump on the USB stick using
Code: [Select]
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin.  I used both USB ports (the scope recognized the USB stick both places).  Neither time did I get a file of any size (not even an empty one).

So to me, it appears that despite the web interface saying 'command send success', it's not actually doing anything on the scope.  Am I missing something simple?  Do I need to enable something?  With none of this working, I'm a bit gun-shy to revert the firmware (like all the way back in msg 1).

FYI:
[attachimg=2]
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on August 27, 2019, 09:32:55 am
SHELLCMD doesnt exist in the FW anymore. So you can't use the commands based on that.

I think there is a public .GEL that allows you establish a SSH session or do a memdump.

Re-read this thread at least.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: e0ne199 on August 27, 2019, 02:18:16 pm
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on August 28, 2019, 05:32:35 am
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.

Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz  SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: oldcqr on August 28, 2019, 05:54:35 pm
SHELLCMD doesnt exist in the FW anymore. So you can't use the commands based on that.

I think there is a public .GEL that allows you establish a SSH session or do a memdump.

Re-read this thread at least.

Ok, I reread the thread and I came at it differently....

1 - I already have python on this machine (I use it frequently)
2 - I downloaded the script wgoeo posted a couple of messages back
3 - I updated the serial number in the script with my serial number from the back of the unit/System status screen (note - I used the entire serial number, all in caps, starting with SDSM (not sure if that is right nor not)
4 - Ran the script and it generated the keys
5 - In the SCPI web page I entered "MCBD [generatedkey]" (obvs without " or [])
6 -Reboot

Nothing changed.  MCBD? shows no change.  I also tried lower case serial number, as well as changing the 'SDS1000X-E to SDS1104X-E' - which I probably didn't need to do, but tried anyway.  I also tried using Scope ID (from ScopeID? command) both as-is and with removing the hyphens and changing lowercase HEX to uppercase.

Please, can you give me a point in the right direction?

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on August 28, 2019, 08:35:30 pm
Nothing changed... python

for bandwidth license you need to use scope id (scope id is somthing like 007c32...), for other software options the serial number (SDSMMEXA123...).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: oldcqr on August 28, 2019, 10:47:46 pm
I thought I had tried all the different Scope ID permutations.  Looks like I didn't.  The one that works is without dashes and leaving any other characters as they are.

For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):

Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on August 29, 2019, 05:48:50 am
...
Example:
If SCOPEID? Returns: 1234-fedc-567b-89a0
then the serial line in the script is:
serial = '1234fedc567b89a0'

Just remove the dashes.  Leave the rest alone.

I've never understood this. Isn't the whole point of computers that they can effortlessly do things like removing dashes from numbers, thus making life easier for everybody?

(apparently not, I've actually written to banking API teams telling them that life would be a lot easier for my customers if they accepted credit card numbers with and without spaces and received corporate-boilerplate replies telling me I need to make it more clear on the web site...)

Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)

Nobody ever reads instructions.

How about getting the slob who wrote the script to fix that?  :popcorn:

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: e0ne199 on September 01, 2019, 11:55:28 am
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.

Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz  SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.

do i need to purchase license to activate bode plot? i see there is a 30 day trial for AWG...i am planning to buy a stand alone AWG, so what should i do?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on September 01, 2019, 12:03:47 pm
bode plot is free, to use the AWG for anything other than bode plot needs the AWG license,
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on September 01, 2019, 12:12:41 pm
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.

Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz  SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.

do i need to purchase license to activate bode plot?
Nope, not at all. Bode plot works plug and play with all Siglent AWG's
Quote
i see there is a 30 day trial for AWG...i am planning to buy a stand alone AWG, so what should i do?
The trial usage only applies to the SAG1021 AWG module for use as an AWG from within the SDS1*04X-E Function Gen inbuilt interface.
You have 2 options, use a Siglent AWG and have simple no hassle Bode Plot usage or attempt to interface another brand AWG so the Bode Plot feature can control the other AWG. It can be done as I've already given you a link in another earlier reply but not everyone wants to have the hassle of converting the control code to get it all to work.

Any/all the examples I've posted of Bode plot use was with a SDG1032X.
Use the forum Search and 'bode plot example tautech' should find them all.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: sdt on September 01, 2019, 11:58:27 pm
I bought an SDS1104X-E last week, and I have all the same version numbers as oldcqr in reply #162

SHELLCMD doesn't seem to do anything from the SCPI interface, but wgoeo's siglent_device_startup.sh script on a usb stick from reply #161 did. Oddly it didn't seem to work every time, but often enough that it wasn't a big deal.

Dumping out the process memory of sds1000b.app didn't seem to reveal any keys. I could find my scopeid and my serial number, but very few 16-character ascii strings, none of which worked.

The updated python script from wgoeo in reply #158 worked perfectly. Bandwidth, wifi, awg & mso all unlocked without any need for telnet or any other out-of-band mods.

(I ended up needing shell access to manually fix my wpa.conf, but that's another story)

Thanks wgoeo & tinhead, and everyone else who has contributed to this thread  :-+
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on September 02, 2019, 07:28:31 pm
I bought an SDS1104X-E last week, and I have all the same version numbers as oldcqr in reply #162

SHELLCMD doesn't seem to do anything from the SCPI interface, but wgoeo's siglent_device_startup.sh script on a usb stick from reply #161 did. Oddly it didn't seem to work every time, but often enough that it wasn't a big deal.

Dumping out the process memory of sds1000b.app didn't seem to reveal any keys. I could find my scopeid and my serial number, but very few 16-character ascii strings, none of which worked.

The updated python script from wgoeo in reply #158 worked perfectly. Bandwidth, wifi, awg & mso all unlocked without any need for telnet or any other out-of-band mods.

(I ended up needing shell access to manually fix my wpa.conf, but that's another story)

Thanks wgoeo & tinhead, and everyone else who has contributed to this thread  :-+

Agreed! I just got a brand new SDS1104X-E and I am a step away from MCBD'ing the 200M key. But I am a bit of a skeptical nature and wanted to know if it would be possible to reverse-downgrade (for whatever reason) the process to 100M key? The TryKeys GitHub comments suggest that this is not possible with MBCD. Did anyone try this? Also after updating does indeed the model name change?

Thank you guys in advance
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: sdt on September 04, 2019, 10:14:46 pm
wanted to know if it would be possible to reverse-downgrade (for whatever reason) the process to 100M key?

It is. Run the MCBD command again with your 100M key and it's back to 100Mhz.

Also after updating does indeed the model name change?

It does. There's screenshots in this thread showing the status page with the updated model code.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 24, 2019, 11:52:51 am
hi guys,
I've read all posts from this topic and I'm impressed.
It seems that all is done regarding this oscilloscope but I have other problem fitting well to this topic. I hope will be interesting for you.

