This is an archived, read-only copy of the United-TI subforum, including posts and topics from May 2003 to April 2012. If you would like to discuss any of the topics in this forum, you can visit Cemetech's General Open Topic subforum. Some of these topics may also be directly-linked to active Cemetech topics. If you are a Cemetech member with a linked United-TI account, you can link United-TI topics here with your current Cemetech topics.

Mapar007


Advanced Member


Joined: 04 Oct 2008
Posts: 365

Posted: 31 Mar 2009 07:51:48 am    Post subject:

I've been mucking about with a TI 84+ SE rom file, changing operating system texts and stuff: some screenies:
[attachment=2623:w00tcode.png][attachment=2624:mod2.png]
[attachment=2622:ramtrashed.png]
Galandros


Active Member


Joined: 29 Aug 2008
Posts: 565

Posted: 31 Mar 2009 02:53:46 pm    Post subject:

Neutral

Can you send that to a real calculator? Or is there some sort of checksum that doesn't allow that?
FloppusMaximus


Advanced Member


Joined: 22 Aug 2008
Posts: 472

Posted: 31 Mar 2009 10:06:25 pm    Post subject:

You can't change the "BOOT Code" message; that's produced by... the boot code.

As for the other stuff, well, you're not supposed to be able to modify the OS...
Taricorp


Member


Joined: 09 Mar 2006
Posts: 188

Posted: 31 Mar 2009 10:19:17 pm    Post subject:

FloppusMaximus wrote:
You can't change the "BOOT Code" message; that's produced by... the boot code.

Translation: it's totally shopped (or just recreated on the graph screen).

On the other hand, such things (with the exception of changing the boot code strings) are totally possible. I still need to do that to my calc.

EDIT: Oh, I see, this is in an emulator. :facepalm: I didn't catch that the first time around.


Last edited by Guest on 01 Apr 2009 05:41:59 pm; edited 1 time in total
Mapar007


Advanced Member


Joined: 04 Oct 2008
Posts: 365

Posted: 01 Apr 2009 05:39:37 am    Post subject:

Nope. It's not shopped. (in a ROM file you can do anything, even modify the boot code)


EDIT: btw, is there an OS signing program out there?


Last edited by Guest on 01 Apr 2009 07:53:56 am; edited 1 time in total
magicdanw
pcGuru()


Calc Guru


Joined: 14 Feb 2007
Posts: 1110

Posted: 01 Apr 2009 09:42:58 am    Post subject:

Neat stuff. I've always wanted to make a program that automates 8xu (OS update files) editing, such as keeping track of string locations in the various OS versions, recalculating the checksum, and providing a safe, legal way to distribute 8xu patch files that individuals can apply to a legally acquired 8xu and then download to their calculator. By the way, if I'm not mistaken, someone in the community will be shortly announcing an awesome new way of downloading modified OSes to calculators... XD

Mapar007 wrote:
btw, is there an OS signing program out there?
I think you can sign an OS with any of the APP signing programs. You just need an OS key....... *giggles maniacally*

Oh, and I'm loving the forum updates! I'm making mine permanent Very Happy *tosses a kitten while knowing his onions and having his cake and eating it too* Very Happy


Last edited by Guest on 01 Apr 2009 09:48:06 am; edited 1 time in total
Mapar007


Advanced Member


Joined: 04 Oct 2008
Posts: 365

Posted: 01 Apr 2009 10:55:13 am    Post subject:

Let's see what rabbitsign will say if I try to sign an OS with the 0104 key, and if it works, what my calc will say... XD


lol I know it's never going to work...


Last edited by Guest on 01 Apr 2009 11:11:42 am; edited 1 time in total
FloppusMaximus


Advanced Member


Joined: 22 Aug 2008
Posts: 472

Posted: 01 Apr 2009 12:04:08 pm    Post subject:

Unfortunately, OS signing uses a different algorithm (RSA rather than Rabin.) (I don't know why; Rabin signatures are both faster to validate and more provably secure.) In addition, the calculator certificate uses slightly different formats for the public keys, so that app signing keys can't be used to sign OSes and vice versa. So while it wouldn't be too difficult to write a program for signing OSes (Rabbitsign doesn't, currently) you would also need to hack the certificate in order for it to be validated.
darkstone knight


Advanced Member


Joined: 07 Sep 2008
Posts: 438

Posted: 01 Apr 2009 01:10:38 pm    Post subject:

patch the os directly on the calc

make a program to mod flash
TheStorm


Calc Guru


Joined: 17 Apr 2007
Posts: 1233

Posted: 01 Apr 2009 03:28:41 pm    Post subject:

Mapar007 wrote:
Let's see what rabbitsign will say if I try to sign an OS with the 0104 key, and if it works, what my calc will say... XD


lol I know it's never going to work...

You'd have to modify the device cert a little and of course the signing app would need some adjustments also but that technically would work if I understand the way the calculators work correctly.
Taricorp


Member


Joined: 09 Mar 2006
Posts: 188

Posted: 01 Apr 2009 05:33:40 pm    Post subject:

darkstone knight wrote:
patch the os directly on the calc

make a program to mod flash

You mean.. like this (look down)?
I had been thinking of making something like this for a bit, even previous to this conversation. I just hammered out most of it.

(DISCLAIMER: it's not finished; I got tired of working on it, but it's understandable as-is. I also left unlockFlash to your imagination for implementation. Wink )

Code:
.nolist
.include "ti83plus.inc"
;=====bcalls=====
_FindSwapSector = 5095h
_EraseFlashPage = 8084h
_WriteFlash = 80C9h
;=====My RAM locations and others=====
writeAddr = appBackUpScreen
writePage = writeAddr+2
readAddr = writePage+1
readPage = readAddr+2
swapSector = readPage+1
strLen = swapSector+1  ;length of string, excluding terminator
strBuf = saveSScreen
strBufLen = 768
rwBuf = statVars
rwBufLen = 512
.list

.org 9D93h
.db 0BBh,6Dh
BEGIN:
;prompt for address and page to patch
   ld b,4
   ld hl,M_addr
   call hexInput
   ld (writeAddr),hl
   ld b,2
   ld hl,M_page
   call hexInput
   ld a,l
   ld (writePage),a
;display memory at location, ensure is OK
   ld de,strBuf
   ld hl,(writeAddr)
   ld bc,strBufLen
   ld a,(writePage)
   bcall(_FlashToRAM)
   ld hl,strBuf
   bcall(_PutS)
   bcall(_NewLine)
   ld hl,M_addrOK
   call yesNoPrompt  ;yesNoPrompt displays the prompt string itself
   ret nz
;get string length
   ld hl,strBuf
   bcall(_StrLength)
   ld (strLen),bc
   ld hl,strBufLen-1  ;StrLength doesn't include the terminator
   or a
   sbc hl,bc
   jr nc,_lenOK
   ld hl,M_lenAbort
   bcall(_PutS)
   ret
_lenOK:;take string input
   ld hl,strBuf
   call strInput
   ld hl,M_isSure
   call yesNoPrompt
   ret nz
   ld hl,M_reallySure
   call yesNoPrompt
   ret nz
;find and erase swap sector
   call unlockFlash
   bcall(_FindSwapSector)
   ld (swapSector),a
   bcall(_EraseFlashPage)
;copy all of sector to temp sector, excluding string
   ld hl,4000h
   ld (readAddr),hl
   ld a,(writePage)
   and 11111100b  ;masks out page to get sector start
   ld (readPage),a
_sectorCopyLoop:
   ld a,(readPage)
   and 03h  ;page offset in sector
   ld b,a
   ld a,(writePage)
   and 03h
   cp b
   jr nz,_sectorCopy_Normal
_sectorCopy_ReplacePage:
;This is the page containing the string to be replaced.
;We must not copy it
   ld de,rwBuf
   ;... finish me?
_sectorCopy_Normal:
   ld a,(readPage)
   ld de,rwBuf
   ld hl,(readAddr)
   ld bc,rwBufLen
   push bc
    bcall(_FlashToRAM)
    pop bc
   ld hl,(readAddr)
   add hl,bc
   ld bc,8000h
   or a
   sbc hl,bc
   jr nz,_sectorCopyToTemp
   ld hl,4000h
   ld (readAddr),hl
   ld hl,readPage
   inc (hl)
_sectorCopyToTemp:
   ;...
   bcall(_WriteFlash)
   ;...
;erase original sector
   call eraseSector
;copy temp back to original sector
   ;read from temp to rwBuf, rwBuf back to original page
   ;write new string back to page
   ;done
   ret
   
;write new string
   
M_addr:
   .db "Address:",0
M_page:
   .db "Page:",0
M_addrOK:
   .db "Address OK?",0
M_isSure:
   .db "Are you SURE?",0
M_reallySure:
   .db "REALLY sure?",0
M_lenAbort:
   .db "String too long,"
   .db "giving up.",0
   
;;Prompts the user for OK
;;Inputs:
;; HL->prompt string
;;Outputs:
;; ZF set if OK, reset otherwise
yesNoPrompt:
   bcall(_PutS)
   bcall(_NewLine)
   ld hl,M_OK
   bcall(_PutS)
   call waitSK
   cp skEnter
   ret
M_OK:
   .db "ENTER = OK, any "
   .db "other key aborts",0
   
;;Takes input from the user as a hex number
;;Inputs:
;; b=number of nibbles to accept
;; hl=address of prompt to display
;;Outputs:
;; hl=inputted number
hexInput:
   bcall(_PutS)
   set CurAble,(IY+CurFlags)
_waitKey:
   call waitSK
_keyLookup:
   cp skDel
   jr z,_keyDelete
   push hl
    ld hl,_keyLookupTab
    push bc
     ld b,10h  ;16 entries in _keyLookupTab (0-9, A-F)
_keyLookupLoop:
     cp (hl)
     inc hl
     jr z,_keyLookup_Found
     inc hl
     djnz _keyLookupLoop
_notFound:
     pop bc
    pop hl
   jr _waitKey
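_keyDelete:
   push bc
    ld b,4
_delLoop:
    srl h  ;shift the last nibble entered back out
    rr l
    djnz _delLoop
    pop bc
   ld a,' '
   push hl
    ld hl,curCol
    dec (hl)
    bcall(_PutMap)
    pop hl
   inc b
   jr _waitKey
   
_keyLookup_Found:
     ld a,(hl)  ;nibble value for the key pressed
     pop bc  ;restore in reverse push order: BC first, then HL
    pop hl
   add hl,hl  ;shift the digits entered so far up one nibble
   add hl,hl
   add hl,hl
   add hl,hl
   or l
   ld l,a  ;new digit becomes the low nibble
   djnz _waitKey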
_inputDone:
   call waitSK
   cp skEnter
   jr nz,_inputDone
   res CurAble,(IY+CurFlags)
   bcall(_NewLine)
   ret
_keyLookupTab:
   .db sk0,0
   .db sk1,1
   .db sk2,2
   .db sk3,3
   .db sk4,4
   .db sk5,5
   .db sk6,6
   .db sk7,7
   .db sk8,8
   .db sk9,9
   .db skMath,0Ah
   .db skMatrix,0Bh;actually APPS
   .db skPrgm,0Ch
   .db skRecip,0Dh
   .db skSin,0Eh
   .db skCos,0Fh
   
;;Takes string input from the user
;;Inputs:
;; HL->buffer
;; BC=max length
;;Outputs:
;; HL->inputted string (tokens converted to characters)
strInput:
   bcall(_GetKey)
   ;;unfinished routine
   ret

waitSK:
   halt
   bcall(_GetCSC)
   or a
   jr z,waitSK  ;0 = no key pressed, keep waiting
   ret
   
unlockFlash:
   ;ohai!
   ret

;erases flash sector containing page in A
eraseSector:
   push af
    ld a,2
    out (6),a
    ld a,0AAh
    ld (6AAAh),a
   
    ld a,1
    out (6),a
    ld a,$55
    ld ($5555),a
   
    ld a,2
    out (6),a
    ld a,80h
    ld (6AAAh),a
   
    ld a,0AAh
    ld (6AAAh),a
   
    ld a,1
    out (6),a
    ld a,55h
    ld (5555h),a
   
    pop af
   out (6),a
   ld a,30h
   ld hl,4000h
   ld (hl),a
_eraseWait:;wait for the erase operation to finish
   ld a,(hl)
   bit 7,a
   jr nz,_eraseReset
   bit 5,a
   jr z,_eraseWait
   ld a,(hl)
   rla
_eraseReset:;reset Flash chip
   ld a,$F0
   ld (0),a
   ret

.end
END


Last edited by Guest on 01 Apr 2009 09:02:39 pm; edited 1 time in total
magicdanw
pcGuru()


Calc Guru


Joined: 14 Feb 2007
Posts: 1110

Posted: 01 Apr 2009 06:07:20 pm    Post subject:

That looks pretty cool! Makes me think of CalcSys, if it could write to flash...hmm...why hasn't anyone updated it for that? Razz
brandonw


Advanced Member


Joined: 12 Jan 2007
Posts: 455

Posted: 01 Apr 2009 06:23:21 pm    Post subject:

Taricorp wrote:
FloppusMaximus wrote:
You can't change the "BOOT Code" message; that's produced by... the boot code.

Translation: it's totally shopped (or just recreated on the graph screen).

On the other hand, such things (with the exception of changing the boot code strings) are totally possible. I still need to do that to my calc.

EDIT: Oh, I see, this is in an emulator. :facepalm: I didn't catch that the first time around.


You can't change the boot code version string obviously, but you CAN intercept the call to the boot code routine, and Chameleon does this to change that string to 0.01.
elfprince13
Retired


Super Elite (Last Title)


Joined: 11 Apr 2005
Posts: 3500

Posted: 01 Apr 2009 07:20:53 pm    Post subject:

magicdanw wrote:
That looks pretty cool! Makes me think of CalcSys, if it could write to flash...hmm...why hasn't anyone updated it for that? Razz

Because idiots who overwrite their VAT table just need to pull a battery.

Also, you can't write arbitrary bytes to flash, since individual bits can only be set one way
Mapar007


Advanced Member


Joined: 04 Oct 2008
Posts: 365

Posted: 02 Apr 2009 03:48:35 am    Post subject:

Yeah, that's why you need a swap sector (if I understood it correctly) and swapping the sector for every single byte decimates your archive life time.
magicdanw
pcGuru()


Calc Guru


Joined: 14 Feb 2007
Posts: 1110

Posted: 02 Apr 2009 10:14:04 am    Post subject:

I meant that it would only let you clear bits. You'd be surprised at some hacks that can be done with just that...
Mapar007


Advanced Member


Joined: 04 Oct 2008
Posts: 365

Posted: 03 Apr 2009 12:07:41 am    Post subject:

Aha, ok, that's true. NOP out some sys routines...
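
The flash behaviour discussed in this thread (programming can only clear bits, so any other change needs the swap-sector copy and two erases), as an added C simulation that is not code from any poster. The 64-byte sector size, the struct and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE 64  /* toy size (assumption); real sectors are far larger */

/* Simulated NOR flash sector (constructed model, not calculator code). */
typedef struct {
    uint8_t  data[SECTOR_SIZE];
    unsigned erase_count;  /* wear: every erase uses up sector lifetime */
} sector_t;

static void flash_erase(sector_t *s) {
    memset(s->data, 0xFF, SECTOR_SIZE);  /* erase sets every bit to 1 */
    s->erase_count++;
}

/* Programming can only clear bits: the cell becomes old AND value. */
static void flash_program(sector_t *s, size_t off, uint8_t v) {
    s->data[off] &= v;
}

/* True if no bit has to go from 0 back to 1 (a Z80 NOP, 00h, always fits). */
static int fits_without_erase(const sector_t *s, size_t off,
                              const uint8_t *patch, size_t len) {
    for (size_t i = 0; i < len; i++)
        if ((s->data[off + i] & patch[i]) != patch[i]) return 0;
    return 1;
}

/* Patch len bytes at off; returns how many erases it cost (0 or 2). */
static unsigned flash_patch(sector_t *s, sector_t *swap, size_t off,
                            const uint8_t *patch, size_t len) {
    if (!fits_without_erase(s, off, patch, len)) {
        flash_erase(swap);                        /* erase the swap sector */
        for (size_t i = 0; i < SECTOR_SIZE; i++)  /* copy all but the patched span */
            if (i < off || i >= off + len) flash_program(swap, i, s->data[i]);
        flash_erase(s);                           /* erase the original sector */
        for (size_t i = 0; i < SECTOR_SIZE; i++)  /* copy back from swap */
            flash_program(s, i, swap->data[i]);
        for (size_t i = 0; i < len; i++) flash_program(s, off + i, patch[i]);
        return 2;
    }
    for (size_t i = 0; i < len; i++) flash_program(s, off + i, patch[i]);
    return 0;
}

int main(void) {
    sector_t s = {{0}, 0}, swap = {{0}, 0};
    flash_erase(&s);  /* freshly erased cells accept any value: returns 0 */
    return (int)flash_patch(&s, &swap, 0, (const uint8_t *)"w00t", 4);
}
```

In this model, changing a single character costs two erases unless the new byte happens to be reachable by clearing bits, which is the wear cost the swap-sector approach carries.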