Messages - bsl
106
« on: February 27, 2011, 03:10:35 pm »
I'm just wondering if I could remove the OS, then send a more recent compatible OS (which I don't have for now) and use it to dump Boot1, Boot2 & diags. But if this 1.1.7xxx boot2 has no USB linking support, then the calculator will be totally unusable.
You still have the option of upgrading the later developer boot2 through RS232.
107
« on: February 26, 2011, 11:30:14 am »
Does it accept a TI-84+ keypad? And if so - see if there are undocumented calls for this prototype.
108
« on: February 23, 2011, 09:53:56 am »
I have Adobe Acrobat - it works for OCR. If all you have is hexadecimal digits [0-9A-F] it should work.
I have had problems having it distinguish small "L" from ones "1", and zeroes from capital "O" in other cases. Look-alike characters tend to be confusing to the OCR. It gets worse when the font size gets smaller.
109
« on: February 22, 2011, 11:12:53 pm »
Sounds like you might have to go to the hardware level. Open the calculator and compare with a production calculator, and if you are lucky you might find a JTAG interface on those older calcs. Then you can dump the OS. They got the OS on there somehow ....
I saw an article where one person had to open an HP iPAQ, for example, and solder to the JTAG connections - usually 3 or 4 wires. He had to do it because he bricked it, and reflashed his boot loader.
111
« on: February 19, 2011, 07:34:35 pm »
Any chance of having built in asm?
probably
probably not
We have to wait for ExtendeD and his Ndless 3.0 / Ndless CX.
If the current exploit works - great!!! Ndless can be ported. Otherwise you have to go through the time-consuming, trial-and-error procedure of finding another exploit.
112
« on: February 19, 2011, 04:57:56 pm »
Found the fx9860g ROM in the fx9860g OS upgrade, now finding prizm syscalls should be easy (assuming they used the same compiler).
sh3_disass.py -s 10070 -e 10080 -p 80010070 ISSetupFile.SetupFile3
80010070: d202 .. MOV.L @($02*4+PC),R2 = #801B0130
80010072: 4008 @. SHLL2 R0
80010074: 002e .. MOV.L @(R0+R2),R0
80010076: 402b @+ JMP @R0
80010078: 0009 .. NOP
8001007A: 0000 .. 0000 ?
8001007C: 801b .. .data 801b0130 dword ref:80010070
Goplat: Yes, it is a small icon - the Geometry and PictPlot add-ins have one, but not the conversion add-in. Here is that icon for the Geometry add-in:
000290: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
0002b0: wwwwwwwwwp...wwwwww..wwwwwwwwwww
0002d0: wwwwwwwwp.....wwwww..wwwwwwwwwww
0002f0: wwwwwwww..ww..wwwwp..wwwwwwwwwww
000310: wwwwwwwp.wwww..wwwp..wwwwwwwwwww
000330: wwwwwwwp.wwwwp.www....wwwwwwwwww
000350: wwwwwww..wwwwp.www.wp.wwwwwwwwww
000370: wwwwwww.wwww........p.wwwwwwwwww
000390: wwwwwww.wwww........w.wwwwwwwwww
0003b0: wwwwwww.wwww.w.ww...w..wwwwwwwww
0003d0: wwwwwww.wwww.w.ww.w.wp.wwwwwwwww
0003f0: wwwwwww..www.p.wp.w.wp.wwwwwwwww
000410: wwwwwwwp.www.p.wp.w.ww.wwwwwwwww
000430: wwwwwwwp.www...w..w.ww..wwwwwwww
000450: wwwwwwww..ww..ww.ww.wwp.wwwwwwww
000470: wwwwwwwwp.....wp........wwwwwwww
000490: wwwwwwwwwp...wwp........wwwwwwww
0004b0: wwwwwwwwwwww.wwwwww.wwwwwwwwwwww
0004b0: wwwwwwwwwwww.wwwwww.wwwwwwwwwwww
0004b0: wwwwwwwwwwww.wwwwww.wwwwwwwwwwww
0004b0: wwwwwwwwwwww.wwwwww.wwwwwwwwwwww
000530: wwwwwwwwwwww........wwwwwwwwwwww
000550: wwwwwwwwwwww........wwwwwwwwwwww
000570: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
113
« on: February 18, 2011, 10:01:40 pm »
Here is a prizm emulator modelling program. It simply brings up a prizm graphic and responds to key presses - nothing more. Modeling is a means of coming up with better ideas or using features of the model for the first working prototype. This program, written in Python, could easily be converted to a C program using the Windows GUI API.
114
« on: February 17, 2011, 10:11:19 am »
That's right. The routines are at offsets 0x0002c3dc - 0x00309030 from the beginning of the file, if the beginning is 0x00000000. In prizm memory it's 0x8002c3dc - 0x80309030.
Which means if you are disassembling prizm3064 from the beginning of the file, set the pc=0x80000000.
I haven't tried decompressing an fx9860g OS upgrade file yet.
115
« on: February 17, 2011, 02:23:48 am »
Actually, the way I am using the term here - it's already dumped in prizm3064, offset 0x2c3dc. Now get an fx9860g OS upgrade file and decompress that - find the routines in that file and start binary search and match between the files.
116
« on: February 17, 2011, 12:43:54 am »
The syscall table of pointers starts at 0x805edca8:
C:\casio>sh3_disass.py -s 20070 -e 20080 -p 80020070 prizm3064
Dissassembly size: 0x10
80020070: d202 .. MOV.L @($02*4+PC),R2 = #805EDCA8
80020072: 4008 @. SHLL2 R0 ; R0 = syscall number
80020074: 002e .. MOV.L @(R0+R2),R0 ; load from table of pointers
80020076: 402b @+ JMP @R0
80020078: 0009 .. NOP
8002007A: 0000 .. 0000 ?
8002007C: 805e .^ .data 805edca8 dword ref:80020070
The actual routines are in the range: 0x8002c3dc - 0x80309030.
By dumping the fx9860g ROM and binary matching the entries with the prizm ROM, many prizm syscalls can be found. Simon might already be ahead of me on this. This table has several thousand entries, of which only a few are needed for the time being. I think I found the BASIC parsing table - more on that later ....
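The table lookup that the dispatcher in the post above performs, written out as an added Python 3 example (not part of the original post and not code from sh3_disass.py). The addresses come from the posts; the big-endian read, the function names and the zero-filled sample image are assumptions made for the illustration.

```python
import struct

ROM_BASE = 0x80000000                  # file offset 0 maps here (from the posts)
SYSCALL_TABLE = 0x805EDCA8             # table of pointers (from the post)
ROUTINES = (0x8002C3DC, 0x80309030)    # range holding the routines (from the post)


def addr_to_offset(addr, base=ROM_BASE):
    """Translate a ROM address into an offset in the image file."""
    if addr < base:
        raise ValueError("address 0x%08X is below the ROM base" % addr)
    return addr - base


def resolve_syscall(image, number, table=SYSCALL_TABLE, routines=ROUTINES):
    """Mirror the dispatcher: SHLL2 R0, then MOV.L @(R0+R2),R0."""
    off = addr_to_offset(table) + (number << 2)       # SHLL2 = number * 4
    if number < 0 or off + 4 > len(image):
        raise IndexError("syscall 0x%X is outside the image" % number)
    (target,) = struct.unpack_from(">I", image, off)  # big-endian: assumption
    lo, hi = routines
    if not lo <= target <= hi:
        raise ValueError("syscall 0x%X -> 0x%08X is outside the routine range"
                         % (number, target))
    return target


def build_sample_image():
    """Constructed stand-in for prizm3064: zero-filled, four table slots."""
    image = bytearray(addr_to_offset(SYSCALL_TABLE) + 16)
    entries = (0x8002C3DC, 0x80100000, 0x12345678)    # constructed values
    for n, target in enumerate(entries):
        struct.pack_into(">I", image, addr_to_offset(SYSCALL_TABLE) + 4 * n, target)
    return bytes(image)


if __name__ == "__main__":
    rom = build_sample_image()
    for n in range(5):
        try:
            print("syscall 0x%04X -> 0x%08X" % (n, resolve_syscall(rom, n)))
        except (IndexError, ValueError) as err:
            print("syscall 0x%04X rejected: %s" % (n, err))
```

Rejecting pointers outside the routine range gives a quick check that the table address and byte order are right before any entry is fed to a disassembler.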
117
« on: February 14, 2011, 02:19:03 am »
Change the 2 to a 4 for the third nibble on line 674:
    if nib1 == '4' and nib3 == '4' and nib4 == '3':
        print "STC.L SPC,@-R%d" % (int(nib2,16)) # 4n43
        return
Looks like I am going to work on version 005 during the next week.
118
« on: February 14, 2011, 12:43:18 am »
I am trying to find the basic interpreter. I think add-ins will play a big role in patching basic, and give it some low level routines - like possibly peek, poke, Asm()
119
« on: February 13, 2011, 08:20:20 pm »
Here is a Prizm commands <=> text conversion table. Works well on the Prizm, except for converting text like @7FF5. It would be nice to get the special symbols off the calculator somehow.
120
« on: February 11, 2011, 03:02:22 am »
Sure, but I simply use -n to toggle the endianness. This is a minor update - fixed the MOV.W @($%s*2+PC) instruction so it reports correctly. Added python style hex/ascii dump to the output - makes ascii/unicode strings easier to identify:
003000E6: '\xe4\x01' MOV $01, R4
003000E8: 'J\x0b' JSR @R10 = #300154
003000EA: 'f\xb3' MOV R11, R6
003000EC: '\x7f\x04' ADD $04,R15
003000EE: '/\xe6' MOV.L R14,@-R15
003000F0: '{\x01' ADD $01,R11
003000F2: '\xe7 ' MOV $20, R7
003000F4: '\xe5\x05' MOV $05, R5
003000F6: '\xe4\x01' MOV $01, R4
003000F8: 'J\x0b' JSR @R10 = #300154
003000FA: 'f\xb3' MOV R11, R6
003000FC: '\x7f\x04' ADD $04,R15
003000FE: '/\xe6' MOV.L R14,@-R15
00300100: '{\x01' ADD $01,R11
What's next? Disassembling large files like prizm3064 requires more interaction with the user. As JosJuice found out, you quickly run out of memory filling out the dictionaries in the program. So saving that to a file and adding another option to the program is in order. Reloading this saved mapping file simply tells the program, as it disassembles the next pass, whether it's in code, data or reverse endianness (or other commands suggested), very similar to IDA's idc file, but not the same. A user can edit this file in Textpad, run the disassembler in another window and use other utilities like sorting, already found on Windows/*NIX, to make it more interactive. I will have to give it more thought.