31 replies to this topic

[Roeoender]

For AlgebraFX2(plus) and Graph100(plus) users:
Finaly after a long, long time of research I was able to force booting my own autoexec.bat and config.sys. It seems that other system files similiar to msdos.sys and io.sys are used as built-ins (they aren't on disk A:) and are booted in other way.

I used an autoexec.bat which launched enter.com (my prog) instead of "launcher", then I used maxmem to check free mem and results are *GREAT*:
Normal boot: 58608 free
My boot: 73216 free!

A funny side effect: it seems that launtsr.exe (normally executed by launcher.exe) hooks some routines to keyboard, like SHIFT+AC for power off, so not using launtsr.exe saves some memory but disables power off switch (ofcourse opwer off can be done by a special (simple) program).

How it works (just a sketch, later I'll do a prog for it)
1. sending a desired system disk for booting to one flash disk: L-Q.
2. sending a specially prepared patched boot routine
3. do some segment/drive mapping
4. jumping to the boot code (setting CS:IP)
viola!

Now some drawbacks:
1. this method consumes at least 2 flash drives (maybe it would be limited to 1 if reboot after system transfer to drive A: would use this patched reboot code)
2. this method is probably very hardware dependent (as I own AFX ROM1.01 I have a patch only for this version)
3. after power off and power on calc will probably boot in the normal way (not tested, walkaround - power on using F1' />+[->]+)

Purpose:
1. significant increase of memory available to programmers
2. getting rid of LAUNCHER.EXE and switching to your own file explorer (got to investigate "SHELL" cammand in config.sys)
3. boot what you like

REQUEST
To make this method portable to other AFX ROM versions (like 1.03) I need someone to send me:
1. few first segments of calc's ROM memory (first 5*64Kb should be enough), please send me a note about calc's model and ROM version too (use comsend by BradN or probably GComm can do it) just make sure you send me ROM not RAM!
2. first disk drive (you can use FlashCOM for it - send me your .csf disk).

Roeoender.

Ps. Please don't post anything worthless below.

[CrimsonCasio]

Excelent Roe! Great Work!

Topic Pinned!

[dscoshpe]

Good stuff! Put me down for having more thoughts after Im done studying for some exams..


- dscoshpe -

[huhn_m]

great! you're the best!

There was a project by superna I think where some of us (e.g. me) uploaded their rom.
I'll try to find the topic. You can download the again.

What drive do you mean? Drive A? I'll send a copy to your mail adresse!

cu huhn

here is the adresse:

Rom Collection Topic

I'll upload the FX 2.0+ Rom as soon as I've time!

*edit*

ROM is uploaded.
The System Files can be found here

[Roeoender]

OK, thanks for fast reply!
I will sit down this evening and make a handy program that will automatically do this reboot (currently I have to use Touche and my prog).
So till around midnight!

BTW ater disassembling 000000.bin I think that int 4Ch ah=28h is responsible for checking validity of system disk (return code in AL) but I wasn't able to track it, what I do is replace with NOPs a conditional jump after "int" and NOP some drive mappings that occur before it.
Roeoender.

[mastermage]

complete ROM 1.03 dump (RAM + FLASH + ROM + BIOS)

http://shine.sourcef...ources/Dump.rar

very cool, roe

[Roeoender]

Rom in file "de-afx2+-103.rar" wasn't download from the calc properly (the most significant bit is always 0).
The "De-fx2+-103.ace" has correct bytes but is longer by 2 bytes (leading and ending) but at least it describes exactly what it is.
Also "fr-g100-103.zip" is a correct one, but it is not stated wheter it is from a "PLUS" model or a "normal" one (is there a difference)?
To make things clearer I suggest this "naming" convention:
AFX1N100 - Algebra FX1.0 Normal Rom 1.00
AFX2N100 - Algebra FX2.0 Normal Rom 1.00
AFX2P103 - Algebra FX2.0 PLUS Rom 1.03
G100N102 - Graph 100 Normal Rom 1.02
G100P103 - Graph 100 Plus Rom 1.03
... (and so on).

So if you know which dump file on http://g100storage.free.fr/CalcRoms/ is for which model then reply below.
For example dump.rar has identical ROM as is in "fr-g100-103.zip" (plus or not?)

Anyway I finished making a BETA of a user friendly boot program.
Now I am investigating and patching rom dumps other than AFX2N101 (my own, as a bonus I disabled this "CASIO" picture to see how drivers are loaded).
Later I'll write a quick readme.txt and finally upload it.
Roe.

[Roeoender]

//wasn't able to edit previous
Ok is seems that Rom1.03 for Graph100 (plus?) and AFX2P103 calcs are the same (and probably "plus" and "normal" are same too).
rom dump in fr-g100-102.zip is too long (probably lots of trailing FFs)
Going offline. I'll be back when I'll patch G100P103 and AFX2N102.
Roeoender.

