set = 1: sets the bits according to flagmask
set = 0: clears the bits according to flagmask
bit 0 (0x01): AD conversion interrupt done
bit 1 (0x02): IRQ1
bit 2 (0x04): IRQ2
bit 3 (0x08): associated with SD card access
bit 4 (0x10): WDT occupied
bit 5 (0x20): keyboard interrupt
bit 6 (0x40): RTC alarm interrupt done
bit 7 (0x80): RTC periodic interrupt done
Inside the IRQ0-handler (0x80033460, OS 1.03) the byte is queried, too. If the mask 0x18 matches, the calculator performs a silent power-off.
The startup interrupt table starts at 0x80000340 for all OS versions.
The runtime interrupt table starts at 0x8001022C for all OS versions.
Each interrupt table consists of 0x77 entries.
The effective address ea of a handler can be calculated from the interrupt code IC of the interrupt source.
ea = table_base + ( IC - 0x40 ) / 8
vbr is set to 0x80010380 for the OS versions 1.02..1.05 and 1.10..1.11. It is stored as vbr-shadow in RAM location 0x88006818 (OS 1.02, 1.03), 0x8800681C (OS 1.04, 1.05) or 0x88006B6C (OS 1.10, 1.11). According to the exception- and interrupt-entry code at 0x80010480, 0x80010780 and 0x80010980, the exception- and interrupt-target-addresses are redirected to the tables based on the content of the vbr-shadow if it contains a value other than vbr.
To redirect ExcInt-handlers one has to provide a structure like the range from 0x8001022C to 0x80010A00, replace the exception- and/or interrupt-target-addresses to be hooked and set vbr accordingly. The system copies the value of vbr to the vbr-shadow automatically. That is a problem!
If the vbr is set back to the default value (to deinstall a redirection), the shadow-value still contains the redirection-value. An interrupt would call the redirected code. If this code is deleted too fast after setting vbr to default, the system crashes. To deinstall an ExcInt-redirection, vbr and the vbr-shadow have to be set simultaneously, while interrupts are disabled.