| Author |
Message |
|
critor
Member
Joined: 04 Feb 2009
Posts: 132
|
 Posted: 15 Jul 2010 03:15:39 pm Post subject: |
|
|
Is there a way on the emulator to launch the maintenance menu ?
I couldn't find a key mapped to the Home-Key...
I'd like to install OSes 2.1 and 2.0 in 2 different flash-files, and then reformat.
That way, I would have less garbage to compare... |
|
| Back to top |
|
|
Goplat
Advanced Newbie
Joined: 26 Jun 2007
Posts: 95
|
| Posted: 15 Jul 2010 05:51:26 pm Post subject: |
|
|
It's just home: hold down home+enter+P, and reboot.
Anyway, I've analyzed this a bit: it looks like the problem is at 15A800 (page A80). At the end of the OS installation process, BOOT2 writes a little data there:
Install an old OS, and BOOT2 writes: AA C6 8C 92 25 24 01 01
But install 2.1, and BOOT2 writes: AA C6 8C 92 63 08 07 01
Looks like it's a signature followed by the minimum allowable version. BOOT2 is probably getting the version to write from the second 8020 field in TI-Nspire.img, since that field always contained 1.1.9253 before, but in 2.1 was changed to 1.7.2147. |
|
| Back to top |
|
|
ExtendeD
Advanced Newbie
Joined: 30 Aug 2009
Posts: 91
|
| Posted: 17 Jul 2010 02:53:52 am Post subject: |
|
|
| Boot 2 seems actually to search for any page within 150000-160000 with the marker. |
|
| Back to top |
|
|
critor
Member
Joined: 04 Feb 2009
Posts: 132
|
| Posted: 17 Jul 2010 05:07:49 am Post subject: |
|
|
Goplat wrote:
It's definitely ARM. I did some looking around with a disassembler and found some interesting stuff. There is an implementation of the Blowfish cipher in these functions: (offsets are for the latest version, 1.4.1571)
131A4C-131F8B: Encrypt one 8 bit block
131F8C-1324E3: Decrypt an array of 8 bit blocks
1324E4-1326E3: Initialize context
1335C4-13361B: Encrypt an array of 8 bit blocks (function doesn't appear to be used)
The initialize and decrypt functions appear to only be called from the function at 1326E4-1335C3. This function at some point calls the function at 1314A8-131A4B, which stores the bytes 71 AD 02 53 8F 6C 49 A1 83 6D E5 12 94 5C 03 AC into the buffer provided. It takes this result and xors it with the 4 bytes pointed to by r3, repeated 4 times, and uses that as the key to pass to the initialize function. At least, I think this is what these functions do, the code is really poorly written - whoever did it must have been paid by the line.
In both places 1314A8 is called, r3 points to the string F2 23 0D A6 (I think... I have no way to actually run this stuff), implying a key of 83 8E 0F F5 7D 4F 44 07 71 4E E8 B4 66 7F 0E 0A. I tried to decrypt the OS with this key but it didn't look any less random afterwards, so either I screwed up somewhere, there's some extra pre- or post- processing involved, or this code isn't used for decrypting the OS.
Finally is "83 8E 0F F5 7D 4F 44 07 71 4E E8 B4 66 7F 0E 0A" the BlowFish key used to crypt the header of the TI-Nspire.img file ? |
|
| Back to top |
|
|
ExtendeD
Advanced Newbie
Joined: 30 Aug 2009
Posts: 91
|
| Posted: 17 Jul 2010 05:59:35 am Post subject: |
|
|
The behavior of boot 2 seems even wierder: each time it loads an OS image with a minimum version in its manifest different than the one found in NAND, it creates a new NAND page with it (keeping the previous one). It means the history of the minimum versions is kept.
If the highest minimum version in NAND is greater than the minimum version in the OS image to load, the OS is uninstalled by boot 2. |
|
| Back to top |
|
|
critor
Member
Joined: 04 Feb 2009
Posts: 132
|
| Posted: 17 Jul 2010 07:20:28 am Post subject: |
|
|
ExtendeD wrote:
The behavior of boot 2 seems even wierder: each time it loads an OS image with a minimum version in its manifest different than the one found in NAND, it creates a new NAND page with it (keeping the previous one). It means the history of the minimum versions is kept.
If the highest minimum version in NAND is greater than the minimum version in the OS image to load, the OS is uninstalled by boot 2.
