A83: Re: Flash Mem


"one could search for nice pieces of code such as OUT (C),A / RET... "
...Well, one has already searched and there are no out (c),r, outi, outd, otdr, or otir on pages $1F, $1D, or $1C.  I used the code below.
 
Since I was a bit on the lazy side programming it, it'll generate a couple of "false alarms" (like EDC9), but you can check out the five or so addresses it generates in Calcsys, and you'll see none of them are one of the commands we want.
 
 bcall(_clrlcdfull)
 in a,(6)          ;save the page currently mapped at $4000
 push af
 ld a,$1F          ;page to search, modify for other pages
 out (6),a
 ld bc,$4000       ;byte count: one whole 16K page
 ld h,b
 ld l,c            ;hl = $4000, start of the swapped-in page
doloop:
 ld a,$ED          ;look for the $ED prefix of the out (c),r group
 cpir              ;z set on match, hl then points one past the $ED
 jr nz,done        ;bc ran out, no more $ED on this page
 ld a,(hl)         ;second opcode byte
 and $47           ;change to $E7 to search for outi,outd,otir,otdr
 xor $41           ;change to $A3 to search for ""   ""    ""   ""
 jr nz,doloop      ;not out (c),r (mask $47 ignores bit 7, hence hits like EDC9)
 push hl
 push bc
 ld (currow),a     ;a is 0 here, so cursor goes to row 0
 ld (curcol),a     ;and column 0
 bcall(_disphl)    ;show the address of the byte after the $ED
 bcall(_getkey)    ;wait for a key before carrying on
 pop bc
 pop hl
 jr doloop
done:
 pop af
 out (6),a         ;restore the original page
 ret
 
-Dan Englender
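The same $ED-prefix scan as Dan's cpir loop, as an added example that is not code from either post: it runs over a constructed 16K page image, applies the three mask/compare pairs mentioned above (lazy $47/$41, exact $C7/$41, block $E7/$A3), decodes the hits, and shows why the lazy mask lets ED C9 (RET) through as a false alarm. The page image and planted opcodes are constructed sample data.

```python
# Added example (not from the original posts): ED-prefixed Z80 I/O opcode scan
# over a constructed 16 KiB page image, mirroring the cpir + and/xor loop.

PAGE_BASE = 0x4000            # a swapped-in ROM page appears at $4000-$7FFF

# (mask, value): the byte after $ED matches when (byte & mask) == value
LAZY_OUT_C_R = (0x47, 0x41)   # as posted: bit 7 unchecked, so ED C9 matches too
EXACT_OUT_C_R = (0xC7, 0x41)  # OUT (C),r is encoded ED 01rrr001
BLOCK_OUT = (0xE7, 0xA3)      # OUTI/OUTD/OTIR/OTDR are ED 101rd011

REGS = "BCDEHL?A"             # rrr field; 6 is the undocumented OUT (C),0

def mnemonic(second):
    """Decode the byte after $ED for the I/O opcodes this scan targets."""
    if (second & 0xC7) == 0x41:
        r = REGS[(second >> 3) & 7]
        return "OUT (C),%s" % ("0" if r == "?" else r)
    block = {0xA3: "OUTI", 0xAB: "OUTD", 0xB3: "OTIR", 0xBB: "OTDR"}
    return block.get(second, "not an I/O opcode")

def scan_page(page, mask, value, base=PAGE_BASE):
    """Addresses (in the $4000 window) of the byte after each $ED whose
    following byte satisfies (byte & mask) == value. Like the asm, the
    reported address is HL after cpir, i.e. one past the $ED byte."""
    return [base + i + 1
            for i in range(len(page) - 1)
            if page[i] == 0xED and (page[i + 1] & mask) == value]

def build_sample_page():
    """Constructed page: erased flash ($FF) with a few planted opcodes."""
    page = bytearray([0xFF]) * 0x4000
    page[0x0010:0x0013] = bytes([0xED, 0x79, 0xC9])   # OUT (C),A / RET
    page[0x0020:0x0022] = bytes([0xED, 0xC9])         # false alarm: ED then RET
    page[0x0030:0x0032] = bytes([0xED, 0xB3])         # OTIR
    page[0x0040:0x0042] = bytes([0xED, 0x40])         # IN B,(C): must not match
    return page

if __name__ == "__main__":
    page = build_sample_page()
    for label, (mask, value) in [("lazy $47/$41", LAZY_OUT_C_R),
                                 ("exact $C7/$41", EXACT_OUT_C_R),
                                 ("block $E7/$A3", BLOCK_OUT)]:
        for addr in scan_page(page, mask, value):
            b = page[addr - PAGE_BASE]
            print("%-14s %04X  ED %02X  %s" % (label, addr, b, mnemonic(b)))
```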
----- Original Message -----
From: Solignac Julien
To: Assembly 83 List
Sent: Sunday, August 20, 2000 8:10 AM
Subject: A83: Flash Mem

Here's a small synthetical article on everything known on flash mem:
 
Unlocking flash mem requires sending a "1" to port 14h and a bit of preliminary code, but the Z80 will cause an exception if a "1" is sent to 14h out of pages 1Ch, 1Dh and 1Fh.
Also TI has protected its code very well: the unlocking sequence is not a ret-terminated routine but is included before every different type of flash use, i.e. spoofing code is sure going to be hard. After each unlocking sequence, there's also a call to 01A9h, a routine that checks the ROM page, the stack, interrupts...
 
For the moment I'm not sure whether the "NOP" code following the out to 14h is needed or not; if not, one could search for nice pieces of code such as OUT (C),A / RET... But if that code is needed, we're nearly out of luck. Nearly, since page 1Fh, alias boot code (and thus unchangeable I think), contains many many segments of unlocking code; we just have to find the right one. Otherwise, spoofing is the last chance.
 
Then again, serious cryptology like RSA requires really LARGE numbers: with 99 numbers you get ln(10^99)/ln(2)=99ln(10)/ln(2)=328 bit encryption, which is quite strong, but I'm talking about a 99 number key; with the exponents, you need to handle quite larger numbers, even though there is a modulo. Wanting to be serious, I reinstalled my base code (also because I wrecked it trying to send a modified .hex file) and I timed the validation sequence: it took 10.58 seconds for validating a 512kb stamp certificate. I can't really believe that TI used RSA. I think that they're closer to something like CRC, and that the strength of their system lies in the hardware limitation to reading page 1Eh.
 
Solignac Julien
x1cygnus@xcalc.org
http://xcalc.org
