Re: A89: Writing to Flash ROM
>I draw my sources from Johan Borg's flashrom.txt, and
>TI92 and TI89 Structures and Variables by Gareth
>James.  According to them, you must (while executing
>code in 0x200000-0x20FFFF, 0x212000-0x217fff or
>0x21a000-0x21fff0f) write to anywhere in
>0x1c0000-0x1f0000.  The routine that I use for writing
>to 0x1c0000-0x1f0000 is located at 0x2128ae.

This is not enough. To disable the protection, each write
to the area 0x1c0000-0x1f0000 must be preceded by three
successive reads (which may be opcode fetches too) from the area
0x200000-0x20ffff or 0x212000-0x217fff, immediately before
writing to 0x1c0000-0x1f0000. But, to make the situation harder,
TI made yet another trick: an arbitrary address is written to
directly before any write to memory via a register. So even
if the register was set to (0x1C????), it would not be possible
to execute 3 reads from the "correct" area before the write. So,
in the "regular" base code, there is not enough "good" space
where you can jump into. On HW1 calcs, such good places
exist in "garbage", more precisely in the table of error
messages used in the lockup routines. When executed with
the registers set appropriately, it will perform 3 reads from
the correct region before a write to anywhere. But note that
such "garbage" code continues with a lot of "illegal"
instructions, so you also need to hook the "Illegal instruction"
vector.

On HW2 calcs, a good enough place does not exist even in the
garbage, so it seems that on HW2 calcs protection breaking
is impossible. But it is still possible. You need to force
archive memory garbage collection, which will display
a confirmation dialog. Before this, you need to set the
display address (using PortSet) to point over the table of
interrupt vectors, so drawing the dialog will screw up the
interrupt vectors. While waiting for a keypress (in the
confirmation dialog), TIOS executes trap #1. This was their
BIG mistake. If the vectors are "screwed up" correctly, this
allows your routine to be executed while flash protection
is off (as you can guess, it is off while the confirmation dialog is
on the screen). This is what the HW2 patch and MaxMem, made by
Julien Muchembled, really do.

Zeljko Juric
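To make the access-sequence rule in the reply above concrete, here is a small model of it, written as an added example for this page (it is not TI code, not flashrom.txt, and not any emulator's logic). It checks a trace of bus accesses against the stated conditions: the write lands in 0x1c0000-0x1f0000, the writing instruction executes from one of the listed code ranges (only the two unambiguous ranges from the quoted text are modelled), and the three accesses immediately before the write are all reads from 0x200000-0x20ffff or 0x212000-0x217fff. The `bus_access` trace format, the dummy-write sequence standing in for "regular" base code, and all PC and data addresses in the sample traces are assumptions made for the demonstration; real bus timing on the calculator may differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the unlock rule as described in the reply. It is an
 * added example, not TI hardware or any published emulator code. The trace
 * format and every address in the sample traces are assumptions. */

typedef enum { ACC_READ, ACC_WRITE } acc_kind;

typedef struct {
    uint32_t pc;    /* address of the instruction performing the access */
    uint32_t addr;  /* bus address touched by the access */
    acc_kind kind;
} bus_access;

static bool in_range(uint32_t a, uint32_t lo, uint32_t hi)
{
    return a >= lo && a <= hi;
}

/* Flash region the post says is write-protected. */
static bool is_flash_target(uint32_t a)
{
    return in_range(a, 0x1c0000, 0x1f0000);
}

/* A read (opcode fetches count) from the region the three preceding
 * accesses must come from. */
static bool is_unlock_read(const bus_access *x)
{
    return x->kind == ACC_READ &&
           (in_range(x->addr, 0x200000, 0x20ffff) ||
            in_range(x->addr, 0x212000, 0x217fff));
}

/* Code ranges the writing instruction must execute from. Only the two
 * unambiguous ranges from the quoted text are modelled (assumption). */
static bool pc_allowed(uint32_t pc)
{
    return in_range(pc, 0x200000, 0x20ffff) ||
           in_range(pc, 0x212000, 0x217fff);
}

/* Would access i of the trace get through the modelled protection? */
static bool flash_write_unlocked(const bus_access *t, size_t n, size_t i)
{
    if (i >= n || t[i].kind != ACC_WRITE || !is_flash_target(t[i].addr))
        return false;               /* not a protected-region write at all */
    if (!pc_allowed(t[i].pc) || i < 3)
        return false;               /* wrong PC, or no room for three reads */
    for (size_t k = i - 3; k < i; k++)
        if (!is_unlock_read(&t[k]))
            return false;           /* a non-read or a read from elsewhere */
    return true;
}

/* Number of flash writes in a trace that the protection lets through. */
size_t count_unlocked_writes(const bus_access *t, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (flash_write_unlocked(t, n, i))
            hits++;
    return hits;
}

/* Constructed trace 1: "regular" base code. A dummy write to an arbitrary
 * address sits directly before the register-indirect store, so the three
 * accesses preceding the flash write can never all be good reads. */
const bus_access trace_regular[] = {
    { 0x2128ae, 0x2128ae, ACC_READ  },  /* opcode fetch */
    { 0x2128ae, 0x2128b0, ACC_READ  },  /* extension word fetch */
    { 0x2128b2, 0x2128b2, ACC_READ  },  /* opcode fetch of the dummy store */
    { 0x2128b2, 0x004000, ACC_WRITE },  /* dummy write to an arbitrary RAM address */
    { 0x2128b4, 0x2128b4, ACC_READ  },  /* opcode fetch of the store via a0 */
    { 0x2128b4, 0x1c0000, ACC_WRITE },  /* flash write via a0: blocked */
};

/* Constructed trace 2: the kind of "garbage" path described for HW1, three
 * consecutive opcode fetches from the good region and then the write.
 * 0x2140a0 is a placeholder address, not the real error-message table. */
const bus_access trace_garbage[] = {
    { 0x2140a0, 0x2140a0, ACC_READ  },
    { 0x2140a2, 0x2140a2, ACC_READ  },
    { 0x2140a4, 0x2140a4, ACC_READ  },
    { 0x2140a4, 0x1c0000, ACC_WRITE },  /* flash write: unlocked */
};

/* Constructed trace 3: same read pattern, but executed from RAM, i.e. from
 * outside the listed code ranges. */
const bus_access trace_ram[] = {
    { 0x005000, 0x200100, ACC_READ  },
    { 0x005002, 0x200104, ACC_READ  },
    { 0x005004, 0x200108, ACC_READ  },
    { 0x005006, 0x1c0000, ACC_WRITE },  /* blocked: PC not in a good range */
};

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("regular base code: %zu unlocked write(s)\n",
           count_unlocked_writes(trace_regular, LEN(trace_regular)));
    printf("garbage path:      %zu unlocked write(s)\n",
           count_unlocked_writes(trace_garbage, LEN(trace_garbage)));
    printf("code run from RAM: %zu unlocked write(s)\n",
           count_unlocked_writes(trace_ram, LEN(trace_ram)));
    return 0;
}
```

The point the model makes is the one the reply makes: the lock is not about the target address alone but about the bus history right before the write, which is why a store from ordinary base code (with its dummy write) and a store from code in RAM both fail, while a run of three fetches from the good region followed by the store passes.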
