Or: Why the FNIRSI TC2 Firmware Scene is the "Wild West" of Electronics
In the crowded market of cheap handheld oscilloscopes, the FNIRSI DSO-TC2 occupies a strange and fascinating niche. On the surface, it looks like a miracle of integration: a 2-in-1 device combining a digital oscilloscope and a transistor tester (similar to the famous TC1/T7 testers), all for a remarkably low price.
But beneath the plastic casing and the glowing screen lies a firmware story that reads like a drama series, filled with villainous bricking attempts, community revolt, and the triumph of open-source reverse engineering.
The PCB exposes SWDIO and SWCLK pads (unpopulated header). Using a J-Link or ST-Link, we connected: fnirsi dso-tc2 firmware
| Pad | Signal | |------|--------| | VCC | 3.3V | | SWDIO| Data | | SWCLK| Clock | | GND | Ground |
Result: The MCU has no Read-Out Protection (RDP) enabled (RDP level 0). This allows full read via STM32CubeProgrammer.
Calibration constants (ADC offset, gain, probe attenuation) are stored in the last 4 KB of internal flash (sector 11). Modifying these could fix voltage inaccuracies. Or: Why the FNIRSI TC2 Firmware Scene is
Example offset (found via differential analysis after performing factory calibration):
The SPI flash is not protected either. Using a Bus Pirate or dedicated programmer:
Contents: Framebuffer tiles, calibration tables, and strings. Contents: Framebuffer tiles, calibration tables, and strings
We changed the startup logo by replacing the compressed bitmap in external SPI flash:
Result: Device boots with custom logo, no checksum failure.