Omnimaga


Title: FLASHY - 83/4 series boot code modification
Post by: shmibs on July 02, 2011, 04:13:32 am
In response to TI's addition of anti-downgrade protection to their recently updated bootcodes, Brandon Wilson has created Flashy, a program which can directly modify the boot code of a ti-83+SE, 84+, 84+SE, or the brand-new ti-84 pocket. With the new ability to modify the boot code of these models, it is now possible to remove every last trace of Texas Instruments code from these calculators and replace it with custom-made code. However, doing so is EXTREMELY dangerous, as any errors that may occur will result in the device being insta-bricked. TI-Bank states that Flashy allows bootcodes to:
-be upgraded
-be downgraded
-be custom modified
-be swapped between models (essentially allowing one model to 'become' another, although differences in hardware will still be an issue)

This program (which can be found here (http://ti.bank.free.fr/index.php?mod=archives&ac=voir&id=3603)) has several features included to help avoid anything awful happening to your calculator, but you should still be absolutely certain that you know what you're doing before attempting to use it.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: Juju on July 02, 2011, 05:01:17 am
Nice! We finally managed to unlock all the software of the 83+/84+, after something like 15 years... Well that's just awesome. :D
Title: Re: FLASHY - 83/4 series boot code modification
Post by: BrandonW on July 02, 2011, 06:47:23 am
To add some more information:

The main uses for this are:
   1. Testing code very early in the boot process. We can learn a lot more about the hardware now that we can get control very early in the boot process (the very first instruction executed!), and we've learned quite a bit in the past week or so.
   2. Downgrading boot code 1.03 calculators, such as the TI-84 Pocket.fr (and now the 84+ and 84+SE, which have started showing up with 1.03). I have upgraded my calculators to 1.03 and downgraded them back to 1.00/1.02 without incident. This means the anti-downgrade protection and added 2048-bit RSA key is useless (epic fail).
   3. Customizing the boot sectors. We can now add Calcsys-like functionality to normally read-only boot sectors and gain new emergency recovery abilities you wish you had in the past. Corrupted OS and you really need to get your programs off? Now you can (as soon as we write such a utility to flash to it). We can also change functionality we assume will always be there -- we can change (and I have changed) the ON+DEL keyboard shortcut to something secret or more complex (to prevent strangers from getting into your calculator), or whatever you want...sky's the limit.

Also, if the process to create the image AppVar looks a little scary/confusing to you, you can use the pre-built AppVars made from boot code dumps available elsewhere (for the 83+SE, 84+, and 84+SE, from versions 1.00 to 1.03). I'd link you to them, but it's not exactly legal to host them. I'm sure if you look around in the "usual places", you can find them. :)

This program tries to be as safe as possible. The boot image AppVars it uses have up to two MD5 hashes embedded with them, one for each page. Both of these hashes are checked twice, battery levels are checked twice, the images themselves are checked for code patterns that must be present for the model being flashed to, the boot page jump table is checked for valid page and address ranges, and warnings are thrown up if anything looks amiss.

It even installs a temporary cursor hook to steal back control in the unlikely event that the boot page is erased (filled with 0xFF bytes (which are interpreted as "rst 38h" instructions)), where it will attempt to complete the write.

I personally tested it on my real 83+SE, 84+, and 84+SE calculators, and several other people have used it multiple times without incident. I have yet to brick a calculator using this program, even after making some pretty scary patches.

So it's worth a shot, if you're brave enough.
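As an added example (not Flashy's own code), the Python below sketches the kind of pre-flash sanity checks described above: per-page MD5 digests compared twice, a model-specific code pattern that must be present, and jump-table entries restricted to valid page numbers and an address window. The image layout, the 3-byte jump-table format, the page numbers and the address range are assumptions made for the demo, not Flashy's real AppVar format.

```python
import hashlib
import struct
PAGE_SIZE = 0x4000  # one 16 KB flash page

class ImageError(Exception): pass

def split_image(blob, pages=2):
    # Assumed layout for this example: page bytes back to back, then one 16-byte MD5 per page.
    body = PAGE_SIZE * pages
    if len(blob) != body + 16 * pages:
        raise ImageError("unexpected image length %d" % len(blob))
    page_data = [blob[i * PAGE_SIZE:(i + 1) * PAGE_SIZE] for i in range(pages)]
    digests = [blob[body + 16 * i:body + 16 * (i + 1)] for i in range(pages)]
    return page_data, digests

def verify_hashes(page_data, digests):
    # Recompute MD5 per page and compare; done twice, as the post describes, to catch a flaky read.
    for _ in range(2):
        for idx, (page, digest) in enumerate(zip(page_data, digests)):
            if hashlib.md5(page).digest() != digest:
                raise ImageError("MD5 mismatch on page %d" % idx)

def check_jump_table(page, valid_pages, addr_range=(0x4000, 0x7FFF)):
    # Assumed table format: 3-byte entries (target page, 16-bit LE address), 0xFF-terminated.
    entries, pos = [], 0
    while page[pos] != 0xFF:
        tgt_page, addr = struct.unpack_from("<BH", page, pos)
        if tgt_page not in valid_pages or not addr_range[0] <= addr <= addr_range[1]:
            raise ImageError("entry %d -> page %02X addr %04X out of range" % (len(entries), tgt_page, addr))
        entries.append((tgt_page, addr))
        pos += 3
    return entries

def validate_image(blob, valid_pages, required_pattern):
    # Returns (True, jump entries) if every check passes, else (False, reason); refuse to flash on False.
    try:
        page_data, digests = split_image(blob)
        verify_hashes(page_data, digests)
        if required_pattern not in page_data[0]:  # model-specific code pattern must be present
            raise ImageError("required code pattern missing")
        return True, check_jump_table(page_data[0], set(valid_pages))
    except ImageError as exc:
        return False, str(exc)

def build_demo_image():
    # Constructed sample image: a two-entry jump table, "ret" filler, a blank second page, two digests.
    table = struct.pack("<BH", 0x7F, 0x4010) + struct.pack("<BH", 0x3F, 0x5A00) + b"\xFF"
    page0 = (table + b"\xC9" * PAGE_SIZE)[:PAGE_SIZE]
    page1 = b"\x00" * PAGE_SIZE
    return page0 + page1 + hashlib.md5(page0).digest() + hashlib.md5(page1).digest()
```

The MD5 digests catch corruption or a truncated transfer, not deliberate tampering; an image from an untrusted source still needs an out-of-band check of where it came from.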
Title: Re: FLASHY - 83/4 series boot code modification
Post by: thepenguin77 on July 02, 2011, 09:09:13 am
I personally tested it on my real 83+SE, 84+, and 84+SE calculators, and several other people have used it multiple times without incident. I have yet to brick a calculator using this program, even after making some pretty scary patches.

That's me. I've flashed like 12 images or so to my calculator, so I can confirm to you that it works. Just be sure to test it first in wabbitemu. Buckeye's latest debug release allows boot code modification and includes everything new we learned about the calculator hardware on boot (which is weird). If you are going to mod a page, be sure to test it because I've bricked wabbitemu about 6 times.

And I haven't said it yet, but great job Brandon!
Title: Re: FLASHY - 83/4 series boot code modification
Post by: TIfanx1999 on July 02, 2011, 09:49:02 am
Awesome stuff guys! Thank you for every thing you do. :)
Title: Re: FLASHY - 83/4 series boot code modification
Post by: calcdude84se on July 02, 2011, 12:52:58 pm
Excellent! :D
thepenguin has, as stated in the other topic (but I'll restate it here), created a modified boot code image that conditionally runs your own code before anything else happens, and Brandon's stated his intentions (he might have already done it) to make a similar version that either starts normally, runs what's on RAM page 0 (which is what thepenguin's does), or runs what's on $2C/$6C (which would be 84+(SE) only, I assume).
...everything new we learned about the calculator hardware on boot (which is weird)
Our current understanding, as I remember it, goes mostly as follows:
The calculator starts in a memory map mode that's mostly like mode 0 (port 6 controls bank 1, port 7 controls bank 2, port 5 controls bank 3) except that page $3F/$7F is swapped into bank 0 (where page $00 normally is). $00 is swapped into banks 1 and 2 and RAM page 0 into bank 3.
A jump ending in a bank swapped in because of port 6 (bank 1 in mode 0, additionally bank 2 in mode 1) swaps $00 back into bank 0.
Ports $0E and $0F have nothing to do with this; as far as we know they are worthless.
Last I checked thepenguin still has not managed to successfully initialize the LCD himself.
The initial states of other ports can be found in the appropriate topic (state of the calculator at boot (http://ourl.ca/11865), to be linked shortly).
thepenguin/BrandonW: I probably forgot something/got something wrong, so correct me if I did.
Edit: Fixed information regarding swapping $00 back.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: thepenguin77 on July 02, 2011, 01:00:57 pm
Calcdude, I figured out that you only have to execute code in a bank controlled by port (06).

Also, I figured out what was wrong with the LCD; I had a few "ld ($10), a" where I should have had "out ($10), a".
Title: Re: FLASHY - 83/4 series boot code modification
Post by: calcdude84se on July 02, 2011, 01:05:06 pm
Calcdude, I figured out that you only have to execute code in a bank controlled by port (06).
Ah, okay. Do we still not know why just executing TI's code from bank 1 directly doesn't work?

Also, I figured out what was wrong with the LCD, I had a few "ld ($10), a" where I should have had "out ($10), a"
Oops :P
Title: Re: FLASHY - 83/4 series boot code modification
Post by: thepenguin77 on July 02, 2011, 01:21:32 pm
Calcdude, I figured out that you only have to execute code in a bank controlled by port (06).
Ah, okay. Do we still not know why just executing TI's code from bank 1 directly doesn't work?

I did something else wrong, it works now. (I almost feel like I didn't press ON.)
Title: Re: FLASHY - 83/4 series boot code modification
Post by: calcdude84se on July 02, 2011, 01:26:13 pm
I did something else wrong, it works now. (I almost feel like I didn't press ON.)
Oh, okay. So TI's method of switching to mode 1 and then to mode 0, ultimately ending up in bank 1, is officially pointless :P
Title: Re: FLASHY - 83/4 series boot code modification
Post by: Netham45 on July 02, 2011, 01:48:28 pm
This is awesome. I almost want to upgrade my calc to 1.03, just so I can downgrade again. :P

Just curious, are there any major applications for this, other than just being able to be 100% open-source?
Title: Re: FLASHY - 83/4 series boot code modification
Post by: calcdude84se on July 02, 2011, 01:51:32 pm
Well, there's what Brandon said above. You could add utilities and recovery tools (or even a mini-OS, perhaps). We could get rid of OS validation, etc. But, admittedly, there isn't much use to changing the bootcode beyond that, at least AFAICT.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: Netham45 on July 02, 2011, 01:53:22 pm
Well, OS validation is good to a point; it ensures that nothing that wipes the boot pages randomly gets written to a privileged page on corruption. :P
Title: Re: FLASHY - 83/4 series boot code modification
Post by: DJ Omnimaga on July 02, 2011, 02:43:02 pm
This is awesome. Good job BrandonW. By the way, is the reason why it doesn't mention the regular 83+ due to this program using the extra RAM page or something? I forgot.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: calcdude84se on July 02, 2011, 03:23:00 pm
It's because the 83+ doesn't have the port that's been used to bypass the protection on the boot code.
We don't know whether or not modification of its boot code is possible yet, I think.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: mrmprog on July 02, 2011, 03:24:52 pm
BrandonW is a calc god.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: calcdude84se on July 02, 2011, 03:43:48 pm
Don't forget thepenguin77; he did a lot of the testing and helped get most of the information in my post here: http://ourl.ca/11891/224537 (http://ourl.ca/11891/224537) :D
I played the minor role of beta testing FLASHY (I took my 84+SE 1.02->1.03->1.02), as did a couple others, who can speak for themselves. (I think DJ was among them, IIRC.)
Title: Re: FLASHY - 83/4 series boot code modification
Post by: DJ Omnimaga on July 02, 2011, 11:38:28 pm
It's because the 83+ doesn't have the port that's been used to bypass the protection on the boot code.
We don't know whether or not modification of its boot code is possible yet, I think.
Thanks for the info. That said, it doesn't seem like they are willing to add the new boot code to the 83+ anyway, and the latest OS is the best it seems, unlike on the 84+. The only issue that could arise with a boot code update is not being able to run third-party OSes on the 83+BE.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: jnesselr on July 03, 2011, 09:53:13 am
The only thing I'm actually wondering about this is if TI will actually even care enough to attempt to prevent a boot code change by some new OS.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: BrandonW on July 03, 2011, 04:36:46 pm
The only thing TI has on us is the hardware and any read-only code on it, such as the boot code. That's what the initial fear over 1.03 was about. But now that we can change it, it doesn't matter. The 84+/SE/Pocket are permanently open.

It will be interesting to see if they remove this capability in new hardware. The very existence of it is an indicator that this might not be easy for them to do.

We can erase the boot code on the 73 and 83+, but we can't write back to it (yet). So it's not all that useful.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: DJ Omnimaga on July 03, 2011, 05:30:31 pm
On TI-BANK, the news about Flashy says something implying they don't believe we permanently unlocked the 84+ with Flashy, in reference to how they countered the key factoring, Nleash, etc., and that they might try to come up with another alternative to prove us wrong. However, I am wondering what kind of alternative they could find...
Title: Re: FLASHY - 83/4 series boot code modification
Post by: DrDnar on July 03, 2011, 10:33:58 pm
Like I said before, if they remove the ability to unlock the boot sector, we can still release a bricker using the little-known full chip erase function. Which won't really do anything except remind them that they can't control hardware they didn't manufacture.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: BrandonW on July 03, 2011, 10:41:01 pm
On TI-BANK, the news about Flashy says something implying they don't believe we permanently unlocked the 84+ with Flashy, in reference to how they countered the key factoring, Nleash, etc., and that they might try to come up with another alternative to prove us wrong. However, I am wondering what kind of alternative they could find...

While it's true that TI can always do something to counter what we do, the fact remains that every 73/83+ and 84+ series calculator manufactured to date (and so far, still being manufactured) is permanently hackable. The only move they have is to modify the hardware, and if you've already bought it, you're in good shape.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: Munchor on July 07, 2011, 06:21:40 am
Downgrading Pocket and emulating other calcs on it? Sweeeet, nice job BrandonW!
Title: Re: FLASHY - 83/4 series boot code modification
Post by: JosJuice on July 07, 2011, 07:35:53 am
Downgrading Pocket and emulating other calcs on it? Sweeeet, nice job BrandonW!
I don't think this allows us to emulate other calcs... You can't just take the boot code from another calc and expect it to work, because of all the small hardware differences.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: Munchor on July 07, 2011, 07:36:32 am
Downgrading Pocket and emulating other calcs on it? Sweeeet, nice job BrandonW!
I don't think this allows us to emulate other calcs... You can't just take the boot code from another calc and expect it to work, because of all the small hardware differences.

Can't we emulate the 84+ and 83+ OSs?
Title: Re: FLASHY - 83/4 series boot code modification
Post by: JosJuice on July 07, 2011, 07:39:28 am
Downgrading Pocket and emulating other calcs on it? Sweeeet, nice job BrandonW!
I don't think this allows us to emulate other calcs... You can't just take the boot code from another calc and expect it to work, because of all the small hardware differences.

Can't we emulate the 84+ and 83+ OSs?
The Pocket.fr is exactly like an 84+ hardware-wise, so you can just put the 84+ OS on it, and it'll work. The 83+ has some differences in hardware, plus the archive size is different, so it doesn't really work.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: Spyro543 on August 05, 2011, 10:04:11 am
Wait so if we can modify the boot code, we can boot from the USB port on the calc?
Title: Re: FLASHY - 83/4 series boot code modification
Post by: calcdude84se on August 05, 2011, 11:43:47 am
We could... sorta. It wouldn't be able to just run like any OS now, which can just run from flash. The boot code would have to read the flash drive and copy code to RAM, while also making the OS able to copy more code. Because you'll just be copying to RAM anyway, it would make a lot more sense just to make a minimal OS that did the same thing. No point in risking modification of the boot code. The closest you should ever get to that is making a very small mod that runs page $3C/$6C under certain conditions, and $3C/$6C could contain that code. Since $3C/$6C is a privileged page (as is all of its sector, because $3F/$6F is more boot code...), you wouldn't need any other OS. To be honest, I still don't see much point in "booting from a flash drive" :/
Title: Re: FLASHY - 83/4 series boot code modification
Post by: Spyro543 on August 05, 2011, 12:23:21 pm
To be honest, I still don't see much point in "booting from a flash drive" :/
Well, running an OS without installing it.
If it's possible, I should tell Venom.
Title: Re: FLASHY - 83/4 series boot code modification
Post by: calcdude84se on August 05, 2011, 10:01:57 pm
You could still run an OS, it would just be more difficult. You couldn't use page $00, since that's flash, making all of $0000-$3FFF worthless. You'd have to put it in RAM, cutting into free RAM.
To be honest, Venom would probably be better off porting an OS designed for z80 rather than trying to port Linux :/