Quote from: Compynerd255 on March 25, 2011, 07:01:24 pm

How does the calculator even detect that code is running in the "illegal" area? The only explanation that I can think of is that the last two bits on the address bus (the ones that must be on if code above C000 is being executed) are wired into a trigger that causes the processor to jump to the boot code. In other words, the detection is in the hardware itself.

Most likely it is.  Remember that we are talking about all of this being in the processor.  So the processor knows immediately if the pc is C000h or above.

The original TI-83+ just had a stock Z84C00 processor. The detection there must have been done by outside hardware, probably checking the address and the M1 signal (which is active only on instruction fetches).

I use the 900D0000 timer, which the OS sets to 100Hz (well, actually more like 99.3Hz). Running 3 frames every 5 timer ticks gives a speed close to the NES's 60.1Hz.

I suspect some program is changing the timer speed and not putting it back.

EDIT: Yep, it's gbc4nspire. Use this program to restore the timer speed after running it.

Here's a harder one: Find natural numbers a, b, and c where a³+b³=c³

0³ + 0³ = 0³

And yes, 0 is a natural number. The standard way to define the natural numbers in modern mathematics is to represent 0 with the empty set, 1 as the set {0}, 2 as the set {0,1}, etc.

There are actually two solutions (four if you allow a > b), so I'm going to be a smartass and give the unintended one:

I've found a buffer overflow vulnerability in the command shell's printf routine, which could potentially allow executing code by TYPEing a file. We may not be able to exploit it at this time because
- the code may have changed (the CAS+ has Reliance v2.00.0451/FlashFX v2.0, instead of Reliance v2.10.1150/FlashFX v3.00).
- the WRITE command can't create a file with 00, 08, 0A, or 0D bytes in it (this could be insurmountable, or not a problem at all, depending on what the addresses of the relevant functions and stack items turn out to be)
but I think it might be worth a try.

First step is to dump the stack to get some addresses... Try this (in whatever directory you're comfortable creating files in):

write stackdump 192
%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x
type stackdump

Yes, the two are signed with different keys.

Actually, they are signed with the same key. The reason you cannot use a TI-Nspire CAS OS on the TI-Nspire or vice versa is because for an OS to validate:

• There must be an 8010 field present which matches the first two characters of the Product ID, which are stored in NAND flash (but don't bother trying to change it, because of the other protection described next)
• The 80E0 field must contain a byte matching a part of the value read from address 0x900A0028/0x900A002C (presumably, this is an 8 byte ROM inside the ASIC and cannot be changed)

Changing these fields in the OS image will mean the signature isn't valid and the OS won't load.

Just wondering, but how many Hz does the nspire emulator get. My current version of the Prizm emulator achieves about 8MHz now on the average computer (I released the first test version yesterday), but I still have many more optimizations to do including multi threading.

On my computer, it typically runs around 100-200 million instructions per second. It depends heavily on the code being executed - plain arithmetic is fast, branches and memory accesses are slower, accesses to memory-mapped I/O ports are very slow. The main reason it's so fast otherwise is that I translate sequences of ARM instructions into the x86 code needed to emulate them, and execute that directly, so the overhead of figuring out what an instruction does is only incurred the first time it's executed. Without this feature, it's about 10x slower.

I have to ask: what hardware does the Prizm have whose emulation can be sped up with multi-threading?