Products > Test Equipment
Tektronix TDS1000B and TDS2000B series hacks
Fieroluke:
Don't use the *.TEK files, they don't work. I'm sure they have a block in there.
Unsolder your Flash, read it, and modify it by running the Python script (or manually like I did), then solder it back.
That way it's YOUR firmware, just a different model ID in the firmware.
Apparently the firmware uses the same base software, which switches features based on model ID, and maybe a driver portion, that is custom to the B and C series.
Impossible to know without comparing firmwares. Anyway, modifying this ID byte in YOUR SCOPE's firmware removes the limitations in the base firmware and also changes the model ID string associated with it, but keeps the drivers for the ModelB or C series. That would explain it.
This is a list from inside the C-Firmware that lists all supported models I guess (I don't know what the -SC models are (school = EDU?)):
TDS2002B 0x0D
TDS2012B 0x0E
TDS2022B 0x0B
TDS2004B 0x14
TDS2014B 0x0F
TDS2024B 0x0C
TDS2022B_1G 0x10
TDS1001B 0x13
TDS1002B 0x11
TDS1012B 0x12
TDS1001B-SC 0x15
TDS1002B-SC 0x16
TDS1012B-SC 0x17
TDS2002C 0x1A
TDS2012C 0x1B
TDS2022C 0x18
TDS2001C 0x1D
TDS2004C 0x1E
TDS2014C 0x1C
TDS2024C 0x19
TDS1001C-SC 0x1F
TDS1002C-SC 0x20
TDS1012C-SC 0x21
Note there’s no apparent order in this list. Ordering by known IDs it seems the “full” version 2024B starts the list, then the most limited 50 MHz 2002B, then 100MHz 2012B, 2014B, next sample limited 200MHz 2022B. Next up are the monochrome versions, but in random order. And at the end of the list come the C models.
It looks like the order was determined by chronological order and marketing department, lol.
[edited: updated model IDs according to my findings later in this thread]
vishaldotgupta:
sucess finally.
i used a stock fw from C series 4 channel and replaced the cal data from my original unit.
The unit now boots up with model TDS2022B, shows 16 measurements as stated in C model and now supports led type display from C model.
Thanks everyone for support
Fieroluke:
Awesome news, congratulations!
Fieroluke:
I dug a little deeper into my dumped ROM and I think I deciphered the model code list. The relevant code starts at ROM-Offset 0x30C9FA / address $50C9FA:
(this is disassembled by hand, but you get the idea. Use the info below at your own risk!)
--- Code: --- .org $50C9FA
4E56 0000 link A6,#0 ;set up stack frame
2F0A move.l A3,-(SP) ;save A3
246E 0008 move.l A4,8(A6) ;pass parameter to get device ID
6100 02F8 bsr $2F8(PC) ;get device ID $50CCFE: CAL_get_instrument_config()
72F5 moveq.l #$F5,D1 ;-0x0B
D081 add.l D1,D0 ;subtract offset for first ID code
7216 moveq.l #$16,D1 ;index 22 is last entry in table
B280 cmp.l D1,D0 ;check overflow
6500 0100 bcs $100(PC) ;branch on error
D080 add.l D0,D0 ;double D0 for table index, because we're addressing words
303B 0806 move.w 6(D0,PC),D0 ;get jump offset word from table
4EFB 0002 jmp 2(PC,D0) ;jump to model code
--- End code ---
So, this part gets a jump offset from the jump table immediately following the code. This jump table determines where to continue the code depending on the model ID. 0x0B is the first model ID and is the first table entry:
--- Code: --- .org $50CA1E
dc.w $42 ;$50CA60 - TDS2022B $0B
