calc84maniac
Elite
Joined: 22 Jan 2007 Posts: 770
Posted: 10 Nov 2009 10:52:36 pm

Goplat wrote:
    calc84maniac wrote:
        My disassembly only went up to 774934. Did I do something wrong?
    Non-CAS phoenix.raw v1.7.2741 is 0x774938 bytes long, so that's the right size at least. Remember that the OS should start at address 0x10000000, though (in objdump, use the --adjust-vma option to set the base address).
Thanks, that worked

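Why the base address matters, as an added example that is not part of the original posts: a raw image carries no load address, so objdump (for an arm-elf binutils, something like `arm-elf-objdump -D -b binary -m arm --adjust-vma=0x10000000 phoenix.raw`; the tool prefix depends on the toolchain) would otherwise print everything as if it started at 0, and every PC-relative branch target in the listing would be off by the base. The script below decodes ARM-mode B/BL targets from a raw little-endian image at a chosen base and maps listing addresses back to file offsets. The six-instruction image is constructed here for the demonstration and is not TI code; the helper names are this example's own.

```python
import struct

OS_BASE = 0x10000000  # where the Nspire OS image is loaded, per the thread


def vma_to_file_offset(vma, base=OS_BASE):
    """Map an address seen in the disassembly back to an offset in the raw file."""
    if vma < base:
        raise ValueError(f"{vma:#x} is below the image base {base:#x}")
    return vma - base


def decode_branch(word, pc):
    """Decode a 32-bit ARM-mode B/BL (cond != 1111, bits 27:25 == 101).
    Returns (mnemonic, target) or None for any other instruction."""
    if word >> 28 == 0xF or (word >> 25) & 0b111 != 0b101:
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:
        imm24 -= 0x01000000  # sign-extend the 24-bit field
    # In ARM mode the PC reads as the current instruction + 8 during execution
    target = (pc + 8 + (imm24 << 2)) & 0xFFFFFFFF
    return ("bl" if (word >> 24) & 1 else "b", target)


def encode_branch(pc, target, link=False):
    """Assemble an unconditional (AL) B/BL from pc to target; used only to build the sample."""
    imm24 = ((target - pc - 8) >> 2) & 0x00FFFFFF
    return (0xE << 28) | (0b101 << 25) | (int(link) << 24) | imm24


def scan_branches(image, base=OS_BASE):
    """List (vma, mnemonic, target) for every ARM-mode B/BL in a little-endian raw image."""
    found = []
    for off in range(0, len(image) - 3, 4):
        word = struct.unpack_from("<I", image, off)[0]
        dec = decode_branch(word, base + off)
        if dec is not None:
            found.append((base + off, dec[0], dec[1]))
    return found


# Constructed sample image (not real TI code): a BL forward, filler, a B backward.
SAMPLE_IMAGE = struct.pack(
    "<6I",
    encode_branch(OS_BASE + 0x00, OS_BASE + 0x10, link=True),  # bl  0x10000010
    0xE3A00000,                                                 # mov r0, #0
    encode_branch(OS_BASE + 0x08, OS_BASE + 0x00),              # b   0x10000000
    0xE1A00000,                                                 # nop (mov r0, r0)
    0xE12FFF1E,                                                 # bx  lr
    0xE1A0F00E,                                                 # mov pc, lr
)

if __name__ == "__main__":
    # The same bytes listed at the right base and at base 0: only the first listing
    # gives targets you can cross-reference with other addresses in the OS.
    for base in (OS_BASE, 0):
        print(f"base={base:#010x}")
        for vma, mnem, target in scan_branches(SAMPLE_IMAGE, base):
            print(f"  {vma:08x}:  {mnem:<3} {target:#x}")
```

Run as a script it prints the two listings; the second one (base 0) is what a disassembly without `--adjust-vma` would show, with targets like 0x10 instead of 0x10000010. The same mismatch hits literal pools and any absolute address the OS stores in data, which is why the base has to be right before cross-referencing the entry points the French community was collecting.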
bwang
Member
Joined: 15 Mar 2009 Posts: 128
Posted: 10 Nov 2009 10:57:41 pm

fullmetalcoder wrote:
    err... the OS has been decrypted for a few days already... the details are available on a French forum, but the general procedure is simple: extract the 8070 field from boot2.img and TI-nspire.img and run the Blowfish decryption of the boot2 in an ARM simulator (gdb (from an arm-elf toolchain) can do that) to decrypt the OS.
    The French community has been figuring out entry point addresses like crazy over the past few days.
Which French forum?

Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 11 Nov 2009 03:45:16 am

OK, let's see how fast I can learn ARM asm... xD
I hope I can be of some help to this mission.

Lionel Debroux
Member
Joined: 01 Aug 2009 Posts: 170
Posted: 11 Nov 2009 03:52:02 am

It's yAronet, which has a section dedicated to TI-Nspire development: http://www.yaronet.com/sujets.php?f=2844 .
yAronet is generally French-speaking, but has several English-speaking sub-forums (such as the GCC4TI forum), as well as occasional English-speaking posts in French-speaking sections (e.g. those of TI-68k programmers lachprog / Lach Asderity and Samuel Stearley).

Graphmastur
Advanced Member
Joined: 25 Mar 2009 Posts: 360

brandonw
Advanced Member
Joined: 12 Jan 2007 Posts: 455
Posted: 15 Nov 2009 10:36:05 pm

Graphmastur wrote:
Yes. It's my Nspire. I gave it to him.

Techrocket9
Advanced Newbie
Joined: 07 Nov 2009 Posts: 62
Posted: 15 Nov 2009 10:51:52 pm

So, is this OS decryption tool the breakthrough? What I mean is, is it now just a matter of time until a buffer overflow or some such is found and the NSpire is hacked?
Last edited by Guest on 16 Nov 2009 10:51:19 am; edited 1 time in total

Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 16 Nov 2009 01:43:42 am

Probably.

brandonw
Advanced Member
Joined: 12 Jan 2007 Posts: 455
Posted: 16 Nov 2009 07:23:42 am

Techrocket9 wrote:
    So, is this OS decryption tool the breakthrough? What I mean is, is it now just a matter of time until a buffer overflow or some such is found and the nSpire is hacked?
Yeah, now we just need to find an exploit and use it. And please don't refer to it as the "nSpire" (like the title of this thread), it's actually Nspire (or TI-Nspire). We really have to watch how we phrase things to avoid confusion down the road. It doesn't reflect well if we aren't consistent in what it's called.

Goplat
Advanced Newbie
Joined: 26 Jun 2007 Posts: 95
Posted: 18 Nov 2009 03:09:04 am

I've been making an emulator/debugger. It's very incomplete and non-usable, but it can now run at least one version of the OS (CAS version 1.1).
To try it out, first run:
Code:
nspire_emu /B=<filename of BOOT2 dump> /G /X /C /W=<filename of flash image to create> /O=<filename of TI-Nspire.tnc>
to install the OS and create a flash image. When that finishes, run:
Code:
nspire_emu /B=<filename of BOOT2 dump> /G /X /C /R=<filename of flash image>
to run the OS.
Some caveats:
- Newer OSes don't work because of something about an "unrecognized keypad"
- The old non-CAS OS just crashes (I think this is because of the lack of BOOT1)
- No USB emulation
- Runs too slow with instruction translation off, runs too fast with it on
- Debugger acts strange when translation is on, and is pretty minimally functional in general
Still, it's a start. You can enter the debugger with Ctrl-D.

brandonw
Advanced Member
Joined: 12 Jan 2007 Posts: 455
Posted: 18 Nov 2009 03:10:47 pm

Fantastic. Very impressive.

critor
Member
Joined: 04 Feb 2009 Posts: 132
Posted: 18 Nov 2009 03:47:25 pm

Wonderful!
A wonderful tool for future development.
You must have been working very hard on it these last weeks...
Thank you very much!

ztrumpet
Active Member
Joined: 06 May 2009 Posts: 555
Posted: 18 Nov 2009 05:22:16 pm

Looks nice. Keep up the great work!

Techrocket9
Advanced Newbie
Joined: 07 Nov 2009 Posts: 62
Posted: 18 Nov 2009 07:12:47 pm

Does anyone have a link to download the 1.1 firmware? I got my calculator after that.
Unrelated note:
I believe that someone said a quantum computer is needed to crack the firmware signature key? Well, they've made one (good luck getting use of it though)
Quantum Computer
Last edited by Guest on 18 Nov 2009 10:28:26 pm; edited 1 time in total

Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 19 Nov 2009 01:41:42 am

Sweet, I'll check to what degree I can use this under Linux.
(crosses his fingers)
Last edited by Guest on 19 Nov 2009 01:42:15 am; edited 1 time in total

geogeo
Newbie
Joined: 19 Nov 2009 Posts: 7
Posted: 19 Nov 2009 03:19:39 pm

Goplat> Your work is very impressive! What methods did you employ to find the I/O and the memory mapping?
I think that the French and English communities should join efforts to open the TI-Nspire to programming.

Lionel Debroux
Member
Joined: 01 Aug 2009 Posts: 170
Posted: 19 Nov 2009 03:38:51 pm

Indeed, the work on the emulator so far is impressive.

Goplat
Advanced Newbie
Joined: 26 Jun 2007 Posts: 95
Posted: 20 Nov 2009 01:07:37 pm

geogeo wrote:
    What are methods that you employed to find I/O and mapping of memory ?
Mainly, I just look at what BOOT2 and the OS expect, and give them whatever will keep them running. I also noticed that the serial (at address 9002xxxx) has the same interface as the 8250 UART that's on PCs.

Goplat
Advanced Newbie
Joined: 26 Jun 2007 Posts: 95
Posted: 21 Nov 2009 06:09:57 pm

Here's a new version. It allows OS 1.7 to detect the keypad properly; both the CAS and non-CAS versions can run. However, the TI-84+ emulator in non-CAS does not work, and both versions hang if you do nothing for 3 minutes.
I also implemented speed throttling, toggleable with the ` key, so you no longer need godlike reflexes to select something with the arrow keys.

critor
Member
Joined: 04 Feb 2009 Posts: 132
Posted: 21 Nov 2009 07:57:12 pm

Thank you for that new version, with many improvements!!!
I've tested it with CAS versions 1.1, 1.3, 1.4, 1.6, and 1.7 (installation & booting only for now).
* 1.1 / 1.3 / 1.7 are booting correctly :-)
* 1.4 / 1.6 aren't booting successfully...
There is an error displayed in the console, and it's entering debug mode:
Code:
Beginning system initialization.
Warning at PC=A4009898: Bad read_word: 900a0000
debug>
It's not to criticize... just to help you make that wonderful emulator even more wonderful :biggrin:
Edit: more tests on the non-CAS versions 1.1, 1.3, 1.4, 1.6, and 1.7 (installation & booting only for now).
* 1.3 / 1.7 are booting correctly :-)
* 1.1 / 1.4 / 1.6 aren't booting successfully...
(for 1.4 and 1.6, it's the same error as above... for 1.1, the emulator exits complaining about a null PC...)
Last edited by Guest on 21 Nov 2009 08:28:28 pm; edited 1 time in total

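An added illustration, not code from Goplat's nspire_emu (which is not on this page), of the two things the emulator posts above turn on: the "give BOOT2 and the OS what they expect" approach, here an 8250-register-layout serial port at 9002xxxx that lets a polling console routine make progress, and the unmapped-read case behind critor's "Warning at PC=A4009898: Bad read_word: 900a0000" log. The register stride, the region size and the strict/lenient policy are assumptions made for this example; the class and function names are its own.

```python
UART_BASE = 0x90020000  # the thread places the serial port at 9002xxxx
STRIDE = 4              # assumption: 32-bit register spacing (not stated in the thread)


class UnmappedAccess(Exception):
    """Raised in strict mode so the caller can drop to a debugger prompt instead of guessing."""


class Uart8250:
    """Just enough of the 8250 register set for firmware that polls LSR and writes THR."""
    RBR_THR, IER, IIR_FCR, LCR, MCR, LSR, MSR, SCR = range(8)
    LSR_DR, LSR_THRE, LSR_TEMT, LCR_DLAB = 0x01, 0x20, 0x40, 0x80

    def __init__(self):
        self.tx = bytearray()  # bytes the guest wrote to THR (our "console")
        self.rx = bytearray()  # bytes queued for the guest to read from RBR
        self.ier = self.lcr = self.mcr = self.scr = 0
        self.divisor = 0       # baud divisor latch, visible while LCR.DLAB is set

    def read(self, idx):
        dlab = self.lcr & self.LCR_DLAB
        if idx == self.RBR_THR:
            if dlab:
                return self.divisor & 0xFF
            return self.rx.pop(0) if self.rx else 0
        if idx == self.IER:
            return self.divisor >> 8 if dlab else self.ier
        if idx == self.IIR_FCR:
            return 0x01  # no interrupt pending
        if idx == self.LSR:  # bytes are sunk instantly, so the transmitter is always empty
            return self.LSR_THRE | self.LSR_TEMT | (self.LSR_DR if self.rx else 0)
        return {self.LCR: self.lcr, self.MCR: self.mcr, self.MSR: 0, self.SCR: self.scr}[idx]

    def write(self, idx, value):
        value &= 0xFF
        dlab = self.lcr & self.LCR_DLAB
        if idx == self.RBR_THR:
            if dlab:
                self.divisor = (self.divisor & 0xFF00) | value
            else:
                self.tx.append(value)
        elif idx == self.IER:
            if dlab:
                self.divisor = (self.divisor & 0x00FF) | (value << 8)
            else:
                self.ier = value
        elif idx == self.LCR:
            self.lcr = value
        elif idx == self.MCR:
            self.mcr = value
        elif idx == self.SCR:
            self.scr = value
        # FCR, LSR, MSR: FIFO control or read-only; ignored in this model


class Bus:
    """Address decoder. An unmapped read warns and returns 0, or raises in strict mode."""

    def __init__(self, strict=False):
        self.regions = []  # (base, size, device)
        self.warnings = []
        self.strict = strict

    def map(self, base, size, device):
        self.regions.append((base, size, device))

    def _lookup(self, addr):
        for base, size, dev in self.regions:
            if base <= addr < base + size:
                return dev, (addr - base) // STRIDE
        return None, None

    def read_word(self, addr, pc):
        dev, idx = self._lookup(addr)
        if dev is None:
            msg = f"Warning at PC={pc:08X}: Bad read_word: {addr:08x}"
            self.warnings.append(msg)
            if self.strict:
                raise UnmappedAccess(msg)
            return 0  # the lenient choice: keep the guest running on made-up data
        return dev.read(idx)

    def write_word(self, addr, value, pc):
        dev, idx = self._lookup(addr)
        if dev is None:
            self.warnings.append(f"Warning at PC={pc:08X}: Bad write_word: {addr:08x}")
            return
        dev.write(idx, value)


def guest_puts(bus, text, pc=0xA4009898):
    """What console output looks like from the bus side: poll LSR.THRE, then write THR."""
    lsr, thr = UART_BASE + Uart8250.LSR * STRIDE, UART_BASE + Uart8250.RBR_THR * STRIDE
    for byte in text.encode():
        while not bus.read_word(lsr, pc) & Uart8250.LSR_THRE:
            pass
        bus.write_word(thr, byte, pc)


def demo(strict=False):
    """Boot-time console write, then a read from a region nobody has modelled yet."""
    bus, uart = Bus(strict), Uart8250()
    bus.map(UART_BASE, 0x1000, uart)  # region size is an assumption
    guest_puts(bus, "Beginning system initialization.\n")
    bus.read_word(0x900A0000, pc=0xA4009898)  # the address from critor's 1.4/1.6 log
    return uart.tx.decode(), bus.warnings
```

`demo()` returns the text the guest "printed" plus the one warning; `demo(strict=True)` raises at the unmapped read instead, which is the behaviour critor's log shows (warning, then the `debug>` prompt) and the one that finds missing device models fastest. Returning zeros silently keeps the OS running a little longer but on fabricated register contents, so a hang or a null PC later is much harder to trace back to the peripheral that was never mapped.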