Author Topic: HP Prime Emulator  (Read 6585 times)

0 Members and 1 Guest are viewing this topic.

Offline gigi1237

  • LV1 Newcomer (Next: 20)
  • *
  • Posts: 17
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #15 on: August 19, 2017, 10:48:31 am »
Yep I'm perfectly aware of that. I initially thought it was because the interrupt controller was not working properly but that can't be the case because the boot process breaks before unmasking any interrupts. I for the life of me can't figure what unimplemented system is causing the failure to boot.

Debugging with gdb does not provide anything too useful as the fault occurs far from where the code hangs.

Offline webmasterpdx

  • LV0 Newcomer (Next: 5)
  • Posts: 4
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #16 on: September 03, 2017, 03:07:33 am »
You can't emulate this at the system level without the various system call API.....where are you going to get that? I doubt if HP is just going to give it to you....
just curious...
Thx

Offline Hooloovoo

  • LV5 Advanced (Next: 300)
  • *****
  • Posts: 225
  • Rating: +22/-0
    • View Profile
Re: HP Prime Emulator
« Reply #17 on: September 03, 2017, 04:18:02 am »
We're emulating at a level much lower than the syscall level, we're emulating the hardware the syscalls run on.
"My world is Black & White. But if I blink fast enough, I see it in Grayscale." -tr1p1ea
Spoiler For some of the calcs I own:



(actually I have quite a few more than this, but I don't feel like making bars for them all.)

Offline gigi1237

  • LV1 Newcomer (Next: 20)
  • *
  • Posts: 17
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #18 on: September 03, 2017, 02:35:44 pm »
You can't emulate this at the system level without the various system call API.....where are you going to get that? I doubt if HP is just going to give it to you....
just curious...
Thx

My original project was doing exactly this. The way I obtained the SysAPIs was by reverse engineering the calc's firmware. So no need for HP to hand them over.

The new project is a hardware level emulator.

Offline webmasterpdx

  • LV0 Newcomer (Next: 5)
  • Posts: 4
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #19 on: September 03, 2017, 07:16:21 pm »
Ah, OK, because in an earlier post, it was stated that it wasn't going to be a hardware emulator, but a syscall level emulator. That makes more sense. Emulating the hardware allows the system rom file to be used.....makes much more sense...
Thks
-D

Offline gigi1237

  • LV1 Newcomer (Next: 20)
  • *
  • Posts: 17
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #20 on: October 25, 2017, 09:54:53 am »
I've been bashing my head on the emulator. I've narrowed down the biggest issue at the moment being memory allocation being incorrect. Does anyone know exacly how the RAM/SRAM is mapped on the Prime? Because if I allocate 32mb at 0x30000000 the prime tries reading and writing above that too, even though it correctly detects the amount on memory in the UART output logs.

Offline Jean-Baptiste Boric

  • LV2 Member (Next: 40)
  • **
  • Posts: 20
  • Rating: +1/-0
    • View Profile
Re: HP Prime Emulator
« Reply #21 on: October 26, 2017, 05:38:51 pm »
It's been way too long (NumWorks is kinda distracting me these days), but there should be 32 MiB at 0x30000000 and 64 KiB at 0x0. The DRAM controller can map up to 128 MiB of memory.

Not sure why the official firmware would want to poke beyond 0x32000000. It could be memory prodding/detection (unlikely), GPIO/hardware registers not having the right values or plain old sloppiness. I can poke memory around with the Rip'Em GDB stub over serial if you need.
« Last Edit: October 27, 2017, 11:46:41 am by Jean-Baptiste Boric »
We're gonna have a geeky Christmas,
That is what we'll do.
We're gonna have a geeky Christmas,
Hope you'll have one too.

Offline gigi1237

  • LV1 Newcomer (Next: 20)
  • *
  • Posts: 17
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #22 on: October 27, 2017, 10:34:05 am »
My best best is something being wonky in the DRAM configuration registers. Right now I'm initializing the values to the defaults found in the s3c2416 manual, these might be incorrect for the prime or even plain wrong in general (its happened already).

