
Add initial firmware reflashing analysis

Brought to you by TDD v1.81.0, ...</pre></spoiler>

== Lower-level USB behaviour ==

=== Reflashing mode ===

Here is an analysis of the raw USB data for an upgrade to 0.30 firmware from 2013/08/09, captured by someone else.

Tools: USBpcap on Windows for capture; Wireshark and hte on Linux for interpretation.

Additional information: the Wikipedia article "SCSI command" and the pages linked from it.

<spoiler><pre>HP Prime update 0.30: USB Mass Storage packets exchanged between host and calculator

====================================================================================

0) Initialization

-----------------

Before transfer:

Repeat N times:

PC -> CALC: SCSI Command 0x00: TEST UNIT READY

CALC -> PC: Command 0x00: Good

Start transfer:

PC -> CALC: SCSI Command 0x25: READ CAPACITY(10)

CALC -> PC: 00 07 FC FF 00 00 02 00

523519 (2^19 - 3*2^8 - 1) sectors of 512 bytes = 268041728 bytes.

CALC -> PC: Command 0x25: Good

1) First phase: BXCBOOT0.BIN

----------------------------

Repeat N times:

PC -> CALC: SCSI Command 0x88: READ(16) from LBA 0, with zero length (invalid packet)

PC -> CALC: 8+256 bytes of data (*)

CALC -> PC: Command 0x88: Good

PC -> CALC: SCSI Command 0x89: COMPARE AND WRITE from LBA 0, with zero length (invalid packet)

CALC -> PC: 8+256 bytes of identical data (*)

CALC -> PC: Command 0x89: Good

(*) 8 bytes of control data, followed by 256 bytes from BXCBOOT0.BIN:

* 2 bytes: tag?

* 2 bytes: an indication of direction? Most host -> calc packets have 00 00, most calc -> host packets have 00 80.

* 4 bytes: offset?

Control data dump, in order:

PC -> CALC: cd be 00 00 ad be 00 00

CALC -> PC: cd be 00 80 ad be 00 00

PC -> CALC: c5 be 00 00 00 00 00 00

CALC -> PC: c5 be 00 80 00 00 00 00

PC -> CALC: c5 be 00 00 01 00 00 00

CALC -> PC: 00 00 00 00 00 00 00 00

PC -> CALC: c5 be 00 00 02 00 00 00

CALC -> PC: 00 00 00 00 00 00 00 00

PC -> CALC: cd be 00 00 ad be 00 00

CALC -> PC: cd be 00 80 ad be 00 80

---------------------------------------

PC -> CALC: dc be 00 00 00 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 00

CALC -> PC: c6 be 00 80 00 01 00 00

PC -> CALC: c6 be 00 00 00 01 00 01

CALC -> PC: c6 be 00 80 00 01 00 01

...

PC -> CALC: c6 be 00 00 00 01 00 3f

CALC -> PC: c6 be 00 80 00 01 00 3f

---------------------------------------

PC -> CALC: dc be 00 00 06 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 40

CALC -> PC: c6 be 00 80 00 01 00 40

...

PC -> CALC: c6 be 00 00 00 01 00 7f

CALC -> PC: c6 be 00 80 00 01 00 7f

---------------------------------------

PC -> CALC: dc be 00 00 0c 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 80

CALC -> PC: c6 be 00 80 00 01 00 80

...

PC -> CALC: c6 be 00 00 00 01 00 bf

CALC -> PC: c6 be 00 80 00 01 00 bf

---------------------------------------

PC -> CALC: dc be 00 00 12 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 c0

CALC -> PC: c6 be 00 80 00 01 00 c0

...

PC -> CALC: c6 be 00 00 00 01 00 ff

CALC -> PC: c6 be 00 80 00 01 00 ff

---------------------------------------

PC -> CALC: dc be 00 00 19 00 00 00 (why 19 instead of 18? Special / spare page?)

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 00

CALC -> PC: c6 be 00 80 00 01 00 00

PC -> CALC: c6 be 00 00 00 01 00 01

CALC -> PC: c6 be 00 80 00 01 00 01

...

PC -> CALC: c6 be 00 00 00 01 00 3f

CALC -> PC: c6 be 00 80 00 01 00 3f

---------------------------------------

PC -> CALC: dc be 00 00 1f 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 40

CALC -> PC: c6 be 00 80 00 01 00 40

...

PC -> CALC: c6 be 00 00 00 01 00 7f

CALC -> PC: c6 be 00 80 00 01 00 7f

---------------------------------------

PC -> CALC: dc be 00 00 25 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 80

CALC -> PC: c6 be 00 80 00 01 00 80

...

PC -> CALC: c6 be 00 00 00 01 00 bf

CALC -> PC: c6 be 00 80 00 01 00 bf

---------------------------------------

PC -> CALC: dc be 00 00 2b 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 c0

CALC -> PC: c6 be 00 80 00 01 00 c0

...

PC -> CALC: c6 be 00 00 00 01 00 ff

CALC -> PC: c6 be 00 80 00 01 00 ff

---------------------------------------

PC -> CALC: dc be 00 00 32 00 00 00 (again, mysterious +1)

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 00

CALC -> PC: c6 be 00 80 00 01 00 00

...

PC -> CALC: c6 be 00 00 00 01 00 3f

CALC -> PC: c6 be 00 80 00 01 00 3f

---------------------------------------

PC -> CALC: dc be 00 00 38 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 40

CALC -> PC: c6 be 00 80 00 01 00 40

...

PC -> CALC: c6 be 00 00 00 01 00 7f

CALC -> PC: c6 be 00 80 00 01 00 7f

---------------------------------------

PC -> CALC: dc be 00 00 3e 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 80

CALC -> PC: c6 be 00 80 00 01 00 80

...

PC -> CALC: c6 be 00 00 00 01 00 bf

CALC -> PC: c6 be 00 80 00 01 00 bf

---------------------------------------

PC -> CALC: dc be 00 00 44 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 c0

CALC -> PC: c6 be 00 80 00 01 00 c0

...

PC -> CALC: c6 be 00 00 00 01 00 ff

CALC -> PC: c6 be 00 80 00 01 00 ff

---------------------------------------

PC -> CALC: dc be 00 00 4b 00 00 00 (again, mysterious +1)

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 00

CALC -> PC: c6 be 00 80 00 01 00 00

...

PC -> CALC: c6 be 00 00 00 01 00 3f

CALC -> PC: c6 be 00 80 00 01 00 3f

---------------------------------------

PC -> CALC: dc be 00 00 51 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 40

CALC -> PC: c6 be 00 80 00 01 00 40

...

PC -> CALC: c6 be 00 00 00 01 00 7f

CALC -> PC: c6 be 00 80 00 01 00 7f

---------------------------------------

PC -> CALC: dc be 00 00 57 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 80

CALC -> PC: c6 be 00 80 00 01 00 80

...

PC -> CALC: c6 be 00 00 00 01 00 bf

CALC -> PC: c6 be 00 80 00 01 00 bf

---------------------------------------

PC -> CALC: dc be 00 00 5d 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: c6 be 00 00 00 01 00 c0

CALC -> PC: c6 be 00 80 00 01 00 c0

...

PC -> CALC: c6 be 00 00 00 01 00 ff

CALC -> PC: c6 be 00 80 00 01 00 ff

PC -> CALC: c7 be 00 00 00 04 00 00

CALC -> PC: c7 be 00 80 00 04 00 00

---------------------------------------

PC -> CALC: dc be 00 00 64 00 00 00 (again, mysterious +1)

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 64 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: cd be 00 00 ad be 00 00

CALC -> PC: cd be 00 80 ad be 00 80

PC -> CALC: dc be 00 00 00 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

Total amount of data in "c6 be" packets: 4 * 256 packets of 256 bytes = 256 KB = size of BXCBOOT0.bin.

2) Second phase: BESTAARM.ROM + MASTER.DAT + APPSDISK.DAT + <something else>

----------------------------------------------------------------------------

$OFFSET = 0

Repeat N times:

Repeat 0, 1 or more times:

PC -> CALC: SCSI Command 0x2A: WRITE(10) from LBA $OFFSET, size 0x20

PC -> CALC: 16384 bytes of data (the contents of BESTAARM.ROM, then MASTER.DAT, then APPSDISK.DAT - see below for more details)

CALC -> PC: Command 0x2A: Good

$OFFSET = $OFFSET + 0x20

This group of packets is frequent at the beginning of the transfer and nearly disappears towards its end:

PC -> CALC: SCSI Command 0x88: READ(16) from LBA 0, with zero length (invalid packet)

PC -> CALC: 8+256 bytes of data (*)

CALC -> PC: Command 0x88: Good

PC -> CALC: SCSI Command 0x89: COMPARE AND WRITE from LBA 0, with zero length (invalid packet)

CALC -> PC: 8+256 bytes of identical data (*)

CALC -> PC: Command 0x89: Good

(*) 8 bytes of control data, followed by 256 near-constant bytes from ????.

Control data dump, in order:

PC -> CALC: dc be 00 00 01 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 03 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 04 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 06 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 07 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 09 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 0a 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 0c 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 0e 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 0f 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 11 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 12 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 14 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 15 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 17 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 19 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 1a 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 1c 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 1d 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 1f 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 20 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 22 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 23 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 25 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 27 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 28 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 2a 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 2b 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 2d 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 2e 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 30 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 32 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 33 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 35 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 36 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 38 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 39 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 3b 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 3c 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 3e 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 40 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 41 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 43 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 44 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 46 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 47 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 49 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 4b 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 4c 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 4e 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 4f 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 51 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 52 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 54 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 55 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 57 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 59 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 5a 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 5c 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 5d 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 5f 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 60 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 62 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 64 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

-------------------------------------------

PC -> CALC: cd be 00 00 ad be 00 00

CALC -> PC: cd be 00 80 ad be 00 80

PC -> CALC: dc be 00 00 00 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 01 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 02 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

...

PC -> CALC: dc be 00 00 64 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

-------------------------------------------

PC -> CALC: cd be 00 00 ad be 00 00

CALC -> PC: cd be 00 80 ad be 00 80

PC -> CALC: dc be 00 00 00 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

PC -> CALC: dc be 00 00 01 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

...

PC -> CALC: dc be 00 00 64 00 00 00

CALC -> PC: dc be 00 80 00 00 00 00

NOTE1: there are 0x128 "dc be" packets after the initial weirdness.

Once in a while:

PC -> CALC: SCSI Command 0x00: TEST UNIT READY

CALC -> PC: Command 0x00: Good

NOTE2: Highest value reached by $OFFSET: 0x127e0. 0x12800 sectors of 512 bytes are written, which corresponds to:

* BESTAARM.ROM: 1048576 bytes = 0x800 * 512 bytes, at LBA offset 0;

* MASTER.DAT: 4194304 bytes = 0x2000 * 512 bytes, at LBA offset 0x800 (marker "EA656XXX.DAT", soon followed by version number "SDKV0.30");

* APPSDISK.DAT: 33554432 bytes = 0x10000 * 512 bytes, at LBA offset 0x2800 (marker "APDSKXXX.DAT", soon followed by version number "V1.00").

3) Finalization (or something like that)

----------------------------------------

PC -> CALC: SCSI Command 0x88: READ(16) from LBA 0, with zero length (invalid packet)

PC -> CALC: 8+256 bytes of data:

cd be 00 00 ad be 00 00

...

CALC -> PC: Command 0x88: Good

PC -> CALC: SCSI Command 0x89: COMPARE AND WRITE from LBA 0, with zero length (invalid packet)

CALC -> PC: 8+256 bytes of data:

cd be 00 80 ad be 00 80

CALC -> PC: Command 0x89: Good

PC -> CALC: SCSI Command 0x88: READ(16) from LBA 0, with zero length (invalid packet)

PC -> CALC: 8+256 bytes of data:

c1 be 00 00 00 00 00 00

<No reply>

</pre></spoiler>
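The arithmetic in the notes above can be checked offline with a small decoder. The block below is an added example written for this page; it is not code from the wiki, from the capture's author or from HP, and it only parses byte strings copied from the dump (it never talks to a calculator). Three things are assumptions of this example rather than facts from the page: the field names for the 8-byte control header (little-endian u16 tag, u16 flags with 0x8000 on calc -> host packets, 4 argument bytes), the reading of the "dc be" argument as a truncated progress percentage (100 * k / 16 reproduces all 17 phase 1 values, including the "+1" at 0x19, 0x32, 0x4b and 0x64), and the phase 2 layout table, which is a transcription of NOTE2. READ CAPACITY(10) is decoded by its SCSI definition (last LBA, then block length), so the sector count it reports is one higher than the figure quoted in the dump, which is 523519 × 512.

```python
"""Offline decoder for the fields seen in the reflash capture above.

Added example, not code from the wiki page or from HP: it only parses byte
strings copied from the dump and never talks to a device. The field names
(tag, direction flags, argument) follow the page's own guesses and are
assumptions, as is the reading of the "dc be" argument as a percentage.
"""
import struct

SECTOR_SIZE = 512
WRITE_SECTORS = 0x20  # each phase 2 WRITE(10) carries 0x20 sectors = 16384 bytes

# Sample bytes copied from the dump on the page.
READ_CAPACITY_REPLY = bytes.fromhex("0007fcff00000200")
SAMPLE_HEADER_TO_HOST = bytes.fromhex("cdbe0080adbe0080")
SAMPLE_HEADER_TO_CALC = bytes.fromhex("dcbe000019000000")

# The 17 "dc be" argument values of phase 1, in the order they appear.
PHASE1_DCBE_ARGS = [0x00, 0x06, 0x0c, 0x12, 0x19, 0x1f, 0x25, 0x2b, 0x32,
                    0x38, 0x3e, 0x44, 0x4b, 0x51, 0x57, 0x5d, 0x64]

# Phase 2 layout transcribed from NOTE2: (image name, first LBA, sector count).
PHASE2_LAYOUT = [
    ("BESTAARM.ROM", 0x0000, 0x0800),   # 1 MiB
    ("MASTER.DAT",   0x0800, 0x2000),   # 4 MiB
    ("APPSDISK.DAT", 0x2800, 0x10000),  # 32 MiB
]


def decode_read_capacity10(reply: bytes) -> dict:
    """Decode an 8-byte READ CAPACITY(10) reply.

    SCSI defines it as two big-endian 32-bit fields: the address of the LAST
    logical block, then the block length in bytes. The device therefore has
    last_lba + 1 addressable sectors, one more than the raw field value.
    """
    if len(reply) != 8:
        raise ValueError("READ CAPACITY(10) reply must be 8 bytes")
    last_lba, block_len = struct.unpack(">II", reply)
    return {"last_lba": last_lba, "block_len": block_len,
            "sectors": last_lba + 1,
            "capacity_bytes": (last_lba + 1) * block_len}


def parse_control_header(payload: bytes) -> dict:
    """Split the 8-byte control header that precedes the 256 data bytes.

    Assumed layout (from the page's notes): little-endian u16 tag ("cd be"
    reads as 0xBECD), little-endian u16 flags with 0x8000 set on calc -> host
    packets ("00 80"), then 4 argument bytes. The argument is also returned as
    a little-endian u32, which is the reading used for "dc be" and "c5 be".
    """
    if len(payload) < 8:
        raise ValueError("control header needs 8 bytes")
    tag, flags = struct.unpack_from("<HH", payload, 0)
    return {"tag": tag,
            "from_calc": bool(flags & 0x8000),
            "arg_raw": payload[4:8].hex(),
            "arg_le32": struct.unpack_from("<I", payload, 4)[0],
            "data": payload[8:8 + 256]}


def progress_percent(step: int, steps: int = 16) -> int:
    """Hypothesis: the "dc be" argument is a truncated percentage.

    Phase 1 sends 1024 chunks in 16 groups of 64, so each group is 6.25 %;
    truncating 100*step/16 gives 0, 6, 12, 18, 25, ... and lands on the
    values the page calls a "mysterious +1" (0x19 = 25, 0x32 = 50, 0x4b = 75).
    """
    return (100 * step) // steps


def progress_hypothesis_holds() -> bool:
    """True if the formula reproduces all 17 observed values, 0x00 .. 0x64."""
    return [progress_percent(k) for k in range(17)] == PHASE1_DCBE_ARGS


def locate_write(lba: int) -> tuple:
    """Map the LBA of one phase 2 WRITE(10) to (image, byte offset in image).

    Rejects a write that starts outside the layout or straddles two images,
    which is the consistency check to run over every WRITE(10) in a capture.
    """
    for name, start, count in PHASE2_LAYOUT:
        if start <= lba < start + count:
            if lba + WRITE_SECTORS > start + count:
                raise ValueError(f"write at LBA {lba:#x} crosses the end of {name}")
            return name, (lba - start) * SECTOR_SIZE
    raise ValueError(f"LBA {lba:#x} is outside the phase 2 layout")


def total_phase2_sectors() -> int:
    """Sum of the three images in sectors; NOTE2 says 0x12800 were written."""
    return sum(count for _, _, count in PHASE2_LAYOUT)


if __name__ == "__main__":
    print(decode_read_capacity10(READ_CAPACITY_REPLY))
    print(parse_control_header(SAMPLE_HEADER_TO_HOST + bytes(256)))
    print("dc be = percent hypothesis:", progress_hypothesis_holds())
    print(locate_write(0x127e0), hex(total_phase2_sectors()))
```

Running it confirms the three sums in NOTE2 (0x800 + 0x2000 + 0x10000 = 0x12800) and that the highest $OFFSET, 0x127e0, is exactly the last 0x20-sector write of APPSDISK.DAT. The percentage reading is only checked against phase 1 here; the phase 2 "dc be" values also stay within 0x00..0x64, which is consistent with the same interpretation but not proven by this example.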

Retrieved from "https://tiplanet.org/hpwiki/index.php?title=Special:MobileDiff/188"