EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: Fungus on August 31, 2018, 06:06:03 pm

Title: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on August 31, 2018, 06:06:03 pm
This is an unofficial guide on how to unlock 200Mhz bandwidth on SDS1104X-E oscilloscopes, effectively turning them into SDS1204X-Es.

The steps are: (courtesy of user SMB74 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1789175/#msg1789175))

Here was my process

1.) Format a USB flash drive to FAT32

2.) Load the flash drive with the SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18) by downloading it from the Siglent website (https://www.siglentamerica.com/download/6422/) and unzipping it onto the flashdrive.

3.) Once the file is loaded, install the firmware onto the oscilloscope by following the instructions in the PDF included in the firmware zip file.  Verify the correct firmware version is installed using the menus within the Utility button, and take note of the model number (should read SDS1104X-E)

4.) Once the firmware has been installed on the scope, reformat the flash drive to FAT32 and unzip the SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18) after downloading it from the Siglent website (https://www.siglentamerica.com/download/6158/).

5.) Install the software update onto the oscilloscope by following the instructions in the PDF included in the firmware zip file.  Reboot the scope and verify the correct software version is installed using the menus within the Utility button.

6.) Download the custom operating system file (https://www45.zippyshare.com/v/SEUJEWE1/file.html) that possesses the known telnet password.  Unzip it onto a USB drive and install it just as you installed the stock software file from the Siglent website.  NOTE: Some computers do not correctly load the software file onto the USB drive, thus preventing the scope from updating from the stock software to the custom software.  I have experienced this problem personally.  If this occurs, try loading it onto the USB from a different computer.  I had success using a Raspberry Pi to load the custom software onto the USB.

7.) After installing the custom software, plug the oscilloscope into your router with an ethernet cable, and telnet into the scope on port 23. MOst operating systems have a built-in telnet client, try opening a command shell and type "telnet". If that doesn't work then you may have to install a third party client like "PuTTY" (https://en.wikipedia.org/wiki/PuTTY).

User: root
Password: eevblog

8.) Once in the scope via telnet, execute the following commands:

mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
sync

9.) Reboot the scope (eg. by typing "shutdown -r now") and verify that the model number displayed in the Utility button menus has been updated to show an SDS1204X-E

Now the scope should have 200MHz bandwidth.

EDIT: Thanks ian.ameline for the link to a download source for the custom software. I have updated step 6 with this information.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: gedong on August 31, 2018, 06:13:41 pm
plus a video will be great.


start from here from what i observe.
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: BillB on August 31, 2018, 07:58:56 pm
Ian posted the most concise instructions for the bandwidth upgrade in that thread:

1. Update with the OS update with the known root password.

2. telnet to the scope, and log in as root.

3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak

4. Reboot

I don't think there has been a definitive consensus on unlocking the other options without option codes?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on August 31, 2018, 08:12:12 pm
plus a video will be great.


start from here from what i observe.
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)
Yep like that and similar for SSA too.(mentioned in SSA hack thread)
There are other/better ways too.  :-X
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on August 31, 2018, 08:36:53 pm
Ian posted the most concise instructions for the bandwidth upgrade in that thread:

1. Update with the OS update with the known root password.

a) Which you get.... where?
b) How do you install it?

2. telnet to the scope, and log in as root.

a) Telnet port #?

3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak

4. Reboot

Is that definitively all it takes? I've read a few places that there's some weird aliasing at high frequencies that isn't in the real 200Mhz version of the 'scope, that maybe something else needs tweaking.

To me it seems weird that you'd hide the bandwidth.txt file instead of modifying it (if I were a Siglent firmware writer I'd default to low bandwidth when the file is missing)

I don't think there has been a definitive consensus on unlocking the other options without option codes?

You mean the "software" part of the AWG, MSO and WiFi options?

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on August 31, 2018, 08:37:10 pm
Here was my process

1.) Format a USB flash drive to FAT32

2.) Load the flash drive with the SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18) by downloading it from the Siglent website (https://www.siglentamerica.com/download/6422/) and unzipping it onto the flashdrive.

3.) Once the file is loaded, install the firmware onto the oscilloscope by following the instructions in the PDF included in the firmware zip file.  Verify the correct firmware version is installed using the menus within the Utility button, and take note of the model number (should read SDS1104X-E)

4.) Once the firmware has been installed on the scope, reformat the flash drive to FAT32 and unzip the SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18) after downloading it from the Siglent website (https://www.siglentamerica.com/download/6158/).

5.) Install the software update onto the oscilloscope by following the instructions in the PDF included in the firmware zip file.  Reboot the scope and verify the correct software version is installed using the menus within the Utility button.

6.) Download the custom operating system file (https://www45.zippyshare.com/v/SEUJEWE1/file.html) that possesses the known telnet password.  Unzip it onto a USB drive and install it just as you installed the stock software file from the Siglent website.  NOTE: Some computers do not correctly load the software file onto the USB drive, thus preventing the scope from updating from the stock software to the custom software.  I have experienced this problem personally.  If this occurs, try loading it onto the USB from a different computer.  I had success using a Raspberry Pi to load the custom software onto the USB.

7.) After installing the custom software, plug the oscilloscope into your router with an ethernet cable, and telnet into the scope on port 23 using the known password.

8.) Once in the scope via telnet, execute the following commands:

mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak

9.) Reboot the scope, and verify that the model number displayed in the Utility button menus has been updated to show an SDS1204X-E

Now the scope should have 200MHz bandwidth.  I have verified that mine possesses this bandwidth using a very reliable, stable signal generator (Fluke 6061A)

EDIT: Thanks ian.ameline for the link to a download source for the custom software. I have updated step 6 with this information.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on August 31, 2018, 08:52:18 pm
The OS with the known password can be found here; https://www45.zippyshare.com/v/SEUJEWE1/file.html

The instructions above are accurate.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on August 31, 2018, 08:56:13 pm
Ian posted the most concise instructions for the bandwidth upgrade in that thread:

1. Update with the OS update with the known root password.

a) Which you get.... where?
b) How do you install it?

2. telnet to the scope, and log in as root.

a) Telnet port #?

3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak

4. Reboot

Is that definitively all it takes? I've read a few places that there's some weird aliasing at high frequencies that isn't in the real 200Mhz version of the 'scope, that maybe something else needs tweaking.

To me it seems weird that you'd hide the bandwidth.txt file instead of modifying it (if I were a Siglent firmware writer I'd default to low bandwidth when the file is missing)

I don't think there has been a definitive consensus on unlocking the other options without option codes?

You mean the "software" part of the AWG, MSO and WiFi options?

- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions

- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.

- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.

- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: PhilipPeake on August 31, 2018, 10:37:16 pm
Does this work for the SDS1102X ?
Presumably it would need different hacked software?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 07:30:41 am
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions

- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.

Nice attitude.

Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).

- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.

Nobody's doubting the bandwidth increases but some people claim to have noticed weird aliasing (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1624537/#msg1624537) or that the capacitors (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613386/#msg1613386) are different.

Those problems might be just the probes (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1619152/#msg1619152). It's reasonably well known that cheap-ass probes start to go to hell around 250MHz and one of the differences between the two models is that you get much better probes with the 200MHz version.

If it is the probes then a new set of probes should probably be thrown into the upgrade mix, that puts the price of the "hacked" version up by $100.

Food for thought, yes?

- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.

How do you explain the fact that the 'scope is only eight months old but you already need to download old firmwares to be able to do it, that newer firmwares don't work? What happens if Siglent decides to encrypt that file and make it default to 50Mhz when it's missing? It is *very* easy to make it much harder. :popcorn:

(and what happens when Siglent removes that old firmware from their web site?)

PS: Nowhere near as easy as a Rigol (neener neener).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 07:50:51 am
Quote
3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak

4. Reboot

Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
I'm, not at all linux expert (far away) so I can not my self think when it is important exactly and when not, so I use it nearly always. In some cases it is extremely important, in some cases perhaps not so important and always we can try walk with just trusting good luck.

3. Execute these commands:
   mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
   cd /usr/bin/siglent/firmdata0
   mv bandwidth.txt bandwidth.bak
   sync

4. Reboot

Perhaps some who really know could take position to this with reasoning.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 07:56:33 am
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.

Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.

(take note, ian.ameline).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 08:11:55 am
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.

Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.

(take note, ian.ameline).
Just because this bolded...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 08:33:40 am
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions

- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.

Nice attitude.

Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).


If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15.  L=23

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 08:52:35 am
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15.  L=23

I don't think "RTFM!" should be used in a "step by step" guide - this is the FM.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bugi on September 01, 2018, 10:35:47 am
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15.  L=23

I don't think "RTFM!" should be used in a "step by step" guide - this is the FM.
Yes, and if this FM would not mention port, then obviously, the less than experienced user would not write it in the command either, so the command ends up using the default port, which thus works. A more experienced user would already know that if the port is the default, it is typically left out from instructions, (and that if it is not default, it is shown). Thus, the earlier version without the port number was quite sufficient, and this nitpicking about port number is just that, useless nitpicking.

Otherwise  :-+, points for making the push to get those instructions done clearly in one place, instead of the typical spread of bits and pieces in here and there over 3 threads and 10 pages among all the other messages. Certainly makes it easier than before.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 11:14:56 am
Sometimes it is easy forget that not all peoples have used telnet at 80's ;)
So it is perhaps good to tell (but also most of good telnet client do it as default, as example many times recommended PuTTY or just plain  puttytel.exe (a Telnet-only client) )
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on September 01, 2018, 11:51:08 am
http://lmgtfy.com/?q=default+telnet+port (http://lmgtfy.com/?q=default+telnet+port)

If you're too lazy to use google, I really don't know how to respond. You may have chosen the wrong hobby if you expect someone else to do all the work for you.

There -- now my attitude is clear.


- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions

- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.

Nice attitude.

Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).

- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.

Nobody's doubting the bandwidth increases but some people claim to have noticed weird aliasing (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1624537/#msg1624537) or that the capacitors (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613386/#msg1613386) are different.

Those problems might be just the probes (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1619152/#msg1619152). It's reasonably well known that cheap-ass probes start to go to hell around 250MHz and one of the differences between the two models is that you get much better probes with the 200MHz version.

It it is the probes then a new set of probes should probably be thrown into the upgrade mix, that puts the price of the "hacked" version up by $100.

Food for thought, yes?

- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.

How do you explain the fact that the 'scope is only eight months old but you already need to download old firmwares to be able to do it, that newer firmwares don't work? What happens if Siglent decides to encrypt that file and make it default to 50Mhz when it's missing? It is *very* easy to make it much harder. :popcorn:

(and what happens when Siglent removes that old firmware from their web site?)

PS: Nowhere near as easy as a Rigol (neener neener).

What if purple monkeys fly out of my ass? What if, what if, what if.

You asked for the hack -- we gave it to you. Now you complain. Again, you probably should take up golf instead.

Cheers...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on September 01, 2018, 11:58:59 am
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.

Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.

(take note, ian.ameline).

Good point -- I tend to assume people around here who poke around with electrons aren't lazy idiots, and research perhaps even a little background knowledge before poking their meat-probes at things they may have little experience with -- clearly an unexamined assumption -- google must be too hard to use.

But in the case here, buffers are flushed pretty quickly -- you'd need to power cycle within milliseconds to have a problem, and even then, you'd have to get really unlucky (in a microsecond wide window) to get an inconsistent state in the flash. I doubt you could make it happen by trying.


Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 12:07:02 pm

http://lmgtfy.com/?q=default+telnet+port (http://lmgtfy.com/?q=default+telnet+port)

If you're too lazy to use google, I really don't know how to respond. You may have chosen the wrong hobby if you expect someone else to do all the work for you.

Um, the question was whether Siglent uses the standard port, not if I (or somebody who doesn't spend their lives using green-screen Linux) can google what the standard port is.

There -- now my attitude is clear.

Crystal.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 12:13:37 pm
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 01, 2018, 12:32:55 pm
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)

Why lazy people should be fed.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on September 01, 2018, 01:21:58 pm
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)

Let's just say that if you are a regular eevblog reader, you are typing the password every day.

As regards the concern that you are restricted to using the outdated firmware to perform the bandwidth upgrade, it is possible to modify any firmware revision yourself and insert your own custom password. You can follow the posts by janekivi & tv84 in the Siglent .ads file thread where the process is described in detail.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on September 01, 2018, 01:51:54 pm
As regards the concern that you are restricted to using the outdated firmware to perform the bandwidth upgrade, it is possible to modify any firmware revision yourself and insert your own custom password. You can follow the posts by janekivi & tv84 in the Siglent .ads file thread where the process is described in detail.

I'm more worried that in the future the 'scope might not default to 200Mhz when the bandwidth.txt file is missing.

(eg. it could just as easily default to 50MHz...  :popcorn: )
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 01, 2018, 02:40:43 pm
Although I disagree with the way the OP has been conducting this process, I would like to add my 2 cents to the benefit of the whole forum:

All must realize that the method described previously (removing the bandwidth.txt) triggers the activation of the PRO_MODE in the scope (which is the "Production Mode"). This mode enables all the Options and the BW to the max possible.

This mode can, in fact, be easily disabled in future FW versions and/or Siglent can change it to trigger the activation of the lowest BW instead of the highest. Maybe they use the highest precisely to evaluate the full potential of the equipment before leaving factory...

The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipments). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.

I leave a small "easter egg" attached that does the following:

Code: [Select]
sync
mount -o sync,rw,remount /usr/bin/siglent/firmdata0/
sync

mv /usr/bin/siglent/firmdata0/bandwidth.txt /usr/bin/siglent/firmdata0/bandwidth.bak

sync
mount -o sync,ro,remount /usr/bin/siglent/firmdata0/
sync

which means it replaces all the steps described previously in this thread without the need to change FS root password, etc.

Execute it as a normal update. It should be run after the scope is running and you should reboot after. For security reasons it won't overwrite any existing bandwidth.bak so that you can keep the original (in case people run it multiple times).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on September 01, 2018, 09:28:13 pm
This is an unofficial guide on how to unlock 200Mhz bandwidth on SDS1104X-E oscilloscopes, effectively turning them into SDS1204X-Es....................


Warning: The PP510 (https://store.siglentamerica.com/product/pp510-1000-mhz-oscilloscope-probe/) probes that are supplied with the SDS1104X-E are 100MHz probes. If you intend to make use of the 200Mhz bandwidth then you need to spend an extra $100 and get a set of real 200Mhz probes, eg. the PP215 (https://store.siglentamerica.com/product/pb215-150-mhz-oscilloscope-probe/) probes that are supplied with the SDS1204X-E.

If you don't do this then you won't have 200MHz bandwidth and you may get misleading readings on screen. You have been warned.
Scaremongering BS !  :bullshit:
Some ppls just don't/won't do their homework !  ::)
Or don't have a clue.  :-//

It is clearly seen PP510 and PP215 probe performance combined with scope performance is well within system specification !

(https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/?action=dlattach;attach=397963)

From this post:
https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665 (https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: janekivi on September 02, 2018, 08:06:02 am
Next question: When people say "the one with the known root password", what would that password be?

(I think we have to assume that not everybody will "know" it)
Then this not for those everybody.

"If you don't know the password, you are not qualified to hack your equipment!"
Password is our signature and made for us only. We don't speak about it loud everywhere.
You must be one of us. If you are, you have been here and you know things. If not...
you are not qualified to hack your equipment.
And even if strangers outside can use them, they can't spread them without our mark.

If this is too much asked and you just need all options and bandwidth, buy them!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bsas on September 24, 2018, 12:33:54 am
By the way, those "ZippyShare" links are not working at all for me (in my region). Don't know if I need VPN for this or not. If someone can provide me the file, I can try to put on another shared folder for plp with my issue... Thanks!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on September 27, 2018, 11:30:37 am
The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipments). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.

Okay, I'm attempting to follow this alternative path to unlock my brand new 1104X-E (delivered w/ 7.1.6.1.25R2) and I've encountered a problem/questions.

I loaded SS1004X-E_OSV1_EN_eevblog on a thumbdrive, and uploaded my scope.

I logged in via telnet, and executed the following:

cd /usr/bin/siglent/usr/mass_storage/U-disk0
cat /dev/mem > memdump.bin

this yields an error:

cat: read error: Bad address

the resulting file:

/usr/bin/siglent/usr/mass_storage/U-disk0 # ls -l memdump.bin
-rwxr-xr-x    1 root     root     251658240 Jan  1 00:22 memdump.bin

so I end up w/ a file 240MB in size (240*1024*1024)

yielding the question

(1) "is this expected?"  (e.g. both the error, and the resulting file size.)

If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and  b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So

(2) does anyone know what the license codes actually look like (e.g. should they be hexadecimal only? or can they include non-hex alphanumerics?)

(3) should I be attempting to enter the codes at this point, or should I be doing something else before I attempt it (e.g. perform a different update, etc.) and THEN try the codes?

Thanks,
Vin
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2018, 03:52:59 pm
1.  :-+

2. See my example.

3. Try codes.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on September 27, 2018, 05:48:49 pm
Of the 90+ sets of upper or lowercase characters/digits, only 6 appear to be random -- the remaining contain English words, which makes me believe they are part of the OS.

The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.

I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Taaning on September 27, 2018, 06:27:11 pm


If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and  b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So



Any chance you could share how you run the memdump.bin in the C# script?

Thank you :-)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2018, 08:09:02 pm
The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.

But they could be BW licenses... ;)

Quote
I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)

You're getting there! If you carefully RTFM it suggests:  "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halfs of 32-char size strings..."
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2018, 08:13:05 pm
Any chance you could share how you run the memdump.bin in the C# script?

 :wtf:  Have you even looked at the script?

byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Taaning on September 27, 2018, 08:20:33 pm
Any chance you could share how you run the memdump.bin in the C# script?

 :wtf:  Have you even looked at the script?

byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");

Of course I have looked at the the script :-) I am not a programmer apart from some arduino stuff. I am sorry.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on September 27, 2018, 09:00:39 pm
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:

Code: [Select]
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace TestApp
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");

            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
                for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                    if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
                         ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
                         buffer[i] != ('L' + l) &&
                         buffer[i] != ('O' + l))
                    {
                        if (strSize == 16)
                            Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                        strSize = 0;
                        strStart = i + 1;
                    }
                    else strSize++;
            Console.ReadKey();
        }
}

change hard-coded filename if you like, or, perhaps, modify code to use args[1] compile and run.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on September 27, 2018, 09:53:03 pm
If you carefully RTFM it suggests:  "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halfs of 32-char size strings..."

I did see this, but I'm having a difficult time grokking exactly what you mean.

Assuming I have the following:

0819ABBB     8ki7-axhk-yilk-bdgy
0819ABDB     8ki7-axhk-yilk-bdgy
0819ABFB     8ki7-axhk-yilk-bdgy

I interpreted the clause as meaning I should try "yilk-bggy-8ki7-axkh' in addition (which didn't work).

I also tried "axhk-yilk-bdgy-8ki7" and "bdgy-8ki7-axhk-yilk" without success.

Or, should I be trying all combinations, e.g. ki7a-..., i7ax..., 7axh..., shifting each character at a time, like a rotate w/ carry?

Is there an easier way to try license codes, other than keying them in though the intensity/adjust/select dial (e.g. through the telnet interface?)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Taaning on September 29, 2018, 01:27:50 pm
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:

Code: [Select]
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace TestApp
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");

            for (int j = 0, l = 0; j < 2; j++, l += 0x20)
                for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
                    if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
                         ((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
                         buffer[i] != ('L' + l) &&
                         buffer[i] != ('O' + l))
                    {
                        if (strSize == 16)
                            Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
                        strSize = 0;
                        strStart = i + 1;
                    }
                    else strSize++;
            Console.ReadKey();
        }
}

change hard-coded filename if you like, or, perhaps, modify code to use args[1] compile and run.

Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help  8)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on October 08, 2018, 01:41:12 am
Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help  8)

For some real fun, check out these GitHub repositories:

https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys


Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on October 08, 2018, 03:11:33 am
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)

Skill level: Easy/Moderate

Risk: Slim to none.

Assumptions: You know the root password to your scope.

Steps:

1. download full armv7l version of busybox which has core dump enabled.
    see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l

2. put version on thumb disk

3. reboot scope to known state

4. telnet to scope and log in as root

5. insert usb stick

6. copy busybox binary from usb to /tmp:
    cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp

7. unmount and remove usb
    umount /usr/bin/siglent/usr/mass_storage/U-disk0   
    (and then remove usb stick)

8. identify and kill existing sds1000b.app
    ps -ef | grep sds | awk  '{printf "kill -9 %s\n", $1}' | ash

9. change to /tmp directory:
    cd /tmp

10. launch new busybox ash shell
    /tmp/busybox_armv7l ash
   (when you press enter it looks like nothing happens, but something does)

11.  re-launch scope app in new busybox environment in background
      /usr/bin/siglent/sds1000b.app &

12. increase core dump ulimit to unlimited:
      ulimit -c unlimited
you can verify new limit by typing
      ulimit -c
and you should get a response "unlimited"

12. kill scope app again, telling OS to create a core dump of the app:
      ps -ef | grep sds | awk  '{printf "kill -ABRT %s\n", $1}' | ash

13. wait a few seconds, and press enter once or twice. you should see:
[1]+  Aborted (core dumped)      /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3

14. verify core dump is in /tmp:
      ls /tmp/core*
you should see something like this:
-rw-------    1 root     root     377511936 Jan  1 00:14 /tmp/core
if not, you did something wrong, go to step #3

15. exit out of usb version of busybox shell
     exit
(it will look like nothing happens when you press enter, but, something does)

16. re-launch Siglent scope application. See Step #11

17. insert usb drive

18. copy core dump to thumb drive
     cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, its a big file)

19. unmount usb stick and remove (see step #7)

20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.

21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.

22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings. These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.

23. You can license a different bandwidth by typing MCBD (license key)  at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.

24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.

25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.

26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.

27. Write keys down in a safe place so you do not lose them again.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bitseeker on October 08, 2018, 03:42:05 am
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course).

...

27. Write keys down in a safe place so you do not lose them again.

I promise I won't lose my keys again. ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: nicolasg on November 13, 2018, 09:46:31 pm
Thanks for all the info posted here and in the firmware thread. The sample code really helped show me where in the memory dump to look for things and how they are stored. I can see patterns related to the restored keys location and surrounding data, hoping to make sense of it and then make the key backup better/easier.

Some tips...
1) A simple memdump is all you need to grab for trying to backup your keys. (In my case I didnt have to do a coredump)
2) The FindKeys/TryKeys code works very well.
3) Backup the whole "siglent" folder to your USB stick just in case.


I got sidetracked and started digging into the firmware files.
The webserver is very interesting, its lighthttpd with php 5.
They made a custom c module (.so) to handle communicating between the web front end and the hardware. AJAX scpi commands + more is possible.
Did you know, to change from english to chinese they do a file copy/move of php files around ? interesting.
The visual is via a custom/modified VNC server with websockets support. On the client its using the noVNC library, which for some reason has a quicker refresh rate and much faster updates than a real vnc client.


Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bugmenot on November 18, 2018, 07:47:23 am
I posted this in the general SDS1104/1204X-E thread, but was directed here. If you have a memory dump from their SDS1000X-E and want to parse it for keys, the Python function to do it. It works with all dumps from my oscilloscope (1104X-E), but I only have the one. It'd be great to hear if it works for others.

Code: [Select]
import re
import string

def getkeys(scopeid, serialno, memdumpfile):
    """
    Parse a memory dump from a Siglent 1000X-E oscilloscope and return a dict containing
    license keys for bandwidths and options. The 'activebw' key is the one that is currently
    active in the 'scope (e.g. if the value of '100M' is the same as the value of 'activebw',
    the oscilloscope is software locked to 100 MHz bandwidth)
    """
    if len(scopeid) == 16 and set(scopeid) <= set(string.hexdigits):
        scopeid = scopeid.lower().encode('utf-8')
    else:
        raise ValueError('Scope ID must be 16 hexadecimal characters (remove dashes).')
   
    if len(serialno) == 14 and set(serialno) <= set(string.ascii_letters + string.digits):
        serialno = serialno.upper().encode('utf-8')
    else:
        raise ValueError('Serial number must be 14 alphanumeric characters.')

    f = open(memdumpfile, 'rb')
    data = f.read()
    f.close()

    regex_bw = re.compile(scopeid + b'.*?'+ scopeid + b'.*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16})', re.DOTALL)
    regex_opt = re.compile(serialno + b'.*?' + serialno + b'.*?([0-9A-Z]{48})', re.DOTALL)
   
    key_bw = list([n.decode('utf-8') for n in re.findall(regex_bw, data)[0]])
    key_opt = re.findall('.{16}', re.findall(regex_opt, data)[0].decode('utf-8'))
   
    keys = {}
    key_labels = ('100M', '200M', '50M', '70M', 'activebw', 'awg', 'wifi', 'mso')
    keys.update(zip(key_labels, key_bw + key_opt))

    return(keys)

As nicolasg posted, a simple cat /dev/mem worked well for me - I didn't need to trigger a core dump.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: jacknife on November 25, 2018, 04:34:32 am
Hello, i have a simple question last month i've updated to SDS1004X-E Firmware (4-Channel Model)- 6.1.26 (Release Date 09.26.18 ) do I have to downgrade to 6.1.25R2 before the unlock ?

thanks !  ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on November 25, 2018, 07:17:39 am
Thanks for this guys, VT100s guide has a few typos, but worked well.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on November 25, 2018, 10:08:52 am
Hello, i have a simple question last month i've updated to SDS1004X-E Firmware (4-Channel Model)- 6.1.26 (Release Date 09.26.18 ) do I have to downgrade to 6.1.25R2 before the unlock ?

thanks !  ;D

No.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on November 25, 2018, 06:03:39 pm
Thanks for this guys, VT100s guide has a few typos, but worked well.

if you email me the typos I can update so things are correct. sometimes my brain and hands work at different speeds so what I am thinking and what comes out on the screen are two different things.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on December 06, 2018, 04:48:55 am
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)

Skill level: Easy/Moderate

Risk: Slim to none.

Assumptions: You know the root password to your scope.

Steps:

1. download full armv7l version of busybox which has core dump enabled.
    see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l

2. put version on thumb disk

3. reboot scope to known state

4. telnet to scope and log in as root

5. insert usb stick

6. copy busybox binary from usb to /tmp:
    cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp

7. unmount and remove usb
    umount /usr/bin/siglent/usr/mass_storage/U-disk0   
    (and then remove usb stick)

8. identify and kill existing sds1000b.app
    ps -ef | grep sds | awk  '{printf "kill -9 %s\n", $1}' | ash

9. change to /tmp directory:
    cd /tmp

10. launch new busybox ash shell
    /tmp/busybox_armv7l ash
   (when you press enter it looks like nothing happens, but something does)

11.  re-launch scope app in new busybox environment in background
      /usr/bin/siglent/sds1000b.app &

12. increase core dump ulimit to unlimited:
      ulimit -c unlimited
you can verify new limit by typing
      ulimit -c
and you should get a response "unlimited"

12. kill scope app again, telling OS to create a core dump of the app:
      ps -ef | grep sds | awk  '{printf "kill -ABRT %s\n", $1}' | ash

13. wait a few seconds, and press enter once or twice. you should see:
[1]+  Aborted (core dumped)      /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3

14. verify core dump is in /tmp:
      ls /tmp/core*
you should see something like this:
-rw-------    1 root     root     377511936 Jan  1 00:14 /tmp/core
if not, you did something wrong, go to step #3

15. exit out of usb version of busybox shell
     exit
(it will look like nothing happens when you press enter, but, something does)

16. re-launch Siglent scope application. See Step #11

17. insert usb drive

18. copy core dump to thumb drive
     cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, its a big file)

19. unmount usb stick and remove (see step #7)

20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.

