panyan
Member
Joined: 29 Dec 2007 Posts: 142
Posted: 02 Jun 2009 08:34:42 am
tiuser1010 wrote: Well, well, it looks like there are some "good" games for the Nspire.
The one linked to above I couldn't manage to get working.

TylerMcL
Member
Joined: 28 May 2008 Posts: 148
Posted: 01 Jul 2009 12:51:33 am
Alright - this has been too long. I've read all I could here about the nSpire, and it looks like very subtle advancements. Brandonw, where have you been, and what's the status of the so-called "community" that has been working on it? You had told me at one point to leave it alone and let you guys handle it. One year later --- still not done!
So I don't know who's still current here in the community, for I have not been dedicated myself for the past year. Life changes, and it takes its steps.
I'm still hearing ideas of brute forcing the 64-bit encryption. Looks like we just have to find a program that will do such things. That's gonna be a pain in the rear.
I read in another post that one was "pressing random buttons" and a wireless dock diagnostics frame opened up or rather. I guess everyone should just try pressing random buttons until we get this thing hacked. [/sarcasm]
I feel this has been going on for too long, and we have too many great minds here to go to waste. Weregoose, Darkerline, we should put your guys' resources and great minds to use.

panyan
Member
Joined: 29 Dec 2007 Posts: 142
Posted: 01 Jul 2009 03:43:23 am
^I can't wait for some development! Good to have you on board.

TylerMcL
Member
Joined: 28 May 2008 Posts: 148
Posted: 01 Jul 2009 01:15:43 pm
After doing some research on brute force - it's near impossible, especially with 64-bit encryption. Our better bet is to do what was stated before and "be creative". One has mentioned the boot file not being encrypted. This might be a small hole. I might need to try to get my hands on it - I think Hackspire has it on their site?
What do any experienced programmers think about editing the information that the computer sends as the OS update? Any possibilities there? I think I remember it being stated somewhere in another forum how it checks the OS with another file before actually applying it - but don't hold me to that one.

FloppusMaximus
Advanced Member
Joined: 22 Aug 2008 Posts: 472
Posted: 04 Jul 2009 04:12:39 pm
Briefly: The actual OS code (the 8070 field within TI-Nspire.img) is encrypted, presumably with a 64-bit block cipher (and using the same key and initialization vector for both the CAS and non-CAS.) Unless you can find the key, you can't expect to do anything useful by twiddling bits in the OS.
In addition, the OS is digitally signed, just as older calculator OSes are. Without a valid signature, the calculator won't accept the OS. In order to generate a signature for a modified OS, you need to know three things: the algorithm, the public key, and the private key. As far as I know nobody's figured out any of the three. (Knowing the public key, it would be easy to guess the algorithm. Knowing the algorithm, it might or might not be possible to find the public key by brute force.) Since the key is 1024 bits long, compared to the 512-bit keys used by older calculators, it is currently impossible to find the private key.
It would be very useful to get an unencrypted copy of the OS, either by dumping it from the calculator somehow, or by finding the key used to encrypt it. With that, we could begin disassembling it, which would potentially allow us to find vulnerabilities, as on the TI-85, TI-82, and TI-92, that could enable us to run machine code.
It might also be useful to know what algorithm is used for the signature. It is not inconceivable that the signature algorithm contains mathematical flaws that could be exploited to make tiny changes to the OS.
It would be extremely useful to find and disassemble the actual code responsible for decrypting and installing the OS. This would presumably tell us what algorithms are being used, and if not the actual keys, then at least it would give us an idea of how to find the keys. In addition, if it was written by the same people who wrote the TI-83+ boot code, it's probably riddled with vulnerabilities of all sorts.
There is, after all, a reason that the OS image is encrypted.

Vadko
Newbie
Joined: 09 Jul 2009 Posts: 5
Posted: 09 Jul 2009 07:24:58 am
Since there is not very much progress on getting the Nspire CAS OS onto the Nspire, does anyone know of, or find it useful to develop, programs that emulate the CAS functions?
Such as (from the tinspire site):
- Easily factor and find the real or complex zeros of a function
- Find exact answers to area, perimeter, and length of a side involving fractions, ∏, and radical notation
- Find compositions of functions symbolically
- Find exact answers to limits, sequences, and series involving fractions, ∏, and radical notation
- Symbolically find limits, derivatives, and integrals of functions
- Find exact answers to problems involving integrals and derivatives
- Find exact areas under a curve
If anyone knows of such programs, or anything that could help bring a kind of CAS to the Nspire, it would be very nice to share or develop them instead of trying to break algorithms and things that are too complicated, take too long and for sure have a scent of less than legal all over.
Best regards to all

xcomenforcer231
Newbie
Joined: 10 Aug 2009 Posts: 7
Posted: 10 Aug 2009 10:49:10 am
By bridging a few pins on the keyboard input, you can boot the calculator into the Nspire mode. I have yet to find out how to boot into the 84+ mode.

flamesbladeflcl
Newbie
Joined: 20 Aug 2009 Posts: 1
Posted: 20 Aug 2009 11:35:02 pm
Any progress?

Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 23 Aug 2009 02:11:30 pm
Here are another few suggestions:
Scan the boot code image (it was unencrypted according to a previous post) for vulns to execute remote code (the 84+ boot code has such a vulnerability).
If anyone has the means to read the Nspire's memory chip...

FloppusMaximus
Advanced Member
Joined: 22 Aug 2008 Posts: 472
Posted: 23 Aug 2009 11:37:43 pm
Yeah, has anyone figured anything out about the "boot" image? I've tried disassembling it in various ways (even assuming we're correct about the CPU model, there are quite a number of different possible machine code formats!) Nothing has jumped out at me as being obviously correct.

kevincroissant
Newbie
Joined: 21 Mar 2009 Posts: 1
Posted: 24 Sep 2009 08:17:54 pm
brandonw wrote: FocusedWolf wrote: brandonw wrote: And yes, you can use the recovery menu mentioned on the wiki to erase the OS.
I stand corrected, so is there "really" a downgrade protection? Like, has it been tested that:
1. if you upgrade you can't install an older OS?
2. if you do that maintenance reset thing that you can install an older OS?
So does this mean if an exploit is found in an older version that a user can easily downgrade to that version? (Wish PSP had that feature lol)
It's seriously looking like somehow digitally signing an OS made from scratch is the way to go.
Oh, did TI really make the OS out of Java on the Nspire like the computer software? lol
As I've already said many times before, yes, you can install an older OS if you erase the existing one using the recovery menu, and yes, I've done it.
And yes, if anything is found on any older version, you can go back to it to run it.
And I've said already many times that you CANNOT sign your own OS. None of us have the slightest idea how to manipulate the hardware through code, or even see the code for the existing OS, so how in the world would you create one? Things like this don't just happen.
And as I said, we can't even break the 83+ OS signing process, and I guarantee you that TI used something stronger with the Nspire. You will never break it...ever. Take my word for this.
Brandonw, do you have an email address I can email you at? I have something that you will probably like very, very much. For some reason my messenger is saying I am not allowed to use it...?!
And yes, I joined just to post here.
And, I found something a while back on my Nspire while I was in the TI-84+ emulator mode. I was running a program I got (can't remember what it was supposed to do), and halfway through running it, everything locked up. I was able to take the keypad out and it stayed on, and the reset button didn't work either. I had to take the batteries out for 2-3 days. After that, I put my Nspire keypad in, and it worked...barely. It would lock up every few seconds and I had to use the reset button several times before it finally started functioning normally again. I wish I could find the name of the program, because I think it might actually allow some kind of lower-level access when it freezes up. I'll keep looking.
Last edited by Guest on 25 Sep 2009 03:09:40 pm; edited 1 time in total

critor
Member
Joined: 04 Feb 2009 Posts: 132
Posted: 26 Sep 2009 06:15:03 am
Have you really searched?...
Just google brandonw: you should find it.

Goplat
Advanced Newbie
Joined: 26 Jun 2007 Posts: 95
Posted: 27 Sep 2009 02:15:25 am
FloppusMaximus wrote: Yeah, has anyone figured anything out about the "boot" image? I've tried disassembling it in various ways (even assuming we're correct about the CPU model, there are quite a number of different possible machine code formats!) Nothing has jumped out at me as being obviously correct.
You need to decompress it first. Here's the format:
First 4 bytes = uncompressed size
Next 128 bytes = table of 64 most common half-words
Then the actual data consists of a 1 bit followed by a literal half-word (16 bits), or a 0 bit followed by the index of a common half-word (6 bits).
Once decompressed, it looks like 32-bit ARM code to me. I'll try to attach my decompressor program.
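The format Goplat describes is simple enough to implement from the post alone. The following is an added example written for this page, not Goplat's own decompressor program: a decoder for the header/table/bit-stream layout, a matching encoder used only to build a constructed test input, and a sanity check that reports a clean failure instead of garbage when the input is not a bare compressed field. Three details the post leaves open are assumptions here and are marked in the code: the 4-byte size and the table entries are treated as big-endian, the bit stream is read most-significant-bit first, and the final byte is zero-padded. The sample bytes are constructed to look vaguely like ARM words and are not from any real image.

```python
import struct
from collections import Counter

# Layout from the post: 4-byte uncompressed size, 128-byte table of the 64
# most common half-words, then a bit stream of (1 + 16-bit literal) or
# (0 + 6-bit table index) items.  Big-endian integers and MSB-first bit
# order are assumptions; the post does not state them.
HEADER_LEN = 4
TABLE_ENTRIES = 64
TABLE_LEN = 2 * TABLE_ENTRIES   # 128 bytes
INDEX_BITS = 6                  # 64 entries -> 6-bit index


class DecompressionError(ValueError):
    """Raised when the input is not a well-formed compressed field."""


class BitReader:
    """MSB-first bit cursor over a byte string (assumed bit order)."""

    def __init__(self, data, byte_offset):
        self.data = data
        self.bitpos = byte_offset * 8

    def read(self, nbits):
        value = 0
        for _ in range(nbits):
            byte_i, bit_i = divmod(self.bitpos, 8)
            if byte_i >= len(self.data):
                raise DecompressionError("bit stream ended before the declared size was reached")
            value = (value << 1) | ((self.data[byte_i] >> (7 - bit_i)) & 1)
            self.bitpos += 1
        return value


class BitWriter:
    """MSB-first bit accumulator; the last byte is zero-padded (assumption)."""

    def __init__(self):
        self.bits = []

    def write(self, value, nbits):
        self.bits.extend((value >> i) & 1 for i in range(nbits - 1, -1, -1))

    def tobytes(self):
        padded = self.bits + [0] * (-len(self.bits) % 8)
        return bytes(int("".join(map(str, padded[i:i + 8])), 2)
                     for i in range(0, len(padded), 8))


def decompress(blob):
    """Expand a compressed field into raw half-word data, validating as it goes."""
    if len(blob) < HEADER_LEN + TABLE_LEN:
        raise DecompressionError("input shorter than header plus table")
    (size,) = struct.unpack(">I", blob[:HEADER_LEN])
    if size % 2:
        raise DecompressionError("declared size is not a whole number of half-words")
    table = struct.unpack(">64H", blob[HEADER_LEN:HEADER_LEN + TABLE_LEN])
    reader = BitReader(blob, HEADER_LEN + TABLE_LEN)
    out = bytearray()
    while len(out) < size:
        if reader.read(1):                       # 1 -> literal half-word follows
            halfword = reader.read(16)
        else:                                    # 0 -> index into the common table
            halfword = table[reader.read(INDEX_BITS)]
        out += struct.pack(">H", halfword)
    return bytes(out)


def compress(data):
    """Inverse of decompress(); used here only to build a constructed test input."""
    if len(data) % 2:
        raise ValueError("data must be a whole number of half-words")
    halfwords = struct.unpack(">%dH" % (len(data) // 2), data)
    common = [hw for hw, _ in Counter(halfwords).most_common(TABLE_ENTRIES)]
    common += [0] * (TABLE_ENTRIES - len(common))        # pad a short table
    index = {}
    for i, hw in enumerate(common):
        index.setdefault(hw, i)
    writer = BitWriter()
    for hw in halfwords:
        if hw in index:
            writer.write(0, 1)
            writer.write(index[hw], INDEX_BITS)
        else:
            writer.write(1, 1)
            writer.write(hw, 16)
    return struct.pack(">I", len(data)) + struct.pack(">64H", *common) + writer.tobytes()


def is_valid_stream(blob):
    """True only if the blob decompresses cleanly to exactly its declared size."""
    try:
        return len(decompress(blob)) == struct.unpack(">I", blob[:HEADER_LEN])[0]
    except (DecompressionError, struct.error):
        return False


# Constructed sample (not from a real image): a few repeated ARM-looking words
# plus 128 distinct half-words, so the table fills and some items become literals.
SAMPLE = bytes.fromhex("e1a00000" * 40 + "e92d4010" * 10 + "e8bd8010" * 10) + bytes(range(256))

if __name__ == "__main__":
    packed = compress(SAMPLE)
    print(len(SAMPLE), "->", len(packed), "bytes; round trip ok:", decompress(packed) == SAMPLE)
    print("bare field valid:", is_valid_stream(packed))
    print("truncated field valid:", is_valid_stream(packed[:200]))
```

The decoder stops exactly at the declared size, so trailing pad bits are never misread as items, and it raises rather than returning partial output when the stream runs out: a truncated input, or a blob with extra bytes in front of the real field, fails the `is_valid_stream` check instead of producing a plausible-looking but wrong image. If a real field does not round-trip, the first things to revisit are the endianness and bit-order assumptions noted above.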

critor
Member
Joined: 04 Feb 2009 Posts: 132
Posted: 27 Sep 2009 03:02:09 am
Goplat wrote: FloppusMaximus wrote: Yeah, has anyone figured anything out about the "boot" image? I've tried disassembling it in various ways (even assuming we're correct about the CPU model, there are quite a number of different possible machine code formats!) Nothing has jumped out at me as being obviously correct.
You need to decompress it first. Here's the format:
First 4 bytes = uncompressed size
Next 128 bytes = table of 64 most common half-words
Then the actual data consists of a 1 bit followed by a literal half-word (16 bits), or a 0 bit followed by the index of a common half-word (6 bits).
Once decompressed, it looks like 32-bit ARM code to me. I'll try to attach my decompressor program.
I couldn't make your decompressor work correctly...
I've tried to use as input files:
- nSpire TNO update files 1.4 and above
- nSpire CAS TNC update files 1.4 and above
- boot2.img extracted from the above files
In all cases, I'm getting the "decompression error" message.
What's wrong?

Goplat
Advanced Newbie
Joined: 26 Jun 2007 Posts: 95
Posted: 27 Sep 2009 03:11:43 am
You have to extract the 8070 field out of boot2.img and put that in its own file. Somewhere near the beginning of boot2.img should be the bytes 80 7F followed by 4 bytes which is the compressed size (in the most recent image, 00 12 FE 83). The 8070 field follows after that.
Last edited by Guest on 27 Sep 2009 03:19:54 am; edited 1 time in total

Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 28 Sep 2009 11:07:38 am
Clever work! Hope you guys can figure out what kind of code it is... That'd be a step 1 out of 1000!
Last edited by Guest on 28 Sep 2009 11:09:02 am; edited 1 time in total

Goplat
Advanced Newbie
Joined: 26 Jun 2007 Posts: 95
Posted: 28 Sep 2009 04:55:38 pm
Edit: redacted, not sure it's legal to document the encryption publicly
Last edited by Guest on 28 Jul 2010 08:39:14 pm; edited 1 time in total

DigiTan Unregistered HyperCam 2
Super Elite (Last Title)
Joined: 10 Nov 2003 Posts: 4468
Posted: 29 Sep 2009 08:28:32 am
Did anyone ever put together a bill of materials for that model?

ShadowPhoenix
Newbie
Joined: 19 Aug 2009 Posts: 20
Posted: 03 Oct 2009 11:24:19 pm
Which ARM is the chip?