Author Topic: TDS 744A (& friends) firmware reverse engineering  (Read 8673 times)


Offline fenugrec

  • Contributor
  • Posts: 46
  • Country: ca
TDS 744A (& friends) firmware reverse engineering
« on: March 23, 2017, 07:12:07 am »
Hi,
so, I have a 744A with some problems; while I'm at it I thought I'd do some reverse engineering. There's a lot of knowledge spread out in forums (here, the Tek forums), some Yahoo groups, and who knows where else.

I'm thinking of adding some info to the w140 wiki but I'm not sure where it would fit in on there.

My main interest is the internal service console port (see https://forum.tek.com/viewtopic.php?f=568&t=137307 ).
From that console port, the "lkup" command outputs a list of over 5000 (!) symbols, many of which are callable functions :

http://pastebin.com/yEnTKHwG

Look at, for example, the familiar "libManagerWordAtPut" entries and related entries.
These are also intriguing:
Code:
_enableBackdoor 0x011c70d6  text    18641110
_checkBackDoor  0x011c7166  text    18641254

I could dump the firmware through the console port but that would be extremely slow (9600bps serial link; ASCII hex dump so 3 chars per byte; firmware image at least 2.5MB ). Does anyone have a firmware dump for one of these TDS scopes ?
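
Added example, not part of the original post: a small parser for captured "lkup" output that turns the symbol list into an address-to-name map for labelling a disassembly. It assumes the fourth column is the address in decimal (this holds for the two entries quoted above) and uses that redundancy to reject lines corrupted during a slow serial capture. The function names and the last two sample lines are constructed for illustration.

```python
import re

# Constructed sample of "lkup" console output. The first two lines are the
# entries quoted in the post; the last two are made up to show a corrupted
# line (hex and decimal columns disagree) and a line that is not a symbol.
SAMPLE_CAPTURE = """\
_enableBackdoor 0x011c70d6  text    18641110
_checkBackDoor  0x011c7166  text    18641254
_madeUpSymbol   0x011c7200  text    18641254
### constructed noise line ###
"""

# Columns: name, hex address, section, decimal address. The meaning of the
# columns is an assumption inferred from the two quoted lines.
LINE_RE = re.compile(r"^(\S+)\s+0x([0-9a-fA-F]{1,8})\s+(\w+)\s+(\d+)\s*$")

def parse_lkup(capture):
    """Return (symbols, rejected); symbols are dicts sorted by address."""
    symbols, rejected = [], []
    for lineno, raw in enumerate(capture.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append((lineno, "unrecognised format", line))
            continue
        name, hex_addr, section, dec_addr = m.groups()
        addr = int(hex_addr, 16)
        # Both columns must encode the same address, else the line is damaged.
        if addr != int(dec_addr):
            rejected.append((lineno, "hex/decimal mismatch", line))
            continue
        symbols.append({"name": name, "addr": addr, "section": section})
    symbols.sort(key=lambda s: s["addr"])
    return symbols, rejected

def text_symbols(symbols):
    """Map address -> name for 'text' entries (candidate callable code)."""
    return {s["addr"]: s["name"] for s in symbols if s["section"] == "text"}

if __name__ == "__main__":
    syms, bad = parse_lkup(SAMPLE_CAPTURE)
    for addr, name in text_symbols(syms).items():
        print(f"0x{addr:08x} {name}")
    for lineno, reason, line in bad:
        print(f"line {lineno}: {reason}: {line!r}")
```

Rejected lines are reported with their line number so the affected part of the capture can be re-read from the console instead of being silently dropped.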



 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 96
  • Country: de
 

Offline snoopy

  • Frequent Contributor
  • **
  • Posts: 539
  • Country: au
    • Analog Precision
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #2 on: March 23, 2017, 12:00:13 pm »
Here you go:

https://stackframe.org/tekfwtool/

https://stackframe.org/tektool.shtml

I can't seem to download anything from that site. Also what USB to GPIB interface do you recommend ?

cheers
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1093
  • Country: us
  • This is work?
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #3 on: March 23, 2017, 09:14:40 pm »
The 784D and 784C firmware is here: http://www.ko4bb.com/getsimple/index.php?id=manuals

Put TDS784D or TDS784C in the search box.
Jay

System error. Strike any user to continue.
 

Offline fenugrec

  • Contributor
  • Posts: 46
  • Country: ca
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #4 on: March 24, 2017, 11:32:31 am »
@dxl , @Jwalling, thanks ! for some reason I didn't even think of checking KO4BB. Interesting that there are no 744A dumps though.
 

Offline Jay_Diddy_B

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: ca
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #5 on: March 24, 2017, 12:27:49 pm »
Hi,

I suspect the 744A, 754A and 784A all use the same firmware ;-)

Jay_Diddy_B

 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 96
  • Country: de
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #6 on: March 24, 2017, 09:37:45 pm »
@dxl , @Jwalling, thanks ! for some reason I didn't even think of checking KO4BB. Interesting that there are no 744A dumps though.

Well, the reason is that I uploaded the dumps when I wrote the tekfwtool. And I simply didn't have a TDS744 :)
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 96
  • Country: de
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #7 on: March 24, 2017, 09:39:40 pm »
Hi,

I suspect the 744A, 754A and 784A all use the same firmware ;-)

Jay_Diddy_B

Not sure. I tried 'upgrading' my TDS784D at that time to a newer version I fetched from another TDS784D. That didn't work. It booted, but made all kinds of strange effects. I don't remember the details, but either the calibration data format changes between versions, or only specific firmware versions run on a scope.
 

Offline andy2000

  • Regular Contributor
  • *
  • Posts: 143
  • Country: us
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #8 on: March 25, 2017, 02:04:40 am »
I upgraded my 784D successfully to version 6.6e without trouble.  I've heard that version 7.x requires a different processor board.  Your experience might confirm that.

Be aware that upgrading a 744A does require recalibration because the new firmware doesn't recognize the old calibration.
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 96
  • Country: de
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #9 on: March 25, 2017, 05:48:13 am »
I upgraded my 784D successfully to version 6.6e without trouble.  I've heard that version 7.x requires a different processor board.  Your experience might confirm that.

Be aware that upgrading a 744A does require recalibration because the new firmware doesn't recognize the old calibration.

I guess you're right - I think I tried to upgrade from 6.6e to 7.2e at that time.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 6238
  • Country: us
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #10 on: March 25, 2017, 06:49:42 am »
I'd be interested in seeing any information you manage to gain from this. I'm always curious to know more about how things work and I have a TDS784C myself. Fantastic piece of gear, I just wish there was more information out there on it.
 

Offline fenugrec

  • Contributor
  • Posts: 46
  • Country: ca
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #11 on: March 25, 2017, 07:07:10 am »
I started looking at some of those 784C/784D dumps, but it would really help if someone could hook up to the service port and run "lkup" - that would print out the symbol list which will be a huge help to analyze the firmware.

My TDS744A has firmware 1.1e and it's just too different to these 7xxC / 7xxD models. Don't those later ones have some java garbage in them too ?

****
Some other commands for the service console :

Code:
ringBell ( ding !! I love how these have a nice bell sound instead of the simpler piezo buzzer they could've chosen instead)

Code:
HWADumpOptValues
HWADumpCpuValues
HWADumpSysValues


 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 6238
  • Country: us
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #12 on: March 25, 2017, 07:55:01 am »
Is this something I can do over the GPIB interface? I'd be happy to give it a try over the weekend. I have not made a serial console cable for it yet but that's another thing on my list.
 

Offline fenugrec

  • Contributor
  • Posts: 46
  • Country: ca
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #13 on: March 25, 2017, 11:21:32 pm »
Is this something I can do over the GPIB interface?
I don't think so, unfortunately.

I'm slowly dumping small chunks of my firmware through the service port ( ~ 150B/s ! slo-o-ow). I think I might be able to change its speed from 9600bps to something more usable... maybe.
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 96
  • Country: de
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #14 on: March 26, 2017, 02:37:27 am »
Is this something I can do over the GPIB interface?
I don't think so, unfortunately.

I'm slowly dumping small chunks of my firmware through the service port ( ~ 150B/s ! slo-o-ow). I think I might be able to change its speed from 9600bps to something more usable... maybe.

There is an option to do it via GPIB. If you set the Calibration switch to 'unprotected' and power on the scope it will appear dead (nothing on the screen, no sound, etc). But it isn't dead. It spawns a minimalistic bootloader, which listens on GPIB address 29 (IIRC), and that will accept commands via GPIB. The format is binary, so you cannot talk with the usual GPIB commands to it.

This is where my tekfwtool comes into the picture - you can start it on your PC, and it will download a minimal binary to the scope which gets executed and takes care of reading/writing memory.

As mentioned before, tekfwtool is here:

https://stackframe.org/tekfwtool/

It's been a while since I used it the last time, but you probably need:

https://stackframe.org/tekfwtool/tekfwtool.exe and https://stackframe.org/tekfwtool/target.bin
 

Offline andy2000

  • Regular Contributor
  • *
  • Posts: 143
  • Country: us
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #15 on: March 26, 2017, 08:56:12 am »
Is this something I can do over the GPIB interface?
I don't think so, unfortunately.

I'm slowly dumping small chunks of my firmware through the service port ( ~ 150B/s ! slo-o-ow). I think I might be able to change its speed from 9600bps to something more usable... maybe.

There is an option to do it via GPIB. If you set the Calibration switch to 'unprotected' and power on the scope it will appear dead (nothing on the screen, no sound, etc). But it isn't dead. It spawns a minimalistic bootloader, which listens on GPIB address 29 (IIRC), and that will accept commands via GPIB. The format is binary, so you cannot talk with the usual GPIB commands to it.

This is where my tekfwtool comes into the picture - you can start it on your PC, and it will download a minimal binary to the scope which gets executed and takes care of reading/writing memory.

As mentioned before, tekfwtool is here:

https://stackframe.org/tekfwtool/

It's been a while since I used it the last time, but you probably need:

https://stackframe.org/tekfwtool/tekfwtool.exe and https://stackframe.org/tekfwtool/target.bin

I just get this when I try to download those files:

Forbidden

You don't have permission to access /tekfwtool/tekfwtool.exe on this server.
Apache/2.4.18 (Ubuntu) Server at stackframe.org Port 443
 

Offline dxl

  • Regular Contributor
  • *
  • Posts: 96
  • Country: de
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #16 on: March 26, 2017, 09:24:57 am »
I just get this when I try to download those files:

Forbidden

You don't have permission to access /tekfwtool/tekfwtool.exe on this server.
Apache/2.4.18 (Ubuntu) Server at stackframe.org Port 443

Whoops, my fault. Should be fixed now.
 

Offline fenugrec

  • Contributor
  • Posts: 46
  • Country: ca
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #17 on: March 26, 2017, 09:56:30 am »
There is an option to do it via GPIB. If you set the Calibration switch to 'unprotected'

Oh yes, I'm aware of that but not equipped with any kind of GPIB hardware (yet) so I'm trying to do everything from the service port. Which is theoretically possible since it gives access to everything, essentially.

Interestingly, when booting the scope in Unprotected mode, it seems the service port doesn't run a command interpreter anymore, but is only used as a debug output. I wasn't able to enter any commands while Unprotected.
 

Offline snoopy

  • Frequent Contributor
  • **
  • Posts: 539
  • Country: au
    • Analog Precision
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #18 on: March 26, 2017, 10:42:57 pm »
I just get this when I try to download those files:

Forbidden

You don't have permission to access /tekfwtool/tekfwtool.exe on this server.
Apache/2.4.18 (Ubuntu) Server at stackframe.org Port 443

Whoops, my fault. Should be fixed now.

Avast is flagging a DRep virus when I try and download the exe. Is this a false positive ?

cheers
 

Offline 1Ghz

  • Supporter
  • ****
  • Posts: 34
  • Country: kr
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #19 on: March 26, 2017, 11:10:44 pm »
Avast is flagging a DRep virus when I try and download the exe. Is this a false positive ?

Seems to be a false positive. See link below.

https://forum.avast.com/index.php?topic=163221.msg1164286#msg1164286
 

Offline snoopy

  • Frequent Contributor
  • **
  • Posts: 539
  • Country: au
    • Analog Precision
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #20 on: March 26, 2017, 11:28:36 pm »
Avast is flagging a DRep virus when I try and download the exe. Is this a false positive ?

Seems to be a false positive. See link below.

https://forum.avast.com/index.php?topic=163221.msg1164286#msg1164286

Does anyone know how I can bypass this so I can download the file ?

cheers
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1093
  • Country: us
  • This is work?
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #21 on: March 27, 2017, 12:03:58 am »
I just get this when I try to download those files:

Forbidden

You don't have permission to access /tekfwtool/tekfwtool.exe on this server.
Apache/2.4.18 (Ubuntu) Server at stackframe.org Port 443

Whoops, my fault. Should be fixed now.

Avast is flagging a DRep virus when I try and download the exe. Is this a false positive ?

cheers

Norton reports this:
https://us.norton.com/security_response/writeup.jsp?docid=2010-051308-1854-99

Virustotal sees nothing wrong with it. 0/61
https://www.virustotal.com/en/file/40b810b6dd88b8a65b9b5f5138c7669fc0f81222ebc58e463de0d0fdd19f2f21/analysis/1490533278/
You should be able to temporarily disable your virus protection.
Jay

System error. Strike any user to continue.
 

Offline snoopy

  • Frequent Contributor
  • **
  • Posts: 539
  • Country: au
    • Analog Precision
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #22 on: March 27, 2017, 11:04:07 am »
I just get this when I try to download those files:

Forbidden

You don't have permission to access /tekfwtool/tekfwtool.exe on this server.
Apache/2.4.18 (Ubuntu) Server at stackframe.org Port 443

Whoops, my fault. Should be fixed now.

Avast is flagging a DRep virus when I try and download the exe. Is this a false positive ?

cheers

Norton reports this:
https://us.norton.com/security_response/writeup.jsp?docid=2010-051308-1854-99

Virustotal sees nothing wrong with it. 0/61
https://www.virustotal.com/en/file/40b810b6dd88b8a65b9b5f5138c7669fc0f81222ebc58e463de0d0fdd19f2f21/analysis/1490533278/
You should be able to temporarily disable your virus protection.

Yes I temporarily disabled Avast and downloaded it and did a scan and Avast wanted to take a copy and analyse it and later get back to me. By that time I went off to bed.

cheers
 

Offline fenugrec

  • Contributor
  • Posts: 46
  • Country: ca
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #23 on: March 28, 2017, 07:22:24 am »
For anyone having problems downloading the .exe, I don't think it would be very hard to compile from source.
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1093
  • Country: us
  • This is work?
Re: TDS 744A (& friends) firmware reverse engineering
« Reply #24 on: March 30, 2017, 01:44:27 am »
I'd be happy to get the firmware from a TDS784A (V4.1e) but the Tekfwtool doesn't seem to work for me.
I get this:
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

E:\TekFWtool>tekfwtool -r test.bin -b 0x01000000 -l 0x400000
Unable to open device
ibsta = 0x8000 iberr = 0

E:\TekFWtool>

I'm using a Prologix USB to GPIB converter which looks like a serial port to the system. Maybe that's the problem? Does it require an NI GPIB adapter?
Jay

System error. Strike any user to continue.
 

