Unlocking the Siglent SDS1104X-E
As a birthday present, I recently bought myself my first oscilloscope. After researching the various makes and models for a fair while, I eventually decided on the Siglent SDS1104X-E. It's a four channel model, with 100 MHz bandwidth and options to add a waveform generator and digital input.
Given this is my first 'scope, I started a bit of reading to find out how to best use it. In the process, I came across an interesting post on the EEVblog forums indicating that it was possible to 'upgrade' the 1104X-E to the 200 MHz 1204X-E. This, of course, generated a fair bit of interest, with people eventually coming up with a method to extract the license keys from the oscilloscope's memory.
I didn't have a whole lot of luck with this, as I wasn't able to get the version of busybox linked in the post to actually save a core dump. In addition, I wasn't particularly fond of having to use a modified firmware file from a file sharing site as the first step in the process. After a bit of reading (particularly this blog post from 2007 and a post on the chumby forum), I managed to come up with a slightly different method.
- Download SDS1xx4X-E Operating System -V1 from the Siglent support site.
- Extract and mount the rootfs.cramfs file:
# mount -o loop -t cramfs /path/to/rootfs.cramfs ~/tmp
- As cramfs file systems are read-only, we need to copy the files to a new directory. Make a list of the files in the original file system, copy them to the new directory, then unmount the cramfs file system:
$ find ~/tmp > filelist.txt
$ cat filelist.txt | cpio -pdm siglentfs-mod/
# umount ~/tmp
- The only edit we'll make is to the /etc/shadow file. Open the file using your favourite text editor; it looks like this:
root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::
siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::
- The password field (everything between the first and second colons of the line starting with root: the $6$ algorithm id, the salt DZO.HiUy, and the hash) is what we replace. Generate a new password hash and replace that field in the shadow file with the new one. Passing the existing salt to mkpasswd, as below, keeps the salt unchanged:
$ mkpasswd -m sha-512 yourpassword DZO.HiUy
$6$DZO.HiUy$tws7P/jPrYETgX5rZCuyU5nhUTjaP//4o5W/6Ruq/Q95qUb5CLxB/i6uBMm7lMl6Y3P1ExXbMk3qPisxH14.H1
- Finally, use mkcramfs to compress the filesystem again. Current versions of Ubuntu include mkfs.cramfs, which for some reason the Siglent doesn't seem to like. However, mkcramfs can be found as part of the original cramfs tools. Once you've built them, compress the filesystem:
$ mkcramfs siglentfs-mod/ rootfs.cramfs
- Follow the instructions in the Siglent update file, replacing rootfs.cramfs with the edited version.
- You should now be able to telnet to the oscilloscope and log in as root with the new password. Plug in a USB drive, dump the contents of memory, and unmount the USB drive:
# cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
cat: read error: Bad address
# umount /usr/bin/siglent/usr/mass_storage/U-disk0/
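The /etc/shadow edit in the steps above, done programmatically rather than in a text editor, as an added example that is not part of the original post. It uses the two shadow lines and the mkpasswd output quoted above as constructed input, keeps every other field of the entry (and every other account) untouched, and refuses a replacement that is not a $6$ (sha-512) string, since that is the only scheme the image's existing entries show the device's libc handling.

```python
"""Swap the root password field in an /etc/shadow file, field by field.

Added example, not code from the original post.  The shadow lines and the
replacement hash below are copied from the post; nothing else is assumed.
"""

# Constructed input: the shadow file as shown in the post.
SHADOW_ORIGINAL = (
    "root:$6$DZO.HiUy$JKaJGKC8ynyAn.7IF64GzC6cGnmJCQgGlqoPQ9QTc7EW8iF/8lMD00"
    "EtiiS3/GpgzN7rvfTbmfnAKzAg66dnu/:17177:0:99999:7:::\n"
    "siglent:$6$tOEDgvF2$A2zA0bgMZ9XU7LTZN5FVGl4iuDUoPGqGG8IrHoTRaPRJzYyIDXQ8"
    "lh8.E1PX98HS8UDRBgDdXwRHlWUG5fY4M1:17029:0:99999:7:::\n"
)

# The mkpasswd output from the post (same salt, new password).
NEW_ROOT_PASSWD = (
    "$6$DZO.HiUy$tws7P/jPrYETgX5rZCuyU5nhUTjaP//4o5W/6Ruq/Q95qUb5CLxB/i6uBMm7"
    "lMl6Y3P1ExXbMk3qPisxH14.H1"
)

# The nine colon-separated fields of a shadow(5) entry, in order.
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "flag")


def parse_shadow_line(line):
    """Return a dict of the nine shadow fields; reject malformed lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELDS):
        raise ValueError("expected 9 fields, got %d: %r" % (len(fields), line))
    return dict(zip(SHADOW_FIELDS, fields))


def split_crypt(passwd):
    """Split a modular-crypt string '$id$salt$hash' into (id, salt, hash)."""
    parts = passwd.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash string: %r" % passwd)
    return parts[1], parts[2], parts[3]


def replace_passwd(shadow_text, user, new_passwd):
    """Return shadow_text with `user`'s password field set to new_passwd.

    Only the password field changes; aging fields and other accounts are
    copied through verbatim.  The replacement must use the same $6$
    (sha-512) scheme the existing entry uses.
    """
    new_id, new_salt, _ = split_crypt(new_passwd)
    lines_out = []
    matched = False
    for line in shadow_text.splitlines():
        entry = parse_shadow_line(line)
        if entry["name"] == user:
            old_id, old_salt, _ = split_crypt(entry["passwd"])
            if new_id != "6" or old_id != new_id:
                raise ValueError("replacement must be a $6$ (sha-512) hash")
            entry["passwd"] = new_passwd
            matched = True
        lines_out.append(":".join(entry[f] for f in SHADOW_FIELDS))
    if not matched:
        raise KeyError("no entry for user %r" % user)
    return "\n".join(lines_out) + "\n"


def salt_reused(old_passwd, new_passwd):
    """True when both crypt strings share a salt (as the post's mkpasswd call does)."""
    return split_crypt(old_passwd)[1] == split_crypt(new_passwd)[1]


if __name__ == "__main__":
    edited = replace_passwd(SHADOW_ORIGINAL, "root", NEW_ROOT_PASSWD)
    print(edited, end="")
```

Write the returned text back to siglentfs-mod/etc/shadow before running mkcramfs; the siglent entry and the aging fields of the root entry come through unchanged, which is easy to overlook when the edit is made by hand in a long single line.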
From this point, the steps are the same as those in the step-by-step post, starting from step 21. Just in case they disappear, this is my interpretation of them:
- Open the memory dump in a hex editor and search for the string 'SDS1000X-E'. It'll occur a number of times; you're looking for where it appears approximately 25-30 bytes before the scope ID (found by typing SCOPEID? at the web-based SCPI prompt) and the serial number.
- After the scope ID appears twice, there will be five 16-character strings made of uppercase characters and digits. The first four are the licenses for 100 MHz, 200 MHz, 50 MHz, and 70 MHz bandwidths respectively, and the fifth is the currently active bandwidth license.
- The 'SDS1000X-E' string will also appear near the serial number, which for me was repeated as well. Following the serial number there will be a 48-character (again, uppercase and digits) string. Separating this into 16-character strings will give you your AWG, WIFI and MSO keys respectively.
- The bandwidth licenses need to be activated through the SCPI interface using MCBD <key>, while options can be activated either via the oscilloscope's menus or using the command LCISL <option> <key>.
Hopefully these steps help someone else work through the process. Please bear in mind that playing with the firmware of your test equipment carries the potential for Bad Things to happen (up to and including leaving it entirely non-functional), so don't say you weren't warned.