Some time ago I've been in China (8 months in totall of living and working in Shenzhen city). Just before returning to Europe I bought oscilloscope from taobao (chinese ebay). I haven't known about hacking possibility in this time, by the way. I've choosen it because of parameters vs price ratio. Price was 3,1k CNY (~430 USD - current rate). So, cheaper then in Europe but not much. On Chinese market this oscilloscope has little bit different name: SDS1104X-C. I noticed it  but didn't expect that only different between ...X-C nad ...X-E are Chinese language in menu that can't be change to any other:)
I wrote a message to Siglent China with question how to change the language to English but they rid me off and suggested to return device back (it was too late for me because of next day flight). Also Siglent Europe(Netherlands) didn't help me (they even didn't know about ...X-C model exist:)). Only thing I've known from Siglent was that only this model (4ch) SDS1104X has unchangable Chinese language on domestic market. On any other Siglent product you can change language to English:)

Hardware seems to be the same like ...X-E. On the motherboard is a label with SDS1000X-E text. Reading of .ads files works and I can changes firmware. But Operation System updating is disable. I think there is no bootloader in flash. It would be too easy to change from ...X-C to ...X-E I guess.

Information in this topic helped me to (almost) fix this problem. My idea was to locate language files and simply exchange chinese and englishc file names. I did it by following steps:

1. change firmware version to 6.1.25R2 (by loading .ads file)
2. change ip on oscilloscope to 192.168.1.57
3. switche to root by:

telnet 192.168.1.57 5024
SHELLCMD telnetd -l/bin/sh -p9999
---------------------------------------------------------
telnet 192.168.1.57 9999

4. remounte partition to rw by:

mount -o remount,rw ubi2_0 /usr/bin/siglent

5. all languages files are in .xml format and are located in:

/usr/bin/siglent/config/ui_data/

chinese simplified version:

simp_help_info.xml
simp_menu_info.xml
simp_text_info.xml

chinese traditional version:

trad_help_info.xml
trad_menu_info.xml
trad_text_info.xml

english version:

english_help_info.xml
english_menu_info.xml
english_text_info.xml

I copied all above files to USB drive:

/usr/bin/siglent/usr/mass_storage/U-disk0/

then changed names of english... files (under windows) to simp... and trad... and coppied back rom USB to:

/usr/bin/siglent/config/ui_data/

After reboot I seen all menu names in english:)
I was happy but it was working on old firmware 6.1.25R2 so I changed firmware to newest 6.1.33 but with this change language changed back to chinese (logical, because new functions requaier new menu files). Unfortunetly, rooting method, mentioned above isn't work on this firmware version, so I couldn't change language files.

I returned to 6.1.25R2 and repeated procedure but I did HORRIBLE mistake this time: during exchanging files I removed them first from ui_data and then copy form USB but I didn't check the files was in ui_data folder after operation. Probably I did some typo and files didn't copy. After reboot the device has hange up on Siglent logo and can't go next.
I can ping it but SHELLCMD (telnet 192.168.1.57 5024) doesn't work:(
so I lost root access. Only I can do is:

 telnet 192.168.1.57 23

but I don't know root password off course.
This is my story:)


but it isn't end of the world and I have new idea how to resurrect my device by restore dumped memory. I see 2 possibilities:

1. I localized flash memory on the motherboard. It is one chip: 29F2G08ABAEA WP. This is 2Gb nand flash with 8 bit organization. Unfortunetly, this is parallel programming memory so need to be take off from board to programm it directly. Of corse there is special programmer and adapter needed(I can get it).

2. On the motherboard we can find JTAG connector. Main processor is Xilinx Zynq so using Xilinx SDK(https://www.xilinx.com/html_docs/xilinx2019_1/SDK_Doc/SDK_tasks/sdk_t_memory_dump_restore.html (https://www.xilinx.com/html_docs/xilinx2019_1/SDK_Doc/SDK_tasks/sdk_t_memory_dump_restore.html)) and Digilent JTAG-HS3(https://store.digilentinc.com/jtag-hs3-programming-cable/ (https://store.digilentinc.com/jtag-hs3-programming-cable/)) or JTAG-HS2 USB flashing memory throught Jtag should be possible. Another problem could be to confirme that this is for sure JTAG connector and what is the pinout.

I'm wondering could I flash dumped memory from another oscilloscope (...X-E version with different serial number).
I did dump mem from my scope but if I flash it back there will be the same problem with language and bootloader.

I would be grateful if somebody could share with me dumped memory from SDS1104X-E scope (best for me would be OSV1_EN_eevblog with known root password).

What do you think about my idea to fix it and flashing method I'm mentioning? I would be happy for any suggestions or corrections.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Gege34 on September 24, 2019, 12:24:13 pm
On this thread (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2478699/#msg2478699) tv84 (and plurn) give a way to activate telnet on firmware 6.1.33
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 24, 2019, 12:49:15 pm
Thanks for this info. I'll try it on hanging scope first.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 24, 2019, 02:28:32 pm
Thanks for this info. I'll try it on hanging scope first.

First, get control of your machine once again. After that, worry about changing language.

To solve the language problem you should change the scope model from X-C to X-E. Don't go around patching the filesystem.

Maybe you can do it with a simple SCPI command.

PS: If you have any memdump of your machine I would be interested in having a look.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 24, 2019, 04:17:20 pm
Thanks for this info. I'll try it on hanging scope first.

First, get control of your machine once again. After that, worry about changing language.

To solve the language problem you should change the scope model from X-C to X-E. Don't go around patching the filesystem.

Maybe you can do it with a simple SCPI command.

PS: If you have any memdump of your machine I would be interested in having a look.

Jus very tiny sidenote for yours this: "Also Siglent Europe(Netherlands) didn't help me (they even didn't know about ...X-C model exist:))."

Siglent Europe(Netherlands) is not Siglent at all. It is one Siglent distributor. (also sell many other equipments but using different domain)

If you need Siglent (manufacturer) help in Europe: Right place is Siglent Technologies Germany GmbH
Web side: https://www.siglenteu.com/ (https://www.siglenteu.com/)

Problem is also factory warranty in EU area. You have model localized for China domestic markets what have warranty only there and its serial number is not in EU area database.

But...    no one can deny when the owner makes "some" changes and modifications at his own risk. ;)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 25, 2019, 08:46:09 am
tv84,
regarding getting control once again, do you think that two ways I mentioned above are only possible or maybe you have another idea how to do this easier?
I sent you memdump to PW.

rf-loop,
you've right. I don't remember how I reached to this contact. I could swear that from siglent.com link but as I'm checking now there is link to Siglent Hamburg.
Regarding warranty, yes I was full aware of it. I expected something like "to solve your problem we need to reflash device. Cost of this operation is ...." I didn't expect any free warranty actions.
But it doesn't metter now because I've gone to hardware mafia already:)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 25, 2019, 09:36:03 am
I don't remember if you can force an FW upgrade while the scope is booting (supported by the bootloader).

