Unlocking Siglent SDS1104X-E, step by step

[not1xor1]

everyone is NOT at your esteem level of knowledge. What MAY be simple to YOU, isn't to others.[/color] We have one Dictator Trump in my country that thinks is is always right, the world doesn't need more like him.

IMHO it is a wrong comparison as people writing here do have some real competence while Trump competence is limited to his very peculiar hair style 

[radiolistener]

hi guys. Is there any hack for SDS1102X model (not X-E)?

I tried to execute these commands through VXI11 SCPI:
- "SHELLCMD telnetd -l/bin/sh -p9999"
- "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"

but telnet didn't started and it even doesn't try to access usb stick...
Unfortunately there is no response from SHELLCMD command executed on VXI11 SCPI interface, so I even don't know if it is implemented...

[Rerouter]

The X model is blackfin based not arm-linux,

This thread seems to be for it, but it seems it needs a hardware patch for full bandwidth from a quick glance,
https://www.eevblog.com/forum/testgear/siglent-sds2000x-hack/

To Videobruce, If you need help, ask nicely, Most of the later discoveries where made by different users than those in the first few pages,

The SCPI memdump method is the most recent, in that it requires no custom firmwares or rooting, but as a trade off the memory is dumped in an odd segment ordering, and some times the keys will be split over a memory segment boundary, so you may need to dump more than once to catch them, The searching through with a hex editor for the keyword will still work with this method, just takes a few tries to get,

To make it easier to find those keys, you can also copy the "/bin/siglent/firmdata0" folder, In there you will find .bin files relating to each option, open them in a hex editor, take the last 4 bytes and xor them 0xFF00FF00, and reverse there order, e.g. 0xC734B24D = 0x38344d4d, this is ascii, 84MM, flip it so its MM48, and there is the first 4 characters of that option to search for.

[videobruce]

IMHO it is a wrong comparison as people writing here do have some real competence while Trump competence is limited to his very peculiar hair style 

To Videobruce, If you need help, ask nicely, Most of the later discoveries where made by different users than those in the first few pages,

That was referring only to the disrespectful individuals mentioned, not the entire membership, nor was it referring to any 1st hand experience. (BTW, I wouldn't even give him credit for his hair either.)

[vtwin@cox.net]

I used the Mac OS "Hex Friend" editor to view the memdump.bin file and initially I thought I wasn't getting it but then it kinda stuck out like a sore thumb exactly as described in post #39 steps 21 - 23. What I'm NOT seeing are the Option codes #38 step 24. I see my serial number in two places but no 16 character strings nearby.

I started to try to use FindKeys but I don't use Visual Studio so not sure what I was doing there. I did a build the FindKeys prj and it did put a bin folder with a FindKeys.DLL and FindKeys.json but I don't understand how to run that... I thought there would a FindKeys.exe file? But Bandwidth was the main thing I wanted to upgrade... I will keep checking back here and maybe try the option codes again later... need a break now haha...  Many thanks!

I've never used visual studio on a mac, but normally when you build .net core apps on a PC you end up with a dll, which you execute from the command line via "dotnet mydllfilename.dll", e.g. dotnet.exe Findkeys.dll

I assume the same applies on a mac, from a terminal session.

[vt100]

This refers to the just plain nastiness here, specifically on the 1st page and throughout this thread (and others).

I'm new here, and I've found everyone completely helpful.

Presumably everyone is here to learn and so sometimes answers are not given to you on a silver platter, but answers contain enough information to make you think for yourself and hopefully learn something.

Understandably if you want someone to do it for you, you'll probably find their answer unhelpful.

[videobruce]

This has nothing to do with a "silver platter", nor anyone asking for someone else to do it for you. Have you read thru the first the 1st couple of pages??

[Rerouter]

The few of us that have dug into these things and chose to share it, we are already giving you something for free just because we thought it would help others, most of us enjoy this, however its easy to forget the knowledge base of a beginner, And like some of the discussions on the first page, to fully explain the reasons behind why you made those choices, We are good at breaking into things, not always at explaining how we did it.

