Full Reverse Engineering of the TI-84 Plus Operating System

# TI-84 Plus OS — Reverse Engineering Source: [https://siraben.github.io/ti84p-re/](https://siraben.github.io/ti84p-re/) ## Keyboard shortcuts Press←or→to navigate between chapters PressSor/to search in the book Press?to show this help PressEscto hide this help ## TI\-84 Plus OS — Reverse Engineering ## [TI\-84 Plus OS — Reverse\-engineering notes: system overview](https://siraben.github.io/ti84p-re/#ti-84-plus-os--reverse-engineering-notes-system-overview) Target:`ti84plus\.rom`\(1 MiB flash dump\)\. OS self\-identifies as 2\.55MP\. CPU: Zilog Z80 \(16\-bit address bus, 64 KiB logical space\) with hardware flash/RAM paging\. Ghidra project:`ti84\.gpr`\(rebuild:`tools/build\.sh`\)\. > Confidence is flagged: \[confirmed\] = verified in disassembly/decompiler; \[standard\] = matches documented TI\-83\+/84\+ architecture and is consistent with the disassembly; \[hypothesis\] = inferred, not yet verified\. ## [The big picture](https://siraben.github.io/ti84p-re/#the-big-picture) The TI\-84\+ is a Z80 machine that can only see 64 KiB at once, but has 1 MiB of flash and 128 KiB of RAM\. It bridges that gap with a 4\-slot paging scheme and a system\-call \(“bcall”\) mechanism that lets code on one 16 KiB flash page call routines on any other page\. The OS is a single\-tasking monitor: a boot/kernel core on flash`page 0`\(always mapped low\), a large body of OS routines spread across the other flash pages and reached via bcalls, and a fixed RAM region holding the system state \(flags, floating\-point registers, display buffers, the variable table\)\. Everything the user interacts with — the homescreen, TI\-BASIC programs, graphing, the catalog — is built on four pillars: 1. **Paging \+ bcalls**— how code and data beyond 64 KiB are reached\. \(see[02\-paging\.md](https://siraben.github.io/ti84p-re/02-paging.html),[03\-bcall\-mechanism\.md](https://siraben.github.io/ti84p-re/03-bcall-mechanism.html)\) 2. **The floating\-point engine**— 9\-byte BCD reals/complex in the OP1–OP6 registers; all math flows through these\. \([06\-floating\-point\.md](https://siraben.github.io/ti84p-re/06-floating-point.html)\) 3. **The variable system \(VAT\)**— named objects \(reals, lists, matrices, strings, programs, appvars…\) catalogued in the Variable Allocation Table\. \([05\-variables\-vat\.md](https://siraben.github.io/ti84p-re/05-variables-vat.html)\) 4. **The tokenizer/parser**— TI\-BASIC is stored as 1\- and 2\-byte tokens; the parser executes them\. \([07\-tokenizer\-basic\.md](https://siraben.github.io/ti84p-re/07-tokenizer-basic.html)\) Around those sit the I/O subsystems: the IM1 interrupt that drives timing/APD/cursor/ON\-key \([04\-interrupts\.md](https://siraben.github.io/ti84p-re/04-interrupts.html)\), the LCD driver, the keypad scanner, and the link port\. ## [Subsystem index](https://siraben.github.io/ti84p-re/#subsystem-index) Each row maps a documentation page to the subsystem it covers and its analysis status\. DocSubsystem[01\-memory\-map\.md](https://siraben.github.io/ti84p-re/01-memory-map.html)Address space, ports, RAM layout[02\-paging\.md](https://siraben.github.io/ti84p-re/02-paging.html)Flash/RAM banking \(ports 6/7\)[03\-bcall\-mechanism\.md](https://siraben.github.io/ti84p-re/03-bcall-mechanism.html)rst 28h system calls \+ jump table[04\-interrupts\.md](https://siraben.github.io/ti84p-re/04-interrupts.html)IM1 ISR, timers, APD, ON key[05\-variables\-vat\.md](https://siraben.github.io/ti84p-re/05-variables-vat.html)Variable Allocation Table, object types[06\-floating\-point\.md](https://siraben.github.io/ti84p-re/06-floating-point.html)BCD float format, OP registers[07\-tokenizer\-basic\.md](https://siraben.github.io/ti84p-re/07-tokenizer-basic.html)Token