TDS420 with lost options

[Gismo]

Hello

I have a Tektronix TDS420 and it have a Batterie lost from the CPU Board. So I had change it to a new one but now I have lost my Options.
On the Backpanel it says i must have 1M 05 2F.
On the PCB I can see that there was 1M Ram (8x 256x4)

I have GBIP Adapter and intern RS232 running but no idea to make my Options back. 
Can anywhere help? 

[Andy Watson]

I enabled the maths option on my TD510A. YMMV but all the research that I did on the 510A suggested that Tektronix employed the same mechanism and memory locations throughout many of their TDS5xx/6xx/7xx series.

Check this thread and the links it contains:
https://www.eevblog.com/forum/testgear/hackingupgrading-old-scope-%28tds754d%29/msg759588/#msg759588

Here is the code that I used (as ever, I re-used code that I had written for other purposes - so ignore anything that does not apply!)
The important bits are sending the password and then setting the memory location.

Code: [Select]

/* Upgrade Tek TDS510A options via GPIB
 *
 * Software/firmware options are enabled by writing one to the
 * NVRAM. The following locations are common to the TDS range:
 * Address     Option
 * 327686        1M Memory expansion enable  (130,000 record length)
 * 327687        05 (Video trigger) Hardware required.
 * 327688        13 (RS-232/Centronics Hardcopy Interface Ports). Hardware required
 * 327689        2F (Advanced DSP math)
 * 327690        1F (Floppy disk). Hardware required.
 *
 * 327692        2C (Communication Signal Analyzer)
 * 327693        3C (P6701B with system calibration). Hardware required.
 * 327694        4C (P6703B with system calibration). Hardware required.
 * 327695        2M (8 M acquisition length). Hardware required.
 *
 * These NVRAM locations appear to be consistent across the TDS5xx, TDS6xx and
 * TDS7xx ranges of oscilloscopes.
 *
*/
/*    How to drive IEEE card from N.I.s  ni488m-320351b.pdf manual
     on using TNT488 PCI driver software
     compile with added library file -> gcc this_file.c -o thatfile  -lgpib
*/

/* Installation                                                                                   
 * Prior to first use, the NI driver has to be compiled and installed.                           
 * As root ldconfig the library/driver                                                           
 * Also modprobe tnt4882.                                                                         
 *                                                                                               
 * In use                                                                                         
 * The ports must have approriate read/write access privilleges                                   
 * chmod a+rw /dev/gpib*                                                                         
 *                                                                                               
 * After each power-up the card needs to be configured with                                       
 * gpib_config  (as root).                                                                       
 */
 
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>
//#include "ugpib.h"
#include "gpib/ib.h"

#define Istr_len 15L


/* IEEE primary address of HP1630 Logic Analyzer */
#define Osc_GPIB_Addr 8

/* File handle for GPIB interface */
int TekTDS;

int main(int argc, char *argp[])
{
   int x,z;
   char buffer[2048];
   char sstr[100];
   
   /*  Initialise device and state
       (also sends IFC - clear interface message) */
//    dmm1 = ibdev (0, HPLA_address, 0, 11, 1, 0x40a);
   TekTDS = ibdev (0, Osc_GPIB_Addr, 0, 13, 1, 0);
 
   printf("\n The value returned is %i\n",TekTDS);

   x = sprintf(sstr,"*IDN?");   // Ask for identification
   ibwrt (TekTDS, sstr, x);
   sleep(1);
 
   z = ibrd(TekTDS, buffer, 1023);
 
   z = ibcnt;
   
   printf("\nReturned %i bytes, thus:\n",z);
   for (z=0;z<64;z++) {
      if ((buffer[z] == 10) || (buffer[z] == 13) || (buffer[z] == 0)) break;
      printf("%c",buffer[z]);
   }
   printf("  ");
   for (z=0;z<64;z++) {
      printf(" %02x",buffer[z]);
      if ((buffer[z] == 10) || (buffer[z] == 13) || (buffer[z] == 0)) break;
   }
   printf("\nAnd the value of z is %i\n",z);

    x = sprintf(sstr,"PASSWORD PITBULL");   // Unlock the services
    ibwrt (TekTDS, sstr, x);
    sleep(1);
   
    x = sprintf(sstr,"WORDCONSTANT:ATPUT 327689,1");   // Set the enable bit for option 2F - Maths
   ibwrt (TekTDS, sstr, x);
   sleep(1);

    printf("\nDone\n");
   
    exit(0);
   
}


[Gismo]

OK thanks,

I know that it works in the 5xx / 6xx / 7xx so , but the TDS4xx appear to be slightly different. The processor board also has dip switches (8 and 2). I think this I must adjust .
Your proposal is to program all in C, which puts me at the moment against major obstacles .
Maybe there is still a guide for TDS4xx series.

