The Tale of the TC2: Bricked Scopes and Reverse Engineering

Or: Why the FNIRSI TC2 Firmware Scene is the "Wild West" of Electronics

In the crowded market of cheap handheld oscilloscopes, the FNIRSI DSO-TC2 occupies a strange and fascinating niche. On the surface, it looks like a miracle of integration: a 2-in-1 device combining a digital oscilloscope and a transistor tester (similar to the famous TC1/T7 testers), all for a remarkably low price.

But beneath the plastic casing and the glowing screen lies a firmware story that reads like a drama series, filled with villainous bricking attempts, community revolt, and the triumph of open-source reverse engineering.

2. The Oscilloscope Side: A Minimalist Implementation

Where the component tester excels, the oscilloscope firmware reveals the device’s cost-cutting nature. The DSO-TC2 is marketed as a 2.5 MHz analog bandwidth scope with a 10 MSa/s sampling rate—adequate for audio frequencies and basic microcontroller debugging (e.g., checking PWM signals or I2C clock lines). The firmware manages the STM32’s ADC (analog-to-digital converter) and DMA (direct memory access) to capture waveforms, then renders them on the display.

However, the firmware’s limitations become apparent upon deeper use:

  • Triggering is rudimentary: Only edge triggering is available, with no support for pulse, video, or slope triggering. The firmware’s trigger logic is software-based, leading to noticeable latency and jitter.
  • Measurement cursors are basic: While horizontal and vertical cursors exist, automatic measurements (Vpp, frequency, duty cycle) are slow to update and often inaccurate at higher frequencies.
  • No persistence or math functions: Features like waveform persistence, FFT, or channel math are absent. The firmware shows only the live trace or a frozen capture.

These are not hardware limitations alone; they are deliberate firmware simplifications. The STM32F103 (or similar) inside the DSO-TC2 has enough power to implement basic digital triggering and averaging, but Fnirsi chose not to invest in the firmware development. Instead, the oscilloscope mode feels like a proof-of-concept—enough to claim “oscilloscope” on the box, but not enough for serious debugging.

Advanced: Recovering a Fully Bricked DSO-TC2

If the screen stays black and the PC doesn't recognize the USB port, you have a hard brick. You will need:

  • A USB to UART adapter (CP2102 or CH340, 3.3V logic).
  • Soldering iron (to access the serial pads inside the case).
  • The original bootloader .hex file.

Procedure: Open the case, locate the TX, RX, GND, and 3.3V pads. Connect the serial adapter, open STM32CubeProgrammer, and force the chip into bootloader mode by shorting BOOT0 to 3.3V while resetting. Then flash the original firmware. This is advanced; if you are not confident, send the device back to FNIRSI for repair (they often charge a small service fee).

Version History: What Each Firmware Update Fixed

FNIRSI is notoriously secretive about changelogs, but the community has tracked improvements. Here’s a timeline:

  • V1.0 (initial release) – Basic oscilloscope, inaccurate 1kHz square wave, component tester limited to 3 pins.
  • V1.2 (mid-2022) – Fixed voltage offset drift. Added auto-setup for scope.
  • V1.3 (late 2022) – Improved transistor tester for MOSFETs. Added battery percentage indicator.
  • V1.4 (early 2023)Major update: Signal generator now outputs sine/square/triangle up to 10MHz (previous was 1MHz). Fixed freeze when testing high-capacitance caps.
  • V1.5 (mid-2023) – Added logic analyzer threshold adjustment (1.8V/3.3V/5V). Improved screen brightness control.
  • V2.0 (2024)Complete UI overhaul. New measurement display, faster waveform capture, and support for external probes (1x/10x selection).
  • V2.1 (2025) – Minor bug fixes: resolved rare self-test failure, better SD card compatibility for screenshot saving.

If your device is on V1.3 or earlier, updating to V2.x is a game-changer.

3.2 Dumping Internal Flash

Command:

stm32flash -r internal_firmware.bin /dev/ttyACM0

Size: 1,048,576 bytes (verified checksum matches known update).

4.2 Calibration Data Location

Calibration constants (ADC offset, gain, probe attenuation) are stored in the last 4 KB of internal flash (sector 11). Modifying these could fix voltage inaccuracies.

Example offset (found via differential analysis after performing factory calibration):

  • Voltage divider ratio: 0x1A2B3C at offset 0x000FF800
  • Component tester threshold: 0x4E at offset 0x000FF810

7. Recommendations for FNIRSI

  1. Enable RDP level 1 in production firmware.
  2. Implement secure boot – check CRC/signature of external flash content.
  3. Provide official firmware updates with signed binaries and changelogs.
  4. Open-source the UI/frontend logic – community contributions would improve quality.

6.2 Negative: Malicious Use

A rogue firmware could:

  • Report false voltage (hide overvoltage)
  • Damage connected circuits by misconfiguring tester output
  • Install persistent backdoor via USB (if USB stack is present)

Analog.Cafe

A Film Photography Blog

Fnirsi Dso-tc2 Firmware Work -

The Tale of the TC2: Bricked Scopes and Reverse Engineering

Or: Why the FNIRSI TC2 Firmware Scene is the "Wild West" of Electronics

In the crowded market of cheap handheld oscilloscopes, the FNIRSI DSO-TC2 occupies a strange and fascinating niche. On the surface, it looks like a miracle of integration: a 2-in-1 device combining a digital oscilloscope and a transistor tester (similar to the famous TC1/T7 testers), all for a remarkably low price.

