Re: A83: Patching the Ti83+ ROM?
I actually did look for accidental code on the correct ROM pages that would
unlock the flash.  As there's only 12K of code to look through (only three
pages have "flash unlocking rights" AFAIK), the chances aren't very good.  I
did find one port output to a port that should have functioned like the
flash instruction port (14h), but it did not work correctly, so I have to
assume that there's something more complicated in the unlock procedure (like
all the superfluous nop's and such in the unlock procedure being
necessary).

I don't know how successful lowering the protect line on the flash chip
would be (there may be an intermediary device that will block writes unless
it gets its "OK" from the TIOS), but I think a possible way of unlocking
via hardware would go something like this:
1) Run a halt so that the interrupt cycle won't trigger in the next few
instructions
2) Set the cursor timer so the cursor will invert next interrupt cycle, and
set the cursor on flag.
3) Set a hook for the text display routines.
4) Pull one of the link lines low, and then jump to a routine that unlocks
the Flash.
5) Have a simple device sitting on the link line, and when it goes low (you
might have to wait a few milliseconds so that the flash will have been
unlocked), generate an NMI pulse on the Z80 chip.
6) The TIOS is not properly set up to handle NMIs, so it will jump to a
bunch of junk, but will eventually end up in the regular interrupt routine.
7) When the interrupt routine gets to the cursor display, it will be hooked
by the text hook, and control will be passed to whatever code you want.


Someone can have fun trying that, I'm sure not going to,
-Dan Englender


----- Original Message -----
> At 20:53 2001-01-27, you wrote:
>
> >The problem is that things are simpler on the 83 Plus, and thus it's harder
> >to find a loophole (or maybe that's just 83 Plus programmers' excuses for
> >why they haven't found one yet ;).  Every time the Flash is unlocked,
> >interrupts are disabled, and IM 1 is set (which rules out just about all of
> >the "sneaky" stuff you can do on a Z80).  There are no external calls which
> >can be trapped, except small routines that are loaded to RAM, and it makes
> >sure that a RAM page is loaded, and not a ROM page, so so much for that...
> >All the routines that unlock Flash relock it before they return.  Anyhow, if
> >anyone wants to look, they can feel free to do so, all of the Flash stuff is
> >contained on pages 1Ch, 1Dh and 1Fh.  An example of the unlock code can be
> >found at address 4000h on page 1Dh.
> >
> >-Dan Englender
>
> When finding a loophole, it isn't as interesting to look where the calc
> unlocks it, these routines are often very well protected, as it is to know
> exactly how the calc unlocks, and what criteria there are for a successful
> unlock..
> The first way found to unlock the 89 was to jump to a text string in
> ROM space, that just happened to do the right things (three reads
> (instruction fetch is enough, probably this the TI OS coders didn't think
> of, or they just forgot to check their data) from the right address, and
> then a write.), and then generate an illegal instruction or address error
> or something like that.
> Not the first thing to think of, if you are not a mad hacker :)
> But of course, the simpler the processor, the fewer things to think of, and
> prevent...
> And with the paged memory of the 83+, it is probably even easier to
> implement a waterproof protection.
> There are always hardware hacks though :) But that isn't as useful
> of course, not many people are very keen on soldering in their calcs...
>
> ///Olle
>
