Author Topic: Hack of Sigllent spectrum analyzer ssa3021X?  (Read 438642 times)


Offline RyanBoggs

  • Newbie
  • Posts: 6
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1025 on: July 22, 2022, 10:07:56 pm »
Ok, I was definitely doing it wrong xP.  I wasn't telnetting to the right thing lol.  I was able to telnet into port 5024 and reactivate telnet on port 23 just as was suggested.  Now I just have to run back through this thread to find the appropriate method to pull off the hack.
 

Offline RyanBoggs

  • Newbie
  • Posts: 6
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1026 on: July 23, 2022, 11:47:00 am »
Ok cool!  Was able to telnet in and change the file names and now everything is unlocked! Though I didn't do the thing where my SN is preserved, but I don't really care too much unless that somehow causes issues.

I followed this procedure:
https://www.eevblog.com/forum/testgear/hack-of-sigllent-spectrum-analyzer-ssa3021x/msg1299182/#msg1299182

Now I am only curious about this mysterious 2.1.1.1 firmware that doesn't seem to be available on Siglent's website.
 
The following users thanked this post: epsilon888

Offline RoV

  • Regular Contributor
  • *
  • Posts: 181
  • Country: it
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1027 on: July 23, 2022, 08:47:49 pm »
Ok cool!  Was able to telnet in and change the file names and now everything is unlocked!
Now I am only curious about this mysterious 2.1.1.1 firmware that doesn't seem to be available on Siglent's website.

Happy that you managed to unlock options!
Regarding instruments sold with a newer firmware version than published as an update, it's not the only case: for example, SDS2202X-E scopes have been sold with firmware 1.1.20R3 since at least mid-2021, but most recent published firmware is still 1.1.19R5 dated 3/2020. I have one and I managed to find a copy of the 1.1.20R3 update ADS file thanks to an eevblog user. I have complained about this more than once and also with the Siglent representative for my country, but with no feedback from the factory. I wonder if the new release may not be 100% compatible with earlier hardware versions, although it seems to work fine with my scope and solves several bugs.

Offline epsilon888

  • Newbie
  • Posts: 9
  • Country: se
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1028 on: July 24, 2022, 03:31:03 pm »
Hi. Did you only change file names (and not edit any of the files)?

I have managed to get access via telnet, but the NSP_sn_bandwidth.xml only contains:

<?xml version="1.0"?>
<nsp_system_info_root>
   <device>
      <system_information>
         <serial_number>
            <chip>0123456789</chip>
         </serial_number>
      </system_information>
   </device>
</nsp_system_info_root>


and the NSP_trends_config_info.xml

<?xml version="1.0" encoding="UTF-8"?>
<nsp_trends_info_root>
   <device>
      <language>english</language>
      <pid>0x1301</pid>
      <vid>0xf4ec</vid>
      <product_type_1>SSA3075X</product_type_1>
      <product_type_2>SSA3050X</product_type_2>
      <product_type_3>SSA3032X</product_type_3>
      <product_type_4>SSA3021X</product_type_4>
      <product_type_5>SSA3015X</product_type_5>
      <manufacturer>Siglent</manufacturer>
      <Support_Touch_Flag>1</Support_Touch_Flag>   
      <Support_VXI11_Flag>1</Support_VXI11_Flag>
      <file_prefix>CP_</file_prefix>
   </device>
</nsp_trends_info_root>

Thanks in advance!



« Last Edit: July 26, 2022, 09:28:51 am by epsilon888 »
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 775
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1029 on: July 24, 2022, 04:36:22 pm »
I have one of the first ssa3021X (from 2016 :o OMG, how time flies) - this one could be hacked with the serial number preserved. This is also important, because e.g. EMCView from Tekbox is licensed to the serial number of the SA and will (probably) not run without a SN.
This fact has so far kept me from switching to a Plus model. As I am not 100% sure, I am asking: there is still no way to keep the serial number, even with the newer ssa3021X-Plus devices?
 

Offline RyanBoggs

  • Newbie
  • Posts: 6
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1030 on: July 24, 2022, 05:26:13 pm »
Hi. Did you only change file names (and not edit any of the files)?

You only need to change the file names to pull it off. However, your serial number won't be preserved in the system.  I don't see exactly why it might need to be preserved anyway, though some seem to say it might prevent firmware updates from deleting the exploit.  The methods for preserving the SN seem a bit more complicated so I just went the easy route.
 
The following users thanked this post: epsilon888

Offline mattjgriff66

  • Newbie
  • Posts: 2
  • Country: gb
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1031 on: August 30, 2022, 02:53:52 pm »
Yes, Root and password are needed, but how do you enter them when it doesn't ask for them?
 

Offline mattjgriff66

  • Newbie
  • Posts: 2
  • Country: gb
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1032 on: August 30, 2022, 04:05:31 pm »
Hi. Did you install an older firmware than default in the instrument? If so, what was your default firmware? Thanks.

Hi, modification has been done with 1.3.9.6, which was updated from initial version 1.3.9.5 @ delivery.
Finally after modification updated to 1.3.9.7


Regards
Thomas

Mine was at 1.3.9.8, dropped it down to 1.3.9.6 and was able to telnet on port 10101 with the file SSA3000X_telnet listed by tv84,
I didn't have to use a login or pw, when I tried it didn't recognize the commands, but it was displaying the Arago project logo and seem to be responding, I then typed in the following commands.

cd /   
cp -R /usr/bin/siglent/usr/backup /usr/bin/siglent/usr/mass_storage/U-disk0/SA-backup 
cp -R /usr/bin/siglent/firmdata0 /usr/bin/siglent/usr/mass_storage/U-disk0/SA-firmdata0
The progress bar on the SSA stopped at 60% so I waited about 20 minutes, I then pulled the USB out and restarted the SSA, it was not bricked, then read the USB stick on the PC and the two files were in there. I tried the whole procedure again and this time after the two files were written to the USB stick by the SSA using SSA3000X_telnet I entered the following commands,

cd /   
mount -o remount,rw /dev/ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv NSP_sn_bandwidth.xml NSP_sn_bandwidthx.xml
cd /
cd /usr/bin/siglent/usr/backup
mv NSP_sn_bandwidth.xml NSP_sn_bandwidthx.xml
cd /
sync
exit

Didn't get any errors but after restarting the SSA it turned on just fine but no upgrades.  |O

Any help would be appreciated.

Root and PW is necessary

How to enter root and the password ? It doesn't ask for it, straight to the command prompt.
 

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1745
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1033 on: August 30, 2022, 05:41:07 pm »
Picture or it did not happen!

You are either telnetting to some other device or you are using the SCPI port at 5224 (if I am not mistaken). That does work with telnet protocol but only accepts SCPI commands.


Offline trampas

  • Contributor
  • Posts: 44
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1034 on: August 30, 2022, 07:03:35 pm »
I just got a SSA3021x with 2.1.1.1.r1 firmware.  I was able to do the hack through telnet, specifically:

Format USB flash drive as FAT32 and insert into unit, then:

- telnet to port 5024 (SCPI) and send the command 'DEBTTT' (this should start a telnet server on port 23)
- telnet to port 23 and log in as 'root', pw 'ding1234'

cd /   
cp -R /usr/bin/siglent/usr/backup /usr/bin/siglent/usr/mass_storage/U-disk0/SA-backup
cp -R /usr/bin/siglent/firmdata0 /usr/bin/siglent/usr/mass_storage/U-disk0/SA-firmdata0
mount -o remount,rw /dev/ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv NSP_sn_bandwidth.xml NSP_sn_bandwidthx.xml
mv NSP_trends_config_info.xml NSP_trends_config_infox.xml   
mv nsp_data_b1 nsp_data_bx   
cd /usr/bin/siglent/usr/backup   
mv NSP_sn_bandwidth.xml NSP_sn_bandwidthx.xml
mv NSP_trends_config_info.xml NSP_trends_config_infox.xml
mv nsp_data_b1 nsp_data_bx
cd /
sync   
logout

reboot


Note, I had to change the nsp_data_b to nsp_data_b1, but once I did this it shows all the options.

Then I went to upgrade the firmware from the Siglent website and it appears that firmware updates do not work.  The unit shows it is updating firmware and has an hourglass icon for several seconds but then when done it does not reboot and the firmware is the same version.
Has anyone else seen this problem?
« Last Edit: August 30, 2022, 07:06:36 pm by trampas »
 

Offline trampas

  • Contributor
  • Posts: 44
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1035 on: August 30, 2022, 07:13:20 pm »
I think the issue is that my unit is not the SSA3021X plus but rather the SSA3021X, so if you are buying a new unit you might want to make sure you are getting a plus unit, which appears to have higher bandwidth capability?
 

Offline tomud

  • Regular Contributor
  • *
  • Posts: 173
  • Country: pl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1036 on: August 30, 2022, 08:27:59 pm »
I think the issue is that my unit is not the SSA3021X plus but rather the SSA3021X, so if you are buying a new unit you might want to make sure you are getting a plus unit, which appears to have higher bandwidth capability?

Yes, it's different electronics, the Plus version can be upgraded to the full functionality of the SVA version (it's the same electronics). So we get VNA, digital modulation analysis etc.

However, in the case of the non-plus version, we can still extend the band to 3.2 GHz.

Recently, there has been some change regarding the hacking of spectrum analyzers from Siglent. It may turn out to be easier than you think;)
Check out this topic on the forum:  https://www.eevblog.com/forum/testgear/siglent-ssa3000x-spectrum-analyzers/msg4355635/#msg4355635
For every complex problem, there is a solution that is simple neat and wrong...
 

Offline trampas

  • Contributor
  • Posts: 44
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1037 on: August 30, 2022, 08:46:25 pm »
I returned the SSA3021X and purchased the SSA3021X-plus instead, for the extra $200 it is worth it to have the VNA features.

Thanks
 

Offline tomud

  • Regular Contributor
  • *
  • Posts: 173
  • Country: pl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1038 on: August 30, 2022, 08:50:08 pm »
I returned the SSA3021X and purchased the SSA3021X-plus instead, for the extra $200 it is worth it to have the VNA features.

Thanks

If it was possible, it was a good choice - now it is worth paying extra for the Plus version.
For every complex problem, there is a solution that is simple neat and wrong...
 

Offline RoV

  • Regular Contributor
  • *
  • Posts: 181
  • Country: it
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1039 on: August 30, 2022, 09:04:05 pm »
You are either telnetting to some other device or you are using the SCPI port at 5224 (if I am not mistaken). That does work with telnet protocol but only accepts SCPI commands.

Not absolutely sure about the 3021X, but with 3021X+ that I have, using tv84 special boot file to enable telnet on port 10101, no username/password are required. You get straight inside the Linux console.
Also later, by modifying startup_app.sh to include the telnet daemon.
User/pw are required if starting telnet from SCPI with command DEBTTT. Perhaps also when using the internal hardware serial port, but I never opened the unit to try  ;).

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1745
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1040 on: August 30, 2022, 10:44:39 pm »
I stand corrected.

Offline SHF

  • Regular Contributor
  • *
  • Posts: 55
  • Country: de
  • Radio Amateur
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1041 on: September 17, 2022, 04:08:06 pm »
New Firmware Version: V2.1.1.3R1

Improvements:
•  Optimize the Ref level and Att couple
 
Solved Issues:
•  Fix the zero sweep  type when fft  in SA mode 
•  Fix the OPC response in EMI mode 

https://int.siglent.com/download/firmwares/?ProId=29
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3263
  • Country: pt
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1042 on: September 17, 2022, 04:54:48 pm »
New Firmware Version: V2.1.1.3R1

This firmware must be upgraded from v2.1.1.1 or later. If your analyzer has an earlier version, don’t use this FW to update.

Huge change of Prod_ID to 11413.

Let's see what are the rest of the surprises...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3263
  • Country: pt
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1043 on: September 17, 2022, 05:09:35 pm »
I wonder if this is new HW...  ::)
 

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1745
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1044 on: September 17, 2022, 06:18:05 pm »
This is indeed probably due to new HW.

The old models with FW1.x are not compatible with FW2.x and vice versa.

Interestingly they replaced the "ecomb" with the new "Aladdin" binary.

The Aladdin bin is 22622469 bytes in size, while the ecomb has just 5113340 bytes (latest FW). The Aladdin FW is 4x bigger! Can it be the same bin as used by the Plus model?

This single FW works for 15, 32 and 75 models. But hold your horses: the FW has an individual folder with the bin file for the FPGA. I don't know if the HW is really the same for 32 and 75 models, but chances are, it might actually be. --> any volunteer with a new FW 2.x model wanting to test if you can upgrade the 15 to 32 or 75, or the 32 to 75? This is interesting!

Finally, despite the new public hack, it is good news that the hash used remains the same.

Other interesting things: this firmware activates a FTP daemon and a VNC daemon. These did not exist in FW1.x. My guess is that the base HW has a faster CPU? Nah, I really think they use the same base HW for SSA-X/SSA-P/SSA-R/SVA (note that the SVA-R has an extra RT board fitted). Probably the board/device is not fully populated for higher models. This makes sense to keep prices competitive. The SSA line has probably been effectively stopped from a HW point of view and for commercial reasons there is a new low-cost SSA-X based on the same HW platform as the SSA-P/SVA

UPDATE: I just checked and the Aladdin bin of the latest FW for the SSA-P is 13,856,588 bytes in size, half the size of the new SSA-X bin. That is strange!
UPDATE2: Apart from a different CRC on the Aladdin bin, all remaining files have the same CRC (SSA-X vs SSA-P) - All? Well, I checked most and they match. Conclusion: BOTH DEVICES USE THE SAME HW PLATFORM!

Regards,
Vitor
« Last Edit: September 17, 2022, 06:50:04 pm by Bicurico »
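
The kind of file-by-file CRC comparison described in the post above, as an added example that is not part of the original thread and not the poster's own tooling. It assumes both firmware packages have already been unpacked into directories; the directory layout, file names and file contents in `demo()` are constructed samples (only the name "Aladdin" comes from the thread).

```python
import os
import tempfile
import zlib


def crc32_of(path, chunk=1 << 16):
    """CRC32 of a file, streamed in chunks so large images are not loaded whole."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def index_tree(root):
    """Map relative path -> (size, crc32) for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (os.path.getsize(full), crc32_of(full))
    return out


def compare_trees(root_a, root_b):
    """Classify files as identical, different, or present in only one tree."""
    a, b = index_tree(root_a), index_tree(root_b)
    common = sorted(set(a) & set(b))
    return {
        "same": [p for p in common if a[p] == b[p]],
        "different": [(p, a[p], b[p]) for p in common if a[p] != b[p]],
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
    }


def demo():
    """Run the comparison on two constructed trees (not real firmware contents)."""
    shared = {"lib/libsample.so": b"constructed-lib", "etc/startup_app.sh": b"#!/bin/sh\n"}
    trees = {
        "ssa_x": {**shared, "bin/Aladdin": b"A" * 2048, "fpga/sample.bin": b"x"},
        "ssa_p": {**shared, "bin/Aladdin": b"B" * 1024},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for rel, data in files.items():
                full = os.path.join(tmp, tree, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "wb") as fh:
                    fh.write(data)
        return compare_trees(os.path.join(tmp, "ssa_x"), os.path.join(tmp, "ssa_p"))


if __name__ == "__main__":
    print(demo())
```

A matching CRC32 only shows that two files are very likely byte-identical; it is not a cryptographic integrity check.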
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3263
  • Country: pt
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1045 on: September 17, 2022, 06:58:09 pm »
Then I wonder if there is the possibility of crossflashing a SSA-X 2.0 to SVA...   ::)
 

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1745
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1046 on: September 17, 2022, 07:17:24 pm »
A crossflash to SSA-P or SVA might be possible, now that I am thinking of it.

But it comes with added risk, while a Recovery USB is not available.

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1745
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1047 on: September 17, 2022, 07:19:57 pm »
It kind of annoys me that the Aladdin is twice the size for the SSA-P.
Is it because this version works with all platforms and the license determines the functionality?
I would be interested to get any known key and matching HostID to check what model is used for the licensing.
But for sure there is potential for hacking! Any sponsor willing to provide me with a device?

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1745
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1048 on: September 17, 2022, 10:21:50 pm »
These are the license options found in the new Aladdin bin:

AMK
tMeas
tAMK
tALL
tLALL
CAT
DMA
AMA
WDMA
RTA
tEMI
tTG
tCAT
tDMA
tAMA
WDMA
tDTF
tVNA
tRTA
3021
3032
1015
RT40
MA
tMA
NA
tNA
NONE
7075
t7075
7050
t7050
3032
t3021
t1015
RT25

Looks like this Aladdin works on all variants...

Perhaps there is no crossgrade required, but just the appropriate license keys?

Just speculation, of course.

Offline TechMasterJoe

  • Newbie
  • Posts: 1
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #1049 on: September 20, 2022, 07:11:08 am »
just ordered a SSA3032X-R anyone want hardware photos when it gets here ?
I'm hoping for a 7.5ghz unlock
 

