Re: A83: Patching the Ti83+ ROM?
Dan Englender wrote:
>
> I actually did look for accidental code on the correct ROM pages that would
> unlock the flash. As there's only 12K of code to look through (only three
> pages have "flash unlocking rights" AFAIK), the chances aren't very good. I
> did find one port output to a port that should have functioned like the
> flash instruction port (14h), but it did not work correctly, so I have to
> assume that there's something more complicated in the unlock procedure (like
> all the superfluous NOPs and such in the unlock procedure being
> necessary).
>
> I don't know how successful lowering the protect line on the flash chip
> would be (there may be an intermediary device that will block writes unless
> it gets its "OK" from the TIOS), but I think a possible way of unlocking
> via hardware would go something like this:
> 1) Run a halt so that the interrupt cycle won't trigger in the next few
> instructions
> 2) Set the cursor timer so the cursor will invert next interrupt cycle, and
> set the cursor on flag.
> 3) Set a hook for the text display routines.
> 4) Pull one of the link lines low, and then jump to a routine that unlocks
> the Flash.
> 5) Have a simple device sitting on the link line, and when it goes low (you
> might have to wait a few milliseconds so that the flash will have been
> unlocked), generate a NMI pulse on the Z80 chip.
> 6) The TIOS is not properly set up to handle NMIs, so it will jump to a
> bunch of junk, but will eventually end up in the regular interrupt routine.
> 7) When the interrupt routine gets to the cursor display, it will be hooked
> by the text hook, and control will be passed to whatever code you want.
>
> Someone can have fun trying that, I'm sure not going to,
> -Dan Englender
>
> ----- Original Message -----
> > At 20:53 2001-01-27, you wrote:
> >
> > >The problem is that things are simpler on the 83 Plus, and thus it's harder
> > >to find a loophole (or maybe that's just 83 Plus programmers' excuses for
> > >why they haven't found one yet ;). Every time the Flash is unlocked,
> > >interrupts are disabled, and IM 1 is set (which rules out just about all of
> > >the "sneaky" stuff you can do on a Z80). There are no external calls which
> > >can be trapped, except small routines that are loaded to RAM, and it makes
> > >sure that a RAM page is loaded, and not a ROM page, so so much for that...
> > >All the routines that unlock Flash relock it before they return. Anyhow, if
> > >anyone wants to look, they can feel free to do so, all of the Flash stuff is
> > >contained on pages 1Ch, 1Dh and 1Fh. An example of the unlock code can be
> > >found at address 4000h on page 1Dh.
> > >
> > >-Dan Englender
> >
> > When finding a loophole, it isn't as interesting to look where the calc
> > unlocks it, these routines are often very well protected, as it is to know
> > exactly how the calc unlocks, and what criteria there are for a successful
> > unlock..
> > The first way found to unlock the 89 was to jump to a text string in
> > ROM space, that just happened to do the right things (three reads
> > (instruction fetch is enough, probably this the TI OS coders didn't think
> > of, or they just forgot to check their data) from the right address, and
> > then a write.), and then generate an illegal instruction or address error
> > or something like that.
> > Not the first thing to think of, if you are not a mad hacker :)
> > But of course, the simpler the processor, the fewer things to think of, and
> > prevent...
> > And with the paged memory of the 83+, it is probably even easier to
> > implement a waterproof protection.
> > There are always hardware hacks though :) But that isn't as useful
> > of course, not many people are very keen on soldering in their calcs...
> >
> > ///Olle
> >
> >
Hi,
Could you specify the address of that out instruction? I'm willing to
pass (yet another) night on the Ti-sim...
--
Solignac Julien
x1cygnus@xcalc.org
http://xcalc.org
- A hacker does for love what others wouldn't do for money