Re: A83: Patching the Ti83+ ROM?






At 04:54 2001-01-28, you wrote:
>I vaguely remembered someone mentioning that TI's protection device will
>block writes to the flash chip if it isn't in an unlocked state, that's why
>I said that.  Of course, it may just be a figment of my imagination.

I downloaded the pdf from AMD now, and have skimmed through it, reading 
about its protection features.
It has something called "Temporary Sector Unprotect", and this is probably 
what TI uses.
To go around it, you have to find Vid, an 11.5V - 12.5V programming voltage, 
and reroute this, past the circuit for protection, and to the Reset-pin.
Could be easy or quite tricky, depending on how they have implemented it.
I find it improbable that they have added any extra protection except this, 
since that is just too much work. The protection isn't against people 
attacking it the hardware way, it is to protect against software attacks.
But of course, TI has amazed me before :)
When reset is at Vid, then the chip accepts write and erase commands over 
the bus.
There are some operations involved with WE and CE in programming too, but I 
haven't read it closely enough to know if it will cause any problems. It also 
depends on the implementation.
Of course, all this is my speculation based on experience and what I have 
read on this list and other places.
I have never even used a ti83+

>Actually, the TI-83 Plus is newer than the TI-89 (at least in terms of when
>it was announced).  The TI-89 was announced with the TI-73 on March 13th,
>1998.  The TI-83 Plus was announced on January 11th, 1999.  Quite a few
>things could have happened in that gap.

Oh. I was wrong then. But then the 89HW2 and the 83+ are about the same age 
at least.

>Port 14h is what is used to unlock the flash.  Outputting a value of one
>(from a "special" page, perhaps after a series of strange code execution)
>will unlock.  This will cause the usually read-protected page of 1Eh to be
>unprotected, and will allow writes to flash (using an equally complicated
>procedure).  A value of 0  to port 14h will lock the flash again.  Port 16h
>is used somewhere along the line too, but I haven't looked closely enough to
>see what that is.

Nice to see that at least someone is trying :)
Some monitoring of the hardware, and reading of pin-activity, along with 
testing from software, is probably needed to gain full understanding of the 
procedure...

>As for the flash chip, it's an AMD manufactured AM29F400B.  The docs for it
>should be available from AMD's website, if not, I can upload the .pdf
>somewhere.  It's a 512K chip, and has a minimum of 1,000,000 program/erase
>cycles per sector according to AMD (as opposed to the 100,000 figure TI
>quotes).

Maybe they mixed it up with the ti89's flash. This one has a minimum of 
100,000 erases.

>There is no page like yours for the TI-83 Plus.  I have researched and
>compiled tons of information (about everything, not just the flash), which I
>have repeatedly offered to give out to anyone who wants to compile it in
>some sort of organized fashion (so far only Henk Poley with his Romcall
>reference).  The problem is that it's completely disorganized and scattered
>between my computer, my TI-92 Plus, five notebooks, and my brain.

That is interesting...  Since I don't own a ti83+ I think I would have 
problems with the motivation for organizing such data... But if I ever get 
one, I know who to ask :)
Maybe I can get a used one quite cheap.

///Olle



