BCALL keyscnlnk is the heart of the silent link ability of the calculator. It is called in GetKey when link activity is detected. Here are the commands from it (OS 2.41): Enable Key Echo: 2Bh: Sending this command (no data) will get you an acknowledgement back and cause the other calculator to start echoing keypresses back to you in the form of remote control packets. It sends GetCSC scan codes, though, not GetKey codes (which the remote control packet uses), so whoever implemented this was really dumb. Disable Key Echo: 2Ch: Sending this command (no data) will get you an acknowledgement back and the other calculator will stop echoing keypresses to you. Enable Lockdown: 29h: Sending this command (no data) causes the OS on the other calculator to send acknowledgement and install a link activity hook (and set the override bit). This link activity hook is the same as the BCALL RejectCommand: when activity is detected, the entire packet is received and then the skip/exit packet with code 5 is sent back to you. Since this explicitly uses the override bit, I have no idea how or when this is actually used. Disable Lockdown: 2Ah: Sending this command (no data) disables the lockdown from above. Ready: 68h: Sending this command (no data) causes the other calculator to acknowledge. It's used to see if the calculator is there and ready to accept a command, and also to determine the machine ID of the other device. Get Device Information: 2Dh: Sending this command (no data) causes the other calculator to receive acknowledge, at which point you should send a continue packet, receive acknowledgement, then a data packet with the following contents (then you send acknowledgement): DB bOSVersionMajor, bOSVersionMinor, bBootVersionMajor, bBootVersionMinor, bBatteryStatus DB bHardwareVersion, wLocalLanguage, 0, 0, 0 bBatteryStatus is 2 if the batteries are good, 3 if they're low. wLocalLanguage is the same as (localLanguage) in memory. bHardwareVersion is 0 for the 83+, 1 for the 83+SE, 2 for the 84+, and 3 for the 84+SE. Testguard2: 70h: This is the Testguard2 packet. It's long and complicated. Unknown: 47h: Send this command with 32 bytes of data which gets put at 86B7h, for whatever reason, then receive acknowledgement. Unknown: 74h: Send this command (no data) to have the other calculator send you the 47h packet (then you receive acknowledgement). Remote Control: 87h: Send this command to fake a keypress on the other calculator. Use GetKey codes. One-byte keycodes: DB bMachineID,87h,bKeyCode,00h Two-byte keycodes: DB bMachineID,87h,bExtendCode,bKeyCode Get Calculator ID: 6Eh: Send this command (no data) to get the other calculator to send you its calculator ID. Here's how it goes down: It sends you acknowledgement. It sends you a data packet (nine bytes, calculator ID (5) and validation number (2)). I don't know what the last 2 bytes are. You send acknowledgement. Memory Dump: 6Fh: Send this command along with an address and page as well as a number and it will send a data packet of that many bytes to you.DB 73h DB 6Fh DW wPacketSize DW wPage (< 256) DW wAddress DW wNumberOfBytes DW wPacketChecksum You get back a data packet of wNumberOfBytes size with the data from that page:address. Get Screenshot: 6Dh: Send this command (no data) to get a screenshot (current LCD contents) of the other calculator. It's basically BCALL 4ECDh, look it up. Send Variable Forced: 0C9h: Send this as if it were a header packet and then the data for the variable. Send Program and Execute: 0CAh: Same as 0C9h, except it tries to execute it as soon as it receives it (and the type must be TempProgObj, otherwise it just acts like 0C9h). Request Variable: 0A2h: This is the same as what's documented elsewhere. Can be used to get directory contents, too. Unknown: 88h: I'm not totally sure, but I think it might remotely delete a variable (including a Flash application). Remote Execution: 89h: Remotely executes a program or Flash application. Documented elsewhere already. Send Variable to RAM: 0B7h: Same as 0C9h, except it forces it in RAM...okay, whatever. Send Variable: 06h: Your typical variable header packet to send a variable, it can error if it already exists and stuff. Get Clock Status: Unknown: bClockByte1 bClockByte2 bClockByte3 bClockByte4 Then these bytes: 1 if 0,(iy+3Fh) reset, 2 if 1,(iy+3Fh) reset, 3 otherwise 12 if 2,(iy+3Fh) reset, 24 otherwise 0 if clock off, 0FFh if clock on Length is 9 bytes, data packet.