21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.

22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings. These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.

23. You can license a different bandwidth by typing MCBD (license key)  at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.

24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.

25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.

26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.

27. Write keys down in a safe place so you do not lose them again.


So it looks like the coredump utility of the ARM7L busybox file you linked us has not been enabled (at least according to the log file on that website).  Does anyone have a compiled version of busybox with coredump enabled?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 06, 2018, 10:40:30 am
The linked version did dump for me, I just had to kill it 3 times, third time worked.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on December 06, 2018, 02:43:25 pm
Which kill worked the third time? The first process kill or the second one after BusyBox was running? What was the procedure that worked for you?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: jgreco on December 06, 2018, 04:03:33 pm

For some real fun, check out these GitHub repositories:

https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys


Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)

This is almost awesome and almost worked swimmingly well.

The Tek 475 here decided to go traceless.  I'd been sorely tempted by the low end Rigol for the last few years, but the Siglent at 200MHz with four channels felt like a more compelling addition.  Don't need the 200MHz, don't actually need any of the other features either, don't even use a scope often anymore, but it's always fun to hack, and being able to log in to your devices to poke around is fun.  Aside from not immediately figuring out that the unit came with DHCP disabled, all of that went very well and I had the eevblog-modified OS loaded and running without much ado.

However, when I got to the github projects above, my code development environment is much closer to working on a VT100 than it is a PC with an IDE.  There was a little irony that a user with a handle of VT100 posted a bunch of Microsoft-dependent stuff.  I didn't have Visual Studio loaded anywhere, and how to use it wasn't entirely clear to me, as my development environment is usually just vi, cc, make, and the rest of the UNIX stack.  I figure if someone who's written tons of C had issues figuring this out, maybe non-developers or other old UNIX farts might have trouble too.  If this turns out to be helpful to someone, here's a few notes, hard won through about eight hours of persistence and one trashed VM, hopefully a clue or two for anyone similarly clueless-ish about Visual Studio:

Visual Studio is huge.  It almost overflowed my 50GB Windows lab VM's.  I installed Visual Studio Community 2017 with the Visual Studio Installer downloaded from Microsoft.  Under "Workloads" I had it install .NET Desktop Development, Desktop development with C++, and .NET Core cross platform development.  I also selected "NuGet targets and build tasks" under "Installation details" the second time around, because something went tragically wrong with my first VM, and NuGet wasn't working correctly.  Some of these selections are needlessly sloppy, I'm sure.

Once in Visual Studio 2017, I went to "File -> Open -> Open from Source Control", plugged in the FindKeys github URL, and it picked it up, bringing up a "Solution Explorer" window.  After spending some time looking around and wondering where a "build" button or key was, I opened "Program.cs" in the editor to look at it and suddenly "Build" became available in the menu bar.  Yay for obtuseness.  It built the FindKeys.dll just fine, depositing it in C:\Users\username\source\repos\FindKeys\bin\Debug\netcoreapp2.1, so I just moved the memory dump bin file to that directory and ran it there, and it worked.

At this point, things went off the rails unrecoverably on the first VM.  I tried to do the same process for TryKeys and it went seriously sideways.  It needed a package called "LiteGuard" and I couldn't figure out how to install it.  For whatever reason, NuGet was broken and unusable in the first VM.  Being unfamiliar with the tool and thinking myself just too dumb for modern tools, I wasted several hours stuck trying to remediate that.  Install-Package simply wasn't there or was broken or something.  So I switched to a different lab VM, installed Visual Studio again, and went to do TryKeys again.

This bombed as the build still needed "LiteGuard".  Trying to install that, it refused.  It really wanted a project name.  So I knew I wasn't really doing this correctly, but I didn't really care, so I exited out of VS to dump the mess, launched VS again, did "New -> Project from Existing Code", specified "Visual C#", pointed the dir at C:\Users\username\source\repos\TryKeys, and named it "TryKeys".  Then I was finally able to successfully go to "Tools -> NuGet Package Manager -> Package Manager Console" and entered

PM> Install-Package LiteGuard -Project TryKeys

It still presented an error but it seemed to complete, so I again opened Program.cs, ran "Build", and it built, and ran great.

Y'all are welcome to explain in excruciating detail how I made this more complicated than needed or went about it entirely the wrong way.  :-)  I just felt it would be a shame if the effort put into these two fine Siglent tools was not accessible to someone without any coding experience.  Thanks for the tools.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 06, 2018, 07:23:31 pm
My process was get to the point where you kill the application, step 12, then fire up the process again, step 11, then using "PS -A" to find its new PID, and "kill -ABRT <PID>" It was my third loop of starting and killing it that got me a core dump.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on December 07, 2018, 12:55:40 am
There was a little irony that a user with a handle of VT100 posted a bunch of Microsoft-dependent stuff.

I wanted to learn .netcore and this was my first .net core application.

Quote
Visual Studio is huge.  It almost overflowed my 50GB Windows lab VM's.

if someone makes a pre-compiled version available then you could get away with installing the .dot core runtime, which is significantly smaller, and would run on linux.  .dotcore apps will compile and run on linux, allegedly.

Quote
It needed a package called "LiteGuard" and I couldn't figure out how to install it.

I have absolutely no idea what LiteGuard is. It wasn't a nuget package I used, but it does show up in project.assets.json now that I look. Perhaps it was a dependency of another nuget package I used in TryKeys which I didn't use in FindKeys -- e.g. the telnet library, for instance.

It was my third loop of starting and killing it that got me a core dump.

Strange thing is, I get a core dump each and every time, on the first try. I have no explanation as to why others have problems getting a core dump. Maybe I'm lucky.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: plurn on December 15, 2018, 06:15:40 am
I think I found an easier way to get the mem dump. I did this without needing to set a known root password.

I did this with a stock standard unhacked new SDS1104X-E software version 8.1.6.1.26. Some notes:

Insert a USB thumb drive formatted appropriately for the SDS1104X-E
Using the SCPI control of the web interface, put the following command (or similar depending on what filename you want):

SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

Wait a minute or more for it to complete - it needs to copy a 256 megabyte file

cleanly shutdown the SDS1104X-E (with the power button on the front)

You can now move the USB thumb drive to a pc. There should be a memdump.bin file on there. You can follow other people already mentioned processes to extract keys from this. I used vt100's instructions from step 20 onwards here: https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1877477/#msg1877477 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1877477/#msg1877477)   Thanks vt100. I used the free "Hex Fiend" on macos as the Hex editor but I expect any would do.

Thanks to Rerouter for letting me know about the "SHELLCMD" SCPI command https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2041069/#msg2041069 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2041069/#msg2041069).

Also thanks to everyone who provided procedures for extracting keys.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 15, 2018, 06:38:38 am
I should point out the memdump is slightly different to the core dump.

the core dump has the licenses loaded in somehow, (havent actually looked into it). while the memdump is just the application file.
so you cannot unlock at present with just the system file.

The other issue is if you tried to get a core dump, well the web interface is run by the system app, so once it crashes, the interface locks up.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: plurn on December 15, 2018, 06:47:39 am
I should point out the memdump is slightly different to the core dump.

the core dump has the licenses loaded in somehow, (havent actually looked into it). while the memdump is just the application file.
so you cannot unlock at present with just the system file.

The other issue is if you tried to get a core dump, well the web interface is run by the system app, so once it crashes, the interface locks up.

With the file produced by the "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" command, I believe I found all the keys. I think /dev/mem includes all memory - not just the memory from an application core dump. I only tested the bandwidth key as I don't have a need for the other ones. Bandwidth key worked for me.


Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on December 15, 2018, 08:47:38 am
Coredump provides a continuous mem image.

/dev/mem provides a fragmented memory image (in blocks of 4kB or something), with "random" order. For me it's random, if anyone can explain the logic it would be GREAT!

They are not the same and that's why some manipulations need to be done in /dev/mem.

BUT, both ways provide the needed licenses.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 15, 2018, 08:55:34 am
well if you wanted to play it that way, there are very few strings that are only capitalized alphanumeric, at least 16 characters long and contain no symbols, so on that basis you may be able to filter down memory images to only relevant ASCII formatted strings,
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: bugi on December 15, 2018, 11:11:39 am
/dev/mem provides a fragmented memory image (in blocks of 4kB or something), with "random" order. For me it's random, if anyone can explain the logic it would be GREAT!
I'm no kernel expert, but at least on "bigger CPUs" most kernels these days do some kind of memory space randomization (which is probably "corrected" in the page tables inside CPU) for security reasons. Malware have harder time looking for data or injecting code, since the desired locations are randomly somewhere... (That description is probably too simple, slightly misunderstood by me, etc. but... might explain the random order in the /dev/mem.  Something like this: https://en.wikipedia.org/wiki/Address_space_layout_randomization)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on December 15, 2018, 12:46:36 pm
I spent quite a bit of time on this, with tv84's guidance, so let me state the following.

cat /dev/mem will give you a memory dump of the scope's entire memory. That memory is managed by the operating system kernel, and is broken up into 4k chunks, aka "pages". The kernel memory manager allots those pages to each process, using a process only someone intimately family with the kernel would be able to explain. Suffice to say, for our purposes, we can assume that any given process running on the scope will be assigned memory pages in a completely random order, even though to the process itself they may appear to be contiguous, they really are not, as the kernel is actually managing the allotment of and access to memory.

(if someone intimately family with the kernel memory management process can tell me where in a memory dump the paging table is located, and how to extract information from it in order to "reorganize" the memory pages for a given process into a single contiguous chunk, feel free to email me, I always enjoy a good intellectual exercise in programming.)

In order to retrieve your license keys from a memory dump, you need to utilize the process (either automatically or manually) captured in the "FindKeys" and "TryKeys" .net Core applications posted on GitHub. The reason being the memory keys will more than likely be "fragmented" into multiple 4k pages of memory. You may have 1/2 of a key at the end of one 4k memory page, and the remainder of the key at the start of another 4k memory page (I personally observe this w/ my own scope and was taking screen shots of a winhex display of the memory dump when I was going back and forth with tv84). And, those key fragments may be located megabytes apart in the file, with the 2nd half actually being 'first' in the file and the 1st half of the key being towards the end of the file.

So what FindKeys does is it examines the memory dump and identifies strings which may possibly be part of a license key. When it identifies a partial candidate, it will combine that partial candidate with other partial candidates to create one or more candidates to try  (e.g. given the program finds one 8-character string A and another 8 character string B, it will create two candidates, AB and BA, to try.  Trykeys takes the file of potential keys and tries to implement them.

A core dump, however, is a contiguous snapshot of a processes' memory. When the core dump is created, the memory pages assigned to the scope process are all arranged in the correct order by the kernel. The process of creating a core dump is handled at the OS level thus the OS can organize the memory pages into the correct order as they are written to a core dump file. Thus with a core dump, the keys will be contiguous as they are represented in their actual underlying class structures and are easily discoverable using the 'shortcut' of using a hex editor to search for your serial # or scope Id.

Whenever possible, I encourage people to use the core dump method, it is cleaner and faster. However, understandably some folks have a problem getting a core dump (I cannot replicate this issue on my scope, each and every time I follow the posted 'process' in the previous post, I get a core dump, so I have no idea what makes my scope different from someone else's). For those who cannot get a core dump, then the memory dump/findkeys/trykeys route is their only option to recover the license keys they previously paid for and accidentally lost the paperwork on.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rhb on December 15, 2018, 11:59:58 pm
SIGABRT and SIGSEGV should produce a core dump, but Linux has the ability to prevent that via compile time options as well as other means I've not been able to sort out.  There is a core_dump_filter in /proc/<pid>, but I don't know any of the details.  I use Solaris like God intended whenever possible.

My use of Linux is like my use of Windows, it is only done under coercion.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: jazper on December 18, 2018, 07:23:41 am
My method was slightly different:

1. dump memory to fat32 formatted USB through web interface on 1104x-e - wait 1minute after performing this, then shut down the scope before doing anything else.
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

2. Compile find keys using Visual studio - https://github.com/Siglent/FindKeys

3. Run find keys on PC on the the memory dump - note you need to edit the config json.

4. Flash custom firmware with known telnet/root password ( https://www45.zippyshare.com/v/SEUJEWE1/file.html) - Follow instructions in pdf in the file. (note flash drive needs to be either 8gb or 32gb) - I tried to find a way to not do this, but it's the easiest way of getting root access.

5. Set up network on SDS1104x-e

6. Compile trykeys ( https://github.com/Siglent/TryKeys )

7. Use trykeys on a PC on the same network using the key file from findkeys, wait for reboot on 1104 - save the keys that are found - Note you need to edit the config json within findkeys

8. Update firmware to latest firmware from siglent
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on December 18, 2018, 10:42:25 pm
I think I found an easier way to get the mem dump. I did this without needing to set a known root password.
...
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin

that worked for me as well (options and BW), tested with unhacked new SDS1204X-E software version 8.1.6.1.26
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: photomankc on December 19, 2018, 03:02:33 pm
Now we are talking.  I'd much rather avoid tinkering around with modded firmware.  I'll give this method a try.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: MartyMacGyver on December 25, 2018, 09:03:28 am
My SDS1104X-E arrived today with 7.1.6.1.25R2 (stock) on it.

After some fun (creating a wireless client bridge to get wired LAN handy, and using Ubuntu in a VM to format the flash drive for the Unixy flash boots) I was able to log in, run the commands, and rebooted.

At that point my model number went from SDS1104X-E to SDS1204X-E.  :-+

(Note to others: For the "OSV" updates, if you try to format the USB from Windows (certainly 10, maybe earlier ones) you'll likely have an annoying time of it. Bite the bullet and format and extract from Linux.) The only clue you'll have that it's working is it takes a bit longer to boot up, and the telnet password ends up working. If you're already on 7.1.6.1.25R2 like I was I'm almost certain the stock "SDS1004X-E_OSV1_EN-1.zip" step is not necessary, just the modified one.

I then grabbed the "SDS1004X-E_6.1.26_EN.zip" update and installed that. The model number is still 1204, and the firmware is now 7.1.6.1.26. I can still log in via telnet so all this suggests the unlock and mod worked.

One question though... I see mention of "8.1.6.1.26" in the thread here: is that some entirely different firmware, a typo, or what? Am I (at the moment) on the latest and greatest with 7.1.6.1.26?

Edit: One other bit of advice - if using a VM to format disks and such and you have problems with new DHCP addresses (as I just did with the SDG2042X I'm fiddling with now) be sure to shut down that VM to rule it out - in my case it made it impossible to route to the new device under test!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on December 25, 2018, 09:15:07 pm
One question though... I see mention of "8.1.6.1.26" in the thread here: is that some entirely different firmware, a typo, or what? Am I (at the moment) on the latest and greatest with 7.1.6.1.26?

i made dump of my dso (8.1.6.1.26), haven't found any binary differences to OS update file (7.1.x.xx) nor to latest available firmware.
Sure there might be still something different in mtd7 or mtd8, but due to lack of dump from 7.1 i can't compare, but probably there is no diff a well.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 25, 2018, 09:50:01 pm
8. And 7. Are the exact same. Just a rename.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on December 27, 2018, 02:18:48 am
I found a much easier way to root the scope.

After mounting the cramfs  from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox.  And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.

tl;dr:

Go to the SCPI web interface and send:

SHELLCMD telnetd -l/bin/sh -p9999

Then, use your favorite Telnet client to attach to port 9999.  You are in -- no password challenge.

Edit:  Did I note that one does this with stock firmware?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 27, 2018, 02:33:29 am
All the fun new things that turn up from a little digging :)

Great work ewaller

On the not so stock side, Getting the hang of patching out most of the typos in the scope software,
Main pain is the HISTORY_LIST query, they pointed command and query to the same string so having to shuffle stuff around to fit a new string.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on December 27, 2018, 06:02:37 pm
I found a much easier way to root the scope.

After mounting the cramfs  from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox.  And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.

tl;dr:

Go to the SCPI web interface and send:

SHELLCMD telnetd -l/bin/sh -p9999

Then, use your favorite Telnet client to attach to port 9999.  You are in -- no password challenge.

Edit:  Did I note that one does this with stock firmware?

Do you think it is then possible to change the default root password?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on December 27, 2018, 06:22:43 pm

Do you think it is then possible to change the default root password?
Not from that shell.  The /etc/shadow file that contains the password hash is in a cramfs (Cram File System https://en.wikipedia.org/wiki/Cramfs ) which is inherently read only.  The solution that has been used to date involves updating the system with a rebuilt cramfs with a /etc/shadow file that has the new password hash in it; then that file system -- in it entirety -- is uploaded to the scope at boot time.

Part of my motivation was was to find a way to root the system when running stock firmware; and the nice part is that it requires no password.  With this, I think it will be possible to run code from a USB drive that has been cross compiled for ARM.  There may be issues find finding dynamically linked libraries, and the USB drives may be mounted with the noexec flag (meaning the OS will refuse to run code from the device).  I forgot to check that last night in my exploration :)  I'll look tonight.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on December 27, 2018, 07:05:41 pm
I'm guessing the SCPI SHELLCMD functionality will either be PDSH'd, or removed completely, in an upcoming firmware release  ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: plurn on December 28, 2018, 02:00:07 am
I found a much easier way to root the scope.

After mounting the cramfs  from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox.  And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.

tl;dr:

Go to the SCPI web interface and send:

SHELLCMD telnetd -l/bin/sh -p9999

Then, use your favorite Telnet client to attach to port 9999.  You are in -- no password challenge.

Edit:  Did I note that one does this with stock firmware?

That is awesome - works perfectly. Thank you.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 28, 2018, 08:08:33 am
I should also point out, most of the recent methods listed here should work just fine for a number of BK precision scopes. :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: t1d on December 28, 2018, 06:42:15 pm
I found a much easier way to root the scope.

After mounting the cramfs  from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox.  And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.

tl;dr:

Go to the SCPI web interface and send:

SHELLCMD telnetd -l/bin/sh -p9999

Then, use your favorite Telnet client to attach to port 9999.  You are in -- no password challenge.

Edit:  Did I note that one does this with stock firmware?
Hi, everyone. I have this scope on order and it should be here in a few days.

I very much appreciate the graciousness, expertise and effort that it took each and every participant to develop this thread. Thank you!

I am considering this upgrade, but its means is completely outside my knowledge base. I see that the steps are summarized, in the first post, but I have questions about how this post relates to the first.
- Is Ewaller's method the complete protocol, or only a portion of it?
- If it is complete in itself, Ewaller, please write a start to finish tutorial using it, for us noobs. Post #68 is still above my pay grade.
- If it is only a portion and it being easier, has it been incorporated into Post #1? If not, please do so.

Thank you for your help and kindness. I am sure I will have lots more questions.

PS: My current OS is Windows 8.1. I expect to buy a new laptop, soon. It will, likely, have Windows 10/Home.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 28, 2018, 08:08:19 pm
 His method gets you root access to do just about anything you want on the scope without changing from stock,

Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,

If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.

The telnet access is more if you want to fiddle with the scope
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: t1d on December 28, 2018, 11:18:04 pm
His method gets you root access to do just about anything you want on the scope without changing from stock,

Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,

If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.

The telnet access is more if you want to fiddle with the scope
Thank you, Rerouter.

I understand a little of this, but....

Is it that Post #1 gets you the 200MHz and nothing else? Or the options, too?

Is it that with the Ewaller method you could access the entire firmware and, given that you wrote code, you could modify it?

I just want the greater bandwidth and to use the pay-to-play options (with non-Siglent devices, like my own function generator, WiFi dongle, etc.)

I appreciate your help.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 28, 2018, 11:29:49 pm
the memdump method will get you a file that has all the option and bandwidth codes, just takes some digging with a hex editor.

Working with your own wifi dongle is harder to say. at this point it only has a driver for the MT7601 dongle, If your familiar enough with linux drivers you can probably try and make another work via patching, but doubtful out of the box.

With your own signal generator is equally a little difficult, If you want to use the bode plot mode then you need to use similar to an earlier thread where a Python application on another PC pretended to be a networked signal gen and translated the commands, There may be a way to patch in other devices, but I have not gone digging deep enough, I defiantly know where all the bode plot strings are located, but not sure if its just a straight patch or if it needs to be broken into elsewhere,

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: t1d on December 29, 2018, 12:52:33 am
Thanks, Rerouter. Much appreciated.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on December 29, 2018, 04:08:45 am
If you have used up all of your trial runs for MSO, WIFI or AWG; and you have not purchased your licence keys, you may be able to reset the number of trial runs by sending the following through the web interface SCPI mechanism (here I set the number to 99)

SHELLCMD echo -n 99 > /usr/bin/siglent/usr/usr/options_awg_times.txt

Replace the awg with wifi or mso  as appropriate.  change 99 to the number of demo runs you desire.
These files have  exactly two characters in them with no n/l or l/f, hence the -n option on echo.  99 may, or may not be a maxima -- again, these files have exactly two characters in them.

Note, I cannot actually test this through the GUI any more as my options are all permanent, but I am fairly certain this will work for those of you who need a couple more demo runs to decide.  I can see that the contents of these files do change the way I expect. Please let me know.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: not1xor1 on December 30, 2018, 08:50:47 am
Hi,

I do not know if it is OK to ask here of if I should start a new thread...

as I'm taking into account to buy a second hand SD1104X-E I'd like to know if any of you is aware of any hardware revision during the last year.

thanks
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on December 30, 2018, 08:52:02 am
yep, 04 as of the last month, no significant changes to functionality has been observed.

03 I can only speak of back to mid july, when my unit was made. it appears the FPGA code was compiled for 03 on the 7th of march 2018, so 02 likely was from before this date.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: gamerpaddy on December 30, 2018, 05:46:18 pm
Hello, i applied this Unlock (ProMode) to my 1104x-e, works great (havent tested the extra features)
But i noticed a bug(?)

I did some decoding a month ago, then i turned it off, unplugged the scope and put it on a shelf.
A month later i plugged it back in, booted it up.  it was dead slow.  time between action and reaction was like a minute. totally locked up
even after reboot.

Only fix was to hit the default button.

Did anyone notice this without the hack applied?  Could it be the Production Mode im in?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: booyeah on December 30, 2018, 09:27:14 pm
I followed plurns and vt100's posts as regards dumping memory to a usb and then looking through the dump in a hex editor.

Worked perfectly to recover all the codes.
Thanks a million.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: essele on January 04, 2019, 08:19:11 am
I received my scope last night, and managed to get everything sorted nicely, however there were a few things that weren't quite as some other people seem to have found them, it was already running the latest firmware (6.1.26), not sure if that's the reason.

1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)
2. The core dump didn't contain the required information, it was only about 200meg, so quite a bit smaller than other examples shown here (and smaller than the 250meg memory dump.)
3. Restarting the sds1000b process didn't work properly, a few errors and the scope was unusable, so I suspect this is the reason it didn't contain the right data.

So I resorted to a much simpler way as described by some other posters...

1. Use "SHELLCMD telnetd -l/bin/sh -p9999" to start an unauthenticated telnet server.
2. Connect to the scope using "telnet <ipaddress> 9999"
3. Insert a USB stick
4. Dump memory to the stick using "cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"
5. Pull the stick (I ran "sync" first, but I'm a legacy unix guy, need to see if that's really necessary), otherwise cleanly unmounting would be better.
5. Use a hex editor to find the keys as per post 39, from about step 20 onwards ... which worked perfectly, no obvious issues with the page ordering making it difficult to find things.)

It took about 10 mins start to finish once I'd decided to go the /dev/mem route.

You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

What a nice scope ... this was an upgrade for me from a DS1052E, so it's fantastic! Thanks to all for providing this info!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on January 04, 2019, 02:03:04 pm
1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)

a core dump is substantially smaller than an entire memory dump. With the core dump you're only going to get the memory associated with the running task, compared the memdump, where you'll get all the scope's memory.

Its curious you didn't find the keys in the core dump.... the only thing I can think of, is, perhaps, you took the core dump prior to the sds1000b process creating the keys within its memory pages (there is logic in the scope app to generate the keys using the scopeid and serial # to check against the licensed options, they are not hard-coded in the scope app) so if you took a core dump prior to that routine executing (and at what point it runs, who knows). I'd be interested in taking a look at the core dump if you'd be willing to share it.

Quote
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

These methods will continue to work until Siglent  pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rhb on January 04, 2019, 02:51:49 pm

Quote
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.

These methods will continue to work until Siglent  pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.

time(1) will tell you when the cat completes.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 18, 2019, 11:48:02 pm
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 19, 2019, 12:25:30 am
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
You can see here how the 100 MHz roll off is much improved after improving to the 200 MHz model:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374)

There's some further supporting info in subsequent posts.
Also have a hunt through rf-loop's posts, he's switched his SDS1104X-E back and forth.
I've never hacked one but the info here is entirely convincing that it is a valid upgrade.  ;)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Dundarave on January 19, 2019, 09:19:38 pm
I wanted to thank all the contributors for all the various unlocking instructions, especially VT100 whose instructions I was following per post #39 for the keys to my options upgrade.  It's nice to have a fully upgraded scope, at just the right price. ;D

However, I have a question that I hope someone can clear up:

I first updated the bandwidth via the rooted OS & bandwidth.txt -> bandwidth.bak method, as that felt the most comfortable to me at the time.  With that success, I started to feel more confident (or cocky, I suppose, lol) and thought I would then use the mem dump method to find the keys for the options, which I then also successfully updated.

So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".

In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)

I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M. 

I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file?  If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be? 

I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.

I've attached a shot of the relevant part of the mem dump for the bandwidth keys.

Thanks again! :-+
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on January 19, 2019, 09:32:06 pm
Run the command. When a valid bandwith or option code is entered. The scope saves a bandwidth.txt or option.txt. so if your not seeing one yet it may change with later updates.

This would also explain why your not seeing the current code. It reads it from that txt file.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Dundarave on January 19, 2019, 10:18:11 pm
Brilliant!  Thanks, Rerouter.

I ran the MCBD command with the suggested 200M key (from my dump file as attached earlier), and then went into the scope via telnet and checked for the bandwidth.txt file.  It was there, as you called it, along with the older bandwidth.bak file from my original update.