Maybe tautech can help in that regard.

Do you have access to serial port? What does that log show?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 25, 2019, 10:16:36 am
I'll try to read log in the evening. Will let you know.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 25, 2019, 06:40:46 pm
serial transmition work with baudrate 115200kbps. It seems that I can write commands also.

here are
Code: [Select]
df command response:

Code: [Select]
df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                29868     29868         0 100% /
devtmpfs                110060         0    110060   0% /dev
none                    118348         0    118348   0% /tmp
ubi1_0                   29816     14388     15428  48% /usr/bin/siglent
ubi2_0                    5848        72      5776   1% /usr/bin/siglent/firmdata0
ubi0_0                   84752       280     84472   0% /usr/bin/siglent/usr
/dev/sda1             15711208     31136  15680072   0% /usr/bin/siglent/usr/mass_storage/U-disk0
/ #




here are the logs:

1.Booting of scope

Code: [Select]
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.


U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)

Board: Xilinx Zynq
I2C:   ready
DRAM:  ECC disabled 243 MiB
NAND:  256 MiB
MMC:   zynq_sdhci: 0
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
 [INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net:   Gem.e000b000
Hit any key to stop autoboot:  0
(Re)start USB...
USB0:   USB EHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
USB1:   ULPI request timed out
zynq ULPI viewport init failed
lowlevel init failed
       scanning usb for storage devices... 0 Storage Device(s) found
Copying Linux from USB to RAM...
** Bad device usb 0 **
** Bad device usb 0 **
Copying Linux from NAND flash to RAM...

NAND read: device 0 offset 0x780000, size 0x400000
 4194304 bytes read: OK

NAND read: device 0 offset 0xb80000, size 0x80000
 524288 bytes read: OK
 ## Booting kernel from Legacy Image at 02080000 ...
   Image Name:   Linux-3.19.0-xilinx-svn8988
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    3614680 Bytes = 3.4 MiB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
 ## Flattened Device Tree blob at 02000000
   Booting using the fdt blob at 0x2000000
EHCI failed to shut down host controller.
   Loading Kernel Image ... OK
   Loading Device Tree to 0e00d000, end 0e013e8b ... OK