[Roeoender]

OK beta is finished and can be found here: RoeBoot BETA
As usual read "redame.txt" before using.
Post below if you have any problems or if you was able to use it successfully.
Roeoender.

[huhn_m]

Hi roe! I'll test it asap!

The romdumps ... well I made them with the prog of superna and it works well ... somewhat strange.

It reports that 103MB are expected to be sent from the calc (????) while it stops after ~4 MB
(the right size).

If you can post a better program here e.g. this from bradn i'll try it and upload the roms again.

[Overlord]

for the g100s :
ROM <1.03 -> G100 normal
ROM = 1.03 -> G100 plus

[huhn_m]

For all of you who got problems installing the boot program I wrote a little windows app.
You now only have to install roeboot on any drive (except P and Q) run my program that
generates the Q and P drives as you like and the upload them using FLash100
(or flashCOM would work too I think)

Here is the link:Roe Boot - Windows

This prog is windows based and will upload the images itsself in the final version
but not now since I had no time to figure the protocll out 100%.

Maybe on friday.

Have fun! (Some fixes like about dialog and upload will come on friday so I have to say thanks here )
Thanks to:

Of course roeoender for his great discovery
2072 Productions for TOUCHE (the best!)
Libthium for FlashCOM
All Authors of Flash100 for this great Tool (the way I figure out the protocoll )

And all the others I forgot!

*edit*

Ah yeah I forgot you need the pure roeboot.exe so I extracted it:

Here is it:

ROEBOOT.EXE

i think roe doesn't mind

Vefore you click patch calc make sure you are in receive mode on calc and have selected the right comport.

I only uploaded this BETA version because I won't be there tomorrow and thursday till evening.
So no answers on questions till then. please report all bugs you find!

[Roeoender]

???
My program is BETA and it was made for testing on other ROM versions not to be something similiar to final release.
I don't know why you started doing this program without consulting with me as it may result that you did a program that won't be needed. Well at least describe what you think your program will do when it will be finished so I can do some planning for myself.
BTW Your program doesn't allow to choose which ROM version to send so it probably won't work on other calc ROM versions.
As you can see I am just not happy about the way you did it.
It is not a big deal, you can do everything you want, but I'd rather concentrate on doing my stuff.

What I need is some info if this solution works, one more "beta" program will probably just add more mess and not mine bugs.

Finally I asked here and in the readme.txt to put comments about if this method works and I patched all ROM images correctly.

BTW 1. I see that on my ROM1.01 when I power off and on the calc it will reboot using patched boodcode, does it happen on other ROMs (this is caused by the drive mapping made by roeboot and can be removed)?

Roeoender.

[X-thunder28]

excellent work, roe.

Does it means that even P button reboot in an specified boot drive?!

[Roeoender]

Nope, "p" button seems to do really deep initialization and I really did many dangerous and weird things on my calc (ROM1.01 not plus) and always "P" button was able to boot up correctly the system. But it is evident now that rebooting using hidden test menu isn't as deep (i mean RESET - and "no" for resetting all memories).
Jumping to ffff:0 (by using for example docall.exe) seems to boot correctly the system too.

Roe.

Ps 1. I managed to use "PCC - A Personal C Compiler" and compile a program right on the calc (normally I would get "out of mem" and MaxMem causes damage to the first BASIC files). Sadly we don't have a text editor that allows to type in all ASCII chars and save document as a file on RAMdisk (roedisk). An utility for transfering BASIC program<=>ramdisk would be nice too, as now I cannot create .c file on the calc.
Ps 2. The main memory eater is memdisk.sys (14Kb) which just add flash drivers I am sure that it could be rewritten and consume less memory (but this is a job for someone else - I just can't program too much a day).

[Roeoender]

1. I have tracked down the position in the boot code that handles the memory limit available to DOS. So it is possible to boot with all memory available to DOS (256Kb) ofcourse the Casio's programs (runmat, etc.) don't check this value so just like with maxmem.exe using them will corrupt memory.
2. I investigated the boot code more deeply and sadly it seems that the whole 64Kb of flashdisk A: is compared (segments 9000h and 0B000h: mov cx,8000h # rep cmpsw) against ROM contents so (although very stupid - if it have to be same as in ROM then why needing it on flash?) it seems that it won't be possible to boot in the ordinary way (after using link and sending system disk) any modified flashdisk A:. But I'll try a new method that won't need drive P: and maybe I'll find a way for using A: (but it will probably cause erasing memory after powerin off the calc).
As you can see new ideas still come.

Roeoender.
Ps. How many people from France uderstand English language?

[[neo]f4kill]

a lot ... why?
I have already put this news on the french forum ...

