Tektronix TDS Scope Field Adjustment Software reverse engineering
PA0PBZ:

--- Quote ---If we can find those algorithms used in the adjustment procedure, we can then use them in an OS and GPIB adapter agnostic application of our own making right?
--- End quote ---

I think that is the way to go. It looks like the .CON files are a description of how the tests are done, so once there is a full understanding of the descriptive language in there nothing stops you from doing the communication with the TDS any way you like, it even tells you the commands (I think?):


--- Code: ---TEXT = MF_SET_GLO (
":SELECT:CH1 OFF;CH2 OFF;CH3 OFF;CH4 OFF"
":SELECT:CH2 ON"
":CH2:BANDWIDTH TWENTY"
":TRIGGER:MAIN:EDGE:SOURCE LINE"
":HORIZONTAL:SCALE 1E-3"
":HORIZONTAL:RECORDLENGTH 5000"
":ACQUIRE:MODE HIRES"
":PASSWORD PITBULL"
)
--- End code ---

I also tried to load the code in IDA, but it pukes out most of the code because of the overlaid nature, and Ghidra was not much better.
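As an added example (my own code, not from the thread and not Tektronix's), here is a small Python parser for the MF_SET_GLO construct quoted above. It assumes the statement shape NAME = MACRO ( "literal" "literal" ... ), expands each ';'-separated program message into absolute commands using the command-tree rule from the TDS programmer manuals (a header after ';' with no leading ':' is relative to the previous header's path), and hands the result to whatever transport callback you have, which is the adapter-agnostic approach discussed above.

```python
import re

# Constructed sample: the MF_SET_GLO block quoted in the thread, password line omitted.
CON_SAMPLE = """TEXT = MF_SET_GLO (
":SELECT:CH1 OFF;CH2 OFF;CH3 OFF;CH4 OFF"
":SELECT:CH2 ON"
":CH2:BANDWIDTH TWENTY"
":TRIGGER:MAIN:EDGE:SOURCE LINE"
":HORIZONTAL:SCALE 1E-3"
":HORIZONTAL:RECORDLENGTH 5000"
":ACQUIRE:MODE HIRES"
)
"""

# Assumed statement shape: NAME = MACRO ( "literal" "literal" ... )
_STMT = re.compile(r'(\w+)\s*=\s*(\w+)\s*\((.*?)\)', re.S)
_STR = re.compile(r'"([^"]*)"')

def parse_con(text):
    """Return [(name, macro, [string literals])] for each statement found."""
    return [(n, m, _STR.findall(body)) for n, m, body in _STMT.findall(text)]

def expand_compound(msg):
    """Split a ';'-separated program message into absolute commands. A header
    after ';' with no leading ':' is relative to the previous header's path
    (all mnemonics but the last), the command-tree rule of the TDS manuals."""
    out, path = [], []
    for part in msg.split(';'):
        header, _, arg = part.strip().partition(' ')
        nodes = header[1:].split(':') if header.startswith(':') else path + header.split(':')
        path = nodes[:-1]
        out.append(':' + ':'.join(nodes) + (' ' + arg if arg else ''))
    return out

def setup_commands(text, macro='MF_SET_GLO'):
    """Flatten every block of the given macro into one ordered command list."""
    cmds = []
    for _name, m, strings in parse_con(text):
        if m == macro:
            for s in strings:
                cmds.extend(expand_compound(s))
    return cmds

def run_setup(cmds, write):
    """Send the commands through any transport: `write` takes one command
    string (a VISA session's write, a linux-gpib wrapper, a serial bridge...)."""
    for c in cmds:
        write(c)
    return len(cmds)
```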
fenugrec:

--- Quote ---but something doesn't smell right, I have seen this used as an anti-reversing measure
--- End quote ---

In this case overlays are simply a way to use less memory at runtime. With a horrible penalty every time an overlay is swapped, but hey, those were the days of "RAMdisks" too... The MS 5.1 compiler docs have a good chapter on overlays, how & why to use them.


--- Quote ---always wondered why the DOS loader is not crashing and how the memory map may look like.
--- End quote ---

What do you mean by DOS loader crashing?

As for the memory map, in the 'overlazy' docs I have some ASCII graphs attempting to show the memory map.


--- Quote ---MSC library is available and I attempt to steal some symbols for the math functions
--- End quote ---

I think I managed to generate signatures for MSC libs but I had trouble with PDCurses. I'm fairly certain they're using PDCurses 1.4, but I wasn't able to figure out the correct compiler switches to generate binary-identical functions. PDC has some .asm modules, and those eventually produced signatures that IDA was able to identify in the .exe. Less luck with the C functions. Here's an excerpt from my notes trying different compiler flags:


--- Code: ---comparing update.c::Putchar() , tests :

0 "CFLAGS=-M$(MODEL) -c -Ox -W2" ; missing _chkstack, doesn't use opcode "cwb"
1 "CFLAGS=-M$(MODEL) -c -Oails -W2" : chkstack ok; uses sar ? wtf. Also missing pushpop si+di
2 "CFLAGS=-M$(MODEL) -c -Oail -W2" : sar, but cwb ! Almost. No si+di
3 CFLAGS=-M$(MODEL) -c -W2 : same
4 CFLAGS=-M$(MODEL) -c -G2 -W2 : same
5 CFLAGS=-M$(MODEL) -c -Od -W2 : lol : again sar, but SI+DI !
--- End code ---

That said, as I recall the pdc functions are all next to each other and should be fairly recognizable; it's a beginner-friendly task to manually map them by hand. Signatures would definitely have been nice though...
If you want to port the software, I think it would save work to keep the same UI for now, since there are still plenty of curses implementations (including pdcurses) with probably all the same/similar API. This means TEK's in-house "CATS-OS" layer can be re-compiled mostly as-is, without needing to re-design it from scratch.



--- Quote ---Do you think is there some way to unwrap this executable and make it right ?
--- End quote ---

Yes, the 'overlazy' tool I linked previously does exactly that. It will create an unwrapped, but non-executable, .exe file.




--- Quote ---sniff the GPIB busses.
--- End quote ---

Remember you could also sniff the register accesses to the 7210 IC directly - IIRC it's 3 address lines, a few R/W and misc control lines, and one 8-bit data port. This may give more information than just a bus capture.


--- Quote ---I'm wondering if trying to port the DOS software across to another platform or modify it to use other GPIB cards is the harder way
--- End quote ---

It's a good question. Doing a full port of the software is a massive undertaking. Judging by the number of soft-float functions in there, it's possibly also doing some DSP stuff to process acquisitions; it's not just reading a script.

But please, people, use a decompiler, don't just stare at 700kB of x86 asm trying to understand everything. You will never finish.

PS - I have found forum threads to be a mediocre medium for collaborating on substantial RE efforts, where sub-discussions branch out a lot, sometimes go dormant for a while, etc... For general discussions and progress reports, sure, but for in-depth technical stuff, not great.
For documenting findings and technical details, a wiki can be an alternative. Else, some kind of git-versioned, categorized text files might also work.

One thing I'd be curious to try someday is using ghidra with a shared server (e.g. https://www.ghidra-server.org/ ) to collaborate on a single db. Though I would probably want to run ghidra in a sandbox / VM before doing that.
m k:
TDS700CG.EXE from TERRA's ZIP

0xac1c jbe +6

How should that area be disassembled?


Same file, and I found only one I/O OUT that is not floating-point something.


--- Code: ---                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_379e_1b08(undefined2 param_1, undefined1 p
                               assume CS = 0x379e
             undefined         AL:1           <RETURN>
             undefined2        Stack[0x4]:2   param_1                                 XREF[1]:     379e:1b0b(*) 
             undefined1        Stack[0x6]:1   param_2                                 XREF[1]:     379e:1b0e(*) 
                             FUN_379e_1b08                                   XREF[70]:    FUN_239c_01fc:239c:0223(c),
                                                                                          FUN_239c_01fc:239c:0232(c),
                                                                                          FUN_239c_01fc:239c:0241(c),
                                                                                          FUN_239c_01fc:239c:0263(c),
                                                                                          FUN_239c_01fc:239c:02c9(c),
                                                                                          FUN_359a_0008:359a:0068(c),
                                                                                          FUN_35ad_0000:35ad:0063(c),
                                                                                          FUN_35ad_0000:35ad:00b3(c),
                                                                                          FUN_35e3_0002:35e3:0130(c),
                                                                                          FUN_35e3_0002:35e3:014a(c),
                                                                                          FUN_35e3_0002:35e3:017f(c),
                                                                                          FUN_35e3_0002:35e3:0198(c),
                                                                                          FUN_3601_0008:3601:02cf(c),
                                                                                          FUN_3601_0008:3601:0366(c),
                                                                                          FUN_3601_0008:3601:037f(c),
                                                                                          FUN_3601_0008:3601:0398(c),
                                                                                          FUN_3601_0008:3601:03bb(c),
                                                                                          FUN_3601_0008:3601:03d5(c),
                                                                                          FUN_3601_0008:3601:03ef(c),
                                                                                          FUN_3601_0008:3601:0409(c), [more]
       379e:1b08 55              PUSH       BP
       379e:1b09 8b ec           MOV        BP,SP
       379e:1b0b 8b 56 06        MOV        DX,word ptr [BP + param_1]
       379e:1b0e 8a 46 08        MOV        AL,byte ptr [BP + param_2]
       379e:1b11 ee              OUT        DX,AL
       379e:1b12 b4 00           MOV        AH,0x0
       379e:1b14 5d              POP        BP
       379e:1b15 cb              RET

--- End code ---


The NI GPIB.COM I checked used mainly double-indirect I/O port addressing.
That is many bytes compared to fixed-address or memory-mapped I/O.

Maybe creating a memory-mapped filter driver between a forked, fixed-address GPIB.COM and whatever GPIB hardware is also a possibility
(if that GPIB.COM is actually used).
A *.COM file can be extended easily, and remapping double-indirect I/O ports to memory locations should also be pretty easy.

The filter driver can also export stuff to wherever.


--- Code: ---       2000:1f1f b8 02 00        MOV        AX,0x2
       2000:1f22 8b 57 06        MOV        DX,word ptr [BX + 0x6]
       2000:1f25 83 c2 05        ADD        DX,0x5
       2000:1f28 ee              OUT        DX,AL
...
       2000:2a3a 25 1f 00        AND        AX,0x1f
       2000:2a3d 8b 1e 00 bc     MOV        BX,word ptr [0xbc00]
       2000:2a41 8b 57 0c        MOV        DX,word ptr [BX + 0xc]
       2000:2a44 03 16 e6 ae     ADD        DX,word ptr [0xaee6]
       2000:2a48 ee              OUT        DX,AL
...
       2000:2a83 b8 e0 00        MOV        AX,0xe0
       2000:2a86 8b 1e 00 bc     MOV        BX,word ptr [0xbc00]
       2000:2a8a 8b 57 0c        MOV        DX,word ptr [BX + 0xc]
       2000:2a8d 03 16 e6 ae     ADD        DX,word ptr [0xaee6]
       2000:2a91 ee              OUT        DX,AL

--- End code ---
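As an added example (my own code, not from m k's post and not from NI's GPIB.COM), here is a small Python scanner that decodes only the 16-bit opcodes that appear in the listing above and symbolically tracks how DX was derived before each OUT DX,AL. It makes the "double indirect" port addressing visible as a nested expression, which is the kind of inventory you would want before deciding where a filter driver has to intercept. The byte sample is reconstructed from the three quoted OUT sites with the "..." gaps removed, so only the first site keeps its real offset.

```python
import struct

# Constructed sample: the three OUT sites quoted from GPIB.COM, re-joined as raw bytes ("..." gaps dropped).
GPIB_SAMPLE = bytes.fromhex(
    'b80200 8b5706 83c205 ee'              # MOV AX,2; MOV DX,[BX+6]; ADD DX,5; OUT DX,AL
    '251f00 8b1e00bc 8b570c 0316e6ae ee'   # AND AX,1f; MOV BX,[bc00]; MOV DX,[BX+c]; ADD DX,[aee6]; OUT
    'b8e000 8b1e00bc 8b570c 0316e6ae ee')  # MOV AX,e0; same double-indirect sequence; OUT

REG16 = ['AX', 'CX', 'DX', 'BX', 'SP', 'BP', 'SI', 'DI']
RM16 = ['BX+SI', 'BX+DI', 'BP+SI', 'BP+DI', 'SI', 'DI', 'BP', 'BX']

def modrm(code, i):
    """Decode a 16-bit ModRM at code[i]: (reg field, r/m operand text, bytes used)."""
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    if mod == 3:
        return reg, REG16[rm], 1
    if mod == 0 and rm == 6:                       # direct address, no base register
        return reg, '[0x%04x]' % struct.unpack_from('<H', code, i + 1)[0], 3
    disp, n = 0, 1
    if mod:                                        # disp8 (mod 1) or disp16 (mod 2) follows
        disp, n = struct.unpack_from('<b' if mod == 1 else '<h', code, i + 1)[0], mod + 1
    return reg, '[%s%s]' % (RM16[rm], '%+#x' % disp if disp else ''), n

def find_outs(code, base=0):
    """Return [(offset, port expression)] per OUT DX,AL, tracking BX and DX symbolically."""
    regs, outs, i = {}, [], 0
    while i < len(code):
        op = code[i]
        if op == 0xEE:                                 # OUT DX,AL
            outs.append((base + i, regs.get('DX', 'DX?')))
            i += 1
        elif op in (0x8B, 0x03):                       # MOV / ADD r16, r/m16
            reg, src, n = modrm(code, i + 1)
            src = src.replace('BX', regs.get('BX', 'BX'))   # resolve the table pointer
            dst = REG16[reg]
            regs[dst] = src if op == 0x8B else regs.get(dst, dst) + '+' + src
            i += 1 + n
        elif op == 0x83 and (code[i + 1] >> 3) & 7 == 0:   # ADD r/m16, imm8
            _, dst, n = modrm(code, i + 1)
            regs[dst] = regs.get(dst, dst) + '+0x%x' % code[i + 1 + n]
            i += 2 + n
        elif op in (0xB8, 0x25):                       # MOV AX,imm16 / AND AX,imm16
            i += 3
        else:
            raise ValueError('unhandled opcode 0x%02x at 0x%04x' % (op, base + i))
    return outs

def nesting(expr):          # max bracket depth: 2 is the double-indirect case
    return max(expr[:k].count('[') - expr[:k].count(']') for k in range(1, len(expr) + 1))
```

Running find_outs(GPIB_SAMPLE, base=0x1f1f) reports the first OUT at 0x1f28 with port [BX+0x6]+0x5 and the other two with port [[0xbc00]+0xc]+[0xaee6].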
m k:
Some possible IRQ specials, 2F0-2F7.
vaualbus:
Amazing thread! I too originally decompiled the software just to get the list of instruments that were mentioned in there.
Anyway, regarding the user who told us that he has a contact inside Tek: what would be amazing to get is the repair software that allows running board-specific tests on the scope.
(Basically the one that allows executing all the tests that the repair manuals describe.)
To my knowledge it has never been released. The software apparently downloads some kind of FW to the scope, which then executes the tests (via the debug/console port that the CPU has).
Anyway, I really hope we will eventually be able to make software that works with any GPIB adapter and not just the 16-bit ISA one, for which we do not have drivers for NT systems as NI never made the 32-bit driver.