Wow... That's evil... |
|
| Back to top |
|
|
Lionel Debroux
Member
Joined: 01 Aug 2009
Posts: 170
|
| Posted: 17 Jul 2010 09:39:47 am Post subject: |
|
|
Well, that's TI 
They have decided to declare war on the community (stupidly so, since moddable devices increase sales), and they're giving themselves the means to their nasty ends... |
|
| Back to top |
|
|
Goplat
Advanced Newbie
Joined: 26 Jun 2007
Posts: 95
|
| Posted: 17 Jul 2010 03:00:55 pm Post subject: |
|
|
critor wrote:
the BlowFish key used to crypt the header of the TI-Nspire.img file ?
The real security is in the RSA signature, which is not feasible to crack.
Anyway, new emu version:
- Implemented some LCD features (palette, variable bits per pixel, variable bit/byte orders)
- Added option to save flash under a different filename
- Added ability to send OS
- Support for OS 2.1 (they changed the keypad code again, it's interrupt-driven now)
|
|
| Back to top |
|
|
apcalc
Newbie
Joined: 28 Jun 2010
Posts: 22
|
| Posted: 17 Jul 2010 03:41:03 pm Post subject: |
|
|
| Thanks for the update, Goplat! |
|
| Back to top |
|
|
ExtendeD
Advanced Newbie
Joined: 30 Aug 2009
Posts: 91
|
| Posted: 18 Jul 2010 02:22:03 am Post subject: |
|
|
| Excellent! |
|
| Back to top |
|
|
ExtendeD
Advanced Newbie
Joined: 30 Aug 2009
Posts: 91
|
| Posted: 18 Jul 2010 02:27:38 am Post subject: |
|
|
It fails with the CAS OS 2.1:
Warning at PC=1037703C: Bad read_word: b00001bc |
|
| Back to top |
|
|
Goplat
Advanced Newbie
Joined: 26 Jun 2007
Posts: 95
|
| Posted: 18 Jul 2010 11:24:18 am Post subject: |
|
|
ExtendeD wrote:
Warning at PC=1037703C: Bad read_word: b00001bc
[s]Turn the speed throttle back on when booting completes, or else the OS will quickly try to go into standby, which is not supported.  [/s]
EDIT: sorry, didn't realize the CAS version was actually different. I can ignore the accesses to b00001bc and b00001ac but later it just ends up in an infinite loop, with r0 pointing to the string "dcd_free_pipe: Trying to free a used ep\n". So basically it looks like the lack of proper USB support is causing a kind of assertion failure in the USB code... this is bad, since USB is incredibly complicated.
Last edited by Guest on 18 Jul 2010 03:02:57 pm; edited 1 time in total |
|
| Back to top |
|
|
Goplat
Advanced Newbie
Joined: 26 Jun 2007
Posts: 95
|
| Posted: 18 Jul 2010 05:24:50 pm Post subject: |
|
|
Some news I noticed on TI-BANK: critor has managed to run the diagnostics image on his Nspire - so good news, it really does exist, at least on an older model. Apparently this wasn't easy to do, so the regular method (holding Esc+Menu+G on boot) must not have worked, which is interesting. (as an aside, why wasn't Esc+Menu+G documented on hackspire before? oh well, I've done so just now)
Last edited by Guest on 18 Jul 2010 05:25:00 pm; edited 1 time in total |
|
| Back to top |
|
|
Lego
Advanced Newbie
Joined: 05 Feb 2010
Posts: 58
|
| Posted: 18 Jul 2010 05:40:07 pm Post subject: |
|
|
Goplat wrote:
Some news I noticed on TI-BANK: critor has managed to run the diagnostics image on his Nspire - so good news, it really does exist, at least on an older model. Apparently this wasn't easy to do, so the regular method (holding Esc+Menu+G on boot) must not have worked, which is interesting. (as an aside, why wasn't Esc+Menu+G documented on hackspire before? oh well, I've done so just now)
lol this menu is funny :D
what does the Function "UpdatedNandFlash(528B)" under Additional Function mean?
There is also an MMC/SD Test Oo
Would be funny to add an SD Card reader to the TI 
Last edited by Guest on 18 Jul 2010 05:49:27 pm; edited 1 time in total |
|
| Back to top |
|
|
Goplat
Advanced Newbie
Joined: 26 Jun 2007
Posts: 95
|
| Posted: 18 Jul 2010 06:07:20 pm Post subject: |
|
|
Lego wrote:
what does the Function "UpdatedNandFlash(528B)" under Additional Function mean?
