Re: A83: Patching the Ti83+ ROM?
I've only searched ROMs 1.03 and 1.12. (If anyone happens to have a
different ROM loaded, they can use the SEARCH feature of Calcsys to see if
anything interesting exists on those ROMs.) On 1.03 there is an accidental
out to port 16h somewhere or another, but since I have no idea what port 16h
is, I didn't pay too close attention. On ROM 1.12, there are two accidental
outputs to port 3Ch. Once at 6A0Fh and once at 6A72h, both on page 1Dh.
You may be asking yourself what 3Ch has to do with anything. Well, the way
the outputs are handled, the ports repeat. You'll see that while the link
port is "supposed" to be port 0, you can access it from port 8h, 20h, 28h,
40h, etc. (not 10h, 18h, or 30h because those are the LCD instruction
port). It's harder to tell if ports like 14h repeat, since I can't
physically test it (unlike the link port and key port), but if you look at
the value you get as an input from the port, you'll find that it repeats the
same way as the link port, in this case at: 1Ch, 34h, 3Ch, 54h, 5Ch, etc.
It's possible the reason I wasn't able to get it to work was that it was
using one of these "shadow" ports instead of a real one, but it's also quite
possible that it's something else, like all the weird code that precedes it.
Just in case anyone who doesn't have an 83 Plus is wondering what code I
keep talking about, here it is:
push af
ld a,01
nop
di
nop
nop
im 1
di
out (14h),a
di
call yadda      ; This does a bunch of checking stuff to make sure you're not
                ; trying to trick TIOS, like checking ROM and RAM pages, stack
                ; pointer, etc.
pop af
....Here is where the code for whatever it's doing with the flash would go
jp 666Eh

666Eh:
push af
xor a
nop
di
nop
nop
im 1
di
out (14h),a
di
or a
jp nz,0000      ; There's no way to capture control from 0000 AFAIK
pop af
ret
-Dan Englender
----- Original Message -----
> Dan Englender wrote:
> >
> > I actually did look for accidental code on the correct ROM pages that
> > would unlock the flash. As there's only 12K of code to look through (only
> > three pages have "flash unlocking rights" AFAIK), the chances aren't very
> > good. I did find one port output to a port that should have functioned
> > like the flash instruction port (14h), but it did not work correctly, so
> > I have to assume that there's something more complicated in the unlock
> > procedure (like all the superfluous nop's and such in the unlock
> > procedure being necessary).
> >
> > I don't know how successful lowering the protect line on the flash chip
> > would be (there may be an intermediary device that will block writes
> > unless it gets its "OK" from the TIOS), but I think a possible way of
> > unlocking via hardware would go something like this:
> > 1) Run a halt so that the interrupt cycle won't trigger in the next few
> >    instructions
> > 2) Set the cursor timer so the cursor will invert next interrupt cycle,
> >    and set the cursor on flag.
> > 3) Set a hook for the text display routines.
> > 4) Pull one of the link lines low, and then jump to a routine that
> >    unlocks the Flash.
> > 5) Have a simple device sitting on the link line, and when it goes low
> >    (you might have to wait a few milliseconds so that the flash will have
> >    been unlocked), generate an NMI pulse on the Z80 chip.
> > 6) The TIOS is not properly set up to handle NMIs, so it will jump to a
> >    bunch of junk, but will eventually end up in the regular interrupt
> >    routine.
> > 7) When the interrupt routine gets to the cursor display, it will be
> >    hooked by the text hook, and control will be passed to whatever code
> >    you want.
> >
> > Someone can have fun trying that, I'm sure not going to,
> > -Dan Englender
> >
>
> Hi,
>
> Could you give the precise address of that out instruction? I'm willing to
> pass (yet another) night on the Ti-sim...
>
> --
> Solignac Julien
> x1cygnus@xcalc.org
> http://xcalc.org
>
> - A hacker does for love what others wouldn't do for money
>
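The port mirroring Dan describes at the top of the thread (a write to 3Ch landing on the flash control register at 14h) is incomplete address decoding: the hardware compares only some of the eight port-address bits, so several port numbers select the same register. The Python below is an added example, not code from the post or from any TI tool. It infers, from the alias addresses listed in the message, which bits such a decoder must be ignoring, enumerates every mirror of a port, and audits a constructed trace of OUT instructions for writes that reach a watched register through a mirror rather than by its documented number. The mask it derives (bits 3, 5 and 6 ignored) is only a model of the addresses quoted in the post, not a verified description of the 83 Plus hardware; bit 7 is never exercised by those addresses and is left decoded.

```python
"""Model of incomplete I/O-port decoding ("shadow" ports) on an 8-bit bus.

Added example, not from the original post.  The decode mask is inferred
purely from the alias addresses the post lists; treat it as a model of
those observations, not as a verified description of the TI-83+ ASIC.
"""

PORT_SPACE = 0x100  # Z80 OUT (n),A takes an 8-bit port number

# Observations taken from the post: port -> (addresses that reach it,
# addresses that are known NOT to reach it).
OBSERVED = {
    0x00: ([0x08, 0x20, 0x28, 0x40], [0x10, 0x18, 0x30]),   # link port
    0x14: ([0x1C, 0x34, 0x3C, 0x54, 0x5C], []),             # flash control port
}


def infer_ignored_bits(port, aliases, non_aliases):
    """Return a mask of address bits the decoder must ignore so that every
    address in `aliases` selects `port` while no address in `non_aliases`
    does.  Raises ValueError if no single-mask decoder fits the data."""
    ignored = 0
    for addr in aliases:
        ignored |= addr ^ port          # bits that differ yet still hit the port
    decoded = (PORT_SPACE - 1) & ~ignored
    for addr in non_aliases:
        if (addr & decoded) == (port & decoded):
            raise ValueError("%02Xh would alias %02Xh under mask %02Xh"
                             % (addr, port, decoded))
    return ignored


def build_decode_mask(observations=OBSERVED):
    """Combine all observations into one 'decoded bits' mask.  Bits never
    exercised by an observation (bit 7 here) stay decoded, the conservative
    choice: the model never claims a mirror it has not actually seen."""
    ignored = 0
    for port, (aliases, non_aliases) in observations.items():
        ignored |= infer_ignored_bits(port, aliases, non_aliases)
    decoded = (PORT_SPACE - 1) & ~ignored
    # Re-check every exclusion against the combined mask.
    for port, (_, non_aliases) in observations.items():
        for addr in non_aliases:
            if (addr & decoded) == (port & decoded):
                raise ValueError("observations are inconsistent at %02Xh" % addr)
    return decoded


def canonical(port, decoded):
    """The register an OUT to `port` actually reaches."""
    return port & decoded


def mirrors(port, decoded):
    """Every 8-bit port number that selects the same register as `port`."""
    target = canonical(port, decoded)
    return [p for p in range(PORT_SPACE) if canonical(p, decoded) == target]


def mirrored_writes(trace, decoded, watch_port):
    """Audit a list of (pc, port) OUT events: return the pcs of writes that
    reach `watch_port` through a mirror, i.e. under a different port number."""
    target = canonical(watch_port, decoded)
    return [pc for pc, port in trace
            if port != watch_port and canonical(port, decoded) == target]


# Constructed trace of OUT instructions.  The two 3Ch writes are the ones the
# post reports at 6A0Fh and 6A72h on page 1Dh; the other two are made up to
# show that ordinary LCD writes and direct port-14h writes are not flagged.
SAMPLE_TRACE = [
    (0x6A0F, 0x3C),
    (0x6A72, 0x3C),
    (0x1234, 0x10),   # constructed: LCD instruction port
    (0x5678, 0x14),   # constructed: direct write, not a mirror
]


if __name__ == "__main__":
    mask = build_decode_mask()
    print("decoded address bits: %02Xh" % mask)
    print("mirrors of 14h:", ["%02Xh" % p for p in mirrors(0x14, mask)])
    print("writes reaching 14h via a mirror at:",
          ["%04Xh" % pc for pc in mirrored_writes(SAMPLE_TRACE, mask, 0x14)])
```

Run as a script it reports the mask 97h, the eight mirrors of 14h (14h, 1Ch, 34h, 3Ch, 54h, 5Ch, 74h, 7Ch under this model) and the two 3Ch writes from the post as the only ones reaching 14h indirectly. The same audit, fed with OUT instructions pulled from a disassembly, is how one would check a ROM for every write that can reach a protected register without naming it.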