[Andy Watson]

I found most of my information from other scopes in the series and took the gamble that Mr Tektronix would have used the same system for my scope. The procedure is: flip the switch to put the scope in CAL mode, send the password "PITBULL", then write the memory location, flip the cal switch back and reboot.

However, may be this will be more help to you:
http://www1.tek.com/forum/viewtopic.php?f=5&t=6319

[Gismo]

I have no CAL Switch. I Have only this DIP Switches. IF I Switch the two Switches (have ever read..) see attachments

Thats the Log without the two Switches:

Code: [Select]

        Bootrom Header Checksum passed.
        Bootrom Total Checksum passed.
        BootRom Check Sum passed.
        Bus Error Timeout test passed.
        Bus Error Write to Bootrom passed.
        GPIB Test passed.
Kernel Diagnostics Complete.

Calling SDM (monitor) Routine.

SDM (monitor) not enabled.
        Enabling Bus Control register. Value = 0x2
        Flashrom Programming Voltage is OFF.
        Flashrom DSACK and JumpCode test passed.
        Flashrom Checksums passed.
Bootrom Diagnostics Complete.

Transferring control to the Flashrom.
sysDramControllerInit
sysDramByteStrobeTest
sysDramTest
bcopy(<Idata>)
bzero(<bss>)
intVecBaseSet(getVbr())
sysSymTbl=standAloneSymTbl
sysDevDramTest
0x0 bytes of development dram found
validateDataSpace
Outer Kernel DSACK Test
Pending Interrupt Test
Walk IPL to Zero Test
Timer Int Test
Start Power-On Diag Sequence
hwAccountant probe routines
  Probe for unexpected pending ints
  Dsp Instr mem size
  Dsp D2 mem size
  Dsp D1 mem size
  Dsy Vect0 mem size
  Dsy Vect1 mem size
  Dsy Wfm0 mem size
  Dsy Wfm1 mem size
  Dsy Text0 mem size
  Dsy Text1 mem size
  Acq number of digitizers
  Acq mem size
  Cpu timer interval uSec
  Cpu Dram size
  NvRam mem size
  Opt RS232/ Cent presence
  Acq 8051 presence
  Acq ADG209C presence
  Acq record length size
dsyWaitClock ................... pass
clockCalVerify ................. pass
cpuDiagBatTest ................. pass
cpuDiagAllInts ................. pass
cpuEEromLibDiag ................ pass
calLibDefaultCk ................ pass
dspForcedBus ................... pass
dsp68kD2MemTest ................ pass
optRS232DuartIO ................ UNTESTED
dsp68kMemTest .................. pass
dspRunVerify ................... pass
dspBusRequestTest .............. pass
dspImplicitBusAccess ........... pass
dspTristarMemTest .............. pass
dspDsyToDspInts ................ pass
dspAcqToDspInts ................ pass
nvLibrariansDiag ............... pass
dsyDiagResetReg ................ pass
atBusTest ...................... pass
dsyDiagResetReg ................ pass
dsyDiagVscReg .................. pass
dsyDiagPPRegMem ................ pass
dsyDiagRasRegMem ............... pass
dsyDiagRegSelect ............... pass
dsyDiagRamdacRegMem ............ pass
dsyDiagAllMem .................. pass
dsySeqYTModeV0Intens ........... pass
dsyDiagSeqXYModeV1 ............. pass
dsyRastModeV0Walk .............. pass
dsyRastModeV1Attrib ............ pass
dsyWaitClock ................... pass
attn8051testResult ............. pass
attnDACReadback ................ pass
acq8051testResult .............. pass
adgRegDiag ..................... pass
dsyWaitClock ................... pass
adgMemTestDiag ................. pass
trigComparatorTest ............. pass
trigDBERunsAfter ............... pass
tbiRampTest .................... pass
acqRampDiagAll ................. pass
dsyWaitClock ................... pass
fpDiagConf ..................... pass

$Header: scopeSTR.version,v 1.10 94/06/23 17:08:17 aland Exp $
->
Smalltalk/V Sun Version 1.12
Copyright (C) 1990 Object Technology International Inc.

and with selectet: (I selectet it after BOOT UP)
 

Code: [Select]

        Bootrom Header Checksum passed.
        Bootrom Total Checksum passed.
        BootRom Check Sum passed.
        Bus Error Timeout test passed.
        Bus Error Write to Bootrom passed.
        GPIB Test passed.
Kernel Diagnostics Complete.