I've attached a shot of the content of each file, the .txt now containing the 200M key, and the .bak containing the original 100M key.

I've also attached an updated memory dump excerpt showing the now repeated 200M key.

All good now!  Thanks for the prompt response. :-+

Nick
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vt100 on January 20, 2019, 12:31:29 pm
So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".

As earlier posts have indicated modifying the bandwidth.txt file puts the scope in "PRO MODE" which basically bypasses the licensing process so you have a scope with all options and full bandwidth. The problem with this approach is the next firmware update could easily change this by placing the scope into complete lockdown with no options and minimal bandwidth. Once you have your license keys, you never need to worry about losing access to bandwidth or options.


Quote
In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)

This is expected. One of those 5, the "duplicate", is read from your filesystem and compared against the other 4 generated keys to determine what bandwidth your scope has. By "hacking" the config file you eliminated the "5th" key and now only see the 4 that the scope program generates for comparison. This is the 'expected' behavior given you changed the bandwidth.txt file.


Quote
I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M.

Even if you enter the wrong one, you can always enter another one to change it again. the MCBD command is not a one-shot deal.
 
Quote
I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file?  If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be? 

See paragraph #1 above.

Quote
I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.

See paragraph #2 above. Your scope isn't licensed w/ any bandwidth key, it's in PRO MODE. Hence you only have 4 keys in your mem dump, not 5.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 20, 2019, 02:00:43 pm
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

More importantly, someone mentioned a slight hardware difference in the analog front end of 1104x-e and 1204x-e. So, even if I can make my 1104 'think' he is a 1204, how can I make up for the hardware difference?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on January 20, 2019, 03:45:28 pm
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

It is not an option one can purchase.  The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as.  It is supposed to be immutable.  What is not known is whether there are any inherent differences in the hardware platforms?  For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope?  I don't think so.   But, if one changes the configuration, and the scope well enough works at 200 MHz, why not?  Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.   
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 20, 2019, 03:52:05 pm
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?

It is not an option one can purchase.  The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as.  It is supposed to be immutable.  What is not known is whether there are any inherent differences in the hardware platforms?  For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope?  I don't think so.   But, if one changes the configuration, and the scope well enough works at 200 MHz, why not?  Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.   

So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ewaller on January 20, 2019, 03:58:48 pm
So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
No arguments from me there.  I did opt for the 1204x-e.  All I can say is that I cannot back my assertion that they may not be the exact same platform -- they could be.  But, I will stand behind my assertion that the calibration is not valid for a 1104x-e at 200 MHz
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on January 20, 2019, 07:47:48 pm
So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.

How can I word this correctly... umm... well, let's just say if you *need* 200mhz (with the associated calibrated accuracy) then spend the couple extra hundred, since (perhaps) your livelihood depends on it.

On the gripping hand, if you're just messing around with the scope in your shack, and that calibrated accuracy is not that important... why not?

Assuming of course the hardware platforms are different... which I doubt. I'm willing to wager the scopes are identical, and all that changes is the sticker on the front of the case and the bandwidth license pre-installed.

Much akin to how Windows now has several versions, all of which are on the DVD, but the features available to the user depends on the product key used to activate the product.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Dundarave on January 20, 2019, 08:40:43 pm
Thanks for the clarifications, I've now got a much better understanding of how the key mechanism works.  Trying to assimilate that combined knowledge from all the various thread posts was a challenge, and perhaps my questions & your answers have helped others as confused as I.

One more question on the same topic: I am also curious as to how the "option keys" work for the Wifi, MSO and AWG modules.  In the normal course of events, if I were to buy an AWG for example, how would the key needed to activate my scope to use the AWG be communicated to me (assuming that the option key itself is unique to my scope)?  Does the AWG itself communicate/handshake with the scope to authorize its use?  Would there be a piece of paper with the AWG that contains a code that needs to be entered somehow?

And why the need for an option key at all?  Is it just a function of wanting to prevent knock-off Wifi, MSO, and AWG modules from working with the scope?  If you have to pay for the module anyway, I can't see any other reason for needing an option key mechanism in the first place.

Thanks again -
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 20, 2019, 09:49:29 pm
The SAG1021 AWG can be thought as 2 units if you like, one for Bode plot usage where NO licensing is required and as a reasonably well featured AWG controlled from within the scope UI. For that functionality you do need the licensing.

Edit to add; Only once the trial licenses have expired is any option licensing required.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on January 20, 2019, 11:02:30 pm
I question the option vodes as anything other than a money grab. But the scope is the only thing that needs the code entered. While I have yet to get it to work. The AWG option should also respond via SCPI over usb. But i have yet to successfully test that.

You get option codes on printed off sheets of paper if you buy them with the scope. Possibly similar via email if after the purchase.

The AWG interface is limited via the scope UI. It leaves out any way to configure the SweepWave, BurstWave, ModulateWave, and ArbWave. Not to mention there is everything already in place for the scope to capture a waveform and to play it back under any of these modes. But I have not yet found an easy way to do that.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 20, 2019, 11:50:35 pm
I question the option codes as anything other than a money grab.
Er well yes but only for 3 options whereas other 'money grabbing' brands like Tek, KS, R&S, LeCroy, Rigol etc will want to charge you for more. Decode is commonly an option for most brands while Siglent provide it for free.
Your point is ?  :-//
Quote
But the scope is the only thing that needs the code entered. While I have yet to get it to work. The AWG option should also respond via SCPI over usb. But i have yet to successfully test that.
SAG1021 arbitrary use is intended to be via the EasyWave SW where you will use SCPI commands.
This is all mentioned in the X-E datasheet.
Quote
You get option codes on printed off sheets of paper if you buy them with the scope. Possibly similar via email if after the purchase.
Maybe, maybe not.
If I have them at sale time I'll install them and pack a sheet/s of paper with them printed on too.
Otherwise it's a pdf in an later email with an option authorization code with which you go onto Siglents option generation website and enter it along with model type and SN#. The 'real' option code is then generated automatically and you have the option to get it on a pdf with installation instructions. This is what we normally add to the box prior to shipment.
Quote
The AWG interface is limited via the scope UI. It leaves out any way to configure the SweepWave, BurstWave, ModulateWave, and ArbWave. Not to mention there is everything already in place for the scope to capture a waveform and to play it back under any of these modes. But I have not yet found an easy way to do that.
Good point, maybe 'play' a captured waveform can be added into future FW.  :-+
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 23, 2019, 11:27:10 am
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on January 23, 2019, 02:11:54 pm
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?

Of course.

After then it is SDS1204X-E (except front panel model sticker)  and works as SDS1204X-E including everything - (if it is properly modified).
Only difference is front panel sticker and probes included in carton. But even these probes are not bad for 200MHz. (you can find probe test in this forum)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 23, 2019, 06:46:18 pm
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?

Of course.

After then it is SDS1204X-E (except front panel model sticker)  and works as SDS1204X-E including everything - (if it is properly modified).
Only difference is front panel sticker and probes included in carton. But even these probes are not bad for 200MHz. (you can find probe test in this forum)

Someone before asserted that factory calibration after the hack was not valid anymore.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on January 23, 2019, 07:33:55 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 23, 2019, 07:51:19 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".

It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 23, 2019, 08:01:21 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".

It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 23, 2019, 08:38:09 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".

It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.

I must not have traceable equipment but I must have accurate equipment. So, if hacking the scope makes me lose  accuracy I'm not gonna hack it. So: am I losing accuracy with the hack?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on January 23, 2019, 09:00:26 pm
Someone before asserted that factory calibration after the hack was not valid anymore.

Then, go ask that "someone".

It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.

I must not have traceable equipment but I must have accurate equipment. So, if hacking the scope makes me lose  accuracy I'm not gonna hack it. So: am I losing accuracy with the hack?
'Proven' -3dB BW of hacked SDS1104X-E is ~230 MHz and and amplitude spec is +3% like all DSO's, is that good enough ?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 25, 2019, 10:46:05 am
So, in the 1104x-e the 100Mhz bandwidth is obtained by limiting the full 200Mhz bandwidth via a software low pass filter? No hardware?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ian.ameline on January 26, 2019, 04:33:08 pm
The 100Mhz bandwidth limit is achieved by FIR filter coefficients (https://en.wikipedia.org/wiki/Finite_impulse_response) - these coefficients are different for the different bandwidths. The FIR filter is implemented in the FPGA, and applied to the signal coming from the ADC.

Short answer - it is software, but not software running on the ARM CPU.

The 20Mhz selectable bandwith limit takes place in the analog front-end, and so is implemented in hardware.

--Ian.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 26, 2019, 05:02:25 pm
Very interesting. I really like this scope and, with this hack, you are getting a tremendous bang for your buck (4 channels, 200Mhz, 1Gsa/s, double ADC for 500$). This is double the scope w.r.t. a Rigol 1054z for only 50% more in price. Big A Brand scopes with similar features are at least three/four times as expensive.  Besides, the hack is really a piece of cake.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: guho on January 26, 2019, 11:30:19 pm
Got it to work, many thanks for the instructions. Note that if you go with the Visual Studio solutions, in the TryKeys you have to change the hardcoded 23 port to 9999 if you want to use the telnet daemon started via SCPI (SHELLCMD telnetd -l/bin/sh -p9999). Also comment out the TelnetClient.login section as it is not needed (and even fails) for this telnet access. Changing the port number from 23 to 9999 in the .json is not enough unfortunately.

This scope is one of the best deals around, got it for $125 off MSRP from Amazon Warehouse Deals and now unlocked 200MHz and the 3 other items  :)  :)

Also, Newegg has the TL-WN725N wifi USB dongle for only $7 using code EMCTUVA36 for $3 off. Just bought one for my new scope. This same module is offered by Siglent for a mere $49 at https://store.siglentamerica.com/product/sds1104x-e-100-mhz/ Is this scope compatible with many wifi adapters or just this one?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on January 27, 2019, 12:33:20 am
The scope only has the driver file for that exact wifi dongle. however the drivers are inside a directory that you can write files to, (needs to remount the directory),

Your free to try loading other drivers for other dongles, But i cannot say if it will work, as Its unclear to me exactly how the system app is hooking into it at this point.

\bin\siglent\drivers\mt7601u.ko
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on January 27, 2019, 09:32:53 am
Very interesting. I really like this scope and, with this hack, you are getting a tremendous bang for your buck (4 channels, 200Mhz, 1Gsa/s, double ADC for 500$). This is double the scope w.r.t. a Rigol 1054z for only 50% more in price. Big A Brand scopes with similar features are at least three/four times as expensive.  Besides, the hack is really a piece of cake.

If compare  Rigol 1kZ with Siglent 1104/1204X-E they give really lot of more performance and features than just more bandwidth and samplerate.
What big A brand scope have one scope with waveform history buffer, full memory measurements with full sample resolution, fast segmented memory with up to over 100M memory, true full resolution 500uV/div, up to 32000 bytes single shot I2C decode (simultaneously 2 independent separate I2C bus), or 1000bytes/channel single shot UART decode (simultaneously 2 separate independent UART RxTx bus) etc... and all this online and offline including history buffer.
1Mpoints FFT, 3 channels 501point BodePlot (need external what ever Siglent SDG) even with 500Hz span (1Hz step) for narrow filters, semi fast XY (up to 60kwfm/s (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1801388/#msg1801388)) including intensity gradation, XY plot history buffer and YT measurements in XY mode. Even simplest thing, Sinc interpolation,  Rigol 1kZ box can not do right way. In siglent there is always available true samples and interpolation is fully post processed and user have full freedom to select right display mode/interpolation afterwards (example when looking stopped scope including wfm  history buffer.) This is also important in real tool when user need detect if displayed wfm include well known Sinc interpolation "problems" when signal have fast changes related to current sample interval.
So, what we compare to what... perhaps lemons and shoes.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Andreax1985 on January 27, 2019, 09:46:06 am


If compare  Rigol 1kZ with Siglent 1104/1204X-E they give really lot of more performance and features than just more bandwidth and samplerate.
What big A brand scope have one scope with waveform history buffer, full memory measurements with full sample resolution, fast segmented memory with up to over 100M memory, true full resolution 500uV/div, up to 32000 bytes single shot I2C decode (simultaneously 2 independent separate I2C bus), or 1000bytes/channel single shot UART decode (simultaneously 2 separate independent UART RxTx bus) etc... and all this online and offline including history buffer.
1Mpoints FFT, 3 channels 501point BodePlot (need external what ever Siglent SDG) even with 500Hz span (1Hz step) for narrow filters, semi fast XY (up to 60kwfm/s (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1801388/#msg1801388)) including intensity gradation, XY plot history buffer and YT measurements in XY mode. Even simplest thing, Sinc interpolation,  Rigol 1kZ box can not do right way. In siglent there is always available true samples and interpolation is fully post processed and user have full freedom to select right display mode/interpolation afterwards (example when looking stopped scope including wfm  history buffer.) This is also important in real tool when user need detect if displayed wfm include well known Sinc interpolation "problems" when signal have fast changes related to current sample interval.
So, what we compare to what... perhaps lemons and shoes.

No need to get upset. I'm with you. I was simply saying that these scopes are a tremendous value and that A Brand scopes with similar (similar!) features cost many times more. The other big contender which surpasses these scopes spec-wise is the new Rigol MSO5000, but for double the price. So 1000x-e scopes are still the best value on the market IMHO.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on January 27, 2019, 01:01:51 pm
The scope only has the driver file for that exact wifi dongle. however the drivers are inside a directory that you can write files to, (needs to remount the directory),

Your free to try loading other drivers for other dongles, But i cannot say if it will work, as Its unclear to me exactly how the system app is hooking into it at this point.

\bin\siglent\drivers\mt7601u.ko

I used a TPLink wifi dongle on mine and it worked fine.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: timgiles on January 27, 2019, 05:18:56 pm
I am going to try installing a few other wifi dongles and will provide any success stories in an additional thread. For me, I would like an AC dongle so I dont have to run legacy Wireless at home - just for the scope... I doubt the speed difference would help with the web server.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: guho on January 31, 2019, 06:17:58 pm
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.

Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on February 01, 2019, 08:52:33 am
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.

Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
Have a study here:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2038612/#msg2038612 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2038612/#msg2038612)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: radensb on February 08, 2019, 06:36:15 pm
I just got this scope and completed the *upgrade*. My experience was a mashup of other users, so I figured I would comment on what didn't work and what I ended up doing to achieve success.

What didn't work:
I followed the core dump procedure. I did the following:

There are a few typos, but I was able to execute the procedures. I ran through it several times and was never able to generate a core dump on the first try. I then tried simply restarting SDS1000b.app without rebooting the scope and killing again (not what the above procedure suggested). A few times I was able to get the core dump file to generate, but that lead to another problem. As another user stated, the scope buttons remained unusable, even after restarting the app. The only way to recover was a power cycle. This would wipe out the core file that was created. In addition to the buttons not working, the scope would not detect the USB drive anymore to copy the core dump too. The Linux OS would detect the drive, but it would not mount. I had to manually create a temp directory in /usr/bin/siglent/usr/mass-storage/ and manually mount /dev/sda1 to it to copy the core dump. I did this several times with several core dumps. I got a ~207MB file each time, but most of it was empty and searching for the string "SDS1000X-E" always yeilded "no match". So, this method did not work for me. Perhaps someone can explain why?

What did work:
Using following command to get a mem dump on the USB drive worked perfectly: post#54
Code: [Select]
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
The flash drive I was using had an LED indicator that flashed when preforming a read/write and slowly dimmed when idle making it easy to tell when the file was done writing, which was nice. I created several mem dumps to compare. Each one was different, which was expected, but I noticed only one contained my BW keys in a contiguous block that was human readable. None of them contained the options keys in a contiguous block, thus I needed to use some tools. I ended up trying the FindKeys and Trykeys tools mentioned in post #38. make sure you have the current version of Visual Studios (I ran VS2017 15.9) and install .NET Core 2.1 as that is what the tools run on.

Define the proper parameters in the FindKeys .json file as instructed in the repo readme and run the FindKeys tool against your mem dump file. It will generate a txt file that has all the possible combinations of possible keys through the fragmentation of the mem file.

Define the proper parameters in the TryKeys .json file as instructed in the repo readme. I noticed some things about the TryKeys program that should be addressed before running it.
The root telnet access method is needed for the TryKeys program to run:
Run the SCPI command
Code: [Select]
SHELLCMD telnetd -l/bin/sh -p9999
Then run the Trykeys based on the above config/recommendations.
If you didnt use the Trykeys to update the bandwidth (like me), run the SCPI command
Code: [Select]
MCBD (license key) where (license key) is the key for the bandwidth you want, to update it manually. Then reboot and check with the
Code: [Select]
PRBD? command to verify.

All in all, I think the method that worked for me is the simplest as it requires no software modifications (I was running 7.1.6.1.25R2 out of the box). It is also the most reliable as I was able to get the mem dump file every time I ran the command and all the files ended up producing the valid keys.

Hope my experience makes this process easier for others! I am really enjoying me new scope!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: harpster58 on February 17, 2019, 07:13:47 pm
Hi All - Instructions are very good, thank you! After reading the entire 5 pages of posts I ended up doing the following. Also for the record my scope was bought in Jan-2019 with 6.1.25.R2 and I had upgraded to 6.1.26 before doing this. (7.1. prefix shows up the FW revision i.s. 7.1.6.1.26)

I did the mem dump technique below and did get the 250M file (thanks to post #54)

Code: [Select]
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
I used the Mac OS "Hex Friend" editor to view the memdump.bin file and initially I thought I wasn't getting it but then it kinda stuck out like a sore thumb exactly as described in post #39 steps 21 - 23. What I'm NOT seeing are the Option codes #38 step 24. I see my serial number in two places but no 16 character strings nearby.

I started to try to use FindKeys but I don't use Visual Studio so not sure what I was doing there. I did a build the FindKeys prj and it did put a bin folder with a FindKeys.DLL and FindKeys.json but I don't understand how to run that... I thought there would a FindKeys.exe file? But Bandwidth was the main thing I wanted to upgrade... I will keep checking back here and maybe try the option codes again later... need a break now haha...  Many thanks!
Title: What happened to politeness here?
Post by: videobruce on February 17, 2019, 08:15:43 pm
This refers to the just plain nastiness here, specifically on the 1st page and throughout this thread (and others).
It's a sad state that certain individuals (that happen to be at a higher level) look down on anyone that doesn't meet their standards. Especially when they question previous post simply because the text was not clear enough.

To these 'individuals'; everyone is NOT at your esteem level of knowledge. What MAY be simple to YOU, isn't to others. We have one Dictator Trump in my country that thinks is is always right, the world doesn't need more like him. 
Title: continued.....
Post by: videobruce on February 17, 2019, 08:27:16 pm
BTW, the thread title does state "step by step" which means exactly that. NOT skipping details (other than very basic), under the assumption those details should be already known..
Title: Re: What happened to politeness here?
Post by: not1xor1 on February 18, 2019, 07:25:29 am
Quote from: videobruce link=topic=136445.msg2207523#msg2207523 date=1550434543To these 'individuals'; [color=red
everyone is NOT at your esteem level of knowledge. What MAY be simple to YOU, isn't to others.[/color] We have one Dictator Trump in my country that thinks is is always right, the world doesn't need more like him.

IMHO it is a wrong comparison as people writing here do have some real competence while Trump competence is limited to his very peculiar hair style  ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: radiolistener on February 18, 2019, 07:43:34 am
hi guys. Is there any hack for SDS1102X model (not X-E)?

I tried to execute these commands through VXI11 SCPI:
- "SHELLCMD telnetd -l/bin/sh -p9999"
- "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"

but telnet didn't started and it even doesn't try to access usb stick... :(
Unfortunately there is no response from SHELLCMD command executed on VXI11 SCPI interface, so I even don't know if it is implemented...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on February 18, 2019, 08:22:07 am
The X model is blackfin based not arm-linux,

This thread seems to be for it, but it seems it needs a hardware patch for full bandwidth from a quick glance,
https://www.eevblog.com/forum/testgear/siglent-sds2000x-hack/ (https://www.eevblog.com/forum/testgear/siglent-sds2000x-hack/)

To Videobruce, If you need help, ask nicely, Most of the later discoveries where made by different users than those in the first few pages,

The SCPI memdump method is the most recent, in that it requires no custom firmwares or rooting, but as a trade off the memory is dumped in an odd segment ordering, and some times the keys will be split over a memory segment boundary, so you may need to dump more than once to catch them, The searching through with a hex editor for the keyword will still work with this method, just takes a few tries to get,

To make it easier to find those keys, you can also copy the "/bin/siglent/firmdata0" folder, In there you will find .bin files relating to each option, open them in a hex editor, take the last 4 bytes and xor them 0xFF00FF00, and reverse there order, e.g. 0xC734B24D = 0x38344d4d, this is ascii, 84MM, flip it so its MM48, and there is the first 4 characters of that option to search for.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: videobruce on February 18, 2019, 10:44:47 am
IMHO it is a wrong comparison as people writing here do have some real competence while Trump competence is limited to his very peculiar hair style  ;D
To Videobruce, If you need help, ask nicely, Most of the later discoveries where made by different users than those in the first few pages,

That was referring only to the disrespectful individuals mentioned, not the entire membership, nor was it referring to any 1st hand experience. (BTW, I wouldn't even give him credit for his hair either.)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on February 18, 2019, 10:59:12 am
I used the Mac OS "Hex Friend" editor to view the memdump.bin file and initially I thought I wasn't getting it but then it kinda stuck out like a sore thumb exactly as described in post #39 steps 21 - 23. What I'm NOT seeing are the Option codes #38 step 24. I see my serial number in two places but no 16 character strings nearby.

I started to try to use FindKeys but I don't use Visual Studio so not sure what I was doing there. I did a build the FindKeys prj and it did put a bin folder with a FindKeys.DLL and FindKeys.json but I don't understand how to run that... I thought there would a FindKeys.exe file? But Bandwidth was the main thing I wanted to upgrade... I will keep checking back here and maybe try the option codes again later... need a break now haha...  Many thanks!

I've never used visual studio on a mac, but normally when you build .net core apps on a PC you end up with a dll, which you execute from the command line via "dotnet mydllfilename.dll", e.g. dotnet.exe Findkeys.dll

I assume the same applies on a mac, from a terminal session.

Title: Re: What happened to politeness here?
Post by: vt100 on February 18, 2019, 11:39:50 am
This refers to the just plain nastiness here, specifically on the 1st page and throughout this thread (and others).

I'm new here, and I've found everyone completely helpful.

Presumably everyone is here to learn and so sometimes answers are not given to you on a silver platter, but answers contain enough information to make you think for yourself and hopefully learn something.

Understandably if you want someone to do it for you, you'll probably find their answer unhelpful.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: videobruce on February 18, 2019, 12:05:07 pm
This has nothing to do with a "silver platter", nor anyone asking for someone else to do it for you. Have you read thru the first the 1st couple of pages??
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on February 18, 2019, 12:24:58 pm
The few of us that have dug into these things and chose to share it, we are already giving you something for free just because we thought it would help others, most of us enjoy this, however its easy to forget the knowledge base of a beginner, And like some of the discussions on the first page, to fully explain the reasons behind why you made those choices, We are good at breaking into things, not always at explaining how we did it.

Personally I see stuff very similar to what a room of engineers look like, some bite and go on the attack rather than clarifying there question

If you need something clarified, I'm right here to explain it as best I can,

I will say your earlier posts read as hostile at first glance, and your latest one still does, I will offer you a suggestion, PM fungus asking to update the first post with the latest unlock information, If you feel comfortable with the info and procedure you could prepare it for him, otherwise just ask Nicely.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on February 18, 2019, 03:00:03 pm
This has nothing to do with a "silver platter", nor anyone asking for someone else to do it for you. Have you read thru the first the 1st couple of pages??

As others have indicated, how you ask is sometimes more important than what you ask.

Given your attitude, I am not surprised you meet resistance.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: BillB on February 18, 2019, 03:58:40 pm
videobruce,

Being one of those that posted on the first page of this thread, I do remember when/why it first started and the attitudes expressed that might not be clear to a new reader.  IIRC, there was some banter in other threads regarding which scope was the best bang-for-buck/most-easily-hackable - essentially a pissing-contest between two camps of brand supporters.  I won't speak for Fungus as to why he started this thread (I respect all those who've contributed to this forum; there are a number of highly knowledgeable and helpful people here) but my first impression at the time was that he started this ironically, to continue the banter  :D.  (I could certainly be wrong about this, but again that was my feeling at the time) 

I think that is why the tone of the first page of this thread was more adversarial than usual.  Please don't take this as an example of the attitudes of many of the regulars here; this is generally an extremely helpful and informative bunch.   
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: harpster58 on February 19, 2019, 12:00:29 am
[quote I've never used visual studio on a mac, but normally when you build .net core apps on a PC you end up with a dll, which you execute from the command line via "dotnet mydllfilename.dll", e.g. dotnet.exe Findkeys.dll [/quote]

Actually I only used the hex editor on Mac as Notepad++ on PC wasn't giving me the view I needed.  I downloaded Visual Studio and set up on PC... never worked with it before. So I guess I did everything correct but I just had no idea how to open the the file or even what file to open. I'll see if I can do it now using command line.  Tx!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: phil303 on February 19, 2019, 06:21:03 am
Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.

Code: [Select]
FP = 'YOUR_FILE_PATH'


def crazy_check(byte, l):
    return (
        (byte < ord('2') or byte > ord('9')) and
        ((byte < ord('A') + l) or (byte > ord('Z') + l)) and
        (byte != ord('L') + l) and (byte != ord('O') + l)
    )


parts4 = set()
parts8 = set()
parts12 = set()
keys = set()


def find_keys(fp):
    with open(fp, 'rb') as f:
        entire_buffer = f.read()

        l = 0
        for j in range(2):

            i = 0
            str_start = 0
            str_size = 0

            for i in range(len(entire_buffer)):
                byte = entire_buffer[i]

                if crazy_check(byte, l):
                    b = (str_start % 4096 == 0) or (i % 4096 == 0)

                    if str_size > 15 or (str_size > 3 and b):
                        str_end = str_start + str_size
                        if str_size % 16 == 0:
                            s = entire_buffer[str_start:str_end].decode('utf8')
                            while len(s) > 15:
                                left_string, s = peel_off_string(s, 16)
                                check_and_add(left_string)

                        if str_size % 4 == 0 and b:
                            for x in range(0, 16, 4):
                                s = entire_buffer[str_start:str_end].decode('utf8')
                                left_string, s = peel_off_string(s, x)
                                check_and_add(left_string)

                                while len(s) > 15:
                                    left_string, s = peel_off_string(s, 16)
                                    check_and_add(left_string)

                                check_and_add(s)

                    str_size = 0
                    str_start = i + 1

                else:
                    str_size += 1

            l += 32

        keys.union(consolidate_parts(parts8, parts8))
        keys.union(consolidate_parts(parts4, parts12))
        keys.union(consolidate_parts(parts12, parts4))

        for k in keys:
            print(k)


def check_and_add(string):
    is_ok = string.isupper() and len(string) % 4 == 0 and len(string) > 0
    if is_ok:
        if len(string) == 4:
            parts4.add(string)
        if len(string) == 8:
            parts8.add(string)
        if len(string) == 12:
            parts12.add(string)
        if len(string) == 16:
            keys.add(string)


def peel_off_string(string, i):
    left_string = ""
    if len(string) >= i:
        left_string = string[:i]
        string = string[i:]
    return left_string, string


def consolidate_parts(p1, p2):
    rc = set()
    for i, s1 in enumerate(p1):
        for j, s2 in enumerate(p2):
            if i != j:
                s = s1 + s2
                rc.add(s)
    return rc


if __name__ == '__main__':
    find_keys(FP)



Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: harpster58 on February 21, 2019, 12:21:00 am
Worked! When putting in File Path (FP = 'YOUR_FILE_PATH') be sure to use fwd slashes "/" not back "\" slashes. At first nothing happened... takes a little time to process then I got all the keys. Since i had already gotten the bandwidth keys I just deleted them and the 3 or 4 text strings that were returned. That left me with 4 keys and pretty easy to re-enter the keys for the options until I got them all correctly. Not sure with the extra key was for maybe an unused option.