Don't know, although 528B probably just refers to the NAND flash having 528-byte pages. I didn't see this one in critor's screenshots; did you get into the diagnostics too? I would advise against running the flash-related tests until we can be sure of what they do, lest your calculator be bricked by erasing the BOOT2 or manufacturing data. |
|
| Back to top |
|
|
Lego
Advanced Newbie
Joined: 05 Feb 2010
Posts: 58
|
| Posted: 18 Jul 2010 06:10:35 pm Post subject: |
|
|
Goplat wrote:
Lego wrote:
what does the Function "UpdatedNandFlash(528B)" under Additional Function mean?
Don't know, although 528B probably just refers to the NAND flash having 528-byte pages. I didn't see this one in critor's screenshots; did you get into the diagnostics too? I would advise against running the flash-related tests until we can be sure of what they do, lest your calculator be bricked by erasing the BOOT2 or manufacturing data.
I've got this menu by pressing your keys ESC+MENU+G while turing on
Well to late i ran all tests and my nands where not erased.
Maybe i will do some new shoots tomorrow with sunlight if you want, the largest problem is to get my cam to have the right focus.
Last edited by Guest on 18 Jul 2010 07:22:46 pm; edited 1 time in total |
|
| Back to top |
|
|
ExtendeD
Advanced Newbie
Joined: 30 Aug 2009
Posts: 91
|
| Posted: 19 Jul 2010 02:30:02 am Post subject: |
|
|
Goplat wrote:
Some news I noticed on TI-BANK: critor has managed to run the diagnostics image on his Nspire - so good news, it really does exist, at least on an older model.
I realized that when I dumped the diags image as you asked a while ago, and we found nothing, I had played with the maintenance and probably already erased the pre-installed image on my calc.
I have sent the program to critor for another dump.
There also may be a flag in the NAND activating the diags menu at boot time, it showed up as a side-effect to other tests we were making on critor's calcs.
[edit] OK, you've found it, great: http://hackspire.unsads.com/wiki/index.php?title=Memory_layout&curid=9&diff=744&oldid=743
Last edited by Guest on 19 Jul 2010 02:36:11 am; edited 1 time in total |
|
| Back to top |
|
|
ExtendeD
Advanced Newbie
Joined: 30 Aug 2009
Posts: 91
|
| Posted: 19 Jul 2010 02:50:14 am Post subject: |
|
|
By the way how did you find the flag, without any dump of boot 1? Is it used by boot 2?
[edit] forget it, I forgot we had a dump of boot1.
Last edited by Guest on 19 Jul 2010 08:31:54 am; edited 1 time in total |
|
| Back to top |
|
|
critor
Member
Joined: 04 Feb 2009
Posts: 132
|
| Posted: 19 Jul 2010 04:45:16 am Post subject: |
|
|
Goplat wrote:
Lego wrote:
what does the Function "UpdatedNandFlash(528B)" under Additional Function mean?
Don't know, although 528B probably just refers to the NAND flash having 528-byte pages. I didn't see this one in critor's screenshots; did you get into the diagnostics too? I would advise against running the flash-related tests until we can be sure of what they do, lest your calculator be bricked by erasing the BOOT2 or manufacturing data.
I have not posted all screenshots yet.
I've got the "UpdatedNandFlash(528B)" too.
I thought it was something dangerous...
But in fact it just fails immediatly, without any additional information.
I've got that function on my TI-Nspire TouchPad too (although the software is very different).
Same thing...
I have tested all functions.
None of them seem dangerous.
My TI-Nspire & TI-Nspire TouchPad are still working ^^
By the way, Esc+Menu+G doesn't work on the TI-Nspire TouchPad.
(I launched the diagnostic using another complicated trick)
What would be the right key combo on the TouchPad ?
Last edited by Guest on 19 Jul 2010 05:25:49 am; edited 1 time in total |
|
| Back to top |
|
|
Goplat
Advanced Newbie
Joined: 26 Jun 2007
Posts: 95
|
| Posted: 19 Jul 2010 10:31:47 am Post subject: |
|
|
critor wrote:
By the way, Esc+Menu+G doesn't work on the TI-Nspire TouchPad.
(I launched the diagnostic using another complicated trick)
What would be the right key combo on the TouchPad ?
Should be Esc+Menu+Minus. |
|
| Back to top |
|
|
|
Community News & Discuss Nspire => Technology & Calculator Open Topic
