; Overview of this part of the listing: the IDA banner, the reset stub at
; ROM:4000, the version string '1.02 ', and the first records of a table of
; 3-byte entries (dw + db).
; NOTE(review): the routine names in the table comments (_MD5Final,
; _RSAValidate, ...) are annotations. The input format is a raw binary, so they
; are not symbols recovered from the file.
ROM:0000 ;
ROM:0000 ; +-------------------------------------------------------------------------+
ROM:0000 ; | This file is generated by The Interactive Disassembler (IDA) |
ROM:0000 ; | Copyright (c) 2007 by DataRescue sa/nv, <> |
ROM:0000 ; | Licensed to: Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007 |
ROM:0000 ; +-------------------------------------------------------------------------+
ROM:0000 ;
ROM:0000 ; Input MD5 : B92ED2F3AE85C505EDF079293AACF6E8
ROM:0000
ROM:0000 ; File Name : C:\Users\Brian\Documents\calculator\information\boot dissassembly\boot1.bin
ROM:0000 ; Format : Binary file
ROM:0000 ; Base Address: 0000h Range: 4000h - 8000h Loaded length: 4000h
ROM:0000
ROM:0000 ; Processor : z80 []
ROM:0000 ; Target assembler: Zilog Macro Assembler
ROM:0000
ROM:0000 ; ===========================================================================
ROM:0000
ROM:0000 ; Segment type: Pure code
ROM:0000 segment ROM
ROM:0000 unk_0: ds 1                  ; CODE XREF: ROM:loc_4175j
                                      ; address 0000h: target of the `jp unk_0` failure paths later in the listing
ROM:4000 ; ---------------------------------------------------------------------------
; Reset stub: three port writes, then a jump into the $8000 view of this page.
ROM:4000 ld a, 7                      ; remember, this is executing at 0000h
ROM:4002 out (4), a                   ; set memory map 1
ROM:4004 ld a, 7Fh                    ; 7Fh is also the db value of the table records below
ROM:4006 out (6), a                   ; put the boot code in $8000
ROM:4008 ld a, 3
ROM:400A out (0Eh), a                 ; we're pretty sure this port does nothing
ROM:400C jp unk_812C                  ; presumably the code listed at ROM:412C, seen through the $8000 mapping - confirm
ROM:400C ; ---------------------------------------------------------------------------
ROM:400F a1_02: .ascii '1.02 ',0      ; version string
ROM:4015 db 0FFh
ROM:4016 db 0FFh
ROM:4017 db 0FFh
; Table of 3-byte records: dw = routine address, db = presumably the flash page
; to map before the call - TODO confirm against the bcall dispatcher, which is
; not part of this excerpt.
; Going by the annotator's names, these first records cover hashing
; (_MD5Final), signature checking (_RSAValidate), flash write/erase
; (_WriteAByte, _EraseFlash) and certificate access.
ROM:4018 dw 66ECh                     ; _MD5Final
ROM:401A db 7Fh
ROM:401B dw 6A3Ch                     ; _RSAValidate
ROM:401D db 7Fh
ROM:401E dw 6E0Dh                     ; _CmpStr
ROM:4020 db 7Fh
ROM:4021 dw 4C9Ah                     ; _WriteAByte
ROM:4023 db 7Fh
ROM:4024 dw 4C2Ah                     ; _EraseFlash
ROM:4026 db 7Fh
ROM:4027 dw 4D53h                     ; _FindFirstCertField
ROM:4029 db 7Fh
ROM:402A dw 4DA0h                     ; _ZeroToCertificate
ROM:402C db 7Fh
ROM:402D dw 4D44h                     ; _GetCertificateEnd
ROM:402F db 7Fh
ROM:4030 dw 4E7Dh                     ; _FindGroupedField
ROM:4032 db 7Fh
; Continuation of the 3-byte record table (dw = routine address, db =
; presumably the flash page - TODO confirm). Names in the comments are the
; annotator's labels.
; The five _ret_N records all point at 4867h, and _Load_LFontV2 / _Load_LFontV
; share 790Ch.