Anyway very cool, thanks for posting this!

Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.

Code: [Select]
FP = 'YOUR_FILE_PATH'


def crazy_check(byte, l):
    return (
        (byte < ord('2') or byte > ord('9')) and
        ((byte < ord('A') + l) or (byte > ord('Z') + l)) and
        (byte != ord('L') + l) and (byte != ord('O') + l)
    )


parts4 = set()
parts8 = set()
parts12 = set()
keys = set()


def find_keys(fp):
    with open(fp, 'rb') as f:
        entire_buffer = f.read()

        l = 0
        for j in range(2):

            i = 0
            str_start = 0
            str_size = 0

            for i in range(len(entire_buffer)):
                byte = entire_buffer[i]

                if crazy_check(byte, l):
                    b = (str_start % 4096 == 0) or (i % 4096 == 0)

                    if str_size > 15 or (str_size > 3 and b):
                        str_end = str_start + str_size
                        if str_size % 16 == 0:
                            s = entire_buffer[str_start:str_end].decode('utf8')
                            while len(s) > 15:
                                left_string, s = peel_off_string(s, 16)
                                check_and_add(left_string)

                        if str_size % 4 == 0 and b:
                            for x in range(0, 16, 4):
                                s = entire_buffer[str_start:str_end].decode('utf8')
                                left_string, s = peel_off_string(s, x)
                                check_and_add(left_string)

                                while len(s) > 15:
                                    left_string, s = peel_off_string(s, 16)
                                    check_and_add(left_string)

                                check_and_add(s)

                    str_size = 0
                    str_start = i + 1

                else:
                    str_size += 1

            l += 32

        keys.union(consolidate_parts(parts8, parts8))
        keys.union(consolidate_parts(parts4, parts12))
        keys.union(consolidate_parts(parts12, parts4))

        for k in keys:
            print(k)


def check_and_add(string):
    is_ok = string.isupper() and len(string) % 4 == 0 and len(string) > 0
    if is_ok:
        if len(string) == 4:
            parts4.add(string)
        if len(string) == 8:
            parts8.add(string)
        if len(string) == 12:
            parts12.add(string)
        if len(string) == 16:
            keys.add(string)


def peel_off_string(string, i):
    left_string = ""
    if len(string) >= i:
        left_string = string[:i]
        string = string[i:]
    return left_string, string


def consolidate_parts(p1, p2):
    rc = set()
    for i, s1 in enumerate(p1):
        for j, s2 in enumerate(p2):
            if i != j:
                s = s1 + s2
                rc.add(s)
    return rc


if __name__ == '__main__':
    find_keys(FP)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: mroek on February 21, 2019, 01:19:04 pm
I'm a bit curious about the actual key generation. As far as I can understand, each individual scope has it's own unique set of keys. Are these keys stored in some kind of nonvolatile/read-only memory (perhaps in a separate memory partition), and generated during production? Or perhaps the keys are generated with the serial number as the input, so only the serial number needs to be stored during production?

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on February 22, 2019, 12:58:19 pm
Keys are generated off the scopeid and serial number using an algorithm only Siglent, and those savvy enough to disassemble the scope application, know.

Someday maybe I can afford a copy of IDA Pro with the requisite disassemblers so I can fall into the latter category :)

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: mroek on February 22, 2019, 01:10:21 pm
Keys are generated off the scopeid and serial number using an algorithm only Siglent, and those savvy enough to disassemble the scope application, know.

Someday maybe I can afford a copy of IDA Pro with the requisite disassemblers so I can fall into the latter category :)

Ok, thanks. IDA Pro is rather expensive, and it would still take quite a bit of work to reverse-engineer the algorithm, so as long as the actual generated keys (on a device you own) can be found by other methods, it really isn't worth it.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on February 22, 2019, 01:43:32 pm
Reverse engineering atleast from my own perspective is one of those few topics that throw you full well into the deep end from the get go, as there is no 1 true way to approach it, and the skill level of the power users, you will struggle finding answers on how to drive the bloody programs early days (not to many hits on stack overflow)

I only started digging because I was bored and had a program do a incrementing search for SCPI queries and started turning up a lot of things that where undocumented, I wanted to figure out what other functions where baked into the thing, and well now I'm down the rabbit whole patching typos, and trying to figure out how the protocol decoders work, in my own vain hopes that I may be able to format out some new ones.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: mroek on February 22, 2019, 06:27:23 pm
I received my scope today, and the info in this thread enabled me to find all keys without breaking a sweat, so thanks to all that contributed with info. For reference, I used the full memory dump method (by sending the SCPI command from the web interface), and then searched the dump file with a hex editor. No need for any scripts or anything.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Coldblackice on March 05, 2019, 11:59:37 pm
Reverse engineering atleast from my own perspective is one of those few topics that throw you full well into the deep end from the get go, as there is no 1 true way to approach it, and the skill level of the power users, you will struggle finding answers on how to drive the bloody programs early days (not to many hits on stack overflow)

I only started digging because I was bored and had a program do a incrementing search for SCPI queries and started turning up a lot of things that where undocumented, I wanted to figure out what other functions where baked into the thing, and well now I'm down the rabbit whole patching typos, and trying to figure out how the protocol decoders work, in my own vain hopes that I may be able to format out some new ones.

How did you learn how to do this? I would love to know how to go about doing this from scratch, what your process/tools were. Do you use IDA PRO at all? Would you be able to do this with IDA PRO?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on March 06, 2019, 01:54:38 am
I use IDA. Yes. Main things to start with is the strings subveiw. You dont really need to reverse anything to see some interesting strings in most programs.

Next would be setting the right architechture for what your reversing. Armv7 a/r from memory.

And finally the basics of the assembler your working with. E.g. BL branch load. And stack push and pull commands tend to give a nice indication where things start and stop.

There is some fiddly stuff to allow ida to name longer string variables. But that comes later.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on March 06, 2019, 02:55:13 pm
I use IDA. Yes. Main things to start with is the strings subveiw. You dont really need to reverse anything to see some interesting strings in most programs.

Next would be setting the right architechture for what your reversing. Armv7 a/r from memory.

And finally the basics of the assembler your working with. E.g. BL branch load. And stack push and pull commands tend to give a nice indication where things start and stop.

There is some fiddly stuff to allow ida to name longer string variables. But that comes later.

Reminds me of my childhood 40 years ago, when I would take hex dump reports of Z80 and 6502 machine code and manually disassemble the program into marble black graph-ruled notebooks. I learned z80 machine code when I was 13.

It is the only real way you can begin to learn what a program is doing. (It also made me a better developer, being able to think in low-level terms rather than at a higher, abstract level. I can visualize solutions (like bitmaps) that other developers I work with cannot.)

of course, this also assumes you have an understanding of processor operations (e.g. registers, stack, etc.), addressing schemes, etc. So at a minimum you have to find the technical documentation on the processor you're looking to work with.

I would say it was probably a lot easier back then, when programs were written in assembler. I've never tried to manually disassemble a program compiled from a higher-level language.

I do miss doing it. I also miss Latin class in school during my teenage years too. I must be getting nostalgic in my old age.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on March 06, 2019, 03:00:41 pm
I don't know if the IDA Latin language pack exists but you could try a 2-in-1 !  ;D

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on March 06, 2019, 03:48:04 pm
I don't know if the IDA Latin language pack exists but you could try a 2-in-1 !  ;D

About a year ago I purchased a latin vulgate and latin-to-english dictionary with the intention of reading/translating, but have yet to get around to it.

way back when, we had a local church which still held latin masses, it was good practice, once I was able to train my brain to decipher ecclesiastical latin.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on March 06, 2019, 03:52:04 pm
way back when, we had a local church which still held latin masses, it was good practice, once I was able to train my brain to decipher ecclesiastical latin.

WOW!  Compared with that, assembly is for kids!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: BillB on March 06, 2019, 05:28:48 pm
If IDA is too expensive for you, consider Ghidra

https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/ (https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on March 06, 2019, 05:55:51 pm
If IDA is too expensive for you, consider Ghidra

https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/ (https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/)

lmao yeah, I'm going to download stuff from the NSA and install it on my computer.

Nooooooo chance of it having some spyware or back-door capabilities for the federal government embedded in there. Noooo sireeeeee.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on March 10, 2019, 11:34:16 am
from the NSA and install it on my computer

actually CIA, later NSA. I'm using it since years, still alive, still no drones on the sky. EDIT (Ghidra is really useful, you can always use VM if you care).

I'm more complaint about useless online firmware updates for these DSOs, i don't need it, they are security holes by design, i wish Siglent could spend more time on firmware improvements/fix instead of useless online updates.
Title: In a single line of code
Post by: 48656C6C6F20576F726C6421 on April 10, 2019, 07:22:16 pm
I came across this thread and found it interesting. It looked like a nice puzzle. I thought whether there is any way to put all the previous information into a single line of code (e.g. shell code), so there is no need for:
- patching the firmware
- searching strings in a hex editor
- compiling some search tools with a version of VS you don't have, so you need to change the code before it runs
- messing arround with USB

The following code is for educational purpose. Do not use it if you have not bought the options or bandwith. If you want to play with it, you should first ask Siglent, how to remove/disable an unwanted/unlicenced option which was unlocked by accident while playing with the device.
This is important because they put a lot of time and work in it to disable some functionality. This work need to be paid!
There might be some exceptions (but I'm mot sure):
- if you lost your bought keys, and the device did it too, or you have not entered it before the precious loss
- if the device was delivered in a wrong configuration (i.e. bandwith)
- if your device came in a wrong case or with a wrong label

This code is for the shell (e.g. Telnet):
Code: [Select]
BW_OK="200M"; QuickSearch=500; cat /proc/$(pidof sds1000b.app)/maps | grep heap | while read line; do start=0x$(echo $line | cut -c 0-8); end=0x$(echo $line | cut -c 10-18); dd if=/proc/$(pidof sds1000b.app)/mem bs=4096 skip=$(($start/4096)) count=$( [ -z "$QuickSearch" ] && echo $((($end-$start)/4096)) || echo $QuickSearch) | grep -ohE "[A-Z0-9]{16}" | grep -vhE "([A-Z])\1{2}" | while read line; do echo "LCISL WIFI,$line" | nc -w1 127.0.0.1 5024; echo "LCISL AWG,$line" | nc -w1 127.0.0.1 5024; echo "LCISL MSO,$line" | nc -w1 127.0.0.1 5024; [ $BW_OK != "$(echo "PRBD?" | nc -w1 127.0.0.1 5024 | grep -o $BW_OK)" ] && echo "MCBD $line" | nc -w1 127.0.0.1 5024; done; done

You need to enable Telnet like described in post #67.

Yeah ok, it's not a single line in the meaning of code but in the meaning of a string.

Can this also be put into the web interface? Not directly but it can:
Code: [Select]
SHELLCMD sh -c $'BW_OK="200M" \x3b QuickSearch=500 \x3b cat /proc/$(pidof sds1000b.app)/maps | grep heap | while read line\x3b do start=0x$(echo $line | cut -c 0-8)\x3b end=0x$(echo $line | cut -c 10-18)\x3b dd if=/proc/$(pidof sds1000b.app)/mem bs=4096 skip=$(($start/4096)) count=$( [ -z "$QuickSearch" ] && echo $((($end-$start)/4096)) || echo $QuickSearch) | grep -ohE "[A-Z0-9]{16}" | grep -vhE "([A-Z])\\1{2}" | while read line\x3b do echo "LCISL WIFI,$line" | nc -w1 127.0.0.1 5024\x3b echo "LCISL AWG,$line" | nc -w1 127.0.0.1 5024\x3b echo "LCISL MSO,$line" | nc -w1 127.0.0.1 5024\x3b [ $BW_OK != "$(echo "PRBD?" | nc -w1 127.0.0.1 5024 | grep -o $BW_OK)" ] && echo "MCBD $line" | nc -w1 127.0.0.1 5024\x3b done\x3b done' &

This was a little bit more complicated because the web interface doesn't accept semicolons, so they needed to be masked. There is also a circular dependency for SCPI, which will lock netcat if the script is not running independently, so the ampersand at the end is mandatory.

The variable at the beginning is the bandwith you want to select, and need to be set to a correct string like "200M" or "100M". This can be used if you want to try a different BW (e.g. for benchmarks or so).
I figured out that the keys are at the very beginning of the heap. I put a QuickSearch limit at the beginning of the script, so that it does not need to grep through the whole heap, which would need more then a minute. With the limit of 500 it will run about 5 seconds. If it does not find the keys, you can remove the "500" and it will run through the full heap.
You can watch how the options get unlocked ("xx" instead of a value) if you have this info page opened.
I put an additional filter (grep -vhE "([A-Z])\1{2}") in it to remove found strings (about 50 in the whole heap) with low entropy. This is not really needed, and does not have huge effect on performance but it makes it a little bit more sophisticated. There is a chance of 1/3589 (if I'm right) that this will filter a valid key. You can remove it if you think this is the case.

What do we learn from that at the end?
If you want to use cryptography to check a key, do not calculate the right one in parallel and compare it to the entered one. I also don't understand why they did this if there is nothing to compare. Hmmm, intention?

I hope you have fun and don't forget "Piracy. It's a Crime." ;)
Title: Re: In a single line of code
Post by: bugi on April 10, 2019, 08:49:22 pm
I came across this thread and found it interesting. It looked like a nice puzzle. I thought whether there is any way to put all the previous information into a single line of code (e.g. shell code)
...
Awesome! (In more than one way.)

In couple pages someone will start compressing that from "single line of code" to "half a line of code", somehow, and producing Siglent logo in ASCII graphics as a side-effect. (Obfuscated code contest -style)...

... And in few more pages we have the code golfers doing it all in 17... scratch that, 15 characters. No, 11 is enough if you use the language.... no, 9 if you accept messy output.

:P of course.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: additude on May 12, 2019, 09:45:14 am
Hello,
Thanks to everyone that contributed to this thread.
I was able to easily SHELL the telnet on 9999, telnet in from my Win10 laptop, save a memory dump to a USB drive and use HxD editor to locate 5 codes, two of which were Nut2Butt... then use MCBD on the second code to change my bandwidth to 200M with PRBD? reporting such and all without any reboot.
A few things that I have question of I hope someone can insight me.
I was able to use the 200M code, what are the others for? I do not wish to break something so I ask for knowledge first.
Is it to do with other "Options"? I know post #39 has 100M, 200M, 50M and 70M.... Are the 5 codes I have retrieved strictly related to BW only?

So why 5 codes and not 4? "The one that appears twice is the license key your scope is currently licensed under."
Secondly, can I locate other unlock codes for the other features on my SDS1104X-E? "When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO."
In my own attempt to answer these questions, I rebooted the machine and I ran the latest "One Liner" code via telnet, but even leaving QuickSearch blank I received only:
Code: [Select]
7563+0 records in
7563+0 records out
30978048 bytes (29.5MB) copied, 80.243151 seconds, 377.0KB/s
Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
....

Running the SCPI SHELL of this with QuickSearch blank I received:
"Device Cannot Be Connected"
With QuickSearch=500 it finished but did not report any results.
Thanks..
--Wes
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: e0ne199 on May 12, 2019, 07:40:56 pm
damn so in the end i am wasting my money to buy SDS1204X-E...........if i knew something like this could happen then i wouldn't want to buy my current oscilloscope  :(

does anyone here have a chance to crack SDS1204X-E? i just want to know if there is still a possibility to crack more bandwidth out of this oscilloscope...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: additude on May 13, 2019, 02:08:43 pm
Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.
I ran this and compared it to my outputs of key codes from the Hex Editor and this python mod worked fine. It harvested every possible key, just it ends up being a try/fail routine with 40-ish codes.
The program ran for minutes without any errors on a Windows 10 machine.
Thanks Phil.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: slaupin on July 02, 2019, 04:24:42 am
Does anyone know if this general approach works on any other Siglent oscilloscope series? After digging through this whole thread I think it was stated that it would NOT work on the SDS1kX series. What about the SDS2kX series? Thanks for all of the great info!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: wgoeo on July 24, 2019, 05:34:31 pm
I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.

Edit: Update (https://repl.it/@wgoeo/siglent-keygen), thanks tinhead!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Taaning on July 24, 2019, 06:55:51 pm
Ran the script, and it found all the correct keys for my scope.
Thank you :-)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on July 26, 2019, 05:18:56 pm
I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.

almost, for bandwidth SCOPE_ID and for other options S/N is the way to go. With some tricks (generate 500M License - which is not valid for that models but it opens somedoors, add it, generate 300M License, add it, reboot) one can go even to non existing but valid model SDS1304X-E, but for some reason even if shows that model, it defaults filter to 70MHz BW, so not "yet" perfekt hack

[attachimg=1]
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: wgoeo on July 27, 2019, 01:29:28 am
It seems there is another way to enable telnet without doing a firmware update. Create a file named siglent_device_startup.sh in the root directory of a FAT formatted USB disk containing the following:
Code: [Select]
#!/bin/sh
/usr/sbin/telnetd -l /bin/sh -p 2323 &
Insert the disk, reboot the scope, then try telnetting to port 2323. If something goes wrong, unplug the disk then reboot.
For 6.1.33 and possibly older versions. Untested as always.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: oldcqr on August 26, 2019, 11:56:11 pm
Hi Newbie here, but not a newbie.  But I sure feel like one right now!

I read the entire thread, and it appears that all I really need to do is establish a telnet session with the scope and/or use that whiz bang single line thing from the web interface.  I can't get either to work.

I've tried starting the telnet server on the scope using 2 methods - the one in message 67 (
Code: [Select]
SHELLCMD telnetd -l/bin/sh -p9999), and the one in 161 (should be just above this post) using the USB drive.  Neither appear to start the server.  When I try to telnet into the scope, (using PuTTY which I use frequently, or straight up Windows 10 Telnet) it fails:

Microsoft Telnet> o 192.168.1.55
Connecting To 192.168.1.55...Could not open connection to the host, on port 23: Connect failed
Microsoft Telnet> o 192.168.1.55 2323
Connecting To 192.168.1.55...Could not open connection to the host, on port 2323: Connect failed
Microsoft Telnet> o 192.168.1.55 9999
Connecting To 192.168.1.55...Could not open connection to the host, on port 9999: Connect failed

YES, 192.168.1.55 is the static address I assigned to the scope, and I am able to get to the web server on that address (so there is no weird subnet problem/etc. 

Tracing route to 192.168.1.55 over a maximum of 30 hops

  1     2 ms     1 ms    <1 ms  192.168.1.55

Trace complete.

[attachimg=1]


Running the one line update also does nothing. 

So I took another step backwards and just tried to create a memory dump on the USB stick using
Code: [Select]
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin.  I used both USB ports (the scope recognized the USB stick both places).  Neither time did I get a file of any size (not even an empty one).

So to me, it appears that despite the web interface saying 'command send success', it's not actually doing anything on the scope.  Am I missing something simple?  Do I need to enable something?  With none of this working, I'm a bit gun-shy to revert the firmware (like all the way back in msg 1).

FYI:
[attachimg=2]
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on August 27, 2019, 09:32:55 am
SHELLCMD doesnt exist in the FW anymore. So you can't use the commands based on that.

I think there is a public .GEL that allows you establish a SSH session or do a memdump.

Re-read this thread at least.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: e0ne199 on August 27, 2019, 02:18:16 pm
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on August 28, 2019, 05:32:35 am
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.

Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz  SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: oldcqr on August 28, 2019, 05:54:35 pm
SHELLCMD doesnt exist in the FW anymore. So you can't use the commands based on that.

I think there is a public .GEL that allows you establish a SSH session or do a memdump.

Re-read this thread at least.

Ok, I reread the thread and I came at it differently....

1 - I already have python on this machine (I use it frequently)
2 - I downloaded the script wgoeo posted a couple of messages back
3 - I updated the serial number in the script with my serial number from the back of the unit/System status screen (note - I used the entire serial number, all in caps, starting with SDSM (not sure if that is right nor not)
4 - Ran the script and it generated the keys
5 - In the SCPI web page I entered "MCBD [generatedkey]" (obvs without " or [])
6 -Reboot

Nothing changed.  MCBD? shows no change.  I also tried lower case serial number, as well as changing the 'SDS1000X-E to SDS1104X-E' - which I probably didn't need to do, but tried anyway.  I also tried using Scope ID (from ScopeID? command) both as-is and with removing the hyphens and changing lowercase HEX to uppercase.

Please, can you give me a point in the right direction?

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tinhead on August 28, 2019, 08:35:30 pm
Nothing changed... python

for bandwidth license you need to use scope id (scope id is somthing like 007c32...), for other software options the serial number (SDSMMEXA123...).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: oldcqr on August 28, 2019, 10:47:46 pm
I thought I had tried all the different Scope ID permutations.  Looks like I didn't.  The one that works is without dashes and leaving any other characters as they are.

For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):

Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on August 29, 2019, 05:48:50 am
...
Example:
If SCOPEID? Returns: 1234-fedc-567b-89a0
then the serial line in the script is:
serial = '1234fedc567b89a0'

Just remove the dashes.  Leave the rest alone.

I've never understood this. Isn't the whole point of computers that they can effortlessly do things like removing dashes from numbers, thus making life easier for everybody?

(apparently not, I've actually written to banking API teams telling them that life would be a lot easier for my customers if they accepted credit card numbers with and without spaces and received corporate-boilerplate replies telling me I need to make it more clear on the web site...)

Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)

Nobody ever reads instructions.

How about getting the slob who wrote the script to fix that?  :popcorn:

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: e0ne199 on September 01, 2019, 11:55:28 am
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.

Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz  SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.

do i need to purchase license to activate bode plot? i see there is a 30 day trial for AWG...i am planning to buy a stand alone AWG, so what should i do?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on September 01, 2019, 12:03:47 pm
bode plot is free, to use the AWG for anything other than bode plot needs the AWG license,
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on September 01, 2019, 12:12:41 pm
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.

Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz  SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.

do i need to purchase license to activate bode plot?
Nope, not at all. Bode plot works plug and play with all Siglent AWG's
Quote
i see there is a 30 day trial for AWG...i am planning to buy a stand alone AWG, so what should i do?
The trial usage only applies to the SAG1021 AWG module for use as an AWG from within the SDS1*04X-E Function Gen inbuilt interface.
You have 2 options, use a Siglent AWG and have simple no hassle Bode Plot usage or attempt to interface another brand AWG so the Bode Plot feature can control the other AWG. It can be done as I've already given you a link in another earlier reply but not everyone wants to have the hassle of converting the control code to get it all to work.

Any/all the examples I've posted of Bode plot use was with a SDG1032X.
Use the forum Search and 'bode plot example tautech' should find them all.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: sdt on September 01, 2019, 11:58:27 pm
I bought an SDS1104X-E last week, and I have all the same version numbers as oldcqr in reply #162

SHELLCMD doesn't seem to do anything from the SCPI interface, but wgoeo's siglent_device_startup.sh script on a usb stick from reply #161 did. Oddly it didn't seem to work every time, but often enough that it wasn't a big deal.

Dumping out the process memory of sds1000b.app didn't seem to reveal any keys. I could find my scopeid and my serial number, but very few 16-character ascii strings, none of which worked.

The updated python script from wgoeo in reply #158 worked perfectly. Bandwidth, wifi, awg & mso all unlocked without any need for telnet or any other out-of-band mods.

(I ended up needing shell access to manually fix my wpa.conf, but that's another story)

Thanks wgoeo & tinhead, and everyone else who has contributed to this thread  :-+
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on September 02, 2019, 07:28:31 pm
I bought an SDS1104X-E last week, and I have all the same version numbers as oldcqr in reply #162

SHELLCMD doesn't seem to do anything from the SCPI interface, but wgoeo's siglent_device_startup.sh script on a usb stick from reply #161 did. Oddly it didn't seem to work every time, but often enough that it wasn't a big deal.

Dumping out the process memory of sds1000b.app didn't seem to reveal any keys. I could find my scopeid and my serial number, but very few 16-character ascii strings, none of which worked.

The updated python script from wgoeo in reply #158 worked perfectly. Bandwidth, wifi, awg & mso all unlocked without any need for telnet or any other out-of-band mods.

(I ended up needing shell access to manually fix my wpa.conf, but that's another story)

Thanks wgoeo & tinhead, and everyone else who has contributed to this thread  :-+

Agreed! I just got a brand new SDS1104X-E and I am a step away from MCBD'ing the 200M key. But I am a bit of a skeptical nature and wanted to know if it would be possible to reverse-downgrade (for whatever reason) the process to 100M key? The TryKeys GitHub comments suggest that this is not possible with MBCD. Did anyone try this? Also after updating does indeed the model name change?

Thank you guys in advance
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: sdt on September 04, 2019, 10:14:46 pm
wanted to know if it would be possible to reverse-downgrade (for whatever reason) the process to 100M key?

It is. Run the MCBD command again with your 100M key and it's back to 100Mhz.

Also after updating does indeed the model name change?

It does. There's screenshots in this thread showing the status page with the updated model code.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 24, 2019, 11:52:51 am
hi guys,
I've read all posts from this topic and I'm impressed.
It seems that all is done regarding this oscilloscope but I have other problem fitting well to this topic. I hope will be interesting for you.

Some time ago I've been in China (8 months in totall of living and working in Shenzhen city). Just before returning to Europe I bought oscilloscope from taobao (chinese ebay). I haven't known about hacking possibility in this time, by the way. I've choosen it because of parameters vs price ratio. Price was 3,1k CNY (~430 USD - current rate). So, cheaper then in Europe but not much. On Chinese market this oscilloscope has little bit different name: SDS1104X-C. I noticed it  but didn't expect that only different between ...X-C nad ...X-E are Chinese language in menu that can't be change to any other:)
I wrote a message to Siglent China with question how to change the language to English but they rid me off and suggested to return device back (it was too late for me because of next day flight). Also Siglent Europe(Netherlands) didn't help me (they even didn't know about ...X-C model exist:)). Only thing I've known from Siglent was that only this model (4ch) SDS1104X has unchangable Chinese language on domestic market. On any other Siglent product you can change language to English:)

Hardware seems to be the same like ...X-E. On the motherboard is a label with SDS1000X-E text. Reading of .ads files works and I can changes firmware. But Operation System updating is disable. I think there is no bootloader in flash. It would be too easy to change from ...X-C to ...X-E I guess.

