I haven't tried to create a hardware emulator yet, mostly because I'm thoroughly overworked with an internship, sysadmin freelance work and a GSoC student to mentor. I don't expect a saner workload until September. Also, my C++ is rusty and my knowledge of Qt is nil, even though Qt Creator looks slick as heck.

I did not attempt to use JTAG. I did all my debugging with the UART. I wrote a GDB stub to poke stuff around, but without interrupts it is rather limited.

About exam mode: unlike TI hardware, there is no root of trust inside the HP Prime hardware. You can always program whatever you want into the first 8 KiB of Flash and the S3C2416 will happily run it. While HP could introduce crypto checks and obfuscate things in an update, it's nothing some reverse-engineering and a soldering iron can't reverse. Fixing that hole for real would require at the very least a new hardware revision.

New stuff added since last time :

• Complete keypad support ;
• gzip-compressed payloads ;
• Graphical menu to select a payload to launch ;
• Dumb integer RPN calculator demo, complete with 26 (a-z) variables.

The ability to boot the original firmware is crippled for now (only booting the diagnostic screen works).

I have now run out of simple things to implement. I can't push this thing any further without first porting a real-time operating system and making a USB GDB stub...

Ran out of presents to rip open? How about ripping open your HP Prime for science?

This is Rip'Em, a third-party firmware for the HP Prime calculator. It is a (rather primitive for now) unofficial bootloader that replaces PRIME_OS.ROM and is currently written by someone who doesn't know what he's doing.

For now, unless you can connect to the 3.3v TTL serial port inside the calculator nothing too exciting will happen.

What you can do with it for now :

• Launch a homegrown GDB stub over serial (only suitable for poking memory and upload/run code) ;
• Launch a single ELF file as a payload. Current payloads available are :
  
  • dummy.elf : A dummy payload that blinks the LEDs so you can hang your HP Prime to your Christmas tree ;
  • PRIME_OS.ROM : The official firmware can be launched using the osrom2elf tool supplied.
• Write your own application on bare metal using the libraries supplied.

Current plans and what you can do to help :

• Play around with Rip'Em ;
• Use the GDB stub to figure out the hardware ;
• Replace the homegrown GDB stub with the real stuff ;
• Write a USB serial driver to enable the GDB stub to work over it ;
• Add the ability to have multiple payloads, to read payloads from the FAT16 partition in PRIME_APP.DAT and to select a payload with a simple graphical user interface.

Non-goals (at least for me) :

• Reverse-engineering, patching or otherwise tampering with the official firmware. The TODO list is already big enough to keep me busy for a long time ;
• Bloat within RIp'Em itself. It's an ELF launcher, not a operating system. Even the GDB stub should be demoted as a payload eventually.

Source code available over at https://github.com/boricj/ripem. Kudos to Lionel Debroux for being the first one to run a third-party firmware on the HP Prime.

As always : please void your warranty in a responsible manner. I will decline any responsibility should you turn your HP Prime into the thinnest CAS calculator brick available currently on the market.

The link looks... interesting.

I bet it looks even more interesting right now :

(gdb) x/16x 0x30000000
0x30000000:     0x30000020      0x00000000      0x00100000      0x30000000
0x30000010:     0x00100000      0x004a3556      0x36313432      0x00000000
0x30000020:     0xeb000000      0xeafffffe      0xe92d4008      0xe59f000c
0x30000030:     0xeb00017f      0xe59f0008      0xeb0001cc      0xeb00012b
(gdb) set *(unsigned) 0x30000000 = 0x12345678
(gdb) x/16x 0x30000000
0x30000000:     0x12345678      0x00000000      0x00100000      0x30000000
0x30000010:     0x00100000      0x004a3556      0x36313432      0x00000000
0x30000020:     0xeb000000      0xeafffffe      0xe92d4008      0xe59f000c
0x30000030:     0xeb00017f      0xe59f0008      0xeb0001cc      0xeb00012b
(gdb) x/4x 0x56000070
0x56000070:     0x1400150a      0x00000062      0x01554050      0x00000000
(gdb)
I technically reached the minimum amount of features to one-up Lionel Debroux's PoC. I won't make an official announcement on the relevant board before Christmas for obvious drama and pun combo reasons, but if anyone wants to mutilate their calculator experiment with this before then :

You need a way to connect to a 3.3v TTL serial port. Open up your Prime and connect said way to UART_RX, UART_TX (right on top of the flash chip on my model) and BAT-.

On Debian, install the required cross-compiler packages (binutils-arm-none-eabi gcc-arm-none-eabi gdb-arm-none-eabi), clone the repository, use make to build everything. Prepare a terminal emulator at 115200 bauds.

On Windows, replace PRIME_OS.ROM with ripem.rom, connect the calculator to the computer (the battery isn't required - the Prime can power itself from USB), flash the new OS.

Back on Debian, check that the traditional "Hello world!" appeared on your screen. Close the terminal emulator and use arm-none-eabi-gdb to poke around.

And as always : please void your warranty in a responsible manner, I take no responsibility for whatever you did to your poor calculator.