Personally I see stuff very similar to what a room of engineers look like, some bite and go on the attack rather than clarifying there question

If you need something clarified, I'm right here to explain it as best I can,

I will say your earlier posts read as hostile at first glance, and your latest one still does, I will offer you a suggestion, PM fungus asking to update the first post with the latest unlock information, If you feel comfortable with the info and procedure you could prepare it for him, otherwise just ask Nicely.

[vtwin@cox.net]

This has nothing to do with a "silver platter", nor anyone asking for someone else to do it for you. Have you read thru the first the 1st couple of pages??

As others have indicated, how you ask is sometimes more important than what you ask.

Given your attitude, I am not surprised you meet resistance.

[BillB]

videobruce,

Being one of those that posted on the first page of this thread, I do remember when/why it first started and the attitudes expressed that might not be clear to a new reader.  IIRC, there was some banter in other threads regarding which scope was the best bang-for-buck/most-easily-hackable - essentially a pissing-contest between two camps of brand supporters.  I won't speak for Fungus as to why he started this thread (I respect all those who've contributed to this forum; there are a number of highly knowledgeable and helpful people here) but my first impression at the time was that he started this ironically, to continue the banter  .  (I could certainly be wrong about this, but again that was my feeling at the time) 

I think that is why the tone of the first page of this thread was more adversarial than usual.  Please don't take this as an example of the attitudes of many of the regulars here; this is generally an extremely helpful and informative bunch.   

[harpster58]

[quote I've never used visual studio on a mac, but normally when you build .net core apps on a PC you end up with a dll, which you execute from the command line via "dotnet mydllfilename.dll", e.g. dotnet.exe Findkeys.dll [/quote]

Actually I only used the hex editor on Mac as Notepad++ on PC wasn't giving me the view I needed.  I downloaded Visual Studio and set up on PC... never worked with it before. So I guess I did everything correct but I just had no idea how to open the the file or even what file to open. I'll see if I can do it now using command line.  Tx!

[phil303]

Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.

Code: [Select]

FP = 'YOUR_FILE_PATH'


def crazy_check(byte, l):
    return (
        (byte < ord('2') or byte > ord('9')) and
        ((byte < ord('A') + l) or (byte > ord('Z') + l)) and
        (byte != ord('L') + l) and (byte != ord('O') + l)
    )


parts4 = set()
parts8 = set()
parts12 = set()
keys = set()


def find_keys(fp):
    with open(fp, 'rb') as f:
        entire_buffer = f.read()

        l = 0
        for j in range(2):

            i = 0
            str_start = 0
            str_size = 0

            for i in range(len(entire_buffer)):
                byte = entire_buffer[i]

                if crazy_check(byte, l):
                    b = (str_start % 4096 == 0) or (i % 4096 == 0)

                    if str_size > 15 or (str_size > 3 and b):
                        str_end = str_start + str_size
                        if str_size % 16 == 0:
                            s = entire_buffer[str_start:str_end].decode('utf8')
                            while len(s) > 15:
                                left_string, s = peel_off_string(s, 16)
                                check_and_add(left_string)

                        if str_size % 4 == 0 and b:
                            for x in range(0, 16, 4):
                                s = entire_buffer[str_start:str_end].decode('utf8')
                                left_string, s = peel_off_string(s, x)
                                check_and_add(left_string)

                                while len(s) > 15:
                                    left_string, s = peel_off_string(s, 16)
                                    check_and_add(left_string)

                                check_and_add(s)

                    str_size = 0
                    str_start = i + 1

                else:
                    str_size += 1

            l += 32

        keys.union(consolidate_parts(parts8, parts8))
        keys.union(consolidate_parts(parts4, parts12))
        keys.union(consolidate_parts(parts12, parts4))

        for k in keys:
            print(k)


def check_and_add(string):
    is_ok = string.isupper() and len(string) % 4 == 0 and len(string) > 0
    if is_ok:
        if len(string) == 4:
            parts4.add(string)
        if len(string) == 8:
            parts8.add(string)
        if len(string) == 12:
            parts12.add(string)
        if len(string) == 16:
            keys.add(string)


def peel_off_string(string, i):
    left_string = ""
    if len(string) >= i:
        left_string = string[:i]
        string = string[i:]
    return left_string, string


def consolidate_parts(p1, p2):
    rc = set()
    for i, s1 in enumerate(p1):
        for j, s2 in enumerate(p2):
            if i != j:
                s = s1 + s2
                rc.add(s)
    return rc


if __name__ == '__main__':
    find_keys(FP)