If you could poke around and dump the values of the registers relating to memory you'd do me a huge favor. At the moment I've got no way to use the GDB stub on my Prime.  :-\

Offline Jean-Baptiste Boric

  • LV2 Member (Next: 40)
  • **
  • Posts: 20
  • Rating: +1/-0
    • View Profile
Re: HP Prime Emulator
« Reply #23 on: October 27, 2017, 11:50:06 am »
I checked and I have everything at hand in my flat. I'll perform the hex dumps tomorrow.
We're gonna have a geeky Christmas,
That is what we'll do.
We're gonna have a geeky Christmas,
Hope you'll have one too.

Offline Jean-Baptiste Boric

  • LV2 Member (Next: 40)
  • **
  • Posts: 20
  • Rating: +1/-0
    • View Profile
Re: HP Prime Emulator
« Reply #24 on: October 29, 2017, 04:52:40 am »
Took a bit longer to set up everything once again than expected, but here it goes :

Code: [Select]
# DRAM Controller
(gdb) x/8xw 0x48000000
0x48000000:     0x0004890d      0x44000050      0x0099003f      0x80000033
0x48000010:     0x00000405      0x00000000      0x00000000      0x00000000
0x48000020:     0x00000000      0x00000000      0x00000000      0x00000000
0x48000030:     0x00000000      0x00000000      0x00000000      0x00000000

# Matrix & EBI
(gdb) x/16xw 0x4E800000
0x4e800000:     0x00000004      0x00000004      0x00000004      0x00000000
0x4e800010:     0x00000004      0x00000004      0x00000004      0x00000000
0x4e800020:     0x00000004      0x00000004      0x00000004      0x00000000
0x4e800030:     0x00000004      0x00000004      0x00000004      0x00000000

# Memory Controllers ( SSMC )
(gdb) x/64xw 0x4F000000
0x4f000000:     0x0000000f      0x0000001f      0x0000001f      0x00000002
0x4f000010:     0x00000002      0x00303000      0x00000000      0x0000001f
0x4f000020:     0x0000000f      0x0000001f      0x0000001f      0x00000002
0x4f000030:     0x00000002      0x00303000      0x00000000      0x0000001f
(gdb) x/8xw 0x4F000100
0x4f000100:     0x00000000      0x0000001f      0x0000001f      0x0000001f
0x4f000110:     0x0000001f      0x0000001f      0x0000001f      0x0000001f
(gdb) x/8xw 0x4F000200
0x4f000200:     0x00000000      0x00000003      0x00000000      0x0000000a
0x4f000210:     0x00000000      0x00000000      0x00000000      0x00000000

# Interrupt controller
(gdb) x/16xw 0x4A000000
0x4a000000:     0x00004004      0x00000000      0xffffffff      0x00000000
0x4a000010:     0x00000000      0x00000000      0x00010003      0x1fffffff
0x4a000020:     0x00000000      0x00000000      0x00000000      0x00000000
0x4a000030:     0x00000000      0x0000007f      0xdeadcafe      0xdeadcafe

# System controller
(gdb) x/16xw 0x4C000000
0x4c000000:     0x0000ffff      0x0000ffff      0x00008000      0xdeaddead
0x4c000010:     0x80640061      0xdeaddead      0x01200102      0x00000000
0x4c000020:     0x00000118      0x0000022d      0x00000000      0x00000000
0x4c000030:     0xffffffff      0xffffffbf      0xffff9fff      0xdeaddead

# I/O ports
(gdb) x/72xw 0x56000000
0x56000000:     0x005e0000      0x00007000      0x00000000      0x00000000
0x56000010:     0x00141016      0x000003ea      0x00000950      0x00000000
0x56000020:     0xaaaa56aa      0x000000b0      0x00000000      0x00000000
0x56000030:     0xaaaa5555      0x00000080      0x00000000      0x00000000
0x56000040:     0xa0000000      0x0000c000      0x05555555      0x00000000
0x56000050:     0x000061a1      0x0000007d      0x00000404      0x00000000
0x56000060:     0x00000000      0x0000ff00      0x00005555      0x00000000
0x56000070:     0x1400150a      0x00000062      0x01554050      0x00000000
0x56000080:     0xd0000020      0x00000000      0x00000000      0x00000000
0x56000090:     0x00000000      0x00000000      0x00000000      0x00000000
0x560000a0:     0x00000000      0x00fffff0      0x00000040      0x0000000f
0x560000b0:     0x32450003      0x00000000      0x00000000      0x00000000
0x560000c0:     0x2aaaaaaa      0x0aaaaaaa      0x0aa8aaaa      0x00000000
0x560000d0:     0x00000000      0x00000000      0x55555555      0x00000000
0x560000e0:     0xaaaaaaaa      0x00000000      0x55555555      0x00000000
0x560000f0:     0x04050055      0x00007cf0      0x00050055      0x00000000
0x56000100:     0x00000008      0x00000003      0x00000000      0x00000000
0x56000110:     0x000002aa      0x00411540      0x05451500      0x00ff0000
We're gonna have a geeky Christmas,
That is what we'll do.
We're gonna have a geeky Christmas,
Hope you'll have one too.