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 3.19.0-xilinx-svn8988 (david@david-virtual-machine) (gcc version 4.6.1 (Sourcery CodeBench Lite 2011.09-50) ) #187 SMP PREEMPT Wed Feb 28 18:55:09 CST 2018
[    0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Zynq Zed Development Board
[    0.000000] cma: Reserved 16 MiB at 0x0d000000
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] PERCPU: Embedded 9 pages/cpu @4edf2000 s8128 r8192 d20544 u36864
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 60960
[    0.000000] Kernel command line: console=ttyPS0,115200 root=/dev/mtdblock5 rootfstype=cramfs init=/linuxrc earlyprintk uboot_version=08
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Memory: 220120K/245760K available (4514K kernel code, 229K rwdata, 1748K rodata, 192K init, 223K bss, 9256K reserved, 16384K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0x4f800000 - 0xff000000   (2808 MB)
[    0.000000]     lowmem  : 0x40000000 - 0x4f000000   ( 240 MB)
[    0.000000]     pkmap   : 0x3fe00000 - 0x40000000   (   2 MB)
[    0.000000]     modules : 0x3f000000 - 0x3fe00000   (  14 MB)
[    0.000000]       .text : 0x40008000 - 0x40625c7c   (6264 kB)
[    0.000000]       .init : 0x40626000 - 0x40656000   ( 192 kB)
[    0.000000]       .data : 0x40656000 - 0x4068f620   ( 230 kB)
[    0.000000]        .bss : 0x4068f620 - 0x406c74c4   ( 224 kB)
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000] RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
[    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] L2C: platform modifies aux control register: 0x72360000 -> 0x72760000
[    0.000000] L2C: DT/platform modifies aux control register: 0x72360000 -> 0x72760000
[    0.000000] L2C-310 erratum 769419 enabled
[    0.000000] L2C-310 enabling early BRESP for Cortex-A9
[    0.000000] L2C-310 full line of zeros enabled for Cortex-A9
[    0.000000] L2C-310 ID prefetch enabled, offset 1 lines
[    0.000000] L2C-310 dynamic clock gating enabled, standby mode enabled
[    0.000000] L2C-310 cache controller enabled, 8 ways, 512 kB
[    0.000000] L2C-310: CACHE_ID 0x410000c8, AUX_CTRL 0x76760001
[    0.000000] slcr mapped to 4f804000
[    0.000000] zynq_clock_init: clkc starts at 4f804100
[    0.000000] Zynq clock init
[    0.000011] sched_clock: 64 bits at 333MHz, resolution 3ns, wraps every 3298534883328ns
[    0.000137] timer #0 at 4f806000, irq=17
[    0.000507] Console: colour dummy device 80x30
[    0.000528] Calibrating delay loop... 1332.01 BogoMIPS (lpj=6660096)
[    0.090280] pid_max: default: 32768 minimum: 301
[    0.090439] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.090454] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.091117] CPU: Testing write buffer coherency: ok
[    0.091334] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.091420] Setting up static identity map for 0x441b50 - 0x441ba8
[    0.240268] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
[    0.240353] Brought up 2 CPUs
[    0.240373] SMP: Total of 2 processors activated (2664.03 BogoMIPS).
[    0.240382] CPU: All CPU(s) started in SVC mode.
[    0.240922] devtmpfs: initialized
[    0.241765] VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
[    0.247861] NET: Registered protocol family 16
[    0.250053] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.281232] cpuidle: using governor ladder
[    0.311198] cpuidle: using governor menu
[    0.319920] hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
[    0.319937] hw-breakpoint: maximum watchpoint size is 4 bytes.
[    0.320085] zynq-ocm f800c000.ocmc: ZYNQ OCM pool: 256 KiB @ 0x4f880000
[    0.338397] vgaarb: loaded
[    0.338845] SCSI subsystem initialized
[    0.339258] usbcore: registered new interface driver usbfs
[    0.339354] usbcore: registered new interface driver hub
[    0.339533] usbcore: registered new device driver usb
[    0.339696] phy0 supply vcc not found, using dummy regulator
[    0.339788] phy1 supply vcc not found, using dummy regulator
[    0.339918] --------------usb_udc_init ------
[    0.340147] pps_core: LinuxPPS API ver. 1 registered
[    0.340160] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.340211] PTP clock support registered
[    0.340340] EDAC MC: Ver: 3.0.0
[    0.342110] cfg80211: Calling CRDA to update world regulatory domain
[    0.342491] Switched to clocksource arm_global_timer
[    0.355818] NET: Registered protocol family 2
[    0.356660] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.356711] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.356769] TCP: Hash tables configured (established 2048 bind 2048)
[    0.356821] TCP: reno registered
[    0.356837] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.356871] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.357079] NET: Registered protocol family 1
[    0.357408] RPC: Registered named UNIX socket transport module.
[    0.357421] RPC: Registered udp transport module.
[    0.357430] RPC: Registered tcp transport module.
[    0.357439] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.359295] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.360980] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.362084] io scheduler noop registered
[    0.362106] io scheduler deadline registered
[    0.362157] io scheduler cfq registered (default)
[    0.364345] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[    0.364368] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[    0.364875] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[    0.943761] console [ttyPS0] enabled
[    0.947945] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[    0.954721] [drm] Initialized drm 1.1.0 20060810
[    0.967430] brd: module loaded
[    0.974577] loop: module loaded
[    0.985927] libphy: MACB_mii_bus: probed
[    1.062680] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[    1.072565] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[    1.083970] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.090420] ehci-pci: EHCI PCI platform driver
[    1.095032] usbcore: registered new interface driver usbtmc
[    1.100611] usbcore: registered new interface driver usb-storage
[    1.106791] e0002000.usb supply vbus not found, using dummy regulator
[    1.113516] ci_hdrc ci_hdrc.0: EHCI Host Controller
[    1.118334] ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
[    1.142513] ci_hdrc ci_hdrc.0: USB 2.0 started, EHCI 1.00
[    1.148689] hub 1-0:1.0: USB hub found
[    1.152388] hub 1-0:1.0: 1 port detected
[    1.156845] e0003000.usb supply vbus not found, using dummy regulator
[    1.165041] i2c /dev entries driver
[    1.169306] cdns-i2c e0005000.i2c: 20 kHz mmio e0005000 irq 144
[    1.176565] zynq-edac f8006000.memory-controller: ecc not enabled
[    1.182821] Xilinx Zynq CpuIdle Driver started
[    1.187860] ledtrig-cpu: registered to indicate activity on CPUs
[    1.193949] usbcore: registered new interface driver r8188eu
[    1.200381] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xda
[    1.206679] nand: Micron MT29F2G08ABAEAWP
[    1.210650] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    1.218244] nand: WARNING: pl353-nand: the ECC used on your system is too weak compared to the one required by the NAND chip
[    1.229708] Bad block table found at page 131008, version 0x01
[    1.235969] Bad block table found at page 130944, version 0x01
[    1.242072] 11 ofpart partitions found on MTD device pl353-nand
[    1.247919] Creating 11 MTD partitions on "pl353-nand":
[    1.253229] 0x000000000000-0x000000780000 : "fsbl"
[    1.259101] 0x000000780000-0x000000b80000 : "kerneldata"
[    1.265424] 0x000000b80000-0x000000c00000 : "device-tree"
[    1.271702] 0x000000c00000-0x000001100000 : "Manufacturedata"
[    1.278368] 0x000001100000-0x000001600000 : "reserved1"
[    1.284559] 0x000001600000-0x000003e00000 : "rootfs"
[    1.290488] 0x000003e00000-0x000004800000 : "firmdata0"
[    1.296687] 0x000004800000-0x000007000000 : "siglent"
[    1.302875] 0x000007000000-0x00000d400000 : "datafs"
[    1.308928] 0x00000d400000-0x00000fc00000 : "upgrade_cramdisk"
[    1.315809] 0x00000fc00000-0x000010000000 : "reserved2"
[    1.324085] TCP: cubic registered
[    1.327329] NET: Registered protocol family 17
[    1.331766] lib80211: common routines for IEEE802.11 drivers
[    1.337774] Registering SWP/SWPB emulation handler
[    1.349485] cramfs_fill_nand blocks is 320-----------------------
[    1.349485]
[    1.349485]
[    1.349485]
[    1.362746] VFS: Mounted root (cramfs filesystem) readonly on device 31:5.
[    1.369593] devtmpfs: mounted
[    1.372790] Freeing unused kernel memory: 192K (40626000 - 40656000)
[    1.482595] usb 1-1: new high-speed USB device number 2 using ci_hdrc
[    1.633815] hub 1-1:1.0: USB hub found
[    1.637694] hub 1-1:1.0: 3 ports detected
Starting rcS...
 Mounting filesystem
[    1.798962] UBI-0: ubi_attach_mtd_dev:attaching mtd8 to ubi0
[    2.201038] UBI-0: scan_all:scanning is finished
 40
[    2.760356] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[    2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[    2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[    2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[    2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[    2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[    2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[    2.943197] UBIFS: recovery needed
 2.760356] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[    2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[    2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[    2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[    2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[    2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[    2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[    2.943197] UBIFS: recovery needed
h_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[    2.674601] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
, name "siglent", R/O mode
[    2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[    2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[    2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[    2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[    2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[    3.025920] UBIFS: recovery completed
[    3.029594] UBIFS: mounted UBI device 0, volume 0, name "rootfs"
[    3.035545] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    3.044644] UBIFS: FS size: 94597120 bytes (90 MiB, 745 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[    3.054276] UBIFS: reserved for root: 0 bytes (0 KiB)
[    3.059305] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C886A817-B838-46DF-AE16-F9920045A7D7, small LPT model
Upgrade start
 Configure eth0
Starting mdev
[    2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[    2.943197] UBIFS: recovery needed
h_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[    2.674601] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
8 KiB), LEB size: 126976 bytes
[    2.478605] UBI-1: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.487104] UBI-1: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.495793] UBI-1: ubi_attach_mtd_dev:good PEBs: 320, bad PEBs: 0, corrupted PEBs: 0
[    2.503509] UBI-1: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.512435] UBI-1: ubi_attach_mtd_dev:max/mean erase counter: 13/9, WL threshold: 4096, image sequence number: 1819264682
[    2.523399] UBI-1: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 320, PEBs reserved for bad PEB handling:[    4.045576] xilinx-dma 40400000.dma: Probing xilinx axi dma engine...Successful
[    4.087569] sigdma_init++++++
[    4.111420] siglentkb probe
[    4.114484] ##### siglentkb registers 4fc1e580 4fc365a4 4fc385b8
[    4.139471] usbcore: registered new interface driver mt7601u
[    4.152355] irq = 170
config read
 ###### Config vdma for wave transform #######
config write
config read
dump s2mm registers
dump mm2s registers
 ####### done! ########
Config vnc  data to memory
Config done!
 #### siglentkb registers 4fc1e580 4fc365a4 4fc385b8
[    4.139471] usbcore: regis[    4.371815] UBIFS: background thread "ubifs_bgt1_0" started, PID 778
ln: /usr/bin/siglent/config/www/web_img/usr: File exists
Starting Lighttpd Web Server: Initializing framebuffer device /dev/fb0...
xres=800, yres=480, xresv=800, yresv=480, xoffs=0, yoffs=0, bpp=16
Initializing touch device /dev/input/event0 ...
Initializing VNC server:
width:  800
height: 480
bpp:    16
port:   5900
Initializing server...
01/01/1970 00:00:04 Listening for VNC connections on TCP port 5900
[    4.504615] random: lighttpd urandom read with 17 bits of entropy available
lighttpd.
[    4.643624] UBIFS: background thread "ubifs_bgt1_0" stops
rcS Complete

