Author Topic: TDS3000C series BW & sampling hack  (Read 4108 times)

0 Members and 1 Guest are viewing this topic.

Offline giosifTopic starter

  • Frequent Contributor
  • **
  • Posts: 877
  • Country: gb
TDS3000C series BW & sampling hack
« on: June 28, 2020, 12:55:40 pm »
Hi,

Does anyone know of ways to hack the Tektronix TDS3000C series of scopes, please?
I've got a TDS3012C and would like to upgrade it to a TDS3052C.

I did some searching but, apart from other people asking the same question and one reference to an eBay listing, there isn't much showing up.
And I am aware of the thread on the TDS3000(B) series, but those instructions don't work on the C variant (tried it already).

Thanks!
 

Offline daveyk

  • Frequent Contributor
  • **
  • Posts: 413
  • Country: us
Re: TDS3000C series BW & sampling hack
« Reply #1 on: January 14, 2021, 07:53:15 pm »
Did you find out how?
 

Offline giosifTopic starter

  • Frequent Contributor
  • **
  • Posts: 877
  • Country: gb
Re: TDS3000C series BW & sampling hack
« Reply #2 on: January 14, 2021, 08:08:39 pm »
No, unfortunately.
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #3 on: January 15, 2021, 11:54:13 am »
I’m working on a budget version of my TDS3000 super-plug-in module. It will not only have the 10 pin BDM interface for program/erase the main board flash ROMs, but also a USB port with FT2232H with its extra TTL i/o wired to the BDM interface. Plus of course the DS1744W that takes over from the main board (empty battery...) DS1742W.

With that, it should be possible to reflash the ROMs, and, if these scopes are not too different from the TDS3000 no-suffix (or -b) models, then all that’s needed is a PC, and this board plugged into the expansion port on the back side. Plus a ROM image for the TDS3054-c.

Have confirmed that with TDS3034 and v3.41 firmware, I can upgrade to TDS3054. Or down to TDS3014. So without going back to v3.39.

What i do not have yet is the PC program that does BDM over FT2232. Lots of www examples found for JTAG, but for BDM I need to rebuild from scratch I fear. Unless of course someone reading this already did go through the effort... (please share if you did...).
So far I used the Abatron BDI2000 for reflashing TDS3000 scope via BDM.

 

Offline daveyk

  • Frequent Contributor
  • **
  • Posts: 413
  • Country: us
Re: TDS3000C series BW & sampling hack
« Reply #4 on: January 15, 2021, 06:22:11 pm »
If, WHEN, you work out the programming, keep me in mind and make some extra PCBs.  I would gladly pay you what you need for the PCB and your software.

Dave
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #5 on: January 23, 2021, 02:59:02 pm »
I got my 5 boards this week, the new budget version. Budget because no Ethernet, no isolated RS232 on DB9, and no isolated microUSB on this version. Edge connector instead of the official Molex 100 pin male part. This board has two 6 pin headers for two FTDI-TTL adapters, plus headers for a FT2232H mini module.
One serial port is for the generic user serial port, so can also do bandwidth hack trick on the old <= v3.39 firmware models. But not on -c models. For those I think only BDM port reflashing will work.
The other serial port is the VxWorks diagnostics port, with CTRL-X to reboot.
Both ports accessible at the same time via a FT2232H mini module, and then mini-USB cable to your PC.
Board has the 10 pin BDM port, and a slot for and ESP32 DevKit for Bluetooth or WiFi web server.
Plus of course a DS1744W RTC that can take over from the TDS3K main board DS1742W which has flat battery after 15 years. For that to work, either some patch work on the mainboard and re-using pin EXTCLK while disabling the old DS1742W - or a boot rom code edit that remaps the NVRAM/RTC /CS2 to /CE1 on the 100 pin connector. Lot of hassle, but proven feasible. the upside is no need to open the scope, no need to solder patch wires inside.

Tested OK on an old TDS3034 (no-suffix).

KiCad with Gerbers attached.

Works OK with the Abatron BDI2000. Still on my list of things to do: stand alone PC C or Java code that can program/erase the TDS3000 flash roms via BDM, via the XPC860 PowerPC. The BDM pins are linked to the FT2232H mini module, so must be feasible, but will be quite a project ahead still.



« Last Edit: January 23, 2021, 03:13:38 pm by sicco »
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #6 on: February 03, 2021, 08:19:22 pm »
Making good progress with some old style stand alone PC command line software that lets me read, erase, program the TDS3000 flash ROMs. Or the NVRAM. Using the plug-in discussed above. I’ve taken a 20 years old open source BDM project found in far deep www corners, all that was left was a zip with C sources. And then converted it from old style LPT printer port interface to FTDI FT2232 i/o. Had to add the definition for the AMD flash chips, something with top vs bottom boot sectors, but got it working now. Not yet in fast programming mode, so for now allow for a full hour before the programming is done.

