Re: Modified Flash Tool for WP 34S Message #5 Posted by Marcus von Cube, Germany on 4 Oct 2011, 11:23 a.m., in response to message #4 by Marcus von Cube, Germany
I found a very simple disassembler for ARM code on the net, compiled it, pasted my hex dump into HexEdit on my Mac, saved the resulting binary and came up with the following:
200B40 47784770 Undefined instruction ; [undefined instr]
200B44 E3A00601 MOV r0, #1<<20
200B48 E3A01C02 MOV r1, #1<<9
200B4C E3E030EB MVN r3, #&EB
200B50 E3C33C0D BIC r3, r3, #&D00
200B54 E3E0709B MVN r7, #&9B
200B58 E3A02043 MOV r2, #67
200B5C E5934000 LDR r4, [r3, #0]
200B60 E3140002 TST r4, #2
200B64 0AFFFFFC BEQ &00200B5C
200B68 E5832008 STR r2, [r3, #8]
200B6C E3A04000 MOV r4, #0
200B70 E3A02040 MOV r2, #64
200B74 E5936000 LDR r6, [r3, #0]
200B78 E3160001 TST r6, #1
200B7C 0AFFFFFC BEQ &00200B74
200B80 E5935004 LDR r5, [r3, #4]
200B84 E0244005 EOR r4, r4, r5
200B88 E5936000 LDR r6, [r3, #0]
200B8C E3160001 TST r6, #1
200B90 0AFFFFFC BEQ &00200B88
200B94 E5936004 LDR r6, [r3, #4]
200B98 E0244006 EOR r4, r4, r6
200B9C E0855406 ADD r5, r5, r6, LSL #8
200BA0 E5936000 LDR r6, [r3, #0]
200BA4 E3160001 TST r6, #1
200BA8 0AFFFFFC BEQ &00200BA0
200BAC E5936004 LDR r6, [r3, #4]
200BB0 E0244006 EOR r4, r4, r6
200BB4 E0855806 ADD r5, r5, r6, LSL #16
200BB8 E5936000 LDR r6, [r3, #0]
200BBC E3160001 TST r6, #1
200BC0 0AFFFFFC BEQ &00200BB8
200BC4 E5936004 LDR r6, [r3, #4]
200BC8 E0244006 EOR r4, r4, r6
200BCC E0855C06 ADD r5, r5, r6, LSL #24
200BD0 E4805004 STR r5, [r0], #4
200BD4 E2522001 SUBS r2, r2, #1
200BD8 1AFFFFE5 BNE &00200B74
200BDC E5932000 LDR r2, [r3, #0]
200BE0 E3120001 TST r2, #1
200BE4 0AFFFFFC BEQ &00200BDC
200BE8 E5932004 LDR r2, [r3, #4]
200BEC E1520004 CMP r2, r4
200BF0 12400C01 SUBNE r0, r0, #&100
200BF4 13A02058 MOVNE r2, #88
200BF8 1AFFFFD7 BNE &00200B5C
200BFC E3A02CFF MOV r2, #&FF00
200C00 E382280F ORR r2, r2, #&F0000
200C04 E0022000 AND r2, r2, r0
200C08 E2422C01 SUB r2, r2, #&100
200C0C E2822001 ADD r2, r2, #1
200C10 E382245A ORR r2, r2, #&5A000000
200C14 E5872000 STR r2, [r7, #0]
200C18 E5972004 LDR r2, [r7, #4]
200C1C E3120001 TST r2, #1
200C20 0AFFFFFC BEQ &00200C18
200C24 E3A02059 MOV r2, #89
200C28 E2511001 SUBS r1, r1, #1
200C2C 1AFFFFCA BNE &00200B5C
200C30 E3A0045A MOV r0, #&5A000000
200C34 E2800C01 ADD r0, r0, #&100
200C38 E280000B ADD r0, r0, #11
200C3C E5870000 STR r0, [r7, #0]
200C40 E5972004 LDR r2, [r7, #4]
200C44 E3120001 TST r2, #1
200C48 0AFFFFFC BEQ &00200C40
200C4C E5972004 LDR r2, [r7, #4]
200C50 E3120001 TST r2, #1
200C54 0AFFFFFC BEQ &00200C4C
200C58 E3E000FF MVN r0, #&FF
200C5C E3C00C02 BIC r0, r0, #1<<9
200C60 E3A0100D MOV r1, #13
200C64 E38114A5 ORR r1, r1, #&A5000000
200C68 E5801000 STR r1, [r0, #0]
200C6C EAFFFFFE B &00200C6C
It turned out that the routine assumed a clear memory which can be simply written without erase (command #1) at address 200c28. I changed that to #3 (erase and write) and this should have done the trick. I was able to replace the 34S image with the original 20b ROM and back to WP 34S.
I'm uploading the modified version on SF.
Edited: 4 Oct 2011, 11:55 a.m.
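Added example (not code from the post or from the WP 34S project): a Python model of the page-upload protocol the disassembled stub implements, so the checksum, the retry handshake and the flash command word can be checked on the host before anything is sent to a real device. Reading the listing, the stub sends one byte from r2 ('C' = 67 to start, 'X' = 88 after a bad page, 'Y' = 89 after a good one), then reads 64 words per page byte by byte, XORs every byte into r4, compares the result with one trailing byte, and on success writes 0x5A000000 | page<<8 | command to the flash controller. The names DBGU_THR/RHR for [r3,#8]/[r3,#4] and MC_FCR/MC_FSR for [r7,#0]/[r7,#4] are assumptions drawn from the AT91SAM7 data sheet, not something the post states; the pad byte 0xFF and the loop terminating on image length rather than on a fixed 512 pages are simplifications of this model.

```python
"""
Host/device model of the loader stub's page-upload protocol.
Added example, not code from the post or the WP 34S project. Register
names (DBGU, MC_FCR/MC_FSR) are assumptions from the AT91SAM7 family
data sheet; the stub itself only uses raw addresses.
"""

PAGE_WORDS = 64                 # MOV r2, #64    : words read per page
PAGE_SIZE = PAGE_WORDS * 4      # 256 bytes per flash page
PAGE_COUNT = 1 << 9             # MOV r1, #1<<9  : stub expects 512 pages
FLASH_BASE = 1 << 20            # MOV r0, #1<<20 : destination pointer
EFC_KEY = 0x5A000000            # key required in the command word

# Low nibble of the command word (ADD r2, r2, #N at 200C0C)
CMD_WP = 0x1     # write page, assumes the page is already erased (original stub)
CMD_EWP = 0x3    # erase then write page (the fix described in the post)
CMD_SGPB = 0xB   # set GPNVM bit; the final word 0x5A00010B targets bit 1

ACK_START, ACK_BAD, ACK_GOOD = 67, 88, 89   # 'C', 'X', 'Y' sent through THR


def page_checksum(page: bytes) -> int:
    """XOR of every byte of the page, exactly what r4 accumulates."""
    acc = 0
    for b in page:
        acc ^= b
    return acc


def flash_command(page_index: int, cmd: int) -> int:
    """Word the stub stores to the flash command register (200BFC..200C14):
    key | page<<8 | cmd. The stub derives the page from the post-incremented
    pointer r0 (masked with 0xFFF00) and subtracts 0x100, which is page<<8."""
    return EFC_KEY | ((page_index << 8) & 0xFFF00) | (cmd & 0xF)


def decode_command(word: int) -> dict:
    """Split a command word back into its fields, useful when reading a dump."""
    return {"key_ok": (word >> 24) == 0x5A,
            "page": (word >> 8) & 0xFFF,
            "cmd": word & 0xF}


def host_frames(image: bytes):
    """Host side: pad the image to whole pages (0xFF assumed) and append
    the XOR byte the stub compares against after each page."""
    image = image + b"\xff" * (-len(image) % PAGE_SIZE)
    for off in range(0, len(image), PAGE_SIZE):
        page = image[off:off + PAGE_SIZE]
        yield page + bytes([page_checksum(page)])


def loader_receive(frame: bytes):
    """Device side: rebuild 64 little-endian words (the LSL #8/#16/#24 adds)
    while XORing every byte, then compare with the trailing checksum byte."""
    words, acc = [], 0
    for w in range(PAGE_WORDS):
        chunk = frame[4 * w:4 * w + 4]
        acc ^= chunk[0] ^ chunk[1] ^ chunk[2] ^ chunk[3]
        words.append(int.from_bytes(chunk, "little"))
    ok = frame[PAGE_SIZE] == acc
    return words, ok


def simulate(image: bytes, cmd: int = CMD_EWP, corrupt_first: bool = False):
    """Run the exchange over an in-memory link. Returns the sequence of
    acks and command words, plus the image as it would land in flash."""
    log, flashed = [], bytearray()
    ack = ACK_START
    frames = list(host_frames(image))
    i = 0
    while i < len(frames):
        log.append(ack)            # stub transmits r2 before each page
        frame = frames[i]
        if corrupt_first and i == 0 and ack == ACK_START:
            frame = bytes([frame[0] ^ 0x01]) + frame[1:]   # one injected bit error
        words, ok = loader_receive(frame)
        if not ok:
            ack = ACK_BAD          # 'X': r0 rewound by 0x100, same page again
            continue
        flashed += b"".join(w.to_bytes(4, "little") for w in words)
        log.append(flash_command(i, cmd))   # MC_FCR write, then wait for FRDY
        ack = ACK_GOOD
        i += 1
    return log, bytes(flashed)
```

Running `simulate(image, cmd=CMD_WP)` and `simulate(image, cmd=CMD_EWP)` produces identical transfers and differs only in the low nibble of every command word; the model cannot show the failure the post describes, because that happens inside the flash array (a write-page command cannot turn already-programmed bits back to 1, so WP on a non-blank page leaves stale bits behind, while EWP erases first). The `corrupt_first` path shows what the 'X' branch looks like on the wire: the host must resend the same page rather than advance.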
