Omnimaga
Calculator Community => Other Calculators => Topic started by: critor on July 21, 2011, 01:13:35 pm
-
Finally, I managed to get my hands on a consequent T4x asm documentation.
The 4-bit T4x CPU from Toshiba is used in all recent TI scientific calculators:
- TI-30XB/XS MultiView
- TI-30X Pro MultiView
- TI-34 MultiView
- TI-36X Pro
Check on TI-Bank:
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1254
Why don't you switch your TI-Nspire 3.0/CX calculator with one of those? Their hardware is much more open, and I'm sure there is no RSA key securing it! :P
-
Well, that's awesome :) So we can program on the TI-30 now?
-
Not yet, but if someone takes the time to work on that document and on the calculator ROM dumps (which can be extracted from the official emulators with my tool linked in the TI-Bank news), it might be the case soon.
-
Congratulations for finding this documentation :)
-
Thanks :)
I've been looking for it for months...
It might be useful to get the T4x asm tools mentioned in the documentation.
But Google doesn't seem to know these files...
- smac4x
- mac4x
- tumpl.exe
- tuapp
- sapp4x.exe
- fal4x.exe
- conv4x.exe
- asm4x.exe
ASM4X Relocatable Assembler V0.1o (UDE)
ASM4X Relocatable Assembler V0.1r (UDE)
Copyright(C) 1992 TOSHIBA CORPORATION All rights reserved
- link4x.exe
T4X Linkage Editor V0.1k(UDE)
T4X Linkage Editor V0.1l(UDE)
Copyright(C) 1992 TOSHIBA CORPORATION All rights reserved.
- ISTPBJ.EXE
- BUILDER.EXE
T8X/T4X Program Builder
If anybody finds something, please post here.
-
I found this page: http://www.cfpt.com.tw/eng_p2.htm , which contains "asm4x.exe".
Don't know if it's the right file though...
-
Nope, it seems to be different.
-
I've got a Ti-34 multiview and I've always wanted to hack it, or find a hidden menu or something. So I just downloaded all the files.
This will be around my 6th programming language if I do it :D
-
This is really cool. Good luck to all involved. ^-^
-
I've got a Ti-34 multiview and I've always wanted to hack it, or find a hidden menu or something.
I've already dug into those ROMs, but I couldn't find any string related to a hidden self test menu or something like that.
-
This appears to be quite interesting, excellent work critor! ;)
-
By the way, if you want to modify the dumped T4x ROMs and make some basic tests, my online emulator might be of some use to you.
http://xandrean.free.fr/T4X/TIScientific.html
-
I went through the emulator's ProcessorCoreT4xFunctions class to make a quick list of what each instruction does; hopefully this will help in understanding the instructions that weren't mentioned in the document.
    opcode  fields            cycles  flags  description
0   0000    1111114433---222  1       --     nop (f3=0), halt (f3=2)
    0100                                     invalid
    0200                      2       --     PC = PC + 1 + reg[f2]
    0300                      3       --     pop PC
1   0400    1111114433332222  2       --     M = low byte of ROM[reg7:reg6:reg5:reg4]
    0500                      2       --     M = high byte of ROM[reg7:reg6:reg5:reg4]
    0600                      1       --     M = f2, L = L + f3
    0700                      1       --     M = f3:f2
2   0800    11111144----2222  2       ZC     add M, f2
    0900                                     invalid
    0A00                      2       ZC     sub M, f2
    0B00                                     invalid
3   0C00    11111144----2222  2       Z-     and M, f2
    0D00                      2       Z-     or M, f2
    0E00                      2       Z-     xor M, f2
    0F00                      1       ZC     cmp M, f2
4   1000    111111----------                 invalid
5   1400    1111114433332222  2       --     M = WRam[f3:f2]
    1500                                     invalid
    1600                      4       --     swap M and WRam[f3:f2]
    1700                                     invalid
6   1800    111111443333----  3       ZC     block add WRam[f3:L] into WRam[H:L]: loops for A nybbles (0 = 16), L auto-increments
    1900                      3       ZC     block BCD add
    1A00                      3       ZC     block subtract
    1B00                      3       ZC     block BCD subtract
7   1C00    1111114433332222  2       --     block copy to WRam[H:(L+f2)] from WRam[f3:L]
    1D00                      2       --     block copy to WRam[H:(L+f2)] from WRam[f3:L] with decrementing L
    1E00                      4       --     block swap WRam[H:L] and WRam[f3:L]
    1F00                      2       ZC     block compare WRam[H:L] to WRam[f3:L]
8   2000    111111444-----22  1       -C     load M and shift right (count is offset by 1)
9   2400    111111444-----22  1       -C     load M and shift left (count is offset by 1)
10  2800    111111333333----  1       --     push regpair[f3]
11  2C00    111111333333----  1       --     pop regpair[f3]
12  3000    111111444333--22  1       -C     shift right (count is offset by 1)
13  3400    111111444333--22  1       -C     shift left (count is offset by 1)
14  3800    111111333333----  1       --     reg[f3] = M
15  3C00    111111333333----  1       --     M = reg[f3]
16  4000    1111114443332222  1       ZC     add reg[f4], reg[f3], f2
17  4400    111111444333-222  1       ZC     add reg[f4], reg[f3], reg[f2]
18  4800    1111114443332222  1       ZC     sub reg[f4], reg[f3], f2
19  4C00    111111444333-222  1       ZC     sub reg[f4], reg[f3], reg[f2]
20  5000    1111113333332222  1       --     reg[f3] = f2
21  5400    111111444333-222  1       ZC     adc reg[f4], reg[f3], reg[f2]
22  5800    1111114433332222  1       --     regpair[f4*2] = f3:f2
23  5C00    111111444333-222  1       ZC     sbc reg[f4], reg[f3], reg[f2]
24  6000    1111114443332222  1       Z-     and reg[f4], reg[f3], f2
25  6400    111111444333-222  1       Z-     and reg[f4], reg[f3], reg[f2]
26  6800    1111114443332222  1       Z-     or reg[f4], reg[f3], f2
27  6C00    111111444333-222  1       Z-     or reg[f4], reg[f3], reg[f2]
28  7000    1111114443332222  1       Z-     xor reg[f4], reg[f3], f2
29  7400    111111444333-222  1       Z-     xor reg[f4], reg[f3], reg[f2]
30  7800    111111333333----  1       --     regpair[f3] = M
31  7C00    111111333333----  1       --     M = regpair[f3]
32  8000    1111444433332222  1       --     WRam[f4:f3] = f2
36  9000    1111222222222222  0       --     call
40  A000    1111222222222222  2       --     call, setting high nybble of PC to zero
44  B000    1111222222222222  1       --     jump if Z=1
48  C000    1111222222222222  1       --     jump if Z=0
52  D000    1111222222222222  1       --     jump if C=1
56  E000    1111222222222222  1       --     jump if C=0
60  F000    1111222222222222  1       --     jump, sets high nybble of PC to reg7 if previous instruction modified reg7
I notice the emulator has ROM and RAM as separate address spaces, so it can't execute code from RAM... let's hope that's not how the actual calculator works.
Edit: things don't look good; section 4.3 of that pdf shows ROM and RAM both starting from address 0.
-
Not yet, but if someone takes the time to work on that document and on the calculator ROM dumps (which can be extracted from the official emulators with my tool linked in the TI-Bank news), it might be the case soon.
Either way, this seems like some progress, as the TI-30 was always completely unprogrammable :)
-
Thank you Goplat for taking the time to work on that.
I don't know if this has some interest, but on the 1st TI-30X Pro MultiView ROM, it was possible to freeze the calculator by typing some special values in the polynomial solver:
(http://i63.servimg.com/u/f63/13/23/13/53/30xpro10.gif)
The ROM is included in this old emulator version:
http://ti.bank.free.fr/index.php?mod=archives&ac=voir&id=1960
Could that bug trigger anything interesting?...
-
That screenshot is such a TI fail -.-
-
Wow, goplat, thank you. That looks like enough information to finish my disassembler. I feel like what you did was a lot easier than calc84's and my guessing method. :P
Edit:
Goplat, I need some clarification on some of the opcodes.
- What is block add?
- When you shift, what are the arguments?
But other than that, I think I understood the rest.
Edit2:
Your push/pops are wrong. It should be:
111111---22----- 1 -- push regpair[f2*2]
Also, the registers are:
4 bit:
f    a    l    h    e    d    p    b
000  001  010  011  100  101  110  111
8 bit:
af  hl  de  bp
00  01  10  11
Edit3:
I'm just going to keep editing until someone responds (as I find new information of course).
7800 and 7C00 also have the same format as push/pop, so in the list they are wrong.
Edit4:
Based on your system, what would 3EE0 be? I have no idea.
-
Goplat, I need some clarification on some of the opcodes.
It does multiple add-with-carries in a loop, so you can add multi-nybble numbers easily. Basically:
do {
    adc WRam[H:L], WRam[f3:L]
    inc L
    dec A
} while (A != 0)
- When you shift, what are the arguments?
Field 4 specifies the destination register, field 3 the source register, field 2 the shift count minus 1.
Edit2:
Your push/pops are wrong. It should be:
111111---22----- 1 -- push regpair[f2*2]
Actually the emulator does allow the use of the "high registers" (8-63) in push/pop, and even allows a register pair that starts on an odd-numbered register (although that's probably just a bug)
Edit4:
Based on your system, what would 3EE0 be? I have no idea.
Store register 46 to memory. I can't find anything about register 46 though.
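
Added example, not part of the original posts or of the emulator's code: a small Python decoder that pulls f2/f3/f4 out of a 16-bit instruction word using the mask strings from the opcode list earlier in the thread, checked against the 3EE0 case discussed here. The row subset, the function names and every sample word other than 3EE0 are constructed for illustration.

```python
# Mask characters, as in the opcode list: '1' = opcode bits,
# '2'/'3'/'4' = fields f2/f3/f4, '-' = unused. Leftmost char is bit 15.

# Subset of rows copied from the list (base opcode, mask, description).
# The shift wording follows the later explanation of fields 4/3/2.
ROWS = [
    (0x3000, "111111444333--22", "shift right: reg[f4] = reg[f3] >> (f2 + 1)"),
    (0x3800, "111111333333----", "reg[f3] = M"),
    (0x3C00, "111111333333----", "M = reg[f3]"),
    (0x4400, "111111444333-222", "add reg[f4], reg[f3], reg[f2]"),
    (0x5000, "1111113333332222", "reg[f3] = f2"),
    (0x8000, "1111444433332222", "WRam[f4:f3] = f2"),
]


def opcode_bits(mask):
    """Return the AND-mask covering the '1' (opcode) positions."""
    return sum(1 << (15 - pos) for pos, ch in enumerate(mask) if ch == "1")


def extract_fields(word, mask):
    """Collect the bits of `word` that sit under each field digit of `mask`."""
    if len(mask) != 16 or not 0 <= word <= 0xFFFF:
        raise ValueError("expected a 16-bit word and a 16-character mask")
    fields = {}
    for pos, ch in enumerate(mask):
        if ch in "234":
            bit = (word >> (15 - pos)) & 1
            name = "f" + ch
            fields[name] = (fields.get(name, 0) << 1) | bit
    return fields


def decode(word):
    """Return (base opcode, fields, description), or None if no row matches."""
    for base, mask, text in ROWS:
        sel = opcode_bits(mask)
        if word & sel == base & sel:
            return base, extract_fields(word, mask), text
    return None


if __name__ == "__main__":
    for w in (0x3EE0, 0x30A3, 0x52A7):  # 3EE0 is from the thread; others constructed
        base, fields, text = decode(w)
        print(f"{w:04X}: base {base:04X} {fields} -> {text}")
```

Groups such as 0400-0700 reuse one mask for four base opcodes, so a full decoder would also have to match the two bits marked as f4 there against the base value; the subset above avoids those rows.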
-
This is pretty cool. I'll be floored if you guys manage to find a way to execute code on these. ;D
-
Do those calcs actually have a port to send programs to them? You don't have anything about programs for that calc when you can't send them to it.
-
No, they don't have any sort of data port. I don't think any of them have any sort of programability built in either. If I remember correctly they are all scientific calcs.
-
List of all the high registers I could find that have special meaning to the emulator:
8-9: Stack pointer. Emulator masks off bits 0 and 7 when modified. References memory from 080 to 0FF
10-11: Bit 1: Enable ON key interrupt
       Bit 2: Enable timer 1
       Bit 3: Enable timer 2
       Bit 4: Enable key press interrupt
       Bit 5: Enable DMA complete interrupt
12-13: Bits 0-5: Select keypad rows
16-17: Bits 0-7: Bit set when key pressed
22: Bit 1: Set to start LCD update
23: Bit 0: Set to enable DRam bank/address auto-increment or decrement on access to 30-31
    Bit 1: If set, DRam bank/address auto-decrements, otherwise auto-increments
24: Bit 0: Allow access to DRam banks 0-D
    Bit 1: Allow access to DRam banks E-F
27: DRam bank
28-29: DRam address
30-31: DRam data. Access as a pair to read or write a byte
32-33: Bits 0-7: Key press interrupt column mask
40-41: Bit 0: ON key interrupt active
       Bit 1: Timer 1 interrupt active
       Bit 2: Timer 2 interrupt active
       Bit 3: Key pressed interrupt active
       Bit 4: DMA interrupt active
       Bit 5: LCD interrupt active
42: Bits 0-1: Timer 1 interval
        00 = 350000 TStates
        01 = 350000 TStates
        02 = 350000 TStates
        03 = 350000 TStates (...yes, they're all the same)
    Bit 2: Timer 1 interrupt enable
43: Bits 0-1: Timer 2 interval
        00 = 6000 TStates
        01 = 6000 TStates
        02 = 6000 TStates
        03 = 6000 TStates (...ditto)
    Bit 2: Timer 2 interrupt enable
44: Bit 0: Set to enable timers
47: Bit 0: ON key pressed
    Bit 3: Enable interrupt on ON key
48-50: DRam DMA byte count (000-7FF)
51: DRam DMA source bank
52-53: DRam DMA source address
56: DRam DMA bit shift count (0-7)
58: Bit 0: Set to start DMA; cleared when done
    Bit 3: Interrupt when complete
59: DRam DMA destination bank
60-61: DRam DMA destination address
-
Here's the disassembler, have fun.
-
Finally thePenguin77, did you find any hidden self test menu/program or something like that in the 5 available ROMs?
-
*bump*
Is there a way to load programs/os's to the flash by means of Arduino and wires?
-
I just took apart my TI-34 multiview, and although I can't speak for the others, I definitely don't think you can load programs onto this. The circuit board is just a cheap little thing with the processor buried under epoxy. There are only two exposed pieces of copper on the board and they are little circles that are probably just connected to ground. I don't see anywhere on this board where you would be supposed to connect a programmer.
I did find an LED though, if someone could find a way to light that, that would be cool.
-
I guess no more progress has been made, has it?
Maybe I will look into it too.
-
Yea, doesn't look like. Last post was a couple years ago. Some pretty talented people already took a crack at this, so I'm not sure you'll have much luck either.
-
Yea, doesn't look like. Last post was a couple years ago. Some pretty talented people already took a crack at this, so I'm not sure you'll have much luck either.
Idk, maybe it's worth a look. I will see if I can find anything useful.
-
@benedikt.muessig: I seem to remember there being a more definitive answer of no. It might've been in another thread, but I can't seem to find anything at the moment. Maybe @critor or @Goplat remembers. At any rate, if you are able to figure something out, that would be super cool! ^^