Processing /etc/profile... Done

/ # [INFO]:calibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory

                                                       $Task start:: SCPI
 
                                                       $Task start:: Devce
 
                                                       $Task start:: WLAN
 
                                                       $Task start:: Udisk&Lan
 vxi11_main = 6821.64

                                                       $Task start:: Vxi11_client
sh: write error: Invalid argument
 drv_instance_manage_t: produce_id: 13501
(DRV_PRODUCT_PIKACHU)
_drv_product=4
acq_scal_user = -1.000000
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
[    7.232355] export_store: invalid GPIO 115
sh: write error: Invalid argument
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
scpi_register_cmd_boardtest
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml  not exist

                                                       $Task start:: UI
ifconfig: SIOCGIFFLAGS: No such device
 
                                                       $Task start:: awg_thread
 mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interrupt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - telnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_threa[   10.912150] Free all channel resources.
d
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds100[   10.919150] Free all channel resources.
0b.app: mempool.h:81: MemoryChunk::~MemoryChunk(): Assertion `tempcount==count' failed.


2. Booting of scope with OS stored in external USB drive

Code: [Select]
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.


U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)

Board: Xilinx Zynq
I2C:   ready
DRAM:  ECC disabled 243 MiB
NAND:  256 MiB
MMC:   zynq_sdhci: 0
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
 [INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net:   Gem.e000b000
Hit any key to stop autoboot:  0
(Re)start USB...
USB0:   USB EHCI 1.00
scanning bus 0 for devices... 3 USB Device(s) found
USB1:   ULPI request timed out
zynq ULPI viewport init failed
lowlevel init failed
       scanning usb for storage devices... 1 Storage Device(s) found
Copying Linux from USB to RAM...
** Invalid partition 1 **
** Invalid partition 1 **
Copying Linux from NAND flash to RAM...

NAND read: device 0 offset 0x780000, size 0x400000
 4194304 bytes read: OK

NAND read: device 0 offset 0xb80000, size 0x80000
 524288 bytes read: OK
 ## Booting kernel from Legacy Image at 02080000 ...
   Image Name:   Linux-3.19.0-xilinx-svn8988
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    3614680 Bytes = 3.4 MiB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
 ## Flattened Device Tree blob at 02000000
   Booting using the fdt blob at 0x2000000
EHCI failed to shut down host controller.
   Loading Kernel Image ... OK
   Loading Device Tree to 0e00d000, end 0e013e8b ... OK

