99 — Open questions & roadmap

The structural reverse-engineering is comprehensive (every subsystem mapped, both cross-page mechanisms resolved, full input→parse→eval→display pipeline documented). What remains is depth. Each item below is self-contained for a future session.

Still open

  1. Flash sector write/erase primitive map — the live DB confirms anchors flash_program_buf@3D:678C, flash_erase_wait@3D:5ED3, flash_cmd_base@3D:738B, flash_set_sector_cnt@3D:727D, flash_page_select@3D:726E, flash_find_nonff@3D:7DEA, and flash_op_fd/fb/fe@3D:7C8F/7C93/7C97. The public bcall entry points for these primitives are named in ti83plus.inc: _WriteAByte (8021), _WriteAByteSafe (80C6), and _FlashToRam2 (8054); the retail boot table maps them to 3F:4C9F, 3F:4C9A, and 3F:4888. The candidate addresses 3D:61AF, 3D:64AA, 3D:62C2, 3D:6413, and 3D:6B9B are still undisassembled (not defined functions) in the live DB; their flash_* names are project-local inferred labels, not WikiTI or ti83plus.inc equates. See sub-vat-archive.md / 12.
  2. Flash archive garbage collector — the behavior is documented. The GC-path candidates flash_gc_relocate@3C:7BD0, gc_show_screen@3C:7E0D, and flash_cmd_dispatch@3C:7121 are still undisassembled (not defined functions) in the live DB; those flash_*/gc_* names are project-local inferred labels, not WikiTI or ti83plus.inc equates.
  3. Enum equates. Apply TIKeyCode/TIError/TIVarType to scalar operands in the relevant handlers (conservative, scoped).
  4. Smaller residuals (in each doc’s local TODO):
     - absolute APD timeout/blink period (page-0x35 crystal-timer handler is unanalyzed data);
     - the For/While/Repeat FPS loop-frame byte layout (page-0x33 dispatch confirmed);
     - the Asm(/AsmPrgm compile/setup body before the traced payload handoff (ram:9D95 op=0xC9 is confirmed);
     - direct ASM-initiated BASIC program execution beyond VAT lookup and cooperative Ans callback (_ChkFindSym works from AsmPrgm; the ASMFORM.8xp/ZZFORM.8xp _Find_Parse_Formula fixture fails with ERR:UNDEFINED; the ASMPARSE.8xp/ZZPARSE.8xp _ParseInpLastEnt fixture fails with ERR:INVALID; _ExecuteNewPrgm reaches ERR:SYNTAX; _JForceCmd abandons the caller stack; _PutTokString/_rclToQueue are edit-buffer paths, not proven program-call entries);
     - the group-archive member walk (_Arc_Unarc’s CP 0x17 reject routes elsewhere; body fragmented by cross-page calls).

How to continue

Reopen ti84.gpr (the GhidraMCP plugin reconnects for interactive work), or extend the headless pipeline in tools/ and rebuild with tools/build.sh. The remaining items mostly need a headless raw-byte dump of regions the live decompiler leaves as unanalyzed data (the page-0x35 timer handler, the page-0x38 0xBB/class-3 dispatch tables).
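
A raw-byte dump of a banked region can be produced outside Ghidra. The Python below is an added example, not part of the project's tools/ pipeline: it resolves the PP:AAAA notation used on this page to an offset in a ROM image and hex-dumps the bytes, stopping at the page boundary. It assumes a flat image with 16 KiB pages stored in page order and addresses given in the 0x4000-0x7FFF bank window; the function names and the sample image are constructed for illustration.

```python
import re

PAGE_SIZE = 0x4000    # assumption: 16 KiB flash pages, stored in page order
WINDOW_BASE = 0x4000  # assumption: PP:AAAA addresses lie in the 0x4000-0x7FFF window

_ADDR_RE = re.compile(r"^([0-9A-Fa-f]{1,2}):([0-9A-Fa-f]{4})$")


def parse_banked(text):
    """Parse 'PP:AAAA' (e.g. '3D:678C') into (page, address)."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a page:address pair: {text!r}")
    page, addr = int(m.group(1), 16), int(m.group(2), 16)
    if not WINDOW_BASE <= addr < WINDOW_BASE + PAGE_SIZE:
        raise ValueError(f"{text}: address outside the banked window")
    return page, addr


def file_offset(page, addr):
    """Offset of a banked address inside the flat image."""
    return page * PAGE_SIZE + (addr - WINDOW_BASE)


def dump_region(image, start, length, width=16):
    """Hex-dump up to `length` bytes from banked address `start`.
    The dump is clamped to the page so it never runs into the next page."""
    page, addr = parse_banked(start)
    off = file_offset(page, addr)
    if off >= len(image):
        raise ValueError(f"{start}: beyond end of image")
    end = min(off + length, (page + 1) * PAGE_SIZE, len(image))
    lines = []
    for row in range(off, end, width):
        chunk = image[row:min(row + width, end)]
        row_addr = WINDOW_BASE + (row - page * PAGE_SIZE)
        lines.append(f"{page:02X}:{row_addr:04X}  " + " ".join(f"{b:02X}" for b in chunk))
    return lines


def build_sample_image(pages=0x40):
    """Constructed sample: erased flash (0xFF) with an 8-byte marker at 35:7FF8."""
    image = bytearray(b"\xFF" * (pages * PAGE_SIZE))
    off = file_offset(0x35, 0x7FF8)
    image[off:off + 8] = bytes(range(0xA0, 0xA8))
    return bytes(image)


if __name__ == "__main__":
    for line in dump_region(build_sample_image(), "35:7FF0", 64):
        print(line)
```

Non-flash references such as ram:9D95 are rejected by parse_banked rather than mapped to a wrong offset.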