Author Topic: Tektronix TDS1000B and TDS2000B series hacks  (Read 62687 times)


Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #100 on: September 10, 2022, 05:51:17 am »
unfortunately this didn't work for me.  scope doesn't boot.

i had verified the data buffer twice before programming.  no issues with soldering

product id programmed is 0x0B (for TDS2022B). 

if for some reason the checksum isn't correct, will the scope boot?
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #101 on: September 10, 2022, 05:55:21 am »
pics of soldering Flash after reprogramming
 

Offline DogP

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #102 on: September 11, 2022, 05:25:26 am »
I haven't personally done a firmware upgrade (mine is already a 2024B), so I don't have any personal experience... but looking at the picture, the soldering on pin 2 in particular looks suspect.  The pad of pin 1 and/or pin 2 looks like it might be lifted as well (or maybe it's just the solder that makes it look crooked).

I guess you could try removing the chip again, reflashing to the stock, and making sure it still works... though of course the pins and pads are delicate, so I'd only try that if you think they're in good enough shape to hold up to the extra soldering cycles.

DogP
« Last Edit: September 11, 2022, 05:30:38 am by DogP »
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #103 on: September 12, 2022, 03:58:08 am »
hi,

i did notice that, and did some touching up with no success.

i could see some waveforms on it when probed with another scope, which means some bus activity happened in the past.

nevertheless will check again.  the two pins are from address bus.  if there is activity on these, it means they are connected
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #104 on: September 12, 2022, 07:03:14 am »
checked with DMM, these are not shorted.

just after power on, there is a  bus activity on these for few seconds.

this means they are connected and main processor is accessing active.

something else is not correct.

Will give a last attempt of removing rom.  Else there is a possibility of losing some pads thus making board of no use
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #105 on: September 12, 2022, 04:43:08 pm »
hi

as per python script, there are two different IDs for TDS 2022B

0x0D and 0x10

what is the difference between two?
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #106 on: September 13, 2022, 02:07:37 pm »
i noticed Firmware version is 22.01 .

could that be the reason for the hack not working
 

Offline BG9ICN

  • Newbie
  • Posts: 6
  • Country: cn
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #107 on: September 15, 2022, 03:59:29 pm »
Try to flash back the read-out version.
And check what you changed. If you change another block, the system doesn't start up.
Two TDS2022, one is 1GSa/s, the other is 2GSa/s.
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #108 on: September 16, 2022, 01:49:00 pm »
i flashed back the original FW and re soldered.  its still not booting.

there is activity on data bus for few seconds and then it gives up.   further the probe compensation signal is at 5 kHz.

it seems either the flash is faulty or it was not properly read during the first instance.  Though, before saving the original ROM, i read it 3 to 4 times.  Every time check sum was same.

Also noticed that when i remove the flash from board and try to compare it with image ( i copied into) there is a small variation in the check sum between flash contents and image file.  it seems that some content changed either by scope or due to faulty flash.

had checked with another working unit.  There is no signal if flash is missing.  soon after power up, it is at 5 kHz, then as it boots up, it changes on to finally at 1 kHz.  as per service manual 1 kHz means booting is okay.

now need to get a confirmed working flash from another scope to troubleshoot further.
 

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #109 on: September 18, 2022, 06:38:57 pm »
You could get the bin file from http://www.ko4bb.com/ (search TDS1001C) and see if that works?
Sounds like your flash is damaged or the initial readout failed? Using the file from KO4BB might help…
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #110 on: September 19, 2022, 06:29:58 am »
thanks but i need file for 2 channel B model

C model file may not work
 

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #111 on: September 28, 2022, 04:24:12 pm »
I report success changing a TDS2001C (50 MHz / 500 MS/s) to TDS2022B (200 MHz / 2 GS/s)!

The firmware installed was v24.09. The board seemed the same, Flash was also 8M Spansion S29JL064H so I bit the bullet. The model ID is 0x1D, same address 0x7F0007.

Since I’m not a Python person I patched directly in the EPROM editor. Filters also started at 0xF700B6, all 05’s in the first block, 05’s and 06’s in second block. Changed them to 0x0F.

Checksum is 0x7F0004 to 7F09F9. My programmer (Galep5) could calculate that, so I transferred the new checksum to 0x7F0000.

First boot took longer than usual and I thought I killed the board, but then the boot screen reported as 2022B with self cal failure. Self calibrated, and voilà: personality change! Strangely the firmware now identifies as v24.26, even though it’s 24.09 that I changed. I don’t know how Tek calculates revision numbers.

But bandwidth reports 200 MHz, timebase goes down to 2.5 ns. Don’t know where else to check, but it seems to be working!

P.S.: Maybe someone wants to update the python script…
« Last Edit: September 28, 2022, 04:35:03 pm by Fieroluke »
 
The following users thanked this post: lern01

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #112 on: September 29, 2022, 06:25:01 pm »
Interesting information:

Tek says the difference between the B and C series https://www.tek.com/-/media/documents/faq6520.pdf is basically a bit more bandwidth for the low end models, a better TFT and a few more Measure and Utility entries, RMS, duty cycle and others.

After setting the model code to TDS2022B the big question is: does the scope still have the C-series firmware’s features?
The answer is YES, the measure menu now contains all the new entries! So (not owning a 2022B model) apparently v22.16 seems to be the latest firmware for the 2022B, but changing a 2001C to 2022B takes it to v24.26! So maybe Tek just blocked the firmware from loading on older hardware?! Maybe just setting the 2022B’s model code to 0x1D will let you update to v24.09, and then resetting the model code magically transforms the v24.09 to v24.26…?

And ideally if we knew the model code for the TDS2022C (probably between 0x15 and 0x27), we could change any 2000C model directly to 2022C…
« Last Edit: September 30, 2022, 06:00:40 pm by Fieroluke »
 
The following users thanked this post: vishaldotgupta

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #113 on: October 04, 2022, 01:22:19 pm »
hi,

this is really interesting to note.

there is a hardware difference between B and C series.  B series display is CCFL type and C is of LED type.  Apart from this C series has a small interface board (with FPGA and led driver) between display and connector on motherboard and actual display.

i had once tried to connect the LED display from C series (along with interface board) to B series but it doesn't work.  which means the data from motherboard is different.

so i wonder how come the updated b series is now able to drive a LED board?  or this could also mean there was a revision in board for B (supporting LED display) as well and the new FW supports B series models as well

for my board i need a bin file of 2 channel B series model
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #114 on: October 04, 2022, 01:30:03 pm »
just to add here.

the fw file have an extension *.tek

C series FW file should not work unless it is renamed and "C" at the end is replaced by "B"

i did an experiment today.  for a C model used a FW file of B model (after replacing C with B)

at the end scope said fw update done, press ok.  the screen went blank and the scope got bricked.

fortunately i have kept a copy of original ROM to restore it back
 

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #115 on: October 04, 2022, 02:37:05 pm »
Don't use the *.TEK files, they don't work. I'm sure they have a block in there.

Unsolder your Flash, read it, and modify it by running the Python script (or manually like I did), then solder it back.

That way it's YOUR firmware, just a different model ID in the firmware.

Apparently the firmware uses the same base software, which switches features based on model ID, and maybe a driver portion, that is custom to the B and C series.
Impossible to know without comparing firmwares. Anyway, modifying this ID byte in YOUR SCOPE's firmware removes the limitations in the base firmware and also changes the model ID string associated with it, but keeps the drivers for the ModelB or C series. That would explain it.

This is a list from inside the C-Firmware that lists all supported models I guess (I don't know what the -SC models are (school = EDU?)):
TDS2002B 0x0D
TDS2012B 0x0E
TDS2022B 0x0B
TDS2004B 0x14
TDS2014B 0x0F
TDS2024B 0x0C
TDS2022B_1G 0x10
TDS1001B 0x13
TDS1002B 0x11
TDS1012B 0x12
TDS1001B-SC 0x15
TDS1002B-SC 0x16
TDS1012B-SC 0x17
TDS2002C 0x1A
TDS2012C 0x1B
TDS2022C 0x18
TDS2001C 0x1D
TDS2004C 0x1E
TDS2014C 0x1C
TDS2024C 0x19
TDS1001C-SC 0x1F
TDS1002C-SC 0x20
TDS1012C-SC 0x21

Note there’s no apparent order in this list. Ordering by known IDs it seems the “full” version 2024B starts the list, then the most limited 50 MHz 2002B, then 100MHz 2012B, 2014B, next sample limited 200MHz 2022B. Next up are the monochrome versions, but in random order. And at the end of the list come the C models.

It looks like the order was determined by chronological order and marketing department, lol.

[edited: updated model IDs according to my findings later in this thread]
« Last Edit: March 25, 2023, 09:59:50 am by Fieroluke »
 

Offline vishaldotgupta

  • Contributor
  • Posts: 49
  • Country: in
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #116 on: October 12, 2022, 05:12:33 am »
success finally.

i used a stock fw from C series 4 channel and replaced the cal data from my original unit.

The unit now boots up with model TDS2022B, shows 16 measurements as stated in C model and now supports led type display from C model.

Thanks everyone for support
 

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #117 on: October 12, 2022, 06:33:59 am »
Awesome news, congratulations!
 

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #118 on: February 10, 2023, 05:00:17 pm »
I dug a little deeper into my dumped ROM and I think I deciphered the model code list. The relevant code starts at ROM-Offset 0x30C9FA / address $50C9FA:

(this is disassembled by hand, but you get the idea. Use the info below at your own risk!)

Code:
.org $50C9FA
4E56 0000   link A6,#0              ;set up stack frame
2F0A        move.l A2,-(SP)         ;save A2 (opcode 2F0A encodes A2)
246E 0008   movea.l 8(A6),A2        ;load first stack argument into A2 (the handlers below store through it)
6100 02F8   bsr $2F8(PC)            ;get device ID $50CCFE: CAL_get_instrument_config()
72F5        moveq.l #$F5,D1         ;-0x0B
D081        add.l D1,D0             ;subtract offset for first ID code
7216        moveq.l #$16,D1         ;index 22 is last entry in table
B280        cmp.l D0,D1             ;check overflow (computes D1 - D0, unsigned)
6500 0100   bcs $100(PC)            ;branch on error, lands at $50CB12

D080        add.l D0,D0             ;double D0 for table index, because we're addressing words
303B 0806   move.w 6(D0,PC),D0      ;get jump offset word from table
4EFB 0002   jmp 2(PC,D0)            ;jump to model code

So, this part gets a jump offset from the jump table immediately following the code. This jump table determines where to continue the code depending on the model ID. 0x0B is the first model ID and is the first table entry:

Code:
.org $50CA1E
dc.w $42 ;$50CA60 - TDS2022B $0B
dc.w $60 ;$50CA7E - TDS2024B $0C
dc.w $2E ;$50CA4C - TDS2002B $0D
dc.w $38 ;$50CA56 - TDS2012B $0E
dc.w $56 ;$50CA74 - TDS2014B $0F
dc.w $6A ;$50CA88 - TDS2022B_1G $10
dc.w $7C ;$50CA9A - TDS1002B $11
dc.w $84 ;$50CAA2 - TDS1012B $12
dc.w $74 ;$50CA92 - TDS1001B $13
dc.w $4C ;$50CA6A - TDS2004B $14
dc.w $8C ;$50CAAA - TDS1001B-SC $15
dc.w $94 ;$50CAB2 - TDS1002B-SC $16
dc.w $9C ;$50CABA - TDS1012B-SC $17
dc.w $B4 ;$50CAD2 - TDS2022C $18
dc.w $D4 ;$50CAF2 - TDS2024C $19
dc.w $A4 ;$50CAC2 - TDS2002C $1A
dc.w $AC ;$50CACA - TDS2012C $1B
dc.w $CC ;$50CAEA - TDS2014C $1C
dc.w $BC ;$50CADA - TDS2001C $1D
dc.w $C4 ;$50CAE2 - TDS2004C $1E
dc.w $DC ;$50CAFA - TDS1001C-SC $1F
dc.w $E4 ;$50CB02 - TDS1002C-SC $20
dc.w $EC ;$50CB0A - TDS1012C-SC $21

So, this jumptable jumps to the following code, which loads the model ID from a nearby string table:

Code:
.org $50CA4C
24BC 0050C916 move.l #$050C916,(A2) ;TDS2002B
6000 00C4 bra.w $C4(PC)

.org $50CA56
24BC 0050C91F move.l #$050C91F,(A2) ;TDS2012B
6000 00BA bra.w $BA(PC)

.org $50CA60
24BC 0050C928 move.l #$050C928,(A2) ;TDS2022B
6000 00B0 bra.w $B0(PC)

.org $50CA6A
24BC 0050C931 move.l #$050C931,(A2) ;TDS2004B
6000 00A6 bra.w $A6(PC)

.org $50CA74
24BC 0050C93A move.l #$050C93A,(A2) ;TDS2014B
6000 009C bra.w $9C(PC)

.org $50CA7E
24BC 0050C943 move.l #$050C943,(A2) ;TDS2024B
6000 0092 bra.w $92(PC)

.org $50CA88
24BC 0050C94C move.l #$050C94C,(A2) ;TDS2022B_1G
6000 0088 bra.w $88(PC)

.org $50CA92
24BC 0050C958 move.l #$050C958,(A2) ;TDS1001B
607E bra.b $7E(PC)

.org $50CA9A
24BC 0050C961 move.l #$050C961,(A2) ;TDS1002B
6076 bra.b $76(PC)

.org $50CAA2
24BC 0050C96A move.l #$050C96A,(A2) ;TDS1012B
606E bra.b $6E(PC)

.org $50CAAA
24BC 0050C973 move.l #$050C973,(A2) ;TDS1001B-SC
6066 bra.b $66(PC)

.org $50CAB2
24BC 0050C97F move.l #$050C97F,(A2) ;TDS1002B-SC
605E bra.b $5E(PC)

.org $50CABA
24BC 0050C98B move.l #$050C98B,(A2) ;TDS1012B-SC
6056 bra.b $56(PC)

.org $50CAC2
24BC 0050C997 move.l #$050C997,(A2) ;TDS2002C
604E bra.b $4E(PC)

.org $50CACA
24BC 0050C9A0 move.l #$050C9A0,(A2) ;TDS2012C
6046 bra.b $46(PC)

.org $50CAD2
24BC 0050C9A9 move.l #$050C9A9,(A2) ;TDS2022C
603E bra.b $3E(PC)

.org $50CADA
24BC 0050C9B2 move.l #$050C9B2,(A2) ;TDS2001C
6036 bra.b $36(PC)

.org $50CAE2
24BC 0050C9BB move.l #$050C9BB,(A2) ;TDS2004C
602E bra.b $2E(PC)

.org $50CAEA
24BC 0050C9C4 move.l #$050C9C4,(A2) ;TDS2014C
6026 bra.b $26(PC)

.org $50CAF2
24BC 0050C9CD move.l #$050C9CD,(A2) ;TDS2024C
601E bra.b $1E(PC)

.org $50CAFA
24BC 0050C9D6 move.l #$050C9D6,(A2) ;TDS1001C-SC
6016 bra.b $16(PC)

.org $50CB02
24BC 0050C9E2 move.l #$050C9E2,(A2) ;TDS1002C-SC
600E bra.b $0E(PC)

.org $50CB0A
24BC 0050C9EE move.l #$050C9EE,(A2) ;TDS1012C-SC
6006 bra.b $06(PC)

.org $50CB12
24BC 0050C7E9 move.l #$050C7E9,(A2) ;XYZZY (Interesting!)


I have added the strings which the address points to as a comment for your convenience. So, now you can happily change between model IDs. You're welcome!
« Last Edit: March 08, 2023, 02:39:27 pm by Fieroluke »
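
The dispatch logic disassembled in reply #118, re-expressed in Python as an added example (not part of Fieroluke's post or of the thread's patch script). All constants are copied from that post; the handler sizes (10 bytes for the bra.w entries, 8 bytes for the bra.b ones) are read off its .org addresses.

```python
import struct

TABLE_BASE = 0x50CA1E   # offset table address, also the base used by the jmp
FIRST_ID = 0x0B         # subtracted from the ID before indexing
LAST_INDEX = 0x16       # highest valid table index (22)
FALLBACK = 0x50CB12     # out-of-range branch target ("XYZZY" handler)

# The 23 offset words from the post, typed in as big-endian bytes
# (constructed here for the example, not read from a ROM dump).
TABLE_BYTES = bytes.fromhex(
    "0042 0060 002E 0038 0056 006A 007C 0084 0074 004C 008C 0094 "
    "009C 00B4 00D4 00A4 00AC 00CC 00BC 00C4 00DC 00E4 00EC")

# Handler strings in address order, as commented in the post.
NAMES = ("TDS2002B TDS2012B TDS2022B TDS2004B TDS2014B TDS2024B TDS2022B_1G "
         "TDS1001B TDS1002B TDS1012B TDS1001B-SC TDS1002B-SC TDS1012B-SC "
         "TDS2002C TDS2012C TDS2022C TDS2001C TDS2004C TDS2014C TDS2024C "
         "TDS1001C-SC TDS1002C-SC TDS1012C-SC").split()


def handler_map():
    """Rebuild handler address -> model string from the instruction sizes."""
    addr = TABLE_BASE + len(TABLE_BYTES)   # handlers start right after the table
    handlers = {}
    for i, name in enumerate(NAMES):
        handlers[addr] = name
        addr += 10 if i < 7 else 8         # move.l + bra.w, then move.l + bra.b
    if addr != FALLBACK:
        raise ValueError("handler layout does not end at the fallback address")
    handlers[FALLBACK] = "XYZZY"
    return handlers


def resolve(model_id):
    """Return (handler address, model string) the dispatcher selects for an ID."""
    offsets = struct.unpack(">%dH" % (len(TABLE_BYTES) // 2), TABLE_BYTES)
    index = (model_id - FIRST_ID) & 0xFFFFFFFF   # add.l wraps at 32 bits
    if index > LAST_INDEX:                       # unsigned compare, as bcs does
        target = FALLBACK
    else:
        target = TABLE_BASE + offsets[index]
    return target, handler_map()[target]


def id_table():
    """Model ID -> model string for every entry in the table."""
    return {FIRST_ID + i: resolve(FIRST_ID + i)[1] for i in range(LAST_INDEX + 1)}


if __name__ == "__main__":
    for model_id, name in sorted(id_table().items()):
        print("0x%02X %s" % (model_id, name))
    print("0x0A ->", resolve(0x0A))   # below the first ID: wraps, takes the fallback
```

Because the bounds check is unsigned, IDs below 0x0B wrap to a very large index and take the same fallback path as IDs above 0x21.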
 

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #119 on: February 10, 2023, 05:28:07 pm »
There's an error in the previous post I think.

The checksum is from 0x7F0004 to 0x7F09F5. Make sure you select the correct region and your checksum routine calculates the same value that is at 0x7F0000-0x7F0003 before changing the buffer!
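
A check for the two failure modes that come up in this thread (a readback that differs from the image, and edits landing outside the intended block), as an added example that is not part of the thread's Python script. It does not compute the checksum, whose algorithm is not given here; the 8 MiB image size, the sample bytes and the function names are assumptions made for the example.

```python
FLASH_SIZE = 8 * 1024 * 1024            # assumed size of the 8M flash image
CHECKSUM_FIELD = (0x7F0000, 0x7F0003)   # stored checksum, per reply #119
MODEL_ID = (0x7F0007, 0x7F0007)         # model ID byte, per reply #111


def changed_offsets(a, b, chunk=4096):
    """Offsets at which two equally sized images differ."""
    if len(a) != len(b):
        raise ValueError("image sizes differ: %d vs %d" % (len(a), len(b)))
    out = []
    for base in range(0, len(a), chunk):
        ca, cb = a[base:base + chunk], b[base:base + chunk]
        if ca != cb:                      # only walk chunks that actually differ
            out.extend(base + i for i, (x, y) in enumerate(zip(ca, cb)) if x != y)
    return out


def group(offsets):
    """Collapse sorted offsets into inclusive (start, end) ranges."""
    ranges = []
    for o in offsets:
        if ranges and o == ranges[-1][1] + 1:
            ranges[-1][1] = o
        else:
            ranges.append([o, o])
    return [tuple(r) for r in ranges]


def audit_patch(original, patched, allowed=(CHECKSUM_FIELD, MODEL_ID)):
    """Report every changed range and those outside the allowed ranges.

    Use it for original vs. patched before writing, and for the written
    image vs. a fresh readback (allowed=()) after writing.
    """
    diffs = changed_offsets(original, patched)
    stray = [o for o in diffs if not any(lo <= o <= hi for lo, hi in allowed)]
    return {"changed": group(diffs), "unexpected": group(stray)}


def demo():
    """Constructed images: one clean ID change, one with a stray bit flip."""
    original = bytearray(b"\xff" * FLASH_SIZE)
    original[0x7F0007] = 0x1D
    patched = bytearray(original)
    patched[0x7F0007] = 0x0B
    patched[0x7F0000:0x7F0004] = b"\x12\x34\x56\x78"   # placeholder checksum bytes
    clean = audit_patch(bytes(original), bytes(patched))
    patched[0x300000] ^= 0x01                           # simulated bad cell or write
    dirty = audit_patch(bytes(original), bytes(patched))
    return clean, dirty


if __name__ == "__main__":
    for report in demo():
        print(report)
```

If other bytes are edited on purpose, such as the filter entries mentioned in reply #111, pass their ranges in `allowed` so that only unintended differences are reported.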
 

Offline TheKellerman

  • Newbie
  • Posts: 9
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #120 on: February 16, 2023, 04:47:18 pm »
Hi,

success finally.

i used a stock fw from C series 4 channel and replaced the cal data from my original unit.

The unit now boots up with model TDS2022B, shows 16 measurements as stated in C model and now supports led type display from C model.

Thanks everyone for support

By "stock fw" you mean a flash dump from a working unit, right? And is the "original unit" a TDS2000B series?

I got a TDS2014B with (probably) corrupted FW. At least it shows the typical symptoms, meaning the three green LEDs. I already desoldered the flash and read it out.
My expectations were to see mostly 0xFF, but there is nothing obviously wrong in there. So maybe an update was interrupted just before the finish line?

Is it possible to take the TDS1001C FW from ko4bb.com and put my cal data in there? Or does someone maybe have a readout from a 2000B series unit?   
 

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #121 on: February 24, 2023, 04:02:02 pm »
Success again!

Changed my TDS2001C from TDS2022B (ID $0B) to TDS2022C (ID $18)

 

Offline 66bono

  • Contributor
  • Posts: 10
  • Country: pl
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #122 on: February 24, 2023, 07:37:49 pm »
@Use the Python script to patch the image
How do I use the script, paste on USB and update. I have no idea, I made a copy of U 801 :) |O
« Last Edit: March 01, 2023, 09:04:22 am by 66bono »
 

Offline TheKellerman

  • Newbie
  • Posts: 9
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #123 on: February 24, 2023, 09:42:06 pm »
Install python 2.7. and run
Code:
python patch2.py rom.bin
This worked for me (I haven't tried the updated python3 script). Then write the flash the same way you read it. You can't put the update on a USB stick.

Edit:
I now see you have a TDS1001B and the patch2.py does not include that in the model check. To which model do you want to update your scope?
« Last Edit: February 24, 2023, 10:02:40 pm by TheKellerman »
 

Offline Fieroluke

  • Contributor
  • Posts: 21
  • Country: de
Re: Tektronix TDS1000B and TDS2000B series hacks
« Reply #124 on: February 25, 2023, 08:36:21 am »
If the scope is a TDS1001B it should be model ID $13 at $7F0007.

Changing it to $12 should result in a TDS1012B, which should be all that’s possible upgradewise.
 

