Changes

HP Prime/Linking Protocol

16,300 bytes added, 10:06, 16 August 2013
Add initial firmware reflashing analysis
Brought to you by TDD v1.81.0, ...</pre></spoiler>
 
== Lower-level USB behaviour ==
 
=== Reflashing mode ===
Here is an analysis of the raw USB data for an upgrade to 0.30 firmware from 2013/08/09, captured by someone else.
 
Tools: USBpcap on Windows for capture; Wireshark and hte on Linux for interpretation.
 
Additional information: Wikipedia: SCSI_command and pages linked from that one.
 
<spoiler><pre>HP Prime update 0.30: USB Mass Storage packets exchanged between host and calculator
====================================================================================
 
0) Initialization
-----------------
Before transfer:
Repeat N times:
PC -> CALC: SCSI Command 0x00: TEST UNIT READY
CALC -> PC: Command 0x00: Good
 
Start transfer:
PC -> CALC: SCSI Command 0x25: READ CAPACITY(10)
CALC -> PC: 00 07 FC FF 00 00 02 00
523519 (2^19 - 3*2^8 - 1) sectors of 512 bytes = 268041728 bytes.
CALC -> PC: Command 0x25: Good
 
 
1) First phase: BXCBOOT0.BIN
----------------------------
Repeat N times:
PC -> CALC: SCSI Command 0x88: READ(16) from LBA 0, with zero length (invalid packet)
PC -> CALC: 8+256 bytes of data (*)
CALC -> PC: Command 0x88: Good
PC -> CALC: SCSI Command 0x89: COMPARE AND WRITE from LBA 0, with zero length (invalid packet)
CALC -> PC: 8+256 bytes of identical data (*)
CALC -> PC: Command 0x89: Good
 
(*) 8 bytes of control data, followed by 256 bytes from BXCBOOT0.BIN.
* 2 bytes: tag?
* 2 bytes: an indication of direction? Most host -> calc packets have 00 00, most calc -> host packets have 00 80.
* 4 bytes: offset?
Control data dump, in order:
PC -> CALC: cd be 00 00 ad be 00 00
CALC -> PC: cd be 00 80 ad be 00 00
PC -> CALC: c5 be 00 00 00 00 00 00
CALC -> PC: c5 be 00 80 00 00 00 00
PC -> CALC: c5 be 00 00 01 00 00 00
CALC -> PC: 00 00 00 00 00 00 00 00
PC -> CALC: c5 be 00 00 02 00 00 00
CALC -> PC: 00 00 00 00 00 00 00 00
PC -> CALC: cd be 00 00 ad be 00 00
CALC -> PC: cd be 00 80 ad be 00 80
---------------------------------------
PC -> CALC: dc be 00 00 00 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 00
CALC -> PC: c6 be 00 80 00 01 00 00
PC -> CALC: c6 be 00 00 00 01 00 01
CALC -> PC: c6 be 00 80 00 01 00 01
...
PC -> CALC: c6 be 00 00 00 01 00 3f
CALC -> PC: c6 be 00 80 00 01 00 3f
---------------------------------------
PC -> CALC: dc be 00 00 06 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 40
CALC -> PC: c6 be 00 80 00 01 00 40
...
PC -> CALC: c6 be 00 00 00 01 00 7f
CALC -> PC: c6 be 00 80 00 01 00 7f
---------------------------------------
PC -> CALC: dc be 00 00 0c 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 80
CALC -> PC: c6 be 00 80 00 01 00 80
...
PC -> CALC: c6 be 00 00 00 01 00 bf
CALC -> PC: c6 be 00 80 00 01 00 bf
---------------------------------------
PC -> CALC: dc be 00 00 12 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 c0
CALC -> PC: c6 be 00 80 00 01 00 c0
...
PC -> CALC: c6 be 00 00 00 01 00 ff
CALC -> PC: c6 be 00 80 00 01 00 ff
---------------------------------------
PC -> CALC: dc be 00 00 19 00 00 00 (why 19 instead of 18? Special / spare page?)
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 00
CALC -> PC: c6 be 00 80 00 01 00 00
PC -> CALC: c6 be 00 00 00 01 00 01
CALC -> PC: c6 be 00 80 00 01 00 01
...
PC -> CALC: c6 be 00 00 00 01 00 3f
CALC -> PC: c6 be 00 80 00 01 00 3f
---------------------------------------
PC -> CALC: dc be 00 00 1f 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 40
CALC -> PC: c6 be 00 80 00 01 00 40
...
PC -> CALC: c6 be 00 00 00 01 00 7f
CALC -> PC: c6 be 00 80 00 01 00 7f
---------------------------------------
PC -> CALC: dc be 00 00 25 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 80
CALC -> PC: c6 be 00 80 00 01 00 80
...
PC -> CALC: c6 be 00 00 00 01 00 bf
CALC -> PC: c6 be 00 80 00 01 00 bf
---------------------------------------
PC -> CALC: dc be 00 00 2b 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 c0
CALC -> PC: c6 be 00 80 00 01 00 c0
...
PC -> CALC: c6 be 00 00 00 01 00 ff
CALC -> PC: c6 be 00 80 00 01 00 ff
---------------------------------------
PC -> CALC: dc be 00 00 32 00 00 00 (again, mysterious +1)
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 00
CALC -> PC: c6 be 00 80 00 01 00 00
...
PC -> CALC: c6 be 00 00 00 01 00 3f
CALC -> PC: c6 be 00 80 00 01 00 3f
---------------------------------------
PC -> CALC: dc be 00 00 38 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 40
CALC -> PC: c6 be 00 80 00 01 00 40
...
PC -> CALC: c6 be 00 00 00 01 00 7f
CALC -> PC: c6 be 00 80 00 01 00 7f
---------------------------------------
PC -> CALC: dc be 00 00 3e 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 80
CALC -> PC: c6 be 00 80 00 01 00 80
...
PC -> CALC: c6 be 00 00 00 01 00 bf
CALC -> PC: c6 be 00 80 00 01 00 bf
---------------------------------------
PC -> CALC: dc be 00 00 44 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 c0
CALC -> PC: c6 be 00 80 00 01 00 c0
...
PC -> CALC: c6 be 00 00 00 01 00 ff
CALC -> PC: c6 be 00 80 00 01 00 ff
---------------------------------------
PC -> CALC: dc be 00 00 4b 00 00 00 (again, mysterious +1)
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 00
CALC -> PC: c6 be 00 80 00 01 00 00
...
PC -> CALC: c6 be 00 00 00 01 00 3f
CALC -> PC: c6 be 00 80 00 01 00 3f
---------------------------------------
PC -> CALC: dc be 00 00 51 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 40
CALC -> PC: c6 be 00 80 00 01 00 40
...
PC -> CALC: c6 be 00 00 00 01 00 7f
CALC -> PC: c6 be 00 80 00 01 00 7f
---------------------------------------
PC -> CALC: dc be 00 00 57 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 80
CALC -> PC: c6 be 00 80 00 01 00 80
...
PC -> CALC: c6 be 00 00 00 01 00 bf
CALC -> PC: c6 be 00 80 00 01 00 bf
---------------------------------------
PC -> CALC: dc be 00 00 5d 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: c6 be 00 00 00 01 00 c0
CALC -> PC: c6 be 00 80 00 01 00 c0
...
PC -> CALC: c6 be 00 00 00 01 00 ff
CALC -> PC: c6 be 00 80 00 01 00 ff
PC -> CALC: c7 be 00 00 00 04 00 00
CALC -> PC: c7 be 00 80 00 04 00 00
---------------------------------------
PC -> CALC: dc be 00 00 64 00 00 00 (again, mysterious +1)
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 64 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: cd be 00 00 ad be 00 00
CALC -> PC: cd be 00 80 ad be 00 80
PC -> CALC: dc be 00 00 00 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
Total amount of data in "c6 be" packets: 4 * 256 packets of 256 bytes = 256 KB = size of BXCBOOT0.BIN.
 
 
2) Second phase: BESTAARM.ROM + MASTER.DAT + APPSDISK.DAT + <something else>
----------------------------------------------------------------------------
$OFFSET = 0
Repeat N times:
Repeat 0, 1 or more times:
PC -> CALC: SCSI Command 0x2A: WRITE(10) from LBA $OFFSET, size 0x20
PC -> CALC: 16384 bytes of data (the contents of BESTAARM.ROM, then MASTER.DAT, then APPSDISK.DAT - see below for more details)
CALC -> PC: Command 0x2A: Good
$OFFSET = $OFFSET + 0x20
 
More frequent at the beginning, this group of packets nearly disappears near the end of the transfer:
PC -> CALC: SCSI Command 0x88: READ(16) from LBA 0, with zero length (invalid packet)
PC -> CALC: 8+256 bytes of data (*)
CALC -> PC: Command 0x88: Good
PC -> CALC: SCSI Command 0x89: COMPARE AND WRITE from LBA 0, with zero length (invalid packet)
CALC -> PC: 8+256 bytes of identical data (*)
CALC -> PC: Command 0x89: Good
(*) 8 bytes of control data, followed by 256 near-constant bytes from ????.
Control data dump, in order:
PC -> CALC: dc be 00 00 01 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 03 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 04 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 06 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 07 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 09 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 0a 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 0c 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 0e 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 0f 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 11 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 12 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 14 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 15 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 17 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 19 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 1a 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 1c 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 1d 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 1f 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 20 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 22 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 23 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 25 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 27 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 28 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 2a 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 2b 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 2d 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 2e 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 30 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 32 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 33 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 35 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 36 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 38 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 39 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 3b 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 3c 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 3e 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 40 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 41 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 43 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 44 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 46 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 47 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 49 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 4b 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 4c 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 4e 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 4f 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 51 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 52 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 54 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 55 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 57 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 59 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 5a 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 5c 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 5d 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 5f 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 60 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 62 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 64 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
-------------------------------------------
PC -> CALC: cd be 00 00 ad be 00 00
CALC -> PC: cd be 00 80 ad be 00 80
PC -> CALC: dc be 00 00 00 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 01 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 02 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
...
PC -> CALC: dc be 00 00 64 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
-------------------------------------------
PC -> CALC: cd be 00 00 ad be 00 00
CALC -> PC: cd be 00 80 ad be 00 80
PC -> CALC: dc be 00 00 00 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
PC -> CALC: dc be 00 00 01 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
...
PC -> CALC: dc be 00 00 64 00 00 00
CALC -> PC: dc be 00 80 00 00 00 00
NOTE1: there are 0x128 "dc be" packets after the initial weirdness.
 
Once in a while:
PC -> CALC: SCSI Command 0x00: TEST UNIT READY
CALC -> PC: Command 0x00: Good
 
NOTE2: Highest value reached by $OFFSET: 0x127e0. 0x12800 sectors of 512 bytes are written, which corresponds to:
* BESTAARM.ROM: 1048576 bytes = 0x800 * 512 bytes, at LBA offset 0;
* MASTER.DAT: 4194304 bytes = 0x2000 * 512 bytes, at LBA offset 0x800 (marker "EA656XXX.DAT", soon followed by version number "SDKV0.30");
* APPSDISK.DAT: 33554432 bytes = 0x10000 * 512 bytes, at LBA offset 0x2800 (marker "APDSKXXX.DAT", soon followed by version number "V1.00").
 
 
3) Finalization (or something like that)
----------------------------------------
PC -> CALC: SCSI Command 0x88: READ(16) from LBA 0, with zero length (invalid packet)
PC -> CALC: 8+256 bytes of data:
cd be 00 00 ad be 00 00
...
CALC -> PC: Command 0x88: Good
PC -> CALC: SCSI Command 0x89: COMPARE AND WRITE from LBA 0, with zero length (invalid packet)
CALC -> PC: 8+256 bytes of data:
cd be 00 80 ad be 00 80
CALC -> PC: Command 0x89: Good
PC -> CALC: SCSI Command 0x88: READ(16) from LBA 0, with zero length (invalid packet)
PC -> CALC: 8+256 bytes of data:
c1 be 00 00 00 00 00 00
<No reply>
</pre></spoiler>
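The decoding steps used in the analysis above, as an added Python example (not part of the wiki page or of any HP tool): the READ CAPACITY(10) response from the initialization phase, the 8-byte control header of the READ(16)/COMPARE AND WRITE tunnel, and a check of one hypothesis this editor adds, namely that the first argument byte of the "dc be" packets is a 0..100 progress percentage. The little-endian reading of the tag and the percentage interpretation are assumptions; the field names follow the wiki's guesses.

```python
import struct

# Decode the 8-byte READ CAPACITY(10) response: big-endian LAST logical block
# address, then the block length. The device therefore has last_lba + 1 sectors.
def read_capacity10(resp: bytes) -> dict:
    last_lba, block_len = struct.unpack(">II", resp[:8])
    return {"last_lba": last_lba, "block_len": block_len,
            "capacity_bytes": (last_lba + 1) * block_len}

# Parse the 8-byte control header that precedes each 256-byte payload in the
# READ(16)/COMPARE AND WRITE tunnel. Field names follow the wiki's guesses
# (tag, direction, 4-byte argument); reading the tag little-endian is an
# assumption, chosen so that "cd be" becomes the constant 0xBECD.
def parse_control(hdr: bytes) -> dict:
    tag, direction = struct.unpack("<HH", hdr[:4])
    return {"tag": tag, "from_calc": direction == 0x8000, "arg": hdr[4:8]}

# Hypothesis (this editor's, not the wiki's): the first argument byte of the
# "dc be" packets is a progress percentage computed with integer division.
# The "mysterious +1" at 0x19, 0x32 and 0x4b then comes from 25, 50 and 75
# being exact multiples of 6.25 while 18.75, 43.75 and 68.75 round down.
# The 64-entry "dc be" list at the start of the second phase matches
# progress_sequence(64)[1:] in the same way.
def progress_sequence(steps: int) -> list:
    return [k * 100 // steps for k in range(steps + 1)]

# Constructed from the first-phase dump: the "dc be" argument bytes, in order.
OBSERVED_PHASE1 = [0x00, 0x06, 0x0c, 0x12, 0x19, 0x1f, 0x25, 0x2b,
                   0x32, 0x38, 0x3e, 0x44, 0x4b, 0x51, 0x57, 0x5d, 0x64]

def progress_matches_percentage(observed: list) -> bool:
    """True if the observed byte sequence equals k*100//N for N = len(observed)-1 steps."""
    return observed == progress_sequence(len(observed) - 1)
```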
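For the second phase, an added example (again not the wiki's or HP's code) that maps each WRITE(10) LBA onto the layout given in NOTE2 and reassembles the three files from a sequence of (LBA, data) chunks, the way one would recover the flashed image from a capture. The sample image in demo() is constructed here: it only places the markers the wiki reports at the start of MASTER.DAT and APPSDISK.DAT and fills the rest with 0xFF.

```python
SECTOR = 512
CHUNK_SECTORS = 0x20   # each WRITE(10) in the capture covers 0x20 sectors = 16384 bytes

# Layout of the second-phase image, as given in NOTE2: (file, first LBA, sectors).
LAYOUT = [("BESTAARM.ROM", 0x0000, 0x800),
          ("MASTER.DAT",   0x0800, 0x2000),
          ("APPSDISK.DAT", 0x2800, 0x10000)]

def locate(lba: int):
    """Map an LBA of the written image to (file name, byte offset inside that file)."""
    for name, start, size in LAYOUT:
        if start <= lba < start + size:
            return name, (lba - start) * SECTOR
    raise ValueError(f"LBA {lba:#x} lies outside the known image layout")

def expected_writes():
    """Number of WRITE(10) chunks and the highest $OFFSET the host should reach."""
    total = sum(size for _, _, size in LAYOUT)
    return total // CHUNK_SECTORS, total - CHUNK_SECTORS

def split_image(writes):
    """Reassemble per-file contents from (lba, data) chunks taken from a capture.
    Chunks are expected in ascending LBA order, as the host emits them; file
    boundaries fall on chunk boundaries, so no chunk straddles two files."""
    files = {name: bytearray() for name, _, _ in LAYOUT}
    for lba, data in writes:
        name, off = locate(lba)
        if off != len(files[name]) or len(data) != CHUNK_SECTORS * SECTOR:
            raise ValueError(f"unexpected chunk at LBA {lba:#x}")
        files[name] += data
    return files

def demo():
    """Constructed sample: each file begins with the marker the wiki reports for it."""
    marker = {"BESTAARM.ROM": b"", "MASTER.DAT": b"EA656XXX.DAT",
              "APPSDISK.DAT": b"APDSKXXX.DAT"}
    writes = []
    for name, start, size in LAYOUT:
        body = memoryview(marker[name].ljust(size * SECTOR, b"\xff"))
        for i in range(0, size, CHUNK_SECTORS):
            writes.append((start + i, body[i * SECTOR:(i + CHUNK_SECTORS) * SECTOR]))
    files = split_image(writes)
    sizes = {n: (len(f), bytes(f[:12])) for n, f in files.items()}
    return sizes, max(lba for lba, _ in writes)
```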