I see the comment ;) Well we are not jailbreaking the new iPhone herein with all the possible and impossible protection switched on ;))
Well, we can start it in a few ways.
by using the real-time INVASM with the logic analyzer: connect the probes to the CPU address/data/control. The first is to set the breakpoint at the DAC and CD4051 multiplexer register decode and trace this to the rouine executable. We have to make sure, that the routine in question doesn't run from RAM but from the ROM. The instruction fetch will be identified as well as the area where it was called from. Then we have to trace back the stack and find our from where the I/O routine which controls the DAC was called. This method is called "bottom up HW signature".
by using IDA disassembler. We have to find a symbol data in the code and the references linking the DAC/ADC comparator and 4051 multiplexer select (at the low level) with the high level message labels reading LIMIT, CAL0x and the step number. This method is called "top down symbol search".
There is a 3rd one, but it will require the ROM emulator upfront, where the modified ROM code can be placed (however the checksum routing must be identified and disabled first).
To me, the 1st or the 2nd method would require around 10-20 hours to understand the FW code structure. More detailed analysis, however, likely require some testing.
However, I do hope, that Tek guys have placed some hooks in their code or they write to the CPU BUS connected device to display more detailed data. For example, by how much one of the parameters is off. Likely such a discovery can be made by looking at the TEK code.