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
 enabled
 0.356649] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[    0.356810] TCP: reno registered
[    0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.357070] NET: Registered protocol family 1
[    0.357416] RPC: Registered named UNIX socket transport module.
[    0.357429] RPC: Registered udp transport module.
[    0.357438] RPC: Registered tcp transport module.
[    0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.362068] io scheduler noop registered
[    0.362090] io scheduler deadline registered
[    0.362140] io scheduler cfq registered (default)
[    0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[    0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[    0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[    0.943655] console [ttyPS0] enabled
[    0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[    0.954616] [drm] Initialized drm 1.1.0 20060810
[    0.967322] brd: module loaded
[    0.974502] loop: module loaded
[    0.985953] libphy: MACB_mii_bus: probed
[    1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[    1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[    1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[    0.356810] TCP: reno registered
[    0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.357070] NET: Registered protocol family 1
[    0.357416] RPC: Registered named UNIX socket transport module.
[    0.357429] RPC: Registered udp transport module.
[    0.357438] RPC: Registered tcp transport module.
[    0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.362068] io scheduler noop registered
[    0.362090] io scheduler deadline registered
[    0.362140] io scheduler cfq registered (default)
[    0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[    0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[    0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[    0.943655] console [ttyPS0] enabled
[    0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[    0.954616] [drm] Initialized drm 1.1.0 20060810
[    0.967322] brd: module loaded
[    0.974502] loop: module loaded
[    0.985953] libphy: MACB_mii_bus: probed
[    1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[    1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[    1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.090186] ehci-pci: EHCI driver usb
[    0.339429] phy0 supply vcc not found, using dummy regulator
[    0.339536] phy1 supply vcc not found, using dummy regulator
[    0.339670] --------------usb_udc_init ------
[    0.339897] pps_core: LinuxPPS API ver. 1 registered
[    0.339911] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.339967] PTP clock support registered
[    0.340296] EDAC MC: Ver: 3.0.0
[    0.341900] cfg80211: Calling CRDA to update world regulatory domain
[    0.342332] Switched to clocksource arm_global_timer
[    0.355865] NET: Registered protocol family 2
48 (order: 1, 8192 bytes)
[    0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[    0.356810] TCP: reno registered
[    0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.357070] NET: Registered protocol family 1
[    0.357416] RPC: Registered named UNIX socket transport module.
[    0.357429] RPC: Registered udp transport module.
[    0.357438] RPC: Registered tcp transport module.
[    0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.362068] io scheduler noop registered
[    0.362090] io scheduler deadline registered
[    0.362140] io scheduler cfq registered (default)
[    0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[    0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[    0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[    0.943655] console [ttyPS0] enabled
[    0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[    0.954616] [drm] Initialized drm 1.1.0 20060810
[    0.967322] brd: module loaded
[    0.974502] loop: module loaded
[    0.985953] libphy: MACB_mii_bus: probed
[    1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[    1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[    1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.090186] ehci-pci: EHCI driver usb
[    0.339429] phy0 supply vcc not found, using dummy regulator
[    0.339536] phy1 supply vcc not found, using dummy regulator
[    0.339670] --------------usb_udc_init ------
[    0.339897] pps_core: LinuxPPS API ver. 1 registered
[    0.339911] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.339967] PTP clock support registered
[    0.340296] EDAC MC: Ver: 3.0.0
[    0.341900] cfg80211: Calling CRDA to update world regulatory domain
[    0.342332] Switched to clocksource arm_global_timer
[    0.355865] NET: Registered protocol family 2
[   tch enabled, offset 1 lines
[    0.000000] L2C-310 dynamic clock gating enabled, standby mode PCI platform driver
[    1.094784] usbcore: registered new interface driver usbtmc
[    1.100365] usbcore: registered new interface driver usb-storage
[    1.106534] e0002000.usb supply vbus not found, using dummy regulator
[    1.113235] ci_hdrc ci_hdrc.0: EHCI Host Controller
[    1.118047] ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
[    1.142353] ci_hdrc ci_hdrc.0: USB 2.0 started, EHCI 1.00
[    1.148519] hub 1-0:1.0: USB hub found
[    1.152214] hub 1-0:1.0: 1 port detected
[    1.156695] e0003000.usb supply vbus not found, using du2c: 20 kHz mmio e0005000 irq 144
[    1.176481] zynq-edac f8006000.memory-controller: ecc not enabled
[    1.182760] Xilinx Zynq CpuIdle Driver started
[    1.187808] ledtrig-cpu: registered to indicate activity on CPUs
[    1.193902] usbcore: registered new interface driver r8188eu
[    1.200310] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xda
[    1.206606] nand: Micron MT29F2G08ABAEAWP
[    1.210572] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    1.218145] nand: WARNING: pl353-nand: the ECC used on your system is too weak compared to the one required by the NAND chip
[    1.229703] Bad block table found at page 131008, version 0x01
[    1.235974] Bad block table found at page 130944, version 0x01
[    1.242082] 11 ofpart partitions found on MTD device pl353-nand
[    1.247931] Creating 11 MTD partitions on "pl353-nand":
[    1.253145] 0x000000000000-0x000000780000 : "fsbl"
[    1.259061] 0x000000780000-0x000000b80000 : "kerneldata"
[    1.265382] 0x000000b80000-0x000000c00000 : "device-tree"
[    1.271670] 0x000000c00000-0x000001100000 : "Manufacturedata"
[    1.278360] 0x000001100000-0x000001600000 : "reserved1"
[    1.284536] 0x000001600000-0x000003e00000 : "rootfs"
[    1.290490] 0x000003e00000-0x000004800000 : "firmdata0"
[    1.296725] 0x000004800000-0x000007000000 : "siglent"
[    1.302817] 0x000007000000-0x00000d400000 : "datafs"
[    1.308894] 0x00000d400000-0x00000fc00000 : "upgrade_cramdisk"
[    1.315820] 0x00000fc00000-0x000010000000 : "reserved2"
[    1.324034] TCP: cubic registered
[    1.327276] NET: Registered protocol family 17
[    1.331716] lib80211: common routines for IEEE802.11 drivers
[    1.337825] Registering SWP/SWPB emulation handler
[    1.349593] cramfs_fill_nand blocks is 320-----------------------
[    1.349593]
[    1.349593]
[    1.349593]
[    1.363081] VFS: Mounted root (cramfs filesystem) readonly on device 31:5.
[    1.369933] devtmpfs: mounted
[    1.373116] Freeing unused kernel memory: 192K (40626000 - 40656000)
[    1.472440] usb 1-1: new high-speed USB device number 2 using ci_hdrc
[    1.623754] hub 1-1:1.0: USB hub found
[    1.627935] hub 1-1:1.0: 3 ports detected
Starting rcS...
 Mounting filesystem
[    1.804378] UBI-0: ubi_attach_mtd_dev:attaching mtd8 to ubi0
[    2.206471] UBI-0: scan_all:scanning is finished
[    2.218867] UBI-0: ubi_attach_mtd_dev:attached mtd8 (name "datafs", size 100 MiB)
[    2.226325] UBI-0: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    2.234884] UBI-0: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.243387] UBI-0: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.252052] UBI-0: ubi_attach_mtd_dev:good PEBs: 800, bad PEBs: 0, corrupted PEBs: 0
[    2.259802] UBI-0: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.268735] UBI-0: ubi_attach_mtd_dev:max/mean erase counter: 10/4, WL threshold: 4096, image sequence number: 950638423
[    2.279582] UBI-0: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 800, PEBs reserved for bad PEB handling: 40
[    2.290534] UBI-0: ubi_thread:background thread "ubi_bgt0d" started, PID 662
[    2.294871] UBI-1: ubi_attach_mtd_dev:attaching mtd7 to ubi1
[    2.456155] UBI-1: scan_all:scanning is finished
[    2.467921] UBI-1: ubi_attach_mtd_dev:attached mtd7 (name "siglent", size 40 MiB)
[    2.475371] UBI-1: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    2.483930] UBI-1: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.492433] UBI-1: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.501232] UBI-1: ubi_attach_mtd_dev:good PEBs: 320, bad PEBs: 0, corrupted PEBs: 0
[    2.508958] UBI-1: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.517855] UBI-1: ubi_attach_mtd_dev:max/mean erase counter: 13/9, WL threshold: 4096, image sequence number: 1819264682
[    2.528786] UBI-1: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 320, PEBs reserved for bad PEB handling: 40
[    2.539818] UBI-1: ubi_thread:background thread "ubi_bgt1d" started, PID 666
[    2.544307] UBI-2: ubi_attach_mtd_dev:attaching mtd6 to ubi2
[    2.586871] UBI-2: scan_all:scanning is finished
[    2.597656] UBI-2 warning: print_rsvd_warning: cannot reserve enough PEBs for bad PEB handling, reserved 9, need 40
[    2.608741] UBI-2: ubi_attach_mtd_dev:attached mtd6 (name "firmdata0", size 10 MiB)
[    2.616346] UBI-2: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    2.624925] UBI-2: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.633428] UBI-2: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.642096] UBI-2: ubi_attach_mtd_dev:good PEBs: 80, bad PEBs: 0, corrupted PEBs: 0
[    2.649747] UBI-2: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.658688] UBI-2: ubi_attach_mtd_dev:max/mean erase counter: 10/6, WL threshold: 4096, image sequence number: 1777018790
[    2.669646] UBI-2: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[    2.680416] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
[    2.742578] usb 1-1.2: new high-speed USB device number 3 using ci_hdrc
[    2.767135] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[    2.774059] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.783150] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[    2.792774] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.797803] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[    2.874537] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[    2.881260] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.890386] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[    2.895761] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[    2.899916] scsi host0: usb-storage 1-1.2:1.0
[    2.910329] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.915380] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[    2.929148] UBIFS: background thread "ubifs_bgt0_0" started, PID 682
[    2.960826] UBIFS: recovery needed
[    3.026853] UBIFS: recovery completed
[    3.030538] UBIFS: mounted UBI device 0, volume 0, name "rootfs"
[    3.036487] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    3.045634] UBIFS: FS size: 94597120 bytes (90 MiB, 745 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[    3.055228] UBIFS: reserved for root: 0 bytes (0 KiB)
[    3.060251] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C886A817-B838-46DF-AE16-F9920045A7D7, small LPT model
Upgrade start
 Configure eth0
Starting mdev
[    3.893675] scsi 0:0:0:0: Direct-Access     Generic  Flash-Disk       1.09 PQ: 0 ANSI: 2
[    3.904053] sd 0:0:0:0: Attached scsi generic sg0 type 0
[    3.909788] sd 0:0:0:0: [sda] 15728640 512-byte logical blocks: (8.05 GB/7.50 GiB)
[    3.919526] sd 0:0:0:0: [sda] Write Protect is off
[    3.926123] sd 0:0:0:0: [sda] No Caching mode page found
[    3.931375] sd 0:0:0:0: [sda] Assuming drive cache: write through
[    3.945598]  sda:
[    3.953257] sd 0:0:0:0: [sda] Attached SCSI removable disk
[    4.106171] xilinx-dma 40400000.dma: Probing xilinx axi dma engine...Successful
[    4.132424] xilinx-vdma 43010000.dma: Xilinx AXI VDMA Engine Driver Probed!!
[    4.148108] sigdma_init++++++
[    4.171856] siglentkb probe
[    4.174840] ##### siglentkb registers 4fc3c580 4fc3e5a4 4fc525b8
[    4.201999] usbcore: registered new interface driver mt7601u
[    4.215120] irq = 170
config read
 ###### Config vdma for wave transform #######
config write
config read
dump s2mm registers
dump mm2s registers
 ####### done! ########
Config vnc  data to memory
Config done!
[    4.434381] UBIFS: background thread "ubifs_bgt1_0" started, PID 792
ln: /usr/bin/siglent/config/www/web_img/usr: File exists
Starting Lighttpd Web Server: Initializing framebuffer device /dev/fb0...
xres=800, yres=480, xresv=800, yresv=480, xoffs=0, yoffs=0, bpp=16
Initializing touch device /dev/input/event0 ...
Initializing VNC server:
width:  800
height: 480
bpp:    16
port:   5900
Initializing server...
01/01/1970 00:00:04 Listening for VNC connections on TCP port 5900
[    4.619329] random: lighttpd urandom read with 27 bits of entropy available
lighttpd.
[    4.757138] UBIFS: background thread "ubifs_bgt1_0" stops
rcS Complete