ROM:4033 dw 4867h                     ; _ret_1
ROM:4035 db 7Fh
ROM:4036 dw 4867h                     ; _ret_2
ROM:4038 db 7Fh
ROM:4039 dw 4867h                     ; _ret_3
ROM:403B db 7Fh
ROM:403C dw 4867h                     ; _ret_4
ROM:403E db 7Fh
ROM:403F dw 4867h                     ; _ret_5
ROM:4041 db 7Fh
ROM:4042 dw 6CD1h                     ; _Mult8By8
ROM:4044 db 7Fh
ROM:4045 dw 6CD3h                     ; _Mult16By8
ROM:4047 db 7Fh
ROM:4048 dw 6DBEh                     ; _Div16By8
ROM:404A db 7Fh
ROM:404B dw 6DC0h                     ; _Div16By16
ROM:404D db 7Fh
ROM:404E dw 4924h                     ; _804E
ROM:4050 db 7Fh
ROM:4051 dw 486Eh                     ; _LoadAIndPaged
ROM:4053 db 7Fh
ROM:4054 dw 4888h                     ; _FlashToRam2
ROM:4056 db 7Fh
ROM:4057 dw 4D37h                     ; _GetCertificateStart
ROM:4059 db 7Fh
ROM:405A dw 4DA9h                     ; _GetFieldSize
ROM:405C db 7Fh
ROM:405D dw 4DECh                     ; _FindSubField
ROM:405F db 7Fh
ROM:4060 dw 4E30h                     ; _EraseCertificateSector
ROM:4062 db 7Fh
ROM:4063 dw 4B4Ah                     ; _CheckHeaderKey
ROM:4065 db 7Fh
ROM:4066 dw 4F82h                     ; _8066
ROM:4068 db 7Fh
ROM:4069 dw 4EF0h                     ; _8069
ROM:406B db 7Fh
ROM:406C dw 790Ch                     ; _Load_LFontV2
ROM:406E db 7Fh
ROM:406F dw 790Ch                     ; _Load_LFontV
ROM:4071 db 7Fh
ROM:4072 dw 5C69h                     ; _ReceiveOS
ROM:4074 db 7Fh
ROM:4075 dw 5009h                     ; _FindOSHeaderSubField
ROM:4077 db 7Fh
ROM:4078 dw 4D4Dh                     ; _FindNextCertField
ROM:407A db 7Fh
ROM:407B dw 5AFFh                     ; _GetByteOrBoot
ROM:407D db 7Fh
ROM:407E dw 442Fh                     ; _GetSerial
ROM:4080 db 7Fh
ROM:4081 dw 5D6Dh                     ; _ReceiveCalcID
ROM:4083 db 7Fh
ROM:4084 dw 4C1Eh                     ; _EraseFlashPage
ROM:4086 db 7Fh
ROM:4087 dw 4CA1h                     ; _WriteFlashUnsafe
ROM:4089 db 7Fh
ROM:408A dw 44F1h                     ; _DispBootVer
ROM:408C db 7Fh
ROM:408D dw 6675h                     ; _MD5Init
ROM:408F db 7Fh
ROM:4090 dw 668Fh                     ; _MD5Update
ROM:4092 db 7Fh
ROM:4093 dw 51FAh                     ; _MarkOSInvalid
ROM:4095 db 7Fh
ROM:4096 dw 4B1Ah                     ; _FindProgramLicense
ROM:4098 db 7Fh
ROM:4099 dw 51E6h                     ; _MarkOSValid
ROM:409B db 7Fh
ROM:409C dw 52B7h                     ; _CheckOSValidated
ROM:409E db 7Fh
ROM:409F dw 5372h                     ; _SetupAppPubKey
ROM:40A1 db 7Fh
ROM:40A2 dw 6E66h                     ; _SigModR
ROM:40A4 db 7Fh
ROM:40A5 dw 6E80h                     ; _TransformHash
ROM:40A7 db 7Fh
ROM:40A8 dw 52D2h                     ; _IsAppFreeware
ROM:40AA db 7Fh
ROM:40AB dw 4FFBh                     ; _FindAppHeaderSubField
ROM:40AD db 7Fh
ROM:40AE dw 53B3h                     ; _WriteValidationNumber
ROM:40B0 db 7Fh
ROM:40B1 dw 6CE6h                     ; _Div32By16
ROM:40B3 db 7Fh
ROM:40B4 dw 4E52h                     ; _FindGroup
ROM:40B6 db 7Fh
ROM:40B7 dw 477Ch                     ; _GetBootVer
ROM:40B9 db 7Fh
ROM:40BA dw 4781h                     ; _GetHardwareVersion
ROM:40BC db 7Fh
ROM:40BD dw 5B08h                     ; _XorA
ROM:40BF db 7Fh
ROM:40C0 dw 6A45h                     ; _BigNumPowerMod17
ROM:40C2 db 7Fh
ROM:40C3 dw 606Ch                     ; _ProdNrPart1
ROM:40C5 db 7Fh
ROM:40C6 dw 4C95h                     ; _WriteAByteSafe
ROM:40C8 db 7Fh
ROM:40C9 dw 4C8Ah                     ; _WriteFlash
ROM:40CB db 7Fh
ROM:40CC dw 5434h                     ; _SetupDateStampPubKey
ROM:40CE db 7Fh
ROM:40CF dw 4784h                     ; _SetFlashLowerBound
ROM:40D1 db 7Fh
ROM:40D2 dw 56D5h                     ; _LowBatteryBoot
ROM:40D4 db 7Fh
ROM:40D5 ; ---------------------------------------------------------------------------
; Writes A to port 6, then jumps to loc_7AA4 (not part of this excerpt).
