I know it's been everywhere, especially on DS, but as far as I could find there is no place where the facts are gathered.
Boot 1.00, Base 1.16
Put a jump at FFCD, install a cursorhook, enable the cursor, and set curTime to 1. Then 1 to port 5, 7F to 6, SP at OP1+27d+4000h, jump to 4314h.
So is that all? No! What about all other versions? With my awesome (cough) Google skills, I have not been able to find anything about them.
On OS 2.22 (presumably also on 2.21; I don't have that OS so I can't check (*)): SP = OP1+4000h+11d, catch at FF67h and with the cursorhook at 0067h.
On OS 2.30 only: SP = OP1+4000h+23d, catch at FF7Ch and with the cursorhook at 007Ch.
Regardless of base version, your jump is at 43B3.
Anyway, the flash itself, and doing anything but reading from it, is easier, but by far not easy.
SE calcs do not have the same flash as BE calcs; they support additional commands, but luckily they are backwards compatible (if you can speak of that at all, seeing as they aren't the same brand).
They are both CFI-compatible, but on the SE's flash you can use fast-write (which you must enable first).
There is a lot to find and read about CFI (Common Flash Interface), but these are the most important (can be found in PongOS) and don't even think about going in 16-bit mode:
Which is the same as stated in the manuals and references that can be found all over the internet (even on Intel's site).
PongOS wrote:
;;; Commands are sent to the Flash chip by ordinary write cycles.
;;; Keep in mind that a physical address ppppp dddddd dddddddd
;;; corresponds to a logical address 000ppppp:01dddddd dddddddd.
;;; Any unrecognized command, including an attempt to read data, will
;;; reset the chip. Thus you cannot execute code to write Flash from
;;; within Flash; the code must be copied into RAM and executed there.
;;; When the chip is busy programming or erasing, commands written are
;;; usually ignored. Reading from the appropriate address will give
;;; status information.
;;; <AA>: Write AA to address *AAAA
;;; <55>: Write 55 to address *5555
;;; [nn]: Write nn to address *AAAA
;;; (nn): Write nn to any relevant address
;;; {nn}: Write nn anywhere, address doesn't matter
;;; The commands for the BE (AMD Am29F400B) are:
;;;
;;; {30} Resume suspended erase operation
;;;
;;; <AA><55>[80]<AA><55>[10] Automatically erase entire chip
;;;
;;; <AA><55>[80]<AA><55>(30) Automatically erase single sector
;;;
;;; <AA><55>[90] Read auto-select data
;;; (device ID, manufacturer, and sector
;;; protect states; used by an embedded
;;; device that supports many similar
;;; Flash chips but doesn't know which
;;; will be used; unneeded since the
;;; TI's provide port 2 for this
;;; purpose)
;;;
;;; <AA><55>[A0](xx) Program one byte
;;;
;;; {B0} Temporarily suspend current erase operation
;;;
;;; {F0} Reset (return to read mode)
;;; The SE (Fujitsu MBM29LV160) supports all of the above plus:
;;;
;;; <AA><55>[20] Enable fast programming mode
;;;
;;; {90}{F0} Exit fast mode
;;;
;;; {A0}(xx) Program one byte while in fast mode
;;;
;;; [98] Read CFI (Common Flash Interface) data
;;; (a generalization of the same
;;; concept as autoselect; the system
;;; can find out everything it needs to
;;; know -- size of the chip, sizes of
;;; sectors, supported command set --
;;; and a whole lot more besides.
;;; Again, the TI's don't need this.)
The mangling of the addresses is a result of the connections of pin A14 and A15, which (as most of us know) are not connected to the memory chips, but are used (together with the memory mode and ports 5, 6 and 7) to decide which chip should be accessed. All well and good, you may think, but it means that we won't write to AAAAh but 6AAAh.
Don't forget to return to read mode, your calc will most likely die if you don't.
Now, post your info
PS: don't look at your certificate if you live in the US, and if you do, don't remember it, because that's copying to your brain.
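
The address mapping and the BE command notation quoted above, worked through as an added example (not part of the original post and not PongOS code): it converts a physical flash address to the paged Z80 address and names the commands found in a trace of write cycles. The function names and the sample traces are assumptions made for illustration.

```python
# Added example (not PongOS code): name the BE flash commands in a write trace.
WINDOW = 0x4000  # flash pages are banked in at 4000h-7FFFh ("01dddddd dddddddd")
OFFSET = 0x3FFF  # only the low 14 address bits come from the Z80 address

def to_z80(phys):
    """Physical flash address -> (page, Z80 address), per the quoted mapping."""
    return phys >> 14, WINDOW | (phys & OFFSET)

def at(addr, star):
    """True if a Z80 write address reaches the chip address written as *star.
    Assumption: all 14 offset bits are compared; a real chip may decode fewer."""
    return (addr & OFFSET) == (star & OFFSET)

def unlocked(writes, j):
    """True if writes[j:j+2] is the <AA><55> prefix."""
    pair = writes[j:j + 2]
    return (len(pair) == 2
            and at(pair[0][0], 0xAAAA) and pair[0][1] == 0xAA
            and at(pair[1][0], 0x5555) and pair[1][1] == 0x55)

SINGLE = {0x30: "resume erase", 0xB0: "suspend erase", 0xF0: "reset"}

def match(writes, i):
    """Return (name, cycles consumed) for the command starting at writes[i]."""
    rest = writes[i + 2:]
    if unlocked(writes, i) and rest and at(rest[0][0], 0xAAAA):
        cmd = rest[0][1]
        if cmd == 0x90:
            return "autoselect", 3
        if cmd == 0xA0 and len(rest) > 1:
            return f"program {rest[1][1]:02X} at {rest[1][0]:04X}", 4
        if cmd == 0x80 and unlocked(writes, i + 3) and len(rest) > 3:
            addr, data = rest[3]
            if data == 0x10 and at(addr, 0xAAAA):
                return "erase chip", 6
            if data == 0x30:
                return f"erase sector at {addr:04X}", 6
    # Anything else is a one-cycle command or, per the quote, resets the chip.
    return SINGLE.get(writes[i][1], "unrecognized (chip resets)"), 1

def decode(writes):
    """Decode a list of (z80_addr, byte) write cycles into command names."""
    out, i = [], 0
    while i < len(writes):
        name, used = match(writes, i)
        out.append(name)
        i += used
    return out
```
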