Processing /etc/profile... Done

/ # [    5.064577] macb e000b000.ethernet eth0: link up (100/Full)
[INFO]:calibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory

                                                       $Task start:: SCPI
 
                                                       $Task start:: Devce
 
                                                       $Task start:: WLAN
 vxi11_main = 6861.09

                                                       $Task start:: Udisk&Lan
sh: write error: Invalid argument
 
                                                       $Task start:: Vxi11_client
 drv_instance_manage_t: produce_id: 13501[    6.916941] FAT-fs (sda): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.

(DRV_PRODUCT_PIKACHU)
_drv_product=4
acq_scal_user = -1.000000
eth0 on

[    6.984507] device eth0 entered promiscuous mode
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
[    7.336193] export_store: invalid GPIO 115
sh: write error: Invalid argument
scpi_register_cmd_boardtest
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml  not exist

                                                       $Task start:: UI
ifconfig: SIOCGIFFLAGS: No such device
 
                                                       $Task start:: awg_thread
 mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interrupt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - telnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_thread
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds1000b.app: mempool.h:81: MemoryChunk::~M[   11.072046] Free all channel resources.
emoryChunk(): Assertion `tempcount==count' failed.
tempcount=0,[   11.077790] Free all channel resources.


3. Start sds1000b.app commnd

Code: [Select]
/usr/bin/siglent/sds1000b.app &
[1]-  Aborted                    /usr/bin/siglent/sds1000b.app
/ #
/ # [INFO]:calibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory

                                                       $Task start:: SCPI
route: SIOCADDRT: File exists
 
                                                       $Task start:: Devce
sh: write error: Device or resource busy
sh: write error: Device or resource busy
sh: write error: Device or resource busy
sh: write error: Device or resource busy
 vxi11_main = 1.89248e+06
drv_instance_manage_t: produce_id: 13501
(DRV_PRODUCT_PIKACHU)
_drv_product=4

                                                       $Task start:: WLAN
 
                                                       $Task start:: Udisk&Lan
 acq_scal_user = -1.000000

                                                       $Task start:: Vxi11_client
[ 1892.568522] export_store: invalid GPIO 115
sh: write error: Invalid argument
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
 open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
scpi_register_cmd_boardtest
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml  not exist

                                                       $Task start:: UI
 mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interru[ 1894.929648] Free all channel resources.
pt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - te[ 1894.937666] Free all channel resources.
lnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_thread
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds1000b.app: mempool.h:81: MemoryChunk::~MemoryChunk(): Assertion `tempcount==count' failed.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 25, 2019, 09:08:21 pm
So, you can place back the missing files, right?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 26, 2019, 07:24:21 am
turned out that languages files are on right place. ???
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on September 26, 2019, 02:02:27 pm
Thank you for all this work! I would be interested if anyone really measured the bandwidth after this "upgrade" that merely shows a different Siglent product which is capable of 200MHz. Just seeing a different model name is not really convincing! No one in this forum has posted a sweep up to 200MHz before and after the hack. Could someone please do so to satisfy my curiosity but more importantly the fact that this upgrade indeed is valid?

Thanks
Lutz
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 26, 2019, 02:15:18 pm
No one in this forum has posted a sweep up to 200MHz before and after the hack. Could someone please do so to satisfy my curiosity but more importantly the fact that this upgrade indeed is valid?

There are plenty of those validations in the right threads. You just didn't search enough. No need to start over that theme.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 26, 2019, 02:17:27 pm
turned out that languages files are on right place. ???

 :o  :o
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on September 27, 2019, 02:33:51 am
Indeed, my bad - sorry. I found the validations in a different thread.
Thanks
Lutz
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 27, 2019, 12:26:14 pm
I'm a little bit farther with my work:)

Using UART interface there is an option to stop autoboot by taping any key during starting of scope.

Code: [Select]
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.