Offline gigi1237

  • LV1 Newcomer (Next: 20)
  • *
  • Posts: 17
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #25 on: April 30, 2018, 08:41:42 pm »
Hey guys, just a quick update. I recently tinkered with the emulator a bit more and finally got the original prime OS to boot  :w00t: :w00t:



I'm using a flash dump done through jtag to boot from posted on one of the formus, don't remeber which. I tried to manually make flash images from the update files but none of them seem to work so far. Still this is good progress. Although everything is just mostly a massive hack at this point. The next challenge will be getting the touch input working. This won't be easy at all since the nt11002 touch controller chip appears to be undocumented except for a few source files for linux drivers.  :mad: :banghead:

Offline Jean-Baptiste Boric

  • LV2 Member (Next: 40)
  • **
  • Posts: 20
  • Rating: +1/-0
    • View Profile
Re: HP Prime Emulator
« Reply #26 on: May 01, 2018, 04:13:49 am »
Impressive!

I think really old firmwares don't have the slide-to-unlock at first boot. Might be worth trying one out, I vaguely recall the flash having the following layout: BXCBOOT0.BIN (256KiB) | PRIME_OS.ROM (1MiB) | PRIME_MASTER.DAT (4MiB) | PRIME_APP.DAT (32MiB) | data (remainder). Perhaps you can double-check with your existing image if this matches?

Does the diagnostics tool (C-F-O) work? It's likely to be useful for troubleshooting/reverse-engineering, there's test modes for the touch screen.

I'm not tooled for bus sniffing unfortunately, but maybe I can jury-rig something with a Raspberry Pi. Not going to happen right now though, I'm on vacation and I left my equipment behind...
We're gonna have a geeky Christmas,
That is what we'll do.
We're gonna have a geeky Christmas,
Hope you'll have one too.

Offline gigi1237

  • LV1 Newcomer (Next: 20)
  • *
  • Posts: 17
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #27 on: May 02, 2018, 05:43:58 pm »
So I managed to get ahold of the NT11002 datasheet. Sadly it contains nothing particularly useful. Most of the functionality is determined by the firmware as it's basically a 8051-compatible processor. So I guess we should try to get a dump of the firmware on the prime. There might be something in the update images, if the driver is anything like the linux one, which basically tries to perform a firmware update everytime it intializes the NT11002.

For the images I tried to build them by appending the files in the order you mentioned, one after the other and then using truncate to get the image to 256Megs. Which matches the image I have. But the image refused to boot. So either I appended in the wrong order, different versions don't work or there is other data beyond that supplied in the firmware updates.

I was also unable to get into the diagnostic tool. SInce it requires the reset button to be pressed and the emulator does not implement that yet. This, along with implementing touch and getting video to be more stable should be the two main priorities for the emulator right now.

Edit:
I managed to dump the Touch controller's firmware from the diagnostic utility executable. The challenge will be analyzing it now. If anyone is interested PM me and ill send you a copy.
« Last Edit: May 02, 2018, 07:35:40 pm by gigi1237 »

Offline Jean-Baptiste Boric

  • LV2 Member (Next: 40)
  • **
  • Posts: 20
  • Rating: +1/-0
    • View Profile
Re: HP Prime Emulator
« Reply #28 on: May 03, 2018, 11:08:41 am »
I'm not sure doing a low-level emulation of the NT 11002 is the way to go. I believe a high-level emulation of the I2C protocol and not worry about reverse-engineering+emulating a whole MCU would be simpler.