ROM:40D5 out (6), a
ROM:40D7 jp loc_7AA4
ROM:40DA ; ---------------------------------------------------------------------------
; Swaps HL with the word on top of the stack, writes its low byte (L) to
; port 6, then restores AF and HL and returns. Presumably the bcall return path
; putting back the caller's page - confirm against the bcall body, which is not
; part of this excerpt.
ROM:40DA nop
ROM:40DB ex (sp), hl                  ; HL <- word on top of stack, caller's HL saved in its place
ROM:40DC push af                      ; keep A and flags across the port write
ROM:40DD ld a, l                      ; low byte of that word is the value for port 6
ROM:40DE ; START OF FUNCTION CHUNK FOR bcall
ROM:40DE
ROM:40DE loc_40DE:                    ; CODE XREF: bcall+3Bj
ROM:40DE out (6), a
ROM:40E0 pop af
ROM:40E1 pop hl                       ; pops the HL that `ex (sp), hl` stored
ROM:40E2 ret
ROM:40E2 ; END OF FUNCTION CHUNK FOR bcall
ROM:40E2 ; ---------------------------------------------------------------------------
ROM:40E3 db 0
; Second record table, same dw + db layout. The records whose db is 6Fh rather
; than 7Fh are the USB-named ones (_AttemptUSBOSReceive, _ReceiveOS_USB here).
ROM:40E4 dw 4145h                     ; _AttemptUSBOSReceive
ROM:40E6 db 6Fh                       ; o
ROM:40E7 dw 5FB8h                     ; _DisplayBootMessage
ROM:40E9 db 7Fh
ROM:40EA dw 705Fh                     ; _NewLine2
ROM:40EC db 7Fh
ROM:40ED dw 562Ah                     ; _DisplayBootError10
ROM:40EF db 7Fh
ROM:40F0 dw 5FD4h                     ; _Chk_Batt_Low_B
ROM:40F2 db 7Fh
ROM:40F3 dw 5FC6h                     ; _Chk_Batt_Low_B2
ROM:40F5 db 7Fh
ROM:40F6 dw 48CAh                     ; _ReceiveOS_USB
ROM:40F8 db 6Fh                       ; o
ROM:40F9 dw 6133h                     ; _DisplayOSProgress
ROM:40FB db 7Fh
ROM:40FC dw 5D64h                     ; _ResetCalc
ROM:40FE db 7Fh
ROM:40FF dw 532Fh                     ; _SetupOSPubKey
ROM:4101 db 7Fh
; Rest of the second record table (dw = routine address, db = presumably the
; flash page - TODO confirm). All _DisplayBootErrorN records point at 562Ah.