[harpster58]

Worked! When putting in File Path (FP = 'YOUR_FILE_PATH') be sure to use fwd slashes "/" not back "\" slashes. At first nothing happened... takes a little time to process then I got all the keys. Since i had already gotten the bandwidth keys I just deleted them and the 3 or 4 text strings that were returned. That left me with 4 keys and pretty easy to re-enter the keys for the options until I got them all correctly. Not sure with the extra key was for maybe an unused option.

Anyway very cool, thanks for posting this!

Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.

Code: [Select]

FP = 'YOUR_FILE_PATH'


def crazy_check(byte, l):
    return (
        (byte < ord('2') or byte > ord('9')) and
        ((byte < ord('A') + l) or (byte > ord('Z') + l)) and
        (byte != ord('L') + l) and (byte != ord('O') + l)
    )


parts4 = set()
parts8 = set()
parts12 = set()
keys = set()


def find_keys(fp):
    with open(fp, 'rb') as f:
        entire_buffer = f.read()

        l = 0
        for j in range(2):

            i = 0
            str_start = 0
            str_size = 0

            for i in range(len(entire_buffer)):
                byte = entire_buffer[i]

                if crazy_check(byte, l):
                    b = (str_start % 4096 == 0) or (i % 4096 == 0)

                    if str_size > 15 or (str_size > 3 and b):
                        str_end = str_start + str_size
                        if str_size % 16 == 0:
                            s = entire_buffer[str_start:str_end].decode('utf8')
                            while len(s) > 15:
                                left_string, s = peel_off_string(s, 16)
                                check_and_add(left_string)

                        if str_size % 4 == 0 and b:
                            for x in range(0, 16, 4):
                                s = entire_buffer[str_start:str_end].decode('utf8')
                                left_string, s = peel_off_string(s, x)
                                check_and_add(left_string)

                                while len(s) > 15:
                                    left_string, s = peel_off_string(s, 16)
                                    check_and_add(left_string)

                                check_and_add(s)

                    str_size = 0
                    str_start = i + 1

                else:
                    str_size += 1

            l += 32

        keys.union(consolidate_parts(parts8, parts8))
        keys.union(consolidate_parts(parts4, parts12))
        keys.union(consolidate_parts(parts12, parts4))

        for k in keys:
            print(k)


def check_and_add(string):
    is_ok = string.isupper() and len(string) % 4 == 0 and len(string) > 0
    if is_ok:
        if len(string) == 4:
            parts4.add(string)
        if len(string) == 8:
            parts8.add(string)
        if len(string) == 12:
            parts12.add(string)
        if len(string) == 16:
            keys.add(string)


def peel_off_string(string, i):
    left_string = ""
    if len(string) >= i:
        left_string = string[:i]
        string = string[i:]
    return left_string, string


def consolidate_parts(p1, p2):
    rc = set()
    for i, s1 in enumerate(p1):
        for j, s2 in enumerate(p2):
            if i != j:
                s = s1 + s2
                rc.add(s)
    return rc


if __name__ == '__main__':
    find_keys(FP)


[mroek]

I'm a bit curious about the actual key generation. As far as I can understand, each individual scope has it's own unique set of keys. Are these keys stored in some kind of nonvolatile/read-only memory (perhaps in a separate memory partition), and generated during production? Or perhaps the keys are generated with the serial number as the input, so only the serial number needs to be stored during production?

[vtwin@cox.net]

Keys are generated off the scopeid and serial number using an algorithm only Siglent, and those savvy enough to disassemble the scope application, know.

Someday maybe I can afford a copy of IDA Pro with the requisite disassemblers so I can fall into the latter category

[mroek]

Keys are generated off the scopeid and serial number using an algorithm only Siglent, and those savvy enough to disassemble the scope application, know.