[C@siomax]

yea I can understand english quite good ... was reading all these news ... really amazing 'didn't thought someone would be able to do sth like that!! Really nice to see that mem. compatibility problems will maybe have an issue in a few months

So I'm wondering how will be the incoming explorers You've done an outstanding discovery I'm pleased to see that so keep on da good work as some of yours say

[huhn_m]

???
My program is BETA and it was made for testing on other ROM versions not to be something similiar to final release.
I don't know why you started doing this program without consulting with me as it may result that you did a program that won't be needed. Well at least describe what you think your program will do when it will be finished so I can do some planning for myself.
BTW Your program doesn't allow to choose which ROM version to send s

I'm sorry roe.

I just wanted to make the testing more easy for others.

The calc repots its rom version when it sends its handshake (displayed in an edit field)
and the right rom image is choosen automatically.

I just wanted to help :-)

It worked fine for me btw.

I just wanted to write a "boot patcher"
It is supposed to:

-Download the Drive A
-Let you select the new contents
-Determine the ROM Version
-and Install all new drives needed.

Thats it. I'll put it down if you want.

[Roeoender]

About French&language: Thats good. I asked because I once read (automatic translation) thread about Falcon and proglems with memory and it looked like many weren't able to read what I post at the ucn.

NOTE: an universal (every ROM) address for rebooting is offset=100h (for your information exactly: c000:100)

To huhn_m:
Maybe I am a bit prejudiced (my fault)- this is because too often I see that people instead of making something really new are just doing minimal changes to older ideas (cazio clock "2", bmp2c) and there are a lot of original things that are simply needed, and not done yet for the calc.

Good communication is another point - for example currently I try to patch ROMs right on the calc (using last 64Kb of RAM as buffer) so it would not need wasting 1 flash disk and thus patching on PC side isn't needed.
So do you really want to change your prog everytime I find out another feature, change reboot method etc.

I looked at you <{GNULINUX}> stuff - and saw your huge "legal" info in the comunication program:

This software is freeware but may not be distributed, decompiled, modified and / or published in any form without my PRIOR approval

Well if you wan't your rules to be respected then why not treating other's programs the same?
This is what I meant.
BTW I ofcourse encourage to distribute my programs, but I don't like when my program is extracted from the package and distributed separatly.

Releasing a finished (few bugs) program that wouldn't allow uhm, unexperienced people to "crash" their calc is one more important point.


Well just as you I'd like to compile C programs righ on the calc - it is possible but there is no text editor to create files with the source code - a handy text editor with features:
- easy typing all visible ASCII characters
- editing files of at least 20Kb with nice small,fixed width font
- saving to normal disk file
- saving to BASIC prog
would be really a nice thing

Thats it. I'll put it down if you want.

Nope, just keep in mind that roeboot may change drastically as research progresses.
Roeoender.

[dscoshpe]

2. I investigated the boot code more deeply and sadly it seems that the whole 64Kb of flashdisk A: is compared (segments 9000h and 0B000h: mov cx,8000h # rep cmpsw) against ROM contents so (although very stupid - if it have to be same as in ROM then why needing it on flash?) it seems that it won't be possible to boot in the ordinary way (after using link and sending system disk) any modified flashdisk A:.

As to the neccessity of keeping the A: drive in flash, I may have some useful information...

The RXE add-in programs are probably the reason for that, because the nature of the RXE format is to be partially relocatable in memory Casio needed to be able to have any combination of Add-Ins on the calculator and as such residing in any memory zone. This is not an inherent ability of the RXE format, as it is with regular EXE, so Casio (I presume) has a system which I am aware of to let the Add-Ins exist anywhere on the flash. These are what I have described as 'links' and I havent studied them since last year in any depth but they, I believe, are a record of which parts of the program should be adjusted for the program to run. You can find these as a list of data in any Casio CFX structure that needs it, I recall only a couple official programs that did not utilize them because they were sufficiently small. However programs like STAT2 had a large number of them. I know that a recognizable derivative of the data stored in the CFX structure gets transferred to an area in the system segment. If my theory is right, for the purpose of allowing those programs to run correctly.

Another interesting fact is that there seemed to be 2 versions of the data in the CFX structure to use... One version intended for ROM 1.00 and the other for the others (if memory serves me correct)

Heres what I dont know about them, I dotn know that they were indeed related to the RXE. My other theory was related to them being a list of addresses of certain ROM functions, like an API of sorts. I also dont know exactly what their representation format is defined as, such as address = 3 bytes payload = 2 bytes ROM tag = 3 bytes.. or such. And now I cant remember if the resultant table occurs in the first 64k of the system segment.

However, I promise you if you load one of the larger Casio programs you will see the data Im talking about int he system segment so you can evaluate it yourself, you can also look at the CFX structure of the Add-In and compare.

Maybe this will help. It would explain, in my logic, why Casio would want a redundant system segment (especially if it is being remotely modified).

