Unlocking the Siglent SDS-1104X-E

As a birthday present, I recently bought myself my first oscilloscope. After researching the various makes and models for a fair while and eventually decided on the Siglent SDS-1104X-E. It’s a four channel model, with 100 MHz bandwidth and options to add a waveform generator and digital input.

Given this is my first ‘scope, I started a bit of reading to find out how to best use it. In the process, I came across an interesting post on the EEVblog forums indicating that it was possible to ‘upgrade’ the 1104X-E to the 200 MHz 1204X-E. This, of course, generated a fair bit of interest, with people eventually coming up with a method to extract the license keys from the oscilloscope’s memory.

I didn’t have a whole lot of luck with this, as I wasn’t able to get the version of busybox linked in the post to actually save a core dump. In addition, I wasn’t particularly fond of having to use a modified firmware file from a file sharing site as the first step in the process. After a bit of reading (particularly this blog post from 2007 and a post on the chumby forum), I managed to come up with a slightly different method.

• Download SDS1xx4X-E Operating System -V1 from the Siglent support site.
• Extract and mount the rootfs.cramfs file:

# mount -o loop -t cramfs /path/to/rootfs.cramfs ~/tmp

• As cramfs file systems are read-only, we need to copy the files to a new directory. Make a list of the files in the original file system, copy them to the new directory, then unmount the cramfs file system:

$ find ~/tmp > filelist.txt
$ cat filelist.txt | cpio -pdm siglentfs-mod/
# umount ~/tmp

• The only edit we’ll make is to the /etc/shadow file. Open the file using your favourite text editor, which looks like this:

root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::
siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::

• The hash is between the first and second colons in the line starting root. Generate a new password hash, and replace the hash in the shadow file with this new one.

$ mkpasswd -m sha-512 yourpassword DZO.HiUy
$6$DZO.HiUy$tws7P/jPrYETgX5rZCuyU5nhUTjaP//4o5W/6Ruq/Q95qUb5CLxB/i6uBMm7lMl6Y3P1ExXbMk3qPisxH14.H1

• Finally, use mkcramfs to compress the filesystem again. Current versions of Ubuntu include mkfs.cramfs, which for some reason the Siglent doesn’t seem to like. However, mkcramfs can be found as part of the original cramfs tools. Once you’ve built them, compress the filesystem:

$ mkcramfs siglentfs-mod/ rootfs.cramfs

• Follow the instructions in the Siglent update file, replacing rootfs.cramfs with the edited version.
• You should now be able to telnet to the oscillscope and log in as root with the new password. Plug in a USB drive, dump the contents of memory, and unmount the USB.

# cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
cat: read error: Bad address
# umount /usr/bin/siglent/usr/mass_storage/U-disk0/

From this point, the steps are the same as those in the step-by-step post, starting from step 21. Just in case they disappear, this is my interpretation of them:

• Open the memory dump using a hex editor search for the string ‘SDS1000X-E’. It’ll occur a number of times, you’re looking for where it appears approximately 25-30 bytes before the scope ID (found by typing SCOPEID? at the web-based SCPI prompt) and the serial number.
• After the scope ID appears twice, there will be five 16-character strings made of uppercase characters and digits. The first four are the licenses for 100 Mhz, 200 MHz, 50 MHz, and 70 MHz bandwidths respectively, and the fifth is the currently active bandwidth license.
• The ‘SDS1000X-E’ string will also appear near the serial number which for me was repeated as well. Following the serial number there will be a 48-character (again, uppercase and digits) string. Separating this into 16-character strings will give you your AWG, WIFI and MSO keys respectively.
• The bandwidth licenses need to be activated through the SCPI interface using MCBD <key>, while options can be activated either via the oscillscope’s menus or using the command LCISL <option> <key>.

Hopefully these steps help someone else work through the process. Please bear in mind that playing with the firmware of your test equipment carries the potential for Bad Things to happen (up to and including leaving it entirely non-functional), so don’t say you weren’t warned.

Getting started with the Pluto SDR

I’ve been interested in Software Defined Radio (SDR) for a while, and after tinkering with an RTL-SDR for a while decided to get something with a larger tuning range and transmit capability. Although I was originally planning to buy a HackRF One because of the well-established community around it, I ended up going with the Analog Devices ADALM-PLUTO as I was able to get it for significantly cheaper (approximately NZ$100 including shipping - the HackRF is easily NZ$500+).

My plan is to work through Michael Ossman’s SDR with HackRF, which uses GNU Radio. The Analog Devices Wiki recommends using PyBOMBS, but that doesn’t seem to be working on Ubuntu 18.04 and their alternative, building from source, is something I try to avoid if possible because I almost always make a mistake somewhere. If anyone else is in a similar situation, the myriadrf ppa has all of the packages you need. Since I was also looking to use Gqrx, the commands below include that as well.

Add the repositories to the package manager:

sudo add-apt-repository ppa:myriadrf/drivers
sudo add-apt-repository ppa:myriadrf/gnuradio
sudo add-apt-repository ppa:gqrx/gqrx-sdr        # Leave out if you don't want Gqrx.
sudo apt update

Then you just need to install GNU Radio, the gr-iio drivers and gqrx.

sudo apt install gnuradio gr-iio gqrx-sdr

Faster sampling over USB

I found a page on the Wiki that compares throughput between the USB and network backends (since the Pluto uses RNDIS to provide a virtual ethernet link). Playing around with a simple GNU Radio FM receiver seemed to give similar results as those on the Wiki, as I was able to push the sample rate to 5.25 MHz over USB without buffer underruns, compared with around 4 MHz over the network interface. I’m sure there’s a standard Linux tool to find it, but I used iio_info from the iio_utils package. That gave me a URI in the form of [usb:x.x.x], which replaced pluto.local in the Device URI field of the PlutoSDR block.

Update (21 August 2018) to add performance improvement.

Posting from multiple computers

One of the issues with my current Jekyll/NearlyFreeSpeech.NET setup is that I haven’t been able to post if I’m not working on my laptop which has the only copy of the site’s git repository. That’s not been a problem previously, but lately I’ve been working from my desktop a bit more and have a project on that machine that I’d like to write up. My goal with this little tweak was to migrate the repository to a server, though setting this up has been more useful than I expected.

Full post →