Pretty intriguing title for a post eh? Essentially, I'm trying to make a program that will erase the OS on my calculator by storing a 0 to every memory address. Of course I'm not a calculator sadist; this program will only ever be run on my emulator, and I'm just doing it because I'm curious to see what a calculator would run like when it's completely empty...nothing but hardware. Either way, the code below seems like it should be able to wipe the calculator's memory, but it doesn't work as intended. For one thing, it finishes executing almost instantly, so it's probably not looping all $9D93 times as it should. I think this has something to do with the "if (hl == progStart) ret" block of code, where I was essentially trying to do cp $9D93 with HL instead of the accumulator.


Code:
start:          ;Load a 0 into every memory address and destroy everything
   ld hl,$0000
loop:
   ld a,h      ;if (hl == progStart) quit
   cp $9D
   ld b,a
   ld a,l
   cp $93
   or b   
   ret z
   
   ld (hl),$00   ;store 0 at the address in hl
   inc hl        ;++hl
   jp loop


As you can see, the program will only store a 0 to every memory address leading up to progStart, since then it would start erasing the program and everything would be a mess. I guess my final question then is, is my code perhaps working right, but you just can't erase an OS simply by storing 0 to every address? Any help will be appreciated, thanks!
That would be too easy. You must first learn about what flash memory is. Look up the datasheet for the flash chip: http://pdf1.alldatasheet.com/datasheet-pdf/view/116260/SPANSION/S29AL008D.html The method to erase the flash chip or poke it in general is protected by the OS.

You can't easily destroy the flash.

Also, the flash has all bits 1 when in the erased state, so the flash will be filled with rst 38h op codes. When the OS runs, it enters an infinite loop in the ISR. If you have all 0's by flash writing, then the PC just spins in circles.
So what about when I initialize hl at $8000, after all the flash ROM? Shouldn't I be able to wipe out the TI OS then?
Your calculator's address space is $0000 through $FFFF, which is 16^4 or 65536 bytes (64KB). Your calculator has a total of between 512KB and 2048KB of Flash ROM, and anywhere from 32KB to 128KB of RAM, depending which model you have. The way that you access that memory, which clearly is way too big to be addressed all at once, is via a trick called paging. You map (usually) 16KB-sized pages into one of your calculator's four banks, $0000-$3FFF, $4000-$7FFF, $8000-$BFFF, and $C000-$FFFF. The first bank is stuck to Flash page 0, while the other three are remappable, within reason. You would have to map each Flash page and RAM page to memory, zero it out, then move on to the next one. For RAM, you can simply write zeroes. As AHelper said, for flash pages, you would have to invoke a special Flash erase command. However, you couldn't totally brick your calculator without a lot of work, as the boot page is generally protected in a special way.
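Added example, not part of any post in this thread: a small Python model of the loop from the first post, run against the bank layout described above. It assumes $0000-$7FFF is mapped to flash and $8000-$FFFF to RAM; the class and function names are made up for illustration.

```python
FLASH_END = 0x8000    # assumption: $0000-$7FFF maps flash, $8000-$FFFF maps RAM
PROG_START = 0x9D93   # progStart from the first post

class AddressSpace:
    """64KB Z80 view: plain stores stick in RAM and change nothing in flash."""
    def __init__(self):
        # constructed contents: nonzero filler so a wipe is observable
        self.mem = bytearray([0xA5]) * 0x10000

    def write(self, addr, value):
        if addr >= FLASH_END:       # RAM bank: the store takes effect
            self.mem[addr] = value
            return True
        return False                # flash bank: a plain store changes nothing

def stop_as_posted(hl):
    """Flags as the posted test leaves them: cp never changes A, so
    `or b` computes L | H and `ret z` fires only when HL == $0000."""
    h, l = hl >> 8, hl & 0xFF
    a = h          # ld a,h / cp $9D (flags are overwritten later)
    b = a          # ld b,a
    a = l          # ld a,l / cp $93 (flags overwritten by the next op)
    a |= b         # or b
    return a == 0  # ret z

def stop_16bit(hl):
    """What the post intended: stop only when HL == progStart."""
    return hl == PROG_START

def run_wipe(space, start, stop_test):
    """Run the fill loop; return (iterations, stores that changed memory)."""
    hl, iterations, effective = start, 0, 0
    while not stop_test(hl):
        effective += space.write(hl, 0x00)
        hl = (hl + 1) & 0xFFFF
        iterations += 1
    return iterations, effective

if __name__ == "__main__":
    print(run_wipe(AddressSpace(), 0x0000, stop_as_posted))  # returns at once
    print(run_wipe(AddressSpace(), 0x0000, stop_16bit))      # flash untouched
```

In the model the posted test stops at HL = $0000 before a single store, and with the 16-bit test the only bytes that change are $8000-$9D92.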
I think I may be of some help, here, as I have (bad) experience(s) in this field:
Basically all you need to know here is that the flash chip is very special. The best advice I ever got was “Be careful, Dapiano, messing with the flash chip unprotected can be VERY dangerous,” and I have 2 bricked ti83+’s attesting to that, as well as a third one I failed to fix for my brother.
There have only ever been a few rare and special cases involving truly bricking your calculator, and most of the time that involves making it impossible to communicate with a computer and then putting it into a broken OS loop being an easy way, the other way being screwing up your boot code. Other than that, you’ve got exotic ways that I’m sure BrandonW can tell you all about. So basically, you’ve got nothing to worry about as for screwing it up.
Even on a Ti83+, running a program that can actually do that would not only have to be very particular in what and how it erases, but it would also take a very long time, and you would have to watch to see what happens, and I wouldn’t expect anything interesting to come up on the LCD.
If you unprotected flash and boot and erased them, whatever fashion you erase them both with, you’re going to end up with:
A. A calculator that cannot operate and
B. About 400 grams of plastic and an ASIC that can’t be reprogrammed to work.
You’d also have to tell the program not to delete parts of the OS essential to the program, which defeats the whole purpose of the program.
Since anything observable happens with RAM anyway, erasing flash can only mean wasting a calculator or wabbit.
Dude, c’mon. Wabbit abuse?
Haha no I don't want to abuse my Wabbit:P But I mean TI essentially programmed a blank z80 processor when they MADE their calculators, so I have to believe you could still resurrect a bricked calc somehow. Isn't that what people do when they program new operating systems? I'm just curious to see what that environment would look like...would you just turn on your calculator and everything would be blank, no cursor or menus or anything?
Well, they constructed it using enough firmware to work with, I suppose. They program new operating systems using an existing one running an IDE.
You would press the on button and nothing would happen. Part of the boot process is initializing LCD. Take that out, and it just completes a circuit of nothing in particular appearing.
Quote:
Isn't that what people do when they program new operating systems?
GlassOS relies on TI's boot code to handle the transfer of a signed OS to the calc. If I damage the boot code, then I have to buy a new calc. (IIRC) For the ti83+ and older ones, Page 0 is what gets booted to. Newer ones (ti84+__/ti83+se) use a boot code to start the OS. If you want to 0 out the OS, the smart thing would be to send a null OS that you make and sign.

Also, removing the flash chip in the calcs isn't easy. Getting it back on is even harder. Reprogramming it is killer.
AHelper wrote:
(IIRC) For the ti83+ and older ones, Page 0 is what gets booted to. Newer ones (ti84+__/ti83+se) use a boot code to start the OS.

Almost. The entire 83+ line (including the 83+ itself) has a boot code that the calculators start with. It's the 82, 83, 85, and 86 (as well as the 81, I presume--none of these calculators have Flash ROM) that don't have a boot code.
To expand on what they’ve told you, the boot code is protected, however there are means of writing to, rewriting, or erasing it. Although doing that won’t be very good. Erasing the OS, however, leaves you with a calculator waiting for one as instructed by the boot code. There is no direct use of a calculator without a boot code.
shundra9 wrote:
Haha no I don't want to abuse my Wabbit:P But I mean TI essentially programmed a blank z80 processor when they MADE their calculators, so I have to believe you could still resurrect a bricked calc somehow. Isn't that what people do when they program new operating systems? I'm just curious to see what that environment would look like...would you just turn on your calculator and everything would be blank, no cursor or menus or anything?


The only way to resurrect a bricked calc is to do the same thing TI did when they made it, which is to hook it up to a special programmer and flash the boot-loader using that. Assuming the pins necessary to do the flash are actually there and that you know how to put it into programming mode, of course.

If you want to "see" what a calc with no firmware looks like, simply turn it off. It is now completely indistinguishable from a calculator with no firmware whatsoever.

Or if you want to see it with an emulator, simply delete the ROM you've given to the emulator.
  