
Announcing Rip'Em, a third-party firmware for the HP Prime

Started by Jean-Baptiste Boric, January 01, 2016, 10:30:14 pm


Jean-Baptiste Boric

Odd. I have a HW-C model though.

I hope it's just the keypad matrix being connected to different GPIO pins. A DVT model is too precious to sacrifice FOR SCIENCE! tinker recklessly with its UART.

Previously, I (ab)used the external interrupt pin hooked to the ON key, but I switched to the proper scanning method when I got it working.

I'll make a firmware to dump all GPIO registers on the screen. Since BXCBOOT0.BIN initializes the keypad GPIO to read the ON+Symb key combination, with a bit of luck the configuration registers will tell me where the keypad pins are located.

DJ Omnimaga

Maybe you did something that causes the new version to only run on hardware C? I hope hardware differences won't make it too difficult to develop third-party firmwares or bootloaders for that calculator.

Jean-Baptiste Boric

Dumper's done. Hopefully without bugs.

It's in the gpio-dumper branch on the GitHub repository. I took a picture on my HW-C calc and attached the results.

critor

Someone needs to test on HW-A.
Visually, the DVT PCB looks like the HW-A PCB.

DJ Omnimaga

Would this qualify as safe? I am curious because while under normal means I wouldn't mind sacrificing a calculator to test an OS for compatibility, I am currently short on money for new calculator purchases, so I am reluctant about taking the risk with my only HP Prime.

Jean-Baptiste Boric

Quote from: DJ Omnimaga on March 08, 2016, 12:19:29 am
Would this qualify as safe? I am curious because while under normal means I wouldn't mind sacrificing a calculator to test an OS for compatibility, I am currently short on money for new calculator purchases, so I am reluctant about taking the risk with my only HP Prime.

Beyond the "decline any responsibility" disclaimer, Rip'Em doesn't touch the NAND at all except for turning on (irrevocably until reset) write-protection for the recovery as the very first thing done, so a brick is theoretically impossible. I'd qualify it as safe.

The reckless part is about opening a HP Prime to connect to the UART and probe the GPIO registers through the GDB stub until something interesting happens. My calc has suffered no side effects, but I wouldn't recommend nor ask anyone to do that.

The dumper firmware merely dumps the contents of the GPIO registers on the screen, no reckless probing here. With screenshots running on different hardware revisions, I can hopefully pinpoint some differences between the revisions and code accordingly.

Lionel Debroux

My Prime is HW A, but I can't run VMs any longer on my main computer to reflash the Prime...
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (GCC4TI online documentation), TIEmu and TILP.
Co-admin of TI-Planet.

Jean-Baptiste Boric

Yeah, Windows-only flashing sucks, but I don't think I'm up to the task of reverse-engineering the USB flashing protocol. I only have so much sanity to spare ;D

On the other hand, I've reverse-engineered a good chunk of the first 8 KiB (only 2 KiB worth of code, but still) of BXCBOOT0.BIN. There's enough stuff to piggy-back here to allow unlimited read access to the NAND.

Is it acceptable to post such material here, or should I put it somewhere else?

alexgt

This looks great! I can't wait for more features. I am sorry for not following this more closely ._.

Lionel Debroux

March 08, 2016, 01:31:47 pm (last edit: March 08, 2016, 01:36:07 pm by Lionel Debroux)

Quote: Yeah, Windows-only flashing sucks, but I don't think I'm up to the task of reverse-engineering the USB flashing protocol. I only have so much sanity to spare ;D

I had scratched the surface of that reverse-engineering work, and AHelper0 worked on it later as well. But there's no complete reimplementation of that protocol.

Quote: On the other hand, I've reverse-engineered a good chunk of the first 8 KiB (only 2 KiB worth of code, but still) of BXCBOOT0.BIN. There's enough stuff to piggy-back here to allow unlimited read access to the NAND.

Indeed, we already knew it.

Quote: Is it acceptable to post such material here, or should I put it somewhere else?

What about the TI-Planet hpwiki, which already contains such kind of material, as well as other content unmatched elsewhere (not even in the HP community), that I know of? :)
See https://tiplanet.org/hpwiki/index.php?title=User:BXCBOOT0_BIN_pastebin_com_SKw5xtev, dropped by an anonymous user in August 2013.

Jean-Baptiste Boric

Quote from: Lionel Debroux on March 08, 2016, 01:31:47 pm
Indeed, we already knew it.

Better than knowing it, now we can use it. Besides other things I figured out the subroutine that reads a NAND block, so now I can either write a reimplementation or piggy-back the existing one for Rip'Em.

Quote from: Lionel Debroux on March 08, 2016, 01:31:47 pm
What about the TI-Planet hpwiki, which already contains such kind of material, as well as other content unmatched elsewhere (not even in the HP community), that I know of? :)
See https://tiplanet.org/hpwiki/index.php?title=User:BXCBOOT0_BIN_pastebin_com_SKw5xtev, dropped by an anonymous user in August 2013.

I used that page as a starting point, but I've done my reverse-engineering with only arm-none-eabi-objdump since I don't have IDA. I've requested an account, now waiting for the email.

By the way, why is the HP wiki separate from the main TI-Planet wiki and why does it require a separate account from TI-Planet's? It's not very practical and the HP pages are needlessly hidden away...

Lionel Debroux

Quote: By the way, why is the HP wiki separate from the main TI-Planet wiki

IIRC, that was an aim, for neutrality or something along those lines. Even if hosted on the server which hosts TI-Planet, Inspired-Lua, ToutMonExam and whatever else I forget right now, it could have been accessible from a different URL later, with a redirect.
Of course, we now know that very few people care about tinkering with the Prime...

Quote: and why does it require a separate account from TI-Planet's?

Indeed, no integration between MediaWiki and phpBB was performed, but beyond the aforementioned aim, I don't know whether it's because it's "impossible" (as in, annoying) to do, or because "we" - mostly Adriweb - didn't spend time trying, or because of security reasons (deeper integration = more damage upon intrusion or legal attacks).
Hackspire was separated from anything else, too.
Trying to concentrate much shared community knowledge - and therefore power - into a single integrated infrastructure has clear downsides, all the more said concentration is performed partially without permission, as occurred recently on another TI community site.

Vogtinator

Quote from: Jean-Baptiste Boric on March 08, 2016, 02:16:57 pm
I used that page as a starting point, but I've done my reverse-engineering with only arm-none-eabi-objdump since I don't have IDA. I've requested an account, now waiting for the email.

IDA 5.0 is free and a huge step up compared to objdump -D...

Jean-Baptiste Boric

Quote from: Vogtinator on March 08, 2016, 03:38:33 pm
IDA 5.0 is free and a huge step up compared to objdump -D...

If I remember well, IDA 5.0 only supports x86 disassembly and it doesn't run under Linux.

Adriweb

About the wiki thing, I've now validated the account.

The HP Wiki we have is indeed separate from TI-Planet itself, but the TI-Planet wiki is however using the forum's phpBB account for single-sign-on user friendliness.
Co-founder & co-administrator of TI-Planet and Inspired-Lua
