Files
riojoy/rio-firmware/make_patch.py
T
CydandClaude Fable 5 30d5223b9b RIO firmware: v4.2 EPROM dump, 68HC11 disassembly, reply-latch wedge patch
- RIOv4_2.bin: 64K image dumped from the board's AM27C512 (code at
  $C000-$FFFF, TMP68HC11).
- disasm_6811.py + RIOv4_2.disasm.asm: vector-rooted 68HC11 disassembly;
  SCI ISR at $D630 traced to the $2521 reply-in-progress latch leak that
  wedges the analog reply path under button-mash stress.
- make_patch.py + RIOv4_2_patched.bin: two in-place edits (abort-path stub
  at $DFF0, unconditional latch clear at $DA21) statically verified by
  re-disassembly diff. Dynamic proof awaits a burned W27C512.
- Analysis + burn/validation plan in RIOv4_2-ANALYSIS.md and README.md.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-06 09:29:33 -05:00

65 lines
2.6 KiB
Python

#!/usr/bin/env python3
"""Apply the RIO v4.2 reply-wedge fix to RIOv4_2.bin -> RIOv4_2_patched.bin.
Fix (see RIOv4_2-ANALYSIS.md): clear the reply-in-progress latch $2521 on
EVERY reply teardown, not just the $2522-gated success path.
1. Give-up path: redirect $D9DD `JMP $DA2F` to a stub at free ROM $DFF0
that clears $2521/$2522 then continues to $DA2F.
2. Success path: make $DA00's clear of $2521/$2522 unconditional.
Each edit asserts the exact original bytes first, so a wrong assumption
aborts instead of corrupting the image. Address == file offset.
"""
import sys, hashlib
SRC = sys.argv[1] if len(sys.argv) > 1 else "RIOv4_2.bin"
DST = sys.argv[2] if len(sys.argv) > 2 else "RIOv4_2_patched.bin"
d = bytearray(open(SRC, "rb").read())
assert len(d) == 0x10000, f"expected 64KB image, got {len(d)}"
orig_sha = hashlib.sha256(d).hexdigest()
assert orig_sha == "60a88718835c654b6135dbec7721c40ef99dca07df2ad4b57eedeb24037a5f73", \
f"unexpected source image {orig_sha}"
def patch(addr, expect, new):
got = bytes(d[addr:addr+len(expect)])
assert got == bytes(expect), (
f"@${addr:04X}: expected {got.hex()} to be {bytes(expect).hex()}")
assert len(new) == len(expect), "length mismatch"
d[addr:addr+len(new)] = bytes(new)
# --- edit 1: give-up path redirect ---------------------------------------
# $D9DD 7E DA 2F JMP $DA2F -> 7E DF F0 JMP $DFF0
patch(0xD9DD, [0x7E, 0xDA, 0x2F], [0x7E, 0xDF, 0xF0])
# stub at $DFF0 (was erased $FF): CLR $2521; CLR $2522; JMP $DA2F
patch(0xDFF0, [0xFF]*8,
[0x7F, 0x25, 0x21, # CLR $2521
0x7F, 0x25, 0x22, # CLR $2522
0x7E, 0xDA]) # JMP $DA2F (hi + first target byte)
patch(0xDFF8, [0xFF], [0x2F]) # JMP low byte
# --- edit 2: success teardown, unconditional clear -----------------------
# $DA21 B6 25 22 LDAA $2522
# $DA24 81 01 CMPA #$01
# $DA26 26 06 BNE $DA2E
# $DA28 7F 25 21 CLR $2521
# $DA2B 7F 25 22 CLR $2522 (13 bytes $DA21-$DA2D; $DA2E RTS untouched)
# -> CLR $2521 ; CLR $2522 ; NOP x7
patch(0xDA21,
[0xB6,0x25,0x22, 0x81,0x01, 0x26,0x06, 0x7F,0x25,0x21, 0x7F,0x25,0x22],
[0x7F,0x25,0x21, 0x7F,0x25,0x22, 0x01,0x01,0x01,0x01,0x01,0x01,0x01])
assert d[0xDA2E] == 0x39, "RTS at $DA2E must be intact"
open(DST, "wb").write(d)
new_sha = hashlib.sha256(d).hexdigest()
# byte-diff report
diffs = [(a, orig, d[a]) for a, orig in
enumerate(open(SRC,"rb").read()) if d[a] != orig]
print(f"source : {SRC} sha256 {orig_sha}")
print(f"patched: {DST} sha256 {new_sha}")
print(f"{len(diffs)} bytes changed:")
for a, o, n in diffs:
print(f" ${a:04X}: {o:02X} -> {n:02X}")