A83: Flash Memory

It's been a while now that I've been tracing TI's code to figure out how to
write to flash; here's all that I've gathered up for the moment. It should
help anyone following the same goal:

Although I've found out routines used to write to flash, they only work on
the TI simulator/debugger; there seems to be some "magic code" missing. A
lot of TI's flash writing takes place at RAM offset 8100h; if you care to
place a breakpoint at 810Ch, you'll fall right into the flash write code.
Yet there's some mysterious code that runs before it. For example, a routine
used to write one byte to flash has this piece of code in it before calling
8100h (bcall 8021h):

PUSH AF
PUSH BC
LD A,I
PUSH AF
DI
POP BC
LD A,C
LD (82A2h), A
POP BC
POP AF
RET

The byte stored at 82A2h is not used at all; it might be controlled by
hardware to gain flash write access. What's more, the mechanics of flash
writing are complicated to find out, as TI's software contents itself with
the last step of flash write control:

IN A, (06h)
PUSH AF
LD A, 02h
OUT (06h), A
LD A, 0AAh
LD (6AAAh), A
LD A, 01h
OUT (06h), A
LD A, 55h
LD (5555h), A
LD A, 02h
OUT (06h), A
LD A, 0A0h
LD (6AAAh), A
POP AF
OUT (06h), A
LDI
[...]
DEC DE
LD A, 0F0h
LD (DE), A

If you use that code under the TI simulator, you can effectively write to
flash; on a real TI-83 Plus, though, you'll hang. So this code is only useful
for emulators.

Another piece of magic code is this, used before bcalling 8087h, a routine
to write a stream of bytes to flash:

PUSH AF
XOR A
NOP
DI
NOP
NOP
IM 1
DI
OUT (14),A
DI
OR A
JR NZ, Error
POP AF

As you can see, these routines seem to be totally useless except for
hardware flash write restriction. Too bad the Z80 doesn't have advanced
interrupts like the 68k. With routines like "WriteArchiveBlock", TI just
couldn't sell their App software kit for the TI-89/92+.

A good place to start tracing is after calling Arc_UnArc at 6507h, page 07h:
that is the piece of code that runs after having determined whether the var
was in RAM or flash.

Anyway, I'm determined to gain flash access; if I can't gain it this way,
I'll try to break TI's certificate keys: a 3 MHz Z80 can't handle very
advanced cryptology. Hoping this helps a few crackers/hackers/whatever.


Solignac Julien
x1cygnus@xcalc.org
http://xcalc.org
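The OUT (06h)/LD sequence quoted in the post is what an emulator has to recognise to "effectively write to flash", so here is an added example (not TI's code and not the author's) that models it: port 06h is assumed to select the 16K page mapped at 4000h-7FFFh, and the flash chip is assumed to decode AMD 29Fxxx-style byte-mode commands (AAh to xAAAh, 55h to x555h, then a command byte at xAAAh) on address lines A0-A11. The target page, DE and data byte fed to the replay are constructed values.

```python
# Constructed model of the TI-83 Plus flash write sequence from the post.
# Assumptions not stated in the post: port 06h picks the 16K page at
# 4000h-7FFFh; the flash chip decodes AMD byte-mode commands on A0-A11.

PAGE_SIZE = 0x4000


def physical_addr(port6_page, logical):
    """Flash address for a CPU address, given the page number in port 06h."""
    if 0x4000 <= logical <= 0x7FFF:
        return port6_page * PAGE_SIZE + (logical - 0x4000)
    raise ValueError("%04Xh is not in the 4000h-7FFFh flash window" % logical)


class FlashDecoder:
    """Three-cycle JEDEC/AMD command state machine, as an emulator models it."""

    def __init__(self):
        self.state, self.events = 0, []

    def write(self, phys, value):
        low = phys & 0xFFF  # assumed: the chip only decodes A0-A11 for commands
        if self.state == 3:  # after A0h the next write is the data byte
            self.state = 0
            self.events.append(("program", phys, value))
        elif value == 0xF0:  # reset command, accepted in any other state
            self.state = 0
            self.events.append(("reset",))
        elif self.state == 0 and low == 0xAAA and value == 0xAA:
            self.state = 1
        elif self.state == 1 and low == 0x555 and value == 0x55:
            self.state = 2
        elif self.state == 2 and low == 0xAAA and value == 0xA0:
            self.state = 3  # "program" command armed
        else:
            self.state = 0  # a stray write simply aborts the sequence
            self.events.append(("ignored", phys, value))


def replay_post_sequence(target_page=0x10, de=0x4123, data=0x42):
    """Replay the OUT/LD sequence from the post with constructed operands."""
    f = FlashDecoder()
    saved_port6 = target_page                   # IN A,(06h) / PUSH AF
    f.write(physical_addr(0x02, 0x6AAA), 0xAA)  # OUT (06h),02h ; LD (6AAAh),0AAh
    f.write(physical_addr(0x01, 0x5555), 0x55)  # OUT (06h),01h ; LD (5555h),55h
    f.write(physical_addr(0x02, 0x6AAA), 0xA0)  # OUT (06h),02h ; LD (6AAAh),0A0h
    f.write(physical_addr(saved_port6, de), data)  # POP AF ; OUT (06h),A ; LDI
    f.write(physical_addr(saved_port6, de), 0xF0)  # DEC DE ; LD (DE),0F0h (reset)
    return f.events
```

Note that the two unlock writes land on physical AAAAh and 5555h, which is why the bank in port 06h has to change between them: the chip sees AAAh and 555h once the upper address lines are ignored.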