Information in this topic helped me to (almost) fix this problem. My idea was to locate language files and simply exchange chinese and englishc file names. I did it by following steps:

1. change firmware version to 6.1.25R2 (by loading .ads file)
2. change ip on oscilloscope to 192.168.1.57
3. switche to root by:

telnet 192.168.1.57 5024
SHELLCMD telnetd -l/bin/sh -p9999
---------------------------------------------------------
telnet 192.168.1.57 9999

4. remounte partition to rw by:

mount -o remount,rw ubi2_0 /usr/bin/siglent

5. all languages files are in .xml format and are located in:

/usr/bin/siglent/config/ui_data/

chinese simplified version:

simp_help_info.xml
simp_menu_info.xml
simp_text_info.xml

chinese traditional version:

trad_help_info.xml
trad_menu_info.xml
trad_text_info.xml

english version:

english_help_info.xml
english_menu_info.xml
english_text_info.xml

I copied all above files to USB drive:

/usr/bin/siglent/usr/mass_storage/U-disk0/

then changed names of english... files (under windows) to simp... and trad... and coppied back rom USB to:

/usr/bin/siglent/config/ui_data/

After reboot I seen all menu names in english:)
I was happy but it was working on old firmware 6.1.25R2 so I changed firmware to newest 6.1.33 but with this change language changed back to chinese (logical, because new functions requaier new menu files). Unfortunetly, rooting method, mentioned above isn't work on this firmware version, so I couldn't change language files.

I returned to 6.1.25R2 and repeated procedure but I did HORRIBLE mistake this time: during exchanging files I removed them first from ui_data and then copy form USB but I didn't check the files was in ui_data folder after operation. Probably I did some typo and files didn't copy. After reboot the device has hange up on Siglent logo and can't go next.
I can ping it but SHELLCMD (telnet 192.168.1.57 5024) doesn't work:(
so I lost root access. Only I can do is:

 telnet 192.168.1.57 23

but I don't know root password off course.
This is my story:)


but it isn't end of the world and I have new idea how to resurrect my device by restore dumped memory. I see 2 possibilities:

1. I localized flash memory on the motherboard. It is one chip: 29F2G08ABAEA WP. This is 2Gb nand flash with 8 bit organization. Unfortunetly, this is parallel programming memory so need to be take off from board to programm it directly. Of corse there is special programmer and adapter needed(I can get it).

2. On the motherboard we can find JTAG connector. Main processor is Xilinx Zynq so using Xilinx SDK(https://www.xilinx.com/html_docs/xilinx2019_1/SDK_Doc/SDK_tasks/sdk_t_memory_dump_restore.html (https://www.xilinx.com/html_docs/xilinx2019_1/SDK_Doc/SDK_tasks/sdk_t_memory_dump_restore.html)) and Digilent JTAG-HS3(https://store.digilentinc.com/jtag-hs3-programming-cable/ (https://store.digilentinc.com/jtag-hs3-programming-cable/)) or JTAG-HS2 USB flashing memory throught Jtag should be possible. Another problem could be to confirme that this is for sure JTAG connector and what is the pinout.

I'm wondering could I flash dumped memory from another oscilloscope (...X-E version with different serial number).
I did dump mem from my scope but if I flash it back there will be the same problem with language and bootloader.

I would be grateful if somebody could share with me dumped memory from SDS1104X-E scope (best for me would be OSV1_EN_eevblog with known root password).

What do you think about my idea to fix it and flashing method I'm mentioning? I would be happy for any suggestions or corrections.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Gege34 on September 24, 2019, 12:24:13 pm
On this thread (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2478699/#msg2478699) tv84 (and plurn) give a way to activate telnet on firmware 6.1.33
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 24, 2019, 12:49:15 pm
Thanks for this info. I'll try it on hanging scope first.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 24, 2019, 02:28:32 pm
Thanks for this info. I'll try it on hanging scope first.

First, get control of your machine once again. After that, worry about changing language.

To solve the language problem you should change the scope model from X-C to X-E. Don't go around patching the filesystem.

Maybe you can do it with a simple SCPI command.

PS: If you have any memdump of your machine I would be interested in having a look.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on September 24, 2019, 04:17:20 pm
Thanks for this info. I'll try it on hanging scope first.

First, get control of your machine once again. After that, worry about changing language.

To solve the language problem you should change the scope model from X-C to X-E. Don't go around patching the filesystem.

Maybe you can do it with a simple SCPI command.

PS: If you have any memdump of your machine I would be interested in having a look.

Jus very tiny sidenote for yours this: "Also Siglent Europe(Netherlands) didn't help me (they even didn't know about ...X-C model exist:))."

Siglent Europe(Netherlands) is not Siglent at all. It is one Siglent distributor. (also sell many other equipments but using different domain)

If you need Siglent (manufacturer) help in Europe: Right place is Siglent Technologies Germany GmbH
Web side: https://www.siglenteu.com/ (https://www.siglenteu.com/)

Problem is also factory warranty in EU area. You have model localized for China domestic markets what have warranty only there and its serial number is not in EU area database.

But...    no one can deny when the owner makes "some" changes and modifications at his own risk. ;)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 25, 2019, 08:46:09 am
tv84,
regarding getting control once again, do you think that two ways I mentioned above are only possible or maybe you have another idea how to do this easier?
I sent you memdump to PW.

rf-loop,
you've right. I don't remember how I reached to this contact. I could swear that from siglent.com link but as I'm checking now there is link to Siglent Hamburg.
Regarding warranty, yes I was full aware of it. I expected something like "to solve your problem we need to reflash device. Cost of this operation is ...." I didn't expect any free warranty actions.
But it doesn't metter now because I've gone to hardware mafia already:)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 25, 2019, 09:36:03 am
I don't remember if you can force an FW upgrade while the scope is booting (supported by the bootloader).

Maybe tautech can help in that regard.

Do you have access to serial port? What does that log show?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 25, 2019, 10:16:36 am
I'll try to read log in the evening. Will let you know.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 25, 2019, 06:40:46 pm
serial transmition work with baudrate 115200kbps. It seems that I can write commands also.

here are
Code: [Select]
df command response:

Code: [Select]
df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                29868     29868         0 100% /
devtmpfs                110060         0    110060   0% /dev
none                    118348         0    118348   0% /tmp
ubi1_0                   29816     14388     15428  48% /usr/bin/siglent
ubi2_0                    5848        72      5776   1% /usr/bin/siglent/firmdata0
ubi0_0                   84752       280     84472   0% /usr/bin/siglent/usr
/dev/sda1             15711208     31136  15680072   0% /usr/bin/siglent/usr/mass_storage/U-disk0
/ #




here are the logs:

1.Booting of scope

Code: [Select]
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.


U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)

Board: Xilinx Zynq
I2C:   ready
DRAM:  ECC disabled 243 MiB
NAND:  256 MiB
MMC:   zynq_sdhci: 0
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
 [INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net:   Gem.e000b000
Hit any key to stop autoboot:  0
(Re)start USB...
USB0:   USB EHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
USB1:   ULPI request timed out
zynq ULPI viewport init failed
lowlevel init failed
       scanning usb for storage devices... 0 Storage Device(s) found
Copying Linux from USB to RAM...
** Bad device usb 0 **
** Bad device usb 0 **
Copying Linux from NAND flash to RAM...

NAND read: device 0 offset 0x780000, size 0x400000
 4194304 bytes read: OK

NAND read: device 0 offset 0xb80000, size 0x80000
 524288 bytes read: OK
## Booting kernel from Legacy Image at 02080000 ...
   Image Name:   Linux-3.19.0-xilinx-svn8988
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    3614680 Bytes = 3.4 MiB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 02000000
   Booting using the fdt blob at 0x2000000
EHCI failed to shut down host controller.
   Loading Kernel Image ... OK
   Loading Device Tree to 0e00d000, end 0e013e8b ... OK

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 3.19.0-xilinx-svn8988 (david@david-virtual-machine) (gcc version 4.6.1 (Sourcery CodeBench Lite 2011.09-50) ) #187 SMP PREEMPT Wed Feb 28 18:55:09 CST 2018
[    0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Zynq Zed Development Board
[    0.000000] cma: Reserved 16 MiB at 0x0d000000
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] PERCPU: Embedded 9 pages/cpu @4edf2000 s8128 r8192 d20544 u36864
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 60960
[    0.000000] Kernel command line: console=ttyPS0,115200 root=/dev/mtdblock5 rootfstype=cramfs init=/linuxrc earlyprintk uboot_version=08
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Memory: 220120K/245760K available (4514K kernel code, 229K rwdata, 1748K rodata, 192K init, 223K bss, 9256K reserved, 16384K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0x4f800000 - 0xff000000   (2808 MB)
[    0.000000]     lowmem  : 0x40000000 - 0x4f000000   ( 240 MB)
[    0.000000]     pkmap   : 0x3fe00000 - 0x40000000   (   2 MB)
[    0.000000]     modules : 0x3f000000 - 0x3fe00000   (  14 MB)
[    0.000000]       .text : 0x40008000 - 0x40625c7c   (6264 kB)
[    0.000000]       .init : 0x40626000 - 0x40656000   ( 192 kB)
[    0.000000]       .data : 0x40656000 - 0x4068f620   ( 230 kB)
[    0.000000]        .bss : 0x4068f620 - 0x406c74c4   ( 224 kB)
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000] RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
[    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] L2C: platform modifies aux control register: 0x72360000 -> 0x72760000
[    0.000000] L2C: DT/platform modifies aux control register: 0x72360000 -> 0x72760000
[    0.000000] L2C-310 erratum 769419 enabled
[    0.000000] L2C-310 enabling early BRESP for Cortex-A9
[    0.000000] L2C-310 full line of zeros enabled for Cortex-A9
[    0.000000] L2C-310 ID prefetch enabled, offset 1 lines
[    0.000000] L2C-310 dynamic clock gating enabled, standby mode enabled
[    0.000000] L2C-310 cache controller enabled, 8 ways, 512 kB
[    0.000000] L2C-310: CACHE_ID 0x410000c8, AUX_CTRL 0x76760001
[    0.000000] slcr mapped to 4f804000
[    0.000000] zynq_clock_init: clkc starts at 4f804100
[    0.000000] Zynq clock init
[    0.000011] sched_clock: 64 bits at 333MHz, resolution 3ns, wraps every 3298534883328ns
[    0.000137] timer #0 at 4f806000, irq=17
[    0.000507] Console: colour dummy device 80x30
[    0.000528] Calibrating delay loop... 1332.01 BogoMIPS (lpj=6660096)
[    0.090280] pid_max: default: 32768 minimum: 301
[    0.090439] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.090454] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.091117] CPU: Testing write buffer coherency: ok
[    0.091334] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.091420] Setting up static identity map for 0x441b50 - 0x441ba8
[    0.240268] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
[    0.240353] Brought up 2 CPUs
[    0.240373] SMP: Total of 2 processors activated (2664.03 BogoMIPS).
[    0.240382] CPU: All CPU(s) started in SVC mode.
[    0.240922] devtmpfs: initialized
[    0.241765] VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
[    0.247861] NET: Registered protocol family 16
[    0.250053] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.281232] cpuidle: using governor ladder
[    0.311198] cpuidle: using governor menu
[    0.319920] hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
[    0.319937] hw-breakpoint: maximum watchpoint size is 4 bytes.
[    0.320085] zynq-ocm f800c000.ocmc: ZYNQ OCM pool: 256 KiB @ 0x4f880000
[    0.338397] vgaarb: loaded
[    0.338845] SCSI subsystem initialized
[    0.339258] usbcore: registered new interface driver usbfs
[    0.339354] usbcore: registered new interface driver hub
[    0.339533] usbcore: registered new device driver usb
[    0.339696] phy0 supply vcc not found, using dummy regulator
[    0.339788] phy1 supply vcc not found, using dummy regulator
[    0.339918] --------------usb_udc_init ------
[    0.340147] pps_core: LinuxPPS API ver. 1 registered
[    0.340160] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.340211] PTP clock support registered
[    0.340340] EDAC MC: Ver: 3.0.0
[    0.342110] cfg80211: Calling CRDA to update world regulatory domain
[    0.342491] Switched to clocksource arm_global_timer
[    0.355818] NET: Registered protocol family 2
[    0.356660] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.356711] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.356769] TCP: Hash tables configured (established 2048 bind 2048)
[    0.356821] TCP: reno registered
[    0.356837] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.356871] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.357079] NET: Registered protocol family 1
[    0.357408] RPC: Registered named UNIX socket transport module.
[    0.357421] RPC: Registered udp transport module.
[    0.357430] RPC: Registered tcp transport module.
[    0.357439] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.359295] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.360980] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.362084] io scheduler noop registered
[    0.362106] io scheduler deadline registered
[    0.362157] io scheduler cfq registered (default)
[    0.364345] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[    0.364368] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[    0.364875] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[    0.943761] console [ttyPS0] enabled
[    0.947945] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[    0.954721] [drm] Initialized drm 1.1.0 20060810
[    0.967430] brd: module loaded
[    0.974577] loop: module loaded
[    0.985927] libphy: MACB_mii_bus: probed
[    1.062680] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[    1.072565] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[    1.083970] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.090420] ehci-pci: EHCI PCI platform driver
[    1.095032] usbcore: registered new interface driver usbtmc
[    1.100611] usbcore: registered new interface driver usb-storage
[    1.106791] e0002000.usb supply vbus not found, using dummy regulator
[    1.113516] ci_hdrc ci_hdrc.0: EHCI Host Controller
[    1.118334] ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
[    1.142513] ci_hdrc ci_hdrc.0: USB 2.0 started, EHCI 1.00
[    1.148689] hub 1-0:1.0: USB hub found
[    1.152388] hub 1-0:1.0: 1 port detected
[    1.156845] e0003000.usb supply vbus not found, using dummy regulator
[    1.165041] i2c /dev entries driver
[    1.169306] cdns-i2c e0005000.i2c: 20 kHz mmio e0005000 irq 144
[    1.176565] zynq-edac f8006000.memory-controller: ecc not enabled
[    1.182821] Xilinx Zynq CpuIdle Driver started
[    1.187860] ledtrig-cpu: registered to indicate activity on CPUs
[    1.193949] usbcore: registered new interface driver r8188eu
[    1.200381] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xda
[    1.206679] nand: Micron MT29F2G08ABAEAWP
[    1.210650] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    1.218244] nand: WARNING: pl353-nand: the ECC used on your system is too weak compared to the one required by the NAND chip
[    1.229708] Bad block table found at page 131008, version 0x01
[    1.235969] Bad block table found at page 130944, version 0x01
[    1.242072] 11 ofpart partitions found on MTD device pl353-nand
[    1.247919] Creating 11 MTD partitions on "pl353-nand":
[    1.253229] 0x000000000000-0x000000780000 : "fsbl"
[    1.259101] 0x000000780000-0x000000b80000 : "kerneldata"
[    1.265424] 0x000000b80000-0x000000c00000 : "device-tree"
[    1.271702] 0x000000c00000-0x000001100000 : "Manufacturedata"
[    1.278368] 0x000001100000-0x000001600000 : "reserved1"
[    1.284559] 0x000001600000-0x000003e00000 : "rootfs"
[    1.290488] 0x000003e00000-0x000004800000 : "firmdata0"
[    1.296687] 0x000004800000-0x000007000000 : "siglent"
[    1.302875] 0x000007000000-0x00000d400000 : "datafs"
[    1.308928] 0x00000d400000-0x00000fc00000 : "upgrade_cramdisk"
[    1.315809] 0x00000fc00000-0x000010000000 : "reserved2"
[    1.324085] TCP: cubic registered
[    1.327329] NET: Registered protocol family 17
[    1.331766] lib80211: common routines for IEEE802.11 drivers
[    1.337774] Registering SWP/SWPB emulation handler
[    1.349485] cramfs_fill_nand blocks is 320-----------------------
[    1.349485]
[    1.349485]
[    1.349485]
[    1.362746] VFS: Mounted root (cramfs filesystem) readonly on device 31:5.
[    1.369593] devtmpfs: mounted
[    1.372790] Freeing unused kernel memory: 192K (40626000 - 40656000)
[    1.482595] usb 1-1: new high-speed USB device number 2 using ci_hdrc
[    1.633815] hub 1-1:1.0: USB hub found
[    1.637694] hub 1-1:1.0: 3 ports detected
Starting rcS...
 Mounting filesystem
[    1.798962] UBI-0: ubi_attach_mtd_dev:attaching mtd8 to ubi0
[    2.201038] UBI-0: scan_all:scanning is finished
 40
[    2.760356] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[    2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[    2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[    2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[    2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[    2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[    2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[    2.943197] UBIFS: recovery needed
 2.760356] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[    2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[    2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[    2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[    2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[    2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[    2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[    2.943197] UBIFS: recovery needed
h_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[    2.674601] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
, name "siglent", R/O mode
[    2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[    2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[    2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[    2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[    2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[    3.025920] UBIFS: recovery completed
[    3.029594] UBIFS: mounted UBI device 0, volume 0, name "rootfs"
[    3.035545] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    3.044644] UBIFS: FS size: 94597120 bytes (90 MiB, 745 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[    3.054276] UBIFS: reserved for root: 0 bytes (0 KiB)
[    3.059305] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C886A817-B838-46DF-AE16-F9920045A7D7, small LPT model
Upgrade start
 Configure eth0
Starting mdev
[    2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[    2.943197] UBIFS: recovery needed
h_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[    2.674601] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
8 KiB), LEB size: 126976 bytes
[    2.478605] UBI-1: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.487104] UBI-1: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.495793] UBI-1: ubi_attach_mtd_dev:good PEBs: 320, bad PEBs: 0, corrupted PEBs: 0
[    2.503509] UBI-1: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.512435] UBI-1: ubi_attach_mtd_dev:max/mean erase counter: 13/9, WL threshold: 4096, image sequence number: 1819264682
[    2.523399] UBI-1: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 320, PEBs reserved for bad PEB handling:[    4.045576] xilinx-dma 40400000.dma: Probing xilinx axi dma engine...Successful
[    4.087569] sigdma_init++++++
[    4.111420] siglentkb probe
[    4.114484] ##### siglentkb registers 4fc1e580 4fc365a4 4fc385b8
[    4.139471] usbcore: registered new interface driver mt7601u
[    4.152355] irq = 170
config read
###### Config vdma for wave transform #######
config write
config read
dump s2mm registers
dump mm2s registers
####### done! ########
Config vnc  data to memory
Config done!
#### siglentkb registers 4fc1e580 4fc365a4 4fc385b8
[    4.139471] usbcore: regis[    4.371815] UBIFS: background thread "ubifs_bgt1_0" started, PID 778
ln: /usr/bin/siglent/config/www/web_img/usr: File exists
Starting Lighttpd Web Server: Initializing framebuffer device /dev/fb0...
xres=800, yres=480, xresv=800, yresv=480, xoffs=0, yoffs=0, bpp=16
Initializing touch device /dev/input/event0 ...
Initializing VNC server:
width:  800
height: 480
bpp:    16
port:   5900
Initializing server...
01/01/1970 00:00:04 Listening for VNC connections on TCP port 5900
[    4.504615] random: lighttpd urandom read with 17 bits of entropy available
lighttpd.
[    4.643624] UBIFS: background thread "ubifs_bgt1_0" stops
rcS Complete

Processing /etc/profile... Done

/ # [INFO]:calibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory

                                                       $Task start:: SCPI
 
                                                       $Task start:: Devce
 
                                                       $Task start:: WLAN
 
                                                       $Task start:: Udisk&Lan
 vxi11_main = 6821.64

                                                       $Task start:: Vxi11_client
sh: write error: Invalid argument
 drv_instance_manage_t: produce_id: 13501
(DRV_PRODUCT_PIKACHU)
_drv_product=4
acq_scal_user = -1.000000
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
[    7.232355] export_store: invalid GPIO 115
sh: write error: Invalid argument
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
scpi_register_cmd_boardtest
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml  not exist

                                                       $Task start:: UI
ifconfig: SIOCGIFFLAGS: No such device
 
                                                       $Task start:: awg_thread
 mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interrupt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - telnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_threa[   10.912150] Free all channel resources.
d
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds100[   10.919150] Free all channel resources.
0b.app: mempool.h:81: MemoryChunk::~MemoryChunk(): Assertion `tempcount==count' failed.


2. Booting of scope with OS stored in external USB drive

Code: [Select]
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.


U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)

Board: Xilinx Zynq
I2C:   ready
DRAM:  ECC disabled 243 MiB
NAND:  256 MiB
MMC:   zynq_sdhci: 0
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
 [INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net:   Gem.e000b000
Hit any key to stop autoboot:  0
(Re)start USB...
USB0:   USB EHCI 1.00
scanning bus 0 for devices... 3 USB Device(s) found
USB1:   ULPI request timed out
zynq ULPI viewport init failed
lowlevel init failed
       scanning usb for storage devices... 1 Storage Device(s) found
Copying Linux from USB to RAM...
** Invalid partition 1 **
** Invalid partition 1 **
Copying Linux from NAND flash to RAM...

NAND read: device 0 offset 0x780000, size 0x400000
 4194304 bytes read: OK

NAND read: device 0 offset 0xb80000, size 0x80000
 524288 bytes read: OK
## Booting kernel from Legacy Image at 02080000 ...
   Image Name:   Linux-3.19.0-xilinx-svn8988
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    3614680 Bytes = 3.4 MiB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 02000000
   Booting using the fdt blob at 0x2000000
EHCI failed to shut down host controller.
   Loading Kernel Image ... OK
   Loading Device Tree to 0e00d000, end 0e013e8b ... OK

