Author Topic: Tektronix TDS1000B and TDS2000B series hacks  (Read 70292 times)


Offline KK (Topic starter)

  • Regular Contributor
  • *
  • Posts: 99
  • Country: us
Re: Tektronix TDS1000B series hacks
« Reply #25 on: July 20, 2014, 04:06:08 am »
Quote
What you are doing is the wrong way; the firmware is for all models, so it does not matter what is inside (unless you wish to search the whole firmware for model checks and patch it then). The best way is to patch the model itself, and this has been saved somewhere. The RTC clock does have some user bytes, but they can't be used (without special tricks) to store the model. Are there any EEPROMs on the board? I bet the Altera CPLD is readback protected, but well, just try to dump it. If the model check is really in that CPLD (and not EEPROM) then it is still possible to change it, e.g. by watching the bus for the call just before the model check in the FW, and then sending the crafted info back. When an EEPROM is used, then it will be much easier. Or even simple tricks like some "not populated" parts; TEK did that on other models and one can hack them very easily (which still didn't change anything, without calibration mainly useless - and to run cal one needs some gear anyway, so people who can calibrate have enough money anyway to buy higher TEK models).

There is at least one flash. The main flash holds the program code, and maybe some model ID/sn. There are two other unknown chips that may have some memory.

I am more of a software guy, and have disassembled 80% of the firmware, because you know the 80/20 rule! :D

I found it interesting because it gives me an overview of what is going on.

My random thoughts are-

It's more complicated than I would have guessed. They are programming a USB chip, on the fly, to offload tasks.

There is a lot of printer driver code embedded. Tons of remote programming code.

What's interesting are two specialized menus that can be enabled.

Service Mode
Engineering Mode

Service mode is documented, but doesn't do anything special.

Engineering mode, I suspect, will let you change interesting things like serial number and model type. There are error messages that prevent you from enabling 4 channels when the model hardware only has two, and color when the hardware is black & white.

There are no error messages for bandwidth.

Additionally, there is a lot of code for power analysis. It is enabled when a USB key is verified for TBS2PWR1

My first thoughts are that the TDS scopes can do the power analysis functions the TBS scope can. Tektronix decided to limit those functions to their TBS series.

That series also has similar bandwidth and 2.5K points memory, so I'm thinking the hardware is again identical.

The goal of this mission is to enable all bandwidth options for the TDS1000B/2000B scopes and potentially enable the TBS2PWR1 functions since they are in the same firmware. It's not just a reference; I see the entire functions and calculations in my disassembly.

My focus now is to decode how to get into "Engineering Mode" through the front panel. Disassembly helped me find out there is such a thing.
« Last Edit: July 20, 2014, 04:09:47 am by KK »
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 29482
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #26 on: July 20, 2014, 04:37:50 am »
I can read all chips #'s on my PCB.
Tell me which you need.
Avid Rabid Hobbyist.
Some stuff seen @ Siglent HQ cannot be shared.
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #27 on: July 20, 2014, 09:23:17 pm »
Quote
I can read all chips #'s on my PCB.
Tell me which you need.

They match all the ones in my photos right? I think the main boards are identical.
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #28 on: July 20, 2014, 09:29:22 pm »
Zeroing in on it. Looking at the code that handles the front panel buttons to see the "secret" entry method.

The memory map appears to be-

0-4MB Main ram
4MB-8MB Flash program
8MB++ other hardware like usb controller etc

The model id and serial number are stored alongside the factory calibration data. These scopes let you re-calibrate through the service menu. Looking into where that data is stored.

Flash holds 4MB and the firmware file leaves about 647K free in the flash. The cal data might be at the end of the flash or it might be stored in some other chip.
« Last Edit: July 20, 2014, 09:34:04 pm by KK »
 

Offline tautech
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #29 on: July 20, 2014, 09:41:45 pm »
Quote
I can read all chips #'s on my PCB.
Tell me which you need.

They match all the ones in my photos right? I think the main boards are identical.
Quite well.
There are minor variations with U502, 400, 301.
Looks like revisions.
« Last Edit: July 21, 2014, 12:09:13 am by tautech »
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #30 on: July 23, 2014, 04:51:56 am »
What's the chip next to the USB port? I didn't pull the board all the way out of my enclosure so didn't see that one.
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #31 on: July 23, 2014, 05:00:02 am »
Interesting discoveries so far...

The service mode can be entered with the following procedure-

Power on scope
Press MEASURE button
Press CH1 soft button

Press and hold SINGLE SEQ button
Press and hold AUTOSET button

Wait 5 seconds

Release SINGLE SEQ button
Release AUTOSET button

Notice lower left of screen displays "Service mode ON"

Press UTILITY button

Press SERVICE soft button

Press Service Diag. soft button

Press Peek/Poke soft button

Isn't that nice. Tektronix included a way to read or write memory, live. Any location. Right from the front panel.

I'm correlating the disassembly with some configuration memory locations in ram. I believe I can test some config changes (changing bandwidth) on the fly. It won't be permanent with this method, but it will let me confirm what part of the code is handling that process.

Engineering Mode is entered in a similar, but as of yet unknown, way.

I believe I see code that lets Tektronix quickly configure models with USB keys. They insert one key to configure the model to a TDS1001B or another to configure it to a TDS1002B with higher bandwidth.

Will be looking further into both angles.
« Last Edit: July 23, 2014, 05:04:02 am by KK »
 

Offline tautech
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #32 on: July 23, 2014, 05:58:34 am »
Quote
What's the chip next to the USB port? I didn't pull the board all the way out of my enclosure so didn't see that one.
SOIC8 Atmel 24C1024W close to front panel USB

From the Tek Service manual:

Enable the Service Menu
1. Power on the oscilloscope.
2. Push the front-panel MEASURE button to access the MEASURE menu.
3. Push the top option button to access the Measure 1 menu.
4. Push and hold the front-panel SINGLE SEQ button.
5. Push and hold the front-panel AUTOSET button.
6. Wait at least two seconds.
7. Release the SINGLE SEQ button.
8. Release the AUTOSET button. A message appears in the lower left corner of the screen stating “Service mode ON.”
9. Push the front-panel UTILITY button. The last item in the Utility menu is now “Service.”
At completion of the Adjust procedure disable the “Service” menu through the UTILITY front panel button, the “Service” option button, and the “Service Mode Off” option button.
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #33 on: July 23, 2014, 06:52:31 am »
24C1024W serial EEPROM 128K x 8

Aha! I wondered why I never spotted a smaller EEPROM even after suspecting there must be one.
« Last Edit: August 11, 2014, 09:30:37 pm by KK »
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #34 on: July 24, 2014, 10:34:19 pm »

Since yours is already apart, can you read the memory and post it.

Meanwhile, I am reverse engineering the front panel code and matching it up to the key identifiers to figure out what key combo will get us into Engineering Mode.

The code is interrupt driven and creates jump tables at runtime in ram so it is a mess. The beauty of VXWORKS.
« Last Edit: August 11, 2014, 09:31:12 pm by KK »
 

Offline tautech
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #35 on: July 24, 2014, 11:03:24 pm »
Sorry I do not have any sniffing gear.
Been wondering about getting some, what do you recommend to start with?

As far as I can tell, the 3 interconnect leads will have enough length to power up scope disassembled. Just checked, it is no problem for the 3 leads.  :)
Then access is easy.
You may have to add a GND lead, but probably not for your needs.

There is only a few screws and all the knobs just pull off.
Service manual describes full disassembly. I don't remember it being difficult at all.

I can send you the manual, PM me with your email.
« Last Edit: July 24, 2014, 11:18:37 pm by tautech »
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #36 on: July 24, 2014, 11:55:14 pm »
I pulled the knobs and keys, but then I noticed I would have to pull all the BNCs' mounting hardware off too, and just called it a night and put it back together.

I'll work some more on the code angle.

The TL866A with an 8 pin SOIC clip will work without any hassle. It supports the memory and the clip means no wire mods.
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B series hacks
« Reply #37 on: July 25, 2014, 02:22:23 am »
Quote
What you are doing is the wrong way; the firmware is for all models, so it does not matter what is inside (unless you wish to search the whole firmware for model checks and patch it then). The best way is to patch the model itself, and this has been saved somewhere. The RTC clock does have some user bytes, but they can't be used (without special tricks) to store the model. Are there any EEPROMs on the board? I bet the Altera CPLD is readback protected, but well, just try to dump it. If the model check is really in that CPLD (and not EEPROM) then it is still possible to change it, e.g. by watching the bus for the call just before the model check in the FW, and then sending the crafted info back. When an EEPROM is used, then it will be much easier. Or even simple tricks like some "not populated" parts; TEK did that on other models and one can hack them very easily (which still didn't change anything, without calibration mainly useless - and to run cal one needs some gear anyway, so people who can calibrate have enough money anyway to buy higher TEK models).

Hi Tinhead,

You have a great reputation here. I appreciate your interest and response.

Your thoughts are interesting, especially the parts not installed and patching the device itself.

I'm an experienced MC68000 assembly programmer, so I thought it would be fun to dive into the firmware.

Not many products use the 68000 these days. But, the fact they used VXWORKS complicates everything. The code is mostly unlabeled and jump tables are obfuscated by VXWORKS, not on purpose I think.

There is a small i2c EEPROM. That's where the interesting things are stored. I am working that angle, but enjoyed the disassembly. It brought back old memories of 68K code :D
« Last Edit: July 25, 2014, 02:27:17 am by KK »
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #38 on: August 09, 2014, 04:25:18 pm »
I disassembled the scope again and dumped the i2c eeprom. It contains the boot code for the Cypress USB controller. No config/calibration data.

The memory map so far-

000000-00FFFF  RAM 64K Cypress?
010000-010FFF  Memory mapped I/O?
011000-012FFF  Altera Max II CPLD?
013000-0FFFFF  RAM?
100000-1FFFFF  Unreadable/Privilege Exception
200000-3FFFFF  RAM Spansion 48lC2m3202?
400000-56BEE4  Flash memory main
56BEE5-7FFFFF  Empty but reserved for Flash memory
800000-FFFFFF  Unreadable/Privilege Exception - End of addressable memory

Being a 68000, maximum address space is 16MB. But, it appears only the first 8MB has been used.

To get into Service mode requires two simultaneous key presses. Engineering mode will likely be similar, as there is code to support two simultaneous key presses, but not three. Although the hardware register shows that it can at least see up to 4 simultaneous presses.

Each key is assigned a base code, and the code is +1 if the key is held. Key codes are spaced out by 2.

Knobs are memory mapped. The memory locations for each knob (2 channel scopes have 8 knobs) store a #$FF if they are turned to the right and a #$01 if turned to the left.

The Altera CPLD has 8K of user flash. It is possible the model config, serial number, and calibration data is stored there. In fact, it is likely. There is some code to suggest the serial number is stored in the ADG522 chip which is totally undocumented. So that is one other place.

Getting in through the OS is still the ideal way if possible.


Tautech- Can you take Hires photos of your key matrix. Particularly the traces so I can see how the matrix is setup compared to a two channel scope.
« Last Edit: August 10, 2014, 08:29:05 pm by KK »
 

Offline tautech
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #39 on: August 10, 2014, 07:36:50 am »
KK, image sent to your email(5MB)
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #40 on: August 10, 2014, 08:32:12 pm »
At this point I have documented much of the boot process, and can probably just patch the firmware where it gets the model id, and force a bandwidth upgrade.

I will use that option last and would still like to figure out how to enter engineering mode.

Making a custom firmware isn't such a bad option though since it would only patch a couple of bytes and these models are long in the tooth now and Tek isn't likely to issue any future firmware updates.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 28084
  • Country: nl
    • NCT Developments
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #41 on: August 10, 2014, 09:14:55 pm »
If you can force a bandwidth upgrade it would be nice to see if it has any effect. Maybe the board needs some component changes as well.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #42 on: August 10, 2014, 09:20:36 pm »
Quote
If you can force a bandwidth upgrade it would be nice to see if it has any effect. Maybe the board needs some component changes as well.

It looks like the boards are identical for bandwidth options and even the 1000B and 2000B series boards appear identical.

The display module is color on the 2000B series but the Firmware is identical.
 

Offline tautech
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #43 on: August 11, 2014, 08:04:15 am »
Quote
I will use that option last and would still like to figure out how to enter engineering mode.
I wonder if any ex-Tek members could contribute by way of PM?
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #44 on: August 12, 2014, 03:18:58 am »
Quote
KK, image sent to your email(5MB)

Thanks for that! It helped me fill in some unknown key codes. Notice the Ref/menu button is silkscreened as Power App. On the TPS series scopes that button is labeled Application.

We should be able to activate the power application in these scopes as the code is all there. Of course, the TPS has battery operation so doing some of the measurements would require an isolation transformer on the TDS non-battery operated models.

Keycodes

Bezel 1-4
3A
3C
06
08
0A

0C Probe check
04 Print

12 Autorange
14 Ref/menu - Power App
16 Save/Recall
18 Utility
1A Measure
1C Cursor
20 Acquire
2C Display
2E Help
30 Default Setup
44 Autoset
46 Single Seq
48 Run/stop
4A Trigger Menu
58 Set to 50%
5A Force Trigger
5C Trigger View

Knobs
08 General purpose
09 Ch1 Pos
0A Ch2 Pos
0B Ch1 Volts
0C Ch2 Volts
0D Horz
0E Horz POS
0F Trigger Level
 

Offline tautech
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #45 on: August 12, 2014, 04:45:26 am »
How are the key codes derived from Ch1 Volts, Ch2 Volts, and Horz ?
I realize all other buttons/knobs can be pushed, but these 3 can only be rotated L or R.
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #46 on: August 12, 2014, 07:59:21 am »
The key codes come in through a memory mapped register at:

0x000A8A04

The button id is the value listed or +1 if held. That's why the button ID's are spaced by 2.

I should have been clear on the knobs, they are individually memory mapped.

The base address is:

0x000A8Axx (where xx is the code for the knob)
#$FF is stored in that location if the knob is turned to the right
#$01 if turned to the left

Might be modified by (+/-) 1 if pushed and 2 if held. But I haven't confirmed that.

I don't actually have the key codes for knob presses, but I likely don't care. What I wanted to derive is the Autoset button which your picture helped me get.

I need to look in the disassembly where the two key codes #$44 and #$46 are checked because that is how you get into service mode. I expect the code to get into Engineering to be very close to that.

The Peek/Poke utility in Service mode is crippled. Peek works, but Poke does not allow writes. Looking in the disassembly there is some way to make Poke work and it gives a warning about "Write enabled, use caution". If you try to use poke, it says "Denied".

If I can get into Poke then I could conceivably set the bandwidth flag to give 200 MHz bandwidth for that powered session. Not ideal, but it would help speed along where to patch the firmware if I end up going that route.

This is one of those projects where the target is zeroed in on slowly every day or two, with some leaps, and then bingo.
« Last Edit: August 12, 2014, 08:01:43 am by KK »
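The key-register and knob encoding described in this reply and in Reply #38, as an added worked model that is not code from the thread, from Tektronix or from the scope firmware; the per-read sample layout (a list of codes seen in the register on one read), the knob page 0x000A8A00 and the hold-time threshold are assumptions for the sake of the model.

```python
from typing import List, Optional, Tuple

KEY_REGISTER = 0x000A8A04  # key-code register address quoted in the thread
KNOB_PAGE = 0x000A8A00     # assumed page holding the knob slots at 0x000A8Axx

# Base codes taken from the thread's key-code table (even values; +1 means held).
KEY_NAMES = {
    0x04: "Print", 0x0C: "Probe check", 0x12: "Autorange", 0x14: "Ref/Menu",
    0x16: "Save/Recall", 0x18: "Utility", 0x1A: "Measure", 0x1C: "Cursor",
    0x20: "Acquire", 0x2C: "Display", 0x2E: "Help", 0x30: "Default Setup",
    0x44: "Autoset", 0x46: "Single Seq", 0x48: "Run/Stop", 0x4A: "Trigger Menu",
    0x58: "Set to 50%", 0x5A: "Force Trigger", 0x5C: "Trigger View",
}
KNOB_NAMES = {
    0x08: "General purpose", 0x09: "Ch1 Pos", 0x0A: "Ch2 Pos", 0x0B: "Ch1 Volts",
    0x0C: "Ch2 Volts", 0x0D: "Horz", 0x0E: "Horz Pos", 0x0F: "Trigger Level",
}
SERVICE_CHORD = frozenset({0x44, 0x46})  # Autoset + Single Seq, both held
HOLD_SAMPLES = 3  # assumed: consecutive reads the chord must stay held (the "wait")


def decode_key(code: int) -> Tuple[str, bool]:
    """Split a raw value read from KEY_REGISTER into (button name, held flag)."""
    base, held = code & 0xFE, bool(code & 1)  # base codes are even; base + 1 = held
    return KEY_NAMES.get(base, "unknown 0x%02X" % base), held


def decode_knob(addr: int, value: int) -> Tuple[str, str]:
    """Interpret one knob slot: addr is 0x000A8Axx, 0xFF = turned right, 0x01 = left."""
    if (addr & 0xFFFFFF00) != KNOB_PAGE:
        raise ValueError("0x%08X is not a knob slot" % addr)
    name = KNOB_NAMES.get(addr & 0xFF, "unknown knob 0x%02X" % (addr & 0xFF))
    return name, {0xFF: "right", 0x01: "left"}.get(value, "idle")


def service_chord_sample(samples: List[List[int]]) -> Optional[int]:
    """Index of the read at which the service-mode chord is satisfied, else None.

    Each sample is the list of codes visible in the key register on one read (the
    thread says the hardware can show up to four at once).  The chord counts only
    while both keys are in their held form, and must persist for HOLD_SAMPLES reads.
    """
    run = 0
    for i, sample in enumerate(samples):
        held = {c & 0xFE for c in sample if c & 1}
        run = run + 1 if SERVICE_CHORD <= held else 0
        if run >= HOLD_SAMPLES:
            return i
    return None


if __name__ == "__main__":
    # Constructed register reads: Measure pressed, then Single Seq and Autoset
    # pressed and held together long enough to satisfy the service-mode chord.
    reads = [[0x1A], [0x46], [0x47, 0x44], [0x47, 0x45], [0x47, 0x45], [0x47, 0x45]]
    for r in reads:
        print([decode_key(c) for c in r])
    print("service mode chord at read", service_chord_sample(reads))
    print(decode_knob(KNOB_PAGE | 0x0D, 0xFF))
```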
 

Offline EduardoLM

  • Contributor
  • Posts: 22
  • Country: br
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #47 on: October 13, 2015, 05:03:19 pm »
Sorry to revive this old thread, but I just found it, it's VERY interesting, and I would love to see this puzzle solved. Did you have any progress KK?

I own a TDS1001C-30EDU, perhaps the most crippled one on the TDS series: only 30MHz. I can open, take pictures of it and / or make tests to help you on this mission!

Hope to hear from you, thanks!

Eduardo
 

Offline KK (Topic starter)
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #48 on: October 21, 2015, 11:42:25 pm »
Can't say I made any more progress as other projects caught my attention, but would like to revisit one day for fun as the 68000 CPU is one of my favorites.
 

Offline dav

  • Regular Contributor
  • *
  • Posts: 133
  • Country: it
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #49 on: May 15, 2016, 10:10:19 am »
If you should find how to enter the engineering mode, please post it on the forum!  ;)
 