Calling SDM (monitor) Routine.

SDM (monitor) not enabled.
        Enabling Bus Control register. Value = 0x2
+12V applied to Flashroms

Flashrom Programming Voltage is ON.
Cannot transfer control to Flashrom.
Transferring control to the SDM (monitor).

no sent help but nothing, send lkup you see all what i can type as command

[code]
-> help
undefined symbol: help
-> lkup
_verState       0x010029d7 text
_verSource      0x010029f7 text
_verRevision    0x010029e5 text
_verHeader      0x0100296c text
_verDate        0x010029bc text
_verAuthor      0x010029ab text
_v              0x01151d94 text
_ttExcludeSetup 0x01152ac2 text
_tt             0x01000a8a text
_ts             0x01005764 text
_tr             0x010057bc text
_ti             0x010058b2 text
_td             0x0100582a text
_sysNvRamSet    0x01002f6a text
_sysNvRamGet    0x01002f44 text
_syncClock      0x01152298 text
_sdata          0x02f01000 data
_scopeErrorLogDumpToConsole 0x01118fe8 text
_scopeErrorLogClear 0x0111867e text
_runScope       0x01002812 text
_repeatRun      0x01004f12 text
_repeat         0x01004f6a text
_repairSemOn    0x01168b6c text
_repairSemOff   0x01168b5e text
_pu_diag        0x0110d6a2 text
_periodi        0x01004ec2 text
_periodRun      0x01004e74 text
_patGen         0x0114819c text
_pL             0x02f121c4 bss
_mRegs          0x01006d30 text
_m              0x01005a3e text
_logIBuffer     0x0110d12a text
_lkup           0x01006618 text
_i              0x01005518 text
_dumpConstants  0x01141400 text
_dumpCalSet     0x011416a4 text
_devs           0x0100660a text
_debugMode      0x02f27e4c bss
_d              0x01005b6e text
_centronicsPutMsgHardcopy 0x01131b10 text
_centronicsPutC 0x01131a38 text
_bzero          0x0115ba9c text
_bfill          0x0115b944 text
_bcopy          0x0115b736 text
_bcmp           0x0115b9e6 text
value = 1 = 0x1

and type

-> libManagerWordAtPut(0x50006, 1) undefined symbol: libManagerWordAtPut ->

 

[Andy Watson]

The service manual indicates that those two dip switches allow the firmware to be updated - this may also be the route to enabling the optons - but be careful, you could also brick it.

Have you tried the yahoo tektronix group ?

[apaluch]

Hi

I have TDS420A with lost options (1M, 05, 2F). After reading Andy's post (thank you Andy) I succesfully recover 05 and 2F with GPIB commands:
    WORDCONSTANT:ATPUT 327687,1
    WORDCONSTANT:ATPUT 327689,1
But enabling 1M with command:
    WORDCONSTANT:ATPUT 327686,1
don't work.
Gismo, did you solved your problem?
(I tried the switches used to firmware update described in service manual but if device starts with them, GPIB don't work)

[capt bullshot]

From my own tests, TDS420 uses slightly different addresses. Didn't record each step, so I can't tell the exact values, but by setting each address from 327686 to 327695 to 1, FFT, Memory and Video trig. were enabled. Beware, either 327693 or 327694 enables RS232 / Centronics which leads to a POST message if the HW isn't installed.

[meltdown03]

I see you have/had F/W 2.5.5e on your TDS420 @Gismo. Can you upload a dump of the firmware rom by chance if you still have the scope? Here are some instructions that may apply: https://tomverbeure.github.io/2020/07/02/Extracting-the-Tektronix-TDS420A-Firmware.html

[sd_tony]

Not sure if anybody has successfully enabled options on TDS420, I followed what Tom Verbeure did on this TDS420A, but got "undefined symbols":

https://tomverbeure.github.io/2020/07/11/Option-Hacking-the-Tektronix-TDS-420A.html

I tried _lkup command, it only shows up limited functions, most of functions Tom mentioned are invisible, they are just named FUN_010xxxxx on Ghidra, I tried to find the function to read 0x50007, I got something like below:

undefined2 FUN_010f8314(uint param_1)
{
  return *(undefined2 *)
          (*(int *)(*(int *)(&DAT_010faca6 + ((param_1 << 8 ) >> 0x18) * 4) + 0x10) +
          *(int *)(*(int *)(*(int *)(&DAT_010faca6 + ((param_1 << 8 ) >> 0x18) * 4) + 8 ) +
                  (param_1 & 0xffff) * 4));
}

I know param_1 is 0x50007, and the address of DAT_010faca6 is 0x010FACA6, and the value of this DAT is 0x0000, so what address this function is trying access? There are _d and _m function which can display and modify memory, so if I can find out the option address in NVRAM, maybe I can modify it by _m? 

