Re: A83: Patching the Ti83+ ROM?






The problem is that things are simpler on the 83 Plus, and thus it's harder
to find a loophole (or maybe that's just 83 Plus programmers' excuses for
why they haven't found one yet ;).  Every time the Flash is unlocked,
interrupts are disabled, and IM 1 is set (which rules out just about all of
the "sneaky" stuff you can do on a Z80).  There are no external calls which
can be trapped, except small routines that are loaded to RAM, and it makes
sure that a RAM page is loaded, and not a ROM page, so so much for that...
All the routines that unlock Flash relock it before they return.  Anyhow, if
anyone wants to look, they can feel free to do so, all of the Flash stuff is
contained on pages 1Ch, 1Dh and 1Fh.  An example of the unlock code can be
found at address 4000h on page 1Dh.

-Dan Englender

----- Original Message -----
From: "Olle Hedman" <oh@hem.passagen.se>
To: <assembly-83@lists.ticalc.org>
Sent: Saturday, January 27, 2001 1:57 PM
Subject: Re: A83: Patching the Ti83+ ROM?


>
> At 19:26 2001-01-27, you wrote:
>
> >Yeah, it's possible to edit the OS file in a hex editor before sending it to
> >a calculator.  The problem is that the calculator won't accept the file
> >afterwards :)  It uses a complicated validation scheme that you can feel
> >free to try to crack, but I don't think you'll have any success.
> >
> >-Dan Englender
>
> No, trying to crack the validation scheme and generating new checksums and
> such is probably that hard that it is virtually impossible.
> Much smarter to try to go "the other way around" and try to find loopholes
> in the OS on the calc.
> (The calc IS writing at some point to its own flash...)
> On the ti89, such loopholes have been found on almost every AMS (the OS)
> version, and now there is one that works on all AMS versions, all
> HW-versions (there are 2 versions of the hardware of the ti89 out there), but
> it is kept secret. (no, I don't know it)
> I don't know anything about how the protection in the 83+ is implemented
> though, so I can't say anything about where to look or something like that.
>
> ///Olle
>
>



