ExtendeD
Advanced Newbie
Joined: 30 Aug 2009 Posts: 91
Posted: 04 Oct 2009 03:26:05 pm
Most probably an ARM926EJ-S ( http://hackspire.unsads.com/wiki/index.php/Hardware#CPU )
Congratulations, Goplat. How did you manage to find out the algorithm, which is far from being obvious?
Last edited by Guest on 04 Oct 2009 03:27:42 pm; edited 1 time in total
Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 05 Oct 2009 12:13:26 am
<suggestion>
We have a raw binary of the OS now, right?
Well, hackspire states that the NSpire OS crashes occasionally when trying to read a "bad document". Couldn't there be a buffer overflow exploit somewhere? (which we can now find using our new binary, assuming it's correct)
</suggestion>
Just wanted to share my thoughts...
magicdanw pcGuru()
Calc Guru
Joined: 14 Feb 2007 Posts: 1110
Posted: 05 Oct 2009 12:27:35 am
We can't disassemble the binary until its encryption is bypassed.
Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 05 Oct 2009 11:11:58 am
Sorry, overlooked something... I thought Goplat managed to get a raw binary.
magicdanw pcGuru()
Calc Guru
Joined: 14 Feb 2007 Posts: 1110
Posted: 05 Oct 2009 01:37:37 pm
Mapar007 wrote: Sorry, overlooked something... I thought Goplat managed to get a raw binary.
No worries! And perhaps he did - I'm not too clear on the Nspire stuff myself. The problem is, I think the binary is actually mostly encoded, and when you turn on the Nspire for the first time after using the 84+ keypad, it decrypts itself into RAM. At least, that's what I've gathered from reading about developments online, but I could be wrong, so someone correct me if I am!
xcomenforcer231
Newbie
Joined: 10 Aug 2009 Posts: 7
Posted: 05 Oct 2009 06:06:56 pm
Would it be possible to capture the OS as it is decrypted?
i.e. capture it as it is loading (after removing or switching a keypad).
By doing this, we might be able to also input our own commands in the same manner.
*And to add to the list of non-working TI-84 ASM, many graphics-heavy programs crash. Doom83 does not work on the Nspire.
DigiTan Unregistered HyperCam 2
Super Elite (Last Title)
Joined: 10 Nov 2003 Posts: 4468
Posted: 05 Oct 2009 06:36:12 pm
Going back to this initialize/decrypt function at 1326E4-1335C3... what else might it decrypt other than the OS?
xcomenforcer231
Newbie
Joined: 10 Aug 2009 Posts: 7
Posted: 06 Oct 2009 09:05:15 am
Would the OS signing keys for the other calculators help us, or would we be able to hack the signing key for the Nspire the same way?
Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 06 Oct 2009 10:33:58 am
As there are ways to read EEPROM chips with special readers/circuits, wouldn't there be a way to read the contents of the memory chip directly?
darkstone knight
Advanced Member
Joined: 07 Sep 2008 Posts: 438
Posted: 07 Oct 2009 03:40:21 pm
Mapar007 wrote: As there are ways to read EEPROM chips with special readers/circuits, wouldn't there be a way to read the contents of the memory chip directly?
That's it! Get yourself an Nspire and place that ROM in your TI-84+ :biggrin:
Seriously, you might be able to hack the ROM onto an old USB stick.
DrDnar
Member
Joined: 28 Aug 2009 Posts: 116
Posted: 07 Oct 2009 06:29:02 pm
As I recall, the main data storage flash chip (the larger one) is not randomly byte-accessible. You have to read blocks of 512 bytes or so. The TI-84+ memory bus simply couldn't work with that kind of chip.
And even if you could do it, the TI-84 would only be able to read the first 2MB of the chip.
Last edited by Guest on 07 Oct 2009 06:30:40 pm; edited 1 time in total
Vadko
Newbie
Joined: 09 Jul 2009 Posts: 5
Posted: 07 Oct 2009 06:44:37 pm
This thread is interesting, although I don't believe that anyone here has the skills to put the Nspire CAS OS on a regular Nspire. It's just too much work.
The only way to do this in the next few years will be to swap the grey case for the blue case.
magicdanw pcGuru()
Calc Guru
Joined: 14 Feb 2007 Posts: 1110
Posted: 07 Oct 2009 06:51:41 pm
Vadko wrote: This thread is interesting, although I don't believe that anyone here has the skills to put the Nspire CAS OS on a regular Nspire. It's just too much work.
The only way to do this in the next few years will be to swap the grey case for the blue case.
That's not the goal here. The goal is to execute unsigned assembly code on either Nspire's ARM processor. Porting one OS to the other's hardware, whether it's possible or not, really isn't a major goal (what would be the point? Saving money? Getting more purposeless software onto one device?)
d235j
Newbie
Joined: 20 Feb 2009 Posts: 4
Posted: 07 Oct 2009 07:26:11 pm
Dr. D'nar wrote: As I recall, the main data storage flash chip (the larger one) is not randomly byte-accessible. You have to read blocks of 512 bytes or so. The TI-84+ memory bus simply couldn't work with that kind of chip.
And even if you could do it, the TI-84 would only be able to read the first 2MB of the chip.
There are plenty of ways to read NAND flash though. (NAND flash is the type that must be read in blocks.) If I remember correctly, to read the Wii's NAND chip for the first time, a memory card reader (or was it a flash drive?) that used a similar chip was found and the chip was transplanted into that device. Today it's a lot easier, but nevertheless there are ways to physically dump the NAND.
However, the NOR flash probably has the encryption code, and should be dumped too.
From what I've seen about the CPU (the link to the datasheet is broken so I'm not entirely certain), the CPU isn't a SoC (system on a chip). If it were, then TI could have put keys directly *on* the CPU.
Of course, attempting to dump the contents of these chips would require destroying an Nspire unit, and good soldering skills.
DigiTan Unregistered HyperCam 2
Super Elite (Last Title)
Joined: 10 Nov 2003 Posts: 4468
Posted: 07 Oct 2009 08:25:19 pm
Yeah, and unfortunately the test clips to read the ICs Datamath identified cost more than the calculator itself. If someone can follow the traces though, there wouldn't be much stopping them from soldering directly to the buses and grabbing code the CPU decides to access. Sounds like pulling teeth though.
Last edited by Guest on 07 Oct 2009 08:26:14 pm; edited 1 time in total
Goplat
Advanced Newbie
Joined: 26 Jun 2007 Posts: 95
Posted: 07 Oct 2009 11:54:13 pm
ExtendeD wrote: Congratulations, Goplat. How did you manage to find out the algorithm, which is far from being obvious?
First I did some frequency analysis: I found the most common 4-byte sequences. I found that many of them matched each other when bit-shifted: for example, the common sequences F8 17 86 D0 and 81 78 6D 09 match with an offset of 4 bits (if we say that the most significant bit comes first). This suggested to me that it's a kind of (big-endian) bit coding. So I dumped some data in binary and, by hand, tried to line things up. It took a while but eventually I found that the data could be nicely split up into 17-bit "1xxxxxxxxxxxxxxxx" and 7-bit "0xxxxxx" codes.
I guessed that the long codes were just literal halfwords, and a quick inspection of the resulting decompression proved this right (there was readable ASCII text). The short codes could only represent halfwords that were never compressed as literals - and hey, there's a table of those right near the start of the compressed file.
Mapar007 wrote: Sorry, overlooked something... I thought Goplat managed to get a raw binary.
I got a binary of the stage 2 boot loader, not the OS. The OS is most likely encrypted.
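As an added illustration of the two steps Goplat describes above (this is example code written for this page, not Goplat's tool or anything from the Nspire project), the block below does the bit-shift comparison used in the frequency-analysis step on the two sequences from the post, and then models the code layout he found: an MSB-first bitstream of 17-bit "1 + halfword" literals and 7-bit "0 + 6-bit index" references into a table of 64 halfwords. The container layout (exactly 64 big-endian halfwords of table immediately before the bitstream), the padding rule (trailing 1-bits), and the rule for which halfwords go into the table are assumptions made for the example; the post only says the table sits "near the start of the compressed file". The sample input is constructed, not real boot2 data.

```python
"""Toy model of the bit coding described in the thread: MSB-first stream of
17-bit literal codes (1 + halfword) and 7-bit table codes (0 + 6-bit index),
plus the bit-shift comparison used in the frequency-analysis step."""
from collections import Counter

TABLE_SIZE = 64  # a "0xxxxxx" code carries a 6-bit index, so 64 table slots


def bit_shift_match(a: bytes, b: bytes, shift: int) -> bool:
    """True if the MSB-first bits of b equal those of a shifted left by
    `shift` bits, compared over the bits both sequences actually cover."""
    width = 8 * len(a) - shift
    if width <= 0 or width > 8 * len(b):
        return False
    tail_of_a = int.from_bytes(a, "big") & ((1 << width) - 1)
    head_of_b = int.from_bytes(b, "big") >> (8 * len(b) - width)
    return tail_of_a == head_of_b


class BitWriter:
    """Collects bits MSB-first; the last byte is padded with 1-bits."""

    def __init__(self) -> None:
        self.bits: list[int] = []

    def write(self, value: int, n: int) -> None:
        for i in range(n - 1, -1, -1):
            self.bits.append((value >> i) & 1)

    def to_bytes(self) -> bytes:
        # Assumed padding rule: a trailing '1' flag with no 16-bit halfword
        # behind it cannot be a valid code, so the decoder can detect padding.
        bits = self.bits + [1] * (-len(self.bits) % 8)
        out = bytearray()
        for i in range(0, len(bits), 8):
            byte = 0
            for bit in bits[i:i + 8]:
                byte = (byte << 1) | bit
            out.append(byte)
        return bytes(out)


class BitReader:
    """Reads bits MSB-first (the big-endian bit order from the post)."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def bits_left(self) -> int:
        return 8 * len(self.data) - self.pos

    def read(self, n: int) -> int:
        value = 0
        for _ in range(n):
            bit = (self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1
            value = (value << 1) | bit
            self.pos += 1
        return value


def bytes_to_halfwords(data: bytes) -> list[int]:
    if len(data) % 2:
        raise ValueError("need an even number of bytes")
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]


def build_table(halfwords: list[int]) -> list[int]:
    """Assumed table rule: the 64 most frequent halfwords occurring at least
    twice (a table slot costs 16 bits, so a one-off halfword gains nothing)."""
    common = [hw for hw, n in Counter(halfwords).most_common() if n >= 2]
    return common[:TABLE_SIZE]


def compress(halfwords: list[int]) -> bytes:
    """Assumed container: 64 big-endian halfwords (the table), then the stream."""
    table = build_table(halfwords)
    index = {hw: i for i, hw in enumerate(table)}
    w = BitWriter()
    for hw in halfwords:
        if hw in index:
            w.write(0, 1)            # "0xxxxxx": 6-bit table index
            w.write(index[hw], 6)
        else:
            w.write(1, 1)            # "1xxxxxxxxxxxxxxxx": literal halfword
            w.write(hw, 16)
    header = b"".join(hw.to_bytes(2, "big") for hw in table)
    header += b"\x00\x00" * (TABLE_SIZE - len(table))  # unused table slots
    return header + w.to_bytes()


def decompress(blob: bytes) -> list[int]:
    table = [int.from_bytes(blob[2 * i:2 * i + 2], "big") for i in range(TABLE_SIZE)]
    r = BitReader(blob[2 * TABLE_SIZE:])
    out: list[int] = []
    while r.bits_left() >= 7:
        if r.read(1) == 0:
            out.append(table[r.read(6)])
        elif r.bits_left() >= 16:
            out.append(r.read(16))
        else:
            break  # a '1' flag with no halfword behind it is padding
    return out


# Constructed sample (not real Nspire data): a run of zero halfwords, repeated
# text, and a unique tail that has to be coded as literals.
SAMPLE = b"\x00\x00" * 16 + b"Boot2 image v1.7 " * 4 + b"unique tail!"


def roundtrip_ok(data: bytes = SAMPLE) -> bool:
    halfwords = bytes_to_halfwords(data)
    return decompress(compress(halfwords)) == halfwords


if __name__ == "__main__":
    # The two common sequences from the post line up at a 4-bit offset.
    print(bit_shift_match(bytes.fromhex("F81786D0"), bytes.fromhex("81786D09"), 4))
    print(roundtrip_ok())
```

The decoder's stop condition is what makes the 1-bit padding safe: a halfword reference needs 7 bits and a literal needs 17, so a stream tail that starts with a 1 and has fewer than 16 bits after it can only be padding. A real decoder for the boot2 image would still need the actual table offset and the compressed length from the file header, which this thread does not give.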
Lionel Debroux
Member
Joined: 01 Aug 2009 Posts: 170
Posted: 08 Oct 2009 12:54:56 pm
Well, congratulations for your patience and your discovery.
squalyl
Advanced Newbie
Joined: 04 Aug 2009 Posts: 57
Posted: 12 Oct 2009 03:04:44 am
Awesome work. Congratulations.
Mapar007
Advanced Member
Joined: 04 Oct 2008 Posts: 365
Posted: 13 Oct 2009 10:15:56 am
This may be a stupid question, but where exactly does the 8070 field start, or how is it identified? (I have extracted the boot2.img from the tno file, AMS upgrade 1.7)