Tektronix TDS Scope Field Adjustment Software reverse engineering
PA0PBZ:
--- Quote ---If we can find those algorithms used in the adjustment procedure, we can then use them in an OS and GPIB adapter agnostic application of our own making, right? --- End quote ---
I think that is the way to go. It looks like the .CON files are a description of how the tests are done, so once there is a full understanding of the descriptive language in there, nothing stops you from doing the communication with the TDS any way you like; it even tells you the commands (I think?):
--- Code: ---
TEXT = MF_SET_GLO (
    ":SELECT:CH1 OFF;CH2 OFF;CH3 OFF;CH4 OFF"
    ":SELECT:CH2 ON"
    ":CH2:BANDWIDTH TWENTY"
    ":TRIGGER:MAIN:EDGE:SOURCE LINE"
    ":HORIZONTAL:SCALE 1E-3"
    ":HORIZONTAL:RECORDLENGTH 5000"
    ":ACQUIRE:MODE HIRES"
    ":PASSWORD PITBULL"
)
--- End code ---
I also tried to load the code in IDA, but it pukes out most of the code because of the overlaid nature, and Ghidra was not much better.
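As an added illustration of the adapter-agnostic approach described in the post above (this is example code, not code from the thread, from Tektronix or from the TDS software), the following Python sketch parses the `NAME = FUNC ( "..." "..." )` statement shape seen in the MF_SET_GLO excerpt, expands each SCPI program message into absolute commands using the IEEE 488.2 rule that a header after `;` without a leading colon is relative to the previous header's tree, and hands the result to a transport interface. The .CON grammar is assumed from that single excerpt; `Statement`, `RecordingTransport`, `parse_con`, `expand_scpi` and `run_set_glo` are names of my own, and a real port would replace the recording transport with a VISA, GPIB or USBTMC write.

```python
import re
from dataclasses import dataclass
from typing import List, Protocol

# Constructed sample: the MF_SET_GLO block quoted in the thread, re-wrapped
# onto separate lines the way a .CON file would plausibly present it.
SAMPLE_CON = """TEXT = MF_SET_GLO (
    ":SELECT:CH1 OFF;CH2 OFF;CH3 OFF;CH4 OFF"
    ":SELECT:CH2 ON"
    ":CH2:BANDWIDTH TWENTY"
    ":TRIGGER:MAIN:EDGE:SOURCE LINE"
    ":HORIZONTAL:SCALE 1E-3"
    ":HORIZONTAL:RECORDLENGTH 5000"
    ":ACQUIRE:MODE HIRES"
    ":PASSWORD PITBULL"
)
"""


@dataclass
class Statement:
    target: str       # left-hand name, e.g. TEXT
    func: str         # function name, e.g. MF_SET_GLO
    args: List[str]   # the quoted string arguments, in order


# Assumed grammar (from one excerpt): NAME = FUNC ( "str" "str" ... )
# The non-greedy group stops at the first ')', so a ')' inside a string
# would need a real tokenizer; none appear in the excerpt.
_STMT_RE = re.compile(r'(\w+)\s*=\s*(\w+)\s*\((.*?)\)', re.S)
_STR_RE = re.compile(r'"([^"]*)"')


def parse_con(text: str) -> List[Statement]:
    """Extract NAME = FUNC ( "..." "..." ) statements from .CON text."""
    return [Statement(m.group(1), m.group(2), _STR_RE.findall(m.group(3)))
            for m in _STMT_RE.finditer(text)]


def expand_scpi(message: str) -> List[str]:
    """Split a SCPI program message on ';' into absolute commands.

    Per IEEE 488.2, a header following ';' that has no leading ':' is taken
    relative to the tree of the previous header, so ":SELECT:CH1 OFF;CH2 OFF"
    means ":SELECT:CH1 OFF" then ":SELECT:CH2 OFF". Common commands ("*RST")
    are passed through and do not move the tree position.
    """
    cmds: List[str] = []
    prefix = ""   # tree path of the previous header, minus its last mnemonic
    for unit in message.split(";"):
        unit = unit.strip()
        if not unit:
            continue
        header, _, params = unit.partition(" ")
        if header.startswith("*"):
            cmds.append(unit)
            continue
        full = header[1:] if header.startswith(":") else (
            f"{prefix}:{header}" if prefix else header)
        prefix = full.rpartition(":")[0]
        cmds.append(f":{full} {params}".rstrip())
    return cmds


class Transport(Protocol):
    def write(self, command: str) -> None: ...


class RecordingTransport:
    """Stand-in for a real GPIB/VISA/USBTMC link: records what would be sent."""

    def __init__(self) -> None:
        self.sent: List[str] = []

    def write(self, command: str) -> None:
        self.sent.append(command)


def run_set_glo(stmt: Statement, link: Transport) -> List[str]:
    """Send every command of a MF_SET_GLO statement over the given link."""
    if stmt.func != "MF_SET_GLO":
        raise ValueError(f"unsupported function {stmt.func}")
    sent: List[str] = []
    for message in stmt.args:
        for cmd in expand_scpi(message):
            link.write(cmd)
            sent.append(cmd)
    return sent


def demo() -> List[str]:
    """Parse the constructed sample and return the commands that would be sent."""
    link = RecordingTransport()
    for stmt in parse_con(SAMPLE_CON):
        run_set_glo(stmt, link)
    return link.sent


if __name__ == "__main__":
    for c in demo():
        print(c)
```

Running the block prints the eleven absolute commands the sample expands to; swapping `RecordingTransport` for an object whose `write` talks to real hardware is the only change needed to drive an instrument, which is exactly what keeps the application independent of the GPIB adapter and OS.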
fenugrec:
--- Quote ---but something doesn't smell right, I have seen this used as an anti-reversing measure --- End quote ---
In this case overlays are simply a way to use less memory at runtime. With a horrible penalty every time an overlay is swapped, but hey, those were the days of "RAMdisks" too... The MS 5.1 compiler docs have a good chapter on overlays, how & why to use them.
--- Quote ---always wondered why the DOS loader is not crashing and how the memory map may look like. --- End quote ---
What do you mean by DOS loader crashing? As for the memory map, in the 'overlazy' docs I have some ASCII graphs attempting to show the memory map.
--- Quote ---MSC library is available and I attempt to steal some symbols for the math functions --- End quote ---
I think I managed to generate signatures for MSC libs, but I had trouble with PDCurses. I'm fairly certain they're using PDCurses 1.4, but I wasn't able to figure out the correct compiler switches to generate binary-identical functions. PDC has some .asm modules, and those eventually produced signatures that IDA was able to identify in the .exe. Less luck with the C functions. Here's an excerpt from my notes trying different compiler flags:
--- Code: ---
comparing update.c::Putchar() , tests :
0 "CFLAGS=-M$(MODEL) -c -Ox -W2" ; missing _chkstack, doesn't use opcode "cwb"
1 "CFLAGS=-M$(MODEL) -c -Oails -W2" : chkstack ok; uses sar ? wtf. Also missing pushpop si+di
2 "CFLAGS=-M$(MODEL) -c -Oail -W2" : sar, but cwb ! Almost. No si+di
3 CFLAGS=-M$(MODEL) -c -W2 : same
4 CFLAGS=-M$(MODEL) -c -G2 -W2 : same
5 CFLAGS=-M$(MODEL) -c -Od -W2 : lol : again sar, but SI+DI !
--- End code ---
That said, as I recall the pdc functions are all next to each other and should be fairly recognizable; it's a beginner-friendly task to map them by hand. Signatures would definitely have been nice though...

If you want to port the software, I think it would save work to keep the same UI for now, since there are still plenty of curses implementations (including pdcurses) with probably all the same/similar API. This means TEK's in-house "CATS-OS" layer can be re-compiled mostly as-is, without needing to re-design it from scratch.
--- Quote ---Do you think there is some way to unwrap this executable and make it right? --- End quote ---
Yes, the 'overlazy' tool I linked previously does exactly that. It will create an unwrapped, but non-executable, .exe file.
--- Quote ---sniff the GPIB busses. --- End quote ---
Remember you could also sniff the register accesses to the 7210 IC directly - IIRC it's 3 address lines, a few R/W and misc control lines, and one 8-bit data port. This may give more information than just a bus capture.
--- Quote ---I'm wondering if trying to port the DOS software across to another platform or modify it to use other GPIB cards is the harder way --- End quote ---
It's a good question. Doing a full port of the software is a massive undertaking. Judging by the amount of soft-float functions in there, it's possibly also doing some DSP stuff to process acquisitions; it's not just reading a script. But please, people, use a decompiler, don't just stare at 700kB of x86 asm trying to understand everything. You will never finish.

PS - I have found forum threads to be a mediocre medium for collaborating on substantial RE efforts, where sub-discussions branch out a lot, sometimes go dormant for a while, etc... For general discussions and progress reports, sure, but for in-depth technical stuff, not great. For documenting findings and technical details, a wiki can be an alternative. Else, some kind of git-versioned, categorized text files might also work. One thing I'd be curious to try someday is using ghidra with a shared server (e.g. https://www.ghidra-server.org/ ) to collaborate on a single db. Though I would probably want to run ghidra in a sandbox / VM before doing that.
m k:
TDS700CG.EXE from TERRA's ZIP: 0xac1c jbe +6. How should that area be disassembled? Same file, and I found only one I/O OUT that is not floating-point something.
--- Code: ---
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_379e_1b08(undefined2 param_1, undefined1 p
assume CS = 0x379e
undefined AL:1 <RETURN>
undefined2 Stack[0x4]:2 param_1 XREF[1]: 379e:1b0b(*)
undefined1 Stack[0x6]:1 param_2 XREF[1]: 379e:1b0e(*)
FUN_379e_1b08 XREF[70]: FUN_239c_01fc:239c:0223(c), FUN_239c_01fc:239c:0232(c), FUN_239c_01fc:239c:0241(c), FUN_239c_01fc:239c:0263(c), FUN_239c_01fc:239c:02c9(c), FUN_359a_0008:359a:0068(c), FUN_35ad_0000:35ad:0063(c), FUN_35ad_0000:35ad:00b3(c), FUN_35e3_0002:35e3:0130(c), FUN_35e3_0002:35e3:014a(c), FUN_35e3_0002:35e3:017f(c), FUN_35e3_0002:35e3:0198(c), FUN_3601_0008:3601:02cf(c), FUN_3601_0008:3601:0366(c), FUN_3601_0008:3601:037f(c), FUN_3601_0008:3601:0398(c), FUN_3601_0008:3601:03bb(c), FUN_3601_0008:3601:03d5(c), FUN_3601_0008:3601:03ef(c), FUN_3601_0008:3601:0409(c), [more]
379e:1b08 55          PUSH BP
379e:1b09 8b ec       MOV BP,SP
379e:1b0b 8b 56 06    MOV DX,word ptr [BP + param_1]
379e:1b0e 8a 46 08    MOV AL,byte ptr [BP + param_2]
379e:1b11 ee          OUT DX,AL
379e:1b12 b4 00       MOV AH,0x0
379e:1b14 5d          POP BP
379e:1b15 cb          RET
--- End code ---
This NI GPIB.COM I checked used mainly double-indirect I/O port addressing. That is many bytes compared to fixed-address or memory-mapped I/O. Maybe creating a memory-mapped filter driver between a forked and fixed-address GPIB.COM and whatever GPIB hardware is also a possibility (if that GPIB.COM is actually used). A *.COM file can be extended easily, and remapping double-indirect I/O ports to memory locations should also be pretty easy. The filter driver can also export stuff to wherever.
--- Code: ---
2000:1f1f b8 02 00       MOV AX,0x2
2000:1f22 8b 57 06       MOV DX,word ptr [BX + 0x6]
2000:1f25 83 c2 05       ADD DX,0x5
2000:1f28 ee             OUT DX,AL
...
2000:2a3a 25 1f 00       AND AX,0x1f
2000:2a3d 8b 1e 00 bc    MOV BX,word ptr [0xbc00]
2000:2a41 8b 57 0c       MOV DX,word ptr [BX + 0xc]
2000:2a44 03 16 e6 ae    ADD DX,word ptr [0xaee6]
2000:2a48 ee             OUT DX,AL
...
2000:2a83 b8 e0 00       MOV AX,0xe0
2000:2a86 8b 1e 00 bc    MOV BX,word ptr [0xbc00]
2000:2a8a 8b 57 0c       MOV DX,word ptr [BX + 0xc]
2000:2a8d 03 16 e6 ae    ADD DX,word ptr [0xaee6]
2000:2a91 ee             OUT DX,AL
--- End code ---
m k:
Some possible IRQ specials, 2F0-2F7.
vaualbus:
Amazing thread! I too originally decompiled the software just to get the list of instruments that were mentioned there. Anyway, regarding the user who told us that he has a contact inside Tek: what would be amazing to get is the repair software that allows running board-specific tests on the scope (basically the one that allows executing all the tests that the repair manuals describe). To my knowledge it has never been released. The software apparently downloads some kind of FW to the scope, which then executes the tests (via the debug/console port that the CPU has). Anyway, I really hope we will eventually be able to make software that works with any GPIB adapter and not just the 16-bit ISA one, for which we do not have drivers for NT systems, as NI never made the 32-bit driver.