ROM:4102 dw 4B4Dh                     ; _CheckHeaderKeyHL
ROM:4104 db 7Fh
ROM:4105 dw 592Ah                     ; _USBErrorCleanup
ROM:4107 db 6Fh                       ; o
ROM:4108 dw 5276h                     ; _InitUSB
ROM:410A db 6Fh                       ; o
ROM:410B dw 6297h                     ; _810B
ROM:410D db 6Fh                       ; o
ROM:410E dw 5933h                     ; _KillUSB
ROM:4110 db 6Fh                       ; o
ROM:4111 dw 562Ah                     ; _DisplayBootError1
ROM:4113 db 7Fh
ROM:4114 dw 562Ah                     ; _DisplayBootError2
ROM:4116 db 7Fh
ROM:4117 dw 562Ah                     ; _DisplayBootError3
ROM:4119 db 7Fh
ROM:411A dw 562Ah                     ; _DisplayBootError4
ROM:411C db 7Fh
ROM:411D dw 562Ah                     ; _DisplayBootError5
ROM:411F db 7Fh
ROM:4120 dw 562Ah                     ; _DisplayBootError6
ROM:4122 db 7Fh
ROM:4123 dw 562Ah                     ; _DisplayBootError7
ROM:4125 db 7Fh
ROM:4126 dw 562Ah                     ; _DisplayBootError8
ROM:4128 db 7Fh
ROM:4129 dw 562Ah                     ; _DisplayBootError9
ROM:412B db 7Fh
ROM:412C ; ---------------------------------------------------------------------------
; Boot initialisation. Starts with a busy-wait: B = 0 makes `djnz $` spin 256
; times per pass, and SP is borrowed as a 16-bit pass counter that starts at
; 0FDFAh and is incremented until `add ix, sp` carries. The stack cannot be
; used until SP is reloaded at ROM:413F.
ROM:412C im 1
ROM:412E ld b, 0
ROM:4130 ld sp, 0FDFAh                ; this is a delay to make sure the hardware is ready
ROM:4130                              ; the battery is in all the way
ROM:4130                              ; and the interrupts are done
ROM:4133
ROM:4133 loc_4133:                    ; CODE XREF: ROM:loc_4133j
ROM:4133                              ; ROM:413Dj
ROM:4133 djnz $                       ; inner spin; B is 0 again when it falls through
ROM:4135 ld ix, 1
ROM:4139 add ix, sp                   ; IX = SP + 1, carry set once SP wraps past 0FFFFh
ROM:413B ld sp, ix
ROM:413D jr nc, loc_4133
ROM:413F ld sp, 0FFC5h                ; real stack pointer from here on
ROM:4142 ld a, 3
ROM:4144 out (0Fh), a                 ; again, I don't think this is necessary
ROM:4146 ld a, 7Fh
ROM:4148 out (7), a                   ; put the boot code in port (07) so when we switch
ROM:4148                              ; memory mapping, it will be in $8000
ROM:414A ld a, 6
ROM:414C out (4), a                   ; back to memory mapping 0
ROM:414E jp loc_4151
ROM:4151
ROM:4151 loc_4151:
ROM:4151 nop
ROM:4152 nop
ROM:4153 nop                          ; they probably had other code here but they nopped it
ROM:4153                              ; very useful for mods though :D
ROM:4154 nop
ROM:4155 nop
ROM:4156 nop
ROM:4157 ld a, 81h                    ; the check at ROM:4193 expects to read this value back from port 7
ROM:4159 out (7), a                   ; just setting ram
ROM:415B push af                      ; balanced by the `pop af` at loc_41B5
; `nop / nop / im 1 / di / out (n), a / di` recurs before each write to port
; 14h and to ports 21h-26h in this listing; presumably the exact instruction
; sequence the hardware requires for protected-port writes - TODO confirm.
ROM:415C ld a, 1
ROM:415E nop
ROM:415F nop
ROM:4160 im 1
ROM:4162 di
ROM:4163 out (14h), a                 ; unlock flash, we're in the boot code so we can do that
ROM:4165 di
; Sanity checks that follow the unlock write. Every failure takes loc_4175,
; which is `jp unk_0` (address 0000h, the reset entry). Any RAM clearing the
; original note mentions is not visible in this excerpt.
; NOTE(review): the checks run after the write to port 14h, so they detect an
; unexpected arrival at the unlock instruction rather than prevent the write;
; the reset on failure is what closes the window.
ROM:4166 push bc                      ; this whole next section is dedicated to make sure you
ROM:4166                              ; can't unlock flash in a sneaky way, essentially, if
ROM:4166                              ; any of the next tests fail, it clears ram
ROM:4167 push hl
ROM:4168 ld (word_83E8), sp
ROM:416C ld a, (word_83E8+1)          ; high byte of the saved SP
ROM:416F and 0C0h                     ; is SP >= $C000? (top two bits of the high byte both set)
ROM:4171 cp 0C0h
ROM:4173 jr z, loc_4178
ROM:4175
ROM:4175 loc_4175:                    ; CODE XREF: ROM:417Fj
ROM:4175                              ; ROM:418Bj ...
