Calculator Community > ASM

A routine to lock/unlock flash? (Request by Sir, relayed by me)

(1/5) > >>

DJ Omnimaga:
Ok, since SirCmpwn cannot visit any TI site until Summer 2011, I am relaying his request for him:

He would like to ask if someone has a routine to lock/unlock flash memory? He also wants to know which pages would this affect?

_player1537:
maybe ask brandon for one, I know he has used it.  But he says it is pretty dangerous iirc

Galandros:
This has been questioned and answered in some UTI topics. mapar007 should have one routine for that and calcmaniac84 probably will (for his TI-Boy SE).

I know he can not visit the TI forums but we can save the pages and send to him. Or see WikiTI ports documentation, I have saw there code to unlock flash.
And Brandon Wilson has the most up to date method to unlock flash (if there is some bcall we can use or details in the instructions to unlock flash) and even knows details in the emulated TI-84+ SE in a Nspire unlock flash.

mapar007:
I'll do my duty, then :P

The 'universal exploit' that works on all OS versions. (c) Brandon Wilson


--- Code: ---
UnlockFlash:
;Unlocks Flash protection.
;Destroys: appBackUpScreen
;          pagedCount
;          pagedGetPtr
;          arcInfo
;          iMathPtr5
;          pagedBuf
;          ramCode
        in a,(6)
        push af
        ld a,7Bh
        call translatePage
        out (6),a
        ld hl,5092h
        ld e,(hl)
        inc hl
        ld d,(hl)
        inc hl
        ld a,(hl)
        call translatePage
        out (6),a
        ex de,hl
        ld a,0CCh
        ld bc,0FFFFh
        cpir
        ld e,(hl)
        inc hl
        ld d,(hl)
        push de
        pop ix
        ld hl,9898h
        ld (hl),0C3h
        inc hl
        ld (hl),returnPoint & 11111111b
        inc hl
        ld (hl),returnPoint >> 8
        ld hl,pagedBuf
        ld (hl),98h
        ld de,pagedBuf+1
        ld bc,49
        ldir
        ld (iMathPtr5),sp
        ld hl,(iMathPtr5)
        ld de,9A00h
        ld bc,50
        ldir  
        ld de,(iMathPtr5)
        ld hl,-12
        add hl,de
        ld (iMathPtr5),hl
        ld iy,0056h-25h
        ld a,50
        ld (pagedCount),a
        ld a,8
        ld (arcInfo),a
        jp (ix)
translatePage:
        ld b,a
        in a,(2)
        and 80h
        jr z,_is83P
        in a,(21h)
        and 3
        ld a,b
        ret nz
        and 3Fh
        ret
_is83P: ld a,b
        and 1Fh
        ret
returnPoint:
        ld iy,flags
        ld hl,(iMathPtr5)
        ld de,12
        add hl,de
        ld sp,hl
        ex de,hl
        ld hl,9A00h
        ld bc,50
        ldir
        pop af
        out (6),a
        ret

--- End code ---

EDIT:

To answer the second question: unlocking flash enables writing on all pages of the Flash memory (except the boot code, of course), and additionally grants access to the certificate page (7Eh).

DJ Omnimaga:
OOOH RIGHT! The last part is the one that can be the most dangerous. I think this is what Brandon talked about. When unlocking flash, be VERY careful to not overwrite the certificate, otherwise, big "OOPS".

Navigation

[0] Message Index

[#] Next page