Omnimaga
Omnimaga => News => Topic started by: thepenguin77 on June 28, 2011, 05:32:47 pm
-
This whole process started a long time ago when FloppusMaximus unlocked flash on his calculator. Then came custom OS's, the key factoring, and finally modifying the boot code. This will remove almost all traces of TI from your calculator, but you're not quite done, you still can't execute code >$C000.
However, today, I managed to do it. I executed code all the way from $C000 to $FFFF on page 0.
I was playing around with DrDnar's MicrOS preparing to do some boot code changes, when I got a little scared and decided to play around with the protected ports a little. I kept going down the line seeing what would change, and what wouldn't, when all of a sudden, writing to port (25h) crashed my calculator. After a little bit of experimentation, I figured out that any value higher than 17h caused a restart. Then I noticed that port (26h) also crashed my calculator, so after a bit more playing, I realized that any value lower than 1Ah would cause a reset.
Why this actually happened caused me quite a bit of trouble. I started outputting different values to the ports and seeing what I could get to crash. I tried running all sorts of programs with these ports enabled and I wasn't really getting any results. But finally, four hours later, with lots of trial and error with StarFox, I realized that the programs would crash if they executed ram low in memory. A quick check with a RET placed at $8000 confirmed this and then I was off to test the limits.
Setting port (25h) to 17h crashed when PC went below 9C00h. 16h crashed at 9800h. So obviously it is counting by 400h. I then did some testing with port (26h). 19h crashed at A800h and 1A crashed at AC00h. So again, counting by 400h.
After a bit more testing, I realized that these ports are looking at the ram chip as a whole, where page 00h comes first, then 01h, 02h, and so on, and setting the upper and lower ram execution limits.
So...
Send 00h to port (25h) and FFh to (26h) and your calculator will never crash from PC execution ever again.
For more details, see the newly updated wikiTi for ports 25h (http://wikiti.brandonw.net/index.php?title=83Plus:Ports:25) and 26h (http://wikiti.brandonw.net/index.php?title=83Plus:Ports:26).
-
Wow this is awesome, so you totally destroyed the 8 KB limit? O.O
-
Cool! What are the original values?
Too bad this doesn't work on a Ti-83+ BE
-
Cool! What are the original values?
Too bad this doesn't work on a Ti-83+ BE
It has its own method that's just as easy ;)
-
Wow this is awesome, so you totally destroyed the 8 KB limit? O.O
Gone
Cool! What are the original values?
Too bad this doesn't work on a Ti-83+ BE
Typically, 25h and 26h are at 10h and 20h respectively. As long as bits 4 and 5 are 00 though, you should only have to set 25h to 00h to make this work.
-
Cool! What are the original values?
Too bad this doesn't work on a Ti-83+ BE
It has its own method that's just as easy ;)
Well, almost as easy...
-
so, doing:
    ld a,0
    nop
    nop
    im 1
    di
    out (25h),a
    ld a,$FF
    nop
    nop
    im 1
    di
    out (26h),a
will allow you to never have the >$C000 thing happen again?
AWESOME.
-
so, doing:
    ld a,0
    nop
    nop
    im 1
    di
    out (25h),a
    ld a,$FF
    nop
    nop
    im 1
    di
    out (26h),a
will allow you to never have the >$C000 thing happen again?
It also looks like you cannot alter the values of the ports unless you do so from certain flash pages. But I've been wrong before.
-
Well, first, flash has to be unlocked before you can even dream about changing ports 25 and 26.
But actually, what we've found through testing is that you don't need that special sequence and it doesn't have to be on a privileged page, the boot code does it, but I'm not really sure you need it. I've been just changing them with OUT ($24), a.
So, unlock flash. Then use the ports like normal.
-
So... Can we get a demo program to try out or is it too dangerous?
-
Wow. You did it.
It feels awesome to be reminded that underneath all these little details, the TI-83 Plus series are just little computers.
-
Sure, why not. Actually, I want people to run this. It will tell me two things.
1. Do you actually have to do the special sequence to change ports 25h and 26h.
2. Does this work on an 83+SE.
So, just run this program. It will show you the number on screen that it is currently executing at. What it is doing is it is putting a RET at every address in ram and calling it. If it breaks through the $C000 boundary, that means it works fine.
I really need you to run this test if
1. You have a 83+SE. Theoretically, this should work.
2. You have a really low revision 84+BE/SE. We need to know if the port writing still works OK on these.
Finally, here is the program and the source. (I left out the unlock flash so I don't make certain people mad.) Just so you know, it clears ram. It will crash when it gets to 10000h or you can pull a battery.
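As an added illustration (not code from the thread or from thepenguin77), here is a small Python model of the two limit registers as described in the first post, together with a simulation of the "RET at every address" probe described just above. The lower/upper-limit rules are fitted to the observations reported in the thread (17h and 16h for port 25h, 19h and 1Ah for port 26h, with RAM page 1 mapped at $8000 and page 0 at $C000); the exact hardware behaviour beyond those data points, including the default memory map used here, is an assumption, and WikiTI remains the reference.

```python
# Added example, not from the thread: a model of the TI-83+/84+ RAM execution
# limits (ports 25h/26h) reconstructed from the data points in the first post,
# plus a simulation of thepenguin77's "CALL a RET at every RAM address" probe.
# The exact semantics are an assumption fitted to those observations.

PAGE_SIZE = 0x4000   # one RAM page is 16 KB
GRANULE = 0x400      # the limit registers count in 1 KB (400h) steps

# Constructed default memory map (assumption): bank B ($8000-$BFFF) holds RAM
# page 1 and bank C ($C000-$FFFF) holds RAM page 0, as in the normal 83+ setup.
DEFAULT_RAM_MAP = {0x8000: 1, 0xC000: 0}


def physical_ram_offset(pc, ram_map=DEFAULT_RAM_MAP):
    """Translate a logical Z80 address to an offset into the RAM chip.

    The post says the ports look at the RAM chip as a whole, page 00h first,
    then 01h, 02h and so on.  Addresses that are not RAM (the flash banks at
    $0000-$7FFF) return None; the limits do not apply to them.
    """
    for base, page in ram_map.items():
        if base <= pc < base + PAGE_SIZE:
            return page * PAGE_SIZE + (pc - base)
    return None


def execution_faults(pc, port25, port26, ram_map=DEFAULT_RAM_MAP):
    """True if fetching an instruction at logical address pc resets the calc.

    Lower limit (port 25h): executing below port25 * 400h (physical) resets.
        17h -> PC below 9C00h crashes, 16h -> below 9800h (page 1 at $8000).
    Upper limit (port 26h): executing at or above (port26 + 1) * 400h resets.
        19h -> A800h crashes, 1Ah -> AC00h crashes.
    """
    phys = physical_ram_offset(pc, ram_map)
    if phys is None:
        return False
    lower = port25 * GRANULE
    upper = (port26 + 1) * GRANULE
    return phys < lower or phys >= upper


def ret_probe(port25, port26, start=0x8000, end=0x10000, ram_map=DEFAULT_RAM_MAP):
    """Simulate the test program: place a RET at each RAM address in turn and
    CALL it, walking upwards.  Returns the first logical address whose fetch
    would reset the calculator, or None if the walk reaches 10000h untouched
    (the "crash at 10000h" end condition of the real program)."""
    for pc in range(start, end):
        if execution_faults(pc, port25, port26, ram_map):
            return pc
    return None


if __name__ == "__main__":
    # Stock values from the thread: 25h = 10h, 26h = 20h.
    stock = ret_probe(0x10, 0x20)
    print(f"stock 10h/20h: first faulting address {stock:04X}h")
    # Fully open: 25h = 00h, 26h = FFh.
    print("open 00h/FFh: first faulting address", ret_probe(0x00, 0xFF))
```

With the stock values the probe stops at C000h, which is the boundary the thread calls the 8 KB limit; with 00h/FFh it runs through all of $8000-$FFFF without faulting. Other page assignments (for instance an 84+ page mapped into bank B) can be modelled by passing a different `ram_map`.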
-
I really need you to run this test if
1. You have a 83+SE. Theoretically, this should work.
2. You have a really low revision 84+BE/SE. We need to know if the port writing still works OK on these.
Works on my ancient 0404 84+SE calc. No revision letter because it was the very first revision.
-
Runer112 you have one of the first-revision ones? O.O When'd you get it?
-
I bet plenty of people on IRC still got them, because they were around since their release. I think tr1p1ea has one of them.
-
So about this eliminating the 8 KB limit, how long until we can have say like an OS patch to remove this. I know we have Hot_Dog's Crabcake, but what about just completely patching the OS to remove it?
-
Well, since runer did a (no revision) we can safely assume that this works on all 84+'s and that you don't need to use the special sequence for anything besides port 14h.
Jkag, how about a boot code mod?
-
Yeah it's a boot code mode we're talking about here, right? (so the user doesn't have to patch his OS over and over, when re-installing it).
Also I think the difference between this and Crabcake was that Crabcake is one of (if not the) first successful released attempt to break the 8 KB limit, but it actually worked around it, while ThePenguin77's hack gets rid of it completely.
Nice job to Hot Dog on Crabcake and ThePenguin77 on this, and nice job to BrandonW/DrDnar too
-
What about the TI logo?
But seriously, nice job on squashing out the TI on your calc.
-
Well Crabcake doesn't require the user to do anything, it's built into the program itself.
-
well we could have two compiled versions of the game, one with Crabcake, another that is smaller (I believe Crabcake requires some space, albeit not a lot).
I still think it's a good idea, it's a limit that should have been taken off after TI decided selling apps/programs wasn't gonna work.
-
By the way guys, as a reminder, DO NOT ATTEMPT TO UNLOCK FLASH UNLESS YOU KNOW WHAT YOU ARE DOING. ;D
Modifying the boot code is actually a good idea. However, I don't see it eliminating Crabcake for three reasons:
1. Crabcake is completely portable
2. There are some people who really shouldn't be messing with their boot code (or who don't WANT to mess up their boot code), namely beginners
3. There's always a chance that TI could write a boot 1.02, after which a new patch might have to be written.
-
Yeah, hot_dog, I don't think putting it in the boot code is a good idea, yet. We first need to know what kind of side effects this will have before we make it permanent. (Programs will no longer crash, they will freeze or go crazy.)
However, runer figured out an easy way to mod the boot code that doesn't involve erasing it, you only overwrite what was previously there. In fact, it is simple enough that I wouldn't mind writing it in the boot code myself. (Not that I'm normal ;))
-
Wow, so many awesome advances recently! :O Great work thepenguin and anyone else who was involved with this!
-
Yeah, hot_dog, I don't think putting it in the boot code is a good idea, yet. We first need to know what kind of side effects this will have before we make it permanent. (Programs will no longer crash, they will freeze or go crazy.)
Hmmm, that makes sense. It's for that reason that Crabcake relocks the C000-FFFF area upon shutdown
-
Yeah, hot_dog, I don't think putting it in the boot code is a good idea, yet. We first need to know what kind of side effects this will have before we make it permanent. (Programs will no longer crash, they will freeze or go crazy.)
Hmmm, that makes sense. It's for that reason that Crabcake relocks the C000-FFFF area upon shutdown
Wait, you mean you already implemented this? Because if that's the case, then you should save the previous values so that if a person has it permanently unlocked, crabcake won't relock it.
Edit:
Also with this, you don't have to shut down the hooks.
-
Yeah, hot_dog, I don't think putting it in the boot code is a good idea, yet. We first need to know what kind of side effects this will have before we make it permanent. (Programs will no longer crash, they will freeze or go crazy.)
Hmmm, that makes sense. It's for that reason that Crabcake relocks the C000-FFFF area upon shutdown
Wait, you mean you already implemented this? Because if that's the case, then you should save the previous values so that if a person has it permanently unlocked, crabcake won't relock it.
Edit:
Also with this, you don't have to shut down the hooks.
Don't the hooks have problems when a different page is swapped using port $05 on a 15 MHz? On the 15 MHz calcs, RAM is never unlocked.
Whatever the case, I agree about saving the value in case someone permanently unlocked their flash
-
Oh, no. Nevermind. I thought that you had already implemented the port 25/26 thing in CrabCake. I meant save those values
And there's no reason to save the flash unlock state, flash gets relocked every time you archive/unarchive something or even run an app.
-
Oh, no. Nevermind. I thought that you had already implemented the port 25/26 thing in CrabCake. I meant save those values
And there's no reason to save the flash unlock state, flash gets relocked every time you archive/unarchive something or even run an app.
Actually, if I implemented this, you're right, there's no need to worry about hooks. It would also save more space. My hesitation beforehand was I thought I would need to run boot pages, but as it turns out, I only need unlock flash, and crabcake already has the unlock flash code
-
Woah, that's crazy?
But no one's actually tried running anything >8 KB yet with this, right? Like penguin said, there's a chance it would do some weird thing instead haha
Or am I interpreting it wrong?
-
I'll give that program a whirl on my A model calc when I get home and find some batteries >.> <.<
other than that AWESOME ti lost....again :P
congrats guys this is why we do what we do to enjoy it !!!
-
Wow, modding boot code and removing the 8 KB limit all within 2 days. Program works on my friend's A revision 84+BE. TI just lost for the 9001st time. :hyper:
I just scratch the TI logo off and you're good to go!
-
TI: "I hate you guys."
-
Wow this is perfect. Screw TI, we now have complete control over your calculators. You can't lock us out now no matter how hard you try
-
Sure they can. They can just revise the hardware. A little expensive, perhaps, but doable. Then all future students will be stuck with the changes.
-
Sure they can. They can just revise the hardware. A little expensive, perhaps, but doable. Then all future students will be stuck with the changes.
Do you really think they'd mod the hardware to lock us out? That would suck and be pretty expensive for TI
-
It depends on how much pressure they're under to do it. Don't count it out.
-
They would only do that if testing people realized these changes would allow people to cheat.
-
And how exactly would it allow people to cheat
-
Well, it is already trivial to use a calculator to cheat, but if say a custom os was made that had a CAS and no press 2 test, there could be issues.
-
you can already make custom hooks to do that...?
-
Well, it is already trivial to use a calculator to cheat, but if say a custom os was made that had a CAS and no press 2 test, there could be issues.
The RAM page 0 protection has nothing to do with loading custom OSes :P
-
Kinda late, but good job on this!
-
This specific hack doesn't really do much to the calculator that would help cheating I don't think
-
True, but the fact TI now has absolutely no control over what is going on their calculators will make some testing people nervous.
EDIT: 1 more post and I'm at 1K :D
-
This in no way changes the possibility of cheating. That will not change unless the flash unlock exploits themselves are fixed.
-
Works for me on 0405C.
-
This in no way changes the possibility of cheating. That will not change unless the flash unlock exploits themselves are fixed.
The guys over at T3 don't get that. They think everything we do makes students cheat :P
-
Congratulations to thepenguin77... and congratulations to TI as well :)
When they make a nasty move, the community notices, looks deeper... and finds/does some pretty interesting things that wouldn't have been found/done so soon without TI's move. And we all laugh at TI's renewed fail.
-
\o/
Yay! This is wonderful! Thank you, thepenguin77!
Does anyone see the irony here? We are an anti-troll community and we spend all of our time trolling TI. Go figure. :P
-
\o/
Yay! This is wonderful! Thank you, thepenguin77!
Does anyone see the irony here? We are an anti-troll community and we spend all of our time trolling TI. Go figure. :P
TI needs to be trolled
-
Hmm, what's supposed to be the max upper limit where that program can execute? FFFF? I just ran it on an old, extra pages 84+ BE and it crashed at FFC7.
anyways, is this the last big step to be taken? the 83/4 series has always been moving forward to some larger goal after achieving one that was previously thought impossible (grayscale, sound, custom OS's, internet access, and now this). is there anything else that remains to be done, now?
-
Hmm, what's supposed to be the max upper limit where that program can execute? FFFF? I just ran it on an old, extra pages 84+ BE and it crashed at FFC7.
anyways, is this the last big step to be taken? the 83/4 series has always been moving forward to some larger goal after achieving one that was previously thought impossible (grayscale, sound, custom OS's, internet access, and now this). is there anything else that remains to be done, now?
From the title it seems like this was the last step to us being able to completely control the calc
-
Sure they can. They can just revise the hardware. A little expensive, perhaps, but doable. Then all future students will be stuck with the changes.
Do you really think they'd mod the hardware to lock us out? That would suck and be pretty expensive for TI
If they did, how long do you think it would last, looking at recent history? :P
Either way, great job ;D
is there anything else that remains to be done, now?
↑
-
There's still Bluetooth and WiFi left, as well as the ability to put the calc in MSD mode... But as far as control goes, we've achieved everything. (Or have we? Is the 83+ boot code unwritable?)
-
There's still Bluetooth and WiFi left, as well as the ability to put the calc in MSD mode... But as far as control goes, we've achieved everything. (Or have we? Is the 83+ boot code unwritable?)
well for the 84's we've achieved everything. The 83 might be impossible from what I read
-
Hmm, what's supposed to be the max upper limit where that program can execute? FFFF? I just ran it on an old, extra pages 84+ BE and it crashed at FFC7.
anyways, is this the last big step to be taken? the 83/4 series has always been moving forward to some larger goal after achieving one that was previously thought impossible (grayscale, sound, custom OS's, internet access, and now this). is there anything else that remains to be done, now?
It's because the stack corrupted stuff, causing a crash. It's unrelated to the actual execution protection.
-
is there anything else that remains to be done, now?
I'd like mode 0 interrupts/extra i/o ports on the 1999 83+'s.
Also, we could do more reverse engineering on the ASIC.
One great feat at a time, though. ;)
-
is there anything else that remains to be done, now?
I'd like mode 0 interrupts/extra i/o ports on the 1999 83+'s.
Please correct me if I'm wrong, but in order to have mode 0 interrupts, we'd have to redesign the Ti-83+ HARDWARE. No software in the world could make use of mode 0 on the current Ti-83+s.
-
I'm decently sure you're correct, Hot_Dog. :D
Edit: Oh, and congrats, thepenguin!
-
Mode 0 is just the 8080 compatible mode, mode 0 in hardware is much different and impossible through software on the 83+...if only we had the pinout to the asic.
-
is there anything else that remains to be done, now?
↑
Starcraft over gCn.
-
is there anything else that remains to be done, now?
↑
Starcraft over gCn.
Even better, Flash Player for starcraft.swf
-
Also, we could do more reverse engineering on the ASIC.
You'd be surprised how much has already been done. I believe we have [nearly] complete schematics for several of the important components.
-
is there anything else that remains to be done, now?
I'd like mode 0 interrupts/extra i/o ports on the 1999 83+'s.
Please correct me if I'm wrong, but in order to have mode 0 interrupts, we'd have to redesign the Ti-83+ HARDWARE. No software in the world could make use of mode 0 on the current Ti-83+s.
Yes, you would have to have extra hardware, but we should do it to prove our 1337ness. ;)
-
I did some tests that suggested that the TI-84+/SE always sends FFh as the byte for IM 2, in which case IM 0 would actually be usable (the ISR would be the RST 38h routine).
-
I did some tests that suggested that the TI-84+/SE always sends FFh as the byte for IM 2, in which case IM 0 would actually be usable (the ISR would be the RST 38h routine).
Definitely not on TI-83+BE, though (http://www.maxcoderz.org/forum/viewtopic.php?f=5&t=2778)
-
But what would trigger the interrupt in mode 0? It might go somewhere predictable, but would it ever trigger?
-
But what would trigger the interrupt in mode 0? It might go somewhere predictable, but would it ever trigger?
It triggers if interrupts are enabled and an interrupt is requested :P
-
Ah. Sorry, I was confusing IM0 with NMI :-[ (I don't think the hardware ever generates those, right?)
-
IM0 is when you have an external piece of hardware place an opcode on the Databus to be executed. It's possible to do on the first 83+ BE's because the z80 is exposed. I don't know much about the ASIC, so I'm not sure about the later models.
-
I did some tests that suggested that the TI-84+/SE always sends FFh as the byte for IM 2, in which case IM 0 would actually be usable (the ISR would be the RST 38h routine).
ralphdspam, as DrDnar has said, the TI-84+(SE) seems to put $FF on the databus. ;) (Which would make IM0 equivalent to IM1, it seems)
-
Why did they do that? Anyways, there would be no point of that on the 84+SE, then.
I'm talking about applying IM1 to the original 83+BE's.
-
On those the databus seems unpredictable, IIRC. This means that your calculator will execute some random instruction (and probably crash :P)
-
Hmm... somebody needs to test IM 2 with TI-83+SE. If it's always 0xFF, then this might be a useful fact for programs meant to run only on 15MHz calcs.
-
eew, we don't want that to happen... I wonder if I/O would be possible with those calcs, or would the databus be unpredictable as well?
-
Wait, what? ??? For I/O we have the linkport, no?
-
No, I mean using the databus for I/O
-
No, I mean using the databus for I/O
I think that's what ports are for...
-
Yes, I mean connecting an external device to receive I/O read/writes from the Z80. (From the old 83+BE's, of course)
-
Yes, I mean connecting an external device to receive I/O read/writes from the Z80. (From the old 83+BE's, of course)
Well, the databus is in an unknown state when an interrupt occurs (because that could happen at any point in an executing program). Of course it will be in a known state when actually doing port outputs and stuff.
-
The previous generation of programmers say that the TI-83+ leaves whatever was the last value on the bus. Thus, it's effectively random. In my tests, the ASIC models don't seem to do this.
-
Do you mean newer 83+'s too?
-
That's something important to check. Do the newer TI-83+s have the other new ports, too?
-
Hmm... somebody needs to test IM 2 with TI-83+SE. If it's always 0xFF, then this might be a useful fact for programs meant to run only on 15MHz calcs.
I know for a fact that the 84+BE has predictable IM2 vectors whereas the 84+SE does not. This was the major bug I found when I first released Pyoro.
-
In other news, BrandonW has successfully updated the boot code on his TI-84+ to 1.03, making it think it's a Pocket. :D
-
Lol, that's pretty funny. :D
-
Going from 1.03 to 1.02 is equally as easy. 1.03 is defeated in oh-so-many ways.
-
Very interesting :D
@TI: watch this disaster unfold - you've added a protection, and the result, obtained in short order, is not only complete defeat of the protection, but also, additional insight gained into your calculators (e.g. ports 21, 25, 26). Congratulations ;)
-
Going from 1.03 to 1.02 is equally as easy. 1.03 is defeated in oh-so-many ways.
Awesome. =) They should really just give up. After all, the community knows their hardware better than they do.
-
Thepenguin77, I tested t32.8xp on a Ti-83+ Silver Edition, and it works.
However, I started implementing the ports in Crabcake, and I think I'm doing something wrong because the RAM doesn't unlock.
Here's my code:
Is15MhzCalculator:
    ;Thanks to thepenguin77 for finding out this new method for unlocking RAM.
    call FlashUnlockExploit
    in a, ($25)
    ld (StateOfRam), a
    in a, ($26)
    ld (StateOfRam + 1), a   ;In case the user wants RAM permanently unlocked,
                             ;or in case permanent unlocking causes crashes,
                             ;the old values for these two ports are saved
    xor a
    out ($25), a
    ld a, $FF
    out ($26), a
    B_CALL $4F3C
-
I'm sure that somewhere in TI's vast vaults is documentation on what ports 0E, 0F, 15, 24, and 2D do. But they'll never tell us without a court order, and they'd fight it for no good reason.
-
Hot_Dog, the only reason that wouldn't work is because flash isn't actually unlocked. So check port (02), port (25h), and port (26h) and make sure that everything looks correct.
DrDnar, don't forget about ports 0Bh and 0Ch.
-
Oh yeah, I forgot that I shortened BrandonW's routine for using on simply the Ti-83+ BE. Hence it wasn't "universal" ;D