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
 enabled
 0.356649] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[    0.356810] TCP: reno registered
[    0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.357070] NET: Registered protocol family 1
[    0.357416] RPC: Registered named UNIX socket transport module.
[    0.357429] RPC: Registered udp transport module.
[    0.357438] RPC: Registered tcp transport module.
[    0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.362068] io scheduler noop registered
[    0.362090] io scheduler deadline registered
[    0.362140] io scheduler cfq registered (default)
[    0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[    0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[    0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[    0.943655] console [ttyPS0] enabled
[    0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[    0.954616] [drm] Initialized drm 1.1.0 20060810
[    0.967322] brd: module loaded
[    0.974502] loop: module loaded
[    0.985953] libphy: MACB_mii_bus: probed
[    1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[    1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[    1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[    0.356810] TCP: reno registered
[    0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.357070] NET: Registered protocol family 1
[    0.357416] RPC: Registered named UNIX socket transport module.
[    0.357429] RPC: Registered udp transport module.
[    0.357438] RPC: Registered tcp transport module.
[    0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.362068] io scheduler noop registered
[    0.362090] io scheduler deadline registered
[    0.362140] io scheduler cfq registered (default)
[    0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[    0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[    0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[    0.943655] console [ttyPS0] enabled
[    0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[    0.954616] [drm] Initialized drm 1.1.0 20060810
[    0.967322] brd: module loaded
[    0.974502] loop: module loaded
[    0.985953] libphy: MACB_mii_bus: probed
[    1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[    1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[    1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.090186] ehci-pci: EHCI driver usb
[    0.339429] phy0 supply vcc not found, using dummy regulator
[    0.339536] phy1 supply vcc not found, using dummy regulator
[    0.339670] --------------usb_udc_init ------
[    0.339897] pps_core: LinuxPPS API ver. 1 registered
[    0.339911] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.339967] PTP clock support registered
[    0.340296] EDAC MC: Ver: 3.0.0
[    0.341900] cfg80211: Calling CRDA to update world regulatory domain
[    0.342332] Switched to clocksource arm_global_timer
[    0.355865] NET: Registered protocol family 2
48 (order: 1, 8192 bytes)
[    0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[    0.356810] TCP: reno registered
[    0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.357070] NET: Registered protocol family 1
[    0.357416] RPC: Registered named UNIX socket transport module.
[    0.357429] RPC: Registered udp transport module.
[    0.357438] RPC: Registered tcp transport module.
[    0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.362068] io scheduler noop registered
[    0.362090] io scheduler deadline registered
[    0.362140] io scheduler cfq registered (default)
[    0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[    0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[    0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[    0.943655] console [ttyPS0] enabled
[    0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[    0.954616] [drm] Initialized drm 1.1.0 20060810
[    0.967322] brd: module loaded
[    0.974502] loop: module loaded
[    0.985953] libphy: MACB_mii_bus: probed
[    1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[    1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[    1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.090186] ehci-pci: EHCI driver usb
[    0.339429] phy0 supply vcc not found, using dummy regulator
[    0.339536] phy1 supply vcc not found, using dummy regulator
[    0.339670] --------------usb_udc_init ------
[    0.339897] pps_core: LinuxPPS API ver. 1 registered
[    0.339911] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.339967] PTP clock support registered
[    0.340296] EDAC MC: Ver: 3.0.0
[    0.341900] cfg80211: Calling CRDA to update world regulatory domain
[    0.342332] Switched to clocksource arm_global_timer
[    0.355865] NET: Registered protocol family 2
[   tch enabled, offset 1 lines
[    0.000000] L2C-310 dynamic clock gating enabled, standby mode PCI platform driver
[    1.094784] usbcore: registered new interface driver usbtmc
[    1.100365] usbcore: registered new interface driver usb-storage
[    1.106534] e0002000.usb supply vbus not found, using dummy regulator
[    1.113235] ci_hdrc ci_hdrc.0: EHCI Host Controller
[    1.118047] ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
[    1.142353] ci_hdrc ci_hdrc.0: USB 2.0 started, EHCI 1.00
[    1.148519] hub 1-0:1.0: USB hub found
[    1.152214] hub 1-0:1.0: 1 port detected
[    1.156695] e0003000.usb supply vbus not found, using du2c: 20 kHz mmio e0005000 irq 144
[    1.176481] zynq-edac f8006000.memory-controller: ecc not enabled
[    1.182760] Xilinx Zynq CpuIdle Driver started
[    1.187808] ledtrig-cpu: registered to indicate activity on CPUs
[    1.193902] usbcore: registered new interface driver r8188eu
[    1.200310] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xda
[    1.206606] nand: Micron MT29F2G08ABAEAWP
[    1.210572] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    1.218145] nand: WARNING: pl353-nand: the ECC used on your system is too weak compared to the one required by the NAND chip
[    1.229703] Bad block table found at page 131008, version 0x01
[    1.235974] Bad block table found at page 130944, version 0x01
[    1.242082] 11 ofpart partitions found on MTD device pl353-nand
[    1.247931] Creating 11 MTD partitions on "pl353-nand":
[    1.253145] 0x000000000000-0x000000780000 : "fsbl"
[    1.259061] 0x000000780000-0x000000b80000 : "kerneldata"
[    1.265382] 0x000000b80000-0x000000c00000 : "device-tree"
[    1.271670] 0x000000c00000-0x000001100000 : "Manufacturedata"
[    1.278360] 0x000001100000-0x000001600000 : "reserved1"
[    1.284536] 0x000001600000-0x000003e00000 : "rootfs"
[    1.290490] 0x000003e00000-0x000004800000 : "firmdata0"
[    1.296725] 0x000004800000-0x000007000000 : "siglent"
[    1.302817] 0x000007000000-0x00000d400000 : "datafs"
[    1.308894] 0x00000d400000-0x00000fc00000 : "upgrade_cramdisk"
[    1.315820] 0x00000fc00000-0x000010000000 : "reserved2"
[    1.324034] TCP: cubic registered
[    1.327276] NET: Registered protocol family 17
[    1.331716] lib80211: common routines for IEEE802.11 drivers
[    1.337825] Registering SWP/SWPB emulation handler
[    1.349593] cramfs_fill_nand blocks is 320-----------------------
[    1.349593]
[    1.349593]
[    1.349593]
[    1.363081] VFS: Mounted root (cramfs filesystem) readonly on device 31:5.
[    1.369933] devtmpfs: mounted
[    1.373116] Freeing unused kernel memory: 192K (40626000 - 40656000)
[    1.472440] usb 1-1: new high-speed USB device number 2 using ci_hdrc
[    1.623754] hub 1-1:1.0: USB hub found
[    1.627935] hub 1-1:1.0: 3 ports detected
Starting rcS...
 Mounting filesystem
[    1.804378] UBI-0: ubi_attach_mtd_dev:attaching mtd8 to ubi0
[    2.206471] UBI-0: scan_all:scanning is finished
[    2.218867] UBI-0: ubi_attach_mtd_dev:attached mtd8 (name "datafs", size 100 MiB)
[    2.226325] UBI-0: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    2.234884] UBI-0: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.243387] UBI-0: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.252052] UBI-0: ubi_attach_mtd_dev:good PEBs: 800, bad PEBs: 0, corrupted PEBs: 0
[    2.259802] UBI-0: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.268735] UBI-0: ubi_attach_mtd_dev:max/mean erase counter: 10/4, WL threshold: 4096, image sequence number: 950638423
[    2.279582] UBI-0: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 800, PEBs reserved for bad PEB handling: 40
[    2.290534] UBI-0: ubi_thread:background thread "ubi_bgt0d" started, PID 662
[    2.294871] UBI-1: ubi_attach_mtd_dev:attaching mtd7 to ubi1
[    2.456155] UBI-1: scan_all:scanning is finished
[    2.467921] UBI-1: ubi_attach_mtd_dev:attached mtd7 (name "siglent", size 40 MiB)
[    2.475371] UBI-1: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    2.483930] UBI-1: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.492433] UBI-1: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.501232] UBI-1: ubi_attach_mtd_dev:good PEBs: 320, bad PEBs: 0, corrupted PEBs: 0
[    2.508958] UBI-1: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.517855] UBI-1: ubi_attach_mtd_dev:max/mean erase counter: 13/9, WL threshold: 4096, image sequence number: 1819264682
[    2.528786] UBI-1: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 320, PEBs reserved for bad PEB handling: 40
[    2.539818] UBI-1: ubi_thread:background thread "ubi_bgt1d" started, PID 666
[    2.544307] UBI-2: ubi_attach_mtd_dev:attaching mtd6 to ubi2
[    2.586871] UBI-2: scan_all:scanning is finished
[    2.597656] UBI-2 warning: print_rsvd_warning: cannot reserve enough PEBs for bad PEB handling, reserved 9, need 40
[    2.608741] UBI-2: ubi_attach_mtd_dev:attached mtd6 (name "firmdata0", size 10 MiB)
[    2.616346] UBI-2: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    2.624925] UBI-2: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.633428] UBI-2: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.642096] UBI-2: ubi_attach_mtd_dev:good PEBs: 80, bad PEBs: 0, corrupted PEBs: 0
[    2.649747] UBI-2: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.658688] UBI-2: ubi_attach_mtd_dev:max/mean erase counter: 10/6, WL threshold: 4096, image sequence number: 1777018790
[    2.669646] UBI-2: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[    2.680416] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
[    2.742578] usb 1-1.2: new high-speed USB device number 3 using ci_hdrc
[    2.767135] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[    2.774059] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.783150] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[    2.792774] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.797803] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[    2.874537] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[    2.881260] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.890386] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[    2.895761] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[    2.899916] scsi host0: usb-storage 1-1.2:1.0
[    2.910329] UBIFS: reserved for root: 0 bytes (0 KiB)
[    2.915380] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[    2.929148] UBIFS: background thread "ubifs_bgt0_0" started, PID 682
[    2.960826] UBIFS: recovery needed
[    3.026853] UBIFS: recovery completed
[    3.030538] UBIFS: mounted UBI device 0, volume 0, name "rootfs"
[    3.036487] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    3.045634] UBIFS: FS size: 94597120 bytes (90 MiB, 745 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[    3.055228] UBIFS: reserved for root: 0 bytes (0 KiB)
[    3.060251] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C886A817-B838-46DF-AE16-F9920045A7D7, small LPT model
Upgrade start
 Configure eth0
Starting mdev
[    3.893675] scsi 0:0:0:0: Direct-Access     Generic  Flash-Disk       1.09 PQ: 0 ANSI: 2
[    3.904053] sd 0:0:0:0: Attached scsi generic sg0 type 0
[    3.909788] sd 0:0:0:0: [sda] 15728640 512-byte logical blocks: (8.05 GB/7.50 GiB)
[    3.919526] sd 0:0:0:0: [sda] Write Protect is off
[    3.926123] sd 0:0:0:0: [sda] No Caching mode page found
[    3.931375] sd 0:0:0:0: [sda] Assuming drive cache: write through
[    3.945598]  sda:
[    3.953257] sd 0:0:0:0: [sda] Attached SCSI removable disk
[    4.106171] xilinx-dma 40400000.dma: Probing xilinx axi dma engine...Successful
[    4.132424] xilinx-vdma 43010000.dma: Xilinx AXI VDMA Engine Driver Probed!!
[    4.148108] sigdma_init++++++
[    4.171856] siglentkb probe
[    4.174840] ##### siglentkb registers 4fc3c580 4fc3e5a4 4fc525b8
[    4.201999] usbcore: registered new interface driver mt7601u
[    4.215120] irq = 170
config read
###### Config vdma for wave transform #######
config write
config read
dump s2mm registers
dump mm2s registers
####### done! ########
Config vnc  data to memory
Config done!
[    4.434381] UBIFS: background thread "ubifs_bgt1_0" started, PID 792
ln: /usr/bin/siglent/config/www/web_img/usr: File exists
Starting Lighttpd Web Server: Initializing framebuffer device /dev/fb0...
xres=800, yres=480, xresv=800, yresv=480, xoffs=0, yoffs=0, bpp=16
Initializing touch device /dev/input/event0 ...
Initializing VNC server:
width:  800
height: 480
bpp:    16
port:   5900
Initializing server...
01/01/1970 00:00:04 Listening for VNC connections on TCP port 5900
[    4.619329] random: lighttpd urandom read with 27 bits of entropy available
lighttpd.
[    4.757138] UBIFS: background thread "ubifs_bgt1_0" stops
rcS Complete

Processing /etc/profile... Done

/ # [    5.064577] macb e000b000.ethernet eth0: link up (100/Full)
[INFO]:calibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory

                                                       $Task start:: SCPI
 
                                                       $Task start:: Devce
 
                                                       $Task start:: WLAN
 vxi11_main = 6861.09

                                                       $Task start:: Udisk&Lan
sh: write error: Invalid argument
 
                                                       $Task start:: Vxi11_client
 drv_instance_manage_t: produce_id: 13501[    6.916941] FAT-fs (sda): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.

(DRV_PRODUCT_PIKACHU)
_drv_product=4
acq_scal_user = -1.000000
eth0 on

[    6.984507] device eth0 entered promiscuous mode
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
[    7.336193] export_store: invalid GPIO 115
sh: write error: Invalid argument
scpi_register_cmd_boardtest
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml  not exist

                                                       $Task start:: UI
ifconfig: SIOCGIFFLAGS: No such device
 
                                                       $Task start:: awg_thread
 mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interrupt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - telnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_thread
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds1000b.app: mempool.h:81: MemoryChunk::~M[   11.072046] Free all channel resources.
emoryChunk(): Assertion `tempcount==count' failed.
tempcount=0,[   11.077790] Free all channel resources.


3. Start sds1000b.app commnd

Code: [Select]
/usr/bin/siglent/sds1000b.app &
[1]-  Aborted                    /usr/bin/siglent/sds1000b.app
/ #
/ # [INFO]:calibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory

                                                       $Task start:: SCPI
route: SIOCADDRT: File exists
 
                                                       $Task start:: Devce
sh: write error: Device or resource busy
sh: write error: Device or resource busy
sh: write error: Device or resource busy
sh: write error: Device or resource busy
 vxi11_main = 1.89248e+06
drv_instance_manage_t: produce_id: 13501
(DRV_PRODUCT_PIKACHU)
_drv_product=4

                                                       $Task start:: WLAN
 
                                                       $Task start:: Udisk&Lan
 acq_scal_user = -1.000000

                                                       $Task start:: Vxi11_client
[ 1892.568522] export_store: invalid GPIO 115
sh: write error: Invalid argument
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
 open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
scpi_register_cmd_boardtest
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml  not exist

                                                       $Task start:: UI
 mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interru[ 1894.929648] Free all channel resources.
pt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - te[ 1894.937666] Free all channel resources.
lnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_thread
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds1000b.app: mempool.h:81: MemoryChunk::~MemoryChunk(): Assertion `tempcount==count' failed.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 25, 2019, 09:08:21 pm
So, you can place back the missing files, right?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 26, 2019, 07:24:21 am
turned out that languages files are on right place. ???
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on September 26, 2019, 02:02:27 pm
Thank you for all this work! I would be interested if anyone really measured the bandwidth after this "upgrade" that merely shows a different Siglent product which is capable of 200MHz. Just seeing a different model name is not really convincing! No one in this forum has posted a sweep up to 200MHz before and after the hack. Could someone please do so to satisfy my curiosity but more importantly the fact that this upgrade indeed is valid?

Thanks
Lutz
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 26, 2019, 02:15:18 pm
No one in this forum has posted a sweep up to 200MHz before and after the hack. Could someone please do so to satisfy my curiosity but more importantly the fact that this upgrade indeed is valid?

There are plenty of those validations in the right threads. You just didn't search enough. No need to start over that theme.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 26, 2019, 02:17:27 pm
turned out that languages files are on right place. ???

 :o  :o
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on September 27, 2019, 02:33:51 am
Indeed, my bad - sorry. I found the validations in a different thread.
Thanks
Lutz
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 27, 2019, 12:26:14 pm
I'm a little bit farther with my work:)

Using UART interface there is an option to stop autoboot by taping any key during starting of scope.

Code: [Select]
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.


U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)

Board: Xilinx Zynq
I2C:   ready
DRAM:  ECC disabled 243 MiB
NAND:  256 MiB
MMC:   zynq_sdhci: 0
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
 [INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net:   Gem.e000b000
Hit any key to stop autoboot:  0

I'm using putty (serial mode) to tapping any key. This giving me access to uboot command line. Using uboot it is possible to read and write NAND memory without any limits.

here is uboot commands list:

Code: [Select]
zynq-uboot> help
?       - alias for 'help'
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bootvx  - Boot vxWorks from an ELF image
bootz   - boot Linux zImage image from memory
clk     - CLK sub-system
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dfu     - Device Firmware Upgrade
dhcp    - boot image via network using DHCP/TFTP protocol
echo    - echo args to console
editenv - edit environment variable
env     - environment handling commands
exit    - exit script
ext2load- load binary file from a Ext2 filesystem
ext2ls  - list files in a directory (default /)
ext4load- load binary file from a Ext4 filesystem
ext4ls  - list files in a directory (default /)
ext4write- create a file in the root directory
false   - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fatwrite- write file into a dos filesystem
fdt     - flattened device tree utility commands
fpga    - loadable FPGA image support
go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
icache  - enable or disable instruction cache
iminfo  - print header information for application image
imxtract- extract a part of a multi-image
itest   - return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loadx   - load binary file over serial line (xmodem mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mdio    - MDIO utility commands
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
showvar - print local hushshell variables
sleep   - delay execution for some time
source  - run script from memory
spl     - SPL configuration
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
thordown- TIZEN "THOR" downloader
true    - do nothing, successfully
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version

using it I've updated OS manually. All necessery comands and adresses for uboot are in sds1004x_e_udiskEnv.txt file from official siglent SDS1004X-E_OSV1_EN pack. All need to be done is putting files(uImage, devicetree.dtb, rootfs.cramfs) to USB drive, insert it to scope and  mount by command:

usb start

and then flash files to nand by:

Code: [Select]
if fatload usb 0 0x100000 uImage; then nand erase 0x780000 0x400000;nand write 0x100000 0x780000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi
if fatload usb 0 0x100000 devicetree.dtb; then nand erase 0xB80000 0x80000;nand write 0x100000 0xB80000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi
if fatload usb 0 0x100000 rootfs.cramfs; then nand erase 0x1600000 0x2800000;nand write 0x100000 0x1600000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi

I've done it, but my scope still can't start sds1000b.app
Probably the mess is somewhere else. Maybe flash of others files (firmdata0.img, siglent.img, datafs.img) from sds1004x_e_udiskEnv.txt would fix this problem but I don't have them.  Seems like this data are included in .ads firmware file. In my case I can't use .ads file before sds1000b.app starting.

In fact I have memdump.bin file with all data inside but I'm scare to erase all NAND content(including uboot) and then flash it because comparinng contents of dump with OS pack files I see some differences: e.g.
begining of uImage file should be on address 0x780000 regarding sds1004x_e_udiskEnv.txt but this content in dump file are started in two points: 0x2080000 and 0x6B7C000

devicetree.dtb:
sds1004x_e_udiskEnv.txt -> 0xB80000
memdump.bin -> 0x2000000 and 0x6AFC000

rootfs.cramfs:
sds1004x_e_udiskEnv.txt -> 0x1600000
memdump.bin -> 0xEA27000

I'm not sure is my logic correct?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2019, 12:45:30 pm
Probably the mess is somewhere else. Maybe flash of others files (firmdata0.img, siglent.img, datafs.img) from sds1004x_e_udiskEnv.txt would fix this problem but I don't have them.  Seems like this data are included in .ads firmware file. In my case I can't use .ads file before sds1000b.app starting.

Don't flash the whole NAND!

You've done a great job. Just continue with it, methodically.

Later today I'll decrypt those .ADS where you can extract the .img files. Then you can flash them individually.

Which was the FW version that you had in the scope?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 27, 2019, 01:22:16 pm
Thanks in advance. I have 6.1.25R2 now.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 27, 2019, 04:52:59 pm
tv84

it works:)

I found "siglent" backup folder and replaced files manually.
After this operation sds1000b.app got up. I updated to .33 version and did trick with language files names using putty serial(it works exactly like a root).
Now it's ok. Scope is fully unlocked with english language.

thanks for help. I hope our conversation can help others also. This serial access to root and uboot is pretty interesting. I'm wondering is this option also on others siglent devices.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 27, 2019, 07:00:19 pm
it works:)

What's the answer to this SCPI command?

MD5_PR?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 28, 2019, 03:35:00 pm
SDS1000X-E
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 28, 2019, 03:48:38 pm
So, can you simply update with the latest FW and it will stay in english? Or does it revert to chinese?

Besides the label on the scope box, where do you see the "X-C" reference? (in what screen/menu)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on September 28, 2019, 05:56:10 pm
No need to start over that theme.

You are absolutely right, there is no need to warm up old stories. To my excuse, I wasn't aware of them. Nonetheless, I am attaching the max. DFT's (direct 50 Ohm BNC-T terminated) of a 50-400MHz sweep from the VCO of a "Geekcreit® Spectrum Analyzer USB LTDZ 35-4400M" from Banggood - before and after the hack. Its an absolute Bobby Dazzler  ;D. A different can of worms seems to be the questions of what probes to use now. I know there is tons of material on the EEVBlog forums and comprehensive reviews, so I will find my way.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on September 29, 2019, 04:01:34 pm
After updating FW language is changing back to Chinese.

I see X-C label on scope info screen with versions.
Also *IND? command return X-C model name.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on September 29, 2019, 04:42:03 pm
Also *IND? command return X-C model name.

Try this command and report:

MD5_PR SDS1000X-E  (you have already told me this one outputs X-E...)

See what is the output of this one:

PROD?

Then do:

PROD SDS1000X-E (or similar)

Show these  ones:

LAGG?      
LANG?   
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on September 30, 2019, 01:17:09 pm
LANG is for scope
LAGG is for AWG
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on October 02, 2019, 07:55:48 am
I'm not sure that changing model name is possible by SCPI.

PROD?
PROD MODEL,SDS1000X-E,BAND,25MHZ

LAGG?
LAGG CH

LANG?
LANG SC
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vtwin@cox.net on October 02, 2019, 09:53:09 am
I'm not sure that changing model name is possible by SCPI.

I do not believe so.

It is my recollection the scope calculates its "model" number based on the bandwidth, e.g. a SDS1104X-E with a 200 mhz bandwidth key will show up as a SDS1204X-E in the menus, etc.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on October 02, 2019, 10:10:06 am
I'm not sure that changing model name is possible by SCPI.

PROD?
PROD MODEL,SDS1000X-E,BAND,25MHZ

LAGG?
LAGG CH

LANG?
LANG SC

Just try:

LANG EN

I agree that we won't be able to change it with the PRODUCT MODEL as you show with the SCPI responses.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ucognitive on October 08, 2019, 08:42:56 am
I've tried LANG EN, LANG ENG, LANG SE with not effect:(
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on October 08, 2019, 09:00:36 am
On the latest firmware, they hard coded the language text inside the scope application, with the help files just being a left over. I've not dug into it recently, but it could be as simple as patching the language tree in the application

Other places you can have a look

usr\bin\siglent\config\NSP_trends_config_info.xml
usr\bin\siglent\firmdata0\factory_settings.xml
usr\bin\siglent\usr\user_default_settings.xml
usr\bin\siglent\usr\config\NSP_usr_system_info.xml
usr\bin\siglent\usr\config\temp_settings.xml
usr\bin\siglent\usr\config\save_settings.xml

for the ones that use a numeric language, looks like "2" is english
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: KaLi on October 25, 2019, 06:24:04 am
Hi folks,

about a year ago I had the idea to buy this scope and read the thread about patching and hacking it... but I didn't.

Now -- with christmas vacation spare time in mind -- I came back to this idea.

To make my question short: Does everything work with the same hacking instruction as a year ago? Are the actual firmwares safe, or is there a catch? It's much to read and especially over-read in this and the other thread about that topic. And the important parts are well distributed in that large amounts of text.

thank you
Kai
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on October 31, 2019, 11:53:10 am
Dear Kai, if your question concerns the SDS1104X-E, the bandwidth hack (with model number change to SDS1204X-E) still works perfectly fine. I did mine about a month ago (see also my posts).
Regards, Lutz
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tonykids on November 09, 2019, 10:14:05 am
After updating FW language is changing back to Chinese.

I see X-C label on scope info screen with versions.
Also *IND? command return X-C model name.
update the the X-C model whit X-E's update package will change it to X-E , right?
The capture rate is 400000wfm/s but X-C is 200000wfm/s
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tjohejsanhopp on November 14, 2019, 05:42:58 pm
The codes generated by the python-script (doing it as described in #168) seem to activate the 200MHz correctly, but no other features show up as activated, and instead stay as Trial with a countdown.
I tried to enter all codes at once, then do the reboot.
Then tried one and one, rebooting in between, same result.
Is the script not able to correctly generate the other codes correctly or am I doing it wrong?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on November 14, 2019, 06:17:49 pm
The codes generated by the python-script (doing it as described in #168) seem to activate the 200MHz correctly, but no other features show up as activated, and instead stay as Trial with a countdown.
I tried to enter all codes at once, then do the reboot.
Then tried one and one, rebooting in between, same result.
Is the script not able to correctly generate the other codes correctly or am I doing it wrong?

Everything is working correctly, have a look at my post below. Did you use the newer (see "update" link inside post from wgoe) Python code? If not, you need to use the serial number instead of the scope id. Also, for the SW options you can't use MCBD. Best way is to type it in the scopes UI as if you bought the upgrade...
Hope this helps.
Lutz

Hi all! I am newbie and I have some questions about updating my SDS1104X-E (Current FW is 6.1.26):

I have done memorydump, but not yet activating wifi, 200 MHz etc.. So should I first upgrade FW to 6.1.33, and next install Plurs .ads file from usbstick? And what is Python file, I can't find it ?

Could someone please send me more detailed instructions on the upgrade via PM?

Thanks

Well, I had my fair share of mishaps, but now I can say with confidence that everything is quiet trivial. Here is what worked for me:

1) I updated to 6.1.33 but as I understood from others you don't have to. All license changes will be persistent after FW changes.
2) Connect your scope to your local network and write down the IP address. You can also use the USB if you don't have LAN, in this case skip to (4).
3) Use IE or other browser from a PC in that LAN simply by the IP address (http://xxx.yyy.zzz.aaa (http://xxx.yyy.zzz.aaa)).
4) Your scope answers you with a web page containing 4 big buttons on the left, push the bottom (SPCI control) one.
5) In the command line enter SCOPEID? and receive your scope ID in the text window below, write it down, remove the dashes.
6) Have your scope's serial number ready. Get it from either your cal sheet or from scope Info button, or finally via SPCI command *IDN? (it returns comma separated model, SN, SW version)
7) Get the updated (!) Python code from here: (The updated link from wgoeo goes to a website that can also run the code).

I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.

Edit: Update (https://repl.it/@wgoeo/siglent-keygen), thanks tinhead!

8 ) Enter 16 character Scope ID (remove the dashes inbetween!) and the 14 character serial number in the corresponding placeholders of the py-code file.
9) Run the Python code, either on your PC if you have PyCharm or Visual Studio or find an online Python engine where you can paste the patched py code and run it. Most simple is to just run it off the website provided by wgeoe. There you can also paste your ID/SN in.
10) Pick the for the SDS1000X-E relevant keys from the result (100M, 200M, AWG, WIFI, MSO).
11) Go back to the SPCI terminal and install the bandwidth key with MCBD <key> (e.g. MCBD 0123456789ABCDEF). If the key was taken you will see with MCBD?. Then the same key you just entered appears in the result window. Also you can see instantly that the scope has now changed model number. (No scope restart is needed, result is immediate. You even see the change in noise when in the 0.5mV range with nothing connected).
12) Now install the SW options. On the SPCI use LCISL <option> <key> (Option AWG, WIFI, MSO), (e.g. LCISL WIFI 0123456789ABCDE). I used the scope's function to enter the key under Utilities, Options, on one of the pages select one of the three options and press install button to enter the key, scope will answer "License key installed" (make sure the key is correct, I fell victim to my own handwriting and almost gave up until I noticed that I mistook Z for a 2  |O ).
13) Although changes are imminent, for sanity reboot the scope and do a calibration.
14) Congratulations you are done. Don't forget to thank wgoeo and tinhead.

cheers
Lutz
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tjohejsanhopp on November 14, 2019, 08:25:18 pm
Ok, I figured out my error.
On the scope-UI, one must FIRST SELECT TYPE on the left most button before pressing INSTALL-button :)
Well that was...in a way logical...but...yeah...;)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: troian on December 23, 2019, 05:40:23 pm
Quote
Ok, I figured out my error.
On the scope-UI, one must FIRST SELECT TYPE on the left most button before pressing INSTALL-button :)
Well that was...in a way logical...but...yeah...;)

I've go same issue as tjohejsanhopp, 200MHz upgrade went just fine. All other options returning The data is invalid! on scope screen. LCISL command returns Success but options remains trial.
Scope fw is 6.1.33
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on December 25, 2019, 04:25:57 am
Quote
Ok, I figured out my error.
On the scope-UI, one must FIRST SELECT TYPE on the left most button before pressing INSTALL-button :)
Well that was...in a way logical...but...yeah...;)

I've go same issue as tjohejsanhopp, 200MHz upgrade went just fine. All other options returning The data is invalid! on scope screen. LCISL command returns Success but options remains trial.
Scope fw is 6.1.33

Have you tried the scope UI? This should work nonetheless. Check again the key(s) for typos and remember to use the serial number (not the scope ID) to generate them.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: troian on December 26, 2019, 04:12:01 pm
That was just extra 0 in serial #. All went fine through
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Musclor on January 19, 2020, 08:27:19 am
Hi all, amazing thread, I read every message carefully - great to see the teamwork at play here!
One non-technical question, I spotted a few users having successfully 'upgraded' their scope even after updating the fw to 6.1.33 (which is the very latest).

This implies that Siglent has not implemented a countermeasure to this 'upgrade' - am i missing something? Not that I'm complaining, but I find it curious, to say the least (a quick google search returns this thread when you look for 'most hackable scope' etc).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on January 19, 2020, 08:40:56 am
This implies that Siglent has not implemented a countermeasure to this 'upgrade' - am i missing something?

Would you have bought yours if ir wasn't hackable?  :popcorn:

Not that I'm complaining, but I find it curious, to say the least (a quick google search returns this thread when you look for 'most hackable scope' etc).

It's a marketing ploy - make the buyers feel clever and like they're getting something for free. Who can resist that feeling?

It also allows them to sell 'scopes for double price to institutional people people who are paranoid about warranties - double win!

PS: It was Rigol who really started this practice. I'm convinced the riglol website is really run by Rigol.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Rerouter on January 19, 2020, 08:44:15 am
Siglents stance on it is, as long as it is not a remote code execution exploit, they have better things to work on,

The earlier SCPI method was a remote command that executed as root with no authentication... so that got patched quickly,
The new method needs physcial access, so much less of a concern. seeing as they are trying to sell these things in schools and businesses.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on January 19, 2020, 05:55:44 pm
This implies that Siglent has not implemented a countermeasure to this 'upgrade' - am i missing something?

Would you have bought yours if ir wasn't hackable?  :popcorn:

Not that I'm complaining, but I find it curious, to say the least (a quick google search returns this thread when you look for 'most hackable scope' etc).

It's a marketing ploy - make the buyers feel clever and like they're getting something for free. Who can resist that feeling?

It also allows them to sell 'scopes for double price to institutional people people who are paranoid about warranties - double win!

PS: It was Rigol who really started this practice. I'm convinced the riglol website is really run by Rigol.

