HP Prime/Firmware files

This is a slightly-updated backup copy of the article from the old "HPWiki" of TI-Planet (that only hosted HP Prime info)

Overview

On the leaked and public versions of the updates files, the 'firmware.zip' archive contained :

the Operating System (leaked: v0.26, v0.30; public: v0.32)
the Boot Code (v11+)
an USB tool to install the above versions (having an interface letting you read/write images from/to any memory address - which is clearly not the final interface). From December 2013, the official Prime Connectivity Kit is the official way to upgrade the firmware on a calculator.

The several files for the calculator side are : APPSDISK.DAT, armfir.elf, BESTAARM.ROM, BXCBOOT0.BIN, MASTER.DAT.

See below for a list of experiments with firmware files

Analysis

APPSDISK.DAT

A 32MB disk image, contains a FAT16 filesystem at offset 8K. On Linux, it can be mounted with e.g.

mount -o loop,offset=8192 APPSDISK.DAT appsdisk/

As of the 2013/11/25 firmware upgrade (revision 5447), the FAT16 filesystem contains the following files:

BESTABFS.IND:                empty 
WINDOW/SYSTEM/SDKLIB.DLL:    PE32 executable (DLL) (Windows CE) ARM, for MS Windows
WINDOW/SYSTEM/KRNLLIB.DLL:   PE32 executable (DLL) (Windows CE) ARM, for MS Windows
WINDOW/SYSTEM/COREDLL.DLL:   PE32 executable (DLL) (Windows CE) ARM Thumb, for MS Windows
WINDOW/SYSTEM/MD5DLL.DLL:    PE32 executable (DLL) (GUI) ARM, for MS Windows
FIRSTRUN.INI:                ASCII text, with CRLF line terminators
APPSLIST.INF:                data
APPSLIST.MAP:                data
programs/tools/bestafir.exe: PE32 executable (console) ARM, for MS Windows
programs/tools/bestafir.dat: DOS executable (block device driver)
programs/tools/hello.exe:    PE32 executable (console) ARM, for MS Windows
programs/tools/hello.dat:    DOS executable (block device driver)
programs/misc/armfir.elf:    ELF 32-bit LSB  executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
programs/misc/armhello.dat:  DOS executable (block device driver)
programs/misc/diagnose.exe:  PE32 executable (GUI) ARM, for MS Windows
programs/misc/diagnose.dat:  data
APPSLIST.MD5:                ASCII text, with CRLF line terminators

The programs/misc/armfir.dat file (DOS executable (block device driver)), was there in 2013/08/15 firmware upgrade (revision 5106) but disappeared.

armfir.elf

ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped. There's a copy in APPSDISK.DAT/programs/misc/ (although they are not exactly the same according to their different md5 hashes)

BESTAARM.ROM

Seems to be part of the bootloader.

BXCBOOT0.BIN

Seems to be part of the bootloader.

Reverse engineering : BXCBOOT0.BIN reverse engineering

MASTER.DAT

Experiments on modified firmware

In ^[1], Lionel Debroux described a seemingly failed direct attempt at modifying the Prime's firmware (several strings in there + updating MD5 sump in APPSLIST.MD5): the modified version wasn't accepted by critor's calculator. However, in early November 2013, critor noticed that the modified firmware had not, actually, been transferred at all to the calculator.

critor did more tests, managed to trigger a transfer of the modified firmware (downgrading before upgrading seems to do the job)... and the modified firmware was running on the calculator, as shown by the snapshots in ^[2]. Needless to say, if we can modify strings so easily, we can also modify other data... and code, which opens the door to a fantastic range of possibilities :)

In early July 2014, Lionel Debroux spent several hours making a crappy PoC for a full-custom third-party armfir.elf, which displays three colored areas on the screen and enters an infinite loop: First third-party firmware and assembly on the Prime.

References

Modèle:Reflist

↑ August 2013 - on Omnimaga
↑ November 2013 - TI-Planet news item

[1] August 2013 - on Omnimaga

[2] November 2013 - TI-Planet news item

[1]

[2]