| Products > Test Equipment |
| Tektronix TBS1000 series hacking |
| << < (3/6) > >> |
| bd139:
Got it thanks. Already have it open in HxD. It runs Linux by the looks! Definitely ain't M68k any more then. Still trying to ID the CPU arch. Edit: looks like ARM. I'm going to try and extract the ROM FS out of it. |
| tv84:
--- Quote from: bd139 on August 16, 2021, 09:24:34 pm ---Edit: looks like ARM. I'm going to try and extract the ROM FS out of it. --- End quote --- 0000011C Magic: 28CD3D45 CRAMFS MAGIC OK 00000120 Size: 01F61000 00000124 Flags: 00000003 00000128 Future: 00000000 0000012C Signature: Compressed ROMFS 0000013C CRC32: 9646CDC5 [0000011C-01F6111B] CRC OK 00000140 Edition: 0 00000144 Blocks: 18509 00000148 Files: 3013 0000014C Name: Compressed List of the files is attached. |
| bd139:
Nice one :-+. Reading now. I have kernel info from binwalk uImage header, header size: 64 bytes, header CRC: 0x46B780DD, created: 2015-02-10 06:30:58, image size: 1577572 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x92CFE807, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-2.6.31-203-gee1fdae" Linux kernel ARM boot executable zImage (little-endian) Unfortunately cramfs tools are fecked on debian 11 at the moment. Edit: oh man they left gdb and gdbserver on there and half their SVN repo metadata :palm: :palm: :palm:. Was hoping for strace :-DD Edit 2: dropbear ssh server. Uses ADG522 - same capture ASIC IC as the TDS2024 apparently. Possibly 200MHz? :popcorn: Edit 3: UI layer is minigui. Entry point is possibly "tekapp" |
| tv84:
01FA1DD4 Magic: 27051956 uImage File OK 01FA1DD8 Header CRC-32: 46B780DD [01FA1DD4-01FA1E13] CRC OK 01FA1DDC Created: 10/02/2015 06:30:58 01FA1DE0 Data Size: 00181264 01FA1DE4 Data Load Address: 80008000 01FA1DE8 Entry Point Address: 80008000 01FA1DEC Data CRC-32: 92CFE807 [01FA1E14-02123077] CRC OK 01FA1DF0 Operating System: Linux 01FA1DF1 CPU Architecture: ARM 01FA1DF2 Type: OS Kernel Image 01FA1DF3 Compression: None 01FA1DF4 Name: Linux-2.6.31-203-gee1fdae 01FA1E14 - Image 0 [01FA1E14-02123077] 00181264 bytes ------------------------------------------------------------------ FPGA .RBF file (experimental parsing): FPGA - RBF/RPD (Raw Binary File) - Filesize: 1 463 520 bits (0002CA9C bytes) 02123078 - Start of File (Type 1) [021230C0 02123099] Bit 7 - 1111111111111111111111111111111111111111 FFFFFFFFFF Bit 6 - 1111111111111111111111111111111111111111 FFFFFFFFFF Bit 5 - 1111111111111111111111111111111111111111 FFFFFFFFFF Bit 4 - 1111111111111111111111111111111111111111 FFFFFFFFFF Bit 3 - 1111111111111111111111111110011010000000 FFFFFFE680 Bit 2 - 0000101010111010100011011000000000111111 0ABA8D803F Bit 1 - 1111000000000111100011000000011111111111 F0078C07FF Bit 0 - 1111111111111111111111111111111111111111 FFFFFFFFFF Bits 0080 - EPCS/EPCQ ID check: Enabled Bits 005F - Stream size: 1 406 235 bits (0002AEA4 bytes) Compression Bit ON (+1) Size NOT OK Bits 0056 - 0000 0000 : 0x56-0x5D Bits 004C - Programming Mode: 1-bit Passive Serial Bits 003B - IDCode (Version+Part Number only): 0x020F1 (-> 0x024F1) Bits 0008 - Usercode: FFFFFFFF 021230C1 - Header CRC-16_MODBUS: 74EC [02123099-021230C0] CRC OK 021230C3 - Data Framesize: 207 [021230C3-02123169] 0212316A - 4-byte words: 1260 [0212316A-02124519] 02123078 - Stream Size (Uncompressed): 3 034 104 bits 0212451A - CRC Framesize: 207+0 # Data Frames: 1779 [0212451A-0217F93E] ------------------------------------------------------------------ The last part of the file seems to be the programming of a HCS08 FrontPanel MCU (?), starting at 0x0214DF20. |
| bd139:
There's a bunch of certs in there. I bet that's where there's trouble. Edit: and off to bed. Will resume when I receive it :) |
| Navigation |
| Message Index |
| Next page |
| Previous page |