But beneath the plastic casing and the glowing screen lies a firmware story that reads like a drama series, filled with villainous bricking attempts, community revolt, and the triumph of open-source reverse engineering.

2. The Oscilloscope Side: A Minimalist Implementation

Where the component tester excels, the oscilloscope firmware reveals the device’s cost-cutting nature. The DSO-TC2 is marketed as a 2.5 MHz analog bandwidth scope with a 10 MSa/s sampling rate—adequate for audio frequencies and basic microcontroller debugging (e.g., checking PWM signals or I2C clock lines). The firmware manages the STM32’s ADC (analog-to-digital converter) and DMA (direct memory access) to capture waveforms, then renders them on the display. fnirsi dso-tc2 firmware

However, the firmware’s limitations become apparent upon deeper use:

  • Triggering is rudimentary: Only edge triggering is available, with no support for pulse, video, or slope triggering. The firmware’s trigger logic is software-based, leading to noticeable latency and jitter.
  • Measurement cursors are basic: While horizontal and vertical cursors exist, automatic measurements (Vpp, frequency, duty cycle) are slow to update and often inaccurate at higher frequencies.
  • No persistence or math functions: Features like waveform persistence, FFT, or channel math are absent. The firmware shows only the live trace or a frozen capture.

These are not hardware limitations alone; they are deliberate firmware simplifications. The STM32F103 (or similar) inside the DSO-TC2 has enough power to implement basic digital triggering and averaging, but Fnirsi chose not to invest in the firmware development. Instead, the oscilloscope mode feels like a proof-of-concept—enough to claim “oscilloscope” on the box, but not enough for serious debugging.

Advanced: Recovering a Fully Bricked DSO-TC2

If the screen stays black and the PC doesn't recognize the USB port, you have a hard brick. You will need: The Tale of the TC2: Bricked Scopes and

  • A USB to UART adapter (CP2102 or CH340, 3.3V logic).
  • Soldering iron (to access the serial pads inside the case).
  • The original bootloader .hex file.

Procedure: Open the case, locate the TX, RX, GND, and 3.3V pads. Connect the serial adapter, open STM32CubeProgrammer, and force the chip into bootloader mode by shorting BOOT0 to 3.3V while resetting. Then flash the original firmware. This is advanced; if you are not confident, send the device back to FNIRSI for repair (they often charge a small service fee).

Version History: What Each Firmware Update Fixed

FNIRSI is notoriously secretive about changelogs, but the community has tracked improvements. Here’s a timeline:

  • V1.0 (initial release) – Basic oscilloscope, inaccurate 1kHz square wave, component tester limited to 3 pins.
  • V1.2 (mid-2022) – Fixed voltage offset drift. Added auto-setup for scope.
  • V1.3 (late 2022) – Improved transistor tester for MOSFETs. Added battery percentage indicator.
  • V1.4 (early 2023)Major update: Signal generator now outputs sine/square/triangle up to 10MHz (previous was 1MHz). Fixed freeze when testing high-capacitance caps.
  • V1.5 (mid-2023) – Added logic analyzer threshold adjustment (1.8V/3.3V/5V). Improved screen brightness control.
  • V2.0 (2024)Complete UI overhaul. New measurement display, faster waveform capture, and support for external probes (1x/10x selection).
  • V2.1 (2025) – Minor bug fixes: resolved rare self-test failure, better SD card compatibility for screenshot saving.

If your device is on V1.3 or earlier, updating to V2.x is a game-changer. Triggering is rudimentary : Only edge triggering is

3.2 Dumping Internal Flash

Command:

stm32flash -r internal_firmware.bin /dev/ttyACM0

Size: 1,048,576 bytes (verified checksum matches known update).

4.2 Calibration Data Location

Calibration constants (ADC offset, gain, probe attenuation) are stored in the last 4 KB of internal flash (sector 11). Modifying these could fix voltage inaccuracies.

Example offset (found via differential analysis after performing factory calibration):

  • Voltage divider ratio: 0x1A2B3C at offset 0x000FF800
  • Component tester threshold: 0x4E at offset 0x000FF810

7. Recommendations for FNIRSI

  1. Enable RDP level 1 in production firmware.
  2. Implement secure boot – check CRC/signature of external flash content.
  3. Provide official firmware updates with signed binaries and changelogs.
  4. Open-source the UI/frontend logic – community contributions would improve quality.

6.2 Negative: Malicious Use

A rogue firmware could:

  • Report false voltage (hide overvoltage)
  • Damage connected circuits by misconfiguring tester output
  • Install persistent backdoor via USB (if USB stack is present)

About Submissions Comments Apps & Downloads Books Photo Essays Shop
Terms Privacy Cookies Disclaimer AUP Affiliate Disclosure Privacy Tools
RSS Feedly Mastodon Flipboard Instagram Threads Bluesky YouTube

v3.32.43

© 2026 — Cameron Vault