Modified Flash Tool for WP 34S



Post: #7

I've uploaded a modified version of Cyrille's MySamBa download tool to SF. Please try it out on your machines and report back here.


Post: #8

First impression: It works just once. :-(

It seems that the software write protects the flash after updating it which makes it impossible to burn another image once the tool has been used. You need to do a full erase first. I will investigate this further.


Post: #9

Marcus,

That does not sound too user friendly!!!!

Namir


Post: #10

The problem is that I need to disassemble and modify ARM assembly code which exists as a hex dump only in the program. I have an idea but this will need some testing.

Cyrille talked about doing the disassembly with an HP 50g. Is anybody here with enough knowledge to help me? I can post the hex dump here if needed.

Edit: here it is:

70 47 78 47
01 06 A0 E3
02 1C A0 E3
EB 30 E0 E3
0D 3C C3 E3
9B 70 E0 E3
43 20 A0 E3
00 40 93 E5
02 00 14 E3
FC FF FF 0A
08 20 83 E5
00 40 A0 E3
40 20 A0 E3
00 60 93 E5
01 00 16 E3
FC FF FF 0A
04 50 93 E5
05 40 24 E0
00 60 93 E5
01 00 16 E3
FC FF FF 0A
04 60 93 E5
06 40 24 E0
06 54 85 E0
00 60 93 E5
01 00 16 E3
FC FF FF 0A
04 60 93 E5
06 40 24 E0
06 58 85 E0
00 60 93 E5
01 00 16 E3
FC FF FF 0A
04 60 93 E5
06 40 24 E0
06 5C 85 E0
04 50 80 E4
01 20 52 E2
E5 FF FF 1A
00 20 93 E5
01 00 12 E3
FC FF FF 0A
04 20 93 E5
04 00 52 E1
01 0C 40 12
58 20 A0 13
D7 FF FF 1A
FF 2C A0 E3
0F 28 82 E3
00 20 02 E0
01 2C 42 E2
01 20 82 E2
5A 24 82 E3
00 20 87 E5
04 20 97 E5
01 00 12 E3
FC FF FF 0A
59 20 A0 E3
01 10 51 E2
CA FF FF 1A
5A 04 A0 E3
01 0C 80 E2
0B 00 80 E2
00 00 87 E5
04 20 97 E5
01 00 12 E3
FC FF FF 0A
04 20 97 E5
01 00 12 E3
FC FF FF 0A
FF 00 E0 E3
02 0C C0 E3
0D 10 A0 E3
A5 14 81 E3
00 10 80 E5
FE FF FF EA


Edited: 4 Oct 2011, 10:15 a.m.


Post: #11

I found a very simple disassembler for ARM code on the net, compiled it, pasted my hex dump into HexEdit on my Mac, saved the resulting binary and came up with the following:

200B40 47784770 Undefined instruction ; [undefined instr]
200B44 E3A00601 MOV r0, #1<<20
200B48 E3A01C02 MOV r1, #1<<9
200B4C E3E030EB MVN r3, #&EB
200B50 E3C33C0D BIC r3, r3, #&D00
200B54 E3E0709B MVN r7, #&9B
200B58 E3A02043 MOV r2, #67
200B5C E5934000 LDR r4, [r3, #0]
200B60 E3140002 TST r4, #2
200B64 0AFFFFFC BEQ &00200B5C
200B68 E5832008 STR r2, [r3, #8]
200B6C E3A04000 MOV r4, #0
200B70 E3A02040 MOV r2, #64
200B74 E5936000 LDR r6, [r3, #0]
200B78 E3160001 TST r6, #1
200B7C 0AFFFFFC BEQ &00200B74
200B80 E5935004 LDR r5, [r3, #4]
200B84 E0244005 EOR r4, r4, r5
200B88 E5936000 LDR r6, [r3, #0]
200B8C E3160001 TST r6, #1
200B90 0AFFFFFC BEQ &00200B88
200B94 E5936004 LDR r6, [r3, #4]
200B98 E0244006 EOR r4, r4, r6
200B9C E0855406 ADD r5, r5, r6, LSL #8
200BA0 E5936000 LDR r6, [r3, #0]
200BA4 E3160001 TST r6, #1
200BA8 0AFFFFFC BEQ &00200BA0
200BAC E5936004 LDR r6, [r3, #4]
200BB0 E0244006 EOR r4, r4, r6
200BB4 E0855806 ADD r5, r5, r6, LSL #16
200BB8 E5936000 LDR r6, [r3, #0]
200BBC E3160001 TST r6, #1
200BC0 0AFFFFFC BEQ &00200BB8
200BC4 E5936004 LDR r6, [r3, #4]
200BC8 E0244006 EOR r4, r4, r6
200BCC E0855C06 ADD r5, r5, r6, LSL #24
200BD0 E4805004 STR r5, [r0], #4
200BD4 E2522001 SUBS r2, r2, #1
200BD8 1AFFFFE5 BNE &00200B74
200BDC E5932000 LDR r2, [r3, #0]
200BE0 E3120001 TST r2, #1
200BE4 0AFFFFFC BEQ &00200BDC
200BE8 E5932004 LDR r2, [r3, #4]
200BEC E1520004 CMP r2, r4
200BF0 12400C01 SUBNE r0, r0, #&100
200BF4 13A02058 MOVNE r2, #88
200BF8 1AFFFFD7 BNE &00200B5C
200BFC E3A02CFF MOV r2, #&FF00
200C00 E382280F ORR r2, r2, #&F0000
200C04 E0022000 AND r2, r2, r0
200C08 E2422C01 SUB r2, r2, #&100
200C0C E2822001 ADD r2, r2, #1
200C10 E382245A ORR r2, r2, #&5A000000
200C14 E5872000 STR r2, [r7, #0]
200C18 E5972004 LDR r2, [r7, #4]
200C1C E3120001 TST r2, #1
200C20 0AFFFFFC BEQ &00200C18
200C24 E3A02059 MOV r2, #89
200C28 E2511001 SUBS r1, r1, #1
200C2C 1AFFFFCA BNE &00200B5C
200C30 E3A0045A MOV r0, #&5A000000
200C34 E2800C01 ADD r0, r0, #&100
200C38 E280000B ADD r0, r0, #11
200C3C E5870000 STR r0, [r7, #0]
200C40 E5972004 LDR r2, [r7, #4]
200C44 E3120001 TST r2, #1
200C48 0AFFFFFC BEQ &00200C40
200C4C E5972004 LDR r2, [r7, #4]
200C50 E3120001 TST r2, #1
200C54 0AFFFFFC BEQ &00200C4C
200C58 E3E000FF MVN r0, #&FF
200C5C E3C00C02 BIC r0, r0, #1<<9
200C60 E3A0100D MOV r1, #13
200C64 E38114A5 ORR r1, r1, #&A5000000
200C68 E5801000 STR r1, [r0, #0]
200C6C EAFFFFFE B &00200C6C

It turned out that the routine assumed a clear memory which can be simply written without erase (command #1) at address 200c28. I changed that to #3 (erase and write) and this should have done the trick. I was able to replace the 34S image with the original 20b ROM and back to WP 34S.

I'm uploading the modified version on SF.

Edited: 4 Oct 2011, 11:55 a.m.


Post: #12

200B48 E3A01C02 MOV r1, #1<<9

If you look at this instruction you can see that r1 is loaded with the number of flash pages. r1 is later used to stop the download, set the boot bit and reset the calculator. I'd like to replace it with an instruction that loads an arbitrary constant (the number of flash pages in the current bin file). The number is <= 512. Any ARM specialist who can help me out? Is there an instruction that allows this? We can assume that the size is a multiple of 4 so something like MOV r1, #n<<2 should do the trick and I just need to fill #n with the correct value (<=128) before I send the code to the calculator.
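
The encoding question raised in the post above, as an added example (not Marcus's tool or the MySamBa code): an ARM data-processing immediate is an 8-bit value rotated right by an even amount, so a page count can be loaded with one MOV exactly when it fits that form. The encoder below covers the multiple-of-4 case (MOV r1, #n<<2) and also reports which other counts do not fit; the three sample words are the first three from the posted dump, and the byte offset of the MOV r1 is an assumption derived from the 0x200B40 base of the disassembly.

```python
import struct

COND_AL = 0xE      # "always" condition, the leading E in E3A0xxxx
OPCODE_MOV = 0xD   # data-processing opcode for MOV

def encode_imm(value):
    """Return (rot, imm8) for ARM's 8-bit rotated immediate, or None if
    value has no such form. The smallest rotation is chosen, which is
    what an assembler emits (512 -> rot 12, imm8 2, as in E3A01C02)."""
    value &= 0xFFFFFFFF
    for rot in range(16):
        # Rotating left by 2*rot undoes the ROR #2*rot the CPU applies.
        imm8 = ((value << (2 * rot)) | (value >> (32 - 2 * rot))) & 0xFFFFFFFF
        if imm8 < 0x100:
            return rot, imm8
    return None

def decode_imm(word):
    """Inverse of encode_imm: the constant a MOV/MVN word materialises."""
    rot, imm8 = (word >> 8) & 0xF, word & 0xFF
    return ((imm8 >> (2 * rot)) | (imm8 << (32 - 2 * rot))) & 0xFFFFFFFF

def mov_imm(rd, value, cond=COND_AL):
    """Assemble MOV rd, #value (ARM state, flags untouched)."""
    enc = encode_imm(value)
    if enc is None:
        raise ValueError(f"{value:#x} is not an ARM immediate")
    rot, imm8 = enc
    # cond[31:28] 00 I=1 opcode[24:21] S=0 Rn=0 Rd[15:12] rot[11:8] imm8[7:0]
    return ((cond << 28) | (1 << 25) | (OPCODE_MOV << 21)
            | (rd << 12) | (rot << 8) | imm8)

# Constructed sample: the first three words of the dump posted above,
# little-endian as they sit in the file; the disassembly lists them at
# 0x200B40, 0x200B44 and 0x200B48 (the MOV r1, #1<<9).
STUB = bytes.fromhex("70477847" "0106A0E3" "021CA0E3")
MOV_R1_OFFSET = 0x200B48 - 0x200B40   # byte offset of that MOV (assumed)

def set_page_count(stub, pages):
    """Swap the fixed 512-page count for the bin file's real page count.
    Raises if the count has no single-MOV encoding, e.g. 510, whose
    eight significant bits start at an odd bit position."""
    if not 0 < pages <= 512:
        raise ValueError("page count must be 1..512")
    old = struct.unpack_from("<I", stub, MOV_R1_OFFSET)[0]
    if old != mov_imm(1, 512):
        raise ValueError("stub does not hold MOV r1, #1<<9 at that offset")
    word = mov_imm(1, pages)
    return stub[:MOV_R1_OFFSET] + struct.pack("<I", word) + stub[MOV_R1_OFFSET + 4:]
```

Any multiple of 4 up to 512 encodes (rotation 15 gives imm8<<2, the MOV r1, #n<<2 form), so the multiple-of-4 assumption is what makes the single-instruction replacement safe.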