tables, parser/interpreter[08\-display\-lcd\.md](https://siraben.github.io/ti84p-re/08-display-lcd.html)LCD ports, screen buffers[09\-keyboard\-link\.md](https://siraben.github.io/ti84p-re/09-keyboard-link.html)Keypad scan, link protocol[10\-subsystem\-map\.md](https://siraben.github.io/ti84p-re/10-subsystem-map.html)bcall API surface, system through\-line[11\-boot\-contexts\-errors\.md](https://siraben.github.io/ti84p-re/11-boot-contexts-errors.html)Boot, context system, \_JError/onSP[12\-memory\-management\.md](https://siraben.github.io/ti84p-re/12-memory-management.html)RAM heap, VAT/userMem, Flash archive/GC[13\-flash\-page\-map\.md](https://siraben.github.io/ti84p-re/13-flash-page-map.html)What each of the 64 flash pages contains[14\-ram\-pages\.md](https://siraben.github.io/ti84p-re/14-ram-pages.html)RAM page selectors, page`83`, and restore rules[99\-open\-questions\.md](https://siraben.github.io/ti84p-re/99-open-questions.html)Prioritized future\-work roadmap[sub\-calculation\.md](https://siraben.github.io/ti84p-re/sub-calculation.html)Calculation engine: FP ops, transcendentals, formatting, errors[sub\-graphing\.md](https://siraben.github.io/ti84p-re/sub-graphing.html)Graphing: window vars, coord↔pixel, draw primitives, Y= eval[sub\-tibasic\.md](https://siraben.github.io/ti84p-re/sub-tibasic.html)TI\-BASIC: program execution, control flow, I/O commands[sub\-tibasic\-tracing\.md](https://siraben.github.io/ti84p-re/sub-tibasic-tracing.html)TI\-BASIC fixture traces, smoke runner, coverage anchors[sub\-vat\-archive\.md](https://siraben.github.io/ti84p-re/sub-vat-archive.html)Variables, Sto/Rcl, Archive/Unarchive, Flash GC[sub\-apps\-mem\-settings\.md](https://siraben.github.io/ti84p-re/sub-apps-mem-settings.html)Apps find/launch, RAM\-reset, MODE/format flags[sub\-statistics\.md](https://siraben.github.io/ti84p-re/sub-statistics.html)STAT: 1/2\-var, regressions, statVars[sub\-matrix\-list\.md](https://siraben.github.io/ti84p-re/sub-matrix-list.html)Matrix/list element access, Gauss\-Jordan inverse/det, matmul[sub\-solver\-numeric\.md](https://siraben.github.io/ti84p-re/sub-solver-numeric.html)Solver root\-finder, nDeriv/fnInt, TVM finance[sub\-table\-yvars\.md](https://siraben.github.io/ti84p-re/sub-table-yvars.html)TABLE generation/cache, Y= equation vars[sub\-equation\-display\.md](https://siraben.github.io/ti84p-re/sub-equation-display.html)Equation display / MathPrint layout \(page 0x39`eqdisp\_\*`\)[sub\-link\-transfer\.md](https://siraben.github.io/ti84p-re/sub-link-transfer.html)Link protocol: byte/packet/var\-transfer \(page 0x3C\)[sub\-usb\-asic\.md](https://siraben.github.io/ti84p-re/sub-usb-asic.html)USB ASIC/link\-assist ports and OS transport selection \(The`sub\-\*`docs are deep dives covering user\-facing functionality and I/O internals: calculation, graphing, TI\-BASIC, VAT/archive, apps, stats, matrices, solver, table, equation display, link, and USB/link assist\.\) New to these notes? Start with[Conventions & Methodology](https://siraben.github.io/ti84p-re/conventions.html)\(how to read the addresses and confidence flags\) and the[Glossary](https://siraben.github.io/ti84p-re/glossary.html); the[bcall Index](https://siraben.github.io/ti84p-re/bcall-index.html)is the full alphabetical system\-call reference\. The main`0x4xxx`bcall table and the retail boot bcall table \(`0x8xxx`, from the local complete ROM\) both carry TI\-OS types\. Most boot bcall bodies are on page`3F`; USB boot routines such as`\_AttemptUSBOSReceive`,`\_ReceiveOS\_USB`,`\_InitUSB`, and`\_KillUSB`are on page`2F`\. Rebuild:`tools/build\.sh`\. [https://siraben.github.io/ti84p-re/10-subsystem-map.html](https://siraben.github.io/ti84p-re/10-subsystem-map.html) [https://siraben.github.io/ti84p-re/10-subsystem-map.html](https://siraben.github.io/ti84p-re/10-subsystem-map.html)