Re: A83: Patching the Ti83+ ROM?

Re: A83: Patching the Ti83+ ROM?

• To: assembly-83@lists.ticalc.org
• Subject: Re: A83: Patching the Ti83+ ROM?
• From: Gabriel Hughes <ghughes@clipper.jbhs.wi.k12.md.us>
• Date: Mon, 29 Jan 2001 10:44:04 -0500 (EST)
• In-Reply-To: <006301c0895e$0953ec80$0200a8c0@pc2>
• Reply-To: assembly-83@lists.ticalc.org

  So what are you dissin' me!?!
[smile]
-Direct G-

On Sun, 28 Jan 2001, Dan Englender wrote:

> 
> > Oh. I was wrong then. But then the 89HW2 and the 83+ is about the same age
> > at least.
> ...Yeah, I suspect that the protection scheme on the TI-83 Plus is much
> closer to the HW2 TI-89 than HW1.
> 
> > That is interesting...  Since I don't own a ti83+ I think I would have
> > problems with the motivation for organizing such data... But if I ever get
> > one, I know who to ask :)
> > Maybe I can get a used one quite cheap.
> >
> > ///Olle
> ...I hope you do find a cheap TI-83 Plus.  It would be great to have someone
> as knowledgeable as you working on it!
> 
> -Dan Englender
> 
> 
> ----- Original Message -----
> From: "Olle Hedman" <oh@hem.passagen.se>
> To: <assembly-83@lists.ticalc.org>
> Sent: Sunday, January 28, 2001 5:28 AM
> Subject: Re: A83: Patching the Ti83+ ROM?
> 
> 
> >
> > At 04:54 2001-01-28, you wrote:
> > >I vaguely remembered someone mentioning that TI's protection device will
> > >block writes to the flash chip if it isn't in an unlocked state, that's
> why
> > >I said that.  Of course, it may just be a figment of my imagination.
> >
> > I downloaded the pdf from AMD now, and have skimmed through it, reading
> > about its protection feutures.
> > It has something called "Temporary Sector Unprotect", and this is probably
> > what TI uses.
> > To go around it, you have to find Vid, a 11.5V - 12.5V programming
> voltage,
> > and reroute this, past the circuit for protection, and to the Reset-pin.
> > Could be easy or quite tricky, depending on how they have implemented it.
> > I find it unprobable that they have added any extra protection except
> this,
> > since that is just to much work. The protection isn't against people
> > attacking it the hardware way, it is to protect against software attacks.
> > But ofcourse, TI has amased me before :)
> > When reset is at Vid, then the chip accept write and erase commands over
> > the bus.
> > There are some operations involved with WE and CE in programming too, but
> I
> > havn't read it closly enough to know if it will cause any problems. It
> also
> > depends on the implementation.
> > Ofcourse, all this is my speculations based on experience and what I have
> > read on this list and other places.
> > I have never even used a ti83+
> >
> > >Actually, the TI-83 Plus is newer than the TI-89 (at least in terms of
> when
> > >it was announced).  The TI-89 was announced with the TI-73 on March 13th,
> > >1998.  The TI-83 Plus was announced on January 11th, 1999.  Quite a few
> > >things could have happened in that gap.
> >
> > Oh. I was wrong then. But then the 89HW2 and the 83+ is about the same age
> > at least.
> >
> > >Port 14h is what is used to unlock the flash.  Outputting a value of one
> > >(from a "special" page, perhaps after a series of strange code execution)
> > >will unlock.  This will cause the usually read-protected page of 1Eh to
> be
> > >unprotected, and will allow writes to flash (using an equally complicated
> > >procedure).  A value of 0  to port 14h will lock the flash again.  Port
> 16h
> > >is used somewhere along the line too, but I haven't looked closely enough
> to
> > >see what that is.
> >
> > Nice to see that at least someone is trying :)
> > Some monitoring of the hardware, and reading of pin-activity, along with
> > testing from software, is probably needed to gain full understanding of
> the
> > procedure...
> >
> > >As for the flash chip, it's an AMD manufactured AM29F400B.  The docs for
> it
> > >should be available from AMD's website, if not, I can upload the .pdf
> > >somewhere.  It's a 512K chip, and has a minimum of 1,000,000
> program/erase
> > >cycles per sector according to AMD (as opposed to the 100,000 figure TI
> > >quotes).
> >
> > Maybe they mixed it up with the ti89s flash. This one has a minimum of
> > 100,000 erases.
> >
> > >There is no page like yours for the TI-83 Plus.  I have researched and
> > >compiled tons of information (about everything, not just the flash),
> which I
> > >have repeatedly offered to give out to anyone who wants to compile it in
> > >some sort of organized fashion (so far only Henk Poley with his Romcall
> > >reference).  The problem is that it's completely disorganized and
> scattered
> > >between my computer, my TI-92 Plus, five notebooks, and my brain.
> >
> > That is interesting...  Since I don't own a ti83+ I think I would have
> > problems with the motivation for organizing such data... But if I ever get
> > one, I know who to ask :)
> > Maybe I can get a used one quite cheap.
> >
> > ///Olle
> >
> >
> 
> 

• Re: A83: Patching the Ti83+ ROM?
• From: "Dan Englender" <dan@calc.org>

• Prev: RE: A83: Getkey + 2nd + on
• Next: Re: A83: Re: question about moving programs around
• Index(es):
  • Main
  • Thread