Tektronix TBS1000 series hacking

[bd139]

Has anyone looked at these scopes at all with respect to upgrades? I just landed a TBS1052-EDU for pocket money. Was considering having a poke around at it. I can't even find a teardown.

For ref I know these are 2.5kpts garbage but this is merely an arbitrage purchase 

[tautech]

I wouldn't imagine they are any different to TDS models:
https://www.eevblog.com/forum/testgear/tektronix-tds1000b-series-hacks/

[bd139]

Not sure about that. They have completely different interface to the TDS series. I suspect they might have different MCU. I will tear this one down and have a look when it turns up. Also you can flash these off a USB stick apparently.

[bd139]

Actually tried to download firmware for it to have a poke and get greeted by this fucking turd:



Remind me never to do business with Tek professionally 

[tautech]

Bit to do this morning but I'll log in later and get any FW you need.
Flick me mail and we'll sort it out. 

[tv84]

Has anyone looked at these scopes at all with respect to upgrades?

Do you have any license? Can you show the license menu?

[bd139]

Bit to do this morning but I'll log in later and get any FW you need.
Flick me mail and we'll sort it out. 

Thanks appreciated. I will ping you when I actually get it. Seller sent it untracked via idiot post.

Has anyone looked at these scopes at all with respect to upgrades?

Do you have any license? Can you show the license menu?

I don’t actually have the scope yet. It’s on its way to me at the moment.

I’m fishing for ideas. Slightly hope they canned M68k and moved to ARM for this line if I’m honest.

[tv84]

I don’t actually have the scope yet. It’s on its way to me at the moment.

I’m fishing for ideas. Slightly hope they canned M68k and moved to ARM for this line if I’m honest.

So let's wait.

Here. Page 84 helps?

[bd139]

Interesting. So only thing IDable from that is the Spartan on the main board. Construction isn’t that different to the TDS series. So place your bets: ColdFire or something less dead 

Edit: jumped on the PC and embiggened the image...



I suspect that's the CPU but I don't recognise the vendor logo. It's not NXP ColdFire though...

[tautech]

Bit to do this morning but I'll log in later and get any FW you need.
Flick me mail and we'll sort it out. 

Thanks appreciated. I will ping you when I actually get it. Seller sent it untracked via idiot post.

Some stuff in your inbox. 

[bd139]

Got it thanks. Already have it open in HxD. It runs Linux by the looks! Definitely ain't M68k any more then. Still trying to ID the CPU arch.



Edit: looks like ARM. I'm going to try and extract the ROM FS out of it.

[tv84]

Edit: looks like ARM. I'm going to try and extract the ROM FS out of it.

0000011C      Magic: 28CD3D45  CRAMFS MAGIC OK
00000120       Size: 01F61000
00000124      Flags: 00000003
00000128     Future: 00000000
0000012C  Signature: Compressed ROMFS
0000013C      CRC32: 9646CDC5  [0000011C-01F6111B]  CRC OK
00000140    Edition: 0
00000144     Blocks: 18509
00000148      Files: 3013
0000014C       Name: Compressed

List of the files is attached.

[bd139]

Nice one  . Reading now.

I have kernel info from binwalk

uImage header, header size: 64 bytes, header CRC: 0x46B780DD, created: 2015-02-10 06:30:58, image size: 1577572 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x92CFE807, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-2.6.31-203-gee1fdae"

Linux kernel ARM boot executable zImage (little-endian)

Unfortunately cramfs tools are fecked on debian 11 at the moment.

Edit: oh man they left gdb and gdbserver on there and half their SVN repo metadata . Was hoping for strace 

Edit 2: dropbear ssh server. Uses ADG522 - same capture ASIC IC as the TDS2024 apparently. Possibly 200MHz? 

Edit 3: UI layer is minigui. Entry point is possibly "tekapp"

[tv84]

01FA1DD4                 Magic: 27051956    uImage File OK
01FA1DD8         Header CRC-32: 46B780DD  [01FA1DD4-01FA1E13]    CRC OK
01FA1DDC               Created: 10/02/2015 06:30:58
01FA1DE0             Data Size: 00181264
01FA1DE4     Data Load Address: 80008000
01FA1DE8   Entry Point Address: 80008000
01FA1DEC           Data CRC-32: 92CFE807  [01FA1E14-02123077]    CRC OK
01FA1DF0      Operating System: Linux
01FA1DF1      CPU Architecture: ARM
01FA1DF2                  Type: OS Kernel Image
01FA1DF3           Compression: None
01FA1DF4                  Name: Linux-2.6.31-203-gee1fdae
01FA1E14 - Image 0 [01FA1E14-02123077]  00181264 bytes

------------------------------------------------------------------
FPGA .RBF file (experimental parsing):

FPGA - RBF/RPD (Raw Binary File) - Filesize: 1 463 520 bits (0002CA9C bytes)
02123078 - Start of File  (Type 1)

