Eagle-eyed community members have spotted the first twelve TI-84 Plus CE apps, now available for download from TI Education's website. The twelve apps plus TI-Connect CE include Cabri Jr., CellSheet, Periodic, ProbSim, SciTools, TestGuard, and all the other Apps we've come to expect from TI on the TI-84 Plus series of calculators. With these apps available, we can start exploring the format of Apps. We already know that Apps no longer need to be multiples of 16KB, must be relocatable, and are written in ez80 assembly. We hope that DrDnar's ez80 disassembler will be the first of several reverse-engineering tools in the community, and that our trusty ASM coders will post everything they discover in this topic and on WikiTI.

Edit: I should clarify for anyone nervous about our motives that this topic is intended to provide resources for assembly programmers to find the system calls and RAM locations they need to write ASM programs, as permitted by the TI-84 Plus CE. "Reverse-engineering" in this context doesn't mean breaking any of the protections that protect the testing LED, the OS key, or App keys.

Download
TI-84 Plus CE Apps from TI Education
Cool! Should be a fun journey. This probably means that page swapping is no longer an issue, I imagine? Or am I incorrect? Razz

And now Apps are labeled as .8ek... How interesting. Smile So many different types.
MateoConLechuga wrote:
Cool! Should be a fun journey. This probably means that page swapping is no longer an issue, I imagine? Or am I incorrect? Razz


It seems there is no such thing as page swapping on the 84+CE, since there is a 24-bit address space. However, because of that, Flash Apps are not guaranteed to be run from any certain address in memory. So, the applications include relocation information which the OS uses to update all necessary addresses when installing the App (and probably during Defragmentation as well).
I am mainly curious about if this calc will support parser hooks. Does anyone know if that is what the language applications used on older models?
In spirit, TI-eZ80 FlashApps are quite similar to TI-68k FlashApps:
* flat binary file, directly usable;
* relocations, seemingly on a 3-byte + 3-byte (2+22 bits: 0b00 indicates a reference to the code segment executing from Flash, and 0b10 indicates a reference to the data/bss segment in RAM. 0b01 and 0b11 are reserved) format;
* arbitrary size (< 4 MB), no longer has to be multiple of 16 KB;
* 0x032(6) 0x090(4) [4 bytes of timestamp]. IIRC, both TI-68k and TI-Z80 FlashApps use that.

Differences:
* the magic number at the beginning of the 0x817(F) field. A 3-byte "eZ8" on the TI-eZ80 series, 4 bytes on the TI-68k series: 0x16, 0x7B, 0x53, 0x3D.
* TI-eZ80 FlashApps indicate the target OS version number, in the 0x812(D) field closer to the beginning. They're compiled against a precise OS version and won't work on others.
* the timestamp field is no longer signed by a 512-bit RSA key, the 0x40-byte 0x020(D) signature is right after the timestamp field on TI-68k FlashApps.
* perhaps the most important difference, and most inconvenient to us: the size of the signature at the end of the FlashApp. Yup, that's a 0x023(E) field containing 0x100 bytes (2048 bits) of data. TI-68k and TI-Z80 FlashApps use a 0x020(D) field containing 0x40 bytes (512 bits) of data.

(also posted on TI-Planet)
Lionel Debroux wrote:
TI-eZ80 FlashApps indicate the target OS version number, in the 0x812(D) field closer to the beginning. They're compiled against a precise OS version and won't work on others.
Do we have any information about whether this is backwards-compatible in any way? Precise OS version matching would be horrible.

Lionel Debroux wrote:
perhaps the most important difference, and most inconvenient to us: the size of the signature at the end of the FlashApp. Yup, that's a 0x023(E) field containing 0x100 bytes (2048 bits) of data. TI-68k and TI-Z80 FlashApps use a 0x020(D) field containing 0x40 bytes (512 bits) of data.
0x100 is 256 bytes; perhaps you meant 0x1000 bytes of data? That's really unfortunate: I think we'll need that key from TI. Sad
I'm not aware we have any kind of information on whether FlashApps (and ASM programs) are backwards-compatible, but I wonder why sticking a precise OS version number into FlashApps if there is backwards compatibility.

Let's assume that there's no backwards compatibility, and that we won't have the private key (given that this time, we can't find it ourselves, it conforms to modern guidelines). If we do have backwards compatibility and/or the private key, we'll be happy.