ROM:4175 jp unk_0                     ; common failure exit: restart from address 0000h
ROM:4178 ; ---------------------------------------------------------------------------
ROM:4178
ROM:4178 loc_4178:                    ; CODE XREF: ROM:4173j
ROM:4178 ld bc, 8
ROM:417B ld hl, (word_83E8)           ; is SP at least 8 away from the end?
ROM:417E add hl, bc                   ; carry means SP + 8 would run past 0FFFFh
ROM:417F jr c, loc_4175
ROM:4181 in a, (6)
ROM:4183 and 7Fh
ROM:4185 cp 7Fh
ROM:4187 jr z, loc_4191               ; are we on a boot page?
ROM:4189 cp 6Ch                       ; otherwise only 6Ch..6Fh are accepted
ROM:418B jr c, loc_4175               ; below 6Ch: fail
ROM:418D cp 70h
ROM:418F jr nc, loc_4175              ; 70h or above (other than 7Fh): fail
ROM:4191
ROM:4191 loc_4191:                    ; CODE XREF: ROM:4187j
ROM:4191 in a, (7)
ROM:4193 cp 81h                       ; is $8000 ram? (must match the 81h written at ROM:4159)
ROM:4195 jr nz, loc_4175
ROM:4197 ld hl, 0C000h                ; first address probed by the write test at loc_419C
ROM:419A ld c, 0                      ; first loop of this: is the bank in $C000 writable?
ROM:419A                              ; second loop: is the bank in $8000 writable?
; Write test for one byte at (HL): store the complement, read it back, undo the
; complement and compare with the original value. A mismatch means the write
; did not take and the code leaves through loc_4175 (`jp unk_0`). Runs once for
; 0C000h (C = 0) and once for 8000h (C = 1).
ROM:419C
ROM:419C loc_419C:                    ; CODE XREF: ROM:41B3j
ROM:419C ld a, (hl)
ROM:419D ld b, a                      ; B = original byte
ROM:419E cpl
ROM:419F ld (hl), a                   ; write the complement
ROM:41A0 ld a, (hl)                   ; read back
ROM:41A1 cpl
ROM:41A2 cp b                         ; equal only if the complement was actually stored
ROM:41A3 jr nz, loc_4175
ROM:41A5 ld (hl), a                   ; restore the original byte (A == B here)
ROM:41A6 ld a, c
ROM:41A7 or a
ROM:41A8 jr z, loc_41AE               ; C == 0: first pass done, go probe 8000h
ROM:41AA pop hl                       ; C != 0: both passes done, undo the pushes from ROM:4166/4167
ROM:41AB pop bc
ROM:41AC jr loc_41B5
ROM:41AE ; ---------------------------------------------------------------------------
ROM:41AE
ROM:41AE loc_41AE:                    ; CODE XREF: ROM:41A8j
ROM:41AE ld hl, 8000h
ROM:41B1 ld c, 1
ROM:41B3 jr loc_419C
ROM:41B5 ; ---------------------------------------------------------------------------
ROM:41B5
ROM:41B5 loc_41B5:                    ; CODE XREF: ROM:41ACj
ROM:41B5 pop af                       ; balances the `push af` at ROM:415B
ROM:41B6 ld a, 2
ROM:41B8 out (2Dh), a                 ; we're still not sure
ROM:41BA call setupLinkHandler
ROM:41BD ld a, 17h
ROM:41BF out (29h), a                 ; 6MHz lcd setup
ROM:41C1 ld a, 27h
ROM:41C3 out (2Ah), a                 ; 15 MHz lcd setup
ROM:41C5 ld a, 2Fh
ROM:41C7 out (2Bh), a                 ; 20 MHz lcd setup
ROM:41C9 ld a, 3Bh
ROM:41CB out (2Ch), a                 ; 25 MHz LCD setup
ROM:41CD ld a, 45h
ROM:41CF out (2Eh), a                 ; hardware delay
ROM:41D1 ld a, 4Bh
ROM:41D3 out (2Fh), a                 ; lcd ready delay
; Writes to ports 21h-26h, each wrapped in the same
; `nop / nop / im 1 / di / out / di` sequence used for port 14h. The limit
; meanings are the annotator's; what exactly each limit gates is not shown
; here - confirm against hardware documentation.