[colorburst]

The address is difficult to tell because it depends on data in other memory locations, which may or may not be static. More analysis is needed.

DAT_010faca6 seems to be an array of struct pointers. Once you start telling ghidra about the contents of this struct, based on your best guess and other code accessing the array, it will automatically simplify the calculation and make it readable.

The lack of symbols complicates things, but there may still be a lot of other clues left in the binary. Tom gives a good outline for things to look for: https://tomverbeure.github.io/2020/07/03/TDS420A-Serial-Debug-Console-Symbol-Table-Ghidra.html#when-you-dont-have-a-symbol-table

Who knows, maybe there is a printf showing the status of the option and then you don't need to bother with the array at all. It pays to explore a bit before jumping in.

[sd_tony]

Thanks colorburst. I’m not good at software coding, fortunately now we have AI, you don’t have to be an experienced software engineer to understand the complex software code, AI can help to explain what the code is doing. With the help of ChatGPT, I figured out what exactly function FUN_010f8314 is doing, basically it points to a data structure in ROM, where it stores a base and an offset address for data stored in NVRAM, which is 0x02f12d58 plus 0x1a. Given this function most probably is _libManagerWordAt(), the other function _libManagerWordAt(), which is to change NVRAM for options, must be nearby, after research in the binary it is FUN_010f834e:

void FUN_010f834e(uint param_1,short param_2)

{
  int iVar1;
  short sVar2;
  short *psVar3;
 
  iVar1 = *(int *)(&DAT_010faca6 + ((param_1 << 8 ) >> 0x18) * 4);
  psVar3 = (short *)(*(int *)(iVar1 + 0x10) + *(int *)(*(int *)(iVar1 + 8 ) + (param_1 & 0xffff) * 4)
                    );
  sVar2 = *psVar3;
  *psVar3 = param_2;
  psVar3 = (short *)(*(int *)(iVar1 + 0x10) + -2);
  *psVar3 = (param_2 - sVar2) + *psVar3;
  return;
} 

Again, with the help of ChatGPT, what this function does is it changes a data in NVRAM, and  changes a checksum as well, the address of checksum is 0x02f12d58 -2=0x02f12d56, or 49,360,214. We can use “_d 49360214” command to display the data in NVRAM start from 0x02f12d56 are as below:

-> _d 49360214

2f12d50:                           0074  0000 0000 0000 0000   *      .t........*
2f12d60:  0000 0000 0000 0042  0000 0000 0000 0001   *.......B........*
2f12d70:  0001 0000 0000 0000  0000 0000 0000 0000   *................*
2f12d80:  0000 0000 0000 0030  cabc 002f 0048 0000   *.......0.../.H..*
2f12d90:  0000 3f80 0000 0060  0062 0062 0192 01b9   *..?....`.b.b....*
2f12da0:  01b9 0000 0000 0000  0000 0239 0027 0000   *...........9.'..*
2f12db0:  0000 0000 0000 0239  0027 0000 0000 0000   *.......9.'......*
2f12dc0:  0000 0239 0027 0000  0000 0000 0000 0239   *...9.'.........9*
2f12dd0:  0027 011d 0000                                             *.'....          *

The 1st data 0x0074 is the checksum, and following data are options or other information,  0x0074=0x0042+0x0001+0x001+0x0030, so if you change any data between 0x02f12d58 and 0x02f12d88 you will need change checksum, otherwise it won’t take effect.

After further research I found that the data in following address are for the options we are interested:

0x02f12d70: memory (3000 or 6000 for TDS420)
0x02f12d72: video trigger
0x02f12d80: RS232/Centronics
0x02f12d82: Math FFT

Next step is to change the data in these address with _m command, you can only change one data together with checksum each time, then reboot scope to let it take effect. Followings steps are to enable video trigger option:

_m 49360242
0001
*
_m 49360214
0075
*

I have successfully enabled memory, video trigger, and FFT option on my TDS420, depends on the firmware version you may have different address, but the process of find it out is similar.

[tverbeure]

I don't have my TDS420 anymore, but I saved the extracted symbols here:
https://github.com/tomverbeure/tek420a/tree/master/binaries/symbols.

The same GitHub repo also has my Ghidra database.

If you're lucky, the FW version of your TDS420 is the same as mine.