Re: A83: Patching the Ti83+ ROM?







At 20:53 2001-01-27, you wrote:

>The problem is that things are simpler on the 83 Plus, and thus it's harder
>to find a loophole (or maybe that's just 83 Plus programmers' excuses for
>why they haven't found one yet ;).  Every time the Flash is unlocked,
>interrupts are disabled, and IM 1 is set (which rules out just about all of
>the "sneaky" stuff you can do on a Z80).  There are no external calls which
>can be trapped, except small routines that are loaded to RAM, and it makes
>sure that a RAM page is loaded, and not a ROM page, so so much for that...
>All the routines that unlock Flash relock it before they return.  Anyhow, if
>anyone wants to look, they can feel free to do so, all of the Flash stuff is
>contained on pages 1Ch, 1Dh and 1Fh.  An example of the unlock code can be
>found at address 4000h on page 1Dh.
>
>-Dan Englender

When looking for a loophole, it isn't as interesting to look at where the calc 
unlocks it (these routines are often very well protected) as it is to know 
exactly how the calc unlocks, and what the criteria are for a successful 
unlock.
The first way found to unlock the 89 was to jump to a text string in 
ROM space that just happened to do the right things (three reads from the 
right address (an instruction fetch is enough; probably the TI OS coders 
didn't think of this, or they just forgot to check their data), and then a 
write), and then generate an illegal instruction or address error or 
something like that.
Not the first thing to think of, if you are not a mad hacker :)
But of course, the simpler the processor, the fewer things there are to think 
of and prevent...
And with the paged memory of the 83+, it is probably even easier to 
implement a waterproof protection.
There are always hardware hacks, though :) But that isn't as useful, 
of course; not many people are very keen on soldering in their calcs...

///Olle
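The failure mode Olle describes for the 89 (an access-sequence check that cannot tell an instruction fetch from a data read, so any bytes in ROM that the CPU can be made to fetch from the right address count toward the unlock) can be modelled as a small bus monitor. The following is an added example and is not code from this thread or from TI's ROM; the addresses, the "three reads then a write" pattern and the monitor structure are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a Flash-unlock sequence detector. It is NOT the
 * real TI-89 logic: the addresses and the required pattern are invented. */
typedef enum { BUS_FETCH, BUS_READ, BUS_WRITE } bus_kind;

typedef struct {
    bus_kind kind;
    unsigned addr;
} bus_access;

#define UNLOCK_READ_ADDR    0x1C0000u  /* assumed "magic" read address  */
#define UNLOCK_WRITE_ADDR   0x1C0002u  /* assumed "magic" write address */
#define UNLOCK_READS_NEEDED 3

typedef struct {
    int  reads_seen;            /* consecutive qualifying reads so far      */
    bool unlocked;
    bool fetch_counts_as_read;  /* the flaw: instruction fetch == data read */
} unlock_monitor;

static void monitor_init(unlock_monitor *m, bool fetch_counts_as_read)
{
    m->reads_seen = 0;
    m->unlocked = false;
    m->fetch_counts_as_read = fetch_counts_as_read;
}

/* Feed one bus transaction to the detector. Any access that is not part of
 * the expected pattern resets the sequence, which is what keeps ordinary
 * code from unlocking Flash by accident. */
static void monitor_step(unlock_monitor *m, bus_access a)
{
    bool is_read = (a.kind == BUS_READ) ||
                   (a.kind == BUS_FETCH && m->fetch_counts_as_read);

    if (is_read && a.addr == UNLOCK_READ_ADDR) {
        if (m->reads_seen < UNLOCK_READS_NEEDED)
            m->reads_seen++;
        return;
    }
    if (a.kind == BUS_WRITE && a.addr == UNLOCK_WRITE_ADDR &&
        m->reads_seen == UNLOCK_READS_NEEDED) {
        m->unlocked = true;
        m->reads_seen = 0;
        return;
    }
    m->reads_seen = 0;  /* anything else breaks the sequence */
}

static bool run_trace(const bus_access *t, size_t n, bool fetch_counts_as_read)
{
    unlock_monitor m;
    monitor_init(&m, fetch_counts_as_read);
    for (size_t i = 0; i < n; i++)
        monitor_step(&m, t[i]);
    return m.unlocked;
}

/* Constructed trace: the OS's own unlock routine doing three data reads
 * followed by the write. Unlocks under either policy. */
bool demo_legit(bool fetch_counts_as_read)
{
    const bus_access t[] = {
        { BUS_READ, UNLOCK_READ_ADDR }, { BUS_READ, UNLOCK_READ_ADDR },
        { BUS_READ, UNLOCK_READ_ADDR }, { BUS_WRITE, UNLOCK_WRITE_ADDR },
    };
    return run_trace(t, sizeof t / sizeof t[0], fetch_counts_as_read);
}

/* Constructed trace: the CPU has been sent to execute bytes (say a text
 * string) living at the magic address; the three instruction FETCHes from
 * there plus a write elsewhere in the gadget. Only the flawed policy
 * treats this as a valid unlock. */
bool demo_fetch_gadget(bool fetch_counts_as_read)
{
    const bus_access t[] = {
        { BUS_FETCH, UNLOCK_READ_ADDR }, { BUS_FETCH, UNLOCK_READ_ADDR },
        { BUS_FETCH, UNLOCK_READ_ADDR }, { BUS_WRITE, UNLOCK_WRITE_ADDR },
    };
    return run_trace(t, sizeof t / sizeof t[0], fetch_counts_as_read);
}

/* Constructed trace: an unrelated access interrupts the pattern, so no
 * unlock even under the flawed policy. */
bool demo_interrupted(bool fetch_counts_as_read)
{
    const bus_access t[] = {
        { BUS_READ, UNLOCK_READ_ADDR }, { BUS_READ, UNLOCK_READ_ADDR },
        { BUS_READ, 0x4000u },          { BUS_READ, UNLOCK_READ_ADDR },
        { BUS_WRITE, UNLOCK_WRITE_ADDR },
    };
    return run_trace(t, sizeof t / sizeof t[0], fetch_counts_as_read);
}

int main(void)
{
    printf("legit unlock, flawed policy:    %d\n", demo_legit(true));
    printf("fetch gadget, flawed policy:    %d\n", demo_fetch_gadget(true));
    printf("fetch gadget, hardened policy:  %d\n", demo_fetch_gadget(false));
    printf("interrupted, flawed policy:     %d\n", demo_interrupted(true));
    return 0;
}
```

The point of the model is the single `fetch_counts_as_read` flag: with it set, the detector accepts the gadget trace, so an attacker only needs some ROM bytes at the right address that the CPU can be made to execute. With fetches excluded, the same trace never unlocks, which is the check a reviewer of such a protection should ask for, alongside Dan's list for the 83+ (interrupts off, IM 1, relock before return).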



