critor, Member
Posted: 13 Oct 2009 01:36:58 pm
Mapar007 wrote: This may be a stupid question, but where exactly does the 8070 field start, or how is it identified? (I have extracted the boot2.img from the tno file, AMS upgrade 1.7)
I've asked the same question, and got this useful answer:
http://www.unitedti.org/index.php?showtopi...st&p=136885
Mapar007, Advanced Member
Posted: 13 Oct 2009 01:56:53 pm
Aaah, I was taking the 4 bytes following the 807F with the field...
fullmetalcoder, Member
Posted: 08 Nov 2009 04:10:44 pm
Not strictly related to the topic, but...
I just got my hands on a Nspire CAS+ and it appears that, contrary to what one might think, it is a preproduction model... Now this wouldn't worry me that much were it not for the fact that TI says it isn't possible to upgrade the OS on these calcs. So my questions are: is there really such a limitation? If so, would there be a way to circumvent it that does not involve too much soldering? And if no such way is known at the moment, is there any hope that it might someday be possible? (My understanding is that it isn't possible to flash the boot1 that resides in the 512k NOR flash, but that the rest of the memory could at some point be altered, so, depending on where the "protection" is located, circumvention may or may not be possible.)
Goplat, Advanced Newbie
Posted: 09 Nov 2009 08:37:20 pm
I figured out the problem: the OS image is decrypted little-endian, while the library I had been using did it big-endian. I'll post a program to decrypt the OS image soon.
Edit: Here it is. Since it was so non-intuitive to extract the 8070 field out of a .img file, you don't have to do that with this. Just run it on TI-Nspire.img directly (or boot2.img, since I included boot2 decompression too).
Edit: redacted, not sure it's legal to distribute this publicly
Last edited by Guest on 28 Jul 2010 08:28:57 pm; edited 1 time in total
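The endianness mismatch Goplat describes above, as an added example that is not code from this thread or from any TI tool: a cipher that works on two 32-bit halves gives completely different output depending on how each 8-byte block is split into words, so a library that assumes big-endian words silently produces garbage on data that was encrypted little-endian. XTEA stands in for Blowfish here only because it fits in a few lines (assumption: the word-order issue is the same, which holds for any cipher defined on 32-bit halves); the key and plaintext are constructed test values. The adapter at the end shows how to drive a big-endian-only library on little-endian data without patching it: swap the bytes of every 32-bit word on the way in and again on the way out.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9  # XTEA round constant


def xtea_encrypt_words(v0, v1, key, rounds=32):
    """XTEA on two 32-bit words; key is four 32-bit words. Stand-in for Blowfish."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return v0, v1


def xtea_decrypt_words(v0, v1, key, rounds=32):
    """Inverse of xtea_encrypt_words."""
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
    return v0, v1


def _ecb(words_fn, data, key, byteorder):
    """Apply words_fn to each 8-byte block. byteorder is '<' (little-endian words)
    or '>' (big-endian words): this is the choice the two implementations disagreed on."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(byteorder + "II", data[i:i + 8])
        out += struct.pack(byteorder + "II", *words_fn(v0, v1, key))
    return bytes(out)


def encrypt(data, key, byteorder):
    return _ecb(xtea_encrypt_words, data, key, byteorder)


def decrypt(data, key, byteorder):
    return _ecb(xtea_decrypt_words, data, key, byteorder)


def bswap32_each(data):
    """Reverse the byte order inside every 32-bit word (length must be a multiple of 4)."""
    return b"".join(data[i:i + 4][::-1] for i in range(0, len(data), 4))


def decrypt_le_with_be_library(ciphertext, key):
    """Decrypt little-endian ciphertext using only the big-endian decrypt:
    byte-swap each word going in, so the library sees the same 32-bit values the
    little-endian encryptor used, then byte-swap the recovered words back."""
    return bswap32_each(decrypt(bswap32_each(ciphertext), key, ">"))


KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)  # constructed test key
PLAINTEXT = b"phoenix.raw data"                          # constructed 16-byte sample


def demo():
    ct_le = encrypt(PLAINTEXT, KEY, "<")             # produced by a little-endian implementation
    wrong = decrypt(ct_le, KEY, ">")                 # big-endian library applied directly
    right = decrypt(ct_le, KEY, "<")                 # same word order as the encryptor
    adapted = decrypt_le_with_be_library(ct_le, KEY)  # big-endian library plus byte swaps
    return wrong, right, adapted


if __name__ == "__main__":
    wrong, right, adapted = demo()
    print("big-endian library directly:", wrong)
    print("little-endian decrypt      :", right)
    print("big-endian + byte swap     :", adapted)
```

Run it and only the second and third lines come back as the plaintext. The byte-swap trick works because the cipher itself never sees bytes, only 32-bit words; the disagreement is entirely in the packing layer, so it can be corrected there.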
calc84maniac, Elite
Posted: 10 Nov 2009 12:05:35 am
Goplat wrote: I figured out the problem: the OS image is decrypted little-endian, while the library I had been using did it big-endian. I'll post a program to decrypt the OS image soon.
Edit: Here it is. Since it was so non-intuitive to extract the 8070 field out of a .img file, you don't have to do that with this. Just run it on TI-Nspire.img directly (or boot2.img, since I included boot2 decompression too).
Hold on - you decrypted the OS?
Goplat, Advanced Newbie
Posted: 10 Nov 2009 12:23:53 am
calc84maniac wrote: Hold on - you decrypted the OS?
Yes. Decrypting TI-Nspire.img gives a .zip file which contains a file called phoenix.raw which is the main part of the OS.
Last edited by Guest on 10 Nov 2009 12:35:58 am; edited 1 time in total
fullmetalcoder, Member
Posted: 10 Nov 2009 02:44:49 am
Err... the OS has been decrypted for a few days already... The details are available on a French forum, but the general procedure is simple: extract the 8070 field from boot2.img and TI-nspire.img and run the Blowfish decryption of the boot2 in an ARM simulator (gdb from an arm-elf toolchain can do that) to decrypt the OS.
The French community has been figuring out entry point addresses like crazy over the past few days.
ah-blabla, Newbie
Posted: 10 Nov 2009 04:19:15 am
I'd watch out about DMCA stuff: whereas TI were in the wrong about signing keys, they are probably perfectly within their rights to demand this is taken down, since it circumvents their copy protection on the OS. Backup everything you see just in case.
Wow...
Last edited by Guest on 12 Jul 2010 01:05:38 am; edited 1 time in total
Galandros, Active Member
Posted: 10 Nov 2009 09:22:54 am
Wow, nice.
I am gonna get my Nspire CAS out of the box soon. ^^
I have to start thinking about where I can get tools to program it: CPU instruction set, assemblers, compilers, etc.
First "we" need to find the exploit, though.
Mapar007, Advanced Member
Posted: 10 Nov 2009 10:37:30 am
ah-blabla wrote: I'd watch out about DMCA stuff: whereas TI were in the wrong about signing keys, they are probably perfectly within their rights to demand this is taken down, since it circumvents their copy protection on the OS. Backup everything you see just in case.
Wow...
Too late. I downloaded it! xD
Last edited by Guest on 12 Jul 2010 01:04:23 am; edited 1 time in total
ah-blabla, Newbie
Posted: 10 Nov 2009 11:10:16 am
Mapar007 wrote: Too late. I downloaded it! xD
However, that tool isn't even needed to do the decryption; there is a guide *somewhere* in French on how to do it, the program is just an implementation. Do the TI guys even understand French? And I don't think the DMCA can act against guides on how to circumvent copy protection, only software. As well as banning your circumventing such protections. But even there there is an exception (. Sadly I'm not in the US -- what a shame.
Edit:// Actually, the DMCA explicitly allows this:
Quote: (f) Reverse Engineering. -
* (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.
* (2) Notwithstanding the provisions of subsections (a)(2) and ( , a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.
(From http://cyber.law.harvard.edu/openlaw/DVD/1201.html#B)
Last edited by Guest on 12 Jul 2010 01:03:36 am; edited 1 time in total
fullmetalcoder, Member
Posted: 10 Nov 2009 11:48:31 am
Galandros wrote: I am gonna get my Nspire CAS of the box soon. ^^
I have to start thinking where I can get tools to program it? CPU instructions set, assemblers, compilers, etc..
First "we" need to find the exploit, though.
Don't get too excited yet. There's still no way to run native code AFAIK. As for the CPU spec, it can be found on the Hackspire wiki, and any gcc toolchain targeted at ARM cross-compilation will do when the time comes to write some code.
@ah-blabla: I'm pretty sure the TI guys do understand French well enough. They cannot send DMCA notices in Europe (even though the soon-to-come ACTA agreement might change that), but they used a somewhat similar law to silence the RSA-factoring related thread on a French forum. Besides, they do not seem very concerned about the validity of their DMCA (ab)uses...
fullmetalcoder, Member
Posted: 10 Nov 2009 11:52:08 am
critor wrote: Mapar007 wrote: This may be a stupid question, but where exactly does the 8070 field start, or how is it identified? (I have extracted the boot2.img from the tno file, AMS upgrade 1.7)
I've asked the same question, and got this useful answer:
http://www.unitedti.org/index.php?showtopi...st&p=136885
Field extraction made easy for those who'd like to play with the img files: extract_field.c just does what its name suggests.
Goplat, Advanced Newbie
Posted: 10 Nov 2009 04:08:57 pm
I found the main function of the Z80 calc emulator: it's at addresses 103C5904 to 103D88C7. Since the emulator is known to be so buggy, it might be a good place to look for exploits.
fullmetalcoder, Member
Posted: 10 Nov 2009 04:57:44 pm
Goplat wrote: I found the main function of the Z80 calc emulator: it's at addresses 103C5904 to 103D88C7. Since the emulator is known to be so buggy, it might be a good place to look for exploits.
Is that code also present on the Nspire CAS? Because if, as I remember, it isn't, then any exploit found in it will not be usable on CAS calcs, which would be a shame...
calc84maniac, Elite
Posted: 10 Nov 2009 06:16:50 pm
Do you know of any capable, free ARM disassemblers for Windows? I can't seem to find any.
fullmetalcoder, Member
Posted: 10 Nov 2009 06:30:05 pm
An ARM cross-compiled build of objdump will do. Obviously it does not have all the features of IDA, but it works...
Techrocket9, Advanced Newbie
Posted: 10 Nov 2009 09:43:48 pm
I don't know if this can help in the Nspire battle, but I recall that the Windows BitLocker encryption was broken by freezing the RAM with liquid nitrogen while the system was running, then plugging the frozen RAM chip into a "friendly" system and dumping its contents (because some/all RAM types maintain their state for a short time when powered down while frozen). Though, it seems that the encryption has been broken, so this post could be entirely irrelevant. If that is the case, could such a dump provide some insight into where a buffer overflow can be found?
Note that this is not my page:
You can get liquid nitrogen (click here)
Last edited by Guest on 10 Nov 2009 09:44:36 pm; edited 1 time in total
calc84maniac, Elite
Posted: 10 Nov 2009 10:23:42 pm
My disassembly only went up to 774934. Did I do something wrong?
Goplat, Advanced Newbie
Posted: 10 Nov 2009 10:41:53 pm
calc84maniac wrote: My disassembly only went up to 774934. Did I do something wrong?
Non-CAS phoenix.raw v1.7.2741 is 0x774938 bytes long, so that's the right size at least. Remember that the OS should start at address 0x10000000, though (in objdump, use the --adjust-vma option to set the base address).
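To make calc84maniac's "774934" and Goplat's answer concrete, here is an added example (not code from this thread or from any TI tool) that does the address bookkeeping for a headerless image loaded at a fixed base, using only the figures quoted above: a 0x774938-byte file and a 0x10000000 base. It explains why a linear disassembly ends at offset 0x774934 (the last whole 4-byte ARM instruction), maps the emulator address range Goplat gave onto file offsets, and builds the objdump command line with the --adjust-vma option he mentions. The objdump name `arm-elf-objdump` and the fixed 4-byte instruction width (ARM state, not Thumb) are assumptions.

```python
BASE = 0x10000000      # load address the thread gives for the Nspire OS
IMAGE_SIZE = 0x774938  # length of non-CAS phoenix.raw v1.7.2741, as quoted in the thread
INSN_WIDTH = 4         # assumption: ARM-state instructions, 4 bytes each


def in_image(vma, base=BASE, size=IMAGE_SIZE):
    """True when the virtual address falls inside the loaded image."""
    return base <= vma < base + size


def vma_to_offset(vma, base=BASE, size=IMAGE_SIZE):
    """Map a virtual address (as printed by a disassembler with the right base) to a file offset."""
    if not in_image(vma, base, size):
        raise ValueError(f"{vma:#x} is outside the image")
    return vma - base


def offset_to_vma(offset, base=BASE):
    """Inverse of vma_to_offset."""
    return base + offset


def last_instruction_offset(size=IMAGE_SIZE, width=INSN_WIDTH):
    """File offset of the last whole instruction a linear disassembly prints.
    For a 0x774938-byte image that is 0x774934: the file holds 0x1DD24E whole
    4-byte words, and the last one starts 4 bytes before the end."""
    return (size // width - 1) * width


def range_in_image(start, end, base=BASE, size=IMAGE_SIZE):
    """True when the inclusive address range [start, end] lies entirely in the image."""
    return start <= end and in_image(start, base, size) and in_image(end, base, size)


def objdump_command(path, base=BASE, objdump="arm-elf-objdump"):
    """Disassemble a raw ARM image so printed addresses match the load base.
    -b binary / -m arm: the file has no ELF header, so objdump must be told the
    format and architecture. --adjust-vma: shift every address by the load base
    (the option Goplat names). The tool name is an assumption."""
    return f"{objdump} -D -b binary -m arm --adjust-vma={base:#x} {path}"


if __name__ == "__main__":
    print(objdump_command("phoenix.raw"))
    print(f"emulator main spans file offsets {vma_to_offset(0x103C5904):#x}..{vma_to_offset(0x103D88C7):#x}")
    print(f"last instruction at file offset {last_instruction_offset():#x}, "
          f"address {offset_to_vma(last_instruction_offset()):#x} after --adjust-vma")
```

Without --adjust-vma, objdump numbers the raw file from 0, which is why the disassembly appeared to stop at 774934 rather than 10774934; the file length was right all along.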