Perhaps ASM programs, rather than FlashApps, are the way to go on the TI-eZ80 series, like they were on the TI-68k series. Time will tell.
The link is no longer available, did anyone save the files? TI-Planet's usually good about this stuff, i guess i'll check over there. Ah, there's (understandably) still no CE section.
Lionel Debroux wrote:
perhaps the most important difference, and most inconvenient to us: the size of the signature at the end of the FlashApp. Yup, that's a 0x023(E) field containing 0x100 bytes (2048 bits) of data. TI-68k and TI-Z80 FlashApps use a 0x020(D) field containing 0x40 bytes (512 bits) of data.

You are probably correct, but I am unable to find any evidence of this while looking through the various files.... Would you mind pointing this out exactly? For instance, there is 0x104 bytes remaining in the file after the final readable string in the ProbSim App.

Kerm wrote:
0x100 is 256 bytes; perhaps you meant 0x1000 bytes of data? That's really unfortunate: I think we'll need that key from TI. Sad

0x100 is 256 bytes == 2048 bits, unless I'm mistaken? Confused

Also, it appears as though the name size bytes have been retained the same; the size is still an offset from $40, as the second nibble represents the size in bytes of the name. This appears to be a part of the standard header:

Code:
81 12 13 0F ;Appears to be the key sign thingy
81 2D 0B 35 2E 30 2E 30 2E 30 30 38 39 00 ; Version number?
81 32 59 00 ; No idea
81 47 43 61 62 72 69 4A 72 ; Name "CabriJr" $47 represents size
81 A1 07
03 26 09 04 21 ; Same for all apps
BB 6E DC 00 ; Different for different apps...
0D C7 ; $0D constant; either $C7 or $C6
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
81 7F 00 01 ; Signifies start of App?

Rather than the earlier $80 seperator for the elements in the header, it appears the $81 is used instead. I have no idea, but perhaps the $00s are for an icon or something? Too small really, so probably not. It must be contained elsewhere.

This also means that the structure of the header is exactly like the previous versions it seems.
Quote:
You are probably correct, but I am unable to find any evidence of this while pursuing the various files.... Would you mind pointing this out exactly? For instance, there is 104 bytes remaining in the file after the final readable string in the ProbSim App.



