Some reverse-engineered information about fx-9860g OS 02.01

Post by lephe » Tue Apr 10, 2018 9:38 am

Hi, :D

I found a folder with some reverse-engineering I did on OS 02.01, SH3, last year. It's not in Simon's chm as of version 20, so I'm sharing it in case it's of some use to you. Unless specified, all of this is OS 02.01.

Cursor settings addresses
  • Column : 0x880057c0
  • Row : 0x880057c1
  • Flash style : 0x880057c2
  • Flash mode : 0x880057c4

Interrupt status flags
  • Located at 0x8800713c; at least 2 bytes are used
  • In the watchdog delay of syscall 0x24a, the system attempts to configure IRQ0, but aborts if bits 0x08 (SD occupied) or 0x10 (WDT occupied) are set. This check is always performed before configuring IRQ0
  • Syscall 0x3ee operates on the first interrupt status byte. It checks if any of a given set of flags is set, and also clears requested flags

A few MMU-related syscalls
  • Syscall 0x000 initializes the MMU by calling 0x3fb, 0x004, 0x018 and 0x400 (in this order)
  • Syscall 0x004 fills the TLB address array with value 0xf0000000
  • Syscall 0x3fb activates the Single Virtual Memory Mode and flushes the TLB
  • Syscall 0x400 activates the Single Virtual Memory Mode and enables address translation
  • Syscall 0x3fc sets the 32-bit value for a single entry/way setting of the TLB

Miscellaneous
  • The address of the syscall table for OS 02.01 is 0x801ba590
  • The address of the syscall table for OS 02.02 is 0x801cdd84
  • Glib_AddinAplExecutionCheck (syscall 0x013) is responsible for some version errors that prevent add-ins from running
  • There are 2-byte customized registers at 0xa44c0000 and 0xa44c0002, both used by UpdateExe. The first is set to 0x4800 at the beginning of the OS-update process, the other is set to 0x4801.

Here are prototypes for the syscalls I mentioned. The names are given as a hint.

/* 0x000 */ void MMU_Initialize(void);

Configures the MMU (calls 0x3fb), initializes the TLB address array (calls 0x004), flushes the MMU cache (calls 0x018), configures the MMU again and enables it (calls 0x400).

/* 0x004 */ void TLB_InitializeAddressArray(void);

Initializes the TLB address array for addresses between 0x01 and 0x1f, for every way between 0 and 3, with value 0xf0000000.

/* 0x3ee */ int Interrupt_QueryStatusFlags(int flagmask, int clear);

Returns 1 if any of the bits indicated in flagmask is set in the first interrupt status byte, 0 otherwise.
Also, if clear is non-zero, all the bits that are set in flagmask are cleared from the first interrupt status byte.

/* 0x3fb */ void MMU_ConfigureAndFlush(void);

Loads the contents of the register MMUCR using a system setting. In OS 02.01, this activates the Single Virtual Memory Mode and flushes the TLB.

/* 0x400 */ void MMU_ConfigureAndEnable(void);

Loads the contents of the register MMUCR using a system setting. In OS 02.01, this activates the Single Virtual Memory Mode and enables the MMU.

/* 0x3fc */ void TLB_SetAddressValue(int entryAddress, int way, int value);

Writes the given value for the given entryAddress and way in the TLB address array.

The MMU-related syscalls are interesting, specifically. I would have liked to analyse the add-in mapping procedure but apparently I lacked the time.

Hope it helps! :)
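
Added example, not part of lephe's post or of any Casio code: a C routine that resolves a syscall number to its handler address in an OS ROM dump, using the syscall table addresses listed above. It assumes the dump starts at physical address 0 (seen at 0x80000000 / 0xa0000000) and that the table holds 4-byte big-endian pointers indexed by syscall number; `rom_offset`, `syscall_handler` and the sample image are names and data constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Syscall table addresses quoted in the post. */
#define SYSCALL_TABLE_OS_0201 0x801ba590u
#define SYSCALL_TABLE_OS_0202 0x801cdd84u

/* Assumption: the dump starts at physical address 0, seen by the CPU at
 * 0x80000000 (P1) and 0xa0000000 (P2). Returns 0 and the file offset when
 * [addr, addr+len) lies inside the dump, -1 otherwise. */
static int rom_offset(uint32_t addr, size_t len, size_t rom_len, size_t *off)
{
    uint32_t region = addr >> 29;          /* 4 = P1, 5 = P2 */
    uint32_t phys = addr & 0x1fffffffu;
    if (region != 4 && region != 5) return -1;
    if (phys > rom_len || len > rom_len - phys) return -1;
    *off = phys;
    return 0;
}

/* Assumption: entry `id` is a 4-byte big-endian pointer at table + 4*id.
 * Returns 0 on success, -1 if the entry is outside the dump, -2 if the
 * entry does not point back into the dump (wrong table address or OS). */
int syscall_handler(const uint8_t *rom, size_t rom_len, uint32_t table,
                    uint32_t id, uint32_t *handler)
{
    size_t off, target;
    if (id > 0xffffu) return -1;           /* keeps table + 4*id from wrapping */
    if (rom_offset(table + 4u * id, 4, rom_len, &off) != 0) return -1;
    *handler = (uint32_t)rom[off] << 24 | (uint32_t)rom[off + 1] << 16 |
               (uint32_t)rom[off + 2] << 8 | rom[off + 3];
    return rom_offset(*handler, 2, rom_len, &target) == 0 ? 0 : -2;
}

/* Constructed 64-byte image, not real OS data: table at 0x80000010 with
 * entries 0x80000020, 0xa0000030 and a bogus 0x12345678. */
static const uint8_t sample_rom[0x40] = {
    [0x10] = 0x80, 0x00, 0x00, 0x20,  0xa0, 0x00, 0x00, 0x30,
             0x12, 0x34, 0x56, 0x78,
};

int main(void)
{
    for (uint32_t id = 0; id < 3; id++) {
        uint32_t h = 0;
        int rc = syscall_handler(sample_rom, sizeof sample_rom, 0x80000010u, id, &h);
        printf("syscall 0x%03x -> 0x%08x (rc=%d)\n", (unsigned)id, (unsigned)h, rc);
    }
    return 0;
}
```

With a real dump, pass `SYSCALL_TABLE_OS_0201` or `SYSCALL_TABLE_OS_0202` as the table address; a run of -2 results suggests the table address does not match the OS version of the dump.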