Oh you really think its a business plan for us nerd population? Sounds plausible ...
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: e0ne199 on January 21, 2020, 03:57:39 pm
hello everyone, i just want to hack my SDS1204X-E 's AWG, LA, and WIFI license...does anyone here know how to do that? thx before, and i am sorry if it is OOT  ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tmcks on January 22, 2020, 10:15:29 pm


Quote from: aimc on November 14, 2019, 06:17:49 pm (https://www.eevblog.com/forum/index.php?topic=136445.msg2784554#msg2784554)


...



Thanks for posting this step-by-step summary. Followed it precisely and completed my 1104X-E -> "1204X-E," w/ options unlocked, in ~10 mins.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: e0ne199 on January 24, 2020, 03:02:05 pm
The codes generated by the python-script (doing it as described in #168) seem to activate the 200MHz correctly, but no other features show up as activated, and instead stay as Trial with a countdown.
I tried to enter all codes at once, then do the reboot.
Then tried one and one, rebooting in between, same result.
Is the script not able to correctly generate the other codes correctly or am I doing it wrong?

Everything is working correctly, have a look at my post below. Did you use the newer (see "update" link inside post from wgoe) Python code? If not, you need to use the serial number instead of the scope id. Also, for the SW options you can't use MCBD. Best way is to type it in the scopes UI as if you bought the upgrade...
Hope this helps.
Lutz

Hi all! I am newbie and I have some questions about updating my SDS1104X-E (Current FW is 6.1.26):

I have done memorydump, but not yet activating wifi, 200 MHz etc.. So should I first upgrade FW to 6.1.33, and next install Plurs .ads file from usbstick? And what is Python file, I can't find it ?

Could someone please send me more detailed instructions on the upgrade via PM?

Thanks

Well, I had my fair share of mishaps, but now I can say with confidence that everything is quiet trivial. Here is what worked for me:

1) I updated to 6.1.33 but as I understood from others you don't have to. All license changes will be persistent after FW changes.
2) Connect your scope to your local network and write down the IP address. You can also use the USB if you don't have LAN, in this case skip to (4).
3) Use IE or other browser from a PC in that LAN simply by the IP address (http://xxx.yyy.zzz.aaa (http://xxx.yyy.zzz.aaa)).
4) Your scope answers you with a web page containing 4 big buttons on the left, push the bottom (SPCI control) one.
5) In the command line enter SCOPEID? and receive your scope ID in the text window below, write it down, remove the dashes.
6) Have your scope's serial number ready. Get it from either your cal sheet or from scope Info button, or finally via SPCI command *IDN? (it returns comma separated model, SN, SW version)
7) Get the updated (!) Python code from here: (The updated link from wgoeo goes to a website that can also run the code).

I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.

Edit: Update (https://repl.it/@wgoeo/siglent-keygen), thanks tinhead!

8 ) Enter 16 character Scope ID (remove the dashes inbetween!) and the 14 character serial number in the corresponding placeholders of the py-code file.
9) Run the Python code, either on your PC if you have PyCharm or Visual Studio or find an online Python engine where you can paste the patched py code and run it. Most simple is to just run it off the website provided by wgeoe. There you can also paste your ID/SN in.
10) Pick the for the SDS1000X-E relevant keys from the result (100M, 200M, AWG, WIFI, MSO).
11) Go back to the SPCI terminal and install the bandwidth key with MCBD <key> (e.g. MCBD 0123456789ABCDEF). If the key was taken you will see with MCBD?. Then the same key you just entered appears in the result window. Also you can see instantly that the scope has now changed model number. (No scope restart is needed, result is immediate. You even see the change in noise when in the 0.5mV range with nothing connected).
12) Now install the SW options. On the SPCI use LCISL <option> <key> (Option AWG, WIFI, MSO), (e.g. LCISL WIFI 0123456789ABCDE). I used the scope's function to enter the key under Utilities, Options, on one of the pages select one of the three options and press install button to enter the key, scope will answer "License key installed" (make sure the key is correct, I fell victim to my own handwriting and almost gave up until I noticed that I mistook Z for a 2  |O ).
13) Although changes are imminent, for sanity reboot the scope and do a calibration.
14) Congratulations you are done. Don't forget to thank wgoeo and tinhead.

cheers
Lutz

lols thx so much everyone... i have finally unlocked them all..hope that siglent won't get angry about this  ;D ;D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: modoran on January 25, 2020, 02:31:12 pm
Unlocking 1104x-e to 200 Mhz bandwith ( 1204x-e ) is reversible ?   I suppose this voids the warranty ?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: aimc on January 25, 2020, 03:16:55 pm
Unlocking 1104x-e to 200 Mhz bandwith ( 1204x-e ) is reversible ?   I suppose this voids the warranty ?

You can reverse to 100MHz. Just use the key for 100MHz. Does not void warranty.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vicenç on February 16, 2020, 11:18:11 am
I also succeeded finding codes with wgoeo python script (thanks man!!) and later on MCBD ing for 200MHz and introducing codes for MSO / WIFI / AWG directly on scope interface. They seem to be properly set as when pressing the options => Information menu i can not change they appear as permanent licenses.

BUT... i bought a WIFI TPLINK WN725N, the one advertised to be used. After plugging it I am able to manually scan for the Wifi networks, finding those around without hassle. I am able to connect to a wlan and to manually set an ip or to leave it to DHCP. In both cases the scope returns a wlan connected message and shows the wifi wave icon in the bottom down menu. In the dhcp mode it is assigned a proper IP, according to the range defined in the wlan router (so no random IP, but a logical one).

BUT... unfortunately it is not really working. I cannot access the webpage (that i am capable to do so with a wired LAN connection). If i ping it, no answer at all. If i try to use it to connect to my awg emulated server it is not working either.

Therefore, I don't know if it is TPLINK usb interface (there seems to be several versions out there) despite it properly finds wlan's and says "wlan connected" OR if it is an issue with the codes the python script calculated, requiring an extra step

Reading through the entire pages it seems to happen at least to another user.

Regards
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vicenç on February 16, 2020, 11:27:28 am
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.

Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.

The very same issue here. I followed a different approach (wgoeo python script). Did you manage to work out a solution?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on February 16, 2020, 11:32:54 am

Therefore, I don't know if it is TPLINK usb interface (there seems to be several versions out there) despite it properly finds wlan's and says "wlan connected" OR if it is an issue with the codes the python script calculated, requiring an extra step
If it accepted the licence codes you should be good to go.
The correct dongle is the gold one but I have not heard problems with the other ones. Maybe yours is a copy ?
Just make sure all your WLAN, PW and IP are all correct as it's easy to make a mistake.
Dongle range can sometimes be a problem so move closer to your access point and try again.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: vicenç on February 18, 2020, 07:49:28 pm
Yeah. It is the golden plated one. It seems the original one (packaging, instructions and so).

I will check the range suggestion. I will come back to the forum let others users know.

Regards
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: zebu on February 24, 2020, 06:45:47 am
Please tell me I can not get SCOPEID.
SDS2000X-E firmware 1.1.19R2_EN.
I went through the browser to the ip address
In the SCPI field, I execute the SCOPEID command, but in response I get nothing.

SCPI no longer works on new firmware?

How can I find ScopeID


P/S

Everything works ! I entered the command incorrectly
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: mikef137 on February 24, 2020, 07:17:23 pm
are you using SCOPEID?  with the question mark?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ArcticPhoenix0 on March 08, 2020, 12:13:49 am
Now that I've unlocked my Siglent 1104X-E to a 1204X-E, what passive probe upgrade do you recommend? Looking to try to keep it under $30 per probe.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on March 08, 2020, 12:30:22 am
Now that I've unlocked my Siglent 1104X-E to a 1204X-E, what passive probe upgrade do you recommend? Looking to try to keep it under $30 per probe.
Answered here:
https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2953604/#new (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2953604/#new)

BTW, double posting is frowned upon here.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: ArcticPhoenix0 on March 08, 2020, 04:02:09 am
What... I was supposed to find that post amongst all that is the EEVBlog forum? C'mon, man. Thanks for the answer.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: digitalsignals5 on May 07, 2020, 10:36:49 pm
Hello all!

I am planning on hacking my scope and was curious on what all the other options were from the python script? I tried looking around different threads but I couldn't find explanations. Thanks!

MAX   
FLX   
CFD   
I2S   
1553 
FG   
16LA

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on May 07, 2020, 10:46:34 pm
Hello all!

I am planning on hacking my scope and was curious on what all the other options were from the python script? I tried looking around different threads but I couldn't find explanations. Thanks!

MAX   
FLX   
CFD   
I2S   
1553 
FG   
16LA
Welcome to the forum.

Only 2 are valid options, FG which needs the USB powered AWG HW and LA that also needs the 16ch MSO hardware.

As these share some core programming with other models is the reason you see some options pop out but they aren't applicable to any of the X-E models.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: digitalsignals5 on May 07, 2020, 10:59:25 pm
Thank you! Excited to be on here! Have been a lurker for a few years now and finally decided to create an account!  ;D

I noticed there are several threads hacking the 1104X-E and have different ways to hack it. Some require a USB stick, and others do not. Some ways also require downgrading firmware.

What is the latest / best way? Would either of these two ways work? Thanks for your help!

https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg3014076/#msg3014076 (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg3014076/#msg3014076)

https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: digitalsignals5 on May 09, 2020, 11:08:18 pm
Update:
The method without the memory dump worked great for me. I installed the options manually via the Utility menu. Pretty straight forward. Scope FW: 6.1.33

https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705)

Thanks! :D
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: gianluigi on June 30, 2020, 07:20:42 am
Hello all!

I am planning on hacking my scope and was curious on what all the other options were from the python script? I tried looking around different threads but I couldn't find explanations. Thanks!

MAX   
FLX   
CFD   
I2S   
1553 
FG   
16LA
Welcome to the forum.

Only 2 are valid options, FG which needs the USB powered AWG HW and LA that also needs the 16ch MSO hardware.

As these share some core programming with other models is the reason you see some options pop out but they aren't applicable to any of the X-E models.
thank you,
wich are the differences between MSO and 16LA key?
I used MSO key from option menù and it is ok, but how can I use 16LA?
LCISD <option> <key> doesn't work from SCPI web interface
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: doru.cazan on July 08, 2020, 05:05:26 pm
Got my SDS1104X-E today:

software 6.1.35R2
uboot 8.1
fpga 2019-11-15
hw 01-04

python script worked fine, bandwidth "fixed" using web server, options "adjusted" using scope physical buttons.

Thank you all!  :-+
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: 0x10c on July 15, 2020, 05:33:08 am
Good day! How about the rise time after the hacking oscilloscope. Did anyone make a comparison before the hack and after the hack?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: StillTrying on July 15, 2020, 11:47:18 am
"How about the rise time"
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1635386/#msg1635386 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1635386/#msg1635386)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Ze Pink Panther on July 21, 2020, 08:04:41 pm
Hello all,

First and foremost, I'd like to send many *_kudos_* to each and all of you for your fantastic contribution to this forum / thread. I've learned a lot from you guys!  :-+  :clap:

Now... My scope is a SDS1104X-E, "fixed" to 200 MHz and with all options permanently activated (I've been using the "memdump" method). Currently it runs the FW 6.1.26. I've played a little with the 6.1.35R2 but I reverted to the 6.1.26 in order to keep the "good old" options...
I also wanted to install the "eevblog" version of the OS (SDS1004X-E_OSV1_EN_eevblog) just to be able to gain telnet acces, and that's where I had to stop. According to the doc, when booting-up with a USB key containig the four files (at the root level) the scope is supposed to automatically begin the upgrade process. Well... mine doesn't do anything, although it does "see" the USB key and its content. And yes, the key is a 32GB, freshly formatted in FAT32.
Am I missing something?

Thanks in advance and best regards,
ZPP

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on July 21, 2020, 08:10:06 pm
I've played a little with the 6.1.35R2 but I reverted to the 6.1.26 in order to keep the "good old" options...

Please explain what is the good old options?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Ze Pink Panther on July 21, 2020, 09:14:56 pm
For example, being able to use SHELLCMD.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on July 21, 2020, 09:17:38 pm
For example, being able to use SHELLCMD.
The SCPI command panel in the webserver utility permits running all manner of SCPI commands. Valid, hidden and undocumented.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Ze Pink Panther on July 21, 2020, 09:23:06 pm
Is it?
Then why, using 6.1.35R2, using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" didn't do anything (while in 6.1.26 it yielded the expected result)?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on July 21, 2020, 09:26:17 pm
For example, being able to use SHELLCMD.

Why don't you use this (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2478699/#msg2478699)?   :-//
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Ze Pink Panther on July 21, 2020, 09:54:02 pm
You have a valid point, but it shouldn't exclude some other (equally valid) options. My option, for example, was to stick with 6.1.26 (for the time being). I don't think that's a show stopper.
Anyway... my initial post was not about discussing, judging and arguing about _my_ option to keep 6.1.26 - it was about the inability to load "SDS1004X-E_OSV1_EN_eevblog" into my scope. Yet, I _do_ thank you for your advice.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on July 21, 2020, 10:04:04 pm
In that case let me do a final judgement and argument:

As you seem able to find advantages in downgrading the FW just for having a telnet capability which is also available in my suggestion, I'm sure you will be able to sort the flashing problem.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Ze Pink Panther on July 21, 2020, 10:20:10 pm
...That wasn't very nice...  :(
I'd asked a simple, techical question, hoping that I was talking to very knowledgeable and techically-oriented people... and yet, with my first post, I'm stuck with an ego...
Is it my alias, the fact that I'm a newbie (although I haven't fallen on Earth with the last rain...) in this forum or because I haven't got on my knees at your suggestion that turned on your flamethrower? I respectfully point to you that your suggestion _did not_ answer my question; it only eluded it.
Anyway... thanks for your time...

"- What time does this bus leave?
 - Why don't you take the train instead?
 - I'd still want to get on this bus...
 - If you don't want to take the train, go figure yourself the timetable !"
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on July 22, 2020, 02:45:30 am
...That wasn't very nice...  :(
I'd asked a simple, techical question, hoping that I was talking to very knowledgeable and techically-oriented people... and yet, with my first post, I'm stuck with an ego...
Is it my alias, the fact that I'm a newbie (although I haven't fallen on Earth with the last rain...) in this forum or because I haven't got on my knees at your suggestion that turned on your flamethrower? I respectfully point to you that your suggestion _did not_ answer my question; it only eluded it.
Anyway... thanks for your time...

"- What time does this bus leave?
 - Why don't you take the train instead?
 - I'd still want to get on this bus...
 - If you don't want to take the train, go figure yourself the timetable !"

Try formatting and configuring the USB on a raspberry pi; that's what worked for me with the custom eevblog firmware
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Ze Pink Panther on July 22, 2020, 03:02:30 am
Thank you for your kind reply.
Unfortunately I don't have a Raspberry Pi, so I can't try your suggestion.
Regards,
ZPP
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on July 22, 2020, 03:09:20 am
Thank you for your kind reply.
Unfortunately I don't have a Raspberry Pi, so I can't try your suggestion.
Regards,
ZPP

Try making the USB on a different system then 32 bit vs 64 bit, Linux vs Windows, etc)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: dashpuppy on August 15, 2020, 03:53:14 pm
Thank you for this, extremely easy to do and worked :)

Was googling for the WebSock error: [object Event] error on my scope and came across the firmware hack :)  updated now have 200mhz & webview works good !!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Archades on November 06, 2020, 04:57:34 pm
I just bought the SAG1021I with the license file, but I already hacked the MSO part to unlimited, does that mean the SAG1021I will work without my genuine license? (bundle deal was good and I figured why not lol). Or do I have to somehow unhack and install my license. I used the python script method.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on November 06, 2020, 05:33:01 pm
It should be exactly the same license.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: JamesLynton on November 18, 2020, 10:10:48 pm
WGoeo's old passive k-gen script hack confirmed still fully working on a brand new SDS1104X-E

Just note here to save some folks a little time and a few headaches.
I got a brand new SDS1104X-E a-few days back with a recent manufacturing date, ALL the SDS1000 series keys which WGoeo's script generates work just fine.

(I expect on this software/hardware revision that it will always work)
(SW:6.1.35R2 (Release Date 03.07.20) - Uboot: 8.1 - FPGA: 2019-11-15 - HW: 01-04)


Thing is, a few things along the way will likely catch some folks out, so i will detail those below:

* Firstly, when you run the script in rep.it you *must* (it seems) Fork it to run the code with the correct, valid ID & SN actually going thru the compiler (it doesnt seem to compile what it displays if you edit it in your session).
https://repl.it/@wgoeo/siglent-keygen#main.py
When you are done running it in a fork, you can then delete it from your account.

* Secondly, whilst the MCBD command to modify MHz rating of the scope does indeed work in the SCPI terminal over the network, you will need to enter the remaining keys for AWG, WIFI &  MSO as below:
Use the Options menu directly on the scope to enter the keys, make sure the key TYPE you are entering is shown on the left softkey before you open the menu. Be SURE to select CAPS mode for entering the key (by intensity adj. scrolling to the end option & clicking), then enter your keys one at a time, changing the type entered in the previous menu as and when needed.

Now everything should show as activated.
Enjoy :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: protektwar on November 24, 2020, 09:09:15 pm
Hi,

Can someone share the file which is not anymore accessible.
https://www45.zippyshare.com/v/SEUJEWE1/file.html

Thanks!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rickathe on November 25, 2020, 12:53:21 am
Hi,

Can someone share the file which is not anymore accessible.
https://www45.zippyshare.com/v/SEUJEWE1/file.html (https://www45.zippyshare.com/v/SEUJEWE1/file.html)

Thanks!

Protektwar--

The zippy file should still work, I just downloaded it fine.

Anyway, it looks like the newest method of hacking the 1104x-e is here: https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705)

Good luck!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: JamesLynton on November 26, 2020, 05:23:30 pm
Found - A Known Good Source of Siglent SDS1xx4X-E compatible TP-Link WIFI Dongles.

Just dropping this here to notify that I've found (and tested) a good source of compatible wifi dongles, so if you are having trouble finding them, try this link:
https://www.ebay.co.uk/itm/TP-Link-TL-WN725N-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569 (https://www.ebay.co.uk/itm/TP-Link-TL-WN725N-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569)

Currently £7.29 from Picstop in the UK, the packaging style to look out for is as follows below:

(https://i.ibb.co/FwGY1f8/s-l500.jpg) (https://imgbb.com/)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on November 27, 2020, 01:59:25 am
Found - A Known Good Source of Siglent SDS1xx4X-E compatible TP-Link WIFI Dongles.

Just dropping this here to notify that I've found (and tested) a good source of compatible wifi dongles, so if you are having trouble finding them, try this link:
TL-WN725N[/b]-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569]https://www.ebay.co.uk/itm/TP-Link-TL-WN725N-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569 (https://www.ebay.co.uk/itm/TP-Link-[b)

Currently £7.29 from Picstop in the UK, the packaging style to look out for is as follows below:

(https://i.ibb.co/FwGY1f8/s-l500.jpg) (https://imgbb.com/)
:)
Can I point you to this link where you can see this same Pt#: SKU: TL_WN725N
https://siglentna.com/product/usb-wifi-adapter/ (https://siglentna.com/product/usb-wifi-adapter/)

A correction if I may: compatible OEM equivalent.  ;)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: JamesLynton on November 27, 2020, 02:26:41 am
..I do like the way the official photo on Siglent's website shows the dongle with the original, plain 'oem' branding on as well; not noticed that before & it gave me quite the chuckle ;) :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: graybeard on November 27, 2020, 04:01:18 am
I thought I had tried all the different Scope ID permutations.  Looks like I didn't.  The one that works is without dashes and leaving any other characters as they are.

For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):
  • Connect Scope to LAN
  • On Scope: In Utility menu -> Page (page 2)-I/O-IP Set
  • Either set a static IP address or enable DHCP-Save
  • Reboot.  If DHCP, use step 2 and get your scope's IP
  • Open Web Browser-input the IP address of scope
  • SCPI button on left.  In the command field: SCOPEID?
    (dont forget or miss the ? at the end.  it is important)
  • Copy the ID shown
  • Download the python script from wgeon just a few messages before this one
  • Open the script in Notepad.  Find the line that starts serial =
  • Delete everything between the two single quote marks, then place your scope ID there.

    NOTE: Your scope ID will probably contain dashes.  Remove them.  All you want are the the numbers and letters without spaces or dashes or anything else.

    Example:
    If SCOPEID? Returns: 1234-fedc-567b-89a0
    then the serial line in the script is:
    serial = '1234fedc567b89a0'

    Just remove the dashes.  Leave the rest alone.

  • Run this python script.  If you have Python already installed on your computer you can run it locally.  Otherwise a quick google search will turn up places to upload/paste the script and run it. (The first link in a Google of 'run python online' works)
  • In the 200M line the script will return a key of 16 characters.  Copy them.
  • Back in the web browser on the web page for the scope, in the SCPI command enter:MCBD (key)
    Don't include the ()s, just the 16 characters like this:  MCBD 0123456789ABCDEF

  • Reboot the scope

Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)

This method worked great today for my SDS1104X-E with firmware 6.1.5R2.

Here you can see it now reports as a SDS1204X-E.

(http://diver.net/eevblog/siglent_1104X-E_hack/SDS1204X-E_hack_result.jpg)

The rise time measured with my Colby PG1000A pulse generator (250ps rise/fall time) into a 50 Ohm termination decreased from 2.9ns to 1.6ns.  Not quite a factor of two, but close.

(http://diver.net/eevblog/siglent_1104X-E_hack/SDS00003.png)

I ran the edited python script on my Mint Linux laptop by typing
Code: [Select]
python3 sds1000xe.py
Many thanks to wgoeo (https://www.eevblog.com/forum/profile/?u=142156) for developing the key producing script (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=793485) and oldcqr (https://www.eevblog.com/forum/profile/?u=609576) for the step-by-step instructions (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705).

Chris

p.s. the 50 Ohm termination I used was the inexpensive one I describe in this video (https://youtu.be/4GyCAe34N0k).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on November 27, 2020, 04:43:30 am
I thought I had tried all the different Scope ID permutations.  Looks like I didn't.  The one that works is without dashes and leaving any other characters as they are.

For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):
  • Connect Scope to LAN
  • On Scope: In Utility menu -> Page (page 2)-I/O-IP Set
  • Either set a static IP address or enable DHCP-Save
  • Reboot.  If DHCP, use step 2 and get your scope's IP
  • Open Web Browser-input the IP address of scope
  • SCPI button on left.  In the command field: SCOPEID?
    (dont forget or miss the ? at the end.  it is important)
  • Copy the ID shown
  • Download the python script from wgeon just a few messages before this one
  • Open the script in Notepad.  Find the line that starts serial =
  • Delete everything between the two single quote marks, then place your scope ID there.

    NOTE: Your scope ID will probably contain dashes.  Remove them.  All you want are the the numbers and letters without spaces or dashes or anything else.

    Example:
    If SCOPEID? Returns: 1234-fedc-567b-89a0
    then the serial line in the script is:
    serial = '1234fedc567b89a0'

    Just remove the dashes.  Leave the rest alone.

  • Run this python script.  If you have Python already installed on your computer you can run it locally.  Otherwise a quick google search will turn up places to upload/paste the script and run it. (The first link in a Google of 'run python online' works)
  • In the 200M line the script will return a key of 16 characters.  Copy them.
  • Back in the web browser on the web page for the scope, in the SCPI command enter:MCBD (key)
    Don't include the ()s, just the 16 characters like this:  MCBD 0123456789ABCDEF

  • Reboot the scope

Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)

This method worked great today for my SDS1104X-E with firmware 6.1.5R2.

Here you can see it now reports as a SDS1204X-E.

(http://diver.net/eevblog/siglent_1104X-E_hack/SDS1204X-E_hack_result.jpg)

The rise time measured with my Colby PG1000A pulse generator (250ps rise/fall time) into a 50 Ohm termination decreased from 2.9ns to 1.6ns.  Not quite a factor of two, but close.

(http://diver.net/eevblog/siglent_1104X-E_hack/SDS00003.png)

I ran the edited python script on my Mint Linux laptop by typing
Code: [Select]
python3 sds1000xe.py
Many thanks to wgoeo (https://www.eevblog.com/forum/profile/?u=142156) for developing the key producing script (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=793485) and oldcqr (https://www.eevblog.com/forum/profile/?u=609576) for the step-by-step instructions (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705).

Chris

p.s. the 50 Ohm termination I used was the inexpensive one I describe in this video (https://youtu.be/4GyCAe34N0k).


This Video is very good for everyone watch who is interested about feed thru with oscilloscope normal 1M / xx pF /xx nH  inputs.

Btw, it is possible to make feed thru so that it have bit better impedance for whole scope bandwidth but it is hard work with NVA for adjust special feed thru L and C compensations. Can not do perfect but perhaps good compromise. Then these need label "for use only with this xxxx"  ;)

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: SMB784 on November 28, 2020, 05:52:12 am
Found - A Known Good Source of Siglent SDS1xx4X-E compatible TP-Link WIFI Dongles.

Just dropping this here to notify that I've found (and tested) a good source of compatible wifi dongles, so if you are having trouble finding them, try this link:
TL-WN725N[/b]-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569]https://www.ebay.co.uk/itm/TP-Link-TL-WN725N-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569 (https://www.ebay.co.uk/itm/TP-Link-[b)

Currently £7.29 from Picstop in the UK, the packaging style to look out for is as follows below:

(https://i.ibb.co/FwGY1f8/s-l500.jpg) (https://imgbb.com/)
:)
Can I point you to this link where you can see this same Pt#: SKU: TL_WN725N
https://siglentna.com/product/usb-wifi-adapter/ (https://siglentna.com/product/usb-wifi-adapter/)

A correction if I may: compatible OEM equivalent.  ;)

Now if only they would fix the firmware so I don't have to change the name of my wifi network in order to use it  ;)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: chronos42 on December 06, 2020, 09:47:07 pm
Hi,
is there a way to change in the script for activating AWG and MSO for a SDS2202X-E?

(I already changed the model string in the script to SDS2202X-E, but as expected this is too easy and not working)

Thank you for any information.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on December 07, 2020, 12:07:02 pm
Hi,
is there a way to change in the script for activating AWG and MSO for a SDS2202X-E?

(I already changed the model string in the script to SDS2202X-E, but as expected this is too easy and not working)

Thank you for any information.

For what. You still need these hardware. Or do you think you buy HW and then do not need but licenses.
And example for what is FG option. You need exactly SAG1021I what is very limited generator, of course if this is enough then it is naturally ok.  If you have SAG1021I and want do BodePlot, it do not need this license at all.

MSO option you can not do any single thing without SBus connected MSO / LA hardware and if you want build it from scratch you perhaps pay more than purchase it from Siglent and loose lot of time. This scope is obsolete before it is ready.