dc.w $60 ;$50CA7E - TDS2024B $0C
dc.w $2E ;$50CA4C - TDS2002B $0D
dc.w $38 ;$50CA56 - TDS2012B $0E
dc.w $56 ;$50CA74 - TDS2014B $0F
dc.w $6A ;$50CA88 - TDS2022B_1G $10
dc.w $7C ;$50CA9A - TDS1002B $11
dc.w $84 ;$50CAA2 - TDS1012B $12
dc.w $74 ;$50CA92 - TDS1001B $13
dc.w $4C ;$50CA6A - TDS2004B $14
dc.w $8C ;$50CAAA - TDS1001B-SC $15
dc.w $94 ;$50CAB2 - TDS1002B-SC $16
dc.w $9C ;$50CABA - TDS1012B-SC $17
dc.w $B4 ;$50CAD2 - TDS2022C $18
dc.w $D4 ;$50CAF2 - TDS2024C $19
dc.w $A4 ;$50CAC2 - TDS2002C $1A
dc.w $AC ;$50CACA - TDS2012C $1B
dc.w $CC ;$50CAEA - TDS2014C $1C
dc.w $BC ;$50CADA - TDS2001C $1D
dc.w $C4 ;$50CAE2 - TDS2004C $1E
dc.w $DC ;$50CAFA - TDS1001C-SC $1F
dc.w $E4 ;$50CB02 - TDS1002C-SC $20
dc.w $EC ;$50CB0A - TDS1012C-SC $21
--- End code ---
So, this jumptable jumps to the following code, which loads the model ID from a nearby string table:
--- Code: --- .org $50CA4C
24BC 0050C916 move.l #$050C916,(A2) ;TDS2002B
6000 00C4 bra.w $C4(PC)
.org $50CA56
24BC 0050C91F move.l #$050C91F,(A2) ;TDS2012B
6000 00BA bra.w $BA(PC)
.org $50CA60
24BC 0050C928 move.l #$050C928,(A2) ;TDS2022B
6000 00B0 bra.w $B0(PC)
.org $50CA6A
24BC 0050C931 move.l #$050C931,(A2) ;TDS2004B
6000 00A6 bra.w $A6(PC)
.org $50CA74
24BC 0050C93A move.l #$050C93A,(A2) ;TDS2014B
6000 009C bra.w $9C(PC)
.org $50CA7E
24BC 0050C943 move.l #$050C943,(A2) ;TDS2024B
6000 0092 bra.w $92(PC)
.org $50CA88
24BC 0050C94C move.l #$050C94C,(A2) ;TDS2022B_1G
6000 0088 bra.w $88(PC)
.org $50CA92
24BC 0050C958 move.l #$050C958,(A2) ;TDS1001B
607E bra.b $7E(PC)
.org $50CA9A
24BC 0050C961 move.l #$050C961,(A2) ;TDS1002B
6076 bra.b $76(PC)
.org $50CAA2
24BC 0050C96A move.l #$050C96A,(A2) ;TDS1012B
606E bra.b $6E(PC)
.org $50CAAA
24BC 0050C973 move.l #$050C973,(A2) ;TDS1001B-SC
6066 bra.b $66(PC)
.org $50CAB2
24BC 0050C97F move.l #$050C97F,(A2) ;TDS1002B-SC
605E bra.b $5E(PC)
.org $50CABA
24BC 0050C98B move.l #$050C98B,(A2) ;TDS1012B-SC
6056 bra.b $56(PC)
.org $50CAC2
24BC 0050C997 move.l #$050C997,(A2) ;TDS2002C
604E bra.b $4E(PC)
.org $50CACA
24BC 0050C9A0 move.l #$050C9A0,(A2) ;TDS2012C
6046 bra.b $46(PC)
.org $50CAD2
24BC 0050C9A9 move.l #$050C9A9,(A2) ;TDS2022C
603E bra.b $3E(PC)
.org $50CADA
24BC 0050C9B2 move.l #$050C9B2,(A2) ;TDS2001C
6036 bra.b $36(PC)
.org $50CAE2
24BC 0050C9BB move.l #$050C9BB,(A2) ;TDS2004C
602E bra.b $2E(PC)
.org $50CAEA
24BC 0050C9C4 move.l #$050C9C4,(A2) ;TDS2014C
6026 bra.b $26(PC)
.org $50CAF2
24BC 0050C9CD move.l #$050C9CD,(A2) ;TDS2024C
601E bra.b $1E(PC)
.org $50CAFA
24BC 0050C9D6 move.l #$050C9D6,(A2) ;TDS1001C-SC
6016 bra.b $16(PC)
.org $50CB02
24BC 0050C9E2 move.l #$050C9E2,(A2) ;TDS1002C-SC
600E bra.b $0E(PC)
.org $50CB0A
24BC 0050C9EE move.l #$050C9EE,(A2) ;TDS1012C-SC
6006 bra.b $06(PC)
.org $50CB12
24BC 0050C7E9 move.l #$050C7E9,(A2) ;XYZZY (Interesting!)
--- End code ---
I have added the strings which the address points to as a comment for your convenience. So, now you can happily chance between model IDs. You're welcome!
Fieroluke:
There's an error in the previous post I think.
The checksum is from 0x7F0004 to 0x7F09F5. Make sure you select the correct region and your checksum routine calculates the same value that is at 0x7F0000-0x7F0003 before changing the buffer!
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version