TI-OS 1.13 to 2.30:

50CBh: Receives a Flash application in an extremely bizarre way.
  Inputs:
    C is something (number of times to try before timing out?)
  Outputs:
    Zero flag set if success:
      A=0: validation succeeded
    Zero flag reset if failure:
      A=8: validation failed
      A=9: some sort of field problem
      A=23h: something really wrong (this is JError code)
  Comments:
    While this looks similar to A=1 below, it's different and was removed at some point (likely 2.40).

TI-OS 2.40+:

WriteToFlash: 50CBh:

A=0: Write Flash application.
  Inputs:
    (sndRecState): 0FFh, otherwise tries sending skip/exit packet?
    (ramCodeEnd): 0 to write app header, non-zero for data.
    D: number of app pages (this is only checked when writing app header).
    E: current page (this is only checked when NOT writing app header). Update this yourself.
    appData contains the bytes to write.
    HL is destination address (4000h-7FFFh).
    BC is number of bytes to write.
  Comments:
    The app header must be the first thing you write (all of it).

A=1: Validate Flash application.
  Inputs:
    None
  Outputs:
    Zero flag set if success:
      A=0: validation succeeded
    Zero flag reset if failure:
      A=8: validation failed
      A=9: some sort of field problem

A=2: Create AppVar directly in the archive.
  Inputs:
    HL points to VAT entry.
    OP1 contains type and name of variable.
  Outputs:
    AppVar is created directly in archive; size bytes and data not written.
  Comments:
    Variable is deleted and ERR:VERSION thrown if 6 or higher.

A=3: Write bytes to archived AppVar.
  Inputs:
    HL points to data to write.
    BC is number of bytes to write.
  Outputs:
    Bytes are cached and ready to be written.

A=4: Finish writing bytes to archived AppVar.
  Inputs:
    None
  Outputs:
    Buffer is flushed out and all bytes to-be-written are written.

A=5: Mark AppVar as valid.
  Inputs:
    None
  Outputs:
    AppVar data marked as valid.

A=6: Delete VAT entry of variable.
  Inputs:
    HL points to variable.
  Outputs:
    VAT entry only deleted.
  Comments:
    I'm not sure how this is related, and is also a separate BCALL (52E4h).
    I think you're supposed to create a VAT entry before this entire entry point. If so, this would be like a clean-up if it ended up failing.

The Flash protection works here by writing to C+1DE2h in the certificate the following bytes:

  0FEh, 07Fh, bPage1, bAddr1, bPage2, bAddr2 for writing an AppVar.
  0FEh, 0BFh, bPage1, bPage2 for writing a Flash application.

where bPage1:bAddr1 is the lowest spot subsequent calls will allow you to write, and bPage2:bAddr2 is the highest spot you will be allowed to write. These values are set by creating the variable (or application) in the archive; you cannot set them yourself. For 0BFh, bPage2 is lower than bPage1.

It's likely that you use _CreateAppVar with HL=0 and delete the two size bytes (or whatever method you can think of to create a VAT entry only), and then call WriteToFlash with A=2, A=3 as many times as you need to, A=4, and A=5. A=6 is probably in case WriteToFlash fails at some point.
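
An added example, not part of the original page and not TI-OS code: a Python model of the write-window record described above, decoding both layouts and checking a requested write against the recorded bounds. It assumes bAddr is the high byte of the address and that a Flash application window covers whole pages from bPage2 up to bPage1; the names parse_window and write_allowed and the sample bytes are hypothetical.

```python
# Added illustration: model of the write-window record stored at C+1DE2h.
# Assumption (not stated on the page): bAddr is the high byte of the address.
from dataclasses import dataclass

APPVAR_TAG = bytes([0xFE, 0x7F])  # followed by bPage1, bAddr1, bPage2, bAddr2
APP_TAG = bytes([0xFE, 0xBF])     # followed by bPage1, bPage2


@dataclass(frozen=True)
class WriteWindow:
    kind: str    # "appvar" or "app"
    low: tuple   # (page, address high byte): lowest writable spot
    high: tuple  # (page, address high byte): highest writable spot


def parse_window(record: bytes) -> WriteWindow:
    """Decode the record and reject truncated or inverted bounds."""
    if record[:2] == APPVAR_TAG and len(record) >= 6:
        p1, a1, p2, a2 = record[2:6]
        kind, low, high = "appvar", (p1, a1), (p2, a2)
    elif record[:2] == APP_TAG and len(record) >= 4:
        p1, p2 = record[2:4]
        # For 0BFh bPage2 is lower than bPage1; assume whole 4000h-7FFFh pages.
        kind, low, high = "app", (p2, 0x40), (p1, 0x7F)
    else:
        raise ValueError("not a write-window record")
    if low > high:
        raise ValueError("window bounds are inverted")
    return WriteWindow(kind, low, high)


def write_allowed(win: WriteWindow, page: int, addr: int, length: int) -> bool:
    """True if [addr, addr+length) on `page` lies inside the window."""
    if length <= 0 or addr < 0x4000 or addr + length > 0x8000:
        return False  # HL must stay inside the 4000h-7FFFh bank
    first = (page, addr >> 8)
    last = (page, (addr + length - 1) >> 8)
    return win.low <= first and last <= win.high
```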