Code:
for file in `ls *.8ek`; do echo $file; od -v -t x1 -A x $file | tail -20; done
CabriJr_CE.8ek
018f90 ec d0 2a ea ec d0 ed 5b f0 ec d0 22 f0 ec d0 ed
018fa0 53 ea ec d0 c9 dd cb 05 c6 21 e7 ec d0 11 ed ec
018fb0 d0 cd ff ff ff cd ff ff ff c1 c9 02 3e 01 00 28
018fc0 52 51 eb 44 9d 8e 9c ec 5e e5 e0 35 1f c4 c0 4f
018fd0 66 df 3c a4 c1 c1 dc 50 bd 39 07 fd 80 1d 3b ee
018fe0 1a 01 9c 8d a8 a7 2f d9 c4 7d f0 fc 24 3e 6e 35
018ff0 ac 24 8c f9 c0 21 66 a7 f2 1a 82 f6 f8 b3 1e 74
019000 ab 35 92 1b f5 da 1d c5 b6 91 00 b7 05 ca 91 7a
019010 14 c5 8d ba d5 66 78 c9 10 f7 f4 3f b5 23 57 38
019020 2a c8 ef d3 78 a4 86 5c a2 7d 22 26 a1 e8 ec 6b
019030 b6 fa e7 3a 94 6a 4a 69 2d 6f 44 f0 14 90 a2 36
019040 0d 4f b4 c0 ad d3 c9 ee 44 06 7a 35 95 54 d4 37
019050 b8 8f 92 ef ed d0 f1 d3 85 26 6c 47 fe db 4e 01
019060 9c 90 2e fd 51 9c 0e c8 b0 28 7a c6 01 e1 b5 b9
019070 fc bc 9a 48 71 46 87 5f 63 6e bd 22 9d 7a 04 12
019080 0a 92 46 6d 09 17 ae d1 0b 46 63 bf c4 e0 30 ef
019090 df 86 aa 56 c7 3f e0 2b 68 45 bf 3f 8e fd 42 b1
0190a0 13 07 10 54 81 75 cc ea 08 3e 92 0e d1 99 c2 0e
0190b0 7e 60 63 fa 84 1a 16 aa af e4 a9 c8 39 1c a3
0190bf
CelSheet_CE.8ek
01dfb0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
01dfc0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
01dfd0 ff ff ff ff ff 02 3e 01 00 d0 1f e9 b6 d8 1e fc
01dfe0 65 c8 99 bc 44 ea 9e 96 a7 dc 13 f9 e5 58 56 7a
01dff0 3c a0 9b 7d c8 4e b4 de 02 d0 2d 46 a9 67 99 ea
01e000 ab 08 75 d1 ae d6 20 d1 bc bb 4b 2b f3 5d 77 c4
01e010 ff 4c ff 00 25 92 b0 85 4f ea 80 d9 33 9c 5f 56
01e020 3e 34 40 c0 51 07 43 16 b9 f6 b9 41 72 e3 74 8b
01e030 86 0d 52 0e 33 07 c2 81 49 8b f4 2b 86 28 89 e5
01e040 a4 50 04 f8 26 6e e5 0a 90 80 69 90 ea f7 e8 05
01e050 22 dc 1f e6 36 25 80 e0 a2 22 95 2f 36 a9 6f fa
01e060 49 dd 95 86 58 34 d3 b9 2c 14 8c 31 cf a5 97 ef
01e070 5c 26 c5 45 6a d1 36 0c ca ce 78 d6 e5 6f 4e 3e
01e080 c9 e6 51 88 a3 9b 5f 4a 9b a5 6b 1d be 2d 4b e2
01e090 85 00 ca 58 bf f5 14 a8 3d d8 74 c6 be 05 f0 7f
01e0a0 e8 7c 42 f3 a6 97 a7 ec f9 74 00 59 51 5a 6c 34
01e0b0 79 92 cb fe e6 4b f3 a1 9c 48 7a 62 06 9a 11 b3
01e0c0 c9 b3 e9 fb 4e c7 a9 50 74 1b d6 82 eb e2 7d 74
01e0d0 47 83 37 1c e5 d9 86 b9 51
01e0d9
Conics_CE.8ek
00a6c0 00 06 02 86 fe 00 00 00 00 06 06 00 00 00 00 00
00a6d0 3b 00 00 00 4f 00 00 00 63 00 00 00 77 00 00 00
00a6e0 8b 00 00 00 9f 00 00 00 00 00 02 3e 01 00 82 a8
00a6f0 e0 af 9f e5 02 57 08 92 22 a3 35 1e 91 a1 93 43
00a700 76 95 b0 60 cb 88 cd 87 8b d1 dd 22 31 ae 3d 10
00a710 b8 90 fc 89 6d 56 2e 66 9f 4a 4d f7 9c 91 d7 12
00a720 60 36 46 d7 df 3e ad 46 f0 5e 78 23 bc a4 c5 a3
00a730 2b c6 6e 7f a3 9b 68 bd 7f 7b d5 dd 36 ea fb 46
00a740 cc c5 65 a2 04 16 95 59 a1 9d de 94 ef e0 ac a9
00a750 7a 98 09 27 31 74 7d e6 ab 63 21 e4 b7 50 47 eb
00a760 b1 26 2c 3f 09 3b 31 e0 d3 a8 48 06 2e 69 f7 ff
00a770 ec 89 7a 8f 22 c0 90 3a 86 bd 07 f4 61 28 c5 a0
00a780 0b b4 d2 3f aa ad 8f aa 35 19 ee 15 95 d6 93 60
00a790 7a 69 ec ad 93 31 6d bc cd 4a 9c aa fa 23 8e 7c
00a7a0 2a 7e e8 ac d4 ef ea 40 82 0a c1 d9 45 34 75 e2
00a7b0 38 60 fe c1 aa b4 ae e5 ba f4 c5 8b 5d 0f 19 53
00a7c0 60 6e cb ea 35 20 6e a8 82 69 b1 4e 86 26 dd 13
00a7d0 54 7b 0f 74 cc e6 7c 66 34 2f e8 75 87 e8 9d da
00a7e0 23 63 79 84 fe f6 bc ec 1d 2b c1 2c 1a 67
00a7ee
[...]


The signature is 0x100 bytes after 02 3e 01 00.

TI-68k FlashApps have always used a 0x810(F) field, containing other 0x81n(s) fields, among which a 0x817(F) field which contains the actual FlashApp contents. There may be smaller FlashApps using E size for fields, i.e. two bytes following the field definition instead of four with F size.