I got a bunch of old firmware update files from educalc.net and I managed to launch them, only to quickly get stuck on a HP logo inside what appears to be PRIME_OS.ROM. Firmwares 20130808 and 20130813 have egregious amounts of logging on the UART which could prove useful (after cleaning up garbage):
Code: [Select]
Run>
Init 320x240
Init 320x240 rVIDCON0=0x5270
320x240 rVIDTCON0=0x110300 rVIDTCON1=0x401100 rVIDTCON2=0x7793f rVIDCON1=0x80
ARMCLK:400000000
HCLK  : 133333333
PCLK  : 66666666
nandid: ec da 10 95 44
InitBfsHeader...
nandid: ec da 10 95 44
block size:0x20000 page size :0x800 Attr:1c03110b NandSize:256(MB)
read header...ok
has BFS header
[00][01]
BFS End.

1ram size :32MB
rBANKCFG:4890d
CodeEntry:0x30000020
CodeLoadeAddress:0x30000000
CodeLoadSize:0x100000
CodeEntry:0x30000020
CodeLoadeAddress:0x30000000
CodeLoadSize:0x100000
MPLL  : 800000000
CLK   : 400000000 (400 MHz)
HCLK  : 133333333
PCLK  : 66666666
ARMCLKDIV  : 1
HCLKDIV  : 1
PCLKDIV  : 1
Nand0ID   = EC DA 10 95 44
Nand0Attr = 51c110b
Nand0Sz   = 256 (MB)
[BFS][0] table items = 2048
[BFS][SetupCorrectTable] wTableItemSum = 2048
Nand1ID   =
Nand1 not exist!
CODE INFORMATION 1
 ARCH: V5J, CPU: 2416
  CMV: 0
CURRENT RUNNING CODE
 ARCH: V5J, CPU: 2416
  CMV: 0
Data0: 00000000 01000000 / 00000000 00400000
 nDataInNand0Size=00000000 00500000
 finding appsdisk(00000000 00500000)...
Data1: 00000000 02000000 / 00000000 02000000
 NandChipNum  =1
 CodeSz       =00100000
 Data0Sz      =00000000 00400000
 ApDskSz      =00000000 02000000
 ApDskInNand0 =00000000 02000000
 TotalSz      =00000000 02500000
Unlcok area: 4a00 ~ 20000
SetVRAMAddress=31e80000
UsbVBusInit
[INFO] makedata version=20090828
[INFO] makedata version=20090828
This system don't support hardware 2D accelerate!!!
kv= 0
[ARCH] id=32450003
[ARCH] name=S3C2450
[ARCH] interface=000000F5
UsbHostVbusInit DEV_CONNECTkv= 0
 startblock: 139
   endblock: 7c7
 startblock: 139
   endblock: 7c7
[NAND Scan]Block size:0x 0 20000
[NAND Scan]Page size:0x 0 800
[NAND Scan]OOB size:0x 40
[NAND Scan]Scan start addr:0x 0 2720000
[NAND Scan]Scan end addr:0x 0 f8e0000
NAND Scan Start!

Firmwares 20130813 onwards show a subliminal message ("Firmware verification in progress. HP Prime will automatically continue when the operation is completed. This may take up to 1 minute").

I used the following to get these images:
Code: [Select]
cat BXCBOOT0.BIN BESTAARM.ROM MASTER.DAT APPSDISK.DAT > dat.raw && dd if=/dev/zero of=dat.raw count=1 bs=1 seek=$((256*1024*1024-1))
We're gonna have a geeky Christmas,
That is what we'll do.
We're gonna have a geeky Christmas,
Hope you'll have one too.

Offline gigi1237

  • LV1 Newcomer (Next: 20)
  • *
  • Posts: 17
  • Rating: +0/-0
    • View Profile
Re: HP Prime Emulator
« Reply #29 on: May 03, 2018, 12:22:24 pm »
Apologies, I forgot to commit the last changes to github so you were still running and old version of qemu. Nonetheless, I tried making images that way and I get the same result as yours. I think the problem is that they are missing something that is not included in the update files. The dumped image I have confirms it. Try to boot with it: http://bit.ly/1z6jv9B, you should get to where I got in the screenshot.

I also was not planning of low level emulating the nt11002, but I think the firmware could provide us with good information about the i2c protocol it uses.

Do you happen to know on what pin is the reset switch on the prime?