Products > Test Equipment
Tektronix TBS1000 series hacking
bd139:
Got it thanks. Already have it open in HxD. It runs Linux by the looks! Definitely ain't M68k any more then. Still trying to ID the CPU arch.
Edit: looks like ARM. I'm going to try and extract the ROM FS out of it.
tv84:
--- Quote from: bd139 on August 16, 2021, 09:24:34 pm ---Edit: looks like ARM. I'm going to try and extract the ROM FS out of it.
--- End quote ---
0000011C Magic: 28CD3D45 CRAMFS MAGIC OK
00000120 Size: 01F61000
00000124 Flags: 00000003
00000128 Future: 00000000
0000012C Signature: Compressed ROMFS
0000013C CRC32: 9646CDC5 [0000011C-01F6111B] CRC OK
00000140 Edition: 0
00000144 Blocks: 18509
00000148 Files: 3013
0000014C Name: Compressed
List of the files is attached.
bd139:
Nice one :-+. Reading now.
I have kernel info from binwalk
uImage header, header size: 64 bytes, header CRC: 0x46B780DD, created: 2015-02-10 06:30:58, image size: 1577572 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x92CFE807, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-2.6.31-203-gee1fdae"
Linux kernel ARM boot executable zImage (little-endian)
Unfortunately cramfs tools are fecked on debian 11 at the moment.
Edit: oh man they left gdb and gdbserver on there and half their SVN repo metadata :palm: :palm: :palm:. Was hoping for strace :-DD
Edit 2: dropbear ssh server. Uses ADG522 - same capture ASIC IC as the TDS2024 apparently. Possibly 200MHz? :popcorn:
Edit 3: UI layer is minigui. Entry point is possibly "tekapp"
tv84:
01FA1DD4 Magic: 27051956 uImage File OK
01FA1DD8 Header CRC-32: 46B780DD [01FA1DD4-01FA1E13] CRC OK
01FA1DDC Created: 10/02/2015 06:30:58
01FA1DE0 Data Size: 00181264
01FA1DE4 Data Load Address: 80008000
01FA1DE8 Entry Point Address: 80008000
01FA1DEC Data CRC-32: 92CFE807 [01FA1E14-02123077] CRC OK
01FA1DF0 Operating System: Linux
01FA1DF1 CPU Architecture: ARM
01FA1DF2 Type: OS Kernel Image
01FA1DF3 Compression: None
01FA1DF4 Name: Linux-2.6.31-203-gee1fdae
01FA1E14 - Image 0 [01FA1E14-02123077] 00181264 bytes
------------------------------------------------------------------
FPGA .RBF file (experimental parsing):
FPGA - RBF/RPD (Raw Binary File) - Filesize: 1 463 520 bits (0002CA9C bytes)
02123078 - Start of File (Type 1)
[021230C0 02123099]
Bit 7 - 1111111111111111111111111111111111111111 FFFFFFFFFF
Bit 6 - 1111111111111111111111111111111111111111 FFFFFFFFFF
Bit 5 - 1111111111111111111111111111111111111111 FFFFFFFFFF
Bit 4 - 1111111111111111111111111111111111111111 FFFFFFFFFF
Bit 3 - 1111111111111111111111111110011010000000 FFFFFFE680
Bit 2 - 0000101010111010100011011000000000111111 0ABA8D803F
Bit 1 - 1111000000000111100011000000011111111111 F0078C07FF
Bit 0 - 1111111111111111111111111111111111111111 FFFFFFFFFF
Bits 0080 - EPCS/EPCQ ID check: Enabled
Bits 005F - Stream size: 1 406 235 bits (0002AEA4 bytes) Compression Bit ON (+1) Size NOT OK
Bits 0056 - 0000 0000 : 0x56-0x5D
Bits 004C - Programming Mode: 1-bit Passive Serial
Bits 003B - IDCode (Version+Part Number only): 0x020F1 (-> 0x024F1)
Bits 0008 - Usercode: FFFFFFFF
021230C1 - Header CRC-16_MODBUS: 74EC [02123099-021230C0] CRC OK
021230C3 - Data Framesize: 207 [021230C3-02123169]
0212316A - 4-byte words: 1260 [0212316A-02124519]
02123078 - Stream Size (Uncompressed): 3 034 104 bits
0212451A - CRC Framesize: 207+0 # Data Frames: 1779 [0212451A-0217F93E]
------------------------------------------------------------------
The last part of the file seems to be the programming of a HCS08 FrontPanel MCU (?), starting at 0x0214DF20.
bd139:
There's a bunch of certs in there. I bet that's where there's trouble.
Edit: and off to bed. Will resume when I receive it :)
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version