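;----------------------------------------------------------------------
;Z80 source for a TI-83 Plus Flash application module (ti83plus.inc,
;B_CALL, flashAppFlags). It drives the calculator's USB port as a host
;through the usb8x driver (usb8x.inc, U_CALL) and talks to an
;iPhone/iPod touch that is in recovery mode.
;
;Routines in this file:
;  Initializeusb8x          - install the callback stub, start usb8x
;  iPhoneInit               - enumerate/configure the attached device
;  iPhoneSendCommand        - send a zero-terminated command string
;  iPhoneUploadFile         - send a block of data in 0800h-byte chunks
;  iPhoneSendControlExploit - send the single control request the
;                             author labels as the exploit
;  MySendControlDataOut     - control OUT transfer from a paged buffer
;  SendControlCmd .. DoLog  - low-level port access, error recording
;                             and the optional transfer log
;
;Every control transfer uses the standard 8-byte USB setup packet,
;built in OP1: bmRequestType, bRequest, wValue(2), wIndex(2), wLength(2).
;"rst 20h" is the TI-OS restart that copies 9 bytes from (HL) to OP1.
;
;Port 7 selects the memory page mapped at 8000h-0BFFFh; every routine
;here that changes it writes 81h back before returning.
;
;NOTE(review): several "jr" targets (iPhoneSendCommand to
;MySendControlDataOut, and the uploadFileLoop branches) appear to be
;farther away than the +/-127 byte reach of a Z80 relative jump.
;Presumably the assembler used promotes them; confirm before porting.
;----------------------------------------------------------------------
        include "settings.inc" ;Specific settings for this application
        NOLIST
        include "ti83plus.inc"
        LIST
        include "equates.inc" ;Equates and macros to be used
        GLOBALS ON
        include "usb8x.inc"

;RAM word at 0FFFEh holding the base address of the driver's data block.
;The off* equates below are byte offsets into that block; the number in
;each trailing comment is the size of the field.
MemPtr EQU 0FFFEh
offInBuf EQU 0 ;64 do not reorder
offPacketSizeTable EQU offInBuf+64 ;8
offCallBackTable EQU offPacketSizeTable+8 ;2
offErrorCode EQU offCallBackTable+2 ;2
offHighAddr EQU offErrorCode+2 ;1
offLogPage EQU offHighAddr+1 ;1
offLogAddr EQU offLogPage+1 ;2
offLogDataAddr EQU offLogAddr+2 ;2
offFlags EQU offLogDataAddr+2 ;1
offKBDBuf EQU offFlags+1 ;2
offPadBuf EQU offKBDBuf+2 ;2
offVernierBuf EQU offPadBuf+2 ;2
offStatus EQU offVernierBuf+2 ;1
offMouseFlags EQU offStatus+1 ;1
offMouseBtn EQU offMouseFlags+1 ;1
offMouseX EQU offMouseBtn+1 ;2
offMouseY EQU offMouseX+2 ;2
offMouseSavedData EQU offMouseY+2 ;1
offMouseCallBack EQU offMouseSavedData+1 ;2
offMSDMemPtr EQU offMouseCallBack+2 ;2
offMSDSectorBuffer EQU offMSDMemPtr+2 ;2
offMSDInterruptPipe EQU offMSDSectorBuffer+2 ;1
offMSDCacheBuf EQU offMSDInterruptPipe+1 ;2
offMSDCachePage EQU offMSDCacheBuf+2 ;1

;Bit number inside the byte at offFlags; tested by WaitPort82 and
;cleared by ResetPort82Flag.
flagPort82 EQU 0

;Log entry type codes, passed in B to DoLog. Only logData, logDataEnd
;and logDataStart are used in this file.
logGetMaxPacketSize EQU 1
logData EQU 2
logGetClass EQU 3
logGetIDs EQU 4
logReadDescriptor EQU 5
logQuit EQU 6
logSendData EQU 7
logSendControlData EQU 8
logAutoSetup EQU 9
logDataEnd EQU 10
logInA0Start EQU 11
logOutA0Start EQU 12
logHostInit EQU 13
logKillDevice EQU 14
logKillDriver EQU 15
logSetupLog EQU 16
logInData EQU 17
logCallBack EQU 18
logError EQU 19
logSetPortFeature EQU 20
logClearPortFeature EQU 21
logGetDeviceStatus EQU 22
logSetHubFeature EQU 23
logClearHubFeature EQU 24
logGetHubStatus EQU 25
logGetHubPortStatus EQU 26
logSetAddress EQU 27
logLogDone EQU 28
logDataStart EQU 29
logCustom EQU 30
logInterrupt EQU 31
logKBDInit EQU 32
logKBDGetKey EQU 33
logMSDInit EQU 34
logUFIInit EQU 35
logFATInit EQU 36
logPadInit EQU 37
logPadStart EQU 38
logPadSetup EQU 39
logPadCallBack EQU 40
logPumpOn EQU 41
logPumpOff EQU 42
logPump EQU 43
logCache EQU 44

;usb8x variables
        Var USBDriverCall,32 ; 32; RAM calls for U_CALL and callback routine
        Var USBDriverBuf,128 ;128; Static buffer for USB driver's usage
;NOTE(review): one byte is reserved here, but Initializeusb8x copies
;DummyCallbackEnd-DummyCallback bytes to this address and DummyCallback
;is longer than a single "ret". The Var macro is defined outside this
;file; confirm what follows this byte in RAM or enlarge the reservation.
        Var DummyCallbackLoc,1 ; 1; dummy "ret" for usb8x callback
        EXTERN DispHexA,DispHexHL,IGetKey

Initializeusb8x:
;Copies the callback stub into RAM and initializes the usb8x driver.
;Inputs: None
;Outputs: Returns carry flag set if either U_CALL fails;
;         usb8xInitted in (iy+flashAppFlags) is set only on success
        res usb8xInitted,(iy+flashAppFlags)
        ;Initialize usb8x, if it's currently oncalc
        ld hl,DummyCallback
        ld de,DummyCallbackLoc
        ld bc,DummyCallbackEnd-DummyCallback
        ldir                    ;callback must live in RAM, so copy it there
        U_CALL_INIT DummyCallbackLoc
        ret c
        ld hl,USBDriverBuf
        U_CALL DriverInit
        ret c
        set usb8xInitted,(iy+flashAppFlags)
        ret

DummyCallback:
;Callback stub copied to DummyCallbackLoc: prints 'W' and returns.
        ld a,'W'
        B_CALL PutC
        ret
DummyCallbackEnd:

iPhoneInit:
;Initializes the iPhone/iPod touch over USB.
;You must put the device in recovery (DFU) mode first.
;Inputs: None
;Outputs: Returns carry flag set if problems
;Destroys OP1 (setup packet) and the start of appData (descriptor)
        U_CALL HostInit
        ret c
        ld hl,appData
        ld b,descDevice
        U_CALL ReadDescriptor   ;device descriptor is read into appData
        ret c
        ld b,1
        U_CALL ConfigureDevice
        ret c
        ld hl,sSetInterface
        rst 20h                 ;OP1 = setup packet
        ld hl,OP1
        ld b,0                  ;no data stage
        U_CALL SendControlData
        ret c
        ld b,01h
        ld c,pipeBulk
        ld d,8
        ld e,0
        U_CALL SetupInPipe
        ;NOTE(review): carry from SetupInPipe is not checked here.
        ld b,01h
        U_CALL ReqData
        ret

;Standard SET_INTERFACE request (bmRequestType 01h, bRequest 0Bh),
;wValue = 1, wIndex = 1, wLength = 0.
sSetInterface:
        DB 01h,0Bh,01h,00h,01h,00h,00h,00h

iPhoneSendCommand:
;Sends a command to the iPhone/iPod touch in recovery mode.
;Inputs: HL => zero-terminated command string
;Outputs: Returns carry flag set if problems
;         (including no terminator within the first 2000h bytes)
;Destroys OP1
        push hl
        ld bc,2000h             ;bound the search for the terminator
        xor a
        cpir
        pop de                  ;DE => start of string
        scf
        ret nz                  ;no zero byte found: fail
        push de
        or a
        sbc hl,de               ;HL = length, terminator included
        push hl
        ld hl,sSendCommandRequest
        rst 20h
        pop bc
        ld ix,OP1
        ld (ix+6),c             ;wLength = string length
        ld (ix+7),b
        pop de                  ;DE => data stage (the string)
        ld hl,OP1
        ld a,81h                ;page to map while reading the string
        jr MySendControlDataOut ;tail call; its ret returns to our caller

;Vendor request, host-to-device (bmRequestType 40h, bRequest 0).
;Only six bytes are stored; wLength is filled in at OP1+6/7.
sSendCommandRequest:
        DB 40h,00h,00h,00h,00h,00h

iPhoneUploadFile:
;Sends a file to the iPhone/iPod touch in recovery mode.
;Inputs: IX => data to send
;        B: page of data to send (in 8000h-0BFFFh)
;        DEHL: size of data to send
;Outputs: Returns carry flag set if problems
;NOTE: This assumes the data is stored in a Flash application,
;      which means that when it overflows into the next page,
;      it will DECREASE the page, NOT INCREASE.
;Destroys OP1-OP3
;
;Working state kept in OP2:
;  OP2+0..1  current data pointer
;  OP2+2..5  bytes remaining (32-bit, little-endian)
;  OP2+6..7  packet number (goes into wValue)
;  OP2+8     current page
;DE:HL in the loop is a running count of bytes sent.
        ld (OP2),ix
        ld ix,OP2+2
        ld (ix+0),l
        ld (ix+1),h
        ld (ix+2),e
        ld (ix+3),d
        ld (ix+4),0
        ld (ix+5),0
        ld (ix+6),b
        ld de,0
        ld hl,0
uploadFileLoop:
        push de
        push hl
        ld ix,OP2+2
        xor a
        or (ix+3)
        or (ix+2)
        or (ix+1)
        or (ix+0)               ;Z set when nothing is left to send
        pop hl
        pop de
        jr z,uploadFileLoopDone
        push de
        push hl
        ;Determine how many bytes to send in this packet
        ld bc,0800h
        push hl
        ld ix,OP2+2
        ld l,(ix+2)
        ld h,(ix+3)
        ld a,h
        or l
        pop hl
        jr nz,$F ;definitely need to send 0800h bytes
        push hl
        ld l,(ix+0)
        ld h,(ix+1)
        or a
        sbc hl,bc
        pop hl
        jr nc,$F ;more than 0800h bytes left, so send 0800h bytes
        ;Less than 0800h bytes remaining, so just send whatever's left
        ld c,(ix+0)
        ld b,(ix+1)
$$:
        push bc                 ;stack now holds DE, HL, BC (see P3ret)
        ;Send BC bytes from appData to the device
        ld hl,sUploadDataRequest
        rst 20h
        pop bc
        push bc
        ld ix,OP1
        ld (ix+6),c             ;wLength = chunk size
        ld (ix+7),b
        ld a,(OP2+2+4)
        ld (ix+2),a             ;wValue = packet number
        ld a,(OP2+2+5)
        ld (ix+3),a
        push ix
        pop hl                  ;HL => setup packet in OP1
        ld de,7
        ld (curRow),de          ;curRow = 7, following byte = 0
        ;Progress display: page, then data pointer.
        ;NOTE(review): DispHexA/DispHexHL are EXTERN; the call below relies
        ;on them preserving A (page), BC (length) and HL/DE. Confirm.
        ld a,(OP2+2+6)
        call DispHexA
        ld de,(OP2)
        ex de,hl
        call DispHexHL
        ex de,hl                ;HL => setup packet, DE => data
        call MySendControlDataOut
        jr c,P3ret
        call IGetKey            ;EXTERN; presumably a per-packet key check - confirm
        ld bc,(OP2+2+4)
        inc bc
        ld (OP2+2+4),bc         ;next packet number
        pop bc
        pop hl
        pop de
        add hl,bc
        jr nc,$F
        inc de                  ;carry into the high word of the sent count
$$:
        push de
        push hl
        ;Decrease the remaining byte count
        ld ix,OP2+2
        ld l,(ix+0)
        ld h,(ix+1)
        ld e,(ix+2)
        ld d,(ix+3)
        or a
        sbc hl,bc
        jr nc,$F
        dec de                  ;borrow from the high word
$$:
        ld (ix+0),l
        ld (ix+1),h
        ld (ix+2),e
        ld (ix+3),d
        ;Increase our data pointer
        ld hl,(OP2)
        ld a,(OP2+2+6)
$$:
        call inc_AHL            ;one byte at a time so page wrap is handled
        dec bc
        ld d,a                  ;keep the page while A is used for the test
        ld a,b
        or c
        ld a,d
        jr nz,$B
        ld (OP2+2+6),a
        ld (OP2),hl
        ;Get the status of our transmitted data
        call GetUploadStatusRequest
        pop hl
        pop de
        ret c
        cp 5                    ;status 5 expected after every data packet
        scf
        ret nz
        jr uploadFileLoop
P3ret:
;Error exit from inside the loop: discard the three saved words and
;return with the carry flag still set from MySendControlDataOut.
        pop hl
        pop hl
        pop hl
        ret

inc_AHL:
;Advances the paged pointer A:HL by one byte.
;When HL steps past 0BFFFh it wraps to 8000h and the page in A is
;decremented (see the NOTE on iPhoneUploadFile).
        inc hl
        bit 6,h
        ret z
        set 7,h
        res 6,h
        dec a
        ret

uploadFileLoopDone:
        ;Send the packet one last time with no data
        ld hl,sUploadDataRequest
        rst 20h
        ld ix,OP1
        ld (ix+6),0
        ld (ix+7),0
        ld a,(OP2+2+4)
        ld (ix+2),a
        ld a,(OP2+2+5)
        ld (ix+3),a
        push ix
        pop hl
        ld b,0
        U_CALL SendControlData
        ret c
        ;Three status polls must report 6, then 7, then 8; anything else
        ;returns with carry set.
        call GetUploadStatusRequest
        ret c
        cp 6
        scf
        ret nz
        call GetUploadStatusRequest
        ret c
        cp 7
        scf
        ret nz
        call GetUploadStatusRequest
        ret c
        cp 8
        scf
        ret nz
        xor a                   ;success: A = 0, carry clear
        ret

GetUploadStatusRequest:
;Requests the 6-byte status reply into OP3.
;Outputs: carry set on transfer error; otherwise carry clear and
;         A = byte 4 of the reply
;(In the USB DFU class GETSTATUS layout byte 4 is bState; presumably
; that is what is being read here - confirm.)
;Destroys OP1, OP3
        ld hl,sUploadStatusRequest
        rst 20h
        ld hl,OP1
        ld de,OP3
        ld b,6
        U_CALL SendControlData
        ret c
        ld a,(OP3+4)
        or a
        ret

;Class request to an interface, host-to-device (bmRequestType 21h),
;bRequest 01h. wValue and wLength are patched in OP1 before sending.
sUploadDataRequest:
        DB 21h,01h
        DW 0000h ;this is the packet #
        DB 00h,00h

;Class request to an interface, device-to-host (bmRequestType 0A1h),
;bRequest 03h, wLength = 6.
sUploadStatusRequest:
        DB 0A1h,03h,00h,00h,00h,00h,06h,00h

iPhoneSendControlExploit:
;Sends the 0x21 control request exploit to the iPhone/iPod touch in recovery mode.
;Inputs: None
;Outputs: Returns carry flag set if problems
;Destroys OP1
;The routine only sends the one setup packet below, with no data stage.
        ld hl,sSendExploitRequest
        rst 20h
        ld hl,OP1
        ld b,0
        U_CALL SendControlData
        ret

;bmRequestType 21h, bRequest 02h, wValue = wIndex = wLength = 0.
sSendExploitRequest:
        DB 21h,02h,00h,00h,00h,00h,00h,00h

MySendControlDataOut:
;Control OUT transfer whose data stage is read from a paged buffer.
;Inputs: HL => setup packet to send
;        DE => data packet to send
;        BC: number of bytes in data packet
;        A: page (in 8000h-0BFFFh range) of data packet
;Outputs: Returns carry flag set if problems
;Interrupts are disabled while each packet is written and re-enabled
;afterwards (unconditional ei).
;NOTE(review): BC = 0 is not handled; D would start at 0 and the inner
;loop would run 256 times. The two callers in this file always pass
;at least one byte.
;NOTE(review): the inner loop steps HL with a plain "inc hl", without
;the page wrap that inc_AHL performs. A chunk that straddles 0BFFFh
;would be read from beyond the mapped page; confirm callers keep the
;data aligned so that this cannot happen.
        ld (83EBh),a            ;hard-coded scratch byte for the data page
        push bc                 ;Send8PortA0 uses B as its counter
        call Send8PortA0
        ld a,0Ah
        call SendControlCmd
        pop bc
        jr c,SendControlDataDone
        ex de,hl                ;HL => data from here on
        ld e,64 ;E = max packet size for control pipe
SendControlDataOutLoop:
        ld d,e
        ;Do we have more than 64 bytes to send?
        ld a,b
        or a
        jr nz,$F ;definitely yes
        ld a,c
        cp e
        jr nc,$F
        ld d,c                  ;final short packet
$$:
        di
        push bc
        ld b,logDataStart
        ld c,d
        call DoLog
        pop bc
$$:
        ld a,(83EBh)
        out (7),a               ;map the data page
        ld a,(hl)
        out (0A0h),a
        push af
        ld a,81h
        out (7),a               ;back to page 81h before logging
        pop af
        push bc
        ld b,logData
        ld c,a
        call DoLog
        pop bc
        inc hl
        dec bc
        dec d
        jr nz,$B
        ld a,81h
        out (7),a
        push bc
        ld b,logDataEnd
        ld c,0
        call DoLog
        pop bc
        ei
        ld a,2
        call SendControlCmd     ;issued after every data packet
        jr c,SendControlDataDone
        ld a,b
        or c
        jr nz,SendControlDataOutLoop
        ld a,60h
        call SendControlCmd     ;issued once, after the last packet
SendControlDataDone:
        ret

SendControlCmd:
;Writes A to port 91h, waits for completion, then checks port 91h.
;Inputs: A = value to write to port 91h
;Outputs: carry set on timeout or when CheckPort91 reports an error
;         (the error paths also overwrite HL, DE and B)
        push af
        call ResetPort82Flag
        xor a
        out (8Eh),a
        pop af
        out (91h),a
        call WaitPort82
        ret c
        jp CheckPort91

ResetPort82Flag:
;Clears flagPort82 in the driver's flags byte. Preserves HL and DE.
        push hl
        push de
        ld hl,(MemPtr)
        ld de,offFlags
        add hl,de
        res flagPort82,(hl)
        pop de
        pop hl
        ret

CheckPort91:
;Reads port 91h and fails if bit 2 or bit 4 is set.
;Outputs: carry clear and A preserved on success; on error carry set,
;         A = error code, HL/DE/B overwritten
        push af
        in a,(91h)
        bit 2,a
        jr nz,USBErrorPort91Bit2Pop1
        bit 4,a
        jr nz,USBErrorPort91Bit4Pop1
        pop af
        or a
        ret

;Error exits. Each "PopN" label discards N saved words from the stack
;before loading the error code, so the final ret in USBErrorCont
;returns to the caller of the failing routine.
USBErrorPort91Bit4Pop1:
        pop hl
USBErrorPort91Bit4:
        ld a,errPort91Bit4
        jr USBErrorCont
USBErrorPort91Bit2Pop1:
        pop hl
USBErrorPort91Bit2:
        ld a,errPort91Bit2
        jr USBErrorCont
USBErrorPort82Pop4:
;Entry for WaitPort82's timeout, which has four words pushed
;(AF, DE, HL, BC). Jumping to USBErrorPort82Pop3 from there would leave
;the saved AF on the stack and the ret below would use it as a return
;address.
        pop hl
USBErrorPort82Pop3:
        pop hl
USBErrorPort82Pop2:
        pop hl
        pop hl
USBErrorPort82:
        ld a,errPort82
        jr USBErrorCont
USBErrorCont:
;Stores A as the newest error code at offErrorCode, moves the previous
;code to the following byte, and returns with carry set.
        ld hl,(MemPtr)
        ld de,offErrorCode
        add hl,de
        ld b,(hl)
        ld (hl),a
        inc hl
        ld (hl),b
        scf
        ret

WaitPort82:
;Waits until flagPort82 is set in the flags byte or port 82h reads
;non-zero, for at most 0FFFFh polls.
;Outputs: carry clear with all registers preserved on success;
;         on timeout errPort82 is recorded and carry is returned set
;         (A, HL, DE and B are then overwritten)
        push af
        push de
        push hl
        push bc
        ld hl,(MemPtr)
        ld de,offFlags
        add hl,de
        ld de,0FFFFh            ;poll budget
$$:
        ld a,d
        or e
        jr z,USBErrorPort82Pop4 ;timed out with four words on the stack
        dec de
        bit flagPort82,(hl)     ;flag is set outside this file
        jr nz,$f
        in a,(82h)
        or a
        jr z,$B
$$:
        pop bc
        pop hl
        pop de
        pop af
        or a
        ret

Send8PortA0:
;Writes bytes from (HL) to port 0A0h after zeroing port 8Eh.
;Entry points: Send8PortA0 sends 8 bytes, SendAPortA0 sends A bytes,
;SendBPortA0 sends B bytes.
;Outputs: HL advanced past the bytes sent; A and B destroyed
        ld a,8
SendAPortA0:
        ld b,a
SendBPortA0:
        xor a
        out (8Eh),a
$$:
        ld a,(hl)
        out (0A0h),a
        inc hl
        djnz $B
        ret

DoLog:
;Appends an entry to the transfer log, preserving all registers.
;Inputs: B = log entry type (log* equate), C = value to record
;Does nothing when the byte at offLogPage is zero.
        push ix
        push hl
        push de
        push af
        push bc
; DISAVE
        call DoLogDo
; EIRESTORE
        pop bc
        pop af
        pop de
        pop hl
        pop ix
        ret

DoLogDo:
;Worker for DoLog. Destroys A, DE, HL, IX (and BC on the logDataEnd path).
;The log pointer is read from offLogAddr and written back by DoLogCont.
;A generic entry is four bytes: type, C, 0, 0.
;NOTE(review): no end-of-buffer check on the log pointer is visible here.
        ld hl,(MemPtr)
        ld de,offLogPage
        add hl,de
        ld a,(hl)
        or a
        ret z                   ;page 0 means logging is off
        inc hl
        ld e,(hl)
        inc hl
        ld d,(hl)
        ex de,hl ;HL = logptr
                                ;DE => high byte of the offLogAddr field
        out (7),a ;set log ram page
        ld a,b
        cp logData
        jr z,DoLogData
        cp logDataEnd
        jr z,DoLogDataEnd
        cp logDataStart
        jr nz,$f
        ;logDataStart: remember where this entry begins so that
        ;DoLogDataEnd can link the two entries.
        in a,(7)
        push af
        ld a,81h
        out (7),a               ;driver data block is read with page 81h mapped
        ld ix,(MemPtr)
        ld (ix+offLogDataAddr),l
        ld (ix+offLogDataAddr+1),h
        pop af
        out (7),a               ;back to the log page
$$:
        ld (hl),b
        inc hl
        ld (hl),c
        inc hl
        ld (hl),0
        inc hl
        ld (hl),0
        inc hl
DoLogCont:
;Common exit: restore page 81h and store the updated log pointer.
        ld a,81h
        out (7),a
        ex de,hl
        ld (hl),d
        dec hl
        ld (hl),e
        ret

DoLogData:
;logData: append the single byte in C to the log.
;If we've already stored 32 bytes of data, time to start a new data log entry
;NOTE(review): the jr below skips the splitting code unconditionally, so
;everything up to LogDataOK is currently unreachable. The comment says
;32 bytes while the code compares against 68.
        jr LogDataOK
        push bc
        push hl
        in a,(7)
        push af
        ld a,81h
        out (7),a
        ld ix,(MemPtr)
        ld c,(ix+offLogDataAddr)
        ld b,(ix+offLogDataAddr+1) ;BC -> data start address
        pop af
        out (7),a
        or a
        sbc hl,bc ;How much data has been stored so far?
        ld bc,68
        or a
        sbc hl,bc ;If it's 32 bytes, split up into two log entries
        pop hl
        pop bc
        jr nz,LogDataOK
        push bc ;Start new entry
        ld a,81h
        out (7),a
        ex de,hl
        ld (hl),d
        dec hl
        ld (hl),e
        ld b,logDataEnd
        ld c,0
        call DoLogDo ;End the current data entry
        ld b,logDataStart
        ld c,0
        call DoLogDo ;And start the new one
        pop bc
        jp DoLogDo ;Restore the data
LogDataOK:
        ld (hl),c
        inc hl
        jr DoLogCont

DoLogDataEnd:
;logDataEnd: zero-pad the data to a 4-byte boundary, then write the
;end entry and cross-link it with the matching logDataStart entry.
        ld a,l
        and 3
        jr z,$f
        ld (hl),0
        inc hl
        jr DoLogDataEnd
$$: ;Update DataEnd and DataStart with each other's addresses
        ld (hl),b ;DataEnd
        inc hl
        inc hl                  ;second byte of the entry is left unwritten
        in a,(7)
        push af
        ld a,81h
        out (7),a
        ld ix,(MemPtr)
        ld c,(ix+offLogDataAddr) ;DataStart Address
        ld b,(ix+offLogDataAddr+1)
        pop af
        out (7),a
        ld (hl),c
        inc hl
        ld (hl),b
        inc hl ;HL -> next log address
        inc bc
        inc bc ;BC -> DataStart's data2
        ld a,l
        ld (bc),a
        inc bc
        ld a,h
        ld (bc),a
        jr DoLogCont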