U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)

Board: Xilinx Zynq
I2C:   ready
DRAM:  ECC disabled 243 MiB
NAND:  256 MiB
MMC:   zynq_sdhci: 0
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
 [INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net:   Gem.e000b000
Hit any key to stop autoboot:  0

I'm using putty (serial mode) to tapping any key. This giving me access to uboot command line. Using uboot it is possible to read and write NAND memory without any limits.

here is uboot commands list:

Code: [Select]
zynq-uboot> help
?       - alias for 'help'
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bootvx  - Boot vxWorks from an ELF image
bootz   - boot Linux zImage image from memory
clk     - CLK sub-system
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dfu     - Device Firmware Upgrade
dhcp    - boot image via network using DHCP/TFTP protocol
echo    - echo args to console
editenv - edit environment variable
env     - environment handling commands
exit    - exit script
ext2load- load binary file from a Ext2 filesystem
ext2ls  - list files in a directory (default /)
ext4load- load binary file from a Ext4 filesystem
ext4ls  - list files in a directory (default /)
ext4write- create a file in the root directory
false   - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fatwrite- write file into a dos filesystem
fdt     - flattened device tree utility commands
fpga    - loadable FPGA image support
go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
icache  - enable or disable instruction cache
iminfo  - print header information for application image
imxtract- extract a part of a multi-image
itest   - return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loadx   - load binary file over serial line (xmodem mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mdio    - MDIO utility commands
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
showvar - print local hushshell variables
sleep   - delay execution for some time
source  - run script from memory
spl     - SPL configuration
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
thordown- TIZEN "THOR" downloader
true    - do nothing, successfully
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version

using it I've updated OS manually. All necessery comands and adresses for uboot are in sds1004x_e_udiskEnv.txt file from official siglent SDS1004X-E_OSV1_EN pack. All need to be done is putting files(uImage, devicetree.dtb, rootfs.cramfs) to USB drive, insert it to scope and  mount by command:

usb start

and then flash files to nand by:

Code: [Select]
if fatload usb 0 0x100000 uImage; then nand erase 0x780000 0x400000;nand write 0x100000 0x780000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi
if fatload usb 0 0x100000 devicetree.dtb; then nand erase 0xB80000 0x80000;nand write 0x100000 0xB80000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi
if fatload usb 0 0x100000 rootfs.cramfs; then nand erase 0x1600000 0x2800000;nand write 0x100000 0x1600000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi

I've done it, but my scope still can't start sds1000b.app
Probably the mess is somewhere else. Maybe flash of others files (firmdata0.img, siglent.img, datafs.img) from sds1004x_e_udiskEnv.txt would fix this problem but I don't have them.  Seems like this data are included in .ads firmware file. In my case I can't use .ads file before sds1000b.app starting.

In fact I have memdump.bin file with all data inside but I'm scare to erase all NAND content(including uboot) and then flash it because comparinng contents of dump with OS pack files I see some differences: e.g.
begining of uImage file should be on address 0x780000 regarding sds1004x_e_udiskEnv.txt but this content in dump file are started in two points: 0x2080000 and 0x6B7C000

devicetree.dtb:
sds1004x_e_udiskEnv.txt -> 0xB80000
memdump.bin -> 0x2000000 and 0x6AFC000

rootfs.cramfs:
sds1004x_e_udiskEnv.txt -> 0x1600000
memdump.bin -> 0xEA27000

I'm not sure is my logic correct?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2019, 12:45:30 pm
Probably the mess is somewhere else. Maybe flash of others files (firmdata0.img, siglent.img, datafs.img) from sds1004x_e_udiskEnv.txt would fix this problem but I don't have them.  Seems like this data are included in .ads firmware file. In my case I can't use .ads file before sds1000b.app starting.

Don't flash the whole NAND!

You've done a great job. Just continue with it, methodically.

Later today I'll decrypt those .ADS where you can extract the .img files. Then you can flash them individually.

Which was the FW version that you had in the scope?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 27, 2019, 01:22:16 pm
Thanks in advance. I have 6.1.25R2 now.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 27, 2019, 04:52:59 pm
tv84

it works:)

I found "siglent" backup folder and replaced files manually.
After this operation sds1000b.app got up. I updated to .33 version and did trick with language files names using putty serial(it works exactly like a root).
Now it's ok. Scope is fully unlocked with english language.

thanks for help. I hope our conversation can help others also. This serial access to root and uboot is pretty interesting. I'm wondering is this option also on others siglent devices.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2019, 07:00:19 pm
it works:)

What's the answer to this SCPI command?

MD5_PR?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 28, 2019, 03:35:00 pm
SDS1000X-E
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 28, 2019, 03:48:38 pm
So, can you simply update with the latest FW and it will stay in english? Or does it revert to chinese?

Besides the label on the scope box, where do you see the "X-C" reference? (in what screen/menu)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on September 28, 2019, 05:56:10 pm
No need to start over that theme.

You are absolutely right, there is no need to warm up old stories. To my excuse, I wasn't aware of them. Nonetheless, I am attaching the max. DFT's (direct 50 Ohm BNC-T terminated) of a 50-400MHz sweep from the VCO of a "Geekcreit® Spectrum Analyzer USB LTDZ 35-4400M" from Banggood - before and after the hack. Its an absolute Bobby Dazzler  ;D. A different can of worms seems to be the questions of what probes to use now. I know there is tons of material on the EEVBlog forums and comprehensive reviews, so I will find my way.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 29, 2019, 04:01:34 pm
After updating FW language is changing back to Chinese.

I see X-C label on scope info screen with versions.
Also *IND? command return X-C model name.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 29, 2019, 04:42:03 pm
Also *IND? command return X-C model name.

Try this command and report:

MD5_PR SDS1000X-E  (you have already told me this one outputs X-E...)

See what is the output of this one:

PROD?

Then do:

PROD SDS1000X-E (or similar)

Show these  ones:

LAGG?      
LANG?   
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on September 30, 2019, 01:17:09 pm
LANG is for scope
LAGG is for AWG
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on October 02, 2019, 07:55:48 am
I'm not sure that changing model name is possible by SCPI.

PROD?
PROD MODEL,SDS1000X-E,BAND,25MHZ

LAGG?
LAGG CH

LANG?
LANG SC
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on October 02, 2019, 09:53:09 am
I'm not sure that changing model name is possible by SCPI.

I do not believe so.

It is my recollection the scope calculates its "model" number based on the bandwidth, e.g. a SDS1104X-E with a 200 mhz bandwidth key will show up as a SDS1204X-E in the menus, etc.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on October 02, 2019, 10:10:06 am
I'm not sure that changing model name is possible by SCPI.

PROD?
PROD MODEL,SDS1000X-E,BAND,25MHZ

LAGG?
LAGG CH

LANG?
LANG SC

Just try:

LANG EN

I agree that we won't be able to change it with the PRODUCT MODEL as you show with the SCPI responses.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on October 08, 2019, 08:42:56 am
I've tried LANG EN, LANG ENG, LANG SE with not effect:(
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on October 08, 2019, 09:00:36 am
On the latest firmware, they hard coded the language text inside the scope application, with the help files just being a left over. I've not dug into it recently, but it could be as simple as patching the language tree in the application

Other places you can have a look

usr\bin\siglent\config\NSP_trends_config_info.xml
usr\bin\siglent\firmdata0\factory_settings.xml
usr\bin\siglent\usr\user_default_settings.xml
usr\bin\siglent\usr\config\NSP_usr_system_info.xml
usr\bin\siglent\usr\config\temp_settings.xml
usr\bin\siglent\usr\config\save_settings.xml

for the ones that use a numeric language, looks like "2" is english