I am confident that by fully reflashing mainboard roms also the -b and -c scopes will happily convert up to high bw spec, irrespective of initial firmware inside. Gut feeling is that there is no read protection. There was none on my TDS3034-no-suffix. However, we need the binaries for the ROMs. Reading these binaries is also via the BDM port, with same stand alone PC software.

So, daveyk, how would you want this progressed from here? You have a -c scope that is >3012 or >3014, that can be used to read out the roms?
 
The following users thanked this post: DC1MC, derree

Online DC1MC

  • Super Contributor
  • ***
  • Posts: 1880
  • Country: de
Re: TDS3000C series BW & sampling hack
« Reply #7 on: February 24, 2023, 08:45:50 pm »
I'm bringing this post out of the death slumber to see if I can revitalize my old decrepit TDS3012 (no letter).
So @sicco if you still have some adapter boards, can you sell me one, budget or luxury  ^-^ version ? If so, kindly please PL with all the needes details.

 Many thanks,
 DC1MC
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #8 on: February 24, 2023, 09:11:45 pm »
Hi DC1MC,

I no longer have the boards for sale. But feel free to use the KiCAD files and have JLCPCB etc produce a batch or just 1.
Till recently, availability of the FT4232H chips was a stumbling block, but i think that’s more or less behind us now.
 
The following users thanked this post: DC1MC

Online DC1MC

  • Super Contributor
  • ***
  • Posts: 1880
  • Country: de
Re: TDS3000C series BW & sampling hack
« Reply #9 on: February 25, 2023, 07:57:31 am »
@sicco are there any gotcha, things to avoid or that must be done for the design to work, or is "plug'n'play" and once soldered correctly and inserted It Just Works (TM) ? I'm asking because I spy some bogewires in the pictures above.

 Cheers,
 DC1MC
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #10 on: February 25, 2023, 12:34:53 pm »
I’ve lost track on what version is in the pictures that you’re referencing.

I think your prime interest now is to diagnose the scope via the BDM interface. And that you’re ok to keep using the original RTC DS1742W in your scope, likely with a new battery in/on it. If so, then what might work for you also is a FT4232H mini module (https://www.tme.eu/nl/details/ft4232hq-module/usb-modules/ftdi/ft4232h-mini-module/?brutto=1&currency=EUR&gclid=EAIaIQobChMIobm7zc6w_QIVhOF3Ch2SAA1NEAQYASABEgKWu_D_BwE) and maybe a 100 pin connector.

This alternative is described in https://www.eevblog.com/forum/repair/tds3014-adventures-(seeking-75-75mhz-oscillator)/msg3628994/#msg3628994
You can use the same PC software to access/edit the TDS3K RAM, Flash ROMs, RTC, I2C EEPROM option modules etc.

The 100 pin connector is a TE / AMP 1-1734099-0. But you can also solder the wires. Be aware of inconsistent pin numberings, edge connector counts differently as these AMPs.
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #11 on: August 07, 2023, 06:29:43 pm »
I finally have my first TDS 3034C. Eager to see if my 'second life' RTC fix board also works, and curious to see if the bandwidth can be edited to 600 MHz equivalent.
On that' I'm making progress with the PC program for BDM backdoor entry into the TDS3K models. That hardware that does the trick for the -b and the -no suffix models still fits in nicely in the -c model, and BDM mode works for controlling the CPU and accessing the DS1742W etc. But PC FT4232H USB BDM PPC software needed several tweaks because ROM and RAM sizes have doubled in the-c model.  And there's yet another flash ROM for the USB drivers and probably more.

I can now read and reflash the larger ROMs. And read/write the larger system RAM. And single step the PowerPC.

I have the ROM images on my PC now. I can edit these. With the earlier models (up to and including firmware 3.41) I could edit a keyword in the ROM image that ASCII shows and acts as the model number (and thus the bandwidth on offer), and then the TDS3034 became a TDS3064. The TDS3014C ROM image (v4.31 firmware) gets me the same keyword on a comparable location. I think it is part of a text file in the VxWorks internal file system in flash ROM. As before with the older models. But now after changing the 3 to a 6, it is a TDS 3014C on the next reboot. Luckily it becomes TDS 3034C again when setting the relevant rom byte back to 3.
So I think I am really close, but that there's just one last extra hurdle added. Possibly a conscious Tek protection. Or possibly just some file integrity in the VxWorks flash rom file system that got added.

What I'm curious about now is what model it will become if I load my flash ROMs with the exact 8Mbit image of a genuine TDS 3024C  or TDS 3044C or TDS 3054C or TDS 3064C ROM. My thinking is that it will then accept the model change. Because the extra last hurdle is just some hash or crc or checksum that also resides in the same rom image.
So I'm looking for volunteers to share such an image with me.
To get the image, the procedure is to insert my board in the 100pin scope expansion connector, USB connect to a Windows laptop, read the code, and share the file.
Anyone?
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #12 on: August 08, 2023, 07:19:57 pm »
Managed to upgrade my TDS3034C to TDS3054C  :)

Via the old style method that was PASSWORD PITBULL and MCONFIG TDS30*** that worked on the -B and -no suffix models up to firmware 3.31 or so.