         [021230C0                      02123099]
Bit 7  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 6  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 5  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 4  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bit 3  - 1111111111111111111111111110011010000000       FFFFFFE680
Bit 2  - 0000101010111010100011011000000000111111       0ABA8D803F
Bit 1  - 1111000000000111100011000000011111111111       F0078C07FF
Bit 0  - 1111111111111111111111111111111111111111       FFFFFFFFFF
Bits 0080 - EPCS/EPCQ ID check: Enabled
Bits 005F - Stream size: 1 406 235 bits  (0002AEA4 bytes)  Compression Bit ON  (+1)     Size NOT OK
Bits 0056 - 0000 0000 : 0x56-0x5D
Bits 004C - Programming Mode: 1-bit Passive Serial
Bits 003B - IDCode (Version+Part Number only): 0x020F1  (-> 0x024F1)
Bits 0008 - Usercode: FFFFFFFF
021230C1 - Header CRC-16_MODBUS: 74EC  [02123099-021230C0]        CRC OK
021230C3 - Data Framesize: 207  [021230C3-02123169]
0212316A - 4-byte words: 1260  [0212316A-02124519]
02123078 - Stream Size (Uncompressed): 3 034 104 bits
0212451A - CRC Framesize: 207+0     # Data Frames: 1779  [0212451A-0217F93E]

------------------------------------------------------------------
The last part of the file seems to be the programming of a HCS08 FrontPanel MCU (?), starting at 0x0214DF20.

[bd139]

There's a bunch of certs in there. I bet that's where there's trouble.

Edit: and off to bed. Will resume when I receive it

[tv84]

Some files extracted.

[bd139]

Nice one. Will have a look after work. 

[tv84]

Full parsing of the .TEK file:

Code: [Select]

00000000 - Header Magic: 01010100  Magic OK
Offset     Block        Version                  Size     Checksum
00000004 - Rootfs       4.06                     01F61000 FEB8A541  [0000011C-01F6111B]  CHKSUM OK
0000003C - U-Boot       2009.08-bund-1.03.001    00040CB8 0167CB55  [01F6111C-01FA1DD3]  CHKSUM OK
00000074 - Kernel       2.6.31-bund-1.03.001     001812A4 0CAC0D96  [01FA1DD4-02123077]  CHKSUM OK
000000AC - FPGA         0.3                      0002AEA8 00AB3E39  [02123078-0214DF1F]  CHKSUM OK
000000E4 - FrontPanel   ufp-mc9-020103           00001BF0 00060D8A  [0214DF20-0214FB0F]  CHKSUM OK
0214FB10 - File Total Checksum: 0D7DE4EE  [00000000-0214FB0F]  CHKSUM OK

[bd139]

Nice work. Hopefully receiving it tomorrow so will do some disassembly and take some photos when I get some time in the evening.

[bd139]

Scope received. Idiot packaging but no serious damage done.

Internal photos attached. Looks like JTAG headers all over it 

Core is i.MX25: https://www.nxp.com/docs/en/data-sheet/IMX25CEC.pdf

FPGA is mid-range Cyclone IV part. Cyclone IV E 645 LABs 179 IOs - https://www.mouser.co.uk/datasheet/2/612/cyiv-51001-1299459.pdf



Assuming these are the sampling ASICs descended from the old TDS ones based on the miserable 2.5kpts and similar numbering. Can't find any other ref to them.



JTAG ports?





Power supply shot for completeness - nice Astec unit.



Nearly new!



Got to complain though - what idiot sends scopes like this  ... only a couple of dinks fortunately and nothing major



Really Tek did a nice job of this. Just need that entry level spec to go away and be replaced with something better 

[coromonadalix]

for the pcb jtag pads, you can put an 0.1''  header with right angled pins

https://www.harwin.com/products/M20-8760346/

[bd139]

Quick update on this. Due to work commitments I haven't had a chance to even look at this properly yet.

[jgustavoam]

Hi ,
I have a TBS1062 scope (60 MHz - 1 G S/s). I'll start my research to see if it's possible to change the scope's frequency.
I created a disassembly procedure for my scope in IFIXIT:
https://www.ifixit.com/Guide/TBS1062+Disassembly+-+Tektronix+Oscilloscope/155060

[jgustavoam]

TBS1000 Series firmware :
https://www.tek.com/en/support/software/firmware/firmware-update-tbs1k-scopes

This software applies to: TBS1062, TBS1042, TBS1102, TBS1152, TBS1022 - The firmware is the same for all models!

History
-----------------------
v26.02 July 22, 2013
1) support for five TBS1K models: TBS1022, TBS1042, TBS1062, TBS1102, TBS1152.

I also think that the model configuration is recorded in the EEPROM.

The most likely EEPROM should be this:  U902 = ATML H326 2GB 2 2X6399A.
I still haven't found the specific datasheet for this chip

[alexfloca]

Hello, did anyone make any progress? I recently bought a tbs1052, or status up with a white screen, when i connect it to the pc via usb it identifies itself as tbs1202, did a firmware update using the pc to download the screen information and it keeps saying it is a tbs 1202, the screen does not work, the vertical data aquisition does not work and on the 1khz output in have 3 khz!!!  Now i opened it up thinking there is a simple issue with the lcd display, the display works just fine! I can see there are headers installed all over (i suspect someone tried to hack it) also a lot of screws were loose not tighned at all. Also one screw missing and some  messy repair work on the front panel cable.

Forgot to mention, the scope says, serial number "0" and channel a, b and trigger fail. I asume, there is a difference between 1052b and 1202b at hardware level.

Did you make any progress?