But for success... read more. All is here in forum. But there is not free lounges. ;)

My question was just about... what you do with these licenses if you do not have these hardware.   ;)

In trial period you sure can look what these licenses give if you just want know.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: chronos42 on December 07, 2020, 10:43:26 pm
I know that I need this hardware. And, surprise, I have this hardware, at least the SAG1021I waveform generator. That was the reason for my question :palm:

I use it for Bode plots, (you need no license for Bode plots) but also want to use the full AWG funktion. It is a useful, insulated stimulus source for a lot of measurements. For the rest I have some other waveform generators.
But the hardware + the license together is way too expensive in my opinion, it is not worth 270 Euro together for a 25Mhz waveform generator which only can be used with some Siglent scopes.
Ok, I will read the whole thread and hope that I find a solution for me.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: rf-loop on December 08, 2020, 10:03:18 am
I know that I need this hardware. And, surprise, I have this hardware, at least the SAG1021I waveform generator. That was the reason for my question :palm:

I use it for Bode plots, (you need no license for Bode plots) but also want to use the full AWG funktion. It is a useful, insulated stimulus source for a lot of measurements. For the rest I have some other waveform generators.
But the hardware + the license together is way too expensive in my opinion, it is not worth 270 Euro together for a 25Mhz waveform generator which only can be used with some Siglent scopes.
Ok, I will read the whole thread and hope that I find a solution for me.

In this situation... yess... naturally.  :)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: 2112 on December 20, 2020, 02:58:28 pm
Noob here
I was researching low end DSO's when I came across this thread. Buying a decent 200 Mhz, 4 channel, feature rich DSO for $500 seems too good to pass up. I do require 4 channels.

Unless someone with more experience can suggest another model, I'll order the SDS1104X-E after the Christmas rush and attempt to perform this fix. I do not have Python or a LAN at the moment, so I'll start piecing this together. I may return with questions. An above post mentions a fork. I have no idea what he is referring to  :-//     

Thanks
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on December 20, 2020, 04:14:07 pm
Unless someone with more experience can suggest another model...

Micsig STO1104C.

It's not 200Mhz but it has a big touch screen and the user interface is easily more than an order of magnitude faster/better than doing everything through a stupid twisty knob. It also runs off battery and has a lot of built-in talents like Wifi and web browser.

(https://www.batronix.com/images/generated/sto1000-hero2-1200x735-White-b.jpg)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on December 20, 2020, 07:04:59 pm
Noob here
I was researching low end DSO's when I came across this thread. Buying a decent 200 Mhz, 4 channel, feature rich DSO for $500 seems too good to pass up. I do require 4 channels.

Unless someone with more experience can suggest another model, I'll order the SDS1104X-E after the Christmas rush and attempt to perform this fix. I do not have Python or a LAN at the moment, so I'll start piecing this together. I may return with questions. An above post mentions a fork. I have no idea what he is referring to  :-//     

Thanks
Welcome to the forum.

For ongoing 4ch needs you are best served by a scope with dual ADC's like these 4ch X-E's so to not have low sampling rates with all 4 channels active.
If you don't require 200 MHz maybe the new single ADC SDS1104X-U for just $ 399 could interest you.
Thread about them here:
https://www.eevblog.com/forum/testgear/siglent-1120-new-sds1104x-u-4-channel-100mhz-1gsas-economy-oscilloscope/ (https://www.eevblog.com/forum/testgear/siglent-1120-new-sds1104x-u-4-channel-100mhz-1gsas-economy-oscilloscope/)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: 2112 on December 21, 2020, 02:12:43 am
I really do like the Micsig, a lot. Unfortunately, they don't seem to be well represented here in the US. I'm not sure who will be there for me if warranty issues arise. Plus it's about $200 more.

The one thing that seems to be missing on the Siglent is a force trigger. Am I just not finding it?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on December 21, 2020, 02:36:12 am
I really do like the Micsig, a lot. Unfortunately, they don't seem to be well represented here in the US. I'm not sure who will be there for me if warranty issues arise. Plus it's about $200 more.

The one thing that seems to be missing on the Siglent is a force trigger. Am I just not finding it?
Modern Siglents don't have a Force and I've never found any need for it. Stop will let you see the waveform as still where you can make the settings required to get stable triggering.
The most powerful feature of a DSO is its trigger suite and knowing have to use it to best effect is paramount to using a DSO to its potential.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: 2112 on December 21, 2020, 02:58:58 am
I found this in the manual "Note: You can force the oscilloscope to trigger by pressing the Single button
twice. The trigger status in the upper left corner of the screen will be displayed
as "FStop"."


I will use force sometimes to to look at my signal while waiting for a trigger
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Fungus on December 21, 2020, 09:57:40 am
I really do like the Micsig, a lot. Unfortunately, they don't seem to be well represented here in the US. I'm not sure who will be there for me if warranty issues arise.

Fair enough.

Plus it's about $200 more.

 :o  I hadn't checked over there but here in Europe they're only about 35 Euros more than the Siglent.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: 2112 on December 26, 2020, 03:23:30 pm
I contacted Siglent USA. They handle all warranty and repair issues at their Ohio facility. That's a big plus.
They also recommend a 2G memory stick, 4G max.

I'll place my order on Monday
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: DarthDomo on December 31, 2020, 12:28:45 pm
Just wanted to say that I got my SDS1104X-E today (12/30/2020), and thanks to the Python script method, got it upgraded to 200 MHz and unlocked all options within 10 minutes of getting it out of the box  ;D

Thank you to everyone who's contributed, for the guide and overall very helpful info!  ^-^
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: GnomeZA on January 06, 2021, 11:04:25 am
I bought my scope from Amazon over December.  It was out of stock there when I ordered and shipped late December.  So in theory I should have one of the latest manufactured batches.

Calibration date on my scope is 2020-10-19.
Scope came from the factory with firmware "6.1.35R2".

200Mhz, AWG, MSO and WIFI unlock all worked out of the box.

It took me a few tries to get it to work, so for future visitors:

Use the script attached here: https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2568012/#msg2568012 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2568012/#msg2568012)
Note that the linked URL didn't work for me, I had to use the script attached to the post.
I ran it twice.  Once using SCOPEID? once using the scope serial number.

The SCOPEID? output for 200Mhz "upgraded" the scope to 1204X-E.
The serial number output for WIFI, AWG & MSO was entered using the scope "install module" option.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: chronos42 on January 09, 2021, 10:37:43 am
After some trying I now have enabled all options at my SDS2202X-E with the python script from WGoeo.
Here the modified phyton script for the 2000X-E series:

-----------
import hashlib

serial = 'your serial number'

for opt in ('AWG', 'WIFI', 'MSO'):
   h = hashlib.md5((
      '5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2'
      'wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy' +
      'SDS2000X-E\n'.ljust(32, '\x00') +
      opt.ljust(5, '\x00') +
      2*((serial + '\n').ljust(32, '\x00')) +
      '\x00'*16).encode('ascii')
   ).digest()
   key = ''
   for b in h:
      if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
         m = b % 0x24
         b = m + (0x57 if m > 9 else 0x30)
      if b == 0x30: b = 0x32
      if b == 0x31: b = 0x33
      if b == 0x6c: b = 0x6d
      if b == 0x6f: b = 0x70
      key += chr(b)
   print('{:4} {}'.format(opt, key.upper()))

---------------
Important: You need the serial number, not the scope ID for this codes!

There is no bandwith hack for the SDS2202X-E, because this is not necessarry. I have this 200Mhz version, but to my surprise the -3dB point is @355MHz (checked with a Tektronix SG 504) with a 50Ohm termination. It seems the only difference between the 200Mhz and 350Mhz models are the probes.

Thank you for all the people here which had made this possible.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Sineira on January 09, 2021, 07:52:29 pm
The Mhz update worked by using the SCPI control.
However I can't get the AWG to update by entering it on the scope.
I also tried SCPI with LCISL AWG 0123456789ABCDE but it doesn't work.

SW:6.1.35R2 (Release Date 03.07.20) - Uboot: 8.1 - FPGA: 2019-11-15 - HW: 01-05

Could this be due to the new hardware version?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tv84 on January 09, 2021, 08:12:07 pm
I also tried SCPI with LCISL AWG 0123456789ABCDE but it doesn't work.

Tried with comma?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Sineira on January 09, 2021, 08:35:21 pm
I also tried SCPI with LCISL AWG 0123456789ABCDE but it doesn't work.

Tried with comma?

Yes, responds with success but no change.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Sineira on January 09, 2021, 09:58:04 pm
Well, using the wrong script, someone said the download version was good but it's a completely different script which only works for the Bandwidth.
Also, didn't work to do via SCPI but worked fine via the options menu on the scope.

This is the complete script:
import hashlib

SCOPEID = '0123456789abcdef'
SN      = 'SDSXXXXXXXXXXX'
Model   = 'SDS1000X-E'
          # 'SDS1000X-E', 'SDS2000X-E', 'SDS2000X+', 'SDS5000X', 'ZODIAC-'

bwopt = ('25M', '40M', '50M', '60M', '70M', '100M', '150M', '200M', '250M', '300M', '350M', '500M', '750M', '1000M', 'MAX')
otheropt = ('AWG', 'WIFI', 'MSO', 'FLX', 'CFD', 'I2S', '1553', 'FG', '16LA')

hashkey = '5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy'

def gen(x):
   h = hashlib.md5((
      hashkey +
      (Model+'\n').ljust(32, '\x00') +
      opt.ljust(5, '\x00') +
      2*(((SCOPEID if opt in bwopt else SN) + '\n').ljust(32, '\x00')) +
      '\x00'*16).encode('ascii')
   ).digest()
   key = ''
   for b in h:
      if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
         m = b % 0x24
         b = m + (0x57 if m > 9 else 0x30)
      if b == 0x30: b = 0x32
      if b == 0x31: b = 0x33
      if b == 0x6c: b = 0x6d
      if b == 0x6f: b = 0x70
      key += chr(b)
   return key.upper()
   
for opt in bwopt:
   print('{:5} {}'.format(opt, gen(SCOPEID)))
for opt in otheropt:
   print('{:5} {}'.format(opt, gen(SN)))
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: torch on January 22, 2021, 06:10:26 pm
I thought I had tried all the different Scope ID permutations.  Looks like I didn't.  The one that works is without dashes and leaving any other characters as they are.

For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):
  • Connect Scope to LAN
  • On Scope: In Utility menu -> Page (page 2)-I/O-IP Set
  • Either set a static IP address or enable DHCP-Save
  • Reboot.  If DHCP, use step 2 and get your scope's IP
  • Open Web Browser-input the IP address of scope
  • SCPI button on left.  In the command field: SCOPEID?
    (dont forget or miss the ? at the end.  it is important)
  • Copy the ID shown
  • Download the python script from wgeon just a few messages before this one
  • Open the script in Notepad.  Find the line that starts serial =
  • Delete everything between the two single quote marks, then place your scope ID there.

    NOTE: Your scope ID will probably contain dashes.  Remove them.  All you want are the the numbers and letters without spaces or dashes or anything else.

    Example:
    If SCOPEID? Returns: 1234-fedc-567b-89a0
    then the serial line in the script is:
    serial = '1234fedc567b89a0'

    Just remove the dashes.  Leave the rest alone.

  • Run this python script.  If you have Python already installed on your computer you can run it locally.  Otherwise a quick google search will turn up places to upload/paste the script and run it. (The first link in a Google of 'run python online' works)
  • In the 200M line the script will return a key of 16 characters.  Copy them.
  • Back in the web browser on the web page for the scope, in the SCPI command enter:MCBD (key)
    Don't include the ()s, just the 16 characters like this:  MCBD 0123456789ABCDEF

  • Reboot the scope

Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)

I wonder if there is a slight error in the above? I followed your directions until I got to that point, but then I put the ScopeID number in the "SCOPEID = '0123456789abcdef' line and the unit serial number (from the utility page) in the SN="SDSxxxxxxxxxxx" line.

I used the webpage script provided by WGoeo. But I had to fork it to insert my own numbers and run it. I bought this wifi dongle for $10, which is gold coloured, appears to be the correct one and worked perfectly:

https://www.amazon.ca/gp/product/B008IFXQFU (https://www.amazon.ca/gp/product/B008IFXQFU)

Since the unit comes with 30 free tries of the wifi, I just plugged in the dongle and didn't have to go hunt down a network cable to access the SCPI interface.

I unlocked the bandwidth in the SCPI command line and installed the other keys via the control panel.

Prior to unlocking, I used a fast-pulse generator to check the rise time. It was slower than my trusty old hacked DS1052. After the hack, it was dramatically improved, approaching (but not quite meeting) the performance of my ancient Tek 475. But much easier to see in daylight!!!

Firmware is 6.1.35R2, and the calibration certificate suggests it left the factory mid-December. (I had to laugh when I noticed the certificate was signed by "Your Wang"  :-DD)

I read through pages and pages of the 2 or 3 different threads on this hack before pulling the trigger and I think my eyes are still bleeding a little bit.  My thanks to all that went before, figured this out and shared it. Too many to mention all, but you know who you are!
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: torch on January 23, 2021, 08:06:08 pm
I have discovered that step 14 is not necessary. The scope changes bandwidth immediately on running the MCBD (key) command in the web UI. Not quite as convenient as a panel button or menu option, but with a laptop nearby and the wifi dongle installed, it is a readily available bandwidth limit switch.

For those that are still wondering if the hack really affects bandwidth, here are some screenshots of the signal from a home-made pulse generator I put together when hacking my Rigol DS1052. (all screen shots adjusted to 6 divisions of height, 2 nS/Div) (The pulse generator is directly BNC coupled to the scope input, so no probes involved.)

First, the signal as seen by the unlocked Rigol:

(https://picturehosting.verhey.org/siglint/rigol_DS1052-hacked.bmp)

Now, the same signal seen by a Tek 475, with the bandwidth limiter set to 100MHz:

(https://picturehosting.verhey.org/siglint/tek475_100MHz.JPG)

and finally, as seen by the stock, unhacked SDS1104X-E:

(https://picturehosting.verhey.org/siglint/siglent_SDS1104X-E.png)

But here it is in all it's glory with the Tek 475 set to 200MHz:

(https://picturehosting.verhey.org/siglint/tek475_200MHz.JPG)

And now the one you really wanted to see, the Siglent SDS1104X-E unlocked to think it is a SDS1204X-E:

(https://picturehosting.verhey.org/siglint/siglentSDS1204X-E.png)

Remember, each of these were fine-adjusted to 6 segments of height. This is what happens when I command the Siglent back to 100MHz from the laptop, without rebooting or making any other changes:

(https://picturehosting.verhey.org/siglint/siglentSDS1104X-E_unadjusted.png)

 



Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Sparky Faraday on January 27, 2021, 06:50:43 am
Hi,
Fascinating and way over my BW. I do audio . . . with tubes. However I want to buy this Siglent and do the hack as it will probably be the last scope I buy. Data logging and FFT are nice.

Beforehand I checked the downloads to make sure they are still available.

Here's the problem: Zippyshare is loaded with porn, malware links and everything but the software needed. Dazzled by the female body parts, an hour later I noticed this link, https://www45.zippyshare.com/v/SEUJEWE1/file.html, doesn't work.
Is there a work around?, a valid safe place where it's parked?
Thanks
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: thaistatos on January 27, 2021, 06:54:08 am
No need for download, simply run the python script online.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: torch on January 29, 2021, 03:21:17 pm
I ran the on-line script, BUT to do so, I had to create a free account and then fork the script. It would not allow me to substitute in my own scopeid and serial number otherwise.

I gather this is something new, put in place because of problems caused by anonymous users.

Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Pugduck on January 30, 2021, 07:14:02 am
I tried the Python app to increase my SDS1104x-e bandwidth to 200M. The app produced 4 key codes which I then tried on SCPI with the MBCD command. Unfortunately none of the codes worked. I know this as after each try I used the MBCD? command to see if the code was accepted but each time it returned the original 100M key code.
I am not sure if my software version is the cause of this : Software Version: 6.1.35R2
Are there any guys out there that had the bandwidth upgraded with this software version?
 :phew:
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Sparky Faraday on February 02, 2021, 05:16:54 am
I saw the 1104X-E at amazon today for $449 and pulled the trigger.

https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_4?dchild=1&keywords=siglent+sds1104x-u&qid=1612242815&sr=8-4 (https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_4?dchild=1&keywords=siglent+sds1104x-u&qid=1612242815&sr=8-4)

Delivery date is 2/6.
Last scope I will own. My analogue scope is a Hitachi 2ch 35mhz. Nice scope for audio but I want to have capture and be able to do some distortion analysis.

Please forgive me. I don't code and all the acronyms are unrecognizable to me so I may need some tutoring.

Now when you say run the Python code is this the code I downloaded from this thread, reply #24 from TV84, the Easter Egg code or this: * SDS1004X-E_ProMode.zip , or something else. ? It's a long thread.

And as always, I thank everybody on this forum. I would also be happy to find someone to either walk me thru this or have them do it for me all though doing it myself would be a novel experience. I just don't want to screw up a new piece of gear right away.

Thanks
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Sparky Faraday on February 02, 2021, 05:29:29 am
Everyone says the fan is noisy.

What fan is recommended to replace the stock fan or will a resistor do the job?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on February 02, 2021, 06:20:26 am
Everyone says the fan is noisy.

What fan is recommended to replace the stock fan or will a resistor do the job?
Noise is relative and it worries some and not others.

Replacing the fan with a similar spec Noctua won't noticeably reduce the noise which a customer reported to me today.
Wait until you receive the scope and then decide if it's an issue.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: cmd on February 02, 2021, 06:44:33 am
Everyone says the fan is noisy.

What fan is recommended to replace the stock fan or will a resistor do the job?
Noise is relative and it worries some and not others.

Replacing the fan with a similar spec Noctua won't noticeably reduce the noise which a customer reported to me today.
Wait until you receive the scope and then decide if it's an issue.

Dang, got this scope in yesterday, and I was literally gonna start looking at what size fan it uses because I have a handful of tiny noctua fans on hand! Guess I'll just skip it then.

Noise is certainly relative, and it's loud enough it bugs me — but my lab is quiet. It's slightly louder than my mini-fridge, which also bugs me, but less loud than my PC's fans at a moderate load on a warm day.

But I tend to not get bugged when I zone in working on something, so I imagine I'll get used to it pretty quickly.

I uploaded a short clip of it to YT here so you can kinda try and get a sense for the sound. I turn the power off at the end so you can hear the level of ambient noise in my room: https://youtu.be/uH3uQ4Qn9dI
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: tautech on February 02, 2021, 08:13:31 am
Everyone says the fan is noisy.

What fan is recommended to replace the stock fan or will a resistor do the job?
Noise is relative and it worries some and not others.

Replacing the fan with a similar spec Noctua won't noticeably reduce the noise which a customer reported to me today.
Wait until you receive the scope and then decide if it's an issue.

Dang, got this scope in yesterday, and I was literally gonna start looking at what size fan it uses because I have a handful of tiny noctua fans on hand! Guess I'll just skip it then.

Noise is certainly relative, and it's loud enough it bugs me — but my lab is quiet. It's slightly louder than my mini-fridge, which also bugs me, but less loud than my PC's fans at a moderate load on a warm day.

But I tend to not get bugged when I zone in working on something, so I imagine I'll get used to it pretty quickly.

I uploaded a short clip of it to YT here so you can kinda try and get a sense for the sound. I turn the power off at the end so you can hear the level of ambient noise in my room: https://youtu.be/uH3uQ4Qn9dI
Welcome to the forum.

Sounds perfectly normal in the vid.
Part of an investigation I cut the metal grille away from the fan however it made no appreciable difference so with the info from a customer that fitted a stock equivalent Noctua fan I believe the only options left are to place a series resistor in the fan lead to slow the fan marginally to a noise level to your liking.

Would I do it.......no !
We already know these scopes have a Quick Cal feature that makes minor adjustments to maintain accuracy while the scope reaches full operation temp with the stock fan and when doing those adjustments it's been reported that minor periods off scope inactivity take place so to mess too much with the stock setup could have unexpected undesirable consequences.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: jamesraykenney on February 02, 2021, 10:01:53 pm
I saw the 1104X-E at amazon today for $449 and pulled the trigger.

https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_4?dchild=1&keywords=siglent+sds1104x-u&qid=1612242815&sr=8-4 (https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_4?dchild=1&keywords=siglent+sds1104x-u&qid=1612242815&sr=8-4)

Delivery date is 2/6.
Last scope I will own. My analogue scope is a Hitachi 2ch 35mhz. Nice scope for audio but I want to have capture and be able to do some distortion analysis.

<snip>

And as always, I thank everybody on this forum. I would also be happy to find someone to either walk me thru this or have them do it for me all though doing it myself would be a novel experience. I just don't want to screw up a new piece of gear right away.

Thanks

Same here, except that I saw it yesterday, fought with myself until this morning, and pulled the cord... It says:  Arriving Thursday!!!


Partially off topic, but what type of bnc cable should I get to connect it to my signal generator? I already have at some 50ohm bnc terminators and some bnc 'T' adapters ordered, but just what specs do I need for the cable itself?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: MMARTINI on February 04, 2021, 11:36:37 pm
I tried the Python app to increase my SDS1104x-e bandwidth to 200M. The app produced 4 key codes which I then tried on SCPI with the MBCD command. Unfortunately none of the codes worked. I know this as after each try I used the MBCD? command to see if the code was accepted but each time it returned the original 100M key code.
I am not sure if my software version is the cause of this : Software Version: 6.1.35R2
Are there any guys out there that had the bandwidth upgraded with this software version?
 :phew:

I have the same firmware version as you. The MBCD command worked for me. The first time I tried the python script it didn't work. I am pretty sure I had one of the letters as a capital rather than lower case. I just copied the scope id from the SCPI and directly pasted it into python. Just make sure to delete the dashes. Are you are using the link from post #158?   
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Sparky Faraday on February 07, 2021, 05:31:39 pm
Fan is tolerable. Thanks
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Roman oh on February 11, 2021, 09:44:31 am
I got my SDS1104X-E the other day, got it upgraded to 200 MHz and unlocked all options with 15 minutes at the computer all as per the advice on this board ;D
Of course, reading the board in the first place from go to whoa took a bit longer ;D
 
Thank you to everyone who's contributed, for the step by step guide and overall very helpful info!  ^-^
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Seeed on March 03, 2021, 02:33:32 pm
#168, BIG THX to oldcqr,

this was the only way for me to enable the requested function(s). I got the scope at the 1st of March with firmware/software as described in this post, but it was NOT possible to connect via telnet. Only the way around the Python-Script worked like a charm. I think, that SIGLENT did some "adjustments" within the firm.  8)
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: volkerk on May 09, 2021, 03:48:16 pm
Hi all,

thanks for this excellent work.
Just bought a SDS1104X-E.
Software Version: 8.1.6.1.35R2
For all that wan't to know if it's still possible, to recover your keys in a case of an emergency (lost receipt etc.): yes!

I can confirm, that using this https://replit.com/@wgoeo/siglent-keygen (https://replit.com/@wgoeo/siglent-keygen) script, which I ran locally on my PC using Python 3.9 interpreter, works like a charm.

Enter in the script header:
- the SCOPE-ID without dashes, spaces etc (just numbers and lowercase letters), which you can obtain via the SCPI web interface using the command > SCOPEID? (without the leading >)
- The SN, which you can see at the web interface of the scope at the start page (connect your scope via LAN or WLAN).

The 200M option needs to be entered via the SCPI web interfaces using the command > MCBD XXXXYYYYYY (without the leading > and XXXXYYYYYY being the output of the above python script in the line starting with "200M")
The other options (AWG; WIFI, MSO) need to entered via the UI of the scope. Printing them out like this AAAA BBB CCCC DDDD make life a lot easier, since you need to enter them in blocks of 4.

Using this TP-Link stick will result in a working Wifi:
https://www.tp-link.com/en/home-networking/adapter/tl-wn725n/ (https://www.tp-link.com/en/home-networking/adapter/tl-wn725n/)

It's dirt cheap at .e.g Amazon.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: Jarrod on June 23, 2021, 04:52:51 am
The 200M option needs to be entered via the SCPI web interfaces using the command > MCBD XXXXYYYYYY (without the leading > and XXXXYYYYYY being the output of the above python script in the line starting with "200M")
The other options (AWG; WIFI, MSO) need to entered via the UI of the scope. Printing them out like this AAAA BBB CCCC DDDD make life a lot easier, since you need to enter them in blocks of 4.
It's dirt cheap at .e.g Amazon.

Just got my 1104x-e today.  It is also running firmware 6.1.35R2.  This (and the previous python script posted earlier) worked for me, producing keys that unlocked the WiFi, MSO, AWG features.

I had problems with the bandwidth key because originally I did not remove the dash characters from my SCOPEID? output before putting it in the python script.  You have to do that.  Then and only then will the hash function also produce the correct keys for the bandwidth settings.  I actually think it produces the correct keys for the add-on features without SCOPEID at all.

I put an updated-for-2021 step-by-step guide in this blog post (https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/).
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: oldcqr on July 12, 2021, 06:29:01 pm
To everyone that said thank you, you are welcome!

Just an update [tl;dr  - Now up on latest firmware with all options enabled]

My scope came with 8.1.6.1.33, and a few pages ago (almost 2 years now) I was successful in the update from 100m to 200m.  At the time I did not apply any of the other codes. 

A few days ago I found the wireless adapter I was pretty sure I needed (https://amzn.to/2TU4hLB).  I got it and sure enough, it worked in Demo mode.  Perfect.  I got the script back out, successfully generated the 3 option keys (using my Serial number, not scope ID).  Installed via the UI.  All 3 activated without issue.  WOO!

I then went ahead and downloaded the latest available firmware from Siglent (the 6.1.35R2 others have talked about), and installed that into the scope.  Again no problem and all the options remained activated (along with 200m).

The only weirdness was that the Wireless adapter did not get found after the first reboot.  I had to remove the USB adapter, reboot a second time, and then install it.  Wireless came back up.  I was sweating just a little - but it didn't make sense it worked on the older version and not the new.

As per the release notes, you should perform a self calibrate if you came from 6.1.33 or earlier.
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: cdc3oo on September 12, 2021, 02:10:22 pm
Hi 1104X-E users !

I just discovered FW 6.1.37R2 has been issued few weeks ago. This update requires base OS V2 install (I assume it is for new NTP client functionality but I may be wrong).

Anyone had a try with it ? If yes, is there any nasty side effect ?
Title: Re: Unlocking Siglent SDS1104X-E, step by step
Post by: blurpy on September 12, 2021, 02:21:04 pm
Hi 1104X-E users !

I just discovered FW 6.1.37R2 has been issued few weeks ago. This update requires base OS V2 install (I assume it is for new NTP client functionality but I may be wrong).

Anyone had a try with it ? If yes, is there any nasty side effect ?

I think the OSv2 update is voluntary. The new firmware breaks WiFi though, if you use that.
See more in the regular thread: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3666196/#msg3666196 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3666196/#msg3666196)

Edit: the announcement: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3643876/#msg3643876 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3643876/#msg3643876)