ROM:41D5 ld a, 1
ROM:41D7 nop
ROM:41D8 nop
ROM:41D9 im 1
ROM:41DB di
ROM:41DC out (21h), a                 ; lock the boot code (hush)
ROM:41DE di
ROM:41DF ld a, 8
ROM:41E1 nop
ROM:41E2 nop
ROM:41E3 im 1
ROM:41E5 di
ROM:41E6 out (22h), a                 ; set flash lower limit
ROM:41E8 di
ROM:41E9 ld a, 69h
ROM:41EB nop
ROM:41EC nop
ROM:41ED im 1
ROM:41EF di
ROM:41F0 out (23h), a                 ; set flash upper limit
ROM:41F2 di
ROM:41F3 ld a, 10h
ROM:41F5 nop
ROM:41F6 nop
ROM:41F7 im 1
ROM:41F9 di
ROM:41FA out (25h), a                 ; set ram lower limit
ROM:41FC di
ROM:41FD ld a, 20h
ROM:41FF nop
ROM:4200 nop
ROM:4201 im 1
ROM:4203 di
ROM:4204 out (26h), a                 ; set ram upper limit
ROM:4206 di
ROM:4207 xor a
ROM:4208 out (0Eh), a                 ; useless
ROM:420A out (0Fh), a
ROM:420C out (5), a                   ; port 5 <- 0
ROM:420E ld a, 7Fh                    ; ram page 0 to $C000 (it was already there)
                                      ; NOTE(review): that remark appears to describe the `out (5), a` above (A = 0);
                                      ; this instruction loads 7Fh for port 6 - confirm
ROM:4210 out (6), a
ROM:4212 ld a, 0F0h
ROM:4214 out (39h), a                 ; only needed on old USB driver
ROM:4216 ld a, 20h
ROM:4218 out (4Ah), a                 ; turn off the supplimentary D- power
ROM:421A push af
; Re-lock: A is zeroed, written to port 14h, then tested. Execution that falls
; through from ROM:421B always has A == 0, so `jp nz` can only fire when the
; `out (14h), a` was reached some other way with a non-zero A. In that case the
; code restarts from address 0000h instead of continuing with flash unlocked.
ROM:421B xor a
ROM:421C nop
ROM:421D nop
ROM:421E im 1
ROM:4220 di
ROM:4221 out (14h), a                 ; lock flash back up
ROM:4223 di
ROM:4224 or a                         ; Z set only if the value just written was 0
ROM:4225 jp nz, unk_0                 ; kill ourselves if we just unlocked flash
ROM:4228 pop af
ROM:4229 ld a, 80h
ROM:422B out (7), a                   ; ram page 0 to $8000
; Key scan, then the OS-present gate. As far as this excerpt shows, the gate is
; a marker check only: the byte at byte_38 must not be 0FFh and the word at
; word_56 must equal 0A55Ah. No hash or signature computation appears on this
; path.
; NOTE(review): presumably the OS image is validated when it is received
; (_MarkOSValid / _CheckOSValidated appear in the record table) and boot-time
; integrity then rests on flash write protection - confirm.
ROM:422D call bootCSCScan
ROM:4230 cp 38h
ROM:4232 jr z, delPressed
ROM:4234 cp 20h
ROM:4236 jr z, statPressed
ROM:4238 ld a, (byte_38)
ROM:423B cp 0FFh
ROM:423D jr z, noOSFound
ROM:423F ld hl, (word_56)
ROM:4242 ld bc, 0A55Ah
ROM:4245 or a                         ; clear carry so `sbc` is a plain 16-bit compare
ROM:4246 sbc hl, bc
ROM:4248 jp z, unk_53                 ; if all checks out, jump to the OS
ROM:424B ; START OF FUNCTION CHUNK FOR sub_461A
ROM:424B
ROM:424B noOSFound:                   ; CODE XREF: ROM:423Dj
ROM:424B                              ; sub_461A-7Aj ...
ROM:424B ld sp, 0FFC5h                ; reloads the stack pointer; the rest of this chunk lies past the end of the excerpt