81 A1 07 is its own field.

The 0x032(6) 0x090(4) nn nn nn nn part, with nn bytes variable across FlashApps, is precisely the timestamp I mentioned above Smile

See https://debrouxl.github.io/gcc4ti/cert.html for more information about certificate fields, especially the cfindfield, cread and CERT_FILE entries of that page.
Oh wow, a 2048 bit signature field.... Yeah, that one is definitely not going to be solvable anytime soon, I believe. Unless TI releases it, that is going to make things very difficult. Sad

Which will probably never happen after 2009...
Someone's probably going to find an exploit for this soon after the release. Razz
Hitechcomputergeek wrote:
Someone's probably going to find an exploit for this soon after the release. Razz

I seriously doubt it. If they do, I will worship them as a deity. TI wins in the case of signing. Razz
MateoConLechuga wrote:
Hitechcomputergeek wrote:
Someone's probably going to find an exploit for this soon after the release. Razz

I seriously doubt it. If they do, I will worship them as a deity. TI wins in the case of signing. Razz

But remember, this is TI, a company who made overwritable boot code.
Lionel Debroux wrote:
TI-eZ80 FlashApps indicate the target OS version number, in the 0x812(D) field closer to the beginning. They're compiled against a precise OS version and won't work on others

Are we sure that's not actually a minimum OS version number instead? TI does seem to have provided a large jump table for their provided routines, given the number of calls to multiple-of-4 addresses starting in the 0x02xxxx address range. It would make sense to provide a minimum OS version in the header in case they add more ROM calls in the future.
Quote:
Are we sure that's not actually a minimum OS version number instead?

At least, I am not, it's true...

Quote:
It would make sense to provide a minimum OS version in the header in case they add more ROM calls in the future.

On TI-68k/AMS, between AMS 1.xx and 2.xx, they changed the contents of the ROM_CALL table a bit. Some calls went out completely (e.g. several direct Flash sector erasing ROM_CALLs) and were usually replaced by unrelated ROM_CALLs, some were moved to different numbers.
chickendude wrote:
The link is no longer available, did anyone save the files? TI-Planet's usually good about this stuff, i guess i'll check over there. Ah, there's (understandably) still no CE section.
The page appears to still be live to me, for some reason.

MateoConLechuga wrote:
Kerm wrote:
0x100 is 256 bytes; perhaps you meant 0x1000 bytes of data? That's really unfortunate: I think we'll need that key from TI. Sad

0x100 is 256 bytes == 2048 bits, unless I'm mistaken? Confused
I think I'm not sleeping enough these days. Thank you for that. Smile

Hitechcomputergeek wrote:
Someone's probably going to find an exploit for this soon after the release. Razz
I really, really want to not get into a cat-and-mouse game with TI about this; Cemetech for one will not be officially supporting any Ndless-like efforts for the TI-84 Plus CE. I remain confident we can get the necessary signing keys from TI in support of community programming and the community's (often inadvertent) efforts to support and promote TI's calculators.

calc84maniac wrote:
Lionel Debroux wrote:
TI-eZ80 FlashApps indicate the target OS version number, in the 0x812(D) field closer to the beginning. They're compiled against a precise OS version and won't work on others

Are we sure that's not actually a minimum OS version number instead? TI does seem to have provided a large jump table for their provided routines, given the number of calls to multiple-of-4 addresses starting in the 0x02xxxx address range. It would make sense to provide a minimum OS version in the header in case they add more ROM calls in the future.
I feel like it would be pretty shortsighted of them to require a precise match, and force themselves to update all of their apps every time a new OS version came out (not to mention having to store versions of their apps matching every supported OS version in their archives).
Could be one way to force upgrades, though - only support one version of the OS, and when they release a new app... hey, if you want this, you have to upgrade everything!
Exactly. After all, that is precisely what they've been doing with the Nspire series for years, through newer (and at times much more complicated and much slower to process...) versions of the document format... After a document has been written by a newer OS version (on the calculator or inside the computer software), only versions newer or equal to that version (most of the time) can deal with the document.

Annoying to users ? Sure. But users grudgingly upgrade.
It is, AFAICS, a minimum compatible, rather than the version.
I just successfully installed the Conics app (rev 89) on the emu running OS rev 87.
FYI, it's about 43 KB and took around 15 seconds to validate... but remember that this is the emu, and the smartview is indeed slower than the actual machine.
  
Register to Join the Conversation
Have your own thoughts to add to this or any other topic? Want to ask a question, offer a suggestion, share your own programs and projects, upload a file to the file archives, get help with calculator and computer programming, or simply chat with like-minded coders and tech and calculator enthusiasts via the site-wide AJAX SAX widget? Registration for a free Cemetech account only takes a minute.

» Go to Registration page
Page 1 of 3
» All times are UTC - 5 Hours
 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

 

Advertisement