
New software-only method to extract 11801 or CSA803 series SRAM and other memory locations

junk@...
 

Hi all,

I just finished extracting the contents of the battery backed SRAM on my 11801B using a software-only approach. The method is a little hacky right now, but with some effort an automated tool could probably be created to extract this or any other memory without cracking open the case. This is possible by using the somewhat hidden low-level debugging feature built into the extended diagnostics mode. With some effort, it can be made to read back arbitrary memory addresses.

Here's the proof of concept:
1. Navigate to the Extended Diagnostics Menu (Utility->Enhanced Accuracy->Utility2->Extended Diagnostics)
2. Enable the debugger option - Press Waveform 5 times and then Touch Panel On/Off
3. Reactivate the touch panel by pressing Touch Panel On/Off again
4. Touch the subsystem you want to work with (eg: Time Base for the SRAM)
5. Touch the Debugger button
6. The top of the screen should now say "Time Base Low-Level Hardware Debugger". Be very careful here as you can read/write any address and mess things up if you're not careful. Take a look at page 52 of this document (http://w140.com/tekwiki/images/5/54/Tek_11801_11802_SM11_diagnostics.pdf) to familiarize yourself with the debugger.
7. To read a memory location ensure that operation is set to "Read", the starting address is set (eg: 1FFF6), Show Read is set to "Yes", and the desired read length is set (eg: 4 or 100, etc.). Then press Test.
8. This will execute the read as specified and present a hex dump of the results. On my scope a read at 1FFF6 of length 4 gives "DE BC FF BF".
9. Press Exit to exit the debugger (the following step will not work as written if you're not back on the Extended Diagnostics screen).
10. Here's where it gets interesting... We can read arbitrary memory locations, but the results only appear on the screen. To fix this, connect a serial cable to the RS 232 port on the back of the scope and start up a terminal emulator program on your computer. Use 9600 baud, 8N1.
11. Once the serial connection is active, ensure the terminal emulator has keyboard focus and press shift-T (eg: capital T) on your keyboard. The 11801 screen should go blank and you should now see a menu in the serial terminal. We're in...
12. You can control the system by using the letters listed in parentheses by each button (eg: D for debugger). Note that capitalization is important.
13. Press capital T again at any time to escape serial mode and re-enable the 11801 screen. Check out page 61 in the Tek diagnostics PDF I linked above for more details on the serial mode including how to bump your connection to a blistering 38400 baud.
14. Okay, time to dump some memory. Using the serial interface, activate the debugger (D), set the address to the start address and the length as you wish. This process is very slow so choose a smaller length at first. (Note: I believe the battery backed SRAM starts at 10000 and runs to 1FFFF)
15. Before you start the dump by hitting Test (T), enable the feature in your PC serial program that saves to file. This will log the results of the dump. Now hit T to initiate the process.
16. Once the dump is complete, stop the serial logging and save the log file. You can also exit serial mode on the scope (T) at this time.
17. Unfortunately, the file you dumped will be full of POSIX terminal emulator commands and many repetitions of the dumped data. We need to post process all of this garbage out to make a usable dump.
18. I wrote a very basic dump cleanup tool in Python that you can get here: (https://pastebin.com/mSnastcj). It takes the above dump filename as a parameter and spits out a cleaned binary file that should work with any hex editor. This binary file directly corresponds to the range of memory you dumped. Please note I have done only very minimal testing on this program.

I hope this is interesting and I look forward to seeing what others do with this new capability.

David
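
The cleanup described in steps 17 and 18, sketched as an added example; this is not the pastebin tool from the post. The row layout (hex address, colon, space-separated byte pairs) and every sample byte after DE BC FF BF are assumptions, since the thread does not show the raw debugger output.

```python
import re

# CSI sequences (ESC [ params final-byte), then any other two-character ESC sequence.
ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b.")
# ASSUMED row layout: hex address, colon, then space-separated hex byte pairs.
ROW_RE = re.compile(r"\b([0-9A-Fa-f]{4,6}):((?:[ \t]+[0-9A-Fa-f]{2}\b)+)")

# Constructed sample log: a title line, one row split by an escape sequence,
# the same row repeated after a screen redraw, and a second row.
SAMPLE_LOG = (
    "\x1b[2J\x1b[1;1HTime Base Low-Level Hardware Debugger\r\n"
    "\x1b[5;1H1FFF6: DE BC\x1b[0m FF BF\r\n"
    "\x1b[2J\x1b[5;1H1FFF6: DE BC FF BF\r\n"
    "\x1b[6;1H1FFFA: 00 11 22 33\r\n"
)


def clean_dump(log_text, start, length):
    """Rebuild `length` bytes starting at `start` from a raw terminal log.

    Returns (data, missing); `missing` lists addresses that never appeared,
    so a truncated capture is reported instead of silently padded.
    """
    # Replace escapes with a space so neighbouring tokens do not fuse together.
    text = ANSI_RE.sub(" ", log_text)
    seen = {}
    for match in ROW_RE.finditer(text):
        addr = int(match.group(1), 16)
        for offset, pair in enumerate(match.group(2).split()):
            # Redraws repeat rows; keying by address collapses the duplicates.
            seen[addr + offset] = int(pair, 16)
    wanted = range(start, start + length)
    missing = [a for a in wanted if a not in seen]
    # Addresses absent from the log are filled with 0xFF in the output image.
    data = bytes(seen.get(a, 0xFF) for a in wanted)
    return data, missing


if __name__ == "__main__":
    image, gaps = clean_dump(SAMPLE_LOG, 0x1FFF6, 8)
    print(image.hex(" ").upper())
    print("missing addresses:", [f"{a:05X}" for a in gaps])
```

Check that `missing` is empty before trusting the image; if it is not, repeat the read for just those addresses.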

Albert Otten
 

Thanks for this useful info David!
I have done the steps up to 9 in the past but so far judged it impossible to get the output in my pc. I bought a universal programmer to read/write the SRAM and that brings more risk of damage.

Albert

Ragnar S
 

Hi,

Thanks a lot for this information!

Did you ever find out if 10000 .. 1FFFF actually is the NVRAMs on the A5 board (U500 and U511)?

Ragnar

Reginald Beardsley
 

Yes, it's stated in the service manual.

Reg