- dscoshpe -

[Roeoender]

In fact using int 48h or ports 54h-5Ah the calc is able to map any Flash/ROM/RAM segment (128Kb blocks) to any physical address visible to the processor (except the last 128Kb for safety reasons) so it is not needed to do any "intelligent" stuff - this RXE can use static addresses and the calc would just map this flash to fit into it's needs.
And how about those Input parts no. 0-5417 visible in system.exe after pressing Shift' />+2' /> - I think they're some addreses for math/system library of routines, but I couldn't figure you where exactly are they pointing at (although I was able to find out that those addresses are written into ROM).
I still don't understand why exactly the same thing (system disk) must exist on flash and in the ROM.
Roeoender.

[huhn_m]

I'm really sorry roe and won't do it again.

About the drive A in rom and flash:

Has ever anyone disassembled the test menus service->"init flash" part?

Maybe there is a special bit at the flash drive A that needs only to be set in order to go arround
the comparrision or something like this. Maybe something unimportant in the first few "0xFF" 's?

There would be no reason to put it on rom AND flash elsewise.

But I think it has sth. got to do with the "service" menu point ...

Btw. the editor:

I began something like this that supports lines of up to 255 char (Scrolling) and has all characters of the
calcs charset included. It supports files up to 32767 Lines with up to 65536 Bytes.

It is fast in loading since manipulation is done directly on the basic files.

There are still some bugs and i've not done the load and the write to flash part yet but
this will be quite simple when I finished the editor itsself.

You can simply write your source file to a flash drive in romdisk format and compile it from there.

I've no time to do anything more till tuesday (going to a lan-party) but when I'm,back I'll try to
complete the editor and put it online.

It is till now ~2267 Bytes large (compressed) and ~3200 (uncompressed). It already has a save feature
and supports dos like linebreak (#13+#10) and has insert and overwrite.

Hope I can finish this. If I do I'll try some tiny assemblers on the calc

btw. the keyboard interface of the editor is quite easy csutomizeabe at compile time.

[Roeoender]

great news about this editor!
BTW there are some small assemblers that can work right on the AFX (some come with "small C" compilers - like with this C compiler I mentioned before (PCC), it can even compile inline ASM in C code with #asm directive)

About test menus:
You can even see this message inside it's code: "Succeeded sys change!" but I wasn't able to finde a code referencing it (although I was able to track code references to other messages).
Yet another strong "clue" for ROM comparsion is that sending disk A: of ROM1.03 wont work on ROM1.01 (got DATA ERROR 60)
But anyway the boot code is located in ROM and this ROM-Flash comparsion is probably launched every time the calc is powered on. My opinion is that Casio used some more universal code - as there is a whole family of those ZX945/G350 test programs which allowed sys change, but and maybe earlier there were plans to make afx able to change the system, but later on casio designers could change their mind and added this 64Kb check in the boot code.
I wasn't able to successfully send something with this "service" menu.

BTW Some time ago I found a good disassebmbler called "sourcer" on one of the french sites dedicated to the calc - you can do your own "investigations" with it - most of the interesting stuff is in the first 128 Kb of ROM (divided in 64Kb segments).
Roeoender.

[huhn_m]

first alpha of the editor is online.

I made a new topic about it but it is not yet able to load files (strange bug).
I know these assemblers since I tried them when your roedisk came out but all of them needed more
memory. hopeully the'll work now.

[huhn_m]

1) Will there come any final version? If not can you give us the sources so that
we can include this discovery into our projects?
2) Is it possible to completely avoid booting dos and boot an individual system by
altering the first sector of drive a (like with a floppy) and booting this one?

Thanks!

[zar]

has anyone taken a look in the rm-afx upgrade? if it's supposed to work in a standard afx, wouldn't it make some changes to the system files? or am I completely lost as usual?

[huhn_m]

the normal AFX is not like the RM version.

These updates are not supposed to work with the non-RM models since they
contain "real" ROM and no flash-able ROM. You need to unsolder the ROM chip
and need a ROM-Burner in order to change its contents.

[Andy.Davies]

surly it wouldnt be too hard to make an ICP for it?

===EDIT===

ICP = In Circuit Programmer

[dscoshpe]

I think Im recalling the info Brad told me...

You may be able to adjust the ROM, as with some you can, however, it is not useful because if I remember correctly it would only be possible to change 1 to 0 and not 0 to 1 (with 12v I believe).

- dscoshpe -

[X-thunder28]

it' s for the flash writing!
rom can't be rewrited.

[dscoshpe]

No it was for ROM, many ROMs can be 'written' but the point I was making is that it is not useful because it is only one way, whereas a flash can be rewritten.

So, even if it were possible to apply the necessary voltage, it would not be useful because the bit changes would occur only in one direction. Im not saying even this level of functionality is possible on the calc's ROM but it is an example of how useless it would be were it possible.

- dscoshpe -