Someday maybe I can afford a copy of IDA Pro with the requisite disassemblers so I can fall into the latter category

Ok, thanks. IDA Pro is rather expensive, and it would still take quite a bit of work to reverse-engineer the algorithm, so as long as the actual generated keys (on a device you own) can be found by other methods, it really isn't worth it.

[Rerouter]

Reverse engineering atleast from my own perspective is one of those few topics that throw you full well into the deep end from the get go, as there is no 1 true way to approach it, and the skill level of the power users, you will struggle finding answers on how to drive the bloody programs early days (not to many hits on stack overflow)

I only started digging because I was bored and had a program do a incrementing search for SCPI queries and started turning up a lot of things that where undocumented, I wanted to figure out what other functions where baked into the thing, and well now I'm down the rabbit whole patching typos, and trying to figure out how the protocol decoders work, in my own vain hopes that I may be able to format out some new ones.

[mroek]

I received my scope today, and the info in this thread enabled me to find all keys without breaking a sweat, so thanks to all that contributed with info. For reference, I used the full memory dump method (by sending the SCPI command from the web interface), and then searched the dump file with a hex editor. No need for any scripts or anything.

[Coldblackice]

Reverse engineering atleast from my own perspective is one of those few topics that throw you full well into the deep end from the get go, as there is no 1 true way to approach it, and the skill level of the power users, you will struggle finding answers on how to drive the bloody programs early days (not to many hits on stack overflow)

I only started digging because I was bored and had a program do a incrementing search for SCPI queries and started turning up a lot of things that where undocumented, I wanted to figure out what other functions where baked into the thing, and well now I'm down the rabbit whole patching typos, and trying to figure out how the protocol decoders work, in my own vain hopes that I may be able to format out some new ones.

How did you learn how to do this? I would love to know how to go about doing this from scratch, what your process/tools were. Do you use IDA PRO at all? Would you be able to do this with IDA PRO?

[Rerouter]

I use IDA. Yes. Main things to start with is the strings subveiw. You dont really need to reverse anything to see some interesting strings in most programs.

Next would be setting the right architechture for what your reversing. Armv7 a/r from memory.

And finally the basics of the assembler your working with. E.g. BL branch load. And stack push and pull commands tend to give a nice indication where things start and stop.

There is some fiddly stuff to allow ida to name longer string variables. But that comes later.

[vtwin@cox.net]

I use IDA. Yes. Main things to start with is the strings subveiw. You dont really need to reverse anything to see some interesting strings in most programs.

Next would be setting the right architechture for what your reversing. Armv7 a/r from memory.

And finally the basics of the assembler your working with. E.g. BL branch load. And stack push and pull commands tend to give a nice indication where things start and stop.

There is some fiddly stuff to allow ida to name longer string variables. But that comes later.

Reminds me of my childhood 40 years ago, when I would take hex dump reports of Z80 and 6502 machine code and manually disassemble the program into marble black graph-ruled notebooks. I learned z80 machine code when I was 13.

It is the only real way you can begin to learn what a program is doing. (It also made me a better developer, being able to think in low-level terms rather than at a higher, abstract level. I can visualize solutions (like bitmaps) that other developers I work with cannot.)

of course, this also assumes you have an understanding of processor operations (e.g. registers, stack, etc.), addressing schemes, etc. So at a minimum you have to find the technical documentation on the processor you're looking to work with.

I would say it was probably a lot easier back then, when programs were written in assembler. I've never tried to manually disassemble a program compiled from a higher-level language.

I do miss doing it. I also miss Latin class in school during my teenage years too. I must be getting nostalgic in my old age.

[tv84]

I don't know if the IDA Latin language pack exists but you could try a 2-in-1 ! 

[vtwin@cox.net]

I don't know if the IDA Latin language pack exists but you could try a 2-in-1 ! 

About a year ago I purchased a latin vulgate and latin-to-english dictionary with the intention of reading/translating, but have yet to get around to it.

way back when, we had a local church which still held latin masses, it was good practice, once I was able to train my brain to decipher ecclesiastical latin.

[tv84]

way back when, we had a local church which still held latin masses, it was good practice, once I was able to train my brain to decipher ecclesiastical latin.

WOW!  Compared with that, assembly is for kids!

[BillB]

If IDA is too expensive for you, consider Ghidra

https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/