For the -C model (with FW4.31), it was password INTEKRITY and mconfig tds3054c that did the trick.

This password I found elsewhere in EEVBLOG forum in a 2015 post on the later scope models, Re: DPO3000 Hacks, « Reply #3 on: April 23, 2015, 08:53:40 am.

the keywords password and mconfig appear to be case insensitive. But the model name tds3054c had to be lower case for it to work for me.

I'd not be surprised if the FW3.41 in -b models also accepts this other password.

What's weird though is that I can only go to tds3054c. Not to tds3064c, or down to tds3044c or tds3024c or so.

update next day: that’s not weird because TDS3024C, TDS3044C and TDS3064C were never Tektronix products.
« Last Edit: August 09, 2023, 07:38:56 am by sicco »
 

Offline Mkpirulo

  • Newbie
  • Posts: 7
  • Country: us
Re: TDS3000C series BW & sampling hack
« Reply #13 on: February 23, 2024, 09:39:52 pm »
Hi sicco,

Has the been confirmed by others to work?

Can you revert back to 3012C?

Does it only work for fw:3.41?

I’m ready to try it on mine, thanks for any info.
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #14 on: February 24, 2024, 06:24:41 am »

Hi  Mkpirulo,

Has the been confirmed by others to work?  yes (it, or this. Not the)

Can you revert back to 3012C? yes i would expect so. i only have experience with 4 channel -c units. Obviously you cannot change 30x4c into 30y2c. And you cannot change -b into a -c.

Does it only work for fw:3.41? that’s typically -b and -no suffix firmware, but yes it also works there. For earlier fw on those models it’s the other password (PITBULL) The -c models have higher firmware models, and for those INTEKRITY is the key to success.

I’m ready to try it on mine, thanks for any info.
 

Offline Mkpirulo

  • Newbie
  • Posts: 7
  • Country: us
Re: TDS3000C series BW & sampling hack
« Reply #15 on: February 25, 2024, 01:30:22 am »
Hi sicco,

Ok good to hear, thanks. Got TekVisa installed and it seems to see the instrument, well at least it sees the socket not really sure if I can talk to it. First time I’m doing this. Mines V4.01 can this version be pulled out and saved?
I down loaded V3.39 from here but I’m sure is for the 4CH version.I would need to find the TDS3052C version I would think.🤔
« Last Edit: February 25, 2024, 01:35:25 am by Mkpirulo »
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #16 on: February 25, 2024, 10:59:42 am »
The tds3000-c latest firmware you can still get from here:

https://www.tek.com/en/support/software/firmware/firmware-upgrade-tds3000c-series-oscilloscopes-v431

That will be good for for any -c unit, so both for 2 and for 4 channel units.

The BW is not part of the firmware as such. It’s a small text file that is read at boot time. For a 2 channel -c the valid strings in that file are TDS3012C, TDS3032C or TDS3052C. For a 4 channel -c, they are TDS3014C, TDS3034C or TDS3054C.
This text file is what gets added or edited when using the mconfig command, after the password INTEKRITY command. The model number for mconfig command must be entered in lower case i think.
 

Offline Mkpirulo

  • Newbie
  • Posts: 7
  • Country: us
Re: TDS3000C series BW & sampling hack
« Reply #17 on: February 25, 2024, 03:24:50 pm »
Hi sicco,
Thanks for your follow up with the added details. Ill try with my current version 4.01. Is there a straight forward way to pull this version out of the unit, maybe that doesn’t make sense since I can always rev to 4.31.
 

Offline sicco

  • Regular Contributor
  • *
  • Posts: 164
  • Country: nl
Re: TDS3000C series BW & sampling hack
« Reply #18 on: February 25, 2024, 03:35:15 pm »
Pulling old firmware (version) binary files out of a TDS3000 is not possible I believe.
That is, not via the user i/o (serial port, Ethernet, IEEE448 etc).
However, if you have the BDM plug-in interface and PC program that I made, then you can read out the flash roms. And program that back into the same, or into another unit. The flash images contain the application firmware but also the boot code and other files. Like files for calibration and BW configuration etc.
 

Offline Mkpirulo

  • Newbie
  • Posts: 7
  • Country: us
Re: TDS3000C series BW & sampling hack
« Reply #19 on: February 25, 2024, 05:23:47 pm »
Ok yes I reviewed all the work you did, nice job but I think parts might be hard to come by. Getting 4.01 out would only make sense if there was a need to, maybe if someone needed it.
Ok will try 4.01 with your new password and lower case model tds3052c.
If that does not work I’ll try reverting back to 3.39 or 3.41. Anything else I should try while I’m at it?
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf